qcacld-3.0: Fix FT-FILS roaming failure

The AP rejects the FILS-IM association request with reason
"Invalid IE format". In the assoc request, two problems are
seen:
    1. The RSN IE has a junk group management cipher suite.
    2. FILS HLP container IE is fragmented, and the fragment
       IE does not immediately follow the HLP container IE.

In the assoc request, the RSN IE encoded in the authentication
is unpacked and the PMKID is replaced with the pmkr1 name
derived at the end of FILS authentication. Currently, the
existing PMKID in the RSN IE is replaced only if the group
management cipher is present. In non-802.11w case, the new
PMKID is appended at the end of existing PMKID, and leads to
improper IE format.

To fix this, replace the existing PMKID whenever PMKID is
present.

To fix invalid HLP container IE format, encode the HLP
container and its fragment IEs together in the assoc request.

Also, inorder to get the pmksa match from the crypto table for
a FT-FILS, fill both ssid and cache ID. Without cache id, the
cached entry is not updated with MDIE.

Change-Id: I654b5527a726eb7872b90fb19a3d97623f3caa68
CRs-Fixed: 3233081

components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c

@@ -4983,7 +4983,8 @@ out:
 	return status;
 }
 
-void cm_update_pmk_cache_ft(struct wlan_objmgr_psoc *psoc, uint8_t vdev_id)
+void cm_update_pmk_cache_ft(struct wlan_objmgr_psoc *psoc, uint8_t vdev_id,
+			    struct wlan_crypto_pmksa *pmk_cache)
 {
 	QDF_STATUS status = QDF_STATUS_E_INVAL;
 	struct wlan_objmgr_vdev *vdev;
@@ -5016,8 +5017,12 @@ void cm_update_pmk_cache_ft(struct wlan_objmgr_psoc *psoc, uint8_t vdev_id)
 	 */
 	wlan_vdev_get_bss_peer_mac(vdev, &pmksa.bssid);
 	wlan_vdev_mlme_get_ssid(vdev, pmksa.ssid, &pmksa.ssid_len);
-	wlan_cm_roam_cfg_get_value(psoc, vdev_id,
-				   MOBILITY_DOMAIN, &src_cfg);
+	wlan_cm_roam_cfg_get_value(psoc, vdev_id, MOBILITY_DOMAIN, &src_cfg);
+
+	if (pmk_cache)
+		qdf_mem_copy(pmksa.cache_id, pmk_cache->cache_id,
+			     WLAN_CACHE_ID_LEN);
+
 	if (src_cfg.bool_value) {
 		pmksa.mdid.mdie_present = 1;
 		pmksa.mdid.mobility_domain = src_cfg.uint_value;

components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.h

@@ -335,10 +335,12 @@ QDF_STATUS cm_roam_control_restore_default_config(struct wlan_objmgr_pdev *pdev,
  * cm_update_pmk_cache_ft - API to update MDID in PMKSA cache entry
  * @psoc: psoc pointer
  * @vdev_id: dvev ID
+ * @pmk_cache: pmksa from the userspace
  *
  * Return: None
  */
-void cm_update_pmk_cache_ft(struct wlan_objmgr_psoc *psoc, uint8_t vdev_id);
+void cm_update_pmk_cache_ft(struct wlan_objmgr_psoc *psoc, uint8_t vdev_id,
+			    struct wlan_crypto_pmksa *pmk_cache);
 
 /**
  * cm_lookup_pmkid_using_bssid() - lookup pmkid using bssid

components/umac/mlme/connection_mgr/core/src/wlan_cm_vdev_connect.c

@@ -1423,7 +1423,7 @@ static void cm_process_connect_complete(struct wlan_objmgr_psoc *psoc,
 	akm = wlan_crypto_get_param(vdev, WLAN_CRYPTO_PARAM_KEY_MGMT);
 	if (QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_SAE)) {
 		mlme_debug("Update the MDID in PMK cache for FT-SAE case");
-		cm_update_pmk_cache_ft(psoc, vdev_id);
+		cm_update_pmk_cache_ft(psoc, vdev_id, NULL);
 	}
 
 	cm_update_owe_info(vdev, rsp, vdev_id);

core/mac/inc/sir_api.h

@@ -127,6 +127,10 @@ typedef uint8_t tSirVersionString[SIR_VERSION_STRING_LEN];
 #define SIR_KEK_KEY_LEN 16
 #define SIR_KEK_KEY_LEN_FILS 64
 
+#define SIR_FILS_HLP_OUI_TYPE  "\x5"
+#define SIR_FILS_HLP_OUI_LEN   1
+#define SIR_FILS_HLP_IE_LEN    2048
+
 #define SIR_REPLAY_CTR_LEN 8
 #ifdef WLAN_FEATURE_ROAM_OFFLOAD
 #define SIR_UAPSD_BITOFFSET_ACVO     0

core/mac/src/pe/lim/lim_process_fils.c

@@ -1303,6 +1303,8 @@ static QDF_STATUS lim_generate_fils_pmkr1_name(struct mac_context *mac_ctx,
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	buf = fils_info->rsn_ie + fils_info->rsn_ie_len;
+
 	if (fils_info->group_mgmt_cipher_present) {
 		/*
 		 * If 802.11w is enabled, group management cipher
@@ -1314,28 +1316,19 @@ static QDF_STATUS lim_generate_fils_pmkr1_name(struct mac_context *mac_ctx,
 		 * suite.
 		 */
 
-		buf = fils_info->rsn_ie + fils_info->rsn_ie_len - 4;
+		buf -= 4;
 		fils_info->rsn_ie[1] -= 4; /* strip the grp mgmt cipher len */
 		qdf_mem_copy(gp_mgmt_cipher_suite, buf, 4);
-
-		if (dot11f_ie_rsn.pmkid_count) {
-			buf -= dot11f_ie_rsn.pmkid_count * PMKID_LEN;
-			fils_info->rsn_ie[1] -=
-				dot11f_ie_rsn.pmkid_count * PMKID_LEN;
-		}
-
-		fils_info->rsn_ie[1] -= 2;
-		buf -= 2; /* skip past the pmkid count */
-		/* Clear the buffer occupied by PMKID and GRP mgmt cipher */
-		qdf_mem_zero(buf,
-			     (dot11f_ie_rsn.pmkid_count * PMKID_LEN) + 2 + 4);
-	} else {
-		buf = fils_info->rsn_ie + fils_info->rsn_ie_len;
 	}
 
-	pe_debug("FT-FILS: Construct IM assoc RSN IE: current RSN len:%d gp_mgmt_cipher_present:%d",
-		 fils_info->rsn_ie_len,
-		 fils_info->group_mgmt_cipher_present);
+	if (dot11f_ie_rsn.pmkid_count || fils_info->group_mgmt_cipher_present) {
+		/* Skip past PMKID and PMKID count */
+		buf -= (dot11f_ie_rsn.pmkid_count * PMKID_LEN) + 2;
+		fils_info->rsn_ie[1] -=
+				(dot11f_ie_rsn.pmkid_count * PMKID_LEN) + 2;
+		/* Clear the buffer occupied by PMKID */
+		qdf_mem_zero(buf, (dot11f_ie_rsn.pmkid_count * PMKID_LEN) + 2);
+	}
 
 	/*
 	 * Add PMKID count as 1. PMKID count field is 2 bytes long.

core/mac/src/pe/lim/lim_send_management_frames.c

@@ -2443,11 +2443,12 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	uint8_t mbo_ie_len = 0, adaptive_11r_ie_len = 0, rsnx_ie_len = 0;
 	uint8_t mscs_ext_ie_len = 0;
 	uint8_t *eht_cap_ie = NULL, eht_cap_ie_len = 0;
-	bool bss_mfp_capable;
+	bool bss_mfp_capable, frag_ie_present = false;
 	int8_t peer_rssi = 0;
 	bool is_band_2g;
 	uint16_t ie_buf_size;
-	uint16_t mlo_ie_len;
+	uint16_t mlo_ie_len, fils_hlp_ie_len = 0;
+	uint8_t *fils_hlp_ie = NULL;
 
 	if (!pe_session) {
 		pe_err("pe_session is NULL");
@@ -2774,6 +2775,43 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	if (lim_is_fils_connection(pe_session)) {
 		populate_dot11f_fils_params(mac_ctx, frm, pe_session);
 		aes_block_size_len = AES_BLOCK_SIZE;
+		if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
+					     add_ie, add_ie_len))
+			frag_ie_present = true;
+	}
+
+	/* Strip and append HLP container IE only if it is fragmented */
+	if (frag_ie_present &&
+	    wlan_get_ext_ie_ptr_from_ext_id(SIR_FILS_HLP_OUI_TYPE,
+					    SIR_FILS_HLP_OUI_LEN, add_ie,
+					    add_ie_len)) {
+		fils_hlp_ie = qdf_mem_malloc(SIR_FILS_HLP_IE_LEN);
+		if (!fils_hlp_ie)
+			goto end;
+
+		qdf_status =
+			lim_strip_ie(mac_ctx, add_ie, &add_ie_len,
+				     WLAN_ELEMID_EXTN_ELEM, ONE_BYTE,
+				     SIR_FILS_HLP_OUI_TYPE,
+				     SIR_FILS_HLP_OUI_LEN, fils_hlp_ie,
+				     SIR_FILS_HLP_IE_LEN - 2);
+		if (QDF_IS_STATUS_ERROR(qdf_status)) {
+			pe_err("Failed to strip FILS HLP container IE");
+			goto end;
+		}
+		fils_hlp_ie_len = fils_hlp_ie[1] + 2;
+
+		current_len = add_ie_len;
+		qdf_status =
+			lim_strip_ie(mac_ctx, add_ie, &add_ie_len,
+				     WLAN_ELEMID_FRAGMENT, ONE_BYTE,
+				     NULL, 0, &fils_hlp_ie[fils_hlp_ie_len],
+				     SIR_FILS_HLP_IE_LEN - fils_hlp_ie_len - 2);
+		if (QDF_IS_STATUS_ERROR(qdf_status)) {
+			pe_err("Failed to strip fragment IE of HLP container IE");
+			goto end;
+		}
+		fils_hlp_ie_len += current_len - add_ie_len;
 	}
 
 	/* RSNX IE for SAE PWE derivation based on H2E */
@@ -2909,7 +2947,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 
 	bytes = payload + sizeof(tSirMacMgmtHdr) + aes_block_size_len +
 		rsnx_ie_len + mbo_ie_len + adaptive_11r_ie_len +
-		mscs_ext_ie_len + vendor_ie_len + mlo_ie_len;
+		mscs_ext_ie_len + vendor_ie_len + mlo_ie_len + fils_hlp_ie_len;
 
 
 	qdf_status = cds_packet_alloc((uint16_t) bytes, (void **)&frame,
@@ -2950,6 +2988,12 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 		pe_warn("Assoc request pack warning (0x%08x)", status);
 	}
 
+	if (fils_hlp_ie && fils_hlp_ie_len) {
+		qdf_mem_copy(frame + sizeof(tSirMacMgmtHdr) + payload,
+			     fils_hlp_ie, fils_hlp_ie_len);
+		payload = payload + fils_hlp_ie_len;
+	}
+
 	/* Strip EHT capabilities IE */
 	if (lim_is_session_eht_capable(pe_session)) {
 		ie_buf_size = payload - WLAN_ASSOC_REQ_IES_OFFSET;
@@ -3105,6 +3149,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	}
 
 end:
+	qdf_mem_free(fils_hlp_ie);
 	qdf_mem_free(rsnx_ie);
 	qdf_mem_free(vendor_ies);
 	qdf_mem_free(mbo_ie);

core/sme/src/csr/csr_api_roam.c

@@ -4942,7 +4942,7 @@ QDF_STATUS csr_set_pmk_cache_ft(struct mac_context *mac, uint8_t vdev_id,
 	    QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FILS_SHA384) ||
 	    QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_IEEE8021X_SHA384)) {
 		sme_debug("Auth type: %x update the MDID in cache", akm);
-		cm_update_pmk_cache_ft(mac->psoc, vdev_id);
+		cm_update_pmk_cache_ft(mac->psoc, vdev_id, pmk_cache);
 	} else {
 		struct cm_roam_values_copy src_cfg = {};
 		struct scan_filter *scan_filter;
@@ -4978,7 +4978,7 @@ QDF_STATUS csr_set_pmk_cache_ft(struct mac_context *mac, uint8_t vdev_id,
 				 (mdie->mobility_domain[1] << 8));
 			wlan_cm_roam_cfg_set_value(mac->psoc, vdev_id,
 						   MOBILITY_DOMAIN, &src_cfg);
-			cm_update_pmk_cache_ft(mac->psoc, vdev_id);
+			cm_update_pmk_cache_ft(mac->psoc, vdev_id, pmk_cache);
 		}
 err:
 		if (list)