1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "eapol_supp/eapol_supp_sm.h" 16 #include "common/wpa_common.h" 17 #include "common/sae.h" 18 #include "rsn_supp/wpa.h" 19 #include "rsn_supp/pmksa_cache.h" 20 #include "config.h" 21 #include "wpa_supplicant_i.h" 22 #include "driver_i.h" 23 #include "wpas_glue.h" 24 #include "wps_supplicant.h" 25 #include "p2p_supplicant.h" 26 #include "notify.h" 27 #include "bss.h" 28 #include "scan.h" 29 #include "sme.h" 30 #include "hs20_supplicant.h" 31 32 #define SME_AUTH_TIMEOUT 5 33 #define SME_ASSOC_TIMEOUT 5 34 35 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 36 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 37 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 38 #ifdef CONFIG_IEEE80211W 39 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 40 #endif /* CONFIG_IEEE80211W */ 41 42 43 #ifdef CONFIG_SAE 44 45 static int index_within_array(const int *array, int idx) 46 { 47 int i; 48 for (i = 0; i < idx; i++) { 49 if (array[i] <= 0) 50 return 0; 51 } 52 return 1; 53 } 54 55 56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 57 { 58 int *groups = wpa_s->conf->sae_groups; 59 int default_groups[] = { 19, 20, 21, 25, 26, 0 }; 60 61 if (!groups || groups[0] <= 0) 62 groups = default_groups; 63 64 /* Configuration may have changed, so validate current index */ 65 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 66 return -1; 67 68 for (;;) { 69 int group = groups[wpa_s->sme.sae_group_index]; 70 if (group <= 0) 71 break; 72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 74 wpa_s->sme.sae.group); 75 return 0; 76 } 77 wpa_s->sme.sae_group_index++; 78 } 79 80 return -1; 81 } 82 83 84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 85 struct wpa_ssid *ssid, 86 const u8 *bssid) 87 { 88 struct wpabuf *buf; 89 size_t len; 90 91 if (ssid->passphrase == NULL) { 92 wpa_printf(MSG_DEBUG, "SAE: No password available"); 93 return NULL; 94 } 95 96 if (sme_set_sae_group(wpa_s) < 0) { 97 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 98 return NULL; 99 } 100 101 if (sae_prepare_commit(wpa_s->own_addr, bssid, 102 (u8 *) ssid->passphrase, 103 os_strlen(ssid->passphrase), 104 &wpa_s->sme.sae) < 0) { 105 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 106 return NULL; 107 } 108 109 len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0; 110 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 111 if (buf == NULL) 112 return NULL; 113 114 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 115 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 116 sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token); 117 118 return buf; 119 } 120 121 122 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s) 123 { 124 struct wpabuf *buf; 125 126 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 127 if (buf == NULL) 128 return NULL; 129 130 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 131 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 132 sae_write_confirm(&wpa_s->sme.sae, buf); 133 134 return buf; 135 } 136 137 #endif /* CONFIG_SAE */ 138 139 140 /** 141 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 142 * @wpa_s: Pointer to wpa_supplicant data 143 * @bss: Pointer to the bss which is the target of authentication attempt 144 */ 145 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 146 struct wpa_bss *bss) 147 { 148 const u8 rrm_ie_len = 5; 149 u8 *pos; 150 const u8 *rrm_ie; 151 152 wpa_s->rrm.rrm_used = 0; 153 154 wpa_printf(MSG_DEBUG, 155 "RRM: Determining whether RRM can be used - device support: 0x%x", 156 wpa_s->drv_rrm_flags); 157 158 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 159 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 160 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 161 return; 162 } 163 164 if (!((wpa_s->drv_rrm_flags & 165 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 166 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 167 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 168 wpa_printf(MSG_DEBUG, 169 "RRM: Insufficient RRM support in driver - do not use RRM"); 170 return; 171 } 172 173 if (sizeof(wpa_s->sme.assoc_req_ie) < 174 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 175 wpa_printf(MSG_INFO, 176 "RRM: Unable to use RRM, no room for RRM IE"); 177 return; 178 } 179 180 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 181 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 182 os_memset(pos, 0, 2 + rrm_ie_len); 183 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 184 *pos++ = rrm_ie_len; 185 186 /* Set supported capabilites flags */ 187 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 188 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 189 190 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 191 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 192 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 193 194 if (wpa_s->lci) 195 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 196 197 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 198 wpa_s->rrm.rrm_used = 1; 199 } 200 201 202 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 203 struct wpa_bss *bss, struct wpa_ssid *ssid, 204 int start) 205 { 206 struct wpa_driver_auth_params params; 207 struct wpa_ssid *old_ssid; 208 #ifdef CONFIG_IEEE80211R 209 const u8 *ie; 210 #endif /* CONFIG_IEEE80211R */ 211 #ifdef CONFIG_IEEE80211R 212 const u8 *md = NULL; 213 #endif /* CONFIG_IEEE80211R */ 214 int i, bssid_changed; 215 struct wpabuf *resp = NULL; 216 u8 ext_capab[18]; 217 int ext_capab_len; 218 int skip_auth; 219 220 if (bss == NULL) { 221 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 222 "the network"); 223 wpas_connect_work_done(wpa_s); 224 return; 225 } 226 227 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 228 wpa_s->reassoc_same_bss; 229 wpa_s->current_bss = bss; 230 231 os_memset(¶ms, 0, sizeof(params)); 232 wpa_s->reassociate = 0; 233 234 params.freq = bss->freq; 235 params.bssid = bss->bssid; 236 params.ssid = bss->ssid; 237 params.ssid_len = bss->ssid_len; 238 params.p2p = ssid->p2p_group; 239 240 if (wpa_s->sme.ssid_len != params.ssid_len || 241 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 242 wpa_s->sme.prev_bssid_set = 0; 243 244 wpa_s->sme.freq = params.freq; 245 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 246 wpa_s->sme.ssid_len = params.ssid_len; 247 248 params.auth_alg = WPA_AUTH_ALG_OPEN; 249 #ifdef IEEE8021X_EAPOL 250 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 251 if (ssid->leap) { 252 if (ssid->non_leap == 0) 253 params.auth_alg = WPA_AUTH_ALG_LEAP; 254 else 255 params.auth_alg |= WPA_AUTH_ALG_LEAP; 256 } 257 } 258 #endif /* IEEE8021X_EAPOL */ 259 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 260 params.auth_alg); 261 if (ssid->auth_alg) { 262 params.auth_alg = ssid->auth_alg; 263 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 264 "0x%x", params.auth_alg); 265 } 266 #ifdef CONFIG_SAE 267 wpa_s->sme.sae_pmksa_caching = 0; 268 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 269 const u8 *rsn; 270 struct wpa_ie_data ied; 271 272 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 273 if (!rsn) { 274 wpa_dbg(wpa_s, MSG_DEBUG, 275 "SAE enabled, but target BSS does not advertise RSN"); 276 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 277 wpa_key_mgmt_sae(ied.key_mgmt)) { 278 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 279 params.auth_alg = WPA_AUTH_ALG_SAE; 280 } else { 281 wpa_dbg(wpa_s, MSG_DEBUG, 282 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 283 } 284 } 285 #endif /* CONFIG_SAE */ 286 287 for (i = 0; i < NUM_WEP_KEYS; i++) { 288 if (ssid->wep_key_len[i]) 289 params.wep_key[i] = ssid->wep_key[i]; 290 params.wep_key_len[i] = ssid->wep_key_len[i]; 291 } 292 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 293 294 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 295 os_memset(wpa_s->bssid, 0, ETH_ALEN); 296 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 297 if (bssid_changed) 298 wpas_notify_bssid_changed(wpa_s); 299 300 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 301 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 302 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 303 int try_opportunistic; 304 try_opportunistic = (ssid->proactive_key_caching < 0 ? 305 wpa_s->conf->okc : 306 ssid->proactive_key_caching) && 307 (ssid->proto & WPA_PROTO_RSN); 308 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 309 wpa_s->current_ssid, 310 try_opportunistic) == 0) 311 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 312 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 313 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 314 wpa_s->sme.assoc_req_ie, 315 &wpa_s->sme.assoc_req_ie_len)) { 316 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 317 "key management and encryption suites"); 318 wpas_connect_work_done(wpa_s); 319 return; 320 } 321 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 322 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 323 /* 324 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 325 * use non-WPA since the scan results did not indicate that the 326 * AP is using WPA or WPA2. 327 */ 328 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 329 wpa_s->sme.assoc_req_ie_len = 0; 330 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 331 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 332 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 333 wpa_s->sme.assoc_req_ie, 334 &wpa_s->sme.assoc_req_ie_len)) { 335 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 336 "key management and encryption suites (no " 337 "scan results)"); 338 wpas_connect_work_done(wpa_s); 339 return; 340 } 341 #ifdef CONFIG_WPS 342 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 343 struct wpabuf *wps_ie; 344 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 345 if (wps_ie && wpabuf_len(wps_ie) <= 346 sizeof(wpa_s->sme.assoc_req_ie)) { 347 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 348 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 349 wpa_s->sme.assoc_req_ie_len); 350 } else 351 wpa_s->sme.assoc_req_ie_len = 0; 352 wpabuf_free(wps_ie); 353 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 354 #endif /* CONFIG_WPS */ 355 } else { 356 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 357 wpa_s->sme.assoc_req_ie_len = 0; 358 } 359 360 #ifdef CONFIG_IEEE80211R 361 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 362 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 363 md = ie + 2; 364 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 365 if (md) { 366 /* Prepare for the next transition */ 367 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 368 } 369 370 if (md && wpa_key_mgmt_ft(ssid->key_mgmt)) { 371 if (wpa_s->sme.assoc_req_ie_len + 5 < 372 sizeof(wpa_s->sme.assoc_req_ie)) { 373 struct rsn_mdie *mdie; 374 u8 *pos = wpa_s->sme.assoc_req_ie + 375 wpa_s->sme.assoc_req_ie_len; 376 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 377 *pos++ = sizeof(*mdie); 378 mdie = (struct rsn_mdie *) pos; 379 os_memcpy(mdie->mobility_domain, md, 380 MOBILITY_DOMAIN_ID_LEN); 381 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 382 wpa_s->sme.assoc_req_ie_len += 5; 383 } 384 385 if (wpa_s->sme.ft_used && 386 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 387 wpa_sm_has_ptk(wpa_s->wpa)) { 388 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 389 "over-the-air"); 390 params.auth_alg = WPA_AUTH_ALG_FT; 391 params.ie = wpa_s->sme.ft_ies; 392 params.ie_len = wpa_s->sme.ft_ies_len; 393 } 394 } 395 #endif /* CONFIG_IEEE80211R */ 396 397 #ifdef CONFIG_IEEE80211W 398 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 399 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 400 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 401 struct wpa_ie_data _ie; 402 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 403 _ie.capabilities & 404 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 405 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 406 "MFP: require MFP"); 407 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 408 } 409 } 410 #endif /* CONFIG_IEEE80211W */ 411 412 #ifdef CONFIG_P2P 413 if (wpa_s->global->p2p) { 414 u8 *pos; 415 size_t len; 416 int res; 417 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 418 len = sizeof(wpa_s->sme.assoc_req_ie) - 419 wpa_s->sme.assoc_req_ie_len; 420 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 421 ssid->p2p_group); 422 if (res >= 0) 423 wpa_s->sme.assoc_req_ie_len += res; 424 } 425 #endif /* CONFIG_P2P */ 426 427 #ifdef CONFIG_FST 428 if (wpa_s->fst_ies) { 429 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 430 431 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 432 sizeof(wpa_s->sme.assoc_req_ie)) { 433 os_memcpy(wpa_s->sme.assoc_req_ie + 434 wpa_s->sme.assoc_req_ie_len, 435 wpabuf_head(wpa_s->fst_ies), 436 fst_ies_len); 437 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 438 } 439 } 440 #endif /* CONFIG_FST */ 441 442 sme_auth_handle_rrm(wpa_s, bss); 443 444 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 445 wpa_s, bss->freq, 446 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 447 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 448 449 if (params.p2p) 450 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 451 else 452 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 453 454 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 455 sizeof(ext_capab)); 456 if (ext_capab_len > 0) { 457 u8 *pos = wpa_s->sme.assoc_req_ie; 458 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 459 pos += 2 + pos[1]; 460 os_memmove(pos + ext_capab_len, pos, 461 wpa_s->sme.assoc_req_ie_len - 462 (pos - wpa_s->sme.assoc_req_ie)); 463 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 464 os_memcpy(pos, ext_capab, ext_capab_len); 465 } 466 467 #ifdef CONFIG_HS20 468 if (is_hs20_network(wpa_s, ssid, bss)) { 469 struct wpabuf *hs20; 470 471 hs20 = wpabuf_alloc(20); 472 if (hs20) { 473 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 474 size_t len; 475 476 wpas_hs20_add_indication(hs20, pps_mo_id); 477 len = sizeof(wpa_s->sme.assoc_req_ie) - 478 wpa_s->sme.assoc_req_ie_len; 479 if (wpabuf_len(hs20) <= len) { 480 os_memcpy(wpa_s->sme.assoc_req_ie + 481 wpa_s->sme.assoc_req_ie_len, 482 wpabuf_head(hs20), wpabuf_len(hs20)); 483 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 484 } 485 wpabuf_free(hs20); 486 } 487 } 488 #endif /* CONFIG_HS20 */ 489 490 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 491 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 492 size_t len; 493 494 len = sizeof(wpa_s->sme.assoc_req_ie) - 495 wpa_s->sme.assoc_req_ie_len; 496 if (wpabuf_len(buf) <= len) { 497 os_memcpy(wpa_s->sme.assoc_req_ie + 498 wpa_s->sme.assoc_req_ie_len, 499 wpabuf_head(buf), wpabuf_len(buf)); 500 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 501 } 502 } 503 504 #ifdef CONFIG_MBO 505 if (wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE)) { 506 int len; 507 508 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 509 wpa_s->sme.assoc_req_ie_len, 510 sizeof(wpa_s->sme.assoc_req_ie) - 511 wpa_s->sme.assoc_req_ie_len); 512 if (len >= 0) 513 wpa_s->sme.assoc_req_ie_len += len; 514 } 515 #endif /* CONFIG_MBO */ 516 517 #ifdef CONFIG_SAE 518 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 519 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0) == 0) 520 { 521 wpa_dbg(wpa_s, MSG_DEBUG, 522 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 523 params.auth_alg = WPA_AUTH_ALG_OPEN; 524 wpa_s->sme.sae_pmksa_caching = 1; 525 } 526 527 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 528 if (start) 529 resp = sme_auth_build_sae_commit(wpa_s, ssid, 530 bss->bssid); 531 else 532 resp = sme_auth_build_sae_confirm(wpa_s); 533 if (resp == NULL) { 534 wpas_connection_failed(wpa_s, bss->bssid); 535 return; 536 } 537 params.auth_data = wpabuf_head(resp); 538 params.auth_data_len = wpabuf_len(resp); 539 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 540 } 541 #endif /* CONFIG_SAE */ 542 543 old_ssid = wpa_s->current_ssid; 544 wpa_s->current_ssid = ssid; 545 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 546 wpa_supplicant_initiate_eapol(wpa_s); 547 548 #ifdef CONFIG_FILS 549 /* TODO: FILS operations can in some cases be done between different 550 * network_ctx (i.e., same credentials can be used with multiple 551 * networks). */ 552 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 553 wpa_key_mgmt_fils(ssid->key_mgmt)) { 554 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 555 ssid, 0) == 0) 556 wpa_printf(MSG_DEBUG, 557 "SME: Try to use FILS with PMKSA caching"); 558 resp = fils_build_auth(wpa_s->wpa); 559 if (resp) { 560 params.auth_alg = WPA_AUTH_ALG_FILS; 561 params.auth_data = wpabuf_head(resp); 562 params.auth_data_len = wpabuf_len(resp); 563 wpa_s->sme.auth_alg = WPA_AUTH_ALG_FILS; 564 } 565 } 566 #endif /* CONFIG_FILS */ 567 568 wpa_supplicant_cancel_sched_scan(wpa_s); 569 wpa_supplicant_cancel_scan(wpa_s); 570 571 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 572 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 573 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 574 575 wpa_clear_keys(wpa_s, bss->bssid); 576 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 577 if (old_ssid != wpa_s->current_ssid) 578 wpas_notify_network_changed(wpa_s); 579 580 #ifdef CONFIG_HS20 581 hs20_configure_frame_filters(wpa_s); 582 #endif /* CONFIG_HS20 */ 583 584 #ifdef CONFIG_P2P 585 /* 586 * If multi-channel concurrency is not supported, check for any 587 * frequency conflict. In case of any frequency conflict, remove the 588 * least prioritized connection. 589 */ 590 if (wpa_s->num_multichan_concurrent < 2) { 591 int freq, num; 592 num = get_shared_radio_freqs(wpa_s, &freq, 1); 593 if (num > 0 && freq > 0 && freq != params.freq) { 594 wpa_printf(MSG_DEBUG, 595 "Conflicting frequency found (%d != %d)", 596 freq, params.freq); 597 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 598 params.freq, 599 ssid) < 0) { 600 wpas_connection_failed(wpa_s, bss->bssid); 601 wpa_supplicant_mark_disassoc(wpa_s); 602 wpabuf_free(resp); 603 wpas_connect_work_done(wpa_s); 604 return; 605 } 606 } 607 } 608 #endif /* CONFIG_P2P */ 609 610 if (skip_auth) { 611 wpa_msg(wpa_s, MSG_DEBUG, 612 "SME: Skip authentication step on reassoc-to-same-BSS"); 613 wpabuf_free(resp); 614 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 615 return; 616 } 617 618 619 wpa_s->sme.auth_alg = params.auth_alg; 620 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 621 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 622 "driver failed"); 623 wpas_connection_failed(wpa_s, bss->bssid); 624 wpa_supplicant_mark_disassoc(wpa_s); 625 wpabuf_free(resp); 626 wpas_connect_work_done(wpa_s); 627 return; 628 } 629 630 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 631 NULL); 632 633 /* 634 * Association will be started based on the authentication event from 635 * the driver. 636 */ 637 638 wpabuf_free(resp); 639 } 640 641 642 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 643 { 644 struct wpa_connect_work *cwork = work->ctx; 645 struct wpa_supplicant *wpa_s = work->wpa_s; 646 647 if (deinit) { 648 if (work->started) 649 wpa_s->connect_work = NULL; 650 651 wpas_connect_work_free(cwork); 652 return; 653 } 654 655 wpa_s->connect_work = work; 656 657 if (cwork->bss_removed || 658 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 659 wpas_network_disabled(wpa_s, cwork->ssid)) { 660 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 661 wpas_connect_work_done(wpa_s); 662 return; 663 } 664 665 /* Starting new connection, so clear the possibly used WPA IE from the 666 * previous association. */ 667 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 668 669 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 670 } 671 672 673 void sme_authenticate(struct wpa_supplicant *wpa_s, 674 struct wpa_bss *bss, struct wpa_ssid *ssid) 675 { 676 struct wpa_connect_work *cwork; 677 678 if (bss == NULL || ssid == NULL) 679 return; 680 if (wpa_s->connect_work) { 681 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 682 return; 683 } 684 685 if (radio_work_pending(wpa_s, "sme-connect")) { 686 /* 687 * The previous sme-connect work might no longer be valid due to 688 * the fact that the BSS list was updated. In addition, it makes 689 * sense to adhere to the 'newer' decision. 690 */ 691 wpa_dbg(wpa_s, MSG_DEBUG, 692 "SME: Remove previous pending sme-connect"); 693 radio_remove_works(wpa_s, "sme-connect", 0); 694 } 695 696 wpas_abort_ongoing_scan(wpa_s); 697 698 cwork = os_zalloc(sizeof(*cwork)); 699 if (cwork == NULL) 700 return; 701 cwork->bss = bss; 702 cwork->ssid = ssid; 703 cwork->sme = 1; 704 705 #ifdef CONFIG_SAE 706 wpa_s->sme.sae.state = SAE_NOTHING; 707 wpa_s->sme.sae.send_confirm = 0; 708 wpa_s->sme.sae_group_index = 0; 709 #endif /* CONFIG_SAE */ 710 711 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 712 sme_auth_start_cb, cwork) < 0) 713 wpas_connect_work_free(cwork); 714 } 715 716 717 #ifdef CONFIG_SAE 718 719 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 720 u16 status_code, const u8 *data, size_t len) 721 { 722 int *groups; 723 724 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 725 "status code %u", auth_transaction, status_code); 726 727 if (auth_transaction == 1 && 728 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 729 wpa_s->sme.sae.state == SAE_COMMITTED && 730 wpa_s->current_bss && wpa_s->current_ssid) { 731 int default_groups[] = { 19, 20, 21, 25, 26, 0 }; 732 u16 group; 733 734 groups = wpa_s->conf->sae_groups; 735 if (!groups || groups[0] <= 0) 736 groups = default_groups; 737 738 if (len < sizeof(le16)) { 739 wpa_dbg(wpa_s, MSG_DEBUG, 740 "SME: Too short SAE anti-clogging token request"); 741 return -1; 742 } 743 group = WPA_GET_LE16(data); 744 wpa_dbg(wpa_s, MSG_DEBUG, 745 "SME: SAE anti-clogging token requested (group %u)", 746 group); 747 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 748 WLAN_STATUS_SUCCESS) { 749 wpa_dbg(wpa_s, MSG_ERROR, 750 "SME: SAE group %u of anti-clogging request is invalid", 751 group); 752 return -1; 753 } 754 wpabuf_free(wpa_s->sme.sae_token); 755 wpa_s->sme.sae_token = wpabuf_alloc_copy(data + sizeof(le16), 756 len - sizeof(le16)); 757 sme_send_authentication(wpa_s, wpa_s->current_bss, 758 wpa_s->current_ssid, 1); 759 return 0; 760 } 761 762 if (auth_transaction == 1 && 763 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 764 wpa_s->sme.sae.state == SAE_COMMITTED && 765 wpa_s->current_bss && wpa_s->current_ssid) { 766 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 767 wpa_s->sme.sae_group_index++; 768 if (sme_set_sae_group(wpa_s) < 0) 769 return -1; /* no other groups enabled */ 770 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 771 sme_send_authentication(wpa_s, wpa_s->current_bss, 772 wpa_s->current_ssid, 1); 773 return 0; 774 } 775 776 if (status_code != WLAN_STATUS_SUCCESS) 777 return -1; 778 779 if (auth_transaction == 1) { 780 u16 res; 781 782 groups = wpa_s->conf->sae_groups; 783 784 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 785 if (wpa_s->current_bss == NULL || 786 wpa_s->current_ssid == NULL) 787 return -1; 788 if (wpa_s->sme.sae.state != SAE_COMMITTED) 789 return -1; 790 if (groups && groups[0] <= 0) 791 groups = NULL; 792 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 793 groups); 794 if (res == SAE_SILENTLY_DISCARD) { 795 wpa_printf(MSG_DEBUG, 796 "SAE: Drop commit message due to reflection attack"); 797 return 0; 798 } 799 if (res != WLAN_STATUS_SUCCESS) 800 return -1; 801 802 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 803 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 804 "commit"); 805 return -1; 806 } 807 808 wpabuf_free(wpa_s->sme.sae_token); 809 wpa_s->sme.sae_token = NULL; 810 sme_send_authentication(wpa_s, wpa_s->current_bss, 811 wpa_s->current_ssid, 0); 812 return 0; 813 } else if (auth_transaction == 2) { 814 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 815 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 816 return -1; 817 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 818 return -1; 819 wpa_s->sme.sae.state = SAE_ACCEPTED; 820 sae_clear_temp_data(&wpa_s->sme.sae); 821 return 1; 822 } 823 824 return -1; 825 } 826 #endif /* CONFIG_SAE */ 827 828 829 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 830 { 831 struct wpa_ssid *ssid = wpa_s->current_ssid; 832 833 if (ssid == NULL) { 834 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 835 "when network is not selected"); 836 return; 837 } 838 839 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 840 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 841 "when not in authenticating state"); 842 return; 843 } 844 845 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 846 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 847 "unexpected peer " MACSTR, 848 MAC2STR(data->auth.peer)); 849 return; 850 } 851 852 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 853 " auth_type=%d auth_transaction=%d status_code=%d", 854 MAC2STR(data->auth.peer), data->auth.auth_type, 855 data->auth.auth_transaction, data->auth.status_code); 856 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 857 data->auth.ies, data->auth.ies_len); 858 859 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 860 861 #ifdef CONFIG_SAE 862 if (data->auth.auth_type == WLAN_AUTH_SAE) { 863 int res; 864 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 865 data->auth.status_code, data->auth.ies, 866 data->auth.ies_len); 867 if (res < 0) { 868 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 869 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 870 871 } 872 if (res != 1) 873 return; 874 875 wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for " 876 "4-way handshake"); 877 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 878 wpa_s->sme.sae.pmkid, wpa_s->pending_bssid); 879 } 880 #endif /* CONFIG_SAE */ 881 882 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 883 char *ie_txt = NULL; 884 885 if (data->auth.ies && data->auth.ies_len) { 886 size_t buflen = 2 * data->auth.ies_len + 1; 887 ie_txt = os_malloc(buflen); 888 if (ie_txt) { 889 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 890 data->auth.ies_len); 891 } 892 } 893 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 894 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 895 MAC2STR(data->auth.peer), data->auth.auth_type, 896 data->auth.auth_transaction, data->auth.status_code, 897 ie_txt ? " ie=" : "", 898 ie_txt ? ie_txt : ""); 899 os_free(ie_txt); 900 901 if (data->auth.status_code != 902 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 903 wpa_s->sme.auth_alg == data->auth.auth_type || 904 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 905 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 906 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 907 return; 908 } 909 910 wpas_connect_work_done(wpa_s); 911 912 switch (data->auth.auth_type) { 913 case WLAN_AUTH_OPEN: 914 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 915 916 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 917 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 918 wpa_s->current_ssid); 919 return; 920 921 case WLAN_AUTH_SHARED_KEY: 922 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 923 924 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 925 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 926 wpa_s->current_ssid); 927 return; 928 929 default: 930 return; 931 } 932 } 933 934 #ifdef CONFIG_IEEE80211R 935 if (data->auth.auth_type == WLAN_AUTH_FT) { 936 const u8 *ric_ies = NULL; 937 size_t ric_ies_len = 0; 938 939 if (wpa_s->ric_ies) { 940 ric_ies = wpabuf_head(wpa_s->ric_ies); 941 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 942 } 943 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 944 data->auth.ies_len, 0, 945 data->auth.peer, 946 ric_ies, ric_ies_len) < 0) { 947 wpa_dbg(wpa_s, MSG_DEBUG, 948 "SME: FT Authentication response processing failed"); 949 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 950 MACSTR 951 " reason=%d locally_generated=1", 952 MAC2STR(wpa_s->pending_bssid), 953 WLAN_REASON_DEAUTH_LEAVING); 954 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 955 wpa_supplicant_mark_disassoc(wpa_s); 956 return; 957 } 958 } 959 #endif /* CONFIG_IEEE80211R */ 960 961 #ifdef CONFIG_FILS 962 if (data->auth.auth_type == WLAN_AUTH_FILS_SK) { 963 if (fils_process_auth(wpa_s->wpa, data->auth.ies, 964 data->auth.ies_len) < 0) { 965 wpa_dbg(wpa_s, MSG_DEBUG, 966 "SME: FILS Authentication response processing failed"); 967 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 968 MACSTR 969 " reason=%d locally_generated=1", 970 MAC2STR(wpa_s->pending_bssid), 971 WLAN_REASON_DEAUTH_LEAVING); 972 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 973 wpa_supplicant_mark_disassoc(wpa_s); 974 return; 975 } 976 } 977 #endif /* CONFIG_FILS */ 978 979 sme_associate(wpa_s, ssid->mode, data->auth.peer, 980 data->auth.auth_type); 981 } 982 983 984 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 985 const u8 *bssid, u16 auth_type) 986 { 987 struct wpa_driver_associate_params params; 988 struct ieee802_11_elems elems; 989 #ifdef CONFIG_FILS 990 u8 nonces[2 * FILS_NONCE_LEN]; 991 #endif /* CONFIG_FILS */ 992 #ifdef CONFIG_HT_OVERRIDES 993 struct ieee80211_ht_capabilities htcaps; 994 struct ieee80211_ht_capabilities htcaps_mask; 995 #endif /* CONFIG_HT_OVERRIDES */ 996 #ifdef CONFIG_VHT_OVERRIDES 997 struct ieee80211_vht_capabilities vhtcaps; 998 struct ieee80211_vht_capabilities vhtcaps_mask; 999 #endif /* CONFIG_VHT_OVERRIDES */ 1000 1001 os_memset(¶ms, 0, sizeof(params)); 1002 1003 #ifdef CONFIG_FILS 1004 if (auth_type == WLAN_AUTH_FILS_SK) { 1005 struct wpabuf *buf; 1006 const u8 *snonce, *anonce; 1007 const unsigned int max_hlp = 20; 1008 struct wpabuf *hlp[max_hlp]; 1009 unsigned int i, num_hlp = 0; 1010 struct fils_hlp_req *req; 1011 1012 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1013 list) { 1014 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1015 wpabuf_len(req->pkt)); 1016 if (!hlp[num_hlp]) 1017 break; 1018 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1019 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1020 ETH_ALEN); 1021 wpabuf_put_data(hlp[num_hlp], 1022 "\xaa\xaa\x03\x00\x00\x00", 6); 1023 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1024 num_hlp++; 1025 if (num_hlp >= max_hlp) 1026 break; 1027 } 1028 1029 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1030 ¶ms.fils_kek_len, &snonce, 1031 &anonce, 1032 (const struct wpabuf **) hlp, 1033 num_hlp); 1034 for (i = 0; i < num_hlp; i++) 1035 wpabuf_free(hlp[i]); 1036 if (!buf) 1037 return; 1038 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1039 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1040 sizeof(wpa_s->sme.assoc_req_ie)) { 1041 wpa_printf(MSG_ERROR, 1042 "FILS: Not enough buffer room for own AssocReq elements"); 1043 wpabuf_free(buf); 1044 return; 1045 } 1046 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1047 wpabuf_head(buf), wpabuf_len(buf)); 1048 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1049 wpabuf_free(buf); 1050 1051 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1052 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1053 params.fils_nonces = nonces; 1054 params.fils_nonces_len = sizeof(nonces); 1055 } 1056 #endif /* CONFIG_FILS */ 1057 1058 params.bssid = bssid; 1059 params.ssid = wpa_s->sme.ssid; 1060 params.ssid_len = wpa_s->sme.ssid_len; 1061 params.freq.freq = wpa_s->sme.freq; 1062 params.bg_scan_period = wpa_s->current_ssid ? 1063 wpa_s->current_ssid->bg_scan_period : -1; 1064 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1065 wpa_s->sme.assoc_req_ie : NULL; 1066 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1067 params.pairwise_suite = wpa_s->pairwise_cipher; 1068 params.group_suite = wpa_s->group_cipher; 1069 params.key_mgmt_suite = wpa_s->key_mgmt; 1070 params.wpa_proto = wpa_s->wpa_proto; 1071 #ifdef CONFIG_HT_OVERRIDES 1072 os_memset(&htcaps, 0, sizeof(htcaps)); 1073 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1074 params.htcaps = (u8 *) &htcaps; 1075 params.htcaps_mask = (u8 *) &htcaps_mask; 1076 wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1077 #endif /* CONFIG_HT_OVERRIDES */ 1078 #ifdef CONFIG_VHT_OVERRIDES 1079 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1080 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1081 params.vhtcaps = &vhtcaps; 1082 params.vhtcaps_mask = &vhtcaps_mask; 1083 wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1084 #endif /* CONFIG_VHT_OVERRIDES */ 1085 #ifdef CONFIG_IEEE80211R 1086 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 1087 params.wpa_ie = wpa_s->sme.ft_ies; 1088 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 1089 } 1090 #endif /* CONFIG_IEEE80211R */ 1091 params.mode = mode; 1092 params.mgmt_frame_protection = wpa_s->sme.mfp; 1093 params.rrm_used = wpa_s->rrm.rrm_used; 1094 if (wpa_s->sme.prev_bssid_set) 1095 params.prev_bssid = wpa_s->sme.prev_bssid; 1096 1097 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 1098 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 1099 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 1100 params.freq.freq); 1101 1102 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 1103 1104 if (params.wpa_ie == NULL || 1105 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 1106 < 0) { 1107 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 1108 os_memset(&elems, 0, sizeof(elems)); 1109 } 1110 if (elems.rsn_ie) { 1111 params.wpa_proto = WPA_PROTO_RSN; 1112 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 1113 elems.rsn_ie_len + 2); 1114 } else if (elems.wpa_ie) { 1115 params.wpa_proto = WPA_PROTO_WPA; 1116 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 1117 elems.wpa_ie_len + 2); 1118 } else if (elems.osen) { 1119 params.wpa_proto = WPA_PROTO_OSEN; 1120 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 1121 elems.osen_len + 2); 1122 } else 1123 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 1124 if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group) 1125 params.p2p = 1; 1126 1127 if (wpa_s->p2pdev->set_sta_uapsd) 1128 params.uapsd = wpa_s->p2pdev->sta_uapsd; 1129 else 1130 params.uapsd = -1; 1131 1132 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 1133 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 1134 "driver failed"); 1135 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1136 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1137 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1138 return; 1139 } 1140 1141 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 1142 NULL); 1143 } 1144 1145 1146 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 1147 const u8 *ies, size_t ies_len) 1148 { 1149 if (md == NULL || ies == NULL) { 1150 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 1151 os_free(wpa_s->sme.ft_ies); 1152 wpa_s->sme.ft_ies = NULL; 1153 wpa_s->sme.ft_ies_len = 0; 1154 wpa_s->sme.ft_used = 0; 1155 return 0; 1156 } 1157 1158 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 1159 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 1160 os_free(wpa_s->sme.ft_ies); 1161 wpa_s->sme.ft_ies = os_malloc(ies_len); 1162 if (wpa_s->sme.ft_ies == NULL) 1163 return -1; 1164 os_memcpy(wpa_s->sme.ft_ies, ies, ies_len); 1165 wpa_s->sme.ft_ies_len = ies_len; 1166 return 0; 1167 } 1168 1169 1170 static void sme_deauth(struct wpa_supplicant *wpa_s) 1171 { 1172 int bssid_changed; 1173 1174 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 1175 1176 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1177 WLAN_REASON_DEAUTH_LEAVING) < 0) { 1178 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 1179 "failed"); 1180 } 1181 wpa_s->sme.prev_bssid_set = 0; 1182 1183 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1184 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1185 os_memset(wpa_s->bssid, 0, ETH_ALEN); 1186 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1187 if (bssid_changed) 1188 wpas_notify_bssid_changed(wpa_s); 1189 } 1190 1191 1192 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 1193 union wpa_event_data *data) 1194 { 1195 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 1196 "status code %d", MAC2STR(wpa_s->pending_bssid), 1197 data->assoc_reject.status_code); 1198 1199 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1200 1201 #ifdef CONFIG_SAE 1202 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 1203 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 1204 wpa_dbg(wpa_s, MSG_DEBUG, 1205 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 1206 wpa_sm_aborted_cached(wpa_s->wpa); 1207 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 1208 if (wpa_s->current_bss) { 1209 struct wpa_bss *bss = wpa_s->current_bss; 1210 struct wpa_ssid *ssid = wpa_s->current_ssid; 1211 1212 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1213 WLAN_REASON_DEAUTH_LEAVING); 1214 wpas_connect_work_done(wpa_s); 1215 wpa_supplicant_mark_disassoc(wpa_s); 1216 wpa_supplicant_connect(wpa_s, bss, ssid); 1217 return; 1218 } 1219 } 1220 #endif /* CONFIG_SAE */ 1221 1222 /* 1223 * For now, unconditionally terminate the previous authentication. In 1224 * theory, this should not be needed, but mac80211 gets quite confused 1225 * if the authentication is left pending.. Some roaming cases might 1226 * benefit from using the previous authentication, so this could be 1227 * optimized in the future. 1228 */ 1229 sme_deauth(wpa_s); 1230 } 1231 1232 1233 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 1234 union wpa_event_data *data) 1235 { 1236 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 1237 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1238 wpa_supplicant_mark_disassoc(wpa_s); 1239 } 1240 1241 1242 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 1243 union wpa_event_data *data) 1244 { 1245 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 1246 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1247 wpa_supplicant_mark_disassoc(wpa_s); 1248 } 1249 1250 1251 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 1252 struct disassoc_info *info) 1253 { 1254 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 1255 if (wpa_s->sme.prev_bssid_set) { 1256 /* 1257 * cfg80211/mac80211 can get into somewhat confused state if 1258 * the AP only disassociates us and leaves us in authenticated 1259 * state. For now, force the state to be cleared to avoid 1260 * confusing errors if we try to associate with the AP again. 1261 */ 1262 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 1263 "driver state"); 1264 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 1265 WLAN_REASON_DEAUTH_LEAVING); 1266 } 1267 } 1268 1269 1270 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 1271 { 1272 struct wpa_supplicant *wpa_s = eloop_ctx; 1273 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 1274 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 1275 sme_deauth(wpa_s); 1276 } 1277 } 1278 1279 1280 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 1281 { 1282 struct wpa_supplicant *wpa_s = eloop_ctx; 1283 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 1284 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 1285 sme_deauth(wpa_s); 1286 } 1287 } 1288 1289 1290 void sme_state_changed(struct wpa_supplicant *wpa_s) 1291 { 1292 /* Make sure timers are cleaned up appropriately. */ 1293 if (wpa_s->wpa_state != WPA_ASSOCIATING) 1294 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1295 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 1296 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1297 } 1298 1299 1300 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 1301 const u8 *prev_pending_bssid) 1302 { 1303 /* 1304 * mac80211-workaround to force deauth on failed auth cmd, 1305 * requires us to remain in authenticating state to allow the 1306 * second authentication attempt to be continued properly. 1307 */ 1308 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 1309 "to proceed after disconnection event"); 1310 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 1311 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 1312 1313 /* 1314 * Re-arm authentication timer in case auth fails for whatever reason. 1315 */ 1316 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1317 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 1318 NULL); 1319 } 1320 1321 1322 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 1323 { 1324 wpa_s->sme.prev_bssid_set = 0; 1325 #ifdef CONFIG_SAE 1326 wpabuf_free(wpa_s->sme.sae_token); 1327 wpa_s->sme.sae_token = NULL; 1328 sae_clear_data(&wpa_s->sme.sae); 1329 #endif /* CONFIG_SAE */ 1330 #ifdef CONFIG_IEEE80211R 1331 if (wpa_s->sme.ft_ies) 1332 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 1333 #endif /* CONFIG_IEEE80211R */ 1334 } 1335 1336 1337 void sme_deinit(struct wpa_supplicant *wpa_s) 1338 { 1339 os_free(wpa_s->sme.ft_ies); 1340 wpa_s->sme.ft_ies = NULL; 1341 wpa_s->sme.ft_ies_len = 0; 1342 #ifdef CONFIG_IEEE80211W 1343 sme_stop_sa_query(wpa_s); 1344 #endif /* CONFIG_IEEE80211W */ 1345 sme_clear_on_disassoc(wpa_s); 1346 1347 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1348 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1349 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 1350 } 1351 1352 1353 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 1354 const u8 *chan_list, u8 num_channels, 1355 u8 num_intol) 1356 { 1357 struct ieee80211_2040_bss_coex_ie *bc_ie; 1358 struct ieee80211_2040_intol_chan_report *ic_report; 1359 struct wpabuf *buf; 1360 1361 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 1362 " (num_channels=%u num_intol=%u)", 1363 MAC2STR(wpa_s->bssid), num_channels, num_intol); 1364 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 1365 chan_list, num_channels); 1366 1367 buf = wpabuf_alloc(2 + /* action.category + action_code */ 1368 sizeof(struct ieee80211_2040_bss_coex_ie) + 1369 sizeof(struct ieee80211_2040_intol_chan_report) + 1370 num_channels); 1371 if (buf == NULL) 1372 return; 1373 1374 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 1375 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 1376 1377 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 1378 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 1379 bc_ie->length = 1; 1380 if (num_intol) 1381 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 1382 1383 if (num_channels > 0) { 1384 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 1385 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 1386 ic_report->length = num_channels + 1; 1387 ic_report->op_class = 0; 1388 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 1389 num_channels); 1390 } 1391 1392 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 1393 wpa_s->own_addr, wpa_s->bssid, 1394 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 1395 wpa_msg(wpa_s, MSG_INFO, 1396 "SME: Failed to send 20/40 BSS Coexistence frame"); 1397 } 1398 1399 wpabuf_free(buf); 1400 } 1401 1402 1403 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s) 1404 { 1405 struct wpa_bss *bss; 1406 const u8 *ie; 1407 u16 ht_cap; 1408 u8 chan_list[P2P_MAX_CHANNELS], channel; 1409 u8 num_channels = 0, num_intol = 0, i; 1410 1411 if (!wpa_s->sme.sched_obss_scan) 1412 return 0; 1413 1414 wpa_s->sme.sched_obss_scan = 0; 1415 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 1416 return 1; 1417 1418 /* 1419 * Check whether AP uses regulatory triplet or channel triplet in 1420 * country info. Right now the operating class of the BSS channel 1421 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 1422 * based on the assumption that operating class triplet is not used in 1423 * beacon frame. If the First Channel Number/Operating Extension 1424 * Identifier octet has a positive integer value of 201 or greater, 1425 * then its operating class triplet. 1426 * 1427 * TODO: If Supported Operating Classes element is present in beacon 1428 * frame, have to lookup operating class in Annex E and fill them in 1429 * 2040 coex frame. 1430 */ 1431 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 1432 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 1433 return 1; 1434 1435 os_memset(chan_list, 0, sizeof(chan_list)); 1436 1437 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 1438 /* Skip other band bss */ 1439 enum hostapd_hw_mode mode; 1440 mode = ieee80211_freq_to_chan(bss->freq, &channel); 1441 if (mode != HOSTAPD_MODE_IEEE80211G && 1442 mode != HOSTAPD_MODE_IEEE80211B) 1443 continue; 1444 1445 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP); 1446 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0; 1447 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR 1448 " freq=%u chan=%u ht_cap=0x%x", 1449 MAC2STR(bss->bssid), bss->freq, channel, ht_cap); 1450 1451 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) { 1452 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT) 1453 num_intol++; 1454 1455 /* Check whether the channel is already considered */ 1456 for (i = 0; i < num_channels; i++) { 1457 if (channel == chan_list[i]) 1458 break; 1459 } 1460 if (i != num_channels) 1461 continue; 1462 1463 chan_list[num_channels++] = channel; 1464 } 1465 } 1466 1467 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 1468 return 1; 1469 } 1470 1471 1472 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 1473 struct wpa_driver_scan_params *params) 1474 { 1475 /* Include only affected channels */ 1476 struct hostapd_hw_modes *mode; 1477 int count, i; 1478 int start, end; 1479 1480 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 1481 HOSTAPD_MODE_IEEE80211G); 1482 if (mode == NULL) { 1483 /* No channels supported in this band - use empty list */ 1484 params->freqs = os_zalloc(sizeof(int)); 1485 return; 1486 } 1487 1488 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 1489 wpa_s->current_bss) { 1490 const u8 *ie; 1491 1492 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 1493 if (ie && ie[1] >= 2) { 1494 u8 o; 1495 1496 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 1497 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 1498 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 1499 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 1500 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 1501 } 1502 } 1503 1504 start = wpa_s->assoc_freq - 10; 1505 end = wpa_s->assoc_freq + 10; 1506 switch (wpa_s->sme.ht_sec_chan) { 1507 case HT_SEC_CHAN_UNKNOWN: 1508 /* HT40+ possible on channels 1..9 */ 1509 if (wpa_s->assoc_freq <= 2452) 1510 start -= 20; 1511 /* HT40- possible on channels 5-13 */ 1512 if (wpa_s->assoc_freq >= 2432) 1513 end += 20; 1514 break; 1515 case HT_SEC_CHAN_ABOVE: 1516 end += 20; 1517 break; 1518 case HT_SEC_CHAN_BELOW: 1519 start -= 20; 1520 break; 1521 } 1522 wpa_printf(MSG_DEBUG, 1523 "OBSS: assoc_freq %d possible affected range %d-%d", 1524 wpa_s->assoc_freq, start, end); 1525 1526 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 1527 if (params->freqs == NULL) 1528 return; 1529 for (count = 0, i = 0; i < mode->num_channels; i++) { 1530 int freq; 1531 1532 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 1533 continue; 1534 freq = mode->channels[i].freq; 1535 if (freq - 10 >= end || freq + 10 <= start) 1536 continue; /* not affected */ 1537 params->freqs[count++] = freq; 1538 } 1539 } 1540 1541 1542 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 1543 { 1544 struct wpa_supplicant *wpa_s = eloop_ctx; 1545 struct wpa_driver_scan_params params; 1546 1547 if (!wpa_s->current_bss) { 1548 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 1549 return; 1550 } 1551 1552 os_memset(¶ms, 0, sizeof(params)); 1553 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 1554 params.low_priority = 1; 1555 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 1556 1557 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 1558 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 1559 else 1560 wpa_s->sme.sched_obss_scan = 1; 1561 os_free(params.freqs); 1562 1563 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 1564 sme_obss_scan_timeout, wpa_s, NULL); 1565 } 1566 1567 1568 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 1569 { 1570 const u8 *ie; 1571 struct wpa_bss *bss = wpa_s->current_bss; 1572 struct wpa_ssid *ssid = wpa_s->current_ssid; 1573 struct hostapd_hw_modes *hw_mode = NULL; 1574 int i; 1575 1576 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 1577 wpa_s->sme.sched_obss_scan = 0; 1578 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 1579 if (!enable) 1580 return; 1581 1582 /* 1583 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 1584 * or it expects OBSS scan to be performed by wpa_supplicant. 1585 */ 1586 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 1587 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 1588 ssid == NULL || ssid->mode != IEEE80211_MODE_INFRA) 1589 return; 1590 1591 if (!wpa_s->hw.modes) 1592 return; 1593 1594 /* only HT caps in 11g mode are relevant */ 1595 for (i = 0; i < wpa_s->hw.num_modes; i++) { 1596 hw_mode = &wpa_s->hw.modes[i]; 1597 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 1598 break; 1599 } 1600 1601 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 1602 if (i == wpa_s->hw.num_modes || !hw_mode || 1603 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 1604 return; 1605 1606 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 1607 return; /* Not associated on 2.4 GHz band */ 1608 1609 /* Check whether AP supports HT40 */ 1610 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 1611 if (!ie || ie[1] < 2 || 1612 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 1613 return; /* AP does not support HT40 */ 1614 1615 ie = wpa_bss_get_ie(wpa_s->current_bss, 1616 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 1617 if (!ie || ie[1] < 14) 1618 return; /* AP does not request OBSS scans */ 1619 1620 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 1621 if (wpa_s->sme.obss_scan_int < 10) { 1622 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 1623 "replaced with the minimum 10 sec", 1624 wpa_s->sme.obss_scan_int); 1625 wpa_s->sme.obss_scan_int = 10; 1626 } 1627 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 1628 wpa_s->sme.obss_scan_int); 1629 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 1630 sme_obss_scan_timeout, wpa_s, NULL); 1631 } 1632 1633 1634 #ifdef CONFIG_IEEE80211W 1635 1636 static const unsigned int sa_query_max_timeout = 1000; 1637 static const unsigned int sa_query_retry_timeout = 201; 1638 1639 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 1640 { 1641 u32 tu; 1642 struct os_reltime now, passed; 1643 os_get_reltime(&now); 1644 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 1645 tu = (passed.sec * 1000000 + passed.usec) / 1024; 1646 if (sa_query_max_timeout < tu) { 1647 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 1648 sme_stop_sa_query(wpa_s); 1649 wpa_supplicant_deauthenticate( 1650 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 1651 return 1; 1652 } 1653 1654 return 0; 1655 } 1656 1657 1658 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 1659 const u8 *trans_id) 1660 { 1661 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN]; 1662 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 1663 MACSTR, MAC2STR(wpa_s->bssid)); 1664 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 1665 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 1666 req[0] = WLAN_ACTION_SA_QUERY; 1667 req[1] = WLAN_SA_QUERY_REQUEST; 1668 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 1669 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 1670 wpa_s->own_addr, wpa_s->bssid, 1671 req, sizeof(req), 0) < 0) 1672 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 1673 "Request"); 1674 } 1675 1676 1677 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 1678 { 1679 struct wpa_supplicant *wpa_s = eloop_ctx; 1680 unsigned int timeout, sec, usec; 1681 u8 *trans_id, *nbuf; 1682 1683 if (wpa_s->sme.sa_query_count > 0 && 1684 sme_check_sa_query_timeout(wpa_s)) 1685 return; 1686 1687 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 1688 wpa_s->sme.sa_query_count + 1, 1689 WLAN_SA_QUERY_TR_ID_LEN); 1690 if (nbuf == NULL) { 1691 sme_stop_sa_query(wpa_s); 1692 return; 1693 } 1694 if (wpa_s->sme.sa_query_count == 0) { 1695 /* Starting a new SA Query procedure */ 1696 os_get_reltime(&wpa_s->sme.sa_query_start); 1697 } 1698 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 1699 wpa_s->sme.sa_query_trans_id = nbuf; 1700 wpa_s->sme.sa_query_count++; 1701 1702 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 1703 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 1704 sme_stop_sa_query(wpa_s); 1705 return; 1706 } 1707 1708 timeout = sa_query_retry_timeout; 1709 sec = ((timeout / 1000) * 1024) / 1000; 1710 usec = (timeout % 1000) * 1024; 1711 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 1712 1713 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 1714 wpa_s->sme.sa_query_count); 1715 1716 sme_send_sa_query_req(wpa_s, trans_id); 1717 } 1718 1719 1720 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 1721 { 1722 sme_sa_query_timer(wpa_s, NULL); 1723 } 1724 1725 1726 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 1727 { 1728 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 1729 os_free(wpa_s->sme.sa_query_trans_id); 1730 wpa_s->sme.sa_query_trans_id = NULL; 1731 wpa_s->sme.sa_query_count = 0; 1732 } 1733 1734 1735 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 1736 const u8 *da, u16 reason_code) 1737 { 1738 struct wpa_ssid *ssid; 1739 struct os_reltime now; 1740 1741 if (wpa_s->wpa_state != WPA_COMPLETED) 1742 return; 1743 ssid = wpa_s->current_ssid; 1744 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 1745 return; 1746 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 1747 return; 1748 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 1749 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 1750 return; 1751 if (wpa_s->sme.sa_query_count > 0) 1752 return; 1753 1754 os_get_reltime(&now); 1755 if (wpa_s->sme.last_unprot_disconnect.sec && 1756 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 1757 return; /* limit SA Query procedure frequency */ 1758 wpa_s->sme.last_unprot_disconnect = now; 1759 1760 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 1761 "possible AP/STA state mismatch - trigger SA Query"); 1762 sme_start_sa_query(wpa_s); 1763 } 1764 1765 1766 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa, 1767 const u8 *data, size_t len) 1768 { 1769 int i; 1770 1771 if (wpa_s->sme.sa_query_trans_id == NULL || 1772 len < 1 + WLAN_SA_QUERY_TR_ID_LEN || 1773 data[0] != WLAN_SA_QUERY_RESPONSE) 1774 return; 1775 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 1776 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 1777 1778 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 1779 return; 1780 1781 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 1782 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 1783 i * WLAN_SA_QUERY_TR_ID_LEN, 1784 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 1785 break; 1786 } 1787 1788 if (i >= wpa_s->sme.sa_query_count) { 1789 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 1790 "transaction identifier found"); 1791 return; 1792 } 1793 1794 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 1795 "from " MACSTR, MAC2STR(sa)); 1796 sme_stop_sa_query(wpa_s); 1797 } 1798 1799 #endif /* CONFIG_IEEE80211W */ 1800
