1 /*
2  * BSS table
3  * Copyright (c) 2009-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "drivers/driver.h"
15 #include "eap_peer/eap.h"
16 #include "rsn_supp/wpa.h"
17 #include "wpa_supplicant_i.h"
18 #include "config.h"
19 #include "notify.h"
20 #include "scan.h"
21 #include "bssid_ignore.h"
22 #include "bss.h"
23 
wpa_bss_set_hessid(struct wpa_bss * bss)24 static void wpa_bss_set_hessid(struct wpa_bss *bss)
25 {
26 #ifdef CONFIG_INTERWORKING
27 	const u8 *ie = wpa_bss_get_ie(bss, WLAN_EID_INTERWORKING);
28 	if (ie == NULL || (ie[1] != 7 && ie[1] != 9)) {
29 		os_memset(bss->hessid, 0, ETH_ALEN);
30 		return;
31 	}
32 	if (ie[1] == 7)
33 		os_memcpy(bss->hessid, ie + 3, ETH_ALEN);
34 	else
35 		os_memcpy(bss->hessid, ie + 5, ETH_ALEN);
36 #endif /* CONFIG_INTERWORKING */
37 }
38 
39 
40 /**
41  * wpa_bss_anqp_alloc - Allocate ANQP data structure for a BSS entry
42  * Returns: Allocated ANQP data structure or %NULL on failure
43  *
44  * The allocated ANQP data structure has its users count set to 1. It may be
45  * shared by multiple BSS entries and each shared entry is freed with
46  * wpa_bss_anqp_free().
47  */
wpa_bss_anqp_alloc(void)48 struct wpa_bss_anqp * wpa_bss_anqp_alloc(void)
49 {
50 	struct wpa_bss_anqp *anqp;
51 	anqp = os_zalloc(sizeof(*anqp));
52 	if (anqp == NULL)
53 		return NULL;
54 #ifdef CONFIG_INTERWORKING
55 	dl_list_init(&anqp->anqp_elems);
56 #endif /* CONFIG_INTERWORKING */
57 	anqp->users = 1;
58 	return anqp;
59 }
60 
61 
62 /**
63  * wpa_bss_anqp_clone - Clone an ANQP data structure
64  * @anqp: ANQP data structure from wpa_bss_anqp_alloc()
65  * Returns: Cloned ANQP data structure or %NULL on failure
66  */
wpa_bss_anqp_clone(struct wpa_bss_anqp * anqp)67 static struct wpa_bss_anqp * wpa_bss_anqp_clone(struct wpa_bss_anqp *anqp)
68 {
69 	struct wpa_bss_anqp *n;
70 
71 	n = os_zalloc(sizeof(*n));
72 	if (n == NULL)
73 		return NULL;
74 
75 #define ANQP_DUP(f) if (anqp->f) n->f = wpabuf_dup(anqp->f)
76 #ifdef CONFIG_INTERWORKING
77 	dl_list_init(&n->anqp_elems);
78 	ANQP_DUP(capability_list);
79 	ANQP_DUP(venue_name);
80 	ANQP_DUP(network_auth_type);
81 	ANQP_DUP(roaming_consortium);
82 	ANQP_DUP(ip_addr_type_availability);
83 	ANQP_DUP(nai_realm);
84 	ANQP_DUP(anqp_3gpp);
85 	ANQP_DUP(domain_name);
86 	ANQP_DUP(fils_realm_info);
87 #endif /* CONFIG_INTERWORKING */
88 #ifdef CONFIG_HS20
89 	ANQP_DUP(hs20_capability_list);
90 	ANQP_DUP(hs20_operator_friendly_name);
91 	ANQP_DUP(hs20_wan_metrics);
92 	ANQP_DUP(hs20_connection_capability);
93 	ANQP_DUP(hs20_operating_class);
94 	ANQP_DUP(hs20_osu_providers_list);
95 	ANQP_DUP(hs20_operator_icon_metadata);
96 	ANQP_DUP(hs20_osu_providers_nai_list);
97 #endif /* CONFIG_HS20 */
98 #undef ANQP_DUP
99 
100 	return n;
101 }
102 
103 
104 /**
105  * wpa_bss_anqp_unshare_alloc - Unshare ANQP data (if shared) in a BSS entry
106  * @bss: BSS entry
107  * Returns: 0 on success, -1 on failure
108  *
109  * This function ensures the specific BSS entry has an ANQP data structure that
110  * is not shared with any other BSS entry.
111  */
wpa_bss_anqp_unshare_alloc(struct wpa_bss * bss)112 int wpa_bss_anqp_unshare_alloc(struct wpa_bss *bss)
113 {
114 	struct wpa_bss_anqp *anqp;
115 
116 	if (bss->anqp && bss->anqp->users > 1) {
117 		/* allocated, but shared - clone an unshared copy */
118 		anqp = wpa_bss_anqp_clone(bss->anqp);
119 		if (anqp == NULL)
120 			return -1;
121 		anqp->users = 1;
122 		bss->anqp->users--;
123 		bss->anqp = anqp;
124 		return 0;
125 	}
126 
127 	if (bss->anqp)
128 		return 0; /* already allocated and not shared */
129 
130 	/* not allocated - allocate a new storage area */
131 	bss->anqp = wpa_bss_anqp_alloc();
132 	return bss->anqp ? 0 : -1;
133 }
134 
135 
136 /**
137  * wpa_bss_anqp_free - Free an ANQP data structure
138  * @anqp: ANQP data structure from wpa_bss_anqp_alloc() or wpa_bss_anqp_clone()
139  */
wpa_bss_anqp_free(struct wpa_bss_anqp * anqp)140 static void wpa_bss_anqp_free(struct wpa_bss_anqp *anqp)
141 {
142 #ifdef CONFIG_INTERWORKING
143 	struct wpa_bss_anqp_elem *elem;
144 #endif /* CONFIG_INTERWORKING */
145 
146 	if (anqp == NULL)
147 		return;
148 
149 	anqp->users--;
150 	if (anqp->users > 0) {
151 		/* Another BSS entry holds a pointer to this ANQP info */
152 		return;
153 	}
154 
155 #ifdef CONFIG_INTERWORKING
156 	wpabuf_free(anqp->capability_list);
157 	wpabuf_free(anqp->venue_name);
158 	wpabuf_free(anqp->network_auth_type);
159 	wpabuf_free(anqp->roaming_consortium);
160 	wpabuf_free(anqp->ip_addr_type_availability);
161 	wpabuf_free(anqp->nai_realm);
162 	wpabuf_free(anqp->anqp_3gpp);
163 	wpabuf_free(anqp->domain_name);
164 	wpabuf_free(anqp->fils_realm_info);
165 
166 	while ((elem = dl_list_first(&anqp->anqp_elems,
167 				     struct wpa_bss_anqp_elem, list))) {
168 		dl_list_del(&elem->list);
169 		wpabuf_free(elem->payload);
170 		os_free(elem);
171 	}
172 #endif /* CONFIG_INTERWORKING */
173 #ifdef CONFIG_HS20
174 	wpabuf_free(anqp->hs20_capability_list);
175 	wpabuf_free(anqp->hs20_operator_friendly_name);
176 	wpabuf_free(anqp->hs20_wan_metrics);
177 	wpabuf_free(anqp->hs20_connection_capability);
178 	wpabuf_free(anqp->hs20_operating_class);
179 	wpabuf_free(anqp->hs20_osu_providers_list);
180 	wpabuf_free(anqp->hs20_operator_icon_metadata);
181 	wpabuf_free(anqp->hs20_osu_providers_nai_list);
182 #endif /* CONFIG_HS20 */
183 
184 	os_free(anqp);
185 }
186 
187 static struct wpa_connect_work *
wpa_bss_check_pending_connect(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)188 wpa_bss_check_pending_connect(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
189 {
190 	struct wpa_radio_work *work;
191 	struct wpa_connect_work *cwork;
192 
193 	work = radio_work_pending(wpa_s, "sme-connect");
194 	if (!work)
195 		work = radio_work_pending(wpa_s, "connect");
196 	if (!work)
197 		return NULL;
198 
199 	cwork = work->ctx;
200 	if (cwork->bss != bss)
201 		return NULL;
202 
203 	return cwork;
204 }
205 
wpa_bss_update_pending_connect(struct wpa_connect_work * cwork,struct wpa_bss * new_bss)206 static void wpa_bss_update_pending_connect(struct wpa_connect_work *cwork,
207 					   struct wpa_bss *new_bss)
208 {
209 	wpa_printf(MSG_DEBUG,
210 		   "Update BSS pointer for the pending connect radio work");
211 	cwork->bss = new_bss;
212 	if (!new_bss)
213 		cwork->bss_removed = 1;
214 }
215 
216 
wpa_bss_remove(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,const char * reason)217 void wpa_bss_remove(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
218 		    const char *reason)
219 {
220 	struct wpa_connect_work *cwork;
221 
222 	if (wpa_s->last_scan_res) {
223 		unsigned int i;
224 		for (i = 0; i < wpa_s->last_scan_res_used; i++) {
225 			if (wpa_s->last_scan_res[i] == bss) {
226 				os_memmove(&wpa_s->last_scan_res[i],
227 					   &wpa_s->last_scan_res[i + 1],
228 					   (wpa_s->last_scan_res_used - i - 1)
229 					   * sizeof(struct wpa_bss *));
230 				wpa_s->last_scan_res_used--;
231 				break;
232 			}
233 		}
234 	}
235 	cwork = wpa_bss_check_pending_connect(wpa_s, bss);
236 	if (cwork)
237 		wpa_bss_update_pending_connect(cwork, NULL);
238 	dl_list_del(&bss->list);
239 	dl_list_del(&bss->list_id);
240 	wpa_s->num_bss--;
241 	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Remove id %u BSSID " MACSTR
242 		" SSID '%s' due to %s", bss->id, MAC2STR(bss->bssid),
243 		wpa_ssid_txt(bss->ssid, bss->ssid_len), reason);
244 	wpas_notify_bss_removed(wpa_s, bss->bssid, bss->id);
245 	wpa_bss_anqp_free(bss->anqp);
246 	os_free(bss);
247 }
248 
249 
250 /**
251  * wpa_bss_get - Fetch a BSS table entry based on BSSID and SSID
252  * @wpa_s: Pointer to wpa_supplicant data
253  * @bssid: BSSID, or %NULL to match any BSSID
254  * @ssid: SSID
255  * @ssid_len: Length of @ssid
256  * Returns: Pointer to the BSS entry or %NULL if not found
257  */
wpa_bss_get(struct wpa_supplicant * wpa_s,const u8 * bssid,const u8 * ssid,size_t ssid_len)258 struct wpa_bss * wpa_bss_get(struct wpa_supplicant *wpa_s, const u8 *bssid,
259 			     const u8 *ssid, size_t ssid_len)
260 {
261 	struct wpa_bss *bss;
262 
263 	if (bssid && !wpa_supplicant_filter_bssid_match(wpa_s, bssid))
264 		return NULL;
265 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
266 		if ((!bssid || ether_addr_equal(bss->bssid, bssid)) &&
267 		    bss->ssid_len == ssid_len &&
268 		    os_memcmp(bss->ssid, ssid, ssid_len) == 0)
269 			return bss;
270 	}
271 	return NULL;
272 }
273 
274 
calculate_update_time(const struct os_reltime * fetch_time,unsigned int age_ms,struct os_reltime * update_time)275 void calculate_update_time(const struct os_reltime *fetch_time,
276 			   unsigned int age_ms,
277 			   struct os_reltime *update_time)
278 {
279 	os_time_t usec;
280 
281 	update_time->sec = fetch_time->sec;
282 	update_time->usec = fetch_time->usec;
283 	update_time->sec -= age_ms / 1000;
284 	usec = (age_ms % 1000) * 1000;
285 	if (update_time->usec < usec) {
286 		update_time->sec--;
287 		update_time->usec += 1000000;
288 	}
289 	update_time->usec -= usec;
290 }
291 
292 
wpa_bss_copy_res(struct wpa_bss * dst,struct wpa_scan_res * src,struct os_reltime * fetch_time)293 static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
294 			     struct os_reltime *fetch_time)
295 {
296 	dst->flags = src->flags;
297 	os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
298 	dst->freq = src->freq;
299 	dst->max_cw = src->max_cw;
300 	dst->beacon_int = src->beacon_int;
301 	dst->caps = src->caps;
302 	dst->qual = src->qual;
303 	dst->noise = src->noise;
304 	dst->level = src->level;
305 	dst->tsf = src->tsf;
306 	dst->beacon_newer = src->beacon_newer;
307 	dst->est_throughput = src->est_throughput;
308 	dst->snr = src->snr;
309 
310 	calculate_update_time(fetch_time, src->age, &dst->last_update);
311 }
312 
313 
wpa_bss_is_wps_candidate(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)314 static int wpa_bss_is_wps_candidate(struct wpa_supplicant *wpa_s,
315 				    struct wpa_bss *bss)
316 {
317 #ifdef CONFIG_WPS
318 	struct wpa_ssid *ssid;
319 	struct wpabuf *wps_ie;
320 	int pbc = 0, ret;
321 
322 	wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
323 	if (!wps_ie)
324 		return 0;
325 
326 	if (wps_is_selected_pbc_registrar(wps_ie)) {
327 		pbc = 1;
328 	} else if (!wps_is_addr_authorized(wps_ie, wpa_s->own_addr, 1)) {
329 		wpabuf_free(wps_ie);
330 		return 0;
331 	}
332 
333 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
334 		if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
335 			continue;
336 		if (ssid->ssid_len &&
337 		    (ssid->ssid_len != bss->ssid_len ||
338 		     os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) != 0))
339 			continue;
340 
341 		if (pbc)
342 			ret = eap_is_wps_pbc_enrollee(&ssid->eap);
343 		else
344 			ret = eap_is_wps_pin_enrollee(&ssid->eap);
345 		wpabuf_free(wps_ie);
346 		return ret;
347 	}
348 	wpabuf_free(wps_ie);
349 #endif /* CONFIG_WPS */
350 
351 	return 0;
352 }
353 
354 
is_p2p_pending_bss(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)355 static bool is_p2p_pending_bss(struct wpa_supplicant *wpa_s,
356 			       struct wpa_bss *bss)
357 {
358 #ifdef CONFIG_P2P
359 	u8 addr[ETH_ALEN];
360 
361 	if (ether_addr_equal(bss->bssid, wpa_s->pending_join_iface_addr))
362 		return true;
363 	if (!is_zero_ether_addr(wpa_s->pending_join_dev_addr) &&
364 	    p2p_parse_dev_addr(wpa_bss_ie_ptr(bss), bss->ie_len, addr) == 0 &&
365 	    ether_addr_equal(addr, wpa_s->pending_join_dev_addr))
366 		return true;
367 #endif /* CONFIG_P2P */
368 	return false;
369 }
370 
371 
wpa_bss_known(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)372 static int wpa_bss_known(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
373 {
374 	struct wpa_ssid *ssid;
375 
376 	if (is_p2p_pending_bss(wpa_s, bss))
377 		return 1;
378 
379 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
380 		if (ssid->ssid == NULL || ssid->ssid_len == 0)
381 			continue;
382 		if (ssid->ssid_len == bss->ssid_len &&
383 		    os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) == 0)
384 			return 1;
385 	}
386 
387 	return 0;
388 }
389 
390 
wpa_bss_in_use(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)391 static int wpa_bss_in_use(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
392 {
393 	int i;
394 
395 	if (bss == wpa_s->current_bss)
396 		return 1;
397 
398 	if (bss == wpa_s->ml_connect_probe_bss)
399 		return 1;
400 
401 #ifdef CONFIG_WNM
402 	if (bss == wpa_s->wnm_target_bss)
403 		return 1;
404 #endif /* CONFIG_WNM */
405 
406 	if (wpa_s->current_bss &&
407 	    (bss->ssid_len != wpa_s->current_bss->ssid_len ||
408 	     os_memcmp(bss->ssid, wpa_s->current_bss->ssid,
409 		       bss->ssid_len) != 0))
410 		return 0; /* SSID has changed */
411 
412 	if (!is_zero_ether_addr(bss->bssid) &&
413 	    (ether_addr_equal(bss->bssid, wpa_s->bssid) ||
414 	     ether_addr_equal(bss->bssid, wpa_s->pending_bssid)))
415 		return 1;
416 
417 	if (!wpa_s->valid_links)
418 		return 0;
419 
420 	for_each_link(wpa_s->valid_links, i) {
421 		if (ether_addr_equal(bss->bssid, wpa_s->links[i].bssid))
422 			return 1;
423 	}
424 
425 	return 0;
426 }
427 
428 
wpa_bss_remove_oldest_unknown(struct wpa_supplicant * wpa_s)429 static int wpa_bss_remove_oldest_unknown(struct wpa_supplicant *wpa_s)
430 {
431 	struct wpa_bss *bss;
432 
433 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
434 		if (!wpa_bss_known(wpa_s, bss) &&
435 		    !wpa_bss_is_wps_candidate(wpa_s, bss)) {
436 			wpa_bss_remove(wpa_s, bss, __func__);
437 			return 0;
438 		}
439 	}
440 
441 	return -1;
442 }
443 
444 
wpa_bss_remove_oldest(struct wpa_supplicant * wpa_s)445 static int wpa_bss_remove_oldest(struct wpa_supplicant *wpa_s)
446 {
447 	struct wpa_bss *bss;
448 
449 	/*
450 	 * Remove the oldest entry that does not match with any configured
451 	 * network.
452 	 */
453 	if (wpa_bss_remove_oldest_unknown(wpa_s) == 0)
454 		return 0;
455 
456 	/*
457 	 * Remove the oldest entry that isn't currently in use.
458 	 */
459 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
460 		if (!wpa_bss_in_use(wpa_s, bss)) {
461 			wpa_bss_remove(wpa_s, bss, __func__);
462 			return 0;
463 		}
464 	}
465 
466 	return -1;
467 }
468 
469 
wpa_bss_add(struct wpa_supplicant * wpa_s,const u8 * ssid,size_t ssid_len,struct wpa_scan_res * res,struct os_reltime * fetch_time)470 static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s,
471 				    const u8 *ssid, size_t ssid_len,
472 				    struct wpa_scan_res *res,
473 				    struct os_reltime *fetch_time)
474 {
475 	struct wpa_bss *bss;
476 	char extra[100];
477 	const u8 *ml_ie;
478 	char *pos, *end;
479 	int ret = 0;
480 	const u8 *mld_addr;
481 
482 	bss = os_zalloc(sizeof(*bss) + res->ie_len + res->beacon_ie_len);
483 	if (bss == NULL)
484 		return NULL;
485 	bss->id = wpa_s->bss_next_id++;
486 	bss->last_update_idx = wpa_s->bss_update_idx;
487 	wpa_bss_copy_res(bss, res, fetch_time);
488 	os_memcpy(bss->ssid, ssid, ssid_len);
489 	bss->ssid_len = ssid_len;
490 	bss->ie_len = res->ie_len;
491 	bss->beacon_ie_len = res->beacon_ie_len;
492 	os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);
493 	wpa_bss_set_hessid(bss);
494 
495 	os_memset(bss->mld_addr, 0, ETH_ALEN);
496 	ml_ie = wpa_scan_get_ml_ie(res, MULTI_LINK_CONTROL_TYPE_BASIC);
497 	if (ml_ie) {
498 		mld_addr = get_basic_mle_mld_addr(&ml_ie[3], ml_ie[1] - 1);
499 		if (mld_addr)
500 			os_memcpy(bss->mld_addr, mld_addr, ETH_ALEN);
501 	}
502 
503 	if (wpa_s->num_bss + 1 > wpa_s->conf->bss_max_count &&
504 	    wpa_bss_remove_oldest(wpa_s) != 0) {
505 		wpa_printf(MSG_ERROR, "Increasing the MAX BSS count to %d "
506 			   "because all BSSes are in use. We should normally "
507 			   "not get here!", (int) wpa_s->num_bss + 1);
508 		wpa_s->conf->bss_max_count = wpa_s->num_bss + 1;
509 	}
510 
511 	dl_list_add_tail(&wpa_s->bss, &bss->list);
512 	dl_list_add_tail(&wpa_s->bss_id, &bss->list_id);
513 	wpa_s->num_bss++;
514 
515 	extra[0] = '\0';
516 	pos = extra;
517 	end = pos + sizeof(extra);
518 	if (!is_zero_ether_addr(bss->hessid))
519 		ret = os_snprintf(pos, end - pos, " HESSID " MACSTR,
520 				  MAC2STR(bss->hessid));
521 
522 	if (!is_zero_ether_addr(bss->mld_addr) &&
523 	    !os_snprintf_error(end - pos, ret)) {
524 		pos += ret;
525 		ret = os_snprintf(pos, end - pos, " MLD ADDR " MACSTR,
526 				  MAC2STR(bss->mld_addr));
527 	}
528 
529 	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Add new id %u BSSID " MACSTR
530 		" SSID '%s' freq %d%s",
531 		bss->id, MAC2STR(bss->bssid), wpa_ssid_txt(ssid, ssid_len),
532 		bss->freq, extra);
533 	wpas_notify_bss_added(wpa_s, bss->bssid, bss->id);
534 	return bss;
535 }
536 
537 
are_ies_equal(const struct wpa_bss * old,const struct wpa_scan_res * new_res,u32 ie)538 static int are_ies_equal(const struct wpa_bss *old,
539 			 const struct wpa_scan_res *new_res, u32 ie)
540 {
541 	const u8 *old_ie, *new_ie;
542 	struct wpabuf *old_ie_buff = NULL;
543 	struct wpabuf *new_ie_buff = NULL;
544 	int new_ie_len, old_ie_len, ret, is_multi;
545 
546 	switch (ie) {
547 	case WPA_IE_VENDOR_TYPE:
548 		old_ie = wpa_bss_get_vendor_ie(old, ie);
549 		new_ie = wpa_scan_get_vendor_ie(new_res, ie);
550 		is_multi = 0;
551 		break;
552 	case WPS_IE_VENDOR_TYPE:
553 		old_ie_buff = wpa_bss_get_vendor_ie_multi(old, ie);
554 		new_ie_buff = wpa_scan_get_vendor_ie_multi(new_res, ie);
555 		is_multi = 1;
556 		break;
557 	case WLAN_EID_RSN:
558 	case WLAN_EID_SUPP_RATES:
559 	case WLAN_EID_EXT_SUPP_RATES:
560 		old_ie = wpa_bss_get_ie(old, ie);
561 		new_ie = wpa_scan_get_ie(new_res, ie);
562 		is_multi = 0;
563 		break;
564 	default:
565 		wpa_printf(MSG_DEBUG, "bss: %s: cannot compare IEs", __func__);
566 		return 0;
567 	}
568 
569 	if (is_multi) {
570 		/* in case of multiple IEs stored in buffer */
571 		old_ie = old_ie_buff ? wpabuf_head_u8(old_ie_buff) : NULL;
572 		new_ie = new_ie_buff ? wpabuf_head_u8(new_ie_buff) : NULL;
573 		old_ie_len = old_ie_buff ? wpabuf_len(old_ie_buff) : 0;
574 		new_ie_len = new_ie_buff ? wpabuf_len(new_ie_buff) : 0;
575 	} else {
576 		/* in case of single IE */
577 		old_ie_len = old_ie ? old_ie[1] + 2 : 0;
578 		new_ie_len = new_ie ? new_ie[1] + 2 : 0;
579 	}
580 
581 	if (!old_ie || !new_ie)
582 		ret = !old_ie && !new_ie;
583 	else
584 		ret = (old_ie_len == new_ie_len &&
585 		       os_memcmp(old_ie, new_ie, old_ie_len) == 0);
586 
587 	wpabuf_free(old_ie_buff);
588 	wpabuf_free(new_ie_buff);
589 
590 	return ret;
591 }
592 
593 
wpa_bss_compare_res(const struct wpa_bss * old,const struct wpa_scan_res * new_res)594 static u32 wpa_bss_compare_res(const struct wpa_bss *old,
595 			       const struct wpa_scan_res *new_res)
596 {
597 	u32 changes = 0;
598 	int caps_diff = old->caps ^ new_res->caps;
599 
600 	if (old->freq != new_res->freq)
601 		changes |= WPA_BSS_FREQ_CHANGED_FLAG;
602 
603 	if (old->level != new_res->level)
604 		changes |= WPA_BSS_SIGNAL_CHANGED_FLAG;
605 
606 	if (caps_diff & IEEE80211_CAP_PRIVACY)
607 		changes |= WPA_BSS_PRIVACY_CHANGED_FLAG;
608 
609 	if (caps_diff & IEEE80211_CAP_IBSS)
610 		changes |= WPA_BSS_MODE_CHANGED_FLAG;
611 
612 	if (old->ie_len == new_res->ie_len &&
613 	    os_memcmp(wpa_bss_ie_ptr(old), new_res + 1, old->ie_len) == 0)
614 		return changes;
615 	changes |= WPA_BSS_IES_CHANGED_FLAG;
616 
617 	if (!are_ies_equal(old, new_res, WPA_IE_VENDOR_TYPE))
618 		changes |= WPA_BSS_WPAIE_CHANGED_FLAG;
619 
620 	if (!are_ies_equal(old, new_res, WLAN_EID_RSN))
621 		changes |= WPA_BSS_RSNIE_CHANGED_FLAG;
622 
623 	if (!are_ies_equal(old, new_res, WPS_IE_VENDOR_TYPE))
624 		changes |= WPA_BSS_WPS_CHANGED_FLAG;
625 
626 	if (!are_ies_equal(old, new_res, WLAN_EID_SUPP_RATES) ||
627 	    !are_ies_equal(old, new_res, WLAN_EID_EXT_SUPP_RATES))
628 		changes |= WPA_BSS_RATES_CHANGED_FLAG;
629 
630 	return changes;
631 }
632 
633 
notify_bss_changes(struct wpa_supplicant * wpa_s,u32 changes,const struct wpa_bss * bss)634 void notify_bss_changes(struct wpa_supplicant *wpa_s, u32 changes,
635 			const struct wpa_bss *bss)
636 {
637 	if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
638 		wpas_notify_bss_freq_changed(wpa_s, bss->id);
639 
640 	if (changes & WPA_BSS_SIGNAL_CHANGED_FLAG)
641 		wpas_notify_bss_signal_changed(wpa_s, bss->id);
642 
643 	if (changes & WPA_BSS_PRIVACY_CHANGED_FLAG)
644 		wpas_notify_bss_privacy_changed(wpa_s, bss->id);
645 
646 	if (changes & WPA_BSS_MODE_CHANGED_FLAG)
647 		wpas_notify_bss_mode_changed(wpa_s, bss->id);
648 
649 	if (changes & WPA_BSS_WPAIE_CHANGED_FLAG)
650 		wpas_notify_bss_wpaie_changed(wpa_s, bss->id);
651 
652 	if (changes & WPA_BSS_RSNIE_CHANGED_FLAG)
653 		wpas_notify_bss_rsnie_changed(wpa_s, bss->id);
654 
655 	if (changes & WPA_BSS_WPS_CHANGED_FLAG)
656 		wpas_notify_bss_wps_changed(wpa_s, bss->id);
657 
658 	if (changes & WPA_BSS_IES_CHANGED_FLAG)
659 		wpas_notify_bss_ies_changed(wpa_s, bss->id);
660 
661 	if (changes & WPA_BSS_RATES_CHANGED_FLAG)
662 		wpas_notify_bss_rates_changed(wpa_s, bss->id);
663 
664 	wpas_notify_bss_seen(wpa_s, bss->id);
665 }
666 
667 
668 static struct wpa_bss *
wpa_bss_update(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,struct wpa_scan_res * res,struct os_reltime * fetch_time)669 wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
670 	       struct wpa_scan_res *res, struct os_reltime *fetch_time)
671 {
672 	u32 changes;
673 
674 	if (bss->last_update_idx == wpa_s->bss_update_idx) {
675 		struct os_reltime update_time;
676 
677 		/*
678 		 * Some drivers (e.g., cfg80211) include multiple BSS entries
679 		 * for the same BSS if that BSS's channel changes. The BSS list
680 		 * implementation in wpa_supplicant does not do that and we need
681 		 * to filter out the obsolete results here to make sure only the
682 		 * most current BSS information remains in the table.
683 		 */
684 		wpa_printf(MSG_DEBUG, "BSS: " MACSTR
685 			   " has multiple entries in the scan results - select the most current one",
686 			   MAC2STR(bss->bssid));
687 		calculate_update_time(fetch_time, res->age, &update_time);
688 		wpa_printf(MSG_DEBUG,
689 			   "Previous last_update: %u.%06u (freq %d%s)",
690 			   (unsigned int) bss->last_update.sec,
691 			   (unsigned int) bss->last_update.usec,
692 			   bss->freq,
693 			   (bss->flags & WPA_BSS_ASSOCIATED) ? " assoc" : "");
694 		wpa_printf(MSG_DEBUG, "New last_update: %u.%06u (freq %d%s)",
695 			   (unsigned int) update_time.sec,
696 			   (unsigned int) update_time.usec,
697 			   res->freq,
698 			   (res->flags & WPA_SCAN_ASSOCIATED) ? " assoc" : "");
699 		if ((bss->flags & WPA_BSS_ASSOCIATED) ||
700 		    (!(res->flags & WPA_SCAN_ASSOCIATED) &&
701 		     !os_reltime_before(&bss->last_update, &update_time))) {
702 			wpa_printf(MSG_DEBUG,
703 				   "Ignore this BSS entry since the previous update looks more current");
704 			return bss;
705 		}
706 		wpa_printf(MSG_DEBUG,
707 			   "Accept this BSS entry since it looks more current than the previous update");
708 	}
709 
710 	changes = wpa_bss_compare_res(bss, res);
711 	if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
712 		wpa_printf(MSG_DEBUG, "BSS: " MACSTR " changed freq %d --> %d",
713 			   MAC2STR(bss->bssid), bss->freq, res->freq);
714 	bss->scan_miss_count = 0;
715 	bss->last_update_idx = wpa_s->bss_update_idx;
716 	wpa_bss_copy_res(bss, res, fetch_time);
717 	/* Move the entry to the end of the list */
718 	dl_list_del(&bss->list);
719 #ifdef CONFIG_P2P
720 	if (wpa_bss_get_vendor_ie(bss, P2P_IE_VENDOR_TYPE) &&
721 	    !wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE) &&
722 	    !(changes & WPA_BSS_FREQ_CHANGED_FLAG)) {
723 		/*
724 		 * This can happen when non-P2P station interface runs a scan
725 		 * without P2P IE in the Probe Request frame. P2P GO would reply
726 		 * to that with a Probe Response that does not include P2P IE.
727 		 * Do not update the IEs in this BSS entry to avoid such loss of
728 		 * information that may be needed for P2P operations to
729 		 * determine group information.
730 		 */
731 		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Do not update scan IEs for "
732 			MACSTR " since that would remove P2P IE information",
733 			MAC2STR(bss->bssid));
734 	} else
735 #endif /* CONFIG_P2P */
736 	if (bss->ie_len + bss->beacon_ie_len >=
737 	    res->ie_len + res->beacon_ie_len) {
738 		os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);
739 		bss->ie_len = res->ie_len;
740 		bss->beacon_ie_len = res->beacon_ie_len;
741 	} else {
742 		struct wpa_bss *nbss;
743 		struct dl_list *prev = bss->list_id.prev;
744 		struct wpa_connect_work *cwork;
745 		unsigned int i;
746 		bool update_current_bss = wpa_s->current_bss == bss;
747 		bool update_ml_probe_bss = wpa_s->ml_connect_probe_bss == bss;
748 
749 		cwork = wpa_bss_check_pending_connect(wpa_s, bss);
750 
751 		for (i = 0; i < wpa_s->last_scan_res_used; i++) {
752 			if (wpa_s->last_scan_res[i] == bss)
753 				break;
754 		}
755 		dl_list_del(&bss->list_id);
756 		nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
757 				  res->beacon_ie_len);
758 		if (nbss) {
759 			if (i != wpa_s->last_scan_res_used)
760 				wpa_s->last_scan_res[i] = nbss;
761 
762 			if (update_current_bss)
763 				wpa_s->current_bss = nbss;
764 
765 			if (update_ml_probe_bss)
766 				wpa_s->ml_connect_probe_bss = nbss;
767 
768 			if (cwork)
769 				wpa_bss_update_pending_connect(cwork, nbss);
770 
771 			bss = nbss;
772 			os_memcpy(bss->ies, res + 1,
773 				  res->ie_len + res->beacon_ie_len);
774 			bss->ie_len = res->ie_len;
775 			bss->beacon_ie_len = res->beacon_ie_len;
776 		}
777 		dl_list_add(prev, &bss->list_id);
778 	}
779 	if (changes & WPA_BSS_IES_CHANGED_FLAG) {
780 		const u8 *ml_ie, *mld_addr;
781 
782 		wpa_bss_set_hessid(bss);
783 		os_memset(bss->mld_addr, 0, ETH_ALEN);
784 		ml_ie = wpa_scan_get_ml_ie(res, MULTI_LINK_CONTROL_TYPE_BASIC);
785 		if (ml_ie) {
786 			mld_addr = get_basic_mle_mld_addr(&ml_ie[3],
787 							  ml_ie[1] - 1);
788 			if (mld_addr)
789 				os_memcpy(bss->mld_addr, mld_addr, ETH_ALEN);
790 		}
791 	}
792 	dl_list_add_tail(&wpa_s->bss, &bss->list);
793 
794 	notify_bss_changes(wpa_s, changes, bss);
795 
796 	return bss;
797 }
798 
799 
800 /**
801  * wpa_bss_update_start - Start a BSS table update from scan results
802  * @wpa_s: Pointer to wpa_supplicant data
803  *
804  * This function is called at the start of each BSS table update round for new
805  * scan results. The actual scan result entries are indicated with calls to
806  * wpa_bss_update_scan_res() and the update round is finished with a call to
807  * wpa_bss_update_end().
808  */
wpa_bss_update_start(struct wpa_supplicant * wpa_s)809 void wpa_bss_update_start(struct wpa_supplicant *wpa_s)
810 {
811 	wpa_s->bss_update_idx++;
812 	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Start scan result update %u",
813 		wpa_s->bss_update_idx);
814 	wpa_s->last_scan_res_used = 0;
815 }
816 
817 
818 /**
819  * wpa_bss_update_scan_res - Update a BSS table entry based on a scan result
820  * @wpa_s: Pointer to wpa_supplicant data
821  * @res: Scan result
822  * @fetch_time: Time when the result was fetched from the driver
823  *
824  * This function updates a BSS table entry (or adds one) based on a scan result.
825  * This is called separately for each scan result between the calls to
826  * wpa_bss_update_start() and wpa_bss_update_end().
827  */
wpa_bss_update_scan_res(struct wpa_supplicant * wpa_s,struct wpa_scan_res * res,struct os_reltime * fetch_time)828 void wpa_bss_update_scan_res(struct wpa_supplicant *wpa_s,
829 			     struct wpa_scan_res *res,
830 			     struct os_reltime *fetch_time)
831 {
832 	const u8 *ssid, *p2p, *mesh;
833 	struct wpa_bss *bss;
834 
835 	if (wpa_s->conf->ignore_old_scan_res) {
836 		struct os_reltime update;
837 		calculate_update_time(fetch_time, res->age, &update);
838 		if (os_reltime_before(&update, &wpa_s->scan_trigger_time)) {
839 			struct os_reltime age;
840 			os_reltime_sub(&wpa_s->scan_trigger_time, &update,
841 				       &age);
842 			wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Ignore driver BSS "
843 				"table entry that is %u.%06u seconds older "
844 				"than our scan trigger",
845 				(unsigned int) age.sec,
846 				(unsigned int) age.usec);
847 			return;
848 		}
849 	}
850 
851 	ssid = wpa_scan_get_ie(res, WLAN_EID_SSID);
852 	if (ssid == NULL) {
853 		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: No SSID IE included for "
854 			MACSTR, MAC2STR(res->bssid));
855 		return;
856 	}
857 	if (ssid[1] > SSID_MAX_LEN) {
858 		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Too long SSID IE included for "
859 			MACSTR, MAC2STR(res->bssid));
860 		return;
861 	}
862 
863 	p2p = wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE);
864 #ifdef CONFIG_P2P
865 	if (p2p == NULL &&
866 	    wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE) {
867 		/*
868 		 * If it's a P2P specific interface, then don't update
869 		 * the scan result without a P2P IE.
870 		 */
871 		wpa_printf(MSG_DEBUG, "BSS: No P2P IE - skipping BSS " MACSTR
872 			   " update for P2P interface", MAC2STR(res->bssid));
873 		return;
874 	}
875 #endif /* CONFIG_P2P */
876 	if (p2p && ssid[1] == P2P_WILDCARD_SSID_LEN &&
877 	    os_memcmp(ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) == 0)
878 		return; /* Skip P2P listen discovery results here */
879 
880 	/* TODO: add option for ignoring BSSes we are not interested in
881 	 * (to save memory) */
882 
883 	mesh = wpa_scan_get_ie(res, WLAN_EID_MESH_ID);
884 	if (mesh && mesh[1] <= SSID_MAX_LEN)
885 		ssid = mesh;
886 
887 	bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
888 	if (bss == NULL)
889 		bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res, fetch_time);
890 	else {
891 		bss = wpa_bss_update(wpa_s, bss, res, fetch_time);
892 		if (wpa_s->last_scan_res) {
893 			unsigned int i;
894 			for (i = 0; i < wpa_s->last_scan_res_used; i++) {
895 				if (bss == wpa_s->last_scan_res[i]) {
896 					/* Already in the list */
897 					return;
898 				}
899 			}
900 		}
901 	}
902 
903 	if (bss == NULL)
904 		return;
905 	if (wpa_s->last_scan_res_used >= wpa_s->last_scan_res_size) {
906 		struct wpa_bss **n;
907 		unsigned int siz;
908 		if (wpa_s->last_scan_res_size == 0)
909 			siz = 32;
910 		else
911 			siz = wpa_s->last_scan_res_size * 2;
912 		n = os_realloc_array(wpa_s->last_scan_res, siz,
913 				     sizeof(struct wpa_bss *));
914 		if (n == NULL)
915 			return;
916 		wpa_s->last_scan_res = n;
917 		wpa_s->last_scan_res_size = siz;
918 	}
919 
920 	if (wpa_s->last_scan_res)
921 		wpa_s->last_scan_res[wpa_s->last_scan_res_used++] = bss;
922 }
923 
924 
wpa_bss_included_in_scan(const struct wpa_bss * bss,const struct scan_info * info)925 static int wpa_bss_included_in_scan(const struct wpa_bss *bss,
926 				    const struct scan_info *info)
927 {
928 	int found;
929 	size_t i;
930 
931 	if (info == NULL)
932 		return 1;
933 
934 	if (info->num_freqs) {
935 		found = 0;
936 		for (i = 0; i < info->num_freqs; i++) {
937 			if (bss->freq == info->freqs[i]) {
938 				found = 1;
939 				break;
940 			}
941 		}
942 		if (!found)
943 			return 0;
944 	}
945 
946 	if (info->num_ssids) {
947 		found = 0;
948 		for (i = 0; i < info->num_ssids; i++) {
949 			const struct wpa_driver_scan_ssid *s = &info->ssids[i];
950 			if ((s->ssid == NULL || s->ssid_len == 0) ||
951 			    (s->ssid_len == bss->ssid_len &&
952 			     os_memcmp(s->ssid, bss->ssid, bss->ssid_len) ==
953 			     0)) {
954 				found = 1;
955 				break;
956 			}
957 		}
958 		if (!found)
959 			return 0;
960 	}
961 
962 	return 1;
963 }
964 
965 
966 /**
967  * wpa_bss_update_end - End a BSS table update from scan results
968  * @wpa_s: Pointer to wpa_supplicant data
969  * @info: Information about scan parameters
970  * @new_scan: Whether this update round was based on a new scan
971  *
972  * This function is called at the end of each BSS table update round for new
973  * scan results. The start of the update was indicated with a call to
974  * wpa_bss_update_start().
975  */
wpa_bss_update_end(struct wpa_supplicant * wpa_s,struct scan_info * info,int new_scan)976 void wpa_bss_update_end(struct wpa_supplicant *wpa_s, struct scan_info *info,
977 			int new_scan)
978 {
979 	struct wpa_bss *bss, *n;
980 
981 	os_get_reltime(&wpa_s->last_scan);
982 	if ((info && info->aborted) || !new_scan)
983 		return; /* do not expire entries without new scan */
984 
985 	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
986 		if (wpa_bss_in_use(wpa_s, bss))
987 			continue;
988 		if (!wpa_bss_included_in_scan(bss, info))
989 			continue; /* expire only BSSes that were scanned */
990 		if (bss->last_update_idx < wpa_s->bss_update_idx)
991 			bss->scan_miss_count++;
992 		if (bss->scan_miss_count >=
993 		    wpa_s->conf->bss_expiration_scan_count) {
994 			wpa_bss_remove(wpa_s, bss, "no match in scan");
995 		}
996 	}
997 
998 	wpa_printf(MSG_DEBUG, "BSS: last_scan_res_used=%zu/%zu",
999 		   wpa_s->last_scan_res_used, wpa_s->last_scan_res_size);
1000 }
1001 
1002 
1003 /**
1004  * wpa_bss_flush_by_age - Flush old BSS entries
1005  * @wpa_s: Pointer to wpa_supplicant data
1006  * @age: Maximum entry age in seconds
1007  *
1008  * Remove BSS entries that have not been updated during the last @age seconds.
1009  */
wpa_bss_flush_by_age(struct wpa_supplicant * wpa_s,int age)1010 void wpa_bss_flush_by_age(struct wpa_supplicant *wpa_s, int age)
1011 {
1012 	struct wpa_bss *bss, *n;
1013 	struct os_reltime t;
1014 
1015 	if (dl_list_empty(&wpa_s->bss))
1016 		return;
1017 
1018 	os_get_reltime(&t);
1019 
1020 	if (t.sec < age)
1021 		return; /* avoid underflow; there can be no older entries */
1022 
1023 	t.sec -= age;
1024 
1025 	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1026 		if (wpa_bss_in_use(wpa_s, bss))
1027 			continue;
1028 
1029 		if (wpa_s->reassoc_same_ess &&
1030 		    wpa_s->wpa_state != WPA_COMPLETED &&
1031 		    wpa_s->last_ssid &&
1032 		    bss->ssid_len == wpa_s->last_ssid->ssid_len &&
1033 		    os_memcmp(bss->ssid, wpa_s->last_ssid->ssid,
1034 			      bss->ssid_len) == 0)
1035 			continue;
1036 
1037 		if (os_reltime_before(&bss->last_update, &t)) {
1038 			wpa_bss_remove(wpa_s, bss, __func__);
1039 		} else
1040 			break;
1041 	}
1042 }
1043 
1044 
1045 /**
1046  * wpa_bss_init - Initialize BSS table
1047  * @wpa_s: Pointer to wpa_supplicant data
1048  * Returns: 0 on success, -1 on failure
1049  *
1050  * This prepares BSS table lists and timer for periodic updates. The BSS table
1051  * is deinitialized with wpa_bss_deinit() once not needed anymore.
1052  */
wpa_bss_init(struct wpa_supplicant * wpa_s)1053 int wpa_bss_init(struct wpa_supplicant *wpa_s)
1054 {
1055 	dl_list_init(&wpa_s->bss);
1056 	dl_list_init(&wpa_s->bss_id);
1057 	return 0;
1058 }
1059 
1060 
1061 /**
1062  * wpa_bss_flush - Flush all unused BSS entries
1063  * @wpa_s: Pointer to wpa_supplicant data
1064  */
wpa_bss_flush(struct wpa_supplicant * wpa_s)1065 void wpa_bss_flush(struct wpa_supplicant *wpa_s)
1066 {
1067 	struct wpa_bss *bss, *n;
1068 
1069 	wpa_s->clear_driver_scan_cache = 1;
1070 
1071 	if (wpa_s->bss.next == NULL)
1072 		return; /* BSS table not yet initialized */
1073 
1074 	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1075 		if (wpa_bss_in_use(wpa_s, bss))
1076 			continue;
1077 		wpa_bss_remove(wpa_s, bss, __func__);
1078 	}
1079 }
1080 
1081 
1082 /**
1083  * wpa_bss_deinit - Deinitialize BSS table
1084  * @wpa_s: Pointer to wpa_supplicant data
1085  */
wpa_bss_deinit(struct wpa_supplicant * wpa_s)1086 void wpa_bss_deinit(struct wpa_supplicant *wpa_s)
1087 {
1088 	wpa_bss_flush(wpa_s);
1089 }
1090 
1091 
1092 /**
1093  * wpa_bss_get_bssid - Fetch a BSS table entry based on BSSID
1094  * @wpa_s: Pointer to wpa_supplicant data
1095  * @bssid: BSSID
1096  * Returns: Pointer to the BSS entry or %NULL if not found
1097  */
wpa_bss_get_bssid(struct wpa_supplicant * wpa_s,const u8 * bssid)1098 struct wpa_bss * wpa_bss_get_bssid(struct wpa_supplicant *wpa_s,
1099 				   const u8 *bssid)
1100 {
1101 	struct wpa_bss *bss;
1102 	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1103 		return NULL;
1104 	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1105 		if (ether_addr_equal(bss->bssid, bssid))
1106 			return bss;
1107 	}
1108 	return NULL;
1109 }
1110 
1111 
1112 /**
1113  * wpa_bss_get_bssid_latest - Fetch the latest BSS table entry based on BSSID
1114  * @wpa_s: Pointer to wpa_supplicant data
1115  * @bssid: BSSID
1116  * Returns: Pointer to the BSS entry or %NULL if not found
1117  *
1118  * This function is like wpa_bss_get_bssid(), but full BSS table is iterated to
1119  * find the entry that has the most recent update. This can help in finding the
1120  * correct entry in cases where the SSID of the AP may have changed recently
1121  * (e.g., in WPS reconfiguration cases).
1122  */
wpa_bss_get_bssid_latest(struct wpa_supplicant * wpa_s,const u8 * bssid)1123 struct wpa_bss * wpa_bss_get_bssid_latest(struct wpa_supplicant *wpa_s,
1124 					  const u8 *bssid)
1125 {
1126 	struct wpa_bss *bss, *found = NULL;
1127 	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1128 		return NULL;
1129 	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1130 		if (!ether_addr_equal(bss->bssid, bssid))
1131 			continue;
1132 		if (found == NULL ||
1133 		    os_reltime_before(&found->last_update, &bss->last_update))
1134 			found = bss;
1135 	}
1136 	return found;
1137 }
1138 
1139 
1140 #ifdef CONFIG_P2P
1141 /**
1142  * wpa_bss_get_p2p_dev_addr - Fetch the latest BSS table entry based on P2P Device Addr
1143  * @wpa_s: Pointer to wpa_supplicant data
1144  * @dev_addr: P2P Device Address of the GO
1145  * Returns: Pointer to the BSS entry or %NULL if not found
1146  *
1147  * This function tries to find the entry that has the most recent update. This
1148  * can help in finding the correct entry in cases where the SSID of the P2P
1149  * Device may have changed recently.
1150  */
wpa_bss_get_p2p_dev_addr(struct wpa_supplicant * wpa_s,const u8 * dev_addr)1151 struct wpa_bss * wpa_bss_get_p2p_dev_addr(struct wpa_supplicant *wpa_s,
1152 					  const u8 *dev_addr)
1153 {
1154 	struct wpa_bss *bss, *found = NULL;
1155 	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1156 		u8 addr[ETH_ALEN];
1157 		if (p2p_parse_dev_addr(wpa_bss_ie_ptr(bss), bss->ie_len,
1158 				       addr) != 0 ||
1159 		    !ether_addr_equal(addr, dev_addr))
1160 			continue;
1161 		if (!found ||
1162 		    os_reltime_before(&found->last_update, &bss->last_update))
1163 			found = bss;
1164 	}
1165 	return found;
1166 }
1167 #endif /* CONFIG_P2P */
1168 
1169 
1170 /**
1171  * wpa_bss_get_id - Fetch a BSS table entry based on identifier
1172  * @wpa_s: Pointer to wpa_supplicant data
1173  * @id: Unique identifier (struct wpa_bss::id) assigned for the entry
1174  * Returns: Pointer to the BSS entry or %NULL if not found
1175  */
wpa_bss_get_id(struct wpa_supplicant * wpa_s,unsigned int id)1176 struct wpa_bss * wpa_bss_get_id(struct wpa_supplicant *wpa_s, unsigned int id)
1177 {
1178 	struct wpa_bss *bss;
1179 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
1180 		if (bss->id == id)
1181 			return bss;
1182 	}
1183 	return NULL;
1184 }
1185 
1186 
1187 /**
1188  * wpa_bss_get_id_range - Fetch a BSS table entry based on identifier range
1189  * @wpa_s: Pointer to wpa_supplicant data
1190  * @idf: Smallest allowed identifier assigned for the entry
1191  * @idf: Largest allowed identifier assigned for the entry
1192  * Returns: Pointer to the BSS entry or %NULL if not found
1193  *
1194  * This function is similar to wpa_bss_get_id() but allows a BSS entry with the
1195  * smallest id value to be fetched within the specified range without the
1196  * caller having to know the exact id.
1197  */
wpa_bss_get_id_range(struct wpa_supplicant * wpa_s,unsigned int idf,unsigned int idl)1198 struct wpa_bss * wpa_bss_get_id_range(struct wpa_supplicant *wpa_s,
1199 				      unsigned int idf, unsigned int idl)
1200 {
1201 	struct wpa_bss *bss;
1202 	dl_list_for_each(bss, &wpa_s->bss_id, struct wpa_bss, list_id) {
1203 		if (bss->id >= idf && bss->id <= idl)
1204 			return bss;
1205 	}
1206 	return NULL;
1207 }
1208 
1209 
1210 /**
1211  * wpa_bss_get_ie - Fetch a specified information element from a BSS entry
1212  * @bss: BSS table entry
1213  * @ie: Information element identitifier (WLAN_EID_*)
1214  * Returns: Pointer to the information element (id field) or %NULL if not found
1215  *
1216  * This function returns the first matching information element in the BSS
1217  * entry.
1218  */
wpa_bss_get_ie(const struct wpa_bss * bss,u8 ie)1219 const u8 * wpa_bss_get_ie(const struct wpa_bss *bss, u8 ie)
1220 {
1221 	return get_ie(wpa_bss_ie_ptr(bss), bss->ie_len, ie);
1222 }
1223 
1224 
1225 /**
1226  * wpa_bss_get_ie_beacon - Fetch a specified information element from a BSS entry
1227  * @bss: BSS table entry
1228  * @ie: Information element identitifier (WLAN_EID_*)
1229  * Returns: Pointer to the information element (id field) or %NULL if not found
1230  *
1231  * This function returns the first matching information element in the BSS
1232  * entry.
1233  *
1234  * This function is like wpa_bss_get_ie(), but uses IE buffer only from Beacon
1235  * frames instead of either Beacon or Probe Response frames.
1236  */
wpa_bss_get_ie_beacon(const struct wpa_bss * bss,u8 ie)1237 const u8 * wpa_bss_get_ie_beacon(const struct wpa_bss *bss, u8 ie)
1238 {
1239 	const u8 *ies;
1240 
1241 	if (bss->beacon_ie_len == 0)
1242 		return NULL;
1243 
1244 	ies = wpa_bss_ie_ptr(bss);
1245 	ies += bss->ie_len;
1246 	return get_ie(ies, bss->beacon_ie_len, ie);
1247 }
1248 
1249 
1250 /**
1251  * wpa_bss_get_ie_ext - Fetch a specified extended IE from a BSS entry
1252  * @bss: BSS table entry
1253  * @ext: Information element extension identifier (WLAN_EID_EXT_*)
1254  * Returns: Pointer to the information element (id field) or %NULL if not found
1255  *
1256  * This function returns the first matching information element in the BSS
1257  * entry.
1258  */
wpa_bss_get_ie_ext(const struct wpa_bss * bss,u8 ext)1259 const u8 * wpa_bss_get_ie_ext(const struct wpa_bss *bss, u8 ext)
1260 {
1261 	return get_ie_ext(wpa_bss_ie_ptr(bss), bss->ie_len, ext);
1262 }
1263 
1264 
1265 /**
1266  * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
1267  * @bss: BSS table entry
1268  * @vendor_type: Vendor type (four octets starting the IE payload)
1269  * Returns: Pointer to the information element (id field) or %NULL if not found
1270  *
1271  * This function returns the first matching information element in the BSS
1272  * entry.
1273  */
wpa_bss_get_vendor_ie(const struct wpa_bss * bss,u32 vendor_type)1274 const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
1275 {
1276 	const u8 *ies;
1277 	const struct element *elem;
1278 
1279 	ies = wpa_bss_ie_ptr(bss);
1280 
1281 	for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies, bss->ie_len) {
1282 		if (elem->datalen >= 4 &&
1283 		    vendor_type == WPA_GET_BE32(elem->data))
1284 			return &elem->id;
1285 	}
1286 
1287 	return NULL;
1288 }
1289 
1290 
1291 /**
1292  * wpa_bss_get_vendor_ie_beacon - Fetch a vendor information from a BSS entry
1293  * @bss: BSS table entry
1294  * @vendor_type: Vendor type (four octets starting the IE payload)
1295  * Returns: Pointer to the information element (id field) or %NULL if not found
1296  *
1297  * This function returns the first matching information element in the BSS
1298  * entry.
1299  *
1300  * This function is like wpa_bss_get_vendor_ie(), but uses IE buffer only
1301  * from Beacon frames instead of either Beacon or Probe Response frames.
1302  */
wpa_bss_get_vendor_ie_beacon(const struct wpa_bss * bss,u32 vendor_type)1303 const u8 * wpa_bss_get_vendor_ie_beacon(const struct wpa_bss *bss,
1304 					u32 vendor_type)
1305 {
1306 	const u8 *ies;
1307 	const struct element *elem;
1308 
1309 	if (bss->beacon_ie_len == 0)
1310 		return NULL;
1311 
1312 	ies = wpa_bss_ie_ptr(bss);
1313 	ies += bss->ie_len;
1314 
1315 	for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies,
1316 			    bss->beacon_ie_len) {
1317 		if (elem->datalen >= 4 &&
1318 		    vendor_type == WPA_GET_BE32(elem->data))
1319 			return &elem->id;
1320 	}
1321 
1322 	return NULL;
1323 }
1324 
1325 
1326 /**
1327  * wpa_bss_get_vendor_ie_multi - Fetch vendor IE data from a BSS entry
1328  * @bss: BSS table entry
1329  * @vendor_type: Vendor type (four octets starting the IE payload)
1330  * Returns: Pointer to the information element payload or %NULL if not found
1331  *
1332  * This function returns concatenated payload of possibly fragmented vendor
1333  * specific information elements in the BSS entry. The caller is responsible for
1334  * freeing the returned buffer.
1335  */
wpa_bss_get_vendor_ie_multi(const struct wpa_bss * bss,u32 vendor_type)1336 struct wpabuf * wpa_bss_get_vendor_ie_multi(const struct wpa_bss *bss,
1337 					    u32 vendor_type)
1338 {
1339 	struct wpabuf *buf;
1340 	const u8 *end, *pos;
1341 
1342 	buf = wpabuf_alloc(bss->ie_len);
1343 	if (buf == NULL)
1344 		return NULL;
1345 
1346 	pos = wpa_bss_ie_ptr(bss);
1347 	end = pos + bss->ie_len;
1348 
1349 	while (end - pos > 1) {
1350 		u8 ie, len;
1351 
1352 		ie = pos[0];
1353 		len = pos[1];
1354 		if (len > end - pos - 2)
1355 			break;
1356 		pos += 2;
1357 		if (ie == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
1358 		    vendor_type == WPA_GET_BE32(pos))
1359 			wpabuf_put_data(buf, pos + 4, len - 4);
1360 		pos += len;
1361 	}
1362 
1363 	if (wpabuf_len(buf) == 0) {
1364 		wpabuf_free(buf);
1365 		buf = NULL;
1366 	}
1367 
1368 	return buf;
1369 }
1370 
1371 
1372 /**
1373  * wpa_bss_get_vendor_ie_multi_beacon - Fetch vendor IE data from a BSS entry
1374  * @bss: BSS table entry
1375  * @vendor_type: Vendor type (four octets starting the IE payload)
1376  * Returns: Pointer to the information element payload or %NULL if not found
1377  *
1378  * This function returns concatenated payload of possibly fragmented vendor
1379  * specific information elements in the BSS entry. The caller is responsible for
1380  * freeing the returned buffer.
1381  *
1382  * This function is like wpa_bss_get_vendor_ie_multi(), but uses IE buffer only
1383  * from Beacon frames instead of either Beacon or Probe Response frames.
1384  */
wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss * bss,u32 vendor_type)1385 struct wpabuf * wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss *bss,
1386 						   u32 vendor_type)
1387 {
1388 	struct wpabuf *buf;
1389 	const u8 *end, *pos;
1390 
1391 	buf = wpabuf_alloc(bss->beacon_ie_len);
1392 	if (buf == NULL)
1393 		return NULL;
1394 
1395 	pos = wpa_bss_ie_ptr(bss);
1396 	pos += bss->ie_len;
1397 	end = pos + bss->beacon_ie_len;
1398 
1399 	while (end - pos > 1) {
1400 		u8 id, len;
1401 
1402 		id = *pos++;
1403 		len = *pos++;
1404 		if (len > end - pos)
1405 			break;
1406 		if (id == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
1407 		    vendor_type == WPA_GET_BE32(pos))
1408 			wpabuf_put_data(buf, pos + 4, len - 4);
1409 		pos += len;
1410 	}
1411 
1412 	if (wpabuf_len(buf) == 0) {
1413 		wpabuf_free(buf);
1414 		buf = NULL;
1415 	}
1416 
1417 	return buf;
1418 }
1419 
1420 
1421 /**
1422  * wpa_bss_get_max_rate - Get maximum legacy TX rate supported in a BSS
1423  * @bss: BSS table entry
1424  * Returns: Maximum legacy rate in units of 500 kbps
1425  */
wpa_bss_get_max_rate(const struct wpa_bss * bss)1426 int wpa_bss_get_max_rate(const struct wpa_bss *bss)
1427 {
1428 	int rate = 0;
1429 	const u8 *ie;
1430 	int i;
1431 
1432 	ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1433 	for (i = 0; ie && i < ie[1]; i++) {
1434 		if ((ie[i + 2] & 0x7f) > rate)
1435 			rate = ie[i + 2] & 0x7f;
1436 	}
1437 
1438 	ie = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1439 	for (i = 0; ie && i < ie[1]; i++) {
1440 		if ((ie[i + 2] & 0x7f) > rate)
1441 			rate = ie[i + 2] & 0x7f;
1442 	}
1443 
1444 	return rate;
1445 }
1446 
1447 
1448 /**
1449  * wpa_bss_get_bit_rates - Get legacy TX rates supported in a BSS
1450  * @bss: BSS table entry
1451  * @rates: Buffer for returning a pointer to the rates list (units of 500 kbps)
1452  * Returns: number of legacy TX rates or -1 on failure
1453  *
1454  * The caller is responsible for freeing the returned buffer with os_free() in
1455  * case of success.
1456  */
wpa_bss_get_bit_rates(const struct wpa_bss * bss,u8 ** rates)1457 int wpa_bss_get_bit_rates(const struct wpa_bss *bss, u8 **rates)
1458 {
1459 	const u8 *ie, *ie2;
1460 	int i, j;
1461 	unsigned int len;
1462 	u8 *r;
1463 
1464 	ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1465 	ie2 = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1466 
1467 	len = (ie ? ie[1] : 0) + (ie2 ? ie2[1] : 0);
1468 
1469 	r = os_malloc(len);
1470 	if (!r)
1471 		return -1;
1472 
1473 	for (i = 0; ie && i < ie[1]; i++)
1474 		r[i] = ie[i + 2] & 0x7f;
1475 
1476 	for (j = 0; ie2 && j < ie2[1]; j++)
1477 		r[i + j] = ie2[j + 2] & 0x7f;
1478 
1479 	*rates = r;
1480 	return len;
1481 }
1482 
1483 
1484 #ifdef CONFIG_FILS
wpa_bss_get_fils_cache_id(const struct wpa_bss * bss)1485 const u8 * wpa_bss_get_fils_cache_id(const struct wpa_bss *bss)
1486 {
1487 	const u8 *ie;
1488 
1489 	if (bss) {
1490 		ie = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
1491 		if (ie && ie[1] >= 4 && WPA_GET_LE16(ie + 2) & BIT(7))
1492 			return ie + 4;
1493 	}
1494 
1495 	return NULL;
1496 }
1497 #endif /* CONFIG_FILS */
1498 
1499 
wpa_bss_ext_capab(const struct wpa_bss * bss,unsigned int capab)1500 int wpa_bss_ext_capab(const struct wpa_bss *bss, unsigned int capab)
1501 {
1502 	if (!bss)
1503 		return 0;
1504 	return ieee802_11_ext_capab(wpa_bss_get_ie(bss, WLAN_EID_EXT_CAPAB),
1505 				    capab);
1506 }
1507 
1508 
1509 static void
wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,u8 mbssid_idx,const struct ieee80211_neighbor_ap_info * ap_info,size_t len,u16 * seen,u16 * missing,struct wpa_ssid * ssid)1510 wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant *wpa_s,
1511 			     struct wpa_bss *bss, u8 mbssid_idx,
1512 			     const struct ieee80211_neighbor_ap_info *ap_info,
1513 			     size_t len, u16 *seen, u16 *missing,
1514 			     struct wpa_ssid *ssid)
1515 {
1516 	const u8 *pos, *end;
1517 	const u8 *mld_params;
1518 	u8 count, mld_params_offset;
1519 	u8 i, type, link_id;
1520 
1521 	count = RNR_TBTT_INFO_COUNT_VAL(ap_info->tbtt_info_hdr) + 1;
1522 	type = ap_info->tbtt_info_hdr & RNR_TBTT_INFO_HDR_TYPE_MSK;
1523 
1524 	/* MLD information is at offset 13 or at start */
1525 	if (type == 0 && ap_info->tbtt_info_len >= RNR_TBTT_INFO_MLD_LEN) {
1526 		/* MLD info is appended */
1527 		mld_params_offset = RNR_TBTT_INFO_LEN;
1528 	} else {
1529 		/* TODO: Support NSTR AP */
1530 		return;
1531 	}
1532 
1533 	pos = (const u8 *) ap_info;
1534 	end = pos + len;
1535 	pos += sizeof(*ap_info);
1536 
1537 	for (i = 0; i < count; i++) {
1538 		u8 bss_params;
1539 
1540 		if (end - pos < ap_info->tbtt_info_len)
1541 			break;
1542 
1543 		bss_params = pos[1 + ETH_ALEN + 4];
1544 		mld_params = pos + mld_params_offset;
1545 
1546 		link_id = *(mld_params + 1) & EHT_ML_LINK_ID_MSK;
1547 		if (link_id >= MAX_NUM_MLD_LINKS)
1548 			return;
1549 
1550 		if (*mld_params != mbssid_idx) {
1551 			wpa_printf(MSG_DEBUG,
1552 				   "MLD: Reported link not part of MLD");
1553 		} else if (!(BIT(link_id) & *seen)) {
1554 			struct wpa_bss *neigh_bss;
1555 
1556 			if (ssid && ssid->ssid_len)
1557 				neigh_bss = wpa_bss_get(wpa_s, pos + 1,
1558 							ssid->ssid,
1559 							ssid->ssid_len);
1560 			else
1561 				neigh_bss = wpa_bss_get_bssid(wpa_s, pos + 1);
1562 
1563 			*seen |= BIT(link_id);
1564 			wpa_printf(MSG_DEBUG, "MLD: mld ID=%u, link ID=%u",
1565 				   *mld_params, link_id);
1566 
1567 			if (!neigh_bss) {
1568 				*missing |= BIT(link_id);
1569 			} else if ((!ssid ||
1570 				    (bss_params & (RNR_BSS_PARAM_SAME_SSID |
1571 						   RNR_BSS_PARAM_CO_LOCATED)) ||
1572 				    wpa_scan_res_match(wpa_s, 0, neigh_bss,
1573 						       ssid, 1, 0)) &&
1574 				   !wpa_bssid_ignore_is_listed(
1575 					   wpa_s, neigh_bss->bssid)) {
1576 				struct mld_link *l;
1577 
1578 				bss->valid_links |= BIT(link_id);
1579 				l = &bss->mld_links[link_id];
1580 				os_memcpy(l->bssid, pos + 1, ETH_ALEN);
1581 				l->freq = neigh_bss->freq;
1582 				l->disabled = mld_params[2] &
1583 					RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED;
1584 			}
1585 		}
1586 
1587 		pos += ap_info->tbtt_info_len;
1588 	}
1589 }
1590 
1591 
1592 /**
1593  * wpa_bss_parse_basic_ml_element - Parse the Basic Multi-Link element
1594  * @wpa_s: Pointer to wpa_supplicant data
1595  * @bss: BSS table entry
1596  * @mld_addr: AP MLD address (or %NULL)
1597  * @link_info: Array to store link information (or %NULL),
1598  *   should be initialized and #MAX_NUM_MLD_LINKS elements long
1599  * @missing_links: Result bitmask of links that were not discovered (or %NULL)
1600  * @ssid: Target SSID (or %NULL)
1601  * @ap_mld_id: On return would hold the corresponding AP MLD ID (or %NULL)
1602  * Returns: 0 on success or -1 for non-MLD or parsing failures
1603  *
1604  * Parses the Basic Multi-Link element of the BSS into @link_info using the scan
1605  * information stored in the wpa_supplicant data to fill in information for
1606  * links where possible. The @missing_links out parameter will contain any links
1607  * for which no corresponding BSS was found.
1608  */
wpa_bss_parse_basic_ml_element(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,u8 * ap_mld_addr,u16 * missing_links,struct wpa_ssid * ssid,u8 * ap_mld_id)1609 int wpa_bss_parse_basic_ml_element(struct wpa_supplicant *wpa_s,
1610 				   struct wpa_bss *bss,
1611 				   u8 *ap_mld_addr,
1612 				   u16 *missing_links,
1613 				   struct wpa_ssid *ssid,
1614 				   u8 *ap_mld_id)
1615 {
1616 	struct ieee802_11_elems elems;
1617 	struct wpabuf *mlbuf;
1618 	const struct element *elem;
1619 	u8 mbssid_idx = 0;
1620 	size_t ml_ie_len;
1621 	const struct ieee80211_eht_ml *eht_ml;
1622 	const struct eht_ml_basic_common_info *ml_basic_common_info;
1623 	u8 i, link_id;
1624 	const u16 control_mask =
1625 		MULTI_LINK_CONTROL_TYPE_MASK |
1626 		BASIC_MULTI_LINK_CTRL_PRES_LINK_ID |
1627 		BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT |
1628 		BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA;
1629 	const u16 control =
1630 		MULTI_LINK_CONTROL_TYPE_BASIC |
1631 		BASIC_MULTI_LINK_CTRL_PRES_LINK_ID |
1632 		BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT |
1633 		BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA;
1634 	u16 missing = 0;
1635 	u16 seen;
1636 	const u8 *ies_pos = wpa_bss_ie_ptr(bss);
1637 	size_t ies_len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
1638 	int ret = -1;
1639 	struct mld_link *l;
1640 
1641 	if (ieee802_11_parse_elems(ies_pos, ies_len, &elems, 1) ==
1642 	    ParseFailed) {
1643 		wpa_dbg(wpa_s, MSG_DEBUG, "MLD: Failed to parse elements");
1644 		return ret;
1645 	}
1646 
1647 	mlbuf = ieee802_11_defrag(elems.basic_mle, elems.basic_mle_len, true);
1648 	if (!mlbuf) {
1649 		wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No Multi-Link element");
1650 		return ret;
1651 	}
1652 
1653 	ml_ie_len = wpabuf_len(mlbuf);
1654 
1655 	if (ssid) {
1656 		struct wpa_ie_data ie;
1657 		const u8 *rsne;
1658 		size_t rsne_len;
1659 
1660 		if (elems.rsne_override_2 && wpas_rsn_overriding(wpa_s, ssid)) {
1661 			rsne = elems.rsne_override_2;
1662 			rsne_len = elems.rsne_override_2_len;
1663 		} else if (elems.rsne_override &&
1664 			   wpas_rsn_overriding(wpa_s, ssid)) {
1665 			rsne = elems.rsne_override;
1666 			rsne_len = elems.rsne_override_len;
1667 		} else {
1668 			rsne = elems.rsn_ie;
1669 			rsne_len = elems.rsn_ie_len;
1670 		}
1671 		if (!rsne ||
1672 		    wpa_parse_wpa_ie(rsne - 2, 2 + rsne_len, &ie)) {
1673 			wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No RSN element");
1674 			goto out;
1675 		}
1676 
1677 		if (!(ie.capabilities & WPA_CAPABILITY_MFPC) ||
1678 		    wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) {
1679 			wpa_dbg(wpa_s, MSG_DEBUG,
1680 				"MLD: No management frame protection");
1681 			goto out;
1682 		}
1683 
1684 		ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_FT_PSK |
1685 				 WPA_KEY_MGMT_PSK_SHA256);
1686 		if (!(ie.key_mgmt & ssid->key_mgmt)) {
1687 			wpa_dbg(wpa_s, MSG_DEBUG,
1688 				"MLD: No valid key management");
1689 			goto out;
1690 		}
1691 	}
1692 
1693 	/*
1694 	 * for ext ID + 2 control + common info len + MLD address +
1695 	 * link info
1696 	 */
1697 	if (ml_ie_len < 2UL + 1UL + ETH_ALEN + 1UL)
1698 		goto out;
1699 
1700 	eht_ml = (const struct ieee80211_eht_ml *) wpabuf_head(mlbuf);
1701 	if ((le_to_host16(eht_ml->ml_control) & control_mask) != control) {
1702 		wpa_printf(MSG_DEBUG,
1703 			   "MLD: Unexpected Multi-Link element control=0x%x (mask 0x%x expected 0x%x)",
1704 			   le_to_host16(eht_ml->ml_control), control_mask,
1705 			   control);
1706 		goto out;
1707 	}
1708 
1709 	ml_basic_common_info =
1710 		(const struct eht_ml_basic_common_info *) eht_ml->variable;
1711 
1712 	/* Common info length should be valid */
1713 	if (ml_basic_common_info->len < ETH_ALEN + 1UL)
1714 		goto out;
1715 
1716 	/* Get the MLD address and MLD link ID */
1717 	if (ap_mld_addr)
1718 		os_memcpy(ap_mld_addr, ml_basic_common_info->mld_addr,
1719 			  ETH_ALEN);
1720 
1721 	link_id = ml_basic_common_info->variable[0] & EHT_ML_LINK_ID_MSK;
1722 
1723 	bss->mld_link_id = link_id;
1724 	seen = bss->valid_links = BIT(link_id);
1725 
1726 	l = &bss->mld_links[link_id];
1727 	os_memcpy(l->bssid, bss->bssid, ETH_ALEN);
1728 	l->freq = bss->freq;
1729 
1730 
1731 	/*
1732 	 * The AP MLD ID in the RNR corresponds to the MBSSID index, see
1733 	 * IEEE P802.11be/D4.0, 9.4.2.169.2 (Neighbor AP Information field).
1734 	 *
1735 	 * For the transmitting BSSID it is clear that both the MBSSID index
1736 	 * and the AP MLD ID in the RNR are zero.
1737 	 *
1738 	 * For nontransmitted BSSIDs we will have a BSS generated from the
1739 	 * MBSSID element(s) using inheritance rules. Included in the elements
1740 	 * is the MBSSID Index Element. The RNR is copied from the Beacon/Probe
1741 	 * Response frame that was send by the transmitting BSSID. As such, the
1742 	 * reported AP MLD ID in the RNR will match the value in the MBSSID
1743 	 * Index Element.
1744 	 */
1745 	elem = (const struct element *)
1746 		wpa_bss_get_ie(bss, WLAN_EID_MULTIPLE_BSSID_INDEX);
1747 	if (elem && elem->datalen >= 1)
1748 		mbssid_idx = elem->data[0];
1749 
1750 	for_each_element_id(elem, WLAN_EID_REDUCED_NEIGHBOR_REPORT,
1751 			    wpa_bss_ie_ptr(bss),
1752 			    bss->ie_len ? bss->ie_len : bss->beacon_ie_len) {
1753 		const struct ieee80211_neighbor_ap_info *ap_info;
1754 		const u8 *pos = elem->data;
1755 		size_t len = elem->datalen;
1756 
1757 		/* RNR IE may contain more than one Neighbor AP Info */
1758 		while (sizeof(*ap_info) <= len) {
1759 			size_t ap_info_len = sizeof(*ap_info);
1760 			u8 count;
1761 
1762 			ap_info = (const struct ieee80211_neighbor_ap_info *)
1763 				pos;
1764 			count = RNR_TBTT_INFO_COUNT_VAL(ap_info->tbtt_info_hdr) + 1;
1765 			ap_info_len += count * ap_info->tbtt_info_len;
1766 
1767 			if (ap_info_len > len)
1768 				goto out;
1769 
1770 			wpa_bss_parse_ml_rnr_ap_info(wpa_s, bss, mbssid_idx,
1771 						     ap_info, len, &seen,
1772 						     &missing, ssid);
1773 
1774 			pos += ap_info_len;
1775 			len -= ap_info_len;
1776 		}
1777 	}
1778 
1779 	wpa_printf(MSG_DEBUG, "MLD: valid_links=%04hx (unresolved: 0x%04hx)",
1780 		   bss->valid_links, missing);
1781 
1782 	for_each_link(bss->valid_links, i) {
1783 		wpa_printf(MSG_DEBUG, "MLD: link=%u, bssid=" MACSTR,
1784 			   i, MAC2STR(bss->mld_links[i].bssid));
1785 	}
1786 
1787 	if (missing_links)
1788 		*missing_links = missing;
1789 
1790 	if (ap_mld_id)
1791 		*ap_mld_id = mbssid_idx;
1792 
1793 	ret = 0;
1794 out:
1795 	wpabuf_free(mlbuf);
1796 	return ret;
1797 }
1798 
1799 
1800 /*
1801  * wpa_bss_parse_reconf_ml_element - Parse the Reconfiguration ML element
1802  * @wpa_s: Pointer to wpa_supplicant data
1803  * @bss: BSS table entry
1804  * Returns: The bitmap of links that are going to be removed
1805  */
wpa_bss_parse_reconf_ml_element(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)1806 u16 wpa_bss_parse_reconf_ml_element(struct wpa_supplicant *wpa_s,
1807 				    struct wpa_bss *bss)
1808 {
1809 	struct ieee802_11_elems elems;
1810 	struct wpabuf *mlbuf;
1811 	const u8 *pos = wpa_bss_ie_ptr(bss);
1812 	size_t len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
1813 	const struct ieee80211_eht_ml *ml;
1814 	u16 removed_links = 0;
1815 	u8 ml_common_len;
1816 
1817 	if (ieee802_11_parse_elems(pos, len, &elems, 1) == ParseFailed)
1818 		return 0;
1819 
1820 	if (!elems.reconf_mle || !elems.reconf_mle_len)
1821 		return 0;
1822 
1823 	mlbuf = ieee802_11_defrag(elems.reconf_mle, elems.reconf_mle_len, true);
1824 	if (!mlbuf)
1825 		return 0;
1826 
1827 	ml = (const struct ieee80211_eht_ml *) wpabuf_head(mlbuf);
1828 	len = wpabuf_len(mlbuf);
1829 
1830 	if (len < sizeof(*ml))
1831 		goto out;
1832 
1833 	ml_common_len = 1;
1834 	if (ml->ml_control & RECONF_MULTI_LINK_CTRL_PRES_MLD_MAC_ADDR)
1835 		ml_common_len += ETH_ALEN;
1836 
1837 	if (len < sizeof(*ml) + ml_common_len) {
1838 		wpa_printf(MSG_DEBUG,
1839 			   "MLD: Unexpected Reconfiguration ML element length: (%zu < %zu)",
1840 			   len, sizeof(*ml) + ml_common_len);
1841 		goto out;
1842 	}
1843 
1844 	pos = ml->variable + ml_common_len;
1845 	len -= sizeof(*ml) + ml_common_len;
1846 
1847 	while (len >= 2 + sizeof(struct ieee80211_eht_per_sta_profile)) {
1848 		size_t sub_elem_len = *(pos + 1);
1849 
1850 		if (2 + sub_elem_len > len) {
1851 			wpa_printf(MSG_DEBUG,
1852 				   "MLD: Invalid link info len: %zu %zu",
1853 				   2 + sub_elem_len, len);
1854 			goto out;
1855 		}
1856 
1857 		if  (*pos == EHT_ML_SUB_ELEM_PER_STA_PROFILE) {
1858 			const struct ieee80211_eht_per_sta_profile *sta_prof =
1859 				(const struct ieee80211_eht_per_sta_profile *)
1860 				(pos + 2);
1861 			u16 control = le_to_host16(sta_prof->sta_control);
1862 			u8 link_id;
1863 
1864 			link_id = control & EHT_PER_STA_RECONF_CTRL_LINK_ID_MSK;
1865 			removed_links |= BIT(link_id);
1866 		}
1867 
1868 		pos += 2 + sub_elem_len;
1869 		len -= 2 + sub_elem_len;
1870 	}
1871 
1872 	wpa_printf(MSG_DEBUG, "MLD: Reconfiguration: removed_links=0x%x",
1873 		   removed_links);
1874 out:
1875 	wpabuf_free(mlbuf);
1876 	return removed_links;
1877 }
1878 
1879 
wpa_bss_supported_cipher(struct wpa_supplicant * wpa_s,int pairwise_cipher)1880 static bool wpa_bss_supported_cipher(struct wpa_supplicant *wpa_s,
1881 				     int pairwise_cipher)
1882 {
1883 	if (!wpa_s->drv_enc)
1884 		return true;
1885 
1886 	if ((pairwise_cipher & WPA_CIPHER_CCMP) &&
1887 	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP))
1888 		return true;
1889 
1890 	if ((pairwise_cipher & WPA_CIPHER_GCMP) &&
1891 	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP))
1892 		return true;
1893 
1894 	if ((pairwise_cipher & WPA_CIPHER_CCMP_256) &&
1895 	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256))
1896 		return true;
1897 
1898 	if ((pairwise_cipher & WPA_CIPHER_GCMP_256) &&
1899 	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256))
1900 		return true;
1901 
1902 	return false;
1903 }
1904 
1905 
wpa_bss_supported_key_mgmt(struct wpa_supplicant * wpa_s,int key_mgmt)1906 static bool wpa_bss_supported_key_mgmt(struct wpa_supplicant *wpa_s,
1907 				       int key_mgmt)
1908 {
1909 	if (!wpa_s->drv_key_mgmt)
1910 		return true;
1911 
1912 	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X) &&
1913 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2))
1914 		return true;
1915 	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) &&
1916 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_802_1X_SHA256))
1917 		return true;
1918 	if ((key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) &&
1919 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT))
1920 		return true;
1921 	if ((key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) &&
1922 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_802_1X_SHA384))
1923 		return true;
1924 	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) &&
1925 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B))
1926 		return true;
1927 	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) &&
1928 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192))
1929 		return true;
1930 	if ((key_mgmt & WPA_KEY_MGMT_PSK) &&
1931 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK))
1932 		return true;
1933 	if ((key_mgmt & WPA_KEY_MGMT_FT_PSK) &&
1934 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK))
1935 		return true;
1936 	if ((key_mgmt & WPA_KEY_MGMT_PSK_SHA256) &&
1937 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_PSK_SHA256))
1938 		return true;
1939 	if ((key_mgmt & WPA_KEY_MGMT_SAE) &&
1940 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE))
1941 		return true;
1942 	if ((key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) &&
1943 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE_EXT_KEY))
1944 		return true;
1945 	if ((key_mgmt & WPA_KEY_MGMT_FT_SAE) &&
1946 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE))
1947 		return true;
1948 	if ((key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
1949 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE_EXT_KEY))
1950 		return true;
1951 	if ((key_mgmt & WPA_KEY_MGMT_OWE) &&
1952 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE))
1953 		return true;
1954 	if ((key_mgmt & WPA_KEY_MGMT_DPP) &&
1955 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_DPP))
1956 		return true;
1957 	if ((key_mgmt & WPA_KEY_MGMT_FILS_SHA256) &&
1958 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA256))
1959 		return true;
1960 	if ((key_mgmt & WPA_KEY_MGMT_FILS_SHA384) &&
1961 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384))
1962 		return true;
1963 	if ((key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) &&
1964 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA256))
1965 		return true;
1966 	if ((key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) &&
1967 	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA384))
1968 		return true;
1969 
1970 	return false;
1971 }
1972 
1973 
wpa_bss_supported_rsne(struct wpa_supplicant * wpa_s,struct wpa_ssid * ssid,const u8 * ie)1974 static bool wpa_bss_supported_rsne(struct wpa_supplicant *wpa_s,
1975 				   struct wpa_ssid *ssid, const u8 *ie)
1976 {
1977 	struct wpa_ie_data data;
1978 
1979 	if (wpa_parse_wpa_ie_rsn(ie, 2 + ie[1], &data) < 0)
1980 		return false;
1981 
1982 	/* Check that there is a supported AKM and pairwise cipher based on
1983 	 * overall capabilities */
1984 	if (!data.pairwise_cipher || !data.key_mgmt)
1985 		return false;
1986 
1987 	if (wpa_s->drv_capa_known) {
1988 		if (!wpa_bss_supported_cipher(wpa_s, data.pairwise_cipher) ||
1989 		    !wpa_bss_supported_key_mgmt(wpa_s, data.key_mgmt))
1990 			return false;
1991 	}
1992 
1993 	if (ssid) {
1994 		/* Check that there is a supported AKM and pairwise cipher
1995 		 * based on the specific network profile. */
1996 		if ((ssid->pairwise_cipher & data.pairwise_cipher) == 0)
1997 			return false;
1998 		if ((ssid->key_mgmt & data.key_mgmt) == 0)
1999 			return false;
2000 	}
2001 
2002 	return true;
2003 }
2004 
2005 
wpa_bss_get_rsne(struct wpa_supplicant * wpa_s,const struct wpa_bss * bss,struct wpa_ssid * ssid,bool mlo)2006 const u8 * wpa_bss_get_rsne(struct wpa_supplicant *wpa_s,
2007 			    const struct wpa_bss *bss, struct wpa_ssid *ssid,
2008 			    bool mlo)
2009 {
2010 	const u8 *ie;
2011 
2012 	if (wpas_rsn_overriding(wpa_s, ssid)) {
2013 		if (!ssid)
2014 			ssid = wpa_s->current_ssid;
2015 
2016 		/* MLO cases for RSN overriding are required to use RSNE
2017 		 * Override 2 element and RSNXE Override element together. */
2018 		ie = wpa_bss_get_vendor_ie(bss, RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
2019 		if (mlo && ie &&
2020 		    !wpa_bss_get_vendor_ie(bss,
2021 					   RSNXE_OVERRIDE_IE_VENDOR_TYPE)) {
2022 			wpa_printf(MSG_DEBUG, "BSS " MACSTR
2023 				   " advertises RSNE Override 2 element without RSNXE Override element - ignore RSNE Override 2 element for MLO",
2024 				   MAC2STR(bss->bssid));
2025 		} else if (ie && wpa_bss_supported_rsne(wpa_s, ssid, ie)) {
2026 			return ie;
2027 		}
2028 
2029 		if (!mlo) {
2030 			ie = wpa_bss_get_vendor_ie(
2031 				bss, RSNE_OVERRIDE_IE_VENDOR_TYPE);
2032 			if (ie && wpa_bss_supported_rsne(wpa_s, ssid, ie))
2033 				return ie;
2034 		}
2035 	}
2036 
2037 	return wpa_bss_get_ie(bss, WLAN_EID_RSN);
2038 }
2039 
2040 
wpa_bss_get_rsnxe(struct wpa_supplicant * wpa_s,const struct wpa_bss * bss,struct wpa_ssid * ssid,bool mlo)2041 const u8 * wpa_bss_get_rsnxe(struct wpa_supplicant *wpa_s,
2042 			     const struct wpa_bss *bss, struct wpa_ssid *ssid,
2043 			     bool mlo)
2044 {
2045 	const u8 *ie;
2046 
2047 	if (wpas_rsn_overriding(wpa_s, ssid)) {
2048 		ie = wpa_bss_get_vendor_ie(bss, RSNXE_OVERRIDE_IE_VENDOR_TYPE);
2049 		if (ie) {
2050 			const u8 *tmp;
2051 
2052 			tmp = wpa_bss_get_rsne(wpa_s, bss, ssid, mlo);
2053 			if (!tmp || tmp[0] == WLAN_EID_RSN) {
2054 				/* An acceptable RSNE override element was not
2055 				 * found, so need to ignore RSNXE overriding. */
2056 				goto out;
2057 			}
2058 
2059 			return ie;
2060 		}
2061 
2062 		/* MLO cases for RSN overriding are required to use RSNE
2063 		 * Override 2 element and RSNXE Override element together. */
2064 		if (mlo && wpa_bss_get_vendor_ie(
2065 			    bss, RSNE_OVERRIDE_2_IE_VENDOR_TYPE)) {
2066 			wpa_printf(MSG_DEBUG, "BSS " MACSTR
2067 				   " advertises RSNXE Override element without RSNE Override 2 element - ignore RSNXE Override element for MLO",
2068 				   MAC2STR(bss->bssid));
2069 			goto out;
2070 		}
2071 	}
2072 
2073 out:
2074 	return wpa_bss_get_ie(bss, WLAN_EID_RSNX);
2075 }
2076