Home | History | Annotate | Download | only in wpa_supplicant
      1 /*
      2  * wpa_supplicant - SME
      3  * Copyright (c) 2009-2014, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "utils/eloop.h"
     13 #include "common/ieee802_11_defs.h"
     14 #include "common/ieee802_11_common.h"
     15 #include "eapol_supp/eapol_supp_sm.h"
     16 #include "common/wpa_common.h"
     17 #include "common/sae.h"
     18 #include "rsn_supp/wpa.h"
     19 #include "rsn_supp/pmksa_cache.h"
     20 #include "config.h"
     21 #include "wpa_supplicant_i.h"
     22 #include "driver_i.h"
     23 #include "wpas_glue.h"
     24 #include "wps_supplicant.h"
     25 #include "p2p_supplicant.h"
     26 #include "notify.h"
     27 #include "bss.h"
     28 #include "scan.h"
     29 #include "sme.h"
     30 #include "hs20_supplicant.h"
     31 
     32 #define SME_AUTH_TIMEOUT 5
     33 #define SME_ASSOC_TIMEOUT 5
     34 
     35 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx);
     36 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx);
     37 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx);
     38 #ifdef CONFIG_IEEE80211W
     39 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s);
     40 #endif /* CONFIG_IEEE80211W */
     41 
     42 
     43 #ifdef CONFIG_SAE
     44 
     45 static int index_within_array(const int *array, int idx)
     46 {
     47 	int i;
     48 	for (i = 0; i < idx; i++) {
     49 		if (array[i] <= 0)
     50 			return 0;
     51 	}
     52 	return 1;
     53 }
     54 
     55 
     56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
     57 {
     58 	int *groups = wpa_s->conf->sae_groups;
     59 	int default_groups[] = { 19, 20, 21, 25, 26, 0 };
     60 
     61 	if (!groups || groups[0] <= 0)
     62 		groups = default_groups;
     63 
     64 	/* Configuration may have changed, so validate current index */
     65 	if (!index_within_array(groups, wpa_s->sme.sae_group_index))
     66 		return -1;
     67 
     68 	for (;;) {
     69 		int group = groups[wpa_s->sme.sae_group_index];
     70 		if (group <= 0)
     71 			break;
     72 		if (sae_set_group(&wpa_s->sme.sae, group) == 0) {
     73 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
     74 				wpa_s->sme.sae.group);
     75 		       return 0;
     76 		}
     77 		wpa_s->sme.sae_group_index++;
     78 	}
     79 
     80 	return -1;
     81 }
     82 
     83 
     84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
     85 						 struct wpa_ssid *ssid,
     86 						 const u8 *bssid)
     87 {
     88 	struct wpabuf *buf;
     89 	size_t len;
     90 
     91 	if (ssid->passphrase == NULL) {
     92 		wpa_printf(MSG_DEBUG, "SAE: No password available");
     93 		return NULL;
     94 	}
     95 
     96 	if (sme_set_sae_group(wpa_s) < 0) {
     97 		wpa_printf(MSG_DEBUG, "SAE: Failed to select group");
     98 		return NULL;
     99 	}
    100 
    101 	if (sae_prepare_commit(wpa_s->own_addr, bssid,
    102 			       (u8 *) ssid->passphrase,
    103 			       os_strlen(ssid->passphrase),
    104 			       &wpa_s->sme.sae) < 0) {
    105 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
    106 		return NULL;
    107 	}
    108 
    109 	len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0;
    110 	buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len);
    111 	if (buf == NULL)
    112 		return NULL;
    113 
    114 	wpabuf_put_le16(buf, 1); /* Transaction seq# */
    115 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
    116 	sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token);
    117 
    118 	return buf;
    119 }
    120 
    121 
    122 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s)
    123 {
    124 	struct wpabuf *buf;
    125 
    126 	buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN);
    127 	if (buf == NULL)
    128 		return NULL;
    129 
    130 	wpabuf_put_le16(buf, 2); /* Transaction seq# */
    131 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
    132 	sae_write_confirm(&wpa_s->sme.sae, buf);
    133 
    134 	return buf;
    135 }
    136 
    137 #endif /* CONFIG_SAE */
    138 
    139 
    140 /**
    141  * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt
    142  * @wpa_s: Pointer to wpa_supplicant data
    143  * @bss: Pointer to the bss which is the target of authentication attempt
    144  */
    145 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s,
    146 				struct wpa_bss *bss)
    147 {
    148 	const u8 rrm_ie_len = 5;
    149 	u8 *pos;
    150 	const u8 *rrm_ie;
    151 
    152 	wpa_s->rrm.rrm_used = 0;
    153 
    154 	wpa_printf(MSG_DEBUG,
    155 		   "RRM: Determining whether RRM can be used - device support: 0x%x",
    156 		   wpa_s->drv_rrm_flags);
    157 
    158 	rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES);
    159 	if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) {
    160 		wpa_printf(MSG_DEBUG, "RRM: No RRM in network");
    161 		return;
    162 	}
    163 
    164 	if (!(wpa_s->drv_rrm_flags &
    165 	      WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) ||
    166 	    !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) {
    167 		wpa_printf(MSG_DEBUG,
    168 			   "RRM: Insufficient RRM support in driver - do not use RRM");
    169 		return;
    170 	}
    171 
    172 	if (sizeof(wpa_s->sme.assoc_req_ie) <
    173 	    wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) {
    174 		wpa_printf(MSG_INFO,
    175 			   "RRM: Unable to use RRM, no room for RRM IE");
    176 		return;
    177 	}
    178 
    179 	wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request");
    180 	pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
    181 	os_memset(pos, 0, 2 + rrm_ie_len);
    182 	*pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
    183 	*pos++ = rrm_ie_len;
    184 
    185 	/* Set supported capabilites flags */
    186 	if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION)
    187 		*pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT;
    188 
    189 	wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2;
    190 	wpa_s->rrm.rrm_used = 1;
    191 }
    192 
    193 
    194 static void sme_send_authentication(struct wpa_supplicant *wpa_s,
    195 				    struct wpa_bss *bss, struct wpa_ssid *ssid,
    196 				    int start)
    197 {
    198 	struct wpa_driver_auth_params params;
    199 	struct wpa_ssid *old_ssid;
    200 #ifdef CONFIG_IEEE80211R
    201 	const u8 *ie;
    202 #endif /* CONFIG_IEEE80211R */
    203 #ifdef CONFIG_IEEE80211R
    204 	const u8 *md = NULL;
    205 #endif /* CONFIG_IEEE80211R */
    206 	int i, bssid_changed;
    207 	struct wpabuf *resp = NULL;
    208 	u8 ext_capab[18];
    209 	int ext_capab_len;
    210 	int skip_auth;
    211 #ifdef CONFIG_MBO
    212 	const u8 *mbo;
    213 #endif /* CONFIG_MBO */
    214 
    215 	if (bss == NULL) {
    216 		wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for "
    217 			"the network");
    218 		wpas_connect_work_done(wpa_s);
    219 		return;
    220 	}
    221 
    222 	skip_auth = wpa_s->conf->reassoc_same_bss_optim &&
    223 		wpa_s->reassoc_same_bss;
    224 	wpa_s->current_bss = bss;
    225 
    226 	os_memset(&params, 0, sizeof(params));
    227 	wpa_s->reassociate = 0;
    228 
    229 	params.freq = bss->freq;
    230 	params.bssid = bss->bssid;
    231 	params.ssid = bss->ssid;
    232 	params.ssid_len = bss->ssid_len;
    233 	params.p2p = ssid->p2p_group;
    234 
    235 	if (wpa_s->sme.ssid_len != params.ssid_len ||
    236 	    os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0)
    237 		wpa_s->sme.prev_bssid_set = 0;
    238 
    239 	wpa_s->sme.freq = params.freq;
    240 	os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len);
    241 	wpa_s->sme.ssid_len = params.ssid_len;
    242 
    243 	params.auth_alg = WPA_AUTH_ALG_OPEN;
    244 #ifdef IEEE8021X_EAPOL
    245 	if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
    246 		if (ssid->leap) {
    247 			if (ssid->non_leap == 0)
    248 				params.auth_alg = WPA_AUTH_ALG_LEAP;
    249 			else
    250 				params.auth_alg |= WPA_AUTH_ALG_LEAP;
    251 		}
    252 	}
    253 #endif /* IEEE8021X_EAPOL */
    254 	wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x",
    255 		params.auth_alg);
    256 	if (ssid->auth_alg) {
    257 		params.auth_alg = ssid->auth_alg;
    258 		wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: "
    259 			"0x%x", params.auth_alg);
    260 	}
    261 #ifdef CONFIG_SAE
    262 	wpa_s->sme.sae_pmksa_caching = 0;
    263 	if (wpa_key_mgmt_sae(ssid->key_mgmt)) {
    264 		const u8 *rsn;
    265 		struct wpa_ie_data ied;
    266 
    267 		rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
    268 		if (!rsn) {
    269 			wpa_dbg(wpa_s, MSG_DEBUG,
    270 				"SAE enabled, but target BSS does not advertise RSN");
    271 		} else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
    272 			   wpa_key_mgmt_sae(ied.key_mgmt)) {
    273 			wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg");
    274 			params.auth_alg = WPA_AUTH_ALG_SAE;
    275 		} else {
    276 			wpa_dbg(wpa_s, MSG_DEBUG,
    277 				"SAE enabled, but target BSS does not advertise SAE AKM for RSN");
    278 		}
    279 	}
    280 #endif /* CONFIG_SAE */
    281 
    282 	for (i = 0; i < NUM_WEP_KEYS; i++) {
    283 		if (ssid->wep_key_len[i])
    284 			params.wep_key[i] = ssid->wep_key[i];
    285 		params.wep_key_len[i] = ssid->wep_key_len[i];
    286 	}
    287 	params.wep_tx_keyidx = ssid->wep_tx_keyidx;
    288 
    289 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
    290 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
    291 	os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN);
    292 	if (bssid_changed)
    293 		wpas_notify_bssid_changed(wpa_s);
    294 
    295 	if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) ||
    296 	     wpa_bss_get_ie(bss, WLAN_EID_RSN)) &&
    297 	    wpa_key_mgmt_wpa(ssid->key_mgmt)) {
    298 		int try_opportunistic;
    299 		try_opportunistic = (ssid->proactive_key_caching < 0 ?
    300 				     wpa_s->conf->okc :
    301 				     ssid->proactive_key_caching) &&
    302 			(ssid->proto & WPA_PROTO_RSN);
    303 		if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
    304 					    wpa_s->current_ssid,
    305 					    try_opportunistic) == 0)
    306 			eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
    307 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
    308 		if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
    309 					      wpa_s->sme.assoc_req_ie,
    310 					      &wpa_s->sme.assoc_req_ie_len)) {
    311 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
    312 				"key management and encryption suites");
    313 			wpas_connect_work_done(wpa_s);
    314 			return;
    315 		}
    316 	} else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
    317 		   wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) {
    318 		/*
    319 		 * Both WPA and non-WPA IEEE 802.1X enabled in configuration -
    320 		 * use non-WPA since the scan results did not indicate that the
    321 		 * AP is using WPA or WPA2.
    322 		 */
    323 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
    324 		wpa_s->sme.assoc_req_ie_len = 0;
    325 	} else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) {
    326 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
    327 		if (wpa_supplicant_set_suites(wpa_s, NULL, ssid,
    328 					      wpa_s->sme.assoc_req_ie,
    329 					      &wpa_s->sme.assoc_req_ie_len)) {
    330 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
    331 				"key management and encryption suites (no "
    332 				"scan results)");
    333 			wpas_connect_work_done(wpa_s);
    334 			return;
    335 		}
    336 #ifdef CONFIG_WPS
    337 	} else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) {
    338 		struct wpabuf *wps_ie;
    339 		wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid));
    340 		if (wps_ie && wpabuf_len(wps_ie) <=
    341 		    sizeof(wpa_s->sme.assoc_req_ie)) {
    342 			wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie);
    343 			os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie),
    344 				  wpa_s->sme.assoc_req_ie_len);
    345 		} else
    346 			wpa_s->sme.assoc_req_ie_len = 0;
    347 		wpabuf_free(wps_ie);
    348 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
    349 #endif /* CONFIG_WPS */
    350 	} else {
    351 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
    352 		wpa_s->sme.assoc_req_ie_len = 0;
    353 	}
    354 
    355 #ifdef CONFIG_IEEE80211R
    356 	ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
    357 	if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
    358 		md = ie + 2;
    359 	wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0);
    360 	if (md) {
    361 		/* Prepare for the next transition */
    362 		wpa_ft_prepare_auth_request(wpa_s->wpa, ie);
    363 	}
    364 
    365 	if (md && wpa_key_mgmt_ft(ssid->key_mgmt)) {
    366 		if (wpa_s->sme.assoc_req_ie_len + 5 <
    367 		    sizeof(wpa_s->sme.assoc_req_ie)) {
    368 			struct rsn_mdie *mdie;
    369 			u8 *pos = wpa_s->sme.assoc_req_ie +
    370 				wpa_s->sme.assoc_req_ie_len;
    371 			*pos++ = WLAN_EID_MOBILITY_DOMAIN;
    372 			*pos++ = sizeof(*mdie);
    373 			mdie = (struct rsn_mdie *) pos;
    374 			os_memcpy(mdie->mobility_domain, md,
    375 				  MOBILITY_DOMAIN_ID_LEN);
    376 			mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN];
    377 			wpa_s->sme.assoc_req_ie_len += 5;
    378 		}
    379 
    380 		if (wpa_s->sme.ft_used &&
    381 		    os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 &&
    382 		    wpa_sm_has_ptk(wpa_s->wpa)) {
    383 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT "
    384 				"over-the-air");
    385 			params.auth_alg = WPA_AUTH_ALG_FT;
    386 			params.ie = wpa_s->sme.ft_ies;
    387 			params.ie_len = wpa_s->sme.ft_ies_len;
    388 		}
    389 	}
    390 #endif /* CONFIG_IEEE80211R */
    391 
    392 #ifdef CONFIG_IEEE80211W
    393 	wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid);
    394 	if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) {
    395 		const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
    396 		struct wpa_ie_data _ie;
    397 		if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 &&
    398 		    _ie.capabilities &
    399 		    (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) {
    400 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports "
    401 				"MFP: require MFP");
    402 			wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED;
    403 		}
    404 	}
    405 #endif /* CONFIG_IEEE80211W */
    406 
    407 #ifdef CONFIG_P2P
    408 	if (wpa_s->global->p2p) {
    409 		u8 *pos;
    410 		size_t len;
    411 		int res;
    412 		pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
    413 		len = sizeof(wpa_s->sme.assoc_req_ie) -
    414 			wpa_s->sme.assoc_req_ie_len;
    415 		res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len,
    416 					    ssid->p2p_group);
    417 		if (res >= 0)
    418 			wpa_s->sme.assoc_req_ie_len += res;
    419 	}
    420 #endif /* CONFIG_P2P */
    421 
    422 #ifdef CONFIG_FST
    423 	if (wpa_s->fst_ies) {
    424 		int fst_ies_len = wpabuf_len(wpa_s->fst_ies);
    425 
    426 		if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <=
    427 		    sizeof(wpa_s->sme.assoc_req_ie)) {
    428 			os_memcpy(wpa_s->sme.assoc_req_ie +
    429 				  wpa_s->sme.assoc_req_ie_len,
    430 				  wpabuf_head(wpa_s->fst_ies),
    431 				  fst_ies_len);
    432 			wpa_s->sme.assoc_req_ie_len += fst_ies_len;
    433 		}
    434 	}
    435 #endif /* CONFIG_FST */
    436 
    437 	sme_auth_handle_rrm(wpa_s, bss);
    438 
    439 #ifdef CONFIG_MBO
    440 	mbo = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE);
    441 	if (mbo) {
    442 		int len;
    443 
    444 		len = wpas_mbo_supp_op_class_ie(
    445 			wpa_s, bss->freq,
    446 			wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
    447 			sizeof(wpa_s->sme.assoc_req_ie) -
    448 			wpa_s->sme.assoc_req_ie_len);
    449 		if (len > 0)
    450 			wpa_s->sme.assoc_req_ie_len += len;
    451 	}
    452 #endif /* CONFIG_MBO */
    453 
    454 	ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
    455 					     sizeof(ext_capab));
    456 	if (ext_capab_len > 0) {
    457 		u8 *pos = wpa_s->sme.assoc_req_ie;
    458 		if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN)
    459 			pos += 2 + pos[1];
    460 		os_memmove(pos + ext_capab_len, pos,
    461 			   wpa_s->sme.assoc_req_ie_len -
    462 			   (pos - wpa_s->sme.assoc_req_ie));
    463 		wpa_s->sme.assoc_req_ie_len += ext_capab_len;
    464 		os_memcpy(pos, ext_capab, ext_capab_len);
    465 	}
    466 
    467 #ifdef CONFIG_HS20
    468 	if (is_hs20_network(wpa_s, ssid, bss)) {
    469 		struct wpabuf *hs20;
    470 
    471 		hs20 = wpabuf_alloc(20);
    472 		if (hs20) {
    473 			int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid);
    474 			size_t len;
    475 
    476 			wpas_hs20_add_indication(hs20, pps_mo_id);
    477 			len = sizeof(wpa_s->sme.assoc_req_ie) -
    478 				wpa_s->sme.assoc_req_ie_len;
    479 			if (wpabuf_len(hs20) <= len) {
    480 				os_memcpy(wpa_s->sme.assoc_req_ie +
    481 					  wpa_s->sme.assoc_req_ie_len,
    482 					  wpabuf_head(hs20), wpabuf_len(hs20));
    483 				wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20);
    484 			}
    485 			wpabuf_free(hs20);
    486 		}
    487 	}
    488 #endif /* CONFIG_HS20 */
    489 
    490 	if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) {
    491 		struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ];
    492 		size_t len;
    493 
    494 		len = sizeof(wpa_s->sme.assoc_req_ie) -
    495 			wpa_s->sme.assoc_req_ie_len;
    496 		if (wpabuf_len(buf) <= len) {
    497 			os_memcpy(wpa_s->sme.assoc_req_ie +
    498 				  wpa_s->sme.assoc_req_ie_len,
    499 				  wpabuf_head(buf), wpabuf_len(buf));
    500 			wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
    501 		}
    502 	}
    503 
    504 #ifdef CONFIG_MBO
    505 	if (mbo) {
    506 		int len;
    507 
    508 		len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie +
    509 				  wpa_s->sme.assoc_req_ie_len,
    510 				  sizeof(wpa_s->sme.assoc_req_ie) -
    511 				  wpa_s->sme.assoc_req_ie_len);
    512 		if (len >= 0)
    513 			wpa_s->sme.assoc_req_ie_len += len;
    514 	}
    515 #endif /* CONFIG_MBO */
    516 
    517 #ifdef CONFIG_SAE
    518 	if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
    519 	    pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0) == 0)
    520 	{
    521 		wpa_dbg(wpa_s, MSG_DEBUG,
    522 			"PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
    523 		params.auth_alg = WPA_AUTH_ALG_OPEN;
    524 		wpa_s->sme.sae_pmksa_caching = 1;
    525 	}
    526 
    527 	if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) {
    528 		if (start)
    529 			resp = sme_auth_build_sae_commit(wpa_s, ssid,
    530 							 bss->bssid);
    531 		else
    532 			resp = sme_auth_build_sae_confirm(wpa_s);
    533 		if (resp == NULL) {
    534 			wpas_connection_failed(wpa_s, bss->bssid);
    535 			return;
    536 		}
    537 		params.sae_data = wpabuf_head(resp);
    538 		params.sae_data_len = wpabuf_len(resp);
    539 		wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED;
    540 	}
    541 #endif /* CONFIG_SAE */
    542 
    543 	wpa_supplicant_cancel_sched_scan(wpa_s);
    544 	wpa_supplicant_cancel_scan(wpa_s);
    545 
    546 	wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR
    547 		" (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
    548 		wpa_ssid_txt(params.ssid, params.ssid_len), params.freq);
    549 
    550 	wpa_clear_keys(wpa_s, bss->bssid);
    551 	wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
    552 	old_ssid = wpa_s->current_ssid;
    553 	wpa_s->current_ssid = ssid;
    554 	wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
    555 	wpa_supplicant_initiate_eapol(wpa_s);
    556 	if (old_ssid != wpa_s->current_ssid)
    557 		wpas_notify_network_changed(wpa_s);
    558 
    559 #ifdef CONFIG_P2P
    560 	/*
    561 	 * If multi-channel concurrency is not supported, check for any
    562 	 * frequency conflict. In case of any frequency conflict, remove the
    563 	 * least prioritized connection.
    564 	 */
    565 	if (wpa_s->num_multichan_concurrent < 2) {
    566 		int freq, num;
    567 		num = get_shared_radio_freqs(wpa_s, &freq, 1);
    568 		if (num > 0 && freq > 0 && freq != params.freq) {
    569 			wpa_printf(MSG_DEBUG,
    570 				   "Conflicting frequency found (%d != %d)",
    571 				   freq, params.freq);
    572 			if (wpas_p2p_handle_frequency_conflicts(wpa_s,
    573 								params.freq,
    574 								ssid) < 0) {
    575 				wpas_connection_failed(wpa_s, bss->bssid);
    576 				wpa_supplicant_mark_disassoc(wpa_s);
    577 				wpabuf_free(resp);
    578 				wpas_connect_work_done(wpa_s);
    579 				return;
    580 			}
    581 		}
    582 	}
    583 #endif /* CONFIG_P2P */
    584 
    585 	if (skip_auth) {
    586 		wpa_msg(wpa_s, MSG_DEBUG,
    587 			"SME: Skip authentication step on reassoc-to-same-BSS");
    588 		wpabuf_free(resp);
    589 		sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN);
    590 		return;
    591 	}
    592 
    593 
    594 	wpa_s->sme.auth_alg = params.auth_alg;
    595 	if (wpa_drv_authenticate(wpa_s, &params) < 0) {
    596 		wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the "
    597 			"driver failed");
    598 		wpas_connection_failed(wpa_s, bss->bssid);
    599 		wpa_supplicant_mark_disassoc(wpa_s);
    600 		wpabuf_free(resp);
    601 		wpas_connect_work_done(wpa_s);
    602 		return;
    603 	}
    604 
    605 	eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
    606 			       NULL);
    607 
    608 	/*
    609 	 * Association will be started based on the authentication event from
    610 	 * the driver.
    611 	 */
    612 
    613 	wpabuf_free(resp);
    614 }
    615 
    616 
    617 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit)
    618 {
    619 	struct wpa_connect_work *cwork = work->ctx;
    620 	struct wpa_supplicant *wpa_s = work->wpa_s;
    621 
    622 	if (deinit) {
    623 		if (work->started)
    624 			wpa_s->connect_work = NULL;
    625 
    626 		wpas_connect_work_free(cwork);
    627 		return;
    628 	}
    629 
    630 	wpa_s->connect_work = work;
    631 
    632 	if (cwork->bss_removed ||
    633 	    !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) ||
    634 	    wpas_network_disabled(wpa_s, cwork->ssid)) {
    635 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt");
    636 		wpas_connect_work_done(wpa_s);
    637 		return;
    638 	}
    639 
    640 	sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1);
    641 }
    642 
    643 
    644 void sme_authenticate(struct wpa_supplicant *wpa_s,
    645 		      struct wpa_bss *bss, struct wpa_ssid *ssid)
    646 {
    647 	struct wpa_connect_work *cwork;
    648 
    649 	if (bss == NULL || ssid == NULL)
    650 		return;
    651 	if (wpa_s->connect_work) {
    652 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist");
    653 		return;
    654 	}
    655 
    656 	if (radio_work_pending(wpa_s, "sme-connect")) {
    657 		/*
    658 		 * The previous sme-connect work might no longer be valid due to
    659 		 * the fact that the BSS list was updated. In addition, it makes
    660 		 * sense to adhere to the 'newer' decision.
    661 		 */
    662 		wpa_dbg(wpa_s, MSG_DEBUG,
    663 			"SME: Remove previous pending sme-connect");
    664 		radio_remove_works(wpa_s, "sme-connect", 0);
    665 	}
    666 
    667 	wpas_abort_ongoing_scan(wpa_s);
    668 
    669 	cwork = os_zalloc(sizeof(*cwork));
    670 	if (cwork == NULL)
    671 		return;
    672 	cwork->bss = bss;
    673 	cwork->ssid = ssid;
    674 	cwork->sme = 1;
    675 
    676 #ifdef CONFIG_SAE
    677 	wpa_s->sme.sae.state = SAE_NOTHING;
    678 	wpa_s->sme.sae.send_confirm = 0;
    679 	wpa_s->sme.sae_group_index = 0;
    680 #endif /* CONFIG_SAE */
    681 
    682 	if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1,
    683 			   sme_auth_start_cb, cwork) < 0)
    684 		wpas_connect_work_free(cwork);
    685 }
    686 
    687 
    688 #ifdef CONFIG_SAE
    689 
    690 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
    691 			u16 status_code, const u8 *data, size_t len)
    692 {
    693 	int *groups;
    694 
    695 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u "
    696 		"status code %u", auth_transaction, status_code);
    697 
    698 	if (auth_transaction == 1 &&
    699 	    status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
    700 	    wpa_s->sme.sae.state == SAE_COMMITTED &&
    701 	    wpa_s->current_bss && wpa_s->current_ssid) {
    702 		int default_groups[] = { 19, 20, 21, 25, 26, 0 };
    703 		u16 group;
    704 
    705 		groups = wpa_s->conf->sae_groups;
    706 		if (!groups || groups[0] <= 0)
    707 			groups = default_groups;
    708 
    709 		if (len < sizeof(le16)) {
    710 			wpa_dbg(wpa_s, MSG_DEBUG,
    711 				"SME: Too short SAE anti-clogging token request");
    712 			return -1;
    713 		}
    714 		group = WPA_GET_LE16(data);
    715 		wpa_dbg(wpa_s, MSG_DEBUG,
    716 			"SME: SAE anti-clogging token requested (group %u)",
    717 			group);
    718 		if (sae_group_allowed(&wpa_s->sme.sae, groups, group) !=
    719 		    WLAN_STATUS_SUCCESS) {
    720 			wpa_dbg(wpa_s, MSG_ERROR,
    721 				"SME: SAE group %u of anti-clogging request is invalid",
    722 				group);
    723 			return -1;
    724 		}
    725 		wpabuf_free(wpa_s->sme.sae_token);
    726 		wpa_s->sme.sae_token = wpabuf_alloc_copy(data + sizeof(le16),
    727 							 len - sizeof(le16));
    728 		sme_send_authentication(wpa_s, wpa_s->current_bss,
    729 					wpa_s->current_ssid, 1);
    730 		return 0;
    731 	}
    732 
    733 	if (auth_transaction == 1 &&
    734 	    status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
    735 	    wpa_s->sme.sae.state == SAE_COMMITTED &&
    736 	    wpa_s->current_bss && wpa_s->current_ssid) {
    737 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported");
    738 		wpa_s->sme.sae_group_index++;
    739 		if (sme_set_sae_group(wpa_s) < 0)
    740 			return -1; /* no other groups enabled */
    741 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group");
    742 		sme_send_authentication(wpa_s, wpa_s->current_bss,
    743 					wpa_s->current_ssid, 1);
    744 		return 0;
    745 	}
    746 
    747 	if (status_code != WLAN_STATUS_SUCCESS)
    748 		return -1;
    749 
    750 	if (auth_transaction == 1) {
    751 		u16 res;
    752 
    753 		groups = wpa_s->conf->sae_groups;
    754 
    755 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit");
    756 		if (wpa_s->current_bss == NULL ||
    757 		    wpa_s->current_ssid == NULL)
    758 			return -1;
    759 		if (wpa_s->sme.sae.state != SAE_COMMITTED)
    760 			return -1;
    761 		if (groups && groups[0] <= 0)
    762 			groups = NULL;
    763 		res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL,
    764 				       groups);
    765 		if (res == SAE_SILENTLY_DISCARD) {
    766 			wpa_printf(MSG_DEBUG,
    767 				   "SAE: Drop commit message due to reflection attack");
    768 			return 0;
    769 		}
    770 		if (res != WLAN_STATUS_SUCCESS)
    771 			return -1;
    772 
    773 		if (sae_process_commit(&wpa_s->sme.sae) < 0) {
    774 			wpa_printf(MSG_DEBUG, "SAE: Failed to process peer "
    775 				   "commit");
    776 			return -1;
    777 		}
    778 
    779 		wpabuf_free(wpa_s->sme.sae_token);
    780 		wpa_s->sme.sae_token = NULL;
    781 		sme_send_authentication(wpa_s, wpa_s->current_bss,
    782 					wpa_s->current_ssid, 0);
    783 		return 0;
    784 	} else if (auth_transaction == 2) {
    785 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
    786 		if (wpa_s->sme.sae.state != SAE_CONFIRMED)
    787 			return -1;
    788 		if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0)
    789 			return -1;
    790 		wpa_s->sme.sae.state = SAE_ACCEPTED;
    791 		sae_clear_temp_data(&wpa_s->sme.sae);
    792 		return 1;
    793 	}
    794 
    795 	return -1;
    796 }
    797 #endif /* CONFIG_SAE */
    798 
    799 
    800 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
    801 {
    802 	struct wpa_ssid *ssid = wpa_s->current_ssid;
    803 
    804 	if (ssid == NULL) {
    805 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
    806 			"when network is not selected");
    807 		return;
    808 	}
    809 
    810 	if (wpa_s->wpa_state != WPA_AUTHENTICATING) {
    811 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
    812 			"when not in authenticating state");
    813 		return;
    814 	}
    815 
    816 	if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) {
    817 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with "
    818 			"unexpected peer " MACSTR,
    819 			MAC2STR(data->auth.peer));
    820 		return;
    821 	}
    822 
    823 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR
    824 		" auth_type=%d auth_transaction=%d status_code=%d",
    825 		MAC2STR(data->auth.peer), data->auth.auth_type,
    826 		data->auth.auth_transaction, data->auth.status_code);
    827 	wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs",
    828 		    data->auth.ies, data->auth.ies_len);
    829 
    830 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
    831 
    832 #ifdef CONFIG_SAE
    833 	if (data->auth.auth_type == WLAN_AUTH_SAE) {
    834 		int res;
    835 		res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
    836 				   data->auth.status_code, data->auth.ies,
    837 				   data->auth.ies_len);
    838 		if (res < 0) {
    839 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    840 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
    841 
    842 		}
    843 		if (res != 1)
    844 			return;
    845 
    846 		wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for "
    847 			   "4-way handshake");
    848 		wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN,
    849 			       wpa_s->sme.sae.pmkid, wpa_s->pending_bssid);
    850 	}
    851 #endif /* CONFIG_SAE */
    852 
    853 	if (data->auth.status_code != WLAN_STATUS_SUCCESS) {
    854 		char *ie_txt = NULL;
    855 
    856 		if (data->auth.ies && data->auth.ies_len) {
    857 			size_t buflen = 2 * data->auth.ies_len + 1;
    858 			ie_txt = os_malloc(buflen);
    859 			if (ie_txt) {
    860 				wpa_snprintf_hex(ie_txt, buflen, data->auth.ies,
    861 						 data->auth.ies_len);
    862 			}
    863 		}
    864 		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR
    865 			" auth_type=%u auth_transaction=%u status_code=%u ie=%s",
    866 			MAC2STR(data->auth.peer), data->auth.auth_type,
    867 			data->auth.auth_transaction, data->auth.status_code,
    868 			ie_txt);
    869 		os_free(ie_txt);
    870 
    871 		if (data->auth.status_code !=
    872 		    WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG ||
    873 		    wpa_s->sme.auth_alg == data->auth.auth_type ||
    874 		    wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) {
    875 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    876 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
    877 			return;
    878 		}
    879 
    880 		wpas_connect_work_done(wpa_s);
    881 
    882 		switch (data->auth.auth_type) {
    883 		case WLAN_AUTH_OPEN:
    884 			wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED;
    885 
    886 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth");
    887 			wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
    888 						 wpa_s->current_ssid);
    889 			return;
    890 
    891 		case WLAN_AUTH_SHARED_KEY:
    892 			wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP;
    893 
    894 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth");
    895 			wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
    896 						 wpa_s->current_ssid);
    897 			return;
    898 
    899 		default:
    900 			return;
    901 		}
    902 	}
    903 
    904 #ifdef CONFIG_IEEE80211R
    905 	if (data->auth.auth_type == WLAN_AUTH_FT) {
    906 		if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies,
    907 					    data->auth.ies_len, 0,
    908 					    data->auth.peer, NULL, 0) < 0) {
    909 			wpa_dbg(wpa_s, MSG_DEBUG,
    910 				"SME: FT Authentication response processing failed");
    911 			wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
    912 				MACSTR
    913 				" reason=%d locally_generated=1",
    914 				MAC2STR(wpa_s->pending_bssid),
    915 				WLAN_REASON_DEAUTH_LEAVING);
    916 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    917 			wpa_supplicant_mark_disassoc(wpa_s);
    918 			return;
    919 		}
    920 	}
    921 #endif /* CONFIG_IEEE80211R */
    922 
    923 	sme_associate(wpa_s, ssid->mode, data->auth.peer,
    924 		      data->auth.auth_type);
    925 }
    926 
    927 
    928 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
    929 		   const u8 *bssid, u16 auth_type)
    930 {
    931 	struct wpa_driver_associate_params params;
    932 	struct ieee802_11_elems elems;
    933 #ifdef CONFIG_HT_OVERRIDES
    934 	struct ieee80211_ht_capabilities htcaps;
    935 	struct ieee80211_ht_capabilities htcaps_mask;
    936 #endif /* CONFIG_HT_OVERRIDES */
    937 #ifdef CONFIG_VHT_OVERRIDES
    938 	struct ieee80211_vht_capabilities vhtcaps;
    939 	struct ieee80211_vht_capabilities vhtcaps_mask;
    940 #endif /* CONFIG_VHT_OVERRIDES */
    941 
    942 	os_memset(&params, 0, sizeof(params));
    943 	params.bssid = bssid;
    944 	params.ssid = wpa_s->sme.ssid;
    945 	params.ssid_len = wpa_s->sme.ssid_len;
    946 	params.freq.freq = wpa_s->sme.freq;
    947 	params.bg_scan_period = wpa_s->current_ssid ?
    948 		wpa_s->current_ssid->bg_scan_period : -1;
    949 	params.wpa_ie = wpa_s->sme.assoc_req_ie_len ?
    950 		wpa_s->sme.assoc_req_ie : NULL;
    951 	params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
    952 	params.pairwise_suite = wpa_s->pairwise_cipher;
    953 	params.group_suite = wpa_s->group_cipher;
    954 	params.key_mgmt_suite = wpa_s->key_mgmt;
    955 	params.wpa_proto = wpa_s->wpa_proto;
    956 #ifdef CONFIG_HT_OVERRIDES
    957 	os_memset(&htcaps, 0, sizeof(htcaps));
    958 	os_memset(&htcaps_mask, 0, sizeof(htcaps_mask));
    959 	params.htcaps = (u8 *) &htcaps;
    960 	params.htcaps_mask = (u8 *) &htcaps_mask;
    961 	wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, &params);
    962 #endif /* CONFIG_HT_OVERRIDES */
    963 #ifdef CONFIG_VHT_OVERRIDES
    964 	os_memset(&vhtcaps, 0, sizeof(vhtcaps));
    965 	os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask));
    966 	params.vhtcaps = &vhtcaps;
    967 	params.vhtcaps_mask = &vhtcaps_mask;
    968 	wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, &params);
    969 #endif /* CONFIG_VHT_OVERRIDES */
    970 #ifdef CONFIG_IEEE80211R
    971 	if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) {
    972 		params.wpa_ie = wpa_s->sme.ft_ies;
    973 		params.wpa_ie_len = wpa_s->sme.ft_ies_len;
    974 	}
    975 #endif /* CONFIG_IEEE80211R */
    976 	params.mode = mode;
    977 	params.mgmt_frame_protection = wpa_s->sme.mfp;
    978 	params.rrm_used = wpa_s->rrm.rrm_used;
    979 	if (wpa_s->sme.prev_bssid_set)
    980 		params.prev_bssid = wpa_s->sme.prev_bssid;
    981 
    982 	wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR
    983 		" (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
    984 		params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "",
    985 		params.freq.freq);
    986 
    987 	wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING);
    988 
    989 	if (params.wpa_ie == NULL ||
    990 	    ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0)
    991 	    < 0) {
    992 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!");
    993 		os_memset(&elems, 0, sizeof(elems));
    994 	}
    995 	if (elems.rsn_ie) {
    996 		params.wpa_proto = WPA_PROTO_RSN;
    997 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2,
    998 					elems.rsn_ie_len + 2);
    999 	} else if (elems.wpa_ie) {
   1000 		params.wpa_proto = WPA_PROTO_WPA;
   1001 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2,
   1002 					elems.wpa_ie_len + 2);
   1003 	} else if (elems.osen) {
   1004 		params.wpa_proto = WPA_PROTO_OSEN;
   1005 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2,
   1006 					elems.osen_len + 2);
   1007 	} else
   1008 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
   1009 	if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group)
   1010 		params.p2p = 1;
   1011 
   1012 	if (wpa_s->p2pdev->set_sta_uapsd)
   1013 		params.uapsd = wpa_s->p2pdev->sta_uapsd;
   1014 	else
   1015 		params.uapsd = -1;
   1016 
   1017 	if (wpa_drv_associate(wpa_s, &params) < 0) {
   1018 		wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the "
   1019 			"driver failed");
   1020 		wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
   1021 		wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
   1022 		os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
   1023 		return;
   1024 	}
   1025 
   1026 	eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s,
   1027 			       NULL);
   1028 }
   1029 
   1030 
   1031 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md,
   1032 		      const u8 *ies, size_t ies_len)
   1033 {
   1034 	if (md == NULL || ies == NULL) {
   1035 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain");
   1036 		os_free(wpa_s->sme.ft_ies);
   1037 		wpa_s->sme.ft_ies = NULL;
   1038 		wpa_s->sme.ft_ies_len = 0;
   1039 		wpa_s->sme.ft_used = 0;
   1040 		return 0;
   1041 	}
   1042 
   1043 	os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
   1044 	wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len);
   1045 	os_free(wpa_s->sme.ft_ies);
   1046 	wpa_s->sme.ft_ies = os_malloc(ies_len);
   1047 	if (wpa_s->sme.ft_ies == NULL)
   1048 		return -1;
   1049 	os_memcpy(wpa_s->sme.ft_ies, ies, ies_len);
   1050 	wpa_s->sme.ft_ies_len = ies_len;
   1051 	return 0;
   1052 }
   1053 
   1054 
   1055 static void sme_deauth(struct wpa_supplicant *wpa_s)
   1056 {
   1057 	int bssid_changed;
   1058 
   1059 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
   1060 
   1061 	if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
   1062 				   WLAN_REASON_DEAUTH_LEAVING) < 0) {
   1063 		wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver "
   1064 			"failed");
   1065 	}
   1066 	wpa_s->sme.prev_bssid_set = 0;
   1067 
   1068 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
   1069 	wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
   1070 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
   1071 	os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
   1072 	if (bssid_changed)
   1073 		wpas_notify_bssid_changed(wpa_s);
   1074 }
   1075 
   1076 
   1077 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s,
   1078 			    union wpa_event_data *data)
   1079 {
   1080 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: "
   1081 		"status code %d", MAC2STR(wpa_s->pending_bssid),
   1082 		data->assoc_reject.status_code);
   1083 
   1084 	eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
   1085 
   1086 #ifdef CONFIG_SAE
   1087 	if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid &&
   1088 	    wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) {
   1089 		wpa_dbg(wpa_s, MSG_DEBUG,
   1090 			"PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication");
   1091 		wpa_sm_aborted_cached(wpa_s->wpa);
   1092 		wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid);
   1093 		if (wpa_s->current_bss) {
   1094 			struct wpa_bss *bss = wpa_s->current_bss;
   1095 			struct wpa_ssid *ssid = wpa_s->current_ssid;
   1096 
   1097 			wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
   1098 					       WLAN_REASON_DEAUTH_LEAVING);
   1099 			wpas_connect_work_done(wpa_s);
   1100 			wpa_supplicant_mark_disassoc(wpa_s);
   1101 			wpa_supplicant_connect(wpa_s, bss, ssid);
   1102 			return;
   1103 		}
   1104 	}
   1105 #endif /* CONFIG_SAE */
   1106 
   1107 	/*
   1108 	 * For now, unconditionally terminate the previous authentication. In
   1109 	 * theory, this should not be needed, but mac80211 gets quite confused
   1110 	 * if the authentication is left pending.. Some roaming cases might
   1111 	 * benefit from using the previous authentication, so this could be
   1112 	 * optimized in the future.
   1113 	 */
   1114 	sme_deauth(wpa_s);
   1115 }
   1116 
   1117 
   1118 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s,
   1119 			      union wpa_event_data *data)
   1120 {
   1121 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out");
   1122 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
   1123 	wpa_supplicant_mark_disassoc(wpa_s);
   1124 }
   1125 
   1126 
   1127 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s,
   1128 			       union wpa_event_data *data)
   1129 {
   1130 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out");
   1131 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
   1132 	wpa_supplicant_mark_disassoc(wpa_s);
   1133 }
   1134 
   1135 
   1136 void sme_event_disassoc(struct wpa_supplicant *wpa_s,
   1137 			struct disassoc_info *info)
   1138 {
   1139 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received");
   1140 	if (wpa_s->sme.prev_bssid_set) {
   1141 		/*
   1142 		 * cfg80211/mac80211 can get into somewhat confused state if
   1143 		 * the AP only disassociates us and leaves us in authenticated
   1144 		 * state. For now, force the state to be cleared to avoid
   1145 		 * confusing errors if we try to associate with the AP again.
   1146 		 */
   1147 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear "
   1148 			"driver state");
   1149 		wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid,
   1150 				       WLAN_REASON_DEAUTH_LEAVING);
   1151 	}
   1152 }
   1153 
   1154 
   1155 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx)
   1156 {
   1157 	struct wpa_supplicant *wpa_s = eloop_ctx;
   1158 	if (wpa_s->wpa_state == WPA_AUTHENTICATING) {
   1159 		wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout");
   1160 		sme_deauth(wpa_s);
   1161 	}
   1162 }
   1163 
   1164 
   1165 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx)
   1166 {
   1167 	struct wpa_supplicant *wpa_s = eloop_ctx;
   1168 	if (wpa_s->wpa_state == WPA_ASSOCIATING) {
   1169 		wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout");
   1170 		sme_deauth(wpa_s);
   1171 	}
   1172 }
   1173 
   1174 
   1175 void sme_state_changed(struct wpa_supplicant *wpa_s)
   1176 {
   1177 	/* Make sure timers are cleaned up appropriately. */
   1178 	if (wpa_s->wpa_state != WPA_ASSOCIATING)
   1179 		eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
   1180 	if (wpa_s->wpa_state != WPA_AUTHENTICATING)
   1181 		eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
   1182 }
   1183 
   1184 
   1185 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,
   1186 				       const u8 *prev_pending_bssid)
   1187 {
   1188 	/*
   1189 	 * mac80211-workaround to force deauth on failed auth cmd,
   1190 	 * requires us to remain in authenticating state to allow the
   1191 	 * second authentication attempt to be continued properly.
   1192 	 */
   1193 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication "
   1194 		"to proceed after disconnection event");
   1195 	wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
   1196 	os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN);
   1197 
   1198 	/*
   1199 	 * Re-arm authentication timer in case auth fails for whatever reason.
   1200 	 */
   1201 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
   1202 	eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
   1203 			       NULL);
   1204 }
   1205 
   1206 
   1207 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s)
   1208 {
   1209 	wpa_s->sme.prev_bssid_set = 0;
   1210 #ifdef CONFIG_SAE
   1211 	wpabuf_free(wpa_s->sme.sae_token);
   1212 	wpa_s->sme.sae_token = NULL;
   1213 	sae_clear_data(&wpa_s->sme.sae);
   1214 #endif /* CONFIG_SAE */
   1215 #ifdef CONFIG_IEEE80211R
   1216 	if (wpa_s->sme.ft_ies)
   1217 		sme_update_ft_ies(wpa_s, NULL, NULL, 0);
   1218 #endif /* CONFIG_IEEE80211R */
   1219 }
   1220 
   1221 
   1222 void sme_deinit(struct wpa_supplicant *wpa_s)
   1223 {
   1224 	os_free(wpa_s->sme.ft_ies);
   1225 	wpa_s->sme.ft_ies = NULL;
   1226 	wpa_s->sme.ft_ies_len = 0;
   1227 #ifdef CONFIG_IEEE80211W
   1228 	sme_stop_sa_query(wpa_s);
   1229 #endif /* CONFIG_IEEE80211W */
   1230 	sme_clear_on_disassoc(wpa_s);
   1231 
   1232 	eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
   1233 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
   1234 	eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
   1235 }
   1236 
   1237 
   1238 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s,
   1239 				   const u8 *chan_list, u8 num_channels,
   1240 				   u8 num_intol)
   1241 {
   1242 	struct ieee80211_2040_bss_coex_ie *bc_ie;
   1243 	struct ieee80211_2040_intol_chan_report *ic_report;
   1244 	struct wpabuf *buf;
   1245 
   1246 	wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR
   1247 		   " (num_channels=%u num_intol=%u)",
   1248 		   MAC2STR(wpa_s->bssid), num_channels, num_intol);
   1249 	wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels",
   1250 		    chan_list, num_channels);
   1251 
   1252 	buf = wpabuf_alloc(2 + /* action.category + action_code */
   1253 			   sizeof(struct ieee80211_2040_bss_coex_ie) +
   1254 			   sizeof(struct ieee80211_2040_intol_chan_report) +
   1255 			   num_channels);
   1256 	if (buf == NULL)
   1257 		return;
   1258 
   1259 	wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC);
   1260 	wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX);
   1261 
   1262 	bc_ie = wpabuf_put(buf, sizeof(*bc_ie));
   1263 	bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE;
   1264 	bc_ie->length = 1;
   1265 	if (num_intol)
   1266 		bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ;
   1267 
   1268 	if (num_channels > 0) {
   1269 		ic_report = wpabuf_put(buf, sizeof(*ic_report));
   1270 		ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT;
   1271 		ic_report->length = num_channels + 1;
   1272 		ic_report->op_class = 0;
   1273 		os_memcpy(wpabuf_put(buf, num_channels), chan_list,
   1274 			  num_channels);
   1275 	}
   1276 
   1277 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
   1278 				wpa_s->own_addr, wpa_s->bssid,
   1279 				wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
   1280 		wpa_msg(wpa_s, MSG_INFO,
   1281 			"SME: Failed to send 20/40 BSS Coexistence frame");
   1282 	}
   1283 
   1284 	wpabuf_free(buf);
   1285 }
   1286 
   1287 
   1288 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s)
   1289 {
   1290 	struct wpa_bss *bss;
   1291 	const u8 *ie;
   1292 	u16 ht_cap;
   1293 	u8 chan_list[P2P_MAX_CHANNELS], channel;
   1294 	u8 num_channels = 0, num_intol = 0, i;
   1295 
   1296 	if (!wpa_s->sme.sched_obss_scan)
   1297 		return 0;
   1298 
   1299 	wpa_s->sme.sched_obss_scan = 0;
   1300 	if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED)
   1301 		return 1;
   1302 
   1303 	/*
   1304 	 * Check whether AP uses regulatory triplet or channel triplet in
   1305 	 * country info. Right now the operating class of the BSS channel
   1306 	 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12),
   1307 	 * based on the assumption that operating class triplet is not used in
   1308 	 * beacon frame. If the First Channel Number/Operating Extension
   1309 	 * Identifier octet has a positive integer value of 201 or greater,
   1310 	 * then its operating class triplet.
   1311 	 *
   1312 	 * TODO: If Supported Operating Classes element is present in beacon
   1313 	 * frame, have to lookup operating class in Annex E and fill them in
   1314 	 * 2040 coex frame.
   1315 	 */
   1316 	ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY);
   1317 	if (ie && (ie[1] >= 6) && (ie[5] >= 201))
   1318 		return 1;
   1319 
   1320 	os_memset(chan_list, 0, sizeof(chan_list));
   1321 
   1322 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
   1323 		/* Skip other band bss */
   1324 		enum hostapd_hw_mode mode;
   1325 		mode = ieee80211_freq_to_chan(bss->freq, &channel);
   1326 		if (mode != HOSTAPD_MODE_IEEE80211G &&
   1327 		    mode != HOSTAPD_MODE_IEEE80211B)
   1328 			continue;
   1329 
   1330 		ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP);
   1331 		ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0;
   1332 		wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR
   1333 			   " freq=%u chan=%u ht_cap=0x%x",
   1334 			   MAC2STR(bss->bssid), bss->freq, channel, ht_cap);
   1335 
   1336 		if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) {
   1337 			if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)
   1338 				num_intol++;
   1339 
   1340 			/* Check whether the channel is already considered */
   1341 			for (i = 0; i < num_channels; i++) {
   1342 				if (channel == chan_list[i])
   1343 					break;
   1344 			}
   1345 			if (i != num_channels)
   1346 				continue;
   1347 
   1348 			chan_list[num_channels++] = channel;
   1349 		}
   1350 	}
   1351 
   1352 	sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol);
   1353 	return 1;
   1354 }
   1355 
   1356 
   1357 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s,
   1358 				     struct wpa_driver_scan_params *params)
   1359 {
   1360 	/* Include only affected channels */
   1361 	struct hostapd_hw_modes *mode;
   1362 	int count, i;
   1363 	int start, end;
   1364 
   1365 	mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes,
   1366 			HOSTAPD_MODE_IEEE80211G);
   1367 	if (mode == NULL) {
   1368 		/* No channels supported in this band - use empty list */
   1369 		params->freqs = os_zalloc(sizeof(int));
   1370 		return;
   1371 	}
   1372 
   1373 	if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN &&
   1374 	    wpa_s->current_bss) {
   1375 		const u8 *ie;
   1376 
   1377 		ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION);
   1378 		if (ie && ie[1] >= 2) {
   1379 			u8 o;
   1380 
   1381 			o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
   1382 			if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE)
   1383 				wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE;
   1384 			else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW)
   1385 				wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW;
   1386 		}
   1387 	}
   1388 
   1389 	start = wpa_s->assoc_freq - 10;
   1390 	end = wpa_s->assoc_freq + 10;
   1391 	switch (wpa_s->sme.ht_sec_chan) {
   1392 	case HT_SEC_CHAN_UNKNOWN:
   1393 		/* HT40+ possible on channels 1..9 */
   1394 		if (wpa_s->assoc_freq <= 2452)
   1395 			start -= 20;
   1396 		/* HT40- possible on channels 5-13 */
   1397 		if (wpa_s->assoc_freq >= 2432)
   1398 			end += 20;
   1399 		break;
   1400 	case HT_SEC_CHAN_ABOVE:
   1401 		end += 20;
   1402 		break;
   1403 	case HT_SEC_CHAN_BELOW:
   1404 		start -= 20;
   1405 		break;
   1406 	}
   1407 	wpa_printf(MSG_DEBUG,
   1408 		   "OBSS: assoc_freq %d possible affected range %d-%d",
   1409 		   wpa_s->assoc_freq, start, end);
   1410 
   1411 	params->freqs = os_calloc(mode->num_channels + 1, sizeof(int));
   1412 	if (params->freqs == NULL)
   1413 		return;
   1414 	for (count = 0, i = 0; i < mode->num_channels; i++) {
   1415 		int freq;
   1416 
   1417 		if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
   1418 			continue;
   1419 		freq = mode->channels[i].freq;
   1420 		if (freq - 10 >= end || freq + 10 <= start)
   1421 			continue; /* not affected */
   1422 		params->freqs[count++] = freq;
   1423 	}
   1424 }
   1425 
   1426 
   1427 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx)
   1428 {
   1429 	struct wpa_supplicant *wpa_s = eloop_ctx;
   1430 	struct wpa_driver_scan_params params;
   1431 
   1432 	if (!wpa_s->current_bss) {
   1433 		wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request");
   1434 		return;
   1435 	}
   1436 
   1437 	os_memset(&params, 0, sizeof(params));
   1438 	wpa_obss_scan_freqs_list(wpa_s, &params);
   1439 	params.low_priority = 1;
   1440 	wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan");
   1441 
   1442 	if (wpa_supplicant_trigger_scan(wpa_s, &params))
   1443 		wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan");
   1444 	else
   1445 		wpa_s->sme.sched_obss_scan = 1;
   1446 	os_free(params.freqs);
   1447 
   1448 	eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
   1449 			       sme_obss_scan_timeout, wpa_s, NULL);
   1450 }
   1451 
   1452 
   1453 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable)
   1454 {
   1455 	const u8 *ie;
   1456 	struct wpa_bss *bss = wpa_s->current_bss;
   1457 	struct wpa_ssid *ssid = wpa_s->current_ssid;
   1458 	struct hostapd_hw_modes *hw_mode = NULL;
   1459 	int i;
   1460 
   1461 	eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
   1462 	wpa_s->sme.sched_obss_scan = 0;
   1463 	wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN;
   1464 	if (!enable)
   1465 		return;
   1466 
   1467 	/*
   1468 	 * Schedule OBSS scan if driver is using station SME in wpa_supplicant
   1469 	 * or it expects OBSS scan to be performed by wpa_supplicant.
   1470 	 */
   1471 	if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) ||
   1472 	      (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) ||
   1473 	    ssid == NULL || ssid->mode != IEEE80211_MODE_INFRA)
   1474 		return;
   1475 
   1476 	if (!wpa_s->hw.modes)
   1477 		return;
   1478 
   1479 	/* only HT caps in 11g mode are relevant */
   1480 	for (i = 0; i < wpa_s->hw.num_modes; i++) {
   1481 		hw_mode = &wpa_s->hw.modes[i];
   1482 		if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G)
   1483 			break;
   1484 	}
   1485 
   1486 	/* Driver does not support HT40 for 11g or doesn't have 11g. */
   1487 	if (i == wpa_s->hw.num_modes || !hw_mode ||
   1488 	    !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
   1489 		return;
   1490 
   1491 	if (bss == NULL || bss->freq < 2400 || bss->freq > 2500)
   1492 		return; /* Not associated on 2.4 GHz band */
   1493 
   1494 	/* Check whether AP supports HT40 */
   1495 	ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP);
   1496 	if (!ie || ie[1] < 2 ||
   1497 	    !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
   1498 		return; /* AP does not support HT40 */
   1499 
   1500 	ie = wpa_bss_get_ie(wpa_s->current_bss,
   1501 			    WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS);
   1502 	if (!ie || ie[1] < 14)
   1503 		return; /* AP does not request OBSS scans */
   1504 
   1505 	wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6);
   1506 	if (wpa_s->sme.obss_scan_int < 10) {
   1507 		wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u "
   1508 			   "replaced with the minimum 10 sec",
   1509 			   wpa_s->sme.obss_scan_int);
   1510 		wpa_s->sme.obss_scan_int = 10;
   1511 	}
   1512 	wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec",
   1513 		   wpa_s->sme.obss_scan_int);
   1514 	eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
   1515 			       sme_obss_scan_timeout, wpa_s, NULL);
   1516 }
   1517 
   1518 
   1519 #ifdef CONFIG_IEEE80211W
   1520 
   1521 static const unsigned int sa_query_max_timeout = 1000;
   1522 static const unsigned int sa_query_retry_timeout = 201;
   1523 
   1524 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s)
   1525 {
   1526 	u32 tu;
   1527 	struct os_reltime now, passed;
   1528 	os_get_reltime(&now);
   1529 	os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed);
   1530 	tu = (passed.sec * 1000000 + passed.usec) / 1024;
   1531 	if (sa_query_max_timeout < tu) {
   1532 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out");
   1533 		sme_stop_sa_query(wpa_s);
   1534 		wpa_supplicant_deauthenticate(
   1535 			wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID);
   1536 		return 1;
   1537 	}
   1538 
   1539 	return 0;
   1540 }
   1541 
   1542 
   1543 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s,
   1544 				  const u8 *trans_id)
   1545 {
   1546 	u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN];
   1547 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to "
   1548 		MACSTR, MAC2STR(wpa_s->bssid));
   1549 	wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID",
   1550 		    trans_id, WLAN_SA_QUERY_TR_ID_LEN);
   1551 	req[0] = WLAN_ACTION_SA_QUERY;
   1552 	req[1] = WLAN_SA_QUERY_REQUEST;
   1553 	os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN);
   1554 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
   1555 				wpa_s->own_addr, wpa_s->bssid,
   1556 				req, sizeof(req), 0) < 0)
   1557 		wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query "
   1558 			"Request");
   1559 }
   1560 
   1561 
   1562 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx)
   1563 {
   1564 	struct wpa_supplicant *wpa_s = eloop_ctx;
   1565 	unsigned int timeout, sec, usec;
   1566 	u8 *trans_id, *nbuf;
   1567 
   1568 	if (wpa_s->sme.sa_query_count > 0 &&
   1569 	    sme_check_sa_query_timeout(wpa_s))
   1570 		return;
   1571 
   1572 	nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id,
   1573 				wpa_s->sme.sa_query_count + 1,
   1574 				WLAN_SA_QUERY_TR_ID_LEN);
   1575 	if (nbuf == NULL)
   1576 		return;
   1577 	if (wpa_s->sme.sa_query_count == 0) {
   1578 		/* Starting a new SA Query procedure */
   1579 		os_get_reltime(&wpa_s->sme.sa_query_start);
   1580 	}
   1581 	trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN;
   1582 	wpa_s->sme.sa_query_trans_id = nbuf;
   1583 	wpa_s->sme.sa_query_count++;
   1584 
   1585 	if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) {
   1586 		wpa_printf(MSG_DEBUG, "Could not generate SA Query ID");
   1587 		return;
   1588 	}
   1589 
   1590 	timeout = sa_query_retry_timeout;
   1591 	sec = ((timeout / 1000) * 1024) / 1000;
   1592 	usec = (timeout % 1000) * 1024;
   1593 	eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL);
   1594 
   1595 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d",
   1596 		wpa_s->sme.sa_query_count);
   1597 
   1598 	sme_send_sa_query_req(wpa_s, trans_id);
   1599 }
   1600 
   1601 
   1602 static void sme_start_sa_query(struct wpa_supplicant *wpa_s)
   1603 {
   1604 	sme_sa_query_timer(wpa_s, NULL);
   1605 }
   1606 
   1607 
   1608 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s)
   1609 {
   1610 	eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL);
   1611 	os_free(wpa_s->sme.sa_query_trans_id);
   1612 	wpa_s->sme.sa_query_trans_id = NULL;
   1613 	wpa_s->sme.sa_query_count = 0;
   1614 }
   1615 
   1616 
   1617 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
   1618 				 const u8 *da, u16 reason_code)
   1619 {
   1620 	struct wpa_ssid *ssid;
   1621 	struct os_reltime now;
   1622 
   1623 	if (wpa_s->wpa_state != WPA_COMPLETED)
   1624 		return;
   1625 	ssid = wpa_s->current_ssid;
   1626 	if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION)
   1627 		return;
   1628 	if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
   1629 		return;
   1630 	if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA &&
   1631 	    reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA)
   1632 		return;
   1633 	if (wpa_s->sme.sa_query_count > 0)
   1634 		return;
   1635 
   1636 	os_get_reltime(&now);
   1637 	if (wpa_s->sme.last_unprot_disconnect.sec &&
   1638 	    !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10))
   1639 		return; /* limit SA Query procedure frequency */
   1640 	wpa_s->sme.last_unprot_disconnect = now;
   1641 
   1642 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - "
   1643 		"possible AP/STA state mismatch - trigger SA Query");
   1644 	sme_start_sa_query(wpa_s);
   1645 }
   1646 
   1647 
   1648 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
   1649 		     const u8 *data, size_t len)
   1650 {
   1651 	int i;
   1652 
   1653 	if (wpa_s->sme.sa_query_trans_id == NULL ||
   1654 	    len < 1 + WLAN_SA_QUERY_TR_ID_LEN ||
   1655 	    data[0] != WLAN_SA_QUERY_RESPONSE)
   1656 		return;
   1657 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from "
   1658 		MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
   1659 
   1660 	if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
   1661 		return;
   1662 
   1663 	for (i = 0; i < wpa_s->sme.sa_query_count; i++) {
   1664 		if (os_memcmp(wpa_s->sme.sa_query_trans_id +
   1665 			      i * WLAN_SA_QUERY_TR_ID_LEN,
   1666 			      data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0)
   1667 			break;
   1668 	}
   1669 
   1670 	if (i >= wpa_s->sme.sa_query_count) {
   1671 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query "
   1672 			"transaction identifier found");
   1673 		return;
   1674 	}
   1675 
   1676 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received "
   1677 		"from " MACSTR, MAC2STR(sa));
   1678 	sme_stop_sa_query(wpa_s);
   1679 }
   1680 
   1681 #endif /* CONFIG_IEEE80211W */
   1682