wpa_supplicant: Add BTM security checks

2024-10-05 20:47:46 -04:00 · 2021-12-31 20:15:32 +05:30 · 2021-12-31 20:15:32 +05:30 · bf4f9b9e41
commit bf4f9b9e41
parent b1f7ad6983
7 changed files with 111 additions and 85 deletions
--- a/components/wpa_supplicant/src/common/scan.c
+++ b/components/wpa_supplicant/src/common/scan.c
@ -36,6 +36,10 @@ void wpa_supplicant_req_scan(struct wpa_supplicant *wpa_s, int sec, int usec)
 		wpa_dbg(wpa_s, MSG_DEBUG, "Already scanning - Return");
 		return;
 	}
+	if (!wpa_s->current_bss) {
+		wpa_dbg(wpa_s, MSG_INFO, "Current BSS is null - Return");
+		return;
+	}
 	params = os_zalloc(sizeof(*params));

 	if (!params) {
--- a/components/wpa_supplicant/src/common/wnm_sta.c
+++ b/components/wpa_supplicant/src/common/wnm_sta.c
@ -205,12 +205,15 @@ bool wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 		return false;
 	}

-	/* TODO security Match */
+	/* Just check for Open/secure mode */
+	if ((current_bss->caps & WLAN_CAPABILITY_PRIVACY) != (target_bss->caps & WLAN_CAPABILITY_PRIVACY)) {
+		wpa_printf(MSG_DEBUG, "WNM: Security didn't match");
+		return false;
+	}

 	return true;
 }

-
 static struct wpa_bss *
 compare_scan_neighbor_results(struct wpa_supplicant *wpa_s, os_time_t age_secs,
 			      enum mbo_transition_reject_reason *reason)
--- a/components/wpa_supplicant/src/esp_supplicant/esp_common.c
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_common.c
@ -1,17 +1,7 @@
-/**
- * Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+/*
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
 *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0
 */

 #include "utils/includes.h"
@ -33,12 +23,12 @@

 struct wpa_supplicant g_wpa_supp;

-static void *s_supplicant_task_hdl = NULL;
+static TaskHandle_t s_supplicant_task_hdl = NULL;
 static void *s_supplicant_evt_queue = NULL;
 static void *s_supplicant_api_lock = NULL;

-static int esp_handle_action_frm(u8 *frame, size_t len,
-				 u8 *sender, u32 rssi, u8 channel)
+static int handle_action_frm(u8 *frame, size_t len,
+			     u8 *sender, u32 rssi, u8 channel)
 {
 	struct ieee_mgmt_frame *frm = os_malloc(sizeof(struct ieee_mgmt_frame) + len);

@ -61,7 +51,7 @@ static int esp_handle_action_frm(u8 *frame, size_t len,
 	return 0;
 }

-static void esp_rx_rrm_frame(struct wpa_supplicant *wpa_s, u8 *sender,
+static void handle_rrm_frame(struct wpa_supplicant *wpa_s, u8 *sender,
 			     u8 *payload, size_t len, u32 rssi)
 {
 	if (payload[0] == WLAN_RRM_NEIGHBOR_REPORT_RESPONSE) {
@ -78,7 +68,7 @@ static void esp_rx_rrm_frame(struct wpa_supplicant *wpa_s, u8 *sender,
 	}
 }

-static int esp_mgmt_rx_action(u8 *sender, u8 *payload, size_t len, u8 channel, u32 rssi)
+static int mgmt_rx_action(u8 *sender, u8 *payload, size_t len, u8 channel, u32 rssi)
 {
 	u8 category;
 	u8 bssid[ETH_ALEN];
@ -95,13 +85,13 @@ static int esp_mgmt_rx_action(u8 *sender, u8 *payload, size_t len, u8 channel, u
 	if (category == WLAN_ACTION_WNM) {
 		ieee802_11_rx_wnm_action(wpa_s, sender, payload, len);
 	} else if (category == WLAN_ACTION_RADIO_MEASUREMENT) {
-		esp_rx_rrm_frame(wpa_s, sender, payload, len, rssi);
+		handle_rrm_frame(wpa_s, sender, payload, len, rssi);
 	}

 	return 0;
 }

-static void esp_btm_rrm_task(void *pvParameters)
+static void btm_rrm_task(void *pvParameters)
 {
 	supplicant_event_t *evt;
 	bool task_del = false;
@ -120,7 +110,7 @@ static void esp_btm_rrm_task(void *pvParameters)
 		case SIG_SUPPLICANT_RX_ACTION:
 		{
 			struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt->data;
-			esp_mgmt_rx_action(frm->sender, frm->payload, frm->len, frm->channel, frm->rssi);
+			mgmt_rx_action(frm->sender, frm->payload, frm->len, frm->channel, frm->rssi);
 			os_free(frm);
 			break;
 		}
@ -153,7 +143,7 @@ static void esp_btm_rrm_task(void *pvParameters)
 	vTaskDelete(NULL);
 }

-static void esp_clear_bssid_flag(struct wpa_supplicant *wpa_s)
+static void clear_bssid_flag(struct wpa_supplicant *wpa_s)
 {
 	wifi_config_t *config;

@ -175,7 +165,7 @@ static void esp_clear_bssid_flag(struct wpa_supplicant *wpa_s)
 	wpa_printf(MSG_DEBUG, "cleared bssid flag");
 }

-static void esp_register_action_frame(struct wpa_supplicant *wpa_s)
+static void register_action_frame(struct wpa_supplicant *wpa_s)
 {
 	wpa_s->type &= ~(1 << WLAN_FC_STYPE_ACTION);
 	/* subtype is defined only for action frame */
@ -193,8 +183,8 @@ static void esp_register_action_frame(struct wpa_supplicant *wpa_s)
 	esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
 }

-static void esp_supplicant_sta_conn_handler(void* arg, esp_event_base_t event_base,
-					    int32_t event_id, void* event_data)
+static void supplicant_sta_conn_handler(void* arg, esp_event_base_t event_base,
+					int32_t event_id, void* event_data)
 {
 	u8 bssid[ETH_ALEN];
 	u8 *ie;
@ -215,9 +205,9 @@ static void esp_supplicant_sta_conn_handler(void* arg, esp_event_base_t event_ba
 	ieee802_11_parse_elems(wpa_s, ie, bss->ie_len);
 	wpa_bss_flush(wpa_s);
 	/* Register for action frames */
-	esp_register_action_frame(wpa_s);
+	register_action_frame(wpa_s);
 	/* clear set bssid flag */
-	esp_clear_bssid_flag(wpa_s);
+	clear_bssid_flag(wpa_s);
 }

 static void supplicant_sta_disconn_handler(void* arg, esp_event_base_t event_base,
@ -228,19 +218,46 @@ static void supplicant_sta_disconn_handler(void* arg, esp_event_base_t event_bas
 	if (wpa_s->current_bss) {
 		wpa_s->current_bss = NULL;
 	}
+	clear_bssid_flag(wpa_s);
 }

-void esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
+static int ieee80211_handle_rx_frm(u8 type, u8 *frame, size_t len, u8 *sender,
+				   u32 rssi, u8 channel, u64 current_tsf)
+{
+	if (type == WLAN_FC_STYPE_BEACON || type == WLAN_FC_STYPE_PROBE_RESP) {
+		return esp_handle_beacon_probe(type, frame, len, sender, rssi, channel, current_tsf);
+	} else if (type ==  WLAN_FC_STYPE_ACTION) {
+		return handle_action_frm(frame, len, sender, rssi, channel);
+	}
+
+	return -1;
+}
+
+
+int esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
 {
 	struct wpa_supplicant *wpa_s = &g_wpa_supp;
-
-	s_supplicant_evt_queue = xQueueCreate(3, sizeof(supplicant_event_t));
-	xTaskCreate(esp_btm_rrm_task, "btm_rrm_t", SUPPLICANT_TASK_STACK_SIZE, NULL, 2, s_supplicant_task_hdl);
+	int ret;

 	s_supplicant_api_lock = xSemaphoreCreateRecursiveMutex();
 	if (!s_supplicant_api_lock) {
-		wpa_printf(MSG_ERROR, "esp_supplicant_common_init: failed to create Supplicant API lock");
-		return;
+		wpa_printf(MSG_ERROR, "%s: failed to create Supplicant API lock", __func__);
+		ret = -1;
+		goto err;
+	}
+
+	s_supplicant_evt_queue = xQueueCreate(3, sizeof(supplicant_event_t));
+
+	if (!s_supplicant_evt_queue) {
+		wpa_printf(MSG_ERROR, "%s: failed to create Supplicant event queue", __func__);
+		ret = -1;
+		goto err;
+	}
+	ret = xTaskCreate(btm_rrm_task, "btm_rrm_t", SUPPLICANT_TASK_STACK_SIZE, NULL, 2, &s_supplicant_task_hdl);
+	if (ret != pdPASS) {
+		wpa_printf(MSG_ERROR, "btm: failed to create task");
+		ret = -1;
+		goto err;
 	}

 	esp_scan_init(wpa_s);
@ -248,13 +265,19 @@ void esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
 	wpas_clear_beacon_rep_data(wpa_s);

 	esp_event_handler_register(WIFI_EVENT, WIFI_EVENT_STA_CONNECTED,
-			&esp_supplicant_sta_conn_handler, NULL);
+			&supplicant_sta_conn_handler, NULL);
 	esp_event_handler_register(WIFI_EVENT, WIFI_EVENT_STA_DISCONNECTED,
 			&supplicant_sta_disconn_handler, NULL);

 	wpa_s->type = 0;
 	wpa_s->subtype = 0;
-	wpa_cb->wpa_sta_rx_mgmt = esp_ieee80211_handle_rx_frm;
+	wpa_s->type |= (1 << WLAN_FC_STYPE_BEACON) | (1 << WLAN_FC_STYPE_PROBE_RESP);
+	esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
+	wpa_cb->wpa_sta_rx_mgmt = ieee80211_handle_rx_frm;
+	return 0;
+err:
+	esp_supplicant_common_deinit();
+	return ret;
 }

 void esp_supplicant_common_deinit(void)
@ -265,13 +288,22 @@ void esp_supplicant_common_deinit(void)
 	wpas_rrm_reset(wpa_s);
 	wpas_clear_beacon_rep_data(wpa_s);
 	esp_event_handler_unregister(WIFI_EVENT, WIFI_EVENT_STA_CONNECTED,
-			&esp_supplicant_sta_conn_handler);
+			&supplicant_sta_conn_handler);
 	esp_event_handler_unregister(WIFI_EVENT, WIFI_EVENT_STA_DISCONNECTED,
 			&supplicant_sta_disconn_handler);
-	wpa_s->type = 0;
-	wpa_s->subtype = 0;
-	esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
-	if (esp_supplicant_post_evt(SIG_SUPPLICANT_DEL_TASK, 0) != 0) {
+	if (wpa_s->type) {
+		wpa_s->type = 0;
+		esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
+	}
+	if (!s_supplicant_task_hdl && esp_supplicant_post_evt(SIG_SUPPLICANT_DEL_TASK, 0) != 0) {
+		if (s_supplicant_evt_queue) {
+			vQueueDelete(s_supplicant_evt_queue);
+			s_supplicant_evt_queue = NULL;
+		}
+		if (s_supplicant_api_lock) {
+			vSemaphoreDelete(s_supplicant_api_lock);
+			s_supplicant_api_lock = NULL;
+		}
 		wpa_printf(MSG_ERROR, "failed to send task delete event");
 	}
 }
@ -279,20 +311,20 @@ void esp_supplicant_common_deinit(void)
 int esp_rrm_send_neighbor_rep_request(neighbor_rep_request_cb cb,
 				      void *cb_ctx)
 {
-	struct wpa_supplicant *wpa_s = &g_wpa_supp;
 	struct wpa_ssid_value wpa_ssid = {0};
 	struct wifi_ssid *ssid = esp_wifi_sta_get_prof_ssid_internal();
+
 	os_memcpy(wpa_ssid.ssid, ssid->ssid, ssid->len);
 	wpa_ssid.ssid_len = ssid->len;
-	return wpas_rrm_send_neighbor_rep_request(wpa_s, &wpa_ssid, 0, 0, cb, cb_ctx);
+
+	return wpas_rrm_send_neighbor_rep_request(&g_wpa_supp, &wpa_ssid, 0, 0, cb, cb_ctx);
 }

 int esp_wnm_send_bss_transition_mgmt_query(enum btm_query_reason query_reason,
 					   const char *btm_candidates,
 					   int cand_list)
 {
-	struct wpa_supplicant *wpa_s = &g_wpa_supp;
-	return wnm_send_bss_transition_mgmt_query(wpa_s, query_reason, btm_candidates, cand_list);
+	return wnm_send_bss_transition_mgmt_query(&g_wpa_supp, query_reason, btm_candidates, cand_list);
 }

 void wpa_supplicant_connect(struct wpa_supplicant *wpa_s,
@ -397,6 +429,7 @@ int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
 	if (s_supplicant_api_lock) {
 		SUPPLICANT_API_LOCK();
 	} else {
+		os_free(evt);
 		return -1;
 	}
 	if (xQueueSend(s_supplicant_evt_queue, &evt, 10 / portTICK_PERIOD_MS ) != pdPASS) {
@ -409,15 +442,3 @@ int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
 	}
 	return 0;
 }
-
-int esp_ieee80211_handle_rx_frm(u8 type, u8 *frame, size_t len, u8 *sender,
-				u32 rssi, u8 channel, u64 current_tsf)
-{
-	if (type == WLAN_FC_STYPE_BEACON || type == WLAN_FC_STYPE_PROBE_RESP) {
-		return esp_handle_beacon_probe(type, frame, len, sender, rssi, channel, current_tsf);
-	} else if (type ==  WLAN_FC_STYPE_ACTION) {
-		return esp_handle_action_frm(frame, len, sender, rssi, channel);
-	}
-
-	return -1;
-}
--- a/components/wpa_supplicant/src/esp_supplicant/esp_common_i.h
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_common_i.h
@ -1,17 +1,7 @@
-/**
- * Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+/*
+ * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
 *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0
 */

 #ifndef ESP_COMMON_I_H
@ -47,11 +37,9 @@ enum SIG_SUPPLICANT {
 };

 int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data);
-int esp_ieee80211_handle_rx_frm(u8 type, u8 *frame, size_t len, u8 *sender,
-			    u32 rssi, u8 channel, u64 current_tsf);
 void esp_set_rm_enabled_ie(void);
 void esp_get_tx_power(uint8_t *tx_power);
-void esp_supplicant_common_init(struct wpa_funcs *wpa_cb);
+int esp_supplicant_common_init(struct wpa_funcs *wpa_cb);
 void esp_supplicant_common_deinit(void);
 #else

@ -59,11 +47,6 @@ void esp_supplicant_common_deinit(void);
 #include "esp_wnm.h"

 static inline void esp_set_rm_enabled_ie(void) {}
-static inline int esp_ieee80211_handle_rx_frm(u8 type, u8 *frame, size_t len, u8 *sender,
-			    u32 rssi, u8 channel, u64 current_tsf)
-{
-	return -1;
-}
 int esp_rrm_send_neighbor_rep_request(neighbor_rep_request_cb cb,
 				      void *cb_ctx)
 {
--- a/components/wpa_supplicant/src/esp_supplicant/esp_dpp.c
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_dpp.c
@ -13,7 +13,7 @@
 #include "common/ieee802_11_defs.h"

 #ifdef CONFIG_DPP
-static void *s_dpp_task_hdl = NULL;
+static TaskHandle_t s_dpp_task_hdl = NULL;
 static void *s_dpp_evt_queue = NULL;
 static void *s_dpp_api_lock = NULL;

@ -620,6 +620,7 @@ void esp_supp_dpp_stop_listen(void)
 esp_err_t esp_supp_dpp_init(esp_supp_dpp_event_cb_t cb)
 {
    struct dpp_global_config cfg = {0};
+    int ret;

    os_bzero(&s_dpp_ctx, sizeof(s_dpp_ctx));
    s_dpp_ctx.dpp_event_cb = cb;
@ -630,7 +631,11 @@ esp_err_t esp_supp_dpp_init(esp_supp_dpp_event_cb_t cb)

    s_dpp_stop_listening = false;
    s_dpp_evt_queue = xQueueCreate(3, sizeof(dpp_event_t));
-    xTaskCreate(esp_dpp_task, "dppT", DPP_TASK_STACK_SIZE, NULL, 2, s_dpp_task_hdl);
+    ret = xTaskCreate(esp_dpp_task, "dppT", DPP_TASK_STACK_SIZE, NULL, 2, &s_dpp_task_hdl);
+    if (ret != pdPASS) {
+        wpa_printf(MSG_ERROR, "DPP: failed to create task");
+        return ESP_FAIL;
+    }

    s_dpp_api_lock = xSemaphoreCreateRecursiveMutex();
    if (!s_dpp_api_lock) {
--- a/components/wpa_supplicant/src/esp_supplicant/esp_wpa2.c
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_wpa2.c
@ -72,7 +72,7 @@ static int wpa2_start_eapol_internal(void);
 int wpa2_post(uint32_t sig, uint32_t par);

 #ifdef USE_WPA2_TASK
-static void *s_wpa2_task_hdl = NULL;
+static TaskHandle_t s_wpa2_task_hdl = NULL;
 static void *s_wpa2_queue = NULL;
 static wpa2_state_t s_wpa2_state = WPA2_STATE_DISABLED;
 static void *s_wpa2_api_lock = NULL;
@ -803,7 +803,12 @@ static int eap_peer_sm_init(void)
    gEapSm = sm;
 #ifdef USE_WPA2_TASK
    s_wpa2_queue = xQueueCreate(SIG_WPA2_MAX, sizeof( void * ) );
-    xTaskCreate(wpa2_task, "wpa2T", WPA2_TASK_STACK_SIZE, NULL, 2, s_wpa2_task_hdl);
+    ret = xTaskCreate(wpa2_task, "wpa2T", WPA2_TASK_STACK_SIZE, NULL, 2, &s_wpa2_task_hdl);
+    if (ret != pdPASS) {
+        wpa_printf(MSG_ERROR, "wps enable: failed to create task");
+        ret = ESP_FAIL;
+        goto _err;
+    }
    s_wifi_wpa2_sync_sem = xSemaphoreCreateCounting(1, 0);
    if (!s_wifi_wpa2_sync_sem) {
        vQueueDelete(s_wpa2_queue);
--- a/components/wpa_supplicant/src/esp_supplicant/esp_wpa_main.c
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_wpa_main.c
@ -227,9 +227,10 @@ static void wpa_sta_disconnected_cb(uint8_t reason_code)
 }

 #ifndef ROAMING_SUPPORT
-static inline void esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
+static inline int esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
 {
 	wpa_cb->wpa_sta_rx_mgmt = NULL;
+	return 0;
 }
 static inline void esp_supplicant_common_deinit(void)
 {
@ -268,7 +269,11 @@ int esp_supplicant_init(void)
    wpa_cb->wpa_config_done = wpa_config_done;

    esp_wifi_register_wpa3_cb(wpa_cb);
-    esp_supplicant_common_init(wpa_cb);
+    ret = esp_supplicant_common_init(wpa_cb);
+
+    if (ret != 0) {
+        return ret;
+    }

    esp_wifi_register_wpa_cb_internal(wpa_cb);