1/*
2 * WPA Supplicant - Scanning
3 * Copyright (c) 2003-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "common/ieee802_11_defs.h"
14#include "common/wpa_ctrl.h"
15#include "config.h"
16#include "wpa_supplicant_i.h"
17#include "driver_i.h"
18#include "wps_supplicant.h"
19#include "p2p_supplicant.h"
20#include "p2p/p2p.h"
21#include "hs20_supplicant.h"
22#include "notify.h"
23#include "bss.h"
24#include "scan.h"
25#include "mesh.h"
26
27
28static void wpa_supplicant_gen_assoc_event(struct wpa_supplicant *wpa_s)
29{
30	struct wpa_ssid *ssid;
31	union wpa_event_data data;
32
33	ssid = wpa_supplicant_get_ssid(wpa_s);
34	if (ssid == NULL)
35		return;
36
37	if (wpa_s->current_ssid == NULL) {
38		wpa_s->current_ssid = ssid;
39		if (wpa_s->current_ssid != NULL)
40			wpas_notify_network_changed(wpa_s);
41	}
42	wpa_supplicant_initiate_eapol(wpa_s);
43	wpa_dbg(wpa_s, MSG_DEBUG, "Already associated with a configured "
44		"network - generating associated event");
45	os_memset(&data, 0, sizeof(data));
46	wpa_supplicant_event(wpa_s, EVENT_ASSOC, &data);
47}
48
49
50#ifdef CONFIG_WPS
51static int wpas_wps_in_use(struct wpa_supplicant *wpa_s,
52			   enum wps_request_type *req_type)
53{
54	struct wpa_ssid *ssid;
55	int wps = 0;
56
57	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
58		if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
59			continue;
60
61		wps = 1;
62		*req_type = wpas_wps_get_req_type(ssid);
63		if (!ssid->eap.phase1)
64			continue;
65
66		if (os_strstr(ssid->eap.phase1, "pbc=1"))
67			return 2;
68	}
69
70#ifdef CONFIG_P2P
71	if (!wpa_s->global->p2p_disabled && wpa_s->global->p2p &&
72	    !wpa_s->conf->p2p_disabled) {
73		wpa_s->wps->dev.p2p = 1;
74		if (!wps) {
75			wps = 1;
76			*req_type = WPS_REQ_ENROLLEE_INFO;
77		}
78	}
79#endif /* CONFIG_P2P */
80
81	return wps;
82}
83#endif /* CONFIG_WPS */
84
85
86/**
87 * wpa_supplicant_enabled_networks - Check whether there are enabled networks
88 * @wpa_s: Pointer to wpa_supplicant data
89 * Returns: 0 if no networks are enabled, >0 if networks are enabled
90 *
91 * This function is used to figure out whether any networks (or Interworking
92 * with enabled credentials and auto_interworking) are present in the current
93 * configuration.
94 */
95int wpa_supplicant_enabled_networks(struct wpa_supplicant *wpa_s)
96{
97	struct wpa_ssid *ssid = wpa_s->conf->ssid;
98	int count = 0, disabled = 0;
99
100	if (wpa_s->p2p_mgmt)
101		return 0; /* no normal network profiles on p2p_mgmt interface */
102
103	while (ssid) {
104		if (!wpas_network_disabled(wpa_s, ssid))
105			count++;
106		else
107			disabled++;
108		ssid = ssid->next;
109	}
110	if (wpa_s->conf->cred && wpa_s->conf->interworking &&
111	    wpa_s->conf->auto_interworking)
112		count++;
113	if (count == 0 && disabled > 0) {
114		wpa_dbg(wpa_s, MSG_DEBUG, "No enabled networks (%d disabled "
115			"networks)", disabled);
116	}
117	return count;
118}
119
120
121static void wpa_supplicant_assoc_try(struct wpa_supplicant *wpa_s,
122				     struct wpa_ssid *ssid)
123{
124	while (ssid) {
125		if (!wpas_network_disabled(wpa_s, ssid))
126			break;
127		ssid = ssid->next;
128	}
129
130	/* ap_scan=2 mode - try to associate with each SSID. */
131	if (ssid == NULL) {
132		wpa_dbg(wpa_s, MSG_DEBUG, "wpa_supplicant_assoc_try: Reached "
133			"end of scan list - go back to beginning");
134		wpa_s->prev_scan_ssid = WILDCARD_SSID_SCAN;
135		wpa_supplicant_req_scan(wpa_s, 0, 0);
136		return;
137	}
138	if (ssid->next) {
139		/* Continue from the next SSID on the next attempt. */
140		wpa_s->prev_scan_ssid = ssid;
141	} else {
142		/* Start from the beginning of the SSID list. */
143		wpa_s->prev_scan_ssid = WILDCARD_SSID_SCAN;
144	}
145	wpa_supplicant_associate(wpa_s, NULL, ssid);
146}
147
148
149static void wpas_trigger_scan_cb(struct wpa_radio_work *work, int deinit)
150{
151	struct wpa_supplicant *wpa_s = work->wpa_s;
152	struct wpa_driver_scan_params *params = work->ctx;
153	int ret;
154
155	if (deinit) {
156		if (!work->started) {
157			wpa_scan_free_params(params);
158			return;
159		}
160		wpa_supplicant_notify_scanning(wpa_s, 0);
161		wpas_notify_scan_done(wpa_s, 0);
162		wpa_s->scan_work = NULL;
163		return;
164	}
165
166	if (wpas_update_random_addr_disassoc(wpa_s) < 0) {
167		wpa_msg(wpa_s, MSG_INFO,
168			"Failed to assign random MAC address for a scan");
169		radio_work_done(work);
170		return;
171	}
172
173	wpa_supplicant_notify_scanning(wpa_s, 1);
174
175	if (wpa_s->clear_driver_scan_cache) {
176		wpa_printf(MSG_DEBUG,
177			   "Request driver to clear scan cache due to local BSS flush");
178		params->only_new_results = 1;
179	}
180	ret = wpa_drv_scan(wpa_s, params);
181	wpa_scan_free_params(params);
182	work->ctx = NULL;
183	if (ret) {
184		int retry = wpa_s->last_scan_req != MANUAL_SCAN_REQ;
185
186		if (wpa_s->disconnected)
187			retry = 0;
188
189		wpa_supplicant_notify_scanning(wpa_s, 0);
190		wpas_notify_scan_done(wpa_s, 0);
191		if (wpa_s->wpa_state == WPA_SCANNING)
192			wpa_supplicant_set_state(wpa_s,
193						 wpa_s->scan_prev_wpa_state);
194		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_SCAN_FAILED "ret=%d%s",
195			ret, retry ? " retry=1" : "");
196		radio_work_done(work);
197
198		if (retry) {
199			/* Restore scan_req since we will try to scan again */
200			wpa_s->scan_req = wpa_s->last_scan_req;
201			wpa_supplicant_req_scan(wpa_s, 1, 0);
202		}
203		return;
204	}
205
206	os_get_reltime(&wpa_s->scan_trigger_time);
207	wpa_s->scan_runs++;
208	wpa_s->normal_scans++;
209	wpa_s->own_scan_requested = 1;
210	wpa_s->clear_driver_scan_cache = 0;
211	wpa_s->scan_work = work;
212}
213
214
215/**
216 * wpa_supplicant_trigger_scan - Request driver to start a scan
217 * @wpa_s: Pointer to wpa_supplicant data
218 * @params: Scan parameters
219 * Returns: 0 on success, -1 on failure
220 */
221int wpa_supplicant_trigger_scan(struct wpa_supplicant *wpa_s,
222				struct wpa_driver_scan_params *params)
223{
224	struct wpa_driver_scan_params *ctx;
225
226	if (wpa_s->scan_work) {
227		wpa_dbg(wpa_s, MSG_INFO, "Reject scan trigger since one is already pending");
228		return -1;
229	}
230
231	ctx = wpa_scan_clone_params(params);
232	if (ctx == NULL)
233		return -1;
234
235	if (radio_add_work(wpa_s, 0, "scan", 0, wpas_trigger_scan_cb, ctx) < 0)
236	{
237		wpa_scan_free_params(ctx);
238		return -1;
239	}
240
241	return 0;
242}
243
244
245static void
246wpa_supplicant_delayed_sched_scan_timeout(void *eloop_ctx, void *timeout_ctx)
247{
248	struct wpa_supplicant *wpa_s = eloop_ctx;
249
250	wpa_dbg(wpa_s, MSG_DEBUG, "Starting delayed sched scan");
251
252	if (wpa_supplicant_req_sched_scan(wpa_s))
253		wpa_supplicant_req_scan(wpa_s, 0, 0);
254}
255
256
257static void
258wpa_supplicant_sched_scan_timeout(void *eloop_ctx, void *timeout_ctx)
259{
260	struct wpa_supplicant *wpa_s = eloop_ctx;
261
262	wpa_dbg(wpa_s, MSG_DEBUG, "Sched scan timeout - stopping it");
263
264	wpa_s->sched_scan_timed_out = 1;
265	wpa_supplicant_cancel_sched_scan(wpa_s);
266}
267
268
269int wpa_supplicant_start_sched_scan(struct wpa_supplicant *wpa_s,
270				    struct wpa_driver_scan_params *params)
271{
272	int ret;
273
274	wpa_supplicant_notify_scanning(wpa_s, 1);
275	ret = wpa_drv_sched_scan(wpa_s, params);
276	if (ret)
277		wpa_supplicant_notify_scanning(wpa_s, 0);
278	else
279		wpa_s->sched_scanning = 1;
280
281	return ret;
282}
283
284
285int wpa_supplicant_stop_sched_scan(struct wpa_supplicant *wpa_s)
286{
287	int ret;
288
289	ret = wpa_drv_stop_sched_scan(wpa_s);
290	if (ret) {
291		wpa_dbg(wpa_s, MSG_DEBUG, "stopping sched_scan failed!");
292		/* TODO: what to do if stopping fails? */
293		return -1;
294	}
295
296	return ret;
297}
298
299
300static struct wpa_driver_scan_filter *
301wpa_supplicant_build_filter_ssids(struct wpa_config *conf, size_t *num_ssids)
302{
303	struct wpa_driver_scan_filter *ssids;
304	struct wpa_ssid *ssid;
305	size_t count;
306
307	*num_ssids = 0;
308	if (!conf->filter_ssids)
309		return NULL;
310
311	for (count = 0, ssid = conf->ssid; ssid; ssid = ssid->next) {
312		if (ssid->ssid && ssid->ssid_len)
313			count++;
314	}
315	if (count == 0)
316		return NULL;
317	ssids = os_calloc(count, sizeof(struct wpa_driver_scan_filter));
318	if (ssids == NULL)
319		return NULL;
320
321	for (ssid = conf->ssid; ssid; ssid = ssid->next) {
322		if (!ssid->ssid || !ssid->ssid_len)
323			continue;
324		os_memcpy(ssids[*num_ssids].ssid, ssid->ssid, ssid->ssid_len);
325		ssids[*num_ssids].ssid_len = ssid->ssid_len;
326		(*num_ssids)++;
327	}
328
329	return ssids;
330}
331
332
333static void wpa_supplicant_optimize_freqs(
334	struct wpa_supplicant *wpa_s, struct wpa_driver_scan_params *params)
335{
336#ifdef CONFIG_P2P
337	if (params->freqs == NULL && wpa_s->p2p_in_provisioning &&
338	    wpa_s->go_params) {
339		/* Optimize provisioning state scan based on GO information */
340		if (wpa_s->p2p_in_provisioning < 5 &&
341		    wpa_s->go_params->freq > 0) {
342			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Scan only GO "
343				"preferred frequency %d MHz",
344				wpa_s->go_params->freq);
345			params->freqs = os_calloc(2, sizeof(int));
346			if (params->freqs)
347				params->freqs[0] = wpa_s->go_params->freq;
348		} else if (wpa_s->p2p_in_provisioning < 8 &&
349			   wpa_s->go_params->freq_list[0]) {
350			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Scan only common "
351				"channels");
352			int_array_concat(&params->freqs,
353					 wpa_s->go_params->freq_list);
354			if (params->freqs)
355				int_array_sort_unique(params->freqs);
356		}
357		wpa_s->p2p_in_provisioning++;
358	}
359
360	if (params->freqs == NULL && wpa_s->p2p_in_invitation) {
361		/*
362		 * Optimize scan based on GO information during persistent
363		 * group reinvocation
364		 */
365		if (wpa_s->p2p_in_invitation < 5 &&
366		    wpa_s->p2p_invite_go_freq > 0) {
367			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Scan only GO preferred frequency %d MHz during invitation",
368				wpa_s->p2p_invite_go_freq);
369			params->freqs = os_calloc(2, sizeof(int));
370			if (params->freqs)
371				params->freqs[0] = wpa_s->p2p_invite_go_freq;
372		}
373		wpa_s->p2p_in_invitation++;
374		if (wpa_s->p2p_in_invitation > 20) {
375			/*
376			 * This should not really happen since the variable is
377			 * cleared on group removal, but if it does happen, make
378			 * sure we do not get stuck in special invitation scan
379			 * mode.
380			 */
381			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Clear p2p_in_invitation");
382			wpa_s->p2p_in_invitation = 0;
383		}
384	}
385#endif /* CONFIG_P2P */
386
387#ifdef CONFIG_WPS
388	if (params->freqs == NULL && wpa_s->after_wps && wpa_s->wps_freq) {
389		/*
390		 * Optimize post-provisioning scan based on channel used
391		 * during provisioning.
392		 */
393		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Scan only frequency %u MHz "
394			"that was used during provisioning", wpa_s->wps_freq);
395		params->freqs = os_calloc(2, sizeof(int));
396		if (params->freqs)
397			params->freqs[0] = wpa_s->wps_freq;
398		wpa_s->after_wps--;
399	} else if (wpa_s->after_wps)
400		wpa_s->after_wps--;
401
402	if (params->freqs == NULL && wpa_s->known_wps_freq && wpa_s->wps_freq)
403	{
404		/* Optimize provisioning scan based on already known channel */
405		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Scan only frequency %u MHz",
406			wpa_s->wps_freq);
407		params->freqs = os_calloc(2, sizeof(int));
408		if (params->freqs)
409			params->freqs[0] = wpa_s->wps_freq;
410		wpa_s->known_wps_freq = 0; /* only do this once */
411	}
412#endif /* CONFIG_WPS */
413}
414
415
416#ifdef CONFIG_INTERWORKING
417static void wpas_add_interworking_elements(struct wpa_supplicant *wpa_s,
418					   struct wpabuf *buf)
419{
420	wpabuf_put_u8(buf, WLAN_EID_INTERWORKING);
421	wpabuf_put_u8(buf, is_zero_ether_addr(wpa_s->conf->hessid) ? 1 :
422		      1 + ETH_ALEN);
423	wpabuf_put_u8(buf, wpa_s->conf->access_network_type);
424	/* No Venue Info */
425	if (!is_zero_ether_addr(wpa_s->conf->hessid))
426		wpabuf_put_data(buf, wpa_s->conf->hessid, ETH_ALEN);
427}
428#endif /* CONFIG_INTERWORKING */
429
430
431static struct wpabuf * wpa_supplicant_extra_ies(struct wpa_supplicant *wpa_s)
432{
433	struct wpabuf *extra_ie = NULL;
434	u8 ext_capab[18];
435	int ext_capab_len;
436#ifdef CONFIG_WPS
437	int wps = 0;
438	enum wps_request_type req_type = WPS_REQ_ENROLLEE_INFO;
439#endif /* CONFIG_WPS */
440
441	ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
442					     sizeof(ext_capab));
443	if (ext_capab_len > 0 &&
444	    wpabuf_resize(&extra_ie, ext_capab_len) == 0)
445		wpabuf_put_data(extra_ie, ext_capab, ext_capab_len);
446
447#ifdef CONFIG_INTERWORKING
448	if (wpa_s->conf->interworking &&
449	    wpabuf_resize(&extra_ie, 100) == 0)
450		wpas_add_interworking_elements(wpa_s, extra_ie);
451#endif /* CONFIG_INTERWORKING */
452
453#ifdef CONFIG_WPS
454	wps = wpas_wps_in_use(wpa_s, &req_type);
455
456	if (wps) {
457		struct wpabuf *wps_ie;
458		wps_ie = wps_build_probe_req_ie(wps == 2 ? DEV_PW_PUSHBUTTON :
459						DEV_PW_DEFAULT,
460						&wpa_s->wps->dev,
461						wpa_s->wps->uuid, req_type,
462						0, NULL);
463		if (wps_ie) {
464			if (wpabuf_resize(&extra_ie, wpabuf_len(wps_ie)) == 0)
465				wpabuf_put_buf(extra_ie, wps_ie);
466			wpabuf_free(wps_ie);
467		}
468	}
469
470#ifdef CONFIG_P2P
471	if (wps) {
472		size_t ielen = p2p_scan_ie_buf_len(wpa_s->global->p2p);
473		if (wpabuf_resize(&extra_ie, ielen) == 0)
474			wpas_p2p_scan_ie(wpa_s, extra_ie);
475	}
476#endif /* CONFIG_P2P */
477
478	wpa_supplicant_mesh_add_scan_ie(wpa_s, &extra_ie);
479
480#endif /* CONFIG_WPS */
481
482#ifdef CONFIG_HS20
483	if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 7) == 0)
484		wpas_hs20_add_indication(extra_ie, -1);
485#endif /* CONFIG_HS20 */
486
487#ifdef CONFIG_FST
488	if (wpa_s->fst_ies &&
489	    wpabuf_resize(&extra_ie, wpabuf_len(wpa_s->fst_ies)) == 0)
490		wpabuf_put_buf(extra_ie, wpa_s->fst_ies);
491#endif /* CONFIG_FST */
492
493#ifdef CONFIG_MBO
494	/* Send cellular capabilities for potential MBO STAs */
495	if (wpabuf_resize(&extra_ie, 9) == 0)
496		wpas_mbo_scan_ie(wpa_s, extra_ie);
497#endif /* CONFIG_MBO */
498
499	return extra_ie;
500}
501
502
503#ifdef CONFIG_P2P
504
505/*
506 * Check whether there are any enabled networks or credentials that could be
507 * used for a non-P2P connection.
508 */
509static int non_p2p_network_enabled(struct wpa_supplicant *wpa_s)
510{
511	struct wpa_ssid *ssid;
512
513	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
514		if (wpas_network_disabled(wpa_s, ssid))
515			continue;
516		if (!ssid->p2p_group)
517			return 1;
518	}
519
520	if (wpa_s->conf->cred && wpa_s->conf->interworking &&
521	    wpa_s->conf->auto_interworking)
522		return 1;
523
524	return 0;
525}
526
527#endif /* CONFIG_P2P */
528
529
530static void wpa_setband_scan_freqs_list(struct wpa_supplicant *wpa_s,
531					enum hostapd_hw_mode band,
532					struct wpa_driver_scan_params *params)
533{
534	/* Include only supported channels for the specified band */
535	struct hostapd_hw_modes *mode;
536	int count, i;
537
538	mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, band);
539	if (mode == NULL) {
540		/* No channels supported in this band - use empty list */
541		params->freqs = os_zalloc(sizeof(int));
542		return;
543	}
544
545	params->freqs = os_calloc(mode->num_channels + 1, sizeof(int));
546	if (params->freqs == NULL)
547		return;
548	for (count = 0, i = 0; i < mode->num_channels; i++) {
549		if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
550			continue;
551		params->freqs[count++] = mode->channels[i].freq;
552	}
553}
554
555
556static void wpa_setband_scan_freqs(struct wpa_supplicant *wpa_s,
557				   struct wpa_driver_scan_params *params)
558{
559	if (wpa_s->hw.modes == NULL)
560		return; /* unknown what channels the driver supports */
561	if (params->freqs)
562		return; /* already using a limited channel set */
563	if (wpa_s->setband == WPA_SETBAND_5G)
564		wpa_setband_scan_freqs_list(wpa_s, HOSTAPD_MODE_IEEE80211A,
565					    params);
566	else if (wpa_s->setband == WPA_SETBAND_2G)
567		wpa_setband_scan_freqs_list(wpa_s, HOSTAPD_MODE_IEEE80211G,
568					    params);
569}
570
571
572static void wpa_set_scan_ssids(struct wpa_supplicant *wpa_s,
573			       struct wpa_driver_scan_params *params,
574			       size_t max_ssids)
575{
576	unsigned int i;
577	struct wpa_ssid *ssid;
578	/*
579	 * For devices with |max_ssids| greater than 1, leave the last slot empty
580	 * for adding the wildcard scan entry.
581	 */
582	max_ssids = (max_ssids == 1) ? max_ssids : max_ssids - 1;
583
584	for (i = 0; i < wpa_s->scan_id_count; i++) {
585		unsigned int j;
586
587		ssid = wpa_config_get_network(wpa_s->conf, wpa_s->scan_id[i]);
588		if (!ssid || !ssid->scan_ssid)
589			continue;
590
591		for (j = 0; j < params->num_ssids; j++) {
592			if (params->ssids[j].ssid_len == ssid->ssid_len &&
593			    params->ssids[j].ssid &&
594			    os_memcmp(params->ssids[j].ssid, ssid->ssid,
595				      ssid->ssid_len) == 0)
596				break;
597		}
598		if (j < params->num_ssids)
599			continue; /* already in the list */
600
601		if (params->num_ssids + 1 > max_ssids) {
602			wpa_printf(MSG_DEBUG,
603				   "Over max scan SSIDs for manual request");
604			break;
605		}
606
607		wpa_printf(MSG_DEBUG, "Scan SSID (manual request): %s",
608			   wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
609		params->ssids[params->num_ssids].ssid = ssid->ssid;
610		params->ssids[params->num_ssids].ssid_len = ssid->ssid_len;
611		params->num_ssids++;
612	}
613
614	wpa_s->scan_id_count = 0;
615}
616
617
618static int wpa_set_ssids_from_scan_req(struct wpa_supplicant *wpa_s,
619				       struct wpa_driver_scan_params *params,
620				       size_t max_ssids)
621{
622	unsigned int i;
623
624	if (wpa_s->ssids_from_scan_req == NULL ||
625	    wpa_s->num_ssids_from_scan_req == 0)
626		return 0;
627
628	if (wpa_s->num_ssids_from_scan_req > max_ssids) {
629		wpa_s->num_ssids_from_scan_req = max_ssids;
630		wpa_printf(MSG_DEBUG, "Over max scan SSIDs from scan req: %u",
631			   (unsigned int) max_ssids);
632	}
633
634	for (i = 0; i < wpa_s->num_ssids_from_scan_req; i++) {
635		params->ssids[i].ssid = wpa_s->ssids_from_scan_req[i].ssid;
636		params->ssids[i].ssid_len =
637			wpa_s->ssids_from_scan_req[i].ssid_len;
638		wpa_hexdump_ascii(MSG_DEBUG, "specific SSID",
639				  params->ssids[i].ssid,
640				  params->ssids[i].ssid_len);
641	}
642
643	params->num_ssids = wpa_s->num_ssids_from_scan_req;
644	wpa_s->num_ssids_from_scan_req = 0;
645	return 1;
646}
647
648
649static void wpa_supplicant_scan(void *eloop_ctx, void *timeout_ctx)
650{
651	struct wpa_supplicant *wpa_s = eloop_ctx;
652	struct wpa_ssid *ssid;
653	int ret, p2p_in_prog;
654	struct wpabuf *extra_ie = NULL;
655	struct wpa_driver_scan_params params;
656	struct wpa_driver_scan_params *scan_params;
657	size_t max_ssids;
658	int connect_without_scan = 0;
659
660	if (wpa_s->pno || wpa_s->pno_sched_pending) {
661		wpa_dbg(wpa_s, MSG_DEBUG, "Skip scan - PNO is in progress");
662		return;
663	}
664
665	if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) {
666		wpa_dbg(wpa_s, MSG_DEBUG, "Skip scan - interface disabled");
667		return;
668	}
669
670	if (wpa_s->disconnected && wpa_s->scan_req == NORMAL_SCAN_REQ) {
671		wpa_dbg(wpa_s, MSG_DEBUG, "Disconnected - do not scan");
672		wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
673		return;
674	}
675
676	if (wpa_s->scanning) {
677		/*
678		 * If we are already in scanning state, we shall reschedule the
679		 * the incoming scan request.
680		 */
681		wpa_dbg(wpa_s, MSG_DEBUG, "Already scanning - Reschedule the incoming scan req");
682		wpa_supplicant_req_scan(wpa_s, 1, 0);
683		return;
684	}
685
686	if (!wpa_supplicant_enabled_networks(wpa_s) &&
687	    wpa_s->scan_req == NORMAL_SCAN_REQ) {
688		wpa_dbg(wpa_s, MSG_DEBUG, "No enabled networks - do not scan");
689		wpa_supplicant_set_state(wpa_s, WPA_INACTIVE);
690		return;
691	}
692
693	if (wpa_s->conf->ap_scan != 0 &&
694	    (wpa_s->drv_flags & WPA_DRIVER_FLAGS_WIRED)) {
695		wpa_dbg(wpa_s, MSG_DEBUG, "Using wired authentication - "
696			"overriding ap_scan configuration");
697		wpa_s->conf->ap_scan = 0;
698		wpas_notify_ap_scan_changed(wpa_s);
699	}
700
701	if (wpa_s->conf->ap_scan == 0) {
702		wpa_supplicant_gen_assoc_event(wpa_s);
703		return;
704	}
705
706	ssid = NULL;
707	if (wpa_s->scan_req != MANUAL_SCAN_REQ &&
708	    wpa_s->connect_without_scan) {
709		connect_without_scan = 1;
710		for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
711			if (ssid == wpa_s->connect_without_scan)
712				break;
713		}
714	}
715
716	p2p_in_prog = wpas_p2p_in_progress(wpa_s);
717	if (p2p_in_prog && p2p_in_prog != 2 &&
718	    (!ssid ||
719	     (ssid->mode != WPAS_MODE_AP && ssid->mode != WPAS_MODE_P2P_GO))) {
720		wpa_dbg(wpa_s, MSG_DEBUG, "Delay station mode scan while P2P operation is in progress");
721		wpa_supplicant_req_scan(wpa_s, 5, 0);
722		return;
723	}
724
725	if (wpa_s->conf->ap_scan == 2)
726		max_ssids = 1;
727	else {
728		max_ssids = wpa_s->max_scan_ssids;
729		if (max_ssids > WPAS_MAX_SCAN_SSIDS)
730			max_ssids = WPAS_MAX_SCAN_SSIDS;
731	}
732
733	wpa_s->last_scan_req = wpa_s->scan_req;
734	wpa_s->scan_req = NORMAL_SCAN_REQ;
735
736	if (connect_without_scan) {
737		wpa_s->connect_without_scan = NULL;
738		if (ssid) {
739			wpa_printf(MSG_DEBUG, "Start a pre-selected network "
740				   "without scan step");
741			wpa_supplicant_associate(wpa_s, NULL, ssid);
742			return;
743		}
744	}
745
746	os_memset(&params, 0, sizeof(params));
747
748	wpa_s->scan_prev_wpa_state = wpa_s->wpa_state;
749	if (wpa_s->wpa_state == WPA_DISCONNECTED ||
750	    wpa_s->wpa_state == WPA_INACTIVE)
751		wpa_supplicant_set_state(wpa_s, WPA_SCANNING);
752
753	/*
754	 * If autoscan has set its own scanning parameters
755	 */
756	if (wpa_s->autoscan_params != NULL) {
757		scan_params = wpa_s->autoscan_params;
758		goto scan;
759	}
760
761	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
762	    wpa_set_ssids_from_scan_req(wpa_s, &params, max_ssids)) {
763		wpa_printf(MSG_DEBUG, "Use specific SSIDs from SCAN command");
764		goto ssid_list_set;
765	}
766
767#ifdef CONFIG_P2P
768	if ((wpa_s->p2p_in_provisioning || wpa_s->show_group_started) &&
769	    wpa_s->go_params && !wpa_s->conf->passive_scan) {
770		wpa_printf(MSG_DEBUG, "P2P: Use specific SSID for scan during P2P group formation (p2p_in_provisioning=%d show_group_started=%d)",
771			   wpa_s->p2p_in_provisioning,
772			   wpa_s->show_group_started);
773		params.ssids[0].ssid = wpa_s->go_params->ssid;
774		params.ssids[0].ssid_len = wpa_s->go_params->ssid_len;
775		params.num_ssids = 1;
776		goto ssid_list_set;
777	}
778
779	if (wpa_s->p2p_in_invitation) {
780		if (wpa_s->current_ssid) {
781			wpa_printf(MSG_DEBUG, "P2P: Use specific SSID for scan during invitation");
782			params.ssids[0].ssid = wpa_s->current_ssid->ssid;
783			params.ssids[0].ssid_len =
784				wpa_s->current_ssid->ssid_len;
785			params.num_ssids = 1;
786		} else {
787			wpa_printf(MSG_DEBUG, "P2P: No specific SSID known for scan during invitation");
788		}
789		goto ssid_list_set;
790	}
791#endif /* CONFIG_P2P */
792
793	/* Find the starting point from which to continue scanning */
794	ssid = wpa_s->conf->ssid;
795	if (wpa_s->prev_scan_ssid != WILDCARD_SSID_SCAN) {
796		while (ssid) {
797			if (ssid == wpa_s->prev_scan_ssid) {
798				ssid = ssid->next;
799				break;
800			}
801			ssid = ssid->next;
802		}
803	}
804
805	if (wpa_s->last_scan_req != MANUAL_SCAN_REQ &&
806#ifdef CONFIG_AP
807	    !wpa_s->ap_iface &&
808#endif /* CONFIG_AP */
809	    wpa_s->conf->ap_scan == 2) {
810		wpa_s->connect_without_scan = NULL;
811		wpa_s->prev_scan_wildcard = 0;
812		wpa_supplicant_assoc_try(wpa_s, ssid);
813		return;
814	} else if (wpa_s->conf->ap_scan == 2) {
815		/*
816		 * User-initiated scan request in ap_scan == 2; scan with
817		 * wildcard SSID.
818		 */
819		ssid = NULL;
820	} else if (wpa_s->reattach && wpa_s->current_ssid != NULL) {
821		/*
822		 * Perform single-channel single-SSID scan for
823		 * reassociate-to-same-BSS operation.
824		 */
825		/* Setup SSID */
826		ssid = wpa_s->current_ssid;
827		wpa_hexdump_ascii(MSG_DEBUG, "Scan SSID",
828				  ssid->ssid, ssid->ssid_len);
829		params.ssids[0].ssid = ssid->ssid;
830		params.ssids[0].ssid_len = ssid->ssid_len;
831		params.num_ssids = 1;
832
833		/*
834		 * Allocate memory for frequency array, allocate one extra
835		 * slot for the zero-terminator.
836		 */
837		params.freqs = os_malloc(sizeof(int) * 2);
838		if (params.freqs == NULL) {
839			wpa_dbg(wpa_s, MSG_ERROR, "Memory allocation failed");
840			return;
841		}
842		params.freqs[0] = wpa_s->assoc_freq;
843		params.freqs[1] = 0;
844
845		/*
846		 * Reset the reattach flag so that we fall back to full scan if
847		 * this scan fails.
848		 */
849		wpa_s->reattach = 0;
850	} else {
851		struct wpa_ssid *start = ssid, *tssid;
852		int freqs_set = 0;
853		if (ssid == NULL && max_ssids > 1)
854			ssid = wpa_s->conf->ssid;
855		while (ssid) {
856			if (!wpas_network_disabled(wpa_s, ssid) &&
857			    ssid->scan_ssid) {
858				wpa_hexdump_ascii(MSG_DEBUG, "Scan SSID",
859						  ssid->ssid, ssid->ssid_len);
860				params.ssids[params.num_ssids].ssid =
861					ssid->ssid;
862				params.ssids[params.num_ssids].ssid_len =
863					ssid->ssid_len;
864				params.num_ssids++;
865				if (params.num_ssids + 1 >= max_ssids)
866					break;
867			}
868			ssid = ssid->next;
869			if (ssid == start)
870				break;
871			if (ssid == NULL && max_ssids > 1 &&
872			    start != wpa_s->conf->ssid)
873				ssid = wpa_s->conf->ssid;
874		}
875
876		if (wpa_s->scan_id_count &&
877		    wpa_s->last_scan_req == MANUAL_SCAN_REQ)
878			wpa_set_scan_ssids(wpa_s, &params, max_ssids);
879
880		for (tssid = wpa_s->conf->ssid;
881		     wpa_s->last_scan_req != MANUAL_SCAN_REQ && tssid;
882		     tssid = tssid->next) {
883			if (wpas_network_disabled(wpa_s, tssid))
884				continue;
885			if ((params.freqs || !freqs_set) && tssid->scan_freq) {
886				int_array_concat(&params.freqs,
887						 tssid->scan_freq);
888			} else {
889				os_free(params.freqs);
890				params.freqs = NULL;
891			}
892			freqs_set = 1;
893		}
894		int_array_sort_unique(params.freqs);
895	}
896
897	if (ssid && max_ssids == 1) {
898		/*
899		 * If the driver is limited to 1 SSID at a time interleave
900		 * wildcard SSID scans with specific SSID scans to avoid
901		 * waiting a long time for a wildcard scan.
902		 */
903		if (!wpa_s->prev_scan_wildcard) {
904			params.ssids[0].ssid = NULL;
905			params.ssids[0].ssid_len = 0;
906			wpa_s->prev_scan_wildcard = 1;
907			wpa_dbg(wpa_s, MSG_DEBUG, "Starting AP scan for "
908				"wildcard SSID (Interleave with specific)");
909		} else {
910			wpa_s->prev_scan_ssid = ssid;
911			wpa_s->prev_scan_wildcard = 0;
912			wpa_dbg(wpa_s, MSG_DEBUG,
913				"Starting AP scan for specific SSID: %s",
914				wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
915		}
916	} else if (ssid) {
917		/* max_ssids > 1 */
918
919		wpa_s->prev_scan_ssid = ssid;
920		wpa_dbg(wpa_s, MSG_DEBUG, "Include wildcard SSID in "
921			"the scan request");
922		params.num_ssids++;
923	} else if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
924		   wpa_s->manual_scan_passive && params.num_ssids == 0) {
925		wpa_dbg(wpa_s, MSG_DEBUG, "Use passive scan based on manual request");
926	} else if (wpa_s->conf->passive_scan) {
927		wpa_dbg(wpa_s, MSG_DEBUG,
928			"Use passive scan based on configuration");
929	} else {
930		wpa_s->prev_scan_ssid = WILDCARD_SSID_SCAN;
931		params.num_ssids++;
932		wpa_dbg(wpa_s, MSG_DEBUG, "Starting AP scan for wildcard "
933			"SSID");
934	}
935
936ssid_list_set:
937	wpa_supplicant_optimize_freqs(wpa_s, &params);
938	extra_ie = wpa_supplicant_extra_ies(wpa_s);
939
940	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
941	    wpa_s->manual_scan_only_new) {
942		wpa_printf(MSG_DEBUG,
943			   "Request driver to clear scan cache due to manual only_new=1 scan");
944		params.only_new_results = 1;
945	}
946
947	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ && params.freqs == NULL &&
948	    wpa_s->manual_scan_freqs) {
949		wpa_dbg(wpa_s, MSG_DEBUG, "Limit manual scan to specified channels");
950		params.freqs = wpa_s->manual_scan_freqs;
951		wpa_s->manual_scan_freqs = NULL;
952	}
953
954	if (params.freqs == NULL && wpa_s->next_scan_freqs) {
955		wpa_dbg(wpa_s, MSG_DEBUG, "Optimize scan based on previously "
956			"generated frequency list");
957		params.freqs = wpa_s->next_scan_freqs;
958	} else
959		os_free(wpa_s->next_scan_freqs);
960	wpa_s->next_scan_freqs = NULL;
961	wpa_setband_scan_freqs(wpa_s, &params);
962
963	/* See if user specified frequencies. If so, scan only those. */
964	if (wpa_s->conf->freq_list && !params.freqs) {
965		wpa_dbg(wpa_s, MSG_DEBUG,
966			"Optimize scan based on conf->freq_list");
967		int_array_concat(&params.freqs, wpa_s->conf->freq_list);
968	}
969
970	/* Use current associated channel? */
971	if (wpa_s->conf->scan_cur_freq && !params.freqs) {
972		unsigned int num = wpa_s->num_multichan_concurrent;
973
974		params.freqs = os_calloc(num + 1, sizeof(int));
975		if (params.freqs) {
976			num = get_shared_radio_freqs(wpa_s, params.freqs, num);
977			if (num > 0) {
978				wpa_dbg(wpa_s, MSG_DEBUG, "Scan only the "
979					"current operating channels since "
980					"scan_cur_freq is enabled");
981			} else {
982				os_free(params.freqs);
983				params.freqs = NULL;
984			}
985		}
986	}
987
988	params.filter_ssids = wpa_supplicant_build_filter_ssids(
989		wpa_s->conf, &params.num_filter_ssids);
990	if (extra_ie) {
991		params.extra_ies = wpabuf_head(extra_ie);
992		params.extra_ies_len = wpabuf_len(extra_ie);
993	}
994
995#ifdef CONFIG_P2P
996	if (wpa_s->p2p_in_provisioning || wpa_s->p2p_in_invitation ||
997	    (wpa_s->show_group_started && wpa_s->go_params)) {
998		/*
999		 * The interface may not yet be in P2P mode, so we have to
1000		 * explicitly request P2P probe to disable CCK rates.
1001		 */
1002		params.p2p_probe = 1;
1003	}
1004#endif /* CONFIG_P2P */
1005
1006	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN) {
1007		params.mac_addr_rand = 1;
1008		if (wpa_s->mac_addr_scan) {
1009			params.mac_addr = wpa_s->mac_addr_scan;
1010			params.mac_addr_mask = wpa_s->mac_addr_scan + ETH_ALEN;
1011		}
1012	}
1013
1014	if (!is_zero_ether_addr(wpa_s->next_scan_bssid)) {
1015		struct wpa_bss *bss;
1016
1017		params.bssid = wpa_s->next_scan_bssid;
1018		bss = wpa_bss_get_bssid_latest(wpa_s, params.bssid);
1019		if (bss && bss->ssid_len && params.num_ssids == 1 &&
1020		    params.ssids[0].ssid_len == 0) {
1021			params.ssids[0].ssid = bss->ssid;
1022			params.ssids[0].ssid_len = bss->ssid_len;
1023			wpa_dbg(wpa_s, MSG_DEBUG,
1024				"Scan a previously specified BSSID " MACSTR
1025				" and SSID %s",
1026				MAC2STR(params.bssid),
1027				wpa_ssid_txt(bss->ssid, bss->ssid_len));
1028		} else {
1029			wpa_dbg(wpa_s, MSG_DEBUG,
1030				"Scan a previously specified BSSID " MACSTR,
1031				MAC2STR(params.bssid));
1032		}
1033	}
1034
1035	scan_params = &params;
1036
1037scan:
1038#ifdef CONFIG_P2P
1039	/*
1040	 * If the driver does not support multi-channel concurrency and a
1041	 * virtual interface that shares the same radio with the wpa_s interface
1042	 * is operating there may not be need to scan other channels apart from
1043	 * the current operating channel on the other virtual interface. Filter
1044	 * out other channels in case we are trying to find a connection for a
1045	 * station interface when we are not configured to prefer station
1046	 * connection and a concurrent operation is already in process.
1047	 */
1048	if (wpa_s->scan_for_connection &&
1049	    wpa_s->last_scan_req == NORMAL_SCAN_REQ &&
1050	    !scan_params->freqs && !params.freqs &&
1051	    wpas_is_p2p_prioritized(wpa_s) &&
1052	    wpa_s->p2p_group_interface == NOT_P2P_GROUP_INTERFACE &&
1053	    non_p2p_network_enabled(wpa_s)) {
1054		unsigned int num = wpa_s->num_multichan_concurrent;
1055
1056		params.freqs = os_calloc(num + 1, sizeof(int));
1057		if (params.freqs) {
1058			num = get_shared_radio_freqs(wpa_s, params.freqs, num);
1059			if (num > 0 && num == wpa_s->num_multichan_concurrent) {
1060				wpa_dbg(wpa_s, MSG_DEBUG, "Scan only the current operating channels since all channels are already used");
1061			} else {
1062				os_free(params.freqs);
1063				params.freqs = NULL;
1064			}
1065		}
1066	}
1067#endif /* CONFIG_P2P */
1068
1069	ret = wpa_supplicant_trigger_scan(wpa_s, scan_params);
1070
1071	if (ret && wpa_s->last_scan_req == MANUAL_SCAN_REQ && params.freqs &&
1072	    !wpa_s->manual_scan_freqs) {
1073		/* Restore manual_scan_freqs for the next attempt */
1074		wpa_s->manual_scan_freqs = params.freqs;
1075		params.freqs = NULL;
1076	}
1077
1078	wpabuf_free(extra_ie);
1079	os_free(params.freqs);
1080	os_free(params.filter_ssids);
1081
1082	if (ret) {
1083		wpa_msg(wpa_s, MSG_WARNING, "Failed to initiate AP scan");
1084		if (wpa_s->scan_prev_wpa_state != wpa_s->wpa_state)
1085			wpa_supplicant_set_state(wpa_s,
1086						 wpa_s->scan_prev_wpa_state);
1087		/* Restore scan_req since we will try to scan again */
1088		wpa_s->scan_req = wpa_s->last_scan_req;
1089		wpa_supplicant_req_scan(wpa_s, 1, 0);
1090	} else {
1091		wpa_s->scan_for_connection = 0;
1092#ifdef CONFIG_INTERWORKING
1093		wpa_s->interworking_fast_assoc_tried = 0;
1094#endif /* CONFIG_INTERWORKING */
1095		if (params.bssid)
1096			os_memset(wpa_s->next_scan_bssid, 0, ETH_ALEN);
1097	}
1098}
1099
1100
1101void wpa_supplicant_update_scan_int(struct wpa_supplicant *wpa_s, int sec)
1102{
1103	struct os_reltime remaining, new_int;
1104	int cancelled;
1105
1106	cancelled = eloop_cancel_timeout_one(wpa_supplicant_scan, wpa_s, NULL,
1107					     &remaining);
1108
1109	new_int.sec = sec;
1110	new_int.usec = 0;
1111	if (cancelled && os_reltime_before(&remaining, &new_int)) {
1112		new_int.sec = remaining.sec;
1113		new_int.usec = remaining.usec;
1114	}
1115
1116	if (cancelled) {
1117		eloop_register_timeout(new_int.sec, new_int.usec,
1118				       wpa_supplicant_scan, wpa_s, NULL);
1119	}
1120	wpa_s->scan_interval = sec;
1121}
1122
1123
1124/**
1125 * wpa_supplicant_req_scan - Schedule a scan for neighboring access points
1126 * @wpa_s: Pointer to wpa_supplicant data
1127 * @sec: Number of seconds after which to scan
1128 * @usec: Number of microseconds after which to scan
1129 *
1130 * This function is used to schedule a scan for neighboring access points after
1131 * the specified time.
1132 */
1133void wpa_supplicant_req_scan(struct wpa_supplicant *wpa_s, int sec, int usec)
1134{
1135	int res;
1136
1137	if (wpa_s->p2p_mgmt) {
1138		wpa_dbg(wpa_s, MSG_DEBUG,
1139			"Ignore scan request (%d.%06d sec) on p2p_mgmt interface",
1140			sec, usec);
1141		return;
1142	}
1143
1144	res = eloop_deplete_timeout(sec, usec, wpa_supplicant_scan, wpa_s,
1145				    NULL);
1146	if (res == 1) {
1147		wpa_dbg(wpa_s, MSG_DEBUG, "Rescheduling scan request: %d.%06d sec",
1148			sec, usec);
1149	} else if (res == 0) {
1150		wpa_dbg(wpa_s, MSG_DEBUG, "Ignore new scan request for %d.%06d sec since an earlier request is scheduled to trigger sooner",
1151			sec, usec);
1152	} else {
1153		wpa_dbg(wpa_s, MSG_DEBUG, "Setting scan request: %d.%06d sec",
1154			sec, usec);
1155		eloop_register_timeout(sec, usec, wpa_supplicant_scan, wpa_s, NULL);
1156	}
1157}
1158
1159
1160/**
1161 * wpa_supplicant_delayed_sched_scan - Request a delayed scheduled scan
1162 * @wpa_s: Pointer to wpa_supplicant data
1163 * @sec: Number of seconds after which to scan
1164 * @usec: Number of microseconds after which to scan
1165 * Returns: 0 on success or -1 otherwise
1166 *
1167 * This function is used to schedule periodic scans for neighboring
1168 * access points after the specified time.
1169 */
1170int wpa_supplicant_delayed_sched_scan(struct wpa_supplicant *wpa_s,
1171				      int sec, int usec)
1172{
1173	if (!wpa_s->sched_scan_supported)
1174		return -1;
1175
1176	eloop_register_timeout(sec, usec,
1177			       wpa_supplicant_delayed_sched_scan_timeout,
1178			       wpa_s, NULL);
1179
1180	return 0;
1181}
1182
1183
1184/**
1185 * wpa_supplicant_req_sched_scan - Start a periodic scheduled scan
1186 * @wpa_s: Pointer to wpa_supplicant data
1187 * Returns: 0 is sched_scan was started or -1 otherwise
1188 *
1189 * This function is used to schedule periodic scans for neighboring
1190 * access points repeating the scan continuously.
1191 */
1192int wpa_supplicant_req_sched_scan(struct wpa_supplicant *wpa_s)
1193{
1194	struct wpa_driver_scan_params params;
1195	struct wpa_driver_scan_params *scan_params;
1196	enum wpa_states prev_state;
1197	struct wpa_ssid *ssid = NULL;
1198	struct wpabuf *extra_ie = NULL;
1199	int ret;
1200	unsigned int max_sched_scan_ssids;
1201	int wildcard = 0;
1202	int need_ssids;
1203	struct sched_scan_plan scan_plan;
1204
1205	if (!wpa_s->sched_scan_supported)
1206		return -1;
1207
1208	if (wpa_s->max_sched_scan_ssids > WPAS_MAX_SCAN_SSIDS)
1209		max_sched_scan_ssids = WPAS_MAX_SCAN_SSIDS;
1210	else
1211		max_sched_scan_ssids = wpa_s->max_sched_scan_ssids;
1212	if (max_sched_scan_ssids < 1 || wpa_s->conf->disable_scan_offload)
1213		return -1;
1214
1215	if (wpa_s->sched_scanning) {
1216		wpa_dbg(wpa_s, MSG_DEBUG, "Already sched scanning");
1217		return 0;
1218	}
1219
1220	need_ssids = 0;
1221	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
1222		if (!wpas_network_disabled(wpa_s, ssid) && !ssid->scan_ssid) {
1223			/* Use wildcard SSID to find this network */
1224			wildcard = 1;
1225		} else if (!wpas_network_disabled(wpa_s, ssid) &&
1226			   ssid->ssid_len)
1227			need_ssids++;
1228
1229#ifdef CONFIG_WPS
1230		if (!wpas_network_disabled(wpa_s, ssid) &&
1231		    ssid->key_mgmt == WPA_KEY_MGMT_WPS) {
1232			/*
1233			 * Normal scan is more reliable and faster for WPS
1234			 * operations and since these are for short periods of
1235			 * time, the benefit of trying to use sched_scan would
1236			 * be limited.
1237			 */
1238			wpa_dbg(wpa_s, MSG_DEBUG, "Use normal scan instead of "
1239				"sched_scan for WPS");
1240			return -1;
1241		}
1242#endif /* CONFIG_WPS */
1243	}
1244	if (wildcard)
1245		need_ssids++;
1246
1247	if (wpa_s->normal_scans < 3 &&
1248	    (need_ssids <= wpa_s->max_scan_ssids ||
1249	     wpa_s->max_scan_ssids >= (int) max_sched_scan_ssids)) {
1250		/*
1251		 * When normal scan can speed up operations, use that for the
1252		 * first operations before starting the sched_scan to allow
1253		 * user space sleep more. We do this only if the normal scan
1254		 * has functionality that is suitable for this or if the
1255		 * sched_scan does not have better support for multiple SSIDs.
1256		 */
1257		wpa_dbg(wpa_s, MSG_DEBUG, "Use normal scan instead of "
1258			"sched_scan for initial scans (normal_scans=%d)",
1259			wpa_s->normal_scans);
1260		return -1;
1261	}
1262
1263	os_memset(&params, 0, sizeof(params));
1264
1265	/* If we can't allocate space for the filters, we just don't filter */
1266	params.filter_ssids = os_calloc(wpa_s->max_match_sets,
1267					sizeof(struct wpa_driver_scan_filter));
1268
1269	prev_state = wpa_s->wpa_state;
1270	if (wpa_s->wpa_state == WPA_DISCONNECTED ||
1271	    wpa_s->wpa_state == WPA_INACTIVE)
1272		wpa_supplicant_set_state(wpa_s, WPA_SCANNING);
1273
1274	if (wpa_s->autoscan_params != NULL) {
1275		scan_params = wpa_s->autoscan_params;
1276		goto scan;
1277	}
1278
1279	/* Find the starting point from which to continue scanning */
1280	ssid = wpa_s->conf->ssid;
1281	if (wpa_s->prev_sched_ssid) {
1282		while (ssid) {
1283			if (ssid == wpa_s->prev_sched_ssid) {
1284				ssid = ssid->next;
1285				break;
1286			}
1287			ssid = ssid->next;
1288		}
1289	}
1290
1291	if (!ssid || !wpa_s->prev_sched_ssid) {
1292		wpa_dbg(wpa_s, MSG_DEBUG, "Beginning of SSID list");
1293		wpa_s->sched_scan_timeout = max_sched_scan_ssids * 2;
1294		wpa_s->first_sched_scan = 1;
1295		ssid = wpa_s->conf->ssid;
1296		wpa_s->prev_sched_ssid = ssid;
1297	}
1298
1299	if (wildcard) {
1300		wpa_dbg(wpa_s, MSG_DEBUG, "Add wildcard SSID to sched_scan");
1301		params.num_ssids++;
1302	}
1303
1304	while (ssid) {
1305		if (wpas_network_disabled(wpa_s, ssid))
1306			goto next;
1307
1308		if (params.num_filter_ssids < wpa_s->max_match_sets &&
1309		    params.filter_ssids && ssid->ssid && ssid->ssid_len) {
1310			wpa_dbg(wpa_s, MSG_DEBUG, "add to filter ssid: %s",
1311				wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
1312			os_memcpy(params.filter_ssids[params.num_filter_ssids].ssid,
1313				  ssid->ssid, ssid->ssid_len);
1314			params.filter_ssids[params.num_filter_ssids].ssid_len =
1315				ssid->ssid_len;
1316			params.num_filter_ssids++;
1317		} else if (params.filter_ssids && ssid->ssid && ssid->ssid_len)
1318		{
1319			wpa_dbg(wpa_s, MSG_DEBUG, "Not enough room for SSID "
1320				"filter for sched_scan - drop filter");
1321			os_free(params.filter_ssids);
1322			params.filter_ssids = NULL;
1323			params.num_filter_ssids = 0;
1324		}
1325
1326		if (ssid->scan_ssid && ssid->ssid && ssid->ssid_len) {
1327			if (params.num_ssids == max_sched_scan_ssids)
1328				break; /* only room for broadcast SSID */
1329			wpa_dbg(wpa_s, MSG_DEBUG,
1330				"add to active scan ssid: %s",
1331				wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
1332			params.ssids[params.num_ssids].ssid =
1333				ssid->ssid;
1334			params.ssids[params.num_ssids].ssid_len =
1335				ssid->ssid_len;
1336			params.num_ssids++;
1337			if (params.num_ssids >= max_sched_scan_ssids) {
1338				wpa_s->prev_sched_ssid = ssid;
1339				do {
1340					ssid = ssid->next;
1341				} while (ssid &&
1342					 (wpas_network_disabled(wpa_s, ssid) ||
1343					  !ssid->scan_ssid));
1344				break;
1345			}
1346		}
1347
1348	next:
1349		wpa_s->prev_sched_ssid = ssid;
1350		ssid = ssid->next;
1351	}
1352
1353	if (params.num_filter_ssids == 0) {
1354		os_free(params.filter_ssids);
1355		params.filter_ssids = NULL;
1356	}
1357
1358	extra_ie = wpa_supplicant_extra_ies(wpa_s);
1359	if (extra_ie) {
1360		params.extra_ies = wpabuf_head(extra_ie);
1361		params.extra_ies_len = wpabuf_len(extra_ie);
1362	}
1363
1364	if (wpa_s->conf->filter_rssi)
1365		params.filter_rssi = wpa_s->conf->filter_rssi;
1366
1367	/* See if user specified frequencies. If so, scan only those. */
1368	if (wpa_s->conf->freq_list && !params.freqs) {
1369		wpa_dbg(wpa_s, MSG_DEBUG,
1370			"Optimize scan based on conf->freq_list");
1371		int_array_concat(&params.freqs, wpa_s->conf->freq_list);
1372	}
1373
1374	scan_params = &params;
1375
1376scan:
1377	wpa_s->sched_scan_timed_out = 0;
1378
1379	/*
1380	 * We cannot support multiple scan plans if the scan request includes
1381	 * too many SSID's, so in this case use only the last scan plan and make
1382	 * it run infinitely. It will be stopped by the timeout.
1383	 */
1384	if (wpa_s->sched_scan_plans_num == 1 ||
1385	    (wpa_s->sched_scan_plans_num && !ssid && wpa_s->first_sched_scan)) {
1386		params.sched_scan_plans = wpa_s->sched_scan_plans;
1387		params.sched_scan_plans_num = wpa_s->sched_scan_plans_num;
1388	} else if (wpa_s->sched_scan_plans_num > 1) {
1389		wpa_dbg(wpa_s, MSG_DEBUG,
1390			"Too many SSIDs. Default to using single scheduled_scan plan");
1391		params.sched_scan_plans =
1392			&wpa_s->sched_scan_plans[wpa_s->sched_scan_plans_num -
1393						 1];
1394		params.sched_scan_plans_num = 1;
1395	} else {
1396		if (wpa_s->conf->sched_scan_interval)
1397			scan_plan.interval = wpa_s->conf->sched_scan_interval;
1398		else
1399			scan_plan.interval = 10;
1400
1401		if (scan_plan.interval > wpa_s->max_sched_scan_plan_interval) {
1402			wpa_printf(MSG_WARNING,
1403				   "Scan interval too long(%u), use the maximum allowed(%u)",
1404				   scan_plan.interval,
1405				   wpa_s->max_sched_scan_plan_interval);
1406			scan_plan.interval =
1407				wpa_s->max_sched_scan_plan_interval;
1408		}
1409
1410		scan_plan.iterations = 0;
1411		params.sched_scan_plans = &scan_plan;
1412		params.sched_scan_plans_num = 1;
1413	}
1414
1415	if (ssid || !wpa_s->first_sched_scan) {
1416		wpa_dbg(wpa_s, MSG_DEBUG,
1417			"Starting sched scan: interval %u timeout %d",
1418			params.sched_scan_plans[0].interval,
1419			wpa_s->sched_scan_timeout);
1420	} else {
1421		wpa_dbg(wpa_s, MSG_DEBUG, "Starting sched scan (no timeout)");
1422	}
1423
1424	wpa_setband_scan_freqs(wpa_s, scan_params);
1425
1426	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCHED_SCAN) {
1427		params.mac_addr_rand = 1;
1428		if (wpa_s->mac_addr_sched_scan) {
1429			params.mac_addr = wpa_s->mac_addr_sched_scan;
1430			params.mac_addr_mask = wpa_s->mac_addr_sched_scan +
1431				ETH_ALEN;
1432		}
1433	}
1434
1435	ret = wpa_supplicant_start_sched_scan(wpa_s, scan_params);
1436	wpabuf_free(extra_ie);
1437	os_free(params.filter_ssids);
1438	if (ret) {
1439		wpa_msg(wpa_s, MSG_WARNING, "Failed to initiate sched scan");
1440		if (prev_state != wpa_s->wpa_state)
1441			wpa_supplicant_set_state(wpa_s, prev_state);
1442		return ret;
1443	}
1444
1445	/* If we have more SSIDs to scan, add a timeout so we scan them too */
1446	if (ssid || !wpa_s->first_sched_scan) {
1447		wpa_s->sched_scan_timed_out = 0;
1448		eloop_register_timeout(wpa_s->sched_scan_timeout, 0,
1449				       wpa_supplicant_sched_scan_timeout,
1450				       wpa_s, NULL);
1451		wpa_s->first_sched_scan = 0;
1452		wpa_s->sched_scan_timeout /= 2;
1453		params.sched_scan_plans[0].interval *= 2;
1454		if ((unsigned int) wpa_s->sched_scan_timeout <
1455		    params.sched_scan_plans[0].interval ||
1456		    params.sched_scan_plans[0].interval >
1457		    wpa_s->max_sched_scan_plan_interval) {
1458			params.sched_scan_plans[0].interval = 10;
1459			wpa_s->sched_scan_timeout = max_sched_scan_ssids * 2;
1460		}
1461	}
1462
1463	/* If there is no more ssids, start next time from the beginning */
1464	if (!ssid)
1465		wpa_s->prev_sched_ssid = NULL;
1466
1467	return 0;
1468}
1469
1470
1471/**
1472 * wpa_supplicant_cancel_scan - Cancel a scheduled scan request
1473 * @wpa_s: Pointer to wpa_supplicant data
1474 *
1475 * This function is used to cancel a scan request scheduled with
1476 * wpa_supplicant_req_scan().
1477 */
1478void wpa_supplicant_cancel_scan(struct wpa_supplicant *wpa_s)
1479{
1480	wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling scan request");
1481	eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL);
1482}
1483
1484
1485/**
1486 * wpa_supplicant_cancel_delayed_sched_scan - Stop a delayed scheduled scan
1487 * @wpa_s: Pointer to wpa_supplicant data
1488 *
1489 * This function is used to stop a delayed scheduled scan.
1490 */
1491void wpa_supplicant_cancel_delayed_sched_scan(struct wpa_supplicant *wpa_s)
1492{
1493	if (!wpa_s->sched_scan_supported)
1494		return;
1495
1496	wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling delayed sched scan");
1497	eloop_cancel_timeout(wpa_supplicant_delayed_sched_scan_timeout,
1498			     wpa_s, NULL);
1499}
1500
1501
1502/**
1503 * wpa_supplicant_cancel_sched_scan - Stop running scheduled scans
1504 * @wpa_s: Pointer to wpa_supplicant data
1505 *
1506 * This function is used to stop a periodic scheduled scan.
1507 */
1508void wpa_supplicant_cancel_sched_scan(struct wpa_supplicant *wpa_s)
1509{
1510	if (!wpa_s->sched_scanning)
1511		return;
1512
1513	wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling sched scan");
1514	eloop_cancel_timeout(wpa_supplicant_sched_scan_timeout, wpa_s, NULL);
1515	wpa_supplicant_stop_sched_scan(wpa_s);
1516}
1517
1518
1519/**
1520 * wpa_supplicant_notify_scanning - Indicate possible scan state change
1521 * @wpa_s: Pointer to wpa_supplicant data
1522 * @scanning: Whether scanning is currently in progress
1523 *
1524 * This function is to generate scanning notifycations. It is called whenever
1525 * there may have been a change in scanning (scan started, completed, stopped).
1526 * wpas_notify_scanning() is called whenever the scanning state changed from the
1527 * previously notified state.
1528 */
1529void wpa_supplicant_notify_scanning(struct wpa_supplicant *wpa_s,
1530				    int scanning)
1531{
1532	if (wpa_s->scanning != scanning) {
1533		wpa_s->scanning = scanning;
1534		wpas_notify_scanning(wpa_s);
1535	}
1536}
1537
1538
1539static int wpa_scan_get_max_rate(const struct wpa_scan_res *res)
1540{
1541	int rate = 0;
1542	const u8 *ie;
1543	int i;
1544
1545	ie = wpa_scan_get_ie(res, WLAN_EID_SUPP_RATES);
1546	for (i = 0; ie && i < ie[1]; i++) {
1547		if ((ie[i + 2] & 0x7f) > rate)
1548			rate = ie[i + 2] & 0x7f;
1549	}
1550
1551	ie = wpa_scan_get_ie(res, WLAN_EID_EXT_SUPP_RATES);
1552	for (i = 0; ie && i < ie[1]; i++) {
1553		if ((ie[i + 2] & 0x7f) > rate)
1554			rate = ie[i + 2] & 0x7f;
1555	}
1556
1557	return rate;
1558}
1559
1560
1561/**
1562 * wpa_scan_get_ie - Fetch a specified information element from a scan result
1563 * @res: Scan result entry
1564 * @ie: Information element identitifier (WLAN_EID_*)
1565 * Returns: Pointer to the information element (id field) or %NULL if not found
1566 *
1567 * This function returns the first matching information element in the scan
1568 * result.
1569 */
1570const u8 * wpa_scan_get_ie(const struct wpa_scan_res *res, u8 ie)
1571{
1572	return get_ie((const u8 *) (res + 1), res->ie_len, ie);
1573}
1574
1575
1576/**
1577 * wpa_scan_get_vendor_ie - Fetch vendor information element from a scan result
1578 * @res: Scan result entry
1579 * @vendor_type: Vendor type (four octets starting the IE payload)
1580 * Returns: Pointer to the information element (id field) or %NULL if not found
1581 *
1582 * This function returns the first matching information element in the scan
1583 * result.
1584 */
1585const u8 * wpa_scan_get_vendor_ie(const struct wpa_scan_res *res,
1586				  u32 vendor_type)
1587{
1588	const u8 *end, *pos;
1589
1590	pos = (const u8 *) (res + 1);
1591	end = pos + res->ie_len;
1592
1593	while (end - pos > 1) {
1594		if (2 + pos[1] > end - pos)
1595			break;
1596		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1597		    vendor_type == WPA_GET_BE32(&pos[2]))
1598			return pos;
1599		pos += 2 + pos[1];
1600	}
1601
1602	return NULL;
1603}
1604
1605
1606/**
1607 * wpa_scan_get_vendor_ie_beacon - Fetch vendor information from a scan result
1608 * @res: Scan result entry
1609 * @vendor_type: Vendor type (four octets starting the IE payload)
1610 * Returns: Pointer to the information element (id field) or %NULL if not found
1611 *
1612 * This function returns the first matching information element in the scan
1613 * result.
1614 *
1615 * This function is like wpa_scan_get_vendor_ie(), but uses IE buffer only
1616 * from Beacon frames instead of either Beacon or Probe Response frames.
1617 */
1618const u8 * wpa_scan_get_vendor_ie_beacon(const struct wpa_scan_res *res,
1619					 u32 vendor_type)
1620{
1621	const u8 *end, *pos;
1622
1623	if (res->beacon_ie_len == 0)
1624		return NULL;
1625
1626	pos = (const u8 *) (res + 1);
1627	pos += res->ie_len;
1628	end = pos + res->beacon_ie_len;
1629
1630	while (end - pos > 1) {
1631		if (2 + pos[1] > end - pos)
1632			break;
1633		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1634		    vendor_type == WPA_GET_BE32(&pos[2]))
1635			return pos;
1636		pos += 2 + pos[1];
1637	}
1638
1639	return NULL;
1640}
1641
1642
1643/**
1644 * wpa_scan_get_vendor_ie_multi - Fetch vendor IE data from a scan result
1645 * @res: Scan result entry
1646 * @vendor_type: Vendor type (four octets starting the IE payload)
1647 * Returns: Pointer to the information element payload or %NULL if not found
1648 *
1649 * This function returns concatenated payload of possibly fragmented vendor
1650 * specific information elements in the scan result. The caller is responsible
1651 * for freeing the returned buffer.
1652 */
1653struct wpabuf * wpa_scan_get_vendor_ie_multi(const struct wpa_scan_res *res,
1654					     u32 vendor_type)
1655{
1656	struct wpabuf *buf;
1657	const u8 *end, *pos;
1658
1659	buf = wpabuf_alloc(res->ie_len);
1660	if (buf == NULL)
1661		return NULL;
1662
1663	pos = (const u8 *) (res + 1);
1664	end = pos + res->ie_len;
1665
1666	while (end - pos > 1) {
1667		if (2 + pos[1] > end - pos)
1668			break;
1669		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1670		    vendor_type == WPA_GET_BE32(&pos[2]))
1671			wpabuf_put_data(buf, pos + 2 + 4, pos[1] - 4);
1672		pos += 2 + pos[1];
1673	}
1674
1675	if (wpabuf_len(buf) == 0) {
1676		wpabuf_free(buf);
1677		buf = NULL;
1678	}
1679
1680	return buf;
1681}
1682
1683
1684/*
1685 * Channels with a great SNR can operate at full rate. What is a great SNR?
1686 * This doc https://supportforums.cisco.com/docs/DOC-12954 says, "the general
1687 * rule of thumb is that any SNR above 20 is good." This one
1688 * http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e9a96.shtml#qa23
1689 * recommends 25 as a minimum SNR for 54 Mbps data rate. 30 is chosen here as a
1690 * conservative value.
1691 */
1692#define GREAT_SNR 30
1693
1694#define IS_5GHZ(n) (n > 4000)
1695
1696/* Compare function for sorting scan results. Return >0 if @b is considered
1697 * better. */
1698static int wpa_scan_result_compar(const void *a, const void *b)
1699{
1700#define MIN(a,b) a < b ? a : b
1701	struct wpa_scan_res **_wa = (void *) a;
1702	struct wpa_scan_res **_wb = (void *) b;
1703	struct wpa_scan_res *wa = *_wa;
1704	struct wpa_scan_res *wb = *_wb;
1705	int wpa_a, wpa_b;
1706	int snr_a, snr_b, snr_a_full, snr_b_full;
1707
1708	/* WPA/WPA2 support preferred */
1709	wpa_a = wpa_scan_get_vendor_ie(wa, WPA_IE_VENDOR_TYPE) != NULL ||
1710		wpa_scan_get_ie(wa, WLAN_EID_RSN) != NULL;
1711	wpa_b = wpa_scan_get_vendor_ie(wb, WPA_IE_VENDOR_TYPE) != NULL ||
1712		wpa_scan_get_ie(wb, WLAN_EID_RSN) != NULL;
1713
1714	if (wpa_b && !wpa_a)
1715		return 1;
1716	if (!wpa_b && wpa_a)
1717		return -1;
1718
1719	/* privacy support preferred */
1720	if ((wa->caps & IEEE80211_CAP_PRIVACY) == 0 &&
1721	    (wb->caps & IEEE80211_CAP_PRIVACY))
1722		return 1;
1723	if ((wa->caps & IEEE80211_CAP_PRIVACY) &&
1724	    (wb->caps & IEEE80211_CAP_PRIVACY) == 0)
1725		return -1;
1726
1727	if (wa->flags & wb->flags & WPA_SCAN_LEVEL_DBM) {
1728		snr_a_full = wa->snr;
1729		snr_a = MIN(wa->snr, GREAT_SNR);
1730		snr_b_full = wb->snr;
1731		snr_b = MIN(wb->snr, GREAT_SNR);
1732	} else {
1733		/* Level is not in dBm, so we can't calculate
1734		 * SNR. Just use raw level (units unknown). */
1735		snr_a = snr_a_full = wa->level;
1736		snr_b = snr_b_full = wb->level;
1737	}
1738
1739	/* if SNR is close, decide by max rate or frequency band */
1740	if ((snr_a && snr_b && abs(snr_b - snr_a) < 5) ||
1741	    (wa->qual && wb->qual && abs(wb->qual - wa->qual) < 10)) {
1742		if (wa->est_throughput != wb->est_throughput)
1743			return wb->est_throughput - wa->est_throughput;
1744		if (IS_5GHZ(wa->freq) ^ IS_5GHZ(wb->freq))
1745			return IS_5GHZ(wa->freq) ? -1 : 1;
1746	}
1747
1748	/* all things being equal, use SNR; if SNRs are
1749	 * identical, use quality values since some drivers may only report
1750	 * that value and leave the signal level zero */
1751	if (snr_b_full == snr_a_full)
1752		return wb->qual - wa->qual;
1753	return snr_b_full - snr_a_full;
1754#undef MIN
1755}
1756
1757
1758#ifdef CONFIG_WPS
1759/* Compare function for sorting scan results when searching a WPS AP for
1760 * provisioning. Return >0 if @b is considered better. */
1761static int wpa_scan_result_wps_compar(const void *a, const void *b)
1762{
1763	struct wpa_scan_res **_wa = (void *) a;
1764	struct wpa_scan_res **_wb = (void *) b;
1765	struct wpa_scan_res *wa = *_wa;
1766	struct wpa_scan_res *wb = *_wb;
1767	int uses_wps_a, uses_wps_b;
1768	struct wpabuf *wps_a, *wps_b;
1769	int res;
1770
1771	/* Optimization - check WPS IE existence before allocated memory and
1772	 * doing full reassembly. */
1773	uses_wps_a = wpa_scan_get_vendor_ie(wa, WPS_IE_VENDOR_TYPE) != NULL;
1774	uses_wps_b = wpa_scan_get_vendor_ie(wb, WPS_IE_VENDOR_TYPE) != NULL;
1775	if (uses_wps_a && !uses_wps_b)
1776		return -1;
1777	if (!uses_wps_a && uses_wps_b)
1778		return 1;
1779
1780	if (uses_wps_a && uses_wps_b) {
1781		wps_a = wpa_scan_get_vendor_ie_multi(wa, WPS_IE_VENDOR_TYPE);
1782		wps_b = wpa_scan_get_vendor_ie_multi(wb, WPS_IE_VENDOR_TYPE);
1783		res = wps_ap_priority_compar(wps_a, wps_b);
1784		wpabuf_free(wps_a);
1785		wpabuf_free(wps_b);
1786		if (res)
1787			return res;
1788	}
1789
1790	/*
1791	 * Do not use current AP security policy as a sorting criteria during
1792	 * WPS provisioning step since the AP may get reconfigured at the
1793	 * completion of provisioning.
1794	 */
1795
1796	/* all things being equal, use signal level; if signal levels are
1797	 * identical, use quality values since some drivers may only report
1798	 * that value and leave the signal level zero */
1799	if (wb->level == wa->level)
1800		return wb->qual - wa->qual;
1801	return wb->level - wa->level;
1802}
1803#endif /* CONFIG_WPS */
1804
1805
1806static void dump_scan_res(struct wpa_scan_results *scan_res)
1807{
1808#ifndef CONFIG_NO_STDOUT_DEBUG
1809	size_t i;
1810
1811	if (scan_res->res == NULL || scan_res->num == 0)
1812		return;
1813
1814	wpa_printf(MSG_EXCESSIVE, "Sorted scan results");
1815
1816	for (i = 0; i < scan_res->num; i++) {
1817		struct wpa_scan_res *r = scan_res->res[i];
1818		u8 *pos;
1819		if (r->flags & WPA_SCAN_LEVEL_DBM) {
1820			int noise_valid = !(r->flags & WPA_SCAN_NOISE_INVALID);
1821
1822			wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
1823				   "noise=%d%s level=%d snr=%d%s flags=0x%x age=%u est=%u",
1824				   MAC2STR(r->bssid), r->freq, r->qual,
1825				   r->noise, noise_valid ? "" : "~", r->level,
1826				   r->snr, r->snr >= GREAT_SNR ? "*" : "",
1827				   r->flags,
1828				   r->age, r->est_throughput);
1829		} else {
1830			wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
1831				   "noise=%d level=%d flags=0x%x age=%u est=%u",
1832				   MAC2STR(r->bssid), r->freq, r->qual,
1833				   r->noise, r->level, r->flags, r->age,
1834				   r->est_throughput);
1835		}
1836		pos = (u8 *) (r + 1);
1837		if (r->ie_len)
1838			wpa_hexdump(MSG_EXCESSIVE, "IEs", pos, r->ie_len);
1839		pos += r->ie_len;
1840		if (r->beacon_ie_len)
1841			wpa_hexdump(MSG_EXCESSIVE, "Beacon IEs",
1842				    pos, r->beacon_ie_len);
1843	}
1844#endif /* CONFIG_NO_STDOUT_DEBUG */
1845}
1846
1847
1848/**
1849 * wpa_supplicant_filter_bssid_match - Is the specified BSSID allowed
1850 * @wpa_s: Pointer to wpa_supplicant data
1851 * @bssid: BSSID to check
1852 * Returns: 0 if the BSSID is filtered or 1 if not
1853 *
1854 * This function is used to filter out specific BSSIDs from scan reslts mainly
1855 * for testing purposes (SET bssid_filter ctrl_iface command).
1856 */
1857int wpa_supplicant_filter_bssid_match(struct wpa_supplicant *wpa_s,
1858				      const u8 *bssid)
1859{
1860	size_t i;
1861
1862	if (wpa_s->bssid_filter == NULL)
1863		return 1;
1864
1865	for (i = 0; i < wpa_s->bssid_filter_count; i++) {
1866		if (os_memcmp(wpa_s->bssid_filter + i * ETH_ALEN, bssid,
1867			      ETH_ALEN) == 0)
1868			return 1;
1869	}
1870
1871	return 0;
1872}
1873
1874
1875static void filter_scan_res(struct wpa_supplicant *wpa_s,
1876			    struct wpa_scan_results *res)
1877{
1878	size_t i, j;
1879
1880	if (wpa_s->bssid_filter == NULL)
1881		return;
1882
1883	for (i = 0, j = 0; i < res->num; i++) {
1884		if (wpa_supplicant_filter_bssid_match(wpa_s,
1885						      res->res[i]->bssid)) {
1886			res->res[j++] = res->res[i];
1887		} else {
1888			os_free(res->res[i]);
1889			res->res[i] = NULL;
1890		}
1891	}
1892
1893	if (res->num != j) {
1894		wpa_printf(MSG_DEBUG, "Filtered out %d scan results",
1895			   (int) (res->num - j));
1896		res->num = j;
1897	}
1898}
1899
1900
1901/*
1902 * Noise floor values to use when we have signal strength
1903 * measurements, but no noise floor measurements. These values were
1904 * measured in an office environment with many APs.
1905 */
1906#define DEFAULT_NOISE_FLOOR_2GHZ (-89)
1907#define DEFAULT_NOISE_FLOOR_5GHZ (-92)
1908
1909static void scan_snr(struct wpa_scan_res *res)
1910{
1911	if (res->flags & WPA_SCAN_NOISE_INVALID) {
1912		res->noise = IS_5GHZ(res->freq) ?
1913			DEFAULT_NOISE_FLOOR_5GHZ :
1914			DEFAULT_NOISE_FLOOR_2GHZ;
1915	}
1916
1917	if (res->flags & WPA_SCAN_LEVEL_DBM) {
1918		res->snr = res->level - res->noise;
1919	} else {
1920		/* Level is not in dBm, so we can't calculate
1921		 * SNR. Just use raw level (units unknown). */
1922		res->snr = res->level;
1923	}
1924}
1925
1926
1927static unsigned int max_ht20_rate(int snr)
1928{
1929	if (snr < 6)
1930		return 6500; /* HT20 MCS0 */
1931	if (snr < 8)
1932		return 13000; /* HT20 MCS1 */
1933	if (snr < 13)
1934		return 19500; /* HT20 MCS2 */
1935	if (snr < 17)
1936		return 26000; /* HT20 MCS3 */
1937	if (snr < 20)
1938		return 39000; /* HT20 MCS4 */
1939	if (snr < 23)
1940		return 52000; /* HT20 MCS5 */
1941	if (snr < 24)
1942		return 58500; /* HT20 MCS6 */
1943	return 65000; /* HT20 MCS7 */
1944}
1945
1946
1947static unsigned int max_ht40_rate(int snr)
1948{
1949	if (snr < 3)
1950		return 13500; /* HT40 MCS0 */
1951	if (snr < 6)
1952		return 27000; /* HT40 MCS1 */
1953	if (snr < 10)
1954		return 40500; /* HT40 MCS2 */
1955	if (snr < 15)
1956		return 54000; /* HT40 MCS3 */
1957	if (snr < 17)
1958		return 81000; /* HT40 MCS4 */
1959	if (snr < 22)
1960		return 108000; /* HT40 MCS5 */
1961	if (snr < 24)
1962		return 121500; /* HT40 MCS6 */
1963	return 135000; /* HT40 MCS7 */
1964}
1965
1966
1967static unsigned int max_vht80_rate(int snr)
1968{
1969	if (snr < 1)
1970		return 0;
1971	if (snr < 2)
1972		return 29300; /* VHT80 MCS0 */
1973	if (snr < 5)
1974		return 58500; /* VHT80 MCS1 */
1975	if (snr < 9)
1976		return 87800; /* VHT80 MCS2 */
1977	if (snr < 11)
1978		return 117000; /* VHT80 MCS3 */
1979	if (snr < 15)
1980		return 175500; /* VHT80 MCS4 */
1981	if (snr < 16)
1982		return 234000; /* VHT80 MCS5 */
1983	if (snr < 18)
1984		return 263300; /* VHT80 MCS6 */
1985	if (snr < 20)
1986		return 292500; /* VHT80 MCS7 */
1987	if (snr < 22)
1988		return 351000; /* VHT80 MCS8 */
1989	return 390000; /* VHT80 MCS9 */
1990}
1991
1992
1993static void scan_est_throughput(struct wpa_supplicant *wpa_s,
1994				struct wpa_scan_res *res)
1995{
1996	enum local_hw_capab capab = wpa_s->hw_capab;
1997	int rate; /* max legacy rate in 500 kb/s units */
1998	const u8 *ie;
1999	unsigned int est, tmp;
2000	int snr = res->snr;
2001
2002	if (res->est_throughput)
2003		return;
2004
2005	/* Get maximum legacy rate */
2006	rate = wpa_scan_get_max_rate(res);
2007
2008	/* Limit based on estimated SNR */
2009	if (rate > 1 * 2 && snr < 1)
2010		rate = 1 * 2;
2011	else if (rate > 2 * 2 && snr < 4)
2012		rate = 2 * 2;
2013	else if (rate > 6 * 2 && snr < 5)
2014		rate = 6 * 2;
2015	else if (rate > 9 * 2 && snr < 6)
2016		rate = 9 * 2;
2017	else if (rate > 12 * 2 && snr < 7)
2018		rate = 12 * 2;
2019	else if (rate > 18 * 2 && snr < 10)
2020		rate = 18 * 2;
2021	else if (rate > 24 * 2 && snr < 11)
2022		rate = 24 * 2;
2023	else if (rate > 36 * 2 && snr < 15)
2024		rate = 36 * 2;
2025	else if (rate > 48 * 2 && snr < 19)
2026		rate = 48 * 2;
2027	else if (rate > 54 * 2 && snr < 21)
2028		rate = 54 * 2;
2029	est = rate * 500;
2030
2031	if (capab == CAPAB_HT || capab == CAPAB_HT40 || capab == CAPAB_VHT) {
2032		ie = wpa_scan_get_ie(res, WLAN_EID_HT_CAP);
2033		if (ie) {
2034			tmp = max_ht20_rate(snr);
2035			if (tmp > est)
2036				est = tmp;
2037		}
2038	}
2039
2040	if (capab == CAPAB_HT40 || capab == CAPAB_VHT) {
2041		ie = wpa_scan_get_ie(res, WLAN_EID_HT_OPERATION);
2042		if (ie && ie[1] >= 2 &&
2043		    (ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK)) {
2044			tmp = max_ht40_rate(snr);
2045			if (tmp > est)
2046				est = tmp;
2047		}
2048	}
2049
2050	if (capab == CAPAB_VHT) {
2051		/* Use +1 to assume VHT is always faster than HT */
2052		ie = wpa_scan_get_ie(res, WLAN_EID_VHT_CAP);
2053		if (ie) {
2054			tmp = max_ht20_rate(snr) + 1;
2055			if (tmp > est)
2056				est = tmp;
2057
2058			ie = wpa_scan_get_ie(res, WLAN_EID_HT_OPERATION);
2059			if (ie && ie[1] >= 2 &&
2060			    (ie[3] &
2061			     HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK)) {
2062				tmp = max_ht40_rate(snr) + 1;
2063				if (tmp > est)
2064					est = tmp;
2065			}
2066
2067			ie = wpa_scan_get_ie(res, WLAN_EID_VHT_OPERATION);
2068			if (ie && ie[1] >= 1 &&
2069			    (ie[2] & VHT_OPMODE_CHANNEL_WIDTH_MASK)) {
2070				tmp = max_vht80_rate(snr) + 1;
2071				if (tmp > est)
2072					est = tmp;
2073			}
2074		}
2075	}
2076
2077	/* TODO: channel utilization and AP load (e.g., from AP Beacon) */
2078
2079	res->est_throughput = est;
2080}
2081
2082
2083/**
2084 * wpa_supplicant_get_scan_results - Get scan results
2085 * @wpa_s: Pointer to wpa_supplicant data
2086 * @info: Information about what was scanned or %NULL if not available
2087 * @new_scan: Whether a new scan was performed
2088 * Returns: Scan results, %NULL on failure
2089 *
2090 * This function request the current scan results from the driver and updates
2091 * the local BSS list wpa_s->bss. The caller is responsible for freeing the
2092 * results with wpa_scan_results_free().
2093 */
2094struct wpa_scan_results *
2095wpa_supplicant_get_scan_results(struct wpa_supplicant *wpa_s,
2096				struct scan_info *info, int new_scan)
2097{
2098	struct wpa_scan_results *scan_res;
2099	size_t i;
2100	int (*compar)(const void *, const void *) = wpa_scan_result_compar;
2101
2102	scan_res = wpa_drv_get_scan_results2(wpa_s);
2103	if (scan_res == NULL) {
2104		wpa_dbg(wpa_s, MSG_DEBUG, "Failed to get scan results");
2105		return NULL;
2106	}
2107	if (scan_res->fetch_time.sec == 0) {
2108		/*
2109		 * Make sure we have a valid timestamp if the driver wrapper
2110		 * does not set this.
2111		 */
2112		os_get_reltime(&scan_res->fetch_time);
2113	}
2114	filter_scan_res(wpa_s, scan_res);
2115
2116	for (i = 0; i < scan_res->num; i++) {
2117		struct wpa_scan_res *scan_res_item = scan_res->res[i];
2118
2119		scan_snr(scan_res_item);
2120		scan_est_throughput(wpa_s, scan_res_item);
2121	}
2122
2123#ifdef CONFIG_WPS
2124	if (wpas_wps_searching(wpa_s)) {
2125		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Order scan results with WPS "
2126			"provisioning rules");
2127		compar = wpa_scan_result_wps_compar;
2128	}
2129#endif /* CONFIG_WPS */
2130
2131	qsort(scan_res->res, scan_res->num, sizeof(struct wpa_scan_res *),
2132	      compar);
2133	dump_scan_res(scan_res);
2134
2135	wpa_bss_update_start(wpa_s);
2136	for (i = 0; i < scan_res->num; i++)
2137		wpa_bss_update_scan_res(wpa_s, scan_res->res[i],
2138					&scan_res->fetch_time);
2139	wpa_bss_update_end(wpa_s, info, new_scan);
2140
2141	return scan_res;
2142}
2143
2144
2145/**
2146 * wpa_supplicant_update_scan_results - Update scan results from the driver
2147 * @wpa_s: Pointer to wpa_supplicant data
2148 * Returns: 0 on success, -1 on failure
2149 *
2150 * This function updates the BSS table within wpa_supplicant based on the
2151 * currently available scan results from the driver without requesting a new
2152 * scan. This is used in cases where the driver indicates an association
2153 * (including roaming within ESS) and wpa_supplicant does not yet have the
2154 * needed information to complete the connection (e.g., to perform validation
2155 * steps in 4-way handshake).
2156 */
2157int wpa_supplicant_update_scan_results(struct wpa_supplicant *wpa_s)
2158{
2159	struct wpa_scan_results *scan_res;
2160	scan_res = wpa_supplicant_get_scan_results(wpa_s, NULL, 0);
2161	if (scan_res == NULL)
2162		return -1;
2163	wpa_scan_results_free(scan_res);
2164
2165	return 0;
2166}
2167
2168
2169/**
2170 * scan_only_handler - Reports scan results
2171 */
2172void scan_only_handler(struct wpa_supplicant *wpa_s,
2173		       struct wpa_scan_results *scan_res)
2174{
2175	wpa_dbg(wpa_s, MSG_DEBUG, "Scan-only results received");
2176	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
2177	    wpa_s->manual_scan_use_id && wpa_s->own_scan_running) {
2178		wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
2179			     wpa_s->manual_scan_id);
2180		wpa_s->manual_scan_use_id = 0;
2181	} else {
2182		wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
2183	}
2184	wpas_notify_scan_results(wpa_s);
2185	wpas_notify_scan_done(wpa_s, 1);
2186	if (wpa_s->scan_work) {
2187		struct wpa_radio_work *work = wpa_s->scan_work;
2188		wpa_s->scan_work = NULL;
2189		radio_work_done(work);
2190	}
2191
2192	if (wpa_s->wpa_state == WPA_SCANNING)
2193		wpa_supplicant_set_state(wpa_s, wpa_s->scan_prev_wpa_state);
2194}
2195
2196
2197int wpas_scan_scheduled(struct wpa_supplicant *wpa_s)
2198{
2199	return eloop_is_timeout_registered(wpa_supplicant_scan, wpa_s, NULL);
2200}
2201
2202
2203struct wpa_driver_scan_params *
2204wpa_scan_clone_params(const struct wpa_driver_scan_params *src)
2205{
2206	struct wpa_driver_scan_params *params;
2207	size_t i;
2208	u8 *n;
2209
2210	params = os_zalloc(sizeof(*params));
2211	if (params == NULL)
2212		return NULL;
2213
2214	for (i = 0; i < src->num_ssids; i++) {
2215		if (src->ssids[i].ssid) {
2216			n = os_malloc(src->ssids[i].ssid_len);
2217			if (n == NULL)
2218				goto failed;
2219			os_memcpy(n, src->ssids[i].ssid,
2220				  src->ssids[i].ssid_len);
2221			params->ssids[i].ssid = n;
2222			params->ssids[i].ssid_len = src->ssids[i].ssid_len;
2223		}
2224	}
2225	params->num_ssids = src->num_ssids;
2226
2227	if (src->extra_ies) {
2228		n = os_malloc(src->extra_ies_len);
2229		if (n == NULL)
2230			goto failed;
2231		os_memcpy(n, src->extra_ies, src->extra_ies_len);
2232		params->extra_ies = n;
2233		params->extra_ies_len = src->extra_ies_len;
2234	}
2235
2236	if (src->freqs) {
2237		int len = int_array_len(src->freqs);
2238		params->freqs = os_malloc((len + 1) * sizeof(int));
2239		if (params->freqs == NULL)
2240			goto failed;
2241		os_memcpy(params->freqs, src->freqs, (len + 1) * sizeof(int));
2242	}
2243
2244	if (src->filter_ssids) {
2245		params->filter_ssids = os_malloc(sizeof(*params->filter_ssids) *
2246						 src->num_filter_ssids);
2247		if (params->filter_ssids == NULL)
2248			goto failed;
2249		os_memcpy(params->filter_ssids, src->filter_ssids,
2250			  sizeof(*params->filter_ssids) *
2251			  src->num_filter_ssids);
2252		params->num_filter_ssids = src->num_filter_ssids;
2253	}
2254
2255	params->filter_rssi = src->filter_rssi;
2256	params->p2p_probe = src->p2p_probe;
2257	params->only_new_results = src->only_new_results;
2258	params->low_priority = src->low_priority;
2259
2260	if (src->sched_scan_plans_num > 0) {
2261		params->sched_scan_plans =
2262			os_malloc(sizeof(*src->sched_scan_plans) *
2263				  src->sched_scan_plans_num);
2264		if (!params->sched_scan_plans)
2265			goto failed;
2266
2267		os_memcpy(params->sched_scan_plans, src->sched_scan_plans,
2268			  sizeof(*src->sched_scan_plans) *
2269			  src->sched_scan_plans_num);
2270		params->sched_scan_plans_num = src->sched_scan_plans_num;
2271	}
2272
2273	if (src->mac_addr_rand) {
2274		params->mac_addr_rand = src->mac_addr_rand;
2275
2276		if (src->mac_addr && src->mac_addr_mask) {
2277			u8 *mac_addr;
2278
2279			mac_addr = os_malloc(2 * ETH_ALEN);
2280			if (!mac_addr)
2281				goto failed;
2282
2283			os_memcpy(mac_addr, src->mac_addr, ETH_ALEN);
2284			os_memcpy(mac_addr + ETH_ALEN, src->mac_addr_mask,
2285				  ETH_ALEN);
2286			params->mac_addr = mac_addr;
2287			params->mac_addr_mask = mac_addr + ETH_ALEN;
2288		}
2289	}
2290
2291	if (src->bssid) {
2292		u8 *bssid;
2293
2294		bssid = os_malloc(ETH_ALEN);
2295		if (!bssid)
2296			goto failed;
2297		os_memcpy(bssid, src->bssid, ETH_ALEN);
2298		params->bssid = bssid;
2299	}
2300
2301	return params;
2302
2303failed:
2304	wpa_scan_free_params(params);
2305	return NULL;
2306}
2307
2308
2309void wpa_scan_free_params(struct wpa_driver_scan_params *params)
2310{
2311	size_t i;
2312
2313	if (params == NULL)
2314		return;
2315
2316	for (i = 0; i < params->num_ssids; i++)
2317		os_free((u8 *) params->ssids[i].ssid);
2318	os_free((u8 *) params->extra_ies);
2319	os_free(params->freqs);
2320	os_free(params->filter_ssids);
2321	os_free(params->sched_scan_plans);
2322
2323	/*
2324	 * Note: params->mac_addr_mask points to same memory allocation and
2325	 * must not be freed separately.
2326	 */
2327	os_free((u8 *) params->mac_addr);
2328
2329	os_free((u8 *) params->bssid);
2330
2331	os_free(params);
2332}
2333
2334
2335int wpas_start_pno(struct wpa_supplicant *wpa_s)
2336{
2337	int ret, prio;
2338	size_t i, num_ssid, num_match_ssid;
2339	struct wpa_ssid *ssid;
2340	struct wpa_driver_scan_params params;
2341	struct sched_scan_plan scan_plan;
2342	unsigned int max_sched_scan_ssids;
2343
2344	if (!wpa_s->sched_scan_supported)
2345		return -1;
2346
2347	if (wpa_s->max_sched_scan_ssids > WPAS_MAX_SCAN_SSIDS)
2348		max_sched_scan_ssids = WPAS_MAX_SCAN_SSIDS;
2349	else
2350		max_sched_scan_ssids = wpa_s->max_sched_scan_ssids;
2351	if (max_sched_scan_ssids < 1)
2352		return -1;
2353
2354	if (wpa_s->pno || wpa_s->pno_sched_pending)
2355		return 0;
2356
2357	if ((wpa_s->wpa_state > WPA_SCANNING) &&
2358	    (wpa_s->wpa_state <= WPA_COMPLETED)) {
2359		wpa_printf(MSG_ERROR, "PNO: In assoc process");
2360		return -EAGAIN;
2361	}
2362
2363	if (wpa_s->wpa_state == WPA_SCANNING) {
2364		wpa_supplicant_cancel_scan(wpa_s);
2365		if (wpa_s->sched_scanning) {
2366			wpa_printf(MSG_DEBUG, "Schedule PNO on completion of "
2367				   "ongoing sched scan");
2368			wpa_supplicant_cancel_sched_scan(wpa_s);
2369			wpa_s->pno_sched_pending = 1;
2370			return 0;
2371		}
2372	}
2373
2374	os_memset(&params, 0, sizeof(params));
2375
2376	num_ssid = num_match_ssid = 0;
2377	ssid = wpa_s->conf->ssid;
2378	while (ssid) {
2379		if (!wpas_network_disabled(wpa_s, ssid)) {
2380			num_match_ssid++;
2381			if (ssid->scan_ssid)
2382				num_ssid++;
2383		}
2384		ssid = ssid->next;
2385	}
2386
2387	if (num_match_ssid == 0) {
2388		wpa_printf(MSG_DEBUG, "PNO: No configured SSIDs");
2389		return -1;
2390	}
2391
2392	if (num_match_ssid > num_ssid) {
2393		params.num_ssids++; /* wildcard */
2394		num_ssid++;
2395	}
2396
2397	if (num_ssid > max_sched_scan_ssids) {
2398		wpa_printf(MSG_DEBUG, "PNO: Use only the first %u SSIDs from "
2399			   "%u", max_sched_scan_ssids, (unsigned int) num_ssid);
2400		num_ssid = max_sched_scan_ssids;
2401	}
2402
2403	if (num_match_ssid > wpa_s->max_match_sets) {
2404		num_match_ssid = wpa_s->max_match_sets;
2405		wpa_dbg(wpa_s, MSG_DEBUG, "PNO: Too many SSIDs to match");
2406	}
2407	params.filter_ssids = os_calloc(num_match_ssid,
2408					sizeof(struct wpa_driver_scan_filter));
2409	if (params.filter_ssids == NULL)
2410		return -1;
2411
2412	i = 0;
2413	prio = 0;
2414	ssid = wpa_s->conf->pssid[prio];
2415	while (ssid) {
2416		if (!wpas_network_disabled(wpa_s, ssid)) {
2417			if (ssid->scan_ssid && params.num_ssids < num_ssid) {
2418				params.ssids[params.num_ssids].ssid =
2419					ssid->ssid;
2420				params.ssids[params.num_ssids].ssid_len =
2421					 ssid->ssid_len;
2422				params.num_ssids++;
2423			}
2424			os_memcpy(params.filter_ssids[i].ssid, ssid->ssid,
2425				  ssid->ssid_len);
2426			params.filter_ssids[i].ssid_len = ssid->ssid_len;
2427			params.num_filter_ssids++;
2428			i++;
2429			if (i == num_match_ssid)
2430				break;
2431		}
2432		if (ssid->pnext)
2433			ssid = ssid->pnext;
2434		else if (prio + 1 == wpa_s->conf->num_prio)
2435			break;
2436		else
2437			ssid = wpa_s->conf->pssid[++prio];
2438	}
2439
2440	if (wpa_s->conf->filter_rssi)
2441		params.filter_rssi = wpa_s->conf->filter_rssi;
2442
2443	if (wpa_s->sched_scan_plans_num) {
2444		params.sched_scan_plans = wpa_s->sched_scan_plans;
2445		params.sched_scan_plans_num = wpa_s->sched_scan_plans_num;
2446	} else {
2447		/* Set one scan plan that will run infinitely */
2448		if (wpa_s->conf->sched_scan_interval)
2449			scan_plan.interval = wpa_s->conf->sched_scan_interval;
2450		else
2451			scan_plan.interval = 10;
2452
2453		scan_plan.iterations = 0;
2454		params.sched_scan_plans = &scan_plan;
2455		params.sched_scan_plans_num = 1;
2456	}
2457
2458	if (params.freqs == NULL && wpa_s->manual_sched_scan_freqs) {
2459		wpa_dbg(wpa_s, MSG_DEBUG, "Limit sched scan to specified channels");
2460		params.freqs = wpa_s->manual_sched_scan_freqs;
2461	}
2462
2463	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_PNO) {
2464		params.mac_addr_rand = 1;
2465		if (wpa_s->mac_addr_pno) {
2466			params.mac_addr = wpa_s->mac_addr_pno;
2467			params.mac_addr_mask = wpa_s->mac_addr_pno + ETH_ALEN;
2468		}
2469	}
2470
2471	ret = wpa_supplicant_start_sched_scan(wpa_s, &params);
2472	os_free(params.filter_ssids);
2473	if (ret == 0)
2474		wpa_s->pno = 1;
2475	else
2476		wpa_msg(wpa_s, MSG_ERROR, "Failed to schedule PNO");
2477	return ret;
2478}
2479
2480
2481int wpas_stop_pno(struct wpa_supplicant *wpa_s)
2482{
2483	int ret = 0;
2484
2485	if (!wpa_s->pno)
2486		return 0;
2487
2488	ret = wpa_supplicant_stop_sched_scan(wpa_s);
2489
2490	wpa_s->pno = 0;
2491	wpa_s->pno_sched_pending = 0;
2492
2493	if (wpa_s->wpa_state == WPA_SCANNING)
2494		wpa_supplicant_req_scan(wpa_s, 0, 0);
2495
2496	return ret;
2497}
2498
2499
2500void wpas_mac_addr_rand_scan_clear(struct wpa_supplicant *wpa_s,
2501				    unsigned int type)
2502{
2503	type &= MAC_ADDR_RAND_ALL;
2504	wpa_s->mac_addr_rand_enable &= ~type;
2505
2506	if (type & MAC_ADDR_RAND_SCAN) {
2507		os_free(wpa_s->mac_addr_scan);
2508		wpa_s->mac_addr_scan = NULL;
2509	}
2510
2511	if (type & MAC_ADDR_RAND_SCHED_SCAN) {
2512		os_free(wpa_s->mac_addr_sched_scan);
2513		wpa_s->mac_addr_sched_scan = NULL;
2514	}
2515
2516	if (type & MAC_ADDR_RAND_PNO) {
2517		os_free(wpa_s->mac_addr_pno);
2518		wpa_s->mac_addr_pno = NULL;
2519	}
2520}
2521
2522
2523int wpas_mac_addr_rand_scan_set(struct wpa_supplicant *wpa_s,
2524				unsigned int type, const u8 *addr,
2525				const u8 *mask)
2526{
2527	u8 *tmp = NULL;
2528
2529	wpas_mac_addr_rand_scan_clear(wpa_s, type);
2530
2531	if (addr) {
2532		tmp = os_malloc(2 * ETH_ALEN);
2533		if (!tmp)
2534			return -1;
2535		os_memcpy(tmp, addr, ETH_ALEN);
2536		os_memcpy(tmp + ETH_ALEN, mask, ETH_ALEN);
2537	}
2538
2539	if (type == MAC_ADDR_RAND_SCAN) {
2540		wpa_s->mac_addr_scan = tmp;
2541	} else if (type == MAC_ADDR_RAND_SCHED_SCAN) {
2542		wpa_s->mac_addr_sched_scan = tmp;
2543	} else if (type == MAC_ADDR_RAND_PNO) {
2544		wpa_s->mac_addr_pno = tmp;
2545	} else {
2546		wpa_printf(MSG_INFO,
2547			   "scan: Invalid MAC randomization type=0x%x",
2548			   type);
2549		os_free(tmp);
2550		return -1;
2551	}
2552
2553	wpa_s->mac_addr_rand_enable |= type;
2554	return 0;
2555}
2556
2557
2558int wpas_abort_ongoing_scan(struct wpa_supplicant *wpa_s)
2559{
2560	int scan_work = !!wpa_s->scan_work;
2561
2562#ifdef CONFIG_P2P
2563	scan_work |= !!wpa_s->p2p_scan_work;
2564#endif /* CONFIG_P2P */
2565
2566	if (scan_work && wpa_s->own_scan_running) {
2567		wpa_dbg(wpa_s, MSG_DEBUG, "Abort an ongoing scan");
2568		return wpa_drv_abort_scan(wpa_s);
2569	}
2570
2571	return 0;
2572}
2573
2574
2575int wpas_sched_scan_plans_set(struct wpa_supplicant *wpa_s, const char *cmd)
2576{
2577	struct sched_scan_plan *scan_plans = NULL;
2578	const char *token, *context = NULL;
2579	unsigned int num = 0;
2580
2581	if (!cmd)
2582		return -1;
2583
2584	if (!cmd[0]) {
2585		wpa_printf(MSG_DEBUG, "Clear sched scan plans");
2586		os_free(wpa_s->sched_scan_plans);
2587		wpa_s->sched_scan_plans = NULL;
2588		wpa_s->sched_scan_plans_num = 0;
2589		return 0;
2590	}
2591
2592	while ((token = cstr_token(cmd, " ", &context))) {
2593		int ret;
2594		struct sched_scan_plan *scan_plan, *n;
2595
2596		n = os_realloc_array(scan_plans, num + 1, sizeof(*scan_plans));
2597		if (!n)
2598			goto fail;
2599
2600		scan_plans = n;
2601		scan_plan = &scan_plans[num];
2602		num++;
2603
2604		ret = sscanf(token, "%u:%u", &scan_plan->interval,
2605			     &scan_plan->iterations);
2606		if (ret <= 0 || ret > 2 || !scan_plan->interval) {
2607			wpa_printf(MSG_ERROR,
2608				   "Invalid sched scan plan input: %s", token);
2609			goto fail;
2610		}
2611
2612		if (!scan_plan->interval) {
2613			wpa_printf(MSG_ERROR,
2614				   "scan plan %u: Interval cannot be zero",
2615				   num);
2616			goto fail;
2617		}
2618
2619		if (scan_plan->interval > wpa_s->max_sched_scan_plan_interval) {
2620			wpa_printf(MSG_WARNING,
2621				   "scan plan %u: Scan interval too long(%u), use the maximum allowed(%u)",
2622				   num, scan_plan->interval,
2623				   wpa_s->max_sched_scan_plan_interval);
2624			scan_plan->interval =
2625				wpa_s->max_sched_scan_plan_interval;
2626		}
2627
2628		if (ret == 1) {
2629			scan_plan->iterations = 0;
2630			break;
2631		}
2632
2633		if (!scan_plan->iterations) {
2634			wpa_printf(MSG_ERROR,
2635				   "scan plan %u: Number of iterations cannot be zero",
2636				   num);
2637			goto fail;
2638		}
2639
2640		if (scan_plan->iterations >
2641		    wpa_s->max_sched_scan_plan_iterations) {
2642			wpa_printf(MSG_WARNING,
2643				   "scan plan %u: Too many iterations(%u), use the maximum allowed(%u)",
2644				   num, scan_plan->iterations,
2645				   wpa_s->max_sched_scan_plan_iterations);
2646			scan_plan->iterations =
2647				wpa_s->max_sched_scan_plan_iterations;
2648		}
2649
2650		wpa_printf(MSG_DEBUG,
2651			   "scan plan %u: interval=%u iterations=%u",
2652			   num, scan_plan->interval, scan_plan->iterations);
2653	}
2654
2655	if (!scan_plans) {
2656		wpa_printf(MSG_ERROR, "Invalid scan plans entry");
2657		goto fail;
2658	}
2659
2660	if (cstr_token(cmd, " ", &context) || scan_plans[num - 1].iterations) {
2661		wpa_printf(MSG_ERROR,
2662			   "All scan plans but the last must specify a number of iterations");
2663		goto fail;
2664	}
2665
2666	wpa_printf(MSG_DEBUG, "scan plan %u (last plan): interval=%u",
2667		   num, scan_plans[num - 1].interval);
2668
2669	if (num > wpa_s->max_sched_scan_plans) {
2670		wpa_printf(MSG_WARNING,
2671			   "Too many scheduled scan plans (only %u supported)",
2672			   wpa_s->max_sched_scan_plans);
2673		wpa_printf(MSG_WARNING,
2674			   "Use only the first %u scan plans, and the last one (in infinite loop)",
2675			   wpa_s->max_sched_scan_plans - 1);
2676		os_memcpy(&scan_plans[wpa_s->max_sched_scan_plans - 1],
2677			  &scan_plans[num - 1], sizeof(*scan_plans));
2678		num = wpa_s->max_sched_scan_plans;
2679	}
2680
2681	os_free(wpa_s->sched_scan_plans);
2682	wpa_s->sched_scan_plans = scan_plans;
2683	wpa_s->sched_scan_plans_num = num;
2684
2685	return 0;
2686
2687fail:
2688	os_free(scan_plans);
2689	wpa_printf(MSG_ERROR, "invalid scan plans list");
2690	return -1;
2691}
2692