2 * Interworking (IEEE 802.11u)
3 * Copyright (c) 2011, Qualcomm Atheros
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "common/ieee802_11_defs.h"
19 #include "common/gas.h"
20 #include "common/wpa_ctrl.h"
21 #include "drivers/driver.h"
22 #include "eap_common/eap_defs.h"
23 #include "eap_peer/eap_methods.h"
24 #include "wpa_supplicant_i.h"
29 #include "gas_query.h"
30 #include "interworking.h"
33 static void interworking_next_anqp_fetch(struct wpa_supplicant *wpa_s);
36 static struct wpabuf * anqp_build_req(u16 info_ids[], size_t num_ids,
43 buf = gas_anqp_build_initial_req(0, 4 + num_ids * 2 +
44 (extra ? wpabuf_len(extra) : 0));
48 len_pos = gas_anqp_add_element(buf, ANQP_QUERY_LIST);
49 for (i = 0; i < num_ids; i++)
50 wpabuf_put_le16(buf, info_ids[i]);
51 gas_anqp_set_element_len(buf, len_pos);
53 wpabuf_put_buf(buf, extra);
55 gas_anqp_set_len(buf);
61 static void interworking_anqp_resp_cb(void *ctx, const u8 *dst,
63 enum gas_query_result result,
64 const struct wpabuf *adv_proto,
65 const struct wpabuf *resp,
68 struct wpa_supplicant *wpa_s = ctx;
70 anqp_resp_cb(wpa_s, dst, dialog_token, result, adv_proto, resp,
72 interworking_next_anqp_fetch(wpa_s);
76 static int interworking_anqp_send_req(struct wpa_supplicant *wpa_s,
85 ANQP_NETWORK_AUTH_TYPE,
86 ANQP_ROAMING_CONSORTIUM,
87 ANQP_IP_ADDR_TYPE_AVAILABILITY,
89 ANQP_3GPP_CELLULAR_NETWORK,
92 struct wpabuf *extra = NULL;
94 wpa_printf(MSG_DEBUG, "Interworking: ANQP Query Request to " MACSTR,
97 buf = anqp_build_req(info_ids, sizeof(info_ids) / sizeof(info_ids[0]),
103 res = gas_query_req(wpa_s->gas, bss->bssid, bss->freq, buf,
104 interworking_anqp_resp_cb, wpa_s);
106 wpa_printf(MSG_DEBUG, "ANQP: Failed to send Query Request");
109 wpa_printf(MSG_DEBUG, "ANQP: Query started with dialog token "
117 struct nai_realm_eap {
120 enum nai_realm_eap_auth_inner_non_eap inner_non_eap;
122 u8 tunneled_cred_type;
129 struct nai_realm_eap *eap;
133 static void nai_realm_free(struct nai_realm *realms, u16 count)
139 for (i = 0; i < count; i++) {
140 os_free(realms[i].eap);
141 os_free(realms[i].realm);
147 static const u8 * nai_realm_parse_eap(struct nai_realm_eap *e, const u8 *pos,
150 u8 elen, auth_count, a;
154 wpa_printf(MSG_DEBUG, "No room for EAP Method fixed fields");
159 if (pos + elen > end || elen < 2) {
160 wpa_printf(MSG_DEBUG, "No room for EAP Method subfield");
166 wpa_printf(MSG_DEBUG, "EAP Method: len=%u method=%u auth_count=%u",
167 elen, e->method, auth_count);
169 for (a = 0; a < auth_count; a++) {
172 if (pos + 2 > end || pos + 2 + pos[1] > end) {
173 wpa_printf(MSG_DEBUG, "No room for Authentication "
174 "Parameter subfield");
182 case NAI_REALM_EAP_AUTH_NON_EAP_INNER_AUTH:
185 e->inner_non_eap = *pos;
186 if (e->method != EAP_TYPE_TTLS)
189 case NAI_REALM_INNER_NON_EAP_PAP:
190 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP");
192 case NAI_REALM_INNER_NON_EAP_CHAP:
193 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP");
195 case NAI_REALM_INNER_NON_EAP_MSCHAP:
196 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP");
198 case NAI_REALM_INNER_NON_EAP_MSCHAPV2:
199 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2");
203 case NAI_REALM_EAP_AUTH_INNER_AUTH_EAP_METHOD:
206 e->inner_method = *pos;
207 wpa_printf(MSG_DEBUG, "Inner EAP method: %u",
210 case NAI_REALM_EAP_AUTH_CRED_TYPE:
214 wpa_printf(MSG_DEBUG, "Credential Type: %u",
217 case NAI_REALM_EAP_AUTH_TUNNELED_CRED_TYPE:
220 e->tunneled_cred_type = *pos;
221 wpa_printf(MSG_DEBUG, "Tunneled EAP Method Credential "
222 "Type: %u", e->tunneled_cred_type);
225 wpa_printf(MSG_DEBUG, "Unsupported Authentication "
226 "Parameter: id=%u len=%u", id, len);
227 wpa_hexdump(MSG_DEBUG, "Authentication Parameter "
239 static const u8 * nai_realm_parse_realm(struct nai_realm *r, const u8 *pos,
247 wpa_printf(MSG_DEBUG, "No room for NAI Realm Data "
252 len = WPA_GET_LE16(pos); /* NAI Realm Data field Length */
254 if (pos + len > end || len < 3) {
255 wpa_printf(MSG_DEBUG, "No room for NAI Realm Data "
257 len, (unsigned int) (end - pos));
262 r->encoding = *pos++;
264 if (pos + realm_len > f_end) {
265 wpa_printf(MSG_DEBUG, "No room for NAI Realm "
267 realm_len, (unsigned int) (f_end - pos));
270 wpa_hexdump_ascii(MSG_DEBUG, "NAI Realm", pos, realm_len);
271 r->realm = os_malloc(realm_len + 1);
272 if (r->realm == NULL)
274 os_memcpy(r->realm, pos, realm_len);
275 r->realm[realm_len] = '\0';
278 if (pos + 1 > f_end) {
279 wpa_printf(MSG_DEBUG, "No room for EAP Method Count");
282 r->eap_count = *pos++;
283 wpa_printf(MSG_DEBUG, "EAP Count: %u", r->eap_count);
284 if (pos + r->eap_count * 3 > f_end) {
285 wpa_printf(MSG_DEBUG, "No room for EAP Methods");
288 r->eap = os_zalloc(r->eap_count * sizeof(struct nai_realm_eap));
292 for (e = 0; e < r->eap_count; e++) {
293 pos = nai_realm_parse_eap(&r->eap[e], pos, f_end);
302 static struct nai_realm * nai_realm_parse(struct wpabuf *anqp, u16 *count)
304 struct nai_realm *realm;
308 if (anqp == NULL || wpabuf_len(anqp) < 2)
311 pos = wpabuf_head_u8(anqp);
312 end = pos + wpabuf_len(anqp);
313 num = WPA_GET_LE16(pos);
314 wpa_printf(MSG_DEBUG, "NAI Realm Count: %u", num);
317 if (num * 5 > end - pos) {
318 wpa_printf(MSG_DEBUG, "Invalid NAI Realm Count %u - not "
319 "enough data (%u octets) for that many realms",
320 num, (unsigned int) (end - pos));
324 realm = os_zalloc(num * sizeof(struct nai_realm));
328 for (i = 0; i < num; i++) {
329 pos = nai_realm_parse_realm(&realm[i], pos, end);
331 nai_realm_free(realm, num);
341 static int nai_realm_match(struct nai_realm *realm, const char *home_realm)
343 char *tmp, *pos, *end;
346 if (realm->realm == NULL)
349 if (os_strchr(realm->realm, ';') == NULL)
350 return os_strcasecmp(realm->realm, home_realm) == 0;
352 tmp = os_strdup(realm->realm);
358 end = os_strchr(pos, ';');
361 if (os_strcasecmp(pos, home_realm) == 0) {
376 static int nai_realm_cred_username(struct nai_realm_eap *eap)
378 if (eap_get_name(EAP_VENDOR_IETF, eap->method) == NULL)
379 return 0; /* method not supported */
381 if (eap->method != EAP_TYPE_TTLS && eap->method != EAP_TYPE_PEAP) {
382 /* Only tunneled methods with username/password supported */
386 if (eap->method == EAP_TYPE_PEAP &&
387 eap_get_name(EAP_VENDOR_IETF, eap->inner_method) == NULL)
390 if (eap->method == EAP_TYPE_TTLS) {
391 if (eap->inner_method == 0 && eap->inner_non_eap == 0)
393 if (eap->inner_method &&
394 eap_get_name(EAP_VENDOR_IETF, eap->inner_method) == NULL)
396 if (eap->inner_non_eap &&
397 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_PAP &&
398 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_CHAP &&
399 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_MSCHAP &&
400 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_MSCHAPV2)
404 if (eap->inner_method &&
405 eap->inner_method != EAP_TYPE_GTC &&
406 eap->inner_method != EAP_TYPE_MSCHAPV2)
413 struct nai_realm_eap * nai_realm_find_eap(struct wpa_supplicant *wpa_s,
414 struct nai_realm *realm)
418 if (wpa_s->conf->home_username == NULL ||
419 wpa_s->conf->home_username[0] == '\0' ||
420 wpa_s->conf->home_password == NULL ||
421 wpa_s->conf->home_password[0] == '\0')
424 for (e = 0; e < realm->eap_count; e++) {
425 struct nai_realm_eap *eap = &realm->eap[e];
426 if (nai_realm_cred_username(eap))
434 int interworking_connect(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
436 struct wpa_ssid *ssid;
437 struct nai_realm *realm;
438 struct nai_realm_eap *eap = NULL;
445 ie = wpa_bss_get_ie(bss, WLAN_EID_SSID);
446 if (ie == NULL || ie[1] == 0) {
447 wpa_printf(MSG_DEBUG, "Interworking: No SSID known for "
448 MACSTR, MAC2STR(bss->bssid));
452 realm = nai_realm_parse(bss->anqp_nai_realm, &count);
454 wpa_printf(MSG_DEBUG, "Interworking: Could not parse NAI "
455 "Realm list from " MACSTR, MAC2STR(bss->bssid));
456 nai_realm_free(realm, count);
460 for (i = 0; i < count; i++) {
461 if (!nai_realm_match(&realm[i], wpa_s->conf->home_realm))
463 eap = nai_realm_find_eap(wpa_s, &realm[i]);
469 wpa_printf(MSG_DEBUG, "Interworking: No matching credentials "
470 "and EAP method found for " MACSTR,
471 MAC2STR(bss->bssid));
472 nai_realm_free(realm, count);
476 wpa_printf(MSG_DEBUG, "Interworking: Connect with " MACSTR,
477 MAC2STR(bss->bssid));
479 ssid = wpa_config_add_network(wpa_s->conf);
481 nai_realm_free(realm, count);
484 wpas_notify_network_added(wpa_s, ssid);
485 wpa_config_set_network_defaults(ssid);
487 ssid->ssid = os_zalloc(ie[1] + 1);
488 if (ssid->ssid == NULL)
490 os_memcpy(ssid->ssid, ie + 2, ie[1]);
491 ssid->ssid_len = ie[1];
493 if (wpa_config_set(ssid, "eap", eap_get_name(EAP_VENDOR_IETF,
494 eap->method), 0) < 0)
497 if (wpa_s->conf->home_username && wpa_s->conf->home_username[0] &&
498 wpa_config_set_quoted(ssid, "identity",
499 wpa_s->conf->home_username) < 0)
502 if (wpa_s->conf->home_password && wpa_s->conf->home_password[0] &&
503 wpa_config_set_quoted(ssid, "password", wpa_s->conf->home_password)
507 switch (eap->method) {
509 if (eap->inner_method) {
510 os_snprintf(buf, sizeof(buf), "\"autheap=%s\"",
511 eap_get_name(EAP_VENDOR_IETF,
513 if (wpa_config_set(ssid, "phase2", buf, 0) < 0)
517 switch (eap->inner_non_eap) {
518 case NAI_REALM_INNER_NON_EAP_PAP:
519 if (wpa_config_set(ssid, "phase2", "\"auth=PAP\"", 0) <
523 case NAI_REALM_INNER_NON_EAP_CHAP:
524 if (wpa_config_set(ssid, "phase2", "\"auth=CHAP\"", 0)
528 case NAI_REALM_INNER_NON_EAP_MSCHAP:
529 if (wpa_config_set(ssid, "phase2", "\"auth=CHAP\"", 0)
533 case NAI_REALM_INNER_NON_EAP_MSCHAPV2:
534 if (wpa_config_set(ssid, "phase2", "\"auth=MSCHAPV2\"",
541 os_snprintf(buf, sizeof(buf), "\"auth=%s\"",
542 eap_get_name(EAP_VENDOR_IETF, eap->inner_method));
543 if (wpa_config_set(ssid, "phase2", buf, 0) < 0)
548 if (wpa_s->conf->home_ca_cert && wpa_s->conf->home_ca_cert[0] &&
549 wpa_config_set_quoted(ssid, "ca_cert", wpa_s->conf->home_ca_cert) <
553 nai_realm_free(realm, count);
555 wpa_supplicant_select_network(wpa_s, ssid);
560 wpas_notify_network_removed(wpa_s, ssid);
561 wpa_config_remove_network(wpa_s->conf, ssid->id);
562 nai_realm_free(realm, count);
567 static int interworking_credentials_available(struct wpa_supplicant *wpa_s,
570 struct nai_realm *realm;
574 if (bss->anqp_nai_realm == NULL)
577 if (wpa_s->conf->home_realm == NULL)
580 wpa_printf(MSG_DEBUG, "Interworking: Parsing NAI Realm list from "
581 MACSTR, MAC2STR(bss->bssid));
582 realm = nai_realm_parse(bss->anqp_nai_realm, &count);
584 wpa_printf(MSG_DEBUG, "Interworking: Could not parse NAI "
585 "Realm list from " MACSTR, MAC2STR(bss->bssid));
589 for (i = 0; i < count; i++) {
590 if (!nai_realm_match(&realm[i], wpa_s->conf->home_realm))
592 if (nai_realm_find_eap(wpa_s, &realm[i])) {
598 nai_realm_free(realm, count);
604 static void interworking_select_network(struct wpa_supplicant *wpa_s)
606 struct wpa_bss *bss, *selected = NULL;
607 unsigned int count = 0;
609 wpa_s->network_select = 0;
611 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
612 if (!interworking_credentials_available(wpa_s, bss))
615 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_AP MACSTR,
616 MAC2STR(bss->bssid));
617 if (selected == NULL && wpa_s->auto_select)
622 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_NO_MATCH "No network "
623 "with matching credentials found");
627 interworking_connect(wpa_s, selected);
631 static void interworking_next_anqp_fetch(struct wpa_supplicant *wpa_s)
637 if (!wpa_s->fetch_anqp_in_progress)
640 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
641 if (!(bss->caps & IEEE80211_CAP_ESS))
643 ie = wpa_bss_get_ie(bss, WLAN_EID_EXT_CAPAB);
644 if (ie == NULL || ie[1] < 4 || !(ie[5] & 0x80))
645 continue; /* AP does not support Interworking */
647 if (!(bss->flags & WPA_BSS_ANQP_FETCH_TRIED)) {
649 bss->flags |= WPA_BSS_ANQP_FETCH_TRIED;
650 wpa_msg(wpa_s, MSG_INFO, "Starting ANQP fetch for "
651 MACSTR, MAC2STR(bss->bssid));
652 interworking_anqp_send_req(wpa_s, bss);
658 wpa_msg(wpa_s, MSG_INFO, "ANQP fetch completed");
659 wpa_s->fetch_anqp_in_progress = 0;
660 if (wpa_s->network_select)
661 interworking_select_network(wpa_s);
666 static void interworking_start_fetch_anqp(struct wpa_supplicant *wpa_s)
670 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list)
671 bss->flags &= ~WPA_BSS_ANQP_FETCH_TRIED;
673 wpa_s->fetch_anqp_in_progress = 1;
674 interworking_next_anqp_fetch(wpa_s);
678 int interworking_fetch_anqp(struct wpa_supplicant *wpa_s)
680 if (wpa_s->fetch_anqp_in_progress || wpa_s->network_select)
683 wpa_s->network_select = 0;
685 interworking_start_fetch_anqp(wpa_s);
691 void interworking_stop_fetch_anqp(struct wpa_supplicant *wpa_s)
693 if (!wpa_s->fetch_anqp_in_progress)
696 wpa_s->fetch_anqp_in_progress = 0;
700 int anqp_send_req(struct wpa_supplicant *wpa_s, const u8 *dst,
701 u16 info_ids[], size_t num_ids)
709 freq = wpa_s->assoc_freq;
710 bss = wpa_bss_get_bssid(wpa_s, dst);
716 wpa_printf(MSG_DEBUG, "ANQP: Query Request to " MACSTR " for %u id(s)",
717 MAC2STR(dst), (unsigned int) num_ids);
719 buf = anqp_build_req(info_ids, num_ids, NULL);
723 res = gas_query_req(wpa_s->gas, dst, freq, buf, anqp_resp_cb, wpa_s);
725 wpa_printf(MSG_DEBUG, "ANQP: Failed to send Query Request");
728 wpa_printf(MSG_DEBUG, "ANQP: Query started with dialog token "
736 static void interworking_parse_rx_anqp_resp(struct wpa_supplicant *wpa_s,
737 const u8 *sa, u16 info_id,
738 const u8 *data, size_t slen)
740 const u8 *pos = data;
741 struct wpa_bss *bss = wpa_bss_get_bssid(wpa_s, sa);
744 case ANQP_CAPABILITY_LIST:
745 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
746 " ANQP Capability list", MAC2STR(sa));
748 case ANQP_VENUE_NAME:
749 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
750 " Venue Name", MAC2STR(sa));
751 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Venue Name", pos, slen);
753 wpabuf_free(bss->anqp_venue_name);
754 bss->anqp_venue_name = wpabuf_alloc_copy(pos, slen);
757 case ANQP_NETWORK_AUTH_TYPE:
758 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
759 " Network Authentication Type information",
761 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Network Authentication "
764 wpabuf_free(bss->anqp_network_auth_type);
765 bss->anqp_network_auth_type =
766 wpabuf_alloc_copy(pos, slen);
769 case ANQP_ROAMING_CONSORTIUM:
770 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
771 " Roaming Consortium list", MAC2STR(sa));
772 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Roaming Consortium",
775 wpabuf_free(bss->anqp_roaming_consortium);
776 bss->anqp_roaming_consortium =
777 wpabuf_alloc_copy(pos, slen);
780 case ANQP_IP_ADDR_TYPE_AVAILABILITY:
781 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
782 " IP Address Type Availability information",
784 wpa_hexdump(MSG_MSGDUMP, "ANQP: IP Address Availability",
787 wpabuf_free(bss->anqp_ip_addr_type_availability);
788 bss->anqp_ip_addr_type_availability =
789 wpabuf_alloc_copy(pos, slen);
793 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
794 " NAI Realm list", MAC2STR(sa));
795 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: NAI Realm", pos, slen);
797 wpabuf_free(bss->anqp_nai_realm);
798 bss->anqp_nai_realm = wpabuf_alloc_copy(pos, slen);
801 case ANQP_3GPP_CELLULAR_NETWORK:
802 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
803 " 3GPP Cellular Network information", MAC2STR(sa));
804 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: 3GPP Cellular Network",
807 wpabuf_free(bss->anqp_3gpp);
808 bss->anqp_3gpp = wpabuf_alloc_copy(pos, slen);
811 case ANQP_DOMAIN_NAME:
812 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR
813 " Domain Name list", MAC2STR(sa));
814 wpa_hexdump_ascii(MSG_MSGDUMP, "ANQP: Domain Name", pos, slen);
816 wpabuf_free(bss->anqp_domain_name);
817 bss->anqp_domain_name = wpabuf_alloc_copy(pos, slen);
820 case ANQP_VENDOR_SPECIFIC:
824 switch (WPA_GET_BE24(pos)) {
826 wpa_printf(MSG_DEBUG, "Interworking: Unsupported "
827 "vendor-specific ANQP OUI %06x",
833 wpa_printf(MSG_DEBUG, "Interworking: Unsupported ANQP Info ID "
840 void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
841 enum gas_query_result result,
842 const struct wpabuf *adv_proto,
843 const struct wpabuf *resp, u16 status_code)
845 struct wpa_supplicant *wpa_s = ctx;
851 if (result != GAS_QUERY_SUCCESS)
854 pos = wpabuf_head(adv_proto);
855 if (wpabuf_len(adv_proto) < 4 || pos[0] != WLAN_EID_ADV_PROTO ||
856 pos[1] < 2 || pos[3] != ACCESS_NETWORK_QUERY_PROTOCOL) {
857 wpa_printf(MSG_DEBUG, "ANQP: Unexpected Advertisement "
858 "Protocol in response");
862 pos = wpabuf_head(resp);
863 end = pos + wpabuf_len(resp);
867 wpa_printf(MSG_DEBUG, "ANQP: Invalid element");
870 info_id = WPA_GET_LE16(pos);
872 slen = WPA_GET_LE16(pos);
874 if (pos + slen > end) {
875 wpa_printf(MSG_DEBUG, "ANQP: Invalid element length "
876 "for Info ID %u", info_id);
879 interworking_parse_rx_anqp_resp(wpa_s, dst, info_id, pos,
886 static void interworking_scan_res_handler(struct wpa_supplicant *wpa_s,
887 struct wpa_scan_results *scan_res)
889 wpa_printf(MSG_DEBUG, "Interworking: Scan results available - start "
891 interworking_start_fetch_anqp(wpa_s);
895 int interworking_select(struct wpa_supplicant *wpa_s, int auto_select)
897 interworking_stop_fetch_anqp(wpa_s);
898 wpa_s->network_select = 1;
899 wpa_s->auto_select = !!auto_select;
900 wpa_printf(MSG_DEBUG, "Interworking: Start scan for network "
902 wpa_s->scan_res_handler = interworking_scan_res_handler;
904 wpa_supplicant_req_scan(wpa_s, 0, 0);