1 /*
2  * WPA Supplicant - Basic mesh peer management
3  * Copyright (c) 2013-2014, cozybit, Inc.  All rights reserved.
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "common/hw_features_common.h"
15 #include "common/ocv.h"
16 #include "ap/hostapd.h"
17 #include "ap/sta_info.h"
18 #include "ap/ieee802_11.h"
19 #include "ap/beacon.h"
20 #include "ap/wpa_auth.h"
21 #include "wpa_supplicant_i.h"
22 #include "driver_i.h"
23 #include "mesh_mpm.h"
24 #include "mesh_rsn.h"
25 #include "notify.h"
26 
/*
 * Parsed view of a Mesh Peering Management element body. Every member is a
 * pointer into the caller's frame buffer (nothing is copied), so the pointers
 * are only valid while that buffer is. A NULL member means the field was not
 * present; see mesh_mpm_parse_peer_mgmt() for which fields each peering
 * action carries.
 */
struct mesh_peer_mgmt_ie {
	/* Mesh Peering Protocol Identifier, 2 octets; always present */
	const u8 *proto_id;
	/* Local Link ID, 2 octets; always present */
	const u8 *llid;
	/* Peer Link ID, 2 octets; present for Confirm and optionally Close */
	const u8 *plid;
	/* Reason Code, 2 octets; present only for Close */
	const u8 *reason;
	/* Chosen PMK (PMKID), 16 octets; optional trailer (AMPE) */
	const u8 *chosen_pmk;
};
34 
35 static void plink_timer(void *eloop_ctx, void *user_data);
36 
37 
/*
 * Events fed into mesh_mpm_fsm(). They follow the IEEE 802.11 MPM naming:
 * accept/reject of a received Peering Open or Confirm, accept of a Peering
 * Close, and rejection of a peering request. PLINK_UNDEFINED is the "no
 * event" value.
 */
enum plink_event {
	PLINK_UNDEFINED = 0,
	OPN_ACPT,	/* Peering Open accepted */
	OPN_RJCT,	/* Peering Open rejected */
	CNF_ACPT,	/* Peering Confirm accepted */
	CNF_RJCT,	/* Peering Confirm rejected */
	CLS_ACPT,	/* Peering Close accepted */
	REQ_RJCT	/* Peering request rejected; answered with Close */
};
47 
/*
 * Printable names for enum mesh_plink_state, used by the debug output in
 * wpa_mesh_set_plink_state() and mesh_mpm_fsm(). Index 0 covers a sta whose
 * plink_state has never been set; every enum value needs an entry because
 * the table is indexed directly by the state without a range check.
 */
static const char * const mplstate[] = {
	[0] = "UNINITIALIZED",
	[PLINK_IDLE] = "IDLE",
	[PLINK_OPN_SNT] = "OPN_SNT",
	[PLINK_OPN_RCVD] = "OPN_RCVD",
	[PLINK_CNF_RCVD] = "CNF_RCVD",
	[PLINK_ESTAB] = "ESTAB",
	[PLINK_HOLDING] = "HOLDING",
	[PLINK_BLOCKED] = "BLOCKED"
};
58 
/*
 * Printable names for enum plink_event, indexed directly by the event in
 * mesh_mpm_fsm()'s debug output; keep in step with the enum above.
 */
static const char * const mplevent[] = {
	[PLINK_UNDEFINED] = "UNDEFINED",
	[OPN_ACPT] = "OPN_ACPT",
	[OPN_RJCT] = "OPN_RJCT",
	[CNF_ACPT] = "CNF_ACPT",
	[CNF_RJCT] = "CNF_RJCT",
	[CLS_ACPT] = "CLS_ACPT",
	[REQ_RJCT] = "REQ_RJCT",
};
68 
69 
/*
 * Parse the body of a Mesh Peering Management element.
 * @wpa_s: interface context, used only for the debug message
 * @action_field: Self-protected Action value (PLINK_OPEN/CONFIRM/CLOSE)
 * @ie: element body, i.e. the octets after the EID and Length fields
 * @len: number of octets in @ie
 * @mpm_ie: output; every member points into @ie, or is NULL when absent
 * Returns: 0 on success, -1 when @len does not fit @action_field
 *
 * Layout: Protocol ID (2) | Local Link ID (2) | [Peer Link ID (2)] |
 * [Reason Code (2)] | [Chosen PMK (16)]. Open carries neither PLID nor
 * Reason, Confirm carries PLID, Close carries Reason and optionally PLID.
 * The Chosen PMK trailer is stripped purely on length, so a body of exactly
 * SAE_PMKID_LEN octets is taken as PMK-only and then rejected as too short;
 * the caller decides whether chosen_pmk is meaningful for the current
 * security configuration. Actions other than the three above only get the
 * mandatory 4-octet prefix validated.
 */
static int mesh_mpm_parse_peer_mgmt(struct wpa_supplicant *wpa_s,
				    u8 action_field,
				    const u8 *ie, size_t len,
				    struct mesh_peer_mgmt_ie *mpm_ie)
{
	bool len_ok;

	os_memset(mpm_ie, 0, sizeof(*mpm_ie));

	/* Optional Chosen PMK: its presence can only be inferred from the
	 * total length, so peel it off before the per-action check. */
	if (len >= SAE_PMKID_LEN) {
		len -= SAE_PMKID_LEN;
		mpm_ie->chosen_pmk = ie + len;
	}

	switch (action_field) {
	case PLINK_OPEN:
		len_ok = len == 4;
		break;
	case PLINK_CONFIRM:
		len_ok = len == 6;
		break;
	case PLINK_CLOSE:
		len_ok = len == 6 || len == 8;
		break;
	default:
		len_ok = true;
		break;
	}
	if (!len_ok) {
		wpa_msg(wpa_s, MSG_DEBUG, "MPM: Invalid peer mgmt ie");
		return -1;
	}

	/* Mandatory prefix: Protocol ID followed by Local Link ID */
	if (len < 4)
		return -1;
	mpm_ie->proto_id = ie;
	mpm_ie->llid = ie + 2;
	ie += 4;
	len -= 4;

	/* Close: the Reason Code is the last field before the PMK trailer */
	if (action_field == PLINK_CLOSE) {
		if (len < 2)
			return -1;
		len -= 2;
		mpm_ie->reason = ie + len;
	}

	/* Anything left (Confirm, or the 8-octet Close) is the Peer Link ID */
	if (len >= 2)
		mpm_ie->plid = ie;

	return 0;
}
112 
113 
/*
 * Number of additional peer links this MBSS can still accept.
 * Returns max_plinks - num_plinks, or 0 once the limit is reached (never a
 * negative value, even if num_plinks has overshot max_plinks).
 */
static int plink_free_count(struct hostapd_data *hapd)
{
	if (hapd->num_plinks >= hapd->max_plinks)
		return 0;

	return hapd->max_plinks - hapd->num_plinks;
}
120 
121 
/*
 * Copy the peer's Supported Rates and Extended Supported Rates into @sta.
 * @elems: elements parsed from the peer's frame (lengths are peer-controlled)
 * Returns: WLAN_STATUS_SUCCESS, or WLAN_STATUS_UNSPECIFIED_FAILURE when the
 * Supported Rates element is missing or both elements together would not fit
 * in sta->supported_rates. The bound is checked before anything is written.
 */
static u16 copy_supp_rates(struct wpa_supplicant *wpa_s,
			   struct sta_info *sta,
			   struct ieee802_11_elems *elems)
{
	size_t total_len;

	if (elems->supp_rates == NULL) {
		wpa_msg(wpa_s, MSG_ERROR, "no supported rates from " MACSTR,
			MAC2STR(sta->addr));
		return WLAN_STATUS_UNSPECIFIED_FAILURE;
	}

	total_len = (size_t) elems->supp_rates_len + elems->ext_supp_rates_len;
	if (total_len > sizeof(sta->supported_rates)) {
		wpa_msg(wpa_s, MSG_ERROR,
			"Invalid supported rates element length " MACSTR
			" %d+%d", MAC2STR(sta->addr), elems->supp_rates_len,
			elems->ext_supp_rates_len);
		return WLAN_STATUS_UNSPECIFIED_FAILURE;
	}

	/* merge_byte_arrays() concatenates both lists into the bounded
	 * destination and returns the resulting length */
	sta->supported_rates_len = merge_byte_arrays(
		sta->supported_rates, sizeof(sta->supported_rates),
		elems->supp_rates, elems->supp_rates_len,
		elems->ext_supp_rates, elems->ext_supp_rates_len);

	return WLAN_STATUS_SUCCESS;
}
148 
149 
/*
 * Return true if the Mesh ID and Mesh Configuration elements received from a
 * neighbor match this MBSS (same Mesh ID and the same five protocol
 * identifiers: path selection, path metric, congestion control,
 * synchronization and authentication). A Mesh Configuration element shorter
 * than those five octets never matches. Lengths are compared before the
 * Mesh ID bytes, so an absent Mesh ID (elems->mesh_id NULL, length 0) only
 * reaches os_memcmp() when the local Mesh ID is empty as well.
 */
static bool matches_local(struct wpa_supplicant *wpa_s,
			  struct ieee802_11_elems *elems)
{
	struct mesh_conf *mconf = wpa_s->ifmsh->mconf;
	const u8 *cfg = elems->mesh_config;

	if (elems->mesh_config_len < 5)
		return false;

	if (mconf->meshid_len != elems->mesh_id_len)
		return false;
	if (os_memcmp(mconf->meshid, elems->mesh_id, elems->mesh_id_len) != 0)
		return false;

	return mconf->mesh_pp_id == cfg[0] &&
		mconf->mesh_pm_id == cfg[1] &&
		mconf->mesh_cc_id == cfg[2] &&
		mconf->mesh_sp_id == cfg[3] &&
		mconf->mesh_auth_id == cfg[4];
}
168 
169 
/*
 * Return true if @llid is already the local link ID of some peer in the
 * station table of bss[0]. Linear scan; the peer table is small.
 */
static bool llid_in_use(struct wpa_supplicant *wpa_s, u16 llid)
{
	const struct sta_info *peer;

	for (peer = wpa_s->ifmsh->bss[0]->sta_list; peer != NULL;
	     peer = peer->next) {
		if (peer->my_lid == llid)
			return true;
	}

	return false;
}
183 
184 
/*
 * Assign @sta a fresh local link ID and reset its peering state to IDLE.
 *
 * The LLID is drawn from the OS RNG until it is non-zero and not already in
 * use by another peer (0 is reserved as "no link ID"; callers test
 * !sta->my_lid). A failed os_get_random() is simply retried, so a
 * permanently failing RNG would spin here rather than fall back to a
 * predictable ID. plink_state is written directly because the peer has no
 * driver entry yet, so wpa_mesh_set_plink_state() cannot be used.
 */
static void mesh_mpm_init_link(struct wpa_supplicant *wpa_s,
			       struct sta_info *sta)
{
	u16 candidate = 0;

	while (candidate == 0 || llid_in_use(wpa_s, candidate)) {
		if (os_get_random((u8 *) &candidate, sizeof(candidate)) < 0)
			candidate = 0;
	}

	sta->my_lid = candidate;
	sta->peer_lid = 0;
	sta->peer_aid = 0;
	sta->plink_state = PLINK_IDLE;
}
206 
207 
/*
 * Build and send a Mesh Peering Open, Confirm or Close action frame to @sta.
 * @wpa_s: mesh interface
 * @sta: peer entry; my_lid, peer_lid, aid and sae are read from it
 * @type: PLINK_OPEN, PLINK_CONFIRM or PLINK_CLOSE
 * @close_reason: Reason Code, only emitted for PLINK_CLOSE
 *
 * buf is allocated once with buf_len, a worst-case sum of every element that
 * may be appended below, so a new wpabuf_put_*() call must be matched by a
 * term in that sum. Open/Confirm carry the full capability set (rates, RSN,
 * Mesh ID, Mesh Configuration, HT/VHT/HE/EHT, OCI); Close carries only the
 * Mesh ID and the Mesh Peering Management element. With AMPE enabled
 * (conf->security & MESH_CONF_SEC_AMPE) the Chosen PMK is appended to the
 * peering element and mesh_rsn_protect_frame() adds the AMPE element and
 * MIC. Every failure on that path (no SAE session, channel info or OCI
 * error, protect failure) drops the frame via the fail label; there is no
 * fallback to sending it unprotected.
 */
static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
				       struct sta_info *sta,
				       enum plink_action_field type,
				       u16 close_reason)
{
	struct wpabuf *buf;
	struct hostapd_iface *ifmsh = wpa_s->ifmsh;
	struct hostapd_data *bss = ifmsh->bss[0];
	struct mesh_conf *conf = ifmsh->mconf;
	u8 supp_rates[2 + 2 + 32];
	u8 *pos, *cat;
	u8 ie_len, add_plid = 0;
	int ret;
	int ampe = conf->security & MESH_CONF_SEC_AMPE;
	size_t buf_len;

	if (!sta)
		return;

	/* Worst-case frame size; keep in sync with the wpabuf_put_* calls */
	buf_len = 2 +      /* Category and Action */
		  2 +      /* capability info */
		  2 +      /* AID */
		  2 + 8 +  /* supported rates */
		  2 + (32 - 8) + /* extended supported rates */
		  2 + 32 + /* mesh ID */
		  2 + 7 +  /* mesh config */
		  2 + 24 + /* peering management */
		  2 + 96 + 32 + 32 + /* AMPE (96 + max GTKlen + max IGTKlen) */
		  2 + 16;  /* MIC */
	if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) {
		buf_len += 2 + 26 + /* HT capabilities */
			   2 + 22;  /* HT operation */
	}
#ifdef CONFIG_IEEE80211AC
	if (type != PLINK_CLOSE && wpa_s->mesh_vht_enabled) {
		buf_len += 2 + 12 + /* VHT Capabilities */
			   2 + 5;  /* VHT Operation */
	}
#endif /* CONFIG_IEEE80211AC */
#ifdef CONFIG_IEEE80211AX
	if (type != PLINK_CLOSE && wpa_s->mesh_he_enabled) {
		buf_len += 3 +
			   HE_MAX_MAC_CAPAB_SIZE +
			   HE_MAX_PHY_CAPAB_SIZE +
			   HE_MAX_MCS_CAPAB_SIZE +
			   HE_MAX_PPET_CAPAB_SIZE;
		buf_len += 3 + sizeof(struct ieee80211_he_operation);
		/* 6 GHz operation info and band capabilities only on 6 GHz */
		if (is_6ghz_op_class(bss->iconf->op_class))
			buf_len += sizeof(struct ieee80211_he_6ghz_oper_info) +
				3 + sizeof(struct ieee80211_he_6ghz_band_cap);
	}
#endif /* CONFIG_IEEE80211AX */
	if (type != PLINK_CLOSE)
		buf_len += conf->rsn_ie_len; /* RSN IE */
#ifdef CONFIG_OCV
	/* OCI is included even when the other STA doesn't support OCV */
	if (type != PLINK_CLOSE && conf->ocv)
		buf_len += OCV_OCI_EXTENDED_LEN;
#endif /* CONFIG_OCV */
#ifdef CONFIG_IEEE80211BE
	if (type != PLINK_CLOSE && wpa_s->mesh_eht_enabled) {
		buf_len += 3 + 2 + EHT_PHY_CAPAB_LEN + EHT_MCS_NSS_CAPAB_LEN +
			EHT_PPE_THRESH_CAPAB_LEN;
		buf_len += 3 + sizeof(struct ieee80211_eht_operation);
	}
#endif /* CONFIG_IEEE80211BE */

	buf = wpabuf_alloc(buf_len);
	if (!buf)
		return;

	/* cat marks the start of the frame body (Category octet); the AMPE
	 * protection below is computed over the frame starting here */
	cat = wpabuf_mhead_u8(buf);
	wpabuf_put_u8(buf, WLAN_ACTION_SELF_PROTECTED);
	wpabuf_put_u8(buf, type);

	if (type != PLINK_CLOSE) {
		u8 info;

		/* capability info: the Privacy bit is advertised only when
		 * AMPE will protect the link */
		wpabuf_put_le16(buf, ampe ? IEEE80211_CAP_PRIVACY : 0);

		/* aid (only the Confirm frame carries the AID we assigned) */
		if (type == PLINK_CONFIRM)
			wpabuf_put_le16(buf, sta->aid);

		/* IE: supp + ext. supp rates */
		pos = hostapd_eid_supp_rates(bss, supp_rates);
		pos = hostapd_eid_ext_supp_rates(bss, pos);
		wpabuf_put_data(buf, supp_rates, pos - supp_rates);

		/* IE: RSN IE (empty for an open mesh: rsn_ie_len is 0) */
		wpabuf_put_data(buf, conf->rsn_ie, conf->rsn_ie_len);

		/* IE: Mesh ID */
		wpabuf_put_u8(buf, WLAN_EID_MESH_ID);
		wpabuf_put_u8(buf, conf->meshid_len);
		wpabuf_put_data(buf, conf->meshid, conf->meshid_len);

		/* IE: mesh conf (the five protocol IDs are what
		 * matches_local() compares on the receiving side) */
		wpabuf_put_u8(buf, WLAN_EID_MESH_CONFIG);
		wpabuf_put_u8(buf, 7);
		wpabuf_put_u8(buf, conf->mesh_pp_id);
		wpabuf_put_u8(buf, conf->mesh_pm_id);
		wpabuf_put_u8(buf, conf->mesh_cc_id);
		wpabuf_put_u8(buf, conf->mesh_sp_id);
		wpabuf_put_u8(buf, conf->mesh_auth_id);
		/* Mesh Formation Info: Number of Peers lives in bits 1-6 (so
		 * it saturates at 63); bit 0 stays clear, see the TODO */
		info = (bss->num_plinks > 63 ? 63 : bss->num_plinks) << 1;
		/* TODO: Add Connected to Mesh Gate/AS subfields */
		wpabuf_put_u8(buf, info);
		/* Set forwarding based on configuration and always accept
		 * plinks for now */
		wpabuf_put_u8(buf, MESH_CAP_ACCEPT_ADDITIONAL_PEER |
			      (conf->mesh_fwding ? MESH_CAP_FORWARDING : 0));
	} else {	/* Peer closing frame */
		/* IE: Mesh ID */
		wpabuf_put_u8(buf, WLAN_EID_MESH_ID);
		wpabuf_put_u8(buf, conf->meshid_len);
		wpabuf_put_data(buf, conf->meshid, conf->meshid_len);
	}

	/* IE: Mesh Peering Management element (layout documented in
	 * mesh_mpm_parse_peer_mgmt()) */
	ie_len = 4;
	if (ampe)
		ie_len += PMKID_LEN;
	switch (type) {
	case PLINK_OPEN:
		break;
	case PLINK_CONFIRM:
		ie_len += 2;
		add_plid = 1;
		break;
	case PLINK_CLOSE:
		ie_len += 2;
		add_plid = 1;
		ie_len += 2; /* reason code */
		break;
	}

	wpabuf_put_u8(buf, WLAN_EID_PEER_MGMT);
	wpabuf_put_u8(buf, ie_len);
	/* peering protocol: 1 = AMPE, 0 = plain (unauthenticated) MPM */
	if (ampe)
		wpabuf_put_le16(buf, 1);
	else
		wpabuf_put_le16(buf, 0);
	wpabuf_put_le16(buf, sta->my_lid);
	if (add_plid)
		wpabuf_put_le16(buf, sta->peer_lid);
	if (type == PLINK_CLOSE)
		wpabuf_put_le16(buf, close_reason);
	if (ampe) {
		/* Without an SAE session there is no PMK to name; drop the
		 * frame rather than emit a bogus Chosen PMK */
		if (sta->sae == NULL) {
			wpa_msg(wpa_s, MSG_INFO, "Mesh MPM: no SAE session");
			goto fail;
		}
		/* Chosen PMK: PMKID_LEN octets written in place */
		mesh_rsn_get_pmkid(wpa_s->mesh_rsn, sta,
				   wpabuf_put(buf, PMKID_LEN));
	}

	/* Capability/operation elements: built into fixed-size stack
	 * scratch buffers sized like the buf_len terms above, then copied */
	if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) {
		u8 ht_capa_oper[2 + 26 + 2 + 22];

		pos = hostapd_eid_ht_capabilities(bss, ht_capa_oper);
		pos = hostapd_eid_ht_operation(bss, pos);
		wpabuf_put_data(buf, ht_capa_oper, pos - ht_capa_oper);
	}
#ifdef CONFIG_IEEE80211AC
	if (type != PLINK_CLOSE && wpa_s->mesh_vht_enabled) {
		u8 vht_capa_oper[2 + 12 + 2 + 5];

		pos = hostapd_eid_vht_capabilities(bss, vht_capa_oper, 0);
		pos = hostapd_eid_vht_operation(bss, pos);
		wpabuf_put_data(buf, vht_capa_oper, pos - vht_capa_oper);
	}
#endif /* CONFIG_IEEE80211AC */
#ifdef CONFIG_IEEE80211AX
	if (type != PLINK_CLOSE && wpa_s->mesh_he_enabled) {
		u8 he_capa_oper[3 +
				HE_MAX_MAC_CAPAB_SIZE +
				HE_MAX_PHY_CAPAB_SIZE +
				HE_MAX_MCS_CAPAB_SIZE +
				HE_MAX_PPET_CAPAB_SIZE +
				3 + sizeof(struct ieee80211_he_operation) +
				sizeof(struct ieee80211_he_6ghz_oper_info) +
				3 + sizeof(struct ieee80211_he_6ghz_band_cap)];

		pos = hostapd_eid_he_capab(bss, he_capa_oper,
					   IEEE80211_MODE_MESH);
		pos = hostapd_eid_he_operation(bss, pos);
		pos = hostapd_eid_he_6ghz_band_cap(bss, pos);
		wpabuf_put_data(buf, he_capa_oper, pos - he_capa_oper);
	}
#endif /* CONFIG_IEEE80211AX */
#ifdef CONFIG_OCV
	if (type != PLINK_CLOSE && conf->ocv) {
		struct wpa_channel_info ci;

		/* The OCI binds the peering exchange to our operating
		 * channel; if it cannot be built the frame is not sent */
		if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
			wpa_printf(MSG_WARNING,
				   "Mesh MPM: Failed to get channel info for OCI element");
			goto fail;
		}

		pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
		if (ocv_insert_extended_oci(&ci, pos) < 0)
			goto fail;
	}
#endif /* CONFIG_OCV */

#ifdef CONFIG_IEEE80211BE
	if (type != PLINK_CLOSE && wpa_s->mesh_eht_enabled) {
		u8 eht_capa_oper[3 +
				 2 +
				 EHT_PHY_CAPAB_LEN +
				 EHT_MCS_NSS_CAPAB_LEN +
				 EHT_PPE_THRESH_CAPAB_LEN +
				 3 + sizeof(struct ieee80211_eht_operation)];
		pos = hostapd_eid_eht_capab(bss, eht_capa_oper,
					    IEEE80211_MODE_MESH);
		pos = hostapd_eid_eht_operation(bss, pos);
		wpabuf_put_data(buf, eht_capa_oper, pos - eht_capa_oper);
	}
#endif /* CONFIG_IEEE80211BE */

	/* AMPE element and MIC go last, covering everything from cat on */
	if (ampe && mesh_rsn_protect_frame(wpa_s->mesh_rsn, sta, cat, buf)) {
		wpa_msg(wpa_s, MSG_INFO,
			"Mesh MPM: failed to add AMPE and MIC IE");
		goto fail;
	}

	wpa_msg(wpa_s, MSG_DEBUG, "Mesh MPM: Sending peering frame type %d to "
		MACSTR " (my_lid=0x%x peer_lid=0x%x)",
		type, MAC2STR(sta->addr), sta->my_lid, sta->peer_lid);
	/* Sent on the mesh operating frequency with no off-channel wait;
	 * own address doubles as BSSID (presumably the driver API's
	 * dst/src/bssid order - confirm against driver_i.h) */
	ret = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0,
				  sta->addr, wpa_s->own_addr, wpa_s->own_addr,
				  wpabuf_head(buf), wpabuf_len(buf), 0);
	if (ret < 0)
		wpa_msg(wpa_s, MSG_INFO,
			"Mesh MPM: failed to send peering frame");

fail:
	wpabuf_free(buf);
}
451 
452 
/*
 * Record a new peering state for @sta locally and push it to the driver's
 * station entry. The transition is logged before the old value is lost.
 * set = 1 presumably updates the entry created by mesh_mpm_add_peer()
 * rather than adding a new one, which is why mesh_mpm_init_link() bypasses
 * this function for a peer that has no driver entry yet. A driver failure is
 * logged but does not roll back the local state.
 */
void wpa_mesh_set_plink_state(struct wpa_supplicant *wpa_s,
			      struct sta_info *sta,
			      enum mesh_plink_state state)
{
	struct hostapd_sta_add_params params = {
		.addr = sta->addr,
		.plink_state = state,
		.peer_aid = sta->peer_aid,
		.set = 1,
		.mld_link_id = -1,
	};
	int err;

	wpa_msg(wpa_s, MSG_DEBUG, "MPM set " MACSTR " from %s into %s",
		MAC2STR(sta->addr), mplstate[sta->plink_state],
		mplstate[state]);
	sta->plink_state = state;

	err = wpa_drv_sta_add(wpa_s, &params);
	if (err != 0)
		wpa_msg(wpa_s, MSG_ERROR, "Driver failed to set " MACSTR
			": %d", MAC2STR(sta->addr), err);
}
479 
480 
/*
 * Tear the peering state machine for @sta down completely: cancel the
 * pending plink timer (whose user_data is @sta) and free the station entry.
 * The peer can be re-added later by mesh_mpm_add_peer().
 */
static void mesh_mpm_fsm_restart(struct wpa_supplicant *wpa_s,
				 struct sta_info *sta)
{
	struct hostapd_data *bss = wpa_s->ifmsh->bss[0];

	eloop_cancel_timeout(plink_timer, wpa_s, sta);
	ap_free_sta(bss, sta);
}
490 
491 
/*
 * Shared tail of the retries-exhausted and confirm-timeout paths: move @sta
 * to HOLDING, arm the holding timer and tell the peer why with a Close.
 */
static void plink_timer_enter_holding(struct wpa_supplicant *wpa_s,
				      struct sta_info *sta, u16 reason)
{
	struct mesh_conf *conf = wpa_s->ifmsh->mconf;

	wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
	eloop_register_timeout(conf->dot11MeshHoldingTimeout / 1000,
			       (conf->dot11MeshHoldingTimeout % 1000) * 1000,
			       plink_timer, wpa_s, sta);
	mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CLOSE, reason);
}


/*
 * Per-peer MPM timer; what it means depends on the peer's current state:
 *  - OPN_SNT/OPN_RCVD: retry timer, resend Open up to dot11MeshMaxRetries,
 *    then give up with WLAN_REASON_MESH_MAX_RETRIES;
 *  - CNF_RCVD: confirm timer, give up with WLAN_REASON_MESH_CONFIRM_TIMEOUT;
 *  - HOLDING: holding timer, drop the entry (and, if the peer apparently did
 *    not honor mesh SAE PMKSA caching, the cached PMKSA for it).
 * Other states ignore the timer.
 */
static void plink_timer(void *eloop_ctx, void *user_data)
{
	struct wpa_supplicant *wpa_s = eloop_ctx;
	struct sta_info *sta = user_data;
	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
	struct hostapd_data *bss = wpa_s->ifmsh->bss[0];

	switch (sta->plink_state) {
	case PLINK_OPN_RCVD:
	case PLINK_OPN_SNT:
		if (sta->mpm_retries < conf->dot11MeshMaxRetries) {
			eloop_register_timeout(
				conf->dot11MeshRetryTimeout / 1000,
				(conf->dot11MeshRetryTimeout % 1000) * 1000,
				plink_timer, wpa_s, sta);
			mesh_mpm_send_plink_action(wpa_s, sta, PLINK_OPEN, 0);
			sta->mpm_retries++;
		} else {
			plink_timer_enter_holding(wpa_s, sta,
						  WLAN_REASON_MESH_MAX_RETRIES);
		}
		break;
	case PLINK_CNF_RCVD:
		plink_timer_enter_holding(wpa_s, sta,
					  WLAN_REASON_MESH_CONFIRM_TIMEOUT);
		break;
	case PLINK_HOLDING:
		if (sta->mesh_sae_pmksa_caching) {
			wpa_printf(MSG_DEBUG, "MPM: Peer " MACSTR
				   " looks like it does not support mesh SAE PMKSA caching, so remove the cached entry for it",
				   MAC2STR(sta->addr));
			wpa_auth_pmksa_remove(bss->wpa_auth, sta->addr);
		}
		mesh_mpm_fsm_restart(wpa_s, sta);
		break;
	default:
		break;
	}
}
541 
542 
/*
 * Start (or restart) the Open exchange with @sta: re-arm the retry timer,
 * send a Peering Open and record @next_state, which is PLINK_OPN_SNT when we
 * initiate and PLINK_OPN_RCVD when answering the peer's Open (see
 * mesh_mpm_fsm()).
 */
static void
mesh_mpm_plink_open(struct wpa_supplicant *wpa_s, struct sta_info *sta,
		    enum mesh_plink_state next_state)
{
	struct mesh_conf *mconf = wpa_s->ifmsh->mconf;

	eloop_cancel_timeout(plink_timer, wpa_s, sta);
	eloop_register_timeout(mconf->dot11MeshRetryTimeout / 1000,
			       (mconf->dot11MeshRetryTimeout % 1000) * 1000,
			       plink_timer, wpa_s, sta);

	mesh_mpm_send_plink_action(wpa_s, sta, PLINK_OPEN, 0);
	wpa_mesh_set_plink_state(wpa_s, sta, next_state);
}
557 
558 
/*
 * Close the peer link with @sta: send a Peering Close with reason
 * WLAN_REASON_MESH_PEERING_CANCELLED, move to HOLDING and stop the peer's
 * MPM and SAE timers. An established link is also removed from the plink
 * count and reported upward (note the local notification carries
 * WLAN_REASON_UNSPECIFIED, not the reason sent to the peer). The sta entry
 * itself is left in place. Usable as an ap_for_each_sta() callback (@ctx is
 * the wpa_supplicant); returns 0 when a sta was handled, 1 for a NULL sta.
 */
static int mesh_mpm_plink_close(struct hostapd_data *hapd, struct sta_info *sta,
				void *ctx)
{
	struct wpa_supplicant *wpa_s = ctx;

	if (sta == NULL)
		return 1;

	if (sta->plink_state == PLINK_ESTAB) {
		hapd->num_plinks--;
		wpas_notify_mesh_peer_disconnected(wpa_s, sta->addr,
						   WLAN_REASON_UNSPECIFIED);
	}

	wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
	mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CLOSE,
				   WLAN_REASON_MESH_PEERING_CANCELLED);
	wpa_printf(MSG_DEBUG, "MPM closing plink sta=" MACSTR,
		   MAC2STR(sta->addr));
	eloop_cancel_timeout(plink_timer, wpa_s, sta);
	eloop_cancel_timeout(mesh_auth_timer, wpa_s, sta);

	return 0;
}
582 
583 
/*
 * Externally triggered close of the peer link with @addr.
 * Returns 0 on success, -1 if the mesh interface is not up or no station
 * entry exists for @addr (both logged at MSG_INFO).
 */
int mesh_mpm_close_peer(struct wpa_supplicant *wpa_s, const u8 *addr)
{
	struct hostapd_data *bss;
	struct sta_info *peer;

	if (wpa_s->ifmsh == NULL) {
		wpa_msg(wpa_s, MSG_INFO, "Mesh is not prepared yet");
		return -1;
	}

	bss = wpa_s->ifmsh->bss[0];
	peer = ap_get_sta(bss, addr);
	if (peer == NULL) {
		wpa_msg(wpa_s, MSG_INFO, "No such mesh peer");
		return -1;
	}

	/* mesh_mpm_plink_close() returns 0 once it has acted on the sta */
	if (mesh_mpm_plink_close(bss, peer, wpa_s) != 0)
		return -1;

	return 0;
}
603 
604 
/*
 * Expiry of the mesh_mpm_connect_peer() window: forget the peer that was
 * exempt from no_auto_peer filtering, so wpa_mesh_new_mesh_peer() treats
 * every neighbor the same again. Also called directly from
 * mesh_mpm_plink_estab() once the link is up.
 */
static void peer_add_timer(void *eloop_ctx, void *user_data)
{
	struct wpa_supplicant *wpa_s = eloop_ctx;
	struct hostapd_data *bss = wpa_s->ifmsh->bss[0];

	os_memset(bss->mesh_required_peer, 0, ETH_ALEN);
}
612 
613 
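/*
 * Control-interface entry point: start peering with one specific neighbor in
 * a no_auto_peer mesh.
 * @addr: MAC address of an already discovered peer (a sta entry must exist,
 *	i.e. mesh_mpm_add_peer() has seen a Beacon or Open from it)
 * @duration: seconds during which @addr is exempt from no_auto_peer
 *	filtering (secure mesh only). Any negative value selects the default
 *	of 10 s. Previously only -1 did and other negative values went
 *	straight into eloop_register_timeout(), whose seconds argument is
 *	unsigned in hostapd's eloop (confirm against eloop.h), which would
 *	have kept the peer pinned for a very long time.
 * Returns: 0 if peering was started, -1 on any refusal (logged at MSG_INFO):
 *	mesh not up, network not configured with no_auto_peer, unknown peer,
 *	or a peer that is already connecting/connected (MPM state between
 *	OPN_SNT and ESTAB, or an SAE exchange in progress).
 *
 * Open mesh: sends a Peering Open immediately. Secure mesh: starts SAE,
 * records the peer in mesh_required_peer so that wpa_mesh_new_mesh_peer()
 * lets it through, and arms peer_add_timer() to clear that exemption.
 */
int mesh_mpm_connect_peer(struct wpa_supplicant *wpa_s, const u8 *addr,
			  int duration)
{
	struct wpa_ssid *ssid = wpa_s->current_ssid;
	struct hostapd_data *hapd;
	struct sta_info *sta;
	struct mesh_conf *conf;

	if (!wpa_s->ifmsh) {
		wpa_msg(wpa_s, MSG_INFO, "Mesh is not prepared yet");
		return -1;
	}

	if (!ssid || !ssid->no_auto_peer) {
		wpa_msg(wpa_s, MSG_INFO,
			"This command is available only with no_auto_peer mesh network");
		return -1;
	}

	hapd = wpa_s->ifmsh->bss[0];
	conf = wpa_s->ifmsh->mconf;

	sta = ap_get_sta(hapd, addr);
	if (!sta) {
		wpa_msg(wpa_s, MSG_INFO, "No such mesh peer");
		return -1;
	}

	if ((PLINK_OPN_SNT <= sta->plink_state &&
	    sta->plink_state <= PLINK_ESTAB) ||
	    (sta->sae && sta->sae->state > SAE_NOTHING)) {
		wpa_msg(wpa_s, MSG_INFO,
			"Specified peer is connecting/connected");
		return -1;
	}

	if (conf->security == MESH_CONF_SEC_NONE) {
		mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_SNT);
	} else {
		mesh_rsn_auth_sae_sta(wpa_s, sta);
		os_memcpy(hapd->mesh_required_peer, addr, ETH_ALEN);
		/* Negative durations (not just -1) mean "use the default";
		 * see the header comment for why they must not reach eloop */
		eloop_register_timeout(duration < 0 ? 10 : duration, 0,
				       peer_add_timer, wpa_s, NULL);
	}

	return 0;
}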
661 
662 
/*
 * Shut the MPM down for @ifmsh: send a Peering Close to every known peer
 * (mesh_mpm_plink_close() also cancels each peer's timers), zero the plink
 * count, free the whole station table and stop the connect-peer timer.
 */
void mesh_mpm_deinit(struct wpa_supplicant *wpa_s, struct hostapd_iface *ifmsh)
{
	struct hostapd_data *bss = ifmsh->bss[0];

	ap_for_each_sta(bss, mesh_mpm_plink_close, wpa_s);
	bss->num_plinks = 0;

	hostapd_free_stas(bss);
	eloop_cancel_timeout(peer_add_timer, wpa_s, NULL);
}
674 
675 
/*
 * Called by mesh_rsn once SAE authentication with @addr has completed: mark
 * the peer authenticated, set up its AMPE state, tell the driver it is now
 * authenticated and authorized, and kick off the Open exchange. A peer with
 * no station entry is ignored (debug log only). A driver failure is logged
 * but peering still proceeds.
 */
void mesh_mpm_auth_peer(struct wpa_supplicant *wpa_s, const u8 *addr)
{
	struct hostapd_data *bss = wpa_s->ifmsh->bss[0];
	struct hostapd_sta_add_params params;
	struct sta_info *sta = ap_get_sta(bss, addr);
	int err;

	if (sta == NULL) {
		wpa_msg(wpa_s, MSG_DEBUG, "no such mesh peer");
		return;
	}

	/* TODO: Should do nothing if this STA is already authenticated, but
	 * the AP code already sets this flag. */
	sta->flags |= WLAN_STA_AUTH;

	mesh_rsn_init_ampe_sta(wpa_s, sta);

	/* set = 1: update the driver entry that mesh_mpm_add_peer() created
	 * (presumably; confirm against the driver API) */
	os_memset(&params, 0, sizeof(params));
	params.addr = sta->addr;
	params.flags = WPA_STA_AUTHENTICATED | WPA_STA_AUTHORIZED;
	params.set = 1;
	params.mld_link_id = -1;

	wpa_msg(wpa_s, MSG_DEBUG, "MPM authenticating " MACSTR,
		MAC2STR(sta->addr));
	err = wpa_drv_sta_add(wpa_s, &params);
	if (err != 0)
		wpa_msg(wpa_s, MSG_ERROR,
			"Driver failed to set " MACSTR ": %d",
			MAC2STR(sta->addr), err);

	/* A zero LLID means none was assigned yet */
	if (sta->my_lid == 0)
		mesh_mpm_init_link(wpa_s, sta);

	mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_SNT);
}
717 
/*
 * Initialize a sta_info structure for a peer and upload it into the driver
 * in preparation for beginning authentication or peering. This is done when a
 * Beacon (secure or open mesh) or a peering open frame (for open mesh) is
 * received from the peer for the first time.
 * @addr: the peer's MAC address
 * @elems: elements parsed from that frame; lengths are peer-controlled and
 *	are bounds-checked here or in the copy_sta_* helpers (assumed)
 * Returns: the new sta entry, or NULL when the peer advertises that it
 *	accepts no more peers, a sta entry already exists for @addr, its rates
 *	are unusable, no AID is free, or the driver rejects the entry. On every
 *	failure after ap_sta_add() the entry is freed again.
 *
 * In an open mesh the driver entry is created already authenticated and
 * authorized (there is no handshake); in a secure mesh only MFP is set here
 * and authorization is granted later by mesh_mpm_auth_peer().
 */
static struct sta_info * mesh_mpm_add_peer(struct wpa_supplicant *wpa_s,
					   const u8 *addr,
					   struct ieee802_11_elems *elems)
{
	struct hostapd_sta_add_params params;
	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
	struct hostapd_data *data = wpa_s->ifmsh->bss[0];
	struct sta_info *sta;
	struct ieee80211_ht_operation *oper;
	int ret;

	/* Mesh Capability octet (index 6) is only read when the element is
	 * long enough; a short element is treated as accepting peers */
	if (elems->mesh_config_len >= 7 &&
	    !(elems->mesh_config[6] & MESH_CAP_ACCEPT_ADDITIONAL_PEER)) {
		wpa_msg(wpa_s, MSG_DEBUG,
			"mesh: Ignore a crowded peer " MACSTR,
			MAC2STR(addr));
		return NULL;
	}

	/* Known peers are not re-added; the caller treats NULL as "nothing
	 * to do" */
	sta = ap_get_sta(data, addr);
	if (sta)
		return NULL;

	sta = ap_sta_add(data, addr);
	if (!sta)
		return NULL;

	/* Set WMM by default since Mesh STAs are QoS STAs */
	sta->flags |= WLAN_STA_WMM;

	/* initialize sta */
	if (copy_supp_rates(wpa_s, sta, elems)) {
		ap_free_sta(data, sta);
		return NULL;
	}

	/* Fresh entry, so my_lid is presumably 0 here; assign an LLID and
	 * put the peering state machine into IDLE */
	if (!sta->my_lid)
		mesh_mpm_init_link(wpa_s, sta);

	copy_sta_ht_capab(data, sta, elems->ht_capabilities);

	/* Peer's HT Operation says 20 MHz only: do not use HT40 with it */
	oper = (struct ieee80211_ht_operation *) elems->ht_operation;
	if (oper &&
	    !(oper->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) &&
	    sta->ht_capabilities) {
		wpa_msg(wpa_s, MSG_DEBUG, MACSTR
			" does not support 40 MHz bandwidth",
			MAC2STR(sta->addr));
		set_disable_ht40(sta->ht_capabilities, 1);
	}

	/* A positive result means the BSS-wide HT state changed and our
	 * Beacons must reflect it */
	if (update_ht_state(data, sta) > 0)
		ieee802_11_update_beacons(data->iface);

#ifdef CONFIG_IEEE80211AC
	copy_sta_vht_capab(data, sta, elems->vht_capabilities);
	copy_sta_vht_oper(data, sta, elems->vht_operation);
	set_sta_vht_opmode(data, sta, elems->opmode_notif);
#endif /* CONFIG_IEEE80211AC */

#ifdef CONFIG_IEEE80211AX
	copy_sta_he_capab(data, sta, IEEE80211_MODE_MESH,
			  elems->he_capabilities, elems->he_capabilities_len);
	copy_sta_he_6ghz_capab(data, sta, elems->he_6ghz_band_cap);
#endif /* CONFIG_IEEE80211AX */
#ifdef CONFIG_IEEE80211BE
	/* EHT parsing needs the HE capabilities as well */
	copy_sta_eht_capab(data, sta, IEEE80211_MODE_MESH,
			   elems->he_capabilities,
			   elems->he_capabilities_len,
			   elems->eht_capabilities,
			   elems->eht_capabilities_len);
#endif /*CONFIG_IEEE80211BE */

	/* The AID we assign is sent back to the peer in our Confirm frame */
	if (hostapd_get_aid(data, sta) < 0) {
		wpa_msg(wpa_s, MSG_ERROR, "No AIDs available");
		ap_free_sta(data, sta);
		return NULL;
	}

	/* insert into driver */
	os_memset(&params, 0, sizeof(params));
	params.supp_rates = sta->supported_rates;
	params.supp_rates_len = sta->supported_rates_len;
	params.addr = addr;
	params.plink_state = sta->plink_state;
	params.aid = sta->aid;
	params.peer_aid = sta->peer_aid;
	params.listen_interval = 100;
	params.ht_capabilities = sta->ht_capabilities;
	params.vht_capabilities = sta->vht_capabilities;
	params.he_capab = sta->he_capab;
	params.he_capab_len = sta->he_capab_len;
	params.he_6ghz_capab = sta->he_6ghz_capab;
	params.eht_capab = sta->eht_capab;
	params.eht_capab_len = sta->eht_capab_len;
	params.flags |= WPA_STA_WMM;
	params.flags_mask |= WPA_STA_AUTHENTICATED;
	params.mld_link_id = -1;
	if (conf->security == MESH_CONF_SEC_NONE) {
		/* Open mesh: nothing to authenticate, authorize right away */
		params.flags |= WPA_STA_AUTHORIZED;
		params.flags |= WPA_STA_AUTHENTICATED;
	} else {
		/* Secure mesh: management frames to/from this peer are
		 * protected; authorization comes with mesh_mpm_auth_peer() */
		sta->flags |= WLAN_STA_MFP;
		params.flags |= WPA_STA_MFP;
	}

	ret = wpa_drv_sta_add(wpa_s, &params);
	if (ret) {
		wpa_msg(wpa_s, MSG_ERROR,
			"Driver failed to insert " MACSTR ": %d",
			MAC2STR(addr), ret);
		ap_free_sta(data, sta);
		return NULL;
	}

	return sta;
}
841 
842 
/*
 * Replay an Authentication frame that arrived from @addr before its sta
 * entry existed, provided it is recent (under 2 s old) and really came from
 * @addr; the stored copy is released either way. mgmt->sa is read from the
 * stored buffer, which is assumed to hold a complete management header.
 */
static void mesh_mpm_replay_pending_auth(struct hostapd_data *data,
					 const u8 *addr)
{
	struct os_reltime age;
	const struct ieee80211_mgmt *mgmt;
	struct hostapd_frame_info fi;

	if (data->mesh_pending_auth == NULL)
		return;

	mgmt = wpabuf_head(data->mesh_pending_auth);
	os_reltime_age(&data->mesh_pending_auth_time, &age);
	if (age.sec < 2 && ether_addr_equal(mgmt->sa, addr)) {
		wpa_printf(MSG_DEBUG,
			   "mesh: Process pending Authentication frame from %u.%06u seconds ago",
			   (unsigned int) age.sec,
			   (unsigned int) age.usec);
		os_memset(&fi, 0, sizeof(fi));
		ieee802_11_mgmt(data,
				wpabuf_head(data->mesh_pending_auth),
				wpabuf_len(data->mesh_pending_auth),
				&fi);
	}

	wpabuf_free(data->mesh_pending_auth);
	data->mesh_pending_auth = NULL;
}


/*
 * A neighbor of this MBSS was seen for the first time: create its sta entry
 * and, unless no_auto_peer holds it back, start peering (open mesh) or SAE
 * (secure mesh). With no_auto_peer only the peer named in
 * mesh_required_peer (set by mesh_mpm_connect_peer()) proceeds; for any
 * other peer a queued Authentication frame from it is replayed and nothing
 * else happens. Returns silently if mesh_mpm_add_peer() declines the peer.
 */
void wpa_mesh_new_mesh_peer(struct wpa_supplicant *wpa_s, const u8 *addr,
			    struct ieee802_11_elems *elems)
{
	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
	struct hostapd_data *data = wpa_s->ifmsh->bss[0];
	struct wpa_ssid *ssid = wpa_s->current_ssid;
	struct sta_info *sta;
	bool required_peer;

	sta = mesh_mpm_add_peer(wpa_s, addr, elems);
	if (sta == NULL)
		return;

	required_peer = !is_zero_ether_addr(data->mesh_required_peer) &&
		ether_addr_equal(data->mesh_required_peer, addr);
	if (ssid && ssid->no_auto_peer && !required_peer) {
		wpa_msg(wpa_s, MSG_INFO, "will not initiate new peer link with "
			MACSTR " because of no_auto_peer", MAC2STR(addr));
		mesh_mpm_replay_pending_auth(data, addr);
		return;
	}

	if (conf->security != MESH_CONF_SEC_NONE) {
		mesh_rsn_auth_sae_sta(wpa_s, sta);
		return;
	}

	/* Open mesh: send Open unless an exchange is already under way */
	if (sta->plink_state < PLINK_OPN_SNT ||
	    sta->plink_state > PLINK_ESTAB)
		mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_SNT);
}
894 
895 
/*
 * Hand a received management frame to the AP-side parser for bss[0],
 * carrying over only the datarate and signal strength. wpa_s->ifmsh is
 * assumed to be set by the caller; it is not checked here.
 */
void mesh_mpm_mgmt_rx(struct wpa_supplicant *wpa_s, struct rx_mgmt *rx_mgmt)
{
	struct hostapd_frame_info fi = {
		.datarate = rx_mgmt->datarate,
		.ssi_signal = rx_mgmt->ssi_signal,
	};

	ieee802_11_mgmt(wpa_s->ifmsh->bss[0], rx_mgmt->frame,
			rx_mgmt->frame_len, &fi);
}
906 
907 
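/*
 * Finish peering with @sta: install the negotiated keys (AMPE only), mark
 * the link ESTAB locally and in the driver, bump the plink count, flag the
 * sta associated, clear the connect-peer exemption and notify listeners.
 *
 * Keys installed for an AMPE link: the pairwise MTK (zero initial sequence
 * counter), the peer's MGTK for receive, and its IGTK if one was delivered.
 * wpa_hexdump_key() is used so the key material only appears in logs when
 * key debugging is enabled (assumed; that is the wpa_hexdump_key contract).
 *
 * A failing wpa_drv_set_key() is now logged at MSG_ERROR instead of being
 * dropped on the floor; the link is still declared ESTAB so our state stays
 * in step with the peer's, but a failed MTK install means the driver holds
 * no key for this peer, which an operator needs to see.
 */
static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s,
				 struct sta_info *sta)
{
	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
	u8 seq[6] = { 0 };

	wpa_msg(wpa_s, MSG_INFO, "mesh plink with " MACSTR " established",
		MAC2STR(sta->addr));

	if (conf->security & MESH_CONF_SEC_AMPE) {
		wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len);
		if (wpa_drv_set_key(wpa_s, -1,
				    wpa_cipher_to_alg(conf->pairwise_cipher),
				    sta->addr, 0, 0, seq, sizeof(seq),
				    sta->mtk, sta->mtk_len,
				    KEY_FLAG_PAIRWISE_RX_TX) < 0)
			wpa_msg(wpa_s, MSG_ERROR,
				"mesh: Failed to install MTK for " MACSTR,
				MAC2STR(sta->addr));

		wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC",
				sta->mgtk_rsc, sizeof(sta->mgtk_rsc));
		wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK",
				sta->mgtk, sta->mgtk_len);
		if (wpa_drv_set_key(wpa_s, -1,
				    wpa_cipher_to_alg(conf->group_cipher),
				    sta->addr, sta->mgtk_key_id, 0,
				    sta->mgtk_rsc, sizeof(sta->mgtk_rsc),
				    sta->mgtk, sta->mgtk_len,
				    KEY_FLAG_GROUP_RX) < 0)
			wpa_msg(wpa_s, MSG_ERROR,
				"mesh: Failed to install RX MGTK for " MACSTR,
				MAC2STR(sta->addr));

		if (sta->igtk_len) {
			wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK Key RSC",
					sta->igtk_rsc, sizeof(sta->igtk_rsc));
			wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK",
					sta->igtk, sta->igtk_len);
			if (wpa_drv_set_key(
				    wpa_s, -1,
				    wpa_cipher_to_alg(conf->mgmt_group_cipher),
				    sta->addr, sta->igtk_key_id, 0,
				    sta->igtk_rsc, sizeof(sta->igtk_rsc),
				    sta->igtk, sta->igtk_len,
				    KEY_FLAG_GROUP_RX) < 0)
				wpa_msg(wpa_s, MSG_ERROR,
					"mesh: Failed to install RX IGTK for "
					MACSTR, MAC2STR(sta->addr));
		}
	}

	wpa_mesh_set_plink_state(wpa_s, sta, PLINK_ESTAB);
	hapd->num_plinks++;

	sta->flags |= WLAN_STA_ASSOC;
	sta->mesh_sae_pmksa_caching = 0;

	/* The connect-peer window is over: clear mesh_required_peer now
	 * rather than waiting for the timer */
	eloop_cancel_timeout(peer_add_timer, wpa_s, NULL);
	peer_add_timer(wpa_s, NULL);
	eloop_cancel_timeout(plink_timer, wpa_s, sta);

	wpas_notify_mesh_peer_connected(wpa_s, sta->addr);
}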
964 
965 
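/*
 * mesh_mpm_enter_holding - Move a peer link into PLINK_HOLDING
 * @wpa_s: Pointer to wpa_supplicant data
 * @sta: Peer whose link is being torn down
 * @conf: Mesh configuration (source of dot11MeshHoldingTimeout)
 * @reason: Reason code to record; 0 selects WLAN_REASON_MESH_CLOSE_RCVD
 * Returns: The reason code actually recorded in sta->mpm_close_reason
 *
 * Shared tail of every "close the link" transition in mesh_mpm_fsm(): update
 * the link state through wpa_mesh_set_plink_state(), pick the default reason
 * code, arm the holding timer and remember the reason so that frames received
 * while in PLINK_HOLDING are answered with a Close carrying the same code.
 * The caller sends the Close frame (and does the ESTAB-only bookkeeping)
 * afterwards, which keeps the original ordering of side effects.
 */
static u16 mesh_mpm_enter_holding(struct wpa_supplicant *wpa_s,
				  struct sta_info *sta, struct mesh_conf *conf,
				  u16 reason)
{
	wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
	if (!reason)
		reason = WLAN_REASON_MESH_CLOSE_RCVD;
	/*
	 * NOTE(review): a retry/confirm timer still pending for this peer is
	 * not cancelled here; the holding timeout is registered in addition to
	 * it (only the CNF_ACPT path in mesh_mpm_fsm() cancels first). Confirm
	 * that plink_timer() tolerates the earlier timer firing while the link
	 * is in PLINK_HOLDING.
	 */
	eloop_register_timeout(conf->dot11MeshHoldingTimeout / 1000,
			       (conf->dot11MeshHoldingTimeout % 1000) * 1000,
			       plink_timer, wpa_s, sta);
	/* Recorded for every holding transition so that the Close frames sent
	 * from PLINK_HOLDING repeat the real reason instead of a stale value. */
	sta->mpm_close_reason = reason;

	return reason;
}


/*
 * mesh_mpm_fsm - Run the mesh peering management state machine
 * @wpa_s: Pointer to wpa_supplicant data
 * @sta: Peer the event applies to (sta->plink_state is the current state)
 * @event: Event derived from a received frame or from a local decision
 * @reason: Reason code carried by the event; 0 means "use the default"
 *
 * Accepted Open frames are answered with a Confirm, the second accepted frame
 * establishes the link (deriving the MTK first when AMPE is enabled) and any
 * reject or Close moves the link to PLINK_HOLDING with a Close sent back.
 * Events without an entry for the current state are ignored silently.
 */
static void mesh_mpm_fsm(struct wpa_supplicant *wpa_s, struct sta_info *sta,
			 enum plink_event event, u16 reason)
{
	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
	struct mesh_conf *conf = wpa_s->ifmsh->mconf;

	wpa_msg(wpa_s, MSG_DEBUG, "MPM " MACSTR " state %s event %s",
		MAC2STR(sta->addr), mplstate[sta->plink_state],
		mplevent[event]);

	switch (sta->plink_state) {
	case PLINK_IDLE:
		switch (event) {
		case CLS_ACPT:
			mesh_mpm_fsm_restart(wpa_s, sta);
			break;
		case OPN_ACPT:
			mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_RCVD);
			mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CONFIRM,
						   0);
			break;
		case REQ_RJCT:
			/* Local rejection (e.g., peer link quota reached):
			 * answer with Close but stay in IDLE. */
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CLOSE, reason);
			break;
		default:
			break;
		}
		break;
	case PLINK_OPN_SNT:
		switch (event) {
		case OPN_RJCT:
		case CNF_RJCT:
			if (!reason)
				reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION;
			/* fall-through */
		case CLS_ACPT:
			reason = mesh_mpm_enter_holding(wpa_s, sta, conf,
							reason);
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CLOSE, reason);
			break;
		case OPN_ACPT:
			/* retry timer is left untouched */
			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_OPN_RCVD);
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CONFIRM, 0);
			break;
		case CNF_ACPT:
			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_CNF_RCVD);
			/* The pending plink_timer (retry) is replaced by the
			 * confirm timeout. */
			eloop_cancel_timeout(plink_timer, wpa_s, sta);
			eloop_register_timeout(
				conf->dot11MeshConfirmTimeout / 1000,
				(conf->dot11MeshConfirmTimeout % 1000) * 1000,
				plink_timer, wpa_s, sta);
			break;
		default:
			break;
		}
		break;
	case PLINK_OPN_RCVD:
		switch (event) {
		case OPN_RJCT:
		case CNF_RJCT:
			if (!reason)
				reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION;
			/* fall-through */
		case CLS_ACPT:
			reason = mesh_mpm_enter_holding(wpa_s, sta, conf,
							reason);
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CLOSE, reason);
			break;
		case OPN_ACPT:
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CONFIRM, 0);
			break;
		case CNF_ACPT:
			/* With AMPE the MTK must exist before the link is
			 * established, since establishment installs it. */
			if (conf->security & MESH_CONF_SEC_AMPE)
				mesh_rsn_derive_mtk(wpa_s, sta);
			mesh_mpm_plink_estab(wpa_s, sta);
			break;
		default:
			break;
		}
		break;
	case PLINK_CNF_RCVD:
		switch (event) {
		case OPN_RJCT:
		case CNF_RJCT:
			if (!reason)
				reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION;
			/* fall-through */
		case CLS_ACPT:
			reason = mesh_mpm_enter_holding(wpa_s, sta, conf,
							reason);
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CLOSE, reason);
			break;
		case OPN_ACPT:
			if (conf->security & MESH_CONF_SEC_AMPE)
				mesh_rsn_derive_mtk(wpa_s, sta);
			mesh_mpm_plink_estab(wpa_s, sta);
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CONFIRM, 0);
			break;
		default:
			break;
		}
		break;
	case PLINK_ESTAB:
		switch (event) {
		case OPN_RJCT:
		case CNF_RJCT:
		case CLS_ACPT:
			/* Unlike the pre-establishment states, a reject here
			 * does not default to a policy-violation reason. */
			reason = mesh_mpm_enter_holding(wpa_s, sta, conf,
							reason);

			wpa_msg(wpa_s, MSG_INFO, "mesh plink with " MACSTR
				" closed with reason %d",
				MAC2STR(sta->addr), reason);

			wpas_notify_mesh_peer_disconnected(wpa_s, sta->addr,
							   reason);

			/* Balances the increment done on establishment */
			hapd->num_plinks--;

			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CLOSE, reason);
			break;
		case OPN_ACPT:
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CONFIRM, 0);
			break;
		default:
			break;
		}
		break;
	case PLINK_HOLDING:
		switch (event) {
		case CLS_ACPT:
			mesh_mpm_fsm_restart(wpa_s, sta);
			break;
		case OPN_ACPT:
		case CNF_ACPT:
		case OPN_RJCT:
		case CNF_RJCT:
			/* Keep repeating the reason recorded when the link
			 * entered the holding state. */
			reason = sta->mpm_close_reason;
			mesh_mpm_send_plink_action(wpa_s, sta,
						   PLINK_CLOSE, reason);
			break;
		default:
			break;
		}
		break;
	default:
		wpa_msg(wpa_s, MSG_DEBUG,
			"Unsupported MPM event %s for state %s",
			mplevent[event], mplstate[sta->plink_state]);
		break;
	}
}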
1152 
1153 
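/*
 * mesh_mpm_action_rx - Process a received Self-protected Action frame
 * @wpa_s: Pointer to wpa_supplicant data
 * @mgmt: Received management frame (untrusted, from the air)
 * @len: Length of the frame in octets, including the 802.11 header
 *
 * Only Mesh Peering Open/Confirm/Close frames are handled. The frame body is
 * validated step by step (fixed fields, element parsing, Mesh ID/Mesh Config
 * match, Mesh Peering Management element, optional AMPE/OCV checks) and every
 * failure drops the frame with a debug message. Link IDs are then compared
 * against the STA entry and, if they are consistent, the matching event is
 * fed into mesh_mpm_fsm().
 */
void mesh_mpm_action_rx(struct wpa_supplicant *wpa_s,
			const struct ieee80211_mgmt *mgmt, size_t len)
{
	u8 action_field;
	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
	struct mesh_conf *mconf = wpa_s->ifmsh->mconf;
	struct sta_info *sta;
	u16 plid = 0, llid = 0, aid = 0;
	enum plink_event event;
	struct ieee802_11_elems elems;
	struct mesh_peer_mgmt_ie peer_mgmt_ie;
	const u8 *ies;
	size_t ie_len;
	int ret;
	u16 reason = 0;

	/*
	 * The Self-protected Action body starts after the 802.11 header plus
	 * the Category and Action octets. The caller is expected to have
	 * checked this already, but ie_len below is computed by pointer
	 * subtraction and would wrap on a shorter frame, so make the bound
	 * explicit here before touching any field.
	 */
	if (len < IEEE80211_HDRLEN + 2)
		return;

	if (mgmt->u.action.category != WLAN_ACTION_SELF_PROTECTED)
		return;

	action_field = mgmt->u.action.u.slf_prot_action.action;
	if (action_field != PLINK_OPEN &&
	    action_field != PLINK_CONFIRM &&
	    action_field != PLINK_CLOSE)
		return;

	ies = mgmt->u.action.u.slf_prot_action.variable;
	ie_len = (const u8 *) mgmt + len -
		mgmt->u.action.u.slf_prot_action.variable;

	/* at least expect mesh id and peering mgmt; this also covers the
	 * Capability and AID fixed fields consumed below */
	if (ie_len < 2 + 2) {
		wpa_printf(MSG_DEBUG,
			   "MPM: Ignore too short action frame %u ie_len %u",
			   action_field, (unsigned int) ie_len);
		return;
	}
	wpa_printf(MSG_DEBUG, "MPM: Received PLINK action %u", action_field);

	if (action_field == PLINK_OPEN || action_field == PLINK_CONFIRM) {
		wpa_printf(MSG_DEBUG, "MPM: Capability 0x%x",
			   WPA_GET_LE16(ies));
		ies += 2;	/* capability */
		ie_len -= 2;
	}
	if (action_field == PLINK_CONFIRM) {
		aid = WPA_GET_LE16(ies);
		wpa_printf(MSG_DEBUG, "MPM: AID 0x%x", aid);
		ies += 2;	/* aid */
		ie_len -= 2;
	}

	/* check for mesh peering, mesh id and mesh config IEs */
	if (ieee802_11_parse_elems(ies, ie_len, &elems, 0) == ParseFailed) {
		wpa_printf(MSG_DEBUG, "MPM: Failed to parse PLINK IEs");
		return;
	}
	if (!elems.peer_mgmt) {
		wpa_printf(MSG_DEBUG,
			   "MPM: No Mesh Peering Management element");
		return;
	}
	if (action_field != PLINK_CLOSE) {
		if (!elems.mesh_id || !elems.mesh_config) {
			wpa_printf(MSG_DEBUG,
				   "MPM: No Mesh ID or Mesh Configuration element");
			return;
		}

		if (!matches_local(wpa_s, &elems)) {
			wpa_printf(MSG_DEBUG,
				   "MPM: Mesh ID or Mesh Configuration element do not match local MBSS");
			return;
		}
	}

	ret = mesh_mpm_parse_peer_mgmt(wpa_s, action_field,
				       elems.peer_mgmt,
				       elems.peer_mgmt_len,
				       &peer_mgmt_ie);
	if (ret) {
		wpa_printf(MSG_DEBUG, "MPM: Mesh parsing rejected frame");
		return;
	}

	/* the sender's llid is our plid and vice-versa */
	plid = WPA_GET_LE16(peer_mgmt_ie.llid);
	if (peer_mgmt_ie.plid)
		llid = WPA_GET_LE16(peer_mgmt_ie.plid);
	wpa_printf(MSG_DEBUG, "MPM: plid=0x%x llid=0x%x", plid, llid);

	/* presumably mesh_mpm_parse_peer_mgmt() guarantees a Reason Code for
	 * Close frames; it is dereferenced here without a NULL check */
	if (action_field == PLINK_CLOSE)
		wpa_printf(MSG_DEBUG, "MPM: close reason=%u",
			   WPA_GET_LE16(peer_mgmt_ie.reason));

	sta = ap_get_sta(hapd, mgmt->sa);

	/*
	 * If this is an open frame from an unknown STA, and this is an
	 * open mesh, then go ahead and add the peer before proceeding.
	 *
	 * NOTE(review): the STA entry is created before plink_free_count() is
	 * consulted below, so the quota applies to the FSM event rather than
	 * to the entry itself; confirm that mesh_mpm_add_peer() bounds the
	 * number of entries an unauthenticated sender can create.
	 */
	if (!sta && action_field == PLINK_OPEN &&
	    (!(mconf->security & MESH_CONF_SEC_AMPE) ||
	     wpa_auth_pmksa_get(hapd->wpa_auth, mgmt->sa, NULL)))
		sta = mesh_mpm_add_peer(wpa_s, mgmt->sa, &elems);

	if (!sta) {
		wpa_printf(MSG_DEBUG, "MPM: No STA entry for peer");
		return;
	}

#ifdef CONFIG_SAE
	/* peer is in sae_accepted? */
	if (sta->sae && sta->sae->state != SAE_ACCEPTED) {
		wpa_printf(MSG_DEBUG, "MPM: SAE not yet accepted for peer");
		return;
	}
#endif /* CONFIG_SAE */

	if (!sta->my_lid)
		mesh_mpm_init_link(wpa_s, sta);

	if (mconf->security & MESH_CONF_SEC_AMPE) {
		int res;

		res = mesh_rsn_process_ampe(wpa_s, sta, &elems,
					    &mgmt->u.action.category,
					    peer_mgmt_ie.chosen_pmk,
					    ies, ie_len);
		if (res) {
			wpa_printf(MSG_DEBUG,
				   "MPM: RSN process rejected frame (res=%d)",
				   res);
			if (action_field == PLINK_OPEN && res == -2) {
				/* AES-SIV decryption failed */
				mesh_mpm_fsm(wpa_s, sta, OPN_RJCT,
					     WLAN_REASON_MESH_INVALID_GTK);
			}
			return;
		}

#ifdef CONFIG_OCV
		/* OCV is negotiated from the RSNE in the Open frame: it is
		 * used only if both the local config and the peer's RSN
		 * capabilities enable it. */
		if (action_field == PLINK_OPEN && elems.rsn_ie) {
			struct wpa_state_machine *sm = sta->wpa_sm;
			struct wpa_ie_data data;

			res = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2,
						   elems.rsn_ie_len + 2,
						   &data);
			if (res) {
				wpa_printf(MSG_DEBUG,
					   "Failed to parse RSN IE (res=%d)",
					   res);
				wpa_hexdump(MSG_DEBUG, "RSN IE", elems.rsn_ie,
					    elems.rsn_ie_len);
				return;
			}

			wpa_auth_set_ocv(sm, mconf->ocv &&
					 (data.capabilities &
					  WPA_CAPABILITY_OCVC));
		}

		/* Open and Confirm frames must carry an OCI matching the
		 * channel they were received on; a missing or mismatching
		 * OCI drops the frame. */
		if (action_field != PLINK_CLOSE &&
		    wpa_auth_uses_ocv(sta->wpa_sm)) {
			struct wpa_channel_info ci;
			int tx_chanwidth;
			int tx_seg1_idx;

			if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
				wpa_printf(MSG_WARNING,
					   "MPM: Failed to get channel info to validate received OCI in MPM Confirm");
				return;
			}

			if (get_tx_parameters(
				    sta, channel_width_to_int(ci.chanwidth),
				    ci.seg1_idx, &tx_chanwidth,
				    &tx_seg1_idx) < 0)
				return;

			if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
						 tx_chanwidth, tx_seg1_idx) !=
			    OCI_SUCCESS) {
				wpa_printf(MSG_WARNING, "MPM: OCV failed: %s",
					   ocv_errorstr);
				return;
			}
		}
#endif /* CONFIG_OCV */
	}

	if (sta->plink_state == PLINK_BLOCKED) {
		wpa_printf(MSG_DEBUG, "MPM: PLINK_BLOCKED");
		return;
	}

	/* Now we will figure out the appropriate event... */
	switch (action_field) {
	case PLINK_OPEN:
		if (plink_free_count(hapd) == 0) {
			event = REQ_RJCT;
			reason = WLAN_REASON_MESH_MAX_PEERS;
			wpa_printf(MSG_INFO,
				   "MPM: Peer link num over quota(%d)",
				   hapd->max_plinks);
		} else if (sta->peer_lid && sta->peer_lid != plid) {
			wpa_printf(MSG_DEBUG,
				   "MPM: peer_lid mismatch: 0x%x != 0x%x",
				   sta->peer_lid, plid);
			return; /* no FSM event */
		} else {
			sta->peer_lid = plid;
			event = OPN_ACPT;
		}
		break;
	case PLINK_CONFIRM:
		if (plink_free_count(hapd) == 0) {
			event = REQ_RJCT;
			reason = WLAN_REASON_MESH_MAX_PEERS;
			wpa_printf(MSG_INFO,
				   "MPM: Peer link num over quota(%d)",
				   hapd->max_plinks);
		} else if (sta->my_lid != llid ||
			   (sta->peer_lid && sta->peer_lid != plid)) {
			wpa_printf(MSG_DEBUG,
				   "MPM: lid mismatch: my_lid: 0x%x != 0x%x or peer_lid: 0x%x != 0x%x",
				   sta->my_lid, llid, sta->peer_lid, plid);
			return; /* no FSM event */
		} else {
			if (!sta->peer_lid)
				sta->peer_lid = plid;
			sta->peer_aid = aid;
			event = CNF_ACPT;
		}
		break;
	case PLINK_CLOSE:
		if (sta->plink_state == PLINK_ESTAB)
			/* Do not check for llid or plid. This does not
			 * follow the standard but since multiple plinks
			 * per cand are not supported, it is necessary in
			 * order to avoid a livelock when MP A sees an
			 * establish peer link to MP B but MP B does not
			 * see it. This can be caused by a timeout in
			 * B's peer link establishment or B being
			 * restarted.
			 */
			event = CLS_ACPT;
		else if (sta->peer_lid != plid) {
			wpa_printf(MSG_DEBUG,
				   "MPM: peer_lid mismatch: 0x%x != 0x%x",
				   sta->peer_lid, plid);
			return; /* no FSM event */
		} else if (peer_mgmt_ie.plid && sta->my_lid != llid) {
			wpa_printf(MSG_DEBUG,
				   "MPM: my_lid mismatch: 0x%x != 0x%x",
				   sta->my_lid, llid);
			return; /* no FSM event */
		} else {
			event = CLS_ACPT;
		}
		break;
	default:
		/*
		 * This cannot be hit due to the action_field check above, but
		 * compilers may not be able to figure that out and can warn
		 * about uninitialized event below.
		 */
		return;
	}
	mesh_mpm_fsm(wpa_s, sta, event, reason);
}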
1425 
1426 
1427 /* called by ap_free_sta */
/*
 * mesh_mpm_free_sta - Release MPM state when a STA entry is freed
 * @hapd: BSS the STA belongs to
 * @sta: STA entry about to be freed
 *
 * Called from ap_free_sta(). An established link is accounted for (peer link
 * counter, disconnect notification with WLAN_REASON_UNSPECIFIED) and any MPM
 * timers still referencing the entry are cancelled so they cannot fire on
 * freed memory.
 */
void mesh_mpm_free_sta(struct hostapd_data *hapd, struct sta_info *sta)
{
	struct wpa_supplicant *wpa_s = hapd->iface->owner;
	int was_established = sta->plink_state == PLINK_ESTAB;

	if (was_established) {
		hapd->num_plinks--;
		wpas_notify_mesh_peer_disconnected(wpa_s, sta->addr,
						   WLAN_REASON_UNSPECIFIED);
	}

	/* Both timers carry the STA as user data; cancel them regardless of
	 * which eloop context registered them. */
	eloop_cancel_timeout(plink_timer, ELOOP_ALL_CTX, sta);
	eloop_cancel_timeout(mesh_auth_timer, ELOOP_ALL_CTX, sta);
}
1440