1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "crypto/sha256.h" 16 #include "crypto/crypto.h" 17 #include "crypto/aes_wrap.h" 18 #include "rsn_supp/wpa.h" 19 #include "rsn_supp/wpa_ie.h" 20 #include "rsn_supp/wpa_i.h" 21 #include "drivers/driver.h" 22 #include "l2_packet/l2_packet.h" 23 24 #ifdef CONFIG_TDLS_TESTING 25 #define TDLS_TESTING_LONG_FRAME BIT(0) 26 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 27 #define TDLS_TESTING_DIFF_BSSID BIT(2) 28 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 29 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 30 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 31 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 32 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 33 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 34 #define TDLS_TESTING_DECLINE_RESP BIT(9) 35 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 36 #define TDLS_TESTING_WRONG_MIC BIT(11) 37 unsigned int tdls_testing = 0; 38 #endif /* CONFIG_TDLS_TESTING */ 39 40 #define TPK_LIFETIME 43200 /* 12 hours */ 41 #define TPK_M1_RETRY_COUNT 3 42 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 43 #define TPK_M2_RETRY_COUNT 10 44 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 45 46 #define TDLS_MIC_LEN 16 47 48 #define TDLS_TIMEOUT_LEN 4 49 50 struct wpa_tdls_ftie { 51 u8 ie_type; /* FTIE */ 52 u8 ie_len; 53 u8 mic_ctrl[2]; 54 u8 mic[TDLS_MIC_LEN]; 55 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 56 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 57 /* followed by optional elements */ 58 } STRUCT_PACKED; 59 60 struct wpa_tdls_timeoutie { 61 u8 ie_type; /* Timeout IE */ 62 u8 ie_len; 63 u8 interval_type; 64 u8 value[TDLS_TIMEOUT_LEN]; 65 } STRUCT_PACKED; 66 67 struct wpa_tdls_lnkid { 68 u8 ie_type; /* Link Identifier IE */ 69 u8 ie_len; 70 u8 bssid[ETH_ALEN]; 71 u8 init_sta[ETH_ALEN]; 72 u8 resp_sta[ETH_ALEN]; 73 } STRUCT_PACKED; 74 75 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 76 struct wpa_tdls_frame { 77 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 78 u8 category; /* Category */ 79 u8 action; /* Action (enum tdls_frame_type) */ 80 } STRUCT_PACKED; 81 82 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 83 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 84 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 85 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 86 struct wpa_tdls_peer *peer); 87 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 88 u16 reason_code); 89 90 91 #define TDLS_MAX_IE_LEN 80 92 #define IEEE80211_MAX_SUPP_RATES 32 93 94 struct wpa_tdls_peer { 95 struct wpa_tdls_peer *next; 96 unsigned int reconfig_key:1; 97 int initiator; /* whether this end was initiator for TDLS setup */ 98 u8 addr[ETH_ALEN]; /* other end MAC address */ 99 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 100 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 101 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 102 size_t rsnie_i_len; 103 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 104 size_t rsnie_p_len; 105 u32 lifetime; 106 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 107 u8 dtoken; 108 109 struct tpk { 110 u8 kck[16]; /* TPK-KCK */ 111 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 112 } tpk; 113 int tpk_set; 114 int tpk_success; 115 int tpk_in_progress; 116 117 struct tpk_timer { 118 u8 dest[ETH_ALEN]; 119 int count; /* Retry Count */ 120 int timer; /* Timeout in milliseconds */ 121 u8 action_code; /* TDLS frame type */ 122 u8 dialog_token; 123 u16 status_code; 124 u32 peer_capab; 125 int buf_len; /* length of TPK message for retransmission */ 126 u8 *buf; /* buffer for TPK message */ 127 } sm_tmr; 128 129 u16 capability; 130 131 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 132 size_t supp_rates_len; 133 134 struct ieee80211_ht_capabilities *ht_capabilities; 135 struct ieee80211_vht_capabilities *vht_capabilities; 136 137 u8 qos_info; 138 139 u16 aid; 140 141 u8 *ext_capab; 142 size_t ext_capab_len; 143 144 u8 *supp_channels; 145 size_t supp_channels_len; 146 147 u8 *supp_oper_classes; 148 size_t supp_oper_classes_len; 149 150 u8 wmm_capable; 151 }; 152 153 154 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 155 { 156 /* 157 * Get info needed from supplicant to check if the current BSS supports 158 * security. Other than OPEN mode, rest are considered secured 159 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 160 */ 161 return sm->pairwise_cipher != WPA_CIPHER_NONE; 162 } 163 164 165 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 166 { 167 os_memcpy(pos, ie, ie_len); 168 return pos + ie_len; 169 } 170 171 172 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 173 { 174 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 175 0, 0, NULL, 0, NULL, 0) < 0) { 176 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 177 "the driver"); 178 return -1; 179 } 180 181 return 0; 182 } 183 184 185 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 186 { 187 u8 key_len; 188 u8 rsc[6]; 189 enum wpa_alg alg; 190 191 os_memset(rsc, 0, 6); 192 193 switch (peer->cipher) { 194 case WPA_CIPHER_CCMP: 195 alg = WPA_ALG_CCMP; 196 key_len = 16; 197 break; 198 case WPA_CIPHER_NONE: 199 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 200 "NONE - do not use pairwise keys"); 201 return -1; 202 default: 203 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 204 sm->pairwise_cipher); 205 return -1; 206 } 207 208 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 209 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 210 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 211 "driver"); 212 return -1; 213 } 214 return 0; 215 } 216 217 218 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 219 u8 action_code, u8 dialog_token, 220 u16 status_code, u32 peer_capab, 221 int initiator, const u8 *buf, size_t len) 222 { 223 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 224 status_code, peer_capab, initiator, buf, 225 len); 226 } 227 228 229 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 230 u8 dialog_token, u16 status_code, u32 peer_capab, 231 int initiator, const u8 *msg, size_t msg_len) 232 { 233 struct wpa_tdls_peer *peer; 234 235 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 236 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 237 "msg_len=%u", 238 MAC2STR(dest), action_code, dialog_token, status_code, 239 peer_capab, initiator, (unsigned int) msg_len); 240 241 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 242 status_code, peer_capab, initiator, msg, 243 msg_len)) { 244 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 245 "(action_code=%u)", action_code); 246 return -1; 247 } 248 249 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 250 action_code == WLAN_TDLS_TEARDOWN || 251 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 252 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 253 return 0; /* No retries */ 254 255 for (peer = sm->tdls; peer; peer = peer->next) { 256 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 257 break; 258 } 259 260 if (peer == NULL) { 261 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 262 "retry " MACSTR, MAC2STR(dest)); 263 return 0; 264 } 265 266 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 267 268 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 269 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 270 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 271 } else { 272 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 273 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 274 } 275 276 /* Copy message to resend on timeout */ 277 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 278 peer->sm_tmr.action_code = action_code; 279 peer->sm_tmr.dialog_token = dialog_token; 280 peer->sm_tmr.status_code = status_code; 281 peer->sm_tmr.peer_capab = peer_capab; 282 peer->sm_tmr.buf_len = msg_len; 283 os_free(peer->sm_tmr.buf); 284 peer->sm_tmr.buf = os_malloc(msg_len); 285 if (peer->sm_tmr.buf == NULL) 286 return -1; 287 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 288 289 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 290 "(action_code=%u)", action_code); 291 eloop_register_timeout(peer->sm_tmr.timer / 1000, 292 (peer->sm_tmr.timer % 1000) * 1000, 293 wpa_tdls_tpk_retry_timeout, sm, peer); 294 return 0; 295 } 296 297 298 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 299 u16 reason_code) 300 { 301 int ret; 302 303 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 304 /* disable the link after teardown was sent */ 305 wpa_tdls_disable_peer_link(sm, peer); 306 307 return ret; 308 } 309 310 311 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 312 { 313 314 struct wpa_sm *sm = eloop_ctx; 315 struct wpa_tdls_peer *peer = timeout_ctx; 316 317 if (peer->sm_tmr.count) { 318 peer->sm_tmr.count--; 319 320 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 321 "(action_code=%u)", 322 peer->sm_tmr.action_code); 323 324 if (peer->sm_tmr.buf == NULL) { 325 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 326 "for action_code=%u", 327 peer->sm_tmr.action_code); 328 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 329 peer); 330 return; 331 } 332 333 /* resend TPK Handshake Message to Peer */ 334 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 335 peer->sm_tmr.action_code, 336 peer->sm_tmr.dialog_token, 337 peer->sm_tmr.status_code, 338 peer->sm_tmr.peer_capab, 339 peer->initiator, 340 peer->sm_tmr.buf, 341 peer->sm_tmr.buf_len)) { 342 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 343 "transmission"); 344 } 345 346 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 347 eloop_register_timeout(peer->sm_tmr.timer / 1000, 348 (peer->sm_tmr.timer % 1000) * 1000, 349 wpa_tdls_tpk_retry_timeout, sm, peer); 350 } else { 351 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 352 353 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 354 wpa_tdls_do_teardown(sm, peer, 355 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 356 } 357 } 358 359 360 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 361 struct wpa_tdls_peer *peer, 362 u8 action_code) 363 { 364 if (action_code == peer->sm_tmr.action_code) { 365 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 366 "action_code=%u", action_code); 367 368 /* Cancel Timeout registered */ 369 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 370 371 /* free all resources meant for retry */ 372 os_free(peer->sm_tmr.buf); 373 peer->sm_tmr.buf = NULL; 374 375 peer->sm_tmr.count = 0; 376 peer->sm_tmr.timer = 0; 377 peer->sm_tmr.buf_len = 0; 378 peer->sm_tmr.action_code = 0xff; 379 } else { 380 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 381 "(Unknown action_code=%u)", action_code); 382 } 383 } 384 385 386 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 387 const u8 *own_addr, const u8 *bssid) 388 { 389 u8 key_input[SHA256_MAC_LEN]; 390 const u8 *nonce[2]; 391 size_t len[2]; 392 u8 data[3 * ETH_ALEN]; 393 394 /* IEEE Std 802.11z-2010 8.5.9.1: 395 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 396 */ 397 len[0] = WPA_NONCE_LEN; 398 len[1] = WPA_NONCE_LEN; 399 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 400 nonce[0] = peer->inonce; 401 nonce[1] = peer->rnonce; 402 } else { 403 nonce[0] = peer->rnonce; 404 nonce[1] = peer->inonce; 405 } 406 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 407 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 408 sha256_vector(2, nonce, len, key_input); 409 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 410 key_input, SHA256_MAC_LEN); 411 412 /* 413 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 414 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 415 * TODO: is N_KEY really included in KDF Context and if so, in which 416 * presentation format (little endian 16-bit?) is it used? It gets 417 * added by the KDF anyway.. 418 */ 419 420 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 421 os_memcpy(data, own_addr, ETH_ALEN); 422 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 423 } else { 424 os_memcpy(data, peer->addr, ETH_ALEN); 425 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 426 } 427 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 428 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 429 430 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 431 (u8 *) &peer->tpk, sizeof(peer->tpk)); 432 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 433 peer->tpk.kck, sizeof(peer->tpk.kck)); 434 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 435 peer->tpk.tk, sizeof(peer->tpk.tk)); 436 peer->tpk_set = 1; 437 } 438 439 440 /** 441 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 442 * @kck: TPK-KCK 443 * @lnkid: Pointer to the beginning of Link Identifier IE 444 * @rsnie: Pointer to the beginning of RSN IE used for handshake 445 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 446 * @ftie: Pointer to the beginning of FT IE 447 * @mic: Pointer for writing MIC 448 * 449 * Calculate MIC for TDLS frame. 450 */ 451 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 452 const u8 *rsnie, const u8 *timeoutie, 453 const u8 *ftie, u8 *mic) 454 { 455 u8 *buf, *pos; 456 struct wpa_tdls_ftie *_ftie; 457 const struct wpa_tdls_lnkid *_lnkid; 458 int ret; 459 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 460 2 + timeoutie[1] + 2 + ftie[1]; 461 buf = os_zalloc(len); 462 if (!buf) { 463 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 464 return -1; 465 } 466 467 pos = buf; 468 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 469 /* 1) TDLS initiator STA MAC address */ 470 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 471 pos += ETH_ALEN; 472 /* 2) TDLS responder STA MAC address */ 473 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 474 pos += ETH_ALEN; 475 /* 3) Transaction Sequence number */ 476 *pos++ = trans_seq; 477 /* 4) Link Identifier IE */ 478 os_memcpy(pos, lnkid, 2 + lnkid[1]); 479 pos += 2 + lnkid[1]; 480 /* 5) RSN IE */ 481 os_memcpy(pos, rsnie, 2 + rsnie[1]); 482 pos += 2 + rsnie[1]; 483 /* 6) Timeout Interval IE */ 484 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 485 pos += 2 + timeoutie[1]; 486 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 487 os_memcpy(pos, ftie, 2 + ftie[1]); 488 _ftie = (struct wpa_tdls_ftie *) pos; 489 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 490 pos += 2 + ftie[1]; 491 492 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 493 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 494 ret = omac1_aes_128(kck, buf, pos - buf, mic); 495 os_free(buf); 496 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 497 return ret; 498 } 499 500 501 /** 502 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 503 * @kck: TPK-KCK 504 * @trans_seq: Transaction Sequence Number (4 - Teardown) 505 * @rcode: Reason code for Teardown 506 * @dtoken: Dialog Token used for that particular link 507 * @lnkid: Pointer to the beginning of Link Identifier IE 508 * @ftie: Pointer to the beginning of FT IE 509 * @mic: Pointer for writing MIC 510 * 511 * Calculate MIC for TDLS frame. 512 */ 513 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 514 u8 dtoken, const u8 *lnkid, 515 const u8 *ftie, u8 *mic) 516 { 517 u8 *buf, *pos; 518 struct wpa_tdls_ftie *_ftie; 519 int ret; 520 int len; 521 522 if (lnkid == NULL) 523 return -1; 524 525 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 526 sizeof(trans_seq) + 2 + ftie[1]; 527 528 buf = os_zalloc(len); 529 if (!buf) { 530 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 531 return -1; 532 } 533 534 pos = buf; 535 /* 1) Link Identifier IE */ 536 os_memcpy(pos, lnkid, 2 + lnkid[1]); 537 pos += 2 + lnkid[1]; 538 /* 2) Reason Code */ 539 WPA_PUT_LE16(pos, rcode); 540 pos += sizeof(rcode); 541 /* 3) Dialog token */ 542 *pos++ = dtoken; 543 /* 4) Transaction Sequence number */ 544 *pos++ = trans_seq; 545 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 546 os_memcpy(pos, ftie, 2 + ftie[1]); 547 _ftie = (struct wpa_tdls_ftie *) pos; 548 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 549 pos += 2 + ftie[1]; 550 551 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 552 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 553 ret = omac1_aes_128(kck, buf, pos - buf, mic); 554 os_free(buf); 555 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 556 return ret; 557 } 558 559 560 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 561 struct wpa_tdls_peer *peer, 562 const u8 *lnkid, const u8 *timeoutie, 563 const struct wpa_tdls_ftie *ftie) 564 { 565 u8 mic[16]; 566 567 if (peer->tpk_set) { 568 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 569 peer->rsnie_p, timeoutie, (u8 *) ftie, 570 mic); 571 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 572 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 573 "dropping packet"); 574 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 575 ftie->mic, 16); 576 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 577 mic, 16); 578 return -1; 579 } 580 } else { 581 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 582 "TPK not set - dropping packet"); 583 return -1; 584 } 585 return 0; 586 } 587 588 589 static int wpa_supplicant_verify_tdls_mic_teardown( 590 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 591 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 592 { 593 u8 mic[16]; 594 595 if (peer->tpk_set) { 596 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 597 dtoken, lnkid, (u8 *) ftie, mic); 598 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 599 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 600 "dropping packet"); 601 return -1; 602 } 603 } else { 604 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 605 "MIC, TPK not set - dropping packet"); 606 return -1; 607 } 608 return 0; 609 } 610 611 612 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 613 { 614 struct wpa_sm *sm = eloop_ctx; 615 struct wpa_tdls_peer *peer = timeout_ctx; 616 617 /* 618 * On TPK lifetime expiration, we have an option of either tearing down 619 * the direct link or trying to re-initiate it. The selection of what 620 * to do is not strictly speaking controlled by our role in the expired 621 * link, but for now, use that to select whether to renew or tear down 622 * the link. 623 */ 624 625 if (peer->initiator) { 626 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 627 " - try to renew", MAC2STR(peer->addr)); 628 wpa_tdls_start(sm, peer->addr); 629 } else { 630 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 631 " - tear down", MAC2STR(peer->addr)); 632 wpa_tdls_do_teardown(sm, peer, 633 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 634 } 635 } 636 637 638 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 639 struct wpa_tdls_peer *peer) 640 { 641 struct wpa_tdls_peer *cur, *prev; 642 643 cur = sm->tdls; 644 prev = NULL; 645 while (cur && cur != peer) { 646 prev = cur; 647 cur = cur->next; 648 } 649 650 if (cur != peer) { 651 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 652 " to remove it from the list", 653 MAC2STR(peer->addr)); 654 return; 655 } 656 657 if (prev) 658 prev->next = peer->next; 659 else 660 sm->tdls = peer->next; 661 } 662 663 664 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 665 { 666 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 667 MAC2STR(peer->addr)); 668 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 669 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 670 peer->reconfig_key = 0; 671 peer->initiator = 0; 672 peer->tpk_in_progress = 0; 673 os_free(peer->sm_tmr.buf); 674 peer->sm_tmr.buf = NULL; 675 os_free(peer->ht_capabilities); 676 peer->ht_capabilities = NULL; 677 os_free(peer->vht_capabilities); 678 peer->vht_capabilities = NULL; 679 os_free(peer->ext_capab); 680 peer->ext_capab = NULL; 681 os_free(peer->supp_channels); 682 peer->supp_channels = NULL; 683 os_free(peer->supp_oper_classes); 684 peer->supp_oper_classes = NULL; 685 peer->rsnie_i_len = peer->rsnie_p_len = 0; 686 peer->cipher = 0; 687 peer->qos_info = 0; 688 peer->wmm_capable = 0; 689 peer->tpk_set = peer->tpk_success = 0; 690 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 691 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 692 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 693 } 694 695 696 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 697 { 698 wpa_tdls_peer_clear(sm, peer); 699 wpa_tdls_peer_remove_from_list(sm, peer); 700 os_free(peer); 701 } 702 703 704 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 705 struct wpa_tdls_lnkid *lnkid) 706 { 707 lnkid->ie_type = WLAN_EID_LINK_ID; 708 lnkid->ie_len = 3 * ETH_ALEN; 709 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 710 if (peer->initiator) { 711 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 712 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 713 } else { 714 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 715 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 716 } 717 } 718 719 720 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 721 u16 reason_code) 722 { 723 struct wpa_tdls_peer *peer; 724 struct wpa_tdls_ftie *ftie; 725 struct wpa_tdls_lnkid lnkid; 726 u8 dialog_token; 727 u8 *rbuf, *pos; 728 int ielen; 729 730 if (sm->tdls_disabled || !sm->tdls_supported) 731 return -1; 732 733 /* Find the node and free from the list */ 734 for (peer = sm->tdls; peer; peer = peer->next) { 735 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 736 break; 737 } 738 739 if (peer == NULL) { 740 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 741 "Teardown " MACSTR, MAC2STR(addr)); 742 return 0; 743 } 744 745 dialog_token = peer->dtoken; 746 747 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 748 MAC2STR(addr)); 749 750 ielen = 0; 751 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 752 /* To add FTIE for Teardown request and compute MIC */ 753 ielen += sizeof(*ftie); 754 #ifdef CONFIG_TDLS_TESTING 755 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 756 ielen += 170; 757 #endif /* CONFIG_TDLS_TESTING */ 758 } 759 760 rbuf = os_zalloc(ielen + 1); 761 if (rbuf == NULL) 762 return -1; 763 pos = rbuf; 764 765 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 766 goto skip_ies; 767 768 ftie = (struct wpa_tdls_ftie *) pos; 769 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 770 /* Using the recent nonce which should be for CONFIRM frame */ 771 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 772 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 773 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 774 pos = (u8 *) (ftie + 1); 775 #ifdef CONFIG_TDLS_TESTING 776 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 777 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 778 "FTIE"); 779 ftie->ie_len += 170; 780 *pos++ = 255; /* FTIE subelem */ 781 *pos++ = 168; /* FTIE subelem length */ 782 pos += 168; 783 } 784 #endif /* CONFIG_TDLS_TESTING */ 785 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 786 (u8 *) ftie, pos - (u8 *) ftie); 787 788 /* compute MIC before sending */ 789 wpa_tdls_linkid(sm, peer, &lnkid); 790 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 791 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 792 ftie->mic); 793 794 skip_ies: 795 /* TODO: register for a Timeout handler, if Teardown is not received at 796 * the other end, then try again another time */ 797 798 /* request driver to send Teardown using this FTIE */ 799 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 800 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 801 os_free(rbuf); 802 803 return 0; 804 } 805 806 807 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 808 { 809 struct wpa_tdls_peer *peer; 810 811 if (sm->tdls_disabled || !sm->tdls_supported) 812 return -1; 813 814 for (peer = sm->tdls; peer; peer = peer->next) { 815 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 816 break; 817 } 818 819 if (peer == NULL) { 820 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 821 " for link Teardown", MAC2STR(addr)); 822 return -1; 823 } 824 825 if (!peer->tpk_success) { 826 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 827 " not connected - cannot Teardown link", MAC2STR(addr)); 828 return -1; 829 } 830 831 return wpa_tdls_do_teardown(sm, peer, reason_code); 832 } 833 834 835 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 836 struct wpa_tdls_peer *peer) 837 { 838 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 839 wpa_tdls_peer_free(sm, peer); 840 } 841 842 843 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 844 { 845 struct wpa_tdls_peer *peer; 846 847 for (peer = sm->tdls; peer; peer = peer->next) { 848 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 849 break; 850 } 851 852 if (!peer || !peer->tpk_success) { 853 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 854 " not connected - cannot teardown unreachable link", 855 MAC2STR(addr)); 856 return; 857 } 858 859 if (wpa_tdls_is_external_setup(sm)) { 860 /* 861 * Disable the link, send a teardown packet through the 862 * AP, and then reset link data. 863 */ 864 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 865 wpa_tdls_send_teardown(sm, addr, 866 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 867 wpa_tdls_peer_free(sm, peer); 868 } else { 869 wpa_tdls_disable_peer_link(sm, peer); 870 } 871 } 872 873 874 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 875 { 876 struct wpa_tdls_peer *peer; 877 878 if (sm->tdls_disabled || !sm->tdls_supported) 879 return "disabled"; 880 881 for (peer = sm->tdls; peer; peer = peer->next) { 882 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 883 break; 884 } 885 886 if (peer == NULL) 887 return "peer does not exist"; 888 889 if (!peer->tpk_success) 890 return "peer not connected"; 891 892 return "connected"; 893 } 894 895 896 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 897 const u8 *buf, size_t len) 898 { 899 struct wpa_tdls_peer *peer = NULL; 900 struct wpa_tdls_ftie *ftie; 901 struct wpa_tdls_lnkid *lnkid; 902 struct wpa_eapol_ie_parse kde; 903 u16 reason_code; 904 const u8 *pos; 905 int ielen; 906 907 /* Find the node and free from the list */ 908 for (peer = sm->tdls; peer; peer = peer->next) { 909 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 910 break; 911 } 912 913 if (peer == NULL) { 914 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 915 "Teardown " MACSTR, MAC2STR(src_addr)); 916 return 0; 917 } 918 919 pos = buf; 920 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 921 922 reason_code = WPA_GET_LE16(pos); 923 pos += 2; 924 925 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 926 " (reason code %u)", MAC2STR(src_addr), reason_code); 927 928 ielen = len - (pos - buf); /* start of IE in buf */ 929 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 930 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown"); 931 return -1; 932 } 933 934 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 935 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 936 "Teardown"); 937 return -1; 938 } 939 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 940 941 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 942 goto skip_ftie; 943 944 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 945 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 946 return -1; 947 } 948 949 ftie = (struct wpa_tdls_ftie *) kde.ftie; 950 951 /* Process MIC check to see if TDLS Teardown is right */ 952 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 953 peer->dtoken, peer, 954 (u8 *) lnkid, ftie) < 0) { 955 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 956 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 957 return -1; 958 } 959 960 skip_ftie: 961 /* 962 * Request the driver to disable the direct link and clear associated 963 * keys. 964 */ 965 wpa_tdls_disable_peer_link(sm, peer); 966 return 0; 967 } 968 969 970 /** 971 * wpa_tdls_send_error - To send suitable TDLS status response with 972 * appropriate status code mentioning reason for error/failure. 973 * @dst - MAC addr of Peer station 974 * @tdls_action - TDLS frame type for which error code is sent 975 * @initiator - was this end the initiator of the connection 976 * @status - status code mentioning reason 977 */ 978 979 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 980 u8 tdls_action, u8 dialog_token, int initiator, 981 u16 status) 982 { 983 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 984 " (action=%u status=%u)", 985 MAC2STR(dst), tdls_action, status); 986 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 987 0, initiator, NULL, 0); 988 } 989 990 991 static struct wpa_tdls_peer * 992 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 993 { 994 struct wpa_tdls_peer *peer; 995 996 if (existing) 997 *existing = 0; 998 for (peer = sm->tdls; peer; peer = peer->next) { 999 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1000 if (existing) 1001 *existing = 1; 1002 return peer; /* re-use existing entry */ 1003 } 1004 } 1005 1006 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1007 MAC2STR(addr)); 1008 1009 peer = os_zalloc(sizeof(*peer)); 1010 if (peer == NULL) 1011 return NULL; 1012 1013 os_memcpy(peer->addr, addr, ETH_ALEN); 1014 peer->next = sm->tdls; 1015 sm->tdls = peer; 1016 1017 return peer; 1018 } 1019 1020 1021 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1022 struct wpa_tdls_peer *peer) 1023 { 1024 size_t buf_len; 1025 struct wpa_tdls_timeoutie timeoutie; 1026 u16 rsn_capab; 1027 struct wpa_tdls_ftie *ftie; 1028 u8 *rbuf, *pos, *count_pos; 1029 u16 count; 1030 struct rsn_ie_hdr *hdr; 1031 int status; 1032 1033 if (!wpa_tdls_get_privacy(sm)) { 1034 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1035 peer->rsnie_i_len = 0; 1036 goto skip_rsnie; 1037 } 1038 1039 /* 1040 * TPK Handshake Message 1: 1041 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1042 * Timeout Interval IE)) 1043 */ 1044 1045 /* Filling RSN IE */ 1046 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1047 hdr->elem_id = WLAN_EID_RSN; 1048 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1049 1050 pos = (u8 *) (hdr + 1); 1051 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1052 pos += RSN_SELECTOR_LEN; 1053 count_pos = pos; 1054 pos += 2; 1055 1056 count = 0; 1057 1058 /* 1059 * AES-CCMP is the default Encryption preferred for TDLS, so 1060 * RSN IE is filled only with CCMP CIPHER 1061 * Note: TKIP is not used to encrypt TDLS link. 1062 * 1063 * Regardless of the cipher used on the AP connection, select CCMP 1064 * here. 1065 */ 1066 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1067 pos += RSN_SELECTOR_LEN; 1068 count++; 1069 1070 WPA_PUT_LE16(count_pos, count); 1071 1072 WPA_PUT_LE16(pos, 1); 1073 pos += 2; 1074 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1075 pos += RSN_SELECTOR_LEN; 1076 1077 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1078 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1079 #ifdef CONFIG_TDLS_TESTING 1080 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1081 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1082 "testing"); 1083 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1084 } 1085 #endif /* CONFIG_TDLS_TESTING */ 1086 WPA_PUT_LE16(pos, rsn_capab); 1087 pos += 2; 1088 #ifdef CONFIG_TDLS_TESTING 1089 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1090 /* Number of PMKIDs */ 1091 *pos++ = 0x00; 1092 *pos++ = 0x00; 1093 } 1094 #endif /* CONFIG_TDLS_TESTING */ 1095 1096 hdr->len = (pos - peer->rsnie_i) - 2; 1097 peer->rsnie_i_len = pos - peer->rsnie_i; 1098 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1099 peer->rsnie_i, peer->rsnie_i_len); 1100 1101 skip_rsnie: 1102 buf_len = 0; 1103 if (wpa_tdls_get_privacy(sm)) 1104 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1105 sizeof(struct wpa_tdls_timeoutie); 1106 #ifdef CONFIG_TDLS_TESTING 1107 if (wpa_tdls_get_privacy(sm) && 1108 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1109 buf_len += 170; 1110 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1111 buf_len += sizeof(struct wpa_tdls_lnkid); 1112 #endif /* CONFIG_TDLS_TESTING */ 1113 rbuf = os_zalloc(buf_len + 1); 1114 if (rbuf == NULL) { 1115 wpa_tdls_peer_free(sm, peer); 1116 return -1; 1117 } 1118 pos = rbuf; 1119 1120 if (!wpa_tdls_get_privacy(sm)) 1121 goto skip_ies; 1122 1123 /* Initiator RSN IE */ 1124 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1125 1126 ftie = (struct wpa_tdls_ftie *) pos; 1127 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1128 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1129 1130 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1131 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1132 "TDLS: Failed to get random data for initiator Nonce"); 1133 os_free(rbuf); 1134 wpa_tdls_peer_free(sm, peer); 1135 return -1; 1136 } 1137 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1138 peer->inonce, WPA_NONCE_LEN); 1139 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1140 1141 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1142 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1143 1144 pos = (u8 *) (ftie + 1); 1145 1146 #ifdef CONFIG_TDLS_TESTING 1147 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1148 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1149 "FTIE"); 1150 ftie->ie_len += 170; 1151 *pos++ = 255; /* FTIE subelem */ 1152 *pos++ = 168; /* FTIE subelem length */ 1153 pos += 168; 1154 } 1155 #endif /* CONFIG_TDLS_TESTING */ 1156 1157 /* Lifetime */ 1158 peer->lifetime = TPK_LIFETIME; 1159 #ifdef CONFIG_TDLS_TESTING 1160 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1161 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1162 "lifetime"); 1163 peer->lifetime = 301; 1164 } 1165 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1166 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1167 "lifetime"); 1168 peer->lifetime = 0xffffffff; 1169 } 1170 #endif /* CONFIG_TDLS_TESTING */ 1171 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1172 sizeof(timeoutie), peer->lifetime); 1173 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1174 1175 skip_ies: 1176 1177 #ifdef CONFIG_TDLS_TESTING 1178 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1179 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1180 "Link Identifier"); 1181 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1182 wpa_tdls_linkid(sm, peer, l); 1183 l->bssid[5] ^= 0x01; 1184 pos += sizeof(*l); 1185 } 1186 #endif /* CONFIG_TDLS_TESTING */ 1187 1188 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1189 "Handshake Message 1 (peer " MACSTR ")", 1190 MAC2STR(peer->addr)); 1191 1192 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1193 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1194 os_free(rbuf); 1195 1196 return status; 1197 } 1198 1199 1200 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1201 const unsigned char *src_addr, u8 dtoken, 1202 struct wpa_tdls_lnkid *lnkid, 1203 const struct wpa_tdls_peer *peer) 1204 { 1205 u8 *rbuf, *pos; 1206 size_t buf_len; 1207 u32 lifetime; 1208 struct wpa_tdls_timeoutie timeoutie; 1209 struct wpa_tdls_ftie *ftie; 1210 int status; 1211 1212 buf_len = 0; 1213 if (wpa_tdls_get_privacy(sm)) { 1214 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1215 * Lifetime */ 1216 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1217 sizeof(struct wpa_tdls_timeoutie); 1218 #ifdef CONFIG_TDLS_TESTING 1219 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1220 buf_len += 170; 1221 #endif /* CONFIG_TDLS_TESTING */ 1222 } 1223 1224 rbuf = os_zalloc(buf_len + 1); 1225 if (rbuf == NULL) 1226 return -1; 1227 pos = rbuf; 1228 1229 if (!wpa_tdls_get_privacy(sm)) 1230 goto skip_ies; 1231 1232 /* Peer RSN IE */ 1233 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1234 1235 ftie = (struct wpa_tdls_ftie *) pos; 1236 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1237 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1238 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1239 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1240 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1241 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1242 (u8 *) ftie, sizeof(*ftie)); 1243 1244 pos = (u8 *) (ftie + 1); 1245 1246 #ifdef CONFIG_TDLS_TESTING 1247 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1248 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1249 "FTIE"); 1250 ftie->ie_len += 170; 1251 *pos++ = 255; /* FTIE subelem */ 1252 *pos++ = 168; /* FTIE subelem length */ 1253 pos += 168; 1254 } 1255 #endif /* CONFIG_TDLS_TESTING */ 1256 1257 /* Lifetime */ 1258 lifetime = peer->lifetime; 1259 #ifdef CONFIG_TDLS_TESTING 1260 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1261 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1262 "lifetime in response"); 1263 lifetime++; 1264 } 1265 #endif /* CONFIG_TDLS_TESTING */ 1266 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1267 sizeof(timeoutie), lifetime); 1268 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1269 lifetime); 1270 1271 /* compute MIC before sending */ 1272 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1273 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1274 #ifdef CONFIG_TDLS_TESTING 1275 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1276 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1277 ftie->mic[0] ^= 0x01; 1278 } 1279 #endif /* CONFIG_TDLS_TESTING */ 1280 1281 skip_ies: 1282 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1283 dtoken, 0, 0, peer->initiator, rbuf, 1284 pos - rbuf); 1285 os_free(rbuf); 1286 1287 return status; 1288 } 1289 1290 1291 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1292 const unsigned char *src_addr, u8 dtoken, 1293 struct wpa_tdls_lnkid *lnkid, 1294 const struct wpa_tdls_peer *peer) 1295 { 1296 u8 *rbuf, *pos; 1297 size_t buf_len; 1298 struct wpa_tdls_ftie *ftie; 1299 struct wpa_tdls_timeoutie timeoutie; 1300 u32 lifetime; 1301 int status; 1302 u32 peer_capab = 0; 1303 1304 buf_len = 0; 1305 if (wpa_tdls_get_privacy(sm)) { 1306 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1307 * Lifetime */ 1308 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1309 sizeof(struct wpa_tdls_timeoutie); 1310 #ifdef CONFIG_TDLS_TESTING 1311 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1312 buf_len += 170; 1313 #endif /* CONFIG_TDLS_TESTING */ 1314 } 1315 1316 rbuf = os_zalloc(buf_len + 1); 1317 if (rbuf == NULL) 1318 return -1; 1319 pos = rbuf; 1320 1321 if (!wpa_tdls_get_privacy(sm)) 1322 goto skip_ies; 1323 1324 /* Peer RSN IE */ 1325 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1326 1327 ftie = (struct wpa_tdls_ftie *) pos; 1328 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1329 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1330 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1331 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1332 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1333 1334 pos = (u8 *) (ftie + 1); 1335 1336 #ifdef CONFIG_TDLS_TESTING 1337 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1338 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1339 "FTIE"); 1340 ftie->ie_len += 170; 1341 *pos++ = 255; /* FTIE subelem */ 1342 *pos++ = 168; /* FTIE subelem length */ 1343 pos += 168; 1344 } 1345 #endif /* CONFIG_TDLS_TESTING */ 1346 1347 /* Lifetime */ 1348 lifetime = peer->lifetime; 1349 #ifdef CONFIG_TDLS_TESTING 1350 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1351 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1352 "lifetime in confirm"); 1353 lifetime++; 1354 } 1355 #endif /* CONFIG_TDLS_TESTING */ 1356 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1357 sizeof(timeoutie), lifetime); 1358 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1359 lifetime); 1360 1361 /* compute MIC before sending */ 1362 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1363 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1364 #ifdef CONFIG_TDLS_TESTING 1365 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1366 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1367 ftie->mic[0] ^= 0x01; 1368 } 1369 #endif /* CONFIG_TDLS_TESTING */ 1370 1371 skip_ies: 1372 1373 if (peer->vht_capabilities) 1374 peer_capab |= TDLS_PEER_VHT; 1375 if (peer->ht_capabilities) 1376 peer_capab |= TDLS_PEER_HT; 1377 if (peer->wmm_capable) 1378 peer_capab |= TDLS_PEER_WMM; 1379 1380 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1381 dtoken, 0, peer_capab, peer->initiator, 1382 rbuf, pos - rbuf); 1383 os_free(rbuf); 1384 1385 return status; 1386 } 1387 1388 1389 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1390 struct wpa_tdls_peer *peer, 1391 u8 dialog_token) 1392 { 1393 size_t buf_len = 0; 1394 struct wpa_tdls_timeoutie timeoutie; 1395 u16 rsn_capab; 1396 u8 *rbuf, *pos, *count_pos; 1397 u16 count; 1398 struct rsn_ie_hdr *hdr; 1399 int status; 1400 1401 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1402 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1403 if (!wpa_tdls_get_privacy(sm)) 1404 goto skip_rsn_ies; 1405 1406 /* Filling RSN IE */ 1407 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1408 hdr->elem_id = WLAN_EID_RSN; 1409 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1410 pos = (u8 *) (hdr + 1); 1411 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1412 pos += RSN_SELECTOR_LEN; 1413 count_pos = pos; 1414 pos += 2; 1415 count = 0; 1416 1417 /* 1418 * AES-CCMP is the default encryption preferred for TDLS, so 1419 * RSN IE is filled only with CCMP cipher suite. 1420 * Note: TKIP is not used to encrypt TDLS link. 1421 * 1422 * Regardless of the cipher used on the AP connection, select CCMP 1423 * here. 1424 */ 1425 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1426 pos += RSN_SELECTOR_LEN; 1427 count++; 1428 WPA_PUT_LE16(count_pos, count); 1429 WPA_PUT_LE16(pos, 1); 1430 pos += 2; 1431 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1432 pos += RSN_SELECTOR_LEN; 1433 1434 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1435 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1436 WPA_PUT_LE16(pos, rsn_capab); 1437 pos += 2; 1438 hdr->len = (pos - (u8 *) hdr) - 2; 1439 peer->rsnie_i_len = pos - peer->rsnie_i; 1440 1441 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1442 (u8 *) hdr, hdr->len + 2); 1443 skip_rsn_ies: 1444 buf_len = 0; 1445 if (wpa_tdls_get_privacy(sm)) { 1446 /* Peer RSN IE, Lifetime */ 1447 buf_len += peer->rsnie_i_len + 1448 sizeof(struct wpa_tdls_timeoutie); 1449 } 1450 rbuf = os_zalloc(buf_len + 1); 1451 if (rbuf == NULL) { 1452 wpa_tdls_peer_free(sm, peer); 1453 return -1; 1454 } 1455 pos = rbuf; 1456 1457 if (!wpa_tdls_get_privacy(sm)) 1458 goto skip_ies; 1459 /* Initiator RSN IE */ 1460 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1461 /* Lifetime */ 1462 peer->lifetime = TPK_LIFETIME; 1463 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1464 sizeof(timeoutie), peer->lifetime); 1465 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1466 skip_ies: 1467 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1468 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1469 os_free(rbuf); 1470 1471 return status; 1472 } 1473 1474 1475 static int 1476 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1477 const u8 *buf, size_t len) 1478 { 1479 struct wpa_eapol_ie_parse kde; 1480 const struct wpa_tdls_lnkid *lnkid; 1481 struct wpa_tdls_peer *peer; 1482 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1483 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1484 u8 dialog_token; 1485 1486 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1487 MAC2STR(addr)); 1488 1489 if (len < min_req_len) { 1490 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1491 "%d", (int) len); 1492 return -1; 1493 } 1494 1495 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1496 1497 /* 1498 * Some APs will tack on a weird IE to the end of a TDLS 1499 * discovery request packet. This needn't fail the response, 1500 * since the required IE are verified separately. 1501 */ 1502 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1503 len - (sizeof(struct wpa_tdls_frame) + 1), 1504 &kde) < 0) { 1505 wpa_printf(MSG_DEBUG, 1506 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1507 } 1508 1509 if (!kde.lnkid) { 1510 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1511 "Request"); 1512 return -1; 1513 } 1514 1515 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1516 1517 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1518 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1519 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1520 return -1; 1521 } 1522 1523 peer = wpa_tdls_add_peer(sm, addr, NULL); 1524 if (peer == NULL) 1525 return -1; 1526 1527 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1528 } 1529 1530 1531 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1532 { 1533 if (sm->tdls_disabled || !sm->tdls_supported) 1534 return -1; 1535 1536 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1537 MACSTR, MAC2STR(addr)); 1538 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1539 1, 0, 0, 1, NULL, 0); 1540 } 1541 1542 1543 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1544 struct wpa_tdls_peer *peer) 1545 { 1546 if (!kde->supp_rates) { 1547 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1548 return -1; 1549 } 1550 peer->supp_rates_len = merge_byte_arrays( 1551 peer->supp_rates, sizeof(peer->supp_rates), 1552 kde->supp_rates + 2, kde->supp_rates_len - 2, 1553 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1554 kde->ext_supp_rates_len - 2); 1555 return 0; 1556 } 1557 1558 1559 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1560 struct wpa_tdls_peer *peer) 1561 { 1562 if (!kde->ht_capabilities || 1563 kde->ht_capabilities_len < 1564 sizeof(struct ieee80211_ht_capabilities) ) { 1565 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1566 "received"); 1567 return 0; 1568 } 1569 1570 if (!peer->ht_capabilities) { 1571 peer->ht_capabilities = 1572 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1573 if (peer->ht_capabilities == NULL) 1574 return -1; 1575 } 1576 1577 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1578 sizeof(struct ieee80211_ht_capabilities)); 1579 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1580 (u8 *) peer->ht_capabilities, 1581 sizeof(struct ieee80211_ht_capabilities)); 1582 1583 return 0; 1584 } 1585 1586 1587 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1588 struct wpa_tdls_peer *peer) 1589 { 1590 if (!kde->vht_capabilities || 1591 kde->vht_capabilities_len < 1592 sizeof(struct ieee80211_vht_capabilities) ) { 1593 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1594 "received"); 1595 return 0; 1596 } 1597 1598 if (!peer->vht_capabilities) { 1599 peer->vht_capabilities = 1600 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1601 if (peer->vht_capabilities == NULL) 1602 return -1; 1603 } 1604 1605 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1606 sizeof(struct ieee80211_vht_capabilities)); 1607 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1608 (u8 *) peer->vht_capabilities, 1609 sizeof(struct ieee80211_vht_capabilities)); 1610 1611 return 0; 1612 } 1613 1614 1615 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1616 struct wpa_tdls_peer *peer) 1617 { 1618 if (!kde->ext_capab) { 1619 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1620 "received"); 1621 return 0; 1622 } 1623 1624 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1625 /* Need to allocate buffer to fit the new information */ 1626 os_free(peer->ext_capab); 1627 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1628 if (peer->ext_capab == NULL) 1629 return -1; 1630 } 1631 1632 peer->ext_capab_len = kde->ext_capab_len - 2; 1633 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1634 1635 return 0; 1636 } 1637 1638 1639 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1640 struct wpa_tdls_peer *peer) 1641 { 1642 struct wmm_information_element *wmm; 1643 1644 if (!kde->wmm) { 1645 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1646 return 0; 1647 } 1648 1649 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1650 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1651 return -1; 1652 } 1653 1654 wmm = (struct wmm_information_element *) kde->wmm; 1655 peer->qos_info = wmm->qos_info; 1656 1657 peer->wmm_capable = 1; 1658 1659 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1660 return 0; 1661 } 1662 1663 1664 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1665 struct wpa_tdls_peer *peer) 1666 { 1667 if (!kde->supp_channels) { 1668 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1669 return 0; 1670 } 1671 1672 if (!peer->supp_channels || 1673 peer->supp_channels_len < kde->supp_channels_len) { 1674 os_free(peer->supp_channels); 1675 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1676 if (peer->supp_channels == NULL) 1677 return -1; 1678 } 1679 1680 peer->supp_channels_len = kde->supp_channels_len; 1681 1682 os_memcpy(peer->supp_channels, kde->supp_channels, 1683 peer->supp_channels_len); 1684 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1685 (u8 *) peer->supp_channels, peer->supp_channels_len); 1686 return 0; 1687 } 1688 1689 1690 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1691 struct wpa_tdls_peer *peer) 1692 { 1693 if (!kde->supp_oper_classes) { 1694 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1695 return 0; 1696 } 1697 1698 if (!peer->supp_oper_classes || 1699 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1700 os_free(peer->supp_oper_classes); 1701 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1702 if (peer->supp_oper_classes == NULL) 1703 return -1; 1704 } 1705 1706 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1707 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1708 peer->supp_oper_classes_len); 1709 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1710 (u8 *) peer->supp_oper_classes, 1711 peer->supp_oper_classes_len); 1712 return 0; 1713 } 1714 1715 1716 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1717 int add) 1718 { 1719 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1720 peer->capability, 1721 peer->supp_rates, peer->supp_rates_len, 1722 peer->ht_capabilities, 1723 peer->vht_capabilities, 1724 peer->qos_info, peer->wmm_capable, 1725 peer->ext_capab, peer->ext_capab_len, 1726 peer->supp_channels, 1727 peer->supp_channels_len, 1728 peer->supp_oper_classes, 1729 peer->supp_oper_classes_len); 1730 } 1731 1732 1733 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1734 const u8 *buf, size_t len) 1735 { 1736 struct wpa_tdls_peer *peer; 1737 struct wpa_eapol_ie_parse kde; 1738 struct wpa_ie_data ie; 1739 int cipher; 1740 const u8 *cpos; 1741 struct wpa_tdls_ftie *ftie = NULL; 1742 struct wpa_tdls_timeoutie *timeoutie; 1743 struct wpa_tdls_lnkid *lnkid; 1744 u32 lifetime = 0; 1745 #if 0 1746 struct rsn_ie_hdr *hdr; 1747 u8 *pos; 1748 u16 rsn_capab; 1749 u16 rsn_ver; 1750 #endif 1751 u8 dtoken; 1752 u16 ielen; 1753 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1754 int tdls_prohibited = sm->tdls_prohibited; 1755 int existing_peer = 0; 1756 1757 if (len < 3 + 3) 1758 return -1; 1759 1760 cpos = buf; 1761 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1762 1763 /* driver had already verified the frame format */ 1764 dtoken = *cpos++; /* dialog token */ 1765 1766 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1767 1768 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1769 if (peer == NULL) 1770 goto error; 1771 1772 /* If found, use existing entry instead of adding a new one; 1773 * how to handle the case where both ends initiate at the 1774 * same time? */ 1775 if (existing_peer) { 1776 if (peer->tpk_success) { 1777 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1778 "direct link is enabled - tear down the " 1779 "old link first"); 1780 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1781 wpa_tdls_peer_clear(sm, peer); 1782 } else if (peer->initiator) { 1783 /* 1784 * An entry is already present, so check if we already 1785 * sent a TDLS Setup Request. If so, compare MAC 1786 * addresses and let the STA with the lower MAC address 1787 * continue as the initiator. The other negotiation is 1788 * terminated. 1789 */ 1790 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1791 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1792 "from peer with higher address " 1793 MACSTR, MAC2STR(src_addr)); 1794 return -1; 1795 } else { 1796 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1797 "from peer with lower address " 1798 MACSTR " (terminate previously " 1799 "initiated negotiation", 1800 MAC2STR(src_addr)); 1801 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1802 peer->addr); 1803 wpa_tdls_peer_clear(sm, peer); 1804 } 1805 } 1806 } 1807 1808 /* capability information */ 1809 peer->capability = WPA_GET_LE16(cpos); 1810 cpos += 2; 1811 1812 ielen = len - (cpos - buf); /* start of IE in buf */ 1813 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) { 1814 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1"); 1815 goto error; 1816 } 1817 1818 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1819 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1820 "TPK M1"); 1821 goto error; 1822 } 1823 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1824 kde.lnkid, kde.lnkid_len); 1825 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1826 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1827 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1828 status = WLAN_STATUS_REQUEST_DECLINED; 1829 goto error; 1830 } 1831 1832 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1833 MAC2STR(src_addr)); 1834 1835 if (copy_supp_rates(&kde, peer) < 0) 1836 goto error; 1837 1838 if (copy_peer_ht_capab(&kde, peer) < 0) 1839 goto error; 1840 1841 if (copy_peer_vht_capab(&kde, peer) < 0) 1842 goto error; 1843 1844 if (copy_peer_ext_capab(&kde, peer) < 0) 1845 goto error; 1846 1847 if (copy_peer_supp_channels(&kde, peer) < 0) 1848 goto error; 1849 1850 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1851 goto error; 1852 1853 peer->qos_info = kde.qosinfo; 1854 1855 /* Overwrite with the qos_info obtained in WMM IE */ 1856 if (copy_peer_wmm_capab(&kde, peer) < 0) 1857 goto error; 1858 1859 peer->aid = kde.aid; 1860 1861 #ifdef CONFIG_TDLS_TESTING 1862 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1863 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1864 if (peer == NULL) 1865 goto error; 1866 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1867 "TDLS setup - send own request"); 1868 peer->initiator = 1; 1869 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1870 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1871 wpa_tdls_send_tpk_m1(sm, peer); 1872 } 1873 1874 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1875 tdls_prohibited) { 1876 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1877 "on TDLS"); 1878 tdls_prohibited = 0; 1879 } 1880 #endif /* CONFIG_TDLS_TESTING */ 1881 1882 if (tdls_prohibited) { 1883 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1884 status = WLAN_STATUS_REQUEST_DECLINED; 1885 goto error; 1886 } 1887 1888 if (!wpa_tdls_get_privacy(sm)) { 1889 if (kde.rsn_ie) { 1890 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1891 "security is disabled"); 1892 status = WLAN_STATUS_SECURITY_DISABLED; 1893 goto error; 1894 } 1895 goto skip_rsn; 1896 } 1897 1898 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1899 kde.rsn_ie == NULL) { 1900 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1901 status = WLAN_STATUS_INVALID_PARAMETERS; 1902 goto error; 1903 } 1904 1905 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1906 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1907 "TPK M1"); 1908 status = WLAN_STATUS_INVALID_RSNIE; 1909 goto error; 1910 } 1911 1912 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1913 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1914 status = WLAN_STATUS_INVALID_RSNIE; 1915 goto error; 1916 } 1917 1918 cipher = ie.pairwise_cipher; 1919 if (cipher & WPA_CIPHER_CCMP) { 1920 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1921 cipher = WPA_CIPHER_CCMP; 1922 } else { 1923 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1924 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1925 goto error; 1926 } 1927 1928 if ((ie.capabilities & 1929 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1930 WPA_CAPABILITY_PEERKEY_ENABLED) { 1931 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1932 "TPK M1"); 1933 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1934 goto error; 1935 } 1936 1937 /* Lifetime */ 1938 if (kde.key_lifetime == NULL) { 1939 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1940 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1941 goto error; 1942 } 1943 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1944 lifetime = WPA_GET_LE32(timeoutie->value); 1945 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1946 if (lifetime < 300) { 1947 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1948 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1949 goto error; 1950 } 1951 1952 skip_rsn: 1953 #ifdef CONFIG_TDLS_TESTING 1954 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1955 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1956 /* 1957 * The request frame from us is going to win, so do not 1958 * replace information based on this request frame from 1959 * the peer. 1960 */ 1961 goto skip_rsn_check; 1962 } 1963 } 1964 #endif /* CONFIG_TDLS_TESTING */ 1965 1966 peer->initiator = 0; /* Need to check */ 1967 peer->dtoken = dtoken; 1968 1969 if (!wpa_tdls_get_privacy(sm)) { 1970 peer->rsnie_i_len = 0; 1971 peer->rsnie_p_len = 0; 1972 peer->cipher = WPA_CIPHER_NONE; 1973 goto skip_rsn_check; 1974 } 1975 1976 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1977 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1978 peer->rsnie_i_len = kde.rsn_ie_len; 1979 peer->cipher = cipher; 1980 1981 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 1982 /* 1983 * There is no point in updating the RNonce for every obtained 1984 * TPK M1 frame (e.g., retransmission due to timeout) with the 1985 * same INonce (SNonce in FTIE). However, if the TPK M1 is 1986 * retransmitted with a different INonce, update the RNonce 1987 * since this is for a new TDLS session. 1988 */ 1989 wpa_printf(MSG_DEBUG, 1990 "TDLS: New TPK M1 INonce - generate new RNonce"); 1991 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 1992 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 1993 wpa_msg(sm->ctx->ctx, MSG_WARNING, 1994 "TDLS: Failed to get random data for responder nonce"); 1995 goto error; 1996 } 1997 } 1998 1999 #if 0 2000 /* get version info from RSNIE received from Peer */ 2001 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2002 rsn_ver = WPA_GET_LE16(hdr->version); 2003 2004 /* use min(peer's version, out version) */ 2005 if (rsn_ver > RSN_VERSION) 2006 rsn_ver = RSN_VERSION; 2007 2008 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2009 2010 hdr->elem_id = WLAN_EID_RSN; 2011 WPA_PUT_LE16(hdr->version, rsn_ver); 2012 pos = (u8 *) (hdr + 1); 2013 2014 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2015 pos += RSN_SELECTOR_LEN; 2016 /* Include only the selected cipher in pairwise cipher suite */ 2017 WPA_PUT_LE16(pos, 1); 2018 pos += 2; 2019 if (cipher == WPA_CIPHER_CCMP) 2020 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2021 pos += RSN_SELECTOR_LEN; 2022 2023 WPA_PUT_LE16(pos, 1); 2024 pos += 2; 2025 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2026 pos += RSN_SELECTOR_LEN; 2027 2028 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2029 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2030 WPA_PUT_LE16(pos, rsn_capab); 2031 pos += 2; 2032 2033 hdr->len = (pos - peer->rsnie_p) - 2; 2034 peer->rsnie_p_len = pos - peer->rsnie_p; 2035 #endif 2036 2037 /* temp fix: validation of RSNIE later */ 2038 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2039 peer->rsnie_p_len = peer->rsnie_i_len; 2040 2041 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2042 peer->rsnie_p, peer->rsnie_p_len); 2043 2044 peer->lifetime = lifetime; 2045 2046 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2047 2048 skip_rsn_check: 2049 #ifdef CONFIG_TDLS_TESTING 2050 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2051 goto skip_add_peer; 2052 #endif /* CONFIG_TDLS_TESTING */ 2053 2054 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2055 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2056 goto error; 2057 2058 #ifdef CONFIG_TDLS_TESTING 2059 skip_add_peer: 2060 #endif /* CONFIG_TDLS_TESTING */ 2061 peer->tpk_in_progress = 1; 2062 2063 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2064 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2065 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2066 goto error; 2067 } 2068 2069 return 0; 2070 2071 error: 2072 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2073 status); 2074 if (peer) 2075 wpa_tdls_peer_free(sm, peer); 2076 return -1; 2077 } 2078 2079 2080 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2081 { 2082 peer->tpk_success = 1; 2083 peer->tpk_in_progress = 0; 2084 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2085 if (wpa_tdls_get_privacy(sm)) { 2086 u32 lifetime = peer->lifetime; 2087 /* 2088 * Start the initiator process a bit earlier to avoid race 2089 * condition with the responder sending teardown request. 2090 */ 2091 if (lifetime > 3 && peer->initiator) 2092 lifetime -= 3; 2093 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2094 sm, peer); 2095 #ifdef CONFIG_TDLS_TESTING 2096 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2097 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2098 "expiration"); 2099 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2100 } 2101 #endif /* CONFIG_TDLS_TESTING */ 2102 } 2103 2104 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2105 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2106 "driver"); 2107 return -1; 2108 } 2109 peer->reconfig_key = 0; 2110 2111 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2112 } 2113 2114 2115 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2116 const u8 *buf, size_t len) 2117 { 2118 struct wpa_tdls_peer *peer; 2119 struct wpa_eapol_ie_parse kde; 2120 struct wpa_ie_data ie; 2121 int cipher; 2122 struct wpa_tdls_ftie *ftie; 2123 struct wpa_tdls_timeoutie *timeoutie; 2124 struct wpa_tdls_lnkid *lnkid; 2125 u32 lifetime; 2126 u8 dtoken; 2127 int ielen; 2128 u16 status; 2129 const u8 *pos; 2130 int ret = 0; 2131 2132 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2133 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2134 for (peer = sm->tdls; peer; peer = peer->next) { 2135 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2136 break; 2137 } 2138 if (peer == NULL) { 2139 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2140 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2141 return -1; 2142 } 2143 if (!peer->initiator) { 2144 /* 2145 * This may happen if both devices try to initiate TDLS at the 2146 * same time and we accept the TPK M1 from the peer in 2147 * wpa_tdls_process_tpk_m1() and clear our previous state. 2148 */ 2149 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2150 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2151 return -1; 2152 } 2153 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2154 2155 if (len < 3 + 2 + 1) { 2156 wpa_tdls_disable_peer_link(sm, peer); 2157 return -1; 2158 } 2159 2160 pos = buf; 2161 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2162 status = WPA_GET_LE16(pos); 2163 pos += 2 /* status code */; 2164 2165 if (status != WLAN_STATUS_SUCCESS) { 2166 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2167 status); 2168 wpa_tdls_disable_peer_link(sm, peer); 2169 return -1; 2170 } 2171 2172 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2173 2174 /* TODO: need to verify dialog token matches here or in kernel */ 2175 dtoken = *pos++; /* dialog token */ 2176 2177 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2178 2179 if (len < 3 + 2 + 1 + 2) { 2180 wpa_tdls_disable_peer_link(sm, peer); 2181 return -1; 2182 } 2183 2184 /* capability information */ 2185 peer->capability = WPA_GET_LE16(pos); 2186 pos += 2; 2187 2188 ielen = len - (pos - buf); /* start of IE in buf */ 2189 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) { 2190 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2"); 2191 goto error; 2192 } 2193 2194 #ifdef CONFIG_TDLS_TESTING 2195 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2196 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2197 status = WLAN_STATUS_REQUEST_DECLINED; 2198 goto error; 2199 } 2200 #endif /* CONFIG_TDLS_TESTING */ 2201 2202 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2203 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2204 "TPK M2"); 2205 goto error; 2206 } 2207 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2208 kde.lnkid, kde.lnkid_len); 2209 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2210 2211 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2212 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2213 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2214 goto error; 2215 } 2216 2217 if (copy_supp_rates(&kde, peer) < 0) 2218 goto error; 2219 2220 if (copy_peer_ht_capab(&kde, peer) < 0) 2221 goto error; 2222 2223 if (copy_peer_vht_capab(&kde, peer) < 0) 2224 goto error; 2225 2226 if (copy_peer_ext_capab(&kde, peer) < 0) 2227 goto error; 2228 2229 if (copy_peer_supp_channels(&kde, peer) < 0) 2230 goto error; 2231 2232 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2233 goto error; 2234 2235 peer->qos_info = kde.qosinfo; 2236 2237 /* Overwrite with the qos_info obtained in WMM IE */ 2238 if (copy_peer_wmm_capab(&kde, peer) < 0) 2239 goto error; 2240 2241 peer->aid = kde.aid; 2242 2243 if (!wpa_tdls_get_privacy(sm)) { 2244 peer->rsnie_p_len = 0; 2245 peer->cipher = WPA_CIPHER_NONE; 2246 goto skip_rsn; 2247 } 2248 2249 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2250 kde.rsn_ie == NULL) { 2251 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2252 status = WLAN_STATUS_INVALID_PARAMETERS; 2253 goto error; 2254 } 2255 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2256 kde.rsn_ie, kde.rsn_ie_len); 2257 2258 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2259 wpa_printf(MSG_INFO, 2260 "TDLS: Too long Responder RSN IE in TPK M2"); 2261 status = WLAN_STATUS_INVALID_RSNIE; 2262 goto error; 2263 } 2264 2265 /* 2266 * FIX: bitwise comparison of RSN IE is not the correct way of 2267 * validation this. It can be different, but certain fields must 2268 * match. Since we list only a single pairwise cipher in TPK M1, the 2269 * memcmp is likely to work in most cases, though. 2270 */ 2271 if (kde.rsn_ie_len != peer->rsnie_i_len || 2272 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2273 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2274 "not match with RSN IE used in TPK M1"); 2275 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2276 peer->rsnie_i, peer->rsnie_i_len); 2277 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2278 kde.rsn_ie, kde.rsn_ie_len); 2279 status = WLAN_STATUS_INVALID_RSNIE; 2280 goto error; 2281 } 2282 2283 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2284 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2285 status = WLAN_STATUS_INVALID_RSNIE; 2286 goto error; 2287 } 2288 2289 cipher = ie.pairwise_cipher; 2290 if (cipher == WPA_CIPHER_CCMP) { 2291 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2292 cipher = WPA_CIPHER_CCMP; 2293 } else { 2294 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2295 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2296 goto error; 2297 } 2298 2299 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2300 kde.ftie, sizeof(*ftie)); 2301 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2302 2303 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2304 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2305 "not match with FTIE SNonce used in TPK M1"); 2306 /* Silently discard the frame */ 2307 return -1; 2308 } 2309 2310 /* Responder Nonce and RSN IE */ 2311 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2312 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2313 peer->rsnie_p_len = kde.rsn_ie_len; 2314 peer->cipher = cipher; 2315 2316 /* Lifetime */ 2317 if (kde.key_lifetime == NULL) { 2318 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2319 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2320 goto error; 2321 } 2322 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2323 lifetime = WPA_GET_LE32(timeoutie->value); 2324 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2325 lifetime); 2326 if (lifetime != peer->lifetime) { 2327 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2328 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2329 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2330 goto error; 2331 } 2332 2333 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2334 2335 /* Process MIC check to see if TPK M2 is right */ 2336 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2337 (u8 *) timeoutie, ftie) < 0) { 2338 /* Discard the frame */ 2339 wpa_tdls_del_key(sm, peer); 2340 wpa_tdls_disable_peer_link(sm, peer); 2341 return -1; 2342 } 2343 2344 if (wpa_tdls_set_key(sm, peer) < 0) { 2345 /* 2346 * Some drivers may not be able to config the key prior to full 2347 * STA entry having been configured. 2348 */ 2349 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2350 "STA entry is complete"); 2351 peer->reconfig_key = 1; 2352 } 2353 2354 skip_rsn: 2355 peer->dtoken = dtoken; 2356 2357 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2358 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2359 goto error; 2360 2361 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2362 "TPK Handshake Message 3"); 2363 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2364 goto error; 2365 2366 if (!peer->tpk_success) { 2367 /* 2368 * Enable Link only when tpk_success is 0, signifying that this 2369 * processing of TPK M2 frame is not because of a retransmission 2370 * during TDLS setup handshake. 2371 */ 2372 ret = wpa_tdls_enable_link(sm, peer); 2373 if (ret < 0) { 2374 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2375 wpa_tdls_do_teardown( 2376 sm, peer, 2377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2378 } 2379 } 2380 return ret; 2381 2382 error: 2383 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2384 status); 2385 wpa_tdls_disable_peer_link(sm, peer); 2386 return -1; 2387 } 2388 2389 2390 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2391 const u8 *buf, size_t len) 2392 { 2393 struct wpa_tdls_peer *peer; 2394 struct wpa_eapol_ie_parse kde; 2395 struct wpa_tdls_ftie *ftie; 2396 struct wpa_tdls_timeoutie *timeoutie; 2397 struct wpa_tdls_lnkid *lnkid; 2398 int ielen; 2399 u16 status; 2400 const u8 *pos; 2401 u32 lifetime; 2402 int ret = 0; 2403 2404 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2405 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2406 for (peer = sm->tdls; peer; peer = peer->next) { 2407 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2408 break; 2409 } 2410 if (peer == NULL) { 2411 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2412 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2413 return -1; 2414 } 2415 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2416 2417 if (len < 3 + 3) 2418 goto error; 2419 pos = buf; 2420 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2421 2422 status = WPA_GET_LE16(pos); 2423 2424 if (status != 0) { 2425 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2426 status); 2427 goto error; 2428 } 2429 pos += 2 /* status code */ + 1 /* dialog token */; 2430 2431 ielen = len - (pos - buf); /* start of IE in buf */ 2432 2433 /* 2434 * Don't reject the message if failing to parse IEs. The IEs we need are 2435 * explicitly checked below. Some APs piggy-back broken IEs to the end 2436 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2437 * this error. 2438 */ 2439 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2440 wpa_printf(MSG_DEBUG, 2441 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2442 } 2443 2444 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2445 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2446 goto error; 2447 } 2448 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2449 (u8 *) kde.lnkid, kde.lnkid_len); 2450 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2451 2452 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2453 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2454 goto error; 2455 } 2456 2457 if (!wpa_tdls_get_privacy(sm)) 2458 goto skip_rsn; 2459 2460 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2461 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2462 goto error; 2463 } 2464 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2465 kde.ftie, sizeof(*ftie)); 2466 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2467 2468 if (kde.rsn_ie == NULL) { 2469 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2470 goto error; 2471 } 2472 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2473 kde.rsn_ie, kde.rsn_ie_len); 2474 if (kde.rsn_ie_len != peer->rsnie_p_len || 2475 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2476 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2477 "with the one sent in TPK M2"); 2478 goto error; 2479 } 2480 2481 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2482 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2483 "not match with FTIE ANonce used in TPK M2"); 2484 goto error; 2485 } 2486 2487 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2488 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2489 "match with FTIE SNonce used in TPK M1"); 2490 goto error; 2491 } 2492 2493 if (kde.key_lifetime == NULL) { 2494 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2495 goto error; 2496 } 2497 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2498 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2499 (u8 *) timeoutie, sizeof(*timeoutie)); 2500 lifetime = WPA_GET_LE32(timeoutie->value); 2501 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2502 lifetime); 2503 if (lifetime != peer->lifetime) { 2504 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2505 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2506 goto error; 2507 } 2508 2509 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2510 (u8 *) timeoutie, ftie) < 0) { 2511 wpa_tdls_del_key(sm, peer); 2512 goto error; 2513 } 2514 2515 if (wpa_tdls_set_key(sm, peer) < 0) { 2516 /* 2517 * Some drivers may not be able to config the key prior to full 2518 * STA entry having been configured. 2519 */ 2520 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2521 "STA entry is complete"); 2522 peer->reconfig_key = 1; 2523 } 2524 2525 skip_rsn: 2526 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2527 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2528 goto error; 2529 2530 if (!peer->tpk_success) { 2531 /* 2532 * Enable Link only when tpk_success is 0, signifying that this 2533 * processing of TPK M3 frame is not because of a retransmission 2534 * during TDLS setup handshake. 2535 */ 2536 ret = wpa_tdls_enable_link(sm, peer); 2537 if (ret < 0) { 2538 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2539 goto error; 2540 } 2541 } 2542 return ret; 2543 error: 2544 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2545 return -1; 2546 } 2547 2548 2549 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2550 { 2551 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2552 2553 os_memset(lifetime, 0, ie_len); 2554 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2555 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2556 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2557 WPA_PUT_LE32(lifetime->value, tsecs); 2558 os_memcpy(pos, ie, ie_len); 2559 return pos + ie_len; 2560 } 2561 2562 2563 /** 2564 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2565 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2566 * @peer: MAC address of the peer STA 2567 * Returns: 0 on success, or -1 on failure 2568 * 2569 * Send TPK Handshake Message 1 info to driver to start TDLS 2570 * handshake with the peer. 2571 */ 2572 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2573 { 2574 struct wpa_tdls_peer *peer; 2575 int tdls_prohibited = sm->tdls_prohibited; 2576 2577 if (sm->tdls_disabled || !sm->tdls_supported) 2578 return -1; 2579 2580 #ifdef CONFIG_TDLS_TESTING 2581 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2582 tdls_prohibited) { 2583 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2584 "on TDLS"); 2585 tdls_prohibited = 0; 2586 } 2587 #endif /* CONFIG_TDLS_TESTING */ 2588 2589 if (tdls_prohibited) { 2590 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2591 "reject request to start setup"); 2592 return -1; 2593 } 2594 2595 peer = wpa_tdls_add_peer(sm, addr, NULL); 2596 if (peer == NULL) 2597 return -1; 2598 2599 if (peer->tpk_in_progress) { 2600 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2601 return 0; 2602 } 2603 2604 peer->initiator = 1; 2605 2606 /* add the peer to the driver as a "setup in progress" peer */ 2607 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2608 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2609 wpa_tdls_disable_peer_link(sm, peer); 2610 return -1; 2611 } 2612 2613 peer->tpk_in_progress = 1; 2614 2615 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2616 wpa_tdls_disable_peer_link(sm, peer); 2617 return -1; 2618 } 2619 2620 return 0; 2621 } 2622 2623 2624 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2625 { 2626 struct wpa_tdls_peer *peer; 2627 2628 if (sm->tdls_disabled || !sm->tdls_supported) 2629 return; 2630 2631 for (peer = sm->tdls; peer; peer = peer->next) { 2632 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2633 break; 2634 } 2635 2636 if (peer == NULL || !peer->tpk_success) 2637 return; 2638 2639 if (sm->tdls_external_setup) { 2640 /* 2641 * Disable previous link to allow renegotiation to be completed 2642 * on AP path. 2643 */ 2644 wpa_tdls_do_teardown(sm, peer, 2645 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2646 } 2647 } 2648 2649 2650 /** 2651 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2652 * 2653 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2654 */ 2655 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2656 const u8 *buf, size_t len) 2657 { 2658 struct wpa_sm *sm = ctx; 2659 struct wpa_tdls_frame *tf; 2660 2661 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2662 buf, len); 2663 2664 if (sm->tdls_disabled || !sm->tdls_supported) { 2665 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2666 "or unsupported by driver"); 2667 return; 2668 } 2669 2670 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2671 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2672 return; 2673 } 2674 2675 if (len < sizeof(*tf)) { 2676 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2677 return; 2678 } 2679 2680 /* Check to make sure its a valid encapsulated TDLS frame */ 2681 tf = (struct wpa_tdls_frame *) buf; 2682 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2683 tf->category != WLAN_ACTION_TDLS) { 2684 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2685 "category=%u action=%u", 2686 tf->payloadtype, tf->category, tf->action); 2687 return; 2688 } 2689 2690 switch (tf->action) { 2691 case WLAN_TDLS_SETUP_REQUEST: 2692 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2693 break; 2694 case WLAN_TDLS_SETUP_RESPONSE: 2695 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2696 break; 2697 case WLAN_TDLS_SETUP_CONFIRM: 2698 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2699 break; 2700 case WLAN_TDLS_TEARDOWN: 2701 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2702 break; 2703 case WLAN_TDLS_DISCOVERY_REQUEST: 2704 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2705 break; 2706 default: 2707 /* Kernel code will process remaining frames */ 2708 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2709 tf->action); 2710 break; 2711 } 2712 } 2713 2714 2715 /** 2716 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2717 * @wpa_s: Pointer to wpa_supplicant data 2718 * Returns: 0 on success, -1 on failure 2719 * 2720 * This function is called to initialize driver interface parameters for TDLS. 2721 * wpa_drv_init() must have been called before this function to initialize the 2722 * driver interface. 2723 */ 2724 int wpa_tdls_init(struct wpa_sm *sm) 2725 { 2726 if (sm == NULL) 2727 return -1; 2728 2729 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2730 sm->ifname, 2731 sm->own_addr, 2732 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2733 sm, 0); 2734 if (sm->l2_tdls == NULL) { 2735 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2736 "connection"); 2737 return -1; 2738 } 2739 2740 /* 2741 * Drivers that support TDLS but don't implement the get_capa callback 2742 * are assumed to perform everything internally 2743 */ 2744 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2745 &sm->tdls_external_setup) < 0) { 2746 sm->tdls_supported = 1; 2747 sm->tdls_external_setup = 0; 2748 } 2749 2750 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2751 "driver", sm->tdls_supported ? "" : " not"); 2752 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2753 sm->tdls_external_setup ? "external" : "internal"); 2754 2755 return 0; 2756 } 2757 2758 2759 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2760 { 2761 struct wpa_tdls_peer *peer, *tmp; 2762 2763 peer = sm->tdls; 2764 2765 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2766 2767 while (peer) { 2768 tmp = peer->next; 2769 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2770 MAC2STR(peer->addr)); 2771 if (sm->tdls_external_setup) 2772 wpa_tdls_do_teardown(sm, peer, 2773 WLAN_REASON_DEAUTH_LEAVING); 2774 else 2775 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2776 2777 peer = tmp; 2778 } 2779 } 2780 2781 2782 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2783 { 2784 struct wpa_tdls_peer *peer, *tmp; 2785 2786 peer = sm->tdls; 2787 2788 while (peer) { 2789 int res; 2790 tmp = peer->next; 2791 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2792 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2793 MAC2STR(peer->addr), res); 2794 wpa_tdls_peer_free(sm, peer); 2795 peer = tmp; 2796 } 2797 } 2798 2799 2800 /** 2801 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2802 * 2803 * This function is called to recover driver interface parameters for TDLS 2804 * and frees resources allocated for it. 2805 */ 2806 void wpa_tdls_deinit(struct wpa_sm *sm) 2807 { 2808 if (sm == NULL) 2809 return; 2810 2811 if (sm->l2_tdls) 2812 l2_packet_deinit(sm->l2_tdls); 2813 sm->l2_tdls = NULL; 2814 2815 wpa_tdls_remove_peers(sm); 2816 } 2817 2818 2819 void wpa_tdls_assoc(struct wpa_sm *sm) 2820 { 2821 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2822 wpa_tdls_remove_peers(sm); 2823 } 2824 2825 2826 void wpa_tdls_disassoc(struct wpa_sm *sm) 2827 { 2828 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2829 wpa_tdls_remove_peers(sm); 2830 } 2831 2832 2833 static int wpa_tdls_prohibited(const u8 *ies, size_t len) 2834 { 2835 struct wpa_eapol_ie_parse elems; 2836 2837 if (ies == NULL) 2838 return 0; 2839 2840 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0) 2841 return 0; 2842 2843 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2844 return 0; 2845 2846 /* bit 38 - TDLS Prohibited */ 2847 return !!(elems.ext_capab[2 + 4] & 0x40); 2848 } 2849 2850 2851 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2852 { 2853 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len); 2854 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2855 sm->tdls_prohibited ? "prohibited" : "allowed"); 2856 } 2857 2858 2859 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2860 { 2861 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) { 2862 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2863 "(Re)Association Response IEs"); 2864 sm->tdls_prohibited = 1; 2865 } 2866 } 2867 2868 2869 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2870 { 2871 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2872 sm->tdls_disabled = !enabled; 2873 } 2874 2875 2876 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2877 { 2878 return sm->tdls_external_setup; 2879 } 2880
