/src/hostap/wpa_supplicant/wnm_sta.c
Line | Count | Source |
1 | | /* |
2 | | * wpa_supplicant - WNM |
3 | | * Copyright (c) 2011-2013, Qualcomm Atheros, Inc. |
4 | | * |
5 | | * This software may be distributed under the terms of the BSD license. |
6 | | * See README for more details. |
7 | | */ |
8 | | |
9 | | #include "utils/includes.h" |
10 | | |
11 | | #include "utils/common.h" |
12 | | #include "common/ieee802_11_defs.h" |
13 | | #include "common/ieee802_11_common.h" |
14 | | #include "common/wpa_ctrl.h" |
15 | | #include "common/ocv.h" |
16 | | #include "rsn_supp/wpa.h" |
17 | | #include "config.h" |
18 | | #include "wpa_supplicant_i.h" |
19 | | #include "driver_i.h" |
20 | | #include "scan.h" |
21 | | #include "ctrl_iface.h" |
22 | | #include "bss.h" |
23 | | #include "wnm_sta.h" |
24 | | #include "notify.h" |
25 | | #include "hs20_supplicant.h" |
26 | | |
27 | 0 | #define MAX_TFS_IE_LEN 1024 |
28 | 7.11M | #define WNM_MAX_NEIGHBOR_REPORT 10 |
29 | | |
30 | | |
31 | | /* get the TFS IE from driver */ |
32 | | static int ieee80211_11_get_tfs_ie(struct wpa_supplicant *wpa_s, u8 *buf, |
33 | | u16 *buf_len, enum wnm_oper oper) |
34 | 0 | { |
35 | 0 | wpa_printf(MSG_DEBUG, "%s: TFS get operation %d", __func__, oper); |
36 | |
|
37 | 0 | return wpa_drv_wnm_oper(wpa_s, oper, wpa_s->bssid, buf, buf_len); |
38 | 0 | } |
39 | | |
40 | | |
41 | | /* set the TFS IE to driver */ |
42 | | static int ieee80211_11_set_tfs_ie(struct wpa_supplicant *wpa_s, |
43 | | const u8 *addr, const u8 *buf, u16 buf_len, |
44 | | enum wnm_oper oper) |
45 | 0 | { |
46 | 0 | u16 len = buf_len; |
47 | |
|
48 | 0 | wpa_printf(MSG_DEBUG, "%s: TFS set operation %d", __func__, oper); |
49 | |
|
50 | 0 | return wpa_drv_wnm_oper(wpa_s, oper, addr, (u8 *) buf, &len); |
51 | 0 | } |
52 | | |
53 | | |
54 | | /* MLME-SLEEPMODE.request */ |
55 | | int ieee802_11_send_wnmsleep_req(struct wpa_supplicant *wpa_s, |
56 | | u8 action, u16 intval, struct wpabuf *tfs_req) |
57 | 0 | { |
58 | 0 | struct ieee80211_mgmt *mgmt; |
59 | 0 | int res; |
60 | 0 | size_t len; |
61 | 0 | struct wnm_sleep_element *wnmsleep_ie; |
62 | 0 | u8 *wnmtfs_ie, *oci_ie; |
63 | 0 | u8 wnmsleep_ie_len, oci_ie_len; |
64 | 0 | u16 wnmtfs_ie_len; /* possibly multiple IE(s) */ |
65 | 0 | enum wnm_oper tfs_oper = action == 0 ? WNM_SLEEP_TFS_REQ_IE_ADD : |
66 | 0 | WNM_SLEEP_TFS_REQ_IE_NONE; |
67 | |
|
68 | 0 | wpa_printf(MSG_DEBUG, "WNM: Request to send WNM-Sleep Mode Request " |
69 | 0 | "action=%s to " MACSTR, |
70 | 0 | action == 0 ? "enter" : "exit", |
71 | 0 | MAC2STR(wpa_s->bssid)); |
72 | | |
73 | | /* WNM-Sleep Mode IE */ |
74 | 0 | wnmsleep_ie_len = sizeof(struct wnm_sleep_element); |
75 | 0 | wnmsleep_ie = os_zalloc(sizeof(struct wnm_sleep_element)); |
76 | 0 | if (wnmsleep_ie == NULL) |
77 | 0 | return -1; |
78 | 0 | wnmsleep_ie->eid = WLAN_EID_WNMSLEEP; |
79 | 0 | wnmsleep_ie->len = wnmsleep_ie_len - 2; |
80 | 0 | wnmsleep_ie->action_type = action; |
81 | 0 | wnmsleep_ie->status = WNM_STATUS_SLEEP_ACCEPT; |
82 | 0 | wnmsleep_ie->intval = host_to_le16(intval); |
83 | 0 | wpa_hexdump(MSG_DEBUG, "WNM: WNM-Sleep Mode element", |
84 | 0 | (u8 *) wnmsleep_ie, wnmsleep_ie_len); |
85 | | |
86 | | /* TFS IE(s) */ |
87 | 0 | if (tfs_req) { |
88 | 0 | wnmtfs_ie_len = wpabuf_len(tfs_req); |
89 | 0 | wnmtfs_ie = os_memdup(wpabuf_head(tfs_req), wnmtfs_ie_len); |
90 | 0 | if (wnmtfs_ie == NULL) { |
91 | 0 | os_free(wnmsleep_ie); |
92 | 0 | return -1; |
93 | 0 | } |
94 | 0 | } else { |
95 | 0 | wnmtfs_ie = os_zalloc(MAX_TFS_IE_LEN); |
96 | 0 | if (wnmtfs_ie == NULL) { |
97 | 0 | os_free(wnmsleep_ie); |
98 | 0 | return -1; |
99 | 0 | } |
100 | 0 | if (ieee80211_11_get_tfs_ie(wpa_s, wnmtfs_ie, &wnmtfs_ie_len, |
101 | 0 | tfs_oper)) { |
102 | 0 | wnmtfs_ie_len = 0; |
103 | 0 | os_free(wnmtfs_ie); |
104 | 0 | wnmtfs_ie = NULL; |
105 | 0 | } |
106 | 0 | } |
107 | 0 | wpa_hexdump(MSG_DEBUG, "WNM: TFS Request element", |
108 | 0 | (u8 *) wnmtfs_ie, wnmtfs_ie_len); |
109 | |
|
110 | 0 | oci_ie = NULL; |
111 | 0 | oci_ie_len = 0; |
112 | | #ifdef CONFIG_OCV |
113 | | if (action == WNM_SLEEP_MODE_EXIT && wpa_sm_ocv_enabled(wpa_s->wpa)) { |
114 | | struct wpa_channel_info ci; |
115 | | |
116 | | if (wpa_drv_channel_info(wpa_s, &ci) != 0) { |
117 | | wpa_printf(MSG_WARNING, |
118 | | "Failed to get channel info for OCI element in WNM-Sleep Mode frame"); |
119 | | os_free(wnmsleep_ie); |
120 | | os_free(wnmtfs_ie); |
121 | | return -1; |
122 | | } |
123 | | #ifdef CONFIG_TESTING_OPTIONS |
124 | | if (wpa_s->oci_freq_override_wnm_sleep) { |
125 | | wpa_printf(MSG_INFO, |
126 | | "TEST: Override OCI KDE frequency %d -> %d MHz", |
127 | | ci.frequency, |
128 | | wpa_s->oci_freq_override_wnm_sleep); |
129 | | ci.frequency = wpa_s->oci_freq_override_wnm_sleep; |
130 | | } |
131 | | #endif /* CONFIG_TESTING_OPTIONS */ |
132 | | |
133 | | oci_ie_len = OCV_OCI_EXTENDED_LEN; |
134 | | oci_ie = os_zalloc(oci_ie_len); |
135 | | if (!oci_ie) { |
136 | | wpa_printf(MSG_WARNING, |
137 | | "Failed to allocate buffer for for OCI element in WNM-Sleep Mode frame"); |
138 | | os_free(wnmsleep_ie); |
139 | | os_free(wnmtfs_ie); |
140 | | return -1; |
141 | | } |
142 | | |
143 | | if (ocv_insert_extended_oci(&ci, oci_ie) < 0) { |
144 | | os_free(wnmsleep_ie); |
145 | | os_free(wnmtfs_ie); |
146 | | os_free(oci_ie); |
147 | | return -1; |
148 | | } |
149 | | } |
150 | | #endif /* CONFIG_OCV */ |
151 | |
|
152 | 0 | mgmt = os_zalloc(sizeof(*mgmt) + wnmsleep_ie_len + wnmtfs_ie_len + |
153 | 0 | oci_ie_len); |
154 | 0 | if (mgmt == NULL) { |
155 | 0 | wpa_printf(MSG_DEBUG, "MLME: Failed to allocate buffer for " |
156 | 0 | "WNM-Sleep Request action frame"); |
157 | 0 | os_free(wnmsleep_ie); |
158 | 0 | os_free(wnmtfs_ie); |
159 | 0 | return -1; |
160 | 0 | } |
161 | | |
162 | 0 | os_memcpy(mgmt->da, wpa_s->bssid, ETH_ALEN); |
163 | 0 | os_memcpy(mgmt->sa, wpa_s->own_addr, ETH_ALEN); |
164 | 0 | os_memcpy(mgmt->bssid, wpa_s->bssid, ETH_ALEN); |
165 | 0 | mgmt->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, |
166 | 0 | WLAN_FC_STYPE_ACTION); |
167 | 0 | mgmt->u.action.category = WLAN_ACTION_WNM; |
168 | 0 | mgmt->u.action.u.wnm_sleep_req.action = WNM_SLEEP_MODE_REQ; |
169 | 0 | mgmt->u.action.u.wnm_sleep_req.dialogtoken = 1; |
170 | 0 | os_memcpy(mgmt->u.action.u.wnm_sleep_req.variable, wnmsleep_ie, |
171 | 0 | wnmsleep_ie_len); |
172 | | /* copy TFS IE here */ |
173 | 0 | if (wnmtfs_ie_len > 0) { |
174 | 0 | os_memcpy(mgmt->u.action.u.wnm_sleep_req.variable + |
175 | 0 | wnmsleep_ie_len, wnmtfs_ie, wnmtfs_ie_len); |
176 | 0 | } |
177 | |
|
178 | | #ifdef CONFIG_OCV |
179 | | /* copy OCV OCI here */ |
180 | | if (oci_ie_len > 0) { |
181 | | os_memcpy(mgmt->u.action.u.wnm_sleep_req.variable + |
182 | | wnmsleep_ie_len + wnmtfs_ie_len, oci_ie, oci_ie_len); |
183 | | } |
184 | | #endif /* CONFIG_OCV */ |
185 | |
|
186 | 0 | len = 1 + sizeof(mgmt->u.action.u.wnm_sleep_req) + wnmsleep_ie_len + |
187 | 0 | wnmtfs_ie_len + oci_ie_len; |
188 | |
|
189 | 0 | res = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, |
190 | 0 | wpa_s->own_addr, wpa_s->bssid, |
191 | 0 | &mgmt->u.action.category, len, 0); |
192 | 0 | if (res < 0) |
193 | 0 | wpa_printf(MSG_DEBUG, "Failed to send WNM-Sleep Request " |
194 | 0 | "(action=%d, intval=%d)", action, intval); |
195 | 0 | else |
196 | 0 | wpa_s->wnmsleep_used = 1; |
197 | |
|
198 | 0 | os_free(wnmsleep_ie); |
199 | 0 | os_free(wnmtfs_ie); |
200 | 0 | os_free(oci_ie); |
201 | 0 | os_free(mgmt); |
202 | |
|
203 | 0 | return res; |
204 | 0 | } |
205 | | |
206 | | |
207 | | static void wnm_sleep_mode_enter_success(struct wpa_supplicant *wpa_s, |
208 | | const u8 *tfsresp_ie_start, |
209 | | const u8 *tfsresp_ie_end) |
210 | 0 | { |
211 | 0 | wpa_drv_wnm_oper(wpa_s, WNM_SLEEP_ENTER_CONFIRM, |
212 | 0 | wpa_s->bssid, NULL, NULL); |
213 | | /* remove GTK/IGTK ?? */ |
214 | | |
215 | | /* set the TFS Resp IE(s) */ |
216 | 0 | if (tfsresp_ie_start && tfsresp_ie_end && |
217 | 0 | tfsresp_ie_end - tfsresp_ie_start >= 0) { |
218 | 0 | u16 tfsresp_ie_len; |
219 | 0 | tfsresp_ie_len = (tfsresp_ie_end + tfsresp_ie_end[1] + 2) - |
220 | 0 | tfsresp_ie_start; |
221 | 0 | wpa_printf(MSG_DEBUG, "TFS Resp IE(s) found"); |
222 | | /* pass the TFS Resp IE(s) to driver for processing */ |
223 | 0 | if (ieee80211_11_set_tfs_ie(wpa_s, wpa_s->bssid, |
224 | 0 | tfsresp_ie_start, |
225 | 0 | tfsresp_ie_len, |
226 | 0 | WNM_SLEEP_TFS_RESP_IE_SET)) |
227 | 0 | wpa_printf(MSG_DEBUG, "WNM: Fail to set TFS Resp IE"); |
228 | 0 | } |
229 | 0 | } |
230 | | |
231 | | |
232 | | static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s, |
233 | | const u8 *frm, u16 key_len_total) |
234 | 0 | { |
235 | 0 | u8 *ptr, *end; |
236 | 0 | u8 gtk_len; |
237 | |
|
238 | 0 | wpa_drv_wnm_oper(wpa_s, WNM_SLEEP_EXIT_CONFIRM, wpa_s->bssid, |
239 | 0 | NULL, NULL); |
240 | | |
241 | | /* Install GTK/IGTK */ |
242 | | |
243 | | /* point to key data field */ |
244 | 0 | ptr = (u8 *) frm + 1 + 2; |
245 | 0 | end = ptr + key_len_total; |
246 | 0 | wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total); |
247 | |
|
248 | 0 | if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) { |
249 | 0 | wpa_msg(wpa_s, MSG_INFO, |
250 | 0 | "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled"); |
251 | 0 | return; |
252 | 0 | } |
253 | | |
254 | 0 | while (end - ptr > 1) { |
255 | 0 | if (2 + ptr[1] > end - ptr) { |
256 | 0 | wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element " |
257 | 0 | "length"); |
258 | 0 | if (end > ptr) { |
259 | 0 | wpa_hexdump(MSG_DEBUG, "WNM: Remaining data", |
260 | 0 | ptr, end - ptr); |
261 | 0 | } |
262 | 0 | break; |
263 | 0 | } |
264 | 0 | if (*ptr == WNM_SLEEP_SUBELEM_GTK) { |
265 | 0 | if (ptr[1] < 11 + 5) { |
266 | 0 | wpa_printf(MSG_DEBUG, "WNM: Too short GTK " |
267 | 0 | "subelem"); |
268 | 0 | break; |
269 | 0 | } |
270 | 0 | gtk_len = *(ptr + 4); |
271 | 0 | if (ptr[1] < 11 + gtk_len || |
272 | 0 | gtk_len < 5 || gtk_len > 32) { |
273 | 0 | wpa_printf(MSG_DEBUG, "WNM: Invalid GTK " |
274 | 0 | "subelem"); |
275 | 0 | break; |
276 | 0 | } |
277 | 0 | wpa_wnmsleep_install_key( |
278 | 0 | wpa_s->wpa, |
279 | 0 | WNM_SLEEP_SUBELEM_GTK, |
280 | 0 | ptr); |
281 | 0 | ptr += 13 + gtk_len; |
282 | 0 | } else if (*ptr == WNM_SLEEP_SUBELEM_IGTK) { |
283 | 0 | if (ptr[1] < 2 + 6 + WPA_IGTK_LEN) { |
284 | 0 | wpa_printf(MSG_DEBUG, "WNM: Too short IGTK " |
285 | 0 | "subelem"); |
286 | 0 | break; |
287 | 0 | } |
288 | 0 | wpa_wnmsleep_install_key(wpa_s->wpa, |
289 | 0 | WNM_SLEEP_SUBELEM_IGTK, ptr); |
290 | 0 | ptr += 10 + WPA_IGTK_LEN; |
291 | 0 | } else if (*ptr == WNM_SLEEP_SUBELEM_BIGTK) { |
292 | 0 | if (ptr[1] < 2 + 6 + WPA_BIGTK_LEN) { |
293 | 0 | wpa_printf(MSG_DEBUG, |
294 | 0 | "WNM: Too short BIGTK subelem"); |
295 | 0 | break; |
296 | 0 | } |
297 | 0 | wpa_wnmsleep_install_key(wpa_s->wpa, |
298 | 0 | WNM_SLEEP_SUBELEM_BIGTK, ptr); |
299 | 0 | ptr += 10 + WPA_BIGTK_LEN; |
300 | 0 | } else |
301 | 0 | break; /* skip the loop */ |
302 | 0 | } |
303 | 0 | } |
304 | | |
305 | | |
306 | | static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, |
307 | | const u8 *da, const u8 *sa, |
308 | | const u8 *frm, int len) |
309 | 1 | { |
310 | | /* |
311 | | * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data | |
312 | | * WNM-Sleep Mode IE | TFS Response IE |
313 | | */ |
314 | 1 | const u8 *pos = frm; /* point to payload after the action field */ |
315 | 1 | u16 key_len_total; |
316 | 1 | struct wnm_sleep_element *wnmsleep_ie = NULL; |
317 | | /* multiple TFS Resp IE (assuming consecutive) */ |
318 | 1 | const u8 *tfsresp_ie_start = NULL; |
319 | 1 | const u8 *tfsresp_ie_end = NULL; |
320 | | #ifdef CONFIG_OCV |
321 | | const u8 *oci_ie = NULL; |
322 | | u8 oci_ie_len = 0; |
323 | | #endif /* CONFIG_OCV */ |
324 | 1 | size_t left; |
325 | | |
326 | 1 | if (!wpa_s->wnmsleep_used) { |
327 | 1 | wpa_printf(MSG_DEBUG, |
328 | 1 | "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); |
329 | 1 | return; |
330 | 1 | } |
331 | | |
332 | 0 | if (is_multicast_ether_addr(da)) { |
333 | 0 | wpa_printf(MSG_DEBUG, |
334 | 0 | "WNM: Ignore group-addressed WNM-Sleep Mode Response frame (A1=" |
335 | 0 | MACSTR " A2=" MACSTR ")", |
336 | 0 | MAC2STR(da), MAC2STR(sa)); |
337 | 0 | return; |
338 | 0 | } |
339 | | |
340 | 0 | if (len < 3) |
341 | 0 | return; |
342 | 0 | key_len_total = WPA_GET_LE16(frm + 1); |
343 | |
|
344 | 0 | wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d", |
345 | 0 | frm[0], key_len_total); |
346 | 0 | left = len - 3; |
347 | 0 | if (key_len_total > left) { |
348 | 0 | wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field"); |
349 | 0 | return; |
350 | 0 | } |
351 | 0 | pos += 3 + key_len_total; |
352 | 0 | while (pos - frm + 1 < len) { |
353 | 0 | u8 ie_len = *(pos + 1); |
354 | 0 | if (2 + ie_len > frm + len - pos) { |
355 | 0 | wpa_printf(MSG_INFO, "WNM: Invalid IE len %u", ie_len); |
356 | 0 | break; |
357 | 0 | } |
358 | 0 | wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len); |
359 | 0 | if (*pos == WLAN_EID_WNMSLEEP && ie_len >= 4) |
360 | 0 | wnmsleep_ie = (struct wnm_sleep_element *) pos; |
361 | 0 | else if (*pos == WLAN_EID_TFS_RESP) { |
362 | 0 | if (!tfsresp_ie_start) |
363 | 0 | tfsresp_ie_start = pos; |
364 | 0 | tfsresp_ie_end = pos; |
365 | | #ifdef CONFIG_OCV |
366 | | } else if (*pos == WLAN_EID_EXTENSION && ie_len >= 1 && |
367 | | pos[2] == WLAN_EID_EXT_OCV_OCI) { |
368 | | oci_ie = pos + 3; |
369 | | oci_ie_len = ie_len - 1; |
370 | | #endif /* CONFIG_OCV */ |
371 | 0 | } else |
372 | 0 | wpa_printf(MSG_DEBUG, "EID %d not recognized", *pos); |
373 | 0 | pos += ie_len + 2; |
374 | 0 | } |
375 | |
|
376 | 0 | if (!wnmsleep_ie) { |
377 | 0 | wpa_printf(MSG_DEBUG, "No WNM-Sleep IE found"); |
378 | 0 | return; |
379 | 0 | } |
380 | | |
381 | | #ifdef CONFIG_OCV |
382 | | if (wnmsleep_ie->action_type == WNM_SLEEP_MODE_EXIT && |
383 | | wpa_sm_ocv_enabled(wpa_s->wpa)) { |
384 | | struct wpa_channel_info ci; |
385 | | |
386 | | if (wpa_drv_channel_info(wpa_s, &ci) != 0) { |
387 | | wpa_msg(wpa_s, MSG_WARNING, |
388 | | "Failed to get channel info to validate received OCI in WNM-Sleep Mode frame"); |
389 | | return; |
390 | | } |
391 | | |
392 | | if (ocv_verify_tx_params(oci_ie, oci_ie_len, &ci, |
393 | | channel_width_to_int(ci.chanwidth), |
394 | | ci.seg1_idx) != OCI_SUCCESS) { |
395 | | wpa_msg(wpa_s, MSG_WARNING, "WNM: OCV failed: %s", |
396 | | ocv_errorstr); |
397 | | return; |
398 | | } |
399 | | } |
400 | | #endif /* CONFIG_OCV */ |
401 | | |
402 | 0 | wpa_s->wnmsleep_used = 0; |
403 | |
|
404 | 0 | if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || |
405 | 0 | wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { |
406 | 0 | wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " |
407 | 0 | "frame (action=%d, intval=%d)", |
408 | 0 | wnmsleep_ie->action_type, wnmsleep_ie->intval); |
409 | 0 | if (wnmsleep_ie->action_type == WNM_SLEEP_MODE_ENTER) { |
410 | 0 | wnm_sleep_mode_enter_success(wpa_s, tfsresp_ie_start, |
411 | 0 | tfsresp_ie_end); |
412 | 0 | } else if (wnmsleep_ie->action_type == WNM_SLEEP_MODE_EXIT) { |
413 | 0 | wnm_sleep_mode_exit_success(wpa_s, frm, key_len_total); |
414 | 0 | } |
415 | 0 | } else { |
416 | 0 | wpa_printf(MSG_DEBUG, "Reject recv WNM-Sleep Response frame " |
417 | 0 | "(action=%d, intval=%d)", |
418 | 0 | wnmsleep_ie->action_type, wnmsleep_ie->intval); |
419 | 0 | if (wnmsleep_ie->action_type == WNM_SLEEP_MODE_ENTER) |
420 | 0 | wpa_drv_wnm_oper(wpa_s, WNM_SLEEP_ENTER_FAIL, |
421 | 0 | wpa_s->bssid, NULL, NULL); |
422 | 0 | else if (wnmsleep_ie->action_type == WNM_SLEEP_MODE_EXIT) |
423 | 0 | wpa_drv_wnm_oper(wpa_s, WNM_SLEEP_EXIT_FAIL, |
424 | 0 | wpa_s->bssid, NULL, NULL); |
425 | 0 | } |
426 | 0 | } |
427 | | |
428 | | |
429 | | void wnm_btm_reset(struct wpa_supplicant *wpa_s) |
430 | 3.05k | { |
431 | 3.05k | int i; |
432 | | |
433 | 6.17k | for (i = 0; i < wpa_s->wnm_num_neighbor_report; i++) { |
434 | 3.11k | os_free(wpa_s->wnm_neighbor_report_elements[i].meas_pilot); |
435 | 3.11k | os_free(wpa_s->wnm_neighbor_report_elements[i].mul_bssid); |
436 | 3.11k | } |
437 | | |
438 | 3.05k | wpa_s->wnm_num_neighbor_report = 0; |
439 | 3.05k | os_free(wpa_s->wnm_neighbor_report_elements); |
440 | 3.05k | wpa_s->wnm_neighbor_report_elements = NULL; |
441 | | |
442 | 3.05k | wpa_s->wnm_target_bss = NULL; |
443 | | |
444 | 3.05k | wpa_s->wnm_cand_valid_until.sec = 0; |
445 | 3.05k | wpa_s->wnm_cand_valid_until.usec = 0; |
446 | | |
447 | 3.05k | wpa_s->wnm_mode = 0; |
448 | 3.05k | wpa_s->wnm_dialog_token = 0; |
449 | 3.05k | wpa_s->wnm_reply = 0; |
450 | | |
451 | | #ifdef CONFIG_MBO |
452 | | wpa_s->wnm_mbo_trans_reason_present = 0; |
453 | | wpa_s->wnm_mbo_transition_reason = 0; |
454 | | #endif /* CONFIG_MBO */ |
455 | 3.05k | } |
456 | | |
457 | | |
458 | | static void wnm_parse_neighbor_report_multi_link(struct neighbor_report *rep, |
459 | | u8 id, u8 elen, const u8 *pos) |
460 | 1.31k | { |
461 | 1.31k | const struct ieee80211_eht_ml *ml = |
462 | 1.31k | (const struct ieee80211_eht_ml *) pos; |
463 | 1.31k | bool has_link_id; |
464 | 1.31k | u8 common_info_len; |
465 | | |
466 | | /* The Basic Multi-Link subelement has the same body as the Basic MLE. |
467 | | * It includes at least the 2 octet Multi-Link Control field, 1 octet |
468 | | * Common Info Length, and the 6 oxtet MLD MAC Address fields. */ |
469 | 1.31k | if (elen < sizeof(*ml) + 1 + ETH_ALEN) { |
470 | 206 | wpa_printf(MSG_DEBUG, "WNM: Too short ML element"); |
471 | 206 | return; |
472 | 206 | } |
473 | | |
474 | | /* The ML control should be all zeroes except for the Link ID Info |
475 | | * Present field. */ |
476 | 1.11k | if ((le_to_host16(ml->ml_control) & |
477 | 1.11k | ~BASIC_MULTI_LINK_CTRL_PRES_LINK_ID)) |
478 | 686 | wpa_printf(MSG_DEBUG, |
479 | 686 | "WNM: Ignore unsupported ML Control field bits: 0x%04x", |
480 | 686 | le_to_host16(ml->ml_control) & |
481 | 686 | ~BASIC_MULTI_LINK_CTRL_PRES_LINK_ID); |
482 | | |
483 | 1.11k | has_link_id = !!(le_to_host16(ml->ml_control) & |
484 | 1.11k | BASIC_MULTI_LINK_CTRL_PRES_LINK_ID); |
485 | | |
486 | | /* Followed by the Common Info Length and the MLD MAC Address fields */ |
487 | 1.11k | common_info_len = pos[2]; |
488 | 1.11k | if (common_info_len < 1 + ETH_ALEN) { |
489 | 363 | wpa_printf(MSG_DEBUG, "WNM: Too short ML Common Info: %u < 7", |
490 | 363 | common_info_len); |
491 | 363 | return; |
492 | 363 | } |
493 | | |
494 | | /* MLD MAC Address */ |
495 | 748 | os_memcpy(rep->mld_addr, &pos[3], ETH_ALEN); |
496 | | |
497 | 748 | if (!has_link_id) |
498 | 146 | return; |
499 | | |
500 | 602 | if (common_info_len < 1 + ETH_ALEN + 1 || common_info_len + 2 > elen) { |
501 | 227 | wpa_printf(MSG_DEBUG, |
502 | 227 | "WNM: ML Common Info too short or does not fit: %u (elen: %u)", |
503 | 227 | common_info_len, elen); |
504 | 227 | return; |
505 | 227 | } |
506 | | |
507 | | /* Link ID Info */ |
508 | 375 | if ((pos[9] & EHT_ML_LINK_ID_MSK) >= MAX_NUM_MLD_LINKS) { |
509 | 68 | wpa_printf(MSG_DEBUG, |
510 | 68 | "WNM: ML common info contains invalid link ID"); |
511 | 68 | return; |
512 | 68 | } |
513 | | |
514 | 307 | rep->mld_links = BIT(pos[9] & EHT_ML_LINK_ID_MSK); |
515 | | |
516 | 307 | elen -= common_info_len + 2; |
517 | 307 | pos += common_info_len + 2; |
518 | | |
519 | | /* Parse out per-STA information */ |
520 | 1.00k | while (elen >= 2) { |
521 | 866 | u8 sub_elem_len = pos[1]; |
522 | | |
523 | 866 | if (2 + sub_elem_len > elen) { |
524 | 93 | wpa_printf(MSG_DEBUG, |
525 | 93 | "WNM: Invalid sub-element length: %u %u", |
526 | 93 | 2 + sub_elem_len, elen); |
527 | 93 | rep->mld_links = 0; |
528 | 93 | break; |
529 | 93 | } |
530 | | |
531 | 773 | if (*pos == MULTI_LINK_SUB_ELEM_ID_PER_STA_PROFILE) { |
532 | 514 | const struct ieee80211_eht_per_sta_profile *sta_prof = |
533 | 514 | (const struct ieee80211_eht_per_sta_profile *) |
534 | 514 | (pos + 2); |
535 | 514 | u16 control; |
536 | 514 | u8 link_id; |
537 | | |
538 | 514 | if (sub_elem_len < sizeof(*sta_prof)) { |
539 | 71 | wpa_printf(MSG_DEBUG, |
540 | 71 | "WNM: Invalid STA-profile length: %u", |
541 | 71 | sub_elem_len); |
542 | 71 | rep->mld_links = 0; |
543 | 71 | break; |
544 | 71 | } |
545 | | |
546 | 443 | control = le_to_host16(sta_prof->sta_control); |
547 | | |
548 | 443 | link_id = control & EHT_PER_STA_RECONF_CTRL_LINK_ID_MSK; |
549 | 443 | rep->mld_links |= BIT(link_id); |
550 | 443 | } |
551 | | |
552 | 702 | pos += 2 + sub_elem_len; |
553 | 702 | elen -= 2 + sub_elem_len; |
554 | 702 | } |
555 | | |
556 | 307 | if (elen != 0) { |
557 | 207 | wpa_printf(MSG_DEBUG, |
558 | 207 | "WNM: Data left at end of multi-link element: %u", |
559 | 207 | elen); |
560 | 207 | rep->mld_links = 0; |
561 | 207 | } |
562 | 307 | } |
563 | | |
564 | | |
565 | | static void wnm_parse_neighbor_report_elem(struct neighbor_report *rep, |
566 | | u8 id, u8 elen, const u8 *pos) |
567 | 11.6k | { |
568 | 11.6k | switch (id) { |
569 | 796 | case WNM_NEIGHBOR_TSF: |
570 | 796 | if (elen < 2 + 2) { |
571 | 540 | wpa_printf(MSG_DEBUG, "WNM: Too short TSF"); |
572 | 540 | break; |
573 | 540 | } |
574 | 256 | rep->tsf_offset = WPA_GET_LE16(pos); |
575 | 256 | rep->beacon_int = WPA_GET_LE16(pos + 2); |
576 | 256 | rep->tsf_present = 1; |
577 | 256 | break; |
578 | 807 | case WNM_NEIGHBOR_CONDENSED_COUNTRY_STRING: |
579 | 807 | if (elen < 2) { |
580 | 541 | wpa_printf(MSG_DEBUG, "WNM: Too short condensed " |
581 | 541 | "country string"); |
582 | 541 | break; |
583 | 541 | } |
584 | 266 | os_memcpy(rep->country, pos, 2); |
585 | 266 | rep->country_present = 1; |
586 | 266 | break; |
587 | 1.06k | case WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE: |
588 | 1.06k | if (elen < 1) { |
589 | 456 | wpa_printf(MSG_DEBUG, "WNM: Too short BSS transition " |
590 | 456 | "candidate"); |
591 | 456 | break; |
592 | 456 | } |
593 | 607 | rep->preference = pos[0]; |
594 | 607 | rep->preference_present = 1; |
595 | 607 | break; |
596 | 837 | case WNM_NEIGHBOR_BSS_TERMINATION_DURATION: |
597 | 837 | if (elen < 10) { |
598 | 384 | wpa_printf(MSG_DEBUG, |
599 | 384 | "WNM: Too short BSS termination duration"); |
600 | 384 | break; |
601 | 384 | } |
602 | 453 | rep->bss_term_tsf = WPA_GET_LE64(pos); |
603 | 453 | rep->bss_term_dur = WPA_GET_LE16(pos + 8); |
604 | 453 | rep->bss_term_present = 1; |
605 | 453 | break; |
606 | 632 | case WNM_NEIGHBOR_BEARING: |
607 | 632 | if (elen < 8) { |
608 | 255 | wpa_printf(MSG_DEBUG, "WNM: Too short neighbor " |
609 | 255 | "bearing"); |
610 | 255 | break; |
611 | 255 | } |
612 | 377 | rep->bearing = WPA_GET_LE16(pos); |
613 | 377 | rep->distance = WPA_GET_LE32(pos + 2); |
614 | 377 | rep->rel_height = WPA_GET_LE16(pos + 2 + 4); |
615 | 377 | rep->bearing_present = 1; |
616 | 377 | break; |
617 | 1.25k | case WNM_NEIGHBOR_MEASUREMENT_PILOT: |
618 | 1.25k | if (elen < 1) { |
619 | 242 | wpa_printf(MSG_DEBUG, "WNM: Too short measurement " |
620 | 242 | "pilot"); |
621 | 242 | break; |
622 | 242 | } |
623 | 1.01k | os_free(rep->meas_pilot); |
624 | 1.01k | rep->meas_pilot = os_zalloc(sizeof(struct measurement_pilot)); |
625 | 1.01k | if (rep->meas_pilot == NULL) |
626 | 0 | break; |
627 | 1.01k | rep->meas_pilot->measurement_pilot = pos[0]; |
628 | 1.01k | rep->meas_pilot->subelem_len = elen - 1; |
629 | 1.01k | os_memcpy(rep->meas_pilot->subelems, pos + 1, elen - 1); |
630 | 1.01k | break; |
631 | 473 | case WNM_NEIGHBOR_RRM_ENABLED_CAPABILITIES: |
632 | 473 | if (elen < 5) { |
633 | 228 | wpa_printf(MSG_DEBUG, "WNM: Too short RRM enabled " |
634 | 228 | "capabilities"); |
635 | 228 | break; |
636 | 228 | } |
637 | 245 | os_memcpy(rep->rm_capab, pos, 5); |
638 | 245 | rep->rm_capab_present = 1; |
639 | 245 | break; |
640 | 506 | case WNM_NEIGHBOR_MULTIPLE_BSSID: |
641 | 506 | if (elen < 1) { |
642 | 199 | wpa_printf(MSG_DEBUG, "WNM: Too short multiple BSSID"); |
643 | 199 | break; |
644 | 199 | } |
645 | 307 | os_free(rep->mul_bssid); |
646 | 307 | rep->mul_bssid = os_zalloc(sizeof(struct multiple_bssid)); |
647 | 307 | if (rep->mul_bssid == NULL) |
648 | 0 | break; |
649 | 307 | rep->mul_bssid->max_bssid_indicator = pos[0]; |
650 | 307 | rep->mul_bssid->subelem_len = elen - 1; |
651 | 307 | os_memcpy(rep->mul_bssid->subelems, pos + 1, elen - 1); |
652 | 307 | break; |
653 | 1.31k | case WNM_NEIGHBOR_MULTI_LINK: |
654 | 1.31k | wnm_parse_neighbor_report_multi_link(rep, id, elen, pos); |
655 | 1.31k | break; |
656 | 4.01k | default: |
657 | 4.01k | wpa_printf(MSG_DEBUG, |
658 | 4.01k | "WNM: Unsupported neighbor report subelement id %u", |
659 | 4.01k | id); |
660 | 4.01k | break; |
661 | 11.6k | } |
662 | 11.6k | } |
663 | | |
664 | | |
665 | | static int wnm_nei_get_chan(struct wpa_supplicant *wpa_s, u8 op_class, u8 chan) |
666 | 2.83k | { |
667 | 2.83k | struct wpa_bss *bss = wpa_s->current_bss; |
668 | 2.83k | const char *country = NULL; |
669 | 2.83k | int freq; |
670 | | |
671 | 2.83k | if (bss) { |
672 | 2.83k | const u8 *elem = wpa_bss_get_ie(bss, WLAN_EID_COUNTRY); |
673 | | |
674 | 2.83k | if (elem && elem[1] >= 2) |
675 | 0 | country = (const char *) (elem + 2); |
676 | 2.83k | } |
677 | | |
678 | 2.83k | freq = ieee80211_chan_to_freq(country, op_class, chan); |
679 | 2.83k | if (freq <= 0 && (op_class == 0 || op_class == 255)) { |
680 | | /* |
681 | | * Some APs do not advertise correct operating class |
682 | | * information. Try to determine the most likely operating |
683 | | * frequency based on the channel number. |
684 | | */ |
685 | 580 | if (chan >= 1 && chan <= 13) |
686 | 122 | freq = 2407 + chan * 5; |
687 | 458 | else if (chan == 14) |
688 | 19 | freq = 2484; |
689 | 439 | else if (chan >= 36 && chan <= 177) |
690 | 133 | freq = 5000 + chan * 5; |
691 | 580 | } |
692 | 2.83k | return freq; |
693 | 2.83k | } |
694 | | |
695 | | |
696 | | static void wnm_parse_neighbor_report(struct wpa_supplicant *wpa_s, |
697 | | const u8 *pos, u8 len, |
698 | | struct neighbor_report *rep) |
699 | 3.11k | { |
700 | 3.11k | u8 left = len; |
701 | | |
702 | 3.11k | if (left < 13) { |
703 | 281 | wpa_printf(MSG_DEBUG, "WNM: Too short neighbor report"); |
704 | 281 | return; |
705 | 281 | } |
706 | | |
707 | 2.83k | os_memcpy(rep->bssid, pos, ETH_ALEN); |
708 | 2.83k | rep->bssid_info = WPA_GET_LE32(pos + ETH_ALEN); |
709 | 2.83k | rep->regulatory_class = *(pos + 10); |
710 | 2.83k | rep->channel_number = *(pos + 11); |
711 | 2.83k | rep->phy_type = *(pos + 12); |
712 | | |
713 | 2.83k | pos += 13; |
714 | 2.83k | left -= 13; |
715 | | |
716 | 14.5k | while (left >= 2) { |
717 | 12.1k | u8 id, elen; |
718 | | |
719 | 12.1k | id = *pos++; |
720 | 12.1k | elen = *pos++; |
721 | 12.1k | wpa_printf(MSG_DEBUG, "WNM: Subelement id=%u len=%u", id, elen); |
722 | 12.1k | left -= 2; |
723 | 12.1k | if (elen > left) { |
724 | 437 | wpa_printf(MSG_DEBUG, |
725 | 437 | "WNM: Truncated neighbor report subelement"); |
726 | 437 | break; |
727 | 437 | } |
728 | 11.6k | wnm_parse_neighbor_report_elem(rep, id, elen, pos); |
729 | 11.6k | left -= elen; |
730 | 11.6k | pos += elen; |
731 | 11.6k | } |
732 | | |
733 | 2.83k | rep->freq = wnm_nei_get_chan(wpa_s, rep->regulatory_class, |
734 | 2.83k | rep->channel_number); |
735 | 2.83k | } |
736 | | |
737 | | |
738 | | static void |
739 | | fetch_drv_mbo_candidate_info(struct wpa_supplicant *wpa_s, |
740 | | enum mbo_transition_reject_reason *reason) |
741 | 1.16k | { |
742 | | #ifdef CONFIG_MBO |
743 | | struct wpa_bss_trans_info params; |
744 | | struct wpa_bss_candidate_info *info = NULL; |
745 | | struct neighbor_report *nei; |
746 | | u8 *pos; |
747 | | unsigned int i; |
748 | | |
749 | | if (!wpa_s->wnm_mbo_trans_reason_present) |
750 | | return; |
751 | | |
752 | | params.mbo_transition_reason = wpa_s->wnm_mbo_transition_reason; |
753 | | params.n_candidates = 0; |
754 | | params.bssid = os_calloc(wpa_s->wnm_num_neighbor_report, ETH_ALEN); |
755 | | if (!params.bssid) |
756 | | return; |
757 | | |
758 | | pos = params.bssid; |
759 | | for (i = 0; i < wpa_s->wnm_num_neighbor_report; i++) { |
760 | | nei = &wpa_s->wnm_neighbor_report_elements[i]; |
761 | | |
762 | | nei->drv_mbo_reject = 0; |
763 | | |
764 | | if (nei->preference_present && nei->preference == 0) |
765 | | continue; |
766 | | |
767 | | /* Should we query BSSIDs that we reject for other reasons? */ |
768 | | |
769 | | os_memcpy(pos, nei->bssid, ETH_ALEN); |
770 | | pos += ETH_ALEN; |
771 | | params.n_candidates++; |
772 | | } |
773 | | |
774 | | if (!params.n_candidates) |
775 | | goto end; |
776 | | |
777 | | info = wpa_drv_get_bss_trans_status(wpa_s, ¶ms); |
778 | | if (!info) |
779 | | goto end; |
780 | | |
781 | | for (i = 0; i < info->num; i++) { |
782 | | int j; |
783 | | |
784 | | for (j = 0; j < wpa_s->wnm_num_neighbor_report; j++) { |
785 | | nei = &wpa_s->wnm_neighbor_report_elements[j]; |
786 | | |
787 | | if (!ether_addr_equal(info->candidates[i].bssid, |
788 | | nei->bssid)) |
789 | | continue; |
790 | | |
791 | | nei->drv_mbo_reject = !info->candidates[i].is_accept; |
792 | | |
793 | | /* Use the reject reason from the first candidate */ |
794 | | if (i == 0 && nei->drv_mbo_reject) |
795 | | *reason = info->candidates[i].reject_reason; |
796 | | |
797 | | break; |
798 | | } |
799 | | } |
800 | | |
801 | | end: |
802 | | os_free(params.bssid); |
803 | | if (info) { |
804 | | os_free(info->candidates); |
805 | | os_free(info); |
806 | | } |
807 | | #endif /* CONFIG_MBO */ |
808 | 1.16k | } |
809 | | |
810 | | |
811 | | static int wpa_bss_ies_eq(struct wpa_bss *a, struct wpa_bss *b, u8 eid) |
812 | 0 | { |
813 | 0 | const u8 *ie_a, *ie_b; |
814 | |
|
815 | 0 | if (!a || !b) |
816 | 0 | return 0; |
817 | | |
818 | 0 | ie_a = wpa_bss_get_ie(a, eid); |
819 | 0 | ie_b = wpa_bss_get_ie(b, eid); |
820 | |
|
821 | 0 | if (!ie_a || !ie_b || ie_a[1] != ie_b[1]) |
822 | 0 | return 0; |
823 | | |
824 | 0 | return os_memcmp(ie_a, ie_b, ie_a[1]) == 0; |
825 | 0 | } |
826 | | |
827 | | |
828 | | static u32 wnm_get_bss_info(struct wpa_supplicant *wpa_s, struct wpa_bss *bss) |
829 | 0 | { |
830 | 0 | u32 info = 0; |
831 | |
|
832 | 0 | info |= NEI_REP_BSSID_INFO_AP_UNKNOWN_REACH; |
833 | | |
834 | | /* |
835 | | * Leave the security and key scope bits unset to indicate that the |
836 | | * security information is not available. |
837 | | */ |
838 | |
|
839 | 0 | if (bss->caps & WLAN_CAPABILITY_SPECTRUM_MGMT) |
840 | 0 | info |= NEI_REP_BSSID_INFO_SPECTRUM_MGMT; |
841 | 0 | if (bss->caps & WLAN_CAPABILITY_QOS) |
842 | 0 | info |= NEI_REP_BSSID_INFO_QOS; |
843 | 0 | if (bss->caps & WLAN_CAPABILITY_APSD) |
844 | 0 | info |= NEI_REP_BSSID_INFO_APSD; |
845 | 0 | if (bss->caps & WLAN_CAPABILITY_RADIO_MEASUREMENT) |
846 | 0 | info |= NEI_REP_BSSID_INFO_RM; |
847 | 0 | if (wpa_bss_ies_eq(bss, wpa_s->current_bss, WLAN_EID_MOBILITY_DOMAIN)) |
848 | 0 | info |= NEI_REP_BSSID_INFO_MOBILITY_DOMAIN; |
849 | 0 | if (wpa_bss_ies_eq(bss, wpa_s->current_bss, WLAN_EID_HT_CAP)) |
850 | 0 | info |= NEI_REP_BSSID_INFO_HT; |
851 | |
|
852 | 0 | return info; |
853 | 0 | } |
854 | | |
855 | | |
856 | | static int wnm_add_nei_rep(struct wpabuf **buf, const u8 *bssid, |
857 | | u32 bss_info, u8 op_class, u8 chan, u8 phy_type, |
858 | | u8 pref) |
859 | 0 | { |
860 | 0 | if (wpabuf_len(*buf) + 18 > |
861 | 0 | IEEE80211_MAX_MMPDU_SIZE - IEEE80211_HDRLEN) { |
862 | 0 | wpa_printf(MSG_DEBUG, |
863 | 0 | "WNM: No room in frame for Neighbor Report element"); |
864 | 0 | return -1; |
865 | 0 | } |
866 | | |
867 | 0 | if (wpabuf_resize(buf, 18) < 0) { |
868 | 0 | wpa_printf(MSG_DEBUG, |
869 | 0 | "WNM: Failed to allocate memory for Neighbor Report element"); |
870 | 0 | return -1; |
871 | 0 | } |
872 | | |
873 | 0 | wpabuf_put_u8(*buf, WLAN_EID_NEIGHBOR_REPORT); |
874 | | /* length: 13 for basic neighbor report + 3 for preference subelement */ |
875 | 0 | wpabuf_put_u8(*buf, 16); |
876 | 0 | wpabuf_put_data(*buf, bssid, ETH_ALEN); |
877 | 0 | wpabuf_put_le32(*buf, bss_info); |
878 | 0 | wpabuf_put_u8(*buf, op_class); |
879 | 0 | wpabuf_put_u8(*buf, chan); |
880 | 0 | wpabuf_put_u8(*buf, phy_type); |
881 | 0 | wpabuf_put_u8(*buf, WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE); |
882 | 0 | wpabuf_put_u8(*buf, 1); |
883 | 0 | wpabuf_put_u8(*buf, pref); |
884 | 0 | return 0; |
885 | 0 | } |
886 | | |
887 | | |
888 | | static int wnm_nei_rep_add_bss(struct wpa_supplicant *wpa_s, |
889 | | struct wpa_bss *bss, struct wpabuf **buf, |
890 | | u8 pref) |
891 | 0 | { |
892 | 0 | u8 op_class, chan; |
893 | 0 | int sec_chan = 0, chanwidth = 0; |
894 | 0 | struct ieee802_11_elems elems; |
895 | 0 | struct ieee80211_ht_operation *ht_oper; |
896 | 0 | enum phy_type phy_type; |
897 | 0 | u32 info; |
898 | |
|
899 | 0 | if (ieee802_11_parse_elems(wpa_bss_ie_ptr(bss), bss->ie_len, &elems, |
900 | 0 | 1) == ParseFailed) |
901 | 0 | return -2; |
902 | | |
903 | 0 | chanwidth = get_operation_channel_width(&elems); |
904 | 0 | if (chanwidth == CHAN_WIDTH_UNKNOWN) { |
905 | 0 | wpa_printf(MSG_DEBUG, "Cannot determine channel width"); |
906 | 0 | return -2; |
907 | 0 | } |
908 | 0 | ht_oper = (struct ieee80211_ht_operation *) elems.ht_operation; |
909 | 0 | if (ht_oper) { |
910 | 0 | u8 sec_chan_offset = ht_oper->ht_param & |
911 | 0 | HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; |
912 | |
|
913 | 0 | if (sec_chan_offset == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) |
914 | 0 | sec_chan = 1; |
915 | 0 | else if (sec_chan_offset == |
916 | 0 | HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) |
917 | 0 | sec_chan = -1; |
918 | 0 | } |
919 | |
|
920 | 0 | if (ieee80211_freq_to_channel_ext(bss->freq, sec_chan, chanwidth, |
921 | 0 | &op_class, &chan) == |
922 | 0 | NUM_HOSTAPD_MODES) { |
923 | 0 | wpa_printf(MSG_DEBUG, |
924 | 0 | "WNM: Cannot determine operating class and channel"); |
925 | 0 | return -2; |
926 | 0 | } |
927 | | |
928 | 0 | phy_type = ieee80211_get_phy_type(bss->freq, elems.ht_operation != NULL, |
929 | 0 | elems.vht_operation != NULL, |
930 | 0 | elems.he_operation != NULL); |
931 | 0 | if (phy_type == PHY_TYPE_UNSPECIFIED) { |
932 | 0 | wpa_printf(MSG_DEBUG, |
933 | 0 | "WNM: Cannot determine BSS phy type for Neighbor Report"); |
934 | 0 | return -2; |
935 | 0 | } |
936 | | |
937 | 0 | info = wnm_get_bss_info(wpa_s, bss); |
938 | |
|
939 | 0 | return wnm_add_nei_rep(buf, bss->bssid, info, op_class, chan, phy_type, |
940 | 0 | pref); |
941 | 0 | } |
942 | | |
943 | | |
944 | | static void wnm_add_cand_list(struct wpa_supplicant *wpa_s, struct wpabuf **buf) |
945 | 0 | { |
946 | 0 | unsigned int i, pref = 255; |
947 | 0 | struct os_reltime now; |
948 | 0 | struct wpa_ssid *ssid = wpa_s->current_ssid; |
949 | |
|
950 | 0 | if (!ssid) |
951 | 0 | return; |
952 | | |
953 | | /* |
954 | | * TODO: Define when scan results are no longer valid for the candidate |
955 | | * list. |
956 | | */ |
957 | 0 | os_get_reltime(&now); |
958 | 0 | if (os_reltime_expired(&now, &wpa_s->last_scan, 10)) |
959 | 0 | return; |
960 | | |
961 | 0 | wpa_printf(MSG_DEBUG, |
962 | 0 | "WNM: Add candidate list to BSS Transition Management Response frame"); |
963 | 0 | for (i = 0; i < wpa_s->last_scan_res_used && pref; i++) { |
964 | 0 | struct wpa_bss *bss = wpa_s->last_scan_res[i]; |
965 | 0 | int res; |
966 | |
|
967 | 0 | if (wpa_scan_res_match(wpa_s, i, bss, ssid, 1, 0, false)) { |
968 | 0 | res = wnm_nei_rep_add_bss(wpa_s, bss, buf, pref--); |
969 | 0 | if (res == -2) |
970 | 0 | continue; /* could not build entry for BSS */ |
971 | 0 | if (res < 0) |
972 | 0 | break; /* no more room for candidates */ |
973 | 0 | if (pref == 1) |
974 | 0 | break; |
975 | 0 | } |
976 | 0 | } |
977 | |
|
978 | 0 | wpa_hexdump_buf(MSG_DEBUG, |
979 | 0 | "WNM: BSS Transition Management Response candidate list", |
980 | 0 | *buf); |
981 | 0 | } |
982 | | |
983 | | |
984 | 25 | #define BTM_RESP_MIN_SIZE 5 + ETH_ALEN |
985 | | |
986 | | static int wnm_send_bss_transition_mgmt_resp( |
987 | | struct wpa_supplicant *wpa_s, |
988 | | enum bss_trans_mgmt_status_code status, |
989 | | enum mbo_transition_reject_reason reason, |
990 | | u8 delay, const u8 *target_bssid) |
991 | 25 | { |
992 | 25 | struct wpabuf *buf; |
993 | 25 | int res; |
994 | | |
995 | 25 | wpa_s->wnm_reply = 0; |
996 | | |
997 | 25 | wpa_printf(MSG_DEBUG, |
998 | 25 | "WNM: Send BSS Transition Management Response to " MACSTR |
999 | 25 | " dialog_token=%u status=%u reason=%u delay=%d", |
1000 | 25 | MAC2STR(wpa_s->bssid), wpa_s->wnm_dialog_token, status, |
1001 | 25 | reason, delay); |
1002 | 25 | if (!wpa_s->current_bss) { |
1003 | 0 | wpa_printf(MSG_DEBUG, |
1004 | 0 | "WNM: Current BSS not known - drop response"); |
1005 | 0 | return -1; |
1006 | 0 | } |
1007 | | |
1008 | 25 | buf = wpabuf_alloc(BTM_RESP_MIN_SIZE); |
1009 | 25 | if (!buf) { |
1010 | 0 | wpa_printf(MSG_DEBUG, |
1011 | 0 | "WNM: Failed to allocate memory for BTM response"); |
1012 | 0 | return -1; |
1013 | 0 | } |
1014 | | |
1015 | 25 | wpa_s->bss_tm_status = status; |
1016 | 25 | wpas_notify_bss_tm_status(wpa_s); |
1017 | | |
1018 | 25 | wpabuf_put_u8(buf, WLAN_ACTION_WNM); |
1019 | 25 | wpabuf_put_u8(buf, WNM_BSS_TRANS_MGMT_RESP); |
1020 | 25 | wpabuf_put_u8(buf, wpa_s->wnm_dialog_token); |
1021 | 25 | wpabuf_put_u8(buf, status); |
1022 | 25 | wpabuf_put_u8(buf, delay); |
1023 | 25 | if (target_bssid) { |
1024 | 0 | wpabuf_put_data(buf, target_bssid, ETH_ALEN); |
1025 | 25 | } else if (status == WNM_BSS_TM_ACCEPT) { |
1026 | | /* |
1027 | | * IEEE Std 802.11-2024, 9.6.13.10 (BSS Transition Management |
1028 | | * Response frame format) clarifies that the Target BSSID field |
1029 | | * is always present when status code is zero, so use a fake |
1030 | | * value here if no BSSID is yet known. |
1031 | | */ |
1032 | 5 | wpabuf_put_data(buf, "\0\0\0\0\0\0", ETH_ALEN); |
1033 | 5 | } |
1034 | | |
1035 | 25 | if (status == WNM_BSS_TM_ACCEPT && target_bssid) |
1036 | 0 | wnm_add_cand_list(wpa_s, &buf); |
1037 | | |
1038 | | #ifdef CONFIG_MBO |
1039 | | if (status != WNM_BSS_TM_ACCEPT && |
1040 | | wpa_bss_get_vendor_ie(wpa_s->current_bss, MBO_IE_VENDOR_TYPE)) { |
1041 | | u8 mbo[10]; |
1042 | | size_t ret; |
1043 | | |
1044 | | ret = wpas_mbo_ie_bss_trans_reject(wpa_s, mbo, sizeof(mbo), |
1045 | | reason); |
1046 | | if (ret) { |
1047 | | if (wpabuf_resize(&buf, ret) < 0) { |
1048 | | wpabuf_free(buf); |
1049 | | wpa_printf(MSG_DEBUG, |
1050 | | "WNM: Failed to allocate memory for MBO IE"); |
1051 | | return -1; |
1052 | | } |
1053 | | |
1054 | | wpabuf_put_data(buf, mbo, ret); |
1055 | | } |
1056 | | } |
1057 | | #endif /* CONFIG_MBO */ |
1058 | | |
1059 | 25 | res = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, |
1060 | 25 | wpa_s->own_addr, wpa_s->bssid, |
1061 | 25 | wpabuf_head_u8(buf), wpabuf_len(buf), 0); |
1062 | 25 | if (res < 0) { |
1063 | 25 | wpa_printf(MSG_DEBUG, |
1064 | 25 | "WNM: Failed to send BSS Transition Management Response"); |
1065 | 25 | } |
1066 | | |
1067 | 25 | wpabuf_free(buf); |
1068 | | |
1069 | 25 | return res; |
1070 | 25 | } |
1071 | | |
1072 | | |
1073 | | static void wnm_bss_tm_connect(struct wpa_supplicant *wpa_s, |
1074 | | struct wpa_bss *bss, struct wpa_ssid *ssid, |
1075 | | int after_new_scan) |
1076 | 0 | { |
1077 | 0 | struct wpa_radio_work *already_connecting; |
1078 | |
|
1079 | 0 | wpa_dbg(wpa_s, MSG_DEBUG, |
1080 | 0 | "WNM: Transition to BSS " MACSTR |
1081 | 0 | " based on BSS Transition Management Request (old BSSID " |
1082 | 0 | MACSTR " after_new_scan=%d)", |
1083 | 0 | MAC2STR(bss->bssid), MAC2STR(wpa_s->bssid), after_new_scan); |
1084 | | |
1085 | | /* Send the BSS Management Response - Accept */ |
1086 | 0 | if (wpa_s->wnm_reply) { |
1087 | 0 | wpa_s->wnm_target_bss = bss; |
1088 | 0 | wpa_printf(MSG_DEBUG, |
1089 | 0 | "WNM: Sending successful BSS Transition Management Response"); |
1090 | | |
1091 | | /* This function will be called again from the TX handler to |
1092 | | * start the actual reassociation after this response has been |
1093 | | * delivered to the current AP. */ |
1094 | 0 | if (wnm_send_bss_transition_mgmt_resp( |
1095 | 0 | wpa_s, WNM_BSS_TM_ACCEPT, |
1096 | 0 | MBO_TRANSITION_REJECT_REASON_UNSPECIFIED, 0, |
1097 | 0 | bss->bssid) >= 0) |
1098 | 0 | return; |
1099 | 0 | } |
1100 | | |
1101 | 0 | if (bss == wpa_s->current_bss) { |
1102 | 0 | wpa_printf(MSG_DEBUG, |
1103 | 0 | "WNM: Already associated with the preferred candidate"); |
1104 | 0 | wnm_btm_reset(wpa_s); |
1105 | 0 | return; |
1106 | 0 | } |
1107 | | |
1108 | 0 | already_connecting = radio_work_pending(wpa_s, "sme-connect"); |
1109 | 0 | wpa_s->reassociate = 1; |
1110 | 0 | wpa_printf(MSG_DEBUG, "WNM: Issuing connect"); |
1111 | 0 | wpa_supplicant_connect(wpa_s, bss, ssid); |
1112 | | |
1113 | | /* |
1114 | | * Indicate that a BSS transition is in progress so scan results that |
1115 | | * come in before the 'sme-connect' radio work gets executed do not |
1116 | | * override the original connection attempt. |
1117 | | */ |
1118 | 0 | if (!already_connecting && radio_work_pending(wpa_s, "sme-connect")) |
1119 | 0 | wpa_s->bss_trans_mgmt_in_progress = true; |
1120 | 0 | } |
1121 | | |
1122 | | |
1123 | | int wnm_scan_process(struct wpa_supplicant *wpa_s, bool pre_scan_check) |
1124 | 1.16k | { |
1125 | 1.16k | struct wpa_bss *bss, *current_bss = wpa_s->current_bss; |
1126 | 1.16k | struct wpa_ssid *ssid = wpa_s->current_ssid; |
1127 | 1.16k | enum bss_trans_mgmt_status_code status = WNM_BSS_TM_REJECT_UNSPECIFIED; |
1128 | 1.16k | enum mbo_transition_reject_reason reason = |
1129 | 1.16k | MBO_TRANSITION_REJECT_REASON_UNSPECIFIED; |
1130 | 1.16k | struct wpa_ssid *selected_ssid = NULL; |
1131 | | |
1132 | 1.16k | if (!ssid || !wpa_s->wnm_dialog_token) |
1133 | 0 | return 0; |
1134 | | |
1135 | 1.16k | wpa_dbg(wpa_s, MSG_DEBUG, |
1136 | 1.16k | "WNM: Process scan results for BSS Transition Management"); |
1137 | 1.16k | if (!pre_scan_check && |
1138 | 0 | os_reltime_initialized(&wpa_s->wnm_cand_valid_until) && |
1139 | 0 | os_reltime_before(&wpa_s->wnm_cand_valid_until, |
1140 | 0 | &wpa_s->scan_trigger_time)) { |
1141 | 0 | wpa_printf(MSG_DEBUG, "WNM: Previously stored BSS transition candidate list is not valid anymore - drop it"); |
1142 | 0 | goto send_bss_resp_fail; |
1143 | 0 | } |
1144 | | |
1145 | 1.16k | if (!pre_scan_check && !wpa_s->wnm_transition_scan) |
1146 | 0 | return 0; |
1147 | | |
1148 | 1.16k | wpa_s->wnm_transition_scan = false; |
1149 | | |
1150 | | /* Fetch MBO transition candidate rejection information from driver */ |
1151 | 1.16k | fetch_drv_mbo_candidate_info(wpa_s, &reason); |
1152 | | |
1153 | | /* Compare the Neighbor Report and scan results */ |
1154 | 1.16k | bss = wpa_supplicant_select_bss(wpa_s, ssid, &selected_ssid, 1); |
1155 | | #ifdef CONFIG_MBO |
1156 | | if (!bss && wpa_s->wnm_mbo_trans_reason_present && |
1157 | | (wpa_s->wnm_mode & WNM_BSS_TM_REQ_DISASSOC_IMMINENT)) { |
1158 | | int i; |
1159 | | bool changed = false; |
1160 | | |
1161 | | /* |
1162 | | * We didn't find any candidate, the driver had a say about |
1163 | | * which targets to reject and disassociation is immiment. |
1164 | | * |
1165 | | * We should still try to roam, so retry after ignoring the |
1166 | | * driver reject for any BSS that has an RSSI better than |
1167 | | * disassoc_imminent_rssi_threshold. |
1168 | | */ |
1169 | | for (i = 0; i < wpa_s->wnm_num_neighbor_report; i++) { |
1170 | | struct neighbor_report *nei; |
1171 | | |
1172 | | nei = &wpa_s->wnm_neighbor_report_elements[i]; |
1173 | | bss = wpa_bss_get_bssid(wpa_s, nei->bssid); |
1174 | | if (bss && bss->level > |
1175 | | wpa_s->conf->disassoc_imminent_rssi_threshold) { |
1176 | | nei->drv_mbo_reject = 0; |
1177 | | changed = true; |
1178 | | } |
1179 | | } |
1180 | | |
1181 | | if (changed) { |
1182 | | wpa_printf(MSG_DEBUG, |
1183 | | "WNM: Ignore driver rejection due to imminent disassociation and acceptable RSSI"); |
1184 | | bss = wpa_supplicant_select_bss(wpa_s, ssid, |
1185 | | &selected_ssid, 1); |
1186 | | } |
1187 | | } |
1188 | | #endif /* CONFIG_MBO */ |
1189 | | |
1190 | | /* |
1191 | | * If this is a pre-scan check, returning 0 will trigger a scan and |
1192 | | * another call. In that case, reject "bad" candidates in the hope of |
1193 | | * finding a better candidate after scanning. |
1194 | | * |
1195 | | * Use a simple heuristic to check whether the selection is reasonable |
1196 | | * or a scan is a good idea. For that, we need to have found a |
1197 | | * candidate BSS (which might be the current one), it is up-to-date, |
1198 | | * and we don't want to immediately roam back again. |
1199 | | */ |
1200 | 1.16k | if (pre_scan_check) { |
1201 | 1.16k | struct os_reltime age; |
1202 | | |
1203 | 1.16k | if (!bss) |
1204 | 1.16k | return 0; |
1205 | | |
1206 | 0 | os_reltime_age(&bss->last_update, &age); |
1207 | 0 | if (age.sec >= 10) |
1208 | 0 | return 0; |
1209 | | |
1210 | 0 | #ifndef CONFIG_NO_ROAMING |
1211 | 0 | if (current_bss && bss != current_bss && |
1212 | 0 | wpa_supplicant_need_to_roam_within_ess(wpa_s, bss, |
1213 | 0 | current_bss, false)) |
1214 | 0 | return 0; |
1215 | 0 | #endif /* CONFIG_NO_ROAMING */ |
1216 | 0 | } |
1217 | | |
1218 | 0 | #ifndef CONFIG_NO_ROAMING |
1219 | | /* Apply normal roaming rules if we can stay with the current BSS */ |
1220 | 0 | if (current_bss && bss != current_bss && |
1221 | 0 | wpa_scan_res_match(wpa_s, 0, current_bss, wpa_s->current_ssid, |
1222 | 0 | 1, 0, false) && |
1223 | 0 | !wpa_supplicant_need_to_roam_within_ess(wpa_s, current_bss, bss, |
1224 | 0 | true)) |
1225 | 0 | bss = current_bss; |
1226 | 0 | #endif /* CONFIG_NO_ROAMING */ |
1227 | |
|
1228 | 0 | if (!bss) { |
1229 | 0 | wpa_printf(MSG_DEBUG, "WNM: No BSS transition candidate match found"); |
1230 | 0 | status = WNM_BSS_TM_REJECT_NO_SUITABLE_CANDIDATES; |
1231 | 0 | goto send_bss_resp_fail; |
1232 | 0 | } |
1233 | | |
1234 | 0 | wpa_printf(MSG_DEBUG, |
1235 | 0 | "WNM: Found an acceptable preferred transition candidate BSS " |
1236 | 0 | MACSTR " (RSSI %d, tput: %d bss-tput: %d)", |
1237 | 0 | MAC2STR(bss->bssid), bss->level, bss->est_throughput, |
1238 | 0 | current_bss ? (int) current_bss->est_throughput : -1); |
1239 | | |
1240 | | /* Associate to the network */ |
1241 | 0 | wnm_bss_tm_connect(wpa_s, bss, ssid, 1); |
1242 | 0 | return 1; |
1243 | | |
1244 | 0 | send_bss_resp_fail: |
1245 | 0 | if (wpa_s->wnm_reply) { |
1246 | | /* If disassoc imminent is set, we must not reject */ |
1247 | 0 | if (wpa_s->wnm_mode & |
1248 | 0 | (WNM_BSS_TM_REQ_DISASSOC_IMMINENT | |
1249 | 0 | WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT)) { |
1250 | 0 | wpa_printf(MSG_DEBUG, |
1251 | 0 | "WNM: Accept BTM request because disassociation imminent bit is set"); |
1252 | 0 | status = WNM_BSS_TM_ACCEPT; |
1253 | 0 | } |
1254 | |
|
1255 | 0 | wnm_send_bss_transition_mgmt_resp(wpa_s, status, reason, |
1256 | 0 | 0, NULL); |
1257 | 0 | } |
1258 | |
|
1259 | 0 | wnm_btm_reset(wpa_s); |
1260 | |
|
1261 | 0 | return 1; |
1262 | 0 | } |
1263 | | |
1264 | | |
1265 | | static int cand_pref_compar(const void *a, const void *b) |
1266 | 3.01k | { |
1267 | 3.01k | const struct neighbor_report *aa = a; |
1268 | 3.01k | const struct neighbor_report *bb = b; |
1269 | | |
1270 | 3.01k | if (aa->disassoc_imminent && !bb->disassoc_imminent) |
1271 | 194 | return 1; |
1272 | 2.82k | if (bb->disassoc_imminent && !aa->disassoc_imminent) |
1273 | 72 | return -1; |
1274 | | |
1275 | 2.75k | if (!aa->preference_present && !bb->preference_present) |
1276 | 2.22k | return 0; |
1277 | 531 | if (!aa->preference_present) |
1278 | 142 | return 1; |
1279 | 389 | if (!bb->preference_present) |
1280 | 90 | return -1; |
1281 | 299 | if (bb->preference > aa->preference) |
1282 | 112 | return 1; |
1283 | 187 | if (bb->preference < aa->preference) |
1284 | 54 | return -1; |
1285 | 133 | return 0; |
1286 | 187 | } |
1287 | | |
1288 | | |
1289 | | static void wnm_sort_cand_list(struct wpa_supplicant *wpa_s) |
1290 | 1.15k | { |
1291 | 1.15k | if (!wpa_s->wnm_neighbor_report_elements) |
1292 | 0 | return; |
1293 | 1.15k | qsort(wpa_s->wnm_neighbor_report_elements, |
1294 | 1.15k | wpa_s->wnm_num_neighbor_report, sizeof(struct neighbor_report), |
1295 | 1.15k | cand_pref_compar); |
1296 | 1.15k | } |
1297 | | |
1298 | | |
1299 | | static void wnm_dump_cand_list(struct wpa_supplicant *wpa_s) |
1300 | 1.15k | { |
1301 | 1.15k | unsigned int i; |
1302 | | |
1303 | 1.15k | wpa_printf(MSG_DEBUG, "WNM: BSS Transition Candidate List"); |
1304 | 1.15k | if (!wpa_s->wnm_neighbor_report_elements) |
1305 | 0 | return; |
1306 | 4.11k | for (i = 0; i < wpa_s->wnm_num_neighbor_report; i++) { |
1307 | 2.96k | struct neighbor_report *nei; |
1308 | 2.96k | char mld_info[42] = ""; |
1309 | | |
1310 | 2.96k | nei = &wpa_s->wnm_neighbor_report_elements[i]; |
1311 | | |
1312 | 2.96k | if (!is_zero_ether_addr(nei->mld_addr)) |
1313 | 245 | os_snprintf(mld_info, sizeof(mld_info) - 1, |
1314 | 245 | " mld_addr=" MACSTR " links=0x%02x", |
1315 | 245 | MAC2STR(nei->mld_addr), nei->mld_links); |
1316 | | |
1317 | 2.96k | wpa_printf(MSG_DEBUG, "%u: " MACSTR |
1318 | 2.96k | " info=0x%x op_class=%u chan=%u phy=%u pref=%d freq=%d%s", |
1319 | 2.96k | i, MAC2STR(nei->bssid), nei->bssid_info, |
1320 | 2.96k | nei->regulatory_class, |
1321 | 2.96k | nei->channel_number, nei->phy_type, |
1322 | 2.96k | nei->preference_present ? nei->preference : -1, |
1323 | 2.96k | nei->freq, mld_info); |
1324 | 2.96k | } |
1325 | 1.15k | } |
1326 | | |
1327 | | |
1328 | | static int chan_supported(struct wpa_supplicant *wpa_s, int freq) |
1329 | 0 | { |
1330 | 0 | unsigned int i; |
1331 | |
|
1332 | 0 | for (i = 0; i < wpa_s->hw.num_modes; i++) { |
1333 | 0 | struct hostapd_hw_modes *mode = &wpa_s->hw.modes[i]; |
1334 | 0 | int j; |
1335 | |
|
1336 | 0 | for (j = 0; j < mode->num_channels; j++) { |
1337 | 0 | struct hostapd_channel_data *chan; |
1338 | |
|
1339 | 0 | chan = &mode->channels[j]; |
1340 | 0 | if (chan->freq == freq && |
1341 | 0 | !(chan->flag & HOSTAPD_CHAN_DISABLED)) |
1342 | 0 | return 1; |
1343 | 0 | } |
1344 | 0 | } |
1345 | | |
1346 | 0 | return 0; |
1347 | 0 | } |
1348 | | |
1349 | | |
1350 | | static void wnm_set_scan_freqs(struct wpa_supplicant *wpa_s) |
1351 | 1.16k | { |
1352 | 1.16k | unsigned int i; |
1353 | 1.16k | bool has_6ghz = false; |
1354 | | |
1355 | 1.16k | if (!wpa_s->wnm_neighbor_report_elements) |
1356 | 18 | return; |
1357 | | |
1358 | 1.15k | if (wpa_s->hw.modes == NULL) |
1359 | 1.15k | return; |
1360 | | |
1361 | 0 | os_free(wpa_s->next_scan_freqs); |
1362 | 0 | wpa_s->next_scan_freqs = NULL; |
1363 | |
|
1364 | 0 | for (i = 0; i < wpa_s->wnm_num_neighbor_report; i++) { |
1365 | 0 | struct neighbor_report *nei; |
1366 | |
|
1367 | 0 | nei = &wpa_s->wnm_neighbor_report_elements[i]; |
1368 | |
|
1369 | 0 | if (nei->preference_present && nei->preference == 0) |
1370 | 0 | continue; |
1371 | | |
1372 | 0 | if (nei->freq <= 0) { |
1373 | 0 | wpa_printf(MSG_DEBUG, |
1374 | 0 | "WNM: Unknown neighbor operating frequency for " |
1375 | 0 | MACSTR " - scan all channels", |
1376 | 0 | MAC2STR(nei->bssid)); |
1377 | 0 | os_free(wpa_s->next_scan_freqs); |
1378 | 0 | wpa_s->next_scan_freqs = NULL; |
1379 | 0 | return; |
1380 | 0 | } |
1381 | 0 | if (chan_supported(wpa_s, nei->freq)) |
1382 | 0 | int_array_add_unique(&wpa_s->next_scan_freqs, |
1383 | 0 | nei->freq); |
1384 | 0 | has_6ghz |= is_6ghz_freq(nei->freq); |
1385 | 0 | } |
1386 | | |
1387 | 0 | if (!wpa_s->next_scan_freqs) |
1388 | 0 | return; |
1389 | | |
1390 | 0 | wpa_printf(MSG_DEBUG, |
1391 | 0 | "WNM: Scan %zu frequencies based on transition candidate list", |
1392 | 0 | int_array_len(wpa_s->next_scan_freqs)); |
1393 | | |
1394 | | /* |
1395 | | * Candidates on 6 GHz channels might be collocated ones, and thus, in |
1396 | | * order to discover them need to include the frequencies on the 2.4 |
1397 | | * and 5 GHz bands. Since the scan time can be long, optimize the case |
1398 | | * of a single channel by forcing passive scan instead of doing a |
1399 | | * collocated scan. |
1400 | | */ |
1401 | 0 | if (has_6ghz) { |
1402 | 0 | struct hostapd_channel_data *chan; |
1403 | 0 | struct os_reltime now; |
1404 | | |
1405 | | /* In case the candidate validity time is too short, force it |
1406 | | * to be long enough to account for the longer scan time. |
1407 | | */ |
1408 | 0 | os_get_reltime(&now); |
1409 | 0 | now.sec += 5; |
1410 | |
|
1411 | 0 | if (os_reltime_initialized(&wpa_s->wnm_cand_valid_until) && |
1412 | 0 | !os_reltime_before(&wpa_s->wnm_cand_valid_until, &now)) { |
1413 | 0 | wpa_printf(MSG_DEBUG, |
1414 | 0 | "WNM: Scan: 6 GHz: update validity time"); |
1415 | |
|
1416 | 0 | os_memcpy(&wpa_s->wnm_cand_valid_until, &now, |
1417 | 0 | sizeof(now)); |
1418 | 0 | } |
1419 | |
|
1420 | 0 | if (int_array_len(wpa_s->next_scan_freqs) == 1) { |
1421 | 0 | wpa_printf(MSG_DEBUG, |
1422 | 0 | "WNM: Scan: Single 6 GHz channel: passive"); |
1423 | |
|
1424 | 0 | wpa_s->scan_req = MANUAL_SCAN_REQ; |
1425 | 0 | wpa_s->manual_scan_passive = 1; |
1426 | 0 | return; |
1427 | 0 | } |
1428 | | |
1429 | 0 | wpa_printf(MSG_DEBUG, |
1430 | 0 | "WNM: Scan: Add 2.4/5 GHz channels as well for 6 GHz discovery"); |
1431 | |
|
1432 | 0 | for (i = 0; i < wpa_s->hw.num_modes; i++) { |
1433 | 0 | struct hostapd_hw_modes *mode = &wpa_s->hw.modes[i]; |
1434 | 0 | int j; |
1435 | | |
1436 | | /* skip all the irrelevant modes */ |
1437 | 0 | if ((mode->mode != HOSTAPD_MODE_IEEE80211B && |
1438 | 0 | mode->mode != HOSTAPD_MODE_IEEE80211G && |
1439 | 0 | mode->mode != HOSTAPD_MODE_IEEE80211A) || |
1440 | 0 | mode->is_6ghz) |
1441 | 0 | continue; |
1442 | | |
1443 | 0 | for (j = 0; j < mode->num_channels; j++) { |
1444 | 0 | chan = &mode->channels[j]; |
1445 | 0 | if (chan->flag & HOSTAPD_CHAN_DISABLED) |
1446 | 0 | continue; |
1447 | | |
1448 | 0 | int_array_add_unique(&wpa_s->next_scan_freqs, |
1449 | 0 | chan->freq); |
1450 | 0 | } |
1451 | 0 | } |
1452 | |
|
1453 | 0 | wpa_printf(MSG_DEBUG, |
1454 | 0 | "WNM: Scan %zu frequencies (including collocated)", |
1455 | 0 | int_array_len(wpa_s->next_scan_freqs)); |
1456 | 0 | } |
1457 | 0 | } |
1458 | | |
1459 | | |
1460 | | static int wnm_parse_candidate_list(struct wpa_supplicant *wpa_s, |
1461 | | const u8 *pos, const u8 *end, |
1462 | | int *num_valid_candidates) |
1463 | 1.25k | { |
1464 | 1.25k | *num_valid_candidates = 0; |
1465 | | |
1466 | 7.11M | while (end - pos >= 2 && |
1467 | 7.11M | wpa_s->wnm_num_neighbor_report < WNM_MAX_NEIGHBOR_REPORT) { |
1468 | 7.11M | u8 tag = *pos++; |
1469 | 7.11M | u8 len = *pos++; |
1470 | | |
1471 | 7.11M | wpa_printf(MSG_DEBUG, "WNM: Neighbor report tag %u", tag); |
1472 | 7.11M | if (len > end - pos) { |
1473 | 58 | wpa_printf(MSG_DEBUG, "WNM: Truncated request"); |
1474 | 58 | return -1; |
1475 | 58 | } |
1476 | 7.11M | if (tag == WLAN_EID_NEIGHBOR_REPORT) { |
1477 | 3.11k | struct neighbor_report *rep; |
1478 | | |
1479 | 3.11k | if (!wpa_s->wnm_num_neighbor_report) { |
1480 | 1.19k | wpa_s->wnm_neighbor_report_elements = os_calloc( |
1481 | 1.19k | WNM_MAX_NEIGHBOR_REPORT, |
1482 | 1.19k | sizeof(struct neighbor_report)); |
1483 | 1.19k | if (!wpa_s->wnm_neighbor_report_elements) |
1484 | 0 | return -1; |
1485 | 1.19k | } |
1486 | | |
1487 | 3.11k | rep = &wpa_s->wnm_neighbor_report_elements[ |
1488 | 3.11k | wpa_s->wnm_num_neighbor_report]; |
1489 | 3.11k | wnm_parse_neighbor_report(wpa_s, pos, len, rep); |
1490 | 3.11k | if ((wpa_s->wnm_mode & |
1491 | 3.11k | WNM_BSS_TM_REQ_DISASSOC_IMMINENT) && |
1492 | 1.42k | ether_addr_equal(rep->bssid, wpa_s->bssid)) |
1493 | 170 | rep->disassoc_imminent = 1; |
1494 | | |
1495 | 3.11k | if (rep->preference_present && rep->preference) |
1496 | 206 | *num_valid_candidates += 1; |
1497 | | |
1498 | 3.11k | wpa_s->wnm_num_neighbor_report++; |
1499 | 3.11k | } |
1500 | | |
1501 | 7.11M | pos += len; |
1502 | 7.11M | } |
1503 | | |
1504 | 1.19k | return 0; |
1505 | 1.25k | } |
1506 | | |
1507 | | |
1508 | | static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s, |
1509 | | const u8 *pos, const u8 *end, |
1510 | | int reply) |
1511 | 1.28k | { |
1512 | 1.28k | unsigned int beacon_int; |
1513 | 1.28k | u8 valid_int; |
1514 | | #ifdef CONFIG_MBO |
1515 | | const u8 *vendor; |
1516 | | #endif /* CONFIG_MBO */ |
1517 | 1.28k | bool disassoc_imminent; |
1518 | 1.28k | int num_valid_candidates; |
1519 | | |
1520 | 1.28k | if (wpa_s->disable_mbo_oce || wpa_s->conf->disable_btm) |
1521 | 0 | return; |
1522 | | |
1523 | 1.28k | if (end - pos < 5) |
1524 | 5 | return; |
1525 | | |
1526 | 1.27k | if (wpa_s->current_bss) |
1527 | 1.27k | beacon_int = wpa_s->current_bss->beacon_int; |
1528 | 0 | else |
1529 | 0 | beacon_int = 100; /* best guess */ |
1530 | | |
1531 | 1.27k | wnm_btm_reset(wpa_s); |
1532 | | |
1533 | 1.27k | wpa_s->wnm_dialog_token = pos[0]; |
1534 | 1.27k | wpa_s->wnm_mode = pos[1]; |
1535 | 1.27k | wpa_s->wnm_disassoc_timer = WPA_GET_LE16(pos + 2); |
1536 | 1.27k | wpa_s->wnm_link_removal = false; |
1537 | 1.27k | valid_int = pos[4]; |
1538 | 1.27k | wpa_s->wnm_reply = reply; |
1539 | | |
1540 | 1.27k | wpa_printf(MSG_DEBUG, "WNM: BSS Transition Management Request: " |
1541 | 1.27k | "dialog_token=%u request_mode=0x%x " |
1542 | 1.27k | "disassoc_timer=%u validity_interval=%u", |
1543 | 1.27k | wpa_s->wnm_dialog_token, wpa_s->wnm_mode, |
1544 | 1.27k | wpa_s->wnm_disassoc_timer, valid_int); |
1545 | | |
1546 | 1.27k | if (!wpa_s->wnm_dialog_token) { |
1547 | 2 | wpa_printf(MSG_DEBUG, "WNM: Invalid dialog token"); |
1548 | 2 | goto reset; |
1549 | 2 | } |
1550 | | |
1551 | | #if defined(CONFIG_MBO) && defined(CONFIG_TESTING_OPTIONS) |
1552 | | if (wpa_s->reject_btm_req_reason) { |
1553 | | wpa_printf(MSG_INFO, |
1554 | | "WNM: Testing - reject BSS Transition Management Request: reject_btm_req_reason=%d", |
1555 | | wpa_s->reject_btm_req_reason); |
1556 | | wnm_send_bss_transition_mgmt_resp( |
1557 | | wpa_s, wpa_s->reject_btm_req_reason, |
1558 | | MBO_TRANSITION_REJECT_REASON_UNSPECIFIED, 0, NULL); |
1559 | | goto reset; |
1560 | | } |
1561 | | #endif /* CONFIG_MBO && CONFIG_TESTING_OPTIONS */ |
1562 | | |
1563 | 1.27k | pos += 5; |
1564 | | |
1565 | 1.27k | if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_BSS_TERMINATION_INCLUDED) { |
1566 | 38 | if (end - pos < 12) { |
1567 | 5 | wpa_printf(MSG_DEBUG, "WNM: Too short BSS TM Request"); |
1568 | 5 | goto reset; |
1569 | 5 | } |
1570 | 33 | os_memcpy(wpa_s->wnm_bss_termination_duration, pos, 12); |
1571 | 33 | pos += 12; /* BSS Termination Duration */ |
1572 | 33 | } |
1573 | | |
1574 | 1.26k | if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) { |
1575 | 107 | char url[256]; |
1576 | 107 | u8 url_len; |
1577 | | |
1578 | 107 | if (end - pos < 1) { |
1579 | 4 | wpa_printf(MSG_DEBUG, "WNM: Invalid BSS Transition " |
1580 | 4 | "Management Request (URL)"); |
1581 | 4 | goto reset; |
1582 | 4 | } |
1583 | 103 | url_len = *pos++; |
1584 | 103 | if (url_len > end - pos) { |
1585 | 11 | wpa_printf(MSG_DEBUG, |
1586 | 11 | "WNM: Invalid BSS Transition Management Request (URL truncated)"); |
1587 | 11 | goto reset; |
1588 | 11 | } |
1589 | 92 | os_memcpy(url, pos, url_len); |
1590 | 92 | url[url_len] = '\0'; |
1591 | 92 | pos += url_len; |
1592 | | |
1593 | 92 | wpa_msg(wpa_s, MSG_INFO, ESS_DISASSOC_IMMINENT "%d %u %s", |
1594 | 92 | wpa_sm_pmf_enabled(wpa_s->wpa), |
1595 | 92 | wpa_s->wnm_disassoc_timer * beacon_int * 128 / 125, |
1596 | 92 | url); |
1597 | 92 | } |
1598 | | |
1599 | 1.25k | disassoc_imminent = wpa_s->wnm_mode & WNM_BSS_TM_REQ_DISASSOC_IMMINENT; |
1600 | | |
1601 | | /* |
1602 | | * Based on IEEE Std 802.11be-2024, Table 9-538a (BSS Termination |
1603 | | * Included and Link Removal Imminent fields encoding), when a station |
1604 | | * is a non-AP MLD with more than one affiliated link, the Link Removal |
1605 | | * Imminent field is set to 1, and the BSS Termination Included field |
1606 | | * is set to 1, only one of the links is removed and the other links |
1607 | | * remain associated. Ignore the Disassociation Imminent field in such |
1608 | | * a case. |
1609 | | * |
1610 | | * TODO: We should check if the AP has more than one link. |
1611 | | * TODO: We should pass the RX link and use that |
1612 | | */ |
1613 | 1.25k | if (disassoc_imminent && wpa_s->valid_links && |
1614 | 0 | (wpa_s->wnm_mode & WNM_BSS_TM_REQ_LINK_REMOVAL_IMMINENT) && |
1615 | 0 | (wpa_s->wnm_mode & WNM_BSS_TM_REQ_BSS_TERMINATION_INCLUDED)) { |
1616 | | /* If we still have a link, then just accept the request */ |
1617 | 0 | if (wpa_s->valid_links & (wpa_s->valid_links - 1)) { |
1618 | 0 | wpa_printf(MSG_INFO, |
1619 | 0 | "WNM: BTM request for a single MLO link - ignore disassociation imminent since other links remain associated"); |
1620 | 0 | disassoc_imminent = false; |
1621 | |
|
1622 | 0 | wnm_send_bss_transition_mgmt_resp( |
1623 | 0 | wpa_s, WNM_BSS_TM_ACCEPT, 0, 0, NULL); |
1624 | |
|
1625 | 0 | goto reset; |
1626 | 0 | } |
1627 | | |
1628 | | /* The last link is being removed (which must be the assoc link) |
1629 | | */ |
1630 | 0 | wpa_s->wnm_link_removal = true; |
1631 | 0 | wpa_s->wnm_disassoc_mld = false; |
1632 | 0 | os_memcpy(wpa_s->wnm_disassoc_addr, |
1633 | 0 | wpa_s->links[wpa_s->mlo_assoc_link_id].bssid, |
1634 | 0 | ETH_ALEN); |
1635 | 1.25k | } else if (wpa_s->valid_links) { |
1636 | 0 | wpa_s->wnm_disassoc_mld = true; |
1637 | 0 | os_memcpy(wpa_s->wnm_disassoc_addr, wpa_s->ap_mld_addr, |
1638 | 0 | ETH_ALEN); |
1639 | 1.25k | } else { |
1640 | 1.25k | wpa_s->wnm_disassoc_mld = false; |
1641 | 1.25k | os_memcpy(wpa_s->wnm_disassoc_addr, wpa_s->bssid, ETH_ALEN); |
1642 | 1.25k | } |
1643 | | |
1644 | 1.25k | if (disassoc_imminent) |
1645 | 505 | wpa_msg(wpa_s, MSG_INFO, "WNM: Disassociation Imminent - " |
1646 | 505 | "Disassociation Timer %u", wpa_s->wnm_disassoc_timer); |
1647 | | |
1648 | | #ifdef CONFIG_MBO |
1649 | | vendor = get_ie(pos, end - pos, WLAN_EID_VENDOR_SPECIFIC); |
1650 | | if (vendor) |
1651 | | wpas_mbo_ie_trans_req(wpa_s, vendor + 2, vendor[1]); |
1652 | | #endif /* CONFIG_MBO */ |
1653 | | |
1654 | 1.25k | if (wnm_parse_candidate_list(wpa_s, pos, end, |
1655 | 1.25k | &num_valid_candidates) < 0) |
1656 | 58 | goto reset; |
1657 | | |
1658 | 1.19k | if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_PREF_CAND_LIST_INCLUDED) { |
1659 | 622 | if (!wpa_s->wnm_num_neighbor_report) { |
1660 | 13 | wpa_printf(MSG_DEBUG, |
1661 | 13 | "WNM: Candidate list included bit is set, but no candidates found"); |
1662 | 13 | wnm_send_bss_transition_mgmt_resp( |
1663 | 13 | wpa_s, WNM_BSS_TM_REJECT_NO_SUITABLE_CANDIDATES, |
1664 | 13 | MBO_TRANSITION_REJECT_REASON_UNSPECIFIED, 0, |
1665 | 13 | NULL); |
1666 | 13 | goto reset; |
1667 | 13 | } |
1668 | 609 | wpa_msg(wpa_s, MSG_INFO, "WNM: Preferred List Available"); |
1669 | 609 | } |
1670 | | |
1671 | 1.18k | if (wpa_s->wnm_num_neighbor_report) { |
1672 | 1.15k | unsigned int valid_ms; |
1673 | | |
1674 | 1.15k | wnm_sort_cand_list(wpa_s); |
1675 | 1.15k | wnm_dump_cand_list(wpa_s); |
1676 | 1.15k | valid_ms = valid_int * beacon_int * 128 / 125; |
1677 | 1.15k | wpa_printf(MSG_DEBUG, "WNM: Candidate list valid for %u ms", |
1678 | 1.15k | valid_ms); |
1679 | 1.15k | os_get_reltime(&wpa_s->wnm_cand_valid_until); |
1680 | 1.15k | os_reltime_add_ms(&wpa_s->wnm_cand_valid_until, valid_ms); |
1681 | 1.15k | } else if (!disassoc_imminent) { |
1682 | 15 | enum bss_trans_mgmt_status_code status; |
1683 | | |
1684 | | /* No candidate list and disassociation is not imminent */ |
1685 | | |
1686 | 15 | if ((wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) || |
1687 | 10 | wpa_s->wnm_link_removal) |
1688 | 5 | status = WNM_BSS_TM_ACCEPT; |
1689 | 10 | else { |
1690 | 10 | wpa_msg(wpa_s, MSG_INFO, "WNM: BSS Transition Management Request did not include candidates"); |
1691 | 10 | status = WNM_BSS_TM_REJECT_UNSPECIFIED; |
1692 | 10 | } |
1693 | | |
1694 | 15 | if (reply) |
1695 | 12 | wnm_send_bss_transition_mgmt_resp( |
1696 | 12 | wpa_s, status, |
1697 | 12 | MBO_TRANSITION_REJECT_REASON_UNSPECIFIED, 0, |
1698 | 12 | NULL); |
1699 | | |
1700 | 15 | goto reset; |
1701 | 15 | } |
1702 | | |
1703 | | /* |
1704 | | * Try fetching the latest scan results from the kernel. |
1705 | | * This can help in finding more up-to-date information should |
1706 | | * the driver have done some internal scanning operations after |
1707 | | * the last scan result update in wpa_supplicant. |
1708 | | * |
1709 | | * It is not a new scan, this does not update the last_scan |
1710 | | * timestamp nor will it expire old BSSs. |
1711 | | */ |
1712 | 1.16k | wpa_supplicant_update_scan_results(wpa_s, NULL); |
1713 | 1.16k | if (wnm_scan_process(wpa_s, true) > 0) |
1714 | 0 | return; |
1715 | 1.16k | wpa_printf(MSG_DEBUG, |
1716 | 1.16k | "WNM: No valid match in previous scan results - try a new scan"); |
1717 | | |
1718 | | /* |
1719 | | * If we have a fixed BSSID configured, just reject at this point. |
1720 | | * NOTE: We could actually check if we are allowed to stay (and we do |
1721 | | * above if we have scan results available). |
1722 | | */ |
1723 | 1.16k | if (wpa_s->current_ssid && wpa_s->current_ssid->bssid_set) { |
1724 | 0 | wpa_printf(MSG_DEBUG, "WNM: Fixed BSSID, rejecting request"); |
1725 | |
|
1726 | 0 | if (reply) |
1727 | 0 | wnm_send_bss_transition_mgmt_resp( |
1728 | 0 | wpa_s, WNM_BSS_TM_REJECT_NO_SUITABLE_CANDIDATES, |
1729 | 0 | MBO_TRANSITION_REJECT_REASON_UNSPECIFIED, 0, |
1730 | 0 | NULL); |
1731 | |
|
1732 | 0 | goto reset; |
1733 | 0 | } |
1734 | | |
1735 | 1.16k | wnm_set_scan_freqs(wpa_s); |
1736 | 1.16k | if (num_valid_candidates == 1) { |
1737 | | /* Any invalid candidate was sorted to the end */ |
1738 | 34 | os_memcpy(wpa_s->next_scan_bssid, |
1739 | 34 | wpa_s->wnm_neighbor_report_elements[0].bssid, |
1740 | 34 | ETH_ALEN); |
1741 | 34 | wpa_printf(MSG_DEBUG, |
1742 | 34 | "WNM: Scan only for a specific BSSID since there is only a single candidate " |
1743 | 34 | MACSTR, MAC2STR(wpa_s->next_scan_bssid)); |
1744 | 34 | } |
1745 | 1.16k | wpa_s->wnm_transition_scan = true; |
1746 | 1.16k | wpa_supplicant_req_scan(wpa_s, 0, 0); |
1747 | | |
1748 | | /* Continue from scan handler */ |
1749 | 1.16k | return; |
1750 | | |
1751 | 108 | reset: |
1752 | 108 | wnm_btm_reset(wpa_s); |
1753 | 108 | } |
1754 | | |
1755 | | |
1756 | | int wnm_btm_resp_tx_status(struct wpa_supplicant *wpa_s, const u8 *data, |
1757 | | size_t data_len) |
1758 | 0 | { |
1759 | 0 | const struct ieee80211_mgmt *frame = |
1760 | 0 | (const struct ieee80211_mgmt *) data; |
1761 | |
|
1762 | 0 | if (data_len < |
1763 | 0 | IEEE80211_HDRLEN + sizeof(frame->u.action.u.bss_tm_resp) || |
1764 | 0 | frame->u.action.category != WLAN_ACTION_WNM || |
1765 | 0 | frame->u.action.u.bss_tm_resp.action != WNM_BSS_TRANS_MGMT_RESP || |
1766 | 0 | frame->u.action.u.bss_tm_resp.status_code != WNM_BSS_TM_ACCEPT) |
1767 | 0 | return -1; |
1768 | | |
1769 | | /* |
1770 | | * If disassoc imminent bit was set in the request, the response may |
1771 | | * indicate accept even if no candidate was found, so bail out here. |
1772 | | */ |
1773 | 0 | if (!wpa_s->wnm_target_bss) { |
1774 | 0 | wpa_printf(MSG_DEBUG, "WNM: Target BSS is not set"); |
1775 | 0 | return 0; |
1776 | 0 | } |
1777 | | |
1778 | 0 | if (!wpa_s->current_ssid) |
1779 | 0 | return 0; |
1780 | | |
1781 | 0 | wnm_bss_tm_connect(wpa_s, wpa_s->wnm_target_bss, wpa_s->current_ssid, |
1782 | 0 | 0); |
1783 | |
|
1784 | 0 | wpa_s->wnm_target_bss = NULL; |
1785 | 0 | return 0; |
1786 | 0 | } |
1787 | | |
1788 | | |
1789 | 0 | #define BTM_QUERY_MIN_SIZE 4 |
1790 | | |
1791 | | int wnm_send_bss_transition_mgmt_query(struct wpa_supplicant *wpa_s, |
1792 | | u8 query_reason, |
1793 | | const char *btm_candidates, |
1794 | | int cand_list) |
1795 | 0 | { |
1796 | 0 | struct wpabuf *buf; |
1797 | 0 | int ret; |
1798 | |
|
1799 | 0 | wpa_printf(MSG_DEBUG, "WNM: Send BSS Transition Management Query to " |
1800 | 0 | MACSTR " query_reason=%u%s", |
1801 | 0 | MAC2STR(wpa_s->bssid), query_reason, |
1802 | 0 | cand_list ? " candidate list" : ""); |
1803 | |
|
1804 | 0 | buf = wpabuf_alloc(BTM_QUERY_MIN_SIZE); |
1805 | 0 | if (!buf) |
1806 | 0 | return -1; |
1807 | | |
1808 | 0 | wpabuf_put_u8(buf, WLAN_ACTION_WNM); |
1809 | 0 | wpabuf_put_u8(buf, WNM_BSS_TRANS_MGMT_QUERY); |
1810 | 0 | wpabuf_put_u8(buf, 1); |
1811 | 0 | wpabuf_put_u8(buf, query_reason); |
1812 | |
|
1813 | 0 | if (cand_list) |
1814 | 0 | wnm_add_cand_list(wpa_s, &buf); |
1815 | |
|
1816 | 0 | if (btm_candidates) { |
1817 | 0 | const size_t max_len = 1000; |
1818 | |
|
1819 | 0 | ret = wpabuf_resize(&buf, max_len); |
1820 | 0 | if (ret < 0) { |
1821 | 0 | wpabuf_free(buf); |
1822 | 0 | return ret; |
1823 | 0 | } |
1824 | | |
1825 | 0 | ret = ieee802_11_parse_candidate_list(btm_candidates, |
1826 | 0 | wpabuf_put(buf, 0), |
1827 | 0 | max_len); |
1828 | 0 | if (ret < 0) { |
1829 | 0 | wpabuf_free(buf); |
1830 | 0 | return ret; |
1831 | 0 | } |
1832 | | |
1833 | 0 | wpabuf_put(buf, ret); |
1834 | 0 | } |
1835 | | |
1836 | 0 | ret = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, |
1837 | 0 | wpa_s->own_addr, wpa_s->bssid, |
1838 | 0 | wpabuf_head_u8(buf), wpabuf_len(buf), 0); |
1839 | |
|
1840 | 0 | wpabuf_free(buf); |
1841 | 0 | return ret; |
1842 | 0 | } |
1843 | | |
1844 | | |
1845 | | static void ieee802_11_rx_wnm_notif_req_wfa(struct wpa_supplicant *wpa_s, |
1846 | | const u8 *sa, const u8 *data, |
1847 | | int len) |
1848 | 287 | { |
1849 | 287 | const u8 *pos, *end, *next; |
1850 | 287 | u8 ie, ie_len; |
1851 | | |
1852 | 287 | pos = data; |
1853 | 287 | end = data + len; |
1854 | | |
1855 | 1.53M | while (end - pos > 1) { |
1856 | 1.53M | ie = *pos++; |
1857 | 1.53M | ie_len = *pos++; |
1858 | 1.53M | wpa_printf(MSG_DEBUG, "WNM: WFA subelement %u len %u", |
1859 | 1.53M | ie, ie_len); |
1860 | 1.53M | if (ie_len > end - pos) { |
1861 | 54 | wpa_printf(MSG_DEBUG, "WNM: Not enough room for " |
1862 | 54 | "subelement"); |
1863 | 54 | break; |
1864 | 54 | } |
1865 | 1.53M | next = pos + ie_len; |
1866 | 1.53M | if (ie_len < 4) { |
1867 | 1.49M | pos = next; |
1868 | 1.49M | continue; |
1869 | 1.49M | } |
1870 | 45.3k | wpa_printf(MSG_DEBUG, "WNM: Subelement OUI %06x type %u", |
1871 | 45.3k | WPA_GET_BE24(pos), pos[3]); |
1872 | | |
1873 | 45.3k | #ifdef CONFIG_HS20 |
1874 | 45.3k | if (ie == WLAN_EID_VENDOR_SPECIFIC && ie_len >= 8 && |
1875 | 2.43k | WPA_GET_BE24(pos) == OUI_WFA && |
1876 | 1.71k | pos[3] == HS20_WNM_DEAUTH_IMMINENT_NOTICE) { |
1877 | 481 | const u8 *ie_end; |
1878 | 481 | u8 url_len; |
1879 | 481 | char *url; |
1880 | 481 | u8 code; |
1881 | 481 | u16 reauth_delay; |
1882 | | |
1883 | 481 | ie_end = pos + ie_len; |
1884 | 481 | pos += 4; |
1885 | 481 | code = *pos++; |
1886 | 481 | reauth_delay = WPA_GET_LE16(pos); |
1887 | 481 | pos += 2; |
1888 | 481 | url_len = *pos++; |
1889 | 481 | wpa_printf(MSG_DEBUG, "WNM: HS 2.0 Deauthentication " |
1890 | 481 | "Imminent - Reason Code %u " |
1891 | 481 | "Re-Auth Delay %u URL Length %u", |
1892 | 481 | code, reauth_delay, url_len); |
1893 | 481 | if (url_len > ie_end - pos) |
1894 | 8 | break; |
1895 | 473 | url = os_malloc(url_len + 1); |
1896 | 473 | if (url == NULL) |
1897 | 0 | break; |
1898 | 473 | os_memcpy(url, pos, url_len); |
1899 | 473 | url[url_len] = '\0'; |
1900 | 473 | hs20_rx_deauth_imminent_notice(wpa_s, code, |
1901 | 473 | reauth_delay, url); |
1902 | 473 | os_free(url); |
1903 | 473 | pos = next; |
1904 | 473 | continue; |
1905 | 473 | } |
1906 | | |
1907 | 44.8k | if (ie == WLAN_EID_VENDOR_SPECIFIC && ie_len >= 5 && |
1908 | 6.25k | WPA_GET_BE24(pos) == OUI_WFA && |
1909 | 4.23k | pos[3] == HS20_WNM_T_C_ACCEPTANCE) { |
1910 | 923 | const u8 *ie_end; |
1911 | 923 | u8 url_len; |
1912 | 923 | char *url; |
1913 | | |
1914 | 923 | ie_end = pos + ie_len; |
1915 | 923 | pos += 4; |
1916 | 923 | url_len = *pos++; |
1917 | 923 | wpa_printf(MSG_DEBUG, |
1918 | 923 | "WNM: HS 2.0 Terms and Conditions Acceptance (URL Length %u)", |
1919 | 923 | url_len); |
1920 | 923 | if (url_len > ie_end - pos) |
1921 | 14 | break; |
1922 | 909 | url = os_malloc(url_len + 1); |
1923 | 909 | if (!url) |
1924 | 0 | break; |
1925 | 909 | os_memcpy(url, pos, url_len); |
1926 | 909 | url[url_len] = '\0'; |
1927 | 909 | hs20_rx_t_c_acceptance(wpa_s, url); |
1928 | 909 | os_free(url); |
1929 | 909 | pos = next; |
1930 | 909 | continue; |
1931 | 909 | } |
1932 | 43.9k | #endif /* CONFIG_HS20 */ |
1933 | | |
1934 | 43.9k | pos = next; |
1935 | 43.9k | } |
1936 | 287 | } |
1937 | | |
1938 | | |
1939 | | static void ieee802_11_rx_wnm_notif_req(struct wpa_supplicant *wpa_s, |
1940 | | const u8 *da, const u8 *sa, |
1941 | | const u8 *frm, int len) |
1942 | 299 | { |
1943 | 299 | const u8 *pos, *end; |
1944 | 299 | u8 dialog_token, type; |
1945 | | |
1946 | 299 | if (is_multicast_ether_addr(da)) { |
1947 | 1 | wpa_printf(MSG_DEBUG, |
1948 | 1 | "WNM: Ignore group-addressed WNM Notification Request frame (A1=" |
1949 | 1 | MACSTR " A2=" MACSTR ")", |
1950 | 1 | MAC2STR(da), MAC2STR(sa)); |
1951 | 1 | return; |
1952 | 1 | } |
1953 | | |
1954 | | /* Dialog Token [1] | Type [1] | Subelements */ |
1955 | | |
1956 | 298 | if (len < 2 || sa == NULL) |
1957 | 2 | return; |
1958 | 296 | end = frm + len; |
1959 | 296 | pos = frm; |
1960 | 296 | dialog_token = *pos++; |
1961 | 296 | type = *pos++; |
1962 | | |
1963 | 296 | wpa_dbg(wpa_s, MSG_DEBUG, "WNM: Received WNM-Notification Request " |
1964 | 296 | "(dialog_token %u type %u sa " MACSTR ")", |
1965 | 296 | dialog_token, type, MAC2STR(sa)); |
1966 | 296 | wpa_hexdump(MSG_DEBUG, "WNM-Notification Request subelements", |
1967 | 296 | pos, end - pos); |
1968 | | |
1969 | 296 | if (wpa_s->wpa_state != WPA_COMPLETED || |
1970 | 296 | (!ether_addr_equal(sa, wpa_s->bssid) && |
1971 | 0 | (!wpa_s->valid_links || |
1972 | 0 | !ether_addr_equal(sa, wpa_s->ap_mld_addr)))) { |
1973 | 0 | wpa_dbg(wpa_s, MSG_DEBUG, "WNM: WNM-Notification frame not " |
1974 | 0 | "from our AP - ignore it"); |
1975 | 0 | return; |
1976 | 0 | } |
1977 | | |
1978 | 296 | switch (type) { |
1979 | 287 | case 1: |
1980 | 287 | ieee802_11_rx_wnm_notif_req_wfa(wpa_s, sa, pos, end - pos); |
1981 | 287 | break; |
1982 | 9 | default: |
1983 | 9 | wpa_dbg(wpa_s, MSG_DEBUG, "WNM: Ignore unknown " |
1984 | 9 | "WNM-Notification type %u", type); |
1985 | 9 | break; |
1986 | 296 | } |
1987 | 296 | } |
1988 | | |
1989 | | |
1990 | | static void ieee802_11_rx_wnm_coloc_intf_req(struct wpa_supplicant *wpa_s, |
1991 | | const u8 *sa, const u8 *frm, |
1992 | | int len) |
1993 | 2 | { |
1994 | 2 | u8 dialog_token, req_info, auto_report, timeout; |
1995 | | |
1996 | 2 | if (!wpa_s->conf->coloc_intf_reporting) |
1997 | 2 | return; |
1998 | | |
1999 | | /* Dialog Token [1] | Request Info [1] */ |
2000 | | |
2001 | 0 | if (len < 2) |
2002 | 0 | return; |
2003 | 0 | dialog_token = frm[0]; |
2004 | 0 | req_info = frm[1]; |
2005 | 0 | auto_report = req_info & 0x03; |
2006 | 0 | timeout = req_info >> 2; |
2007 | |
|
2008 | 0 | wpa_dbg(wpa_s, MSG_DEBUG, |
2009 | 0 | "WNM: Received Collocated Interference Request (dialog_token %u auto_report %u timeout %u sa " MACSTR ")", |
2010 | 0 | dialog_token, auto_report, timeout, MAC2STR(sa)); |
2011 | |
|
2012 | 0 | if (dialog_token == 0) |
2013 | 0 | return; /* only nonzero values are used for request */ |
2014 | | |
2015 | 0 | if (wpa_s->wpa_state != WPA_COMPLETED || |
2016 | 0 | (!ether_addr_equal(sa, wpa_s->bssid) && |
2017 | 0 | (!wpa_s->valid_links || |
2018 | 0 | !ether_addr_equal(sa, wpa_s->ap_mld_addr)))) { |
2019 | 0 | wpa_dbg(wpa_s, MSG_DEBUG, |
2020 | 0 | "WNM: Collocated Interference Request frame not from current AP - ignore it"); |
2021 | 0 | return; |
2022 | 0 | } |
2023 | | |
2024 | 0 | wpa_msg(wpa_s, MSG_INFO, COLOC_INTF_REQ "%u %u %u", |
2025 | 0 | dialog_token, auto_report, timeout); |
2026 | 0 | wpa_s->coloc_intf_dialog_token = dialog_token; |
2027 | 0 | wpa_s->coloc_intf_auto_report = auto_report; |
2028 | 0 | wpa_s->coloc_intf_timeout = timeout; |
2029 | 0 | } |
2030 | | |
2031 | | |
2032 | | void ieee802_11_rx_wnm_action(struct wpa_supplicant *wpa_s, |
2033 | | const struct ieee80211_mgmt *mgmt, size_t len) |
2034 | 1.66k | { |
2035 | 1.66k | const u8 *pos, *end; |
2036 | 1.66k | u8 act; |
2037 | | |
2038 | 1.66k | if (len < IEEE80211_HDRLEN + 2) |
2039 | 31 | return; |
2040 | | |
2041 | 1.63k | pos = ((const u8 *) mgmt) + IEEE80211_HDRLEN + 1; |
2042 | 1.63k | act = *pos++; |
2043 | 1.63k | end = ((const u8 *) mgmt) + len; |
2044 | | |
2045 | 1.63k | wpa_printf(MSG_DEBUG, "WNM: RX action %u from " MACSTR, |
2046 | 1.63k | act, MAC2STR(mgmt->sa)); |
2047 | 1.63k | if (wpa_s->wpa_state < WPA_ASSOCIATED || |
2048 | 1.63k | (!ether_addr_equal(mgmt->sa, wpa_s->bssid) && |
2049 | 52 | (!wpa_s->valid_links || |
2050 | 52 | !ether_addr_equal(mgmt->sa, wpa_s->ap_mld_addr)))) { |
2051 | 52 | wpa_printf(MSG_DEBUG, "WNM: Ignore unexpected WNM Action " |
2052 | 52 | "frame"); |
2053 | 52 | return; |
2054 | 52 | } |
2055 | | |
2056 | 1.58k | switch (act) { |
2057 | 1.28k | case WNM_BSS_TRANS_MGMT_REQ: |
2058 | 1.28k | ieee802_11_rx_bss_trans_mgmt_req(wpa_s, pos, end, |
2059 | 1.28k | !(mgmt->da[0] & 0x01)); |
2060 | 1.28k | break; |
2061 | 1 | case WNM_SLEEP_MODE_RESP: |
2062 | 1 | ieee802_11_rx_wnmsleep_resp(wpa_s, mgmt->da, mgmt->sa, |
2063 | 1 | pos, end - pos); |
2064 | 1 | break; |
2065 | 299 | case WNM_NOTIFICATION_REQ: |
2066 | 299 | ieee802_11_rx_wnm_notif_req(wpa_s, mgmt->da, mgmt->sa, |
2067 | 299 | pos, end - pos); |
2068 | 299 | break; |
2069 | 2 | case WNM_COLLOCATED_INTERFERENCE_REQ: |
2070 | 2 | ieee802_11_rx_wnm_coloc_intf_req(wpa_s, mgmt->sa, pos, |
2071 | 2 | end - pos); |
2072 | 2 | break; |
2073 | 2 | default: |
2074 | 2 | wpa_printf(MSG_ERROR, "WNM: Unknown request"); |
2075 | 2 | break; |
2076 | 1.58k | } |
2077 | 1.58k | } |
2078 | | |
2079 | | |
2080 | | int wnm_send_coloc_intf_report(struct wpa_supplicant *wpa_s, u8 dialog_token, |
2081 | | const struct wpabuf *elems) |
2082 | 0 | { |
2083 | 0 | struct wpabuf *buf; |
2084 | 0 | int ret; |
2085 | |
|
2086 | 0 | if (wpa_s->wpa_state < WPA_ASSOCIATED || !elems) |
2087 | 0 | return -1; |
2088 | | |
2089 | 0 | wpa_printf(MSG_DEBUG, "WNM: Send Collocated Interference Report to " |
2090 | 0 | MACSTR " (dialog token %u)", |
2091 | 0 | MAC2STR(wpa_s->bssid), dialog_token); |
2092 | |
|
2093 | 0 | buf = wpabuf_alloc(3 + wpabuf_len(elems)); |
2094 | 0 | if (!buf) |
2095 | 0 | return -1; |
2096 | | |
2097 | 0 | wpabuf_put_u8(buf, WLAN_ACTION_WNM); |
2098 | 0 | wpabuf_put_u8(buf, WNM_COLLOCATED_INTERFERENCE_REPORT); |
2099 | 0 | wpabuf_put_u8(buf, dialog_token); |
2100 | 0 | wpabuf_put_buf(buf, elems); |
2101 | |
|
2102 | 0 | ret = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, |
2103 | 0 | wpa_s->own_addr, wpa_s->bssid, |
2104 | 0 | wpabuf_head_u8(buf), wpabuf_len(buf), 0); |
2105 | 0 | wpabuf_free(buf); |
2106 | 0 | return ret; |
2107 | 0 | } |
2108 | | |
2109 | | |
2110 | | void wnm_set_coloc_intf_elems(struct wpa_supplicant *wpa_s, |
2111 | | struct wpabuf *elems) |
2112 | 0 | { |
2113 | 0 | if (elems && wpabuf_len(elems) == 0) { |
2114 | 0 | wpabuf_free(elems); |
2115 | 0 | elems = NULL; |
2116 | 0 | } |
2117 | | |
2118 | | /* NOTE: The elements are not stored as they are only send out once */ |
2119 | |
|
2120 | 0 | if (wpa_s->conf->coloc_intf_reporting && elems && |
2121 | 0 | wpa_s->coloc_intf_dialog_token && |
2122 | 0 | (wpa_s->coloc_intf_auto_report == 1 || |
2123 | 0 | wpa_s->coloc_intf_auto_report == 3)) { |
2124 | | /* TODO: Check that there has not been less than |
2125 | | * wpa_s->coloc_intf_timeout * 200 TU from the last report. |
2126 | | */ |
2127 | 0 | wnm_send_coloc_intf_report(wpa_s, |
2128 | 0 | wpa_s->coloc_intf_dialog_token, |
2129 | 0 | elems); |
2130 | 0 | } |
2131 | |
|
2132 | 0 | wpabuf_free(elems); |
2133 | 0 | } |
2134 | | |
2135 | | |
2136 | | void wnm_clear_coloc_intf_reporting(struct wpa_supplicant *wpa_s) |
2137 | 0 | { |
2138 | 0 | wpa_s->coloc_intf_dialog_token = 0; |
2139 | 0 | wpa_s->coloc_intf_auto_report = 0; |
2140 | 0 | } |
2141 | | |
2142 | | |
2143 | | bool wnm_is_bss_excluded(struct wpa_supplicant *wpa_s, struct wpa_bss *bss) |
2144 | 0 | { |
2145 | 0 | int i; |
2146 | | |
2147 | | /* |
2148 | | * In case disassociation imminent is set, do no try to use a BSS to |
2149 | | * which we are connected. |
2150 | | */ |
2151 | 0 | if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_DISASSOC_IMMINENT) { |
2152 | 0 | if (!wpa_s->wnm_disassoc_mld) { |
2153 | 0 | if (ether_addr_equal(bss->bssid, |
2154 | 0 | wpa_s->wnm_disassoc_addr)) |
2155 | 0 | return true; |
2156 | 0 | } else { |
2157 | 0 | if (ether_addr_equal(bss->mld_addr, |
2158 | 0 | wpa_s->wnm_disassoc_addr)) |
2159 | 0 | return true; |
2160 | 0 | } |
2161 | 0 | } |
2162 | | |
2163 | 0 | for (i = 0; i < wpa_s->wnm_num_neighbor_report; i++) { |
2164 | 0 | struct neighbor_report *nei; |
2165 | |
|
2166 | 0 | nei = &wpa_s->wnm_neighbor_report_elements[i]; |
2167 | 0 | if (!ether_addr_equal(nei->bssid, bss->bssid) && |
2168 | 0 | (is_zero_ether_addr(bss->mld_addr) || |
2169 | 0 | !ether_addr_equal(nei->mld_addr, bss->mld_addr))) |
2170 | 0 | continue; |
2171 | | |
2172 | 0 | if (nei->preference_present && nei->preference == 0) |
2173 | 0 | return true; |
2174 | | |
2175 | | #ifdef CONFIG_MBO |
2176 | | if (nei->drv_mbo_reject) |
2177 | | return true; |
2178 | | #endif /* CONFIG_MBO */ |
2179 | | |
2180 | | /* |
2181 | | * NOTE: We should select one entry and stick with it, but to |
2182 | | * do that we need to refactor the BSS selection to be MLD |
2183 | | * aware from the beginning. Instead we just check whether the |
2184 | | * link is permitted in any possible configuration. We are not |
2185 | | * supposed to do that, however the AP is able to reject a |
2186 | | * subset of the requested links. |
2187 | | */ |
2188 | 0 | if (nei->mld_links && !(nei->mld_links & BIT(bss->mld_link_id))) |
2189 | 0 | continue; |
2190 | | |
2191 | 0 | break; |
2192 | 0 | } |
2193 | | |
2194 | | /* If the abridged bit is set, the BSS must be a known neighbor. */ |
2195 | 0 | if ((wpa_s->wnm_mode & WNM_BSS_TM_REQ_ABRIDGED) && |
2196 | 0 | wpa_s->wnm_num_neighbor_report == i) |
2197 | 0 | return true; |
2198 | | |
2199 | 0 | return false; |
2200 | 0 | } |