1 /*
2 * BSS table
3 * Copyright (c) 2009-2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "drivers/driver.h"
15 #include "eap_peer/eap.h"
16 #include "rsn_supp/wpa.h"
17 #include "wpa_supplicant_i.h"
18 #include "config.h"
19 #include "notify.h"
20 #include "scan.h"
21 #include "bssid_ignore.h"
22 #include "bss.h"
23
wpa_bss_set_hessid(struct wpa_bss * bss)24 static void wpa_bss_set_hessid(struct wpa_bss *bss)
25 {
26 #ifdef CONFIG_INTERWORKING
27 const u8 *ie = wpa_bss_get_ie(bss, WLAN_EID_INTERWORKING);
28 if (ie == NULL || (ie[1] != 7 && ie[1] != 9)) {
29 os_memset(bss->hessid, 0, ETH_ALEN);
30 return;
31 }
32 if (ie[1] == 7)
33 os_memcpy(bss->hessid, ie + 3, ETH_ALEN);
34 else
35 os_memcpy(bss->hessid, ie + 5, ETH_ALEN);
36 #endif /* CONFIG_INTERWORKING */
37 }
38
39
40 /**
41 * wpa_bss_anqp_alloc - Allocate ANQP data structure for a BSS entry
42 * Returns: Allocated ANQP data structure or %NULL on failure
43 *
44 * The allocated ANQP data structure has its users count set to 1. It may be
45 * shared by multiple BSS entries and each shared entry is freed with
46 * wpa_bss_anqp_free().
47 */
wpa_bss_anqp_alloc(void)48 struct wpa_bss_anqp * wpa_bss_anqp_alloc(void)
49 {
50 struct wpa_bss_anqp *anqp;
51 anqp = os_zalloc(sizeof(*anqp));
52 if (anqp == NULL)
53 return NULL;
54 #ifdef CONFIG_INTERWORKING
55 dl_list_init(&anqp->anqp_elems);
56 #endif /* CONFIG_INTERWORKING */
57 anqp->users = 1;
58 return anqp;
59 }
60
61
62 /**
63 * wpa_bss_anqp_clone - Clone an ANQP data structure
64 * @anqp: ANQP data structure from wpa_bss_anqp_alloc()
65 * Returns: Cloned ANQP data structure or %NULL on failure
66 */
wpa_bss_anqp_clone(struct wpa_bss_anqp * anqp)67 static struct wpa_bss_anqp * wpa_bss_anqp_clone(struct wpa_bss_anqp *anqp)
68 {
69 struct wpa_bss_anqp *n;
70
71 n = os_zalloc(sizeof(*n));
72 if (n == NULL)
73 return NULL;
74
75 #define ANQP_DUP(f) if (anqp->f) n->f = wpabuf_dup(anqp->f)
76 #ifdef CONFIG_INTERWORKING
77 dl_list_init(&n->anqp_elems);
78 ANQP_DUP(capability_list);
79 ANQP_DUP(venue_name);
80 ANQP_DUP(network_auth_type);
81 ANQP_DUP(roaming_consortium);
82 ANQP_DUP(ip_addr_type_availability);
83 ANQP_DUP(nai_realm);
84 ANQP_DUP(anqp_3gpp);
85 ANQP_DUP(domain_name);
86 ANQP_DUP(fils_realm_info);
87 #endif /* CONFIG_INTERWORKING */
88 #ifdef CONFIG_HS20
89 ANQP_DUP(hs20_capability_list);
90 ANQP_DUP(hs20_operator_friendly_name);
91 ANQP_DUP(hs20_wan_metrics);
92 ANQP_DUP(hs20_connection_capability);
93 ANQP_DUP(hs20_operating_class);
94 #endif /* CONFIG_HS20 */
95 #undef ANQP_DUP
96
97 return n;
98 }
99
100
101 /**
102 * wpa_bss_anqp_unshare_alloc - Unshare ANQP data (if shared) in a BSS entry
103 * @bss: BSS entry
104 * Returns: 0 on success, -1 on failure
105 *
106 * This function ensures the specific BSS entry has an ANQP data structure that
107 * is not shared with any other BSS entry.
108 */
wpa_bss_anqp_unshare_alloc(struct wpa_bss * bss)109 int wpa_bss_anqp_unshare_alloc(struct wpa_bss *bss)
110 {
111 struct wpa_bss_anqp *anqp;
112
113 if (bss->anqp && bss->anqp->users > 1) {
114 /* allocated, but shared - clone an unshared copy */
115 anqp = wpa_bss_anqp_clone(bss->anqp);
116 if (anqp == NULL)
117 return -1;
118 anqp->users = 1;
119 bss->anqp->users--;
120 bss->anqp = anqp;
121 return 0;
122 }
123
124 if (bss->anqp)
125 return 0; /* already allocated and not shared */
126
127 /* not allocated - allocate a new storage area */
128 bss->anqp = wpa_bss_anqp_alloc();
129 return bss->anqp ? 0 : -1;
130 }
131
132
133 /**
134 * wpa_bss_anqp_free - Free an ANQP data structure
135 * @anqp: ANQP data structure from wpa_bss_anqp_alloc() or wpa_bss_anqp_clone()
136 */
wpa_bss_anqp_free(struct wpa_bss_anqp * anqp)137 static void wpa_bss_anqp_free(struct wpa_bss_anqp *anqp)
138 {
139 #ifdef CONFIG_INTERWORKING
140 struct wpa_bss_anqp_elem *elem;
141 #endif /* CONFIG_INTERWORKING */
142
143 if (anqp == NULL)
144 return;
145
146 anqp->users--;
147 if (anqp->users > 0) {
148 /* Another BSS entry holds a pointer to this ANQP info */
149 return;
150 }
151
152 #ifdef CONFIG_INTERWORKING
153 wpabuf_free(anqp->capability_list);
154 wpabuf_free(anqp->venue_name);
155 wpabuf_free(anqp->network_auth_type);
156 wpabuf_free(anqp->roaming_consortium);
157 wpabuf_free(anqp->ip_addr_type_availability);
158 wpabuf_free(anqp->nai_realm);
159 wpabuf_free(anqp->anqp_3gpp);
160 wpabuf_free(anqp->domain_name);
161 wpabuf_free(anqp->fils_realm_info);
162
163 while ((elem = dl_list_first(&anqp->anqp_elems,
164 struct wpa_bss_anqp_elem, list))) {
165 dl_list_del(&elem->list);
166 wpabuf_free(elem->payload);
167 os_free(elem);
168 }
169 #endif /* CONFIG_INTERWORKING */
170 #ifdef CONFIG_HS20
171 wpabuf_free(anqp->hs20_capability_list);
172 wpabuf_free(anqp->hs20_operator_friendly_name);
173 wpabuf_free(anqp->hs20_wan_metrics);
174 wpabuf_free(anqp->hs20_connection_capability);
175 wpabuf_free(anqp->hs20_operating_class);
176 #endif /* CONFIG_HS20 */
177
178 os_free(anqp);
179 }
180
181
182 static struct wpa_connect_work *
wpa_bss_check_pending_connect(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)183 wpa_bss_check_pending_connect(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
184 {
185 struct wpa_radio_work *work;
186 struct wpa_connect_work *cwork;
187
188 work = radio_work_pending(wpa_s, "sme-connect");
189 if (!work)
190 work = radio_work_pending(wpa_s, "connect");
191 if (!work)
192 return NULL;
193
194 cwork = work->ctx;
195 if (cwork->bss != bss)
196 return NULL;
197
198 return cwork;
199 }
200
201
wpa_bss_update_pending_connect(struct wpa_connect_work * cwork,struct wpa_bss * new_bss)202 static void wpa_bss_update_pending_connect(struct wpa_connect_work *cwork,
203 struct wpa_bss *new_bss)
204 {
205 wpa_printf(MSG_DEBUG,
206 "Update BSS pointer for the pending connect radio work");
207 cwork->bss = new_bss;
208 if (!new_bss)
209 cwork->bss_removed = 1;
210 }
211
212
wpa_bss_remove(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,const char * reason)213 void wpa_bss_remove(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
214 const char *reason)
215 {
216 struct wpa_connect_work *cwork;
217 unsigned int j;
218
219 if (wpa_s->last_scan_res) {
220 unsigned int i;
221 for (i = 0; i < wpa_s->last_scan_res_used; i++) {
222 if (wpa_s->last_scan_res[i] == bss) {
223 os_memmove(&wpa_s->last_scan_res[i],
224 &wpa_s->last_scan_res[i + 1],
225 (wpa_s->last_scan_res_used - i - 1)
226 * sizeof(struct wpa_bss *));
227 wpa_s->last_scan_res_used--;
228 break;
229 }
230 }
231 }
232 cwork = wpa_bss_check_pending_connect(wpa_s, bss);
233 if (cwork)
234 wpa_bss_update_pending_connect(cwork, NULL);
235 dl_list_del(&bss->list);
236 dl_list_del(&bss->list_id);
237 wpa_s->num_bss--;
238 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Remove id %u BSSID " MACSTR
239 " SSID '%s' due to %s", bss->id, MAC2STR(bss->bssid),
240 wpa_ssid_txt(bss->ssid, bss->ssid_len), reason);
241 wpas_notify_bss_removed(wpa_s, bss->bssid, bss->id);
242 wpa_bss_anqp_free(bss->anqp);
243
244 if (wpa_s->current_bss == bss) {
245 wpa_printf(MSG_DEBUG,
246 "BSS: Clear current_bss due to bss removal");
247 wpa_s->current_bss = NULL;
248 }
249
250 #ifdef CONFIG_INTERWORKING
251 if (wpa_s->interworking_gas_bss == bss) {
252 wpa_printf(MSG_DEBUG,
253 "BSS: Clear interworking_gas_bss due to bss removal");
254 wpa_s->interworking_gas_bss = NULL;
255 }
256 #endif /* CONFIG_INTERWORKING */
257
258 #ifdef CONFIG_WNM
259 if (wpa_s->wnm_target_bss == bss) {
260 wpa_printf(MSG_DEBUG,
261 "BSS: Clear wnm_target_bss due to bss removal");
262 wpa_s->wnm_target_bss = NULL;
263 }
264 #endif /* CONFIG_WNM */
265
266 if (wpa_s->ml_connect_probe_bss == bss) {
267 wpa_printf(MSG_DEBUG,
268 "BSS: Clear ml_connect_probe_bss due to bss removal");
269 wpa_s->ml_connect_probe_bss = NULL;
270 }
271
272 for (j = 0; j < MAX_NUM_MLD_LINKS; j++) {
273 if (wpa_s->links[j].bss == bss) {
274 wpa_printf(MSG_DEBUG,
275 "BSS: Clear links[%d].bss due to bss removal",
276 j);
277 wpa_s->valid_links &= ~BIT(j);
278 wpa_s->links[j].bss = NULL;
279 }
280 }
281
282 os_free(bss);
283 }
284
285
286 /**
287 * wpa_bss_get - Fetch a BSS table entry based on BSSID and SSID
288 * @wpa_s: Pointer to wpa_supplicant data
289 * @bssid: BSSID, or %NULL to match any BSSID
290 * @ssid: SSID
291 * @ssid_len: Length of @ssid
292 * Returns: Pointer to the BSS entry or %NULL if not found
293 */
wpa_bss_get(struct wpa_supplicant * wpa_s,const u8 * bssid,const u8 * ssid,size_t ssid_len)294 struct wpa_bss * wpa_bss_get(struct wpa_supplicant *wpa_s, const u8 *bssid,
295 const u8 *ssid, size_t ssid_len)
296 {
297 struct wpa_bss *bss;
298
299 if (bssid && !wpa_supplicant_filter_bssid_match(wpa_s, bssid))
300 return NULL;
301 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
302 if ((!bssid || ether_addr_equal(bss->bssid, bssid)) &&
303 bss->ssid_len == ssid_len &&
304 os_memcmp(bss->ssid, ssid, ssid_len) == 0)
305 return bss;
306 }
307 return NULL;
308 }
309
310 /**
311 * wpa_bss_get_connection - Fetch a BSS table entry based on BSSID and SSID.
312 * @wpa_s: Pointer to wpa_supplicant data
313 * @bssid: BSSID, or %NULL to match any BSSID
314 * @ssid: SSID
315 * @ssid_len: Length of @ssid
316 * Returns: Pointer to the BSS entry or %NULL if not found
317 *
318 * This function is similar to wpa_bss_get() but it will also return OWE
319 * transition mode encrypted networks for which transition-element matches
320 * @ssid.
321 */
wpa_bss_get_connection(struct wpa_supplicant * wpa_s,const u8 * bssid,const u8 * ssid,size_t ssid_len)322 struct wpa_bss * wpa_bss_get_connection(struct wpa_supplicant *wpa_s,
323 const u8 *bssid,
324 const u8 *ssid, size_t ssid_len)
325 {
326 struct wpa_bss *bss;
327 #ifdef CONFIG_OWE
328 const u8 *owe, *owe_bssid, *owe_ssid;
329 size_t owe_ssid_len;
330 #endif /* CONFIG_OWE */
331
332 if (bssid && !wpa_supplicant_filter_bssid_match(wpa_s, bssid))
333 return NULL;
334 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
335 if (bssid && !ether_addr_equal(bss->bssid, bssid))
336 continue;
337
338 if (bss->ssid_len == ssid_len &&
339 os_memcmp(bss->ssid, ssid, ssid_len) == 0)
340 return bss;
341
342 #ifdef CONFIG_OWE
343 /* Check if OWE transition mode element is present and matches
344 * the SSID */
345 owe = wpa_bss_get_vendor_ie(bss, OWE_IE_VENDOR_TYPE);
346 if (!owe)
347 continue;
348
349 if (wpas_get_owe_trans_network(owe, &owe_bssid, &owe_ssid,
350 &owe_ssid_len))
351 continue;
352
353 if (bss->ssid_len &&
354 owe_ssid_len == ssid_len &&
355 os_memcmp(owe_ssid, ssid, ssid_len) == 0)
356 return bss;
357 #endif /* CONFIG_OWE */
358 }
359 return NULL;
360 }
361
362
calculate_update_time(const struct os_reltime * fetch_time,unsigned int age_ms,struct os_reltime * update_time)363 void calculate_update_time(const struct os_reltime *fetch_time,
364 unsigned int age_ms,
365 struct os_reltime *update_time)
366 {
367 os_time_t usec;
368
369 update_time->sec = fetch_time->sec;
370 update_time->usec = fetch_time->usec;
371 update_time->sec -= age_ms / 1000;
372 usec = (age_ms % 1000) * 1000;
373 if (update_time->usec < usec) {
374 update_time->sec--;
375 update_time->usec += 1000000;
376 }
377 update_time->usec -= usec;
378 }
379
380
wpa_bss_copy_res(struct wpa_bss * dst,struct wpa_scan_res * src,struct os_reltime * fetch_time)381 static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
382 struct os_reltime *fetch_time)
383 {
384 dst->flags = src->flags;
385 os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
386 dst->freq = src->freq;
387 dst->max_cw = src->max_cw;
388 dst->beacon_int = src->beacon_int;
389 dst->caps = src->caps;
390 dst->qual = src->qual;
391 dst->noise = src->noise;
392 dst->level = src->level;
393 dst->tsf = src->tsf;
394 dst->beacon_newer = src->beacon_newer;
395 dst->est_throughput = src->est_throughput;
396 dst->snr = src->snr;
397
398 calculate_update_time(fetch_time, src->age, &dst->last_update);
399 }
400
401
wpa_bss_is_wps_candidate(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)402 static int wpa_bss_is_wps_candidate(struct wpa_supplicant *wpa_s,
403 struct wpa_bss *bss)
404 {
405 #ifdef CONFIG_WPS
406 struct wpa_ssid *ssid;
407 struct wpabuf *wps_ie;
408 int pbc = 0, ret;
409
410 wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
411 if (!wps_ie)
412 return 0;
413
414 if (wps_is_selected_pbc_registrar(wps_ie)) {
415 pbc = 1;
416 } else if (!wps_is_addr_authorized(wps_ie, wpa_s->own_addr, 1)) {
417 wpabuf_free(wps_ie);
418 return 0;
419 }
420
421 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
422 if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
423 continue;
424 if (ssid->ssid_len &&
425 (ssid->ssid_len != bss->ssid_len ||
426 os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) != 0))
427 continue;
428
429 if (pbc)
430 ret = eap_is_wps_pbc_enrollee(&ssid->eap);
431 else
432 ret = eap_is_wps_pin_enrollee(&ssid->eap);
433 wpabuf_free(wps_ie);
434 return ret;
435 }
436 wpabuf_free(wps_ie);
437 #endif /* CONFIG_WPS */
438
439 return 0;
440 }
441
442
is_p2p_pending_bss(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)443 static bool is_p2p_pending_bss(struct wpa_supplicant *wpa_s,
444 struct wpa_bss *bss)
445 {
446 #ifdef CONFIG_P2P
447 u8 addr[ETH_ALEN];
448
449 if (ether_addr_equal(bss->bssid, wpa_s->pending_join_iface_addr))
450 return true;
451 if (!is_zero_ether_addr(wpa_s->pending_join_dev_addr) &&
452 p2p_parse_dev_addr(wpa_bss_ie_ptr(bss), bss->ie_len, addr) == 0 &&
453 ether_addr_equal(addr, wpa_s->pending_join_dev_addr))
454 return true;
455 #endif /* CONFIG_P2P */
456 return false;
457 }
458
459
460 #ifdef CONFIG_OWE
wpa_bss_owe_trans_known(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,const u8 * entry_ssid,size_t entry_ssid_len)461 static int wpa_bss_owe_trans_known(struct wpa_supplicant *wpa_s,
462 struct wpa_bss *bss,
463 const u8 *entry_ssid, size_t entry_ssid_len)
464 {
465 const u8 *owe, *owe_bssid, *owe_ssid;
466 size_t owe_ssid_len;
467
468 owe = wpa_bss_get_vendor_ie(bss, OWE_IE_VENDOR_TYPE);
469 if (!owe)
470 return 0;
471
472 if (wpas_get_owe_trans_network(owe, &owe_bssid, &owe_ssid,
473 &owe_ssid_len))
474 return 0;
475
476 return entry_ssid_len == owe_ssid_len &&
477 os_memcmp(owe_ssid, entry_ssid, owe_ssid_len) == 0;
478 }
479 #endif /* CONFIG_OWE */
480
481
wpa_bss_known(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)482 static int wpa_bss_known(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
483 {
484 struct wpa_ssid *ssid;
485
486 if (is_p2p_pending_bss(wpa_s, bss))
487 return 1;
488
489 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
490 if (ssid->ssid == NULL || ssid->ssid_len == 0)
491 continue;
492 if (ssid->ssid_len == bss->ssid_len &&
493 os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) == 0)
494 return 1;
495 #ifdef CONFIG_OWE
496 if (wpa_bss_owe_trans_known(wpa_s, bss, ssid->ssid,
497 ssid->ssid_len))
498 return 1;
499 #endif /* CONFIG_OWE */
500 }
501
502 return 0;
503 }
504
505
wpa_bss_in_use(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)506 static int wpa_bss_in_use(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
507 {
508 int i;
509
510 if (bss == wpa_s->current_bss)
511 return 1;
512
513 if (bss == wpa_s->ml_connect_probe_bss)
514 return 1;
515
516 #ifdef CONFIG_WNM
517 if (bss == wpa_s->wnm_target_bss)
518 return 1;
519 #endif /* CONFIG_WNM */
520
521 if (wpa_s->current_bss &&
522 (bss->ssid_len != wpa_s->current_bss->ssid_len ||
523 os_memcmp(bss->ssid, wpa_s->current_bss->ssid,
524 bss->ssid_len) != 0))
525 return 0; /* SSID has changed */
526
527 if (!is_zero_ether_addr(bss->bssid) &&
528 (ether_addr_equal(bss->bssid, wpa_s->bssid) ||
529 ether_addr_equal(bss->bssid, wpa_s->pending_bssid)))
530 return 1;
531
532 if (!wpa_s->valid_links)
533 return 0;
534
535 for_each_link(wpa_s->valid_links, i) {
536 if (ether_addr_equal(bss->bssid, wpa_s->links[i].bssid))
537 return 1;
538 }
539
540 return 0;
541 }
542
543
wpa_bss_remove_oldest_unknown(struct wpa_supplicant * wpa_s)544 static int wpa_bss_remove_oldest_unknown(struct wpa_supplicant *wpa_s)
545 {
546 struct wpa_bss *bss;
547
548 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
549 if (!wpa_bss_known(wpa_s, bss) &&
550 !wpa_bss_in_use(wpa_s, bss) &&
551 !wpa_bss_is_wps_candidate(wpa_s, bss)) {
552 wpa_bss_remove(wpa_s, bss, __func__);
553 return 0;
554 }
555 }
556
557 return -1;
558 }
559
560
wpa_bss_remove_oldest(struct wpa_supplicant * wpa_s)561 static int wpa_bss_remove_oldest(struct wpa_supplicant *wpa_s)
562 {
563 struct wpa_bss *bss;
564
565 /*
566 * Remove the oldest entry that does not match with any configured
567 * network.
568 */
569 if (wpa_bss_remove_oldest_unknown(wpa_s) == 0)
570 return 0;
571
572 /*
573 * Remove the oldest entry that isn't currently in use.
574 */
575 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
576 if (!wpa_bss_in_use(wpa_s, bss)) {
577 wpa_bss_remove(wpa_s, bss, __func__);
578 return 0;
579 }
580 }
581
582 return -1;
583 }
584
585
wpa_bss_add(struct wpa_supplicant * wpa_s,const u8 * ssid,size_t ssid_len,struct wpa_scan_res * res,struct os_reltime * fetch_time)586 static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s,
587 const u8 *ssid, size_t ssid_len,
588 struct wpa_scan_res *res,
589 struct os_reltime *fetch_time)
590 {
591 struct wpa_bss *bss;
592 char extra[100];
593 const u8 *ml_ie;
594 char *pos, *end;
595 int ret = 0;
596 const u8 *mld_addr;
597
598 bss = os_zalloc(sizeof(*bss) + res->ie_len + res->beacon_ie_len);
599 if (bss == NULL)
600 return NULL;
601 bss->id = wpa_s->bss_next_id++;
602 bss->last_update_idx = wpa_s->bss_update_idx;
603 wpa_bss_copy_res(bss, res, fetch_time);
604 os_memcpy(bss->ssid, ssid, ssid_len);
605 bss->ssid_len = ssid_len;
606 bss->ie_len = res->ie_len;
607 bss->beacon_ie_len = res->beacon_ie_len;
608 os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);
609 wpa_bss_set_hessid(bss);
610
611 os_memset(bss->mld_addr, 0, ETH_ALEN);
612 ml_ie = wpa_scan_get_ml_ie(res, MULTI_LINK_CONTROL_TYPE_BASIC);
613 if (ml_ie) {
614 mld_addr = get_basic_mle_mld_addr(&ml_ie[3], ml_ie[1] - 1);
615 if (mld_addr)
616 os_memcpy(bss->mld_addr, mld_addr, ETH_ALEN);
617 }
618
619 if (wpa_s->num_bss + 1 > wpa_s->conf->bss_max_count &&
620 wpa_bss_remove_oldest(wpa_s) != 0) {
621 wpa_printf(MSG_ERROR, "Increasing the MAX BSS count to %d "
622 "because all BSSes are in use. We should normally "
623 "not get here!", (int) wpa_s->num_bss + 1);
624 wpa_s->conf->bss_max_count = wpa_s->num_bss + 1;
625 }
626
627 dl_list_add_tail(&wpa_s->bss, &bss->list);
628 dl_list_add_tail(&wpa_s->bss_id, &bss->list_id);
629 wpa_s->num_bss++;
630
631 extra[0] = '\0';
632 pos = extra;
633 end = pos + sizeof(extra);
634 if (!is_zero_ether_addr(bss->hessid))
635 ret = os_snprintf(pos, end - pos, " HESSID " MACSTR,
636 MAC2STR(bss->hessid));
637
638 if (!is_zero_ether_addr(bss->mld_addr) &&
639 !os_snprintf_error(end - pos, ret)) {
640 pos += ret;
641 ret = os_snprintf(pos, end - pos, " MLD ADDR " MACSTR,
642 MAC2STR(bss->mld_addr));
643 }
644
645 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Add new id %u BSSID " MACSTR
646 " SSID '%s' freq %d%s",
647 bss->id, MAC2STR(bss->bssid), wpa_ssid_txt(ssid, ssid_len),
648 bss->freq, extra);
649 wpas_notify_bss_added(wpa_s, bss->bssid, bss->id);
650 return bss;
651 }
652
653
are_ies_equal(const struct wpa_bss * old,const struct wpa_scan_res * new_res,u32 ie)654 static int are_ies_equal(const struct wpa_bss *old,
655 const struct wpa_scan_res *new_res, u32 ie)
656 {
657 const u8 *old_ie, *new_ie;
658 struct wpabuf *old_ie_buff = NULL;
659 struct wpabuf *new_ie_buff = NULL;
660 int new_ie_len, old_ie_len, ret, is_multi;
661
662 switch (ie) {
663 case WPA_IE_VENDOR_TYPE:
664 old_ie = wpa_bss_get_vendor_ie(old, ie);
665 new_ie = wpa_scan_get_vendor_ie(new_res, ie);
666 is_multi = 0;
667 break;
668 case WPS_IE_VENDOR_TYPE:
669 old_ie_buff = wpa_bss_get_vendor_ie_multi(old, ie);
670 new_ie_buff = wpa_scan_get_vendor_ie_multi(new_res, ie);
671 is_multi = 1;
672 break;
673 case WLAN_EID_RSN:
674 case WLAN_EID_SUPP_RATES:
675 case WLAN_EID_EXT_SUPP_RATES:
676 old_ie = wpa_bss_get_ie(old, ie);
677 new_ie = wpa_scan_get_ie(new_res, ie);
678 is_multi = 0;
679 break;
680 default:
681 wpa_printf(MSG_DEBUG, "bss: %s: cannot compare IEs", __func__);
682 return 0;
683 }
684
685 if (is_multi) {
686 /* in case of multiple IEs stored in buffer */
687 old_ie = old_ie_buff ? wpabuf_head_u8(old_ie_buff) : NULL;
688 new_ie = new_ie_buff ? wpabuf_head_u8(new_ie_buff) : NULL;
689 old_ie_len = old_ie_buff ? wpabuf_len(old_ie_buff) : 0;
690 new_ie_len = new_ie_buff ? wpabuf_len(new_ie_buff) : 0;
691 } else {
692 /* in case of single IE */
693 old_ie_len = old_ie ? old_ie[1] + 2 : 0;
694 new_ie_len = new_ie ? new_ie[1] + 2 : 0;
695 }
696
697 if (!old_ie || !new_ie)
698 ret = !old_ie && !new_ie;
699 else
700 ret = (old_ie_len == new_ie_len &&
701 os_memcmp(old_ie, new_ie, old_ie_len) == 0);
702
703 wpabuf_free(old_ie_buff);
704 wpabuf_free(new_ie_buff);
705
706 return ret;
707 }
708
709
wpa_bss_compare_res(const struct wpa_bss * old,const struct wpa_scan_res * new_res)710 static u32 wpa_bss_compare_res(const struct wpa_bss *old,
711 const struct wpa_scan_res *new_res)
712 {
713 u32 changes = 0;
714 int caps_diff = old->caps ^ new_res->caps;
715
716 if (old->freq != new_res->freq)
717 changes |= WPA_BSS_FREQ_CHANGED_FLAG;
718
719 if (old->level != new_res->level)
720 changes |= WPA_BSS_SIGNAL_CHANGED_FLAG;
721
722 if (caps_diff & IEEE80211_CAP_PRIVACY)
723 changes |= WPA_BSS_PRIVACY_CHANGED_FLAG;
724
725 if (caps_diff & IEEE80211_CAP_IBSS)
726 changes |= WPA_BSS_MODE_CHANGED_FLAG;
727
728 if (old->ie_len == new_res->ie_len &&
729 os_memcmp(wpa_bss_ie_ptr(old), new_res + 1, old->ie_len) == 0)
730 return changes;
731 changes |= WPA_BSS_IES_CHANGED_FLAG;
732
733 if (!are_ies_equal(old, new_res, WPA_IE_VENDOR_TYPE))
734 changes |= WPA_BSS_WPAIE_CHANGED_FLAG;
735
736 if (!are_ies_equal(old, new_res, WLAN_EID_RSN))
737 changes |= WPA_BSS_RSNIE_CHANGED_FLAG;
738
739 if (!are_ies_equal(old, new_res, WPS_IE_VENDOR_TYPE))
740 changes |= WPA_BSS_WPS_CHANGED_FLAG;
741
742 if (!are_ies_equal(old, new_res, WLAN_EID_SUPP_RATES) ||
743 !are_ies_equal(old, new_res, WLAN_EID_EXT_SUPP_RATES))
744 changes |= WPA_BSS_RATES_CHANGED_FLAG;
745
746 return changes;
747 }
748
749
notify_bss_changes(struct wpa_supplicant * wpa_s,u32 changes,const struct wpa_bss * bss)750 void notify_bss_changes(struct wpa_supplicant *wpa_s, u32 changes,
751 const struct wpa_bss *bss)
752 {
753 if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
754 wpas_notify_bss_freq_changed(wpa_s, bss->id);
755
756 if (changes & WPA_BSS_SIGNAL_CHANGED_FLAG)
757 wpas_notify_bss_signal_changed(wpa_s, bss->id);
758
759 if (changes & WPA_BSS_PRIVACY_CHANGED_FLAG)
760 wpas_notify_bss_privacy_changed(wpa_s, bss->id);
761
762 if (changes & WPA_BSS_MODE_CHANGED_FLAG)
763 wpas_notify_bss_mode_changed(wpa_s, bss->id);
764
765 if (changes & WPA_BSS_WPAIE_CHANGED_FLAG)
766 wpas_notify_bss_wpaie_changed(wpa_s, bss->id);
767
768 if (changes & WPA_BSS_RSNIE_CHANGED_FLAG)
769 wpas_notify_bss_rsnie_changed(wpa_s, bss->id);
770
771 if (changes & WPA_BSS_WPS_CHANGED_FLAG)
772 wpas_notify_bss_wps_changed(wpa_s, bss->id);
773
774 if (changes & WPA_BSS_IES_CHANGED_FLAG)
775 wpas_notify_bss_ies_changed(wpa_s, bss->id);
776
777 if (changes & WPA_BSS_RATES_CHANGED_FLAG)
778 wpas_notify_bss_rates_changed(wpa_s, bss->id);
779
780 wpas_notify_bss_seen(wpa_s, bss->id);
781 }
782
783
784 static struct wpa_bss *
wpa_bss_update(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,struct wpa_scan_res * res,struct os_reltime * fetch_time)785 wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
786 struct wpa_scan_res *res, struct os_reltime *fetch_time)
787 {
788 u32 changes;
789
790 if (bss->last_update_idx == wpa_s->bss_update_idx) {
791 struct os_reltime update_time;
792
793 /*
794 * Some drivers (e.g., cfg80211) include multiple BSS entries
795 * for the same BSS if that BSS's channel changes. The BSS list
796 * implementation in wpa_supplicant does not do that and we need
797 * to filter out the obsolete results here to make sure only the
798 * most current BSS information remains in the table.
799 */
800 wpa_printf(MSG_DEBUG, "BSS: " MACSTR
801 " has multiple entries in the scan results - select the most current one",
802 MAC2STR(bss->bssid));
803 calculate_update_time(fetch_time, res->age, &update_time);
804 wpa_printf(MSG_DEBUG,
805 "Previous last_update: %u.%06u (freq %d%s)",
806 (unsigned int) bss->last_update.sec,
807 (unsigned int) bss->last_update.usec,
808 bss->freq,
809 (bss->flags & WPA_BSS_ASSOCIATED) ? " assoc" : "");
810 wpa_printf(MSG_DEBUG, "New last_update: %u.%06u (freq %d%s)",
811 (unsigned int) update_time.sec,
812 (unsigned int) update_time.usec,
813 res->freq,
814 (res->flags & WPA_SCAN_ASSOCIATED) ? " assoc" : "");
815 if ((bss->flags & WPA_BSS_ASSOCIATED) ||
816 (!(res->flags & WPA_SCAN_ASSOCIATED) &&
817 !os_reltime_before(&bss->last_update, &update_time))) {
818 wpa_printf(MSG_DEBUG,
819 "Ignore this BSS entry since the previous update looks more current");
820 return bss;
821 }
822 wpa_printf(MSG_DEBUG,
823 "Accept this BSS entry since it looks more current than the previous update");
824 }
825
826 changes = wpa_bss_compare_res(bss, res);
827 if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
828 wpa_printf(MSG_DEBUG, "BSS: " MACSTR " changed freq %d --> %d",
829 MAC2STR(bss->bssid), bss->freq, res->freq);
830 bss->scan_miss_count = 0;
831 bss->last_update_idx = wpa_s->bss_update_idx;
832 wpa_bss_copy_res(bss, res, fetch_time);
833 /* Move the entry to the end of the list */
834 dl_list_del(&bss->list);
835 #ifdef CONFIG_P2P
836 if (wpa_bss_get_vendor_ie(bss, P2P_IE_VENDOR_TYPE) &&
837 !wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE) &&
838 !(changes & WPA_BSS_FREQ_CHANGED_FLAG)) {
839 /*
840 * This can happen when non-P2P station interface runs a scan
841 * without P2P IE in the Probe Request frame. P2P GO would reply
842 * to that with a Probe Response that does not include P2P IE.
843 * Do not update the IEs in this BSS entry to avoid such loss of
844 * information that may be needed for P2P operations to
845 * determine group information.
846 */
847 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Do not update scan IEs for "
848 MACSTR " since that would remove P2P IE information",
849 MAC2STR(bss->bssid));
850 } else
851 #endif /* CONFIG_P2P */
852 if (bss->ie_len + bss->beacon_ie_len >=
853 res->ie_len + res->beacon_ie_len) {
854 os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);
855 bss->ie_len = res->ie_len;
856 bss->beacon_ie_len = res->beacon_ie_len;
857 } else {
858 struct wpa_bss *nbss;
859 struct dl_list *prev = bss->list_id.prev;
860 struct wpa_connect_work *cwork;
861 unsigned int i, j;
862 bool update_current_bss = wpa_s->current_bss == bss;
863 bool update_ml_probe_bss = wpa_s->ml_connect_probe_bss == bss;
864 int update_link_bss = -1;
865
866 for (j = 0; j < MAX_NUM_MLD_LINKS; j++) {
867 if (wpa_s->links[j].bss == bss) {
868 update_link_bss = j;
869 break;
870 }
871 }
872
873 cwork = wpa_bss_check_pending_connect(wpa_s, bss);
874
875 for (i = 0; i < wpa_s->last_scan_res_used; i++) {
876 if (wpa_s->last_scan_res[i] == bss)
877 break;
878 }
879
880 dl_list_del(&bss->list_id);
881 nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
882 res->beacon_ie_len);
883 if (nbss) {
884 if (i != wpa_s->last_scan_res_used)
885 wpa_s->last_scan_res[i] = nbss;
886
887 if (update_current_bss)
888 wpa_s->current_bss = nbss;
889
890 if (update_ml_probe_bss)
891 wpa_s->ml_connect_probe_bss = nbss;
892
893 if (update_link_bss >= 0)
894 wpa_s->links[update_link_bss].bss = nbss;
895
896 if (cwork)
897 wpa_bss_update_pending_connect(cwork, nbss);
898
899 bss = nbss;
900 os_memcpy(bss->ies, res + 1,
901 res->ie_len + res->beacon_ie_len);
902 bss->ie_len = res->ie_len;
903 bss->beacon_ie_len = res->beacon_ie_len;
904 }
905 dl_list_add(prev, &bss->list_id);
906 }
907 if (changes & WPA_BSS_IES_CHANGED_FLAG) {
908 const u8 *ml_ie, *mld_addr;
909
910 wpa_bss_set_hessid(bss);
911 os_memset(bss->mld_addr, 0, ETH_ALEN);
912 ml_ie = wpa_scan_get_ml_ie(res, MULTI_LINK_CONTROL_TYPE_BASIC);
913 if (ml_ie) {
914 mld_addr = get_basic_mle_mld_addr(&ml_ie[3],
915 ml_ie[1] - 1);
916 if (mld_addr)
917 os_memcpy(bss->mld_addr, mld_addr, ETH_ALEN);
918 }
919 }
920 dl_list_add_tail(&wpa_s->bss, &bss->list);
921
922 notify_bss_changes(wpa_s, changes, bss);
923
924 return bss;
925 }
926
927
928 /**
929 * wpa_bss_update_start - Start a BSS table update from scan results
930 * @wpa_s: Pointer to wpa_supplicant data
931 *
932 * This function is called at the start of each BSS table update round for new
933 * scan results. The actual scan result entries are indicated with calls to
934 * wpa_bss_update_scan_res() and the update round is finished with a call to
935 * wpa_bss_update_end().
936 */
wpa_bss_update_start(struct wpa_supplicant * wpa_s)937 void wpa_bss_update_start(struct wpa_supplicant *wpa_s)
938 {
939 wpa_s->bss_update_idx++;
940 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Start scan result update %u",
941 wpa_s->bss_update_idx);
942 wpa_s->last_scan_res_used = 0;
943 }
944
945
946 /**
947 * wpa_bss_update_scan_res - Update a BSS table entry based on a scan result
948 * @wpa_s: Pointer to wpa_supplicant data
949 * @res: Scan result
950 * @fetch_time: Time when the result was fetched from the driver
951 *
952 * This function updates a BSS table entry (or adds one) based on a scan result.
953 * This is called separately for each scan result between the calls to
954 * wpa_bss_update_start() and wpa_bss_update_end().
955 */
wpa_bss_update_scan_res(struct wpa_supplicant * wpa_s,struct wpa_scan_res * res,struct os_reltime * fetch_time)956 void wpa_bss_update_scan_res(struct wpa_supplicant *wpa_s,
957 struct wpa_scan_res *res,
958 struct os_reltime *fetch_time)
959 {
960 const u8 *ssid, *p2p, *mesh;
961 struct wpa_bss *bss;
962
963 if (wpa_s->conf->ignore_old_scan_res) {
964 struct os_reltime update;
965 calculate_update_time(fetch_time, res->age, &update);
966 if (os_reltime_before(&update, &wpa_s->scan_trigger_time)) {
967 struct os_reltime age;
968 os_reltime_sub(&wpa_s->scan_trigger_time, &update,
969 &age);
970 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Ignore driver BSS "
971 "table entry that is %u.%06u seconds older "
972 "than our scan trigger",
973 (unsigned int) age.sec,
974 (unsigned int) age.usec);
975 return;
976 }
977 }
978
979 ssid = wpa_scan_get_ie(res, WLAN_EID_SSID);
980 if (ssid == NULL) {
981 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: No SSID IE included for "
982 MACSTR, MAC2STR(res->bssid));
983 return;
984 }
985 if (ssid[1] > SSID_MAX_LEN) {
986 wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Too long SSID IE included for "
987 MACSTR, MAC2STR(res->bssid));
988 return;
989 }
990
991 p2p = wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE);
992 #ifdef CONFIG_P2P
993 if (p2p == NULL &&
994 wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE) {
995 /*
996 * If it's a P2P specific interface, then don't update
997 * the scan result without a P2P IE.
998 */
999 wpa_printf(MSG_DEBUG, "BSS: No P2P IE - skipping BSS " MACSTR
1000 " update for P2P interface", MAC2STR(res->bssid));
1001 return;
1002 }
1003 #endif /* CONFIG_P2P */
1004 if (p2p && ssid[1] == P2P_WILDCARD_SSID_LEN &&
1005 os_memcmp(ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) == 0)
1006 return; /* Skip P2P listen discovery results here */
1007
1008 /* TODO: add option for ignoring BSSes we are not interested in
1009 * (to save memory) */
1010
1011 mesh = wpa_scan_get_ie(res, WLAN_EID_MESH_ID);
1012 if (mesh && mesh[1] <= SSID_MAX_LEN)
1013 ssid = mesh;
1014
1015 bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
1016 if (bss == NULL)
1017 bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res, fetch_time);
1018 else {
1019 bss = wpa_bss_update(wpa_s, bss, res, fetch_time);
1020 if (wpa_s->last_scan_res) {
1021 unsigned int i;
1022 for (i = 0; i < wpa_s->last_scan_res_used; i++) {
1023 if (bss == wpa_s->last_scan_res[i]) {
1024 /* Already in the list */
1025 return;
1026 }
1027 }
1028 }
1029 }
1030
1031 if (bss == NULL)
1032 return;
1033 if (wpa_s->last_scan_res_used >= wpa_s->last_scan_res_size) {
1034 struct wpa_bss **n;
1035 unsigned int siz;
1036 if (wpa_s->last_scan_res_size == 0)
1037 siz = 32;
1038 else
1039 siz = wpa_s->last_scan_res_size * 2;
1040 n = os_realloc_array(wpa_s->last_scan_res, siz,
1041 sizeof(struct wpa_bss *));
1042 if (n == NULL)
1043 return;
1044 wpa_s->last_scan_res = n;
1045 wpa_s->last_scan_res_size = siz;
1046 }
1047
1048 if (wpa_s->last_scan_res)
1049 wpa_s->last_scan_res[wpa_s->last_scan_res_used++] = bss;
1050 }
1051
1052
wpa_bss_included_in_scan(const struct wpa_bss * bss,const struct scan_info * info)1053 static int wpa_bss_included_in_scan(const struct wpa_bss *bss,
1054 const struct scan_info *info)
1055 {
1056 int found;
1057 size_t i;
1058
1059 if (info == NULL)
1060 return 1;
1061
1062 if (info->num_freqs) {
1063 found = 0;
1064 for (i = 0; i < info->num_freqs; i++) {
1065 if (bss->freq == info->freqs[i]) {
1066 found = 1;
1067 break;
1068 }
1069 }
1070 if (!found)
1071 return 0;
1072 }
1073
1074 if (info->num_ssids) {
1075 found = 0;
1076 for (i = 0; i < info->num_ssids; i++) {
1077 const struct wpa_driver_scan_ssid *s = &info->ssids[i];
1078 if ((s->ssid == NULL || s->ssid_len == 0) ||
1079 (s->ssid_len == bss->ssid_len &&
1080 os_memcmp(s->ssid, bss->ssid, bss->ssid_len) ==
1081 0)) {
1082 found = 1;
1083 break;
1084 }
1085 }
1086 if (!found)
1087 return 0;
1088 }
1089
1090 return 1;
1091 }
1092
1093
1094 /**
1095 * wpa_bss_update_end - End a BSS table update from scan results
1096 * @wpa_s: Pointer to wpa_supplicant data
1097 * @info: Information about scan parameters
1098 * @new_scan: Whether this update round was based on a new scan
1099 *
1100 * This function is called at the end of each BSS table update round for new
1101 * scan results. The start of the update was indicated with a call to
1102 * wpa_bss_update_start().
1103 */
wpa_bss_update_end(struct wpa_supplicant * wpa_s,struct scan_info * info,int new_scan)1104 void wpa_bss_update_end(struct wpa_supplicant *wpa_s, struct scan_info *info,
1105 int new_scan)
1106 {
1107 struct wpa_bss *bss, *n;
1108
1109 os_get_reltime(&wpa_s->last_scan);
1110 if ((info && info->aborted) || !new_scan)
1111 return; /* do not expire entries without new scan */
1112
1113 dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1114 if (wpa_bss_in_use(wpa_s, bss))
1115 continue;
1116 if (!wpa_bss_included_in_scan(bss, info))
1117 continue; /* expire only BSSes that were scanned */
1118 if (bss->last_update_idx < wpa_s->bss_update_idx)
1119 bss->scan_miss_count++;
1120 if (bss->scan_miss_count >=
1121 wpa_s->conf->bss_expiration_scan_count) {
1122 wpa_bss_remove(wpa_s, bss, "no match in scan");
1123 }
1124 }
1125
1126 wpa_printf(MSG_DEBUG, "BSS: last_scan_res_used=%zu/%zu",
1127 wpa_s->last_scan_res_used, wpa_s->last_scan_res_size);
1128 }
1129
1130
1131 /**
1132 * wpa_bss_flush_by_age - Flush old BSS entries
1133 * @wpa_s: Pointer to wpa_supplicant data
1134 * @age: Maximum entry age in seconds
1135 *
1136 * Remove BSS entries that have not been updated during the last @age seconds.
1137 */
wpa_bss_flush_by_age(struct wpa_supplicant * wpa_s,int age)1138 void wpa_bss_flush_by_age(struct wpa_supplicant *wpa_s, int age)
1139 {
1140 struct wpa_bss *bss, *n;
1141 struct os_reltime t;
1142
1143 if (dl_list_empty(&wpa_s->bss))
1144 return;
1145
1146 os_get_reltime(&t);
1147
1148 if (t.sec < age)
1149 return; /* avoid underflow; there can be no older entries */
1150
1151 t.sec -= age;
1152
1153 dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1154 if (wpa_bss_in_use(wpa_s, bss))
1155 continue;
1156
1157 if (wpa_s->reassoc_same_ess &&
1158 wpa_s->wpa_state != WPA_COMPLETED &&
1159 wpa_s->last_ssid &&
1160 wpa_s->last_ssid->ssid &&
1161 bss->ssid_len == wpa_s->last_ssid->ssid_len &&
1162 os_memcmp(bss->ssid, wpa_s->last_ssid->ssid,
1163 bss->ssid_len) == 0)
1164 continue;
1165
1166 if (os_reltime_before(&bss->last_update, &t)) {
1167 wpa_bss_remove(wpa_s, bss, __func__);
1168 } else
1169 break;
1170 }
1171 }
1172
1173
1174 /**
1175 * wpa_bss_init - Initialize BSS table
1176 * @wpa_s: Pointer to wpa_supplicant data
1177 * Returns: 0 on success, -1 on failure
1178 *
1179 * This prepares BSS table lists and timer for periodic updates. The BSS table
1180 * is deinitialized with wpa_bss_deinit() once not needed anymore.
1181 */
wpa_bss_init(struct wpa_supplicant * wpa_s)1182 int wpa_bss_init(struct wpa_supplicant *wpa_s)
1183 {
1184 dl_list_init(&wpa_s->bss);
1185 dl_list_init(&wpa_s->bss_id);
1186 return 0;
1187 }
1188
1189
1190 /**
1191 * wpa_bss_flush - Flush all unused BSS entries
1192 * @wpa_s: Pointer to wpa_supplicant data
1193 */
wpa_bss_flush(struct wpa_supplicant * wpa_s)1194 void wpa_bss_flush(struct wpa_supplicant *wpa_s)
1195 {
1196 struct wpa_bss *bss, *n;
1197
1198 wpa_s->clear_driver_scan_cache = 1;
1199
1200 if (wpa_s->bss.next == NULL)
1201 return; /* BSS table not yet initialized */
1202
1203 dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
1204 if (wpa_bss_in_use(wpa_s, bss))
1205 continue;
1206 wpa_bss_remove(wpa_s, bss, __func__);
1207 }
1208 }
1209
1210
1211 /**
1212 * wpa_bss_deinit - Deinitialize BSS table
1213 * @wpa_s: Pointer to wpa_supplicant data
1214 */
wpa_bss_deinit(struct wpa_supplicant * wpa_s)1215 void wpa_bss_deinit(struct wpa_supplicant *wpa_s)
1216 {
1217 wpa_bss_flush(wpa_s);
1218 }
1219
1220
1221 /**
1222 * wpa_bss_get_bssid - Fetch a BSS table entry based on BSSID
1223 * @wpa_s: Pointer to wpa_supplicant data
1224 * @bssid: BSSID
1225 * Returns: Pointer to the BSS entry or %NULL if not found
1226 */
wpa_bss_get_bssid(struct wpa_supplicant * wpa_s,const u8 * bssid)1227 struct wpa_bss * wpa_bss_get_bssid(struct wpa_supplicant *wpa_s,
1228 const u8 *bssid)
1229 {
1230 struct wpa_bss *bss;
1231 if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1232 return NULL;
1233 dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1234 if (ether_addr_equal(bss->bssid, bssid))
1235 return bss;
1236 }
1237 return NULL;
1238 }
1239
1240
1241 /**
1242 * wpa_bss_get_bssid_latest - Fetch the latest BSS table entry based on BSSID
1243 * @wpa_s: Pointer to wpa_supplicant data
1244 * @bssid: BSSID
1245 * Returns: Pointer to the BSS entry or %NULL if not found
1246 *
1247 * This function is like wpa_bss_get_bssid(), but full BSS table is iterated to
1248 * find the entry that has the most recent update. This can help in finding the
1249 * correct entry in cases where the SSID of the AP may have changed recently
1250 * (e.g., in WPS reconfiguration cases).
1251 */
wpa_bss_get_bssid_latest(struct wpa_supplicant * wpa_s,const u8 * bssid)1252 struct wpa_bss * wpa_bss_get_bssid_latest(struct wpa_supplicant *wpa_s,
1253 const u8 *bssid)
1254 {
1255 struct wpa_bss *bss, *found = NULL;
1256 if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1257 return NULL;
1258 dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1259 if (!ether_addr_equal(bss->bssid, bssid))
1260 continue;
1261 if (found == NULL ||
1262 os_reltime_before(&found->last_update, &bss->last_update))
1263 found = bss;
1264 }
1265 return found;
1266 }
1267
1268
1269 #ifdef CONFIG_P2P
1270 /**
1271 * wpa_bss_get_p2p_dev_addr - Fetch the latest BSS table entry based on P2P Device Addr
1272 * @wpa_s: Pointer to wpa_supplicant data
1273 * @dev_addr: P2P Device Address of the GO
1274 * Returns: Pointer to the BSS entry or %NULL if not found
1275 *
1276 * This function tries to find the entry that has the most recent update. This
1277 * can help in finding the correct entry in cases where the SSID of the P2P
1278 * Device may have changed recently.
1279 */
wpa_bss_get_p2p_dev_addr(struct wpa_supplicant * wpa_s,const u8 * dev_addr)1280 struct wpa_bss * wpa_bss_get_p2p_dev_addr(struct wpa_supplicant *wpa_s,
1281 const u8 *dev_addr)
1282 {
1283 struct wpa_bss *bss, *found = NULL;
1284 dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1285 u8 addr[ETH_ALEN];
1286 if (p2p_parse_dev_addr(wpa_bss_ie_ptr(bss), bss->ie_len,
1287 addr) != 0 ||
1288 !ether_addr_equal(addr, dev_addr))
1289 continue;
1290 if (!found ||
1291 os_reltime_before(&found->last_update, &bss->last_update))
1292 found = bss;
1293 }
1294 return found;
1295 }
1296 #endif /* CONFIG_P2P */
1297
1298
1299 /**
1300 * wpa_bss_get_id - Fetch a BSS table entry based on identifier
1301 * @wpa_s: Pointer to wpa_supplicant data
1302 * @id: Unique identifier (struct wpa_bss::id) assigned for the entry
1303 * Returns: Pointer to the BSS entry or %NULL if not found
1304 */
wpa_bss_get_id(struct wpa_supplicant * wpa_s,unsigned int id)1305 struct wpa_bss * wpa_bss_get_id(struct wpa_supplicant *wpa_s, unsigned int id)
1306 {
1307 struct wpa_bss *bss;
1308 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
1309 if (bss->id == id)
1310 return bss;
1311 }
1312 return NULL;
1313 }
1314
1315
1316 /**
1317 * wpa_bss_get_id_range - Fetch a BSS table entry based on identifier range
1318 * @wpa_s: Pointer to wpa_supplicant data
1319 * @idf: Smallest allowed identifier assigned for the entry
1320 * @idf: Largest allowed identifier assigned for the entry
1321 * Returns: Pointer to the BSS entry or %NULL if not found
1322 *
1323 * This function is similar to wpa_bss_get_id() but allows a BSS entry with the
1324 * smallest id value to be fetched within the specified range without the
1325 * caller having to know the exact id.
1326 */
wpa_bss_get_id_range(struct wpa_supplicant * wpa_s,unsigned int idf,unsigned int idl)1327 struct wpa_bss * wpa_bss_get_id_range(struct wpa_supplicant *wpa_s,
1328 unsigned int idf, unsigned int idl)
1329 {
1330 struct wpa_bss *bss;
1331 dl_list_for_each(bss, &wpa_s->bss_id, struct wpa_bss, list_id) {
1332 if (bss->id >= idf && bss->id <= idl)
1333 return bss;
1334 }
1335 return NULL;
1336 }
1337
1338
1339 /**
1340 * wpa_bss_get_ie - Fetch a specified information element from a BSS entry
1341 * @bss: BSS table entry
1342 * @ie: Information element identitifier (WLAN_EID_*)
1343 * Returns: Pointer to the information element (id field) or %NULL if not found
1344 *
1345 * This function returns the first matching information element in the BSS
1346 * entry.
1347 */
wpa_bss_get_ie(const struct wpa_bss * bss,u8 ie)1348 const u8 * wpa_bss_get_ie(const struct wpa_bss *bss, u8 ie)
1349 {
1350 return get_ie(wpa_bss_ie_ptr(bss), bss->ie_len, ie);
1351 }
1352
1353
1354 /**
1355 * wpa_bss_get_ie_beacon - Fetch a specified information element from a BSS entry
1356 * @bss: BSS table entry
1357 * @ie: Information element identitifier (WLAN_EID_*)
1358 * Returns: Pointer to the information element (id field) or %NULL if not found
1359 *
1360 * This function returns the first matching information element in the BSS
1361 * entry.
1362 *
1363 * This function is like wpa_bss_get_ie(), but uses IE buffer only from Beacon
1364 * frames instead of either Beacon or Probe Response frames.
1365 */
wpa_bss_get_ie_beacon(const struct wpa_bss * bss,u8 ie)1366 const u8 * wpa_bss_get_ie_beacon(const struct wpa_bss *bss, u8 ie)
1367 {
1368 const u8 *ies;
1369
1370 if (bss->beacon_ie_len == 0)
1371 return NULL;
1372
1373 ies = wpa_bss_ie_ptr(bss);
1374 ies += bss->ie_len;
1375 return get_ie(ies, bss->beacon_ie_len, ie);
1376 }
1377
1378
1379 /**
1380 * wpa_bss_get_ie_ext - Fetch a specified extended IE from a BSS entry
1381 * @bss: BSS table entry
1382 * @ext: Information element extension identifier (WLAN_EID_EXT_*)
1383 * Returns: Pointer to the information element (id field) or %NULL if not found
1384 *
1385 * This function returns the first matching information element in the BSS
1386 * entry.
1387 */
wpa_bss_get_ie_ext(const struct wpa_bss * bss,u8 ext)1388 const u8 * wpa_bss_get_ie_ext(const struct wpa_bss *bss, u8 ext)
1389 {
1390 return get_ie_ext(wpa_bss_ie_ptr(bss), bss->ie_len, ext);
1391 }
1392
1393
1394 /**
1395 * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
1396 * @bss: BSS table entry
1397 * @vendor_type: Vendor type (four octets starting the IE payload)
1398 * Returns: Pointer to the information element (id field) or %NULL if not found
1399 *
1400 * This function returns the first matching information element in the BSS
1401 * entry.
1402 */
wpa_bss_get_vendor_ie(const struct wpa_bss * bss,u32 vendor_type)1403 const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
1404 {
1405 const u8 *ies;
1406 const struct element *elem;
1407
1408 ies = wpa_bss_ie_ptr(bss);
1409
1410 for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies, bss->ie_len) {
1411 if (elem->datalen >= 4 &&
1412 vendor_type == WPA_GET_BE32(elem->data))
1413 return &elem->id;
1414 }
1415
1416 return NULL;
1417 }
1418
1419
1420 /**
1421 * wpa_bss_get_vendor_ie_beacon - Fetch a vendor information from a BSS entry
1422 * @bss: BSS table entry
1423 * @vendor_type: Vendor type (four octets starting the IE payload)
1424 * Returns: Pointer to the information element (id field) or %NULL if not found
1425 *
1426 * This function returns the first matching information element in the BSS
1427 * entry.
1428 *
1429 * This function is like wpa_bss_get_vendor_ie(), but uses IE buffer only
1430 * from Beacon frames instead of either Beacon or Probe Response frames.
1431 */
wpa_bss_get_vendor_ie_beacon(const struct wpa_bss * bss,u32 vendor_type)1432 const u8 * wpa_bss_get_vendor_ie_beacon(const struct wpa_bss *bss,
1433 u32 vendor_type)
1434 {
1435 const u8 *ies;
1436 const struct element *elem;
1437
1438 if (bss->beacon_ie_len == 0)
1439 return NULL;
1440
1441 ies = wpa_bss_ie_ptr(bss);
1442 ies += bss->ie_len;
1443
1444 for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies,
1445 bss->beacon_ie_len) {
1446 if (elem->datalen >= 4 &&
1447 vendor_type == WPA_GET_BE32(elem->data))
1448 return &elem->id;
1449 }
1450
1451 return NULL;
1452 }
1453
1454
1455 /**
1456 * wpa_bss_get_vendor_ie_multi - Fetch vendor IE data from a BSS entry
1457 * @bss: BSS table entry
1458 * @vendor_type: Vendor type (four octets starting the IE payload)
1459 * Returns: Pointer to the information element payload or %NULL if not found
1460 *
1461 * This function returns concatenated payload of possibly fragmented vendor
1462 * specific information elements in the BSS entry. The caller is responsible for
1463 * freeing the returned buffer.
1464 */
wpa_bss_get_vendor_ie_multi(const struct wpa_bss * bss,u32 vendor_type)1465 struct wpabuf * wpa_bss_get_vendor_ie_multi(const struct wpa_bss *bss,
1466 u32 vendor_type)
1467 {
1468 struct wpabuf *buf;
1469 const u8 *end, *pos;
1470
1471 buf = wpabuf_alloc(bss->ie_len);
1472 if (buf == NULL)
1473 return NULL;
1474
1475 pos = wpa_bss_ie_ptr(bss);
1476 end = pos + bss->ie_len;
1477
1478 while (end - pos > 1) {
1479 u8 ie, len;
1480
1481 ie = pos[0];
1482 len = pos[1];
1483 if (len > end - pos - 2)
1484 break;
1485 pos += 2;
1486 if (ie == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
1487 vendor_type == WPA_GET_BE32(pos))
1488 wpabuf_put_data(buf, pos + 4, len - 4);
1489 pos += len;
1490 }
1491
1492 if (wpabuf_len(buf) == 0) {
1493 wpabuf_free(buf);
1494 buf = NULL;
1495 }
1496
1497 return buf;
1498 }
1499
1500
1501 /**
1502 * wpa_bss_get_vendor_ie_multi_beacon - Fetch vendor IE data from a BSS entry
1503 * @bss: BSS table entry
1504 * @vendor_type: Vendor type (four octets starting the IE payload)
1505 * Returns: Pointer to the information element payload or %NULL if not found
1506 *
1507 * This function returns concatenated payload of possibly fragmented vendor
1508 * specific information elements in the BSS entry. The caller is responsible for
1509 * freeing the returned buffer.
1510 *
1511 * This function is like wpa_bss_get_vendor_ie_multi(), but uses IE buffer only
1512 * from Beacon frames instead of either Beacon or Probe Response frames.
1513 */
wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss * bss,u32 vendor_type)1514 struct wpabuf * wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss *bss,
1515 u32 vendor_type)
1516 {
1517 struct wpabuf *buf;
1518 const u8 *end, *pos;
1519
1520 buf = wpabuf_alloc(bss->beacon_ie_len);
1521 if (buf == NULL)
1522 return NULL;
1523
1524 pos = wpa_bss_ie_ptr(bss);
1525 pos += bss->ie_len;
1526 end = pos + bss->beacon_ie_len;
1527
1528 while (end - pos > 1) {
1529 u8 id, len;
1530
1531 id = *pos++;
1532 len = *pos++;
1533 if (len > end - pos)
1534 break;
1535 if (id == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
1536 vendor_type == WPA_GET_BE32(pos))
1537 wpabuf_put_data(buf, pos + 4, len - 4);
1538 pos += len;
1539 }
1540
1541 if (wpabuf_len(buf) == 0) {
1542 wpabuf_free(buf);
1543 buf = NULL;
1544 }
1545
1546 return buf;
1547 }
1548
1549
1550 /**
1551 * wpa_bss_get_max_rate - Get maximum legacy TX rate supported in a BSS
1552 * @bss: BSS table entry
1553 * Returns: Maximum legacy rate in units of 500 kbps
1554 */
wpa_bss_get_max_rate(const struct wpa_bss * bss)1555 int wpa_bss_get_max_rate(const struct wpa_bss *bss)
1556 {
1557 int rate = 0;
1558 const u8 *ie;
1559 int i;
1560
1561 ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1562 for (i = 0; ie && i < ie[1]; i++) {
1563 if ((ie[i + 2] & 0x7f) > rate)
1564 rate = ie[i + 2] & 0x7f;
1565 }
1566
1567 ie = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1568 for (i = 0; ie && i < ie[1]; i++) {
1569 if ((ie[i + 2] & 0x7f) > rate)
1570 rate = ie[i + 2] & 0x7f;
1571 }
1572
1573 return rate;
1574 }
1575
1576
1577 /**
1578 * wpa_bss_get_bit_rates - Get legacy TX rates supported in a BSS
1579 * @bss: BSS table entry
1580 * @rates: Buffer for returning a pointer to the rates list (units of 500 kbps)
1581 * Returns: number of legacy TX rates or -1 on failure
1582 *
1583 * The caller is responsible for freeing the returned buffer with os_free() in
1584 * case of success.
1585 */
wpa_bss_get_bit_rates(const struct wpa_bss * bss,u8 ** rates)1586 int wpa_bss_get_bit_rates(const struct wpa_bss *bss, u8 **rates)
1587 {
1588 const u8 *ie, *ie2;
1589 int i, j;
1590 unsigned int len;
1591 u8 *r;
1592
1593 ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1594 ie2 = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1595
1596 len = (ie ? ie[1] : 0) + (ie2 ? ie2[1] : 0);
1597
1598 r = os_malloc(len);
1599 if (!r)
1600 return -1;
1601
1602 for (i = 0; ie && i < ie[1]; i++)
1603 r[i] = ie[i + 2] & 0x7f;
1604
1605 for (j = 0; ie2 && j < ie2[1]; j++)
1606 r[i + j] = ie2[j + 2] & 0x7f;
1607
1608 *rates = r;
1609 return len;
1610 }
1611
1612
1613 #ifdef CONFIG_FILS
wpa_bss_get_fils_cache_id(const struct wpa_bss * bss)1614 const u8 * wpa_bss_get_fils_cache_id(const struct wpa_bss *bss)
1615 {
1616 const u8 *ie;
1617
1618 if (bss) {
1619 ie = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
1620 if (ie && ie[1] >= 4 && WPA_GET_LE16(ie + 2) & BIT(7))
1621 return ie + 4;
1622 }
1623
1624 return NULL;
1625 }
1626 #endif /* CONFIG_FILS */
1627
1628
wpa_bss_ext_capab(const struct wpa_bss * bss,unsigned int capab)1629 int wpa_bss_ext_capab(const struct wpa_bss *bss, unsigned int capab)
1630 {
1631 if (!bss)
1632 return 0;
1633 return ieee802_11_ext_capab(wpa_bss_get_ie(bss, WLAN_EID_EXT_CAPAB),
1634 capab);
1635 }
1636
1637
1638 static void
wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,u8 mbssid_idx,const struct ieee80211_neighbor_ap_info * ap_info,size_t len,u16 * seen,u16 * missing,struct wpa_ssid * ssid)1639 wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant *wpa_s,
1640 struct wpa_bss *bss, u8 mbssid_idx,
1641 const struct ieee80211_neighbor_ap_info *ap_info,
1642 size_t len, u16 *seen, u16 *missing,
1643 struct wpa_ssid *ssid)
1644 {
1645 const u8 *pos, *end;
1646 const u8 *mld_params;
1647 u8 count, mld_params_offset;
1648 u8 i, type, link_id;
1649
1650 count = RNR_TBTT_INFO_COUNT_VAL(ap_info->tbtt_info_hdr) + 1;
1651 type = ap_info->tbtt_info_hdr & RNR_TBTT_INFO_HDR_TYPE_MSK;
1652
1653 /* MLD information is at offset 13 or at start */
1654 if (type == 0 && ap_info->tbtt_info_len >= RNR_TBTT_INFO_MLD_LEN) {
1655 /* MLD info is appended */
1656 mld_params_offset = RNR_TBTT_INFO_LEN;
1657 } else {
1658 /* TODO: Support NSTR AP */
1659 return;
1660 }
1661
1662 pos = (const u8 *) ap_info;
1663 end = pos + len;
1664 pos += sizeof(*ap_info);
1665
1666 for (i = 0; i < count; i++, pos += ap_info->tbtt_info_len) {
1667 if (end - pos < ap_info->tbtt_info_len)
1668 break;
1669
1670 mld_params = pos + mld_params_offset;
1671
1672 link_id = *(mld_params + 1) & EHT_ML_LINK_ID_MSK;
1673 if (link_id >= MAX_NUM_MLD_LINKS)
1674 continue;
1675
1676 if (*mld_params != mbssid_idx) {
1677 wpa_printf(MSG_DEBUG,
1678 "MLD: Reported link not part of MLD");
1679 } else if (!(BIT(link_id) & *seen)) {
1680 struct wpa_bss *neigh_bss;
1681
1682 if (ssid && ssid->ssid_len)
1683 neigh_bss = wpa_bss_get(wpa_s, pos + 1,
1684 ssid->ssid,
1685 ssid->ssid_len);
1686 else
1687 neigh_bss = wpa_bss_get_bssid(wpa_s, pos + 1);
1688
1689 *seen |= BIT(link_id);
1690 wpa_printf(MSG_DEBUG, "MLD: mld ID=%u, link ID=%u",
1691 *mld_params, link_id);
1692
1693 if (!neigh_bss) {
1694 *missing |= BIT(link_id);
1695 } else if ((!ssid ||
1696 wpa_scan_res_match(wpa_s, 0, neigh_bss,
1697 ssid, 1, 0, true)) &&
1698 !wpa_bssid_ignore_is_listed(
1699 wpa_s, neigh_bss->bssid)) {
1700 struct mld_link *l;
1701
1702 bss->valid_links |= BIT(link_id);
1703 l = &bss->mld_links[link_id];
1704 os_memcpy(l->bssid, pos + 1, ETH_ALEN);
1705 l->freq = neigh_bss->freq;
1706 l->disabled = mld_params[2] &
1707 RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED;
1708 }
1709 }
1710 }
1711 }
1712
1713
1714 /**
1715 * wpa_bss_parse_basic_ml_element - Parse the Basic Multi-Link element
1716 * @wpa_s: Pointer to wpa_supplicant data
1717 * @bss: BSS table entry
1718 * @mld_addr: AP MLD address (or %NULL)
1719 * @link_info: Array to store link information (or %NULL),
1720 * should be initialized and #MAX_NUM_MLD_LINKS elements long
1721 * @missing_links: Result bitmask of links that were not discovered (or %NULL)
1722 * @ssid: Target SSID (or %NULL)
1723 * @ap_mld_id: On return would hold the corresponding AP MLD ID (or %NULL)
1724 * Returns: 0 on success or -1 for non-MLD or parsing failures
1725 *
1726 * Parses the Basic Multi-Link element of the BSS into @link_info using the scan
1727 * information stored in the wpa_supplicant data to fill in information for
1728 * links where possible. The @missing_links out parameter will contain any links
1729 * for which no corresponding BSS was found.
1730 */
wpa_bss_parse_basic_ml_element(struct wpa_supplicant * wpa_s,struct wpa_bss * bss,u8 * ap_mld_addr,u16 * missing_links,struct wpa_ssid * ssid,u8 * ap_mld_id)1731 int wpa_bss_parse_basic_ml_element(struct wpa_supplicant *wpa_s,
1732 struct wpa_bss *bss,
1733 u8 *ap_mld_addr,
1734 u16 *missing_links,
1735 struct wpa_ssid *ssid,
1736 u8 *ap_mld_id)
1737 {
1738 struct ieee802_11_elems elems;
1739 struct wpabuf *mlbuf;
1740 const struct element *elem;
1741 u8 mbssid_idx = 0;
1742 size_t ml_ie_len;
1743 const struct ieee80211_eht_ml *eht_ml;
1744 const struct eht_ml_basic_common_info *ml_basic_common_info;
1745 u8 i, link_id;
1746 const u16 control_mask =
1747 MULTI_LINK_CONTROL_TYPE_MASK |
1748 BASIC_MULTI_LINK_CTRL_PRES_LINK_ID |
1749 BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT |
1750 BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA;
1751 const u16 control =
1752 MULTI_LINK_CONTROL_TYPE_BASIC |
1753 BASIC_MULTI_LINK_CTRL_PRES_LINK_ID |
1754 BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT |
1755 BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA;
1756 u16 missing = 0;
1757 u16 seen;
1758 const u8 *ies_pos = wpa_bss_ie_ptr(bss);
1759 size_t ies_len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
1760 int ret = -1;
1761 struct mld_link *l;
1762
1763 if (ieee802_11_parse_elems(ies_pos, ies_len, &elems, 1) ==
1764 ParseFailed) {
1765 wpa_dbg(wpa_s, MSG_DEBUG, "MLD: Failed to parse elements");
1766 return ret;
1767 }
1768
1769 mlbuf = ieee802_11_defrag(elems.basic_mle, elems.basic_mle_len, true);
1770 if (!mlbuf) {
1771 wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No Multi-Link element");
1772 return ret;
1773 }
1774
1775 ml_ie_len = wpabuf_len(mlbuf);
1776
1777 if (ssid) {
1778 struct wpa_ie_data ie;
1779 const u8 *rsne;
1780 size_t rsne_len;
1781
1782 if (elems.rsne_override_2 && wpas_rsn_overriding(wpa_s, ssid)) {
1783 rsne = elems.rsne_override_2;
1784 rsne_len = elems.rsne_override_2_len;
1785 } else if (elems.rsne_override &&
1786 wpas_rsn_overriding(wpa_s, ssid)) {
1787 rsne = elems.rsne_override;
1788 rsne_len = elems.rsne_override_len;
1789 } else {
1790 rsne = elems.rsn_ie;
1791 rsne_len = elems.rsn_ie_len;
1792 }
1793 if (!rsne ||
1794 wpa_parse_wpa_ie(rsne - 2, 2 + rsne_len, &ie)) {
1795 wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No RSN element");
1796 goto out;
1797 }
1798
1799 if (!(ie.capabilities & WPA_CAPABILITY_MFPC) ||
1800 wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) {
1801 wpa_dbg(wpa_s, MSG_DEBUG,
1802 "MLD: No management frame protection");
1803 goto out;
1804 }
1805
1806 ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_FT_PSK |
1807 WPA_KEY_MGMT_PSK_SHA256);
1808 if (!(ie.key_mgmt & ssid->key_mgmt)) {
1809 wpa_dbg(wpa_s, MSG_DEBUG,
1810 "MLD: No valid key management");
1811 goto out;
1812 }
1813 }
1814
1815 /*
1816 * for ext ID + 2 control + common info len + MLD address +
1817 * link info
1818 */
1819 if (ml_ie_len < 2UL + 1UL + ETH_ALEN + 1UL)
1820 goto out;
1821
1822 eht_ml = (const struct ieee80211_eht_ml *) wpabuf_head(mlbuf);
1823 if ((le_to_host16(eht_ml->ml_control) & control_mask) != control) {
1824 wpa_printf(MSG_DEBUG,
1825 "MLD: Unexpected Multi-Link element control=0x%x (mask 0x%x expected 0x%x)",
1826 le_to_host16(eht_ml->ml_control), control_mask,
1827 control);
1828 goto out;
1829 }
1830
1831 ml_basic_common_info =
1832 (const struct eht_ml_basic_common_info *) eht_ml->variable;
1833
1834 /* Common info length should be valid */
1835 if (ml_basic_common_info->len < ETH_ALEN + 1UL)
1836 goto out;
1837
1838 /* Get the MLD address and MLD link ID */
1839 if (ap_mld_addr)
1840 os_memcpy(ap_mld_addr, ml_basic_common_info->mld_addr,
1841 ETH_ALEN);
1842
1843 link_id = ml_basic_common_info->variable[0] & EHT_ML_LINK_ID_MSK;
1844
1845 bss->mld_link_id = link_id;
1846 seen = bss->valid_links = BIT(link_id);
1847
1848 l = &bss->mld_links[link_id];
1849 os_memcpy(l->bssid, bss->bssid, ETH_ALEN);
1850 l->freq = bss->freq;
1851
1852
1853 /*
1854 * The AP MLD ID in the RNR corresponds to the MBSSID index, see
1855 * IEEE P802.11be/D4.0, 9.4.2.169.2 (Neighbor AP Information field).
1856 *
1857 * For the transmitting BSSID it is clear that both the MBSSID index
1858 * and the AP MLD ID in the RNR are zero.
1859 *
1860 * For nontransmitted BSSIDs we will have a BSS generated from the
1861 * MBSSID element(s) using inheritance rules. Included in the elements
1862 * is the MBSSID Index Element. The RNR is copied from the Beacon/Probe
1863 * Response frame that was send by the transmitting BSSID. As such, the
1864 * reported AP MLD ID in the RNR will match the value in the MBSSID
1865 * Index Element.
1866 */
1867 elem = (const struct element *)
1868 wpa_bss_get_ie(bss, WLAN_EID_MULTIPLE_BSSID_INDEX);
1869 if (elem && elem->datalen >= 1)
1870 mbssid_idx = elem->data[0];
1871
1872 for_each_element_id(elem, WLAN_EID_REDUCED_NEIGHBOR_REPORT,
1873 wpa_bss_ie_ptr(bss),
1874 bss->ie_len ? bss->ie_len : bss->beacon_ie_len) {
1875 const struct ieee80211_neighbor_ap_info *ap_info;
1876 const u8 *pos = elem->data;
1877 size_t len = elem->datalen;
1878
1879 /* RNR IE may contain more than one Neighbor AP Info */
1880 while (sizeof(*ap_info) <= len) {
1881 size_t ap_info_len = sizeof(*ap_info);
1882 u8 count;
1883
1884 ap_info = (const struct ieee80211_neighbor_ap_info *)
1885 pos;
1886 count = RNR_TBTT_INFO_COUNT_VAL(ap_info->tbtt_info_hdr) + 1;
1887 ap_info_len += count * ap_info->tbtt_info_len;
1888
1889 if (ap_info_len > len)
1890 goto out;
1891
1892 wpa_bss_parse_ml_rnr_ap_info(wpa_s, bss, mbssid_idx,
1893 ap_info, ap_info_len,
1894 &seen, &missing, ssid);
1895
1896 pos += ap_info_len;
1897 len -= ap_info_len;
1898 }
1899 }
1900
1901 wpa_printf(MSG_DEBUG, "MLD: valid_links=%04hx (unresolved: 0x%04hx)",
1902 bss->valid_links, missing);
1903
1904 for_each_link(bss->valid_links, i) {
1905 wpa_printf(MSG_DEBUG, "MLD: link=%u, bssid=" MACSTR,
1906 i, MAC2STR(bss->mld_links[i].bssid));
1907 }
1908
1909 if (missing_links)
1910 *missing_links = missing;
1911
1912 if (ap_mld_id)
1913 *ap_mld_id = mbssid_idx;
1914
1915 ret = 0;
1916 out:
1917 wpabuf_free(mlbuf);
1918 return ret;
1919 }
1920
1921
1922 /*
1923 * wpa_bss_parse_reconf_ml_element - Parse the Reconfiguration ML element
1924 * @wpa_s: Pointer to wpa_supplicant data
1925 * @bss: BSS table entry
1926 * Returns: The bitmap of links that are going to be removed
1927 */
wpa_bss_parse_reconf_ml_element(struct wpa_supplicant * wpa_s,struct wpa_bss * bss)1928 u16 wpa_bss_parse_reconf_ml_element(struct wpa_supplicant *wpa_s,
1929 struct wpa_bss *bss)
1930 {
1931 struct ieee802_11_elems elems;
1932 struct wpabuf *mlbuf;
1933 const u8 *pos = wpa_bss_ie_ptr(bss);
1934 size_t len = bss->ie_len ? bss->ie_len : bss->beacon_ie_len;
1935 const struct ieee80211_eht_ml *ml;
1936 const struct eht_ml_reconf_common_info *common_info;
1937 u16 removed_links = 0;
1938 u8 expected_ml_common_len;
1939
1940 if (ieee802_11_parse_elems(pos, len, &elems, 1) == ParseFailed)
1941 return 0;
1942
1943 if (!elems.reconf_mle || !elems.reconf_mle_len)
1944 return 0;
1945
1946 mlbuf = ieee802_11_defrag(elems.reconf_mle, elems.reconf_mle_len, true);
1947 if (!mlbuf)
1948 return 0;
1949
1950 ml = (const struct ieee80211_eht_ml *) wpabuf_head(mlbuf);
1951 len = wpabuf_len(mlbuf);
1952
1953 /* There must be at least one octet for the Common Info Length subfield
1954 */
1955 if (len < sizeof(*ml) + 1UL)
1956 goto out;
1957
1958 expected_ml_common_len = 1;
1959 if (le_to_host16(ml->ml_control) &
1960 RECONF_MULTI_LINK_CTRL_PRES_MLD_MAC_ADDR)
1961 expected_ml_common_len += ETH_ALEN;
1962
1963 common_info = (const struct eht_ml_reconf_common_info *) ml->variable;
1964 if (len < sizeof(*ml) + common_info->len) {
1965 wpa_printf(MSG_DEBUG,
1966 "MLD: Unexpected Reconfiguration ML element length: (%zu < %zu)",
1967 len, sizeof(*ml) + common_info->len);
1968 goto out;
1969 }
1970
1971 if (common_info->len < expected_ml_common_len) {
1972 wpa_printf(MSG_DEBUG,
1973 "MLD: Invalid common info len=%u; min expected=%u",
1974 common_info->len, expected_ml_common_len);
1975 goto out;
1976 }
1977
1978 pos = ml->variable + common_info->len;
1979 len -= sizeof(*ml) + common_info->len;
1980
1981 while (len >= 2 + sizeof(struct ieee80211_eht_per_sta_profile)) {
1982 size_t sub_elem_len = *(pos + 1);
1983
1984 if (2 + sub_elem_len > len) {
1985 wpa_printf(MSG_DEBUG,
1986 "MLD: Invalid link info len: %zu %zu",
1987 2 + sub_elem_len, len);
1988 goto out;
1989 }
1990
1991 if (*pos == EHT_ML_SUB_ELEM_PER_STA_PROFILE &&
1992 sub_elem_len >= 2) {
1993 const struct ieee80211_eht_per_sta_profile *sta_prof =
1994 (const struct ieee80211_eht_per_sta_profile *)
1995 (pos + 2);
1996 u16 control = le_to_host16(sta_prof->sta_control);
1997 u8 link_id;
1998
1999 link_id = control & EHT_PER_STA_RECONF_CTRL_LINK_ID_MSK;
2000 removed_links |= BIT(link_id);
2001 }
2002
2003 pos += 2 + sub_elem_len;
2004 len -= 2 + sub_elem_len;
2005 }
2006
2007 wpa_printf(MSG_DEBUG, "MLD: Reconfiguration: removed_links=0x%x",
2008 removed_links);
2009 out:
2010 wpabuf_free(mlbuf);
2011 return removed_links;
2012 }
2013
2014
2015 #ifndef CONFIG_NO_WPA
2016
wpa_bss_supported_cipher(struct wpa_supplicant * wpa_s,int pairwise_cipher)2017 static bool wpa_bss_supported_cipher(struct wpa_supplicant *wpa_s,
2018 int pairwise_cipher)
2019 {
2020 if (!wpa_s->drv_enc)
2021 return true;
2022
2023 if ((pairwise_cipher & WPA_CIPHER_CCMP) &&
2024 (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP))
2025 return true;
2026
2027 if ((pairwise_cipher & WPA_CIPHER_GCMP) &&
2028 (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP))
2029 return true;
2030
2031 if ((pairwise_cipher & WPA_CIPHER_CCMP_256) &&
2032 (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256))
2033 return true;
2034
2035 if ((pairwise_cipher & WPA_CIPHER_GCMP_256) &&
2036 (wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256))
2037 return true;
2038
2039 return false;
2040 }
2041
2042
wpa_bss_supported_key_mgmt(struct wpa_supplicant * wpa_s,int key_mgmt)2043 static bool wpa_bss_supported_key_mgmt(struct wpa_supplicant *wpa_s,
2044 int key_mgmt)
2045 {
2046 if (!wpa_s->drv_key_mgmt)
2047 return true;
2048
2049 if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X) &&
2050 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2))
2051 return true;
2052 if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) &&
2053 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_802_1X_SHA256))
2054 return true;
2055 if ((key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) &&
2056 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT))
2057 return true;
2058 if ((key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) &&
2059 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_802_1X_SHA384))
2060 return true;
2061 if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) &&
2062 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B))
2063 return true;
2064 if ((key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) &&
2065 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192))
2066 return true;
2067 if ((key_mgmt & WPA_KEY_MGMT_PSK) &&
2068 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK))
2069 return true;
2070 if ((key_mgmt & WPA_KEY_MGMT_FT_PSK) &&
2071 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK))
2072 return true;
2073 if ((key_mgmt & WPA_KEY_MGMT_PSK_SHA256) &&
2074 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_PSK_SHA256))
2075 return true;
2076 if ((key_mgmt & WPA_KEY_MGMT_SAE) &&
2077 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE))
2078 return true;
2079 if ((key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) &&
2080 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE_EXT_KEY))
2081 return true;
2082 if ((key_mgmt & WPA_KEY_MGMT_FT_SAE) &&
2083 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE))
2084 return true;
2085 if ((key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
2086 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE_EXT_KEY))
2087 return true;
2088 if ((key_mgmt & WPA_KEY_MGMT_OWE) &&
2089 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE))
2090 return true;
2091 if ((key_mgmt & WPA_KEY_MGMT_DPP) &&
2092 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_DPP))
2093 return true;
2094 if ((key_mgmt & WPA_KEY_MGMT_FILS_SHA256) &&
2095 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA256))
2096 return true;
2097 if ((key_mgmt & WPA_KEY_MGMT_FILS_SHA384) &&
2098 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384))
2099 return true;
2100 if ((key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) &&
2101 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA256))
2102 return true;
2103 if ((key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) &&
2104 (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA384))
2105 return true;
2106
2107 return false;
2108 }
2109
2110
wpa_bss_supported_rsne(struct wpa_supplicant * wpa_s,struct wpa_ssid * ssid,const u8 * ie)2111 static bool wpa_bss_supported_rsne(struct wpa_supplicant *wpa_s,
2112 struct wpa_ssid *ssid, const u8 *ie)
2113 {
2114 struct wpa_ie_data data;
2115
2116 if (wpa_parse_wpa_ie_rsn(ie, 2 + ie[1], &data) < 0)
2117 return false;
2118
2119 /* Check that there is a supported AKM and pairwise cipher based on
2120 * overall capabilities */
2121 if (!data.pairwise_cipher || !data.key_mgmt)
2122 return false;
2123
2124 if (wpa_s->drv_capa_known) {
2125 if (!wpa_bss_supported_cipher(wpa_s, data.pairwise_cipher) ||
2126 !wpa_bss_supported_key_mgmt(wpa_s, data.key_mgmt))
2127 return false;
2128 }
2129
2130 if (ssid) {
2131 /* Check that there is a supported AKM and pairwise cipher
2132 * based on the specific network profile. */
2133 if ((ssid->pairwise_cipher & data.pairwise_cipher) == 0)
2134 return false;
2135 if ((ssid->key_mgmt & data.key_mgmt) == 0)
2136 return false;
2137 }
2138
2139 return true;
2140 }
2141
2142 #endif /* CONFIG_NO_WPA */
2143
2144
wpa_bss_get_rsne(struct wpa_supplicant * wpa_s,const struct wpa_bss * bss,struct wpa_ssid * ssid,bool mlo)2145 const u8 * wpa_bss_get_rsne(struct wpa_supplicant *wpa_s,
2146 const struct wpa_bss *bss, struct wpa_ssid *ssid,
2147 bool mlo)
2148 {
2149 #ifndef CONFIG_NO_WPA
2150 const u8 *ie;
2151
2152 if (wpas_rsn_overriding(wpa_s, ssid)) {
2153 if (!ssid)
2154 ssid = wpa_s->current_ssid;
2155
2156 /* MLO cases for RSN overriding are required to use RSNE
2157 * Override 2 element and RSNXE Override element together. */
2158 ie = wpa_bss_get_vendor_ie(bss, RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
2159 if (mlo && ie &&
2160 !wpa_bss_get_vendor_ie(bss,
2161 RSNXE_OVERRIDE_IE_VENDOR_TYPE)) {
2162 wpa_printf(MSG_DEBUG, "BSS " MACSTR
2163 " advertises RSNE Override 2 element without RSNXE Override element - ignore RSNE Override 2 element for MLO",
2164 MAC2STR(bss->bssid));
2165 } else if (ie && wpa_bss_supported_rsne(wpa_s, ssid, ie)) {
2166 return ie;
2167 }
2168
2169 if (!mlo) {
2170 ie = wpa_bss_get_vendor_ie(
2171 bss, RSNE_OVERRIDE_IE_VENDOR_TYPE);
2172 if (ie && wpa_bss_supported_rsne(wpa_s, ssid, ie))
2173 return ie;
2174 }
2175 }
2176 #endif /* CONFIG_NO_WPA */
2177
2178 return wpa_bss_get_ie(bss, WLAN_EID_RSN);
2179 }
2180
2181
wpa_bss_get_rsnxe(struct wpa_supplicant * wpa_s,const struct wpa_bss * bss,struct wpa_ssid * ssid,bool mlo)2182 const u8 * wpa_bss_get_rsnxe(struct wpa_supplicant *wpa_s,
2183 const struct wpa_bss *bss, struct wpa_ssid *ssid,
2184 bool mlo)
2185 {
2186 const u8 *ie;
2187
2188 if (wpas_rsn_overriding(wpa_s, ssid)) {
2189 ie = wpa_bss_get_vendor_ie(bss, RSNXE_OVERRIDE_IE_VENDOR_TYPE);
2190 if (ie) {
2191 const u8 *tmp;
2192
2193 tmp = wpa_bss_get_rsne(wpa_s, bss, ssid, mlo);
2194 if (!tmp || tmp[0] == WLAN_EID_RSN) {
2195 /* An acceptable RSNE override element was not
2196 * found, so need to ignore RSNXE overriding. */
2197 goto out;
2198 }
2199
2200 return ie;
2201 }
2202
2203 /* MLO cases for RSN overriding are required to use RSNE
2204 * Override 2 element and RSNXE Override element together. */
2205 if (mlo && wpa_bss_get_vendor_ie(
2206 bss, RSNE_OVERRIDE_2_IE_VENDOR_TYPE)) {
2207 wpa_printf(MSG_DEBUG, "BSS " MACSTR
2208 " advertises RSNXE Override element without RSNE Override 2 element - ignore RSNXE Override element for MLO",
2209 MAC2STR(bss->bssid));
2210 goto out;
2211 }
2212 }
2213
2214 out:
2215 return wpa_bss_get_ie(bss, WLAN_EID_RSNX);
2216 }
2217