1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12) 39 unsigned int tdls_testing = 0; 40 #endif /* CONFIG_TDLS_TESTING */ 41 42 #define TPK_LIFETIME 43200 /* 12 hours */ 43 #define TPK_M1_RETRY_COUNT 3 44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 45 #define TPK_M2_RETRY_COUNT 10 46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 47 48 #define TDLS_MIC_LEN 16 49 50 #define TDLS_TIMEOUT_LEN 4 51 52 struct wpa_tdls_ftie { 53 u8 ie_type; /* FTIE */ 54 u8 ie_len; 55 u8 mic_ctrl[2]; 56 u8 mic[TDLS_MIC_LEN]; 57 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 58 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 59 /* followed by optional elements */ 60 } STRUCT_PACKED; 61 62 struct wpa_tdls_timeoutie { 63 u8 ie_type; /* Timeout IE */ 64 u8 ie_len; 65 u8 interval_type; 66 u8 value[TDLS_TIMEOUT_LEN]; 67 } STRUCT_PACKED; 68 69 struct wpa_tdls_lnkid { 70 u8 ie_type; /* Link Identifier IE */ 71 u8 ie_len; 72 u8 bssid[ETH_ALEN]; 73 u8 init_sta[ETH_ALEN]; 74 u8 resp_sta[ETH_ALEN]; 75 } STRUCT_PACKED; 76 77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 78 struct wpa_tdls_frame { 79 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 80 u8 category; /* Category */ 81 u8 action; /* Action (enum tdls_frame_type) */ 82 } STRUCT_PACKED; 83 84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 88 struct wpa_tdls_peer *peer); 89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 90 u16 reason_code); 91 92 93 #define TDLS_MAX_IE_LEN 80 94 #define IEEE80211_MAX_SUPP_RATES 32 95 96 struct wpa_tdls_peer { 97 struct wpa_tdls_peer *next; 98 unsigned int reconfig_key:1; 99 int initiator; /* whether this end was initiator for TDLS setup */ 100 u8 addr[ETH_ALEN]; /* other end MAC address */ 101 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 102 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 103 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 104 size_t rsnie_i_len; 105 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 106 size_t rsnie_p_len; 107 u32 lifetime; 108 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 109 u8 dtoken; 110 111 struct tpk { 112 u8 kck[16]; /* TPK-KCK */ 113 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 114 } tpk; 115 int tpk_set; 116 int tk_set; /* TPK-TK configured to the driver */ 117 int tpk_success; 118 int tpk_in_progress; 119 120 struct tpk_timer { 121 u8 dest[ETH_ALEN]; 122 int count; /* Retry Count */ 123 int timer; /* Timeout in milliseconds */ 124 u8 action_code; /* TDLS frame type */ 125 u8 dialog_token; 126 u16 status_code; 127 u32 peer_capab; 128 int buf_len; /* length of TPK message for retransmission */ 129 u8 *buf; /* buffer for TPK message */ 130 } sm_tmr; 131 132 u16 capability; 133 134 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 135 size_t supp_rates_len; 136 137 struct ieee80211_ht_capabilities *ht_capabilities; 138 struct ieee80211_vht_capabilities *vht_capabilities; 139 140 u8 qos_info; 141 142 u16 aid; 143 144 u8 *ext_capab; 145 size_t ext_capab_len; 146 147 u8 *supp_channels; 148 size_t supp_channels_len; 149 150 u8 *supp_oper_classes; 151 size_t supp_oper_classes_len; 152 153 u8 wmm_capable; 154 155 /* channel switch currently enabled */ 156 int chan_switch_enabled; 157 }; 158 159 160 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 161 { 162 /* 163 * Get info needed from supplicant to check if the current BSS supports 164 * security. Other than OPEN mode, rest are considered secured 165 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 166 */ 167 return sm->pairwise_cipher != WPA_CIPHER_NONE; 168 } 169 170 171 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 172 { 173 os_memcpy(pos, ie, ie_len); 174 return pos + ie_len; 175 } 176 177 178 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 179 { 180 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 181 0, 0, NULL, 0, NULL, 0) < 0) { 182 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 183 "the driver"); 184 return -1; 185 } 186 187 return 0; 188 } 189 190 191 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 192 { 193 u8 key_len; 194 u8 rsc[6]; 195 enum wpa_alg alg; 196 197 if (peer->tk_set) { 198 /* 199 * This same TPK-TK has already been configured to the driver 200 * and this new configuration attempt (likely due to an 201 * unexpected retransmitted frame) would result in clearing 202 * the TX/RX sequence number which can break security, so must 203 * not allow that to happen. 204 */ 205 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 206 " has already been configured to the driver - do not reconfigure", 207 MAC2STR(peer->addr)); 208 return -1; 209 } 210 211 os_memset(rsc, 0, 6); 212 213 switch (peer->cipher) { 214 case WPA_CIPHER_CCMP: 215 alg = WPA_ALG_CCMP; 216 key_len = 16; 217 break; 218 case WPA_CIPHER_NONE: 219 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 220 "NONE - do not use pairwise keys"); 221 return -1; 222 default: 223 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 224 sm->pairwise_cipher); 225 return -1; 226 } 227 228 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 229 MAC2STR(peer->addr)); 230 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 231 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 232 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 233 "driver"); 234 return -1; 235 } 236 peer->tk_set = 1; 237 return 0; 238 } 239 240 241 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 242 u8 action_code, u8 dialog_token, 243 u16 status_code, u32 peer_capab, 244 int initiator, const u8 *buf, size_t len) 245 { 246 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 247 status_code, peer_capab, initiator, buf, 248 len); 249 } 250 251 252 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 253 u8 dialog_token, u16 status_code, u32 peer_capab, 254 int initiator, const u8 *msg, size_t msg_len) 255 { 256 struct wpa_tdls_peer *peer; 257 258 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 259 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 260 "msg_len=%u", 261 MAC2STR(dest), action_code, dialog_token, status_code, 262 peer_capab, initiator, (unsigned int) msg_len); 263 264 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 265 status_code, peer_capab, initiator, msg, 266 msg_len)) { 267 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 268 "(action_code=%u)", action_code); 269 return -1; 270 } 271 272 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 273 action_code == WLAN_TDLS_TEARDOWN || 274 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 275 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 276 return 0; /* No retries */ 277 278 for (peer = sm->tdls; peer; peer = peer->next) { 279 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 280 break; 281 } 282 283 if (peer == NULL) { 284 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 285 "retry " MACSTR, MAC2STR(dest)); 286 return 0; 287 } 288 289 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 290 291 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 292 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 293 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 294 } else { 295 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 296 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 297 } 298 299 /* Copy message to resend on timeout */ 300 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 301 peer->sm_tmr.action_code = action_code; 302 peer->sm_tmr.dialog_token = dialog_token; 303 peer->sm_tmr.status_code = status_code; 304 peer->sm_tmr.peer_capab = peer_capab; 305 peer->sm_tmr.buf_len = msg_len; 306 os_free(peer->sm_tmr.buf); 307 peer->sm_tmr.buf = os_memdup(msg, msg_len); 308 if (peer->sm_tmr.buf == NULL) 309 return -1; 310 311 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 312 "(action_code=%u)", action_code); 313 eloop_register_timeout(peer->sm_tmr.timer / 1000, 314 (peer->sm_tmr.timer % 1000) * 1000, 315 wpa_tdls_tpk_retry_timeout, sm, peer); 316 return 0; 317 } 318 319 320 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 321 u16 reason_code) 322 { 323 int ret; 324 325 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 326 /* disable the link after teardown was sent */ 327 wpa_tdls_disable_peer_link(sm, peer); 328 329 return ret; 330 } 331 332 333 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 334 { 335 336 struct wpa_sm *sm = eloop_ctx; 337 struct wpa_tdls_peer *peer = timeout_ctx; 338 339 if (peer->sm_tmr.count) { 340 peer->sm_tmr.count--; 341 342 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 343 "(action_code=%u)", 344 peer->sm_tmr.action_code); 345 346 if (peer->sm_tmr.buf == NULL) { 347 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 348 "for action_code=%u", 349 peer->sm_tmr.action_code); 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 351 peer); 352 return; 353 } 354 355 /* resend TPK Handshake Message to Peer */ 356 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 357 peer->sm_tmr.action_code, 358 peer->sm_tmr.dialog_token, 359 peer->sm_tmr.status_code, 360 peer->sm_tmr.peer_capab, 361 peer->initiator, 362 peer->sm_tmr.buf, 363 peer->sm_tmr.buf_len)) { 364 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 365 "transmission"); 366 } 367 368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 369 eloop_register_timeout(peer->sm_tmr.timer / 1000, 370 (peer->sm_tmr.timer % 1000) * 1000, 371 wpa_tdls_tpk_retry_timeout, sm, peer); 372 } else { 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 376 wpa_tdls_do_teardown(sm, peer, 377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 378 } 379 } 380 381 382 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 383 struct wpa_tdls_peer *peer, 384 u8 action_code) 385 { 386 if (action_code == peer->sm_tmr.action_code) { 387 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 388 "action_code=%u", action_code); 389 390 /* Cancel Timeout registered */ 391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 392 393 /* free all resources meant for retry */ 394 os_free(peer->sm_tmr.buf); 395 peer->sm_tmr.buf = NULL; 396 397 peer->sm_tmr.count = 0; 398 peer->sm_tmr.timer = 0; 399 peer->sm_tmr.buf_len = 0; 400 peer->sm_tmr.action_code = 0xff; 401 } else { 402 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 403 "(Unknown action_code=%u)", action_code); 404 } 405 } 406 407 408 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 409 const u8 *own_addr, const u8 *bssid) 410 { 411 u8 key_input[SHA256_MAC_LEN]; 412 const u8 *nonce[2]; 413 size_t len[2]; 414 u8 data[3 * ETH_ALEN]; 415 416 /* IEEE Std 802.11-2016 12.7.9.2: 417 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce)) 418 * Hash = SHA-256 for TDLS 419 */ 420 len[0] = WPA_NONCE_LEN; 421 len[1] = WPA_NONCE_LEN; 422 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 423 nonce[0] = peer->inonce; 424 nonce[1] = peer->rnonce; 425 } else { 426 nonce[0] = peer->rnonce; 427 nonce[1] = peer->inonce; 428 } 429 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 430 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 431 sha256_vector(2, nonce, len, key_input); 432 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 433 key_input, SHA256_MAC_LEN); 434 435 /* 436 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK", 437 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID) 438 */ 439 440 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 441 os_memcpy(data, own_addr, ETH_ALEN); 442 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 443 } else { 444 os_memcpy(data, peer->addr, ETH_ALEN); 445 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 446 } 447 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 448 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 449 450 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 451 (u8 *) &peer->tpk, sizeof(peer->tpk)); 452 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 453 peer->tpk.kck, sizeof(peer->tpk.kck)); 454 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 455 peer->tpk.tk, sizeof(peer->tpk.tk)); 456 peer->tpk_set = 1; 457 } 458 459 460 /** 461 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 462 * @kck: TPK-KCK 463 * @lnkid: Pointer to the beginning of Link Identifier IE 464 * @rsnie: Pointer to the beginning of RSN IE used for handshake 465 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 466 * @ftie: Pointer to the beginning of FT IE 467 * @mic: Pointer for writing MIC 468 * 469 * Calculate MIC for TDLS frame. 470 */ 471 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 472 const u8 *rsnie, const u8 *timeoutie, 473 const u8 *ftie, u8 *mic) 474 { 475 u8 *buf, *pos; 476 struct wpa_tdls_ftie *_ftie; 477 const struct wpa_tdls_lnkid *_lnkid; 478 int ret; 479 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 480 2 + timeoutie[1] + 2 + ftie[1]; 481 buf = os_zalloc(len); 482 if (!buf) { 483 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 484 return -1; 485 } 486 487 pos = buf; 488 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 489 /* 1) TDLS initiator STA MAC address */ 490 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 491 pos += ETH_ALEN; 492 /* 2) TDLS responder STA MAC address */ 493 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 494 pos += ETH_ALEN; 495 /* 3) Transaction Sequence number */ 496 *pos++ = trans_seq; 497 /* 4) Link Identifier IE */ 498 os_memcpy(pos, lnkid, 2 + lnkid[1]); 499 pos += 2 + lnkid[1]; 500 /* 5) RSN IE */ 501 os_memcpy(pos, rsnie, 2 + rsnie[1]); 502 pos += 2 + rsnie[1]; 503 /* 6) Timeout Interval IE */ 504 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 505 pos += 2 + timeoutie[1]; 506 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 507 os_memcpy(pos, ftie, 2 + ftie[1]); 508 _ftie = (struct wpa_tdls_ftie *) pos; 509 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 510 pos += 2 + ftie[1]; 511 512 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 513 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 514 ret = omac1_aes_128(kck, buf, pos - buf, mic); 515 os_free(buf); 516 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 517 return ret; 518 } 519 520 521 /** 522 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 523 * @kck: TPK-KCK 524 * @trans_seq: Transaction Sequence Number (4 - Teardown) 525 * @rcode: Reason code for Teardown 526 * @dtoken: Dialog Token used for that particular link 527 * @lnkid: Pointer to the beginning of Link Identifier IE 528 * @ftie: Pointer to the beginning of FT IE 529 * @mic: Pointer for writing MIC 530 * 531 * Calculate MIC for TDLS frame. 532 */ 533 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 534 u8 dtoken, const u8 *lnkid, 535 const u8 *ftie, u8 *mic) 536 { 537 u8 *buf, *pos; 538 struct wpa_tdls_ftie *_ftie; 539 int ret; 540 int len; 541 542 if (lnkid == NULL) 543 return -1; 544 545 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 546 sizeof(trans_seq) + 2 + ftie[1]; 547 548 buf = os_zalloc(len); 549 if (!buf) { 550 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 551 return -1; 552 } 553 554 pos = buf; 555 /* 1) Link Identifier IE */ 556 os_memcpy(pos, lnkid, 2 + lnkid[1]); 557 pos += 2 + lnkid[1]; 558 /* 2) Reason Code */ 559 WPA_PUT_LE16(pos, rcode); 560 pos += sizeof(rcode); 561 /* 3) Dialog token */ 562 *pos++ = dtoken; 563 /* 4) Transaction Sequence number */ 564 *pos++ = trans_seq; 565 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 566 os_memcpy(pos, ftie, 2 + ftie[1]); 567 _ftie = (struct wpa_tdls_ftie *) pos; 568 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 569 pos += 2 + ftie[1]; 570 571 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 572 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 573 ret = omac1_aes_128(kck, buf, pos - buf, mic); 574 os_free(buf); 575 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 576 return ret; 577 } 578 579 580 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 581 struct wpa_tdls_peer *peer, 582 const u8 *lnkid, const u8 *timeoutie, 583 const struct wpa_tdls_ftie *ftie) 584 { 585 u8 mic[16]; 586 587 if (peer->tpk_set) { 588 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 589 peer->rsnie_p, timeoutie, (u8 *) ftie, 590 mic); 591 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 592 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 593 "dropping packet"); 594 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 595 ftie->mic, 16); 596 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 597 mic, 16); 598 return -1; 599 } 600 } else { 601 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 602 "TPK not set - dropping packet"); 603 return -1; 604 } 605 return 0; 606 } 607 608 609 static int wpa_supplicant_verify_tdls_mic_teardown( 610 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 611 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 612 { 613 u8 mic[16]; 614 615 if (peer->tpk_set) { 616 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 617 dtoken, lnkid, (u8 *) ftie, mic); 618 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 619 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 620 "dropping packet"); 621 return -1; 622 } 623 } else { 624 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 625 "MIC, TPK not set - dropping packet"); 626 return -1; 627 } 628 return 0; 629 } 630 631 632 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 633 { 634 struct wpa_sm *sm = eloop_ctx; 635 struct wpa_tdls_peer *peer = timeout_ctx; 636 637 /* 638 * On TPK lifetime expiration, we have an option of either tearing down 639 * the direct link or trying to re-initiate it. The selection of what 640 * to do is not strictly speaking controlled by our role in the expired 641 * link, but for now, use that to select whether to renew or tear down 642 * the link. 643 */ 644 645 if (peer->initiator) { 646 u8 addr[ETH_ALEN]; 647 648 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 649 " - try to renew", MAC2STR(peer->addr)); 650 /* cache the peer address before do_teardown */ 651 os_memcpy(addr, peer->addr, ETH_ALEN); 652 wpa_tdls_do_teardown(sm, peer, 653 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 654 wpa_tdls_start(sm, addr); 655 } else { 656 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 657 " - tear down", MAC2STR(peer->addr)); 658 wpa_tdls_do_teardown(sm, peer, 659 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 660 } 661 } 662 663 664 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 665 struct wpa_tdls_peer *peer) 666 { 667 struct wpa_tdls_peer *cur, *prev; 668 669 cur = sm->tdls; 670 prev = NULL; 671 while (cur && cur != peer) { 672 prev = cur; 673 cur = cur->next; 674 } 675 676 if (cur != peer) { 677 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 678 " to remove it from the list", 679 MAC2STR(peer->addr)); 680 return; 681 } 682 683 if (prev) 684 prev->next = peer->next; 685 else 686 sm->tdls = peer->next; 687 } 688 689 690 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 691 { 692 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 693 MAC2STR(peer->addr)); 694 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 695 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 696 peer->reconfig_key = 0; 697 peer->initiator = 0; 698 peer->tpk_in_progress = 0; 699 os_free(peer->sm_tmr.buf); 700 peer->sm_tmr.buf = NULL; 701 os_free(peer->ht_capabilities); 702 peer->ht_capabilities = NULL; 703 os_free(peer->vht_capabilities); 704 peer->vht_capabilities = NULL; 705 os_free(peer->ext_capab); 706 peer->ext_capab = NULL; 707 os_free(peer->supp_channels); 708 peer->supp_channels = NULL; 709 os_free(peer->supp_oper_classes); 710 peer->supp_oper_classes = NULL; 711 peer->rsnie_i_len = peer->rsnie_p_len = 0; 712 peer->cipher = 0; 713 peer->qos_info = 0; 714 peer->wmm_capable = 0; 715 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 716 peer->chan_switch_enabled = 0; 717 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 718 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 719 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 720 } 721 722 723 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 724 { 725 wpa_tdls_peer_clear(sm, peer); 726 wpa_tdls_peer_remove_from_list(sm, peer); 727 os_free(peer); 728 } 729 730 731 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 732 struct wpa_tdls_lnkid *lnkid) 733 { 734 lnkid->ie_type = WLAN_EID_LINK_ID; 735 lnkid->ie_len = 3 * ETH_ALEN; 736 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 737 if (peer->initiator) { 738 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 739 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 740 } else { 741 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 742 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 743 } 744 } 745 746 747 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 748 u16 reason_code) 749 { 750 struct wpa_tdls_peer *peer; 751 struct wpa_tdls_ftie *ftie; 752 struct wpa_tdls_lnkid lnkid; 753 u8 dialog_token; 754 u8 *rbuf, *pos; 755 int ielen; 756 757 if (sm->tdls_disabled || !sm->tdls_supported) 758 return -1; 759 760 /* Find the node and free from the list */ 761 for (peer = sm->tdls; peer; peer = peer->next) { 762 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 763 break; 764 } 765 766 if (peer == NULL) { 767 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 768 "Teardown " MACSTR, MAC2STR(addr)); 769 return 0; 770 } 771 772 /* Cancel active channel switch before teardown */ 773 if (peer->chan_switch_enabled) { 774 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 775 " to base channel", MAC2STR(addr)); 776 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 777 } 778 779 dialog_token = peer->dtoken; 780 781 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 782 MAC2STR(addr)); 783 784 ielen = 0; 785 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 786 /* To add FTIE for Teardown request and compute MIC */ 787 ielen += sizeof(*ftie); 788 #ifdef CONFIG_TDLS_TESTING 789 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 790 ielen += 170; 791 #endif /* CONFIG_TDLS_TESTING */ 792 } 793 794 rbuf = os_zalloc(ielen + 1); 795 if (rbuf == NULL) 796 return -1; 797 pos = rbuf; 798 799 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 800 goto skip_ies; 801 802 ftie = (struct wpa_tdls_ftie *) pos; 803 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 804 /* Using the recent nonce which should be for CONFIRM frame */ 805 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 806 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 807 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 808 pos = (u8 *) (ftie + 1); 809 #ifdef CONFIG_TDLS_TESTING 810 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 811 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 812 "FTIE"); 813 ftie->ie_len += 170; 814 *pos++ = 255; /* FTIE subelem */ 815 *pos++ = 168; /* FTIE subelem length */ 816 pos += 168; 817 } 818 #endif /* CONFIG_TDLS_TESTING */ 819 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 820 (u8 *) ftie, pos - (u8 *) ftie); 821 822 /* compute MIC before sending */ 823 wpa_tdls_linkid(sm, peer, &lnkid); 824 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 825 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 826 ftie->mic); 827 828 skip_ies: 829 /* TODO: register for a Timeout handler, if Teardown is not received at 830 * the other end, then try again another time */ 831 832 /* request driver to send Teardown using this FTIE */ 833 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 834 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 835 os_free(rbuf); 836 837 return 0; 838 } 839 840 841 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 842 { 843 struct wpa_tdls_peer *peer; 844 845 if (sm->tdls_disabled || !sm->tdls_supported) 846 return -1; 847 848 for (peer = sm->tdls; peer; peer = peer->next) { 849 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 850 break; 851 } 852 853 if (peer == NULL) { 854 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 855 " for link Teardown", MAC2STR(addr)); 856 return -1; 857 } 858 859 if (!peer->tpk_success) { 860 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 861 " not connected - cannot Teardown link", MAC2STR(addr)); 862 return -1; 863 } 864 865 return wpa_tdls_do_teardown(sm, peer, reason_code); 866 } 867 868 869 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 870 struct wpa_tdls_peer *peer) 871 { 872 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 873 wpa_tdls_peer_free(sm, peer); 874 } 875 876 877 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 878 { 879 struct wpa_tdls_peer *peer; 880 881 for (peer = sm->tdls; peer; peer = peer->next) { 882 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 883 break; 884 } 885 886 if (!peer || !peer->tpk_success) { 887 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 888 " not connected - cannot teardown unreachable link", 889 MAC2STR(addr)); 890 return; 891 } 892 893 if (wpa_tdls_is_external_setup(sm)) { 894 /* 895 * Get us on the base channel, disable the link, send a 896 * teardown packet through the AP, and then reset link data. 897 */ 898 if (peer->chan_switch_enabled) 899 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 900 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 901 wpa_tdls_send_teardown(sm, addr, 902 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 903 wpa_tdls_peer_free(sm, peer); 904 } else { 905 wpa_tdls_disable_peer_link(sm, peer); 906 } 907 } 908 909 910 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 911 { 912 struct wpa_tdls_peer *peer; 913 914 if (sm->tdls_disabled || !sm->tdls_supported) 915 return "disabled"; 916 917 for (peer = sm->tdls; peer; peer = peer->next) { 918 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 919 break; 920 } 921 922 if (peer == NULL) 923 return "peer does not exist"; 924 925 if (!peer->tpk_success) 926 return "peer not connected"; 927 928 return "connected"; 929 } 930 931 932 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 933 const u8 *buf, size_t len) 934 { 935 struct wpa_tdls_peer *peer = NULL; 936 struct wpa_tdls_ftie *ftie; 937 struct wpa_tdls_lnkid *lnkid; 938 struct wpa_eapol_ie_parse kde; 939 u16 reason_code; 940 const u8 *pos; 941 int ielen; 942 943 /* Find the node and free from the list */ 944 for (peer = sm->tdls; peer; peer = peer->next) { 945 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 946 break; 947 } 948 949 if (peer == NULL) { 950 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 951 "Teardown " MACSTR, MAC2STR(src_addr)); 952 return 0; 953 } 954 955 pos = buf; 956 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 957 958 reason_code = WPA_GET_LE16(pos); 959 pos += 2; 960 961 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 962 " (reason code %u)", MAC2STR(src_addr), reason_code); 963 964 ielen = len - (pos - buf); /* start of IE in buf */ 965 966 /* 967 * Don't reject the message if failing to parse IEs. The IEs we need are 968 * explicitly checked below. Some APs may add arbitrary padding to the 969 * end of short TDLS frames and that would look like invalid IEs. 970 */ 971 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 972 wpa_printf(MSG_DEBUG, 973 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 974 975 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 976 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 977 "Teardown"); 978 return -1; 979 } 980 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 981 982 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 983 goto skip_ftie; 984 985 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 986 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 987 return -1; 988 } 989 990 ftie = (struct wpa_tdls_ftie *) kde.ftie; 991 992 /* Process MIC check to see if TDLS Teardown is right */ 993 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 994 peer->dtoken, peer, 995 (u8 *) lnkid, ftie) < 0) { 996 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 997 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 998 return -1; 999 } 1000 1001 skip_ftie: 1002 /* 1003 * Request the driver to disable the direct link and clear associated 1004 * keys. 1005 */ 1006 wpa_tdls_disable_peer_link(sm, peer); 1007 return 0; 1008 } 1009 1010 1011 /** 1012 * wpa_tdls_send_error - To send suitable TDLS status response with 1013 * appropriate status code mentioning reason for error/failure. 1014 * @dst - MAC addr of Peer station 1015 * @tdls_action - TDLS frame type for which error code is sent 1016 * @initiator - was this end the initiator of the connection 1017 * @status - status code mentioning reason 1018 */ 1019 1020 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1021 u8 tdls_action, u8 dialog_token, int initiator, 1022 u16 status) 1023 { 1024 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1025 " (action=%u status=%u)", 1026 MAC2STR(dst), tdls_action, status); 1027 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1028 0, initiator, NULL, 0); 1029 } 1030 1031 1032 static struct wpa_tdls_peer * 1033 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1034 { 1035 struct wpa_tdls_peer *peer; 1036 1037 if (existing) 1038 *existing = 0; 1039 for (peer = sm->tdls; peer; peer = peer->next) { 1040 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1041 if (existing) 1042 *existing = 1; 1043 return peer; /* re-use existing entry */ 1044 } 1045 } 1046 1047 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1048 MAC2STR(addr)); 1049 1050 peer = os_zalloc(sizeof(*peer)); 1051 if (peer == NULL) 1052 return NULL; 1053 1054 os_memcpy(peer->addr, addr, ETH_ALEN); 1055 peer->next = sm->tdls; 1056 sm->tdls = peer; 1057 1058 return peer; 1059 } 1060 1061 1062 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1063 struct wpa_tdls_peer *peer) 1064 { 1065 size_t buf_len; 1066 struct wpa_tdls_timeoutie timeoutie; 1067 u16 rsn_capab; 1068 struct wpa_tdls_ftie *ftie; 1069 u8 *rbuf, *pos, *count_pos; 1070 u16 count; 1071 struct rsn_ie_hdr *hdr; 1072 int status; 1073 1074 if (!wpa_tdls_get_privacy(sm)) { 1075 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1076 peer->rsnie_i_len = 0; 1077 goto skip_rsnie; 1078 } 1079 1080 /* 1081 * TPK Handshake Message 1: 1082 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1083 * Timeout Interval IE)) 1084 */ 1085 1086 /* Filling RSN IE */ 1087 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1088 hdr->elem_id = WLAN_EID_RSN; 1089 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1090 1091 pos = (u8 *) (hdr + 1); 1092 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1093 pos += RSN_SELECTOR_LEN; 1094 count_pos = pos; 1095 pos += 2; 1096 1097 count = 0; 1098 1099 /* 1100 * AES-CCMP is the default Encryption preferred for TDLS, so 1101 * RSN IE is filled only with CCMP CIPHER 1102 * Note: TKIP is not used to encrypt TDLS link. 1103 * 1104 * Regardless of the cipher used on the AP connection, select CCMP 1105 * here. 1106 */ 1107 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1108 pos += RSN_SELECTOR_LEN; 1109 count++; 1110 1111 WPA_PUT_LE16(count_pos, count); 1112 1113 WPA_PUT_LE16(pos, 1); 1114 pos += 2; 1115 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1116 pos += RSN_SELECTOR_LEN; 1117 1118 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1119 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1120 #ifdef CONFIG_TDLS_TESTING 1121 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1122 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1123 "testing"); 1124 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1125 } 1126 #endif /* CONFIG_TDLS_TESTING */ 1127 WPA_PUT_LE16(pos, rsn_capab); 1128 pos += 2; 1129 #ifdef CONFIG_TDLS_TESTING 1130 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1131 /* Number of PMKIDs */ 1132 *pos++ = 0x00; 1133 *pos++ = 0x00; 1134 } 1135 #endif /* CONFIG_TDLS_TESTING */ 1136 1137 hdr->len = (pos - peer->rsnie_i) - 2; 1138 peer->rsnie_i_len = pos - peer->rsnie_i; 1139 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1140 peer->rsnie_i, peer->rsnie_i_len); 1141 1142 skip_rsnie: 1143 buf_len = 0; 1144 if (wpa_tdls_get_privacy(sm)) 1145 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1146 sizeof(struct wpa_tdls_timeoutie); 1147 #ifdef CONFIG_TDLS_TESTING 1148 if (wpa_tdls_get_privacy(sm) && 1149 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1150 buf_len += 170; 1151 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1152 buf_len += sizeof(struct wpa_tdls_lnkid); 1153 #endif /* CONFIG_TDLS_TESTING */ 1154 rbuf = os_zalloc(buf_len + 1); 1155 if (rbuf == NULL) { 1156 wpa_tdls_peer_free(sm, peer); 1157 return -1; 1158 } 1159 pos = rbuf; 1160 1161 if (!wpa_tdls_get_privacy(sm)) 1162 goto skip_ies; 1163 1164 /* Initiator RSN IE */ 1165 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1166 1167 ftie = (struct wpa_tdls_ftie *) pos; 1168 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1169 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1170 1171 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1172 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1173 "TDLS: Failed to get random data for initiator Nonce"); 1174 os_free(rbuf); 1175 wpa_tdls_peer_free(sm, peer); 1176 return -1; 1177 } 1178 peer->tk_set = 0; /* A new nonce results in a new TK */ 1179 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1180 peer->inonce, WPA_NONCE_LEN); 1181 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1182 1183 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1184 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1185 1186 pos = (u8 *) (ftie + 1); 1187 1188 #ifdef CONFIG_TDLS_TESTING 1189 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1190 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1191 "FTIE"); 1192 ftie->ie_len += 170; 1193 *pos++ = 255; /* FTIE subelem */ 1194 *pos++ = 168; /* FTIE subelem length */ 1195 pos += 168; 1196 } 1197 #endif /* CONFIG_TDLS_TESTING */ 1198 1199 /* Lifetime */ 1200 peer->lifetime = TPK_LIFETIME; 1201 #ifdef CONFIG_TDLS_TESTING 1202 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1203 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1204 "lifetime"); 1205 peer->lifetime = 301; 1206 } 1207 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1208 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1209 "lifetime"); 1210 peer->lifetime = 0xffffffff; 1211 } 1212 #endif /* CONFIG_TDLS_TESTING */ 1213 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1214 sizeof(timeoutie), peer->lifetime); 1215 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1216 1217 skip_ies: 1218 1219 #ifdef CONFIG_TDLS_TESTING 1220 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1221 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1222 1223 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1224 "Link Identifier"); 1225 wpa_tdls_linkid(sm, peer, l); 1226 l->bssid[5] ^= 0x01; 1227 pos += sizeof(*l); 1228 } 1229 #endif /* CONFIG_TDLS_TESTING */ 1230 1231 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1232 "Handshake Message 1 (peer " MACSTR ")", 1233 MAC2STR(peer->addr)); 1234 1235 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1236 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1237 os_free(rbuf); 1238 1239 return status; 1240 } 1241 1242 1243 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1244 const unsigned char *src_addr, u8 dtoken, 1245 struct wpa_tdls_lnkid *lnkid, 1246 const struct wpa_tdls_peer *peer) 1247 { 1248 u8 *rbuf, *pos; 1249 size_t buf_len; 1250 u32 lifetime; 1251 struct wpa_tdls_timeoutie timeoutie; 1252 struct wpa_tdls_ftie *ftie; 1253 int status; 1254 1255 buf_len = 0; 1256 if (wpa_tdls_get_privacy(sm)) { 1257 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1258 * Lifetime */ 1259 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1260 sizeof(struct wpa_tdls_timeoutie); 1261 #ifdef CONFIG_TDLS_TESTING 1262 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1263 buf_len += 170; 1264 #endif /* CONFIG_TDLS_TESTING */ 1265 } 1266 1267 rbuf = os_zalloc(buf_len + 1); 1268 if (rbuf == NULL) 1269 return -1; 1270 pos = rbuf; 1271 1272 if (!wpa_tdls_get_privacy(sm)) 1273 goto skip_ies; 1274 1275 /* Peer RSN IE */ 1276 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1277 1278 ftie = (struct wpa_tdls_ftie *) pos; 1279 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1280 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1281 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1282 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1283 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1284 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1285 (u8 *) ftie, sizeof(*ftie)); 1286 1287 pos = (u8 *) (ftie + 1); 1288 1289 #ifdef CONFIG_TDLS_TESTING 1290 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1291 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1292 "FTIE"); 1293 ftie->ie_len += 170; 1294 *pos++ = 255; /* FTIE subelem */ 1295 *pos++ = 168; /* FTIE subelem length */ 1296 pos += 168; 1297 } 1298 #endif /* CONFIG_TDLS_TESTING */ 1299 1300 /* Lifetime */ 1301 lifetime = peer->lifetime; 1302 #ifdef CONFIG_TDLS_TESTING 1303 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1304 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1305 "lifetime in response"); 1306 lifetime++; 1307 } 1308 #endif /* CONFIG_TDLS_TESTING */ 1309 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1310 sizeof(timeoutie), lifetime); 1311 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1312 lifetime); 1313 1314 /* compute MIC before sending */ 1315 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1316 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1317 #ifdef CONFIG_TDLS_TESTING 1318 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1319 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1320 ftie->mic[0] ^= 0x01; 1321 } 1322 #endif /* CONFIG_TDLS_TESTING */ 1323 1324 skip_ies: 1325 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1326 dtoken, 0, 0, peer->initiator, rbuf, 1327 pos - rbuf); 1328 os_free(rbuf); 1329 1330 return status; 1331 } 1332 1333 1334 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1335 const unsigned char *src_addr, u8 dtoken, 1336 struct wpa_tdls_lnkid *lnkid, 1337 const struct wpa_tdls_peer *peer) 1338 { 1339 u8 *rbuf, *pos; 1340 size_t buf_len; 1341 struct wpa_tdls_ftie *ftie; 1342 struct wpa_tdls_timeoutie timeoutie; 1343 u32 lifetime; 1344 int status; 1345 u32 peer_capab = 0; 1346 1347 buf_len = 0; 1348 if (wpa_tdls_get_privacy(sm)) { 1349 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1350 * Lifetime */ 1351 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1352 sizeof(struct wpa_tdls_timeoutie); 1353 #ifdef CONFIG_TDLS_TESTING 1354 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1355 buf_len += 170; 1356 #endif /* CONFIG_TDLS_TESTING */ 1357 } 1358 1359 rbuf = os_zalloc(buf_len + 1); 1360 if (rbuf == NULL) 1361 return -1; 1362 pos = rbuf; 1363 1364 if (!wpa_tdls_get_privacy(sm)) 1365 goto skip_ies; 1366 1367 /* Peer RSN IE */ 1368 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1369 1370 ftie = (struct wpa_tdls_ftie *) pos; 1371 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1372 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1373 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1374 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1375 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1376 1377 pos = (u8 *) (ftie + 1); 1378 1379 #ifdef CONFIG_TDLS_TESTING 1380 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1381 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1382 "FTIE"); 1383 ftie->ie_len += 170; 1384 *pos++ = 255; /* FTIE subelem */ 1385 *pos++ = 168; /* FTIE subelem length */ 1386 pos += 168; 1387 } 1388 #endif /* CONFIG_TDLS_TESTING */ 1389 1390 /* Lifetime */ 1391 lifetime = peer->lifetime; 1392 #ifdef CONFIG_TDLS_TESTING 1393 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1394 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1395 "lifetime in confirm"); 1396 lifetime++; 1397 } 1398 #endif /* CONFIG_TDLS_TESTING */ 1399 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1400 sizeof(timeoutie), lifetime); 1401 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1402 lifetime); 1403 1404 /* compute MIC before sending */ 1405 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1406 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1407 #ifdef CONFIG_TDLS_TESTING 1408 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1409 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1410 ftie->mic[0] ^= 0x01; 1411 } 1412 #endif /* CONFIG_TDLS_TESTING */ 1413 1414 skip_ies: 1415 1416 if (peer->vht_capabilities) 1417 peer_capab |= TDLS_PEER_VHT; 1418 if (peer->ht_capabilities) 1419 peer_capab |= TDLS_PEER_HT; 1420 if (peer->wmm_capable) 1421 peer_capab |= TDLS_PEER_WMM; 1422 1423 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1424 dtoken, 0, peer_capab, peer->initiator, 1425 rbuf, pos - rbuf); 1426 os_free(rbuf); 1427 1428 return status; 1429 } 1430 1431 1432 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1433 struct wpa_tdls_peer *peer, 1434 u8 dialog_token) 1435 { 1436 size_t buf_len = 0; 1437 struct wpa_tdls_timeoutie timeoutie; 1438 u16 rsn_capab; 1439 u8 *rbuf, *pos, *count_pos; 1440 u16 count; 1441 struct rsn_ie_hdr *hdr; 1442 int status; 1443 1444 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1445 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1446 if (!wpa_tdls_get_privacy(sm)) 1447 goto skip_rsn_ies; 1448 1449 /* Filling RSN IE */ 1450 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1451 hdr->elem_id = WLAN_EID_RSN; 1452 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1453 pos = (u8 *) (hdr + 1); 1454 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1455 pos += RSN_SELECTOR_LEN; 1456 count_pos = pos; 1457 pos += 2; 1458 count = 0; 1459 1460 /* 1461 * AES-CCMP is the default encryption preferred for TDLS, so 1462 * RSN IE is filled only with CCMP cipher suite. 1463 * Note: TKIP is not used to encrypt TDLS link. 1464 * 1465 * Regardless of the cipher used on the AP connection, select CCMP 1466 * here. 1467 */ 1468 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1469 pos += RSN_SELECTOR_LEN; 1470 count++; 1471 WPA_PUT_LE16(count_pos, count); 1472 WPA_PUT_LE16(pos, 1); 1473 pos += 2; 1474 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1475 pos += RSN_SELECTOR_LEN; 1476 1477 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1478 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1479 WPA_PUT_LE16(pos, rsn_capab); 1480 pos += 2; 1481 hdr->len = (pos - (u8 *) hdr) - 2; 1482 peer->rsnie_i_len = pos - peer->rsnie_i; 1483 1484 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1485 (u8 *) hdr, hdr->len + 2); 1486 skip_rsn_ies: 1487 buf_len = 0; 1488 if (wpa_tdls_get_privacy(sm)) { 1489 /* Peer RSN IE, Lifetime */ 1490 buf_len += peer->rsnie_i_len + 1491 sizeof(struct wpa_tdls_timeoutie); 1492 } 1493 rbuf = os_zalloc(buf_len + 1); 1494 if (rbuf == NULL) { 1495 wpa_tdls_peer_free(sm, peer); 1496 return -1; 1497 } 1498 pos = rbuf; 1499 1500 if (!wpa_tdls_get_privacy(sm)) 1501 goto skip_ies; 1502 /* Initiator RSN IE */ 1503 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1504 /* Lifetime */ 1505 peer->lifetime = TPK_LIFETIME; 1506 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1507 sizeof(timeoutie), peer->lifetime); 1508 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1509 skip_ies: 1510 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1511 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1512 os_free(rbuf); 1513 1514 return status; 1515 } 1516 1517 1518 static int 1519 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1520 const u8 *buf, size_t len) 1521 { 1522 struct wpa_eapol_ie_parse kde; 1523 const struct wpa_tdls_lnkid *lnkid; 1524 struct wpa_tdls_peer *peer; 1525 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1526 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1527 u8 dialog_token; 1528 1529 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1530 MAC2STR(addr)); 1531 1532 if (len < min_req_len) { 1533 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1534 "%d", (int) len); 1535 return -1; 1536 } 1537 1538 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1539 1540 /* 1541 * Some APs will tack on a weird IE to the end of a TDLS 1542 * discovery request packet. This needn't fail the response, 1543 * since the required IE are verified separately. 1544 */ 1545 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1546 len - (sizeof(struct wpa_tdls_frame) + 1), 1547 &kde) < 0) { 1548 wpa_printf(MSG_DEBUG, 1549 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1550 } 1551 1552 if (!kde.lnkid) { 1553 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1554 "Request"); 1555 return -1; 1556 } 1557 1558 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1559 1560 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1561 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1562 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1563 return -1; 1564 } 1565 1566 peer = wpa_tdls_add_peer(sm, addr, NULL); 1567 if (peer == NULL) 1568 return -1; 1569 1570 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1571 } 1572 1573 1574 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1575 { 1576 if (sm->tdls_disabled || !sm->tdls_supported) 1577 return -1; 1578 1579 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1580 MACSTR, MAC2STR(addr)); 1581 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1582 1, 0, 0, 1, NULL, 0); 1583 } 1584 1585 1586 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1587 struct wpa_tdls_peer *peer) 1588 { 1589 if (!kde->supp_rates) { 1590 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1591 return -1; 1592 } 1593 peer->supp_rates_len = merge_byte_arrays( 1594 peer->supp_rates, sizeof(peer->supp_rates), 1595 kde->supp_rates + 2, kde->supp_rates_len - 2, 1596 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1597 kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0); 1598 return 0; 1599 } 1600 1601 1602 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1603 struct wpa_tdls_peer *peer) 1604 { 1605 if (!kde->ht_capabilities) { 1606 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1607 "received"); 1608 return 0; 1609 } 1610 1611 if (!peer->ht_capabilities) { 1612 peer->ht_capabilities = 1613 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1614 if (peer->ht_capabilities == NULL) 1615 return -1; 1616 } 1617 1618 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1619 sizeof(struct ieee80211_ht_capabilities)); 1620 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1621 (u8 *) peer->ht_capabilities, 1622 sizeof(struct ieee80211_ht_capabilities)); 1623 1624 return 0; 1625 } 1626 1627 1628 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1629 struct wpa_tdls_peer *peer) 1630 { 1631 if (!kde->vht_capabilities) { 1632 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1633 "received"); 1634 return 0; 1635 } 1636 1637 if (!peer->vht_capabilities) { 1638 peer->vht_capabilities = 1639 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1640 if (peer->vht_capabilities == NULL) 1641 return -1; 1642 } 1643 1644 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1645 sizeof(struct ieee80211_vht_capabilities)); 1646 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1647 (u8 *) peer->vht_capabilities, 1648 sizeof(struct ieee80211_vht_capabilities)); 1649 1650 return 0; 1651 } 1652 1653 1654 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1655 struct wpa_tdls_peer *peer) 1656 { 1657 if (!kde->ext_capab) { 1658 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1659 "received"); 1660 return 0; 1661 } 1662 1663 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1664 /* Need to allocate buffer to fit the new information */ 1665 os_free(peer->ext_capab); 1666 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1667 if (peer->ext_capab == NULL) 1668 return -1; 1669 } 1670 1671 peer->ext_capab_len = kde->ext_capab_len - 2; 1672 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1673 1674 return 0; 1675 } 1676 1677 1678 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1679 struct wpa_tdls_peer *peer) 1680 { 1681 struct wmm_information_element *wmm; 1682 1683 if (!kde->wmm) { 1684 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1685 return 0; 1686 } 1687 1688 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1689 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1690 return -1; 1691 } 1692 1693 wmm = (struct wmm_information_element *) kde->wmm; 1694 peer->qos_info = wmm->qos_info; 1695 1696 peer->wmm_capable = 1; 1697 1698 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1699 return 0; 1700 } 1701 1702 1703 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1704 struct wpa_tdls_peer *peer) 1705 { 1706 if (!kde->supp_channels) { 1707 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1708 return 0; 1709 } 1710 1711 if (!peer->supp_channels || 1712 peer->supp_channels_len < kde->supp_channels_len) { 1713 os_free(peer->supp_channels); 1714 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1715 if (peer->supp_channels == NULL) 1716 return -1; 1717 } 1718 1719 peer->supp_channels_len = kde->supp_channels_len; 1720 1721 os_memcpy(peer->supp_channels, kde->supp_channels, 1722 peer->supp_channels_len); 1723 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1724 (u8 *) peer->supp_channels, peer->supp_channels_len); 1725 return 0; 1726 } 1727 1728 1729 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1730 struct wpa_tdls_peer *peer) 1731 { 1732 if (!kde->supp_oper_classes) { 1733 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1734 return 0; 1735 } 1736 1737 if (!peer->supp_oper_classes || 1738 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1739 os_free(peer->supp_oper_classes); 1740 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1741 if (peer->supp_oper_classes == NULL) 1742 return -1; 1743 } 1744 1745 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1746 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1747 peer->supp_oper_classes_len); 1748 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1749 (u8 *) peer->supp_oper_classes, 1750 peer->supp_oper_classes_len); 1751 return 0; 1752 } 1753 1754 1755 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1756 int add) 1757 { 1758 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1759 peer->capability, 1760 peer->supp_rates, peer->supp_rates_len, 1761 peer->ht_capabilities, 1762 peer->vht_capabilities, 1763 peer->qos_info, peer->wmm_capable, 1764 peer->ext_capab, peer->ext_capab_len, 1765 peer->supp_channels, 1766 peer->supp_channels_len, 1767 peer->supp_oper_classes, 1768 peer->supp_oper_classes_len); 1769 } 1770 1771 1772 static int tdls_nonce_set(const u8 *nonce) 1773 { 1774 int i; 1775 1776 for (i = 0; i < WPA_NONCE_LEN; i++) { 1777 if (nonce[i]) 1778 return 1; 1779 } 1780 1781 return 0; 1782 } 1783 1784 1785 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1786 const u8 *buf, size_t len) 1787 { 1788 struct wpa_tdls_peer *peer; 1789 struct wpa_eapol_ie_parse kde; 1790 struct wpa_ie_data ie; 1791 int cipher; 1792 const u8 *cpos; 1793 struct wpa_tdls_ftie *ftie = NULL; 1794 struct wpa_tdls_timeoutie *timeoutie; 1795 struct wpa_tdls_lnkid *lnkid; 1796 u32 lifetime = 0; 1797 #if 0 1798 struct rsn_ie_hdr *hdr; 1799 u8 *pos; 1800 u16 rsn_capab; 1801 u16 rsn_ver; 1802 #endif 1803 u8 dtoken; 1804 u16 ielen; 1805 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1806 int tdls_prohibited = sm->tdls_prohibited; 1807 int existing_peer = 0; 1808 1809 if (len < 3 + 3) 1810 return -1; 1811 1812 cpos = buf; 1813 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1814 1815 /* driver had already verified the frame format */ 1816 dtoken = *cpos++; /* dialog token */ 1817 1818 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1819 1820 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1821 if (peer == NULL) 1822 goto error; 1823 1824 /* If found, use existing entry instead of adding a new one; 1825 * how to handle the case where both ends initiate at the 1826 * same time? */ 1827 if (existing_peer) { 1828 if (peer->tpk_success) { 1829 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1830 "direct link is enabled - tear down the " 1831 "old link first"); 1832 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1833 wpa_tdls_peer_clear(sm, peer); 1834 } else if (peer->initiator) { 1835 /* 1836 * An entry is already present, so check if we already 1837 * sent a TDLS Setup Request. If so, compare MAC 1838 * addresses and let the STA with the lower MAC address 1839 * continue as the initiator. The other negotiation is 1840 * terminated. 1841 */ 1842 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1843 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1844 "from peer with higher address " 1845 MACSTR, MAC2STR(src_addr)); 1846 return -1; 1847 } else { 1848 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1849 "from peer with lower address " 1850 MACSTR " (terminate previously " 1851 "initiated negotiation", 1852 MAC2STR(src_addr)); 1853 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1854 peer->addr); 1855 wpa_tdls_peer_clear(sm, peer); 1856 } 1857 } 1858 } 1859 1860 /* capability information */ 1861 peer->capability = WPA_GET_LE16(cpos); 1862 cpos += 2; 1863 1864 ielen = len - (cpos - buf); /* start of IE in buf */ 1865 1866 /* 1867 * Don't reject the message if failing to parse IEs. The IEs we need are 1868 * explicitly checked below. Some APs may add arbitrary padding to the 1869 * end of short TDLS frames and that would look like invalid IEs. 1870 */ 1871 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1872 wpa_printf(MSG_DEBUG, 1873 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1874 1875 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1876 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1877 "TPK M1"); 1878 goto error; 1879 } 1880 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1881 kde.lnkid, kde.lnkid_len); 1882 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1883 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1884 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1885 status = WLAN_STATUS_REQUEST_DECLINED; 1886 goto error; 1887 } 1888 1889 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1890 MAC2STR(src_addr)); 1891 1892 if (copy_supp_rates(&kde, peer) < 0) 1893 goto error; 1894 1895 if (copy_peer_ht_capab(&kde, peer) < 0) 1896 goto error; 1897 1898 if (copy_peer_vht_capab(&kde, peer) < 0) 1899 goto error; 1900 1901 if (copy_peer_ext_capab(&kde, peer) < 0) 1902 goto error; 1903 1904 if (copy_peer_supp_channels(&kde, peer) < 0) 1905 goto error; 1906 1907 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1908 goto error; 1909 1910 peer->qos_info = kde.qosinfo; 1911 1912 /* Overwrite with the qos_info obtained in WMM IE */ 1913 if (copy_peer_wmm_capab(&kde, peer) < 0) 1914 goto error; 1915 1916 peer->aid = kde.aid; 1917 1918 #ifdef CONFIG_TDLS_TESTING 1919 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1920 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1921 if (peer == NULL) 1922 goto error; 1923 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1924 "TDLS setup - send own request"); 1925 peer->initiator = 1; 1926 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1927 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1928 wpa_tdls_send_tpk_m1(sm, peer); 1929 } 1930 1931 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1932 tdls_prohibited) { 1933 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1934 "on TDLS"); 1935 tdls_prohibited = 0; 1936 } 1937 #endif /* CONFIG_TDLS_TESTING */ 1938 1939 if (tdls_prohibited) { 1940 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1941 status = WLAN_STATUS_REQUEST_DECLINED; 1942 goto error; 1943 } 1944 1945 if (!wpa_tdls_get_privacy(sm)) { 1946 if (kde.rsn_ie) { 1947 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1948 "security is disabled"); 1949 status = WLAN_STATUS_SECURITY_DISABLED; 1950 goto error; 1951 } 1952 goto skip_rsn; 1953 } 1954 1955 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1956 kde.rsn_ie == NULL) { 1957 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1958 status = WLAN_STATUS_INVALID_PARAMETERS; 1959 goto error; 1960 } 1961 1962 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1963 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1964 "TPK M1"); 1965 status = WLAN_STATUS_INVALID_RSNIE; 1966 goto error; 1967 } 1968 1969 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1970 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1971 status = WLAN_STATUS_INVALID_RSNIE; 1972 goto error; 1973 } 1974 1975 cipher = ie.pairwise_cipher; 1976 if (cipher & WPA_CIPHER_CCMP) { 1977 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1978 cipher = WPA_CIPHER_CCMP; 1979 } else { 1980 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1981 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1982 goto error; 1983 } 1984 1985 if ((ie.capabilities & 1986 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1987 WPA_CAPABILITY_PEERKEY_ENABLED) { 1988 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1989 "TPK M1"); 1990 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1991 goto error; 1992 } 1993 1994 /* Lifetime */ 1995 if (kde.key_lifetime == NULL) { 1996 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1997 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1998 goto error; 1999 } 2000 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2001 lifetime = WPA_GET_LE32(timeoutie->value); 2002 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 2003 if (lifetime < 300) { 2004 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2005 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2006 goto error; 2007 } 2008 2009 skip_rsn: 2010 #ifdef CONFIG_TDLS_TESTING 2011 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2012 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2013 /* 2014 * The request frame from us is going to win, so do not 2015 * replace information based on this request frame from 2016 * the peer. 2017 */ 2018 goto skip_rsn_check; 2019 } 2020 } 2021 #endif /* CONFIG_TDLS_TESTING */ 2022 2023 peer->initiator = 0; /* Need to check */ 2024 peer->dtoken = dtoken; 2025 2026 if (!wpa_tdls_get_privacy(sm)) { 2027 peer->rsnie_i_len = 0; 2028 peer->rsnie_p_len = 0; 2029 peer->cipher = WPA_CIPHER_NONE; 2030 goto skip_rsn_check; 2031 } 2032 2033 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2034 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2035 peer->rsnie_i_len = kde.rsn_ie_len; 2036 peer->cipher = cipher; 2037 2038 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2039 !tdls_nonce_set(peer->inonce)) { 2040 /* 2041 * There is no point in updating the RNonce for every obtained 2042 * TPK M1 frame (e.g., retransmission due to timeout) with the 2043 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2044 * retransmitted with a different INonce, update the RNonce 2045 * since this is for a new TDLS session. 2046 */ 2047 wpa_printf(MSG_DEBUG, 2048 "TDLS: New TPK M1 INonce - generate new RNonce"); 2049 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2050 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2051 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2052 "TDLS: Failed to get random data for responder nonce"); 2053 goto error; 2054 } 2055 peer->tk_set = 0; /* A new nonce results in a new TK */ 2056 } 2057 2058 #if 0 2059 /* get version info from RSNIE received from Peer */ 2060 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2061 rsn_ver = WPA_GET_LE16(hdr->version); 2062 2063 /* use min(peer's version, out version) */ 2064 if (rsn_ver > RSN_VERSION) 2065 rsn_ver = RSN_VERSION; 2066 2067 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2068 2069 hdr->elem_id = WLAN_EID_RSN; 2070 WPA_PUT_LE16(hdr->version, rsn_ver); 2071 pos = (u8 *) (hdr + 1); 2072 2073 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2074 pos += RSN_SELECTOR_LEN; 2075 /* Include only the selected cipher in pairwise cipher suite */ 2076 WPA_PUT_LE16(pos, 1); 2077 pos += 2; 2078 if (cipher == WPA_CIPHER_CCMP) 2079 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2080 pos += RSN_SELECTOR_LEN; 2081 2082 WPA_PUT_LE16(pos, 1); 2083 pos += 2; 2084 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2085 pos += RSN_SELECTOR_LEN; 2086 2087 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2088 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2089 WPA_PUT_LE16(pos, rsn_capab); 2090 pos += 2; 2091 2092 hdr->len = (pos - peer->rsnie_p) - 2; 2093 peer->rsnie_p_len = pos - peer->rsnie_p; 2094 #endif 2095 2096 /* temp fix: validation of RSNIE later */ 2097 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2098 peer->rsnie_p_len = peer->rsnie_i_len; 2099 2100 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2101 peer->rsnie_p, peer->rsnie_p_len); 2102 2103 peer->lifetime = lifetime; 2104 2105 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2106 2107 skip_rsn_check: 2108 #ifdef CONFIG_TDLS_TESTING 2109 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2110 goto skip_add_peer; 2111 #endif /* CONFIG_TDLS_TESTING */ 2112 2113 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2114 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2115 goto error; 2116 2117 #ifdef CONFIG_TDLS_TESTING 2118 skip_add_peer: 2119 #endif /* CONFIG_TDLS_TESTING */ 2120 peer->tpk_in_progress = 1; 2121 2122 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2123 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2124 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2125 goto error; 2126 } 2127 2128 #ifdef CONFIG_TDLS_TESTING 2129 if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) { 2130 wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2"); 2131 wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer); 2132 } 2133 #endif /* CONFIG_TDLS_TESTING */ 2134 2135 return 0; 2136 2137 error: 2138 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2139 status); 2140 if (peer) 2141 wpa_tdls_peer_free(sm, peer); 2142 return -1; 2143 } 2144 2145 2146 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2147 { 2148 peer->tpk_success = 1; 2149 peer->tpk_in_progress = 0; 2150 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2151 if (wpa_tdls_get_privacy(sm)) { 2152 u32 lifetime = peer->lifetime; 2153 /* 2154 * Start the initiator process a bit earlier to avoid race 2155 * condition with the responder sending teardown request. 2156 */ 2157 if (lifetime > 3 && peer->initiator) 2158 lifetime -= 3; 2159 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2160 sm, peer); 2161 #ifdef CONFIG_TDLS_TESTING 2162 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2163 wpa_printf(MSG_DEBUG, 2164 "TDLS: Testing - disable TPK expiration"); 2165 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2166 } 2167 #endif /* CONFIG_TDLS_TESTING */ 2168 } 2169 2170 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2171 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2172 "driver"); 2173 return -1; 2174 } 2175 peer->reconfig_key = 0; 2176 2177 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2178 } 2179 2180 2181 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2182 const u8 *buf, size_t len) 2183 { 2184 struct wpa_tdls_peer *peer; 2185 struct wpa_eapol_ie_parse kde; 2186 struct wpa_ie_data ie; 2187 int cipher; 2188 struct wpa_tdls_ftie *ftie; 2189 struct wpa_tdls_timeoutie *timeoutie; 2190 struct wpa_tdls_lnkid *lnkid; 2191 u32 lifetime; 2192 u8 dtoken; 2193 int ielen; 2194 u16 status; 2195 const u8 *pos; 2196 int ret = 0; 2197 2198 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2199 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2200 for (peer = sm->tdls; peer; peer = peer->next) { 2201 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2202 break; 2203 } 2204 if (peer == NULL) { 2205 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2206 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2207 return -1; 2208 } 2209 if (!peer->initiator) { 2210 /* 2211 * This may happen if both devices try to initiate TDLS at the 2212 * same time and we accept the TPK M1 from the peer in 2213 * wpa_tdls_process_tpk_m1() and clear our previous state. 2214 */ 2215 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2216 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2217 return -1; 2218 } 2219 2220 if (peer->tpk_success) { 2221 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2222 MACSTR " as TPK M3 was already sent", 2223 MAC2STR(src_addr)); 2224 return 0; 2225 } 2226 2227 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2228 2229 if (len < 3 + 2 + 1) { 2230 wpa_tdls_disable_peer_link(sm, peer); 2231 return -1; 2232 } 2233 2234 pos = buf; 2235 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2236 status = WPA_GET_LE16(pos); 2237 pos += 2 /* status code */; 2238 2239 if (status != WLAN_STATUS_SUCCESS) { 2240 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2241 status); 2242 wpa_tdls_disable_peer_link(sm, peer); 2243 return -1; 2244 } 2245 2246 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2247 2248 /* TODO: need to verify dialog token matches here or in kernel */ 2249 dtoken = *pos++; /* dialog token */ 2250 2251 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2252 2253 if (len < 3 + 2 + 1 + 2) { 2254 wpa_tdls_disable_peer_link(sm, peer); 2255 return -1; 2256 } 2257 2258 /* capability information */ 2259 peer->capability = WPA_GET_LE16(pos); 2260 pos += 2; 2261 2262 ielen = len - (pos - buf); /* start of IE in buf */ 2263 2264 /* 2265 * Don't reject the message if failing to parse IEs. The IEs we need are 2266 * explicitly checked below. Some APs may add arbitrary padding to the 2267 * end of short TDLS frames and that would look like invalid IEs. 2268 */ 2269 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2270 wpa_printf(MSG_DEBUG, 2271 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2272 2273 #ifdef CONFIG_TDLS_TESTING 2274 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2275 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2276 status = WLAN_STATUS_REQUEST_DECLINED; 2277 goto error; 2278 } 2279 #endif /* CONFIG_TDLS_TESTING */ 2280 2281 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2282 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2283 "TPK M2"); 2284 goto error; 2285 } 2286 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2287 kde.lnkid, kde.lnkid_len); 2288 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2289 2290 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2291 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2292 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2293 goto error; 2294 } 2295 2296 if (copy_supp_rates(&kde, peer) < 0) 2297 goto error; 2298 2299 if (copy_peer_ht_capab(&kde, peer) < 0) 2300 goto error; 2301 2302 if (copy_peer_vht_capab(&kde, peer) < 0) 2303 goto error; 2304 2305 if (copy_peer_ext_capab(&kde, peer) < 0) 2306 goto error; 2307 2308 if (copy_peer_supp_channels(&kde, peer) < 0) 2309 goto error; 2310 2311 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2312 goto error; 2313 2314 peer->qos_info = kde.qosinfo; 2315 2316 /* Overwrite with the qos_info obtained in WMM IE */ 2317 if (copy_peer_wmm_capab(&kde, peer) < 0) 2318 goto error; 2319 2320 peer->aid = kde.aid; 2321 2322 if (!wpa_tdls_get_privacy(sm)) { 2323 peer->rsnie_p_len = 0; 2324 peer->cipher = WPA_CIPHER_NONE; 2325 goto skip_rsn; 2326 } 2327 2328 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2329 kde.rsn_ie == NULL) { 2330 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2331 status = WLAN_STATUS_INVALID_PARAMETERS; 2332 goto error; 2333 } 2334 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2335 kde.rsn_ie, kde.rsn_ie_len); 2336 2337 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2338 wpa_printf(MSG_INFO, 2339 "TDLS: Too long Responder RSN IE in TPK M2"); 2340 status = WLAN_STATUS_INVALID_RSNIE; 2341 goto error; 2342 } 2343 2344 /* 2345 * FIX: bitwise comparison of RSN IE is not the correct way of 2346 * validation this. It can be different, but certain fields must 2347 * match. Since we list only a single pairwise cipher in TPK M1, the 2348 * memcmp is likely to work in most cases, though. 2349 */ 2350 if (kde.rsn_ie_len != peer->rsnie_i_len || 2351 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2352 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2353 "not match with RSN IE used in TPK M1"); 2354 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2355 peer->rsnie_i, peer->rsnie_i_len); 2356 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2357 kde.rsn_ie, kde.rsn_ie_len); 2358 status = WLAN_STATUS_INVALID_RSNIE; 2359 goto error; 2360 } 2361 2362 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2363 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2364 status = WLAN_STATUS_INVALID_RSNIE; 2365 goto error; 2366 } 2367 2368 cipher = ie.pairwise_cipher; 2369 if (cipher == WPA_CIPHER_CCMP) { 2370 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2371 cipher = WPA_CIPHER_CCMP; 2372 } else { 2373 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2374 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2375 goto error; 2376 } 2377 2378 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2379 kde.ftie, sizeof(*ftie)); 2380 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2381 2382 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2383 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2384 "not match with FTIE SNonce used in TPK M1"); 2385 /* Silently discard the frame */ 2386 return -1; 2387 } 2388 2389 /* Responder Nonce and RSN IE */ 2390 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2391 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2392 peer->rsnie_p_len = kde.rsn_ie_len; 2393 peer->cipher = cipher; 2394 2395 /* Lifetime */ 2396 if (kde.key_lifetime == NULL) { 2397 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2398 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2399 goto error; 2400 } 2401 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2402 lifetime = WPA_GET_LE32(timeoutie->value); 2403 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2404 lifetime); 2405 if (lifetime != peer->lifetime) { 2406 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2407 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2408 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2409 goto error; 2410 } 2411 2412 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2413 2414 /* Process MIC check to see if TPK M2 is right */ 2415 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2416 (u8 *) timeoutie, ftie) < 0) { 2417 /* Discard the frame */ 2418 wpa_tdls_del_key(sm, peer); 2419 wpa_tdls_disable_peer_link(sm, peer); 2420 return -1; 2421 } 2422 2423 if (wpa_tdls_set_key(sm, peer) < 0) { 2424 /* 2425 * Some drivers may not be able to config the key prior to full 2426 * STA entry having been configured. 2427 */ 2428 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2429 "STA entry is complete"); 2430 peer->reconfig_key = 1; 2431 } 2432 2433 skip_rsn: 2434 peer->dtoken = dtoken; 2435 2436 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2437 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2438 goto error; 2439 2440 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2441 "TPK Handshake Message 3"); 2442 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2443 goto error_no_msg; 2444 2445 if (!peer->tpk_success) { 2446 /* 2447 * Enable Link only when tpk_success is 0, signifying that this 2448 * processing of TPK M2 frame is not because of a retransmission 2449 * during TDLS setup handshake. 2450 */ 2451 ret = wpa_tdls_enable_link(sm, peer); 2452 if (ret < 0) { 2453 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2454 wpa_tdls_do_teardown( 2455 sm, peer, 2456 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2457 } 2458 } 2459 return ret; 2460 2461 error: 2462 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2463 status); 2464 error_no_msg: 2465 wpa_tdls_disable_peer_link(sm, peer); 2466 return -1; 2467 } 2468 2469 2470 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2471 const u8 *buf, size_t len) 2472 { 2473 struct wpa_tdls_peer *peer; 2474 struct wpa_eapol_ie_parse kde; 2475 struct wpa_tdls_ftie *ftie; 2476 struct wpa_tdls_timeoutie *timeoutie; 2477 struct wpa_tdls_lnkid *lnkid; 2478 int ielen; 2479 u16 status; 2480 const u8 *pos; 2481 u32 lifetime; 2482 int ret = 0; 2483 2484 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2485 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2486 for (peer = sm->tdls; peer; peer = peer->next) { 2487 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2488 break; 2489 } 2490 if (peer == NULL) { 2491 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2492 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2493 return -1; 2494 } 2495 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2496 2497 if (len < 3 + 3) 2498 goto error; 2499 pos = buf; 2500 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2501 2502 status = WPA_GET_LE16(pos); 2503 2504 if (status != 0) { 2505 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2506 status); 2507 goto error; 2508 } 2509 pos += 2 /* status code */ + 1 /* dialog token */; 2510 2511 ielen = len - (pos - buf); /* start of IE in buf */ 2512 2513 /* 2514 * Don't reject the message if failing to parse IEs. The IEs we need are 2515 * explicitly checked below. Some APs piggy-back broken IEs to the end 2516 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2517 * this error. 2518 */ 2519 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2520 wpa_printf(MSG_DEBUG, 2521 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2522 } 2523 2524 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2525 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2526 goto error; 2527 } 2528 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2529 (u8 *) kde.lnkid, kde.lnkid_len); 2530 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2531 2532 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2533 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2534 goto error; 2535 } 2536 2537 if (!wpa_tdls_get_privacy(sm)) 2538 goto skip_rsn; 2539 2540 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2541 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2542 goto error; 2543 } 2544 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2545 kde.ftie, sizeof(*ftie)); 2546 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2547 2548 if (kde.rsn_ie == NULL) { 2549 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2550 goto error; 2551 } 2552 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2553 kde.rsn_ie, kde.rsn_ie_len); 2554 if (kde.rsn_ie_len != peer->rsnie_p_len || 2555 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2556 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2557 "with the one sent in TPK M2"); 2558 goto error; 2559 } 2560 2561 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2562 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2563 "not match with FTIE ANonce used in TPK M2"); 2564 goto error; 2565 } 2566 2567 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2568 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2569 "match with FTIE SNonce used in TPK M1"); 2570 goto error; 2571 } 2572 2573 if (kde.key_lifetime == NULL) { 2574 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2575 goto error; 2576 } 2577 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2578 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2579 (u8 *) timeoutie, sizeof(*timeoutie)); 2580 lifetime = WPA_GET_LE32(timeoutie->value); 2581 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2582 lifetime); 2583 if (lifetime != peer->lifetime) { 2584 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2585 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2586 goto error; 2587 } 2588 2589 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2590 (u8 *) timeoutie, ftie) < 0) { 2591 wpa_tdls_del_key(sm, peer); 2592 goto error; 2593 } 2594 2595 if (wpa_tdls_set_key(sm, peer) < 0) { 2596 /* 2597 * Some drivers may not be able to config the key prior to full 2598 * STA entry having been configured. 2599 */ 2600 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2601 "STA entry is complete"); 2602 peer->reconfig_key = 1; 2603 } 2604 2605 skip_rsn: 2606 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2607 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2608 goto error; 2609 2610 if (!peer->tpk_success) { 2611 /* 2612 * Enable Link only when tpk_success is 0, signifying that this 2613 * processing of TPK M3 frame is not because of a retransmission 2614 * during TDLS setup handshake. 2615 */ 2616 ret = wpa_tdls_enable_link(sm, peer); 2617 if (ret < 0) { 2618 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2619 goto error; 2620 } 2621 } 2622 return ret; 2623 error: 2624 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2625 return -1; 2626 } 2627 2628 2629 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2630 { 2631 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2632 2633 os_memset(lifetime, 0, ie_len); 2634 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2635 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2636 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2637 WPA_PUT_LE32(lifetime->value, tsecs); 2638 os_memcpy(pos, ie, ie_len); 2639 return pos + ie_len; 2640 } 2641 2642 2643 /** 2644 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2645 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2646 * @peer: MAC address of the peer STA 2647 * Returns: 0 on success, or -1 on failure 2648 * 2649 * Send TPK Handshake Message 1 info to driver to start TDLS 2650 * handshake with the peer. 2651 */ 2652 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2653 { 2654 struct wpa_tdls_peer *peer; 2655 int tdls_prohibited = sm->tdls_prohibited; 2656 2657 if (sm->tdls_disabled || !sm->tdls_supported) 2658 return -1; 2659 2660 #ifdef CONFIG_TDLS_TESTING 2661 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2662 tdls_prohibited) { 2663 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2664 "on TDLS"); 2665 tdls_prohibited = 0; 2666 } 2667 #endif /* CONFIG_TDLS_TESTING */ 2668 2669 if (tdls_prohibited) { 2670 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2671 "reject request to start setup"); 2672 return -1; 2673 } 2674 2675 peer = wpa_tdls_add_peer(sm, addr, NULL); 2676 if (peer == NULL) 2677 return -1; 2678 2679 if (peer->tpk_in_progress) { 2680 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2681 return 0; 2682 } 2683 2684 peer->initiator = 1; 2685 2686 /* add the peer to the driver as a "setup in progress" peer */ 2687 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2688 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2689 wpa_tdls_disable_peer_link(sm, peer); 2690 return -1; 2691 } 2692 2693 peer->tpk_in_progress = 1; 2694 2695 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2696 wpa_tdls_disable_peer_link(sm, peer); 2697 return -1; 2698 } 2699 2700 return 0; 2701 } 2702 2703 2704 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2705 { 2706 struct wpa_tdls_peer *peer; 2707 2708 if (sm->tdls_disabled || !sm->tdls_supported) 2709 return; 2710 2711 for (peer = sm->tdls; peer; peer = peer->next) { 2712 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2713 break; 2714 } 2715 2716 if (peer == NULL || !peer->tpk_success) 2717 return; 2718 2719 if (sm->tdls_external_setup) { 2720 /* 2721 * Disable previous link to allow renegotiation to be completed 2722 * on AP path. 2723 */ 2724 wpa_tdls_do_teardown(sm, peer, 2725 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2726 } 2727 } 2728 2729 2730 /** 2731 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2732 * 2733 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2734 */ 2735 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2736 const u8 *buf, size_t len) 2737 { 2738 struct wpa_sm *sm = ctx; 2739 struct wpa_tdls_frame *tf; 2740 2741 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2742 buf, len); 2743 2744 if (sm->tdls_disabled || !sm->tdls_supported) { 2745 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2746 "or unsupported by driver"); 2747 return; 2748 } 2749 2750 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2751 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2752 return; 2753 } 2754 2755 if (len < sizeof(*tf)) { 2756 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2757 return; 2758 } 2759 2760 /* Check to make sure its a valid encapsulated TDLS frame */ 2761 tf = (struct wpa_tdls_frame *) buf; 2762 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2763 tf->category != WLAN_ACTION_TDLS) { 2764 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2765 "category=%u action=%u", 2766 tf->payloadtype, tf->category, tf->action); 2767 return; 2768 } 2769 2770 switch (tf->action) { 2771 case WLAN_TDLS_SETUP_REQUEST: 2772 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2773 break; 2774 case WLAN_TDLS_SETUP_RESPONSE: 2775 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2776 break; 2777 case WLAN_TDLS_SETUP_CONFIRM: 2778 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2779 break; 2780 case WLAN_TDLS_TEARDOWN: 2781 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2782 break; 2783 case WLAN_TDLS_DISCOVERY_REQUEST: 2784 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2785 break; 2786 default: 2787 /* Kernel code will process remaining frames */ 2788 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2789 tf->action); 2790 break; 2791 } 2792 } 2793 2794 2795 /** 2796 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2797 * @wpa_s: Pointer to wpa_supplicant data 2798 * Returns: 0 on success, -1 on failure 2799 * 2800 * This function is called to initialize driver interface parameters for TDLS. 2801 * wpa_drv_init() must have been called before this function to initialize the 2802 * driver interface. 2803 */ 2804 int wpa_tdls_init(struct wpa_sm *sm) 2805 { 2806 if (sm == NULL) 2807 return -1; 2808 2809 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2810 sm->ifname, 2811 sm->own_addr, 2812 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2813 sm, 0); 2814 if (sm->l2_tdls == NULL) { 2815 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2816 "connection"); 2817 return -1; 2818 } 2819 2820 /* 2821 * Drivers that support TDLS but don't implement the get_capa callback 2822 * are assumed to perform everything internally 2823 */ 2824 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2825 &sm->tdls_external_setup, 2826 &sm->tdls_chan_switch) < 0) { 2827 sm->tdls_supported = 1; 2828 sm->tdls_external_setup = 0; 2829 } 2830 2831 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2832 "driver", sm->tdls_supported ? "" : " not"); 2833 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2834 sm->tdls_external_setup ? "external" : "internal"); 2835 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2836 sm->tdls_chan_switch ? "supports" : "does not support"); 2837 2838 return 0; 2839 } 2840 2841 2842 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2843 { 2844 struct wpa_tdls_peer *peer, *tmp; 2845 2846 if (!sm) 2847 return; 2848 peer = sm->tdls; 2849 2850 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2851 2852 while (peer) { 2853 tmp = peer->next; 2854 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2855 MAC2STR(peer->addr)); 2856 if (sm->tdls_external_setup) 2857 wpa_tdls_do_teardown(sm, peer, 2858 WLAN_REASON_DEAUTH_LEAVING); 2859 else 2860 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2861 2862 peer = tmp; 2863 } 2864 } 2865 2866 2867 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2868 { 2869 struct wpa_tdls_peer *peer, *tmp; 2870 2871 peer = sm->tdls; 2872 2873 while (peer) { 2874 int res; 2875 tmp = peer->next; 2876 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2877 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2878 MAC2STR(peer->addr), res); 2879 wpa_tdls_peer_free(sm, peer); 2880 peer = tmp; 2881 } 2882 } 2883 2884 2885 /** 2886 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2887 * 2888 * This function is called to recover driver interface parameters for TDLS 2889 * and frees resources allocated for it. 2890 */ 2891 void wpa_tdls_deinit(struct wpa_sm *sm) 2892 { 2893 if (sm == NULL) 2894 return; 2895 2896 if (sm->l2_tdls) 2897 l2_packet_deinit(sm->l2_tdls); 2898 sm->l2_tdls = NULL; 2899 2900 wpa_tdls_remove_peers(sm); 2901 } 2902 2903 2904 void wpa_tdls_assoc(struct wpa_sm *sm) 2905 { 2906 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2907 wpa_tdls_remove_peers(sm); 2908 } 2909 2910 2911 void wpa_tdls_disassoc(struct wpa_sm *sm) 2912 { 2913 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2914 wpa_tdls_remove_peers(sm); 2915 } 2916 2917 2918 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2919 { 2920 /* bit 38 - TDLS Prohibited */ 2921 return !!(elems->ext_capab[4] & 0x40); 2922 } 2923 2924 2925 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2926 { 2927 /* bit 39 - TDLS Channel Switch Prohibited */ 2928 return !!(elems->ext_capab[4] & 0x80); 2929 } 2930 2931 2932 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2933 { 2934 struct ieee802_11_elems elems; 2935 2936 sm->tdls_prohibited = 0; 2937 sm->tdls_chan_switch_prohibited = 0; 2938 2939 if (ies == NULL || 2940 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2941 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2942 return; 2943 2944 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2945 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2946 sm->tdls_prohibited ? "prohibited" : "allowed"); 2947 sm->tdls_chan_switch_prohibited = 2948 wpa_tdls_chan_switch_prohibited(&elems); 2949 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2950 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2951 } 2952 2953 2954 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2955 { 2956 struct ieee802_11_elems elems; 2957 2958 if (ies == NULL || 2959 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2960 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2961 return; 2962 2963 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2964 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2965 "(Re)Association Response IEs"); 2966 sm->tdls_prohibited = 1; 2967 } 2968 2969 if (!sm->tdls_chan_switch_prohibited && 2970 wpa_tdls_chan_switch_prohibited(&elems)) { 2971 wpa_printf(MSG_DEBUG, 2972 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2973 sm->tdls_chan_switch_prohibited = 1; 2974 } 2975 } 2976 2977 2978 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2979 { 2980 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2981 sm->tdls_disabled = !enabled; 2982 } 2983 2984 2985 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2986 { 2987 return sm->tdls_external_setup; 2988 } 2989 2990 2991 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2992 u8 oper_class, 2993 struct hostapd_freq_params *freq_params) 2994 { 2995 struct wpa_tdls_peer *peer; 2996 int ret; 2997 2998 if (sm->tdls_disabled || !sm->tdls_supported) 2999 return -1; 3000 3001 if (!sm->tdls_chan_switch) { 3002 wpa_printf(MSG_DEBUG, 3003 "TDLS: Channel switching not supported by the driver"); 3004 return -1; 3005 } 3006 3007 if (sm->tdls_chan_switch_prohibited) { 3008 wpa_printf(MSG_DEBUG, 3009 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 3010 return -1; 3011 } 3012 3013 for (peer = sm->tdls; peer; peer = peer->next) { 3014 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3015 break; 3016 } 3017 3018 if (peer == NULL || !peer->tpk_success) { 3019 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3020 " not found for channel switching", MAC2STR(addr)); 3021 return -1; 3022 } 3023 3024 if (peer->chan_switch_enabled) { 3025 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3026 " already has channel switching enabled", 3027 MAC2STR(addr)); 3028 return 0; 3029 } 3030 3031 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3032 oper_class, freq_params); 3033 if (!ret) 3034 peer->chan_switch_enabled = 1; 3035 3036 return ret; 3037 } 3038 3039 3040 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3041 { 3042 struct wpa_tdls_peer *peer; 3043 3044 if (sm->tdls_disabled || !sm->tdls_supported) 3045 return -1; 3046 3047 for (peer = sm->tdls; peer; peer = peer->next) { 3048 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3049 break; 3050 } 3051 3052 if (!peer || !peer->chan_switch_enabled) { 3053 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3054 MACSTR, MAC2STR(addr)); 3055 return -1; 3056 } 3057 3058 /* ignore the return value */ 3059 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3060 3061 peer->chan_switch_enabled = 0; 3062 return 0; 3063 } 3064
