1 /*
2 * wpa_supplicant - SME
3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "common/ieee802_11_common.h"
15 #include "common/ocv.h"
16 #include "eapol_supp/eapol_supp_sm.h"
17 #include "common/wpa_common.h"
18 #include "common/sae.h"
19 #include "common/dpp.h"
20 #include "rsn_supp/wpa.h"
21 #include "rsn_supp/pmksa_cache.h"
22 #include "config.h"
23 #include "wpa_supplicant_i.h"
24 #include "driver_i.h"
25 #include "wpas_glue.h"
26 #include "wps_supplicant.h"
27 #include "p2p_supplicant.h"
28 #include "notify.h"
29 #include "bss.h"
30 #include "scan.h"
31 #include "sme.h"
32 #include "hs20_supplicant.h"
33
34 #define SME_AUTH_TIMEOUT 5
35 #define SME_ASSOC_TIMEOUT 5
36
37 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx);
38 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx);
39 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx);
40 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s);
41
42
43 #ifdef CONFIG_SAE
44
index_within_array(const int * array,int idx)45 static int index_within_array(const int *array, int idx)
46 {
47 int i;
48 for (i = 0; i < idx; i++) {
49 if (array[i] <= 0)
50 return 0;
51 }
52 return 1;
53 }
54
55
sme_set_sae_group(struct wpa_supplicant * wpa_s)56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
57 {
58 int *groups = wpa_s->conf->sae_groups;
59 int default_groups[] = { 19, 20, 21, 0 };
60
61 if (!groups || groups[0] <= 0)
62 groups = default_groups;
63
64 /* Configuration may have changed, so validate current index */
65 if (!index_within_array(groups, wpa_s->sme.sae_group_index))
66 return -1;
67
68 for (;;) {
69 int group = groups[wpa_s->sme.sae_group_index];
70 if (group <= 0)
71 break;
72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) {
73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
74 wpa_s->sme.sae.group);
75 return 0;
76 }
77 wpa_s->sme.sae_group_index++;
78 }
79
80 return -1;
81 }
82
83
sme_auth_build_sae_commit(struct wpa_supplicant * wpa_s,struct wpa_ssid * ssid,const u8 * bssid,int external,int reuse,int * ret_use_pt,bool * ret_use_pk)84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
85 struct wpa_ssid *ssid,
86 const u8 *bssid, int external,
87 int reuse, int *ret_use_pt,
88 bool *ret_use_pk)
89 {
90 struct wpabuf *buf;
91 size_t len;
92 const char *password;
93 struct wpa_bss *bss;
94 int use_pt = 0;
95 bool use_pk = false;
96 u8 rsnxe_capa = 0;
97
98 if (ret_use_pt)
99 *ret_use_pt = 0;
100 if (ret_use_pk)
101 *ret_use_pk = false;
102
103 #ifdef CONFIG_TESTING_OPTIONS
104 if (wpa_s->sae_commit_override) {
105 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
106 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override));
107 if (!buf)
108 return NULL;
109 if (!external) {
110 wpabuf_put_le16(buf, 1); /* Transaction seq# */
111 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
112 }
113 wpabuf_put_buf(buf, wpa_s->sae_commit_override);
114 return buf;
115 }
116 #endif /* CONFIG_TESTING_OPTIONS */
117
118 password = ssid->sae_password;
119 if (!password)
120 password = ssid->passphrase;
121 if (!password) {
122 wpa_printf(MSG_DEBUG, "SAE: No password available");
123 return NULL;
124 }
125
126 if (reuse && wpa_s->sme.sae.tmp &&
127 os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) {
128 wpa_printf(MSG_DEBUG,
129 "SAE: Reuse previously generated PWE on a retry with the same AP");
130 use_pt = wpa_s->sme.sae.h2e;
131 use_pk = wpa_s->sme.sae.pk;
132 goto reuse_data;
133 }
134 if (sme_set_sae_group(wpa_s) < 0) {
135 wpa_printf(MSG_DEBUG, "SAE: Failed to select group");
136 return NULL;
137 }
138
139 bss = wpa_bss_get_bssid_latest(wpa_s, bssid);
140 if (!bss) {
141 wpa_printf(MSG_DEBUG,
142 "SAE: BSS not available, update scan result to get BSS");
143 wpa_supplicant_update_scan_results(wpa_s);
144 bss = wpa_bss_get_bssid_latest(wpa_s, bssid);
145 }
146 if (bss) {
147 const u8 *rsnxe;
148
149 rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
150 if (rsnxe && rsnxe[1] >= 1)
151 rsnxe_capa = rsnxe[2];
152 }
153
154 if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3)
155 use_pt = 1;
156 #ifdef CONFIG_SAE_PK
157 if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
158 ssid->sae_pk != SAE_PK_MODE_DISABLED &&
159 ((ssid->sae_password &&
160 sae_pk_valid_password(ssid->sae_password)) ||
161 (!ssid->sae_password && ssid->passphrase &&
162 sae_pk_valid_password(ssid->passphrase)))) {
163 use_pt = 1;
164 use_pk = true;
165 }
166
167 if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
168 wpa_printf(MSG_DEBUG,
169 "SAE: Cannot use PK with the selected AP");
170 return NULL;
171 }
172 #endif /* CONFIG_SAE_PK */
173
174 if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
175 use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E));
176
177 if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
178 wpa_s->conf->sae_pwe != 3 &&
179 !use_pt) {
180 wpa_printf(MSG_DEBUG,
181 "SAE: Cannot use H2E with the selected AP");
182 return NULL;
183 }
184 }
185
186 if (use_pt &&
187 sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt,
188 wpa_s->own_addr, bssid,
189 wpa_s->sme.sae_rejected_groups, NULL) < 0)
190 return NULL;
191 if (!use_pt &&
192 sae_prepare_commit(wpa_s->own_addr, bssid,
193 (u8 *) password, os_strlen(password),
194 &wpa_s->sme.sae) < 0) {
195 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
196 return NULL;
197 }
198 if (wpa_s->sme.sae.tmp) {
199 os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN);
200 if (use_pt && use_pk)
201 wpa_s->sme.sae.pk = 1;
202 #ifdef CONFIG_SAE_PK
203 os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr,
204 ETH_ALEN);
205 os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN);
206 sae_pk_set_password(&wpa_s->sme.sae, password);
207 #endif /* CONFIG_SAE_PK */
208 }
209
210 reuse_data:
211 len = wpa_s->sme.sae_token ? 3 + wpabuf_len(wpa_s->sme.sae_token) : 0;
212 if (ssid->sae_password_id)
213 len += 4 + os_strlen(ssid->sae_password_id);
214 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len);
215 if (buf == NULL)
216 return NULL;
217 if (!external) {
218 wpabuf_put_le16(buf, 1); /* Transaction seq# */
219 if (use_pk)
220 wpabuf_put_le16(buf, WLAN_STATUS_SAE_PK);
221 else if (use_pt)
222 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
223 else
224 wpabuf_put_le16(buf,WLAN_STATUS_SUCCESS);
225 }
226 if (sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token,
227 ssid->sae_password_id) < 0) {
228 wpabuf_free(buf);
229 return NULL;
230 }
231 if (ret_use_pt)
232 *ret_use_pt = use_pt;
233 if (ret_use_pk)
234 *ret_use_pk = use_pk;
235
236 return buf;
237 }
238
239
sme_auth_build_sae_confirm(struct wpa_supplicant * wpa_s,int external)240 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s,
241 int external)
242 {
243 struct wpabuf *buf;
244
245 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN);
246 if (buf == NULL)
247 return NULL;
248
249 if (!external) {
250 wpabuf_put_le16(buf, 2); /* Transaction seq# */
251 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
252 }
253 sae_write_confirm(&wpa_s->sme.sae, buf);
254
255 return buf;
256 }
257
258 #endif /* CONFIG_SAE */
259
260
261 /**
262 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt
263 * @wpa_s: Pointer to wpa_supplicant data
264 * @bss: Pointer to the bss which is the target of authentication attempt
265 */
sme_auth_handle_rrm(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)266 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s,
267 struct wpa_bss *bss)
268 {
269 const u8 rrm_ie_len = 5;
270 u8 *pos;
271 const u8 *rrm_ie;
272
273 wpa_s->rrm.rrm_used = 0;
274
275 wpa_printf(MSG_DEBUG,
276 "RRM: Determining whether RRM can be used - device support: 0x%x",
277 wpa_s->drv_rrm_flags);
278
279 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES);
280 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) {
281 wpa_printf(MSG_DEBUG, "RRM: No RRM in network");
282 return;
283 }
284
285 if (!((wpa_s->drv_rrm_flags &
286 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) &&
287 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) &&
288 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) {
289 wpa_printf(MSG_DEBUG,
290 "RRM: Insufficient RRM support in driver - do not use RRM");
291 return;
292 }
293
294 if (sizeof(wpa_s->sme.assoc_req_ie) <
295 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) {
296 wpa_printf(MSG_INFO,
297 "RRM: Unable to use RRM, no room for RRM IE");
298 return;
299 }
300
301 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request");
302 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
303 os_memset(pos, 0, 2 + rrm_ie_len);
304 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
305 *pos++ = rrm_ie_len;
306
307 /* Set supported capabilities flags */
308 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION)
309 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT;
310
311 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE |
312 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE |
313 WLAN_RRM_CAPS_BEACON_REPORT_TABLE;
314
315 if (wpa_s->lci)
316 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT;
317
318 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2;
319 wpa_s->rrm.rrm_used = 1;
320 }
321
322
sme_send_authentication(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,struct wpa_ssid * ssid,int start)323 static void sme_send_authentication(struct wpa_supplicant *wpa_s,
324 struct wpa_bss *bss, struct wpa_ssid *ssid,
325 int start)
326 {
327 struct wpa_driver_auth_params params;
328 struct wpa_ssid *old_ssid;
329 #ifdef CONFIG_IEEE80211R
330 const u8 *ie;
331 #endif /* CONFIG_IEEE80211R */
332 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS)
333 const u8 *md = NULL;
334 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */
335 int bssid_changed;
336 struct wpabuf *resp = NULL;
337 u8 ext_capab[18];
338 int ext_capab_len;
339 int skip_auth;
340 u8 *wpa_ie;
341 size_t wpa_ie_len;
342 #ifdef CONFIG_MBO
343 const u8 *mbo_ie;
344 #endif /* CONFIG_MBO */
345 int omit_rsnxe = 0;
346
347 if (bss == NULL) {
348 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for "
349 "the network");
350 wpas_connect_work_done(wpa_s);
351 return;
352 }
353
354 skip_auth = wpa_s->conf->reassoc_same_bss_optim &&
355 wpa_s->reassoc_same_bss;
356 wpa_s->current_bss = bss;
357
358 os_memset(¶ms, 0, sizeof(params));
359 wpa_s->reassociate = 0;
360
361 params.freq = bss->freq;
362 params.bssid = bss->bssid;
363 params.ssid = bss->ssid;
364 params.ssid_len = bss->ssid_len;
365 params.p2p = ssid->p2p_group;
366
367 if (wpa_s->sme.ssid_len != params.ssid_len ||
368 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0)
369 wpa_s->sme.prev_bssid_set = 0;
370
371 wpa_s->sme.freq = params.freq;
372 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len);
373 wpa_s->sme.ssid_len = params.ssid_len;
374
375 params.auth_alg = WPA_AUTH_ALG_OPEN;
376 #ifdef IEEE8021X_EAPOL
377 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
378 if (ssid->leap) {
379 if (ssid->non_leap == 0)
380 params.auth_alg = WPA_AUTH_ALG_LEAP;
381 else
382 params.auth_alg |= WPA_AUTH_ALG_LEAP;
383 }
384 }
385 #endif /* IEEE8021X_EAPOL */
386 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x",
387 params.auth_alg);
388 if (ssid->auth_alg) {
389 params.auth_alg = ssid->auth_alg;
390 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: "
391 "0x%x", params.auth_alg);
392 }
393 #ifdef CONFIG_SAE
394 wpa_s->sme.sae_pmksa_caching = 0;
395 if (wpa_key_mgmt_sae(ssid->key_mgmt)) {
396 const u8 *rsn;
397 struct wpa_ie_data ied;
398
399 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
400 if (!rsn) {
401 wpa_dbg(wpa_s, MSG_DEBUG,
402 "SAE enabled, but target BSS does not advertise RSN");
403 #ifdef CONFIG_DPP
404 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
405 (ssid->key_mgmt & WPA_KEY_MGMT_DPP) &&
406 (ied.key_mgmt & WPA_KEY_MGMT_DPP)) {
407 wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled");
408 #endif /* CONFIG_DPP */
409 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
410 wpa_key_mgmt_sae(ied.key_mgmt)) {
411 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg");
412 params.auth_alg = WPA_AUTH_ALG_SAE;
413 } else {
414 wpa_dbg(wpa_s, MSG_DEBUG,
415 "SAE enabled, but target BSS does not advertise SAE AKM for RSN");
416 }
417 }
418 #endif /* CONFIG_SAE */
419
420 #ifdef CONFIG_WEP
421 {
422 int i;
423
424 for (i = 0; i < NUM_WEP_KEYS; i++) {
425 if (ssid->wep_key_len[i])
426 params.wep_key[i] = ssid->wep_key[i];
427 params.wep_key_len[i] = ssid->wep_key_len[i];
428 }
429 params.wep_tx_keyidx = ssid->wep_tx_keyidx;
430 }
431 #endif /* CONFIG_WEP */
432
433 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) ||
434 wpa_bss_get_ie(bss, WLAN_EID_RSN)) &&
435 wpa_key_mgmt_wpa(ssid->key_mgmt)) {
436 int try_opportunistic;
437 const u8 *cache_id = NULL;
438
439 try_opportunistic = (ssid->proactive_key_caching < 0 ?
440 wpa_s->conf->okc :
441 ssid->proactive_key_caching) &&
442 (ssid->proto & WPA_PROTO_RSN);
443 #ifdef CONFIG_FILS
444 if (wpa_key_mgmt_fils(ssid->key_mgmt))
445 cache_id = wpa_bss_get_fils_cache_id(bss);
446 #endif /* CONFIG_FILS */
447 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
448 wpa_s->current_ssid,
449 try_opportunistic, cache_id,
450 0) == 0)
451 eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
452 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
453 if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
454 wpa_s->sme.assoc_req_ie,
455 &wpa_s->sme.assoc_req_ie_len)) {
456 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
457 "key management and encryption suites");
458 wpas_connect_work_done(wpa_s);
459 return;
460 }
461 #ifdef CONFIG_HS20
462 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) &&
463 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) {
464 /* No PMKSA caching, but otherwise similar to RSN/WPA */
465 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
466 if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
467 wpa_s->sme.assoc_req_ie,
468 &wpa_s->sme.assoc_req_ie_len)) {
469 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
470 "key management and encryption suites");
471 wpas_connect_work_done(wpa_s);
472 return;
473 }
474 #endif /* CONFIG_HS20 */
475 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
476 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) {
477 /*
478 * Both WPA and non-WPA IEEE 802.1X enabled in configuration -
479 * use non-WPA since the scan results did not indicate that the
480 * AP is using WPA or WPA2.
481 */
482 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
483 wpa_s->sme.assoc_req_ie_len = 0;
484 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) {
485 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
486 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid,
487 wpa_s->sme.assoc_req_ie,
488 &wpa_s->sme.assoc_req_ie_len)) {
489 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
490 "key management and encryption suites (no "
491 "scan results)");
492 wpas_connect_work_done(wpa_s);
493 return;
494 }
495 #ifdef CONFIG_WPS
496 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) {
497 struct wpabuf *wps_ie;
498 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid));
499 if (wps_ie && wpabuf_len(wps_ie) <=
500 sizeof(wpa_s->sme.assoc_req_ie)) {
501 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie);
502 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie),
503 wpa_s->sme.assoc_req_ie_len);
504 } else
505 wpa_s->sme.assoc_req_ie_len = 0;
506 wpabuf_free(wps_ie);
507 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
508 #endif /* CONFIG_WPS */
509 } else {
510 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
511 wpa_s->sme.assoc_req_ie_len = 0;
512 }
513
514 /* In case the WPA vendor IE is used, it should be placed after all the
515 * non-vendor IEs, as the lower layer expects the IEs to be ordered as
516 * defined in the standard. Store the WPA IE so it can later be
517 * inserted at the correct location.
518 */
519 wpa_ie = NULL;
520 wpa_ie_len = 0;
521 if (wpa_s->wpa_proto == WPA_PROTO_WPA) {
522 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie,
523 wpa_s->sme.assoc_req_ie_len);
524 if (wpa_ie) {
525 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE");
526
527 wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
528 wpa_s->sme.assoc_req_ie_len = 0;
529 } else {
530 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE");
531 wpas_connect_work_done(wpa_s);
532 return;
533 }
534 }
535
536 #ifdef CONFIG_IEEE80211R
537 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
538 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
539 md = ie + 2;
540 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0);
541 if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) ||
542 !wpa_key_mgmt_ft(wpa_s->key_mgmt)))
543 md = NULL;
544 if (md) {
545 /* Prepare for the next transition */
546 wpa_ft_prepare_auth_request(wpa_s->wpa, ie);
547 }
548
549 if (md) {
550 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x",
551 md[0], md[1]);
552
553 omit_rsnxe = !wpa_bss_get_ie(bss, WLAN_EID_RSNX);
554 if (wpa_s->sme.assoc_req_ie_len + 5 <
555 sizeof(wpa_s->sme.assoc_req_ie)) {
556 struct rsn_mdie *mdie;
557 u8 *pos = wpa_s->sme.assoc_req_ie +
558 wpa_s->sme.assoc_req_ie_len;
559 *pos++ = WLAN_EID_MOBILITY_DOMAIN;
560 *pos++ = sizeof(*mdie);
561 mdie = (struct rsn_mdie *) pos;
562 os_memcpy(mdie->mobility_domain, md,
563 MOBILITY_DOMAIN_ID_LEN);
564 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN];
565 wpa_s->sme.assoc_req_ie_len += 5;
566 }
567
568 if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used &&
569 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 &&
570 wpa_sm_has_ptk(wpa_s->wpa)) {
571 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT "
572 "over-the-air");
573 params.auth_alg = WPA_AUTH_ALG_FT;
574 params.ie = wpa_s->sme.ft_ies;
575 params.ie_len = wpa_s->sme.ft_ies_len;
576 }
577 }
578 #endif /* CONFIG_IEEE80211R */
579
580 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid);
581 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) {
582 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
583 struct wpa_ie_data _ie;
584 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 &&
585 _ie.capabilities &
586 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) {
587 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports "
588 "MFP: require MFP");
589 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED;
590 }
591 }
592
593 #ifdef CONFIG_P2P
594 if (wpa_s->global->p2p) {
595 u8 *pos;
596 size_t len;
597 int res;
598 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
599 len = sizeof(wpa_s->sme.assoc_req_ie) -
600 wpa_s->sme.assoc_req_ie_len;
601 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len,
602 ssid->p2p_group);
603 if (res >= 0)
604 wpa_s->sme.assoc_req_ie_len += res;
605 }
606 #endif /* CONFIG_P2P */
607
608 #ifdef CONFIG_FST
609 if (wpa_s->fst_ies) {
610 int fst_ies_len = wpabuf_len(wpa_s->fst_ies);
611
612 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <=
613 sizeof(wpa_s->sme.assoc_req_ie)) {
614 os_memcpy(wpa_s->sme.assoc_req_ie +
615 wpa_s->sme.assoc_req_ie_len,
616 wpabuf_head(wpa_s->fst_ies),
617 fst_ies_len);
618 wpa_s->sme.assoc_req_ie_len += fst_ies_len;
619 }
620 }
621 #endif /* CONFIG_FST */
622
623 sme_auth_handle_rrm(wpa_s, bss);
624
625 #ifdef CONFIG_RRM
626 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie(
627 wpa_s, ssid, bss,
628 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
629 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len);
630 #endif /* CONFIG_RRM */
631 if (params.p2p)
632 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT);
633 else
634 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION);
635
636 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
637 sizeof(ext_capab));
638 if (ext_capab_len > 0) {
639 u8 *pos = wpa_s->sme.assoc_req_ie;
640 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN)
641 pos += 2 + pos[1];
642 os_memmove(pos + ext_capab_len, pos,
643 wpa_s->sme.assoc_req_ie_len -
644 (pos - wpa_s->sme.assoc_req_ie));
645 wpa_s->sme.assoc_req_ie_len += ext_capab_len;
646 os_memcpy(pos, ext_capab, ext_capab_len);
647 }
648
649 #ifdef CONFIG_TESTING_OPTIONS
650 if (wpa_s->rsnxe_override_assoc &&
651 wpabuf_len(wpa_s->rsnxe_override_assoc) <=
652 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len) {
653 wpa_printf(MSG_DEBUG, "TESTING: RSNXE AssocReq override");
654 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
655 wpabuf_head(wpa_s->rsnxe_override_assoc),
656 wpabuf_len(wpa_s->rsnxe_override_assoc));
657 wpa_s->sme.assoc_req_ie_len +=
658 wpabuf_len(wpa_s->rsnxe_override_assoc);
659 } else
660 #endif /* CONFIG_TESTING_OPTIONS */
661 if (wpa_s->rsnxe_len > 0 &&
662 wpa_s->rsnxe_len <=
663 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len &&
664 !omit_rsnxe) {
665 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
666 wpa_s->rsnxe, wpa_s->rsnxe_len);
667 wpa_s->sme.assoc_req_ie_len += wpa_s->rsnxe_len;
668 }
669
670 #ifdef CONFIG_HS20
671 if (is_hs20_network(wpa_s, ssid, bss)) {
672 struct wpabuf *hs20;
673
674 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN);
675 if (hs20) {
676 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid);
677 size_t len;
678
679 wpas_hs20_add_indication(hs20, pps_mo_id,
680 get_hs20_version(bss));
681 wpas_hs20_add_roam_cons_sel(hs20, ssid);
682 len = sizeof(wpa_s->sme.assoc_req_ie) -
683 wpa_s->sme.assoc_req_ie_len;
684 if (wpabuf_len(hs20) <= len) {
685 os_memcpy(wpa_s->sme.assoc_req_ie +
686 wpa_s->sme.assoc_req_ie_len,
687 wpabuf_head(hs20), wpabuf_len(hs20));
688 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20);
689 }
690 wpabuf_free(hs20);
691 }
692 }
693 #endif /* CONFIG_HS20 */
694
695 if (wpa_ie) {
696 size_t len;
697
698 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE");
699
700 len = sizeof(wpa_s->sme.assoc_req_ie) -
701 wpa_s->sme.assoc_req_ie_len;
702
703 if (len > wpa_ie_len) {
704 os_memcpy(wpa_s->sme.assoc_req_ie +
705 wpa_s->sme.assoc_req_ie_len,
706 wpa_ie, wpa_ie_len);
707 wpa_s->sme.assoc_req_ie_len += wpa_ie_len;
708 } else {
709 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE");
710 }
711
712 os_free(wpa_ie);
713 }
714
715 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) {
716 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ];
717 size_t len;
718
719 len = sizeof(wpa_s->sme.assoc_req_ie) -
720 wpa_s->sme.assoc_req_ie_len;
721 if (wpabuf_len(buf) <= len) {
722 os_memcpy(wpa_s->sme.assoc_req_ie +
723 wpa_s->sme.assoc_req_ie_len,
724 wpabuf_head(buf), wpabuf_len(buf));
725 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
726 }
727 }
728
729 #ifdef CONFIG_MBO
730 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE);
731 if (!wpa_s->disable_mbo_oce && mbo_ie) {
732 int len;
733
734 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie +
735 wpa_s->sme.assoc_req_ie_len,
736 sizeof(wpa_s->sme.assoc_req_ie) -
737 wpa_s->sme.assoc_req_ie_len,
738 !!mbo_attr_from_mbo_ie(mbo_ie,
739 OCE_ATTR_ID_CAPA_IND));
740 if (len >= 0)
741 wpa_s->sme.assoc_req_ie_len += len;
742 }
743 #endif /* CONFIG_MBO */
744
745 #ifdef CONFIG_SAE
746 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
747 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0,
748 NULL,
749 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ?
750 WPA_KEY_MGMT_FT_SAE :
751 WPA_KEY_MGMT_SAE) == 0) {
752 wpa_dbg(wpa_s, MSG_DEBUG,
753 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
754 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
755 params.auth_alg = WPA_AUTH_ALG_OPEN;
756 wpa_s->sme.sae_pmksa_caching = 1;
757 }
758
759 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) {
760 if (start)
761 resp = sme_auth_build_sae_commit(wpa_s, ssid,
762 bss->bssid, 0,
763 start == 2, NULL,
764 NULL);
765 else
766 resp = sme_auth_build_sae_confirm(wpa_s, 0);
767 if (resp == NULL) {
768 wpas_connection_failed(wpa_s, bss->bssid);
769 return;
770 }
771 params.auth_data = wpabuf_head(resp);
772 params.auth_data_len = wpabuf_len(resp);
773 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED;
774 }
775 #endif /* CONFIG_SAE */
776
777 bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
778 os_memset(wpa_s->bssid, 0, ETH_ALEN);
779 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN);
780 if (bssid_changed)
781 wpas_notify_bssid_changed(wpa_s);
782
783 old_ssid = wpa_s->current_ssid;
784 wpa_s->current_ssid = ssid;
785 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
786 wpa_supplicant_initiate_eapol(wpa_s);
787
788 #ifdef CONFIG_FILS
789 /* TODO: FILS operations can in some cases be done between different
790 * network_ctx (i.e., same credentials can be used with multiple
791 * networks). */
792 if (params.auth_alg == WPA_AUTH_ALG_OPEN &&
793 wpa_key_mgmt_fils(ssid->key_mgmt)) {
794 const u8 *indic;
795 u16 fils_info;
796 const u8 *realm, *username, *rrk;
797 size_t realm_len, username_len, rrk_len;
798 u16 next_seq_num;
799
800 /*
801 * Check FILS Indication element (FILS Information field) bits
802 * indicating supported authentication algorithms against local
803 * configuration (ssid->fils_dh_group). Try to use FILS
804 * authentication only if the AP supports the combination in the
805 * network profile. */
806 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
807 if (!indic || indic[1] < 2) {
808 wpa_printf(MSG_DEBUG, "SME: " MACSTR
809 " does not include FILS Indication element - cannot use FILS authentication with it",
810 MAC2STR(bss->bssid));
811 goto no_fils;
812 }
813
814 fils_info = WPA_GET_LE16(indic + 2);
815 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) {
816 wpa_printf(MSG_DEBUG, "SME: " MACSTR
817 " does not support FILS SK without PFS - cannot use FILS authentication with it",
818 MAC2STR(bss->bssid));
819 goto no_fils;
820 }
821 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) {
822 wpa_printf(MSG_DEBUG, "SME: " MACSTR
823 " does not support FILS SK with PFS - cannot use FILS authentication with it",
824 MAC2STR(bss->bssid));
825 goto no_fils;
826 }
827
828 if (wpa_s->last_con_fail_realm &&
829 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap,
830 &username, &username_len,
831 &realm, &realm_len, &next_seq_num,
832 &rrk, &rrk_len) == 0 &&
833 realm && realm_len == wpa_s->last_con_fail_realm_len &&
834 os_memcmp(realm, wpa_s->last_con_fail_realm,
835 realm_len) == 0) {
836 wpa_printf(MSG_DEBUG,
837 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy");
838 goto no_fils;
839 }
840
841 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
842 ssid, 0,
843 wpa_bss_get_fils_cache_id(bss),
844 0) == 0)
845 wpa_printf(MSG_DEBUG,
846 "SME: Try to use FILS with PMKSA caching");
847 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md);
848 if (resp) {
849 int auth_alg;
850
851 if (ssid->fils_dh_group)
852 wpa_printf(MSG_DEBUG,
853 "SME: Try to use FILS SK authentication with PFS (DH Group %u)",
854 ssid->fils_dh_group);
855 else
856 wpa_printf(MSG_DEBUG,
857 "SME: Try to use FILS SK authentication without PFS");
858 auth_alg = ssid->fils_dh_group ?
859 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS;
860 params.auth_alg = auth_alg;
861 params.auth_data = wpabuf_head(resp);
862 params.auth_data_len = wpabuf_len(resp);
863 wpa_s->sme.auth_alg = auth_alg;
864 }
865 }
866 no_fils:
867 #endif /* CONFIG_FILS */
868
869 wpa_supplicant_cancel_sched_scan(wpa_s);
870 wpa_supplicant_cancel_scan(wpa_s);
871
872 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR
873 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
874 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq);
875
876 eapol_sm_notify_portValid(wpa_s->eapol, false);
877 wpa_clear_keys(wpa_s, bss->bssid);
878 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
879 if (old_ssid != wpa_s->current_ssid)
880 wpas_notify_network_changed(wpa_s);
881
882 #ifdef CONFIG_HS20
883 hs20_configure_frame_filters(wpa_s);
884 #endif /* CONFIG_HS20 */
885
886 #ifdef CONFIG_P2P
887 /*
888 * If multi-channel concurrency is not supported, check for any
889 * frequency conflict. In case of any frequency conflict, remove the
890 * least prioritized connection.
891 */
892 if (wpa_s->num_multichan_concurrent < 2) {
893 int freq, num;
894 num = get_shared_radio_freqs(wpa_s, &freq, 1);
895 if (num > 0 && freq > 0 && freq != params.freq) {
896 wpa_printf(MSG_DEBUG,
897 "Conflicting frequency found (%d != %d)",
898 freq, params.freq);
899 if (wpas_p2p_handle_frequency_conflicts(wpa_s,
900 params.freq,
901 ssid) < 0) {
902 wpas_connection_failed(wpa_s, bss->bssid);
903 wpa_supplicant_mark_disassoc(wpa_s);
904 wpabuf_free(resp);
905 wpas_connect_work_done(wpa_s);
906 return;
907 }
908 }
909 }
910 #endif /* CONFIG_P2P */
911
912 if (skip_auth) {
913 wpa_msg(wpa_s, MSG_DEBUG,
914 "SME: Skip authentication step on reassoc-to-same-BSS");
915 wpabuf_free(resp);
916 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN);
917 return;
918 }
919
920
921 wpa_s->sme.auth_alg = params.auth_alg;
922 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) {
923 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the "
924 "driver failed");
925 wpas_connection_failed(wpa_s, bss->bssid);
926 wpa_supplicant_mark_disassoc(wpa_s);
927 wpabuf_free(resp);
928 wpas_connect_work_done(wpa_s);
929 return;
930 }
931
932 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
933 NULL);
934
935 /*
936 * Association will be started based on the authentication event from
937 * the driver.
938 */
939
940 wpabuf_free(resp);
941 }
942
943
sme_auth_start_cb(struct wpa_radio_work * work,int deinit)944 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit)
945 {
946 struct wpa_connect_work *cwork = work->ctx;
947 struct wpa_supplicant *wpa_s = work->wpa_s;
948
949 wpa_s->roam_in_progress = false;
950 #ifdef CONFIG_WNM
951 wpa_s->bss_trans_mgmt_in_progress = false;
952 #endif /* CONFIG_WNM */
953
954 if (deinit) {
955 if (work->started)
956 wpa_s->connect_work = NULL;
957
958 wpas_connect_work_free(cwork);
959 return;
960 }
961
962 wpa_s->connect_work = work;
963
964 if (cwork->bss_removed ||
965 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) ||
966 wpas_network_disabled(wpa_s, cwork->ssid)) {
967 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt");
968 wpas_connect_work_done(wpa_s);
969 return;
970 }
971
972 /* Starting new connection, so clear the possibly used WPA IE from the
973 * previous association. */
974 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
975 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0);
976 wpa_s->rsnxe_len = 0;
977
978 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1);
979 }
980
981
sme_authenticate(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,struct wpa_ssid * ssid)982 void sme_authenticate(struct wpa_supplicant *wpa_s,
983 struct wpa_bss *bss, struct wpa_ssid *ssid)
984 {
985 struct wpa_connect_work *cwork;
986
987 if (bss == NULL || ssid == NULL)
988 return;
989 if (wpa_s->connect_work) {
990 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist");
991 return;
992 }
993
994 if (wpa_s->roam_in_progress) {
995 wpa_dbg(wpa_s, MSG_DEBUG,
996 "SME: Reject sme_authenticate() in favor of explicit roam request");
997 return;
998 }
999 #ifdef CONFIG_WNM
1000 if (wpa_s->bss_trans_mgmt_in_progress) {
1001 wpa_dbg(wpa_s, MSG_DEBUG,
1002 "SME: Reject sme_authenticate() in favor of BSS transition management request");
1003 return;
1004 }
1005 #endif /* CONFIG_WNM */
1006 if (radio_work_pending(wpa_s, "sme-connect")) {
1007 /*
1008 * The previous sme-connect work might no longer be valid due to
1009 * the fact that the BSS list was updated. In addition, it makes
1010 * sense to adhere to the 'newer' decision.
1011 */
1012 wpa_dbg(wpa_s, MSG_DEBUG,
1013 "SME: Remove previous pending sme-connect");
1014 radio_remove_works(wpa_s, "sme-connect", 0);
1015 }
1016
1017 wpas_abort_ongoing_scan(wpa_s);
1018
1019 cwork = os_zalloc(sizeof(*cwork));
1020 if (cwork == NULL)
1021 return;
1022 cwork->bss = bss;
1023 cwork->ssid = ssid;
1024 cwork->sme = 1;
1025
1026 #ifdef CONFIG_SAE
1027 wpa_s->sme.sae.state = SAE_NOTHING;
1028 wpa_s->sme.sae.send_confirm = 0;
1029 wpa_s->sme.sae_group_index = 0;
1030 #endif /* CONFIG_SAE */
1031
1032 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1,
1033 sme_auth_start_cb, cwork) < 0)
1034 wpas_connect_work_free(cwork);
1035 }
1036
1037
1038 #ifdef CONFIG_SAE
1039
sme_external_auth_build_buf(struct wpabuf * buf,struct wpabuf * params,const u8 * sa,const u8 * da,u16 auth_transaction,u16 seq_num,u16 status_code)1040 static int sme_external_auth_build_buf(struct wpabuf *buf,
1041 struct wpabuf *params,
1042 const u8 *sa, const u8 *da,
1043 u16 auth_transaction, u16 seq_num,
1044 u16 status_code)
1045 {
1046 struct ieee80211_mgmt *resp;
1047
1048 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
1049 u.auth.variable));
1050
1051 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
1052 (WLAN_FC_STYPE_AUTH << 4));
1053 os_memcpy(resp->da, da, ETH_ALEN);
1054 os_memcpy(resp->sa, sa, ETH_ALEN);
1055 os_memcpy(resp->bssid, da, ETH_ALEN);
1056 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE);
1057 resp->seq_ctrl = host_to_le16(seq_num << 4);
1058 resp->u.auth.auth_transaction = host_to_le16(auth_transaction);
1059 resp->u.auth.status_code = host_to_le16(status_code);
1060 if (params)
1061 wpabuf_put_buf(buf, params);
1062
1063 return 0;
1064 }
1065
1066
sme_external_auth_send_sae_commit(struct wpa_supplicant * wpa_s,const u8 * bssid,struct wpa_ssid * ssid)1067 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s,
1068 const u8 *bssid,
1069 struct wpa_ssid *ssid)
1070 {
1071 struct wpabuf *resp, *buf;
1072 int use_pt;
1073 bool use_pk;
1074 u16 status;
1075
1076 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt,
1077 &use_pk);
1078 if (!resp) {
1079 wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit");
1080 return -1;
1081 }
1082
1083 wpa_s->sme.sae.state = SAE_COMMITTED;
1084 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp));
1085 if (!buf) {
1086 wpabuf_free(resp);
1087 return -1;
1088 }
1089
1090 wpa_s->sme.seq_num++;
1091 if (use_pk)
1092 status = WLAN_STATUS_SAE_PK;
1093 else if (use_pt)
1094 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
1095 else
1096 status = WLAN_STATUS_SUCCESS;
1097 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr,
1098 bssid, 1, wpa_s->sme.seq_num, status);
1099 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0);
1100 wpabuf_free(resp);
1101 wpabuf_free(buf);
1102
1103 return 0;
1104 }
1105
1106
sme_send_external_auth_status(struct wpa_supplicant * wpa_s,u16 status)1107 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s,
1108 u16 status)
1109 {
1110 struct external_auth params;
1111
1112 os_memset(¶ms, 0, sizeof(params));
1113 params.status = status;
1114 params.ssid = wpa_s->sme.ext_auth_ssid;
1115 params.ssid_len = wpa_s->sme.ext_auth_ssid_len;
1116 params.bssid = wpa_s->sme.ext_auth_bssid;
1117 if (wpa_s->conf->sae_pmkid_in_assoc && status == WLAN_STATUS_SUCCESS)
1118 params.pmkid = wpa_s->sme.sae.pmkid;
1119 wpa_drv_send_external_auth_status(wpa_s, ¶ms);
1120 }
1121
1122
sme_handle_external_auth_start(struct wpa_supplicant * wpa_s,union wpa_event_data * data)1123 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s,
1124 union wpa_event_data *data)
1125 {
1126 struct wpa_ssid *ssid;
1127 size_t ssid_str_len = data->external_auth.ssid_len;
1128 const u8 *ssid_str = data->external_auth.ssid;
1129
1130 /* Get the SSID conf from the ssid string obtained */
1131 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
1132 if (!wpas_network_disabled(wpa_s, ssid) &&
1133 ssid_str_len == ssid->ssid_len &&
1134 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 &&
1135 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)))
1136 break;
1137 }
1138 if (!ssid ||
1139 sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid,
1140 ssid) < 0)
1141 return -1;
1142
1143 return 0;
1144 }
1145
1146
sme_external_auth_send_sae_confirm(struct wpa_supplicant * wpa_s,const u8 * da)1147 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s,
1148 const u8 *da)
1149 {
1150 struct wpabuf *resp, *buf;
1151
1152 resp = sme_auth_build_sae_confirm(wpa_s, 1);
1153 if (!resp) {
1154 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure");
1155 return;
1156 }
1157
1158 wpa_s->sme.sae.state = SAE_CONFIRMED;
1159 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp));
1160 if (!buf) {
1161 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure");
1162 wpabuf_free(resp);
1163 return;
1164 }
1165 wpa_s->sme.seq_num++;
1166 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr,
1167 da, 2, wpa_s->sme.seq_num,
1168 WLAN_STATUS_SUCCESS);
1169 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0);
1170 wpabuf_free(resp);
1171 wpabuf_free(buf);
1172 }
1173
1174
sme_external_auth_trigger(struct wpa_supplicant * wpa_s,union wpa_event_data * data)1175 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s,
1176 union wpa_event_data *data)
1177 {
1178 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) !=
1179 RSN_AUTH_KEY_MGMT_SAE)
1180 return;
1181
1182 if (data->external_auth.action == EXT_AUTH_START) {
1183 if (!data->external_auth.bssid || !data->external_auth.ssid)
1184 return;
1185 os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid,
1186 ETH_ALEN);
1187 os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid,
1188 data->external_auth.ssid_len);
1189 wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len;
1190 wpa_s->sme.seq_num = 0;
1191 wpa_s->sme.sae.state = SAE_NOTHING;
1192 wpa_s->sme.sae.send_confirm = 0;
1193 wpa_s->sme.sae_group_index = 0;
1194 if (sme_handle_external_auth_start(wpa_s, data) < 0)
1195 sme_send_external_auth_status(wpa_s,
1196 WLAN_STATUS_UNSPECIFIED_FAILURE);
1197 } else if (data->external_auth.action == EXT_AUTH_ABORT) {
1198 /* Report failure to driver for the wrong trigger */
1199 sme_send_external_auth_status(wpa_s,
1200 WLAN_STATUS_UNSPECIFIED_FAILURE);
1201 }
1202 }
1203
1204
sme_sae_is_group_enabled(struct wpa_supplicant * wpa_s,int group)1205 static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group)
1206 {
1207 int *groups = wpa_s->conf->sae_groups;
1208 int default_groups[] = { 19, 20, 21, 0 };
1209 int i;
1210
1211 if (!groups)
1212 groups = default_groups;
1213
1214 for (i = 0; groups[i] > 0; i++) {
1215 if (groups[i] == group)
1216 return 1;
1217 }
1218
1219 return 0;
1220 }
1221
1222
sme_check_sae_rejected_groups(struct wpa_supplicant * wpa_s,const struct wpabuf * groups)1223 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
1224 const struct wpabuf *groups)
1225 {
1226 size_t i, count;
1227 const u8 *pos;
1228
1229 if (!groups)
1230 return 0;
1231
1232 pos = wpabuf_head(groups);
1233 count = wpabuf_len(groups) / 2;
1234 for (i = 0; i < count; i++) {
1235 int enabled;
1236 u16 group;
1237
1238 group = WPA_GET_LE16(pos);
1239 pos += 2;
1240 enabled = sme_sae_is_group_enabled(wpa_s, group);
1241 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1242 group, enabled ? "enabled" : "disabled");
1243 if (enabled)
1244 return 1;
1245 }
1246
1247 return 0;
1248 }
1249
1250
sme_sae_auth(struct wpa_supplicant * wpa_s,u16 auth_transaction,u16 status_code,const u8 * data,size_t len,int external,const u8 * sa)1251 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
1252 u16 status_code, const u8 *data, size_t len,
1253 int external, const u8 *sa)
1254 {
1255 int *groups;
1256
1257 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u "
1258 "status code %u", auth_transaction, status_code);
1259
1260 if (auth_transaction == 1 &&
1261 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1262 wpa_s->sme.sae.state == SAE_COMMITTED &&
1263 (external || wpa_s->current_bss) && wpa_s->current_ssid) {
1264 int default_groups[] = { 19, 20, 21, 0 };
1265 u16 group;
1266 const u8 *token_pos;
1267 size_t token_len;
1268 int h2e = 0;
1269
1270 groups = wpa_s->conf->sae_groups;
1271 if (!groups || groups[0] <= 0)
1272 groups = default_groups;
1273
1274 wpa_hexdump(MSG_DEBUG, "SME: SAE anti-clogging token request",
1275 data, len);
1276 if (len < sizeof(le16)) {
1277 wpa_dbg(wpa_s, MSG_DEBUG,
1278 "SME: Too short SAE anti-clogging token request");
1279 return -1;
1280 }
1281 group = WPA_GET_LE16(data);
1282 wpa_dbg(wpa_s, MSG_DEBUG,
1283 "SME: SAE anti-clogging token requested (group %u)",
1284 group);
1285 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) !=
1286 WLAN_STATUS_SUCCESS) {
1287 wpa_dbg(wpa_s, MSG_ERROR,
1288 "SME: SAE group %u of anti-clogging request is invalid",
1289 group);
1290 return -1;
1291 }
1292 wpabuf_free(wpa_s->sme.sae_token);
1293 token_pos = data + sizeof(le16);
1294 token_len = len - sizeof(le16);
1295 h2e = wpa_s->sme.sae.h2e;
1296 if (h2e) {
1297 if (token_len < 3) {
1298 wpa_dbg(wpa_s, MSG_DEBUG,
1299 "SME: Too short SAE anti-clogging token container");
1300 return -1;
1301 }
1302 if (token_pos[0] != WLAN_EID_EXTENSION ||
1303 token_pos[1] == 0 ||
1304 token_pos[1] > token_len - 2 ||
1305 token_pos[2] != WLAN_EID_EXT_ANTI_CLOGGING_TOKEN) {
1306 wpa_dbg(wpa_s, MSG_DEBUG,
1307 "SME: Invalid SAE anti-clogging token container header");
1308 return -1;
1309 }
1310 token_len = token_pos[1] - 1;
1311 token_pos += 3;
1312 }
1313 wpa_s->sme.sae_token = wpabuf_alloc_copy(token_pos, token_len);
1314 wpa_hexdump_buf(MSG_DEBUG, "SME: Requested anti-clogging token",
1315 wpa_s->sme.sae_token);
1316 if (!external)
1317 sme_send_authentication(wpa_s, wpa_s->current_bss,
1318 wpa_s->current_ssid, 2);
1319 else
1320 sme_external_auth_send_sae_commit(
1321 wpa_s, wpa_s->sme.ext_auth_bssid,
1322 wpa_s->current_ssid);
1323 return 0;
1324 }
1325
1326 if (auth_transaction == 1 &&
1327 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1328 wpa_s->sme.sae.state == SAE_COMMITTED &&
1329 (external || wpa_s->current_bss) && wpa_s->current_ssid) {
1330 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported");
1331 int_array_add_unique(&wpa_s->sme.sae_rejected_groups,
1332 wpa_s->sme.sae.group);
1333 wpa_s->sme.sae_group_index++;
1334 if (sme_set_sae_group(wpa_s) < 0)
1335 return -1; /* no other groups enabled */
1336 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group");
1337 if (!external)
1338 sme_send_authentication(wpa_s, wpa_s->current_bss,
1339 wpa_s->current_ssid, 1);
1340 else
1341 sme_external_auth_send_sae_commit(
1342 wpa_s, wpa_s->sme.ext_auth_bssid,
1343 wpa_s->current_ssid);
1344 return 0;
1345 }
1346
1347 if (auth_transaction == 1 &&
1348 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1349 const u8 *bssid = sa ? sa : wpa_s->pending_bssid;
1350
1351 wpa_msg(wpa_s, MSG_INFO,
1352 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR,
1353 MAC2STR(bssid));
1354 return -1;
1355 }
1356
1357 if (status_code != WLAN_STATUS_SUCCESS &&
1358 status_code != WLAN_STATUS_SAE_HASH_TO_ELEMENT &&
1359 status_code != WLAN_STATUS_SAE_PK) {
1360 const u8 *bssid = sa ? sa : wpa_s->pending_bssid;
1361
1362 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR
1363 " auth_type=%u auth_transaction=%u status_code=%u",
1364 MAC2STR(bssid), WLAN_AUTH_SAE,
1365 auth_transaction, status_code);
1366 return -1;
1367 }
1368
1369 if (auth_transaction == 1) {
1370 u16 res;
1371
1372 groups = wpa_s->conf->sae_groups;
1373
1374 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit");
1375 if ((!external && wpa_s->current_bss == NULL) ||
1376 wpa_s->current_ssid == NULL)
1377 return -1;
1378 if (wpa_s->sme.sae.state != SAE_COMMITTED) {
1379 wpa_printf(MSG_DEBUG,
1380 "SAE: Ignore commit message while waiting for confirm");
1381 return 0;
1382 }
1383 if (wpa_s->sme.sae.h2e && status_code == WLAN_STATUS_SUCCESS) {
1384 wpa_printf(MSG_DEBUG,
1385 "SAE: Unexpected use of status code 0 in SAE commit when H2E was expected");
1386 return -1;
1387 }
1388 if ((!wpa_s->sme.sae.h2e || wpa_s->sme.sae.pk) &&
1389 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
1390 wpa_printf(MSG_DEBUG,
1391 "SAE: Unexpected use of status code for H2E in SAE commit when H2E was not expected");
1392 return -1;
1393 }
1394 if (!wpa_s->sme.sae.pk &&
1395 status_code == WLAN_STATUS_SAE_PK) {
1396 wpa_printf(MSG_DEBUG,
1397 "SAE: Unexpected use of status code for PK in SAE commit when PK was not expected");
1398 return -1;
1399 }
1400
1401 if (groups && groups[0] <= 0)
1402 groups = NULL;
1403 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL,
1404 groups, status_code ==
1405 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1406 status_code == WLAN_STATUS_SAE_PK);
1407 if (res == SAE_SILENTLY_DISCARD) {
1408 wpa_printf(MSG_DEBUG,
1409 "SAE: Drop commit message due to reflection attack");
1410 return 0;
1411 }
1412 if (res != WLAN_STATUS_SUCCESS)
1413 return -1;
1414
1415 if (wpa_s->sme.sae.tmp &&
1416 sme_check_sae_rejected_groups(
1417 wpa_s,
1418 wpa_s->sme.sae.tmp->peer_rejected_groups))
1419 return -1;
1420
1421 if (sae_process_commit(&wpa_s->sme.sae) < 0) {
1422 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer "
1423 "commit");
1424 return -1;
1425 }
1426
1427 wpabuf_free(wpa_s->sme.sae_token);
1428 wpa_s->sme.sae_token = NULL;
1429 if (!external)
1430 sme_send_authentication(wpa_s, wpa_s->current_bss,
1431 wpa_s->current_ssid, 0);
1432 else
1433 sme_external_auth_send_sae_confirm(wpa_s, sa);
1434 return 0;
1435 } else if (auth_transaction == 2) {
1436 if (status_code != WLAN_STATUS_SUCCESS)
1437 return -1;
1438 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
1439 if (wpa_s->sme.sae.state != SAE_CONFIRMED)
1440 return -1;
1441 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0)
1442 return -1;
1443 wpa_s->sme.sae.state = SAE_ACCEPTED;
1444 sae_clear_temp_data(&wpa_s->sme.sae);
1445
1446 if (external) {
1447 /* Report success to driver */
1448 sme_send_external_auth_status(wpa_s,
1449 WLAN_STATUS_SUCCESS);
1450 }
1451
1452 return 1;
1453 }
1454
1455 return -1;
1456 }
1457
1458
sme_sae_set_pmk(struct wpa_supplicant * wpa_s,const u8 * bssid)1459 static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid)
1460 {
1461 wpa_printf(MSG_DEBUG,
1462 "SME: SAE completed - setting PMK for 4-way handshake");
1463 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN,
1464 wpa_s->sme.sae.pmkid, bssid);
1465 if (wpa_s->conf->sae_pmkid_in_assoc) {
1466 /* Update the own RSNE contents now that we have set the PMK
1467 * and added a PMKSA cache entry based on the successfully
1468 * completed SAE exchange. In practice, this will add the PMKID
1469 * into RSNE. */
1470 if (wpa_s->sme.assoc_req_ie_len + 2 + PMKID_LEN >
1471 sizeof(wpa_s->sme.assoc_req_ie)) {
1472 wpa_msg(wpa_s, MSG_WARNING,
1473 "RSN: Not enough room for inserting own PMKID into RSNE");
1474 return -1;
1475 }
1476 if (wpa_insert_pmkid(wpa_s->sme.assoc_req_ie,
1477 &wpa_s->sme.assoc_req_ie_len,
1478 wpa_s->sme.sae.pmkid) < 0)
1479 return -1;
1480 wpa_hexdump(MSG_DEBUG,
1481 "SME: Updated Association Request IEs",
1482 wpa_s->sme.assoc_req_ie,
1483 wpa_s->sme.assoc_req_ie_len);
1484 }
1485
1486 return 0;
1487 }
1488
1489
sme_external_auth_mgmt_rx(struct wpa_supplicant * wpa_s,const u8 * auth_frame,size_t len)1490 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s,
1491 const u8 *auth_frame, size_t len)
1492 {
1493 const struct ieee80211_mgmt *header;
1494 size_t auth_length;
1495
1496 header = (const struct ieee80211_mgmt *) auth_frame;
1497 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth);
1498
1499 if (len < auth_length) {
1500 /* Notify failure to the driver */
1501 sme_send_external_auth_status(wpa_s,
1502 WLAN_STATUS_UNSPECIFIED_FAILURE);
1503 return;
1504 }
1505
1506 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) {
1507 int res;
1508
1509 res = sme_sae_auth(
1510 wpa_s, le_to_host16(header->u.auth.auth_transaction),
1511 le_to_host16(header->u.auth.status_code),
1512 header->u.auth.variable,
1513 len - auth_length, 1, header->sa);
1514 if (res < 0) {
1515 /* Notify failure to the driver */
1516 sme_send_external_auth_status(
1517 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE);
1518 return;
1519 }
1520 if (res != 1)
1521 return;
1522
1523 if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0)
1524 return;
1525 }
1526 }
1527
1528 #endif /* CONFIG_SAE */
1529
1530
sme_event_auth(struct wpa_supplicant * wpa_s,union wpa_event_data * data)1531 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
1532 {
1533 struct wpa_ssid *ssid = wpa_s->current_ssid;
1534
1535 if (ssid == NULL) {
1536 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
1537 "when network is not selected");
1538 return;
1539 }
1540
1541 if (wpa_s->wpa_state != WPA_AUTHENTICATING) {
1542 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
1543 "when not in authenticating state");
1544 return;
1545 }
1546
1547 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) {
1548 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with "
1549 "unexpected peer " MACSTR,
1550 MAC2STR(data->auth.peer));
1551 return;
1552 }
1553
1554 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR
1555 " auth_type=%d auth_transaction=%d status_code=%d",
1556 MAC2STR(data->auth.peer), data->auth.auth_type,
1557 data->auth.auth_transaction, data->auth.status_code);
1558 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs",
1559 data->auth.ies, data->auth.ies_len);
1560
1561 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
1562
1563 #ifdef CONFIG_SAE
1564 if (data->auth.auth_type == WLAN_AUTH_SAE) {
1565 int res;
1566 res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
1567 data->auth.status_code, data->auth.ies,
1568 data->auth.ies_len, 0, data->auth.peer);
1569 if (res < 0) {
1570 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1571 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1572
1573 }
1574 if (res != 1)
1575 return;
1576
1577 if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0)
1578 return;
1579 }
1580 #endif /* CONFIG_SAE */
1581
1582 if (data->auth.status_code != WLAN_STATUS_SUCCESS) {
1583 char *ie_txt = NULL;
1584
1585 if (data->auth.ies && data->auth.ies_len) {
1586 size_t buflen = 2 * data->auth.ies_len + 1;
1587 ie_txt = os_malloc(buflen);
1588 if (ie_txt) {
1589 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies,
1590 data->auth.ies_len);
1591 }
1592 }
1593 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR
1594 " auth_type=%u auth_transaction=%u status_code=%u%s%s",
1595 MAC2STR(data->auth.peer), data->auth.auth_type,
1596 data->auth.auth_transaction, data->auth.status_code,
1597 ie_txt ? " ie=" : "",
1598 ie_txt ? ie_txt : "");
1599 os_free(ie_txt);
1600
1601 #ifdef CONFIG_FILS
1602 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS ||
1603 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS)
1604 fils_connection_failure(wpa_s);
1605 #endif /* CONFIG_FILS */
1606
1607 if (data->auth.status_code !=
1608 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG ||
1609 wpa_s->sme.auth_alg == data->auth.auth_type ||
1610 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) {
1611 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1612 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1613 return;
1614 }
1615
1616 wpas_connect_work_done(wpa_s);
1617
1618 switch (data->auth.auth_type) {
1619 case WLAN_AUTH_OPEN:
1620 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED;
1621
1622 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth");
1623 wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
1624 wpa_s->current_ssid);
1625 return;
1626
1627 case WLAN_AUTH_SHARED_KEY:
1628 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP;
1629
1630 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth");
1631 wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
1632 wpa_s->current_ssid);
1633 return;
1634
1635 default:
1636 return;
1637 }
1638 }
1639
1640 #ifdef CONFIG_IEEE80211R
1641 if (data->auth.auth_type == WLAN_AUTH_FT) {
1642 const u8 *ric_ies = NULL;
1643 size_t ric_ies_len = 0;
1644
1645 if (wpa_s->ric_ies) {
1646 ric_ies = wpabuf_head(wpa_s->ric_ies);
1647 ric_ies_len = wpabuf_len(wpa_s->ric_ies);
1648 }
1649 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies,
1650 data->auth.ies_len, 0,
1651 data->auth.peer,
1652 ric_ies, ric_ies_len) < 0) {
1653 wpa_dbg(wpa_s, MSG_DEBUG,
1654 "SME: FT Authentication response processing failed");
1655 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1656 MACSTR
1657 " reason=%d locally_generated=1",
1658 MAC2STR(wpa_s->pending_bssid),
1659 WLAN_REASON_DEAUTH_LEAVING);
1660 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1661 wpa_supplicant_mark_disassoc(wpa_s);
1662 return;
1663 }
1664 }
1665 #endif /* CONFIG_IEEE80211R */
1666
1667 #ifdef CONFIG_FILS
1668 if (data->auth.auth_type == WLAN_AUTH_FILS_SK ||
1669 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) {
1670 u16 expect_auth_type;
1671
1672 expect_auth_type = wpa_s->sme.auth_alg ==
1673 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS :
1674 WLAN_AUTH_FILS_SK;
1675 if (data->auth.auth_type != expect_auth_type) {
1676 wpa_dbg(wpa_s, MSG_DEBUG,
1677 "SME: FILS Authentication response used different auth alg (%u; expected %u)",
1678 data->auth.auth_type, expect_auth_type);
1679 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1680 MACSTR
1681 " reason=%d locally_generated=1",
1682 MAC2STR(wpa_s->pending_bssid),
1683 WLAN_REASON_DEAUTH_LEAVING);
1684 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1685 wpa_supplicant_mark_disassoc(wpa_s);
1686 return;
1687 }
1688
1689 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid,
1690 data->auth.ies, data->auth.ies_len) < 0) {
1691 wpa_dbg(wpa_s, MSG_DEBUG,
1692 "SME: FILS Authentication response processing failed");
1693 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1694 MACSTR
1695 " reason=%d locally_generated=1",
1696 MAC2STR(wpa_s->pending_bssid),
1697 WLAN_REASON_DEAUTH_LEAVING);
1698 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1699 wpa_supplicant_mark_disassoc(wpa_s);
1700 return;
1701 }
1702 }
1703 #endif /* CONFIG_FILS */
1704
1705 sme_associate(wpa_s, ssid->mode, data->auth.peer,
1706 data->auth.auth_type);
1707 }
1708
1709
1710 #ifdef CONFIG_IEEE80211R
remove_ie(u8 * buf,size_t * len,u8 eid)1711 static void remove_ie(u8 *buf, size_t *len, u8 eid)
1712 {
1713 u8 *pos, *next, *end;
1714
1715 pos = (u8 *) get_ie(buf, *len, eid);
1716 if (pos) {
1717 next = pos + 2 + pos[1];
1718 end = buf + *len;
1719 *len -= 2 + pos[1];
1720 os_memmove(pos, next, end - next);
1721 }
1722 }
1723 #endif /* CONFIG_IEEE80211R */
1724
1725
sme_associate(struct wpa_supplicant * wpa_s,enum wpas_mode mode,const u8 * bssid,u16 auth_type)1726 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
1727 const u8 *bssid, u16 auth_type)
1728 {
1729 struct wpa_driver_associate_params params;
1730 struct ieee802_11_elems elems;
1731 struct wpa_ssid *ssid = wpa_s->current_ssid;
1732 #ifdef CONFIG_FILS
1733 u8 nonces[2 * FILS_NONCE_LEN];
1734 #endif /* CONFIG_FILS */
1735 #ifdef CONFIG_HT_OVERRIDES
1736 struct ieee80211_ht_capabilities htcaps;
1737 struct ieee80211_ht_capabilities htcaps_mask;
1738 #endif /* CONFIG_HT_OVERRIDES */
1739 #ifdef CONFIG_VHT_OVERRIDES
1740 struct ieee80211_vht_capabilities vhtcaps;
1741 struct ieee80211_vht_capabilities vhtcaps_mask;
1742 #endif /* CONFIG_VHT_OVERRIDES */
1743
1744 os_memset(¶ms, 0, sizeof(params));
1745
1746 #ifdef CONFIG_FILS
1747 if (auth_type == WLAN_AUTH_FILS_SK ||
1748 auth_type == WLAN_AUTH_FILS_SK_PFS) {
1749 struct wpabuf *buf;
1750 const u8 *snonce, *anonce;
1751 const unsigned int max_hlp = 20;
1752 struct wpabuf *hlp[max_hlp];
1753 unsigned int i, num_hlp = 0;
1754 struct fils_hlp_req *req;
1755
1756 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req,
1757 list) {
1758 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 +
1759 wpabuf_len(req->pkt));
1760 if (!hlp[num_hlp])
1761 break;
1762 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN);
1763 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr,
1764 ETH_ALEN);
1765 wpabuf_put_data(hlp[num_hlp],
1766 "\xaa\xaa\x03\x00\x00\x00", 6);
1767 wpabuf_put_buf(hlp[num_hlp], req->pkt);
1768 num_hlp++;
1769 if (num_hlp >= max_hlp)
1770 break;
1771 }
1772
1773 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek,
1774 ¶ms.fils_kek_len, &snonce,
1775 &anonce,
1776 (const struct wpabuf **) hlp,
1777 num_hlp);
1778 for (i = 0; i < num_hlp; i++)
1779 wpabuf_free(hlp[i]);
1780 if (!buf)
1781 return;
1782 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements",
1783 wpa_s->sme.assoc_req_ie,
1784 wpa_s->sme.assoc_req_ie_len);
1785 #ifdef CONFIG_IEEE80211R
1786 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) {
1787 /* Remove RSNE and MDE to allow them to be overridden
1788 * with FILS+FT specific values from
1789 * fils_build_assoc_req(). */
1790 remove_ie(wpa_s->sme.assoc_req_ie,
1791 &wpa_s->sme.assoc_req_ie_len,
1792 WLAN_EID_RSN);
1793 wpa_hexdump(MSG_DEBUG,
1794 "FILS: assoc_req after RSNE removal",
1795 wpa_s->sme.assoc_req_ie,
1796 wpa_s->sme.assoc_req_ie_len);
1797 remove_ie(wpa_s->sme.assoc_req_ie,
1798 &wpa_s->sme.assoc_req_ie_len,
1799 WLAN_EID_MOBILITY_DOMAIN);
1800 wpa_hexdump(MSG_DEBUG,
1801 "FILS: assoc_req after MDE removal",
1802 wpa_s->sme.assoc_req_ie,
1803 wpa_s->sme.assoc_req_ie_len);
1804 }
1805 #endif /* CONFIG_IEEE80211R */
1806 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */
1807 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) >
1808 sizeof(wpa_s->sme.assoc_req_ie)) {
1809 wpa_printf(MSG_ERROR,
1810 "FILS: Not enough buffer room for own AssocReq elements");
1811 wpabuf_free(buf);
1812 return;
1813 }
1814 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1815 wpabuf_head(buf), wpabuf_len(buf));
1816 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
1817 wpabuf_free(buf);
1818 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements",
1819 wpa_s->sme.assoc_req_ie,
1820 wpa_s->sme.assoc_req_ie_len);
1821
1822 os_memcpy(nonces, snonce, FILS_NONCE_LEN);
1823 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN);
1824 params.fils_nonces = nonces;
1825 params.fils_nonces_len = sizeof(nonces);
1826 }
1827 #endif /* CONFIG_FILS */
1828
1829 #ifdef CONFIG_OWE
1830 #ifdef CONFIG_TESTING_OPTIONS
1831 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len,
1832 WLAN_EID_EXT_OWE_DH_PARAM)) {
1833 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element");
1834 } else
1835 #endif /* CONFIG_TESTING_OPTIONS */
1836 if (auth_type == WLAN_AUTH_OPEN &&
1837 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) {
1838 struct wpabuf *owe_ie;
1839 u16 group;
1840
1841 if (ssid && ssid->owe_group) {
1842 group = ssid->owe_group;
1843 } else if (wpa_s->assoc_status_code ==
1844 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) {
1845 if (wpa_s->last_owe_group == 19)
1846 group = 20;
1847 else if (wpa_s->last_owe_group == 20)
1848 group = 21;
1849 else
1850 group = OWE_DH_GROUP;
1851 } else {
1852 group = OWE_DH_GROUP;
1853 }
1854
1855 wpa_s->last_owe_group = group;
1856 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group);
1857 owe_ie = owe_build_assoc_req(wpa_s->wpa, group);
1858 if (!owe_ie) {
1859 wpa_printf(MSG_ERROR,
1860 "OWE: Failed to build IE for Association Request frame");
1861 return;
1862 }
1863 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) >
1864 sizeof(wpa_s->sme.assoc_req_ie)) {
1865 wpa_printf(MSG_ERROR,
1866 "OWE: Not enough buffer room for own Association Request frame elements");
1867 wpabuf_free(owe_ie);
1868 return;
1869 }
1870 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1871 wpabuf_head(owe_ie), wpabuf_len(owe_ie));
1872 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie);
1873 wpabuf_free(owe_ie);
1874 }
1875 #endif /* CONFIG_OWE */
1876
1877 #ifdef CONFIG_DPP2
1878 if (DPP_VERSION > 1 && wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && ssid &&
1879 ssid->dpp_netaccesskey && ssid->dpp_pfs != 2 &&
1880 !ssid->dpp_pfs_fallback) {
1881 struct rsn_pmksa_cache_entry *pmksa;
1882
1883 pmksa = pmksa_cache_get_current(wpa_s->wpa);
1884 if (!pmksa || !pmksa->dpp_pfs)
1885 goto pfs_fail;
1886
1887 dpp_pfs_free(wpa_s->dpp_pfs);
1888 wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey,
1889 ssid->dpp_netaccesskey_len);
1890 if (!wpa_s->dpp_pfs) {
1891 wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS");
1892 /* Try to continue without PFS */
1893 goto pfs_fail;
1894 }
1895 if (wpa_s->sme.assoc_req_ie_len +
1896 wpabuf_len(wpa_s->dpp_pfs->ie) >
1897 sizeof(wpa_s->sme.assoc_req_ie)) {
1898 wpa_printf(MSG_ERROR,
1899 "DPP: Not enough buffer room for own Association Request frame elements");
1900 dpp_pfs_free(wpa_s->dpp_pfs);
1901 wpa_s->dpp_pfs = NULL;
1902 goto pfs_fail;
1903 }
1904 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1905 wpabuf_head(wpa_s->dpp_pfs->ie),
1906 wpabuf_len(wpa_s->dpp_pfs->ie));
1907 wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie);
1908 }
1909 pfs_fail:
1910 #endif /* CONFIG_DPP2 */
1911 #ifdef CONFIG_RRM
1912 wpa_s->mscs_setup_done = false;
1913 if (wpa_bss_ext_capab(wpa_s->current_bss, WLAN_EXT_CAPAB_MSCS) &&
1914 wpa_s->robust_av.valid_config) {
1915 struct wpabuf *mscs_ie;
1916 size_t mscs_ie_len, buf_len, *wpa_ie_len, max_ie_len;
1917
1918 buf_len = 3 + /* MSCS descriptor IE header */
1919 1 + /* Request type */
1920 2 + /* User priority control */
1921 4 + /* Stream timeout */
1922 3 + /* TCLAS Mask IE header */
1923 wpa_s->robust_av.frame_classifier_len;
1924 mscs_ie = wpabuf_alloc(buf_len);
1925 if (!mscs_ie) {
1926 wpa_printf(MSG_INFO,
1927 "MSCS: Failed to allocate MSCS IE");
1928 goto mscs_fail;
1929 }
1930
1931 wpa_ie_len = &wpa_s->sme.assoc_req_ie_len;
1932 max_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
1933 wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie);
1934 if ((*wpa_ie_len + wpabuf_len(mscs_ie)) <= max_ie_len) {
1935 wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie);
1936 mscs_ie_len = wpabuf_len(mscs_ie);
1937 os_memcpy(wpa_s->sme.assoc_req_ie + *wpa_ie_len,
1938 wpabuf_head(mscs_ie), mscs_ie_len);
1939 *wpa_ie_len += mscs_ie_len;
1940 }
1941
1942 wpabuf_free(mscs_ie);
1943 }
1944 mscs_fail:
1945 #endif /* CONFIG_RRM */
1946 if (ssid && ssid->multi_ap_backhaul_sta) {
1947 size_t multi_ap_ie_len;
1948
1949 multi_ap_ie_len = add_multi_ap_ie(
1950 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1951 sizeof(wpa_s->sme.assoc_req_ie) -
1952 wpa_s->sme.assoc_req_ie_len,
1953 MULTI_AP_BACKHAUL_STA);
1954 if (multi_ap_ie_len == 0) {
1955 wpa_printf(MSG_ERROR,
1956 "Multi-AP: Failed to build Multi-AP IE");
1957 return;
1958 }
1959 wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len;
1960 }
1961
1962 params.bssid = bssid;
1963 params.ssid = wpa_s->sme.ssid;
1964 params.ssid_len = wpa_s->sme.ssid_len;
1965 params.freq.freq = wpa_s->sme.freq;
1966 params.bg_scan_period = ssid ? ssid->bg_scan_period : -1;
1967 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ?
1968 wpa_s->sme.assoc_req_ie : NULL;
1969 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
1970 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs",
1971 params.wpa_ie, params.wpa_ie_len);
1972 params.pairwise_suite = wpa_s->pairwise_cipher;
1973 params.group_suite = wpa_s->group_cipher;
1974 params.mgmt_group_suite = wpa_s->mgmt_group_cipher;
1975 params.key_mgmt_suite = wpa_s->key_mgmt;
1976 params.wpa_proto = wpa_s->wpa_proto;
1977 #ifdef CONFIG_HT_OVERRIDES
1978 os_memset(&htcaps, 0, sizeof(htcaps));
1979 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask));
1980 params.htcaps = (u8 *) &htcaps;
1981 params.htcaps_mask = (u8 *) &htcaps_mask;
1982 wpa_supplicant_apply_ht_overrides(wpa_s, ssid, ¶ms);
1983 #endif /* CONFIG_HT_OVERRIDES */
1984 #ifdef CONFIG_VHT_OVERRIDES
1985 os_memset(&vhtcaps, 0, sizeof(vhtcaps));
1986 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask));
1987 params.vhtcaps = &vhtcaps;
1988 params.vhtcaps_mask = &vhtcaps_mask;
1989 wpa_supplicant_apply_vht_overrides(wpa_s, ssid, ¶ms);
1990 #endif /* CONFIG_VHT_OVERRIDES */
1991 #ifdef CONFIG_HE_OVERRIDES
1992 wpa_supplicant_apply_he_overrides(wpa_s, ssid, ¶ms);
1993 #endif /* CONFIG_HE_OVERRIDES */
1994 #ifdef CONFIG_IEEE80211R
1995 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies &&
1996 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len,
1997 WLAN_EID_RIC_DATA)) {
1998 /* There seems to be a pretty inconvenient bug in the Linux
1999 * kernel IE splitting functionality when RIC is used. For now,
2000 * skip correct behavior in IE construction here (i.e., drop the
2001 * additional non-FT-specific IEs) to avoid kernel issues. This
2002 * is fine since RIC is used only for testing purposes in the
2003 * current implementation. */
2004 wpa_printf(MSG_INFO,
2005 "SME: Linux kernel workaround - do not try to include additional IEs with RIC");
2006 params.wpa_ie = wpa_s->sme.ft_ies;
2007 params.wpa_ie_len = wpa_s->sme.ft_ies_len;
2008 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) {
2009 const u8 *rm_en, *pos, *end;
2010 size_t rm_en_len = 0;
2011 u8 *rm_en_dup = NULL, *wpos;
2012
2013 /* Remove RSNE, MDE, FTE to allow them to be overridden with
2014 * FT specific values */
2015 remove_ie(wpa_s->sme.assoc_req_ie,
2016 &wpa_s->sme.assoc_req_ie_len,
2017 WLAN_EID_RSN);
2018 remove_ie(wpa_s->sme.assoc_req_ie,
2019 &wpa_s->sme.assoc_req_ie_len,
2020 WLAN_EID_MOBILITY_DOMAIN);
2021 remove_ie(wpa_s->sme.assoc_req_ie,
2022 &wpa_s->sme.assoc_req_ie_len,
2023 WLAN_EID_FAST_BSS_TRANSITION);
2024 rm_en = get_ie(wpa_s->sme.assoc_req_ie,
2025 wpa_s->sme.assoc_req_ie_len,
2026 WLAN_EID_RRM_ENABLED_CAPABILITIES);
2027 if (rm_en) {
2028 /* Need to remove RM Enabled Capabilities element as
2029 * well temporarily, so that it can be placed between
2030 * RSNE and MDE. */
2031 rm_en_len = 2 + rm_en[1];
2032 rm_en_dup = os_memdup(rm_en, rm_en_len);
2033 remove_ie(wpa_s->sme.assoc_req_ie,
2034 &wpa_s->sme.assoc_req_ie_len,
2035 WLAN_EID_RRM_ENABLED_CAPABILITIES);
2036 }
2037 wpa_hexdump(MSG_DEBUG,
2038 "SME: Association Request IEs after FT IE removal",
2039 wpa_s->sme.assoc_req_ie,
2040 wpa_s->sme.assoc_req_ie_len);
2041 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len +
2042 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) {
2043 wpa_printf(MSG_ERROR,
2044 "SME: Not enough buffer room for FT IEs in Association Request frame");
2045 os_free(rm_en_dup);
2046 return;
2047 }
2048
2049 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len +
2050 rm_en_len,
2051 wpa_s->sme.assoc_req_ie,
2052 wpa_s->sme.assoc_req_ie_len);
2053 pos = wpa_s->sme.ft_ies;
2054 end = pos + wpa_s->sme.ft_ies_len;
2055 wpos = wpa_s->sme.assoc_req_ie;
2056 if (*pos == WLAN_EID_RSN) {
2057 os_memcpy(wpos, pos, 2 + pos[1]);
2058 wpos += 2 + pos[1];
2059 pos += 2 + pos[1];
2060 }
2061 if (rm_en_dup) {
2062 os_memcpy(wpos, rm_en_dup, rm_en_len);
2063 wpos += rm_en_len;
2064 os_free(rm_en_dup);
2065 }
2066 os_memcpy(wpos, pos, end - pos);
2067 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len +
2068 rm_en_len;
2069 params.wpa_ie = wpa_s->sme.assoc_req_ie;
2070 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
2071 wpa_hexdump(MSG_DEBUG,
2072 "SME: Association Request IEs after FT override",
2073 params.wpa_ie, params.wpa_ie_len);
2074 }
2075 #endif /* CONFIG_IEEE80211R */
2076 params.mode = mode;
2077 params.mgmt_frame_protection = wpa_s->sme.mfp;
2078 params.rrm_used = wpa_s->rrm.rrm_used;
2079 if (wpa_s->sme.prev_bssid_set)
2080 params.prev_bssid = wpa_s->sme.prev_bssid;
2081
2082 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR
2083 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
2084 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "",
2085 params.freq.freq);
2086
2087 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING);
2088
2089 if (params.wpa_ie == NULL ||
2090 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0)
2091 < 0) {
2092 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!");
2093 os_memset(&elems, 0, sizeof(elems));
2094 }
2095 if (elems.rsn_ie) {
2096 params.wpa_proto = WPA_PROTO_RSN;
2097 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2,
2098 elems.rsn_ie_len + 2);
2099 } else if (elems.wpa_ie) {
2100 params.wpa_proto = WPA_PROTO_WPA;
2101 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2,
2102 elems.wpa_ie_len + 2);
2103 } else if (elems.osen) {
2104 params.wpa_proto = WPA_PROTO_OSEN;
2105 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2,
2106 elems.osen_len + 2);
2107 } else
2108 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
2109 if (elems.rsnxe)
2110 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, elems.rsnxe - 2,
2111 elems.rsnxe_len + 2);
2112 else
2113 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0);
2114 if (ssid && ssid->p2p_group)
2115 params.p2p = 1;
2116
2117 if (wpa_s->p2pdev->set_sta_uapsd)
2118 params.uapsd = wpa_s->p2pdev->sta_uapsd;
2119 else
2120 params.uapsd = -1;
2121
2122 params.bss_max_idle_period = CONFIG_BSS_MAX_IDLE_TIME;
2123 if (wpa_drv_associate(wpa_s, ¶ms) < 0) {
2124 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the "
2125 "driver failed");
2126 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2127 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
2128 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
2129 return;
2130 }
2131
2132 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s,
2133 NULL);
2134
2135 #ifdef CONFIG_TESTING_OPTIONS
2136 wpabuf_free(wpa_s->last_assoc_req_wpa_ie);
2137 wpa_s->last_assoc_req_wpa_ie = NULL;
2138 if (params.wpa_ie)
2139 wpa_s->last_assoc_req_wpa_ie =
2140 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len);
2141 #endif /* CONFIG_TESTING_OPTIONS */
2142 }
2143
2144
sme_update_ft_ies(struct wpa_supplicant * wpa_s,const u8 * md,const u8 * ies,size_t ies_len)2145 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md,
2146 const u8 *ies, size_t ies_len)
2147 {
2148 if (md == NULL || ies == NULL) {
2149 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain");
2150 os_free(wpa_s->sme.ft_ies);
2151 wpa_s->sme.ft_ies = NULL;
2152 wpa_s->sme.ft_ies_len = 0;
2153 wpa_s->sme.ft_used = 0;
2154 return 0;
2155 }
2156
2157 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
2158 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len);
2159 os_free(wpa_s->sme.ft_ies);
2160 wpa_s->sme.ft_ies = os_memdup(ies, ies_len);
2161 if (wpa_s->sme.ft_ies == NULL)
2162 return -1;
2163 wpa_s->sme.ft_ies_len = ies_len;
2164 return 0;
2165 }
2166
2167
sme_deauth(struct wpa_supplicant * wpa_s)2168 static void sme_deauth(struct wpa_supplicant *wpa_s)
2169 {
2170 int bssid_changed;
2171
2172 bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
2173
2174 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
2175 WLAN_REASON_DEAUTH_LEAVING) < 0) {
2176 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver "
2177 "failed");
2178 }
2179 wpa_s->sme.prev_bssid_set = 0;
2180
2181 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2182 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
2183 os_memset(wpa_s->bssid, 0, ETH_ALEN);
2184 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
2185 if (bssid_changed)
2186 wpas_notify_bssid_changed(wpa_s);
2187 }
2188
2189
sme_event_assoc_reject(struct wpa_supplicant * wpa_s,union wpa_event_data * data)2190 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s,
2191 union wpa_event_data *data)
2192 {
2193 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: "
2194 "status code %d", MAC2STR(wpa_s->pending_bssid),
2195 data->assoc_reject.status_code);
2196
2197 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2198
2199 #ifdef CONFIG_SAE
2200 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid &&
2201 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) {
2202 wpa_dbg(wpa_s, MSG_DEBUG,
2203 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication");
2204 wpa_sm_aborted_cached(wpa_s->wpa);
2205 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid);
2206 if (wpa_s->current_bss) {
2207 struct wpa_bss *bss = wpa_s->current_bss;
2208 struct wpa_ssid *ssid = wpa_s->current_ssid;
2209
2210 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
2211 WLAN_REASON_DEAUTH_LEAVING);
2212 wpas_connect_work_done(wpa_s);
2213 wpa_supplicant_mark_disassoc(wpa_s);
2214 wpa_supplicant_connect(wpa_s, bss, ssid);
2215 return;
2216 }
2217 }
2218 #endif /* CONFIG_SAE */
2219
2220 /*
2221 * For now, unconditionally terminate the previous authentication. In
2222 * theory, this should not be needed, but mac80211 gets quite confused
2223 * if the authentication is left pending.. Some roaming cases might
2224 * benefit from using the previous authentication, so this could be
2225 * optimized in the future.
2226 */
2227 sme_deauth(wpa_s);
2228 }
2229
2230
sme_event_auth_timed_out(struct wpa_supplicant * wpa_s,union wpa_event_data * data)2231 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s,
2232 union wpa_event_data *data)
2233 {
2234 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out");
2235 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2236 wpa_supplicant_mark_disassoc(wpa_s);
2237 }
2238
2239
sme_event_assoc_timed_out(struct wpa_supplicant * wpa_s,union wpa_event_data * data)2240 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s,
2241 union wpa_event_data *data)
2242 {
2243 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out");
2244 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2245 wpa_supplicant_mark_disassoc(wpa_s);
2246 }
2247
2248
sme_event_disassoc(struct wpa_supplicant * wpa_s,struct disassoc_info * info)2249 void sme_event_disassoc(struct wpa_supplicant *wpa_s,
2250 struct disassoc_info *info)
2251 {
2252 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received");
2253 if (wpa_s->sme.prev_bssid_set) {
2254 /*
2255 * cfg80211/mac80211 can get into somewhat confused state if
2256 * the AP only disassociates us and leaves us in authenticated
2257 * state. For now, force the state to be cleared to avoid
2258 * confusing errors if we try to associate with the AP again.
2259 */
2260 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear "
2261 "driver state");
2262 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid,
2263 WLAN_REASON_DEAUTH_LEAVING);
2264 }
2265 }
2266
2267
sme_auth_timer(void * eloop_ctx,void * timeout_ctx)2268 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx)
2269 {
2270 struct wpa_supplicant *wpa_s = eloop_ctx;
2271 if (wpa_s->wpa_state == WPA_AUTHENTICATING) {
2272 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout");
2273 sme_deauth(wpa_s);
2274 }
2275 }
2276
2277
sme_assoc_timer(void * eloop_ctx,void * timeout_ctx)2278 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx)
2279 {
2280 struct wpa_supplicant *wpa_s = eloop_ctx;
2281 if (wpa_s->wpa_state == WPA_ASSOCIATING) {
2282 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout");
2283 sme_deauth(wpa_s);
2284 }
2285 }
2286
2287
sme_state_changed(struct wpa_supplicant * wpa_s)2288 void sme_state_changed(struct wpa_supplicant *wpa_s)
2289 {
2290 /* Make sure timers are cleaned up appropriately. */
2291 if (wpa_s->wpa_state != WPA_ASSOCIATING)
2292 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2293 if (wpa_s->wpa_state != WPA_AUTHENTICATING)
2294 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2295 }
2296
2297
sme_disassoc_while_authenticating(struct wpa_supplicant * wpa_s,const u8 * prev_pending_bssid)2298 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,
2299 const u8 *prev_pending_bssid)
2300 {
2301 /*
2302 * mac80211-workaround to force deauth on failed auth cmd,
2303 * requires us to remain in authenticating state to allow the
2304 * second authentication attempt to be continued properly.
2305 */
2306 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication "
2307 "to proceed after disconnection event");
2308 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
2309 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN);
2310
2311 /*
2312 * Re-arm authentication timer in case auth fails for whatever reason.
2313 */
2314 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2315 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
2316 NULL);
2317 }
2318
2319
sme_clear_on_disassoc(struct wpa_supplicant * wpa_s)2320 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s)
2321 {
2322 wpa_s->sme.prev_bssid_set = 0;
2323 #ifdef CONFIG_SAE
2324 wpabuf_free(wpa_s->sme.sae_token);
2325 wpa_s->sme.sae_token = NULL;
2326 sae_clear_data(&wpa_s->sme.sae);
2327 #endif /* CONFIG_SAE */
2328 #ifdef CONFIG_IEEE80211R
2329 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used)
2330 sme_update_ft_ies(wpa_s, NULL, NULL, 0);
2331 #endif /* CONFIG_IEEE80211R */
2332 sme_stop_sa_query(wpa_s);
2333 }
2334
2335
sme_deinit(struct wpa_supplicant * wpa_s)2336 void sme_deinit(struct wpa_supplicant *wpa_s)
2337 {
2338 sme_clear_on_disassoc(wpa_s);
2339 #ifdef CONFIG_SAE
2340 os_free(wpa_s->sme.sae_rejected_groups);
2341 wpa_s->sme.sae_rejected_groups = NULL;
2342 #endif /* CONFIG_SAE */
2343
2344 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2345 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2346 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
2347 }
2348
2349
sme_send_2040_bss_coex(struct wpa_supplicant * wpa_s,const u8 * chan_list,u8 num_channels,u8 num_intol)2350 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s,
2351 const u8 *chan_list, u8 num_channels,
2352 u8 num_intol)
2353 {
2354 struct ieee80211_2040_bss_coex_ie *bc_ie;
2355 struct ieee80211_2040_intol_chan_report *ic_report;
2356 struct wpabuf *buf;
2357
2358 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR
2359 " (num_channels=%u num_intol=%u)",
2360 MAC2STR(wpa_s->bssid), num_channels, num_intol);
2361 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels",
2362 chan_list, num_channels);
2363
2364 buf = wpabuf_alloc(2 + /* action.category + action_code */
2365 sizeof(struct ieee80211_2040_bss_coex_ie) +
2366 sizeof(struct ieee80211_2040_intol_chan_report) +
2367 num_channels);
2368 if (buf == NULL)
2369 return;
2370
2371 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC);
2372 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX);
2373
2374 bc_ie = wpabuf_put(buf, sizeof(*bc_ie));
2375 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE;
2376 bc_ie->length = 1;
2377 if (num_intol)
2378 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ;
2379
2380 if (num_channels > 0) {
2381 ic_report = wpabuf_put(buf, sizeof(*ic_report));
2382 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT;
2383 ic_report->length = num_channels + 1;
2384 ic_report->op_class = 0;
2385 os_memcpy(wpabuf_put(buf, num_channels), chan_list,
2386 num_channels);
2387 }
2388
2389 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2390 wpa_s->own_addr, wpa_s->bssid,
2391 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
2392 wpa_msg(wpa_s, MSG_INFO,
2393 "SME: Failed to send 20/40 BSS Coexistence frame");
2394 }
2395
2396 wpabuf_free(buf);
2397 }
2398
2399
sme_proc_obss_scan(struct wpa_supplicant * wpa_s)2400 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s)
2401 {
2402 struct wpa_bss *bss;
2403 const u8 *ie;
2404 u16 ht_cap;
2405 u8 chan_list[P2P_MAX_CHANNELS], channel;
2406 u8 num_channels = 0, num_intol = 0, i;
2407
2408 if (!wpa_s->sme.sched_obss_scan)
2409 return 0;
2410
2411 wpa_s->sme.sched_obss_scan = 0;
2412 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED)
2413 return 1;
2414
2415 /*
2416 * Check whether AP uses regulatory triplet or channel triplet in
2417 * country info. Right now the operating class of the BSS channel
2418 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12),
2419 * based on the assumption that operating class triplet is not used in
2420 * beacon frame. If the First Channel Number/Operating Extension
2421 * Identifier octet has a positive integer value of 201 or greater,
2422 * then its operating class triplet.
2423 *
2424 * TODO: If Supported Operating Classes element is present in beacon
2425 * frame, have to lookup operating class in Annex E and fill them in
2426 * 2040 coex frame.
2427 */
2428 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY);
2429 if (ie && (ie[1] >= 6) && (ie[5] >= 201))
2430 return 1;
2431
2432 os_memset(chan_list, 0, sizeof(chan_list));
2433
2434 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
2435 /* Skip other band bss */
2436 enum hostapd_hw_mode mode;
2437 mode = ieee80211_freq_to_chan(bss->freq, &channel);
2438 if (mode != HOSTAPD_MODE_IEEE80211G &&
2439 mode != HOSTAPD_MODE_IEEE80211B)
2440 continue;
2441
2442 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP);
2443 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0;
2444 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR
2445 " freq=%u chan=%u ht_cap=0x%x",
2446 MAC2STR(bss->bssid), bss->freq, channel, ht_cap);
2447
2448 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) {
2449 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)
2450 num_intol++;
2451
2452 /* Check whether the channel is already considered */
2453 for (i = 0; i < num_channels; i++) {
2454 if (channel == chan_list[i])
2455 break;
2456 }
2457 if (i != num_channels)
2458 continue;
2459
2460 chan_list[num_channels++] = channel;
2461 }
2462 }
2463
2464 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol);
2465 return 1;
2466 }
2467
2468
wpa_obss_scan_freqs_list(struct wpa_supplicant * wpa_s,struct wpa_driver_scan_params * params)2469 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s,
2470 struct wpa_driver_scan_params *params)
2471 {
2472 /* Include only affected channels */
2473 struct hostapd_hw_modes *mode;
2474 int count, i;
2475 int start, end;
2476
2477 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes,
2478 HOSTAPD_MODE_IEEE80211G, false);
2479 if (mode == NULL) {
2480 /* No channels supported in this band - use empty list */
2481 params->freqs = os_zalloc(sizeof(int));
2482 return;
2483 }
2484
2485 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN &&
2486 wpa_s->current_bss) {
2487 const u8 *ie;
2488
2489 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION);
2490 if (ie && ie[1] >= 2) {
2491 u8 o;
2492
2493 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
2494 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE)
2495 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE;
2496 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW)
2497 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW;
2498 }
2499 }
2500
2501 start = wpa_s->assoc_freq - 10;
2502 end = wpa_s->assoc_freq + 10;
2503 switch (wpa_s->sme.ht_sec_chan) {
2504 case HT_SEC_CHAN_UNKNOWN:
2505 /* HT40+ possible on channels 1..9 */
2506 if (wpa_s->assoc_freq <= 2452)
2507 start -= 20;
2508 /* HT40- possible on channels 5-13 */
2509 if (wpa_s->assoc_freq >= 2432)
2510 end += 20;
2511 break;
2512 case HT_SEC_CHAN_ABOVE:
2513 end += 20;
2514 break;
2515 case HT_SEC_CHAN_BELOW:
2516 start -= 20;
2517 break;
2518 }
2519 wpa_printf(MSG_DEBUG,
2520 "OBSS: assoc_freq %d possible affected range %d-%d",
2521 wpa_s->assoc_freq, start, end);
2522
2523 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int));
2524 if (params->freqs == NULL)
2525 return;
2526 for (count = 0, i = 0; i < mode->num_channels; i++) {
2527 int freq;
2528
2529 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
2530 continue;
2531 freq = mode->channels[i].freq;
2532 if (freq - 10 >= end || freq + 10 <= start)
2533 continue; /* not affected */
2534 params->freqs[count++] = freq;
2535 }
2536 }
2537
2538
sme_obss_scan_timeout(void * eloop_ctx,void * timeout_ctx)2539 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx)
2540 {
2541 struct wpa_supplicant *wpa_s = eloop_ctx;
2542 struct wpa_driver_scan_params params;
2543
2544 if (!wpa_s->current_bss) {
2545 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request");
2546 return;
2547 }
2548
2549 os_memset(¶ms, 0, sizeof(params));
2550 wpa_obss_scan_freqs_list(wpa_s, ¶ms);
2551 params.low_priority = 1;
2552 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan");
2553
2554 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms))
2555 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan");
2556 else
2557 wpa_s->sme.sched_obss_scan = 1;
2558 os_free(params.freqs);
2559
2560 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
2561 sme_obss_scan_timeout, wpa_s, NULL);
2562 }
2563
2564
sme_sched_obss_scan(struct wpa_supplicant * wpa_s,int enable)2565 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable)
2566 {
2567 const u8 *ie;
2568 struct wpa_bss *bss = wpa_s->current_bss;
2569 struct wpa_ssid *ssid = wpa_s->current_ssid;
2570 struct hostapd_hw_modes *hw_mode = NULL;
2571 int i;
2572
2573 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
2574 wpa_s->sme.sched_obss_scan = 0;
2575 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN;
2576 if (!enable)
2577 return;
2578
2579 /*
2580 * Schedule OBSS scan if driver is using station SME in wpa_supplicant
2581 * or it expects OBSS scan to be performed by wpa_supplicant.
2582 */
2583 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) ||
2584 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) ||
2585 ssid == NULL || ssid->mode != WPAS_MODE_INFRA)
2586 return;
2587
2588 #ifdef CONFIG_HT_OVERRIDES
2589 /* No need for OBSS scan if HT40 is explicitly disabled */
2590 if (ssid->disable_ht40)
2591 return;
2592 #endif /* CONFIG_HT_OVERRIDES */
2593
2594 if (!wpa_s->hw.modes)
2595 return;
2596
2597 /* only HT caps in 11g mode are relevant */
2598 for (i = 0; i < wpa_s->hw.num_modes; i++) {
2599 hw_mode = &wpa_s->hw.modes[i];
2600 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G)
2601 break;
2602 }
2603
2604 /* Driver does not support HT40 for 11g or doesn't have 11g. */
2605 if (i == wpa_s->hw.num_modes || !hw_mode ||
2606 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
2607 return;
2608
2609 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500)
2610 return; /* Not associated on 2.4 GHz band */
2611
2612 /* Check whether AP supports HT40 */
2613 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP);
2614 if (!ie || ie[1] < 2 ||
2615 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
2616 return; /* AP does not support HT40 */
2617
2618 ie = wpa_bss_get_ie(wpa_s->current_bss,
2619 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS);
2620 if (!ie || ie[1] < 14)
2621 return; /* AP does not request OBSS scans */
2622
2623 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6);
2624 if (wpa_s->sme.obss_scan_int < 10) {
2625 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u "
2626 "replaced with the minimum 10 sec",
2627 wpa_s->sme.obss_scan_int);
2628 wpa_s->sme.obss_scan_int = 10;
2629 }
2630 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec",
2631 wpa_s->sme.obss_scan_int);
2632 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
2633 sme_obss_scan_timeout, wpa_s, NULL);
2634 }
2635
2636
2637 static const unsigned int sa_query_max_timeout = 1000;
2638 static const unsigned int sa_query_retry_timeout = 201;
2639 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */
2640
sme_check_sa_query_timeout(struct wpa_supplicant * wpa_s)2641 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s)
2642 {
2643 u32 tu;
2644 struct os_reltime now, passed;
2645 os_get_reltime(&now);
2646 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed);
2647 tu = (passed.sec * 1000000 + passed.usec) / 1024;
2648 if (sa_query_max_timeout < tu) {
2649 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out");
2650 sme_stop_sa_query(wpa_s);
2651 wpa_supplicant_deauthenticate(
2652 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID);
2653 return 1;
2654 }
2655
2656 return 0;
2657 }
2658
2659
sme_send_sa_query_req(struct wpa_supplicant * wpa_s,const u8 * trans_id)2660 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s,
2661 const u8 *trans_id)
2662 {
2663 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN];
2664 u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN;
2665
2666 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to "
2667 MACSTR, MAC2STR(wpa_s->bssid));
2668 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID",
2669 trans_id, WLAN_SA_QUERY_TR_ID_LEN);
2670 req[0] = WLAN_ACTION_SA_QUERY;
2671 req[1] = WLAN_SA_QUERY_REQUEST;
2672 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN);
2673
2674 #ifdef CONFIG_OCV
2675 if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2676 struct wpa_channel_info ci;
2677
2678 if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2679 wpa_printf(MSG_WARNING,
2680 "Failed to get channel info for OCI element in SA Query Request frame");
2681 return;
2682 }
2683
2684 #ifdef CONFIG_TESTING_OPTIONS
2685 if (wpa_s->oci_freq_override_saquery_req) {
2686 wpa_printf(MSG_INFO,
2687 "TEST: Override SA Query Request OCI frequency %d -> %d MHz",
2688 ci.frequency,
2689 wpa_s->oci_freq_override_saquery_req);
2690 ci.frequency = wpa_s->oci_freq_override_saquery_req;
2691 }
2692 #endif /* CONFIG_TESTING_OPTIONS */
2693
2694 if (ocv_insert_extended_oci(&ci, req + req_len) < 0)
2695 return;
2696
2697 req_len += OCV_OCI_EXTENDED_LEN;
2698 }
2699 #endif /* CONFIG_OCV */
2700
2701 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2702 wpa_s->own_addr, wpa_s->bssid,
2703 req, req_len, 0) < 0)
2704 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query "
2705 "Request");
2706 }
2707
2708
sme_sa_query_timer(void * eloop_ctx,void * timeout_ctx)2709 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx)
2710 {
2711 struct wpa_supplicant *wpa_s = eloop_ctx;
2712 unsigned int timeout, sec, usec;
2713 u8 *trans_id, *nbuf;
2714
2715 if (wpa_s->sme.sa_query_count > 0 &&
2716 sme_check_sa_query_timeout(wpa_s))
2717 return;
2718
2719 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id,
2720 wpa_s->sme.sa_query_count + 1,
2721 WLAN_SA_QUERY_TR_ID_LEN);
2722 if (nbuf == NULL) {
2723 sme_stop_sa_query(wpa_s);
2724 return;
2725 }
2726 if (wpa_s->sme.sa_query_count == 0) {
2727 /* Starting a new SA Query procedure */
2728 os_get_reltime(&wpa_s->sme.sa_query_start);
2729 }
2730 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN;
2731 wpa_s->sme.sa_query_trans_id = nbuf;
2732 wpa_s->sme.sa_query_count++;
2733
2734 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) {
2735 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID");
2736 sme_stop_sa_query(wpa_s);
2737 return;
2738 }
2739
2740 timeout = sa_query_retry_timeout;
2741 sec = ((timeout / 1000) * 1024) / 1000;
2742 usec = (timeout % 1000) * 1024;
2743 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL);
2744
2745 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d",
2746 wpa_s->sme.sa_query_count);
2747
2748 sme_send_sa_query_req(wpa_s, trans_id);
2749 }
2750
2751
sme_start_sa_query(struct wpa_supplicant * wpa_s)2752 static void sme_start_sa_query(struct wpa_supplicant *wpa_s)
2753 {
2754 sme_sa_query_timer(wpa_s, NULL);
2755 }
2756
2757
sme_stop_sa_query(struct wpa_supplicant * wpa_s)2758 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s)
2759 {
2760 if (wpa_s->sme.sa_query_trans_id)
2761 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query");
2762 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL);
2763 os_free(wpa_s->sme.sa_query_trans_id);
2764 wpa_s->sme.sa_query_trans_id = NULL;
2765 wpa_s->sme.sa_query_count = 0;
2766 }
2767
2768
sme_event_unprot_disconnect(struct wpa_supplicant * wpa_s,const u8 * sa,const u8 * da,u16 reason_code)2769 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
2770 const u8 *da, u16 reason_code)
2771 {
2772 struct wpa_ssid *ssid;
2773 struct os_reltime now;
2774
2775 if (wpa_s->wpa_state != WPA_COMPLETED)
2776 return;
2777 ssid = wpa_s->current_ssid;
2778 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION)
2779 return;
2780 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
2781 return;
2782 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA &&
2783 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA)
2784 return;
2785 if (wpa_s->sme.sa_query_count > 0)
2786 return;
2787 #ifdef CONFIG_TESTING_OPTIONS
2788 if (wpa_s->disable_sa_query)
2789 return;
2790 #endif /* CONFIG_TESTING_OPTIONS */
2791
2792 os_get_reltime(&now);
2793 if (wpa_s->sme.last_unprot_disconnect.sec &&
2794 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10))
2795 return; /* limit SA Query procedure frequency */
2796 wpa_s->sme.last_unprot_disconnect = now;
2797
2798 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - "
2799 "possible AP/STA state mismatch - trigger SA Query");
2800 sme_start_sa_query(wpa_s);
2801 }
2802
2803
sme_event_ch_switch(struct wpa_supplicant * wpa_s)2804 void sme_event_ch_switch(struct wpa_supplicant *wpa_s)
2805 {
2806 unsigned int usec;
2807 u32 _rand;
2808
2809 if (wpa_s->wpa_state != WPA_COMPLETED ||
2810 !wpa_sm_ocv_enabled(wpa_s->wpa))
2811 return;
2812
2813 wpa_dbg(wpa_s, MSG_DEBUG,
2814 "SME: Channel switch completed - trigger new SA Query to verify new operating channel");
2815 sme_stop_sa_query(wpa_s);
2816
2817 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
2818 _rand = os_random();
2819 usec = _rand % (sa_query_ch_switch_max_delay + 1);
2820 eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL);
2821 }
2822
2823
sme_process_sa_query_request(struct wpa_supplicant * wpa_s,const u8 * sa,const u8 * data,size_t len)2824 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s,
2825 const u8 *sa, const u8 *data,
2826 size_t len)
2827 {
2828 u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN];
2829 u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN;
2830
2831 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to "
2832 MACSTR, MAC2STR(wpa_s->bssid));
2833
2834 resp[0] = WLAN_ACTION_SA_QUERY;
2835 resp[1] = WLAN_SA_QUERY_RESPONSE;
2836 os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN);
2837
2838 #ifdef CONFIG_OCV
2839 if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2840 struct wpa_channel_info ci;
2841
2842 if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2843 wpa_printf(MSG_WARNING,
2844 "Failed to get channel info for OCI element in SA Query Response frame");
2845 return;
2846 }
2847
2848 #ifdef CONFIG_TESTING_OPTIONS
2849 if (wpa_s->oci_freq_override_saquery_resp) {
2850 wpa_printf(MSG_INFO,
2851 "TEST: Override SA Query Response OCI frequency %d -> %d MHz",
2852 ci.frequency,
2853 wpa_s->oci_freq_override_saquery_resp);
2854 ci.frequency = wpa_s->oci_freq_override_saquery_resp;
2855 }
2856 #endif /* CONFIG_TESTING_OPTIONS */
2857
2858 if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0)
2859 return;
2860
2861 resp_len += OCV_OCI_EXTENDED_LEN;
2862 }
2863 #endif /* CONFIG_OCV */
2864
2865 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2866 wpa_s->own_addr, wpa_s->bssid,
2867 resp, resp_len, 0) < 0)
2868 wpa_msg(wpa_s, MSG_INFO,
2869 "SME: Failed to send SA Query Response");
2870 }
2871
2872
sme_process_sa_query_response(struct wpa_supplicant * wpa_s,const u8 * sa,const u8 * data,size_t len)2873 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s,
2874 const u8 *sa, const u8 *data,
2875 size_t len)
2876 {
2877 int i;
2878
2879 if (!wpa_s->sme.sa_query_trans_id)
2880 return;
2881
2882 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from "
2883 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
2884
2885 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
2886 return;
2887
2888 for (i = 0; i < wpa_s->sme.sa_query_count; i++) {
2889 if (os_memcmp(wpa_s->sme.sa_query_trans_id +
2890 i * WLAN_SA_QUERY_TR_ID_LEN,
2891 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0)
2892 break;
2893 }
2894
2895 if (i >= wpa_s->sme.sa_query_count) {
2896 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query "
2897 "transaction identifier found");
2898 return;
2899 }
2900
2901 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received "
2902 "from " MACSTR, MAC2STR(sa));
2903 sme_stop_sa_query(wpa_s);
2904 }
2905
2906
sme_sa_query_rx(struct wpa_supplicant * wpa_s,const u8 * da,const u8 * sa,const u8 * data,size_t len)2907 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
2908 const u8 *data, size_t len)
2909 {
2910 if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN)
2911 return;
2912 if (is_multicast_ether_addr(da)) {
2913 wpa_printf(MSG_DEBUG,
2914 "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
2915 MAC2STR(da), MAC2STR(sa));
2916 return;
2917 }
2918
2919 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from "
2920 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
2921
2922 #ifdef CONFIG_OCV
2923 if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2924 struct ieee802_11_elems elems;
2925 struct wpa_channel_info ci;
2926
2927 if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN,
2928 len - 1 - WLAN_SA_QUERY_TR_ID_LEN,
2929 &elems, 1) == ParseFailed) {
2930 wpa_printf(MSG_DEBUG,
2931 "SA Query: Failed to parse elements");
2932 return;
2933 }
2934
2935 if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2936 wpa_printf(MSG_WARNING,
2937 "Failed to get channel info to validate received OCI in SA Query Action frame");
2938 return;
2939 }
2940
2941 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
2942 channel_width_to_int(ci.chanwidth),
2943 ci.seg1_idx) != OCI_SUCCESS) {
2944 wpa_msg(wpa_s, MSG_INFO, OCV_FAILURE "addr=" MACSTR
2945 " frame=saquery%s error=%s",
2946 MAC2STR(sa), data[0] == WLAN_SA_QUERY_REQUEST ?
2947 "req" : "resp", ocv_errorstr);
2948 return;
2949 }
2950 }
2951 #endif /* CONFIG_OCV */
2952
2953 if (data[0] == WLAN_SA_QUERY_REQUEST)
2954 sme_process_sa_query_request(wpa_s, sa, data, len);
2955 else if (data[0] == WLAN_SA_QUERY_RESPONSE)
2956 sme_process_sa_query_response(wpa_s, sa, data, len);
2957 }
2958
