1 /*
2 * wpa_supplicant - Radio Measurements
3 * Copyright (c) 2003-2016, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/bitfield.h"
13 #include "utils/eloop.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "wpa_supplicant_i.h"
17 #include "bss.h"
18 #include "rrm.h"
19 #include "scan.h"
20 #include <sys/errno.h>
21 #ifdef ESP_SUPPLICANT
22 #include "esp_common_i.h"
23 #endif
24
wpas_rrm_neighbor_rep_timeout_handler(void * data,void * user_ctx)25 static void wpas_rrm_neighbor_rep_timeout_handler(void *data, void *user_ctx)
26 {
27 struct rrm_data *rrm = data;
28
29 if (!rrm->notify_neighbor_rep) {
30 wpa_printf(MSG_ERROR,
31 "RRM: Unexpected neighbor report timeout");
32 return;
33 }
34
35 wpa_printf(MSG_DEBUG, "RRM: Notifying neighbor report - NONE");
36 rrm->notify_neighbor_rep(rrm->neighbor_rep_cb_ctx, NULL, 0);
37
38 rrm->notify_neighbor_rep = NULL;
39 rrm->neighbor_rep_cb_ctx = NULL;
40 }
41
42
43 /*
44 * wpas_rrm_reset - Clear and reset all RRM data in wpa_supplicant
45 * @wpa_s: Pointer to wpa_supplicant
46 */
wpas_rrm_reset(struct wpa_supplicant * wpa_s)47 void wpas_rrm_reset(struct wpa_supplicant *wpa_s)
48 {
49 wpa_s->rrm.rrm_used = 0;
50
51 eloop_cancel_timeout(wpas_rrm_neighbor_rep_timeout_handler, &wpa_s->rrm,
52 NULL);
53 if (wpa_s->rrm.notify_neighbor_rep)
54 wpas_rrm_neighbor_rep_timeout_handler(&wpa_s->rrm, NULL);
55 wpa_s->rrm.next_neighbor_rep_token = 1;
56 wpas_clear_beacon_rep_data(wpa_s);
57 }
58
59
60 /*
61 * wpas_rrm_process_neighbor_rep - Handle incoming neighbor report
62 * @wpa_s: Pointer to wpa_supplicant
63 * @report: Neighbor report buffer, prefixed by a 1-byte dialog token
64 * @report_len: Length of neighbor report buffer
65 */
wpas_rrm_process_neighbor_rep(struct wpa_supplicant * wpa_s,const u8 * report,size_t report_len)66 void wpas_rrm_process_neighbor_rep(struct wpa_supplicant *wpa_s,
67 const u8 *report, size_t report_len)
68 {
69
70 wpa_hexdump(MSG_DEBUG, "RRM: New Neighbor Report", report, report_len);
71 if (report_len < 1)
72 return;
73
74 if (report[0] != wpa_s->rrm.next_neighbor_rep_token - 1) {
75 wpa_printf(MSG_DEBUG,
76 "RRM: Discarding neighbor report with token %d (expected %d)",
77 report[0], wpa_s->rrm.next_neighbor_rep_token - 1);
78 return;
79 }
80
81 eloop_cancel_timeout(wpas_rrm_neighbor_rep_timeout_handler, &wpa_s->rrm,
82 NULL);
83
84 if (!wpa_s->rrm.notify_neighbor_rep) {
85 wpa_msg(wpa_s, MSG_INFO, "RRM: Unexpected neighbor report");
86 return;
87 }
88
89 wpa_printf(MSG_DEBUG, "RRM: Notifying neighbor report (token = %d)",
90 report[0]);
91 wpa_s->rrm.notify_neighbor_rep(wpa_s->rrm.neighbor_rep_cb_ctx,
92 report, report_len);
93 wpa_s->rrm.notify_neighbor_rep = NULL;
94 wpa_s->rrm.neighbor_rep_cb_ctx = NULL;
95 }
96
97
98 #if defined(__CYGWIN__) || defined(CONFIG_NATIVE_WINDOWS)
99 /* Workaround different, undefined for Windows, error codes used here */
100 #ifndef ENOTCONN
101 #define ENOTCONN -1
102 #endif
103 #ifndef EOPNOTSUPP
104 #define EOPNOTSUPP -1
105 #endif
106 #ifndef ECANCELED
107 #define ECANCELED -1
108 #endif
109 #endif
110
111 /* Measurement Request element + Location Subject + Maximum Age subelement */
112 #define MEASURE_REQUEST_LCI_LEN (3 + 1 + 4)
113 /* Measurement Request element + Location Civic Request */
114 #define MEASURE_REQUEST_CIVIC_LEN (3 + 5)
115
116
117 /**
118 * wpas_rrm_send_neighbor_rep_request - Request a neighbor report from our AP
119 * @wpa_s: Pointer to wpa_supplicant
120 * @ssid: if not null, this is sent in the request. Otherwise, no SSID IE
121 * is sent in the request.
122 * @lci: if set, neighbor request will include LCI request
123 * @civic: if set, neighbor request will include civic location request
124 * @cb: Callback function to be called once the requested report arrives, or
125 * timed out after RRM_NEIGHBOR_REPORT_TIMEOUT seconds.
126 * In the former case, 'neighbor_rep' is a newly allocated wpabuf, and it's
127 * the requester's responsibility to free it.
128 * In the latter case NULL will be sent in 'neighbor_rep'.
129 * @cb_ctx: Context value to send the callback function
130 * Returns: 0 in case of success, negative error code otherwise
131 *
132 * In case there is a previous request which has not been answered yet, the
133 * new request fails. The caller may retry after RRM_NEIGHBOR_REPORT_TIMEOUT.
134 * Request must contain a callback function.
135 */
wpas_rrm_send_neighbor_rep_request(struct wpa_supplicant * wpa_s,const struct wpa_ssid_value * ssid,int lci,int civic,void (* cb)(void * ctx,const u8 * neighbor_rep,size_t len),void * cb_ctx)136 int wpas_rrm_send_neighbor_rep_request(struct wpa_supplicant *wpa_s,
137 const struct wpa_ssid_value *ssid,
138 int lci, int civic,
139 void (*cb)(void *ctx,
140 const u8 *neighbor_rep, size_t len),
141 void *cb_ctx)
142 {
143 struct wpabuf *buf;
144
145 if (!(wpa_s->rrm_ie[0] & WLAN_RRM_CAPS_NEIGHBOR_REPORT)) {
146 wpa_printf(MSG_ERROR,
147 "RRM: No network support for Neighbor Report.");
148 return -EOPNOTSUPP;
149 }
150
151 /* Refuse if there's a live request */
152 if (wpa_s->rrm.notify_neighbor_rep) {
153 wpa_dbg(wpa_s, MSG_DEBUG,
154 "RRM: Currently handling previous Neighbor Report.");
155 return -EBUSY;
156 }
157
158 /* 3 = action category + action code + dialog token */
159 buf = wpabuf_alloc(3 + (ssid ? 2 + ssid->ssid_len : 0) +
160 (lci ? 2 + MEASURE_REQUEST_LCI_LEN : 0) +
161 (civic ? 2 + MEASURE_REQUEST_CIVIC_LEN : 0));
162 if (buf == NULL) {
163 wpa_dbg(wpa_s, MSG_DEBUG,
164 "RRM: Failed to allocate Neighbor Report Request");
165 return -ENOMEM;
166 }
167
168 wpa_dbg(wpa_s, MSG_DEBUG,
169 "RRM: Neighbor report request (for %s), token=%d",
170 (ssid ? wpa_ssid_txt(ssid->ssid, ssid->ssid_len) : ""),
171 wpa_s->rrm.next_neighbor_rep_token);
172
173 wpabuf_put_u8(buf, WLAN_ACTION_RADIO_MEASUREMENT);
174 wpabuf_put_u8(buf, WLAN_RRM_NEIGHBOR_REPORT_REQUEST);
175 wpabuf_put_u8(buf, wpa_s->rrm.next_neighbor_rep_token);
176 if (ssid) {
177 wpabuf_put_u8(buf, WLAN_EID_SSID);
178 wpabuf_put_u8(buf, ssid->ssid_len);
179 wpabuf_put_data(buf, ssid->ssid, ssid->ssid_len);
180 }
181
182 if (lci) {
183 /* IEEE P802.11-REVmc/D5.0 9.4.2.21 */
184 wpabuf_put_u8(buf, WLAN_EID_MEASURE_REQUEST);
185 wpabuf_put_u8(buf, MEASURE_REQUEST_LCI_LEN);
186
187 /*
188 * Measurement token; nonzero number that is unique among the
189 * Measurement Request elements in a particular frame.
190 */
191 wpabuf_put_u8(buf, 1); /* Measurement Token */
192
193 /*
194 * Parallel, Enable, Request, and Report bits are 0, Duration is
195 * reserved.
196 */
197 wpabuf_put_u8(buf, 0); /* Measurement Request Mode */
198 wpabuf_put_u8(buf, MEASURE_TYPE_LCI); /* Measurement Type */
199
200 /* IEEE P802.11-REVmc/D5.0 9.4.2.21.10 - LCI request */
201 /* Location Subject */
202 wpabuf_put_u8(buf, LOCATION_SUBJECT_REMOTE);
203
204 /* Optional Subelements */
205 /*
206 * IEEE P802.11-REVmc/D5.0 Figure 9-170
207 * The Maximum Age subelement is required, otherwise the AP can
208 * send only data that was determined after receiving the
209 * request. Setting it here to unlimited age.
210 */
211 wpabuf_put_u8(buf, LCI_REQ_SUBELEM_MAX_AGE);
212 wpabuf_put_u8(buf, 2);
213 wpabuf_put_le16(buf, 0xffff);
214 }
215
216 if (civic) {
217 /* IEEE P802.11-REVmc/D5.0 9.4.2.21 */
218 wpabuf_put_u8(buf, WLAN_EID_MEASURE_REQUEST);
219 wpabuf_put_u8(buf, MEASURE_REQUEST_CIVIC_LEN);
220
221 /*
222 * Measurement token; nonzero number that is unique among the
223 * Measurement Request elements in a particular frame.
224 */
225 wpabuf_put_u8(buf, 2); /* Measurement Token */
226
227 /*
228 * Parallel, Enable, Request, and Report bits are 0, Duration is
229 * reserved.
230 */
231 wpabuf_put_u8(buf, 0); /* Measurement Request Mode */
232 /* Measurement Type */
233 wpabuf_put_u8(buf, MEASURE_TYPE_LOCATION_CIVIC);
234
235 /* IEEE P802.11-REVmc/D5.0 9.4.2.21.14:
236 * Location Civic request */
237 /* Location Subject */
238 wpabuf_put_u8(buf, LOCATION_SUBJECT_REMOTE);
239 wpabuf_put_u8(buf, 0); /* Civic Location Type: IETF RFC 4776 */
240 /* Location Service Interval Units: Seconds */
241 wpabuf_put_u8(buf, 0);
242 /* Location Service Interval: 0 - Only one report is requested
243 */
244 wpabuf_put_le16(buf, 0);
245 /* No optional subelements */
246 }
247
248 wpa_s->rrm.next_neighbor_rep_token++;
249
250 if (wpa_drv_send_action(wpa_s, 0, 0,
251 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
252 wpa_dbg(wpa_s, MSG_DEBUG,
253 "RRM: Failed to send Neighbor Report Request");
254 wpabuf_free(buf);
255 return -ECANCELED;
256 }
257
258 wpa_s->rrm.neighbor_rep_cb_ctx = cb_ctx;
259 wpa_s->rrm.notify_neighbor_rep = cb;
260 eloop_register_timeout(RRM_NEIGHBOR_REPORT_TIMEOUT, 0,
261 wpas_rrm_neighbor_rep_timeout_handler,
262 &wpa_s->rrm, NULL);
263
264 wpabuf_free(buf);
265 return 0;
266 }
267
268
wpas_rrm_report_elem(struct wpabuf ** buf,u8 token,u8 mode,u8 type,const u8 * data,size_t data_len)269 static int wpas_rrm_report_elem(struct wpabuf **buf, u8 token, u8 mode, u8 type,
270 const u8 *data, size_t data_len)
271 {
272 if (wpabuf_resize(buf, 5 + data_len))
273 return -1;
274
275 wpabuf_put_u8(*buf, WLAN_EID_MEASURE_REPORT);
276 wpabuf_put_u8(*buf, 3 + data_len);
277 wpabuf_put_u8(*buf, token);
278 wpabuf_put_u8(*buf, mode);
279 wpabuf_put_u8(*buf, type);
280
281 if (data_len)
282 wpabuf_put_data(*buf, data, data_len);
283
284 return 0;
285 }
286
wpas_rrm_send_msr_report_mpdu(struct wpa_supplicant * wpa_s,const u8 * data,size_t len)287 static void wpas_rrm_send_msr_report_mpdu(struct wpa_supplicant *wpa_s,
288 const u8 *data, size_t len)
289 {
290 struct wpabuf *report = wpabuf_alloc(len + 3);
291
292 if (!report)
293 return;
294
295 wpabuf_put_u8(report, WLAN_ACTION_RADIO_MEASUREMENT);
296 wpabuf_put_u8(report, WLAN_RRM_RADIO_MEASUREMENT_REPORT);
297 wpabuf_put_u8(report, wpa_s->rrm.token);
298
299 wpabuf_put_data(report, data, len);
300
301 if (wpa_drv_send_action(wpa_s, 0, 0,
302 wpabuf_head(report), wpabuf_len(report), 0)) {
303 wpa_printf(MSG_ERROR,
304 "RRM: Radio measurement report failed: Sending Action frame failed");
305 }
306
307 wpabuf_free(report);
308 }
309
310
wpas_rrm_beacon_rep_update_last_frame(u8 * pos,size_t len)311 static int wpas_rrm_beacon_rep_update_last_frame(u8 *pos, size_t len)
312 {
313 struct rrm_measurement_report_element *msr_rep;
314 u8 *end = pos + len;
315 u8 *msr_rep_end;
316 struct rrm_measurement_beacon_report *rep = NULL;
317 u8 *subelem;
318
319 /* Find the last beacon report element */
320 while (end - pos >= (int) sizeof(*msr_rep)) {
321 msr_rep = (struct rrm_measurement_report_element *) pos;
322 msr_rep_end = pos + msr_rep->len + 2;
323
324 if (msr_rep->eid != WLAN_EID_MEASURE_REPORT ||
325 msr_rep_end > end) {
326 /* Should not happen. This indicates a bug. */
327 wpa_printf(MSG_ERROR,
328 "RRM: non-measurement report element in measurement report frame");
329 return -1;
330 }
331
332 if (msr_rep->type == MEASURE_TYPE_BEACON)
333 rep = (struct rrm_measurement_beacon_report *)
334 msr_rep->variable;
335
336 pos += pos[1] + 2;
337 }
338
339 if (!rep)
340 return 0;
341
342 subelem = rep->variable;
343 while (subelem + 2 < msr_rep_end &&
344 subelem[0] != WLAN_BEACON_REPORT_SUBELEM_LAST_INDICATION)
345 subelem += 2 + subelem[1];
346
347 if (subelem + 2 < msr_rep_end &&
348 subelem[0] == WLAN_BEACON_REPORT_SUBELEM_LAST_INDICATION &&
349 subelem[1] == 1 &&
350 subelem + BEACON_REPORT_LAST_INDICATION_SUBELEM_LEN <= end)
351 subelem[2] = 1;
352
353 return 0;
354 }
355
356
wpas_rrm_send_msr_report(struct wpa_supplicant * wpa_s,struct wpabuf * buf)357 static void wpas_rrm_send_msr_report(struct wpa_supplicant *wpa_s,
358 struct wpabuf *buf)
359 {
360 int len = wpabuf_len(buf);
361 u8 *pos = wpabuf_mhead_u8(buf), *next = pos;
362
363 #define MPDU_REPORT_LEN (int) (IEEE80211_MAX_MMPDU_SIZE - IEEE80211_HDRLEN - 3)
364
365 while (len) {
366 int send_len = (len > MPDU_REPORT_LEN) ? next - pos : len;
367
368 if (send_len == len)
369 wpas_rrm_beacon_rep_update_last_frame(pos, len);
370
371 if (send_len == len ||
372 (send_len + next[1] + 2) > MPDU_REPORT_LEN) {
373 wpas_rrm_send_msr_report_mpdu(wpa_s, pos, send_len);
374 len -= send_len;
375 pos = next;
376 }
377
378 if (len)
379 next += next[1] + 2;
380 }
381 #undef MPDU_REPORT_LEN
382 }
383
wpas_get_op_chan_phy(int channel,const u8 * ies,size_t ies_len,u8 * op_class,u8 * chan,u8 * phy_type)384 static int wpas_get_op_chan_phy(int channel, const u8 *ies, size_t ies_len,
385 u8 *op_class, u8 *chan, u8 *phy_type)
386 {
387 const u8 *ie;
388 int sec_chan = 0;
389 struct ieee80211_ht_operation *ht_oper = NULL;
390
391 ie = get_ie(ies, ies_len, WLAN_EID_HT_OPERATION);
392 if (ie && ie[1] >= 2) {
393 ht_oper = (struct ieee80211_ht_operation *) (ie + 2);
394
395 if (ht_oper->ht_param & HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE)
396 sec_chan = 1;
397 else if (ht_oper->ht_param &
398 HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW)
399 sec_chan = -1;
400 }
401
402 *op_class = get_operating_class(channel, sec_chan);
403
404 *phy_type = (sec_chan != 0) ? PHY_TYPE_HT : PHY_TYPE_ERP;
405
406 return 0;
407 }
408
409
wpas_beacon_rep_add_frame_body(struct bitfield * eids,enum beacon_report_detail detail,struct wpa_bss * bss,u8 * buf,size_t buf_len,u8 ** ies_buf,size_t * ie_len,int add_fixed)410 static int wpas_beacon_rep_add_frame_body(struct bitfield *eids,
411 enum beacon_report_detail detail,
412 struct wpa_bss *bss, u8 *buf,
413 size_t buf_len, u8 **ies_buf,
414 size_t *ie_len, int add_fixed)
415 {
416 u8 *ies = *ies_buf;
417 size_t ies_len = *ie_len;
418 u8 *pos = buf;
419 int rem_len;
420
421 rem_len = 255 - sizeof(struct rrm_measurement_beacon_report) -
422 sizeof(struct rrm_measurement_report_element) - 2 -
423 REPORTED_FRAME_BODY_SUBELEM_LEN;
424
425 if (detail > BEACON_REPORT_DETAIL_ALL_FIELDS_AND_ELEMENTS) {
426 wpa_printf(MSG_DEBUG,
427 "Beacon Request: Invalid reporting detail: %d",
428 detail);
429 return -1;
430 }
431
432 if (detail == BEACON_REPORT_DETAIL_NONE)
433 return 0;
434
435 /*
436 * Minimal frame body subelement size: EID(1) + length(1) + TSF(8) +
437 * beacon interval(2) + capabilities(2) = 14 bytes
438 */
439 if (add_fixed && buf_len < 14)
440 return -1;
441
442 *pos++ = WLAN_BEACON_REPORT_SUBELEM_FRAME_BODY;
443 /* The length will be filled later */
444 pos++;
445
446 if (add_fixed) {
447 WPA_PUT_LE64(pos, bss->tsf);
448 pos += sizeof(bss->tsf);
449 WPA_PUT_LE16(pos, bss->beacon_int);
450 pos += 2;
451 WPA_PUT_LE16(pos, bss->caps);
452 pos += 2;
453 }
454
455 rem_len -= pos - buf;
456
457 /*
458 * According to IEEE Std 802.11-2016, 9.4.2.22.7, if the reported frame
459 * body subelement causes the element to exceed the maximum element
460 * size, the subelement is truncated so that the last IE is a complete
461 * IE. So even when required to report all IEs, add elements one after
462 * the other and stop once there is no more room in the measurement
463 * element.
464 */
465 while (ies_len > 2 && 2U + ies[1] <= ies_len && rem_len > 0) {
466 if (detail == BEACON_REPORT_DETAIL_ALL_FIELDS_AND_ELEMENTS ||
467 (eids && bitfield_is_set(eids, ies[0]))) {
468 u8 elen = ies[1];
469
470 if (2 + elen > buf + buf_len - pos ||
471 2 + elen > rem_len)
472 break;
473
474 *pos++ = ies[0];
475 *pos++ = elen;
476 os_memcpy(pos, ies + 2, elen);
477 pos += elen;
478 rem_len -= 2 + elen;
479 }
480
481 ies_len -= 2 + ies[1];
482 ies += 2 + ies[1];
483 }
484
485 *ie_len = ies_len;
486 *ies_buf = ies;
487
488 /* Now the length is known */
489 buf[1] = pos - buf - 2;
490 return pos - buf;
491 }
492
493
wpas_add_beacon_rep_elem(struct beacon_rep_data * data,struct wpa_bss * bss,struct wpabuf ** wpa_buf,struct rrm_measurement_beacon_report * rep,u8 ** ie,size_t * ie_len,u8 idx)494 static int wpas_add_beacon_rep_elem(struct beacon_rep_data *data,
495 struct wpa_bss *bss,
496 struct wpabuf **wpa_buf,
497 struct rrm_measurement_beacon_report *rep,
498 u8 **ie, size_t *ie_len, u8 idx)
499 {
500 int ret;
501 u8 *buf, *pos;
502 u32 subelems_len = REPORTED_FRAME_BODY_SUBELEM_LEN +
503 (data->last_indication ?
504 BEACON_REPORT_LAST_INDICATION_SUBELEM_LEN : 0);
505
506 /* Maximum element length: Beacon Report element + Reported Frame Body
507 * subelement + all IEs of the reported Beacon frame + Reported Frame
508 * Body Fragment ID subelement */
509 buf = os_malloc(sizeof(*rep) + 14 + *ie_len + subelems_len);
510 if (!buf)
511 return -1;
512
513 os_memcpy(buf, rep, sizeof(*rep));
514
515 ret = wpas_beacon_rep_add_frame_body(data->eids, data->report_detail,
516 bss, buf + sizeof(*rep),
517 14 + *ie_len, ie, ie_len,
518 idx == 0);
519 if (ret < 0)
520 goto out;
521
522 pos = buf + ret + sizeof(*rep);
523 pos[0] = WLAN_BEACON_REPORT_SUBELEM_FRAME_BODY_FRAGMENT_ID;
524 pos[1] = 2;
525
526 /*
527 * Only one Beacon Report Measurement is supported at a time, so
528 * the Beacon Report ID can always be set to 1.
529 */
530 pos[2] = 1;
531
532 /* Fragment ID Number (bits 0..6) and More Frame Body Fragments (bit 7)
533 */
534 pos[3] = idx;
535 if (data->report_detail != BEACON_REPORT_DETAIL_NONE && *ie_len)
536 pos[3] |= REPORTED_FRAME_BODY_MORE_FRAGMENTS;
537 else
538 pos[3] &= ~REPORTED_FRAME_BODY_MORE_FRAGMENTS;
539
540 pos += REPORTED_FRAME_BODY_SUBELEM_LEN;
541
542 if (data->last_indication) {
543 pos[0] = WLAN_BEACON_REPORT_SUBELEM_LAST_INDICATION;
544 pos[1] = 1;
545
546 /* This field will be updated later if this is the last frame */
547 pos[2] = 0;
548 }
549
550 ret = wpas_rrm_report_elem(wpa_buf, data->token,
551 MEASUREMENT_REPORT_MODE_ACCEPT,
552 MEASURE_TYPE_BEACON, buf,
553 ret + sizeof(*rep) + subelems_len);
554 out:
555 os_free(buf);
556 return ret;
557 }
558
559
wpas_add_beacon_rep(struct wpa_supplicant * wpa_s,struct wpabuf ** wpa_buf,struct wpa_bss * bss,u64 start,u64 parent_tsf)560 static int wpas_add_beacon_rep(struct wpa_supplicant *wpa_s,
561 struct wpabuf **wpa_buf, struct wpa_bss *bss,
562 u64 start, u64 parent_tsf)
563 {
564 struct beacon_rep_data *data = &wpa_s->beacon_rep_data;
565 u8 *ies = (u8 *) (bss + 1);
566 u8 *pos = ies;
567 size_t ies_len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
568 struct rrm_measurement_beacon_report rep;
569 u8 idx = 0;
570
571 if (os_memcmp(data->bssid, broadcast_ether_addr, ETH_ALEN) != 0 &&
572 os_memcmp(data->bssid, bss->bssid, ETH_ALEN) != 0)
573 return 0;
574
575 if (data->ssid_len &&
576 (data->ssid_len != bss->ssid_len ||
577 os_memcmp(data->ssid, bss->ssid, bss->ssid_len) != 0))
578 return 0;
579
580 if (wpas_get_op_chan_phy(bss->channel, ies, ies_len, &rep.op_class,
581 &rep.channel, &rep.report_info) < 0)
582 return 0;
583
584 rep.channel = bss->channel;
585 rep.start_time = host_to_le64(start);
586 rep.duration = host_to_le16(data->scan_params.duration);
587 rep.rcpi = rssi_to_rcpi(bss->level);
588 rep.rsni = 255; /* 255 indicates that RSNI is not available */
589 os_memcpy(rep.bssid, bss->bssid, ETH_ALEN);
590 rep.antenna_id = 0; /* unknown */
591 rep.parent_tsf = host_to_le32(parent_tsf);
592
593 do {
594 int ret;
595
596 ret = wpas_add_beacon_rep_elem(data, bss, wpa_buf, &rep,
597 &pos, &ies_len, idx++);
598 if (ret)
599 return ret;
600 } while (data->report_detail != BEACON_REPORT_DETAIL_NONE &&
601 ies_len >= 2);
602
603 return 0;
604 }
605
606
wpas_beacon_rep_no_results(struct wpa_supplicant * wpa_s,struct wpabuf ** buf)607 static int wpas_beacon_rep_no_results(struct wpa_supplicant *wpa_s,
608 struct wpabuf **buf)
609 {
610 return wpas_rrm_report_elem(buf, wpa_s->beacon_rep_data.token,
611 MEASUREMENT_REPORT_MODE_ACCEPT,
612 MEASURE_TYPE_BEACON, NULL, 0);
613 }
614
615
wpas_beacon_rep_table(struct wpa_supplicant * wpa_s,struct wpabuf ** buf)616 static void wpas_beacon_rep_table(struct wpa_supplicant *wpa_s,
617 struct wpabuf **buf)
618 {
619 size_t i;
620
621 for (i = 0; i < wpa_s->last_scan_res_used; i++) {
622 if (wpas_add_beacon_rep(wpa_s, buf, wpa_s->last_scan_res[i],
623 0, 0) < 0)
624 break;
625 }
626
627 if (!(*buf))
628 wpas_beacon_rep_no_results(wpa_s, buf);
629
630 wpa_hexdump_buf(MSG_DEBUG, "RRM: Radio Measurement report", *buf);
631 }
632
633
wpas_rrm_refuse_request(struct wpa_supplicant * wpa_s)634 static void wpas_rrm_refuse_request(struct wpa_supplicant *wpa_s)
635 {
636 if (!is_multicast_ether_addr(wpa_s->rrm.dst_addr)) {
637 struct wpabuf *buf = NULL;
638
639 if (wpas_rrm_report_elem(&buf, wpa_s->beacon_rep_data.token,
640 MEASUREMENT_REPORT_MODE_REJECT_REFUSED,
641 MEASURE_TYPE_BEACON, NULL, 0)) {
642 wpa_printf(MSG_ERROR, "RRM: Memory allocation failed");
643 wpabuf_free(buf);
644 return;
645 }
646
647 wpas_rrm_send_msr_report(wpa_s, buf);
648 wpabuf_free(buf);
649 }
650
651 wpas_clear_beacon_rep_data(wpa_s);
652 }
653
654
wpas_rrm_scan_timeout(void * eloop_ctx,void * timeout_ctx)655 static void wpas_rrm_scan_timeout(void *eloop_ctx, void *timeout_ctx)
656 {
657 struct wpa_supplicant *wpa_s = eloop_ctx;
658 struct wpa_driver_scan_params *params =
659 &wpa_s->beacon_rep_data.scan_params;
660 u16 prev_duration = params->duration;
661
662 if (!wpa_s->current_bss)
663 return;
664
665 os_get_reltime(&wpa_s->beacon_rep_scan);
666 wpa_s->scan_reason = REASON_RRM_BEACON_REPORT;
667 if (wpa_supplicant_trigger_scan(wpa_s, params) < 0)
668 wpas_rrm_refuse_request(wpa_s);
669 params->duration = prev_duration;
670 }
671
672
wpas_rm_handle_beacon_req_subelem(struct wpa_supplicant * wpa_s,struct beacon_rep_data * data,u8 sid,u8 slen,const u8 * subelem)673 static int wpas_rm_handle_beacon_req_subelem(struct wpa_supplicant *wpa_s,
674 struct beacon_rep_data *data,
675 u8 sid, u8 slen, const u8 *subelem)
676 {
677 u8 report_info, i;
678
679 switch (sid) {
680 case WLAN_BEACON_REQUEST_SUBELEM_SSID:
681 if (!slen) {
682 wpa_printf(MSG_DEBUG,
683 "SSID subelement with zero length - wildcard SSID");
684 break;
685 }
686
687 if (slen > SSID_MAX_LEN) {
688 wpa_printf(MSG_DEBUG,
689 "Invalid SSID subelement length: %u", slen);
690 return -1;
691 }
692
693 data->ssid_len = slen;
694 os_memcpy(data->ssid, subelem, data->ssid_len);
695 break;
696 case WLAN_BEACON_REQUEST_SUBELEM_INFO:
697 if (slen != 2) {
698 wpa_printf(MSG_DEBUG,
699 "Invalid reporting information subelement length: %u",
700 slen);
701 return -1;
702 }
703
704 report_info = subelem[0];
705 if (report_info != 0) {
706 wpa_printf(MSG_DEBUG,
707 "reporting information=%u is not supported",
708 report_info);
709 return 0;
710 }
711 break;
712 case WLAN_BEACON_REQUEST_SUBELEM_DETAIL:
713 if (slen != 1) {
714 wpa_printf(MSG_DEBUG,
715 "Invalid reporting detail subelement length: %u",
716 slen);
717 return -1;
718 }
719
720 data->report_detail = subelem[0];
721 if (data->report_detail >
722 BEACON_REPORT_DETAIL_ALL_FIELDS_AND_ELEMENTS) {
723 wpa_printf(MSG_DEBUG, "Invalid reporting detail: %u",
724 subelem[0]);
725 return -1;
726 }
727
728 break;
729 case WLAN_BEACON_REQUEST_SUBELEM_REQUEST:
730 if (data->report_detail !=
731 BEACON_REPORT_DETAIL_REQUESTED_ONLY) {
732 wpa_printf(MSG_DEBUG,
733 "Beacon request: request subelement is present but report detail is %u",
734 data->report_detail);
735 return -1;
736 }
737
738 if (!slen) {
739 wpa_printf(MSG_DEBUG,
740 "Invalid request subelement length: %u",
741 slen);
742 return -1;
743 }
744
745 if (data->eids) {
746 wpa_printf(MSG_DEBUG,
747 "Beacon Request: Request subelement appears more than once");
748 return -1;
749 }
750
751 data->eids = bitfield_alloc(255);
752 if (!data->eids) {
753 wpa_printf(MSG_DEBUG, "Failed to allocate EIDs bitmap");
754 return -1;
755 }
756
757 for (i = 0; i < slen; i++)
758 bitfield_set(data->eids, subelem[i]);
759 break;
760 case WLAN_BEACON_REQUEST_SUBELEM_AP_CHANNEL:
761 /* Skip - it will be processed when freqs are added */
762 break;
763 case WLAN_BEACON_REQUEST_SUBELEM_LAST_INDICATION:
764 if (slen != 1) {
765 wpa_printf(MSG_DEBUG,
766 "Beacon request: Invalid last indication request subelement length: %u",
767 slen);
768 return -1;
769 }
770
771 data->last_indication = subelem[0];
772 break;
773 default:
774 wpa_printf(MSG_DEBUG,
775 "Beacon request: Unknown subelement id %u", sid);
776 break;
777 }
778
779 return 1;
780 }
781
782
783 /**
784 * Returns 0 if the next element can be processed, 1 if some operation was
785 * triggered, and -1 if processing failed (i.e., the element is in invalid
786 * format or an internal error occurred).
787 */
788 static int
wpas_rm_handle_beacon_req(struct wpa_supplicant * wpa_s,u8 elem_token,int duration_mandatory,const struct rrm_measurement_beacon_request * req,size_t len,struct wpabuf ** buf)789 wpas_rm_handle_beacon_req(struct wpa_supplicant *wpa_s,
790 u8 elem_token, int duration_mandatory,
791 const struct rrm_measurement_beacon_request *req,
792 size_t len, struct wpabuf **buf)
793 {
794 struct beacon_rep_data *data = &wpa_s->beacon_rep_data;
795 struct wpa_driver_scan_params *params = &data->scan_params;
796 const u8 *subelems;
797 size_t elems_len;
798 u16 rand_interval;
799 u32 interval_usec;
800 u32 _rand;
801 int ret = 0, res;
802 u8 reject_mode;
803
804 if (len < sizeof(*req))
805 return -1;
806
807 if (req->mode != BEACON_REPORT_MODE_PASSIVE &&
808 req->mode != BEACON_REPORT_MODE_ACTIVE &&
809 req->mode != BEACON_REPORT_MODE_TABLE)
810 return 0;
811
812 subelems = req->variable;
813 elems_len = len - sizeof(*req);
814 rand_interval = le_to_host16(req->rand_interval);
815
816 os_memset(data, 0, sizeof(*data));
817
818 data->token = elem_token;
819
820 /* default reporting detail is all fixed length fields and all
821 * elements */
822 data->report_detail = BEACON_REPORT_DETAIL_ALL_FIELDS_AND_ELEMENTS;
823 os_memcpy(data->bssid, req->bssid, ETH_ALEN);
824
825 while (elems_len >= 2) {
826 if (subelems[1] > elems_len - 2) {
827 wpa_printf(MSG_DEBUG,
828 "Beacon Request: Truncated subelement");
829 ret = -1;
830 goto out;
831 }
832
833 res = wpas_rm_handle_beacon_req_subelem(
834 wpa_s, data, subelems[0], subelems[1], &subelems[2]);
835 if (res < 0) {
836 ret = res;
837 goto out;
838 } else if (!res) {
839 reject_mode = MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE;
840 goto out_reject;
841 }
842
843 elems_len -= 2 + subelems[1];
844 subelems += 2 + subelems[1];
845 }
846
847 if (req->mode == BEACON_REPORT_MODE_TABLE) {
848 wpas_beacon_rep_table(wpa_s, buf);
849 goto out;
850 }
851 params->channel = req->channel;
852 #ifdef ESP_SUPPLICANT
853 if (params->channel == 0xff) {
854 /* set it to zero */
855 params->channel = 0;
856 }
857 #endif
858 params->duration = le_to_host16(req->duration);
859 params->duration_mandatory = duration_mandatory;
860 params->mode = req->mode;
861 if (!params->duration) {
862 wpa_printf(MSG_DEBUG, "Beacon request: Duration is 0");
863 ret = -1;
864 goto out;
865 }
866
867 if (data->ssid_len) {
868 params->ssids[params->num_ssids].ssid = data->ssid;
869 params->ssids[params->num_ssids++].ssid_len = data->ssid_len;
870 }
871
872 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
873 _rand = os_random();
874 interval_usec = (_rand % (rand_interval + 1)) * 1024;
875 os_sleep(0, interval_usec);
876 wpas_rrm_scan_timeout(wpa_s, NULL);
877 return 1;
878 out_reject:
879 if (!is_multicast_ether_addr(wpa_s->rrm.dst_addr) &&
880 wpas_rrm_report_elem(buf, elem_token, reject_mode,
881 MEASURE_TYPE_BEACON, NULL, 0) < 0) {
882 wpa_printf(MSG_DEBUG, "RRM: Failed to add report element");
883 ret = -1;
884 }
885 out:
886 wpas_clear_beacon_rep_data(wpa_s);
887 return ret;
888 }
889
890
891 static int
wpas_rrm_handle_msr_req_element(struct wpa_supplicant * wpa_s,const struct rrm_measurement_request_element * req,struct wpabuf ** buf)892 wpas_rrm_handle_msr_req_element(
893 struct wpa_supplicant *wpa_s,
894 const struct rrm_measurement_request_element *req,
895 struct wpabuf **buf)
896 {
897 int duration_mandatory;
898
899 wpa_printf(MSG_DEBUG, "Measurement request type %d token %d",
900 req->type, req->token);
901
902 if (req->mode & MEASUREMENT_REQUEST_MODE_ENABLE) {
903 /* Enable bit is not supported for now */
904 wpa_printf(MSG_DEBUG, "RRM: Enable bit not supported, ignore");
905 return 0;
906 }
907
908 if ((req->mode & MEASUREMENT_REQUEST_MODE_PARALLEL) &&
909 req->type > MEASURE_TYPE_RPI_HIST) {
910 /* Parallel measurements are not supported for now */
911 wpa_printf(MSG_DEBUG,
912 "RRM: Parallel measurements are not supported, reject");
913 goto reject;
914 }
915
916 duration_mandatory =
917 !!(req->mode & MEASUREMENT_REQUEST_MODE_DURATION_MANDATORY);
918
919 switch (req->type) {
920 case MEASURE_TYPE_BEACON:
921 return wpas_rm_handle_beacon_req(wpa_s, req->token,
922 duration_mandatory,
923 (const void *) req->variable,
924 req->len - 3, buf);
925 default:
926 wpa_printf(MSG_INFO,
927 "RRM: Unsupported radio measurement type %u",
928 req->type);
929 break;
930 }
931
932 reject:
933 if (!is_multicast_ether_addr(wpa_s->rrm.dst_addr) &&
934 wpas_rrm_report_elem(buf, req->token,
935 MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE,
936 req->type, NULL, 0) < 0) {
937 wpa_printf(MSG_DEBUG, "RRM: Failed to add report element");
938 return -1;
939 }
940
941 return 0;
942 }
943
944
945 static struct wpabuf *
wpas_rrm_process_msr_req_elems(struct wpa_supplicant * wpa_s,const u8 * pos,size_t len)946 wpas_rrm_process_msr_req_elems(struct wpa_supplicant *wpa_s, const u8 *pos,
947 size_t len)
948 {
949 struct wpabuf *buf = NULL;
950
951 while (len) {
952 const struct rrm_measurement_request_element *req;
953 int res;
954
955 if (len < 2) {
956 wpa_printf(MSG_DEBUG, "RRM: Truncated element");
957 goto out;
958 }
959
960 req = (const struct rrm_measurement_request_element *) pos;
961 if (req->eid != WLAN_EID_MEASURE_REQUEST) {
962 wpa_printf(MSG_DEBUG,
963 "RRM: Expected Measurement Request element, but EID is %u",
964 req->eid);
965 printf("len is %d", len);
966 goto out;
967 }
968
969 if (req->len < 3) {
970 wpa_printf(MSG_DEBUG, "RRM: Element length too short");
971 goto out;
972 }
973
974 if (req->len > len - 2) {
975 wpa_printf(MSG_DEBUG, "RRM: Element length too long");
976 goto out;
977 }
978
979 res = wpas_rrm_handle_msr_req_element(wpa_s, req, &buf);
980 if (res < 0)
981 goto out;
982
983 pos += req->len + 2;
984 len -= req->len + 2;
985 }
986
987 return buf;
988
989 out:
990 wpabuf_free(buf);
991 return NULL;
992 }
993
994
wpas_rrm_handle_radio_measurement_request(struct wpa_supplicant * wpa_s,const u8 * src,const u8 * dst,const u8 * frame,size_t len)995 void wpas_rrm_handle_radio_measurement_request(struct wpa_supplicant *wpa_s,
996 const u8 *src, const u8 *dst,
997 const u8 *frame, size_t len)
998 {
999 struct wpabuf *report;
1000
1001 if (!wpa_s->rrm.rrm_used) {
1002 wpa_printf(MSG_INFO,
1003 "RRM: Ignoring radio measurement request: Not RRM network");
1004 return;
1005 }
1006
1007 if (len < 3) {
1008 wpa_printf(MSG_INFO,
1009 "RRM: Ignoring too short radio measurement request");
1010 return;
1011 }
1012
1013 wpa_s->rrm.token = *frame;
1014 os_memcpy(wpa_s->rrm.dst_addr, dst, ETH_ALEN);
1015
1016 /* Number of repetitions is not supported */
1017
1018 report = wpas_rrm_process_msr_req_elems(wpa_s, frame + 3, len - 3);
1019 if (!report)
1020 return;
1021
1022 wpas_rrm_send_msr_report(wpa_s, report);
1023 wpabuf_free(report);
1024 }
1025
1026
wpas_rrm_handle_link_measurement_request(struct wpa_supplicant * wpa_s,const u8 * src,const u8 * frame,size_t len,int rssi)1027 void wpas_rrm_handle_link_measurement_request(struct wpa_supplicant *wpa_s,
1028 const u8 *src,
1029 const u8 *frame, size_t len,
1030 int rssi)
1031 {
1032 struct wpabuf *buf;
1033 const struct rrm_link_measurement_request *req;
1034 struct rrm_link_measurement_report report;
1035
1036 req = (const struct rrm_link_measurement_request *) frame;
1037 if (len < sizeof(*req)) {
1038 wpa_printf(MSG_INFO,
1039 "RRM: Link measurement report failed. Request too short");
1040 return;
1041 }
1042
1043 os_memset(&report, 0, sizeof(report));
1044 report.dialog_token = req->dialog_token;
1045 report.tpc.eid = WLAN_EID_TPC_REPORT;
1046 report.tpc.len = 2;
1047 /* Note: The driver is expected to update report.tpc.tx_power and
1048 * report.tpc.link_margin subfields when sending out this frame.
1049 * Similarly, the driver would need to update report.rx_ant_id and
1050 * report.tx_ant_id subfields. */
1051
1052 #ifdef ESP_SUPPLICANT
1053 esp_get_tx_power(&report.tpc.tx_power);
1054 /* Minimum RSSI = -96 dbm */
1055 report.tpc.link_margin = rssi + 96;
1056 #endif
1057 report.rsni = 255; /* 255 indicates that RSNI is not available */
1058 report.rcpi = rssi_to_rcpi(rssi);
1059
1060 /* action_category + action_code */
1061 buf = wpabuf_alloc(2 + sizeof(report));
1062 if (buf == NULL) {
1063 wpa_printf(MSG_ERROR,
1064 "RRM: Link measurement report failed. Buffer allocation failed");
1065 return;
1066 }
1067
1068 wpabuf_put_u8(buf, WLAN_ACTION_RADIO_MEASUREMENT);
1069 wpabuf_put_u8(buf, WLAN_RRM_LINK_MEASUREMENT_REPORT);
1070 wpabuf_put_data(buf, &report, sizeof(report));
1071 wpa_hexdump_buf(MSG_DEBUG, "RRM: Link measurement report", buf);
1072
1073 if (wpa_drv_send_action(wpa_s, 0, 0,
1074 wpabuf_head(buf), wpabuf_len(buf), 0)) {
1075 wpa_printf(MSG_ERROR,
1076 "RRM: Link measurement report failed. Send action failed");
1077 }
1078 wpabuf_free(buf);
1079 }
1080
1081
wpas_beacon_rep_scan_process(struct wpa_supplicant * wpa_s,u64 scan_start_tsf)1082 int wpas_beacon_rep_scan_process(struct wpa_supplicant *wpa_s,
1083 u64 scan_start_tsf)
1084 {
1085 size_t i = 0;
1086 struct wpabuf *buf = NULL;
1087 struct wpa_bss *bss = NULL;
1088
1089 if (!wpa_s->beacon_rep_data.token)
1090 return 0;
1091
1092 if (!wpa_s->current_bss)
1093 goto out;
1094
1095 wpa_printf(MSG_DEBUG, "RRM: TSF current BSS: " MACSTR,
1096 MAC2STR(wpa_s->current_bss->bssid));
1097
1098 for (i = 0; i < wpa_s->num_bss; i++) {
1099 bss = wpa_bss_get_next_bss(wpa_s, bss);
1100
1101 if (!bss)
1102 continue;
1103
1104 if (wpa_s->beacon_rep_data.scan_params.channel &&
1105 bss->channel != wpa_s->beacon_rep_data.scan_params.channel)
1106 continue;
1107 /* We flush scan results before issuing scan again */
1108 #ifndef ESP_SUPPLICANT
1109 /*
1110 * Don't report results that were not received during the
1111 * current measurement.
1112 */
1113 if (scan_start_tsf <
1114 scan_res->res[i]->parent_tsf) {
1115 struct os_reltime update_time, diff;
1116
1117 /* For now, allow 7 ms older results due to some
1118 * unknown issue with cfg80211 BSS table updates during
1119 * a scan with the current BSS.
1120 * TODO: Fix this more properly to avoid having to have
1121 * this type of hacks in place. */
1122 calculate_update_time(&scan_res->fetch_time,
1123 scan_res->res[i]->age,
1124 &update_time);
1125 os_reltime_sub(&wpa_s->beacon_rep_scan,
1126 &update_time, &diff);
1127 if (os_reltime_before(&update_time,
1128 &wpa_s->beacon_rep_scan) &&
1129 (diff.sec || diff.usec >= 8000)) {
1130 wpa_printf(MSG_ERROR,
1131 "RRM: Ignore scan result for " MACSTR
1132 " due to old update (age(ms) %u, calculated age %u.%06u seconds)",
1133 MAC2STR(scan_res->res[i]->bssid),
1134 scan_res->res[i]->age,
1135 (unsigned int) diff.sec,
1136 (unsigned int) diff.usec);
1137 continue;
1138 }
1139 } else {
1140 continue;
1141 }
1142 #endif
1143 if (wpas_add_beacon_rep(wpa_s, &buf, bss, scan_start_tsf,
1144 bss->parent_tsf) < 0)
1145 break;
1146 }
1147
1148 if (!buf && wpas_beacon_rep_no_results(wpa_s, &buf))
1149 goto out;
1150
1151 wpa_hexdump_buf(MSG_DEBUG, "RRM: Radio Measurement report", buf);
1152
1153 wpas_rrm_send_msr_report(wpa_s, buf);
1154 wpabuf_free(buf);
1155
1156 out:
1157 wpas_clear_beacon_rep_data(wpa_s);
1158 return 1;
1159 }
1160
1161
wpas_clear_beacon_rep_data(struct wpa_supplicant * wpa_s)1162 void wpas_clear_beacon_rep_data(struct wpa_supplicant *wpa_s)
1163 {
1164 struct beacon_rep_data *data = &wpa_s->beacon_rep_data;
1165
1166 eloop_cancel_timeout(wpas_rrm_scan_timeout, wpa_s, NULL);
1167 bitfield_free(data->eids);
1168 os_memset(data, 0, sizeof(*data));
1169 }
1170
