1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "eapol_supp/eapol_supp_sm.h" 16 #include "common/wpa_common.h" 17 #include "common/sae.h" 18 #include "rsn_supp/wpa.h" 19 #include "rsn_supp/pmksa_cache.h" 20 #include "config.h" 21 #include "wpa_supplicant_i.h" 22 #include "driver_i.h" 23 #include "wpas_glue.h" 24 #include "wps_supplicant.h" 25 #include "p2p_supplicant.h" 26 #include "notify.h" 27 #include "bss.h" 28 #include "scan.h" 29 #include "sme.h" 30 #include "hs20_supplicant.h" 31 32 #define SME_AUTH_TIMEOUT 5 33 #define SME_ASSOC_TIMEOUT 5 34 35 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 36 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 37 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 38 #ifdef CONFIG_IEEE80211W 39 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 40 #endif /* CONFIG_IEEE80211W */ 41 42 43 #ifdef CONFIG_SAE 44 45 static int index_within_array(const int *array, int idx) 46 { 47 int i; 48 for (i = 0; i < idx; i++) { 49 if (array[i] <= 0) 50 return 0; 51 } 52 return 1; 53 } 54 55 56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 57 { 58 int *groups = wpa_s->conf->sae_groups; 59 int default_groups[] = { 19, 20, 21, 25, 26, 0 }; 60 61 if (!groups || groups[0] <= 0) 62 groups = default_groups; 63 64 /* Configuration may have changed, so validate current index */ 65 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 66 return -1; 67 68 for (;;) { 69 int group = groups[wpa_s->sme.sae_group_index]; 70 if (group <= 0) 71 break; 72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 74 wpa_s->sme.sae.group); 75 return 0; 76 } 77 wpa_s->sme.sae_group_index++; 78 } 79 80 return -1; 81 } 82 83 84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 85 struct wpa_ssid *ssid, 86 const u8 *bssid) 87 { 88 struct wpabuf *buf; 89 size_t len; 90 const char *password; 91 92 #ifdef CONFIG_TESTING_OPTIONS 93 if (wpa_s->sae_commit_override) { 94 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 95 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); 96 if (!buf) 97 return NULL; 98 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 99 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 100 wpabuf_put_buf(buf, wpa_s->sae_commit_override); 101 return buf; 102 } 103 #endif /* CONFIG_TESTING_OPTIONS */ 104 105 password = ssid->sae_password; 106 if (!password) 107 password = ssid->passphrase; 108 if (!password) { 109 wpa_printf(MSG_DEBUG, "SAE: No password available"); 110 return NULL; 111 } 112 113 if (sme_set_sae_group(wpa_s) < 0) { 114 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 115 return NULL; 116 } 117 118 if (sae_prepare_commit(wpa_s->own_addr, bssid, 119 (u8 *) password, os_strlen(password), 120 &wpa_s->sme.sae) < 0) { 121 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 122 return NULL; 123 } 124 125 len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0; 126 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 127 if (buf == NULL) 128 return NULL; 129 130 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 131 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 132 sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token); 133 134 return buf; 135 } 136 137 138 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s) 139 { 140 struct wpabuf *buf; 141 142 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 143 if (buf == NULL) 144 return NULL; 145 146 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 147 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 148 sae_write_confirm(&wpa_s->sme.sae, buf); 149 150 return buf; 151 } 152 153 #endif /* CONFIG_SAE */ 154 155 156 /** 157 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 158 * @wpa_s: Pointer to wpa_supplicant data 159 * @bss: Pointer to the bss which is the target of authentication attempt 160 */ 161 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 162 struct wpa_bss *bss) 163 { 164 const u8 rrm_ie_len = 5; 165 u8 *pos; 166 const u8 *rrm_ie; 167 168 wpa_s->rrm.rrm_used = 0; 169 170 wpa_printf(MSG_DEBUG, 171 "RRM: Determining whether RRM can be used - device support: 0x%x", 172 wpa_s->drv_rrm_flags); 173 174 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 175 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 176 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 177 return; 178 } 179 180 if (!((wpa_s->drv_rrm_flags & 181 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 182 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 183 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 184 wpa_printf(MSG_DEBUG, 185 "RRM: Insufficient RRM support in driver - do not use RRM"); 186 return; 187 } 188 189 if (sizeof(wpa_s->sme.assoc_req_ie) < 190 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 191 wpa_printf(MSG_INFO, 192 "RRM: Unable to use RRM, no room for RRM IE"); 193 return; 194 } 195 196 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 197 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 198 os_memset(pos, 0, 2 + rrm_ie_len); 199 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 200 *pos++ = rrm_ie_len; 201 202 /* Set supported capabilites flags */ 203 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 204 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 205 206 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 207 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 208 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 209 210 if (wpa_s->lci) 211 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 212 213 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 214 wpa_s->rrm.rrm_used = 1; 215 } 216 217 218 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 219 struct wpa_bss *bss, struct wpa_ssid *ssid, 220 int start) 221 { 222 struct wpa_driver_auth_params params; 223 struct wpa_ssid *old_ssid; 224 #ifdef CONFIG_IEEE80211R 225 const u8 *ie; 226 #endif /* CONFIG_IEEE80211R */ 227 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 228 const u8 *md = NULL; 229 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 230 int i, bssid_changed; 231 struct wpabuf *resp = NULL; 232 u8 ext_capab[18]; 233 int ext_capab_len; 234 int skip_auth; 235 236 if (bss == NULL) { 237 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 238 "the network"); 239 wpas_connect_work_done(wpa_s); 240 return; 241 } 242 243 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 244 wpa_s->reassoc_same_bss; 245 wpa_s->current_bss = bss; 246 247 os_memset(¶ms, 0, sizeof(params)); 248 wpa_s->reassociate = 0; 249 250 params.freq = bss->freq; 251 params.bssid = bss->bssid; 252 params.ssid = bss->ssid; 253 params.ssid_len = bss->ssid_len; 254 params.p2p = ssid->p2p_group; 255 256 if (wpa_s->sme.ssid_len != params.ssid_len || 257 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 258 wpa_s->sme.prev_bssid_set = 0; 259 260 wpa_s->sme.freq = params.freq; 261 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 262 wpa_s->sme.ssid_len = params.ssid_len; 263 264 params.auth_alg = WPA_AUTH_ALG_OPEN; 265 #ifdef IEEE8021X_EAPOL 266 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 267 if (ssid->leap) { 268 if (ssid->non_leap == 0) 269 params.auth_alg = WPA_AUTH_ALG_LEAP; 270 else 271 params.auth_alg |= WPA_AUTH_ALG_LEAP; 272 } 273 } 274 #endif /* IEEE8021X_EAPOL */ 275 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 276 params.auth_alg); 277 if (ssid->auth_alg) { 278 params.auth_alg = ssid->auth_alg; 279 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 280 "0x%x", params.auth_alg); 281 } 282 #ifdef CONFIG_SAE 283 wpa_s->sme.sae_pmksa_caching = 0; 284 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 285 const u8 *rsn; 286 struct wpa_ie_data ied; 287 288 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 289 if (!rsn) { 290 wpa_dbg(wpa_s, MSG_DEBUG, 291 "SAE enabled, but target BSS does not advertise RSN"); 292 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 293 wpa_key_mgmt_sae(ied.key_mgmt)) { 294 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 295 params.auth_alg = WPA_AUTH_ALG_SAE; 296 } else { 297 wpa_dbg(wpa_s, MSG_DEBUG, 298 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 299 } 300 } 301 #endif /* CONFIG_SAE */ 302 303 for (i = 0; i < NUM_WEP_KEYS; i++) { 304 if (ssid->wep_key_len[i]) 305 params.wep_key[i] = ssid->wep_key[i]; 306 params.wep_key_len[i] = ssid->wep_key_len[i]; 307 } 308 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 309 310 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 311 os_memset(wpa_s->bssid, 0, ETH_ALEN); 312 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 313 if (bssid_changed) 314 wpas_notify_bssid_changed(wpa_s); 315 316 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 317 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 318 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 319 int try_opportunistic; 320 const u8 *cache_id = NULL; 321 322 try_opportunistic = (ssid->proactive_key_caching < 0 ? 323 wpa_s->conf->okc : 324 ssid->proactive_key_caching) && 325 (ssid->proto & WPA_PROTO_RSN); 326 #ifdef CONFIG_FILS 327 if (wpa_key_mgmt_fils(ssid->key_mgmt)) 328 cache_id = wpa_bss_get_fils_cache_id(bss); 329 #endif /* CONFIG_FILS */ 330 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 331 wpa_s->current_ssid, 332 try_opportunistic, cache_id) == 0) 333 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 334 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 335 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 336 wpa_s->sme.assoc_req_ie, 337 &wpa_s->sme.assoc_req_ie_len)) { 338 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 339 "key management and encryption suites"); 340 wpas_connect_work_done(wpa_s); 341 return; 342 } 343 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 344 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 345 /* 346 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 347 * use non-WPA since the scan results did not indicate that the 348 * AP is using WPA or WPA2. 349 */ 350 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 351 wpa_s->sme.assoc_req_ie_len = 0; 352 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 353 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 354 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 355 wpa_s->sme.assoc_req_ie, 356 &wpa_s->sme.assoc_req_ie_len)) { 357 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 358 "key management and encryption suites (no " 359 "scan results)"); 360 wpas_connect_work_done(wpa_s); 361 return; 362 } 363 #ifdef CONFIG_WPS 364 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 365 struct wpabuf *wps_ie; 366 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 367 if (wps_ie && wpabuf_len(wps_ie) <= 368 sizeof(wpa_s->sme.assoc_req_ie)) { 369 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 370 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 371 wpa_s->sme.assoc_req_ie_len); 372 } else 373 wpa_s->sme.assoc_req_ie_len = 0; 374 wpabuf_free(wps_ie); 375 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 376 #endif /* CONFIG_WPS */ 377 } else { 378 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 379 wpa_s->sme.assoc_req_ie_len = 0; 380 } 381 382 #ifdef CONFIG_IEEE80211R 383 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 384 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 385 md = ie + 2; 386 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 387 if (md) { 388 /* Prepare for the next transition */ 389 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 390 } 391 392 if (md && !wpa_key_mgmt_ft(ssid->key_mgmt)) 393 md = NULL; 394 if (md) { 395 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x", 396 md[0], md[1]); 397 398 if (wpa_s->sme.assoc_req_ie_len + 5 < 399 sizeof(wpa_s->sme.assoc_req_ie)) { 400 struct rsn_mdie *mdie; 401 u8 *pos = wpa_s->sme.assoc_req_ie + 402 wpa_s->sme.assoc_req_ie_len; 403 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 404 *pos++ = sizeof(*mdie); 405 mdie = (struct rsn_mdie *) pos; 406 os_memcpy(mdie->mobility_domain, md, 407 MOBILITY_DOMAIN_ID_LEN); 408 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 409 wpa_s->sme.assoc_req_ie_len += 5; 410 } 411 412 if (wpa_s->sme.ft_used && 413 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 414 wpa_sm_has_ptk(wpa_s->wpa)) { 415 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 416 "over-the-air"); 417 params.auth_alg = WPA_AUTH_ALG_FT; 418 params.ie = wpa_s->sme.ft_ies; 419 params.ie_len = wpa_s->sme.ft_ies_len; 420 } 421 } 422 #endif /* CONFIG_IEEE80211R */ 423 424 #ifdef CONFIG_IEEE80211W 425 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 426 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 427 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 428 struct wpa_ie_data _ie; 429 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 430 _ie.capabilities & 431 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 432 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 433 "MFP: require MFP"); 434 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 435 } 436 } 437 #endif /* CONFIG_IEEE80211W */ 438 439 #ifdef CONFIG_P2P 440 if (wpa_s->global->p2p) { 441 u8 *pos; 442 size_t len; 443 int res; 444 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 445 len = sizeof(wpa_s->sme.assoc_req_ie) - 446 wpa_s->sme.assoc_req_ie_len; 447 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 448 ssid->p2p_group); 449 if (res >= 0) 450 wpa_s->sme.assoc_req_ie_len += res; 451 } 452 #endif /* CONFIG_P2P */ 453 454 #ifdef CONFIG_FST 455 if (wpa_s->fst_ies) { 456 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 457 458 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 459 sizeof(wpa_s->sme.assoc_req_ie)) { 460 os_memcpy(wpa_s->sme.assoc_req_ie + 461 wpa_s->sme.assoc_req_ie_len, 462 wpabuf_head(wpa_s->fst_ies), 463 fst_ies_len); 464 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 465 } 466 } 467 #endif /* CONFIG_FST */ 468 469 sme_auth_handle_rrm(wpa_s, bss); 470 471 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 472 wpa_s, bss->freq, 473 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 474 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 475 476 if (params.p2p) 477 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 478 else 479 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 480 481 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 482 sizeof(ext_capab)); 483 if (ext_capab_len > 0) { 484 u8 *pos = wpa_s->sme.assoc_req_ie; 485 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 486 pos += 2 + pos[1]; 487 os_memmove(pos + ext_capab_len, pos, 488 wpa_s->sme.assoc_req_ie_len - 489 (pos - wpa_s->sme.assoc_req_ie)); 490 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 491 os_memcpy(pos, ext_capab, ext_capab_len); 492 } 493 494 #ifdef CONFIG_HS20 495 if (is_hs20_network(wpa_s, ssid, bss)) { 496 struct wpabuf *hs20; 497 498 hs20 = wpabuf_alloc(20); 499 if (hs20) { 500 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 501 size_t len; 502 503 wpas_hs20_add_indication(hs20, pps_mo_id); 504 len = sizeof(wpa_s->sme.assoc_req_ie) - 505 wpa_s->sme.assoc_req_ie_len; 506 if (wpabuf_len(hs20) <= len) { 507 os_memcpy(wpa_s->sme.assoc_req_ie + 508 wpa_s->sme.assoc_req_ie_len, 509 wpabuf_head(hs20), wpabuf_len(hs20)); 510 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 511 } 512 wpabuf_free(hs20); 513 } 514 } 515 #endif /* CONFIG_HS20 */ 516 517 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 518 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 519 size_t len; 520 521 len = sizeof(wpa_s->sme.assoc_req_ie) - 522 wpa_s->sme.assoc_req_ie_len; 523 if (wpabuf_len(buf) <= len) { 524 os_memcpy(wpa_s->sme.assoc_req_ie + 525 wpa_s->sme.assoc_req_ie_len, 526 wpabuf_head(buf), wpabuf_len(buf)); 527 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 528 } 529 } 530 531 #ifdef CONFIG_MBO 532 if (wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE)) { 533 int len; 534 535 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 536 wpa_s->sme.assoc_req_ie_len, 537 sizeof(wpa_s->sme.assoc_req_ie) - 538 wpa_s->sme.assoc_req_ie_len); 539 if (len >= 0) 540 wpa_s->sme.assoc_req_ie_len += len; 541 } 542 #endif /* CONFIG_MBO */ 543 544 #ifdef CONFIG_SAE 545 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 546 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, 547 NULL) == 0) { 548 wpa_dbg(wpa_s, MSG_DEBUG, 549 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 550 params.auth_alg = WPA_AUTH_ALG_OPEN; 551 wpa_s->sme.sae_pmksa_caching = 1; 552 } 553 554 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 555 if (start) 556 resp = sme_auth_build_sae_commit(wpa_s, ssid, 557 bss->bssid); 558 else 559 resp = sme_auth_build_sae_confirm(wpa_s); 560 if (resp == NULL) { 561 wpas_connection_failed(wpa_s, bss->bssid); 562 return; 563 } 564 params.auth_data = wpabuf_head(resp); 565 params.auth_data_len = wpabuf_len(resp); 566 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 567 } 568 #endif /* CONFIG_SAE */ 569 570 old_ssid = wpa_s->current_ssid; 571 wpa_s->current_ssid = ssid; 572 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 573 wpa_supplicant_initiate_eapol(wpa_s); 574 575 #ifdef CONFIG_FILS 576 /* TODO: FILS operations can in some cases be done between different 577 * network_ctx (i.e., same credentials can be used with multiple 578 * networks). */ 579 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 580 wpa_key_mgmt_fils(ssid->key_mgmt)) { 581 const u8 *indic; 582 u16 fils_info; 583 584 /* 585 * Check FILS Indication element (FILS Information field) bits 586 * indicating supported authentication algorithms against local 587 * configuration (ssid->fils_dh_group). Try to use FILS 588 * authentication only if the AP supports the combination in the 589 * network profile. */ 590 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); 591 if (!indic || indic[1] < 2) { 592 wpa_printf(MSG_DEBUG, "SME: " MACSTR 593 " does not include FILS Indication element - cannot use FILS authentication with it", 594 MAC2STR(bss->bssid)); 595 goto no_fils; 596 } 597 598 fils_info = WPA_GET_LE16(indic + 2); 599 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { 600 wpa_printf(MSG_DEBUG, "SME: " MACSTR 601 " does not support FILS SK without PFS - cannot use FILS authentication with it", 602 MAC2STR(bss->bssid)); 603 goto no_fils; 604 } 605 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { 606 wpa_printf(MSG_DEBUG, "SME: " MACSTR 607 " does not support FILS SK with PFS - cannot use FILS authentication with it", 608 MAC2STR(bss->bssid)); 609 goto no_fils; 610 } 611 612 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 613 ssid, 0, 614 wpa_bss_get_fils_cache_id(bss)) == 615 0) 616 wpa_printf(MSG_DEBUG, 617 "SME: Try to use FILS with PMKSA caching"); 618 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md); 619 if (resp) { 620 int auth_alg; 621 622 if (ssid->fils_dh_group) 623 wpa_printf(MSG_DEBUG, 624 "SME: Try to use FILS SK authentication with PFS (DH Group %u)", 625 ssid->fils_dh_group); 626 else 627 wpa_printf(MSG_DEBUG, 628 "SME: Try to use FILS SK authentication without PFS"); 629 auth_alg = ssid->fils_dh_group ? 630 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS; 631 params.auth_alg = auth_alg; 632 params.auth_data = wpabuf_head(resp); 633 params.auth_data_len = wpabuf_len(resp); 634 wpa_s->sme.auth_alg = auth_alg; 635 } 636 } 637 no_fils: 638 #endif /* CONFIG_FILS */ 639 640 wpa_supplicant_cancel_sched_scan(wpa_s); 641 wpa_supplicant_cancel_scan(wpa_s); 642 643 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 644 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 645 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 646 647 eapol_sm_notify_portValid(wpa_s->eapol, FALSE); 648 wpa_clear_keys(wpa_s, bss->bssid); 649 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 650 if (old_ssid != wpa_s->current_ssid) 651 wpas_notify_network_changed(wpa_s); 652 653 #ifdef CONFIG_HS20 654 hs20_configure_frame_filters(wpa_s); 655 #endif /* CONFIG_HS20 */ 656 657 #ifdef CONFIG_P2P 658 /* 659 * If multi-channel concurrency is not supported, check for any 660 * frequency conflict. In case of any frequency conflict, remove the 661 * least prioritized connection. 662 */ 663 if (wpa_s->num_multichan_concurrent < 2) { 664 int freq, num; 665 num = get_shared_radio_freqs(wpa_s, &freq, 1); 666 if (num > 0 && freq > 0 && freq != params.freq) { 667 wpa_printf(MSG_DEBUG, 668 "Conflicting frequency found (%d != %d)", 669 freq, params.freq); 670 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 671 params.freq, 672 ssid) < 0) { 673 wpas_connection_failed(wpa_s, bss->bssid); 674 wpa_supplicant_mark_disassoc(wpa_s); 675 wpabuf_free(resp); 676 wpas_connect_work_done(wpa_s); 677 return; 678 } 679 } 680 } 681 #endif /* CONFIG_P2P */ 682 683 if (skip_auth) { 684 wpa_msg(wpa_s, MSG_DEBUG, 685 "SME: Skip authentication step on reassoc-to-same-BSS"); 686 wpabuf_free(resp); 687 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 688 return; 689 } 690 691 692 wpa_s->sme.auth_alg = params.auth_alg; 693 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 694 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 695 "driver failed"); 696 wpas_connection_failed(wpa_s, bss->bssid); 697 wpa_supplicant_mark_disassoc(wpa_s); 698 wpabuf_free(resp); 699 wpas_connect_work_done(wpa_s); 700 return; 701 } 702 703 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 704 NULL); 705 706 /* 707 * Association will be started based on the authentication event from 708 * the driver. 709 */ 710 711 wpabuf_free(resp); 712 } 713 714 715 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 716 { 717 struct wpa_connect_work *cwork = work->ctx; 718 struct wpa_supplicant *wpa_s = work->wpa_s; 719 720 if (deinit) { 721 if (work->started) 722 wpa_s->connect_work = NULL; 723 724 wpas_connect_work_free(cwork); 725 return; 726 } 727 728 wpa_s->connect_work = work; 729 730 if (cwork->bss_removed || 731 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 732 wpas_network_disabled(wpa_s, cwork->ssid)) { 733 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 734 wpas_connect_work_done(wpa_s); 735 return; 736 } 737 738 /* Starting new connection, so clear the possibly used WPA IE from the 739 * previous association. */ 740 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 741 742 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 743 } 744 745 746 void sme_authenticate(struct wpa_supplicant *wpa_s, 747 struct wpa_bss *bss, struct wpa_ssid *ssid) 748 { 749 struct wpa_connect_work *cwork; 750 751 if (bss == NULL || ssid == NULL) 752 return; 753 if (wpa_s->connect_work) { 754 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 755 return; 756 } 757 758 if (radio_work_pending(wpa_s, "sme-connect")) { 759 /* 760 * The previous sme-connect work might no longer be valid due to 761 * the fact that the BSS list was updated. In addition, it makes 762 * sense to adhere to the 'newer' decision. 763 */ 764 wpa_dbg(wpa_s, MSG_DEBUG, 765 "SME: Remove previous pending sme-connect"); 766 radio_remove_works(wpa_s, "sme-connect", 0); 767 } 768 769 wpas_abort_ongoing_scan(wpa_s); 770 771 cwork = os_zalloc(sizeof(*cwork)); 772 if (cwork == NULL) 773 return; 774 cwork->bss = bss; 775 cwork->ssid = ssid; 776 cwork->sme = 1; 777 778 #ifdef CONFIG_SAE 779 wpa_s->sme.sae.state = SAE_NOTHING; 780 wpa_s->sme.sae.send_confirm = 0; 781 wpa_s->sme.sae_group_index = 0; 782 #endif /* CONFIG_SAE */ 783 784 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 785 sme_auth_start_cb, cwork) < 0) 786 wpas_connect_work_free(cwork); 787 } 788 789 790 #ifdef CONFIG_SAE 791 792 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 793 u16 status_code, const u8 *data, size_t len) 794 { 795 int *groups; 796 797 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 798 "status code %u", auth_transaction, status_code); 799 800 if (auth_transaction == 1 && 801 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 802 wpa_s->sme.sae.state == SAE_COMMITTED && 803 wpa_s->current_bss && wpa_s->current_ssid) { 804 int default_groups[] = { 19, 20, 21, 25, 26, 0 }; 805 u16 group; 806 807 groups = wpa_s->conf->sae_groups; 808 if (!groups || groups[0] <= 0) 809 groups = default_groups; 810 811 if (len < sizeof(le16)) { 812 wpa_dbg(wpa_s, MSG_DEBUG, 813 "SME: Too short SAE anti-clogging token request"); 814 return -1; 815 } 816 group = WPA_GET_LE16(data); 817 wpa_dbg(wpa_s, MSG_DEBUG, 818 "SME: SAE anti-clogging token requested (group %u)", 819 group); 820 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 821 WLAN_STATUS_SUCCESS) { 822 wpa_dbg(wpa_s, MSG_ERROR, 823 "SME: SAE group %u of anti-clogging request is invalid", 824 group); 825 return -1; 826 } 827 wpabuf_free(wpa_s->sme.sae_token); 828 wpa_s->sme.sae_token = wpabuf_alloc_copy(data + sizeof(le16), 829 len - sizeof(le16)); 830 sme_send_authentication(wpa_s, wpa_s->current_bss, 831 wpa_s->current_ssid, 1); 832 return 0; 833 } 834 835 if (auth_transaction == 1 && 836 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 837 wpa_s->sme.sae.state == SAE_COMMITTED && 838 wpa_s->current_bss && wpa_s->current_ssid) { 839 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 840 wpa_s->sme.sae_group_index++; 841 if (sme_set_sae_group(wpa_s) < 0) 842 return -1; /* no other groups enabled */ 843 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 844 sme_send_authentication(wpa_s, wpa_s->current_bss, 845 wpa_s->current_ssid, 1); 846 return 0; 847 } 848 849 if (status_code != WLAN_STATUS_SUCCESS) 850 return -1; 851 852 if (auth_transaction == 1) { 853 u16 res; 854 855 groups = wpa_s->conf->sae_groups; 856 857 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 858 if (wpa_s->current_bss == NULL || 859 wpa_s->current_ssid == NULL) 860 return -1; 861 if (wpa_s->sme.sae.state != SAE_COMMITTED) 862 return -1; 863 if (groups && groups[0] <= 0) 864 groups = NULL; 865 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 866 groups); 867 if (res == SAE_SILENTLY_DISCARD) { 868 wpa_printf(MSG_DEBUG, 869 "SAE: Drop commit message due to reflection attack"); 870 return 0; 871 } 872 if (res != WLAN_STATUS_SUCCESS) 873 return -1; 874 875 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 876 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 877 "commit"); 878 return -1; 879 } 880 881 wpabuf_free(wpa_s->sme.sae_token); 882 wpa_s->sme.sae_token = NULL; 883 sme_send_authentication(wpa_s, wpa_s->current_bss, 884 wpa_s->current_ssid, 0); 885 return 0; 886 } else if (auth_transaction == 2) { 887 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 888 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 889 return -1; 890 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 891 return -1; 892 wpa_s->sme.sae.state = SAE_ACCEPTED; 893 sae_clear_temp_data(&wpa_s->sme.sae); 894 return 1; 895 } 896 897 return -1; 898 } 899 #endif /* CONFIG_SAE */ 900 901 902 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 903 { 904 struct wpa_ssid *ssid = wpa_s->current_ssid; 905 906 if (ssid == NULL) { 907 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 908 "when network is not selected"); 909 return; 910 } 911 912 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 913 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 914 "when not in authenticating state"); 915 return; 916 } 917 918 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 919 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 920 "unexpected peer " MACSTR, 921 MAC2STR(data->auth.peer)); 922 return; 923 } 924 925 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 926 " auth_type=%d auth_transaction=%d status_code=%d", 927 MAC2STR(data->auth.peer), data->auth.auth_type, 928 data->auth.auth_transaction, data->auth.status_code); 929 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 930 data->auth.ies, data->auth.ies_len); 931 932 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 933 934 #ifdef CONFIG_SAE 935 if (data->auth.auth_type == WLAN_AUTH_SAE) { 936 int res; 937 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 938 data->auth.status_code, data->auth.ies, 939 data->auth.ies_len); 940 if (res < 0) { 941 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 942 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 943 944 } 945 if (res != 1) 946 return; 947 948 wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for " 949 "4-way handshake"); 950 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 951 wpa_s->sme.sae.pmkid, wpa_s->pending_bssid); 952 } 953 #endif /* CONFIG_SAE */ 954 955 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 956 char *ie_txt = NULL; 957 958 if (data->auth.ies && data->auth.ies_len) { 959 size_t buflen = 2 * data->auth.ies_len + 1; 960 ie_txt = os_malloc(buflen); 961 if (ie_txt) { 962 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 963 data->auth.ies_len); 964 } 965 } 966 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 967 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 968 MAC2STR(data->auth.peer), data->auth.auth_type, 969 data->auth.auth_transaction, data->auth.status_code, 970 ie_txt ? " ie=" : "", 971 ie_txt ? ie_txt : ""); 972 os_free(ie_txt); 973 974 if (data->auth.status_code != 975 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 976 wpa_s->sme.auth_alg == data->auth.auth_type || 977 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 978 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 979 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 980 return; 981 } 982 983 wpas_connect_work_done(wpa_s); 984 985 switch (data->auth.auth_type) { 986 case WLAN_AUTH_OPEN: 987 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 988 989 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 990 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 991 wpa_s->current_ssid); 992 return; 993 994 case WLAN_AUTH_SHARED_KEY: 995 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 996 997 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 998 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 999 wpa_s->current_ssid); 1000 return; 1001 1002 default: 1003 return; 1004 } 1005 } 1006 1007 #ifdef CONFIG_IEEE80211R 1008 if (data->auth.auth_type == WLAN_AUTH_FT) { 1009 const u8 *ric_ies = NULL; 1010 size_t ric_ies_len = 0; 1011 1012 if (wpa_s->ric_ies) { 1013 ric_ies = wpabuf_head(wpa_s->ric_ies); 1014 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 1015 } 1016 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 1017 data->auth.ies_len, 0, 1018 data->auth.peer, 1019 ric_ies, ric_ies_len) < 0) { 1020 wpa_dbg(wpa_s, MSG_DEBUG, 1021 "SME: FT Authentication response processing failed"); 1022 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1023 MACSTR 1024 " reason=%d locally_generated=1", 1025 MAC2STR(wpa_s->pending_bssid), 1026 WLAN_REASON_DEAUTH_LEAVING); 1027 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1028 wpa_supplicant_mark_disassoc(wpa_s); 1029 return; 1030 } 1031 } 1032 #endif /* CONFIG_IEEE80211R */ 1033 1034 #ifdef CONFIG_FILS 1035 if (data->auth.auth_type == WLAN_AUTH_FILS_SK || 1036 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) { 1037 u16 expect_auth_type; 1038 1039 expect_auth_type = wpa_s->sme.auth_alg == 1040 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS : 1041 WLAN_AUTH_FILS_SK; 1042 if (data->auth.auth_type != expect_auth_type) { 1043 wpa_dbg(wpa_s, MSG_DEBUG, 1044 "SME: FILS Authentication response used different auth alg (%u; expected %u)", 1045 data->auth.auth_type, expect_auth_type); 1046 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1047 MACSTR 1048 " reason=%d locally_generated=1", 1049 MAC2STR(wpa_s->pending_bssid), 1050 WLAN_REASON_DEAUTH_LEAVING); 1051 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1052 wpa_supplicant_mark_disassoc(wpa_s); 1053 return; 1054 } 1055 1056 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid, 1057 data->auth.ies, data->auth.ies_len) < 0) { 1058 wpa_dbg(wpa_s, MSG_DEBUG, 1059 "SME: FILS Authentication response processing failed"); 1060 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1061 MACSTR 1062 " reason=%d locally_generated=1", 1063 MAC2STR(wpa_s->pending_bssid), 1064 WLAN_REASON_DEAUTH_LEAVING); 1065 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1066 wpa_supplicant_mark_disassoc(wpa_s); 1067 return; 1068 } 1069 } 1070 #endif /* CONFIG_FILS */ 1071 1072 sme_associate(wpa_s, ssid->mode, data->auth.peer, 1073 data->auth.auth_type); 1074 } 1075 1076 1077 #ifdef CONFIG_FILS 1078 #ifdef CONFIG_IEEE80211R 1079 static void remove_ie(u8 *buf, size_t *len, u8 eid) 1080 { 1081 u8 *pos, *next, *end; 1082 1083 pos = (u8 *) get_ie(buf, *len, eid); 1084 if (pos) { 1085 next = pos + 2 + pos[1]; 1086 end = buf + *len; 1087 *len -= 2 + pos[1]; 1088 os_memmove(pos, next, end - next); 1089 } 1090 } 1091 #endif /* CONFIG_IEEE80211R */ 1092 #endif /* CONFIG_FILS */ 1093 1094 1095 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 1096 const u8 *bssid, u16 auth_type) 1097 { 1098 struct wpa_driver_associate_params params; 1099 struct ieee802_11_elems elems; 1100 #ifdef CONFIG_FILS 1101 u8 nonces[2 * FILS_NONCE_LEN]; 1102 #endif /* CONFIG_FILS */ 1103 #ifdef CONFIG_HT_OVERRIDES 1104 struct ieee80211_ht_capabilities htcaps; 1105 struct ieee80211_ht_capabilities htcaps_mask; 1106 #endif /* CONFIG_HT_OVERRIDES */ 1107 #ifdef CONFIG_VHT_OVERRIDES 1108 struct ieee80211_vht_capabilities vhtcaps; 1109 struct ieee80211_vht_capabilities vhtcaps_mask; 1110 #endif /* CONFIG_VHT_OVERRIDES */ 1111 1112 os_memset(¶ms, 0, sizeof(params)); 1113 1114 #ifdef CONFIG_FILS 1115 if (auth_type == WLAN_AUTH_FILS_SK || 1116 auth_type == WLAN_AUTH_FILS_SK_PFS) { 1117 struct wpabuf *buf; 1118 const u8 *snonce, *anonce; 1119 const unsigned int max_hlp = 20; 1120 struct wpabuf *hlp[max_hlp]; 1121 unsigned int i, num_hlp = 0; 1122 struct fils_hlp_req *req; 1123 1124 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1125 list) { 1126 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1127 wpabuf_len(req->pkt)); 1128 if (!hlp[num_hlp]) 1129 break; 1130 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1131 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1132 ETH_ALEN); 1133 wpabuf_put_data(hlp[num_hlp], 1134 "\xaa\xaa\x03\x00\x00\x00", 6); 1135 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1136 num_hlp++; 1137 if (num_hlp >= max_hlp) 1138 break; 1139 } 1140 1141 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1142 ¶ms.fils_kek_len, &snonce, 1143 &anonce, 1144 (const struct wpabuf **) hlp, 1145 num_hlp); 1146 for (i = 0; i < num_hlp; i++) 1147 wpabuf_free(hlp[i]); 1148 if (!buf) 1149 return; 1150 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements", 1151 wpa_s->sme.assoc_req_ie, 1152 wpa_s->sme.assoc_req_ie_len); 1153 #ifdef CONFIG_IEEE80211R 1154 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) { 1155 /* Remove RSNE and MDE to allow them to be overridden 1156 * with FILS+FT specific values from 1157 * fils_build_assoc_req(). */ 1158 remove_ie(wpa_s->sme.assoc_req_ie, 1159 &wpa_s->sme.assoc_req_ie_len, 1160 WLAN_EID_RSN); 1161 wpa_hexdump(MSG_DEBUG, 1162 "FILS: assoc_req after RSNE removal", 1163 wpa_s->sme.assoc_req_ie, 1164 wpa_s->sme.assoc_req_ie_len); 1165 remove_ie(wpa_s->sme.assoc_req_ie, 1166 &wpa_s->sme.assoc_req_ie_len, 1167 WLAN_EID_MOBILITY_DOMAIN); 1168 wpa_hexdump(MSG_DEBUG, 1169 "FILS: assoc_req after MDE removal", 1170 wpa_s->sme.assoc_req_ie, 1171 wpa_s->sme.assoc_req_ie_len); 1172 } 1173 #endif /* CONFIG_IEEE80211R */ 1174 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1175 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1176 sizeof(wpa_s->sme.assoc_req_ie)) { 1177 wpa_printf(MSG_ERROR, 1178 "FILS: Not enough buffer room for own AssocReq elements"); 1179 wpabuf_free(buf); 1180 return; 1181 } 1182 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1183 wpabuf_head(buf), wpabuf_len(buf)); 1184 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1185 wpabuf_free(buf); 1186 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements", 1187 wpa_s->sme.assoc_req_ie, 1188 wpa_s->sme.assoc_req_ie_len); 1189 1190 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1191 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1192 params.fils_nonces = nonces; 1193 params.fils_nonces_len = sizeof(nonces); 1194 } 1195 #endif /* CONFIG_FILS */ 1196 1197 #ifdef CONFIG_OWE 1198 #ifdef CONFIG_TESTING_OPTIONS 1199 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len, 1200 WLAN_EID_EXT_OWE_DH_PARAM)) { 1201 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element"); 1202 } else 1203 #endif /* CONFIG_TESTING_OPTIONS */ 1204 if (auth_type == WLAN_AUTH_OPEN && 1205 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) { 1206 struct wpabuf *owe_ie; 1207 u16 group = OWE_DH_GROUP; 1208 1209 if (wpa_s->current_ssid && wpa_s->current_ssid->owe_group) 1210 group = wpa_s->current_ssid->owe_group; 1211 owe_ie = owe_build_assoc_req(wpa_s->wpa, group); 1212 if (!owe_ie) { 1213 wpa_printf(MSG_ERROR, 1214 "OWE: Failed to build IE for Association Request frame"); 1215 return; 1216 } 1217 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) > 1218 sizeof(wpa_s->sme.assoc_req_ie)) { 1219 wpa_printf(MSG_ERROR, 1220 "OWE: Not enough buffer room for own Association Request frame elements"); 1221 wpabuf_free(owe_ie); 1222 return; 1223 } 1224 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1225 wpabuf_head(owe_ie), wpabuf_len(owe_ie)); 1226 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie); 1227 wpabuf_free(owe_ie); 1228 } 1229 #endif /* CONFIG_OWE */ 1230 1231 params.bssid = bssid; 1232 params.ssid = wpa_s->sme.ssid; 1233 params.ssid_len = wpa_s->sme.ssid_len; 1234 params.freq.freq = wpa_s->sme.freq; 1235 params.bg_scan_period = wpa_s->current_ssid ? 1236 wpa_s->current_ssid->bg_scan_period : -1; 1237 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1238 wpa_s->sme.assoc_req_ie : NULL; 1239 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1240 params.pairwise_suite = wpa_s->pairwise_cipher; 1241 params.group_suite = wpa_s->group_cipher; 1242 params.mgmt_group_suite = wpa_s->mgmt_group_cipher; 1243 params.key_mgmt_suite = wpa_s->key_mgmt; 1244 params.wpa_proto = wpa_s->wpa_proto; 1245 #ifdef CONFIG_HT_OVERRIDES 1246 os_memset(&htcaps, 0, sizeof(htcaps)); 1247 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1248 params.htcaps = (u8 *) &htcaps; 1249 params.htcaps_mask = (u8 *) &htcaps_mask; 1250 wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1251 #endif /* CONFIG_HT_OVERRIDES */ 1252 #ifdef CONFIG_VHT_OVERRIDES 1253 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1254 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1255 params.vhtcaps = &vhtcaps; 1256 params.vhtcaps_mask = &vhtcaps_mask; 1257 wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1258 #endif /* CONFIG_VHT_OVERRIDES */ 1259 #ifdef CONFIG_IEEE80211R 1260 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 1261 params.wpa_ie = wpa_s->sme.ft_ies; 1262 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 1263 } 1264 #endif /* CONFIG_IEEE80211R */ 1265 params.mode = mode; 1266 params.mgmt_frame_protection = wpa_s->sme.mfp; 1267 params.rrm_used = wpa_s->rrm.rrm_used; 1268 if (wpa_s->sme.prev_bssid_set) 1269 params.prev_bssid = wpa_s->sme.prev_bssid; 1270 1271 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 1272 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 1273 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 1274 params.freq.freq); 1275 1276 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 1277 1278 if (params.wpa_ie == NULL || 1279 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 1280 < 0) { 1281 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 1282 os_memset(&elems, 0, sizeof(elems)); 1283 } 1284 if (elems.rsn_ie) { 1285 params.wpa_proto = WPA_PROTO_RSN; 1286 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 1287 elems.rsn_ie_len + 2); 1288 } else if (elems.wpa_ie) { 1289 params.wpa_proto = WPA_PROTO_WPA; 1290 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 1291 elems.wpa_ie_len + 2); 1292 } else if (elems.osen) { 1293 params.wpa_proto = WPA_PROTO_OSEN; 1294 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 1295 elems.osen_len + 2); 1296 } else 1297 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 1298 if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group) 1299 params.p2p = 1; 1300 1301 if (wpa_s->p2pdev->set_sta_uapsd) 1302 params.uapsd = wpa_s->p2pdev->sta_uapsd; 1303 else 1304 params.uapsd = -1; 1305 1306 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 1307 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 1308 "driver failed"); 1309 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1310 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1311 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1312 return; 1313 } 1314 1315 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 1316 NULL); 1317 1318 #ifdef CONFIG_TESTING_OPTIONS 1319 wpabuf_free(wpa_s->last_assoc_req_wpa_ie); 1320 wpa_s->last_assoc_req_wpa_ie = NULL; 1321 if (params.wpa_ie) 1322 wpa_s->last_assoc_req_wpa_ie = 1323 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len); 1324 #endif /* CONFIG_TESTING_OPTIONS */ 1325 } 1326 1327 1328 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 1329 const u8 *ies, size_t ies_len) 1330 { 1331 if (md == NULL || ies == NULL) { 1332 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 1333 os_free(wpa_s->sme.ft_ies); 1334 wpa_s->sme.ft_ies = NULL; 1335 wpa_s->sme.ft_ies_len = 0; 1336 wpa_s->sme.ft_used = 0; 1337 return 0; 1338 } 1339 1340 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 1341 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 1342 os_free(wpa_s->sme.ft_ies); 1343 wpa_s->sme.ft_ies = os_memdup(ies, ies_len); 1344 if (wpa_s->sme.ft_ies == NULL) 1345 return -1; 1346 wpa_s->sme.ft_ies_len = ies_len; 1347 return 0; 1348 } 1349 1350 1351 static void sme_deauth(struct wpa_supplicant *wpa_s) 1352 { 1353 int bssid_changed; 1354 1355 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 1356 1357 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1358 WLAN_REASON_DEAUTH_LEAVING) < 0) { 1359 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 1360 "failed"); 1361 } 1362 wpa_s->sme.prev_bssid_set = 0; 1363 1364 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1365 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1366 os_memset(wpa_s->bssid, 0, ETH_ALEN); 1367 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1368 if (bssid_changed) 1369 wpas_notify_bssid_changed(wpa_s); 1370 } 1371 1372 1373 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 1374 union wpa_event_data *data) 1375 { 1376 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 1377 "status code %d", MAC2STR(wpa_s->pending_bssid), 1378 data->assoc_reject.status_code); 1379 1380 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1381 1382 #ifdef CONFIG_SAE 1383 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 1384 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 1385 wpa_dbg(wpa_s, MSG_DEBUG, 1386 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 1387 wpa_sm_aborted_cached(wpa_s->wpa); 1388 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 1389 if (wpa_s->current_bss) { 1390 struct wpa_bss *bss = wpa_s->current_bss; 1391 struct wpa_ssid *ssid = wpa_s->current_ssid; 1392 1393 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1394 WLAN_REASON_DEAUTH_LEAVING); 1395 wpas_connect_work_done(wpa_s); 1396 wpa_supplicant_mark_disassoc(wpa_s); 1397 wpa_supplicant_connect(wpa_s, bss, ssid); 1398 return; 1399 } 1400 } 1401 #endif /* CONFIG_SAE */ 1402 1403 /* 1404 * For now, unconditionally terminate the previous authentication. In 1405 * theory, this should not be needed, but mac80211 gets quite confused 1406 * if the authentication is left pending.. Some roaming cases might 1407 * benefit from using the previous authentication, so this could be 1408 * optimized in the future. 1409 */ 1410 sme_deauth(wpa_s); 1411 } 1412 1413 1414 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 1415 union wpa_event_data *data) 1416 { 1417 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 1418 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1419 wpa_supplicant_mark_disassoc(wpa_s); 1420 } 1421 1422 1423 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 1424 union wpa_event_data *data) 1425 { 1426 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 1427 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1428 wpa_supplicant_mark_disassoc(wpa_s); 1429 } 1430 1431 1432 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 1433 struct disassoc_info *info) 1434 { 1435 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 1436 if (wpa_s->sme.prev_bssid_set) { 1437 /* 1438 * cfg80211/mac80211 can get into somewhat confused state if 1439 * the AP only disassociates us and leaves us in authenticated 1440 * state. For now, force the state to be cleared to avoid 1441 * confusing errors if we try to associate with the AP again. 1442 */ 1443 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 1444 "driver state"); 1445 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 1446 WLAN_REASON_DEAUTH_LEAVING); 1447 } 1448 } 1449 1450 1451 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 1452 { 1453 struct wpa_supplicant *wpa_s = eloop_ctx; 1454 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 1455 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 1456 sme_deauth(wpa_s); 1457 } 1458 } 1459 1460 1461 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 1462 { 1463 struct wpa_supplicant *wpa_s = eloop_ctx; 1464 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 1465 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 1466 sme_deauth(wpa_s); 1467 } 1468 } 1469 1470 1471 void sme_state_changed(struct wpa_supplicant *wpa_s) 1472 { 1473 /* Make sure timers are cleaned up appropriately. */ 1474 if (wpa_s->wpa_state != WPA_ASSOCIATING) 1475 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1476 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 1477 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1478 } 1479 1480 1481 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 1482 const u8 *prev_pending_bssid) 1483 { 1484 /* 1485 * mac80211-workaround to force deauth on failed auth cmd, 1486 * requires us to remain in authenticating state to allow the 1487 * second authentication attempt to be continued properly. 1488 */ 1489 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 1490 "to proceed after disconnection event"); 1491 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 1492 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 1493 1494 /* 1495 * Re-arm authentication timer in case auth fails for whatever reason. 1496 */ 1497 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1498 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 1499 NULL); 1500 } 1501 1502 1503 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 1504 { 1505 wpa_s->sme.prev_bssid_set = 0; 1506 #ifdef CONFIG_SAE 1507 wpabuf_free(wpa_s->sme.sae_token); 1508 wpa_s->sme.sae_token = NULL; 1509 sae_clear_data(&wpa_s->sme.sae); 1510 #endif /* CONFIG_SAE */ 1511 #ifdef CONFIG_IEEE80211R 1512 if (wpa_s->sme.ft_ies) 1513 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 1514 #endif /* CONFIG_IEEE80211R */ 1515 } 1516 1517 1518 void sme_deinit(struct wpa_supplicant *wpa_s) 1519 { 1520 os_free(wpa_s->sme.ft_ies); 1521 wpa_s->sme.ft_ies = NULL; 1522 wpa_s->sme.ft_ies_len = 0; 1523 #ifdef CONFIG_IEEE80211W 1524 sme_stop_sa_query(wpa_s); 1525 #endif /* CONFIG_IEEE80211W */ 1526 sme_clear_on_disassoc(wpa_s); 1527 1528 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1529 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1530 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 1531 } 1532 1533 1534 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 1535 const u8 *chan_list, u8 num_channels, 1536 u8 num_intol) 1537 { 1538 struct ieee80211_2040_bss_coex_ie *bc_ie; 1539 struct ieee80211_2040_intol_chan_report *ic_report; 1540 struct wpabuf *buf; 1541 1542 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 1543 " (num_channels=%u num_intol=%u)", 1544 MAC2STR(wpa_s->bssid), num_channels, num_intol); 1545 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 1546 chan_list, num_channels); 1547 1548 buf = wpabuf_alloc(2 + /* action.category + action_code */ 1549 sizeof(struct ieee80211_2040_bss_coex_ie) + 1550 sizeof(struct ieee80211_2040_intol_chan_report) + 1551 num_channels); 1552 if (buf == NULL) 1553 return; 1554 1555 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 1556 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 1557 1558 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 1559 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 1560 bc_ie->length = 1; 1561 if (num_intol) 1562 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 1563 1564 if (num_channels > 0) { 1565 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 1566 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 1567 ic_report->length = num_channels + 1; 1568 ic_report->op_class = 0; 1569 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 1570 num_channels); 1571 } 1572 1573 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 1574 wpa_s->own_addr, wpa_s->bssid, 1575 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 1576 wpa_msg(wpa_s, MSG_INFO, 1577 "SME: Failed to send 20/40 BSS Coexistence frame"); 1578 } 1579 1580 wpabuf_free(buf); 1581 } 1582 1583 1584 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s) 1585 { 1586 struct wpa_bss *bss; 1587 const u8 *ie; 1588 u16 ht_cap; 1589 u8 chan_list[P2P_MAX_CHANNELS], channel; 1590 u8 num_channels = 0, num_intol = 0, i; 1591 1592 if (!wpa_s->sme.sched_obss_scan) 1593 return 0; 1594 1595 wpa_s->sme.sched_obss_scan = 0; 1596 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 1597 return 1; 1598 1599 /* 1600 * Check whether AP uses regulatory triplet or channel triplet in 1601 * country info. Right now the operating class of the BSS channel 1602 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 1603 * based on the assumption that operating class triplet is not used in 1604 * beacon frame. If the First Channel Number/Operating Extension 1605 * Identifier octet has a positive integer value of 201 or greater, 1606 * then its operating class triplet. 1607 * 1608 * TODO: If Supported Operating Classes element is present in beacon 1609 * frame, have to lookup operating class in Annex E and fill them in 1610 * 2040 coex frame. 1611 */ 1612 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 1613 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 1614 return 1; 1615 1616 os_memset(chan_list, 0, sizeof(chan_list)); 1617 1618 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 1619 /* Skip other band bss */ 1620 enum hostapd_hw_mode mode; 1621 mode = ieee80211_freq_to_chan(bss->freq, &channel); 1622 if (mode != HOSTAPD_MODE_IEEE80211G && 1623 mode != HOSTAPD_MODE_IEEE80211B) 1624 continue; 1625 1626 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP); 1627 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0; 1628 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR 1629 " freq=%u chan=%u ht_cap=0x%x", 1630 MAC2STR(bss->bssid), bss->freq, channel, ht_cap); 1631 1632 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) { 1633 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT) 1634 num_intol++; 1635 1636 /* Check whether the channel is already considered */ 1637 for (i = 0; i < num_channels; i++) { 1638 if (channel == chan_list[i]) 1639 break; 1640 } 1641 if (i != num_channels) 1642 continue; 1643 1644 chan_list[num_channels++] = channel; 1645 } 1646 } 1647 1648 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 1649 return 1; 1650 } 1651 1652 1653 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 1654 struct wpa_driver_scan_params *params) 1655 { 1656 /* Include only affected channels */ 1657 struct hostapd_hw_modes *mode; 1658 int count, i; 1659 int start, end; 1660 1661 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 1662 HOSTAPD_MODE_IEEE80211G); 1663 if (mode == NULL) { 1664 /* No channels supported in this band - use empty list */ 1665 params->freqs = os_zalloc(sizeof(int)); 1666 return; 1667 } 1668 1669 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 1670 wpa_s->current_bss) { 1671 const u8 *ie; 1672 1673 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 1674 if (ie && ie[1] >= 2) { 1675 u8 o; 1676 1677 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 1678 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 1679 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 1680 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 1681 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 1682 } 1683 } 1684 1685 start = wpa_s->assoc_freq - 10; 1686 end = wpa_s->assoc_freq + 10; 1687 switch (wpa_s->sme.ht_sec_chan) { 1688 case HT_SEC_CHAN_UNKNOWN: 1689 /* HT40+ possible on channels 1..9 */ 1690 if (wpa_s->assoc_freq <= 2452) 1691 start -= 20; 1692 /* HT40- possible on channels 5-13 */ 1693 if (wpa_s->assoc_freq >= 2432) 1694 end += 20; 1695 break; 1696 case HT_SEC_CHAN_ABOVE: 1697 end += 20; 1698 break; 1699 case HT_SEC_CHAN_BELOW: 1700 start -= 20; 1701 break; 1702 } 1703 wpa_printf(MSG_DEBUG, 1704 "OBSS: assoc_freq %d possible affected range %d-%d", 1705 wpa_s->assoc_freq, start, end); 1706 1707 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 1708 if (params->freqs == NULL) 1709 return; 1710 for (count = 0, i = 0; i < mode->num_channels; i++) { 1711 int freq; 1712 1713 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 1714 continue; 1715 freq = mode->channels[i].freq; 1716 if (freq - 10 >= end || freq + 10 <= start) 1717 continue; /* not affected */ 1718 params->freqs[count++] = freq; 1719 } 1720 } 1721 1722 1723 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 1724 { 1725 struct wpa_supplicant *wpa_s = eloop_ctx; 1726 struct wpa_driver_scan_params params; 1727 1728 if (!wpa_s->current_bss) { 1729 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 1730 return; 1731 } 1732 1733 os_memset(¶ms, 0, sizeof(params)); 1734 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 1735 params.low_priority = 1; 1736 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 1737 1738 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 1739 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 1740 else 1741 wpa_s->sme.sched_obss_scan = 1; 1742 os_free(params.freqs); 1743 1744 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 1745 sme_obss_scan_timeout, wpa_s, NULL); 1746 } 1747 1748 1749 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 1750 { 1751 const u8 *ie; 1752 struct wpa_bss *bss = wpa_s->current_bss; 1753 struct wpa_ssid *ssid = wpa_s->current_ssid; 1754 struct hostapd_hw_modes *hw_mode = NULL; 1755 int i; 1756 1757 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 1758 wpa_s->sme.sched_obss_scan = 0; 1759 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 1760 if (!enable) 1761 return; 1762 1763 /* 1764 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 1765 * or it expects OBSS scan to be performed by wpa_supplicant. 1766 */ 1767 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 1768 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 1769 ssid == NULL || ssid->mode != IEEE80211_MODE_INFRA) 1770 return; 1771 1772 if (!wpa_s->hw.modes) 1773 return; 1774 1775 /* only HT caps in 11g mode are relevant */ 1776 for (i = 0; i < wpa_s->hw.num_modes; i++) { 1777 hw_mode = &wpa_s->hw.modes[i]; 1778 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 1779 break; 1780 } 1781 1782 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 1783 if (i == wpa_s->hw.num_modes || !hw_mode || 1784 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 1785 return; 1786 1787 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 1788 return; /* Not associated on 2.4 GHz band */ 1789 1790 /* Check whether AP supports HT40 */ 1791 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 1792 if (!ie || ie[1] < 2 || 1793 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 1794 return; /* AP does not support HT40 */ 1795 1796 ie = wpa_bss_get_ie(wpa_s->current_bss, 1797 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 1798 if (!ie || ie[1] < 14) 1799 return; /* AP does not request OBSS scans */ 1800 1801 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 1802 if (wpa_s->sme.obss_scan_int < 10) { 1803 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 1804 "replaced with the minimum 10 sec", 1805 wpa_s->sme.obss_scan_int); 1806 wpa_s->sme.obss_scan_int = 10; 1807 } 1808 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 1809 wpa_s->sme.obss_scan_int); 1810 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 1811 sme_obss_scan_timeout, wpa_s, NULL); 1812 } 1813 1814 1815 #ifdef CONFIG_IEEE80211W 1816 1817 static const unsigned int sa_query_max_timeout = 1000; 1818 static const unsigned int sa_query_retry_timeout = 201; 1819 1820 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 1821 { 1822 u32 tu; 1823 struct os_reltime now, passed; 1824 os_get_reltime(&now); 1825 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 1826 tu = (passed.sec * 1000000 + passed.usec) / 1024; 1827 if (sa_query_max_timeout < tu) { 1828 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 1829 sme_stop_sa_query(wpa_s); 1830 wpa_supplicant_deauthenticate( 1831 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 1832 return 1; 1833 } 1834 1835 return 0; 1836 } 1837 1838 1839 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 1840 const u8 *trans_id) 1841 { 1842 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN]; 1843 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 1844 MACSTR, MAC2STR(wpa_s->bssid)); 1845 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 1846 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 1847 req[0] = WLAN_ACTION_SA_QUERY; 1848 req[1] = WLAN_SA_QUERY_REQUEST; 1849 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 1850 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 1851 wpa_s->own_addr, wpa_s->bssid, 1852 req, sizeof(req), 0) < 0) 1853 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 1854 "Request"); 1855 } 1856 1857 1858 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 1859 { 1860 struct wpa_supplicant *wpa_s = eloop_ctx; 1861 unsigned int timeout, sec, usec; 1862 u8 *trans_id, *nbuf; 1863 1864 if (wpa_s->sme.sa_query_count > 0 && 1865 sme_check_sa_query_timeout(wpa_s)) 1866 return; 1867 1868 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 1869 wpa_s->sme.sa_query_count + 1, 1870 WLAN_SA_QUERY_TR_ID_LEN); 1871 if (nbuf == NULL) { 1872 sme_stop_sa_query(wpa_s); 1873 return; 1874 } 1875 if (wpa_s->sme.sa_query_count == 0) { 1876 /* Starting a new SA Query procedure */ 1877 os_get_reltime(&wpa_s->sme.sa_query_start); 1878 } 1879 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 1880 wpa_s->sme.sa_query_trans_id = nbuf; 1881 wpa_s->sme.sa_query_count++; 1882 1883 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 1884 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 1885 sme_stop_sa_query(wpa_s); 1886 return; 1887 } 1888 1889 timeout = sa_query_retry_timeout; 1890 sec = ((timeout / 1000) * 1024) / 1000; 1891 usec = (timeout % 1000) * 1024; 1892 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 1893 1894 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 1895 wpa_s->sme.sa_query_count); 1896 1897 sme_send_sa_query_req(wpa_s, trans_id); 1898 } 1899 1900 1901 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 1902 { 1903 sme_sa_query_timer(wpa_s, NULL); 1904 } 1905 1906 1907 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 1908 { 1909 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 1910 os_free(wpa_s->sme.sa_query_trans_id); 1911 wpa_s->sme.sa_query_trans_id = NULL; 1912 wpa_s->sme.sa_query_count = 0; 1913 } 1914 1915 1916 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 1917 const u8 *da, u16 reason_code) 1918 { 1919 struct wpa_ssid *ssid; 1920 struct os_reltime now; 1921 1922 if (wpa_s->wpa_state != WPA_COMPLETED) 1923 return; 1924 ssid = wpa_s->current_ssid; 1925 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 1926 return; 1927 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 1928 return; 1929 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 1930 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 1931 return; 1932 if (wpa_s->sme.sa_query_count > 0) 1933 return; 1934 1935 os_get_reltime(&now); 1936 if (wpa_s->sme.last_unprot_disconnect.sec && 1937 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 1938 return; /* limit SA Query procedure frequency */ 1939 wpa_s->sme.last_unprot_disconnect = now; 1940 1941 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 1942 "possible AP/STA state mismatch - trigger SA Query"); 1943 sme_start_sa_query(wpa_s); 1944 } 1945 1946 1947 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa, 1948 const u8 *data, size_t len) 1949 { 1950 int i; 1951 1952 if (wpa_s->sme.sa_query_trans_id == NULL || 1953 len < 1 + WLAN_SA_QUERY_TR_ID_LEN || 1954 data[0] != WLAN_SA_QUERY_RESPONSE) 1955 return; 1956 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 1957 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 1958 1959 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 1960 return; 1961 1962 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 1963 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 1964 i * WLAN_SA_QUERY_TR_ID_LEN, 1965 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 1966 break; 1967 } 1968 1969 if (i >= wpa_s->sme.sa_query_count) { 1970 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 1971 "transaction identifier found"); 1972 return; 1973 } 1974 1975 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 1976 "from " MACSTR, MAC2STR(sa)); 1977 sme_stop_sa_query(wpa_s); 1978 } 1979 1980 #endif /* CONFIG_IEEE80211W */ 1981