1  /*
2   * BSS table
3   * Copyright (c) 2009-2019, Jouni Malinen <j@w1.fi>
4   *
5   * This software may be distributed under the terms of the BSD license.
6   * See README for more details.
7   */
8  
9  #include "utils/includes.h"
10  
11  #include "utils/common.h"
12  #include "utils/eloop.h"
13  #include "common/ieee802_11_defs.h"
14  #include "drivers/driver.h"
15  #include "eap_peer/eap.h"
16  #include "rsn_supp/wpa.h"
17  #include "wpa_supplicant_i.h"
18  #include "config.h"
19  #include "notify.h"
20  #include "scan.h"
21  #include "bssid_ignore.h"
22  #include "bss.h"
23  
wpa_bss_set_hessid(struct wpa_bss * bss)24  static void wpa_bss_set_hessid(struct wpa_bss *bss)
25  {
26  #ifdef CONFIG_INTERWORKING
27  	const u8 *ie = wpa_bss_get_ie(bss, WLAN_EID_INTERWORKING);
28  	if (ie == NULL || (ie[1] != 7 && ie[1] != 9)) {
29  		os_memset(bss->hessid, 0, ETH_ALEN);
30  		return;
31  	}
32  	if (ie[1] == 7)
33  		os_memcpy(bss->hessid, ie + 3, ETH_ALEN);
34  	else
35  		os_memcpy(bss->hessid, ie + 5, ETH_ALEN);
36  #endif /* CONFIG_INTERWORKING */
37  }
38  
39  
40  /**
41   * wpa_bss_anqp_alloc - Allocate ANQP data structure for a BSS entry
42   * Returns: Allocated ANQP data structure or %NULL on failure
43   *
44   * The allocated ANQP data structure has its users count set to 1. It may be
45   * shared by multiple BSS entries and each shared entry is freed with
46   * wpa_bss_anqp_free().
47   */
wpa_bss_anqp_alloc(void)48  struct wpa_bss_anqp * wpa_bss_anqp_alloc(void)
49  {
50  	struct wpa_bss_anqp *anqp;
51  	anqp = os_zalloc(sizeof(*anqp));
52  	if (anqp == NULL)
53  		return NULL;
54  #ifdef CONFIG_INTERWORKING
55  	dl_list_init(&anqp->anqp_elems);
56  #endif /* CONFIG_INTERWORKING */
57  	anqp->users = 1;
58  	return anqp;
59  }
60  
61  
62  /**
63   * wpa_bss_anqp_clone - Clone an ANQP data structure
64   * @anqp: ANQP data structure from wpa_bss_anqp_alloc()
65   * Returns: Cloned ANQP data structure or %NULL on failure
66   */
wpa_bss_anqp_clone(struct wpa_bss_anqp * anqp)67  static struct wpa_bss_anqp * wpa_bss_anqp_clone(struct wpa_bss_anqp *anqp)
68  {
69  	struct wpa_bss_anqp *n;
70  
71  	n = os_zalloc(sizeof(*n));
72  	if (n == NULL)
73  		return NULL;
74  
75  #define ANQP_DUP(f) if (anqp->f) n->f = wpabuf_dup(anqp->f)
76  #ifdef CONFIG_INTERWORKING
77  	dl_list_init(&n->anqp_elems);
78  	ANQP_DUP(capability_list);
79  	ANQP_DUP(venue_name);
80  	ANQP_DUP(network_auth_type);
81  	ANQP_DUP(roaming_consortium);
82  	ANQP_DUP(ip_addr_type_availability);
83  	ANQP_DUP(nai_realm);
84  	ANQP_DUP(anqp_3gpp);
85  	ANQP_DUP(domain_name);
86  	ANQP_DUP(fils_realm_info);
87  #endif /* CONFIG_INTERWORKING */
88  #ifdef CONFIG_HS20
89  	ANQP_DUP(hs20_capability_list);
90  	ANQP_DUP(hs20_operator_friendly_name);
91  	ANQP_DUP(hs20_wan_metrics);
92  	ANQP_DUP(hs20_connection_capability);
93  	ANQP_DUP(hs20_operating_class);
94  #endif /* CONFIG_HS20 */
95  #undef ANQP_DUP
96  
97  	return n;
98  }
99  
100  
101  /**
102   * wpa_bss_anqp_unshare_alloc - Unshare ANQP data (if shared) in a BSS entry
103   * @bss: BSS entry
104   * Returns: 0 on success, -1 on failure
105   *
106   * This function ensures the specific BSS entry has an ANQP data structure that
107   * is not shared with any other BSS entry.
108   */
wpa_bss_anqp_unshare_alloc(struct wpa_bss * bss)109  int wpa_bss_anqp_unshare_alloc(struct wpa_bss *bss)
110  {
111  	struct wpa_bss_anqp *anqp;
112  
113  	if (bss->anqp && bss->anqp->users > 1) {
114  		/* allocated, but shared - clone an unshared copy */
115  		anqp = wpa_bss_anqp_clone(bss->anqp);
116  		if (anqp == NULL)
117  			return -1;
118  		anqp->users = 1;
119  		bss->anqp->users--;
120  		bss->anqp = anqp;
121  		return 0;
122  	}
123  
124  	if (bss->anqp)
125  		return 0; /* already allocated and not shared */
126  
127  	/* not allocated - allocate a new storage area */
128  	bss->anqp = wpa_bss_anqp_alloc();
129  	return bss->anqp ? 0 : -1;
130  }
131  
132  
133  /**
134   * wpa_bss_anqp_free - Free an ANQP data structure
135   * @anqp: ANQP data structure from wpa_bss_anqp_alloc() or wpa_bss_anqp_clone()
136   */
wpa_bss_anqp_free(struct wpa_bss_anqp * anqp)137  static void wpa_bss_anqp_free(struct wpa_bss_anqp *anqp)
138  {
139  #ifdef CONFIG_INTERWORKING
140  	struct wpa_bss_anqp_elem *elem;
141  #endif /* CONFIG_INTERWORKING */
142  
143  	if (anqp == NULL)
144  		return;
145  
146  	anqp->users--;
147  	if (anqp->users > 0) {
148  		/* Another BSS entry holds a pointer to this ANQP info */
149  		return;
150  	}
151  
152  #ifdef CONFIG_INTERWORKING
153  	wpabuf_free(anqp->capability_list);
154  	wpabuf_free(anqp->venue_name);
155  	wpabuf_free(anqp->network_auth_type);
156  	wpabuf_free(anqp->roaming_consortium);
157  	wpabuf_free(anqp->ip_addr_type_availability);
158  	wpabuf_free(anqp->nai_realm);
159  	wpabuf_free(anqp->anqp_3gpp);
160  	wpabuf_free(anqp->domain_name);
161  	wpabuf_free(anqp->fils_realm_info);
162  
163  	while ((elem = dl_list_first(&anqp->anqp_elems,
164  				     struct wpa_bss_anqp_elem, list))) {
165  		dl_list_del(&elem->list);
166  		wpabuf_free(elem->payload);
167  		os_free(elem);
168  	}
169  #endif /* CONFIG_INTERWORKING */
170  #ifdef CONFIG_HS20
171  	wpabuf_free(anqp->hs20_capability_list);
172  	wpabuf_free(anqp->hs20_operator_friendly_name);
173  	wpabuf_free(anqp->hs20_wan_metrics);
174  	wpabuf_free(anqp->hs20_connection_capability);
175  	wpabuf_free(anqp->hs20_operating_class);
176  #endif /* CONFIG_HS20 */
177  
178  	os_free(anqp);
179  }
180  
181  
182  static struct wpa_connect_work *
wpa_bss_check_pending_connect(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)183  wpa_bss_check_pending_connect(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
184  {
185  	struct wpa_radio_work *work;
186  	struct wpa_connect_work *cwork;
187  
188  	work = radio_work_pending(wpa_s, "sme-connect");
189  	if (!work)
190  		work = radio_work_pending(wpa_s, "connect");
191  	if (!work)
192  		return NULL;
193  
194  	cwork = work->ctx;
195  	if (cwork->bss != bss)
196  		return NULL;
197  
198  	return cwork;
199  }
200  
201  
wpa_bss_update_pending_connect(struct wpa_connect_work * cwork,struct wpa_bss * new_bss)202  static void wpa_bss_update_pending_connect(struct wpa_connect_work *cwork,
203  					   struct wpa_bss *new_bss)
204  {
205  	wpa_printf(MSG_DEBUG,
206  		   "Update BSS pointer for the pending connect radio work");
207  	cwork->bss = new_bss;
208  	if (!new_bss)
209  		cwork->bss_removed = 1;
210  }
211  
212  
wpa_bss_remove(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,const char * reason)213  void wpa_bss_remove(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
214  		    const char *reason)
215  {
216  	struct wpa_connect_work *cwork;
217  	unsigned int j;
218  
219  	if (wpa_s->last_scan_res) {
220  		unsigned int i;
221  		for (i = 0; i < wpa_s->last_scan_res_used; i++) {
222  			if (wpa_s->last_scan_res[i] == bss) {
223  				os_memmove(&wpa_s->last_scan_res[i],
224  					   &wpa_s->last_scan_res[i + 1],
225  					   (wpa_s->last_scan_res_used - i - 1)
226  					   * sizeof(struct wpa_bss *));
227  				wpa_s->last_scan_res_used--;
228  				break;
229  			}
230  		}
231  	}
232  	cwork = wpa_bss_check_pending_connect(wpa_s, bss);
233  	if (cwork)
234  		wpa_bss_update_pending_connect(cwork, NULL);
235  	dl_list_del(&bss->list);
236  	dl_list_del(&bss->list_id);
237  	wpa_s->num_bss--;
238  	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Remove id %u BSSID " MACSTR
239  		" SSID '%s' due to %s", bss->id, MAC2STR(bss->bssid),
240  		wpa_ssid_txt(bss->ssid, bss->ssid_len), reason);
241  	wpas_notify_bss_removed(wpa_s, bss->bssid, bss->id);
242  	wpa_bss_anqp_free(bss->anqp);
243  
244  	if (wpa_s->current_bss == bss) {
245  		wpa_printf(MSG_DEBUG,
246  			   "BSS: Clear current_bss due to bss removal");
247  		wpa_s->current_bss = NULL;
248  	}
249  
250  #ifdef CONFIG_INTERWORKING
251  	if (wpa_s->interworking_gas_bss == bss) {
252  		wpa_printf(MSG_DEBUG,
253  			   "BSS: Clear interworking_gas_bss due to bss removal");
254  		wpa_s->interworking_gas_bss = NULL;
255  	}
256  #endif /* CONFIG_INTERWORKING */
257  
258  #ifdef CONFIG_WNM
259  	if (wpa_s->wnm_target_bss == bss) {
260  		wpa_printf(MSG_DEBUG,
261  			   "BSS: Clear wnm_target_bss due to bss removal");
262  		wpa_s->wnm_target_bss = NULL;
263  	}
264  #endif /* CONFIG_WNM */
265  
266  	if (wpa_s->ml_connect_probe_bss == bss) {
267  		wpa_printf(MSG_DEBUG,
268  			   "BSS: Clear ml_connect_probe_bss due to bss removal");
269  		wpa_s->ml_connect_probe_bss = NULL;
270  	}
271  
272  	for (j = 0; j < MAX_NUM_MLD_LINKS; j++) {
273  		if (wpa_s->links[j].bss == bss) {
274  			wpa_printf(MSG_DEBUG,
275  				   "BSS: Clear links[%d].bss due to bss removal",
276  				   j);
277  			wpa_s->valid_links &= ~BIT(j);
278  			wpa_s->links[j].bss = NULL;
279  		}
280  	}
281  
282  	os_free(bss);
283  }
284  
285  
286  /**
287   * wpa_bss_get - Fetch a BSS table entry based on BSSID and SSID
288   * @wpa_s: Pointer to wpa_supplicant data
289   * @bssid: BSSID, or %NULL to match any BSSID
290   * @ssid: SSID
291   * @ssid_len: Length of @ssid
292   * Returns: Pointer to the BSS entry or %NULL if not found
293   */
wpa_bss_get(struct wpa_supplicant * wpa_s,const u8 * bssid,const u8 * ssid,size_t ssid_len)294  struct wpa_bss * wpa_bss_get(struct wpa_supplicant *wpa_s, const u8 *bssid,
295  			     const u8 *ssid, size_t ssid_len)
296  {
297  	struct wpa_bss *bss;
298  
299  	if (bssid && !wpa_supplicant_filter_bssid_match(wpa_s, bssid))
300  		return NULL;
301  	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
302  		if ((!bssid || ether_addr_equal(bss->bssid, bssid)) &&
303  		    bss->ssid_len == ssid_len &&
304  		    os_memcmp(bss->ssid, ssid, ssid_len) == 0)
305  			return bss;
306  	}
307  	return NULL;
308  }
309  
310  /**
311   * wpa_bss_get_connection - Fetch a BSS table entry based on BSSID and SSID.
312   * @wpa_s: Pointer to wpa_supplicant data
313   * @bssid: BSSID, or %NULL to match any BSSID
314   * @ssid: SSID
315   * @ssid_len: Length of @ssid
316   * Returns: Pointer to the BSS entry or %NULL if not found
317   *
318   * This function is similar to wpa_bss_get() but it will also return OWE
319   * transition mode encrypted networks for which transition-element matches
320   * @ssid.
321   */
wpa_bss_get_connection(struct wpa_supplicant * wpa_s,const u8 * bssid,const u8 * ssid,size_t ssid_len)322  struct wpa_bss * wpa_bss_get_connection(struct wpa_supplicant *wpa_s,
323  					const u8 *bssid,
324  					const u8 *ssid, size_t ssid_len)
325  {
326  	struct wpa_bss *bss;
327  #ifdef CONFIG_OWE
328  	const u8 *owe, *owe_bssid, *owe_ssid;
329  	size_t owe_ssid_len;
330  #endif /* CONFIG_OWE */
331  
332  	if (bssid && !wpa_supplicant_filter_bssid_match(wpa_s, bssid))
333  		return NULL;
334  	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
335  		if (bssid && !ether_addr_equal(bss->bssid, bssid))
336  			continue;
337  
338  		if (bss->ssid_len == ssid_len &&
339  		    os_memcmp(bss->ssid, ssid, ssid_len) == 0)
340  			return bss;
341  
342  #ifdef CONFIG_OWE
343  		/* Check if OWE transition mode element is present and matches
344  		 * the SSID */
345  		owe = wpa_bss_get_vendor_ie(bss, OWE_IE_VENDOR_TYPE);
346  		if (!owe)
347  			continue;
348  
349  		if (wpas_get_owe_trans_network(owe, &owe_bssid, &owe_ssid,
350  					       &owe_ssid_len))
351  			continue;
352  
353  		if (bss->ssid_len &&
354  		    owe_ssid_len == ssid_len &&
355  		    os_memcmp(owe_ssid, ssid, ssid_len) == 0)
356  			return bss;
357  #endif /* CONFIG_OWE */
358  	}
359  	return NULL;
360  }
361  
362  
calculate_update_time(const struct os_reltime * fetch_time,unsigned int age_ms,struct os_reltime * update_time)363  void calculate_update_time(const struct os_reltime *fetch_time,
364  			   unsigned int age_ms,
365  			   struct os_reltime *update_time)
366  {
367  	os_time_t usec;
368  
369  	update_time->sec = fetch_time->sec;
370  	update_time->usec = fetch_time->usec;
371  	update_time->sec -= age_ms / 1000;
372  	usec = (age_ms % 1000) * 1000;
373  	if (update_time->usec < usec) {
374  		update_time->sec--;
375  		update_time->usec += 1000000;
376  	}
377  	update_time->usec -= usec;
378  }
379  
380  
wpa_bss_copy_res(struct wpa_bss * dst,struct wpa_scan_res * src,struct os_reltime * fetch_time)381  static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
382  			     struct os_reltime *fetch_time)
383  {
384  	dst->flags = src->flags;
385  	os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
386  	dst->freq = src->freq;
387  	dst->max_cw = src->max_cw;
388  	dst->beacon_int = src->beacon_int;
389  	dst->caps = src->caps;
390  	dst->qual = src->qual;
391  	dst->noise = src->noise;
392  	dst->level = src->level;
393  	dst->tsf = src->tsf;
394  	dst->beacon_newer = src->beacon_newer;
395  	dst->est_throughput = src->est_throughput;
396  	dst->snr = src->snr;
397  
398  	calculate_update_time(fetch_time, src->age, &dst->last_update);
399  }
400  
401  
wpa_bss_is_wps_candidate(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)402  static int wpa_bss_is_wps_candidate(struct wpa_supplicant *wpa_s,
403  				    struct wpa_bss *bss)
404  {
405  #ifdef CONFIG_WPS
406  	struct wpa_ssid *ssid;
407  	struct wpabuf *wps_ie;
408  	int pbc = 0, ret;
409  
410  	wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
411  	if (!wps_ie)
412  		return 0;
413  
414  	if (wps_is_selected_pbc_registrar(wps_ie)) {
415  		pbc = 1;
416  	} else if (!wps_is_addr_authorized(wps_ie, wpa_s->own_addr, 1)) {
417  		wpabuf_free(wps_ie);
418  		return 0;
419  	}
420  
421  	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
422  		if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
423  			continue;
424  		if (ssid->ssid_len &&
425  		    (ssid->ssid_len != bss->ssid_len ||
426  		     os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) != 0))
427  			continue;
428  
429  		if (pbc)
430  			ret = eap_is_wps_pbc_enrollee(&ssid->eap);
431  		else
432  			ret = eap_is_wps_pin_enrollee(&ssid->eap);
433  		wpabuf_free(wps_ie);
434  		return ret;
435  	}
436  	wpabuf_free(wps_ie);
437  #endif /* CONFIG_WPS */
438  
439  	return 0;
440  }
441  
442  
is_p2p_pending_bss(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)443  static bool is_p2p_pending_bss(struct wpa_supplicant *wpa_s,
444  			       struct wpa_bss *bss)
445  {
446  #ifdef CONFIG_P2P
447  	u8 addr[ETH_ALEN];
448  
449  	if (ether_addr_equal(bss->bssid, wpa_s->pending_join_iface_addr))
450  		return true;
451  	if (!is_zero_ether_addr(wpa_s->pending_join_dev_addr) &&
452  	    p2p_parse_dev_addr(wpa_bss_ie_ptr(bss), bss->ie_len, addr) == 0 &&
453  	    ether_addr_equal(addr, wpa_s->pending_join_dev_addr))
454  		return true;
455  #endif /* CONFIG_P2P */
456  	return false;
457  }
458  
459  
460  #ifdef CONFIG_OWE
wpa_bss_owe_trans_known(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,const u8 * entry_ssid,size_t entry_ssid_len)461  static int wpa_bss_owe_trans_known(struct wpa_supplicant *wpa_s,
462  				   struct wpa_bss *bss,
463  				   const u8 *entry_ssid, size_t entry_ssid_len)
464  {
465  	const u8 *owe, *owe_bssid, *owe_ssid;
466  	size_t owe_ssid_len;
467  
468  	owe = wpa_bss_get_vendor_ie(bss, OWE_IE_VENDOR_TYPE);
469  	if (!owe)
470  		return 0;
471  
472  	if (wpas_get_owe_trans_network(owe, &owe_bssid, &owe_ssid,
473  				       &owe_ssid_len))
474  		return 0;
475  
476  	return entry_ssid_len == owe_ssid_len &&
477  		os_memcmp(owe_ssid, entry_ssid, owe_ssid_len) == 0;
478  }
479  #endif /* CONFIG_OWE */
480  
481  
wpa_bss_known(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)482  static int wpa_bss_known(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
483  {
484  	struct wpa_ssid *ssid;
485  
486  	if (is_p2p_pending_bss(wpa_s, bss))
487  		return 1;
488  
489  	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
490  		if (ssid->ssid == NULL || ssid->ssid_len == 0)
491  			continue;
492  		if (ssid->ssid_len == bss->ssid_len &&
493  		    os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) == 0)
494  			return 1;
495  #ifdef CONFIG_OWE
496  		if (wpa_bss_owe_trans_known(wpa_s, bss, ssid->ssid,
497  					    ssid->ssid_len))
498  			return 1;
499  #endif /* CONFIG_OWE */
500  	}
501  
502  	return 0;
503  }
504  
505  
wpa_bss_in_use(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)506  static int wpa_bss_in_use(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
507  {
508  	int i;
509  
510  	if (bss == wpa_s->current_bss)
511  		return 1;
512  
513  	if (bss == wpa_s->ml_connect_probe_bss)
514  		return 1;
515  
516  #ifdef CONFIG_WNM
517  	if (bss == wpa_s->wnm_target_bss)
518  		return 1;
519  #endif /* CONFIG_WNM */
520  
521  	if (wpa_s->current_bss &&
522  	    (bss->ssid_len != wpa_s->current_bss->ssid_len ||
523  	     os_memcmp(bss->ssid, wpa_s->current_bss->ssid,
524  		       bss->ssid_len) != 0))
525  		return 0; /* SSID has changed */
526  
527  	if (!is_zero_ether_addr(bss->bssid) &&
528  	    (ether_addr_equal(bss->bssid, wpa_s->bssid) ||
529  	     ether_addr_equal(bss->bssid, wpa_s->pending_bssid)))
530  		return 1;
531  
532  	if (!wpa_s->valid_links)
533  		return 0;
534  
535  	for_each_link(wpa_s->valid_links, i) {
536  		if (ether_addr_equal(bss->bssid, wpa_s->links[i].bssid))
537  			return 1;
538  	}
539  
540  	return 0;
541  }
542  
543  
wpa_bss_remove_oldest_unknown(struct wpa_supplicant * wpa_s)544  static int wpa_bss_remove_oldest_unknown(struct wpa_supplicant *wpa_s)
545  {
546  	struct wpa_bss *bss;
547  
548  	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
549  		if (!wpa_bss_known(wpa_s, bss) &&
550  		    !wpa_bss_in_use(wpa_s, bss) &&
551  		    !wpa_bss_is_wps_candidate(wpa_s, bss)) {
552  			wpa_bss_remove(wpa_s, bss, __func__);
553  			return 0;
554  		}
555  	}
556  
557  	return -1;
558  }
559  
560  
wpa_bss_remove_oldest(struct wpa_supplicant * wpa_s)561  static int wpa_bss_remove_oldest(struct wpa_supplicant *wpa_s)
562  {
563  	struct wpa_bss *bss;
564  
565  	/*
566  	 * Remove the oldest entry that does not match with any configured
567  	 * network.
568  	 */
569  	if (wpa_bss_remove_oldest_unknown(wpa_s) == 0)
570  		return 0;
571  
572  	/*
573  	 * Remove the oldest entry that isn't currently in use.
574  	 */
575  	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
576  		if (!wpa_bss_in_use(wpa_s, bss)) {
577  			wpa_bss_remove(wpa_s, bss, __func__);
578  			return 0;
579  		}
580  	}
581  
582  	return -1;
583  }
584  
585  
wpa_bss_add(struct wpa_supplicant * wpa_s,const u8 * ssid,size_t ssid_len,struct wpa_scan_res * res,struct os_reltime * fetch_time)586  static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s,
587  				    const u8 *ssid, size_t ssid_len,
588  				    struct wpa_scan_res *res,
589  				    struct os_reltime *fetch_time)
590  {
591  	struct wpa_bss *bss;
592  	char extra[100];
593  	const u8 *ml_ie;
594  	char *pos, *end;
595  	int ret = 0;
596  	const u8 *mld_addr;
597  
598  	bss = os_zalloc(sizeof(*bss) + res->ie_len + res->beacon_ie_len);
599  	if (bss == NULL)
600  		return NULL;
601  	bss->id = wpa_s->bss_next_id++;
602  	bss->last_update_idx = wpa_s->bss_update_idx;
603  	wpa_bss_copy_res(bss, res, fetch_time);
604  	os_memcpy(bss->ssid, ssid, ssid_len);
605  	bss->ssid_len = ssid_len;
606  	bss->ie_len = res->ie_len;
607  	bss->beacon_ie_len = res->beacon_ie_len;
608  	os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);
609  	wpa_bss_set_hessid(bss);
610  
611  	os_memset(bss->mld_addr, 0, ETH_ALEN);
612  	ml_ie = wpa_scan_get_ml_ie(res, MULTI_LINK_CONTROL_TYPE_BASIC);
613  	if (ml_ie) {
614  		mld_addr = get_basic_mle_mld_addr(&ml_ie[3], ml_ie[1] - 1);
615  		if (mld_addr)
616  			os_memcpy(bss->mld_addr, mld_addr, ETH_ALEN);
617  	}
618  
619  	if (wpa_s->num_bss + 1 > wpa_s->conf->bss_max_count &&
620  	    wpa_bss_remove_oldest(wpa_s) != 0) {
621  		wpa_printf(MSG_ERROR, "Increasing the MAX BSS count to %d "
622  			   "because all BSSes are in use. We should normally "
623  			   "not get here!", (int) wpa_s->num_bss + 1);
624  		wpa_s->conf->bss_max_count = wpa_s->num_bss + 1;
625  	}
626  
627  	dl_list_add_tail(&wpa_s->bss, &bss->list);
628  	dl_list_add_tail(&wpa_s->bss_id, &bss->list_id);
629  	wpa_s->num_bss++;
630  
631  	extra[0] = '\0';
632  	pos = extra;
633  	end = pos + sizeof(extra);
634  	if (!is_zero_ether_addr(bss->hessid))
635  		ret = os_snprintf(pos, end - pos, " HESSID " MACSTR,
636  				  MAC2STR(bss->hessid));
637  
638  	if (!is_zero_ether_addr(bss->mld_addr) &&
639  	    !os_snprintf_error(end - pos, ret)) {
640  		pos += ret;
641  		ret = os_snprintf(pos, end - pos, " MLD ADDR " MACSTR,
642  				  MAC2STR(bss->mld_addr));
643  	}
644  
645  	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Add new id %u BSSID " MACSTR
646  		" SSID '%s' freq %d%s",
647  		bss->id, MAC2STR(bss->bssid), wpa_ssid_txt(ssid, ssid_len),
648  		bss->freq, extra);
649  	wpas_notify_bss_added(wpa_s, bss->bssid, bss->id);
650  	return bss;
651  }
652  
653  
are_ies_equal(const struct wpa_bss * old,const struct wpa_scan_res * new_res,u32 ie)654  static int are_ies_equal(const struct wpa_bss *old,
655  			 const struct wpa_scan_res *new_res, u32 ie)
656  {
657  	const u8 *old_ie, *new_ie;
658  	struct wpabuf *old_ie_buff = NULL;
659  	struct wpabuf *new_ie_buff = NULL;
660  	int new_ie_len, old_ie_len, ret, is_multi;
661  
662  	switch (ie) {
663  	case WPA_IE_VENDOR_TYPE:
664  		old_ie = wpa_bss_get_vendor_ie(old, ie);
665  		new_ie = wpa_scan_get_vendor_ie(new_res, ie);
666  		is_multi = 0;
667  		break;
668  	case WPS_IE_VENDOR_TYPE:
669  		old_ie_buff = wpa_bss_get_vendor_ie_multi(old, ie);
670  		new_ie_buff = wpa_scan_get_vendor_ie_multi(new_res, ie);
671  		is_multi = 1;
672  		break;
673  	case WLAN_EID_RSN:
674  	case WLAN_EID_SUPP_RATES:
675  	case WLAN_EID_EXT_SUPP_RATES:
676  		old_ie = wpa_bss_get_ie(old, ie);
677  		new_ie = wpa_scan_get_ie(new_res, ie);
678  		is_multi = 0;
679  		break;
680  	default:
681  		wpa_printf(MSG_DEBUG, "bss: %s: cannot compare IEs", __func__);
682  		return 0;
683  	}
684  
685  	if (is_multi) {
686  		/* in case of multiple IEs stored in buffer */
687  		old_ie = old_ie_buff ? wpabuf_head_u8(old_ie_buff) : NULL;
688  		new_ie = new_ie_buff ? wpabuf_head_u8(new_ie_buff) : NULL;
689  		old_ie_len = old_ie_buff ? wpabuf_len(old_ie_buff) : 0;
690  		new_ie_len = new_ie_buff ? wpabuf_len(new_ie_buff) : 0;
691  	} else {
692  		/* in case of single IE */
693  		old_ie_len = old_ie ? old_ie[1] + 2 : 0;
694  		new_ie_len = new_ie ? new_ie[1] + 2 : 0;
695  	}
696  
697  	if (!old_ie || !new_ie)
698  		ret = !old_ie && !new_ie;
699  	else
700  		ret = (old_ie_len == new_ie_len &&
701  		       os_memcmp(old_ie, new_ie, old_ie_len) == 0);
702  
703  	wpabuf_free(old_ie_buff);
704  	wpabuf_free(new_ie_buff);
705  
706  	return ret;
707  }
708  
709  
wpa_bss_compare_res(const struct wpa_bss * old,const struct wpa_scan_res * new_res)710  static u32 wpa_bss_compare_res(const struct wpa_bss *old,
711  			       const struct wpa_scan_res *new_res)
712  {
713  	u32 changes = 0;
714  	int caps_diff = old->caps ^ new_res->caps;
715  
716  	if (old->freq != new_res->freq)
717  		changes |= WPA_BSS_FREQ_CHANGED_FLAG;
718  
719  	if (old->level != new_res->level)
720  		changes |= WPA_BSS_SIGNAL_CHANGED_FLAG;
721  
722  	if (caps_diff & IEEE80211_CAP_PRIVACY)
723  		changes |= WPA_BSS_PRIVACY_CHANGED_FLAG;
724  
725  	if (caps_diff & IEEE80211_CAP_IBSS)
726  		changes |= WPA_BSS_MODE_CHANGED_FLAG;
727  
728  	if (old->ie_len == new_res->ie_len &&
729  	    os_memcmp(wpa_bss_ie_ptr(old), new_res + 1, old->ie_len) == 0)
730  		return changes;
731  	changes |= WPA_BSS_IES_CHANGED_FLAG;
732  
733  	if (!are_ies_equal(old, new_res, WPA_IE_VENDOR_TYPE))
734  		changes |= WPA_BSS_WPAIE_CHANGED_FLAG;
735  
736  	if (!are_ies_equal(old, new_res, WLAN_EID_RSN))
737  		changes |= WPA_BSS_RSNIE_CHANGED_FLAG;
738  
739  	if (!are_ies_equal(old, new_res, WPS_IE_VENDOR_TYPE))
740  		changes |= WPA_BSS_WPS_CHANGED_FLAG;
741  
742  	if (!are_ies_equal(old, new_res, WLAN_EID_SUPP_RATES) ||
743  	    !are_ies_equal(old, new_res, WLAN_EID_EXT_SUPP_RATES))
744  		changes |= WPA_BSS_RATES_CHANGED_FLAG;
745  
746  	return changes;
747  }
748  
749  
notify_bss_changes(struct wpa_supplicant * wpa_s,u32 changes,const struct wpa_bss * bss)750  void notify_bss_changes(struct wpa_supplicant *wpa_s, u32 changes,
751  			const struct wpa_bss *bss)
752  {
753  	if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
754  		wpas_notify_bss_freq_changed(wpa_s, bss->id);
755  
756  	if (changes & WPA_BSS_SIGNAL_CHANGED_FLAG)
757  		wpas_notify_bss_signal_changed(wpa_s, bss->id);
758  
759  	if (changes & WPA_BSS_PRIVACY_CHANGED_FLAG)
760  		wpas_notify_bss_privacy_changed(wpa_s, bss->id);
761  
762  	if (changes & WPA_BSS_MODE_CHANGED_FLAG)
763  		wpas_notify_bss_mode_changed(wpa_s, bss->id);
764  
765  	if (changes & WPA_BSS_WPAIE_CHANGED_FLAG)
766  		wpas_notify_bss_wpaie_changed(wpa_s, bss->id);
767  
768  	if (changes & WPA_BSS_RSNIE_CHANGED_FLAG)
769  		wpas_notify_bss_rsnie_changed(wpa_s, bss->id);
770  
771  	if (changes & WPA_BSS_WPS_CHANGED_FLAG)
772  		wpas_notify_bss_wps_changed(wpa_s, bss->id);
773  
774  	if (changes & WPA_BSS_IES_CHANGED_FLAG)
775  		wpas_notify_bss_ies_changed(wpa_s, bss->id);
776  
777  	if (changes & WPA_BSS_RATES_CHANGED_FLAG)
778  		wpas_notify_bss_rates_changed(wpa_s, bss->id);
779  
780  	wpas_notify_bss_seen(wpa_s, bss->id);
781  }
782  
783  
784  static struct wpa_bss *
wpa_bss_update(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,struct wpa_scan_res * res,struct os_reltime * fetch_time)785  wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
786  	       struct wpa_scan_res *res, struct os_reltime *fetch_time)
787  {
788  	u32 changes;
789  
790  	if (bss->last_update_idx == wpa_s->bss_update_idx) {
791  		struct os_reltime update_time;
792  
793  		/*
794  		 * Some drivers (e.g., cfg80211) include multiple BSS entries
795  		 * for the same BSS if that BSS's channel changes. The BSS list
796  		 * implementation in wpa_supplicant does not do that and we need
797  		 * to filter out the obsolete results here to make sure only the
798  		 * most current BSS information remains in the table.
799  		 */
800  		wpa_printf(MSG_DEBUG, "BSS: " MACSTR
801  			   " has multiple entries in the scan results - select the most current one",
802  			   MAC2STR(bss->bssid));
803  		calculate_update_time(fetch_time, res->age, &update_time);
804  		wpa_printf(MSG_DEBUG,
805  			   "Previous last_update: %u.%06u (freq %d%s)",
806  			   (unsigned int) bss->last_update.sec,
807  			   (unsigned int) bss->last_update.usec,
808  			   bss->freq,
809  			   (bss->flags & WPA_BSS_ASSOCIATED) ? " assoc" : "");
810  		wpa_printf(MSG_DEBUG, "New last_update: %u.%06u (freq %d%s)",
811  			   (unsigned int) update_time.sec,
812  			   (unsigned int) update_time.usec,
813  			   res->freq,
814  			   (res->flags & WPA_SCAN_ASSOCIATED) ? " assoc" : "");
815  		if ((bss->flags & WPA_BSS_ASSOCIATED) ||
816  		    (!(res->flags & WPA_SCAN_ASSOCIATED) &&
817  		     !os_reltime_before(&bss->last_update, &update_time))) {
818  			wpa_printf(MSG_DEBUG,
819  				   "Ignore this BSS entry since the previous update looks more current");
820  			return bss;
821  		}
822  		wpa_printf(MSG_DEBUG,
823  			   "Accept this BSS entry since it looks more current than the previous update");
824  	}
825  
826  	changes = wpa_bss_compare_res(bss, res);
827  	if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
828  		wpa_printf(MSG_DEBUG, "BSS: " MACSTR " changed freq %d --> %d",
829  			   MAC2STR(bss->bssid), bss->freq, res->freq);
830  	bss->scan_miss_count = 0;
831  	bss->last_update_idx = wpa_s->bss_update_idx;
832  	wpa_bss_copy_res(bss, res, fetch_time);
833  	/* Move the entry to the end of the list */
834  	dl_list_del(&bss->list);
835  #ifdef CONFIG_P2P
836  	if (wpa_bss_get_vendor_ie(bss, P2P_IE_VENDOR_TYPE) &&
837  	    !wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE) &&
838  	    !(changes & WPA_BSS_FREQ_CHANGED_FLAG)) {
839  		/*
840  		 * This can happen when non-P2P station interface runs a scan
841  		 * without P2P IE in the Probe Request frame. P2P GO would reply
842  		 * to that with a Probe Response that does not include P2P IE.
843  		 * Do not update the IEs in this BSS entry to avoid such loss of
844  		 * information that may be needed for P2P operations to
845  		 * determine group information.
846  		 */
847  		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Do not update scan IEs for "
848  			MACSTR " since that would remove P2P IE information",
849  			MAC2STR(bss->bssid));
850  	} else
851  #endif /* CONFIG_P2P */
852  	if (bss->ie_len + bss->beacon_ie_len >=
853  	    res->ie_len + res->beacon_ie_len) {
854  		os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);
855  		bss->ie_len = res->ie_len;
856  		bss->beacon_ie_len = res->beacon_ie_len;
857  	} else {
858  		struct wpa_bss *nbss;
859  		struct dl_list *prev = bss->list_id.prev;
860  		struct wpa_connect_work *cwork;
861  		unsigned int i, j;
862  		bool update_current_bss = wpa_s->current_bss == bss;
863  		bool update_ml_probe_bss = wpa_s->ml_connect_probe_bss == bss;
864  		int update_link_bss = -1;
865  
866  		for (j = 0; j < MAX_NUM_MLD_LINKS; j++) {
867  			if (wpa_s->links[j].bss == bss) {
868  				update_link_bss = j;
869  				break;
870  			}
871  		}
872  
873  		cwork = wpa_bss_check_pending_connect(wpa_s, bss);
874  
875  		for (i = 0; i < wpa_s->last_scan_res_used; i++) {
876  			if (wpa_s->last_scan_res[i] == bss)
877  				break;
878  		}
879  
880  		dl_list_del(&bss->list_id);
881  		nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
882  				  res->beacon_ie_len);
883  		if (nbss) {
884  			if (i != wpa_s->last_scan_res_used)
885  				wpa_s->last_scan_res[i] = nbss;
886  
887  			if (update_current_bss)
888  				wpa_s->current_bss = nbss;
889  
890  			if (update_ml_probe_bss)
891  				wpa_s->ml_connect_probe_bss = nbss;
892  
893  			if (update_link_bss >= 0)
894  				wpa_s->links[update_link_bss].bss = nbss;
895  
896  			if (cwork)
897  				wpa_bss_update_pending_connect(cwork, nbss);
898  
899  			bss = nbss;
900  			os_memcpy(bss->ies, res + 1,
901  				  res->ie_len + res->beacon_ie_len);
902  			bss->ie_len = res->ie_len;
903  			bss->beacon_ie_len = res->beacon_ie_len;
904  		}
905  		dl_list_add(prev, &bss->list_id);
906  	}
907  	if (changes & WPA_BSS_IES_CHANGED_FLAG) {
908  		const u8 *ml_ie, *mld_addr;
909  
910  		wpa_bss_set_hessid(bss);
911  		os_memset(bss->mld_addr, 0, ETH_ALEN);
912  		ml_ie = wpa_scan_get_ml_ie(res, MULTI_LINK_CONTROL_TYPE_BASIC);
913  		if (ml_ie) {
914  			mld_addr = get_basic_mle_mld_addr(&ml_ie[3],
915  							  ml_ie[1] - 1);
916  			if (mld_addr)
917  				os_memcpy(bss->mld_addr, mld_addr, ETH_ALEN);
918  		}
919  	}
920  	dl_list_add_tail(&wpa_s->bss, &bss->list);
921  
922  	notify_bss_changes(wpa_s, changes, bss);
923  
924  	return bss;
925  }
926  
927  
928  /**
929   * wpa_bss_update_start - Start a BSS table update from scan results
930   * @wpa_s: Pointer to wpa_supplicant data
931   *
932   * This function is called at the start of each BSS table update round for new
933   * scan results. The actual scan result entries are indicated with calls to
934   * wpa_bss_update_scan_res() and the update round is finished with a call to
935   * wpa_bss_update_end().
936   */
wpa_bss_update_start(struct wpa_supplicant * wpa_s)937  void wpa_bss_update_start(struct wpa_supplicant *wpa_s)
938  {
939  	wpa_s->bss_update_idx++;
940  	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Start scan result update %u",
941  		wpa_s->bss_update_idx);
942  	wpa_s->last_scan_res_used = 0;
943  }
944  
945  
946  /**
947   * wpa_bss_update_scan_res - Update a BSS table entry based on a scan result
948   * @wpa_s: Pointer to wpa_supplicant data
949   * @res: Scan result
950   * @fetch_time: Time when the result was fetched from the driver
951   *
952   * This function updates a BSS table entry (or adds one) based on a scan result.
953   * This is called separately for each scan result between the calls to
954   * wpa_bss_update_start() and wpa_bss_update_end().
955   */
wpa_bss_update_scan_res(struct wpa_supplicant * wpa_s,struct wpa_scan_res * res,struct os_reltime * fetch_time)956  void wpa_bss_update_scan_res(struct wpa_supplicant *wpa_s,
957  			     struct wpa_scan_res *res,
958  			     struct os_reltime *fetch_time)
959  {
960  	const u8 *ssid, *p2p, *mesh;
961  	struct wpa_bss *bss;
962  
963  	if (wpa_s->conf->ignore_old_scan_res) {
964  		struct os_reltime update;
965  		calculate_update_time(fetch_time, res->age, &update);
966  		if (os_reltime_before(&update, &wpa_s->scan_trigger_time)) {
967  			struct os_reltime age;
968  			os_reltime_sub(&wpa_s->scan_trigger_time, &update,
969  				       &age);
970  			wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Ignore driver BSS "
971  				"table entry that is %u.%06u seconds older "
972  				"than our scan trigger",
973  				(unsigned int) age.sec,
974  				(unsigned int) age.usec);
975  			return;
976  		}
977  	}
978  
979  	ssid = wpa_scan_get_ie(res, WLAN_EID_SSID);
980  	if (ssid == NULL) {
981  		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: No SSID IE included for "
982  			MACSTR, MAC2STR(res->bssid));
983  		return;
984  	}
985  	if (ssid[1] > SSID_MAX_LEN) {
986  		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Too long SSID IE included for "
987  			MACSTR, MAC2STR(res->bssid));
988  		return;
989  	}
990  
991  	p2p = wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE);
992  #ifdef CONFIG_P2P
993  	if (p2p == NULL &&
994  	    wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE) {
995  		/*
996  		 * If it's a P2P specific interface, then don't update
997  		 * the scan result without a P2P IE.
998  		 */
999  		wpa_printf(MSG_DEBUG, "BSS: No P2P IE - skipping BSS " MACSTR
1000  			   " update for P2P interface", MAC2STR(res->bssid));
1001  		return;
1002  	}
1003  #endif /* CONFIG_P2P */
1004  	if (p2p && ssid[1] == P2P_WILDCARD_SSID_LEN &&
1005  	    os_memcmp(ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) == 0)
1006  		return; /* Skip P2P listen discovery results here */
1007  
1008  	/* TODO: add option for ignoring BSSes we are not interested in
1009  	 * (to save memory) */
1010  
1011  	mesh = wpa_scan_get_ie(res, WLAN_EID_MESH_ID);
1012  	if (mesh && mesh[1] <= SSID_MAX_LEN)
1013  		ssid = mesh;
1014  
1015  	bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
1016  	if (bss == NULL)
1017  		bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res, fetch_time);
1018  	else {
1019  		bss = wpa_bss_update(wpa_s, bss, res, fetch_time);
1020  		if (wpa_s->last_scan_res) {
1021  			unsigned int i;
1022  			for (i = 0; i < wpa_s->last_scan_res_used; i++) {
1023  				if (bss == wpa_s->last_scan_res[i]) {
1024  					/* Already in the list */
1025  					return;
1026  				}
1027  			}
1028  		}
1029  	}
1030  
1031  	if (bss == NULL)
1032  		return;
1033  	if (wpa_s->last_scan_res_used >= wpa_s->last_scan_res_size) {
1034  		struct wpa_bss **n;
1035  		unsigned int siz;
1036  		if (wpa_s->last_scan_res_size == 0)
1037  			siz = 32;
1038  		else
1039  			siz = wpa_s->last_scan_res_size * 2;
1040  		n = os_realloc_array(wpa_s->last_scan_res, siz,
1041  				     sizeof(struct wpa_bss *));
1042  		if (n == NULL)
1043  			return;
1044  		wpa_s->last_scan_res = n;
1045  		wpa_s->last_scan_res_size = siz;
1046  	}
1047  
1048  	if (wpa_s->last_scan_res)
1049  		wpa_s->last_scan_res[wpa_s->last_scan_res_used++] = bss;
1050  }
1051  
1052  
wpa_bss_included_in_scan(const struct wpa_bss * bss,const struct scan_info * info)1053  static int wpa_bss_included_in_scan(const struct wpa_bss *bss,
1054  				    const struct scan_info *info)
1055  {
1056  	int found;
1057  	size_t i;
1058  
1059  	if (info == NULL)
1060  		return 1;
1061  
1062  	if (info->num_freqs) {
1063  		found = 0;
1064  		for (i = 0; i < info->num_freqs; i++) {
1065  			if (bss->freq == info->freqs[i]) {
1066  				found = 1;
1067  				break;
1068  			}
1069  		}
1070  		if (!found)
1071  			return 0;
1072  	}
1073  
1074  	if (info->num_ssids) {
1075  		found = 0;
1076  		for (i = 0; i < info->num_ssids; i++) {
1077  			const struct wpa_driver_scan_ssid *s = &info->ssids[i];
1078  			if ((s->ssid == NULL || s->ssid_len == 0) ||
1079  			    (s->ssid_len == bss->ssid_len &&
1080  			     os_memcmp(s->ssid, bss->ssid, bss->ssid_len) ==
1081  			     0)) {
1082  				found = 1;
1083  				break;
1084  			}
1085  		}
1086  		if (!found)
1087  			return 0;
1088  	}
1089  
1090  	return 1;
1091  }
1092  
1093  
1094  /**
1095   * wpa_bss_update_end - End a BSS table update from scan results
1096   * @wpa_s: Pointer to wpa_supplicant data
1097   * @info: Information about scan parameters
1098   * @new_scan: Whether this update round was based on a new scan
1099   *
1100   * This function is called at the end of each BSS table update round for new
1101   * scan results. The start of the update was indicated with a call to
1102   * wpa_bss_update_start().
1103   */
wpa_bss_update_end(struct wpa_supplicant * wpa_s,struct scan_info * info,int new_scan)1104  void wpa_bss_update_end(struct wpa_supplicant *wpa_s, struct scan_info *info,
1105  			int new_scan)
1106  {
1107  	struct wpa_bss *bss, *n;
1108  
1109  	os_get_reltime(&wpa_s->last_scan);
1110  	if ((info && info->aborted) || !new_scan)
1111  		return; /* do not expire entries without new scan */
1112  
1113  	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1114  		if (wpa_bss_in_use(wpa_s, bss))
1115  			continue;
1116  		if (!wpa_bss_included_in_scan(bss, info))
1117  			continue; /* expire only BSSes that were scanned */
1118  		if (bss->last_update_idx < wpa_s->bss_update_idx)
1119  			bss->scan_miss_count++;
1120  		if (bss->scan_miss_count >=
1121  		    wpa_s->conf->bss_expiration_scan_count) {
1122  			wpa_bss_remove(wpa_s, bss, "no match in scan");
1123  		}
1124  	}
1125  
1126  	wpa_printf(MSG_DEBUG, "BSS: last_scan_res_used=%zu/%zu",
1127  		   wpa_s->last_scan_res_used, wpa_s->last_scan_res_size);
1128  }
1129  
1130  
1131  /**
1132   * wpa_bss_flush_by_age - Flush old BSS entries
1133   * @wpa_s: Pointer to wpa_supplicant data
1134   * @age: Maximum entry age in seconds
1135   *
1136   * Remove BSS entries that have not been updated during the last @age seconds.
1137   */
wpa_bss_flush_by_age(struct wpa_supplicant * wpa_s,int age)1138  void wpa_bss_flush_by_age(struct wpa_supplicant *wpa_s, int age)
1139  {
1140  	struct wpa_bss *bss, *n;
1141  	struct os_reltime t;
1142  
1143  	if (dl_list_empty(&wpa_s->bss))
1144  		return;
1145  
1146  	os_get_reltime(&t);
1147  
1148  	if (t.sec < age)
1149  		return; /* avoid underflow; there can be no older entries */
1150  
1151  	t.sec -= age;
1152  
1153  	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1154  		if (wpa_bss_in_use(wpa_s, bss))
1155  			continue;
1156  
1157  		if (wpa_s->reassoc_same_ess &&
1158  		    wpa_s->wpa_state != WPA_COMPLETED &&
1159  		    wpa_s->last_ssid &&
1160  		    wpa_s->last_ssid->ssid &&
1161  		    bss->ssid_len == wpa_s->last_ssid->ssid_len &&
1162  		    os_memcmp(bss->ssid, wpa_s->last_ssid->ssid,
1163  			      bss->ssid_len) == 0)
1164  			continue;
1165  
1166  		if (os_reltime_before(&bss->last_update, &t)) {
1167  			wpa_bss_remove(wpa_s, bss, __func__);
1168  		} else
1169  			break;
1170  	}
1171  }
1172  
1173  
1174  /**
1175   * wpa_bss_init - Initialize BSS table
1176   * @wpa_s: Pointer to wpa_supplicant data
1177   * Returns: 0 on success, -1 on failure
1178   *
1179   * This prepares BSS table lists and timer for periodic updates. The BSS table
1180   * is deinitialized with wpa_bss_deinit() once not needed anymore.
1181   */
wpa_bss_init(struct wpa_supplicant * wpa_s)1182  int wpa_bss_init(struct wpa_supplicant *wpa_s)
1183  {
1184  	dl_list_init(&wpa_s->bss);
1185  	dl_list_init(&wpa_s->bss_id);
1186  	return 0;
1187  }
1188  
1189  
1190  /**
1191   * wpa_bss_flush - Flush all unused BSS entries
1192   * @wpa_s: Pointer to wpa_supplicant data
1193   */
wpa_bss_flush(struct wpa_supplicant * wpa_s)1194  void wpa_bss_flush(struct wpa_supplicant *wpa_s)
1195  {
1196  	struct wpa_bss *bss, *n;
1197  
1198  	wpa_s->clear_driver_scan_cache = 1;
1199  
1200  	if (wpa_s->bss.next == NULL)
1201  		return; /* BSS table not yet initialized */
1202  
1203  	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1204  		if (wpa_bss_in_use(wpa_s, bss))
1205  			continue;
1206  		wpa_bss_remove(wpa_s, bss, __func__);
1207  	}
1208  }
1209  
1210  
1211  /**
1212   * wpa_bss_deinit - Deinitialize BSS table
1213   * @wpa_s: Pointer to wpa_supplicant data
1214   */
wpa_bss_deinit(struct wpa_supplicant * wpa_s)1215  void wpa_bss_deinit(struct wpa_supplicant *wpa_s)
1216  {
1217  	wpa_bss_flush(wpa_s);
1218  }
1219  
1220  
1221  /**
1222   * wpa_bss_get_bssid - Fetch a BSS table entry based on BSSID
1223   * @wpa_s: Pointer to wpa_supplicant data
1224   * @bssid: BSSID
1225   * Returns: Pointer to the BSS entry or %NULL if not found
1226   */
wpa_bss_get_bssid(struct wpa_supplicant * wpa_s,const u8 * bssid)1227  struct wpa_bss * wpa_bss_get_bssid(struct wpa_supplicant *wpa_s,
1228  				   const u8 *bssid)
1229  {
1230  	struct wpa_bss *bss;
1231  	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1232  		return NULL;
1233  	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1234  		if (ether_addr_equal(bss->bssid, bssid))
1235  			return bss;
1236  	}
1237  	return NULL;
1238  }
1239  
1240  
1241  /**
1242   * wpa_bss_get_bssid_latest - Fetch the latest BSS table entry based on BSSID
1243   * @wpa_s: Pointer to wpa_supplicant data
1244   * @bssid: BSSID
1245   * Returns: Pointer to the BSS entry or %NULL if not found
1246   *
1247   * This function is like wpa_bss_get_bssid(), but full BSS table is iterated to
1248   * find the entry that has the most recent update. This can help in finding the
1249   * correct entry in cases where the SSID of the AP may have changed recently
1250   * (e.g., in WPS reconfiguration cases).
1251   */
wpa_bss_get_bssid_latest(struct wpa_supplicant * wpa_s,const u8 * bssid)1252  struct wpa_bss * wpa_bss_get_bssid_latest(struct wpa_supplicant *wpa_s,
1253  					  const u8 *bssid)
1254  {
1255  	struct wpa_bss *bss, *found = NULL;
1256  	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1257  		return NULL;
1258  	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1259  		if (!ether_addr_equal(bss->bssid, bssid))
1260  			continue;
1261  		if (found == NULL ||
1262  		    os_reltime_before(&found->last_update, &bss->last_update))
1263  			found = bss;
1264  	}
1265  	return found;
1266  }
1267  
1268  
1269  #ifdef CONFIG_P2P
1270  /**
1271   * wpa_bss_get_p2p_dev_addr - Fetch the latest BSS table entry based on P2P Device Addr
1272   * @wpa_s: Pointer to wpa_supplicant data
1273   * @dev_addr: P2P Device Address of the GO
1274   * Returns: Pointer to the BSS entry or %NULL if not found
1275   *
1276   * This function tries to find the entry that has the most recent update. This
1277   * can help in finding the correct entry in cases where the SSID of the P2P
1278   * Device may have changed recently.
1279   */
wpa_bss_get_p2p_dev_addr(struct wpa_supplicant * wpa_s,const u8 * dev_addr)1280  struct wpa_bss * wpa_bss_get_p2p_dev_addr(struct wpa_supplicant *wpa_s,
1281  					  const u8 *dev_addr)
1282  {
1283  	struct wpa_bss *bss, *found = NULL;
1284  	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1285  		u8 addr[ETH_ALEN];
1286  		if (p2p_parse_dev_addr(wpa_bss_ie_ptr(bss), bss->ie_len,
1287  				       addr) != 0 ||
1288  		    !ether_addr_equal(addr, dev_addr))
1289  			continue;
1290  		if (!found ||
1291  		    os_reltime_before(&found->last_update, &bss->last_update))
1292  			found = bss;
1293  	}
1294  	return found;
1295  }
1296  #endif /* CONFIG_P2P */
1297  
1298  
1299  /**
1300   * wpa_bss_get_id - Fetch a BSS table entry based on identifier
1301   * @wpa_s: Pointer to wpa_supplicant data
1302   * @id: Unique identifier (struct wpa_bss::id) assigned for the entry
1303   * Returns: Pointer to the BSS entry or %NULL if not found
1304   */
wpa_bss_get_id(struct wpa_supplicant * wpa_s,unsigned int id)1305  struct wpa_bss * wpa_bss_get_id(struct wpa_supplicant *wpa_s, unsigned int id)
1306  {
1307  	struct wpa_bss *bss;
1308  	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
1309  		if (bss->id == id)
1310  			return bss;
1311  	}
1312  	return NULL;
1313  }
1314  
1315  
1316  /**
1317   * wpa_bss_get_id_range - Fetch a BSS table entry based on identifier range
1318   * @wpa_s: Pointer to wpa_supplicant data
1319   * @idf: Smallest allowed identifier assigned for the entry
1320   * @idf: Largest allowed identifier assigned for the entry
1321   * Returns: Pointer to the BSS entry or %NULL if not found
1322   *
1323   * This function is similar to wpa_bss_get_id() but allows a BSS entry with the
1324   * smallest id value to be fetched within the specified range without the
1325   * caller having to know the exact id.
1326   */
wpa_bss_get_id_range(struct wpa_supplicant * wpa_s,unsigned int idf,unsigned int idl)1327  struct wpa_bss * wpa_bss_get_id_range(struct wpa_supplicant *wpa_s,
1328  				      unsigned int idf, unsigned int idl)
1329  {
1330  	struct wpa_bss *bss;
1331  	dl_list_for_each(bss, &wpa_s->bss_id, struct wpa_bss, list_id) {
1332  		if (bss->id >= idf && bss->id <= idl)
1333  			return bss;
1334  	}
1335  	return NULL;
1336  }
1337  
1338  
1339  /**
1340   * wpa_bss_get_ie - Fetch a specified information element from a BSS entry
1341   * @bss: BSS table entry
1342   * @ie: Information element identitifier (WLAN_EID_*)
1343   * Returns: Pointer to the information element (id field) or %NULL if not found
1344   *
1345   * This function returns the first matching information element in the BSS
1346   * entry.
1347   */
wpa_bss_get_ie(const struct wpa_bss * bss,u8 ie)1348  const u8 * wpa_bss_get_ie(const struct wpa_bss *bss, u8 ie)
1349  {
1350  	return get_ie(wpa_bss_ie_ptr(bss), bss->ie_len, ie);
1351  }
1352  
1353  
1354  /**
1355   * wpa_bss_get_ie_beacon - Fetch a specified information element from a BSS entry
1356   * @bss: BSS table entry
1357   * @ie: Information element identitifier (WLAN_EID_*)
1358   * Returns: Pointer to the information element (id field) or %NULL if not found
1359   *
1360   * This function returns the first matching information element in the BSS
1361   * entry.
1362   *
1363   * This function is like wpa_bss_get_ie(), but uses IE buffer only from Beacon
1364   * frames instead of either Beacon or Probe Response frames.
1365   */
wpa_bss_get_ie_beacon(const struct wpa_bss * bss,u8 ie)1366  const u8 * wpa_bss_get_ie_beacon(const struct wpa_bss *bss, u8 ie)
1367  {
1368  	const u8 *ies;
1369  
1370  	if (bss->beacon_ie_len == 0)
1371  		return NULL;
1372  
1373  	ies = wpa_bss_ie_ptr(bss);
1374  	ies += bss->ie_len;
1375  	return get_ie(ies, bss->beacon_ie_len, ie);
1376  }
1377  
1378  
1379  /**
1380   * wpa_bss_get_ie_ext - Fetch a specified extended IE from a BSS entry
1381   * @bss: BSS table entry
1382   * @ext: Information element extension identifier (WLAN_EID_EXT_*)
1383   * Returns: Pointer to the information element (id field) or %NULL if not found
1384   *
1385   * This function returns the first matching information element in the BSS
1386   * entry.
1387   */
wpa_bss_get_ie_ext(const struct wpa_bss * bss,u8 ext)1388  const u8 * wpa_bss_get_ie_ext(const struct wpa_bss *bss, u8 ext)
1389  {
1390  	return get_ie_ext(wpa_bss_ie_ptr(bss), bss->ie_len, ext);
1391  }
1392  
1393  
1394  /**
1395   * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
1396   * @bss: BSS table entry
1397   * @vendor_type: Vendor type (four octets starting the IE payload)
1398   * Returns: Pointer to the information element (id field) or %NULL if not found
1399   *
1400   * This function returns the first matching information element in the BSS
1401   * entry.
1402   */
wpa_bss_get_vendor_ie(const struct wpa_bss * bss,u32 vendor_type)1403  const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
1404  {
1405  	const u8 *ies;
1406  	const struct element *elem;
1407  
1408  	ies = wpa_bss_ie_ptr(bss);
1409  
1410  	for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies, bss->ie_len) {
1411  		if (elem->datalen >= 4 &&
1412  		    vendor_type == WPA_GET_BE32(elem->data))
1413  			return &elem->id;
1414  	}
1415  
1416  	return NULL;
1417  }
1418  
1419  
1420  /**
1421   * wpa_bss_get_vendor_ie_beacon - Fetch a vendor information from a BSS entry
1422   * @bss: BSS table entry
1423   * @vendor_type: Vendor type (four octets starting the IE payload)
1424   * Returns: Pointer to the information element (id field) or %NULL if not found
1425   *
1426   * This function returns the first matching information element in the BSS
1427   * entry.
1428   *
1429   * This function is like wpa_bss_get_vendor_ie(), but uses IE buffer only
1430   * from Beacon frames instead of either Beacon or Probe Response frames.
1431   */
wpa_bss_get_vendor_ie_beacon(const struct wpa_bss * bss,u32 vendor_type)1432  const u8 * wpa_bss_get_vendor_ie_beacon(const struct wpa_bss *bss,
1433  					u32 vendor_type)
1434  {
1435  	const u8 *ies;
1436  	const struct element *elem;
1437  
1438  	if (bss->beacon_ie_len == 0)
1439  		return NULL;
1440  
1441  	ies = wpa_bss_ie_ptr(bss);
1442  	ies += bss->ie_len;
1443  
1444  	for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies,
1445  			    bss->beacon_ie_len) {
1446  		if (elem->datalen >= 4 &&
1447  		    vendor_type == WPA_GET_BE32(elem->data))
1448  			return &elem->id;
1449  	}
1450  
1451  	return NULL;
1452  }
1453  
1454  
1455  /**
1456   * wpa_bss_get_vendor_ie_multi - Fetch vendor IE data from a BSS entry
1457   * @bss: BSS table entry
1458   * @vendor_type: Vendor type (four octets starting the IE payload)
1459   * Returns: Pointer to the information element payload or %NULL if not found
1460   *
1461   * This function returns concatenated payload of possibly fragmented vendor
1462   * specific information elements in the BSS entry. The caller is responsible for
1463   * freeing the returned buffer.
1464   */
wpa_bss_get_vendor_ie_multi(const struct wpa_bss * bss,u32 vendor_type)1465  struct wpabuf * wpa_bss_get_vendor_ie_multi(const struct wpa_bss *bss,
1466  					    u32 vendor_type)
1467  {
1468  	struct wpabuf *buf;
1469  	const u8 *end, *pos;
1470  
1471  	buf = wpabuf_alloc(bss->ie_len);
1472  	if (buf == NULL)
1473  		return NULL;
1474  
1475  	pos = wpa_bss_ie_ptr(bss);
1476  	end = pos + bss->ie_len;
1477  
1478  	while (end - pos > 1) {
1479  		u8 ie, len;
1480  
1481  		ie = pos[0];
1482  		len = pos[1];
1483  		if (len > end - pos - 2)
1484  			break;
1485  		pos += 2;
1486  		if (ie == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
1487  		    vendor_type == WPA_GET_BE32(pos))
1488  			wpabuf_put_data(buf, pos + 4, len - 4);
1489  		pos += len;
1490  	}
1491  
1492  	if (wpabuf_len(buf) == 0) {
1493  		wpabuf_free(buf);
1494  		buf = NULL;
1495  	}
1496  
1497  	return buf;
1498  }
1499  
1500  
1501  /**
1502   * wpa_bss_get_vendor_ie_multi_beacon - Fetch vendor IE data from a BSS entry
1503   * @bss: BSS table entry
1504   * @vendor_type: Vendor type (four octets starting the IE payload)
1505   * Returns: Pointer to the information element payload or %NULL if not found
1506   *
1507   * This function returns concatenated payload of possibly fragmented vendor
1508   * specific information elements in the BSS entry. The caller is responsible for
1509   * freeing the returned buffer.
1510   *
1511   * This function is like wpa_bss_get_vendor_ie_multi(), but uses IE buffer only
1512   * from Beacon frames instead of either Beacon or Probe Response frames.
1513   */
wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss * bss,u32 vendor_type)1514  struct wpabuf * wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss *bss,
1515  						   u32 vendor_type)
1516  {
1517  	struct wpabuf *buf;
1518  	const u8 *end, *pos;
1519  
1520  	buf = wpabuf_alloc(bss->beacon_ie_len);
1521  	if (buf == NULL)
1522  		return NULL;
1523  
1524  	pos = wpa_bss_ie_ptr(bss);
1525  	pos += bss->ie_len;
1526  	end = pos + bss->beacon_ie_len;
1527  
1528  	while (end - pos > 1) {
1529  		u8 id, len;
1530  
1531  		id = *pos++;
1532  		len = *pos++;
1533  		if (len > end - pos)
1534  			break;
1535  		if (id == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
1536  		    vendor_type == WPA_GET_BE32(pos))
1537  			wpabuf_put_data(buf, pos + 4, len - 4);
1538  		pos += len;
1539  	}
1540  
1541  	if (wpabuf_len(buf) == 0) {
1542  		wpabuf_free(buf);
1543  		buf = NULL;
1544  	}
1545  
1546  	return buf;
1547  }
1548  
1549  
1550  /**
1551   * wpa_bss_get_max_rate - Get maximum legacy TX rate supported in a BSS
1552   * @bss: BSS table entry
1553   * Returns: Maximum legacy rate in units of 500 kbps
1554   */
wpa_bss_get_max_rate(const struct wpa_bss * bss)1555  int wpa_bss_get_max_rate(const struct wpa_bss *bss)
1556  {
1557  	int rate = 0;
1558  	const u8 *ie;
1559  	int i;
1560  
1561  	ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1562  	for (i = 0; ie && i < ie[1]; i++) {
1563  		if ((ie[i + 2] & 0x7f) > rate)
1564  			rate = ie[i + 2] & 0x7f;
1565  	}
1566  
1567  	ie = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1568  	for (i = 0; ie && i < ie[1]; i++) {
1569  		if ((ie[i + 2] & 0x7f) > rate)
1570  			rate = ie[i + 2] & 0x7f;
1571  	}
1572  
1573  	return rate;
1574  }
1575  
1576  
1577  /**
1578   * wpa_bss_get_bit_rates - Get legacy TX rates supported in a BSS
1579   * @bss: BSS table entry
1580   * @rates: Buffer for returning a pointer to the rates list (units of 500 kbps)
1581   * Returns: number of legacy TX rates or -1 on failure
1582   *
1583   * The caller is responsible for freeing the returned buffer with os_free() in
1584   * case of success.
1585   */
wpa_bss_get_bit_rates(const struct wpa_bss * bss,u8 ** rates)1586  int wpa_bss_get_bit_rates(const struct wpa_bss *bss, u8 **rates)
1587  {
1588  	const u8 *ie, *ie2;
1589  	int i, j;
1590  	unsigned int len;
1591  	u8 *r;
1592  
1593  	ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1594  	ie2 = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1595  
1596  	len = (ie ? ie[1] : 0) + (ie2 ? ie2[1] : 0);
1597  
1598  	r = os_malloc(len);
1599  	if (!r)
1600  		return -1;
1601  
1602  	for (i = 0; ie && i < ie[1]; i++)
1603  		r[i] = ie[i + 2] & 0x7f;
1604  
1605  	for (j = 0; ie2 && j < ie2[1]; j++)
1606  		r[i + j] = ie2[j + 2] & 0x7f;
1607  
1608  	*rates = r;
1609  	return len;
1610  }
1611  
1612  
1613  #ifdef CONFIG_FILS
wpa_bss_get_fils_cache_id(const struct wpa_bss * bss)1614  const u8 * wpa_bss_get_fils_cache_id(const struct wpa_bss *bss)
1615  {
1616  	const u8 *ie;
1617  
1618  	if (bss) {
1619  		ie = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
1620  		if (ie && ie[1] >= 4 && WPA_GET_LE16(ie + 2) & BIT(7))
1621  			return ie + 4;
1622  	}
1623  
1624  	return NULL;
1625  }
1626  #endif /* CONFIG_FILS */
1627  
1628  
wpa_bss_ext_capab(const struct wpa_bss * bss,unsigned int capab)1629  int wpa_bss_ext_capab(const struct wpa_bss *bss, unsigned int capab)
1630  {
1631  	if (!bss)
1632  		return 0;
1633  	return ieee802_11_ext_capab(wpa_bss_get_ie(bss, WLAN_EID_EXT_CAPAB),
1634  				    capab);
1635  }
1636  
1637  
1638  static void
wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,u8 mbssid_idx,const struct ieee80211_neighbor_ap_info * ap_info,size_t len,u16 * seen,u16 * missing,struct wpa_ssid * ssid)1639  wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant *wpa_s,
1640  			     struct wpa_bss *bss, u8 mbssid_idx,
1641  			     const struct ieee80211_neighbor_ap_info *ap_info,
1642  			     size_t len, u16 *seen, u16 *missing,
1643  			     struct wpa_ssid *ssid)
1644  {
1645  	const u8 *pos, *end;
1646  	const u8 *mld_params;
1647  	u8 count, mld_params_offset;
1648  	u8 i, type, link_id;
1649  
1650  	count = RNR_TBTT_INFO_COUNT_VAL(ap_info->tbtt_info_hdr) + 1;
1651  	type = ap_info->tbtt_info_hdr & RNR_TBTT_INFO_HDR_TYPE_MSK;
1652  
1653  	/* MLD information is at offset 13 or at start */
1654  	if (type == 0 && ap_info->tbtt_info_len >= RNR_TBTT_INFO_MLD_LEN) {
1655  		/* MLD info is appended */
1656  		mld_params_offset = RNR_TBTT_INFO_LEN;
1657  	} else {
1658  		/* TODO: Support NSTR AP */
1659  		return;
1660  	}
1661  
1662  	pos = (const u8 *) ap_info;
1663  	end = pos + len;
1664  	pos += sizeof(*ap_info);
1665  
1666  	for (i = 0; i < count; i++, pos += ap_info->tbtt_info_len) {
1667  		if (end - pos < ap_info->tbtt_info_len)
1668  			break;
1669  
1670  		mld_params = pos + mld_params_offset;
1671  
1672  		link_id = *(mld_params + 1) & EHT_ML_LINK_ID_MSK;
1673  		if (link_id >= MAX_NUM_MLD_LINKS)
1674  			continue;
1675  
1676  		if (*mld_params != mbssid_idx) {
1677  			wpa_printf(MSG_DEBUG,
1678  				   "MLD: Reported link not part of MLD");
1679  		} else if (!(BIT(link_id) & *seen)) {
1680  			struct wpa_bss *neigh_bss;
1681  
1682  			if (ssid && ssid->ssid_len)
1683  				neigh_bss = wpa_bss_get(wpa_s, pos + 1,
1684  							ssid->ssid,
1685  							ssid->ssid_len);
1686  			else
1687  				neigh_bss = wpa_bss_get_bssid(wpa_s, pos + 1);
1688  
1689  			*seen |= BIT(link_id);
1690  			wpa_printf(MSG_DEBUG, "MLD: mld ID=%u, link ID=%u",
1691  				   *mld_params, link_id);
1692  
1693  			if (!neigh_bss) {
1694  				*missing |= BIT(link_id);
1695  			} else if ((!ssid ||
1696  				    wpa_scan_res_match(wpa_s, 0, neigh_bss,
1697  						       ssid, 1, 0, true)) &&
1698  				   !wpa_bssid_ignore_is_listed(
1699  					   wpa_s, neigh_bss->bssid)) {
1700  				struct mld_link *l;
1701  
1702  				bss->valid_links |= BIT(link_id);
1703  				l = &bss->mld_links[link_id];
1704  				os_memcpy(l->bssid, pos + 1, ETH_ALEN);
1705  				l->freq = neigh_bss->freq;
1706  				l->disabled = mld_params[2] &
1707  					RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED;
1708  			}
1709  		}
1710  	}
1711  }
1712  
1713  
1714  /**
1715   * wpa_bss_parse_basic_ml_element - Parse the Basic Multi-Link element
1716   * @wpa_s: Pointer to wpa_supplicant data
1717   * @bss: BSS table entry
1718   * @mld_addr: AP MLD address (or %NULL)
1719   * @link_info: Array to store link information (or %NULL),
1720   *   should be initialized and #MAX_NUM_MLD_LINKS elements long
1721   * @missing_links: Result bitmask of links that were not discovered (or %NULL)
1722   * @ssid: Target SSID (or %NULL)
1723   * @ap_mld_id: On return would hold the corresponding AP MLD ID (or %NULL)
1724   * Returns: 0 on success or -1 for non-MLD or parsing failures
1725   *
1726   * Parses the Basic Multi-Link element of the BSS into @link_info using the scan
1727   * information stored in the wpa_supplicant data to fill in information for
1728   * links where possible. The @missing_links out parameter will contain any links
1729   * for which no corresponding BSS was found.
1730   */
wpa_bss_parse_basic_ml_element(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,u8 * ap_mld_addr,u16 * missing_links,struct wpa_ssid * ssid,u8 * ap_mld_id)1731  int wpa_bss_parse_basic_ml_element(struct wpa_supplicant *wpa_s,
1732  				   struct wpa_bss *bss,
1733  				   u8 *ap_mld_addr,
1734  				   u16 *missing_links,
1735  				   struct wpa_ssid *ssid,
1736  				   u8 *ap_mld_id)
1737  {
1738  	struct ieee802_11_elems elems;
1739  	struct wpabuf *mlbuf;
1740  	const struct element *elem;
1741  	u8 mbssid_idx = 0;
1742  	size_t ml_ie_len;
1743  	const struct ieee80211_eht_ml *eht_ml;
1744  	const struct eht_ml_basic_common_info *ml_basic_common_info;
1745  	u8 i, link_id;
1746  	const u16 control_mask =
1747  		MULTI_LINK_CONTROL_TYPE_MASK |
1748  		BASIC_MULTI_LINK_CTRL_PRES_LINK_ID |
1749  		BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT |
1750  		BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA;
1751  	const u16 control =
1752  		MULTI_LINK_CONTROL_TYPE_BASIC |
1753  		BASIC_MULTI_LINK_CTRL_PRES_LINK_ID |
1754  		BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT |
1755  		BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA;
1756  	u16 missing = 0;
1757  	u16 seen;
1758  	const u8 *ies_pos = wpa_bss_ie_ptr(bss);
1759  	size_t ies_len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
1760  	int ret = -1;
1761  	struct mld_link *l;
1762  
1763  	if (ieee802_11_parse_elems(ies_pos, ies_len, &elems, 1) ==
1764  	    ParseFailed) {
1765  		wpa_dbg(wpa_s, MSG_DEBUG, "MLD: Failed to parse elements");
1766  		return ret;
1767  	}
1768  
1769  	mlbuf = ieee802_11_defrag(elems.basic_mle, elems.basic_mle_len, true);
1770  	if (!mlbuf) {
1771  		wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No Multi-Link element");
1772  		return ret;
1773  	}
1774  
1775  	ml_ie_len = wpabuf_len(mlbuf);
1776  
1777  	if (ssid) {
1778  		struct wpa_ie_data ie;
1779  		const u8 *rsne;
1780  		size_t rsne_len;
1781  
1782  		if (elems.rsne_override_2 && wpas_rsn_overriding(wpa_s, ssid)) {
1783  			rsne = elems.rsne_override_2;
1784  			rsne_len = elems.rsne_override_2_len;
1785  		} else if (elems.rsne_override &&
1786  			   wpas_rsn_overriding(wpa_s, ssid)) {
1787  			rsne = elems.rsne_override;
1788  			rsne_len = elems.rsne_override_len;
1789  		} else {
1790  			rsne = elems.rsn_ie;
1791  			rsne_len = elems.rsn_ie_len;
1792  		}
1793  		if (!rsne ||
1794  		    wpa_parse_wpa_ie(rsne - 2, 2 + rsne_len, &ie)) {
1795  			wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No RSN element");
1796  			goto out;
1797  		}
1798  
1799  		if (!(ie.capabilities & WPA_CAPABILITY_MFPC) ||
1800  		    wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) {
1801  			wpa_dbg(wpa_s, MSG_DEBUG,
1802  				"MLD: No management frame protection");
1803  			goto out;
1804  		}
1805  
1806  		ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_FT_PSK |
1807  				 WPA_KEY_MGMT_PSK_SHA256);
1808  		if (!(ie.key_mgmt & ssid->key_mgmt)) {
1809  			wpa_dbg(wpa_s, MSG_DEBUG,
1810  				"MLD: No valid key management");
1811  			goto out;
1812  		}
1813  	}
1814  
1815  	/*
1816  	 * for ext ID + 2 control + common info len + MLD address +
1817  	 * link info
1818  	 */
1819  	if (ml_ie_len < 2UL + 1UL + ETH_ALEN + 1UL)
1820  		goto out;
1821  
1822  	eht_ml = (const struct ieee80211_eht_ml *) wpabuf_head(mlbuf);
1823  	if ((le_to_host16(eht_ml->ml_control) & control_mask) != control) {
1824  		wpa_printf(MSG_DEBUG,
1825  			   "MLD: Unexpected Multi-Link element control=0x%x (mask 0x%x expected 0x%x)",
1826  			   le_to_host16(eht_ml->ml_control), control_mask,
1827  			   control);
1828  		goto out;
1829  	}
1830  
1831  	ml_basic_common_info =
1832  		(const struct eht_ml_basic_common_info *) eht_ml->variable;
1833  
1834  	/* Common info length should be valid */
1835  	if (ml_basic_common_info->len < ETH_ALEN + 1UL)
1836  		goto out;
1837  
1838  	/* Get the MLD address and MLD link ID */
1839  	if (ap_mld_addr)
1840  		os_memcpy(ap_mld_addr, ml_basic_common_info->mld_addr,
1841  			  ETH_ALEN);
1842  
1843  	link_id = ml_basic_common_info->variable[0] & EHT_ML_LINK_ID_MSK;
1844  
1845  	bss->mld_link_id = link_id;
1846  	seen = bss->valid_links = BIT(link_id);
1847  
1848  	l = &bss->mld_links[link_id];
1849  	os_memcpy(l->bssid, bss->bssid, ETH_ALEN);
1850  	l->freq = bss->freq;
1851  
1852  
1853  	/*
1854  	 * The AP MLD ID in the RNR corresponds to the MBSSID index, see
1855  	 * IEEE P802.11be/D4.0, 9.4.2.169.2 (Neighbor AP Information field).
1856  	 *
1857  	 * For the transmitting BSSID it is clear that both the MBSSID index
1858  	 * and the AP MLD ID in the RNR are zero.
1859  	 *
1860  	 * For nontransmitted BSSIDs we will have a BSS generated from the
1861  	 * MBSSID element(s) using inheritance rules. Included in the elements
1862  	 * is the MBSSID Index Element. The RNR is copied from the Beacon/Probe
1863  	 * Response frame that was send by the transmitting BSSID. As such, the
1864  	 * reported AP MLD ID in the RNR will match the value in the MBSSID
1865  	 * Index Element.
1866  	 */
1867  	elem = (const struct element *)
1868  		wpa_bss_get_ie(bss, WLAN_EID_MULTIPLE_BSSID_INDEX);
1869  	if (elem && elem->datalen >= 1)
1870  		mbssid_idx = elem->data[0];
1871  
1872  	for_each_element_id(elem, WLAN_EID_REDUCED_NEIGHBOR_REPORT,
1873  			    wpa_bss_ie_ptr(bss),
1874  			    bss->ie_len ? bss->ie_len : bss->beacon_ie_len) {
1875  		const struct ieee80211_neighbor_ap_info *ap_info;
1876  		const u8 *pos = elem->data;
1877  		size_t len = elem->datalen;
1878  
1879  		/* RNR IE may contain more than one Neighbor AP Info */
1880  		while (sizeof(*ap_info) <= len) {
1881  			size_t ap_info_len = sizeof(*ap_info);
1882  			u8 count;
1883  
1884  			ap_info = (const struct ieee80211_neighbor_ap_info *)
1885  				pos;
1886  			count = RNR_TBTT_INFO_COUNT_VAL(ap_info->tbtt_info_hdr) + 1;
1887  			ap_info_len += count * ap_info->tbtt_info_len;
1888  
1889  			if (ap_info_len > len)
1890  				goto out;
1891  
1892  			wpa_bss_parse_ml_rnr_ap_info(wpa_s, bss, mbssid_idx,
1893  						     ap_info, ap_info_len,
1894  						     &seen, &missing, ssid);
1895  
1896  			pos += ap_info_len;
1897  			len -= ap_info_len;
1898  		}
1899  	}
1900  
1901  	wpa_printf(MSG_DEBUG, "MLD: valid_links=%04hx (unresolved: 0x%04hx)",
1902  		   bss->valid_links, missing);
1903  
1904  	for_each_link(bss->valid_links, i) {
1905  		wpa_printf(MSG_DEBUG, "MLD: link=%u, bssid=" MACSTR,
1906  			   i, MAC2STR(bss->mld_links[i].bssid));
1907  	}
1908  
1909  	if (missing_links)
1910  		*missing_links = missing;
1911  
1912  	if (ap_mld_id)
1913  		*ap_mld_id = mbssid_idx;
1914  
1915  	ret = 0;
1916  out:
1917  	wpabuf_free(mlbuf);
1918  	return ret;
1919  }
1920  
1921  
1922  /*
1923   * wpa_bss_parse_reconf_ml_element - Parse the Reconfiguration ML element
1924   * @wpa_s: Pointer to wpa_supplicant data
1925   * @bss: BSS table entry
1926   * Returns: The bitmap of links that are going to be removed
1927   */
wpa_bss_parse_reconf_ml_element(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)1928  u16 wpa_bss_parse_reconf_ml_element(struct wpa_supplicant *wpa_s,
1929  				    struct wpa_bss *bss)
1930  {
1931  	struct ieee802_11_elems elems;
1932  	struct wpabuf *mlbuf;
1933  	const u8 *pos = wpa_bss_ie_ptr(bss);
1934  	size_t len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
1935  	const struct ieee80211_eht_ml *ml;
1936  	const struct eht_ml_reconf_common_info *common_info;
1937  	u16 removed_links = 0;
1938  	u8 expected_ml_common_len;
1939  
1940  	if (ieee802_11_parse_elems(pos, len, &elems, 1) == ParseFailed)
1941  		return 0;
1942  
1943  	if (!elems.reconf_mle || !elems.reconf_mle_len)
1944  		return 0;
1945  
1946  	mlbuf = ieee802_11_defrag(elems.reconf_mle, elems.reconf_mle_len, true);
1947  	if (!mlbuf)
1948  		return 0;
1949  
1950  	ml = (const struct ieee80211_eht_ml *) wpabuf_head(mlbuf);
1951  	len = wpabuf_len(mlbuf);
1952  
1953  	/* There must be at least one octet for the Common Info Length subfield
1954  	 */
1955  	if (len < sizeof(*ml) + 1UL)
1956  		goto out;
1957  
1958  	expected_ml_common_len = 1;
1959  	if (le_to_host16(ml->ml_control) &
1960  	    RECONF_MULTI_LINK_CTRL_PRES_MLD_MAC_ADDR)
1961  		expected_ml_common_len += ETH_ALEN;
1962  
1963  	common_info = (const struct eht_ml_reconf_common_info *) ml->variable;
1964  	if (len < sizeof(*ml) + common_info->len) {
1965  		wpa_printf(MSG_DEBUG,
1966  			   "MLD: Unexpected Reconfiguration ML element length: (%zu < %zu)",
1967  			   len, sizeof(*ml) + common_info->len);
1968  		goto out;
1969  	}
1970  
1971  	if (common_info->len < expected_ml_common_len) {
1972  		wpa_printf(MSG_DEBUG,
1973  			   "MLD: Invalid common info len=%u; min expected=%u",
1974  			   common_info->len, expected_ml_common_len);
1975  		goto out;
1976  	}
1977  
1978  	pos = ml->variable + common_info->len;
1979  	len -= sizeof(*ml) + common_info->len;
1980  
1981  	while (len >= 2 + sizeof(struct ieee80211_eht_per_sta_profile)) {
1982  		size_t sub_elem_len = *(pos + 1);
1983  
1984  		if (2 + sub_elem_len > len) {
1985  			wpa_printf(MSG_DEBUG,
1986  				   "MLD: Invalid link info len: %zu %zu",
1987  				   2 + sub_elem_len, len);
1988  			goto out;
1989  		}
1990  
1991  		if  (*pos == EHT_ML_SUB_ELEM_PER_STA_PROFILE &&
1992  		     sub_elem_len >= 2) {
1993  			const struct ieee80211_eht_per_sta_profile *sta_prof =
1994  				(const struct ieee80211_eht_per_sta_profile *)
1995  				(pos + 2);
1996  			u16 control = le_to_host16(sta_prof->sta_control);
1997  			u8 link_id;
1998  
1999  			link_id = control & EHT_PER_STA_RECONF_CTRL_LINK_ID_MSK;
2000  			removed_links |= BIT(link_id);
2001  		}
2002  
2003  		pos += 2 + sub_elem_len;
2004  		len -= 2 + sub_elem_len;
2005  	}
2006  
2007  	wpa_printf(MSG_DEBUG, "MLD: Reconfiguration: removed_links=0x%x",
2008  		   removed_links);
2009  out:
2010  	wpabuf_free(mlbuf);
2011  	return removed_links;
2012  }
2013  
2014  
2015  #ifndef CONFIG_NO_WPA
2016  
wpa_bss_supported_cipher(struct wpa_supplicant * wpa_s,int pairwise_cipher)2017  static bool wpa_bss_supported_cipher(struct wpa_supplicant *wpa_s,
2018  				     int pairwise_cipher)
2019  {
2020  	if (!wpa_s->drv_enc)
2021  		return true;
2022  
2023  	if ((pairwise_cipher & WPA_CIPHER_CCMP) &&
2024  	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP))
2025  		return true;
2026  
2027  	if ((pairwise_cipher & WPA_CIPHER_GCMP) &&
2028  	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP))
2029  		return true;
2030  
2031  	if ((pairwise_cipher & WPA_CIPHER_CCMP_256) &&
2032  	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256))
2033  		return true;
2034  
2035  	if ((pairwise_cipher & WPA_CIPHER_GCMP_256) &&
2036  	    (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256))
2037  		return true;
2038  
2039  	return false;
2040  }
2041  
2042  
wpa_bss_supported_key_mgmt(struct wpa_supplicant * wpa_s,int key_mgmt)2043  static bool wpa_bss_supported_key_mgmt(struct wpa_supplicant *wpa_s,
2044  				       int key_mgmt)
2045  {
2046  	if (!wpa_s->drv_key_mgmt)
2047  		return true;
2048  
2049  	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X) &&
2050  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2))
2051  		return true;
2052  	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) &&
2053  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_802_1X_SHA256))
2054  		return true;
2055  	if ((key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) &&
2056  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT))
2057  		return true;
2058  	if ((key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) &&
2059  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_802_1X_SHA384))
2060  		return true;
2061  	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) &&
2062  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B))
2063  		return true;
2064  	if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) &&
2065  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192))
2066  		return true;
2067  	if ((key_mgmt & WPA_KEY_MGMT_PSK) &&
2068  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK))
2069  		return true;
2070  	if ((key_mgmt & WPA_KEY_MGMT_FT_PSK) &&
2071  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK))
2072  		return true;
2073  	if ((key_mgmt & WPA_KEY_MGMT_PSK_SHA256) &&
2074  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_PSK_SHA256))
2075  		return true;
2076  	if ((key_mgmt & WPA_KEY_MGMT_SAE) &&
2077  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE))
2078  		return true;
2079  	if ((key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) &&
2080  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE_EXT_KEY))
2081  		return true;
2082  	if ((key_mgmt & WPA_KEY_MGMT_FT_SAE) &&
2083  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE))
2084  		return true;
2085  	if ((key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
2086  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE_EXT_KEY))
2087  		return true;
2088  	if ((key_mgmt & WPA_KEY_MGMT_OWE) &&
2089  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE))
2090  		return true;
2091  	if ((key_mgmt & WPA_KEY_MGMT_DPP) &&
2092  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_DPP))
2093  		return true;
2094  	if ((key_mgmt & WPA_KEY_MGMT_FILS_SHA256) &&
2095  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA256))
2096  		return true;
2097  	if ((key_mgmt & WPA_KEY_MGMT_FILS_SHA384) &&
2098  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384))
2099  		return true;
2100  	if ((key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) &&
2101  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA256))
2102  		return true;
2103  	if ((key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) &&
2104  	    (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA384))
2105  		return true;
2106  
2107  	return false;
2108  }
2109  
2110  
wpa_bss_supported_rsne(struct wpa_supplicant * wpa_s,struct wpa_ssid * ssid,const u8 * ie)2111  static bool wpa_bss_supported_rsne(struct wpa_supplicant *wpa_s,
2112  				   struct wpa_ssid *ssid, const u8 *ie)
2113  {
2114  	struct wpa_ie_data data;
2115  
2116  	if (wpa_parse_wpa_ie_rsn(ie, 2 + ie[1], &data) < 0)
2117  		return false;
2118  
2119  	/* Check that there is a supported AKM and pairwise cipher based on
2120  	 * overall capabilities */
2121  	if (!data.pairwise_cipher || !data.key_mgmt)
2122  		return false;
2123  
2124  	if (wpa_s->drv_capa_known) {
2125  		if (!wpa_bss_supported_cipher(wpa_s, data.pairwise_cipher) ||
2126  		    !wpa_bss_supported_key_mgmt(wpa_s, data.key_mgmt))
2127  			return false;
2128  	}
2129  
2130  	if (ssid) {
2131  		/* Check that there is a supported AKM and pairwise cipher
2132  		 * based on the specific network profile. */
2133  		if ((ssid->pairwise_cipher & data.pairwise_cipher) == 0)
2134  			return false;
2135  		if ((ssid->key_mgmt & data.key_mgmt) == 0)
2136  			return false;
2137  	}
2138  
2139  	return true;
2140  }
2141  
2142  #endif /* CONFIG_NO_WPA */
2143  
2144  
wpa_bss_get_rsne(struct wpa_supplicant * wpa_s,const struct wpa_bss * bss,struct wpa_ssid * ssid,bool mlo)2145  const u8 * wpa_bss_get_rsne(struct wpa_supplicant *wpa_s,
2146  			    const struct wpa_bss *bss, struct wpa_ssid *ssid,
2147  			    bool mlo)
2148  {
2149  #ifndef CONFIG_NO_WPA
2150  	const u8 *ie;
2151  
2152  	if (wpas_rsn_overriding(wpa_s, ssid)) {
2153  		if (!ssid)
2154  			ssid = wpa_s->current_ssid;
2155  
2156  		/* MLO cases for RSN overriding are required to use RSNE
2157  		 * Override 2 element and RSNXE Override element together. */
2158  		ie = wpa_bss_get_vendor_ie(bss, RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
2159  		if (mlo && ie &&
2160  		    !wpa_bss_get_vendor_ie(bss,
2161  					   RSNXE_OVERRIDE_IE_VENDOR_TYPE)) {
2162  			wpa_printf(MSG_DEBUG, "BSS " MACSTR
2163  				   " advertises RSNE Override 2 element without RSNXE Override element - ignore RSNE Override 2 element for MLO",
2164  				   MAC2STR(bss->bssid));
2165  		} else if (ie && wpa_bss_supported_rsne(wpa_s, ssid, ie)) {
2166  			return ie;
2167  		}
2168  
2169  		if (!mlo) {
2170  			ie = wpa_bss_get_vendor_ie(
2171  				bss, RSNE_OVERRIDE_IE_VENDOR_TYPE);
2172  			if (ie && wpa_bss_supported_rsne(wpa_s, ssid, ie))
2173  				return ie;
2174  		}
2175  	}
2176  #endif /* CONFIG_NO_WPA */
2177  
2178  	return wpa_bss_get_ie(bss, WLAN_EID_RSN);
2179  }
2180  
2181  
wpa_bss_get_rsnxe(struct wpa_supplicant * wpa_s,const struct wpa_bss * bss,struct wpa_ssid * ssid,bool mlo)2182  const u8 * wpa_bss_get_rsnxe(struct wpa_supplicant *wpa_s,
2183  			     const struct wpa_bss *bss, struct wpa_ssid *ssid,
2184  			     bool mlo)
2185  {
2186  	const u8 *ie;
2187  
2188  	if (wpas_rsn_overriding(wpa_s, ssid)) {
2189  		ie = wpa_bss_get_vendor_ie(bss, RSNXE_OVERRIDE_IE_VENDOR_TYPE);
2190  		if (ie) {
2191  			const u8 *tmp;
2192  
2193  			tmp = wpa_bss_get_rsne(wpa_s, bss, ssid, mlo);
2194  			if (!tmp || tmp[0] == WLAN_EID_RSN) {
2195  				/* An acceptable RSNE override element was not
2196  				 * found, so need to ignore RSNXE overriding. */
2197  				goto out;
2198  			}
2199  
2200  			return ie;
2201  		}
2202  
2203  		/* MLO cases for RSN overriding are required to use RSNE
2204  		 * Override 2 element and RSNXE Override element together. */
2205  		if (mlo && wpa_bss_get_vendor_ie(
2206  			    bss, RSNE_OVERRIDE_2_IE_VENDOR_TYPE)) {
2207  			wpa_printf(MSG_DEBUG, "BSS " MACSTR
2208  				   " advertises RSNXE Override element without RSNE Override 2 element - ignore RSNXE Override element for MLO",
2209  				   MAC2STR(bss->bssid));
2210  			goto out;
2211  		}
2212  	}
2213  
2214  out:
2215  	return wpa_bss_get_ie(bss, WLAN_EID_RSNX);
2216  }
2217