Google Git
Sign in
chromium / chromiumos / third_party / hostap / 7c65e9d2ec42c9d4a8163e8abd12ae39db63746d / . / wpa_supplicant / wpa_supplicant.c
blob: d40f405294a08279eab834f2990342712a008f12 [file] [log] [blame]
/*
* WPA Supplicant
* Copyright (c) 2003-2024, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*
* This file implements functions for registering and unregistering
* %wpa_supplicant interfaces. In addition, this file contains number of
* functions for managing network connections.
*/
#include "includes.h"
#ifdef CONFIG_MATCH_IFACE
#include <net/if.h>
#include <fnmatch.h>
#endif /* CONFIG_MATCH_IFACE */
#include "common.h"
#include "crypto/crypto.h"
#include "crypto/random.h"
#include "crypto/sha1.h"
#include "eapol_supp/eapol_supp_sm.h"
#include "eap_peer/eap.h"
#include "eap_peer/eap_proxy.h"
#include "eap_server/eap_methods.h"
#include "rsn_supp/wpa.h"
#include "eloop.h"
#include "config.h"
#include "utils/ext_password.h"
#include "l2_packet/l2_packet.h"
#include "wpa_supplicant_i.h"
#include "driver_i.h"
#include "ctrl_iface.h"
#include "pcsc_funcs.h"
#include "common/version.h"
#include "rsn_supp/preauth.h"
#include "rsn_supp/pmksa_cache.h"
#include "common/wpa_ctrl.h"
#include "common/ieee802_11_common.h"
#include "common/ieee802_11_defs.h"
#include "common/hw_features_common.h"
#include "common/gas_server.h"
#include "common/dpp.h"
#include "common/ptksa_cache.h"
#include "p2p/p2p.h"
#include "fst/fst.h"
#include "bssid_ignore.h"
#include "wpas_glue.h"
#include "wps_supplicant.h"
#include "ibss_rsn.h"
#include "sme.h"
#include "gas_query.h"
#include "ap.h"
#include "p2p_supplicant.h"
#include "wifi_display.h"
#include "notify.h"
#include "bgscan.h"
#include "autoscan.h"
#include "bss.h"
#include "scan.h"
#include "offchannel.h"
#include "hs20_supplicant.h"
#include "wnm_sta.h"
#include "wpas_kay.h"
#include "mesh.h"
#include "dpp_supplicant.h"
#include "nan_usd.h"
#ifdef CONFIG_MESH
#include "ap/ap_config.h"
#include "ap/hostapd.h"
#endif /* CONFIG_MESH */
const char *const wpa_supplicant_version =
"wpa_supplicant v" VERSION_STR "\n"
"Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors";
const char *const wpa_supplicant_license =
"This software may be distributed under the terms of the BSD license.\n"
"See README for more details.\n"
#ifdef EAP_TLS_OPENSSL
"\nThis product includes software developed by the OpenSSL Project\n"
"for use in the OpenSSL Toolkit (http://www.openssl.org/)\n"
#endif /* EAP_TLS_OPENSSL */
;
#ifndef CONFIG_NO_STDOUT_DEBUG
/* Long text divided into parts in order to fit in C89 strings size limits. */
const char *const wpa_supplicant_full_license1 =
"";
const char *const wpa_supplicant_full_license2 =
"This software may be distributed under the terms of the BSD license.\n"
"\n"
"Redistribution and use in source and binary forms, with or without\n"
"modification, are permitted provided that the following conditions are\n"
"met:\n"
"\n";
const char *const wpa_supplicant_full_license3 =
"1. Redistributions of source code must retain the above copyright\n"
" notice, this list of conditions and the following disclaimer.\n"
"\n"
"2. Redistributions in binary form must reproduce the above copyright\n"
" notice, this list of conditions and the following disclaimer in the\n"
" documentation and/or other materials provided with the distribution.\n"
"\n";
const char *const wpa_supplicant_full_license4 =
"3. Neither the name(s) of the above-listed copyright holder(s) nor the\n"
" names of its contributors may be used to endorse or promote products\n"
" derived from this software without specific prior written permission.\n"
"\n"
"THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n"
"\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\n"
"LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\n"
"A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\n";
const char *const wpa_supplicant_full_license5 =
"OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\n"
"SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\n"
"LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n"
"DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n"
"THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n"
"(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\n"
"OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
"\n";
#endif /* CONFIG_NO_STDOUT_DEBUG */
static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx);
static void wpas_verify_ssid_beacon(void *eloop_ctx, void *timeout_ctx);
#if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
static void wpas_update_fils_connect_params(struct wpa_supplicant *wpa_s);
#endif /* CONFIG_FILS && IEEE8021X_EAPOL */
#ifdef CONFIG_OWE
static void wpas_update_owe_connect_params(struct wpa_supplicant *wpa_s);
#endif /* CONFIG_OWE */
#ifdef CONFIG_WEP
/* Configure default/group WEP keys for static WEP */
int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
{
int i, set = 0;
for (i = 0; i < NUM_WEP_KEYS; i++) {
if (ssid->wep_key_len[i] == 0)
continue;
set = 1;
wpa_drv_set_key(wpa_s, -1, WPA_ALG_WEP, NULL,
i, i == ssid->wep_tx_keyidx, NULL, 0,
ssid->wep_key[i], ssid->wep_key_len[i],
i == ssid->wep_tx_keyidx ?
KEY_FLAG_GROUP_RX_TX_DEFAULT :
KEY_FLAG_GROUP_RX_TX);
}
return set;
}
#endif /* CONFIG_WEP */
int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid)
{
u8 key[32];
size_t keylen;
enum wpa_alg alg;
u8 seq[6] = { 0 };
int ret;
/* IBSS/WPA-None uses only one key (Group) for both receiving and
* sending unicast and multicast packets. */
if (ssid->mode != WPAS_MODE_IBSS) {
wpa_msg(wpa_s, MSG_INFO, "WPA: Invalid mode %d (not "
"IBSS/ad-hoc) for WPA-None", ssid->mode);
return -1;
}
if (!ssid->psk_set) {
wpa_msg(wpa_s, MSG_INFO, "WPA: No PSK configured for "
"WPA-None");
return -1;
}
switch (wpa_s->group_cipher) {
case WPA_CIPHER_CCMP:
os_memcpy(key, ssid->psk, 16);
keylen = 16;
alg = WPA_ALG_CCMP;
break;
case WPA_CIPHER_GCMP:
os_memcpy(key, ssid->psk, 16);
keylen = 16;
alg = WPA_ALG_GCMP;
break;
case WPA_CIPHER_TKIP:
/* WPA-None uses the same Michael MIC key for both TX and RX */
os_memcpy(key, ssid->psk, 16 + 8);
os_memcpy(key + 16 + 8, ssid->psk + 16, 8);
keylen = 32;
alg = WPA_ALG_TKIP;
break;
default:
wpa_msg(wpa_s, MSG_INFO, "WPA: Invalid group cipher %d for "
"WPA-None", wpa_s->group_cipher);
return -1;
}
/* TODO: should actually remember the previously used seq#, both for TX
* and RX from each STA.. */
ret = wpa_drv_set_key(wpa_s, -1, alg, NULL, 0, 1, seq, 6, key, keylen,
KEY_FLAG_GROUP_RX_TX_DEFAULT);
os_memset(key, 0, sizeof(key));
return ret;
}
static void wpa_supplicant_timeout(void *eloop_ctx, void *timeout_ctx)
{
struct wpa_supplicant *wpa_s = eloop_ctx;
const u8 *bssid = wpa_s->bssid;
if (!is_zero_ether_addr(wpa_s->pending_bssid) &&
(wpa_s->wpa_state == WPA_AUTHENTICATING ||
wpa_s->wpa_state == WPA_ASSOCIATING))
bssid = wpa_s->pending_bssid;
wpa_msg(wpa_s, MSG_INFO, "Authentication with " MACSTR " timed out.",
MAC2STR(bssid));
wpa_bssid_ignore_add(wpa_s, bssid);
wpa_sm_notify_disassoc(wpa_s->wpa);
wpa_supplicant_deauthenticate(wpa_s, WLAN_REASON_DEAUTH_LEAVING);
wpa_s->reassociate = 1;
/*
* If we timed out, the AP or the local radio may be busy.
* So, wait a second until scanning again.
*/
wpa_supplicant_req_scan(wpa_s, 1, 0);
}
/**
* wpa_supplicant_req_auth_timeout - Schedule a timeout for authentication
* @wpa_s: Pointer to wpa_supplicant data
* @sec: Number of seconds after which to time out authentication
* @usec: Number of microseconds after which to time out authentication
*
* This function is used to schedule a timeout for the current authentication
* attempt.
*/
void wpa_supplicant_req_auth_timeout(struct wpa_supplicant *wpa_s,
int sec, int usec)
{
if (wpa_s->conf->ap_scan == 0 &&
(wpa_s->drv_flags & WPA_DRIVER_FLAGS_WIRED))
return;
wpa_dbg(wpa_s, MSG_DEBUG, "Setting authentication timeout: %d sec "
"%d usec", sec, usec);
eloop_cancel_timeout(wpa_supplicant_timeout, wpa_s, NULL);
wpa_s->last_auth_timeout_sec = sec;
eloop_register_timeout(sec, usec, wpa_supplicant_timeout, wpa_s, NULL);
}
/*
* wpas_auth_timeout_restart - Restart and change timeout for authentication
* @wpa_s: Pointer to wpa_supplicant data
* @sec_diff: difference in seconds applied to original timeout value
*/
void wpas_auth_timeout_restart(struct wpa_supplicant *wpa_s, int sec_diff)
{
int new_sec = wpa_s->last_auth_timeout_sec + sec_diff;
if (eloop_is_timeout_registered(wpa_supplicant_timeout, wpa_s, NULL)) {
wpa_dbg(wpa_s, MSG_DEBUG,
"Authentication timeout restart: %d sec", new_sec);
eloop_cancel_timeout(wpa_supplicant_timeout, wpa_s, NULL);
eloop_register_timeout(new_sec, 0, wpa_supplicant_timeout,
wpa_s, NULL);
}
}
/**
* wpa_supplicant_cancel_auth_timeout - Cancel authentication timeout
* @wpa_s: Pointer to wpa_supplicant data
*
* This function is used to cancel authentication timeout scheduled with
* wpa_supplicant_req_auth_timeout() and it is called when authentication has
* been completed.
*/
void wpa_supplicant_cancel_auth_timeout(struct wpa_supplicant *wpa_s)
{
wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling authentication timeout");
eloop_cancel_timeout(wpa_supplicant_timeout, wpa_s, NULL);
wpa_bssid_ignore_del(wpa_s, wpa_s->bssid);
os_free(wpa_s->last_con_fail_realm);
wpa_s->last_con_fail_realm = NULL;
wpa_s->last_con_fail_realm_len = 0;
}
/**
* wpa_supplicant_initiate_eapol - Configure EAPOL state machine
* @wpa_s: Pointer to wpa_supplicant data
*
* This function is used to configure EAPOL state machine based on the selected
* authentication mode.
*/
void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
{
#ifdef IEEE8021X_EAPOL
struct eapol_config eapol_conf;
struct wpa_ssid *ssid = wpa_s->current_ssid;
#ifdef CONFIG_IBSS_RSN
if (ssid->mode == WPAS_MODE_IBSS &&
wpa_s->key_mgmt != WPA_KEY_MGMT_NONE &&
wpa_s->key_mgmt != WPA_KEY_MGMT_WPA_NONE) {
/*
* RSN IBSS authentication is per-STA and we can disable the
* per-BSSID EAPOL authentication.
*/
eapol_sm_notify_portControl(wpa_s->eapol, ForceAuthorized);
eapol_sm_notify_eap_success(wpa_s->eapol, true);
eapol_sm_notify_eap_fail(wpa_s->eapol, false);
return;
}
#endif /* CONFIG_IBSS_RSN */
eapol_sm_notify_eap_success(wpa_s->eapol, false);
eapol_sm_notify_eap_fail(wpa_s->eapol, false);
if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE ||
wpa_s->key_mgmt == WPA_KEY_MGMT_WPA_NONE)
eapol_sm_notify_portControl(wpa_s->eapol, ForceAuthorized);
else
eapol_sm_notify_portControl(wpa_s->eapol, Auto);
os_memset(&eapol_conf, 0, sizeof(eapol_conf));
if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
eapol_conf.accept_802_1x_keys = 1;
eapol_conf.required_keys = 0;
if (ssid->eapol_flags & EAPOL_FLAG_REQUIRE_KEY_UNICAST) {
eapol_conf.required_keys |= EAPOL_REQUIRE_KEY_UNICAST;
}
if (ssid->eapol_flags & EAPOL_FLAG_REQUIRE_KEY_BROADCAST) {
eapol_conf.required_keys |=
EAPOL_REQUIRE_KEY_BROADCAST;
}
if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_WIRED)
eapol_conf.required_keys = 0;
}
eapol_conf.fast_reauth = wpa_s->conf->fast_reauth;
eapol_conf.workaround = ssid->eap_workaround;
eapol_conf.eap_disabled =
!wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) &&
wpa_s->key_mgmt != WPA_KEY_MGMT_IEEE8021X_NO_WPA &&
wpa_s->key_mgmt != WPA_KEY_MGMT_WPS;
eapol_conf.external_sim = wpa_s->conf->external_sim;
#ifdef CONFIG_WPS
if (wpa_s->key_mgmt == WPA_KEY_MGMT_WPS) {
eapol_conf.wps |= EAPOL_LOCAL_WPS_IN_USE;
if (wpa_s->current_bss) {
struct wpabuf *ie;
ie = wpa_bss_get_vendor_ie_multi(wpa_s->current_bss,
WPS_IE_VENDOR_TYPE);
if (ie) {
if (wps_is_20(ie))
eapol_conf.wps |=
EAPOL_PEER_IS_WPS20_AP;
wpabuf_free(ie);
}
}
}
#endif /* CONFIG_WPS */
eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
#ifdef CONFIG_MACSEC
if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE && ssid->mka_psk_set)
ieee802_1x_create_preshared_mka(wpa_s, ssid);
else
ieee802_1x_alloc_kay_sm(wpa_s, ssid);
#endif /* CONFIG_MACSEC */
#endif /* IEEE8021X_EAPOL */
}
/**
* wpa_supplicant_set_non_wpa_policy - Set WPA parameters to non-WPA mode
* @wpa_s: Pointer to wpa_supplicant data
* @ssid: Configuration data for the network
*
* This function is used to configure WPA state machine and related parameters
* to a mode where WPA is not enabled. This is called as part of the
* authentication configuration when the selected network does not use WPA.
*/
void wpa_supplicant_set_non_wpa_policy(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid)
{
#ifdef CONFIG_WEP
int i;
#endif /* CONFIG_WEP */
struct wpa_sm_mlo mlo;
if (ssid->key_mgmt & WPA_KEY_MGMT_WPS)
wpa_s->key_mgmt = WPA_KEY_MGMT_WPS;
else if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA)
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
else
wpa_s->key_mgmt = WPA_KEY_MGMT_NONE;
wpa_sm_set_ap_wpa_ie(wpa_s->wpa, NULL, 0);
wpa_sm_set_ap_rsn_ie(wpa_s->wpa, NULL, 0);
wpa_sm_set_ap_rsnxe(wpa_s->wpa, NULL, 0);
wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0);
wpa_s->rsnxe_len = 0;
wpa_s->pairwise_cipher = WPA_CIPHER_NONE;
wpa_s->group_cipher = WPA_CIPHER_NONE;
wpa_s->mgmt_group_cipher = 0;
#ifdef CONFIG_WEP
for (i = 0; i < NUM_WEP_KEYS; i++) {
if (ssid->wep_key_len[i] > 5) {
wpa_s->pairwise_cipher = WPA_CIPHER_WEP104;
wpa_s->group_cipher = WPA_CIPHER_WEP104;
break;
} else if (ssid->wep_key_len[i] > 0) {
wpa_s->pairwise_cipher = WPA_CIPHER_WEP40;
wpa_s->group_cipher = WPA_CIPHER_WEP40;
break;
}
}
#endif /* CONFIG_WEP */
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_RSN_ENABLED, 0);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEY_MGMT, wpa_s->key_mgmt);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_PAIRWISE,
wpa_s->pairwise_cipher);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_GROUP, wpa_s->group_cipher);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_MGMT_GROUP,
wpa_s->mgmt_group_cipher);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SSID_PROTECTION, 0);
pmksa_cache_clear_current(wpa_s->wpa);
os_memset(&mlo, 0, sizeof(mlo));
wpa_sm_set_mlo_params(wpa_s->wpa, &mlo);
}
void free_hw_features(struct wpa_supplicant *wpa_s)
{
int i;
if (wpa_s->hw.modes == NULL)
return;
for (i = 0; i < wpa_s->hw.num_modes; i++) {
os_free(wpa_s->hw.modes[i].channels);
os_free(wpa_s->hw.modes[i].rates);
}
os_free(wpa_s->hw.modes);
wpa_s->hw.modes = NULL;
}
static void remove_bss_tmp_disallowed_entry(struct wpa_supplicant *wpa_s,
struct wpa_bss_tmp_disallowed *bss)
{
eloop_cancel_timeout(wpa_bss_tmp_disallow_timeout, wpa_s, bss);
dl_list_del(&bss->list);
os_free(bss);
}
void free_bss_tmp_disallowed(struct wpa_supplicant *wpa_s)
{
struct wpa_bss_tmp_disallowed *bss, *prev;
dl_list_for_each_safe(bss, prev, &wpa_s->bss_tmp_disallowed,
struct wpa_bss_tmp_disallowed, list)
remove_bss_tmp_disallowed_entry(wpa_s, bss);
}
void wpas_flush_fils_hlp_req(struct wpa_supplicant *wpa_s)
{
struct fils_hlp_req *req;
while ((req = dl_list_first(&wpa_s->fils_hlp_req, struct fils_hlp_req,
list)) != NULL) {
dl_list_del(&req->list);
wpabuf_free(req->pkt);
os_free(req);
}
}
void wpas_clear_disabled_interface(void *eloop_ctx, void *timeout_ctx)
{
struct wpa_supplicant *wpa_s = eloop_ctx;
if (wpa_s->wpa_state != WPA_INTERFACE_DISABLED)
return;
wpa_dbg(wpa_s, MSG_DEBUG, "Clear cached state on disabled interface");
wpa_bss_flush(wpa_s);
}
#ifdef CONFIG_TESTING_OPTIONS
void wpas_clear_driver_signal_override(struct wpa_supplicant *wpa_s)
{
struct driver_signal_override *dso;
while ((dso = dl_list_first(&wpa_s->drv_signal_override,
struct driver_signal_override, list))) {
dl_list_del(&dso->list);
os_free(dso);
}
}
#endif /* CONFIG_TESTING_OPTIONS */
static void wpa_supplicant_cleanup(struct wpa_supplicant *wpa_s)
{
int i;
bgscan_deinit(wpa_s);
autoscan_deinit(wpa_s);
scard_deinit(wpa_s->scard);
wpa_s->scard = NULL;
wpa_sm_set_scard_ctx(wpa_s->wpa, NULL);
eapol_sm_register_scard_ctx(wpa_s->eapol, NULL);
l2_packet_deinit(wpa_s->l2);
wpa_s->l2 = NULL;
if (wpa_s->l2_br) {
l2_packet_deinit(wpa_s->l2_br);
wpa_s->l2_br = NULL;
}
#ifdef CONFIG_TESTING_OPTIONS
l2_packet_deinit(wpa_s->l2_test);
wpa_s->l2_test = NULL;
os_free(wpa_s->get_pref_freq_list_override);
wpa_s->get_pref_freq_list_override = NULL;
wpabuf_free(wpa_s->last_assoc_req_wpa_ie);
wpa_s->last_assoc_req_wpa_ie = NULL;
os_free(wpa_s->extra_sae_rejected_groups);
wpa_s->extra_sae_rejected_groups = NULL;
wpabuf_free(wpa_s->rsne_override_eapol);
wpa_s->rsne_override_eapol = NULL;
wpabuf_free(wpa_s->rsnxe_override_assoc);
wpa_s->rsnxe_override_assoc = NULL;
wpabuf_free(wpa_s->rsnxe_override_eapol);
wpa_s->rsnxe_override_eapol = NULL;
wpas_clear_driver_signal_override(wpa_s);
#endif /* CONFIG_TESTING_OPTIONS */
if (wpa_s->conf != NULL) {
struct wpa_ssid *ssid;
for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next)
wpas_notify_network_removed(wpa_s, ssid);
}
os_free(wpa_s->confname);
wpa_s->confname = NULL;
os_free(wpa_s->confanother);
wpa_s->confanother = NULL;
os_free(wpa_s->last_con_fail_realm);
wpa_s->last_con_fail_realm = NULL;
wpa_s->last_con_fail_realm_len = 0;
wpa_sm_set_eapol(wpa_s->wpa, NULL);
eapol_sm_deinit(wpa_s->eapol);
wpa_s->eapol = NULL;
rsn_preauth_deinit(wpa_s->wpa);
#ifdef CONFIG_TDLS
wpa_tdls_deinit(wpa_s->wpa);
#endif /* CONFIG_TDLS */
#ifndef CONFIG_NO_WMM_AC
wmm_ac_clear_saved_tspecs(wpa_s);
#endif /* CONFIG_NO_WMM_AC */
pmksa_candidate_free(wpa_s->wpa);
ptksa_cache_deinit(wpa_s->ptksa);
wpa_s->ptksa = NULL;
wpa_sm_deinit(wpa_s->wpa);
wpa_s->wpa = NULL;
wpa_bssid_ignore_clear(wpa_s);
#ifdef CONFIG_PASN
wpas_pasn_auth_stop(wpa_s);
#endif /* CONFIG_PASN */
wpa_bss_deinit(wpa_s);
wpa_supplicant_cancel_delayed_sched_scan(wpa_s);
wpa_supplicant_cancel_scan(wpa_s);
wpa_supplicant_cancel_auth_timeout(wpa_s);
eloop_cancel_timeout(wpa_supplicant_stop_countermeasures, wpa_s, NULL);
#ifdef CONFIG_DELAYED_MIC_ERROR_REPORT
eloop_cancel_timeout(wpa_supplicant_delayed_mic_error_report,
wpa_s, NULL);
#endif /* CONFIG_DELAYED_MIC_ERROR_REPORT */
eloop_cancel_timeout(wpas_network_reenabled, wpa_s, NULL);
eloop_cancel_timeout(wpas_clear_disabled_interface, wpa_s, NULL);
eloop_cancel_timeout(wpas_verify_ssid_beacon, wpa_s, NULL);
wpas_wps_deinit(wpa_s);
wpabuf_free(wpa_s->pending_eapol_rx);
wpa_s->pending_eapol_rx = NULL;
#ifdef CONFIG_IBSS_RSN
ibss_rsn_deinit(wpa_s->ibss_rsn);
wpa_s->ibss_rsn = NULL;
#endif /* CONFIG_IBSS_RSN */
sme_deinit(wpa_s);
#ifdef CONFIG_AP
wpa_supplicant_ap_deinit(wpa_s);
#endif /* CONFIG_AP */
wpas_p2p_deinit(wpa_s);
#ifdef CONFIG_OFFCHANNEL
offchannel_deinit(wpa_s);
#endif /* CONFIG_OFFCHANNEL */
wpa_supplicant_cancel_sched_scan(wpa_s);
os_free(wpa_s->next_scan_freqs);
wpa_s->next_scan_freqs = NULL;
os_free(wpa_s->manual_scan_freqs);
wpa_s->manual_scan_freqs = NULL;
os_free(wpa_s->select_network_scan_freqs);
wpa_s->select_network_scan_freqs = NULL;
os_free(wpa_s->manual_sched_scan_freqs);
wpa_s->manual_sched_scan_freqs = NULL;
wpas_mac_addr_rand_scan_clear(wpa_s, MAC_ADDR_RAND_ALL);
/*
* Need to remove any pending gas-query radio work before the
* gas_query_deinit() call because gas_query::work has not yet been set
* for works that have not been started. gas_query_free() will be unable
* to cancel such pending radio works and once the pending gas-query
* radio work eventually gets removed, the deinit notification call to
* gas_query_start_cb() would result in dereferencing freed memory.
*/
if (wpa_s->radio)
radio_remove_works(wpa_s, "gas-query", 0);
gas_query_deinit(wpa_s->gas);
wpa_s->gas = NULL;
gas_server_deinit(wpa_s->gas_server);
wpa_s->gas_server = NULL;
free_hw_features(wpa_s);
ieee802_1x_dealloc_kay_sm(wpa_s);
os_free(wpa_s->bssid_filter);
wpa_s->bssid_filter = NULL;
os_free(wpa_s->disallow_aps_bssid);
wpa_s->disallow_aps_bssid = NULL;
os_free(wpa_s->disallow_aps_ssid);
wpa_s->disallow_aps_ssid = NULL;
wnm_bss_keep_alive_deinit(wpa_s);
wnm_btm_reset(wpa_s);
ext_password_deinit(wpa_s->ext_pw);
wpa_s->ext_pw = NULL;
wpabuf_free(wpa_s->last_gas_resp);
wpa_s->last_gas_resp = NULL;
wpabuf_free(wpa_s->prev_gas_resp);
wpa_s->prev_gas_resp = NULL;
os_free(wpa_s->last_scan_res);
wpa_s->last_scan_res = NULL;
#ifdef CONFIG_HS20
if (wpa_s->drv_priv)
wpa_drv_configure_frame_filters(wpa_s, 0);
hs20_deinit(wpa_s);
#endif /* CONFIG_HS20 */
for (i = 0; i < NUM_VENDOR_ELEM_FRAMES; i++) {
wpabuf_free(wpa_s->vendor_elem[i]);
wpa_s->vendor_elem[i] = NULL;
}
#ifndef CONFIG_NO_WMM_AC
wmm_ac_notify_disassoc(wpa_s);
#endif /* CONFIG_NO_WMM_AC */
wpa_s->sched_scan_plans_num = 0;
os_free(wpa_s->sched_scan_plans);
wpa_s->sched_scan_plans = NULL;
#ifdef CONFIG_MBO
wpa_s->non_pref_chan_num = 0;
os_free(wpa_s->non_pref_chan);
wpa_s->non_pref_chan = NULL;
#endif /* CONFIG_MBO */
free_bss_tmp_disallowed(wpa_s);
wpabuf_free(wpa_s->lci);
wpa_s->lci = NULL;
#ifndef CONFIG_NO_RRM
wpas_clear_beacon_rep_data(wpa_s);
#endif /* CONFIG_NO_RRM */
#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
#ifdef CONFIG_MESH
{
struct external_pmksa_cache *entry;
while ((entry = dl_list_last(&wpa_s->mesh_external_pmksa_cache,
struct external_pmksa_cache,
list)) != NULL) {
dl_list_del(&entry->list);
os_free(entry->pmksa_cache);
os_free(entry);
}
}
#endif /* CONFIG_MESH */
#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
wpas_flush_fils_hlp_req(wpa_s);
wpabuf_free(wpa_s->ric_ies);
wpa_s->ric_ies = NULL;
#ifdef CONFIG_DPP
wpas_dpp_deinit(wpa_s);
dpp_global_deinit(wpa_s->dpp);
wpa_s->dpp = NULL;
#endif /* CONFIG_DPP */
#ifdef CONFIG_NAN_USD
wpas_nan_usd_deinit(wpa_s);
#endif /* CONFIG_NAN_USD */
#ifdef CONFIG_PASN
wpas_pasn_auth_stop(wpa_s);
#endif /* CONFIG_PASN */
#ifndef CONFIG_NO_ROBUST_AV
wpas_scs_deinit(wpa_s);
wpas_dscp_deinit(wpa_s);
#endif /* CONFIG_NO_ROBUST_AV */
#ifdef CONFIG_OWE
os_free(wpa_s->owe_trans_scan_freq);
wpa_s->owe_trans_scan_freq = NULL;
#endif /* CONFIG_OWE */
}
/**
* wpa_clear_keys - Clear keys configured for the driver
* @wpa_s: Pointer to wpa_supplicant data
* @addr: Previously used BSSID or %NULL if not available
*
* This function clears the encryption keys that has been previously configured
* for the driver.
*/
void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr)
{
int i, max = 6;
/* MLME-DELETEKEYS.request */
for (i = 0; i < max; i++) {
if (wpa_s->keys_cleared & BIT(i))
continue;
wpa_drv_set_key(wpa_s, -1, WPA_ALG_NONE, NULL, i, 0, NULL, 0,
NULL, 0, KEY_FLAG_GROUP);
}
/* Pairwise Key ID 1 for Extended Key ID is tracked in bit 15 */
if (~wpa_s->keys_cleared & (BIT(0) | BIT(15)) && addr &&
!is_zero_ether_addr(addr)) {
if (!(wpa_s->keys_cleared & BIT(0)))
wpa_drv_set_key(wpa_s, -1, WPA_ALG_NONE, addr, 0, 0,
NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE);
if (!(wpa_s->keys_cleared & BIT(15)))
wpa_drv_set_key(wpa_s, -1, WPA_ALG_NONE, addr, 1, 0,
NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE);
/* MLME-SETPROTECTION.request(None) */
wpa_drv_mlme_setprotection(
wpa_s, addr,
MLME_SETPROTECTION_PROTECT_TYPE_NONE,
MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
}
wpa_s->keys_cleared = (u32) -1;
}
/**
* wpa_supplicant_state_txt - Get the connection state name as a text string
* @state: State (wpa_state; WPA_*)
* Returns: The state name as a printable text string
*/
const char * wpa_supplicant_state_txt(enum wpa_states state)
{
switch (state) {
case WPA_DISCONNECTED:
return "DISCONNECTED";
case WPA_INACTIVE:
return "INACTIVE";
case WPA_INTERFACE_DISABLED:
return "INTERFACE_DISABLED";
case WPA_SCANNING:
return "SCANNING";
case WPA_AUTHENTICATING:
return "AUTHENTICATING";
case WPA_ASSOCIATING:
return "ASSOCIATING";
case WPA_ASSOCIATED:
return "ASSOCIATED";
case WPA_4WAY_HANDSHAKE:
return "4WAY_HANDSHAKE";
case WPA_GROUP_HANDSHAKE:
return "GROUP_HANDSHAKE";
case WPA_COMPLETED:
return "COMPLETED";
default:
return "UNKNOWN";
}
}
#ifdef CONFIG_BGSCAN
static void wpa_supplicant_stop_bgscan(struct wpa_supplicant *wpa_s)
{
if (wpa_s->bgscan_ssid) {
bgscan_deinit(wpa_s);
wpa_s->bgscan_ssid = NULL;
}
}
/**
* wpa_supplicant_reset_bgscan - Reset the bgscan for the current SSID.
* @wpa_s: Pointer to the wpa_supplicant data
*
* Stop, start, or reconfigure the scan parameters depending on the method.
*/
void wpa_supplicant_reset_bgscan(struct wpa_supplicant *wpa_s)
{
const char *name;
if (wpa_s->current_ssid && wpa_s->current_ssid->bgscan)
name = wpa_s->current_ssid->bgscan;
else
name = wpa_s->conf->bgscan;
if (!name || name[0] == '\0') {
wpa_supplicant_stop_bgscan(wpa_s);
return;
}
if (wpas_driver_bss_selection(wpa_s))
return;
#ifdef CONFIG_P2P
if (wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE)
return;
#endif /* CONFIG_P2P */
bgscan_deinit(wpa_s);
if (wpa_s->current_ssid) {
if (bgscan_init(wpa_s, wpa_s->current_ssid, name)) {
wpa_dbg(wpa_s, MSG_DEBUG, "Failed to initialize "
"bgscan");
/*
* Live without bgscan; it is only used as a roaming
* optimization, so the initial connection is not
* affected.
*/
} else {
struct wpa_scan_results *scan_res;
wpa_s->bgscan_ssid = wpa_s->current_ssid;
scan_res = wpa_supplicant_get_scan_results(wpa_s, NULL,
0, NULL);
if (scan_res) {
bgscan_notify_scan(wpa_s, scan_res);
wpa_scan_results_free(scan_res);
}
}
} else
wpa_s->bgscan_ssid = NULL;
}
#endif /* CONFIG_BGSCAN */
static void wpa_supplicant_start_autoscan(struct wpa_supplicant *wpa_s)
{
if (autoscan_init(wpa_s, 0))
wpa_dbg(wpa_s, MSG_DEBUG, "Failed to initialize autoscan");
}
static void wpa_supplicant_stop_autoscan(struct wpa_supplicant *wpa_s)
{
autoscan_deinit(wpa_s);
}
void wpa_supplicant_reinit_autoscan(struct wpa_supplicant *wpa_s)
{
if (wpa_s->wpa_state == WPA_DISCONNECTED ||
wpa_s->wpa_state == WPA_SCANNING) {
autoscan_deinit(wpa_s);
wpa_supplicant_start_autoscan(wpa_s);
}
}
static void wpas_verify_ssid_beacon(void *eloop_ctx, void *timeout_ctx)
{
struct wpa_supplicant *wpa_s = eloop_ctx;
struct wpa_bss *bss;
const u8 *ssid;
size_t ssid_len;
if (!wpa_s->current_ssid || !wpa_s->current_bss)
return;
ssid = wpa_s->current_bss->ssid;
ssid_len = wpa_s->current_bss->ssid_len;
if (wpa_s->current_ssid->ssid_len &&
(wpa_s->current_ssid->ssid_len != ssid_len ||
os_memcmp(wpa_s->current_ssid->ssid, ssid, ssid_len) != 0))
return;
if (wpa_s->wpa_state < WPA_4WAY_HANDSHAKE ||
!wpa_s->bigtk_set || wpa_s->ssid_verified)
return;
wpa_printf(MSG_DEBUG,
"SSID not yet verified; check if the driver has received a verified Beacon frame");
if (wpa_supplicant_update_scan_results(wpa_s, wpa_s->bssid) < 0)
return;
bss = wpa_bss_get_bssid_latest(wpa_s, wpa_s->bssid);
if (!bss)
return;
wpa_printf(MSG_DEBUG, "The current beacon time stamp: 0x%llx",
(long long unsigned int) bss->tsf);
if (bss->tsf > wpa_s->first_beacon_tsf) {
const u8 *ie;
wpa_printf(MSG_DEBUG,
"Verified Beacon frame has been received");
wpa_s->beacons_checked++;
ie = wpa_bss_get_ie_beacon(bss, WLAN_EID_SSID);
if (ie && ie[1] == ssid_len &&
os_memcmp(&ie[2], ssid, ssid_len) == 0) {
wpa_printf(MSG_DEBUG,
"SSID verified based on a Beacon frame and beacon protection");
wpa_s->ssid_verified = true;
return;
}
/* TODO: Multiple BSSID element */
}
if (wpa_s->beacons_checked < 16) {
eloop_register_timeout(wpa_s->next_beacon_check, 0,
wpas_verify_ssid_beacon, wpa_s, NULL);
wpa_s->next_beacon_check++;
}
}
static void wpas_verify_ssid_beacon_prot(struct wpa_supplicant *wpa_s)
{
struct wpa_bss *bss;
wpa_printf(MSG_DEBUG,
"SSID not yet verified; try to verify using beacon protection");
/* Fetch the current scan result which is likely based on not yet
* verified payload since the current BIGTK was just received. Any
* newer update in the future with a larger timestamp value is an
* indication that a verified Beacon frame has been received. */
if (wpa_supplicant_update_scan_results(wpa_s, wpa_s->bssid) < 0)
return;
bss = wpa_bss_get_bssid_latest(wpa_s, wpa_s->bssid);
if (!bss)
return;
wpa_printf(MSG_DEBUG, "The initial beacon time stamp: 0x%llx",
(long long unsigned int) bss->tsf);
wpa_s->first_beacon_tsf = bss->tsf;
wpa_s->beacons_checked = 0;
wpa_s->next_beacon_check = 1;
eloop_cancel_timeout(wpas_verify_ssid_beacon, wpa_s, NULL);
eloop_register_timeout(1, 0, wpas_verify_ssid_beacon, wpa_s, NULL);
}
/**
* wpa_supplicant_set_state - Set current connection state
* @wpa_s: Pointer to wpa_supplicant data
* @state: The new connection state
*
* This function is called whenever the connection state changes, e.g.,
* association is completed for WPA/WPA2 4-Way Handshake is started.
*/
void wpa_supplicant_set_state(struct wpa_supplicant *wpa_s,
enum wpa_states state)
{
enum wpa_states old_state = wpa_s->wpa_state;
#if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
bool update_fils_connect_params = false;
#endif /* CONFIG_FILS && IEEE8021X_EAPOL */
wpa_dbg(wpa_s, MSG_DEBUG, "State: %s -> %s",
wpa_supplicant_state_txt(wpa_s->wpa_state),
wpa_supplicant_state_txt(state));
if (state == WPA_COMPLETED &&
os_reltime_initialized(&wpa_s->roam_start)) {
os_reltime_age(&wpa_s->roam_start, &wpa_s->roam_time);
wpa_s->roam_start.sec = 0;
wpa_s->roam_start.usec = 0;
wpas_notify_auth_changed(wpa_s);
wpas_notify_roam_time(wpa_s);
wpas_notify_roam_complete(wpa_s);
} else if (state == WPA_DISCONNECTED &&
os_reltime_initialized(&wpa_s->roam_start)) {
wpa_s->roam_start.sec = 0;
wpa_s->roam_start.usec = 0;
wpa_s->roam_time.sec = 0;
wpa_s->roam_time.usec = 0;
wpas_notify_roam_complete(wpa_s);
}
if (state == WPA_INTERFACE_DISABLED) {
/* Assure normal scan when interface is restored */
wpa_s->normal_scans = 0;
}
if (state == WPA_COMPLETED) {
wpas_connect_work_done(wpa_s);
/* Reinitialize normal_scan counter */
wpa_s->normal_scans = 0;
}
#ifdef CONFIG_P2P
/*
* P2PS client has to reply to Probe Request frames received on the
* group operating channel. Enable Probe Request frame reporting for
* P2P connected client in case p2p_cli_probe configuration property is
* set to 1.
*/
if (wpa_s->conf->p2p_cli_probe && wpa_s->current_ssid &&
wpa_s->current_ssid->mode == WPAS_MODE_INFRA &&
wpa_s->current_ssid->p2p_group) {
if (state == WPA_COMPLETED && !wpa_s->p2p_cli_probe) {
wpa_dbg(wpa_s, MSG_DEBUG,
"P2P: Enable CLI Probe Request RX reporting");
wpa_s->p2p_cli_probe =
wpa_drv_probe_req_report(wpa_s, 1) >= 0;
} else if (state != WPA_COMPLETED && wpa_s->p2p_cli_probe) {
wpa_dbg(wpa_s, MSG_DEBUG,
"P2P: Disable CLI Probe Request RX reporting");
wpa_s->p2p_cli_probe = 0;
wpa_drv_probe_req_report(wpa_s, 0);
}
}
#endif /* CONFIG_P2P */
if (state != WPA_SCANNING)
wpa_supplicant_notify_scanning(wpa_s, 0);
if (state == WPA_COMPLETED && wpa_s->new_connection) {
struct wpa_ssid *ssid = wpa_s->current_ssid;
int fils_hlp_sent = 0;
char mld_addr[50];
mld_addr[0] = '\0';
if (wpa_s->valid_links)
os_snprintf(mld_addr, sizeof(mld_addr),
" ap_mld_addr=" MACSTR,
MAC2STR(wpa_s->ap_mld_addr));
#ifdef CONFIG_SME
if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
wpa_auth_alg_fils(wpa_s->sme.auth_alg))
fils_hlp_sent = 1;
#endif /* CONFIG_SME */
if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
wpa_auth_alg_fils(wpa_s->auth_alg))
fils_hlp_sent = 1;
#if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_CONNECTED "- Connection to "
MACSTR " completed [id=%d id_str=%s%s]%s",
MAC2STR(wpa_s->bssid),
ssid ? ssid->id : -1,
ssid && ssid->id_str ? ssid->id_str : "",
fils_hlp_sent ? " FILS_HLP_SENT" : "", mld_addr);
#endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
wpas_clear_temp_disabled(wpa_s, ssid, 1);
wpa_s->consecutive_conn_failures = 0;
wpa_s->new_connection = 0;
wpa_drv_set_operstate(wpa_s, 1);
#ifndef IEEE8021X_EAPOL
wpa_drv_set_supp_port(wpa_s, 1);
#endif /* IEEE8021X_EAPOL */
wpa_s->after_wps = 0;
wpa_s->known_wps_freq = 0;
wpas_p2p_completed(wpa_s);
sme_sched_obss_scan(wpa_s, 1);
#if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
if (!fils_hlp_sent && ssid && ssid->eap.erp)
update_fils_connect_params = true;
#endif /* CONFIG_FILS && IEEE8021X_EAPOL */
#ifdef CONFIG_OWE
if (ssid && (ssid->key_mgmt & WPA_KEY_MGMT_OWE))
wpas_update_owe_connect_params(wpa_s);
#endif /* CONFIG_OWE */
} else if (state == WPA_DISCONNECTED || state == WPA_ASSOCIATING ||
state == WPA_ASSOCIATED) {
wpa_s->new_connection = 1;
wpa_drv_set_operstate(wpa_s, 0);
#ifndef IEEE8021X_EAPOL
wpa_drv_set_supp_port(wpa_s, 0);
#endif /* IEEE8021X_EAPOL */
sme_sched_obss_scan(wpa_s, 0);
}
wpa_s->wpa_state = state;
#ifdef CONFIG_BGSCAN
if (state == WPA_COMPLETED && wpa_s->current_ssid != wpa_s->bgscan_ssid)
wpa_supplicant_reset_bgscan(wpa_s);
else if (state < WPA_ASSOCIATED)
wpa_supplicant_stop_bgscan(wpa_s);
#endif /* CONFIG_BGSCAN */
if (state > WPA_SCANNING)
wpa_supplicant_stop_autoscan(wpa_s);
if (state == WPA_DISCONNECTED || state == WPA_INACTIVE)
wpa_supplicant_start_autoscan(wpa_s);
if (state == WPA_COMPLETED || state == WPA_INTERFACE_DISABLED ||
state == WPA_INACTIVE)
wnm_btm_reset(wpa_s);
#ifndef CONFIG_NO_WMM_AC
if (old_state >= WPA_ASSOCIATED && wpa_s->wpa_state < WPA_ASSOCIATED)
wmm_ac_notify_disassoc(wpa_s);
#endif /* CONFIG_NO_WMM_AC */
if (wpa_s->wpa_state != old_state) {
wpas_notify_state_changed(wpa_s, wpa_s->wpa_state, old_state);
if (wpa_s->auth_bss && (wpa_s->wpa_state == WPA_DISCONNECTED ||
wpa_s->wpa_state == WPA_ASSOCIATED)) {
wpa_s->auth_bss = NULL;
wpas_notify_auth_bssid_changed(wpa_s);
}
/*
* Notify the P2P Device interface about a state change in one
* of the interfaces.
*/
wpas_p2p_indicate_state_change(wpa_s);
if (wpa_s->wpa_state == WPA_COMPLETED ||
old_state == WPA_COMPLETED)
wpas_notify_auth_changed(wpa_s);
#ifdef CONFIG_DPP2
if (wpa_s->wpa_state == WPA_COMPLETED)
wpas_dpp_connected(wpa_s);
#endif /* CONFIG_DPP2 */
if (wpa_s->wpa_state == WPA_COMPLETED &&
wpa_s->bigtk_set && !wpa_s->ssid_verified)
wpas_verify_ssid_beacon_prot(wpa_s);
}
#if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
if (update_fils_connect_params)
wpas_update_fils_connect_params(wpa_s);
#endif /* CONFIG_FILS && IEEE8021X_EAPOL */
}
void wpa_supplicant_terminate_proc(struct wpa_global *global)
{
int pending = 0;
#ifdef CONFIG_WPS
struct wpa_supplicant *wpa_s = global->ifaces;
while (wpa_s) {
struct wpa_supplicant *next = wpa_s->next;
if (wpas_wps_terminate_pending(wpa_s) == 1)
pending = 1;
#ifdef CONFIG_P2P
if (wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE ||
(wpa_s->current_ssid && wpa_s->current_ssid->p2p_group))
wpas_p2p_disconnect(wpa_s);
#endif /* CONFIG_P2P */
wpa_s = next;
}
#endif /* CONFIG_WPS */
if (pending)
return;
eloop_terminate();
}
static void wpa_supplicant_terminate(int sig, void *signal_ctx)
{
struct wpa_global *global = signal_ctx;
wpa_supplicant_terminate_proc(global);
}
void wpa_supplicant_clear_status(struct wpa_supplicant *wpa_s)
{
enum wpa_states old_state = wpa_s->wpa_state;
enum wpa_states new_state;
if (old_state == WPA_SCANNING)
new_state = WPA_SCANNING;
else
new_state = WPA_DISCONNECTED;
wpa_s->pairwise_cipher = 0;
wpa_s->group_cipher = 0;
wpa_s->mgmt_group_cipher = 0;
wpa_s->key_mgmt = 0;
wpa_s->allowed_key_mgmts = 0;
if (wpa_s->wpa_state != WPA_INTERFACE_DISABLED)
wpa_supplicant_set_state(wpa_s, new_state);
if (wpa_s->wpa_state != old_state)
wpas_notify_state_changed(wpa_s, wpa_s->wpa_state, old_state);
}
/**
* wpa_supplicant_reload_configuration - Reload configuration data
* @wpa_s: Pointer to wpa_supplicant data
* Returns: 0 on success or -1 if configuration parsing failed
*
* This function can be used to request that the configuration data is reloaded
* (e.g., after configuration file change). This function is reloading
* configuration only for one interface, so this may need to be called multiple
* times if %wpa_supplicant is controlling multiple interfaces and all
* interfaces need reconfiguration.
*/
int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
{
struct wpa_config *conf;
int reconf_ctrl;
int old_ap_scan;
if (wpa_s->confname == NULL)
return -1;
conf = wpa_config_read(wpa_s->confname, NULL, false);
if (conf == NULL) {
wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
"file '%s' - exiting", wpa_s->confname);
return -1;
}
if (wpa_s->confanother &&
!wpa_config_read(wpa_s->confanother, conf, true)) {
wpa_msg(wpa_s, MSG_ERROR,
"Failed to parse the configuration file '%s' - exiting",
wpa_s->confanother);
return -1;
}
conf->changed_parameters = (unsigned int) -1;
reconf_ctrl = !!conf->ctrl_interface != !!wpa_s->conf->ctrl_interface
|| (conf->ctrl_interface && wpa_s->conf->ctrl_interface &&
os_strcmp(conf->ctrl_interface,
wpa_s->conf->ctrl_interface) != 0);
if (reconf_ctrl) {
wpa_supplicant_ctrl_iface_deinit(wpa_s, wpa_s->ctrl_iface);
wpa_s->ctrl_iface = NULL;
}
eapol_sm_invalidate_cached_session(wpa_s->eapol);
if (wpa_s->current_ssid) {
if (wpa_s->wpa_state >= WPA_AUTHENTICATING)
wpa_s->own_disconnect_req = 1;
wpa_supplicant_deauthenticate(wpa_s,
WLAN_REASON_DEAUTH_LEAVING);
}
/*
* TODO: should notify EAPOL SM about changes in opensc_engine_path,
* pkcs11_engine_path, pkcs11_module_path, openssl_ciphers.
*/
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE ||
wpa_s->key_mgmt == WPA_KEY_MGMT_DPP) {
/*
* Clear forced success to clear EAP state for next
* authentication.
*/
eapol_sm_notify_eap_success(wpa_s->eapol, false);
}
eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);
wpa_sm_set_config(wpa_s->wpa, NULL);
wpa_sm_pmksa_cache_flush(wpa_s->wpa, NULL);
wpa_sm_set_fast_reauth(wpa_s->wpa, wpa_s->conf->fast_reauth);
rsn_preauth_deinit(wpa_s->wpa);
old_ap_scan = wpa_s->conf->ap_scan;
wpa_config_free(wpa_s->conf);
wpa_s->conf = conf;
if (old_ap_scan != wpa_s->conf->ap_scan)
wpas_notify_ap_scan_changed(wpa_s);
if (reconf_ctrl)
wpa_s->ctrl_iface = wpa_supplicant_ctrl_iface_init(wpa_s);
wpa_supplicant_update_config(wpa_s);
wpa_supplicant_clear_status(wpa_s);
if (wpa_supplicant_enabled_networks(wpa_s)) {
wpa_s->reassociate = 1;
wpa_supplicant_req_scan(wpa_s, 0, 0);
}
wpa_bssid_ignore_clear(wpa_s);
wpa_dbg(wpa_s, MSG_DEBUG, "Reconfiguration completed");
return 0;
}
static void wpa_supplicant_reconfig(int sig, void *signal_ctx)
{
struct wpa_global *global = signal_ctx;
struct wpa_supplicant *wpa_s;
for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
wpa_dbg(wpa_s, MSG_DEBUG, "Signal %d received - reconfiguring",
sig);
if (wpa_supplicant_reload_configuration(wpa_s) < 0) {
wpa_supplicant_terminate_proc(global);
}
}
if (wpa_debug_reopen_file() < 0) {
/* Ignore errors since we cannot really do much to fix this */
wpa_printf(MSG_DEBUG, "Could not reopen debug log file");
}
}
static int wpa_supplicant_suites_from_ai(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid,
struct wpa_ie_data *ie)
{
int ret = wpa_sm_parse_own_wpa_ie(wpa_s->wpa, ie);
if (ret) {
if (ret == -2) {
wpa_msg(wpa_s, MSG_INFO, "WPA: Failed to parse WPA IE "
"from association info");
}
return -1;
}
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Using WPA IE from AssocReq to set "
"cipher suites");
if (!(ie->group_cipher & ssid->group_cipher)) {
wpa_msg(wpa_s, MSG_INFO, "WPA: Driver used disabled group "
"cipher 0x%x (mask 0x%x) - reject",
ie->group_cipher, ssid->group_cipher);
return -1;
}
if (!(ie->pairwise_cipher & ssid->pairwise_cipher)) {
wpa_msg(wpa_s, MSG_INFO, "WPA: Driver used disabled pairwise "
"cipher 0x%x (mask 0x%x) - reject",
ie->pairwise_cipher, ssid->pairwise_cipher);
return -1;
}
if (!(ie->key_mgmt & ssid->key_mgmt)) {
wpa_msg(wpa_s, MSG_INFO, "WPA: Driver used disabled key "
"management 0x%x (mask 0x%x) - reject",
ie->key_mgmt, ssid->key_mgmt);
return -1;
}
if (!(ie->capabilities & WPA_CAPABILITY_MFPC) &&
wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED) {
wpa_msg(wpa_s, MSG_INFO, "WPA: Driver associated with an AP "
"that does not support management frame protection - "
"reject");
return -1;
}
return 0;
}
static int matching_ciphers(struct wpa_ssid *ssid, struct wpa_ie_data *ie,
int freq)
{
if (!ie->has_group)
ie->group_cipher = wpa_default_rsn_cipher(freq);
if (!ie->has_pairwise)
ie->pairwise_cipher = wpa_default_rsn_cipher(freq);
return (ie->group_cipher & ssid->group_cipher) &&
(ie->pairwise_cipher & ssid->pairwise_cipher);
}
void wpas_set_mgmt_group_cipher(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid, struct wpa_ie_data *ie)
{
int sel;
sel = ie->mgmt_group_cipher;
if (ssid->group_mgmt_cipher)
sel &= ssid->group_mgmt_cipher;
if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION ||
!(ie->capabilities & WPA_CAPABILITY_MFPC))
sel = 0;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: AP mgmt_group_cipher 0x%x network profile mgmt_group_cipher 0x%x; available mgmt_group_cipher 0x%x",
ie->mgmt_group_cipher, ssid->group_mgmt_cipher, sel);
if (sel & WPA_CIPHER_AES_128_CMAC) {
wpa_s->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using MGMT group cipher AES-128-CMAC");
} else if (sel & WPA_CIPHER_BIP_GMAC_128) {
wpa_s->mgmt_group_cipher = WPA_CIPHER_BIP_GMAC_128;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using MGMT group cipher BIP-GMAC-128");
} else if (sel & WPA_CIPHER_BIP_GMAC_256) {
wpa_s->mgmt_group_cipher = WPA_CIPHER_BIP_GMAC_256;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using MGMT group cipher BIP-GMAC-256");
} else if (sel & WPA_CIPHER_BIP_CMAC_256) {
wpa_s->mgmt_group_cipher = WPA_CIPHER_BIP_CMAC_256;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using MGMT group cipher BIP-CMAC-256");
} else {
wpa_s->mgmt_group_cipher = 0;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: not using MGMT group cipher");
}
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_MGMT_GROUP,
wpa_s->mgmt_group_cipher);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_MFP,
wpas_get_ssid_pmf(wpa_s, ssid));
}
/**
* wpa_supplicant_get_psk - Get PSK from config or external database
* @wpa_s: Pointer to wpa_supplicant data
* @bss: Scan results for the selected BSS, or %NULL if not available
* @ssid: Configuration data for the selected network
* @psk: Buffer for the PSK
* Returns: 0 on success or -1 if configuration parsing failed
*
* This function obtains the PSK for a network, either included inline in the
* config or retrieved from an external database.
*/
static int wpa_supplicant_get_psk(struct wpa_supplicant *wpa_s,
struct wpa_bss *bss, struct wpa_ssid *ssid,
u8 *psk)
{
if (ssid->psk_set) {
wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)",
ssid->psk, PMK_LEN);
os_memcpy(psk, ssid->psk, PMK_LEN);
return 0;
}
#ifndef CONFIG_NO_PBKDF2
if (bss && ssid->bssid_set && ssid->ssid_len == 0 && ssid->passphrase) {
if (pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
4096, psk, PMK_LEN) != 0) {
wpa_msg(wpa_s, MSG_WARNING, "Error in pbkdf2_sha1()");
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
psk, PMK_LEN);
return 0;
}
#endif /* CONFIG_NO_PBKDF2 */
#ifdef CONFIG_EXT_PASSWORD
if (ssid->ext_psk) {
struct wpabuf *pw = ext_password_get(wpa_s->ext_pw,
ssid->ext_psk);
char pw_str[64 + 1];
if (!pw) {
wpa_msg(wpa_s, MSG_INFO,
"EXT PW: No PSK found from external storage");
return -1;
}
if (wpabuf_len(pw) < 8 || wpabuf_len(pw) > 64) {
wpa_msg(wpa_s, MSG_INFO,
"EXT PW: Unexpected PSK length %d in external storage",
(int) wpabuf_len(pw));
ext_password_free(pw);
return -1;
}
os_memcpy(pw_str, wpabuf_head(pw), wpabuf_len(pw));
pw_str[wpabuf_len(pw)] = '\0';
#ifndef CONFIG_NO_PBKDF2
if (wpabuf_len(pw) >= 8 && wpabuf_len(pw) < 64 && bss)
{
if (pbkdf2_sha1(pw_str, bss->ssid, bss->ssid_len,
4096, psk, PMK_LEN) != 0) {
wpa_msg(wpa_s, MSG_WARNING,
"Error in pbkdf2_sha1()");
forced_memzero(pw_str, sizeof(pw_str));
ext_password_free(pw);
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP,
"PSK (from external passphrase)",
psk, PMK_LEN);
} else
#endif /* CONFIG_NO_PBKDF2 */
if (wpabuf_len(pw) == 2 * PMK_LEN) {
if (hexstr2bin(pw_str, psk, PMK_LEN) < 0) {
wpa_msg(wpa_s, MSG_INFO,
"EXT PW: Invalid PSK hex string");
forced_memzero(pw_str, sizeof(pw_str));
ext_password_free(pw);
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from external PSK)",
psk, PMK_LEN);
} else {
wpa_msg(wpa_s, MSG_INFO,
"EXT PW: No suitable PSK available");
forced_memzero(pw_str, sizeof(pw_str));
ext_password_free(pw);
return -1;
}
forced_memzero(pw_str, sizeof(pw_str));
ext_password_free(pw);
return 0;
}
#endif /* CONFIG_EXT_PASSWORD */
return -1;
}
static void wpas_update_allowed_key_mgmt(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid)
{
int akm_count = wpa_s->max_num_akms;
u8 capab = 0;
if (akm_count < 2)
return;
akm_count--;
wpa_s->allowed_key_mgmts = 0;
switch (wpa_s->key_mgmt) {
case WPA_KEY_MGMT_PSK:
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_SAE;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_SAE_EXT_KEY;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256)
wpa_s->allowed_key_mgmts |=
WPA_KEY_MGMT_PSK_SHA256;
break;
case WPA_KEY_MGMT_PSK_SHA256:
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_SAE;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_SAE_EXT_KEY;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK)
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_PSK;
break;
case WPA_KEY_MGMT_SAE:
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_PSK;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_SAE_EXT_KEY;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256)
wpa_s->allowed_key_mgmts |=
WPA_KEY_MGMT_PSK_SHA256;
break;
case WPA_KEY_MGMT_SAE_EXT_KEY:
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_SAE;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK) {
akm_count--;
wpa_s->allowed_key_mgmts |= WPA_KEY_MGMT_PSK;
}
if (!akm_count)
break;
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256)
wpa_s->allowed_key_mgmts |=
WPA_KEY_MGMT_PSK_SHA256;
break;
default:
return;
}
if (wpa_s->conf->sae_pwe != SAE_PWE_HUNT_AND_PECK &&
wpa_s->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK)
capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
#ifdef CONFIG_SAE_PK
if (ssid->sae_pk)
capab |= BIT(WLAN_RSNX_CAPAB_SAE_PK);
#endif /* CONFIG_SAE_PK */
if (!((wpa_s->allowed_key_mgmts &
(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY)) && capab))
return;
if (!wpa_s->rsnxe_len) {
wpa_s->rsnxe_len = 3;
wpa_s->rsnxe[0] = WLAN_EID_RSNX;
wpa_s->rsnxe[1] = 1;
wpa_s->rsnxe[2] = 0;
}
wpa_s->rsnxe[2] |= capab;
}
/**
* wpa_supplicant_set_suites - Set authentication and encryption parameters
* @wpa_s: Pointer to wpa_supplicant data
* @bss: Scan results for the selected BSS, or %NULL if not available
* @ssid: Configuration data for the selected network
* @wpa_ie: Buffer for the WPA/RSN IE
* @wpa_ie_len: Maximum wpa_ie buffer size on input. This is changed to be the
* used buffer length in case the functions returns success.
* @skip_default_rsne: Whether to skip setting of the default RSNE/RSNXE
* Returns: 0 on success or -1 on failure
*
* This function is used to configure authentication and encryption parameters
* based on the network configuration and scan result for the selected BSS (if
* available).
*/
int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
struct wpa_bss *bss, struct wpa_ssid *ssid,
u8 *wpa_ie, size_t *wpa_ie_len,
bool skip_default_rsne)
{
struct wpa_ie_data ie;
int sel, proto;
enum sae_pwe sae_pwe;
const u8 *bss_wpa, *bss_rsn, *bss_rsnx, *bss_osen;
bool wmm;
if (bss) {
bss_wpa = wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE);
bss_rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
bss_rsnx = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
bss_osen = wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE);
} else {
bss_wpa = bss_rsn = bss_rsnx = bss_osen = NULL;
}
if (bss_rsn && (ssid->proto & WPA_PROTO_RSN) &&
wpa_parse_wpa_ie(bss_rsn, 2 + bss_rsn[1], &ie) == 0 &&
matching_ciphers(ssid, &ie, bss->freq) &&
(ie.key_mgmt & ssid->key_mgmt)) {
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using IEEE 802.11i/D9.0");
proto = WPA_PROTO_RSN;
} else if (bss_wpa && (ssid->proto & WPA_PROTO_WPA) &&
wpa_parse_wpa_ie(bss_wpa, 2 + bss_wpa[1], &ie) == 0 &&
(ie.group_cipher & ssid->group_cipher) &&
(ie.pairwise_cipher & ssid->pairwise_cipher) &&
(ie.key_mgmt & ssid->key_mgmt)) {
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using IEEE 802.11i/D3.0");
proto = WPA_PROTO_WPA;
#ifdef CONFIG_HS20
} else if (bss_osen && (ssid->proto & WPA_PROTO_OSEN) &&
wpa_parse_wpa_ie(bss_osen, 2 + bss_osen[1], &ie) == 0 &&
(ie.group_cipher & ssid->group_cipher) &&
(ie.pairwise_cipher & ssid->pairwise_cipher) &&
(ie.key_mgmt & ssid->key_mgmt)) {
wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using OSEN");
proto = WPA_PROTO_OSEN;
} else if (bss_rsn && (ssid->proto & WPA_PROTO_OSEN) &&
wpa_parse_wpa_ie(bss_rsn, 2 + bss_rsn[1], &ie) == 0 &&
(ie.group_cipher & ssid->group_cipher) &&
(ie.pairwise_cipher & ssid->pairwise_cipher) &&
(ie.key_mgmt & ssid->key_mgmt)) {
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using OSEN (within RSN)");
proto = WPA_PROTO_RSN;
#endif /* CONFIG_HS20 */
} else if (bss) {
wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select WPA/RSN");
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: ssid proto=0x%x pairwise_cipher=0x%x group_cipher=0x%x key_mgmt=0x%x",
ssid->proto, ssid->pairwise_cipher, ssid->group_cipher,
ssid->key_mgmt);
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: BSS " MACSTR " ssid='%s'%s%s%s",
MAC2STR(bss->bssid),
wpa_ssid_txt(bss->ssid, bss->ssid_len),
bss_wpa ? " WPA" : "",
bss_rsn ? " RSN" : "",
bss_osen ? " OSEN" : "");
if (bss_rsn) {
wpa_hexdump(MSG_DEBUG, "RSN", bss_rsn, 2 + bss_rsn[1]);
if (wpa_parse_wpa_ie(bss_rsn, 2 + bss_rsn[1], &ie)) {
wpa_dbg(wpa_s, MSG_DEBUG,
"Could not parse RSN element");
} else {
wpa_dbg(wpa_s, MSG_DEBUG,
"RSN: pairwise_cipher=0x%x group_cipher=0x%x key_mgmt=0x%x",
ie.pairwise_cipher, ie.group_cipher,
ie.key_mgmt);
}
}
if (bss_wpa) {
wpa_hexdump(MSG_DEBUG, "WPA", bss_wpa, 2 + bss_wpa[1]);
if (wpa_parse_wpa_ie(bss_wpa, 2 + bss_wpa[1], &ie)) {
wpa_dbg(wpa_s, MSG_DEBUG,
"Could not parse WPA element");
} else {
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: pairwise_cipher=0x%x group_cipher=0x%x key_mgmt=0x%x",
ie.pairwise_cipher, ie.group_cipher,
ie.key_mgmt);
}
}
return -1;
} else {
if (ssid->proto & WPA_PROTO_OSEN)
proto = WPA_PROTO_OSEN;
else if (ssid->proto & WPA_PROTO_RSN)
proto = WPA_PROTO_RSN;
else
proto = WPA_PROTO_WPA;
if (wpa_supplicant_suites_from_ai(wpa_s, ssid, &ie) < 0) {
os_memset(&ie, 0, sizeof(ie));
ie.group_cipher = ssid->group_cipher;
ie.pairwise_cipher = ssid->pairwise_cipher;
ie.key_mgmt = ssid->key_mgmt;
ie.mgmt_group_cipher = 0;
if (ssid->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
if (ssid->group_mgmt_cipher &
WPA_CIPHER_BIP_GMAC_256)
ie.mgmt_group_cipher =
WPA_CIPHER_BIP_GMAC_256;
else if (ssid->group_mgmt_cipher &
WPA_CIPHER_BIP_CMAC_256)
ie.mgmt_group_cipher =
WPA_CIPHER_BIP_CMAC_256;
else if (ssid->group_mgmt_cipher &
WPA_CIPHER_BIP_GMAC_128)
ie.mgmt_group_cipher =
WPA_CIPHER_BIP_GMAC_128;
else
ie.mgmt_group_cipher =
WPA_CIPHER_AES_128_CMAC;
}
#ifdef CONFIG_OWE
if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) &&
!ssid->owe_only &&
!bss_wpa && !bss_rsn && !bss_osen) {
wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
wpa_s->wpa_proto = 0;
*wpa_ie_len = 0;
return 0;
}
#endif /* CONFIG_OWE */
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Set cipher suites "
"based on configuration");
} else
proto = ie.proto;
}
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Selected cipher suites: group %d "
"pairwise %d key_mgmt %d proto %d",
ie.group_cipher, ie.pairwise_cipher, ie.key_mgmt, proto);
if (ssid->ieee80211w) {
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Selected mgmt group cipher %d",
ie.mgmt_group_cipher);
}
wpa_s->wpa_proto = proto;
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_PROTO, proto);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_RSN_ENABLED,
!!(ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)));
if (bss || !wpa_s->ap_ies_from_associnfo) {
if (wpa_sm_set_ap_wpa_ie(wpa_s->wpa, bss_wpa,
bss_wpa ? 2 + bss_wpa[1] : 0) ||
wpa_sm_set_ap_rsn_ie(wpa_s->wpa, bss_rsn,
bss_rsn ? 2 + bss_rsn[1] : 0) ||
wpa_sm_set_ap_rsnxe(wpa_s->wpa, bss_rsnx,
bss_rsnx ? 2 + bss_rsnx[1] : 0))
return -1;
}
#ifdef CONFIG_NO_WPA
wpa_s->group_cipher = WPA_CIPHER_NONE;
wpa_s->pairwise_cipher = WPA_CIPHER_NONE;
#else /* CONFIG_NO_WPA */
sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x",
ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel);
wpa_s->group_cipher = wpa_pick_group_cipher(sel);
if (wpa_s->group_cipher < 0) {
wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group "
"cipher");
return -1;
}
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s",
wpa_cipher_txt(wpa_s->group_cipher));
sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x",
ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers,
sel);
wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1);
if (wpa_s->pairwise_cipher < 0) {
wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise "
"cipher");
return -1;
}
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using PTK %s",
wpa_cipher_txt(wpa_s->pairwise_cipher));
#endif /* CONFIG_NO_WPA */
sel = ie.key_mgmt & ssid->key_mgmt;
#ifdef CONFIG_SAE
if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
!(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
wpas_is_sae_avoided(wpa_s, ssid, &ie))
sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
#endif /* CONFIG_SAE */
#ifdef CONFIG_IEEE80211R
if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
sel &= ~WPA_KEY_MGMT_FT;
#endif /* CONFIG_IEEE80211R */
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
ie.key_mgmt, ssid->key_mgmt, sel);
if (0) {
#ifdef CONFIG_IEEE80211R
#ifdef CONFIG_SHA384
} else if ((sel & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) &&
os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT FT/802.1X-SHA384");
if (!ssid->ft_eap_pmksa_caching &&
pmksa_cache_get_current(wpa_s->wpa)) {
/* PMKSA caching with FT may have interoperability
* issues, so disable that case by default for now. */
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: Disable PMKSA caching for FT/802.1X connection");
pmksa_cache_clear_current(wpa_s->wpa);
}
#endif /* CONFIG_SHA384 */
#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SUITEB192
} else if (sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT 802.1X with Suite B (192-bit)");
#endif /* CONFIG_SUITEB192 */
#ifdef CONFIG_SUITEB
} else if (sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT 802.1X with Suite B");
#endif /* CONFIG_SUITEB */
#ifdef CONFIG_SHA384
} else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA384) {
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT 802.1X with SHA384");
#endif /* CONFIG_SHA384 */
#ifdef CONFIG_FILS
#ifdef CONFIG_IEEE80211R
} else if (sel & WPA_KEY_MGMT_FT_FILS_SHA384) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT-FILS-SHA384");
#endif /* CONFIG_IEEE80211R */
} else if (sel & WPA_KEY_MGMT_FILS_SHA384) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FILS_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FILS-SHA384");
#ifdef CONFIG_IEEE80211R
} else if (sel & WPA_KEY_MGMT_FT_FILS_SHA256) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA256;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT-FILS-SHA256");
#endif /* CONFIG_IEEE80211R */
} else if (sel & WPA_KEY_MGMT_FILS_SHA256) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FILS_SHA256;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FILS-SHA256");
#endif /* CONFIG_FILS */
#ifdef CONFIG_IEEE80211R
} else if ((sel & WPA_KEY_MGMT_FT_IEEE8021X) &&
os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X");
if (!ssid->ft_eap_pmksa_caching &&
pmksa_cache_get_current(wpa_s->wpa)) {
/* PMKSA caching with FT may have interoperability
* issues, so disable that case by default for now. */
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: Disable PMKSA caching for FT/802.1X connection");
pmksa_cache_clear_current(wpa_s->wpa);
}
#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_DPP
} else if (sel & WPA_KEY_MGMT_DPP) {
wpa_s->key_mgmt = WPA_KEY_MGMT_DPP;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT DPP");
#endif /* CONFIG_DPP */
#ifdef CONFIG_SAE
} else if (sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY;
wpa_dbg(wpa_s, MSG_DEBUG,
"RSN: using KEY_MGMT FT/SAE (ext key)");
} else if (sel & WPA_KEY_MGMT_SAE_EXT_KEY) {
wpa_s->key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE (ext key)");
} else if (sel & WPA_KEY_MGMT_FT_SAE) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE");
} else if (sel & WPA_KEY_MGMT_SAE) {
wpa_s->key_mgmt = WPA_KEY_MGMT_SAE;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE");
#endif /* CONFIG_SAE */
#ifdef CONFIG_IEEE80211R
} else if (sel & WPA_KEY_MGMT_FT_PSK) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_PSK;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/PSK");
#endif /* CONFIG_IEEE80211R */
} else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA256) {
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT 802.1X with SHA256");
} else if (sel & WPA_KEY_MGMT_PSK_SHA256) {
wpa_s->key_mgmt = WPA_KEY_MGMT_PSK_SHA256;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT PSK with SHA256");
} else if (sel & WPA_KEY_MGMT_IEEE8021X) {
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X");
} else if (sel & WPA_KEY_MGMT_PSK) {
wpa_s->key_mgmt = WPA_KEY_MGMT_PSK;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT WPA-PSK");
} else if (sel & WPA_KEY_MGMT_WPA_NONE) {
wpa_s->key_mgmt = WPA_KEY_MGMT_WPA_NONE;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT WPA-NONE");
#ifdef CONFIG_HS20
} else if (sel & WPA_KEY_MGMT_OSEN) {
wpa_s->key_mgmt = WPA_KEY_MGMT_OSEN;
wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using KEY_MGMT OSEN");
#endif /* CONFIG_HS20 */
#ifdef CONFIG_OWE
} else if (sel & WPA_KEY_MGMT_OWE) {
wpa_s->key_mgmt = WPA_KEY_MGMT_OWE;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT OWE");
#endif /* CONFIG_OWE */
} else {
wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select "
"authenticated key management type");
return -1;
}
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_KEY_MGMT, wpa_s->key_mgmt);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_PAIRWISE,
wpa_s->pairwise_cipher);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_GROUP, wpa_s->group_cipher);
if (!(ie.capabilities & WPA_CAPABILITY_MFPC) &&
(wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED ||
(bss && is_6ghz_freq(bss->freq)))) {
wpa_msg(wpa_s, MSG_INFO,
"RSN: Management frame protection required but the selected AP does not enable it");
return -1;
}
wpas_set_mgmt_group_cipher(wpa_s, ssid, &ie);
#ifdef CONFIG_OCV
if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) ||
(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_OCV))
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCV, ssid->ocv);
#endif /* CONFIG_OCV */
sae_pwe = wpa_s->conf->sae_pwe;
if ((ssid->sae_password_id ||
wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) &&
sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK)
sae_pwe = SAE_PWE_HASH_TO_ELEMENT;
if (bss && is_6ghz_freq(bss->freq) &&
sae_pwe == SAE_PWE_HUNT_AND_PECK) {
wpa_dbg(wpa_s, MSG_DEBUG,
"RSN: Enable SAE hash-to-element mode for 6 GHz BSS");
sae_pwe = SAE_PWE_BOTH;
}
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe);
#ifdef CONFIG_SAE_PK
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PK,
wpa_key_mgmt_sae(ssid->key_mgmt) &&
ssid->sae_pk != SAE_PK_MODE_DISABLED &&
((ssid->sae_password &&
sae_pk_valid_password(ssid->sae_password)) ||
(!ssid->sae_password && ssid->passphrase &&
sae_pk_valid_password(ssid->passphrase))));
#endif /* CONFIG_SAE_PK */
if (bss && is_6ghz_freq(bss->freq) &&
wpas_get_ssid_pmf(wpa_s, ssid) != MGMT_FRAME_PROTECTION_REQUIRED) {
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: Force MFPR=1 on 6 GHz");
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_MFP,
MGMT_FRAME_PROTECTION_REQUIRED);
}
#ifdef CONFIG_TESTING_OPTIONS
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_FT_RSNXE_USED,
wpa_s->ft_rsnxe_used);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCI_FREQ_EAPOL,
wpa_s->oci_freq_override_eapol);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCI_FREQ_EAPOL_G2,
wpa_s->oci_freq_override_eapol_g2);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCI_FREQ_FT_ASSOC,
wpa_s->oci_freq_override_ft_assoc);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCI_FREQ_FILS_ASSOC,
wpa_s->oci_freq_override_fils_assoc);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_DISABLE_EAPOL_G2_TX,
wpa_s->disable_eapol_g2_tx);
#endif /* CONFIG_TESTING_OPTIONS */
/* Extended Key ID is only supported in infrastructure BSS so far */
if (ssid->mode == WPAS_MODE_INFRA && wpa_s->conf->extended_key_id &&
(ssid->proto & WPA_PROTO_RSN) &&
ssid->pairwise_cipher & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 |
WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256) &&
(wpa_s->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)) {
int use_ext_key_id = 0;
wpa_msg(wpa_s, MSG_DEBUG,
"WPA: Enable Extended Key ID support");
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXT_KEY_ID,
wpa_s->conf->extended_key_id);
if (bss_rsn &&
wpa_s->conf->extended_key_id &&
wpa_s->pairwise_cipher != WPA_CIPHER_TKIP &&
(ie.capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST))
use_ext_key_id = 1;
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_USE_EXT_KEY_ID,
use_ext_key_id);
} else {
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXT_KEY_ID, 0);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_USE_EXT_KEY_ID, 0);
}
/* Mark WMM enabled for any HT/VHT/HE/EHT association to get more
* appropriate advertisement of the supported number of PTKSA receive
* counters. In theory, this could be based on a driver capability, but
* in practice all cases using WMM support at least eight replay
* counters, so use a hardcoded value for now since there is no explicit
* driver capability indication for this.
*
* In addition, claim WMM to be enabled if the AP supports it since it
* is far more likely for any current device to support WMM. */
wmm = wpa_s->connection_set &&
(wpa_s->connection_ht || wpa_s->connection_vht ||
wpa_s->connection_he || wpa_s->connection_eht);
if (!wmm && bss)
wmm = !!wpa_bss_get_vendor_ie(bss, WMM_IE_VENDOR_TYPE);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_WMM_ENABLED, wmm);
if (ssid->ssid_protection && proto == WPA_PROTO_RSN) {
bool ssid_prot;
/* Enable SSID protection based on the AP advertising support
* for it to avoid potential interoperability issues with
* incorrect AP behavior if we were to send an "unexpected"
* RSNXE with multiple octets of payload. */
ssid_prot = ieee802_11_rsnx_capab(
bss_rsnx, WLAN_RSNX_CAPAB_SSID_PROTECTION);
if (!skip_default_rsne)
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SSID_PROTECTION,
proto == WPA_PROTO_RSN && ssid_prot);
} else {
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SSID_PROTECTION, false);
}
if (!skip_default_rsne) {
if (wpa_sm_set_assoc_wpa_ie_default(wpa_s->wpa, wpa_ie,
wpa_ie_len)) {
wpa_msg(wpa_s, MSG_WARNING,
"RSN: Failed to generate RSNE/WPA IE");
return -1;
}
wpa_s->rsnxe_len = sizeof(wpa_s->rsnxe);
if (wpa_sm_set_assoc_rsnxe_default(wpa_s->wpa, wpa_s->rsnxe,
&wpa_s->rsnxe_len)) {
wpa_msg(wpa_s, MSG_WARNING,
"RSN: Failed to generate RSNXE");
return -1;
}
}
if (0) {
#ifdef CONFIG_DPP
} else if (wpa_s->key_mgmt == WPA_KEY_MGMT_DPP) {
/* Use PMK from DPP network introduction (PMKSA entry) */
wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
#ifdef CONFIG_DPP2
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_DPP_PFS, ssid->dpp_pfs);
#endif /* CONFIG_DPP2 */
#endif /* CONFIG_DPP */
} else if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
int psk_set = 0;
if (wpa_key_mgmt_wpa_psk_no_sae(ssid->key_mgmt)) {
u8 psk[PMK_LEN];
if (wpa_supplicant_get_psk(wpa_s, bss, ssid,
psk) == 0) {
wpa_sm_set_pmk(wpa_s->wpa, psk, PMK_LEN, NULL,
NULL);
psk_set = 1;
}
forced_memzero(psk, sizeof(psk));
}
if (wpa_key_mgmt_sae(ssid->key_mgmt) &&
(ssid->sae_password || ssid->passphrase || ssid->ext_psk))
psk_set = 1;
if (!psk_set) {
wpa_msg(wpa_s, MSG_INFO,
"No PSK available for association");
wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE", NULL);
return -1;
}
#ifdef CONFIG_OWE
} else if (wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) {
/* OWE Diffie-Hellman exchange in (Re)Association
* Request/Response frames set the PMK, so do not override it
* here. */
#endif /* CONFIG_OWE */
} else
wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
if (ssid->mode != WPAS_MODE_IBSS &&
!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_WIRED) &&
(ssid->wpa_deny_ptk0_rekey == PTK0_REKEY_ALLOW_NEVER ||
(ssid->wpa_deny_ptk0_rekey == PTK0_REKEY_ALLOW_LOCAL_OK &&
!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAFE_PTK0_REKEYS)))) {
wpa_msg(wpa_s, MSG_INFO,
"Disable PTK0 rekey support - replaced with reconnect");
wpa_s->deny_ptk0_rekey = 1;
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_DENY_PTK0_REKEY, 1);
} else {
wpa_s->deny_ptk0_rekey = 0;
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_DENY_PTK0_REKEY, 0);
}
if (wpa_key_mgmt_cross_akm(wpa_s->key_mgmt) &&
!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME))
wpas_update_allowed_key_mgmt(wpa_s, ssid);
return 0;
}
static void wpas_ext_capab_byte(struct wpa_supplicant *wpa_s, u8 *pos, int idx,
struct wpa_bss *bss)
{
#ifndef CONFIG_NO_ROBUST_AV
bool scs = true, mscs = true;
#endif /* CONFIG_NO_ROBUST_AV */
*pos = 0x00;
switch (idx) {
case 0: /* Bits 0-7 */
break;
case 1: /* Bits 8-15 */
if (wpa_s->conf->coloc_intf_reporting) {
/* Bit 13 - Collocated Interference Reporting */
*pos |= 0x20;
}
break;
case 2: /* Bits 16-23 */
#ifdef CONFIG_WNM
*pos |= 0x02; /* Bit 17 - WNM-Sleep Mode */
if ((wpas_driver_bss_selection(wpa_s) ||
!wpa_s->disable_mbo_oce) &&
!wpa_s->conf->disable_btm)
*pos |= 0x08; /* Bit 19 - BSS Transition */
#endif /* CONFIG_WNM */
break;
case 3: /* Bits 24-31 */
#ifdef CONFIG_WNM
*pos |= 0x02; /* Bit 25 - SSID List */
#endif /* CONFIG_WNM */
#ifdef CONFIG_INTERWORKING
if (wpa_s->conf->interworking)
*pos |= 0x80; /* Bit 31 - Interworking */
#endif /* CONFIG_INTERWORKING */
break;
case 4: /* Bits 32-39 */
#ifdef CONFIG_INTERWORKING
if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_QOS_MAPPING)
*pos |= 0x01; /* Bit 32 - QoS Map */
#endif /* CONFIG_INTERWORKING */
break;
case 5: /* Bits 40-47 */
#ifdef CONFIG_HS20
if (wpa_s->conf->hs20)
*pos |= 0x40; /* Bit 46 - WNM-Notification */
#endif /* CONFIG_HS20 */
#ifdef CONFIG_MBO
*pos |= 0x40; /* Bit 46 - WNM-Notification */
#endif /* CONFIG_MBO */
break;
case 6: /* Bits 48-55 */
#ifndef CONFIG_NO_ROBUST_AV
#ifdef CONFIG_TESTING_OPTIONS
if (wpa_s->disable_scs_support)
scs = false;
#endif /* CONFIG_TESTING_OPTIONS */
if (bss && !wpa_bss_ext_capab(bss, WLAN_EXT_CAPAB_SCS)) {
/* Drop own SCS capability indication since the AP does
* not support it. This is needed to avoid
* interoperability issues with APs that get confused
* with Extended Capabilities element. */
scs = false;
}
if (scs)
*pos |= 0x40; /* Bit 54 - SCS */
#endif /* CONFIG_NO_ROBUST_AV */
break;
case 7: /* Bits 56-63 */
break;
case 8: /* Bits 64-71 */
if (wpa_s->conf->ftm_responder)
*pos |= 0x40; /* Bit 70 - FTM responder */
if (wpa_s->conf->ftm_initiator)
*pos |= 0x80; /* Bit 71 - FTM initiator */
break;
case 9: /* Bits 72-79 */
#ifdef CONFIG_FILS
if (!wpa_s->disable_fils)
*pos |= 0x01;
#endif /* CONFIG_FILS */
break;
case 10: /* Bits 80-87 */
#ifndef CONFIG_NO_ROBUST_AV
#ifdef CONFIG_TESTING_OPTIONS
if (wpa_s->disable_mscs_support)
mscs = false;
#endif /* CONFIG_TESTING_OPTIONS */
if (bss && !wpa_bss_ext_capab(bss, WLAN_EXT_CAPAB_MSCS)) {
/* Drop own MSCS capability indication since the AP does
* not support it. This is needed to avoid
* interoperability issues with APs that get confused
* with Extended Capabilities element. */
mscs = false;
}
if (mscs)
*pos |= 0x20; /* Bit 85 - Mirrored SCS */
#endif /* CONFIG_NO_ROBUST_AV */
break;
}
}
int wpas_build_ext_capab(struct wpa_supplicant *wpa_s, u8 *buf,
size_t buflen, struct wpa_bss *bss)
{
u8 *pos = buf;
u8 len = 11, i;
if (len < wpa_s->extended_capa_len)
len = wpa_s->extended_capa_len;
if (buflen < (size_t) len + 2) {
wpa_printf(MSG_INFO,
"Not enough room for building extended capabilities element");
return -1;
}
*pos++ = WLAN_EID_EXT_CAPAB;
*pos++ = len;
for (i = 0; i < len; i++, pos++) {
wpas_ext_capab_byte(wpa_s, pos, i, bss);
if (i < wpa_s->extended_capa_len) {
*pos &= ~wpa_s->extended_capa_mask[i];
*pos |= wpa_s->extended_capa[i];
}
}
while (len > 0 && buf[1 + len] == 0) {
len--;
buf[1] = len;
}
if (len == 0)
return 0;
return 2 + len;
}
static int wpas_valid_bss(struct wpa_supplicant *wpa_s,
struct wpa_bss *test_bss)
{
struct wpa_bss *bss;
dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
if (bss == test_bss)
return 1;
}
return 0;
}
static int wpas_valid_ssid(struct wpa_supplicant *wpa_s,
struct wpa_ssid *test_ssid)
{
struct wpa_ssid *ssid;
for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
if (ssid == test_ssid)
return 1;
}
return 0;
}
int wpas_valid_bss_ssid(struct wpa_supplicant *wpa_s, struct wpa_bss *test_bss,
struct wpa_ssid *test_ssid)
{
if (test_bss && !wpas_valid_bss(wpa_s, test_bss))
return 0;
return test_ssid == NULL || wpas_valid_ssid(wpa_s, test_ssid);
}
void wpas_connect_work_free(struct wpa_connect_work *cwork)
{
if (cwork == NULL)
return;
os_free(cwork);
}
void wpas_connect_work_done(struct wpa_supplicant *wpa_s)
{
struct wpa_connect_work *cwork;
struct wpa_radio_work *work = wpa_s->connect_work;
if (!work)
return;
wpa_s->connect_work = NULL;
cwork = work->ctx;
work->ctx = NULL;
wpas_connect_work_free(cwork);
radio_work_done(work);
}
int wpas_update_random_addr(struct wpa_supplicant *wpa_s,
enum wpas_mac_addr_style style,
struct wpa_ssid *ssid)
{
struct os_reltime now;
u8 addr[ETH_ALEN];
os_get_reltime(&now);
/* Random addresses are valid within a given ESS so check
* expiration/value only when continuing to use the same ESS. */
if (wpa_s->last_mac_addr_style == style && wpa_s->reassoc_same_ess) {
if (style == WPAS_MAC_ADDR_STYLE_DEDICATED_PER_ESS) {
/* Pregenerated addresses do not expire but their value
* might have changed, so let's check that. */
if (ether_addr_equal(wpa_s->own_addr, ssid->mac_value))
return 0;
} else if ((wpa_s->last_mac_addr_change.sec != 0 ||
wpa_s->last_mac_addr_change.usec != 0) &&
!os_reltime_expired(
&now,
&wpa_s->last_mac_addr_change,
wpa_s->conf->rand_addr_lifetime)) {
wpa_msg(wpa_s, MSG_DEBUG,
"Previously selected random MAC address has not yet expired");
return 0;
}
}
switch (style) {
case WPAS_MAC_ADDR_STYLE_RANDOM:
if (random_mac_addr(addr) < 0)
return -1;
break;
case WPAS_MAC_ADDR_STYLE_RANDOM_SAME_OUI:
os_memcpy(addr, wpa_s->perm_addr, ETH_ALEN);
if (random_mac_addr_keep_oui(addr) < 0)
return -1;
break;
case WPAS_MAC_ADDR_STYLE_DEDICATED_PER_ESS:
if (!ssid) {
wpa_msg(wpa_s, MSG_INFO,
"Invalid 'ssid' for address policy 3");
return -1;
}
os_memcpy(addr, ssid->mac_value, ETH_ALEN);
break;
default:
return -1;
}
if (wpa_drv_set_mac_addr(wpa_s, addr) < 0) {
wpa_msg(wpa_s, MSG_INFO,
"Failed to set random MAC address");
return -1;
}
os_get_reltime(&wpa_s->last_mac_addr_change);
wpa_s->mac_addr_changed = 1;
wpa_s->last_mac_addr_style = style;
if (wpa_supplicant_update_mac_addr(wpa_s) < 0) {
wpa_msg(wpa_s, MSG_INFO,
"Could not update MAC address information");
return -1;
}
wpa_msg(wpa_s, MSG_DEBUG, "Using random MAC address " MACSTR,
MAC2STR(addr));
return 1;
}
int wpas_update_random_addr_disassoc(struct wpa_supplicant *wpa_s)
{
if (wpa_s->wpa_state >= WPA_AUTHENTICATING ||
!wpa_s->conf->preassoc_mac_addr)
return 0;
return wpas_update_random_addr(wpa_s, wpa_s->conf->preassoc_mac_addr,
NULL);
}
void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid,
bool force)
{
#ifdef CONFIG_SAE
int *groups = conf->sae_groups;
int default_groups[] = { 19, 20, 21, 0 };
const char *password;
if (!groups || groups[0] <= 0)
groups = default_groups;
password = ssid->sae_password;
if (!password)
password = ssid->passphrase;
if (!password ||
!wpa_key_mgmt_sae(ssid->key_mgmt) ||
(conf->sae_pwe == SAE_PWE_HUNT_AND_PECK && !ssid->sae_password_id &&
!wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) &&
!force &&
!sae_pk_valid_password(password)) ||
conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) {
/* PT derivation not needed */
sae_deinit_pt(ssid->pt);
ssid->pt = NULL;
return;
}
if (ssid->pt)
return; /* PT already derived */
ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
(const u8 *) password, os_strlen(password),
ssid->sae_password_id);
#endif /* CONFIG_SAE */
}
void wpa_s_clear_sae_rejected(struct wpa_supplicant *wpa_s)
{
#if defined(CONFIG_SAE) && defined(CONFIG_SME)
os_free(wpa_s->sme.sae_rejected_groups);
wpa_s->sme.sae_rejected_groups = NULL;
#ifdef CONFIG_TESTING_OPTIONS
if (wpa_s->extra_sae_rejected_groups) {
int i, *groups = wpa_s->extra_sae_rejected_groups;
for (i = 0; groups[i]; i++) {
wpa_printf(MSG_DEBUG,
"TESTING: Indicate rejection of an extra SAE group %d",
groups[i]);
int_array_add_unique(&wpa_s->sme.sae_rejected_groups,
groups[i]);
}
}
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_SAE && CONFIG_SME */
}
int wpas_restore_permanent_mac_addr(struct wpa_supplicant *wpa_s)
{
if (wpa_drv_set_mac_addr(wpa_s, NULL) < 0) {
wpa_msg(wpa_s, MSG_INFO,
"Could not restore permanent MAC address");
return -1;
}
wpa_s->mac_addr_changed = 0;
if (wpa_supplicant_update_mac_addr(wpa_s) < 0) {
wpa_msg(wpa_s, MSG_INFO,
"Could not update MAC address information");
return -1;
}
wpa_msg(wpa_s, MSG_DEBUG, "Using permanent MAC address");
return 0;
}
static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit);
/**
* wpa_supplicant_associate - Request association
* @wpa_s: Pointer to wpa_supplicant data
* @bss: Scan results for the selected BSS, or %NULL if not available
* @ssid: Configuration data for the selected network
*
* This function is used to request %wpa_supplicant to associate with a BSS.
*/
void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
struct wpa_bss *bss, struct wpa_ssid *ssid)
{
bool clear_rejected = true;
struct wpa_connect_work *cwork;
enum wpas_mac_addr_style rand_style;
wpa_s->own_disconnect_req = 0;
wpa_s->own_reconnect_req = 0;
/*
* If we are starting a new connection, any previously pending EAPOL
* RX cannot be valid anymore.
*/
wpabuf_free(wpa_s->pending_eapol_rx);
wpa_s->pending_eapol_rx = NULL;
if (ssid->mac_addr == WPAS_MAC_ADDR_STYLE_NOT_SET)
rand_style = wpa_s->conf->mac_addr;
else
rand_style = ssid->mac_addr;
wpa_s->eapol_failed = 0;
wpa_s->multi_ap_ie = 0;
#ifndef CONFIG_NO_WMM_AC
wmm_ac_clear_saved_tspecs(wpa_s);
#endif /* CONFIG_NO_WMM_AC */
#ifdef CONFIG_WNM
wpa_s->wnm_mode = 0;
wpa_s->wnm_target_bss = NULL;
#endif /* CONFIG_WNM */
wpa_s->reassoc_same_bss = 0;
wpa_s->reassoc_same_ess = 0;
#ifdef CONFIG_TESTING_OPTIONS
wpa_s->testing_resend_assoc = 0;
#endif /* CONFIG_TESTING_OPTIONS */
if (wpa_s->last_ssid == ssid) {
wpa_dbg(wpa_s, MSG_DEBUG, "Re-association to the same ESS");
wpa_s->reassoc_same_ess = 1;
if (wpa_s->current_bss && wpa_s->current_bss == bss) {
#ifndef CONFIG_NO_WMM_AC
wmm_ac_save_tspecs(wpa_s);
#endif /* CONFIG_NO_WMM_AC */
wpa_s->reassoc_same_bss = 1;
clear_rejected = false;
} else if (wpa_s->current_bss && wpa_s->current_bss != bss) {
os_get_reltime(&wpa_s->roam_start);
}
}
if (clear_rejected)
wpa_s_clear_sae_rejected(wpa_s);
#ifdef CONFIG_SAE
wpa_s_setup_sae_pt(wpa_s->conf, ssid, false);
#endif /* CONFIG_SAE */
if (rand_style > WPAS_MAC_ADDR_STYLE_PERMANENT) {
int status = wpas_update_random_addr(wpa_s, rand_style, ssid);
if (status < 0)
return;
if (rand_style != WPAS_MAC_ADDR_STYLE_DEDICATED_PER_ESS &&
status > 0) /* MAC changed */
wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid);
} else if (rand_style == WPAS_MAC_ADDR_STYLE_PERMANENT &&
wpa_s->mac_addr_changed) {
if (wpas_restore_permanent_mac_addr(wpa_s) < 0)
return;
}
wpa_s->last_ssid = ssid;
#ifdef CONFIG_IBSS_RSN
ibss_rsn_deinit(wpa_s->ibss_rsn);
wpa_s->ibss_rsn = NULL;
#else /* CONFIG_IBSS_RSN */
if (ssid->mode == WPAS_MODE_IBSS &&
!(ssid->key_mgmt & (WPA_KEY_MGMT_NONE | WPA_KEY_MGMT_WPA_NONE))) {
wpa_msg(wpa_s, MSG_INFO,
"IBSS RSN not supported in the build");
return;
}
#endif /* CONFIG_IBSS_RSN */
if (ssid->mode == WPAS_MODE_AP || ssid->mode == WPAS_MODE_P2P_GO ||
ssid->mode == WPAS_MODE_P2P_GROUP_FORMATION) {
#ifdef CONFIG_AP
if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_AP)) {
wpa_msg(wpa_s, MSG_INFO, "Driver does not support AP "
"mode");
return;
}
if (wpa_supplicant_create_ap(wpa_s, ssid) < 0) {
wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
if (ssid->mode == WPAS_MODE_P2P_GROUP_FORMATION)
wpas_p2p_ap_setup_failed(wpa_s);
return;
}
wpa_s->current_bss = bss;
#else /* CONFIG_AP */
wpa_msg(wpa_s, MSG_ERROR, "AP mode support not included in "
"the build");
#endif /* CONFIG_AP */
return;
}
if (ssid->mode == WPAS_MODE_MESH) {
#ifdef CONFIG_MESH
if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_MESH)) {
wpa_msg(wpa_s, MSG_INFO,
"Driver does not support mesh mode");
return;
}
if (bss)
ssid->frequency = bss->freq;
if (wpa_supplicant_join_mesh(wpa_s, ssid) < 0) {
wpa_supplicant_set_state(wpa_s, WPA_INACTIVE);
wpa_msg(wpa_s, MSG_ERROR, "Could not join mesh");
return;
}
wpa_s->current_bss = bss;
#else /* CONFIG_MESH */
wpa_msg(wpa_s, MSG_ERROR,
"mesh mode support not included in the build");
#endif /* CONFIG_MESH */
return;
}
/*
* Set WPA state machine configuration to match the selected network now
* so that the information is available before wpas_start_assoc_cb()
* gets called. This is needed at least for RSN pre-authentication where
* candidate APs are added to a list based on scan result processing
* before completion of the first association.
*/
wpa_supplicant_rsn_supp_set_config(wpa_s, ssid);
#ifdef CONFIG_DPP
if (wpas_dpp_check_connect(wpa_s, ssid, bss) != 0)
return;
#endif /* CONFIG_DPP */
#ifdef CONFIG_TDLS
if (bss)
wpa_tdls_ap_ies(wpa_s->wpa, wpa_bss_ie_ptr(bss), bss->ie_len);
#endif /* CONFIG_TDLS */
#ifdef CONFIG_MBO
wpas_mbo_check_pmf(wpa_s, bss, ssid);
#endif /* CONFIG_MBO */
if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
ssid->mode == WPAS_MODE_INFRA) {
sme_authenticate(wpa_s, bss, ssid);
return;
}
if (wpa_s->connect_work) {
wpa_dbg(wpa_s, MSG_DEBUG, "Reject wpa_supplicant_associate() call since connect_work exist");
return;
}
if (radio_work_pending(wpa_s, "connect")) {
wpa_dbg(wpa_s, MSG_DEBUG, "Reject wpa_supplicant_associate() call since pending work exist");
return;
}
#ifdef CONFIG_SME
if (ssid->mode == WPAS_MODE_IBSS || ssid->mode == WPAS_MODE_MESH) {
/* Clear possibly set auth_alg, if any, from last attempt. */
wpa_s->sme.auth_alg = WPA_AUTH_ALG_OPEN;
}
#endif /* CONFIG_SME */
wpas_abort_ongoing_scan(wpa_s);
cwork = os_zalloc(sizeof(*cwork));
if (cwork == NULL)
return;
cwork->bss = bss;
cwork->ssid = ssid;
if (radio_add_work(wpa_s, bss ? bss->freq : 0, "connect", 1,
wpas_start_assoc_cb, cwork) < 0) {
os_free(cwork);
}
}
static int bss_is_ibss(struct wpa_bss *bss)
{
return (bss->caps & (IEEE80211_CAP_ESS | IEEE80211_CAP_IBSS)) ==
IEEE80211_CAP_IBSS;
}
static int drv_supports_vht(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid)
{
enum hostapd_hw_mode hw_mode;
struct hostapd_hw_modes *mode = NULL;
u8 channel;
int i;
hw_mode = ieee80211_freq_to_chan(ssid->frequency, &channel);
if (hw_mode == NUM_HOSTAPD_MODES)
return 0;
for (i = 0; wpa_s->hw.modes && i < wpa_s->hw.num_modes; i++) {
if (wpa_s->hw.modes[i].mode == hw_mode) {
mode = &wpa_s->hw.modes[i];
break;
}
}
if (!mode)
return 0;
return mode->vht_capab != 0;
}
static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode)
{
int i;
for (i = channel; i < channel + 16; i += 4) {
struct hostapd_channel_data *chan;
chan = hw_get_channel_chan(mode, i, NULL);
if (!chan ||
chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
return false;
}
return true;
}
static struct wpa_bss * ibss_find_existing_bss(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid)
{
unsigned int j;
for (j = 0; j < wpa_s->last_scan_res_used; j++) {
struct wpa_bss *bss = wpa_s->last_scan_res[j];
if (!bss_is_ibss(bss))
continue;
if (ssid->ssid_len == bss->ssid_len &&
os_memcmp(ssid->ssid, bss->ssid, bss->ssid_len) == 0)
return bss;
}
return NULL;
}
static bool ibss_mesh_can_use_ht(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid,
struct hostapd_hw_modes *mode)
{
/* For IBSS check HT_IBSS flag */
if (ssid->mode == WPAS_MODE_IBSS &&
!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_HT_IBSS))
return false;
if (wpa_s->group_cipher == WPA_CIPHER_WEP40 ||
wpa_s->group_cipher == WPA_CIPHER_WEP104 ||
wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) {
wpa_printf(MSG_DEBUG,
"IBSS: WEP/TKIP detected, do not try to enable HT");
return false;
}
if (!ht_supported(mode))
return false;
#ifdef CONFIG_HT_OVERRIDES
if (ssid->disable_ht)
return false;
#endif /* CONFIG_HT_OVERRIDES */
return true;
}
static bool ibss_mesh_can_use_vht(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid,
struct hostapd_hw_modes *mode)
{
if (mode->mode != HOSTAPD_MODE_IEEE80211A)
return false;
if (!drv_supports_vht(wpa_s, ssid))
return false;
/* For IBSS check VHT_IBSS flag */
if (ssid->mode == WPAS_MODE_IBSS &&
!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_VHT_IBSS))
return false;
if (!vht_supported(mode))
return false;
#ifdef CONFIG_VHT_OVERRIDES
if (ssid->disable_vht)
return false;
#endif /* CONFIG_VHT_OVERRIDES */
return true;
}
static bool ibss_mesh_can_use_he(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid,
const struct hostapd_hw_modes *mode,
int ieee80211_mode)
{
#ifdef CONFIG_HE_OVERRIDES
if (ssid->disable_he)
return false;
#endif /* CONFIG_HE_OVERRIDES */
switch (mode->mode) {
case HOSTAPD_MODE_IEEE80211G:
case HOSTAPD_MODE_IEEE80211B:
case HOSTAPD_MODE_IEEE80211A:
return mode->he_capab[ieee80211_mode].he_supported;
default:
return false;
}
}
static bool ibss_mesh_can_use_eht(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid,
const struct hostapd_hw_modes *mode,
int ieee80211_mode)
{
if (ssid->disable_eht)
return false;
switch(mode->mode) {
case HOSTAPD_MODE_IEEE80211G:
case HOSTAPD_MODE_IEEE80211B:
case HOSTAPD_MODE_IEEE80211A:
return mode->eht_capab[ieee80211_mode].eht_supported;
default:
return false;
}
}
static void ibss_mesh_select_40mhz(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid,
struct hostapd_hw_modes *mode,
struct hostapd_freq_params *freq,
int obss_scan) {
int chan_idx;
struct hostapd_channel_data *pri_chan = NULL, *sec_chan = NULL;
int i, res;
unsigned int j;
static const int ht40plus[] = {
36, 44, 52, 60, 100, 108, 116, 124, 132, 140,
149, 157, 165, 173, 184, 192
};
int ht40 = -1;
if (!freq->ht_enabled)
return;
for (chan_idx = 0; chan_idx < mode->num_channels; chan_idx++) {
pri_chan = &mode->channels[chan_idx];
if (pri_chan->chan == freq->channel)
break;
pri_chan = NULL;
}
if (!pri_chan)
return;
/* Check primary channel flags */
if (pri_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
return;
#ifdef CONFIG_HT_OVERRIDES
if (ssid->disable_ht40)
return;
#endif
/* Check/setup HT40+/HT40- */
for (j = 0; j < ARRAY_SIZE(ht40plus); j++) {
if (ht40plus[j] == freq->channel) {
ht40 = 1;
break;
}
}
/* Find secondary channel */
for (i = 0; i < mode->num_channels; i++) {
sec_chan = &mode->channels[i];
if (sec_chan->chan == freq->channel + ht40 * 4)
break;
sec_chan = NULL;
}
if (!sec_chan)
return;
/* Check secondary channel flags */
if (sec_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
return;
if (ht40 == -1) {
if (!(pri_chan->flag & HOSTAPD_CHAN_HT40MINUS))