1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tpk_success; 116 int tpk_in_progress; 117 118 struct tpk_timer { 119 u8 dest[ETH_ALEN]; 120 int count; /* Retry Count */ 121 int timer; /* Timeout in milliseconds */ 122 u8 action_code; /* TDLS frame type */ 123 u8 dialog_token; 124 u16 status_code; 125 u32 peer_capab; 126 int buf_len; /* length of TPK message for retransmission */ 127 u8 *buf; /* buffer for TPK message */ 128 } sm_tmr; 129 130 u16 capability; 131 132 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 133 size_t supp_rates_len; 134 135 struct ieee80211_ht_capabilities *ht_capabilities; 136 struct ieee80211_vht_capabilities *vht_capabilities; 137 138 u8 qos_info; 139 140 u16 aid; 141 142 u8 *ext_capab; 143 size_t ext_capab_len; 144 145 u8 *supp_channels; 146 size_t supp_channels_len; 147 148 u8 *supp_oper_classes; 149 size_t supp_oper_classes_len; 150 151 u8 wmm_capable; 152 153 /* channel switch currently enabled */ 154 int chan_switch_enabled; 155 }; 156 157 158 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 159 { 160 /* 161 * Get info needed from supplicant to check if the current BSS supports 162 * security. Other than OPEN mode, rest are considered secured 163 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 164 */ 165 return sm->pairwise_cipher != WPA_CIPHER_NONE; 166 } 167 168 169 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 170 { 171 os_memcpy(pos, ie, ie_len); 172 return pos + ie_len; 173 } 174 175 176 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 177 { 178 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 179 0, 0, NULL, 0, NULL, 0) < 0) { 180 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 181 "the driver"); 182 return -1; 183 } 184 185 return 0; 186 } 187 188 189 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 190 { 191 u8 key_len; 192 u8 rsc[6]; 193 enum wpa_alg alg; 194 195 os_memset(rsc, 0, 6); 196 197 switch (peer->cipher) { 198 case WPA_CIPHER_CCMP: 199 alg = WPA_ALG_CCMP; 200 key_len = 16; 201 break; 202 case WPA_CIPHER_NONE: 203 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 204 "NONE - do not use pairwise keys"); 205 return -1; 206 default: 207 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 208 sm->pairwise_cipher); 209 return -1; 210 } 211 212 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 213 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 214 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 215 "driver"); 216 return -1; 217 } 218 return 0; 219 } 220 221 222 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 223 u8 action_code, u8 dialog_token, 224 u16 status_code, u32 peer_capab, 225 int initiator, const u8 *buf, size_t len) 226 { 227 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 228 status_code, peer_capab, initiator, buf, 229 len); 230 } 231 232 233 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 234 u8 dialog_token, u16 status_code, u32 peer_capab, 235 int initiator, const u8 *msg, size_t msg_len) 236 { 237 struct wpa_tdls_peer *peer; 238 239 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 240 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 241 "msg_len=%u", 242 MAC2STR(dest), action_code, dialog_token, status_code, 243 peer_capab, initiator, (unsigned int) msg_len); 244 245 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 246 status_code, peer_capab, initiator, msg, 247 msg_len)) { 248 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 249 "(action_code=%u)", action_code); 250 return -1; 251 } 252 253 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 254 action_code == WLAN_TDLS_TEARDOWN || 255 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 256 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 257 return 0; /* No retries */ 258 259 for (peer = sm->tdls; peer; peer = peer->next) { 260 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 261 break; 262 } 263 264 if (peer == NULL) { 265 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 266 "retry " MACSTR, MAC2STR(dest)); 267 return 0; 268 } 269 270 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 271 272 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 273 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 274 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 275 } else { 276 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 277 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 278 } 279 280 /* Copy message to resend on timeout */ 281 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 282 peer->sm_tmr.action_code = action_code; 283 peer->sm_tmr.dialog_token = dialog_token; 284 peer->sm_tmr.status_code = status_code; 285 peer->sm_tmr.peer_capab = peer_capab; 286 peer->sm_tmr.buf_len = msg_len; 287 os_free(peer->sm_tmr.buf); 288 peer->sm_tmr.buf = os_malloc(msg_len); 289 if (peer->sm_tmr.buf == NULL) 290 return -1; 291 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 292 293 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 294 "(action_code=%u)", action_code); 295 eloop_register_timeout(peer->sm_tmr.timer / 1000, 296 (peer->sm_tmr.timer % 1000) * 1000, 297 wpa_tdls_tpk_retry_timeout, sm, peer); 298 return 0; 299 } 300 301 302 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 303 u16 reason_code) 304 { 305 int ret; 306 307 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 308 /* disable the link after teardown was sent */ 309 wpa_tdls_disable_peer_link(sm, peer); 310 311 return ret; 312 } 313 314 315 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 316 { 317 318 struct wpa_sm *sm = eloop_ctx; 319 struct wpa_tdls_peer *peer = timeout_ctx; 320 321 if (peer->sm_tmr.count) { 322 peer->sm_tmr.count--; 323 324 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 325 "(action_code=%u)", 326 peer->sm_tmr.action_code); 327 328 if (peer->sm_tmr.buf == NULL) { 329 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 330 "for action_code=%u", 331 peer->sm_tmr.action_code); 332 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 333 peer); 334 return; 335 } 336 337 /* resend TPK Handshake Message to Peer */ 338 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 339 peer->sm_tmr.action_code, 340 peer->sm_tmr.dialog_token, 341 peer->sm_tmr.status_code, 342 peer->sm_tmr.peer_capab, 343 peer->initiator, 344 peer->sm_tmr.buf, 345 peer->sm_tmr.buf_len)) { 346 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 347 "transmission"); 348 } 349 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 351 eloop_register_timeout(peer->sm_tmr.timer / 1000, 352 (peer->sm_tmr.timer % 1000) * 1000, 353 wpa_tdls_tpk_retry_timeout, sm, peer); 354 } else { 355 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 356 357 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 358 wpa_tdls_do_teardown(sm, peer, 359 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 360 } 361 } 362 363 364 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 365 struct wpa_tdls_peer *peer, 366 u8 action_code) 367 { 368 if (action_code == peer->sm_tmr.action_code) { 369 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 370 "action_code=%u", action_code); 371 372 /* Cancel Timeout registered */ 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 /* free all resources meant for retry */ 376 os_free(peer->sm_tmr.buf); 377 peer->sm_tmr.buf = NULL; 378 379 peer->sm_tmr.count = 0; 380 peer->sm_tmr.timer = 0; 381 peer->sm_tmr.buf_len = 0; 382 peer->sm_tmr.action_code = 0xff; 383 } else { 384 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 385 "(Unknown action_code=%u)", action_code); 386 } 387 } 388 389 390 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 391 const u8 *own_addr, const u8 *bssid) 392 { 393 u8 key_input[SHA256_MAC_LEN]; 394 const u8 *nonce[2]; 395 size_t len[2]; 396 u8 data[3 * ETH_ALEN]; 397 398 /* IEEE Std 802.11z-2010 8.5.9.1: 399 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 400 */ 401 len[0] = WPA_NONCE_LEN; 402 len[1] = WPA_NONCE_LEN; 403 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 404 nonce[0] = peer->inonce; 405 nonce[1] = peer->rnonce; 406 } else { 407 nonce[0] = peer->rnonce; 408 nonce[1] = peer->inonce; 409 } 410 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 411 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 412 sha256_vector(2, nonce, len, key_input); 413 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 414 key_input, SHA256_MAC_LEN); 415 416 /* 417 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 418 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 419 * TODO: is N_KEY really included in KDF Context and if so, in which 420 * presentation format (little endian 16-bit?) is it used? It gets 421 * added by the KDF anyway.. 422 */ 423 424 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 425 os_memcpy(data, own_addr, ETH_ALEN); 426 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 427 } else { 428 os_memcpy(data, peer->addr, ETH_ALEN); 429 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 430 } 431 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 432 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 433 434 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 435 (u8 *) &peer->tpk, sizeof(peer->tpk)); 436 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 437 peer->tpk.kck, sizeof(peer->tpk.kck)); 438 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 439 peer->tpk.tk, sizeof(peer->tpk.tk)); 440 peer->tpk_set = 1; 441 } 442 443 444 /** 445 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 446 * @kck: TPK-KCK 447 * @lnkid: Pointer to the beginning of Link Identifier IE 448 * @rsnie: Pointer to the beginning of RSN IE used for handshake 449 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 450 * @ftie: Pointer to the beginning of FT IE 451 * @mic: Pointer for writing MIC 452 * 453 * Calculate MIC for TDLS frame. 454 */ 455 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 456 const u8 *rsnie, const u8 *timeoutie, 457 const u8 *ftie, u8 *mic) 458 { 459 u8 *buf, *pos; 460 struct wpa_tdls_ftie *_ftie; 461 const struct wpa_tdls_lnkid *_lnkid; 462 int ret; 463 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 464 2 + timeoutie[1] + 2 + ftie[1]; 465 buf = os_zalloc(len); 466 if (!buf) { 467 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 468 return -1; 469 } 470 471 pos = buf; 472 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 473 /* 1) TDLS initiator STA MAC address */ 474 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 475 pos += ETH_ALEN; 476 /* 2) TDLS responder STA MAC address */ 477 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 478 pos += ETH_ALEN; 479 /* 3) Transaction Sequence number */ 480 *pos++ = trans_seq; 481 /* 4) Link Identifier IE */ 482 os_memcpy(pos, lnkid, 2 + lnkid[1]); 483 pos += 2 + lnkid[1]; 484 /* 5) RSN IE */ 485 os_memcpy(pos, rsnie, 2 + rsnie[1]); 486 pos += 2 + rsnie[1]; 487 /* 6) Timeout Interval IE */ 488 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 489 pos += 2 + timeoutie[1]; 490 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 491 os_memcpy(pos, ftie, 2 + ftie[1]); 492 _ftie = (struct wpa_tdls_ftie *) pos; 493 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 494 pos += 2 + ftie[1]; 495 496 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 497 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 498 ret = omac1_aes_128(kck, buf, pos - buf, mic); 499 os_free(buf); 500 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 501 return ret; 502 } 503 504 505 /** 506 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 507 * @kck: TPK-KCK 508 * @trans_seq: Transaction Sequence Number (4 - Teardown) 509 * @rcode: Reason code for Teardown 510 * @dtoken: Dialog Token used for that particular link 511 * @lnkid: Pointer to the beginning of Link Identifier IE 512 * @ftie: Pointer to the beginning of FT IE 513 * @mic: Pointer for writing MIC 514 * 515 * Calculate MIC for TDLS frame. 516 */ 517 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 518 u8 dtoken, const u8 *lnkid, 519 const u8 *ftie, u8 *mic) 520 { 521 u8 *buf, *pos; 522 struct wpa_tdls_ftie *_ftie; 523 int ret; 524 int len; 525 526 if (lnkid == NULL) 527 return -1; 528 529 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 530 sizeof(trans_seq) + 2 + ftie[1]; 531 532 buf = os_zalloc(len); 533 if (!buf) { 534 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 535 return -1; 536 } 537 538 pos = buf; 539 /* 1) Link Identifier IE */ 540 os_memcpy(pos, lnkid, 2 + lnkid[1]); 541 pos += 2 + lnkid[1]; 542 /* 2) Reason Code */ 543 WPA_PUT_LE16(pos, rcode); 544 pos += sizeof(rcode); 545 /* 3) Dialog token */ 546 *pos++ = dtoken; 547 /* 4) Transaction Sequence number */ 548 *pos++ = trans_seq; 549 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 550 os_memcpy(pos, ftie, 2 + ftie[1]); 551 _ftie = (struct wpa_tdls_ftie *) pos; 552 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 553 pos += 2 + ftie[1]; 554 555 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 556 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 557 ret = omac1_aes_128(kck, buf, pos - buf, mic); 558 os_free(buf); 559 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 560 return ret; 561 } 562 563 564 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 565 struct wpa_tdls_peer *peer, 566 const u8 *lnkid, const u8 *timeoutie, 567 const struct wpa_tdls_ftie *ftie) 568 { 569 u8 mic[16]; 570 571 if (peer->tpk_set) { 572 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 573 peer->rsnie_p, timeoutie, (u8 *) ftie, 574 mic); 575 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 576 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 577 "dropping packet"); 578 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 579 ftie->mic, 16); 580 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 581 mic, 16); 582 return -1; 583 } 584 } else { 585 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 586 "TPK not set - dropping packet"); 587 return -1; 588 } 589 return 0; 590 } 591 592 593 static int wpa_supplicant_verify_tdls_mic_teardown( 594 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 595 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 596 { 597 u8 mic[16]; 598 599 if (peer->tpk_set) { 600 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 601 dtoken, lnkid, (u8 *) ftie, mic); 602 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 603 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 604 "dropping packet"); 605 return -1; 606 } 607 } else { 608 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 609 "MIC, TPK not set - dropping packet"); 610 return -1; 611 } 612 return 0; 613 } 614 615 616 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 617 { 618 struct wpa_sm *sm = eloop_ctx; 619 struct wpa_tdls_peer *peer = timeout_ctx; 620 621 /* 622 * On TPK lifetime expiration, we have an option of either tearing down 623 * the direct link or trying to re-initiate it. The selection of what 624 * to do is not strictly speaking controlled by our role in the expired 625 * link, but for now, use that to select whether to renew or tear down 626 * the link. 627 */ 628 629 if (peer->initiator) { 630 u8 addr[ETH_ALEN]; 631 632 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 633 " - try to renew", MAC2STR(peer->addr)); 634 /* cache the peer address before do_teardown */ 635 os_memcpy(addr, peer->addr, ETH_ALEN); 636 wpa_tdls_do_teardown(sm, peer, 637 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 638 wpa_tdls_start(sm, addr); 639 } else { 640 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 641 " - tear down", MAC2STR(peer->addr)); 642 wpa_tdls_do_teardown(sm, peer, 643 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 644 } 645 } 646 647 648 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 649 struct wpa_tdls_peer *peer) 650 { 651 struct wpa_tdls_peer *cur, *prev; 652 653 cur = sm->tdls; 654 prev = NULL; 655 while (cur && cur != peer) { 656 prev = cur; 657 cur = cur->next; 658 } 659 660 if (cur != peer) { 661 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 662 " to remove it from the list", 663 MAC2STR(peer->addr)); 664 return; 665 } 666 667 if (prev) 668 prev->next = peer->next; 669 else 670 sm->tdls = peer->next; 671 } 672 673 674 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 675 { 676 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 677 MAC2STR(peer->addr)); 678 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 679 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 680 peer->reconfig_key = 0; 681 peer->initiator = 0; 682 peer->tpk_in_progress = 0; 683 os_free(peer->sm_tmr.buf); 684 peer->sm_tmr.buf = NULL; 685 os_free(peer->ht_capabilities); 686 peer->ht_capabilities = NULL; 687 os_free(peer->vht_capabilities); 688 peer->vht_capabilities = NULL; 689 os_free(peer->ext_capab); 690 peer->ext_capab = NULL; 691 os_free(peer->supp_channels); 692 peer->supp_channels = NULL; 693 os_free(peer->supp_oper_classes); 694 peer->supp_oper_classes = NULL; 695 peer->rsnie_i_len = peer->rsnie_p_len = 0; 696 peer->cipher = 0; 697 peer->qos_info = 0; 698 peer->wmm_capable = 0; 699 peer->tpk_set = peer->tpk_success = 0; 700 peer->chan_switch_enabled = 0; 701 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 702 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 703 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 704 } 705 706 707 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 708 { 709 wpa_tdls_peer_clear(sm, peer); 710 wpa_tdls_peer_remove_from_list(sm, peer); 711 os_free(peer); 712 } 713 714 715 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 716 struct wpa_tdls_lnkid *lnkid) 717 { 718 lnkid->ie_type = WLAN_EID_LINK_ID; 719 lnkid->ie_len = 3 * ETH_ALEN; 720 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 721 if (peer->initiator) { 722 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 723 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 724 } else { 725 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 726 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 727 } 728 } 729 730 731 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 732 u16 reason_code) 733 { 734 struct wpa_tdls_peer *peer; 735 struct wpa_tdls_ftie *ftie; 736 struct wpa_tdls_lnkid lnkid; 737 u8 dialog_token; 738 u8 *rbuf, *pos; 739 int ielen; 740 741 if (sm->tdls_disabled || !sm->tdls_supported) 742 return -1; 743 744 /* Find the node and free from the list */ 745 for (peer = sm->tdls; peer; peer = peer->next) { 746 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 747 break; 748 } 749 750 if (peer == NULL) { 751 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 752 "Teardown " MACSTR, MAC2STR(addr)); 753 return 0; 754 } 755 756 /* Cancel active channel switch before teardown */ 757 if (peer->chan_switch_enabled) { 758 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 759 " to base channel", MAC2STR(addr)); 760 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 761 } 762 763 dialog_token = peer->dtoken; 764 765 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 766 MAC2STR(addr)); 767 768 ielen = 0; 769 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 770 /* To add FTIE for Teardown request and compute MIC */ 771 ielen += sizeof(*ftie); 772 #ifdef CONFIG_TDLS_TESTING 773 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 774 ielen += 170; 775 #endif /* CONFIG_TDLS_TESTING */ 776 } 777 778 rbuf = os_zalloc(ielen + 1); 779 if (rbuf == NULL) 780 return -1; 781 pos = rbuf; 782 783 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 784 goto skip_ies; 785 786 ftie = (struct wpa_tdls_ftie *) pos; 787 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 788 /* Using the recent nonce which should be for CONFIRM frame */ 789 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 790 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 791 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 792 pos = (u8 *) (ftie + 1); 793 #ifdef CONFIG_TDLS_TESTING 794 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 795 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 796 "FTIE"); 797 ftie->ie_len += 170; 798 *pos++ = 255; /* FTIE subelem */ 799 *pos++ = 168; /* FTIE subelem length */ 800 pos += 168; 801 } 802 #endif /* CONFIG_TDLS_TESTING */ 803 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 804 (u8 *) ftie, pos - (u8 *) ftie); 805 806 /* compute MIC before sending */ 807 wpa_tdls_linkid(sm, peer, &lnkid); 808 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 809 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 810 ftie->mic); 811 812 skip_ies: 813 /* TODO: register for a Timeout handler, if Teardown is not received at 814 * the other end, then try again another time */ 815 816 /* request driver to send Teardown using this FTIE */ 817 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 818 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 819 os_free(rbuf); 820 821 return 0; 822 } 823 824 825 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 826 { 827 struct wpa_tdls_peer *peer; 828 829 if (sm->tdls_disabled || !sm->tdls_supported) 830 return -1; 831 832 for (peer = sm->tdls; peer; peer = peer->next) { 833 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 834 break; 835 } 836 837 if (peer == NULL) { 838 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 839 " for link Teardown", MAC2STR(addr)); 840 return -1; 841 } 842 843 if (!peer->tpk_success) { 844 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 845 " not connected - cannot Teardown link", MAC2STR(addr)); 846 return -1; 847 } 848 849 return wpa_tdls_do_teardown(sm, peer, reason_code); 850 } 851 852 853 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 854 struct wpa_tdls_peer *peer) 855 { 856 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 857 wpa_tdls_peer_free(sm, peer); 858 } 859 860 861 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 862 { 863 struct wpa_tdls_peer *peer; 864 865 for (peer = sm->tdls; peer; peer = peer->next) { 866 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 867 break; 868 } 869 870 if (!peer || !peer->tpk_success) { 871 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 872 " not connected - cannot teardown unreachable link", 873 MAC2STR(addr)); 874 return; 875 } 876 877 if (wpa_tdls_is_external_setup(sm)) { 878 /* 879 * Get us on the base channel, disable the link, send a 880 * teardown packet through the AP, and then reset link data. 881 */ 882 if (peer->chan_switch_enabled) 883 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 884 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 885 wpa_tdls_send_teardown(sm, addr, 886 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 887 wpa_tdls_peer_free(sm, peer); 888 } else { 889 wpa_tdls_disable_peer_link(sm, peer); 890 } 891 } 892 893 894 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 895 { 896 struct wpa_tdls_peer *peer; 897 898 if (sm->tdls_disabled || !sm->tdls_supported) 899 return "disabled"; 900 901 for (peer = sm->tdls; peer; peer = peer->next) { 902 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 903 break; 904 } 905 906 if (peer == NULL) 907 return "peer does not exist"; 908 909 if (!peer->tpk_success) 910 return "peer not connected"; 911 912 return "connected"; 913 } 914 915 916 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 917 const u8 *buf, size_t len) 918 { 919 struct wpa_tdls_peer *peer = NULL; 920 struct wpa_tdls_ftie *ftie; 921 struct wpa_tdls_lnkid *lnkid; 922 struct wpa_eapol_ie_parse kde; 923 u16 reason_code; 924 const u8 *pos; 925 int ielen; 926 927 /* Find the node and free from the list */ 928 for (peer = sm->tdls; peer; peer = peer->next) { 929 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 930 break; 931 } 932 933 if (peer == NULL) { 934 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 935 "Teardown " MACSTR, MAC2STR(src_addr)); 936 return 0; 937 } 938 939 pos = buf; 940 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 941 942 reason_code = WPA_GET_LE16(pos); 943 pos += 2; 944 945 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 946 " (reason code %u)", MAC2STR(src_addr), reason_code); 947 948 ielen = len - (pos - buf); /* start of IE in buf */ 949 950 /* 951 * Don't reject the message if failing to parse IEs. The IEs we need are 952 * explicitly checked below. Some APs may add arbitrary padding to the 953 * end of short TDLS frames and that would look like invalid IEs. 954 */ 955 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 956 wpa_printf(MSG_DEBUG, 957 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 958 959 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 960 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 961 "Teardown"); 962 return -1; 963 } 964 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 965 966 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 967 goto skip_ftie; 968 969 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 970 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 971 return -1; 972 } 973 974 ftie = (struct wpa_tdls_ftie *) kde.ftie; 975 976 /* Process MIC check to see if TDLS Teardown is right */ 977 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 978 peer->dtoken, peer, 979 (u8 *) lnkid, ftie) < 0) { 980 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 981 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 982 return -1; 983 } 984 985 skip_ftie: 986 /* 987 * Request the driver to disable the direct link and clear associated 988 * keys. 989 */ 990 wpa_tdls_disable_peer_link(sm, peer); 991 return 0; 992 } 993 994 995 /** 996 * wpa_tdls_send_error - To send suitable TDLS status response with 997 * appropriate status code mentioning reason for error/failure. 998 * @dst - MAC addr of Peer station 999 * @tdls_action - TDLS frame type for which error code is sent 1000 * @initiator - was this end the initiator of the connection 1001 * @status - status code mentioning reason 1002 */ 1003 1004 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1005 u8 tdls_action, u8 dialog_token, int initiator, 1006 u16 status) 1007 { 1008 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1009 " (action=%u status=%u)", 1010 MAC2STR(dst), tdls_action, status); 1011 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1012 0, initiator, NULL, 0); 1013 } 1014 1015 1016 static struct wpa_tdls_peer * 1017 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1018 { 1019 struct wpa_tdls_peer *peer; 1020 1021 if (existing) 1022 *existing = 0; 1023 for (peer = sm->tdls; peer; peer = peer->next) { 1024 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1025 if (existing) 1026 *existing = 1; 1027 return peer; /* re-use existing entry */ 1028 } 1029 } 1030 1031 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1032 MAC2STR(addr)); 1033 1034 peer = os_zalloc(sizeof(*peer)); 1035 if (peer == NULL) 1036 return NULL; 1037 1038 os_memcpy(peer->addr, addr, ETH_ALEN); 1039 peer->next = sm->tdls; 1040 sm->tdls = peer; 1041 1042 return peer; 1043 } 1044 1045 1046 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1047 struct wpa_tdls_peer *peer) 1048 { 1049 size_t buf_len; 1050 struct wpa_tdls_timeoutie timeoutie; 1051 u16 rsn_capab; 1052 struct wpa_tdls_ftie *ftie; 1053 u8 *rbuf, *pos, *count_pos; 1054 u16 count; 1055 struct rsn_ie_hdr *hdr; 1056 int status; 1057 1058 if (!wpa_tdls_get_privacy(sm)) { 1059 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1060 peer->rsnie_i_len = 0; 1061 goto skip_rsnie; 1062 } 1063 1064 /* 1065 * TPK Handshake Message 1: 1066 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1067 * Timeout Interval IE)) 1068 */ 1069 1070 /* Filling RSN IE */ 1071 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1072 hdr->elem_id = WLAN_EID_RSN; 1073 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1074 1075 pos = (u8 *) (hdr + 1); 1076 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1077 pos += RSN_SELECTOR_LEN; 1078 count_pos = pos; 1079 pos += 2; 1080 1081 count = 0; 1082 1083 /* 1084 * AES-CCMP is the default Encryption preferred for TDLS, so 1085 * RSN IE is filled only with CCMP CIPHER 1086 * Note: TKIP is not used to encrypt TDLS link. 1087 * 1088 * Regardless of the cipher used on the AP connection, select CCMP 1089 * here. 1090 */ 1091 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1092 pos += RSN_SELECTOR_LEN; 1093 count++; 1094 1095 WPA_PUT_LE16(count_pos, count); 1096 1097 WPA_PUT_LE16(pos, 1); 1098 pos += 2; 1099 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1100 pos += RSN_SELECTOR_LEN; 1101 1102 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1103 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1104 #ifdef CONFIG_TDLS_TESTING 1105 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1106 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1107 "testing"); 1108 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1109 } 1110 #endif /* CONFIG_TDLS_TESTING */ 1111 WPA_PUT_LE16(pos, rsn_capab); 1112 pos += 2; 1113 #ifdef CONFIG_TDLS_TESTING 1114 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1115 /* Number of PMKIDs */ 1116 *pos++ = 0x00; 1117 *pos++ = 0x00; 1118 } 1119 #endif /* CONFIG_TDLS_TESTING */ 1120 1121 hdr->len = (pos - peer->rsnie_i) - 2; 1122 peer->rsnie_i_len = pos - peer->rsnie_i; 1123 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1124 peer->rsnie_i, peer->rsnie_i_len); 1125 1126 skip_rsnie: 1127 buf_len = 0; 1128 if (wpa_tdls_get_privacy(sm)) 1129 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1130 sizeof(struct wpa_tdls_timeoutie); 1131 #ifdef CONFIG_TDLS_TESTING 1132 if (wpa_tdls_get_privacy(sm) && 1133 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1134 buf_len += 170; 1135 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1136 buf_len += sizeof(struct wpa_tdls_lnkid); 1137 #endif /* CONFIG_TDLS_TESTING */ 1138 rbuf = os_zalloc(buf_len + 1); 1139 if (rbuf == NULL) { 1140 wpa_tdls_peer_free(sm, peer); 1141 return -1; 1142 } 1143 pos = rbuf; 1144 1145 if (!wpa_tdls_get_privacy(sm)) 1146 goto skip_ies; 1147 1148 /* Initiator RSN IE */ 1149 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1150 1151 ftie = (struct wpa_tdls_ftie *) pos; 1152 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1153 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1154 1155 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1156 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1157 "TDLS: Failed to get random data for initiator Nonce"); 1158 os_free(rbuf); 1159 wpa_tdls_peer_free(sm, peer); 1160 return -1; 1161 } 1162 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1163 peer->inonce, WPA_NONCE_LEN); 1164 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1165 1166 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1167 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1168 1169 pos = (u8 *) (ftie + 1); 1170 1171 #ifdef CONFIG_TDLS_TESTING 1172 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1173 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1174 "FTIE"); 1175 ftie->ie_len += 170; 1176 *pos++ = 255; /* FTIE subelem */ 1177 *pos++ = 168; /* FTIE subelem length */ 1178 pos += 168; 1179 } 1180 #endif /* CONFIG_TDLS_TESTING */ 1181 1182 /* Lifetime */ 1183 peer->lifetime = TPK_LIFETIME; 1184 #ifdef CONFIG_TDLS_TESTING 1185 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1186 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1187 "lifetime"); 1188 peer->lifetime = 301; 1189 } 1190 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1191 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1192 "lifetime"); 1193 peer->lifetime = 0xffffffff; 1194 } 1195 #endif /* CONFIG_TDLS_TESTING */ 1196 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1197 sizeof(timeoutie), peer->lifetime); 1198 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1199 1200 skip_ies: 1201 1202 #ifdef CONFIG_TDLS_TESTING 1203 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1204 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1205 "Link Identifier"); 1206 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1207 wpa_tdls_linkid(sm, peer, l); 1208 l->bssid[5] ^= 0x01; 1209 pos += sizeof(*l); 1210 } 1211 #endif /* CONFIG_TDLS_TESTING */ 1212 1213 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1214 "Handshake Message 1 (peer " MACSTR ")", 1215 MAC2STR(peer->addr)); 1216 1217 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1218 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1219 os_free(rbuf); 1220 1221 return status; 1222 } 1223 1224 1225 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1226 const unsigned char *src_addr, u8 dtoken, 1227 struct wpa_tdls_lnkid *lnkid, 1228 const struct wpa_tdls_peer *peer) 1229 { 1230 u8 *rbuf, *pos; 1231 size_t buf_len; 1232 u32 lifetime; 1233 struct wpa_tdls_timeoutie timeoutie; 1234 struct wpa_tdls_ftie *ftie; 1235 int status; 1236 1237 buf_len = 0; 1238 if (wpa_tdls_get_privacy(sm)) { 1239 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1240 * Lifetime */ 1241 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1242 sizeof(struct wpa_tdls_timeoutie); 1243 #ifdef CONFIG_TDLS_TESTING 1244 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1245 buf_len += 170; 1246 #endif /* CONFIG_TDLS_TESTING */ 1247 } 1248 1249 rbuf = os_zalloc(buf_len + 1); 1250 if (rbuf == NULL) 1251 return -1; 1252 pos = rbuf; 1253 1254 if (!wpa_tdls_get_privacy(sm)) 1255 goto skip_ies; 1256 1257 /* Peer RSN IE */ 1258 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1259 1260 ftie = (struct wpa_tdls_ftie *) pos; 1261 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1262 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1263 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1264 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1265 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1266 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1267 (u8 *) ftie, sizeof(*ftie)); 1268 1269 pos = (u8 *) (ftie + 1); 1270 1271 #ifdef CONFIG_TDLS_TESTING 1272 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1273 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1274 "FTIE"); 1275 ftie->ie_len += 170; 1276 *pos++ = 255; /* FTIE subelem */ 1277 *pos++ = 168; /* FTIE subelem length */ 1278 pos += 168; 1279 } 1280 #endif /* CONFIG_TDLS_TESTING */ 1281 1282 /* Lifetime */ 1283 lifetime = peer->lifetime; 1284 #ifdef CONFIG_TDLS_TESTING 1285 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1286 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1287 "lifetime in response"); 1288 lifetime++; 1289 } 1290 #endif /* CONFIG_TDLS_TESTING */ 1291 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1292 sizeof(timeoutie), lifetime); 1293 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1294 lifetime); 1295 1296 /* compute MIC before sending */ 1297 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1298 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1299 #ifdef CONFIG_TDLS_TESTING 1300 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1301 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1302 ftie->mic[0] ^= 0x01; 1303 } 1304 #endif /* CONFIG_TDLS_TESTING */ 1305 1306 skip_ies: 1307 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1308 dtoken, 0, 0, peer->initiator, rbuf, 1309 pos - rbuf); 1310 os_free(rbuf); 1311 1312 return status; 1313 } 1314 1315 1316 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1317 const unsigned char *src_addr, u8 dtoken, 1318 struct wpa_tdls_lnkid *lnkid, 1319 const struct wpa_tdls_peer *peer) 1320 { 1321 u8 *rbuf, *pos; 1322 size_t buf_len; 1323 struct wpa_tdls_ftie *ftie; 1324 struct wpa_tdls_timeoutie timeoutie; 1325 u32 lifetime; 1326 int status; 1327 u32 peer_capab = 0; 1328 1329 buf_len = 0; 1330 if (wpa_tdls_get_privacy(sm)) { 1331 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1332 * Lifetime */ 1333 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1334 sizeof(struct wpa_tdls_timeoutie); 1335 #ifdef CONFIG_TDLS_TESTING 1336 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1337 buf_len += 170; 1338 #endif /* CONFIG_TDLS_TESTING */ 1339 } 1340 1341 rbuf = os_zalloc(buf_len + 1); 1342 if (rbuf == NULL) 1343 return -1; 1344 pos = rbuf; 1345 1346 if (!wpa_tdls_get_privacy(sm)) 1347 goto skip_ies; 1348 1349 /* Peer RSN IE */ 1350 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1351 1352 ftie = (struct wpa_tdls_ftie *) pos; 1353 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1354 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1355 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1356 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1357 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1358 1359 pos = (u8 *) (ftie + 1); 1360 1361 #ifdef CONFIG_TDLS_TESTING 1362 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1363 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1364 "FTIE"); 1365 ftie->ie_len += 170; 1366 *pos++ = 255; /* FTIE subelem */ 1367 *pos++ = 168; /* FTIE subelem length */ 1368 pos += 168; 1369 } 1370 #endif /* CONFIG_TDLS_TESTING */ 1371 1372 /* Lifetime */ 1373 lifetime = peer->lifetime; 1374 #ifdef CONFIG_TDLS_TESTING 1375 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1376 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1377 "lifetime in confirm"); 1378 lifetime++; 1379 } 1380 #endif /* CONFIG_TDLS_TESTING */ 1381 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1382 sizeof(timeoutie), lifetime); 1383 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1384 lifetime); 1385 1386 /* compute MIC before sending */ 1387 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1388 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1389 #ifdef CONFIG_TDLS_TESTING 1390 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1391 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1392 ftie->mic[0] ^= 0x01; 1393 } 1394 #endif /* CONFIG_TDLS_TESTING */ 1395 1396 skip_ies: 1397 1398 if (peer->vht_capabilities) 1399 peer_capab |= TDLS_PEER_VHT; 1400 if (peer->ht_capabilities) 1401 peer_capab |= TDLS_PEER_HT; 1402 if (peer->wmm_capable) 1403 peer_capab |= TDLS_PEER_WMM; 1404 1405 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1406 dtoken, 0, peer_capab, peer->initiator, 1407 rbuf, pos - rbuf); 1408 os_free(rbuf); 1409 1410 return status; 1411 } 1412 1413 1414 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1415 struct wpa_tdls_peer *peer, 1416 u8 dialog_token) 1417 { 1418 size_t buf_len = 0; 1419 struct wpa_tdls_timeoutie timeoutie; 1420 u16 rsn_capab; 1421 u8 *rbuf, *pos, *count_pos; 1422 u16 count; 1423 struct rsn_ie_hdr *hdr; 1424 int status; 1425 1426 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1427 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1428 if (!wpa_tdls_get_privacy(sm)) 1429 goto skip_rsn_ies; 1430 1431 /* Filling RSN IE */ 1432 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1433 hdr->elem_id = WLAN_EID_RSN; 1434 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1435 pos = (u8 *) (hdr + 1); 1436 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1437 pos += RSN_SELECTOR_LEN; 1438 count_pos = pos; 1439 pos += 2; 1440 count = 0; 1441 1442 /* 1443 * AES-CCMP is the default encryption preferred for TDLS, so 1444 * RSN IE is filled only with CCMP cipher suite. 1445 * Note: TKIP is not used to encrypt TDLS link. 1446 * 1447 * Regardless of the cipher used on the AP connection, select CCMP 1448 * here. 1449 */ 1450 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1451 pos += RSN_SELECTOR_LEN; 1452 count++; 1453 WPA_PUT_LE16(count_pos, count); 1454 WPA_PUT_LE16(pos, 1); 1455 pos += 2; 1456 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1457 pos += RSN_SELECTOR_LEN; 1458 1459 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1460 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1461 WPA_PUT_LE16(pos, rsn_capab); 1462 pos += 2; 1463 hdr->len = (pos - (u8 *) hdr) - 2; 1464 peer->rsnie_i_len = pos - peer->rsnie_i; 1465 1466 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1467 (u8 *) hdr, hdr->len + 2); 1468 skip_rsn_ies: 1469 buf_len = 0; 1470 if (wpa_tdls_get_privacy(sm)) { 1471 /* Peer RSN IE, Lifetime */ 1472 buf_len += peer->rsnie_i_len + 1473 sizeof(struct wpa_tdls_timeoutie); 1474 } 1475 rbuf = os_zalloc(buf_len + 1); 1476 if (rbuf == NULL) { 1477 wpa_tdls_peer_free(sm, peer); 1478 return -1; 1479 } 1480 pos = rbuf; 1481 1482 if (!wpa_tdls_get_privacy(sm)) 1483 goto skip_ies; 1484 /* Initiator RSN IE */ 1485 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1486 /* Lifetime */ 1487 peer->lifetime = TPK_LIFETIME; 1488 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1489 sizeof(timeoutie), peer->lifetime); 1490 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1491 skip_ies: 1492 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1493 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1494 os_free(rbuf); 1495 1496 return status; 1497 } 1498 1499 1500 static int 1501 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1502 const u8 *buf, size_t len) 1503 { 1504 struct wpa_eapol_ie_parse kde; 1505 const struct wpa_tdls_lnkid *lnkid; 1506 struct wpa_tdls_peer *peer; 1507 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1508 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1509 u8 dialog_token; 1510 1511 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1512 MAC2STR(addr)); 1513 1514 if (len < min_req_len) { 1515 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1516 "%d", (int) len); 1517 return -1; 1518 } 1519 1520 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1521 1522 /* 1523 * Some APs will tack on a weird IE to the end of a TDLS 1524 * discovery request packet. This needn't fail the response, 1525 * since the required IE are verified separately. 1526 */ 1527 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1528 len - (sizeof(struct wpa_tdls_frame) + 1), 1529 &kde) < 0) { 1530 wpa_printf(MSG_DEBUG, 1531 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1532 } 1533 1534 if (!kde.lnkid) { 1535 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1536 "Request"); 1537 return -1; 1538 } 1539 1540 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1541 1542 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1543 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1544 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1545 return -1; 1546 } 1547 1548 peer = wpa_tdls_add_peer(sm, addr, NULL); 1549 if (peer == NULL) 1550 return -1; 1551 1552 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1553 } 1554 1555 1556 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1557 { 1558 if (sm->tdls_disabled || !sm->tdls_supported) 1559 return -1; 1560 1561 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1562 MACSTR, MAC2STR(addr)); 1563 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1564 1, 0, 0, 1, NULL, 0); 1565 } 1566 1567 1568 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1569 struct wpa_tdls_peer *peer) 1570 { 1571 if (!kde->supp_rates) { 1572 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1573 return -1; 1574 } 1575 peer->supp_rates_len = merge_byte_arrays( 1576 peer->supp_rates, sizeof(peer->supp_rates), 1577 kde->supp_rates + 2, kde->supp_rates_len - 2, 1578 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1579 kde->ext_supp_rates_len - 2); 1580 return 0; 1581 } 1582 1583 1584 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1585 struct wpa_tdls_peer *peer) 1586 { 1587 if (!kde->ht_capabilities) { 1588 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1589 "received"); 1590 return 0; 1591 } 1592 1593 if (!peer->ht_capabilities) { 1594 peer->ht_capabilities = 1595 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1596 if (peer->ht_capabilities == NULL) 1597 return -1; 1598 } 1599 1600 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1601 sizeof(struct ieee80211_ht_capabilities)); 1602 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1603 (u8 *) peer->ht_capabilities, 1604 sizeof(struct ieee80211_ht_capabilities)); 1605 1606 return 0; 1607 } 1608 1609 1610 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1611 struct wpa_tdls_peer *peer) 1612 { 1613 if (!kde->vht_capabilities) { 1614 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1615 "received"); 1616 return 0; 1617 } 1618 1619 if (!peer->vht_capabilities) { 1620 peer->vht_capabilities = 1621 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1622 if (peer->vht_capabilities == NULL) 1623 return -1; 1624 } 1625 1626 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1627 sizeof(struct ieee80211_vht_capabilities)); 1628 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1629 (u8 *) peer->vht_capabilities, 1630 sizeof(struct ieee80211_vht_capabilities)); 1631 1632 return 0; 1633 } 1634 1635 1636 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1637 struct wpa_tdls_peer *peer) 1638 { 1639 if (!kde->ext_capab) { 1640 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1641 "received"); 1642 return 0; 1643 } 1644 1645 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1646 /* Need to allocate buffer to fit the new information */ 1647 os_free(peer->ext_capab); 1648 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1649 if (peer->ext_capab == NULL) 1650 return -1; 1651 } 1652 1653 peer->ext_capab_len = kde->ext_capab_len - 2; 1654 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1655 1656 return 0; 1657 } 1658 1659 1660 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1661 struct wpa_tdls_peer *peer) 1662 { 1663 struct wmm_information_element *wmm; 1664 1665 if (!kde->wmm) { 1666 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1667 return 0; 1668 } 1669 1670 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1671 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1672 return -1; 1673 } 1674 1675 wmm = (struct wmm_information_element *) kde->wmm; 1676 peer->qos_info = wmm->qos_info; 1677 1678 peer->wmm_capable = 1; 1679 1680 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1681 return 0; 1682 } 1683 1684 1685 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1686 struct wpa_tdls_peer *peer) 1687 { 1688 if (!kde->supp_channels) { 1689 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1690 return 0; 1691 } 1692 1693 if (!peer->supp_channels || 1694 peer->supp_channels_len < kde->supp_channels_len) { 1695 os_free(peer->supp_channels); 1696 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1697 if (peer->supp_channels == NULL) 1698 return -1; 1699 } 1700 1701 peer->supp_channels_len = kde->supp_channels_len; 1702 1703 os_memcpy(peer->supp_channels, kde->supp_channels, 1704 peer->supp_channels_len); 1705 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1706 (u8 *) peer->supp_channels, peer->supp_channels_len); 1707 return 0; 1708 } 1709 1710 1711 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1712 struct wpa_tdls_peer *peer) 1713 { 1714 if (!kde->supp_oper_classes) { 1715 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1716 return 0; 1717 } 1718 1719 if (!peer->supp_oper_classes || 1720 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1721 os_free(peer->supp_oper_classes); 1722 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1723 if (peer->supp_oper_classes == NULL) 1724 return -1; 1725 } 1726 1727 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1728 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1729 peer->supp_oper_classes_len); 1730 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1731 (u8 *) peer->supp_oper_classes, 1732 peer->supp_oper_classes_len); 1733 return 0; 1734 } 1735 1736 1737 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1738 int add) 1739 { 1740 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1741 peer->capability, 1742 peer->supp_rates, peer->supp_rates_len, 1743 peer->ht_capabilities, 1744 peer->vht_capabilities, 1745 peer->qos_info, peer->wmm_capable, 1746 peer->ext_capab, peer->ext_capab_len, 1747 peer->supp_channels, 1748 peer->supp_channels_len, 1749 peer->supp_oper_classes, 1750 peer->supp_oper_classes_len); 1751 } 1752 1753 1754 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1755 const u8 *buf, size_t len) 1756 { 1757 struct wpa_tdls_peer *peer; 1758 struct wpa_eapol_ie_parse kde; 1759 struct wpa_ie_data ie; 1760 int cipher; 1761 const u8 *cpos; 1762 struct wpa_tdls_ftie *ftie = NULL; 1763 struct wpa_tdls_timeoutie *timeoutie; 1764 struct wpa_tdls_lnkid *lnkid; 1765 u32 lifetime = 0; 1766 #if 0 1767 struct rsn_ie_hdr *hdr; 1768 u8 *pos; 1769 u16 rsn_capab; 1770 u16 rsn_ver; 1771 #endif 1772 u8 dtoken; 1773 u16 ielen; 1774 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1775 int tdls_prohibited = sm->tdls_prohibited; 1776 int existing_peer = 0; 1777 1778 if (len < 3 + 3) 1779 return -1; 1780 1781 cpos = buf; 1782 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1783 1784 /* driver had already verified the frame format */ 1785 dtoken = *cpos++; /* dialog token */ 1786 1787 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1788 1789 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1790 if (peer == NULL) 1791 goto error; 1792 1793 /* If found, use existing entry instead of adding a new one; 1794 * how to handle the case where both ends initiate at the 1795 * same time? */ 1796 if (existing_peer) { 1797 if (peer->tpk_success) { 1798 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1799 "direct link is enabled - tear down the " 1800 "old link first"); 1801 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1802 wpa_tdls_peer_clear(sm, peer); 1803 } else if (peer->initiator) { 1804 /* 1805 * An entry is already present, so check if we already 1806 * sent a TDLS Setup Request. If so, compare MAC 1807 * addresses and let the STA with the lower MAC address 1808 * continue as the initiator. The other negotiation is 1809 * terminated. 1810 */ 1811 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1812 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1813 "from peer with higher address " 1814 MACSTR, MAC2STR(src_addr)); 1815 return -1; 1816 } else { 1817 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1818 "from peer with lower address " 1819 MACSTR " (terminate previously " 1820 "initiated negotiation", 1821 MAC2STR(src_addr)); 1822 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1823 peer->addr); 1824 wpa_tdls_peer_clear(sm, peer); 1825 } 1826 } 1827 } 1828 1829 /* capability information */ 1830 peer->capability = WPA_GET_LE16(cpos); 1831 cpos += 2; 1832 1833 ielen = len - (cpos - buf); /* start of IE in buf */ 1834 1835 /* 1836 * Don't reject the message if failing to parse IEs. The IEs we need are 1837 * explicitly checked below. Some APs may add arbitrary padding to the 1838 * end of short TDLS frames and that would look like invalid IEs. 1839 */ 1840 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1841 wpa_printf(MSG_DEBUG, 1842 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1843 1844 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1845 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1846 "TPK M1"); 1847 goto error; 1848 } 1849 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1850 kde.lnkid, kde.lnkid_len); 1851 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1852 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1853 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1854 status = WLAN_STATUS_REQUEST_DECLINED; 1855 goto error; 1856 } 1857 1858 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1859 MAC2STR(src_addr)); 1860 1861 if (copy_supp_rates(&kde, peer) < 0) 1862 goto error; 1863 1864 if (copy_peer_ht_capab(&kde, peer) < 0) 1865 goto error; 1866 1867 if (copy_peer_vht_capab(&kde, peer) < 0) 1868 goto error; 1869 1870 if (copy_peer_ext_capab(&kde, peer) < 0) 1871 goto error; 1872 1873 if (copy_peer_supp_channels(&kde, peer) < 0) 1874 goto error; 1875 1876 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1877 goto error; 1878 1879 peer->qos_info = kde.qosinfo; 1880 1881 /* Overwrite with the qos_info obtained in WMM IE */ 1882 if (copy_peer_wmm_capab(&kde, peer) < 0) 1883 goto error; 1884 1885 peer->aid = kde.aid; 1886 1887 #ifdef CONFIG_TDLS_TESTING 1888 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1889 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1890 if (peer == NULL) 1891 goto error; 1892 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1893 "TDLS setup - send own request"); 1894 peer->initiator = 1; 1895 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1896 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1897 wpa_tdls_send_tpk_m1(sm, peer); 1898 } 1899 1900 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1901 tdls_prohibited) { 1902 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1903 "on TDLS"); 1904 tdls_prohibited = 0; 1905 } 1906 #endif /* CONFIG_TDLS_TESTING */ 1907 1908 if (tdls_prohibited) { 1909 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1910 status = WLAN_STATUS_REQUEST_DECLINED; 1911 goto error; 1912 } 1913 1914 if (!wpa_tdls_get_privacy(sm)) { 1915 if (kde.rsn_ie) { 1916 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1917 "security is disabled"); 1918 status = WLAN_STATUS_SECURITY_DISABLED; 1919 goto error; 1920 } 1921 goto skip_rsn; 1922 } 1923 1924 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1925 kde.rsn_ie == NULL) { 1926 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1927 status = WLAN_STATUS_INVALID_PARAMETERS; 1928 goto error; 1929 } 1930 1931 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1932 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1933 "TPK M1"); 1934 status = WLAN_STATUS_INVALID_RSNIE; 1935 goto error; 1936 } 1937 1938 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1939 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1940 status = WLAN_STATUS_INVALID_RSNIE; 1941 goto error; 1942 } 1943 1944 cipher = ie.pairwise_cipher; 1945 if (cipher & WPA_CIPHER_CCMP) { 1946 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1947 cipher = WPA_CIPHER_CCMP; 1948 } else { 1949 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1950 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1951 goto error; 1952 } 1953 1954 if ((ie.capabilities & 1955 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1956 WPA_CAPABILITY_PEERKEY_ENABLED) { 1957 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1958 "TPK M1"); 1959 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1960 goto error; 1961 } 1962 1963 /* Lifetime */ 1964 if (kde.key_lifetime == NULL) { 1965 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1966 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1967 goto error; 1968 } 1969 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1970 lifetime = WPA_GET_LE32(timeoutie->value); 1971 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1972 if (lifetime < 300) { 1973 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1974 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1975 goto error; 1976 } 1977 1978 skip_rsn: 1979 #ifdef CONFIG_TDLS_TESTING 1980 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1981 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1982 /* 1983 * The request frame from us is going to win, so do not 1984 * replace information based on this request frame from 1985 * the peer. 1986 */ 1987 goto skip_rsn_check; 1988 } 1989 } 1990 #endif /* CONFIG_TDLS_TESTING */ 1991 1992 peer->initiator = 0; /* Need to check */ 1993 peer->dtoken = dtoken; 1994 1995 if (!wpa_tdls_get_privacy(sm)) { 1996 peer->rsnie_i_len = 0; 1997 peer->rsnie_p_len = 0; 1998 peer->cipher = WPA_CIPHER_NONE; 1999 goto skip_rsn_check; 2000 } 2001 2002 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2003 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2004 peer->rsnie_i_len = kde.rsn_ie_len; 2005 peer->cipher = cipher; 2006 2007 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2008 /* 2009 * There is no point in updating the RNonce for every obtained 2010 * TPK M1 frame (e.g., retransmission due to timeout) with the 2011 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2012 * retransmitted with a different INonce, update the RNonce 2013 * since this is for a new TDLS session. 2014 */ 2015 wpa_printf(MSG_DEBUG, 2016 "TDLS: New TPK M1 INonce - generate new RNonce"); 2017 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2018 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2019 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2020 "TDLS: Failed to get random data for responder nonce"); 2021 goto error; 2022 } 2023 } 2024 2025 #if 0 2026 /* get version info from RSNIE received from Peer */ 2027 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2028 rsn_ver = WPA_GET_LE16(hdr->version); 2029 2030 /* use min(peer's version, out version) */ 2031 if (rsn_ver > RSN_VERSION) 2032 rsn_ver = RSN_VERSION; 2033 2034 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2035 2036 hdr->elem_id = WLAN_EID_RSN; 2037 WPA_PUT_LE16(hdr->version, rsn_ver); 2038 pos = (u8 *) (hdr + 1); 2039 2040 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2041 pos += RSN_SELECTOR_LEN; 2042 /* Include only the selected cipher in pairwise cipher suite */ 2043 WPA_PUT_LE16(pos, 1); 2044 pos += 2; 2045 if (cipher == WPA_CIPHER_CCMP) 2046 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2047 pos += RSN_SELECTOR_LEN; 2048 2049 WPA_PUT_LE16(pos, 1); 2050 pos += 2; 2051 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2052 pos += RSN_SELECTOR_LEN; 2053 2054 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2055 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2056 WPA_PUT_LE16(pos, rsn_capab); 2057 pos += 2; 2058 2059 hdr->len = (pos - peer->rsnie_p) - 2; 2060 peer->rsnie_p_len = pos - peer->rsnie_p; 2061 #endif 2062 2063 /* temp fix: validation of RSNIE later */ 2064 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2065 peer->rsnie_p_len = peer->rsnie_i_len; 2066 2067 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2068 peer->rsnie_p, peer->rsnie_p_len); 2069 2070 peer->lifetime = lifetime; 2071 2072 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2073 2074 skip_rsn_check: 2075 #ifdef CONFIG_TDLS_TESTING 2076 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2077 goto skip_add_peer; 2078 #endif /* CONFIG_TDLS_TESTING */ 2079 2080 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2081 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2082 goto error; 2083 2084 #ifdef CONFIG_TDLS_TESTING 2085 skip_add_peer: 2086 #endif /* CONFIG_TDLS_TESTING */ 2087 peer->tpk_in_progress = 1; 2088 2089 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2090 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2091 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2092 goto error; 2093 } 2094 2095 return 0; 2096 2097 error: 2098 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2099 status); 2100 if (peer) 2101 wpa_tdls_peer_free(sm, peer); 2102 return -1; 2103 } 2104 2105 2106 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2107 { 2108 peer->tpk_success = 1; 2109 peer->tpk_in_progress = 0; 2110 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2111 if (wpa_tdls_get_privacy(sm)) { 2112 u32 lifetime = peer->lifetime; 2113 /* 2114 * Start the initiator process a bit earlier to avoid race 2115 * condition with the responder sending teardown request. 2116 */ 2117 if (lifetime > 3 && peer->initiator) 2118 lifetime -= 3; 2119 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2120 sm, peer); 2121 #ifdef CONFIG_TDLS_TESTING 2122 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2123 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2124 "expiration"); 2125 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2126 } 2127 #endif /* CONFIG_TDLS_TESTING */ 2128 } 2129 2130 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2131 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2132 "driver"); 2133 return -1; 2134 } 2135 peer->reconfig_key = 0; 2136 2137 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2138 } 2139 2140 2141 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2142 const u8 *buf, size_t len) 2143 { 2144 struct wpa_tdls_peer *peer; 2145 struct wpa_eapol_ie_parse kde; 2146 struct wpa_ie_data ie; 2147 int cipher; 2148 struct wpa_tdls_ftie *ftie; 2149 struct wpa_tdls_timeoutie *timeoutie; 2150 struct wpa_tdls_lnkid *lnkid; 2151 u32 lifetime; 2152 u8 dtoken; 2153 int ielen; 2154 u16 status; 2155 const u8 *pos; 2156 int ret = 0; 2157 2158 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2159 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2160 for (peer = sm->tdls; peer; peer = peer->next) { 2161 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2162 break; 2163 } 2164 if (peer == NULL) { 2165 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2166 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2167 return -1; 2168 } 2169 if (!peer->initiator) { 2170 /* 2171 * This may happen if both devices try to initiate TDLS at the 2172 * same time and we accept the TPK M1 from the peer in 2173 * wpa_tdls_process_tpk_m1() and clear our previous state. 2174 */ 2175 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2176 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2177 return -1; 2178 } 2179 2180 if (peer->tpk_success) { 2181 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2182 MACSTR " as TPK M3 was already sent", 2183 MAC2STR(src_addr)); 2184 return 0; 2185 } 2186 2187 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2188 2189 if (len < 3 + 2 + 1) { 2190 wpa_tdls_disable_peer_link(sm, peer); 2191 return -1; 2192 } 2193 2194 pos = buf; 2195 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2196 status = WPA_GET_LE16(pos); 2197 pos += 2 /* status code */; 2198 2199 if (status != WLAN_STATUS_SUCCESS) { 2200 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2201 status); 2202 wpa_tdls_disable_peer_link(sm, peer); 2203 return -1; 2204 } 2205 2206 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2207 2208 /* TODO: need to verify dialog token matches here or in kernel */ 2209 dtoken = *pos++; /* dialog token */ 2210 2211 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2212 2213 if (len < 3 + 2 + 1 + 2) { 2214 wpa_tdls_disable_peer_link(sm, peer); 2215 return -1; 2216 } 2217 2218 /* capability information */ 2219 peer->capability = WPA_GET_LE16(pos); 2220 pos += 2; 2221 2222 ielen = len - (pos - buf); /* start of IE in buf */ 2223 2224 /* 2225 * Don't reject the message if failing to parse IEs. The IEs we need are 2226 * explicitly checked below. Some APs may add arbitrary padding to the 2227 * end of short TDLS frames and that would look like invalid IEs. 2228 */ 2229 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2230 wpa_printf(MSG_DEBUG, 2231 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2232 2233 #ifdef CONFIG_TDLS_TESTING 2234 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2235 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2236 status = WLAN_STATUS_REQUEST_DECLINED; 2237 goto error; 2238 } 2239 #endif /* CONFIG_TDLS_TESTING */ 2240 2241 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2242 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2243 "TPK M2"); 2244 goto error; 2245 } 2246 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2247 kde.lnkid, kde.lnkid_len); 2248 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2249 2250 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2251 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2252 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2253 goto error; 2254 } 2255 2256 if (copy_supp_rates(&kde, peer) < 0) 2257 goto error; 2258 2259 if (copy_peer_ht_capab(&kde, peer) < 0) 2260 goto error; 2261 2262 if (copy_peer_vht_capab(&kde, peer) < 0) 2263 goto error; 2264 2265 if (copy_peer_ext_capab(&kde, peer) < 0) 2266 goto error; 2267 2268 if (copy_peer_supp_channels(&kde, peer) < 0) 2269 goto error; 2270 2271 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2272 goto error; 2273 2274 peer->qos_info = kde.qosinfo; 2275 2276 /* Overwrite with the qos_info obtained in WMM IE */ 2277 if (copy_peer_wmm_capab(&kde, peer) < 0) 2278 goto error; 2279 2280 peer->aid = kde.aid; 2281 2282 if (!wpa_tdls_get_privacy(sm)) { 2283 peer->rsnie_p_len = 0; 2284 peer->cipher = WPA_CIPHER_NONE; 2285 goto skip_rsn; 2286 } 2287 2288 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2289 kde.rsn_ie == NULL) { 2290 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2291 status = WLAN_STATUS_INVALID_PARAMETERS; 2292 goto error; 2293 } 2294 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2295 kde.rsn_ie, kde.rsn_ie_len); 2296 2297 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2298 wpa_printf(MSG_INFO, 2299 "TDLS: Too long Responder RSN IE in TPK M2"); 2300 status = WLAN_STATUS_INVALID_RSNIE; 2301 goto error; 2302 } 2303 2304 /* 2305 * FIX: bitwise comparison of RSN IE is not the correct way of 2306 * validation this. It can be different, but certain fields must 2307 * match. Since we list only a single pairwise cipher in TPK M1, the 2308 * memcmp is likely to work in most cases, though. 2309 */ 2310 if (kde.rsn_ie_len != peer->rsnie_i_len || 2311 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2312 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2313 "not match with RSN IE used in TPK M1"); 2314 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2315 peer->rsnie_i, peer->rsnie_i_len); 2316 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2317 kde.rsn_ie, kde.rsn_ie_len); 2318 status = WLAN_STATUS_INVALID_RSNIE; 2319 goto error; 2320 } 2321 2322 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2323 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2324 status = WLAN_STATUS_INVALID_RSNIE; 2325 goto error; 2326 } 2327 2328 cipher = ie.pairwise_cipher; 2329 if (cipher == WPA_CIPHER_CCMP) { 2330 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2331 cipher = WPA_CIPHER_CCMP; 2332 } else { 2333 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2334 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2335 goto error; 2336 } 2337 2338 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2339 kde.ftie, sizeof(*ftie)); 2340 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2341 2342 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2343 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2344 "not match with FTIE SNonce used in TPK M1"); 2345 /* Silently discard the frame */ 2346 return -1; 2347 } 2348 2349 /* Responder Nonce and RSN IE */ 2350 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2351 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2352 peer->rsnie_p_len = kde.rsn_ie_len; 2353 peer->cipher = cipher; 2354 2355 /* Lifetime */ 2356 if (kde.key_lifetime == NULL) { 2357 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2358 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2359 goto error; 2360 } 2361 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2362 lifetime = WPA_GET_LE32(timeoutie->value); 2363 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2364 lifetime); 2365 if (lifetime != peer->lifetime) { 2366 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2367 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2368 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2369 goto error; 2370 } 2371 2372 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2373 2374 /* Process MIC check to see if TPK M2 is right */ 2375 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2376 (u8 *) timeoutie, ftie) < 0) { 2377 /* Discard the frame */ 2378 wpa_tdls_del_key(sm, peer); 2379 wpa_tdls_disable_peer_link(sm, peer); 2380 return -1; 2381 } 2382 2383 if (wpa_tdls_set_key(sm, peer) < 0) { 2384 /* 2385 * Some drivers may not be able to config the key prior to full 2386 * STA entry having been configured. 2387 */ 2388 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2389 "STA entry is complete"); 2390 peer->reconfig_key = 1; 2391 } 2392 2393 skip_rsn: 2394 peer->dtoken = dtoken; 2395 2396 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2397 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2398 goto error; 2399 2400 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2401 "TPK Handshake Message 3"); 2402 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2403 goto error_no_msg; 2404 2405 if (!peer->tpk_success) { 2406 /* 2407 * Enable Link only when tpk_success is 0, signifying that this 2408 * processing of TPK M2 frame is not because of a retransmission 2409 * during TDLS setup handshake. 2410 */ 2411 ret = wpa_tdls_enable_link(sm, peer); 2412 if (ret < 0) { 2413 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2414 wpa_tdls_do_teardown( 2415 sm, peer, 2416 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2417 } 2418 } 2419 return ret; 2420 2421 error: 2422 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2423 status); 2424 error_no_msg: 2425 wpa_tdls_disable_peer_link(sm, peer); 2426 return -1; 2427 } 2428 2429 2430 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2431 const u8 *buf, size_t len) 2432 { 2433 struct wpa_tdls_peer *peer; 2434 struct wpa_eapol_ie_parse kde; 2435 struct wpa_tdls_ftie *ftie; 2436 struct wpa_tdls_timeoutie *timeoutie; 2437 struct wpa_tdls_lnkid *lnkid; 2438 int ielen; 2439 u16 status; 2440 const u8 *pos; 2441 u32 lifetime; 2442 int ret = 0; 2443 2444 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2445 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2446 for (peer = sm->tdls; peer; peer = peer->next) { 2447 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2448 break; 2449 } 2450 if (peer == NULL) { 2451 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2452 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2453 return -1; 2454 } 2455 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2456 2457 if (len < 3 + 3) 2458 goto error; 2459 pos = buf; 2460 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2461 2462 status = WPA_GET_LE16(pos); 2463 2464 if (status != 0) { 2465 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2466 status); 2467 goto error; 2468 } 2469 pos += 2 /* status code */ + 1 /* dialog token */; 2470 2471 ielen = len - (pos - buf); /* start of IE in buf */ 2472 2473 /* 2474 * Don't reject the message if failing to parse IEs. The IEs we need are 2475 * explicitly checked below. Some APs piggy-back broken IEs to the end 2476 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2477 * this error. 2478 */ 2479 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2480 wpa_printf(MSG_DEBUG, 2481 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2482 } 2483 2484 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2485 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2486 goto error; 2487 } 2488 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2489 (u8 *) kde.lnkid, kde.lnkid_len); 2490 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2491 2492 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2493 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2494 goto error; 2495 } 2496 2497 if (!wpa_tdls_get_privacy(sm)) 2498 goto skip_rsn; 2499 2500 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2501 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2502 goto error; 2503 } 2504 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2505 kde.ftie, sizeof(*ftie)); 2506 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2507 2508 if (kde.rsn_ie == NULL) { 2509 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2510 goto error; 2511 } 2512 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2513 kde.rsn_ie, kde.rsn_ie_len); 2514 if (kde.rsn_ie_len != peer->rsnie_p_len || 2515 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2516 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2517 "with the one sent in TPK M2"); 2518 goto error; 2519 } 2520 2521 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2522 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2523 "not match with FTIE ANonce used in TPK M2"); 2524 goto error; 2525 } 2526 2527 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2528 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2529 "match with FTIE SNonce used in TPK M1"); 2530 goto error; 2531 } 2532 2533 if (kde.key_lifetime == NULL) { 2534 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2535 goto error; 2536 } 2537 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2538 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2539 (u8 *) timeoutie, sizeof(*timeoutie)); 2540 lifetime = WPA_GET_LE32(timeoutie->value); 2541 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2542 lifetime); 2543 if (lifetime != peer->lifetime) { 2544 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2545 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2546 goto error; 2547 } 2548 2549 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2550 (u8 *) timeoutie, ftie) < 0) { 2551 wpa_tdls_del_key(sm, peer); 2552 goto error; 2553 } 2554 2555 if (wpa_tdls_set_key(sm, peer) < 0) { 2556 /* 2557 * Some drivers may not be able to config the key prior to full 2558 * STA entry having been configured. 2559 */ 2560 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2561 "STA entry is complete"); 2562 peer->reconfig_key = 1; 2563 } 2564 2565 skip_rsn: 2566 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2567 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2568 goto error; 2569 2570 if (!peer->tpk_success) { 2571 /* 2572 * Enable Link only when tpk_success is 0, signifying that this 2573 * processing of TPK M3 frame is not because of a retransmission 2574 * during TDLS setup handshake. 2575 */ 2576 ret = wpa_tdls_enable_link(sm, peer); 2577 if (ret < 0) { 2578 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2579 goto error; 2580 } 2581 } 2582 return ret; 2583 error: 2584 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2585 return -1; 2586 } 2587 2588 2589 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2590 { 2591 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2592 2593 os_memset(lifetime, 0, ie_len); 2594 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2595 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2596 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2597 WPA_PUT_LE32(lifetime->value, tsecs); 2598 os_memcpy(pos, ie, ie_len); 2599 return pos + ie_len; 2600 } 2601 2602 2603 /** 2604 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2605 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2606 * @peer: MAC address of the peer STA 2607 * Returns: 0 on success, or -1 on failure 2608 * 2609 * Send TPK Handshake Message 1 info to driver to start TDLS 2610 * handshake with the peer. 2611 */ 2612 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2613 { 2614 struct wpa_tdls_peer *peer; 2615 int tdls_prohibited = sm->tdls_prohibited; 2616 2617 if (sm->tdls_disabled || !sm->tdls_supported) 2618 return -1; 2619 2620 #ifdef CONFIG_TDLS_TESTING 2621 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2622 tdls_prohibited) { 2623 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2624 "on TDLS"); 2625 tdls_prohibited = 0; 2626 } 2627 #endif /* CONFIG_TDLS_TESTING */ 2628 2629 if (tdls_prohibited) { 2630 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2631 "reject request to start setup"); 2632 return -1; 2633 } 2634 2635 peer = wpa_tdls_add_peer(sm, addr, NULL); 2636 if (peer == NULL) 2637 return -1; 2638 2639 if (peer->tpk_in_progress) { 2640 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2641 return 0; 2642 } 2643 2644 peer->initiator = 1; 2645 2646 /* add the peer to the driver as a "setup in progress" peer */ 2647 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2648 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2649 wpa_tdls_disable_peer_link(sm, peer); 2650 return -1; 2651 } 2652 2653 peer->tpk_in_progress = 1; 2654 2655 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2656 wpa_tdls_disable_peer_link(sm, peer); 2657 return -1; 2658 } 2659 2660 return 0; 2661 } 2662 2663 2664 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2665 { 2666 struct wpa_tdls_peer *peer; 2667 2668 if (sm->tdls_disabled || !sm->tdls_supported) 2669 return; 2670 2671 for (peer = sm->tdls; peer; peer = peer->next) { 2672 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2673 break; 2674 } 2675 2676 if (peer == NULL || !peer->tpk_success) 2677 return; 2678 2679 if (sm->tdls_external_setup) { 2680 /* 2681 * Disable previous link to allow renegotiation to be completed 2682 * on AP path. 2683 */ 2684 wpa_tdls_do_teardown(sm, peer, 2685 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2686 } 2687 } 2688 2689 2690 /** 2691 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2692 * 2693 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2694 */ 2695 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2696 const u8 *buf, size_t len) 2697 { 2698 struct wpa_sm *sm = ctx; 2699 struct wpa_tdls_frame *tf; 2700 2701 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2702 buf, len); 2703 2704 if (sm->tdls_disabled || !sm->tdls_supported) { 2705 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2706 "or unsupported by driver"); 2707 return; 2708 } 2709 2710 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2711 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2712 return; 2713 } 2714 2715 if (len < sizeof(*tf)) { 2716 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2717 return; 2718 } 2719 2720 /* Check to make sure its a valid encapsulated TDLS frame */ 2721 tf = (struct wpa_tdls_frame *) buf; 2722 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2723 tf->category != WLAN_ACTION_TDLS) { 2724 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2725 "category=%u action=%u", 2726 tf->payloadtype, tf->category, tf->action); 2727 return; 2728 } 2729 2730 switch (tf->action) { 2731 case WLAN_TDLS_SETUP_REQUEST: 2732 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2733 break; 2734 case WLAN_TDLS_SETUP_RESPONSE: 2735 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2736 break; 2737 case WLAN_TDLS_SETUP_CONFIRM: 2738 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2739 break; 2740 case WLAN_TDLS_TEARDOWN: 2741 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2742 break; 2743 case WLAN_TDLS_DISCOVERY_REQUEST: 2744 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2745 break; 2746 default: 2747 /* Kernel code will process remaining frames */ 2748 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2749 tf->action); 2750 break; 2751 } 2752 } 2753 2754 2755 /** 2756 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2757 * @wpa_s: Pointer to wpa_supplicant data 2758 * Returns: 0 on success, -1 on failure 2759 * 2760 * This function is called to initialize driver interface parameters for TDLS. 2761 * wpa_drv_init() must have been called before this function to initialize the 2762 * driver interface. 2763 */ 2764 int wpa_tdls_init(struct wpa_sm *sm) 2765 { 2766 if (sm == NULL) 2767 return -1; 2768 2769 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2770 sm->ifname, 2771 sm->own_addr, 2772 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2773 sm, 0); 2774 if (sm->l2_tdls == NULL) { 2775 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2776 "connection"); 2777 return -1; 2778 } 2779 2780 /* 2781 * Drivers that support TDLS but don't implement the get_capa callback 2782 * are assumed to perform everything internally 2783 */ 2784 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2785 &sm->tdls_external_setup, 2786 &sm->tdls_chan_switch) < 0) { 2787 sm->tdls_supported = 1; 2788 sm->tdls_external_setup = 0; 2789 } 2790 2791 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2792 "driver", sm->tdls_supported ? "" : " not"); 2793 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2794 sm->tdls_external_setup ? "external" : "internal"); 2795 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2796 sm->tdls_chan_switch ? "supports" : "does not support"); 2797 2798 return 0; 2799 } 2800 2801 2802 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2803 { 2804 struct wpa_tdls_peer *peer, *tmp; 2805 2806 if (!sm) 2807 return; 2808 peer = sm->tdls; 2809 2810 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2811 2812 while (peer) { 2813 tmp = peer->next; 2814 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2815 MAC2STR(peer->addr)); 2816 if (sm->tdls_external_setup) 2817 wpa_tdls_do_teardown(sm, peer, 2818 WLAN_REASON_DEAUTH_LEAVING); 2819 else 2820 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2821 2822 peer = tmp; 2823 } 2824 } 2825 2826 2827 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2828 { 2829 struct wpa_tdls_peer *peer, *tmp; 2830 2831 peer = sm->tdls; 2832 2833 while (peer) { 2834 int res; 2835 tmp = peer->next; 2836 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2837 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2838 MAC2STR(peer->addr), res); 2839 wpa_tdls_peer_free(sm, peer); 2840 peer = tmp; 2841 } 2842 } 2843 2844 2845 /** 2846 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2847 * 2848 * This function is called to recover driver interface parameters for TDLS 2849 * and frees resources allocated for it. 2850 */ 2851 void wpa_tdls_deinit(struct wpa_sm *sm) 2852 { 2853 if (sm == NULL) 2854 return; 2855 2856 if (sm->l2_tdls) 2857 l2_packet_deinit(sm->l2_tdls); 2858 sm->l2_tdls = NULL; 2859 2860 wpa_tdls_remove_peers(sm); 2861 } 2862 2863 2864 void wpa_tdls_assoc(struct wpa_sm *sm) 2865 { 2866 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2867 wpa_tdls_remove_peers(sm); 2868 } 2869 2870 2871 void wpa_tdls_disassoc(struct wpa_sm *sm) 2872 { 2873 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2874 wpa_tdls_remove_peers(sm); 2875 } 2876 2877 2878 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2879 { 2880 /* bit 38 - TDLS Prohibited */ 2881 return !!(elems->ext_capab[2 + 4] & 0x40); 2882 } 2883 2884 2885 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2886 { 2887 /* bit 39 - TDLS Channel Switch Prohibited */ 2888 return !!(elems->ext_capab[2 + 4] & 0x80); 2889 } 2890 2891 2892 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2893 { 2894 struct ieee802_11_elems elems; 2895 2896 sm->tdls_prohibited = 0; 2897 sm->tdls_chan_switch_prohibited = 0; 2898 2899 if (ies == NULL || 2900 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2901 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2902 return; 2903 2904 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2905 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2906 sm->tdls_prohibited ? "prohibited" : "allowed"); 2907 sm->tdls_chan_switch_prohibited = 2908 wpa_tdls_chan_switch_prohibited(&elems); 2909 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2910 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2911 } 2912 2913 2914 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2915 { 2916 struct ieee802_11_elems elems; 2917 2918 if (ies == NULL || 2919 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2920 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2921 return; 2922 2923 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2924 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2925 "(Re)Association Response IEs"); 2926 sm->tdls_prohibited = 1; 2927 } 2928 2929 if (!sm->tdls_chan_switch_prohibited && 2930 wpa_tdls_chan_switch_prohibited(&elems)) { 2931 wpa_printf(MSG_DEBUG, 2932 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2933 sm->tdls_chan_switch_prohibited = 1; 2934 } 2935 } 2936 2937 2938 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2939 { 2940 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2941 sm->tdls_disabled = !enabled; 2942 } 2943 2944 2945 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2946 { 2947 return sm->tdls_external_setup; 2948 } 2949 2950 2951 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2952 u8 oper_class, 2953 struct hostapd_freq_params *freq_params) 2954 { 2955 struct wpa_tdls_peer *peer; 2956 int ret; 2957 2958 if (sm->tdls_disabled || !sm->tdls_supported) 2959 return -1; 2960 2961 if (!sm->tdls_chan_switch) { 2962 wpa_printf(MSG_DEBUG, 2963 "TDLS: Channel switching not supported by the driver"); 2964 return -1; 2965 } 2966 2967 if (sm->tdls_chan_switch_prohibited) { 2968 wpa_printf(MSG_DEBUG, 2969 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 2970 return -1; 2971 } 2972 2973 for (peer = sm->tdls; peer; peer = peer->next) { 2974 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2975 break; 2976 } 2977 2978 if (peer == NULL || !peer->tpk_success) { 2979 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 2980 " not found for channel switching", MAC2STR(addr)); 2981 return -1; 2982 } 2983 2984 if (peer->chan_switch_enabled) { 2985 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 2986 " already has channel switching enabled", 2987 MAC2STR(addr)); 2988 return 0; 2989 } 2990 2991 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 2992 oper_class, freq_params); 2993 if (!ret) 2994 peer->chan_switch_enabled = 1; 2995 2996 return ret; 2997 } 2998 2999 3000 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3001 { 3002 struct wpa_tdls_peer *peer; 3003 3004 if (sm->tdls_disabled || !sm->tdls_supported) 3005 return -1; 3006 3007 for (peer = sm->tdls; peer; peer = peer->next) { 3008 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3009 break; 3010 } 3011 3012 if (!peer || !peer->chan_switch_enabled) { 3013 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3014 MACSTR, MAC2STR(addr)); 3015 return -1; 3016 } 3017 3018 /* ignore the return value */ 3019 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3020 3021 peer->chan_switch_enabled = 0; 3022 return 0; 3023 } 3024
