1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tpk_success; 116 int tpk_in_progress; 117 118 struct tpk_timer { 119 u8 dest[ETH_ALEN]; 120 int count; /* Retry Count */ 121 int timer; /* Timeout in milliseconds */ 122 u8 action_code; /* TDLS frame type */ 123 u8 dialog_token; 124 u16 status_code; 125 u32 peer_capab; 126 int buf_len; /* length of TPK message for retransmission */ 127 u8 *buf; /* buffer for TPK message */ 128 } sm_tmr; 129 130 u16 capability; 131 132 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 133 size_t supp_rates_len; 134 135 struct ieee80211_ht_capabilities *ht_capabilities; 136 struct ieee80211_vht_capabilities *vht_capabilities; 137 138 u8 qos_info; 139 140 u16 aid; 141 142 u8 *ext_capab; 143 size_t ext_capab_len; 144 145 u8 *supp_channels; 146 size_t supp_channels_len; 147 148 u8 *supp_oper_classes; 149 size_t supp_oper_classes_len; 150 151 u8 wmm_capable; 152 153 /* channel switch currently enabled */ 154 int chan_switch_enabled; 155 }; 156 157 158 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 159 { 160 /* 161 * Get info needed from supplicant to check if the current BSS supports 162 * security. Other than OPEN mode, rest are considered secured 163 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 164 */ 165 return sm->pairwise_cipher != WPA_CIPHER_NONE; 166 } 167 168 169 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 170 { 171 os_memcpy(pos, ie, ie_len); 172 return pos + ie_len; 173 } 174 175 176 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 177 { 178 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 179 0, 0, NULL, 0, NULL, 0) < 0) { 180 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 181 "the driver"); 182 return -1; 183 } 184 185 return 0; 186 } 187 188 189 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 190 { 191 u8 key_len; 192 u8 rsc[6]; 193 enum wpa_alg alg; 194 195 os_memset(rsc, 0, 6); 196 197 switch (peer->cipher) { 198 case WPA_CIPHER_CCMP: 199 alg = WPA_ALG_CCMP; 200 key_len = 16; 201 break; 202 case WPA_CIPHER_NONE: 203 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 204 "NONE - do not use pairwise keys"); 205 return -1; 206 default: 207 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 208 sm->pairwise_cipher); 209 return -1; 210 } 211 212 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 213 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 214 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 215 "driver"); 216 return -1; 217 } 218 return 0; 219 } 220 221 222 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 223 u8 action_code, u8 dialog_token, 224 u16 status_code, u32 peer_capab, 225 int initiator, const u8 *buf, size_t len) 226 { 227 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 228 status_code, peer_capab, initiator, buf, 229 len); 230 } 231 232 233 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 234 u8 dialog_token, u16 status_code, u32 peer_capab, 235 int initiator, const u8 *msg, size_t msg_len) 236 { 237 struct wpa_tdls_peer *peer; 238 239 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 240 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 241 "msg_len=%u", 242 MAC2STR(dest), action_code, dialog_token, status_code, 243 peer_capab, initiator, (unsigned int) msg_len); 244 245 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 246 status_code, peer_capab, initiator, msg, 247 msg_len)) { 248 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 249 "(action_code=%u)", action_code); 250 return -1; 251 } 252 253 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 254 action_code == WLAN_TDLS_TEARDOWN || 255 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 256 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 257 return 0; /* No retries */ 258 259 for (peer = sm->tdls; peer; peer = peer->next) { 260 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 261 break; 262 } 263 264 if (peer == NULL) { 265 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 266 "retry " MACSTR, MAC2STR(dest)); 267 return 0; 268 } 269 270 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 271 272 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 273 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 274 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 275 } else { 276 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 277 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 278 } 279 280 /* Copy message to resend on timeout */ 281 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 282 peer->sm_tmr.action_code = action_code; 283 peer->sm_tmr.dialog_token = dialog_token; 284 peer->sm_tmr.status_code = status_code; 285 peer->sm_tmr.peer_capab = peer_capab; 286 peer->sm_tmr.buf_len = msg_len; 287 os_free(peer->sm_tmr.buf); 288 peer->sm_tmr.buf = os_malloc(msg_len); 289 if (peer->sm_tmr.buf == NULL) 290 return -1; 291 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 292 293 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 294 "(action_code=%u)", action_code); 295 eloop_register_timeout(peer->sm_tmr.timer / 1000, 296 (peer->sm_tmr.timer % 1000) * 1000, 297 wpa_tdls_tpk_retry_timeout, sm, peer); 298 return 0; 299 } 300 301 302 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 303 u16 reason_code) 304 { 305 int ret; 306 307 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 308 /* disable the link after teardown was sent */ 309 wpa_tdls_disable_peer_link(sm, peer); 310 311 return ret; 312 } 313 314 315 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 316 { 317 318 struct wpa_sm *sm = eloop_ctx; 319 struct wpa_tdls_peer *peer = timeout_ctx; 320 321 if (peer->sm_tmr.count) { 322 peer->sm_tmr.count--; 323 324 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 325 "(action_code=%u)", 326 peer->sm_tmr.action_code); 327 328 if (peer->sm_tmr.buf == NULL) { 329 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 330 "for action_code=%u", 331 peer->sm_tmr.action_code); 332 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 333 peer); 334 return; 335 } 336 337 /* resend TPK Handshake Message to Peer */ 338 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 339 peer->sm_tmr.action_code, 340 peer->sm_tmr.dialog_token, 341 peer->sm_tmr.status_code, 342 peer->sm_tmr.peer_capab, 343 peer->initiator, 344 peer->sm_tmr.buf, 345 peer->sm_tmr.buf_len)) { 346 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 347 "transmission"); 348 } 349 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 351 eloop_register_timeout(peer->sm_tmr.timer / 1000, 352 (peer->sm_tmr.timer % 1000) * 1000, 353 wpa_tdls_tpk_retry_timeout, sm, peer); 354 } else { 355 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 356 357 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 358 wpa_tdls_do_teardown(sm, peer, 359 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 360 } 361 } 362 363 364 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 365 struct wpa_tdls_peer *peer, 366 u8 action_code) 367 { 368 if (action_code == peer->sm_tmr.action_code) { 369 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 370 "action_code=%u", action_code); 371 372 /* Cancel Timeout registered */ 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 /* free all resources meant for retry */ 376 os_free(peer->sm_tmr.buf); 377 peer->sm_tmr.buf = NULL; 378 379 peer->sm_tmr.count = 0; 380 peer->sm_tmr.timer = 0; 381 peer->sm_tmr.buf_len = 0; 382 peer->sm_tmr.action_code = 0xff; 383 } else { 384 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 385 "(Unknown action_code=%u)", action_code); 386 } 387 } 388 389 390 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 391 const u8 *own_addr, const u8 *bssid) 392 { 393 u8 key_input[SHA256_MAC_LEN]; 394 const u8 *nonce[2]; 395 size_t len[2]; 396 u8 data[3 * ETH_ALEN]; 397 398 /* IEEE Std 802.11z-2010 8.5.9.1: 399 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 400 */ 401 len[0] = WPA_NONCE_LEN; 402 len[1] = WPA_NONCE_LEN; 403 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 404 nonce[0] = peer->inonce; 405 nonce[1] = peer->rnonce; 406 } else { 407 nonce[0] = peer->rnonce; 408 nonce[1] = peer->inonce; 409 } 410 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 411 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 412 sha256_vector(2, nonce, len, key_input); 413 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 414 key_input, SHA256_MAC_LEN); 415 416 /* 417 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 418 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 419 * TODO: is N_KEY really included in KDF Context and if so, in which 420 * presentation format (little endian 16-bit?) is it used? It gets 421 * added by the KDF anyway.. 422 */ 423 424 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 425 os_memcpy(data, own_addr, ETH_ALEN); 426 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 427 } else { 428 os_memcpy(data, peer->addr, ETH_ALEN); 429 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 430 } 431 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 432 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 433 434 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 435 (u8 *) &peer->tpk, sizeof(peer->tpk)); 436 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 437 peer->tpk.kck, sizeof(peer->tpk.kck)); 438 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 439 peer->tpk.tk, sizeof(peer->tpk.tk)); 440 peer->tpk_set = 1; 441 } 442 443 444 /** 445 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 446 * @kck: TPK-KCK 447 * @lnkid: Pointer to the beginning of Link Identifier IE 448 * @rsnie: Pointer to the beginning of RSN IE used for handshake 449 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 450 * @ftie: Pointer to the beginning of FT IE 451 * @mic: Pointer for writing MIC 452 * 453 * Calculate MIC for TDLS frame. 454 */ 455 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 456 const u8 *rsnie, const u8 *timeoutie, 457 const u8 *ftie, u8 *mic) 458 { 459 u8 *buf, *pos; 460 struct wpa_tdls_ftie *_ftie; 461 const struct wpa_tdls_lnkid *_lnkid; 462 int ret; 463 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 464 2 + timeoutie[1] + 2 + ftie[1]; 465 buf = os_zalloc(len); 466 if (!buf) { 467 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 468 return -1; 469 } 470 471 pos = buf; 472 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 473 /* 1) TDLS initiator STA MAC address */ 474 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 475 pos += ETH_ALEN; 476 /* 2) TDLS responder STA MAC address */ 477 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 478 pos += ETH_ALEN; 479 /* 3) Transaction Sequence number */ 480 *pos++ = trans_seq; 481 /* 4) Link Identifier IE */ 482 os_memcpy(pos, lnkid, 2 + lnkid[1]); 483 pos += 2 + lnkid[1]; 484 /* 5) RSN IE */ 485 os_memcpy(pos, rsnie, 2 + rsnie[1]); 486 pos += 2 + rsnie[1]; 487 /* 6) Timeout Interval IE */ 488 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 489 pos += 2 + timeoutie[1]; 490 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 491 os_memcpy(pos, ftie, 2 + ftie[1]); 492 _ftie = (struct wpa_tdls_ftie *) pos; 493 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 494 pos += 2 + ftie[1]; 495 496 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 497 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 498 ret = omac1_aes_128(kck, buf, pos - buf, mic); 499 os_free(buf); 500 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 501 return ret; 502 } 503 504 505 /** 506 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 507 * @kck: TPK-KCK 508 * @trans_seq: Transaction Sequence Number (4 - Teardown) 509 * @rcode: Reason code for Teardown 510 * @dtoken: Dialog Token used for that particular link 511 * @lnkid: Pointer to the beginning of Link Identifier IE 512 * @ftie: Pointer to the beginning of FT IE 513 * @mic: Pointer for writing MIC 514 * 515 * Calculate MIC for TDLS frame. 516 */ 517 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 518 u8 dtoken, const u8 *lnkid, 519 const u8 *ftie, u8 *mic) 520 { 521 u8 *buf, *pos; 522 struct wpa_tdls_ftie *_ftie; 523 int ret; 524 int len; 525 526 if (lnkid == NULL) 527 return -1; 528 529 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 530 sizeof(trans_seq) + 2 + ftie[1]; 531 532 buf = os_zalloc(len); 533 if (!buf) { 534 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 535 return -1; 536 } 537 538 pos = buf; 539 /* 1) Link Identifier IE */ 540 os_memcpy(pos, lnkid, 2 + lnkid[1]); 541 pos += 2 + lnkid[1]; 542 /* 2) Reason Code */ 543 WPA_PUT_LE16(pos, rcode); 544 pos += sizeof(rcode); 545 /* 3) Dialog token */ 546 *pos++ = dtoken; 547 /* 4) Transaction Sequence number */ 548 *pos++ = trans_seq; 549 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 550 os_memcpy(pos, ftie, 2 + ftie[1]); 551 _ftie = (struct wpa_tdls_ftie *) pos; 552 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 553 pos += 2 + ftie[1]; 554 555 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 556 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 557 ret = omac1_aes_128(kck, buf, pos - buf, mic); 558 os_free(buf); 559 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 560 return ret; 561 } 562 563 564 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 565 struct wpa_tdls_peer *peer, 566 const u8 *lnkid, const u8 *timeoutie, 567 const struct wpa_tdls_ftie *ftie) 568 { 569 u8 mic[16]; 570 571 if (peer->tpk_set) { 572 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 573 peer->rsnie_p, timeoutie, (u8 *) ftie, 574 mic); 575 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 576 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 577 "dropping packet"); 578 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 579 ftie->mic, 16); 580 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 581 mic, 16); 582 return -1; 583 } 584 } else { 585 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 586 "TPK not set - dropping packet"); 587 return -1; 588 } 589 return 0; 590 } 591 592 593 static int wpa_supplicant_verify_tdls_mic_teardown( 594 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 595 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 596 { 597 u8 mic[16]; 598 599 if (peer->tpk_set) { 600 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 601 dtoken, lnkid, (u8 *) ftie, mic); 602 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 603 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 604 "dropping packet"); 605 return -1; 606 } 607 } else { 608 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 609 "MIC, TPK not set - dropping packet"); 610 return -1; 611 } 612 return 0; 613 } 614 615 616 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 617 { 618 struct wpa_sm *sm = eloop_ctx; 619 struct wpa_tdls_peer *peer = timeout_ctx; 620 621 /* 622 * On TPK lifetime expiration, we have an option of either tearing down 623 * the direct link or trying to re-initiate it. The selection of what 624 * to do is not strictly speaking controlled by our role in the expired 625 * link, but for now, use that to select whether to renew or tear down 626 * the link. 627 */ 628 629 if (peer->initiator) { 630 u8 addr[ETH_ALEN]; 631 632 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 633 " - try to renew", MAC2STR(peer->addr)); 634 /* cache the peer address before do_teardown */ 635 os_memcpy(addr, peer->addr, ETH_ALEN); 636 wpa_tdls_do_teardown(sm, peer, 637 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 638 wpa_tdls_start(sm, addr); 639 } else { 640 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 641 " - tear down", MAC2STR(peer->addr)); 642 wpa_tdls_do_teardown(sm, peer, 643 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 644 } 645 } 646 647 648 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 649 struct wpa_tdls_peer *peer) 650 { 651 struct wpa_tdls_peer *cur, *prev; 652 653 cur = sm->tdls; 654 prev = NULL; 655 while (cur && cur != peer) { 656 prev = cur; 657 cur = cur->next; 658 } 659 660 if (cur != peer) { 661 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 662 " to remove it from the list", 663 MAC2STR(peer->addr)); 664 return; 665 } 666 667 if (prev) 668 prev->next = peer->next; 669 else 670 sm->tdls = peer->next; 671 } 672 673 674 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 675 { 676 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 677 MAC2STR(peer->addr)); 678 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 679 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 680 peer->reconfig_key = 0; 681 peer->initiator = 0; 682 peer->tpk_in_progress = 0; 683 os_free(peer->sm_tmr.buf); 684 peer->sm_tmr.buf = NULL; 685 os_free(peer->ht_capabilities); 686 peer->ht_capabilities = NULL; 687 os_free(peer->vht_capabilities); 688 peer->vht_capabilities = NULL; 689 os_free(peer->ext_capab); 690 peer->ext_capab = NULL; 691 os_free(peer->supp_channels); 692 peer->supp_channels = NULL; 693 os_free(peer->supp_oper_classes); 694 peer->supp_oper_classes = NULL; 695 peer->rsnie_i_len = peer->rsnie_p_len = 0; 696 peer->cipher = 0; 697 peer->qos_info = 0; 698 peer->wmm_capable = 0; 699 peer->tpk_set = peer->tpk_success = 0; 700 peer->chan_switch_enabled = 0; 701 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 702 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 703 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 704 } 705 706 707 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 708 { 709 wpa_tdls_peer_clear(sm, peer); 710 wpa_tdls_peer_remove_from_list(sm, peer); 711 os_free(peer); 712 } 713 714 715 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 716 struct wpa_tdls_lnkid *lnkid) 717 { 718 lnkid->ie_type = WLAN_EID_LINK_ID; 719 lnkid->ie_len = 3 * ETH_ALEN; 720 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 721 if (peer->initiator) { 722 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 723 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 724 } else { 725 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 726 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 727 } 728 } 729 730 731 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 732 u16 reason_code) 733 { 734 struct wpa_tdls_peer *peer; 735 struct wpa_tdls_ftie *ftie; 736 struct wpa_tdls_lnkid lnkid; 737 u8 dialog_token; 738 u8 *rbuf, *pos; 739 int ielen; 740 741 if (sm->tdls_disabled || !sm->tdls_supported) 742 return -1; 743 744 /* Find the node and free from the list */ 745 for (peer = sm->tdls; peer; peer = peer->next) { 746 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 747 break; 748 } 749 750 if (peer == NULL) { 751 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 752 "Teardown " MACSTR, MAC2STR(addr)); 753 return 0; 754 } 755 756 /* Cancel active channel switch before teardown */ 757 if (peer->chan_switch_enabled) { 758 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 759 " to base channel", MAC2STR(addr)); 760 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 761 } 762 763 dialog_token = peer->dtoken; 764 765 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 766 MAC2STR(addr)); 767 768 ielen = 0; 769 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 770 /* To add FTIE for Teardown request and compute MIC */ 771 ielen += sizeof(*ftie); 772 #ifdef CONFIG_TDLS_TESTING 773 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 774 ielen += 170; 775 #endif /* CONFIG_TDLS_TESTING */ 776 } 777 778 rbuf = os_zalloc(ielen + 1); 779 if (rbuf == NULL) 780 return -1; 781 pos = rbuf; 782 783 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 784 goto skip_ies; 785 786 ftie = (struct wpa_tdls_ftie *) pos; 787 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 788 /* Using the recent nonce which should be for CONFIRM frame */ 789 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 790 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 791 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 792 pos = (u8 *) (ftie + 1); 793 #ifdef CONFIG_TDLS_TESTING 794 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 795 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 796 "FTIE"); 797 ftie->ie_len += 170; 798 *pos++ = 255; /* FTIE subelem */ 799 *pos++ = 168; /* FTIE subelem length */ 800 pos += 168; 801 } 802 #endif /* CONFIG_TDLS_TESTING */ 803 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 804 (u8 *) ftie, pos - (u8 *) ftie); 805 806 /* compute MIC before sending */ 807 wpa_tdls_linkid(sm, peer, &lnkid); 808 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 809 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 810 ftie->mic); 811 812 skip_ies: 813 /* TODO: register for a Timeout handler, if Teardown is not received at 814 * the other end, then try again another time */ 815 816 /* request driver to send Teardown using this FTIE */ 817 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 818 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 819 os_free(rbuf); 820 821 return 0; 822 } 823 824 825 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 826 { 827 struct wpa_tdls_peer *peer; 828 829 if (sm->tdls_disabled || !sm->tdls_supported) 830 return -1; 831 832 for (peer = sm->tdls; peer; peer = peer->next) { 833 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 834 break; 835 } 836 837 if (peer == NULL) { 838 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 839 " for link Teardown", MAC2STR(addr)); 840 return -1; 841 } 842 843 if (!peer->tpk_success) { 844 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 845 " not connected - cannot Teardown link", MAC2STR(addr)); 846 return -1; 847 } 848 849 return wpa_tdls_do_teardown(sm, peer, reason_code); 850 } 851 852 853 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 854 struct wpa_tdls_peer *peer) 855 { 856 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 857 wpa_tdls_peer_free(sm, peer); 858 } 859 860 861 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 862 { 863 struct wpa_tdls_peer *peer; 864 865 for (peer = sm->tdls; peer; peer = peer->next) { 866 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 867 break; 868 } 869 870 if (!peer || !peer->tpk_success) { 871 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 872 " not connected - cannot teardown unreachable link", 873 MAC2STR(addr)); 874 return; 875 } 876 877 if (wpa_tdls_is_external_setup(sm)) { 878 /* 879 * Get us on the base channel, disable the link, send a 880 * teardown packet through the AP, and then reset link data. 881 */ 882 if (peer->chan_switch_enabled) 883 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 884 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 885 wpa_tdls_send_teardown(sm, addr, 886 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 887 wpa_tdls_peer_free(sm, peer); 888 } else { 889 wpa_tdls_disable_peer_link(sm, peer); 890 } 891 } 892 893 894 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 895 { 896 struct wpa_tdls_peer *peer; 897 898 if (sm->tdls_disabled || !sm->tdls_supported) 899 return "disabled"; 900 901 for (peer = sm->tdls; peer; peer = peer->next) { 902 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 903 break; 904 } 905 906 if (peer == NULL) 907 return "peer does not exist"; 908 909 if (!peer->tpk_success) 910 return "peer not connected"; 911 912 return "connected"; 913 } 914 915 916 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 917 const u8 *buf, size_t len) 918 { 919 struct wpa_tdls_peer *peer = NULL; 920 struct wpa_tdls_ftie *ftie; 921 struct wpa_tdls_lnkid *lnkid; 922 struct wpa_eapol_ie_parse kde; 923 u16 reason_code; 924 const u8 *pos; 925 int ielen; 926 927 /* Find the node and free from the list */ 928 for (peer = sm->tdls; peer; peer = peer->next) { 929 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 930 break; 931 } 932 933 if (peer == NULL) { 934 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 935 "Teardown " MACSTR, MAC2STR(src_addr)); 936 return 0; 937 } 938 939 pos = buf; 940 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 941 942 reason_code = WPA_GET_LE16(pos); 943 pos += 2; 944 945 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 946 " (reason code %u)", MAC2STR(src_addr), reason_code); 947 948 ielen = len - (pos - buf); /* start of IE in buf */ 949 950 /* 951 * Don't reject the message if failing to parse IEs. The IEs we need are 952 * explicitly checked below. Some APs may add arbitrary padding to the 953 * end of short TDLS frames and that would look like invalid IEs. 954 */ 955 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 956 wpa_printf(MSG_DEBUG, 957 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 958 959 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 960 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 961 "Teardown"); 962 return -1; 963 } 964 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 965 966 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 967 goto skip_ftie; 968 969 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 970 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 971 return -1; 972 } 973 974 ftie = (struct wpa_tdls_ftie *) kde.ftie; 975 976 /* Process MIC check to see if TDLS Teardown is right */ 977 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 978 peer->dtoken, peer, 979 (u8 *) lnkid, ftie) < 0) { 980 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 981 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 982 return -1; 983 } 984 985 skip_ftie: 986 /* 987 * Request the driver to disable the direct link and clear associated 988 * keys. 989 */ 990 wpa_tdls_disable_peer_link(sm, peer); 991 return 0; 992 } 993 994 995 /** 996 * wpa_tdls_send_error - To send suitable TDLS status response with 997 * appropriate status code mentioning reason for error/failure. 998 * @dst - MAC addr of Peer station 999 * @tdls_action - TDLS frame type for which error code is sent 1000 * @initiator - was this end the initiator of the connection 1001 * @status - status code mentioning reason 1002 */ 1003 1004 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1005 u8 tdls_action, u8 dialog_token, int initiator, 1006 u16 status) 1007 { 1008 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1009 " (action=%u status=%u)", 1010 MAC2STR(dst), tdls_action, status); 1011 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1012 0, initiator, NULL, 0); 1013 } 1014 1015 1016 static struct wpa_tdls_peer * 1017 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1018 { 1019 struct wpa_tdls_peer *peer; 1020 1021 if (existing) 1022 *existing = 0; 1023 for (peer = sm->tdls; peer; peer = peer->next) { 1024 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1025 if (existing) 1026 *existing = 1; 1027 return peer; /* re-use existing entry */ 1028 } 1029 } 1030 1031 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1032 MAC2STR(addr)); 1033 1034 peer = os_zalloc(sizeof(*peer)); 1035 if (peer == NULL) 1036 return NULL; 1037 1038 os_memcpy(peer->addr, addr, ETH_ALEN); 1039 peer->next = sm->tdls; 1040 sm->tdls = peer; 1041 1042 return peer; 1043 } 1044 1045 1046 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1047 struct wpa_tdls_peer *peer) 1048 { 1049 size_t buf_len; 1050 struct wpa_tdls_timeoutie timeoutie; 1051 u16 rsn_capab; 1052 struct wpa_tdls_ftie *ftie; 1053 u8 *rbuf, *pos, *count_pos; 1054 u16 count; 1055 struct rsn_ie_hdr *hdr; 1056 int status; 1057 1058 if (!wpa_tdls_get_privacy(sm)) { 1059 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1060 peer->rsnie_i_len = 0; 1061 goto skip_rsnie; 1062 } 1063 1064 /* 1065 * TPK Handshake Message 1: 1066 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1067 * Timeout Interval IE)) 1068 */ 1069 1070 /* Filling RSN IE */ 1071 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1072 hdr->elem_id = WLAN_EID_RSN; 1073 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1074 1075 pos = (u8 *) (hdr + 1); 1076 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1077 pos += RSN_SELECTOR_LEN; 1078 count_pos = pos; 1079 pos += 2; 1080 1081 count = 0; 1082 1083 /* 1084 * AES-CCMP is the default Encryption preferred for TDLS, so 1085 * RSN IE is filled only with CCMP CIPHER 1086 * Note: TKIP is not used to encrypt TDLS link. 1087 * 1088 * Regardless of the cipher used on the AP connection, select CCMP 1089 * here. 1090 */ 1091 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1092 pos += RSN_SELECTOR_LEN; 1093 count++; 1094 1095 WPA_PUT_LE16(count_pos, count); 1096 1097 WPA_PUT_LE16(pos, 1); 1098 pos += 2; 1099 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1100 pos += RSN_SELECTOR_LEN; 1101 1102 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1103 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1104 #ifdef CONFIG_TDLS_TESTING 1105 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1106 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1107 "testing"); 1108 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1109 } 1110 #endif /* CONFIG_TDLS_TESTING */ 1111 WPA_PUT_LE16(pos, rsn_capab); 1112 pos += 2; 1113 #ifdef CONFIG_TDLS_TESTING 1114 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1115 /* Number of PMKIDs */ 1116 *pos++ = 0x00; 1117 *pos++ = 0x00; 1118 } 1119 #endif /* CONFIG_TDLS_TESTING */ 1120 1121 hdr->len = (pos - peer->rsnie_i) - 2; 1122 peer->rsnie_i_len = pos - peer->rsnie_i; 1123 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1124 peer->rsnie_i, peer->rsnie_i_len); 1125 1126 skip_rsnie: 1127 buf_len = 0; 1128 if (wpa_tdls_get_privacy(sm)) 1129 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1130 sizeof(struct wpa_tdls_timeoutie); 1131 #ifdef CONFIG_TDLS_TESTING 1132 if (wpa_tdls_get_privacy(sm) && 1133 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1134 buf_len += 170; 1135 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1136 buf_len += sizeof(struct wpa_tdls_lnkid); 1137 #endif /* CONFIG_TDLS_TESTING */ 1138 rbuf = os_zalloc(buf_len + 1); 1139 if (rbuf == NULL) { 1140 wpa_tdls_peer_free(sm, peer); 1141 return -1; 1142 } 1143 pos = rbuf; 1144 1145 if (!wpa_tdls_get_privacy(sm)) 1146 goto skip_ies; 1147 1148 /* Initiator RSN IE */ 1149 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1150 1151 ftie = (struct wpa_tdls_ftie *) pos; 1152 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1153 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1154 1155 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1156 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1157 "TDLS: Failed to get random data for initiator Nonce"); 1158 os_free(rbuf); 1159 wpa_tdls_peer_free(sm, peer); 1160 return -1; 1161 } 1162 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1163 peer->inonce, WPA_NONCE_LEN); 1164 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1165 1166 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1167 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1168 1169 pos = (u8 *) (ftie + 1); 1170 1171 #ifdef CONFIG_TDLS_TESTING 1172 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1173 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1174 "FTIE"); 1175 ftie->ie_len += 170; 1176 *pos++ = 255; /* FTIE subelem */ 1177 *pos++ = 168; /* FTIE subelem length */ 1178 pos += 168; 1179 } 1180 #endif /* CONFIG_TDLS_TESTING */ 1181 1182 /* Lifetime */ 1183 peer->lifetime = TPK_LIFETIME; 1184 #ifdef CONFIG_TDLS_TESTING 1185 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1186 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1187 "lifetime"); 1188 peer->lifetime = 301; 1189 } 1190 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1191 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1192 "lifetime"); 1193 peer->lifetime = 0xffffffff; 1194 } 1195 #endif /* CONFIG_TDLS_TESTING */ 1196 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1197 sizeof(timeoutie), peer->lifetime); 1198 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1199 1200 skip_ies: 1201 1202 #ifdef CONFIG_TDLS_TESTING 1203 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1204 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1205 1206 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1207 "Link Identifier"); 1208 wpa_tdls_linkid(sm, peer, l); 1209 l->bssid[5] ^= 0x01; 1210 pos += sizeof(*l); 1211 } 1212 #endif /* CONFIG_TDLS_TESTING */ 1213 1214 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1215 "Handshake Message 1 (peer " MACSTR ")", 1216 MAC2STR(peer->addr)); 1217 1218 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1219 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1220 os_free(rbuf); 1221 1222 return status; 1223 } 1224 1225 1226 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1227 const unsigned char *src_addr, u8 dtoken, 1228 struct wpa_tdls_lnkid *lnkid, 1229 const struct wpa_tdls_peer *peer) 1230 { 1231 u8 *rbuf, *pos; 1232 size_t buf_len; 1233 u32 lifetime; 1234 struct wpa_tdls_timeoutie timeoutie; 1235 struct wpa_tdls_ftie *ftie; 1236 int status; 1237 1238 buf_len = 0; 1239 if (wpa_tdls_get_privacy(sm)) { 1240 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1241 * Lifetime */ 1242 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1243 sizeof(struct wpa_tdls_timeoutie); 1244 #ifdef CONFIG_TDLS_TESTING 1245 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1246 buf_len += 170; 1247 #endif /* CONFIG_TDLS_TESTING */ 1248 } 1249 1250 rbuf = os_zalloc(buf_len + 1); 1251 if (rbuf == NULL) 1252 return -1; 1253 pos = rbuf; 1254 1255 if (!wpa_tdls_get_privacy(sm)) 1256 goto skip_ies; 1257 1258 /* Peer RSN IE */ 1259 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1260 1261 ftie = (struct wpa_tdls_ftie *) pos; 1262 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1263 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1264 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1265 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1266 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1267 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1268 (u8 *) ftie, sizeof(*ftie)); 1269 1270 pos = (u8 *) (ftie + 1); 1271 1272 #ifdef CONFIG_TDLS_TESTING 1273 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1274 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1275 "FTIE"); 1276 ftie->ie_len += 170; 1277 *pos++ = 255; /* FTIE subelem */ 1278 *pos++ = 168; /* FTIE subelem length */ 1279 pos += 168; 1280 } 1281 #endif /* CONFIG_TDLS_TESTING */ 1282 1283 /* Lifetime */ 1284 lifetime = peer->lifetime; 1285 #ifdef CONFIG_TDLS_TESTING 1286 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1287 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1288 "lifetime in response"); 1289 lifetime++; 1290 } 1291 #endif /* CONFIG_TDLS_TESTING */ 1292 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1293 sizeof(timeoutie), lifetime); 1294 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1295 lifetime); 1296 1297 /* compute MIC before sending */ 1298 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1299 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1300 #ifdef CONFIG_TDLS_TESTING 1301 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1302 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1303 ftie->mic[0] ^= 0x01; 1304 } 1305 #endif /* CONFIG_TDLS_TESTING */ 1306 1307 skip_ies: 1308 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1309 dtoken, 0, 0, peer->initiator, rbuf, 1310 pos - rbuf); 1311 os_free(rbuf); 1312 1313 return status; 1314 } 1315 1316 1317 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1318 const unsigned char *src_addr, u8 dtoken, 1319 struct wpa_tdls_lnkid *lnkid, 1320 const struct wpa_tdls_peer *peer) 1321 { 1322 u8 *rbuf, *pos; 1323 size_t buf_len; 1324 struct wpa_tdls_ftie *ftie; 1325 struct wpa_tdls_timeoutie timeoutie; 1326 u32 lifetime; 1327 int status; 1328 u32 peer_capab = 0; 1329 1330 buf_len = 0; 1331 if (wpa_tdls_get_privacy(sm)) { 1332 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1333 * Lifetime */ 1334 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1335 sizeof(struct wpa_tdls_timeoutie); 1336 #ifdef CONFIG_TDLS_TESTING 1337 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1338 buf_len += 170; 1339 #endif /* CONFIG_TDLS_TESTING */ 1340 } 1341 1342 rbuf = os_zalloc(buf_len + 1); 1343 if (rbuf == NULL) 1344 return -1; 1345 pos = rbuf; 1346 1347 if (!wpa_tdls_get_privacy(sm)) 1348 goto skip_ies; 1349 1350 /* Peer RSN IE */ 1351 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1352 1353 ftie = (struct wpa_tdls_ftie *) pos; 1354 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1355 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1356 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1357 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1358 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1359 1360 pos = (u8 *) (ftie + 1); 1361 1362 #ifdef CONFIG_TDLS_TESTING 1363 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1364 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1365 "FTIE"); 1366 ftie->ie_len += 170; 1367 *pos++ = 255; /* FTIE subelem */ 1368 *pos++ = 168; /* FTIE subelem length */ 1369 pos += 168; 1370 } 1371 #endif /* CONFIG_TDLS_TESTING */ 1372 1373 /* Lifetime */ 1374 lifetime = peer->lifetime; 1375 #ifdef CONFIG_TDLS_TESTING 1376 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1377 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1378 "lifetime in confirm"); 1379 lifetime++; 1380 } 1381 #endif /* CONFIG_TDLS_TESTING */ 1382 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1383 sizeof(timeoutie), lifetime); 1384 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1385 lifetime); 1386 1387 /* compute MIC before sending */ 1388 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1389 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1390 #ifdef CONFIG_TDLS_TESTING 1391 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1392 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1393 ftie->mic[0] ^= 0x01; 1394 } 1395 #endif /* CONFIG_TDLS_TESTING */ 1396 1397 skip_ies: 1398 1399 if (peer->vht_capabilities) 1400 peer_capab |= TDLS_PEER_VHT; 1401 if (peer->ht_capabilities) 1402 peer_capab |= TDLS_PEER_HT; 1403 if (peer->wmm_capable) 1404 peer_capab |= TDLS_PEER_WMM; 1405 1406 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1407 dtoken, 0, peer_capab, peer->initiator, 1408 rbuf, pos - rbuf); 1409 os_free(rbuf); 1410 1411 return status; 1412 } 1413 1414 1415 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1416 struct wpa_tdls_peer *peer, 1417 u8 dialog_token) 1418 { 1419 size_t buf_len = 0; 1420 struct wpa_tdls_timeoutie timeoutie; 1421 u16 rsn_capab; 1422 u8 *rbuf, *pos, *count_pos; 1423 u16 count; 1424 struct rsn_ie_hdr *hdr; 1425 int status; 1426 1427 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1428 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1429 if (!wpa_tdls_get_privacy(sm)) 1430 goto skip_rsn_ies; 1431 1432 /* Filling RSN IE */ 1433 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1434 hdr->elem_id = WLAN_EID_RSN; 1435 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1436 pos = (u8 *) (hdr + 1); 1437 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1438 pos += RSN_SELECTOR_LEN; 1439 count_pos = pos; 1440 pos += 2; 1441 count = 0; 1442 1443 /* 1444 * AES-CCMP is the default encryption preferred for TDLS, so 1445 * RSN IE is filled only with CCMP cipher suite. 1446 * Note: TKIP is not used to encrypt TDLS link. 1447 * 1448 * Regardless of the cipher used on the AP connection, select CCMP 1449 * here. 1450 */ 1451 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1452 pos += RSN_SELECTOR_LEN; 1453 count++; 1454 WPA_PUT_LE16(count_pos, count); 1455 WPA_PUT_LE16(pos, 1); 1456 pos += 2; 1457 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1458 pos += RSN_SELECTOR_LEN; 1459 1460 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1461 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1462 WPA_PUT_LE16(pos, rsn_capab); 1463 pos += 2; 1464 hdr->len = (pos - (u8 *) hdr) - 2; 1465 peer->rsnie_i_len = pos - peer->rsnie_i; 1466 1467 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1468 (u8 *) hdr, hdr->len + 2); 1469 skip_rsn_ies: 1470 buf_len = 0; 1471 if (wpa_tdls_get_privacy(sm)) { 1472 /* Peer RSN IE, Lifetime */ 1473 buf_len += peer->rsnie_i_len + 1474 sizeof(struct wpa_tdls_timeoutie); 1475 } 1476 rbuf = os_zalloc(buf_len + 1); 1477 if (rbuf == NULL) { 1478 wpa_tdls_peer_free(sm, peer); 1479 return -1; 1480 } 1481 pos = rbuf; 1482 1483 if (!wpa_tdls_get_privacy(sm)) 1484 goto skip_ies; 1485 /* Initiator RSN IE */ 1486 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1487 /* Lifetime */ 1488 peer->lifetime = TPK_LIFETIME; 1489 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1490 sizeof(timeoutie), peer->lifetime); 1491 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1492 skip_ies: 1493 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1494 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1495 os_free(rbuf); 1496 1497 return status; 1498 } 1499 1500 1501 static int 1502 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1503 const u8 *buf, size_t len) 1504 { 1505 struct wpa_eapol_ie_parse kde; 1506 const struct wpa_tdls_lnkid *lnkid; 1507 struct wpa_tdls_peer *peer; 1508 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1509 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1510 u8 dialog_token; 1511 1512 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1513 MAC2STR(addr)); 1514 1515 if (len < min_req_len) { 1516 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1517 "%d", (int) len); 1518 return -1; 1519 } 1520 1521 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1522 1523 /* 1524 * Some APs will tack on a weird IE to the end of a TDLS 1525 * discovery request packet. This needn't fail the response, 1526 * since the required IE are verified separately. 1527 */ 1528 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1529 len - (sizeof(struct wpa_tdls_frame) + 1), 1530 &kde) < 0) { 1531 wpa_printf(MSG_DEBUG, 1532 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1533 } 1534 1535 if (!kde.lnkid) { 1536 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1537 "Request"); 1538 return -1; 1539 } 1540 1541 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1542 1543 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1544 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1545 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1546 return -1; 1547 } 1548 1549 peer = wpa_tdls_add_peer(sm, addr, NULL); 1550 if (peer == NULL) 1551 return -1; 1552 1553 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1554 } 1555 1556 1557 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1558 { 1559 if (sm->tdls_disabled || !sm->tdls_supported) 1560 return -1; 1561 1562 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1563 MACSTR, MAC2STR(addr)); 1564 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1565 1, 0, 0, 1, NULL, 0); 1566 } 1567 1568 1569 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1570 struct wpa_tdls_peer *peer) 1571 { 1572 if (!kde->supp_rates) { 1573 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1574 return -1; 1575 } 1576 peer->supp_rates_len = merge_byte_arrays( 1577 peer->supp_rates, sizeof(peer->supp_rates), 1578 kde->supp_rates + 2, kde->supp_rates_len - 2, 1579 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1580 kde->ext_supp_rates_len - 2); 1581 return 0; 1582 } 1583 1584 1585 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1586 struct wpa_tdls_peer *peer) 1587 { 1588 if (!kde->ht_capabilities) { 1589 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1590 "received"); 1591 return 0; 1592 } 1593 1594 if (!peer->ht_capabilities) { 1595 peer->ht_capabilities = 1596 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1597 if (peer->ht_capabilities == NULL) 1598 return -1; 1599 } 1600 1601 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1602 sizeof(struct ieee80211_ht_capabilities)); 1603 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1604 (u8 *) peer->ht_capabilities, 1605 sizeof(struct ieee80211_ht_capabilities)); 1606 1607 return 0; 1608 } 1609 1610 1611 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1612 struct wpa_tdls_peer *peer) 1613 { 1614 if (!kde->vht_capabilities) { 1615 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1616 "received"); 1617 return 0; 1618 } 1619 1620 if (!peer->vht_capabilities) { 1621 peer->vht_capabilities = 1622 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1623 if (peer->vht_capabilities == NULL) 1624 return -1; 1625 } 1626 1627 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1628 sizeof(struct ieee80211_vht_capabilities)); 1629 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1630 (u8 *) peer->vht_capabilities, 1631 sizeof(struct ieee80211_vht_capabilities)); 1632 1633 return 0; 1634 } 1635 1636 1637 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1638 struct wpa_tdls_peer *peer) 1639 { 1640 if (!kde->ext_capab) { 1641 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1642 "received"); 1643 return 0; 1644 } 1645 1646 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1647 /* Need to allocate buffer to fit the new information */ 1648 os_free(peer->ext_capab); 1649 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1650 if (peer->ext_capab == NULL) 1651 return -1; 1652 } 1653 1654 peer->ext_capab_len = kde->ext_capab_len - 2; 1655 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1656 1657 return 0; 1658 } 1659 1660 1661 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1662 struct wpa_tdls_peer *peer) 1663 { 1664 struct wmm_information_element *wmm; 1665 1666 if (!kde->wmm) { 1667 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1668 return 0; 1669 } 1670 1671 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1672 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1673 return -1; 1674 } 1675 1676 wmm = (struct wmm_information_element *) kde->wmm; 1677 peer->qos_info = wmm->qos_info; 1678 1679 peer->wmm_capable = 1; 1680 1681 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1682 return 0; 1683 } 1684 1685 1686 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1687 struct wpa_tdls_peer *peer) 1688 { 1689 if (!kde->supp_channels) { 1690 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1691 return 0; 1692 } 1693 1694 if (!peer->supp_channels || 1695 peer->supp_channels_len < kde->supp_channels_len) { 1696 os_free(peer->supp_channels); 1697 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1698 if (peer->supp_channels == NULL) 1699 return -1; 1700 } 1701 1702 peer->supp_channels_len = kde->supp_channels_len; 1703 1704 os_memcpy(peer->supp_channels, kde->supp_channels, 1705 peer->supp_channels_len); 1706 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1707 (u8 *) peer->supp_channels, peer->supp_channels_len); 1708 return 0; 1709 } 1710 1711 1712 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1713 struct wpa_tdls_peer *peer) 1714 { 1715 if (!kde->supp_oper_classes) { 1716 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1717 return 0; 1718 } 1719 1720 if (!peer->supp_oper_classes || 1721 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1722 os_free(peer->supp_oper_classes); 1723 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1724 if (peer->supp_oper_classes == NULL) 1725 return -1; 1726 } 1727 1728 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1729 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1730 peer->supp_oper_classes_len); 1731 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1732 (u8 *) peer->supp_oper_classes, 1733 peer->supp_oper_classes_len); 1734 return 0; 1735 } 1736 1737 1738 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1739 int add) 1740 { 1741 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1742 peer->capability, 1743 peer->supp_rates, peer->supp_rates_len, 1744 peer->ht_capabilities, 1745 peer->vht_capabilities, 1746 peer->qos_info, peer->wmm_capable, 1747 peer->ext_capab, peer->ext_capab_len, 1748 peer->supp_channels, 1749 peer->supp_channels_len, 1750 peer->supp_oper_classes, 1751 peer->supp_oper_classes_len); 1752 } 1753 1754 1755 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1756 const u8 *buf, size_t len) 1757 { 1758 struct wpa_tdls_peer *peer; 1759 struct wpa_eapol_ie_parse kde; 1760 struct wpa_ie_data ie; 1761 int cipher; 1762 const u8 *cpos; 1763 struct wpa_tdls_ftie *ftie = NULL; 1764 struct wpa_tdls_timeoutie *timeoutie; 1765 struct wpa_tdls_lnkid *lnkid; 1766 u32 lifetime = 0; 1767 #if 0 1768 struct rsn_ie_hdr *hdr; 1769 u8 *pos; 1770 u16 rsn_capab; 1771 u16 rsn_ver; 1772 #endif 1773 u8 dtoken; 1774 u16 ielen; 1775 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1776 int tdls_prohibited = sm->tdls_prohibited; 1777 int existing_peer = 0; 1778 1779 if (len < 3 + 3) 1780 return -1; 1781 1782 cpos = buf; 1783 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1784 1785 /* driver had already verified the frame format */ 1786 dtoken = *cpos++; /* dialog token */ 1787 1788 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1789 1790 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1791 if (peer == NULL) 1792 goto error; 1793 1794 /* If found, use existing entry instead of adding a new one; 1795 * how to handle the case where both ends initiate at the 1796 * same time? */ 1797 if (existing_peer) { 1798 if (peer->tpk_success) { 1799 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1800 "direct link is enabled - tear down the " 1801 "old link first"); 1802 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1803 wpa_tdls_peer_clear(sm, peer); 1804 } else if (peer->initiator) { 1805 /* 1806 * An entry is already present, so check if we already 1807 * sent a TDLS Setup Request. If so, compare MAC 1808 * addresses and let the STA with the lower MAC address 1809 * continue as the initiator. The other negotiation is 1810 * terminated. 1811 */ 1812 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1813 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1814 "from peer with higher address " 1815 MACSTR, MAC2STR(src_addr)); 1816 return -1; 1817 } else { 1818 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1819 "from peer with lower address " 1820 MACSTR " (terminate previously " 1821 "initiated negotiation", 1822 MAC2STR(src_addr)); 1823 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1824 peer->addr); 1825 wpa_tdls_peer_clear(sm, peer); 1826 } 1827 } 1828 } 1829 1830 /* capability information */ 1831 peer->capability = WPA_GET_LE16(cpos); 1832 cpos += 2; 1833 1834 ielen = len - (cpos - buf); /* start of IE in buf */ 1835 1836 /* 1837 * Don't reject the message if failing to parse IEs. The IEs we need are 1838 * explicitly checked below. Some APs may add arbitrary padding to the 1839 * end of short TDLS frames and that would look like invalid IEs. 1840 */ 1841 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1842 wpa_printf(MSG_DEBUG, 1843 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1844 1845 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1846 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1847 "TPK M1"); 1848 goto error; 1849 } 1850 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1851 kde.lnkid, kde.lnkid_len); 1852 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1853 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1854 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1855 status = WLAN_STATUS_REQUEST_DECLINED; 1856 goto error; 1857 } 1858 1859 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1860 MAC2STR(src_addr)); 1861 1862 if (copy_supp_rates(&kde, peer) < 0) 1863 goto error; 1864 1865 if (copy_peer_ht_capab(&kde, peer) < 0) 1866 goto error; 1867 1868 if (copy_peer_vht_capab(&kde, peer) < 0) 1869 goto error; 1870 1871 if (copy_peer_ext_capab(&kde, peer) < 0) 1872 goto error; 1873 1874 if (copy_peer_supp_channels(&kde, peer) < 0) 1875 goto error; 1876 1877 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1878 goto error; 1879 1880 peer->qos_info = kde.qosinfo; 1881 1882 /* Overwrite with the qos_info obtained in WMM IE */ 1883 if (copy_peer_wmm_capab(&kde, peer) < 0) 1884 goto error; 1885 1886 peer->aid = kde.aid; 1887 1888 #ifdef CONFIG_TDLS_TESTING 1889 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1890 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1891 if (peer == NULL) 1892 goto error; 1893 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1894 "TDLS setup - send own request"); 1895 peer->initiator = 1; 1896 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1897 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1898 wpa_tdls_send_tpk_m1(sm, peer); 1899 } 1900 1901 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1902 tdls_prohibited) { 1903 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1904 "on TDLS"); 1905 tdls_prohibited = 0; 1906 } 1907 #endif /* CONFIG_TDLS_TESTING */ 1908 1909 if (tdls_prohibited) { 1910 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1911 status = WLAN_STATUS_REQUEST_DECLINED; 1912 goto error; 1913 } 1914 1915 if (!wpa_tdls_get_privacy(sm)) { 1916 if (kde.rsn_ie) { 1917 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1918 "security is disabled"); 1919 status = WLAN_STATUS_SECURITY_DISABLED; 1920 goto error; 1921 } 1922 goto skip_rsn; 1923 } 1924 1925 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1926 kde.rsn_ie == NULL) { 1927 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1928 status = WLAN_STATUS_INVALID_PARAMETERS; 1929 goto error; 1930 } 1931 1932 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1933 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1934 "TPK M1"); 1935 status = WLAN_STATUS_INVALID_RSNIE; 1936 goto error; 1937 } 1938 1939 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1940 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1941 status = WLAN_STATUS_INVALID_RSNIE; 1942 goto error; 1943 } 1944 1945 cipher = ie.pairwise_cipher; 1946 if (cipher & WPA_CIPHER_CCMP) { 1947 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1948 cipher = WPA_CIPHER_CCMP; 1949 } else { 1950 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1951 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1952 goto error; 1953 } 1954 1955 if ((ie.capabilities & 1956 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1957 WPA_CAPABILITY_PEERKEY_ENABLED) { 1958 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1959 "TPK M1"); 1960 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1961 goto error; 1962 } 1963 1964 /* Lifetime */ 1965 if (kde.key_lifetime == NULL) { 1966 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1967 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1968 goto error; 1969 } 1970 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1971 lifetime = WPA_GET_LE32(timeoutie->value); 1972 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1973 if (lifetime < 300) { 1974 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1975 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1976 goto error; 1977 } 1978 1979 skip_rsn: 1980 #ifdef CONFIG_TDLS_TESTING 1981 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1982 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1983 /* 1984 * The request frame from us is going to win, so do not 1985 * replace information based on this request frame from 1986 * the peer. 1987 */ 1988 goto skip_rsn_check; 1989 } 1990 } 1991 #endif /* CONFIG_TDLS_TESTING */ 1992 1993 peer->initiator = 0; /* Need to check */ 1994 peer->dtoken = dtoken; 1995 1996 if (!wpa_tdls_get_privacy(sm)) { 1997 peer->rsnie_i_len = 0; 1998 peer->rsnie_p_len = 0; 1999 peer->cipher = WPA_CIPHER_NONE; 2000 goto skip_rsn_check; 2001 } 2002 2003 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2004 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2005 peer->rsnie_i_len = kde.rsn_ie_len; 2006 peer->cipher = cipher; 2007 2008 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2009 /* 2010 * There is no point in updating the RNonce for every obtained 2011 * TPK M1 frame (e.g., retransmission due to timeout) with the 2012 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2013 * retransmitted with a different INonce, update the RNonce 2014 * since this is for a new TDLS session. 2015 */ 2016 wpa_printf(MSG_DEBUG, 2017 "TDLS: New TPK M1 INonce - generate new RNonce"); 2018 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2019 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2020 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2021 "TDLS: Failed to get random data for responder nonce"); 2022 goto error; 2023 } 2024 } 2025 2026 #if 0 2027 /* get version info from RSNIE received from Peer */ 2028 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2029 rsn_ver = WPA_GET_LE16(hdr->version); 2030 2031 /* use min(peer's version, out version) */ 2032 if (rsn_ver > RSN_VERSION) 2033 rsn_ver = RSN_VERSION; 2034 2035 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2036 2037 hdr->elem_id = WLAN_EID_RSN; 2038 WPA_PUT_LE16(hdr->version, rsn_ver); 2039 pos = (u8 *) (hdr + 1); 2040 2041 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2042 pos += RSN_SELECTOR_LEN; 2043 /* Include only the selected cipher in pairwise cipher suite */ 2044 WPA_PUT_LE16(pos, 1); 2045 pos += 2; 2046 if (cipher == WPA_CIPHER_CCMP) 2047 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2048 pos += RSN_SELECTOR_LEN; 2049 2050 WPA_PUT_LE16(pos, 1); 2051 pos += 2; 2052 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2053 pos += RSN_SELECTOR_LEN; 2054 2055 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2056 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2057 WPA_PUT_LE16(pos, rsn_capab); 2058 pos += 2; 2059 2060 hdr->len = (pos - peer->rsnie_p) - 2; 2061 peer->rsnie_p_len = pos - peer->rsnie_p; 2062 #endif 2063 2064 /* temp fix: validation of RSNIE later */ 2065 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2066 peer->rsnie_p_len = peer->rsnie_i_len; 2067 2068 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2069 peer->rsnie_p, peer->rsnie_p_len); 2070 2071 peer->lifetime = lifetime; 2072 2073 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2074 2075 skip_rsn_check: 2076 #ifdef CONFIG_TDLS_TESTING 2077 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2078 goto skip_add_peer; 2079 #endif /* CONFIG_TDLS_TESTING */ 2080 2081 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2082 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2083 goto error; 2084 2085 #ifdef CONFIG_TDLS_TESTING 2086 skip_add_peer: 2087 #endif /* CONFIG_TDLS_TESTING */ 2088 peer->tpk_in_progress = 1; 2089 2090 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2091 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2092 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2093 goto error; 2094 } 2095 2096 return 0; 2097 2098 error: 2099 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2100 status); 2101 if (peer) 2102 wpa_tdls_peer_free(sm, peer); 2103 return -1; 2104 } 2105 2106 2107 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2108 { 2109 peer->tpk_success = 1; 2110 peer->tpk_in_progress = 0; 2111 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2112 if (wpa_tdls_get_privacy(sm)) { 2113 u32 lifetime = peer->lifetime; 2114 /* 2115 * Start the initiator process a bit earlier to avoid race 2116 * condition with the responder sending teardown request. 2117 */ 2118 if (lifetime > 3 && peer->initiator) 2119 lifetime -= 3; 2120 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2121 sm, peer); 2122 #ifdef CONFIG_TDLS_TESTING 2123 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2124 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2125 "expiration"); 2126 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2127 } 2128 #endif /* CONFIG_TDLS_TESTING */ 2129 } 2130 2131 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2132 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2133 "driver"); 2134 return -1; 2135 } 2136 peer->reconfig_key = 0; 2137 2138 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2139 } 2140 2141 2142 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2143 const u8 *buf, size_t len) 2144 { 2145 struct wpa_tdls_peer *peer; 2146 struct wpa_eapol_ie_parse kde; 2147 struct wpa_ie_data ie; 2148 int cipher; 2149 struct wpa_tdls_ftie *ftie; 2150 struct wpa_tdls_timeoutie *timeoutie; 2151 struct wpa_tdls_lnkid *lnkid; 2152 u32 lifetime; 2153 u8 dtoken; 2154 int ielen; 2155 u16 status; 2156 const u8 *pos; 2157 int ret = 0; 2158 2159 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2160 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2161 for (peer = sm->tdls; peer; peer = peer->next) { 2162 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2163 break; 2164 } 2165 if (peer == NULL) { 2166 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2167 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2168 return -1; 2169 } 2170 if (!peer->initiator) { 2171 /* 2172 * This may happen if both devices try to initiate TDLS at the 2173 * same time and we accept the TPK M1 from the peer in 2174 * wpa_tdls_process_tpk_m1() and clear our previous state. 2175 */ 2176 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2177 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2178 return -1; 2179 } 2180 2181 if (peer->tpk_success) { 2182 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2183 MACSTR " as TPK M3 was already sent", 2184 MAC2STR(src_addr)); 2185 return 0; 2186 } 2187 2188 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2189 2190 if (len < 3 + 2 + 1) { 2191 wpa_tdls_disable_peer_link(sm, peer); 2192 return -1; 2193 } 2194 2195 pos = buf; 2196 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2197 status = WPA_GET_LE16(pos); 2198 pos += 2 /* status code */; 2199 2200 if (status != WLAN_STATUS_SUCCESS) { 2201 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2202 status); 2203 wpa_tdls_disable_peer_link(sm, peer); 2204 return -1; 2205 } 2206 2207 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2208 2209 /* TODO: need to verify dialog token matches here or in kernel */ 2210 dtoken = *pos++; /* dialog token */ 2211 2212 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2213 2214 if (len < 3 + 2 + 1 + 2) { 2215 wpa_tdls_disable_peer_link(sm, peer); 2216 return -1; 2217 } 2218 2219 /* capability information */ 2220 peer->capability = WPA_GET_LE16(pos); 2221 pos += 2; 2222 2223 ielen = len - (pos - buf); /* start of IE in buf */ 2224 2225 /* 2226 * Don't reject the message if failing to parse IEs. The IEs we need are 2227 * explicitly checked below. Some APs may add arbitrary padding to the 2228 * end of short TDLS frames and that would look like invalid IEs. 2229 */ 2230 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2231 wpa_printf(MSG_DEBUG, 2232 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2233 2234 #ifdef CONFIG_TDLS_TESTING 2235 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2236 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2237 status = WLAN_STATUS_REQUEST_DECLINED; 2238 goto error; 2239 } 2240 #endif /* CONFIG_TDLS_TESTING */ 2241 2242 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2243 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2244 "TPK M2"); 2245 goto error; 2246 } 2247 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2248 kde.lnkid, kde.lnkid_len); 2249 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2250 2251 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2252 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2253 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2254 goto error; 2255 } 2256 2257 if (copy_supp_rates(&kde, peer) < 0) 2258 goto error; 2259 2260 if (copy_peer_ht_capab(&kde, peer) < 0) 2261 goto error; 2262 2263 if (copy_peer_vht_capab(&kde, peer) < 0) 2264 goto error; 2265 2266 if (copy_peer_ext_capab(&kde, peer) < 0) 2267 goto error; 2268 2269 if (copy_peer_supp_channels(&kde, peer) < 0) 2270 goto error; 2271 2272 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2273 goto error; 2274 2275 peer->qos_info = kde.qosinfo; 2276 2277 /* Overwrite with the qos_info obtained in WMM IE */ 2278 if (copy_peer_wmm_capab(&kde, peer) < 0) 2279 goto error; 2280 2281 peer->aid = kde.aid; 2282 2283 if (!wpa_tdls_get_privacy(sm)) { 2284 peer->rsnie_p_len = 0; 2285 peer->cipher = WPA_CIPHER_NONE; 2286 goto skip_rsn; 2287 } 2288 2289 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2290 kde.rsn_ie == NULL) { 2291 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2292 status = WLAN_STATUS_INVALID_PARAMETERS; 2293 goto error; 2294 } 2295 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2296 kde.rsn_ie, kde.rsn_ie_len); 2297 2298 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2299 wpa_printf(MSG_INFO, 2300 "TDLS: Too long Responder RSN IE in TPK M2"); 2301 status = WLAN_STATUS_INVALID_RSNIE; 2302 goto error; 2303 } 2304 2305 /* 2306 * FIX: bitwise comparison of RSN IE is not the correct way of 2307 * validation this. It can be different, but certain fields must 2308 * match. Since we list only a single pairwise cipher in TPK M1, the 2309 * memcmp is likely to work in most cases, though. 2310 */ 2311 if (kde.rsn_ie_len != peer->rsnie_i_len || 2312 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2313 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2314 "not match with RSN IE used in TPK M1"); 2315 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2316 peer->rsnie_i, peer->rsnie_i_len); 2317 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2318 kde.rsn_ie, kde.rsn_ie_len); 2319 status = WLAN_STATUS_INVALID_RSNIE; 2320 goto error; 2321 } 2322 2323 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2324 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2325 status = WLAN_STATUS_INVALID_RSNIE; 2326 goto error; 2327 } 2328 2329 cipher = ie.pairwise_cipher; 2330 if (cipher == WPA_CIPHER_CCMP) { 2331 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2332 cipher = WPA_CIPHER_CCMP; 2333 } else { 2334 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2335 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2336 goto error; 2337 } 2338 2339 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2340 kde.ftie, sizeof(*ftie)); 2341 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2342 2343 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2344 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2345 "not match with FTIE SNonce used in TPK M1"); 2346 /* Silently discard the frame */ 2347 return -1; 2348 } 2349 2350 /* Responder Nonce and RSN IE */ 2351 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2352 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2353 peer->rsnie_p_len = kde.rsn_ie_len; 2354 peer->cipher = cipher; 2355 2356 /* Lifetime */ 2357 if (kde.key_lifetime == NULL) { 2358 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2359 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2360 goto error; 2361 } 2362 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2363 lifetime = WPA_GET_LE32(timeoutie->value); 2364 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2365 lifetime); 2366 if (lifetime != peer->lifetime) { 2367 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2368 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2369 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2370 goto error; 2371 } 2372 2373 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2374 2375 /* Process MIC check to see if TPK M2 is right */ 2376 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2377 (u8 *) timeoutie, ftie) < 0) { 2378 /* Discard the frame */ 2379 wpa_tdls_del_key(sm, peer); 2380 wpa_tdls_disable_peer_link(sm, peer); 2381 return -1; 2382 } 2383 2384 if (wpa_tdls_set_key(sm, peer) < 0) { 2385 /* 2386 * Some drivers may not be able to config the key prior to full 2387 * STA entry having been configured. 2388 */ 2389 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2390 "STA entry is complete"); 2391 peer->reconfig_key = 1; 2392 } 2393 2394 skip_rsn: 2395 peer->dtoken = dtoken; 2396 2397 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2398 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2399 goto error; 2400 2401 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2402 "TPK Handshake Message 3"); 2403 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2404 goto error_no_msg; 2405 2406 if (!peer->tpk_success) { 2407 /* 2408 * Enable Link only when tpk_success is 0, signifying that this 2409 * processing of TPK M2 frame is not because of a retransmission 2410 * during TDLS setup handshake. 2411 */ 2412 ret = wpa_tdls_enable_link(sm, peer); 2413 if (ret < 0) { 2414 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2415 wpa_tdls_do_teardown( 2416 sm, peer, 2417 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2418 } 2419 } 2420 return ret; 2421 2422 error: 2423 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2424 status); 2425 error_no_msg: 2426 wpa_tdls_disable_peer_link(sm, peer); 2427 return -1; 2428 } 2429 2430 2431 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2432 const u8 *buf, size_t len) 2433 { 2434 struct wpa_tdls_peer *peer; 2435 struct wpa_eapol_ie_parse kde; 2436 struct wpa_tdls_ftie *ftie; 2437 struct wpa_tdls_timeoutie *timeoutie; 2438 struct wpa_tdls_lnkid *lnkid; 2439 int ielen; 2440 u16 status; 2441 const u8 *pos; 2442 u32 lifetime; 2443 int ret = 0; 2444 2445 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2446 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2447 for (peer = sm->tdls; peer; peer = peer->next) { 2448 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2449 break; 2450 } 2451 if (peer == NULL) { 2452 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2453 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2454 return -1; 2455 } 2456 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2457 2458 if (len < 3 + 3) 2459 goto error; 2460 pos = buf; 2461 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2462 2463 status = WPA_GET_LE16(pos); 2464 2465 if (status != 0) { 2466 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2467 status); 2468 goto error; 2469 } 2470 pos += 2 /* status code */ + 1 /* dialog token */; 2471 2472 ielen = len - (pos - buf); /* start of IE in buf */ 2473 2474 /* 2475 * Don't reject the message if failing to parse IEs. The IEs we need are 2476 * explicitly checked below. Some APs piggy-back broken IEs to the end 2477 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2478 * this error. 2479 */ 2480 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2481 wpa_printf(MSG_DEBUG, 2482 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2483 } 2484 2485 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2486 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2487 goto error; 2488 } 2489 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2490 (u8 *) kde.lnkid, kde.lnkid_len); 2491 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2492 2493 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2494 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2495 goto error; 2496 } 2497 2498 if (!wpa_tdls_get_privacy(sm)) 2499 goto skip_rsn; 2500 2501 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2502 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2503 goto error; 2504 } 2505 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2506 kde.ftie, sizeof(*ftie)); 2507 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2508 2509 if (kde.rsn_ie == NULL) { 2510 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2511 goto error; 2512 } 2513 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2514 kde.rsn_ie, kde.rsn_ie_len); 2515 if (kde.rsn_ie_len != peer->rsnie_p_len || 2516 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2517 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2518 "with the one sent in TPK M2"); 2519 goto error; 2520 } 2521 2522 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2523 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2524 "not match with FTIE ANonce used in TPK M2"); 2525 goto error; 2526 } 2527 2528 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2529 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2530 "match with FTIE SNonce used in TPK M1"); 2531 goto error; 2532 } 2533 2534 if (kde.key_lifetime == NULL) { 2535 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2536 goto error; 2537 } 2538 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2539 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2540 (u8 *) timeoutie, sizeof(*timeoutie)); 2541 lifetime = WPA_GET_LE32(timeoutie->value); 2542 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2543 lifetime); 2544 if (lifetime != peer->lifetime) { 2545 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2546 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2547 goto error; 2548 } 2549 2550 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2551 (u8 *) timeoutie, ftie) < 0) { 2552 wpa_tdls_del_key(sm, peer); 2553 goto error; 2554 } 2555 2556 if (wpa_tdls_set_key(sm, peer) < 0) { 2557 /* 2558 * Some drivers may not be able to config the key prior to full 2559 * STA entry having been configured. 2560 */ 2561 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2562 "STA entry is complete"); 2563 peer->reconfig_key = 1; 2564 } 2565 2566 skip_rsn: 2567 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2568 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2569 goto error; 2570 2571 if (!peer->tpk_success) { 2572 /* 2573 * Enable Link only when tpk_success is 0, signifying that this 2574 * processing of TPK M3 frame is not because of a retransmission 2575 * during TDLS setup handshake. 2576 */ 2577 ret = wpa_tdls_enable_link(sm, peer); 2578 if (ret < 0) { 2579 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2580 goto error; 2581 } 2582 } 2583 return ret; 2584 error: 2585 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2586 return -1; 2587 } 2588 2589 2590 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2591 { 2592 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2593 2594 os_memset(lifetime, 0, ie_len); 2595 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2596 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2597 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2598 WPA_PUT_LE32(lifetime->value, tsecs); 2599 os_memcpy(pos, ie, ie_len); 2600 return pos + ie_len; 2601 } 2602 2603 2604 /** 2605 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2606 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2607 * @peer: MAC address of the peer STA 2608 * Returns: 0 on success, or -1 on failure 2609 * 2610 * Send TPK Handshake Message 1 info to driver to start TDLS 2611 * handshake with the peer. 2612 */ 2613 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2614 { 2615 struct wpa_tdls_peer *peer; 2616 int tdls_prohibited = sm->tdls_prohibited; 2617 2618 if (sm->tdls_disabled || !sm->tdls_supported) 2619 return -1; 2620 2621 #ifdef CONFIG_TDLS_TESTING 2622 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2623 tdls_prohibited) { 2624 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2625 "on TDLS"); 2626 tdls_prohibited = 0; 2627 } 2628 #endif /* CONFIG_TDLS_TESTING */ 2629 2630 if (tdls_prohibited) { 2631 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2632 "reject request to start setup"); 2633 return -1; 2634 } 2635 2636 peer = wpa_tdls_add_peer(sm, addr, NULL); 2637 if (peer == NULL) 2638 return -1; 2639 2640 if (peer->tpk_in_progress) { 2641 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2642 return 0; 2643 } 2644 2645 peer->initiator = 1; 2646 2647 /* add the peer to the driver as a "setup in progress" peer */ 2648 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2649 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2650 wpa_tdls_disable_peer_link(sm, peer); 2651 return -1; 2652 } 2653 2654 peer->tpk_in_progress = 1; 2655 2656 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2657 wpa_tdls_disable_peer_link(sm, peer); 2658 return -1; 2659 } 2660 2661 return 0; 2662 } 2663 2664 2665 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2666 { 2667 struct wpa_tdls_peer *peer; 2668 2669 if (sm->tdls_disabled || !sm->tdls_supported) 2670 return; 2671 2672 for (peer = sm->tdls; peer; peer = peer->next) { 2673 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2674 break; 2675 } 2676 2677 if (peer == NULL || !peer->tpk_success) 2678 return; 2679 2680 if (sm->tdls_external_setup) { 2681 /* 2682 * Disable previous link to allow renegotiation to be completed 2683 * on AP path. 2684 */ 2685 wpa_tdls_do_teardown(sm, peer, 2686 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2687 } 2688 } 2689 2690 2691 /** 2692 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2693 * 2694 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2695 */ 2696 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2697 const u8 *buf, size_t len) 2698 { 2699 struct wpa_sm *sm = ctx; 2700 struct wpa_tdls_frame *tf; 2701 2702 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2703 buf, len); 2704 2705 if (sm->tdls_disabled || !sm->tdls_supported) { 2706 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2707 "or unsupported by driver"); 2708 return; 2709 } 2710 2711 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2712 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2713 return; 2714 } 2715 2716 if (len < sizeof(*tf)) { 2717 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2718 return; 2719 } 2720 2721 /* Check to make sure its a valid encapsulated TDLS frame */ 2722 tf = (struct wpa_tdls_frame *) buf; 2723 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2724 tf->category != WLAN_ACTION_TDLS) { 2725 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2726 "category=%u action=%u", 2727 tf->payloadtype, tf->category, tf->action); 2728 return; 2729 } 2730 2731 switch (tf->action) { 2732 case WLAN_TDLS_SETUP_REQUEST: 2733 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2734 break; 2735 case WLAN_TDLS_SETUP_RESPONSE: 2736 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2737 break; 2738 case WLAN_TDLS_SETUP_CONFIRM: 2739 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2740 break; 2741 case WLAN_TDLS_TEARDOWN: 2742 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2743 break; 2744 case WLAN_TDLS_DISCOVERY_REQUEST: 2745 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2746 break; 2747 default: 2748 /* Kernel code will process remaining frames */ 2749 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2750 tf->action); 2751 break; 2752 } 2753 } 2754 2755 2756 /** 2757 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2758 * @wpa_s: Pointer to wpa_supplicant data 2759 * Returns: 0 on success, -1 on failure 2760 * 2761 * This function is called to initialize driver interface parameters for TDLS. 2762 * wpa_drv_init() must have been called before this function to initialize the 2763 * driver interface. 2764 */ 2765 int wpa_tdls_init(struct wpa_sm *sm) 2766 { 2767 if (sm == NULL) 2768 return -1; 2769 2770 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2771 sm->ifname, 2772 sm->own_addr, 2773 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2774 sm, 0); 2775 if (sm->l2_tdls == NULL) { 2776 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2777 "connection"); 2778 return -1; 2779 } 2780 2781 /* 2782 * Drivers that support TDLS but don't implement the get_capa callback 2783 * are assumed to perform everything internally 2784 */ 2785 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2786 &sm->tdls_external_setup, 2787 &sm->tdls_chan_switch) < 0) { 2788 sm->tdls_supported = 1; 2789 sm->tdls_external_setup = 0; 2790 } 2791 2792 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2793 "driver", sm->tdls_supported ? "" : " not"); 2794 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2795 sm->tdls_external_setup ? "external" : "internal"); 2796 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2797 sm->tdls_chan_switch ? "supports" : "does not support"); 2798 2799 return 0; 2800 } 2801 2802 2803 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2804 { 2805 struct wpa_tdls_peer *peer, *tmp; 2806 2807 if (!sm) 2808 return; 2809 peer = sm->tdls; 2810 2811 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2812 2813 while (peer) { 2814 tmp = peer->next; 2815 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2816 MAC2STR(peer->addr)); 2817 if (sm->tdls_external_setup) 2818 wpa_tdls_do_teardown(sm, peer, 2819 WLAN_REASON_DEAUTH_LEAVING); 2820 else 2821 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2822 2823 peer = tmp; 2824 } 2825 } 2826 2827 2828 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2829 { 2830 struct wpa_tdls_peer *peer, *tmp; 2831 2832 peer = sm->tdls; 2833 2834 while (peer) { 2835 int res; 2836 tmp = peer->next; 2837 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2838 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2839 MAC2STR(peer->addr), res); 2840 wpa_tdls_peer_free(sm, peer); 2841 peer = tmp; 2842 } 2843 } 2844 2845 2846 /** 2847 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2848 * 2849 * This function is called to recover driver interface parameters for TDLS 2850 * and frees resources allocated for it. 2851 */ 2852 void wpa_tdls_deinit(struct wpa_sm *sm) 2853 { 2854 if (sm == NULL) 2855 return; 2856 2857 if (sm->l2_tdls) 2858 l2_packet_deinit(sm->l2_tdls); 2859 sm->l2_tdls = NULL; 2860 2861 wpa_tdls_remove_peers(sm); 2862 } 2863 2864 2865 void wpa_tdls_assoc(struct wpa_sm *sm) 2866 { 2867 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2868 wpa_tdls_remove_peers(sm); 2869 } 2870 2871 2872 void wpa_tdls_disassoc(struct wpa_sm *sm) 2873 { 2874 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2875 wpa_tdls_remove_peers(sm); 2876 } 2877 2878 2879 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2880 { 2881 /* bit 38 - TDLS Prohibited */ 2882 return !!(elems->ext_capab[4] & 0x40); 2883 } 2884 2885 2886 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2887 { 2888 /* bit 39 - TDLS Channel Switch Prohibited */ 2889 return !!(elems->ext_capab[4] & 0x80); 2890 } 2891 2892 2893 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2894 { 2895 struct ieee802_11_elems elems; 2896 2897 sm->tdls_prohibited = 0; 2898 sm->tdls_chan_switch_prohibited = 0; 2899 2900 if (ies == NULL || 2901 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2902 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2903 return; 2904 2905 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2906 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2907 sm->tdls_prohibited ? "prohibited" : "allowed"); 2908 sm->tdls_chan_switch_prohibited = 2909 wpa_tdls_chan_switch_prohibited(&elems); 2910 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2911 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2912 } 2913 2914 2915 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2916 { 2917 struct ieee802_11_elems elems; 2918 2919 if (ies == NULL || 2920 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2921 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2922 return; 2923 2924 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2925 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2926 "(Re)Association Response IEs"); 2927 sm->tdls_prohibited = 1; 2928 } 2929 2930 if (!sm->tdls_chan_switch_prohibited && 2931 wpa_tdls_chan_switch_prohibited(&elems)) { 2932 wpa_printf(MSG_DEBUG, 2933 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2934 sm->tdls_chan_switch_prohibited = 1; 2935 } 2936 } 2937 2938 2939 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2940 { 2941 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2942 sm->tdls_disabled = !enabled; 2943 } 2944 2945 2946 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2947 { 2948 return sm->tdls_external_setup; 2949 } 2950 2951 2952 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2953 u8 oper_class, 2954 struct hostapd_freq_params *freq_params) 2955 { 2956 struct wpa_tdls_peer *peer; 2957 int ret; 2958 2959 if (sm->tdls_disabled || !sm->tdls_supported) 2960 return -1; 2961 2962 if (!sm->tdls_chan_switch) { 2963 wpa_printf(MSG_DEBUG, 2964 "TDLS: Channel switching not supported by the driver"); 2965 return -1; 2966 } 2967 2968 if (sm->tdls_chan_switch_prohibited) { 2969 wpa_printf(MSG_DEBUG, 2970 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 2971 return -1; 2972 } 2973 2974 for (peer = sm->tdls; peer; peer = peer->next) { 2975 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2976 break; 2977 } 2978 2979 if (peer == NULL || !peer->tpk_success) { 2980 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 2981 " not found for channel switching", MAC2STR(addr)); 2982 return -1; 2983 } 2984 2985 if (peer->chan_switch_enabled) { 2986 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 2987 " already has channel switching enabled", 2988 MAC2STR(addr)); 2989 return 0; 2990 } 2991 2992 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 2993 oper_class, freq_params); 2994 if (!ret) 2995 peer->chan_switch_enabled = 1; 2996 2997 return ret; 2998 } 2999 3000 3001 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3002 { 3003 struct wpa_tdls_peer *peer; 3004 3005 if (sm->tdls_disabled || !sm->tdls_supported) 3006 return -1; 3007 3008 for (peer = sm->tdls; peer; peer = peer->next) { 3009 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3010 break; 3011 } 3012 3013 if (!peer || !peer->chan_switch_enabled) { 3014 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3015 MACSTR, MAC2STR(addr)); 3016 return -1; 3017 } 3018 3019 /* ignore the return value */ 3020 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3021 3022 peer->chan_switch_enabled = 0; 3023 return 0; 3024 } 3025