path: root/wpa_supplicant/wnm_sta.c
Commit message (Collapse)AuthorAgeFilesLines
* WNM: Use NULL instead of 0 as the pointer return valueJouni Malinen2016-06-231-1/+1
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Fetch scan results before checking transition candidatesKanchanapally, Vidyullatha2016-04-231-21/+141
| | | | | | | | | | | | | On receiving a WNM BSS Transition Management Request frame with a candidate list, fetch the latest scan results from the kernel to see if there are any recent scan results for the candidates and initiate a connection if found. This helps to avoid triggering a new scan in cases where a scan initiated by something else (e.g., an internal beacon measurement report functionality in a driver) has processed Beacon or Probe Response frames without wpa_supplicant having received a notification of such an update yet. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Verify BSS TM target match against the current network profileJouni Malinen2016-03-241-0/+11
| | | | | | | Reject a BSS transition management candidate if it does not match the current network profile, e.g., due to incompatible security parameters. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Do not scan based on malformed BSS Transition Management RequestAvraham Stern2016-03-031-0/+11
| | | | | | | | | Verify that when the Candidate List Included bit is set in a BSS Transition Management Request frame, the candidate list actually includes at least one candidate. If no candidates are included, reject the request without scanning. Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* WNM: Fix candidates count in BSS Transition Management RequestAvraham Stern2016-03-031-1/+1
| | | | | | | | | | | | | In BSS Transition Management Request frame, it is possible that vendor specific IEs are included after the candidate list. In this case the candidates count was incremented for each IE although the candidate list is already over which could result in adding all zeros candidates into the neighbor list. Fix that by incrementing the candidates count only for neighbor report elements. Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* WNM: Optimize a single BSS transition management candidate scanJouni Malinen2016-02-261-0/+8
| | | | | | | | | | | If the BSS Transition Management Request frame includes only a single candidate and we need to scan for the BSS to get up-to-date information, use a scan for the known BSSID instead of wildcard BSSID. In addition, set the SSID in the scan if it is known based on old scan results in the BSS table. This removes unnecessary Probe Response frames when we are interested in results from only a single BSS. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Add candidate list to BSS transition queryAvraham Stern2016-02-221-4/+8
| | | | | | | | | | Add an option to configure a candidate list to BSS transition query ("list" as the second argument to WNM_BSS_QUERY). The candidate list is built from the available scan results. If no updated scan results (< 10 sec) are available, the command fails. Signed-off-by: David Spinadel <david.spinadel@intel.com> Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* WNM: Add candidate list to BSS transition responseAvraham Stern2016-02-221-1/+182
| | | | | | | | | Add the transition candidate list to BSS Transition Management Response frame. The candidates preference is set using the regular wpa_supplicant BSS selection logic. If the BSS transition request is rejected and updated scan results are not available, the list is not added. Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* MBO: Add MBO IE to BSS Transition Management Response frameAvraham Stern2016-02-221-0/+8
| | | | | | | | | When rejecting a BSS Transition Management Request frame, add MBO IE to the BSS Transition Management Response frame to specify the transition rejection reason. Signed-off-by: David Spinadel <david.spinadel@intel.com> Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* MBO: Parse MBO IE in BSS Transition Management Request framesAvraham Stern2016-02-221-0/+17
| | | | | | | | | | | | | Add parsing of MBO IE in BSS Transition Management Request frames. If the MBO IE includes the association retry delay attribute, do not try to reconnect to the current BSS until the delay time is over. If the MBO IE includes the cellular data connection preference attribute or the transition rejection reason attribute, send a message to upper layers with the data. Signed-off-by: David Spinadel <david.spinadel@intel.com> Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* WNM: Workaround for broken AP operating class behaviorJouni Malinen2016-02-051-1/+16
| | | | | | | | | | | Some APs do not advertise operating classes correctly for BSS Transition Management. Try to determine the most likely operating frequency based on the channel number (1..14 --> 2.4 GHz; 36..169 --> 5 GHz) if invalid op_class == 0 is received in a BSS Transition Management Request. This speeds up the following operating by avoiding a full scan due to an unknown channel. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been usedJouni Malinen2015-11-101-0/+8
| | | | | | | | The AP is not expected to send out a WNM-Sleep Mode Response frame without the STA trying to use WNM-Sleep Mode. Drop such unexpected responses to reduce unnecessary processing of the frame. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in useJouni Malinen2015-11-101-0/+6
| | | | | | | | WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is enabled. Verify that PMF is in use before using this field on station side to avoid accepting unauthenticated key updates. (CVE-2015-5310) Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Clear BSS TM data if already associated with preferred candidateJouni Malinen2015-11-011-0/+1
| | | | | | | | | | | | | | | | | Previously, wnm_deallocate_memory() was called only if we decided to move to another BSS at the completion of an accepted BSS Transition Management Request. This resulted in the candidate information being left in effect for the following scan operation if we were already associated with the preferred candidate. This could result in unexpected behavior in the following connection attempt. Fix this by clearing the candidate information even if we do not need to roam to another BSS. This was triggered with mac80211_hwsim test cases in this sequence: wnm_bss_tm ap_track_sta_force_2ghz Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Verify WNM Sleep Mode element lengthJouni Malinen2015-10-251-1/+1
| | | | | | | | | This element is required to have at least four octets of actual payload. This was not previously verified before use and the extra buffer data after the IE might have been used instead if a received WNM-Sleep Mode Response frame was invalid. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Mark set TFS buffer constJouni Malinen2015-10-251-8/+10
| | | | | | | | This moves the type cast needed for the current driver interface to ieee802_11_set_tfs_ie() to allow the WNM-Sleep parsing routines to use const pointers. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Avoid undefined behavior in pointer arithmeticJouni Malinen2015-10-251-12/+12
| | | | | | | | | Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
* Use os_calloc() instead of os_zalloc()Jouni Malinen2014-12-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | Automatic changes with spatch using the following semantic patch: @@ constant C; type T; @@ - os_zalloc(C*sizeof(T)) + os_calloc(C,sizeof(T)) @@ expression E; type T; @@ - os_zalloc((E)*sizeof(T)) + os_calloc(E,sizeof(T)) Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Use country code, if available, to help in channel mappingJouni Malinen2014-11-241-1/+11
| | | | | | | | The country code from the current AP needs to be used in ieee80211_chan_to_freq() to support cases where non-global operating class table is used. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Use a clearer validation step for key_len_totalJouni Malinen2014-11-231-2/+4
| | | | | | | The previous one based on pointer arithmetic was apparently too much for some static analyzers (CID 68130). Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Print debug message if Action frame sending failsJouni Malinen2014-11-231-3/+8
| | | | | | | This makes wpa_drv_send_action() return value checking more consistent (CID 75390). Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Use recent scan results on BSS transition requestJouni Malinen2014-11-221-2/+20
| | | | | | | | | If the last scans are recent (for now, less than ten seconds old), use them instead of triggering a new scan when a BSS Transition Management Request frame is received. As a fallback, allow a new scan to be triggered if no matches were found. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Optimize BSS transition management scansJouni Malinen2014-11-221-2/+83
| | | | | | | | When the list of preferred transition candidates is received, use the identified channels to optimize the following scan so that no time is wasted on other channels. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Move transition candidate list processing to normal scanJouni Malinen2014-11-221-63/+70
| | | | | | This makes it easier to optimize transition request processing. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Fix TM candidate freeing if multiple requests are processedJouni Malinen2014-11-221-2/+1
| | | | | | | The previously cached candidate list needs to be free properly through a call to wnm_deallocate_memory() to ensure all subelements gets freed. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Allow BSS transition request in same ESS even if RSSI is worseJouni Malinen2014-11-221-18/+57
| | | | | | | | This allows an AP to steer us to another BSS within the ESS even if that results in reduced signal strength as long as the signal strength with the target BSS is expected to provide some connectivity. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Mark wnm_scan_response() staticJouni Malinen2014-11-221-2/+2
| | | | | | This function is not used outside wnm_sta.c. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Order BSS transmission candidate entries based on preferenceJouni Malinen2014-11-221-0/+30
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Simplify how candidate subelements are storedJouni Malinen2014-11-221-48/+17
| | | | | | | | There is no need to use a separately allocated data structures for this. A bitfield indicating which information is present and variables within struct neighbor_report are simpler to use and more efficient. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Calculate valid-until time for transition candidate listJouni Malinen2014-11-221-8/+21
| | | | | | | This is of more use than the raw validity interval (number of beacon intervals) that was recorded previously. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Convert BSSID Info into a u32Jouni Malinen2014-11-221-3/+4
| | | | | | This is more convenient to use than u8 array. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Debug print WNM BSS Transition Candidate ListJouni Malinen2014-11-221-0/+22
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Use cleaner way of generating pointer to a field (CID 68100)Jouni Malinen2014-06-121-2/+1
| | | | | | | | The Action code field is in a fixed location, so the IEEE80211_HDRLEN can be used here to clean up bounds checking to avoid false reports from static analyzer. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Remove unnecessary present flagJouni Malinen2014-04-071-8/+0
| | | | | | | The structures are all allocated, so the pointer can be compared to NULL to determine whether the subelement was present. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Fix neighbor report subelement formatsJouni Malinen2014-04-071-10/+10
| | | | | | Number of of subelements were using incorrect format definition. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Fix neighbor report subelement parser to not leak memoryJouni Malinen2014-04-071-0/+8
| | | | | | | | If a subelement is unexpectedly included multiple times, the parser must not re-allocate memory for the entry without first freeing the old allocation. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Fix neighbor report subelement parserJouni Malinen2014-04-071-5/+14
| | | | | | | | Only the Neighbor Report element should be included here, so verify that the element id matches. In addition, verify that each subelement has valid length before using the data. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Fix deinit path to clean neighbor report countJouni Malinen2014-04-071-0/+1
| | | | | | | | | wnm_deallocate_memory() left wnm_num_neighbor_report set while freeing the allocated buffer of neighbor reports. If this function was called twice in a row without having went through new neighbor report parsing, invalid pointers could have been freed resulted in segfault. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Fix regression in Sleep Mode exit key data parsingJouni Malinen2014-04-051-2/+6
| | | | | | | | | | | Commit dbfb8e82ff69e6c7969b7cd23e53fd39b3e896e7 changed the Action frame RX payload pointer design to point to a different field. WNM Sleep Mode Response handler updated one of the uses to accommodate this change, but that commit missed another use for key data length. This resulted in GTK and IGTK being ignored in many cases when waking up from WNM Sleep Mode with PMF enabled. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Check wpa_s->current_bss more consistentlyJouni Malinen2014-03-021-3/+2
| | | | | | | | | The scan result comparison routine would not make much sense without current BSS level known, so return from the function without going through the iteration that could have dereferenced the pointer if wpa_s->current_bss == NULL. Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0R2: Add STA support for Deauthentication Request notificationJouni Malinen2014-02-251-3/+44
| | | | | | | If requested, disable the network based on the HS 2.0 deauthentication request. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* HS 2.0R2: Add WNM-Notification Request for Subscription RemediationJouni Malinen2014-02-251-0/+110
| | | | | | | | Subscription remediation notification WNM-Notification Request is now shown in the following way in wpa_supplicant control interface: <3>HS20-SUBSCRIPTION-REMEDIATION http://example.com/foo/ Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove unnecessary EVENT_RX_ACTIONJouni Malinen2013-12-291-13/+14
| | | | | | | | | | | | This driver event was used separately for some Action frames, but all the driver wrappers converted to this from information that would have been enough to indicate an EVENT_RX_MGMT event. In addition, the received event was then converted back to a full IEEE 802.11 management frame for processing in most cases. This is unnecessary complexity, so get rid of the extra path and use EVENT_RX_MGMT for Action frames as well as other management frame subtypes. Signed-hostap: Jouni Malinen <j@w1.fi>
* WNM: Add Target BSSID into BSS Transition Management ResponseJouni Malinen2013-12-271-1/+9
| | | | | | | P802.11-REVmc clarifies that the Target BSSID field is always present hen status code is zero, so match that requirement. Signed-hostap: Jouni Malinen <j@w1.fi>
* WNM: Use nonzero dialog token in BSS Transition Management QueryJouni Malinen2013-12-271-1/+1
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* WNM: Add debug logs to get the RSSI from the scan resultsSudha Daram2013-12-261-0/+12
| | | | | | | | This commit adds few more debug prints to log the RSSI information from the scanned BSSIDs and the current connected BSSID when comparing neighbor results during WNM Transition Management Request processing. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Make ESS Disassoc Imminent event more convenient to useJouni Malinen2013-05-231-3/+13
| | | | | | | | Define a proper event prefix and include additional information to allow ESS Dissassociation Imminent event to be used in a wpa_cli action script. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Do not reject ESS Disassoc ImminentJouni Malinen2013-05-231-4/+8
| | | | | | | This indication is not expected to include candidates, so do not reject it based on that. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Use defines for BSS Trans Mgmt field valuesJouni Malinen2013-05-231-10/+11
| | | | Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Add sending of BSS Transition Management QueryVinayak Kamath2013-05-161-0/+35
| | | | | | | The new control interface command can be used to send a BSS Transition Management Query frame to the current AP. Signed-hostap: Vinayak Kamath <vkamat@codeaurora.org>