1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tk_set; /* TPK-TK configured to the driver */ 116 int tpk_success; 117 int tpk_in_progress; 118 119 struct tpk_timer { 120 u8 dest[ETH_ALEN]; 121 int count; /* Retry Count */ 122 int timer; /* Timeout in milliseconds */ 123 u8 action_code; /* TDLS frame type */ 124 u8 dialog_token; 125 u16 status_code; 126 u32 peer_capab; 127 int buf_len; /* length of TPK message for retransmission */ 128 u8 *buf; /* buffer for TPK message */ 129 } sm_tmr; 130 131 u16 capability; 132 133 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 134 size_t supp_rates_len; 135 136 struct ieee80211_ht_capabilities *ht_capabilities; 137 struct ieee80211_vht_capabilities *vht_capabilities; 138 139 u8 qos_info; 140 141 u16 aid; 142 143 u8 *ext_capab; 144 size_t ext_capab_len; 145 146 u8 *supp_channels; 147 size_t supp_channels_len; 148 149 u8 *supp_oper_classes; 150 size_t supp_oper_classes_len; 151 152 u8 wmm_capable; 153 154 /* channel switch currently enabled */ 155 int chan_switch_enabled; 156 }; 157 158 159 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 160 { 161 /* 162 * Get info needed from supplicant to check if the current BSS supports 163 * security. Other than OPEN mode, rest are considered secured 164 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 165 */ 166 return sm->pairwise_cipher != WPA_CIPHER_NONE; 167 } 168 169 170 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 171 { 172 os_memcpy(pos, ie, ie_len); 173 return pos + ie_len; 174 } 175 176 177 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 178 { 179 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 180 0, 0, NULL, 0, NULL, 0) < 0) { 181 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 182 "the driver"); 183 return -1; 184 } 185 186 return 0; 187 } 188 189 190 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 191 { 192 u8 key_len; 193 u8 rsc[6]; 194 enum wpa_alg alg; 195 196 if (peer->tk_set) { 197 /* 198 * This same TPK-TK has already been configured to the driver 199 * and this new configuration attempt (likely due to an 200 * unexpected retransmitted frame) would result in clearing 201 * the TX/RX sequence number which can break security, so must 202 * not allow that to happen. 203 */ 204 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 205 " has already been configured to the driver - do not reconfigure", 206 MAC2STR(peer->addr)); 207 return -1; 208 } 209 210 os_memset(rsc, 0, 6); 211 212 switch (peer->cipher) { 213 case WPA_CIPHER_CCMP: 214 alg = WPA_ALG_CCMP; 215 key_len = 16; 216 break; 217 case WPA_CIPHER_NONE: 218 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 219 "NONE - do not use pairwise keys"); 220 return -1; 221 default: 222 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 223 sm->pairwise_cipher); 224 return -1; 225 } 226 227 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 228 MAC2STR(peer->addr)); 229 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 230 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 231 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 232 "driver"); 233 return -1; 234 } 235 peer->tk_set = 1; 236 return 0; 237 } 238 239 240 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 241 u8 action_code, u8 dialog_token, 242 u16 status_code, u32 peer_capab, 243 int initiator, const u8 *buf, size_t len) 244 { 245 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 246 status_code, peer_capab, initiator, buf, 247 len); 248 } 249 250 251 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 252 u8 dialog_token, u16 status_code, u32 peer_capab, 253 int initiator, const u8 *msg, size_t msg_len) 254 { 255 struct wpa_tdls_peer *peer; 256 257 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 258 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 259 "msg_len=%u", 260 MAC2STR(dest), action_code, dialog_token, status_code, 261 peer_capab, initiator, (unsigned int) msg_len); 262 263 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 264 status_code, peer_capab, initiator, msg, 265 msg_len)) { 266 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 267 "(action_code=%u)", action_code); 268 return -1; 269 } 270 271 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 272 action_code == WLAN_TDLS_TEARDOWN || 273 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 274 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 275 return 0; /* No retries */ 276 277 for (peer = sm->tdls; peer; peer = peer->next) { 278 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 279 break; 280 } 281 282 if (peer == NULL) { 283 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 284 "retry " MACSTR, MAC2STR(dest)); 285 return 0; 286 } 287 288 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 289 290 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 291 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 292 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 293 } else { 294 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 295 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 296 } 297 298 /* Copy message to resend on timeout */ 299 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 300 peer->sm_tmr.action_code = action_code; 301 peer->sm_tmr.dialog_token = dialog_token; 302 peer->sm_tmr.status_code = status_code; 303 peer->sm_tmr.peer_capab = peer_capab; 304 peer->sm_tmr.buf_len = msg_len; 305 os_free(peer->sm_tmr.buf); 306 peer->sm_tmr.buf = os_malloc(msg_len); 307 if (peer->sm_tmr.buf == NULL) 308 return -1; 309 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 310 311 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 312 "(action_code=%u)", action_code); 313 eloop_register_timeout(peer->sm_tmr.timer / 1000, 314 (peer->sm_tmr.timer % 1000) * 1000, 315 wpa_tdls_tpk_retry_timeout, sm, peer); 316 return 0; 317 } 318 319 320 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 321 u16 reason_code) 322 { 323 int ret; 324 325 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 326 /* disable the link after teardown was sent */ 327 wpa_tdls_disable_peer_link(sm, peer); 328 329 return ret; 330 } 331 332 333 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 334 { 335 336 struct wpa_sm *sm = eloop_ctx; 337 struct wpa_tdls_peer *peer = timeout_ctx; 338 339 if (peer->sm_tmr.count) { 340 peer->sm_tmr.count--; 341 342 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 343 "(action_code=%u)", 344 peer->sm_tmr.action_code); 345 346 if (peer->sm_tmr.buf == NULL) { 347 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 348 "for action_code=%u", 349 peer->sm_tmr.action_code); 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 351 peer); 352 return; 353 } 354 355 /* resend TPK Handshake Message to Peer */ 356 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 357 peer->sm_tmr.action_code, 358 peer->sm_tmr.dialog_token, 359 peer->sm_tmr.status_code, 360 peer->sm_tmr.peer_capab, 361 peer->initiator, 362 peer->sm_tmr.buf, 363 peer->sm_tmr.buf_len)) { 364 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 365 "transmission"); 366 } 367 368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 369 eloop_register_timeout(peer->sm_tmr.timer / 1000, 370 (peer->sm_tmr.timer % 1000) * 1000, 371 wpa_tdls_tpk_retry_timeout, sm, peer); 372 } else { 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 376 wpa_tdls_do_teardown(sm, peer, 377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 378 } 379 } 380 381 382 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 383 struct wpa_tdls_peer *peer, 384 u8 action_code) 385 { 386 if (action_code == peer->sm_tmr.action_code) { 387 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 388 "action_code=%u", action_code); 389 390 /* Cancel Timeout registered */ 391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 392 393 /* free all resources meant for retry */ 394 os_free(peer->sm_tmr.buf); 395 peer->sm_tmr.buf = NULL; 396 397 peer->sm_tmr.count = 0; 398 peer->sm_tmr.timer = 0; 399 peer->sm_tmr.buf_len = 0; 400 peer->sm_tmr.action_code = 0xff; 401 } else { 402 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 403 "(Unknown action_code=%u)", action_code); 404 } 405 } 406 407 408 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 409 const u8 *own_addr, const u8 *bssid) 410 { 411 u8 key_input[SHA256_MAC_LEN]; 412 const u8 *nonce[2]; 413 size_t len[2]; 414 u8 data[3 * ETH_ALEN]; 415 416 /* IEEE Std 802.11z-2010 8.5.9.1: 417 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 418 */ 419 len[0] = WPA_NONCE_LEN; 420 len[1] = WPA_NONCE_LEN; 421 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 422 nonce[0] = peer->inonce; 423 nonce[1] = peer->rnonce; 424 } else { 425 nonce[0] = peer->rnonce; 426 nonce[1] = peer->inonce; 427 } 428 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 429 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 430 sha256_vector(2, nonce, len, key_input); 431 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 432 key_input, SHA256_MAC_LEN); 433 434 /* 435 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 436 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 437 * TODO: is N_KEY really included in KDF Context and if so, in which 438 * presentation format (little endian 16-bit?) is it used? It gets 439 * added by the KDF anyway.. 440 */ 441 442 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 443 os_memcpy(data, own_addr, ETH_ALEN); 444 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 445 } else { 446 os_memcpy(data, peer->addr, ETH_ALEN); 447 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 448 } 449 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 450 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 451 452 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 453 (u8 *) &peer->tpk, sizeof(peer->tpk)); 454 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 455 peer->tpk.kck, sizeof(peer->tpk.kck)); 456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 457 peer->tpk.tk, sizeof(peer->tpk.tk)); 458 peer->tpk_set = 1; 459 } 460 461 462 /** 463 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 464 * @kck: TPK-KCK 465 * @lnkid: Pointer to the beginning of Link Identifier IE 466 * @rsnie: Pointer to the beginning of RSN IE used for handshake 467 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 468 * @ftie: Pointer to the beginning of FT IE 469 * @mic: Pointer for writing MIC 470 * 471 * Calculate MIC for TDLS frame. 472 */ 473 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 474 const u8 *rsnie, const u8 *timeoutie, 475 const u8 *ftie, u8 *mic) 476 { 477 u8 *buf, *pos; 478 struct wpa_tdls_ftie *_ftie; 479 const struct wpa_tdls_lnkid *_lnkid; 480 int ret; 481 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 482 2 + timeoutie[1] + 2 + ftie[1]; 483 buf = os_zalloc(len); 484 if (!buf) { 485 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 486 return -1; 487 } 488 489 pos = buf; 490 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 491 /* 1) TDLS initiator STA MAC address */ 492 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 493 pos += ETH_ALEN; 494 /* 2) TDLS responder STA MAC address */ 495 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 496 pos += ETH_ALEN; 497 /* 3) Transaction Sequence number */ 498 *pos++ = trans_seq; 499 /* 4) Link Identifier IE */ 500 os_memcpy(pos, lnkid, 2 + lnkid[1]); 501 pos += 2 + lnkid[1]; 502 /* 5) RSN IE */ 503 os_memcpy(pos, rsnie, 2 + rsnie[1]); 504 pos += 2 + rsnie[1]; 505 /* 6) Timeout Interval IE */ 506 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 507 pos += 2 + timeoutie[1]; 508 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 509 os_memcpy(pos, ftie, 2 + ftie[1]); 510 _ftie = (struct wpa_tdls_ftie *) pos; 511 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 512 pos += 2 + ftie[1]; 513 514 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 515 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 516 ret = omac1_aes_128(kck, buf, pos - buf, mic); 517 os_free(buf); 518 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 519 return ret; 520 } 521 522 523 /** 524 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 525 * @kck: TPK-KCK 526 * @trans_seq: Transaction Sequence Number (4 - Teardown) 527 * @rcode: Reason code for Teardown 528 * @dtoken: Dialog Token used for that particular link 529 * @lnkid: Pointer to the beginning of Link Identifier IE 530 * @ftie: Pointer to the beginning of FT IE 531 * @mic: Pointer for writing MIC 532 * 533 * Calculate MIC for TDLS frame. 534 */ 535 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 536 u8 dtoken, const u8 *lnkid, 537 const u8 *ftie, u8 *mic) 538 { 539 u8 *buf, *pos; 540 struct wpa_tdls_ftie *_ftie; 541 int ret; 542 int len; 543 544 if (lnkid == NULL) 545 return -1; 546 547 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 548 sizeof(trans_seq) + 2 + ftie[1]; 549 550 buf = os_zalloc(len); 551 if (!buf) { 552 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 553 return -1; 554 } 555 556 pos = buf; 557 /* 1) Link Identifier IE */ 558 os_memcpy(pos, lnkid, 2 + lnkid[1]); 559 pos += 2 + lnkid[1]; 560 /* 2) Reason Code */ 561 WPA_PUT_LE16(pos, rcode); 562 pos += sizeof(rcode); 563 /* 3) Dialog token */ 564 *pos++ = dtoken; 565 /* 4) Transaction Sequence number */ 566 *pos++ = trans_seq; 567 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 568 os_memcpy(pos, ftie, 2 + ftie[1]); 569 _ftie = (struct wpa_tdls_ftie *) pos; 570 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 571 pos += 2 + ftie[1]; 572 573 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 574 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 575 ret = omac1_aes_128(kck, buf, pos - buf, mic); 576 os_free(buf); 577 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 578 return ret; 579 } 580 581 582 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 583 struct wpa_tdls_peer *peer, 584 const u8 *lnkid, const u8 *timeoutie, 585 const struct wpa_tdls_ftie *ftie) 586 { 587 u8 mic[16]; 588 589 if (peer->tpk_set) { 590 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 591 peer->rsnie_p, timeoutie, (u8 *) ftie, 592 mic); 593 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 594 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 595 "dropping packet"); 596 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 597 ftie->mic, 16); 598 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 599 mic, 16); 600 return -1; 601 } 602 } else { 603 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 604 "TPK not set - dropping packet"); 605 return -1; 606 } 607 return 0; 608 } 609 610 611 static int wpa_supplicant_verify_tdls_mic_teardown( 612 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 613 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 614 { 615 u8 mic[16]; 616 617 if (peer->tpk_set) { 618 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 619 dtoken, lnkid, (u8 *) ftie, mic); 620 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 621 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 622 "dropping packet"); 623 return -1; 624 } 625 } else { 626 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 627 "MIC, TPK not set - dropping packet"); 628 return -1; 629 } 630 return 0; 631 } 632 633 634 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 635 { 636 struct wpa_sm *sm = eloop_ctx; 637 struct wpa_tdls_peer *peer = timeout_ctx; 638 639 /* 640 * On TPK lifetime expiration, we have an option of either tearing down 641 * the direct link or trying to re-initiate it. The selection of what 642 * to do is not strictly speaking controlled by our role in the expired 643 * link, but for now, use that to select whether to renew or tear down 644 * the link. 645 */ 646 647 if (peer->initiator) { 648 u8 addr[ETH_ALEN]; 649 650 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 651 " - try to renew", MAC2STR(peer->addr)); 652 /* cache the peer address before do_teardown */ 653 os_memcpy(addr, peer->addr, ETH_ALEN); 654 wpa_tdls_do_teardown(sm, peer, 655 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 656 wpa_tdls_start(sm, addr); 657 } else { 658 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 659 " - tear down", MAC2STR(peer->addr)); 660 wpa_tdls_do_teardown(sm, peer, 661 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 662 } 663 } 664 665 666 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 667 struct wpa_tdls_peer *peer) 668 { 669 struct wpa_tdls_peer *cur, *prev; 670 671 cur = sm->tdls; 672 prev = NULL; 673 while (cur && cur != peer) { 674 prev = cur; 675 cur = cur->next; 676 } 677 678 if (cur != peer) { 679 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 680 " to remove it from the list", 681 MAC2STR(peer->addr)); 682 return; 683 } 684 685 if (prev) 686 prev->next = peer->next; 687 else 688 sm->tdls = peer->next; 689 } 690 691 692 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 693 { 694 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 695 MAC2STR(peer->addr)); 696 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 697 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 698 peer->reconfig_key = 0; 699 peer->initiator = 0; 700 peer->tpk_in_progress = 0; 701 os_free(peer->sm_tmr.buf); 702 peer->sm_tmr.buf = NULL; 703 os_free(peer->ht_capabilities); 704 peer->ht_capabilities = NULL; 705 os_free(peer->vht_capabilities); 706 peer->vht_capabilities = NULL; 707 os_free(peer->ext_capab); 708 peer->ext_capab = NULL; 709 os_free(peer->supp_channels); 710 peer->supp_channels = NULL; 711 os_free(peer->supp_oper_classes); 712 peer->supp_oper_classes = NULL; 713 peer->rsnie_i_len = peer->rsnie_p_len = 0; 714 peer->cipher = 0; 715 peer->qos_info = 0; 716 peer->wmm_capable = 0; 717 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 718 peer->chan_switch_enabled = 0; 719 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 720 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 721 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 722 } 723 724 725 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 726 { 727 wpa_tdls_peer_clear(sm, peer); 728 wpa_tdls_peer_remove_from_list(sm, peer); 729 os_free(peer); 730 } 731 732 733 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 734 struct wpa_tdls_lnkid *lnkid) 735 { 736 lnkid->ie_type = WLAN_EID_LINK_ID; 737 lnkid->ie_len = 3 * ETH_ALEN; 738 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 739 if (peer->initiator) { 740 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 741 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 742 } else { 743 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 744 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 745 } 746 } 747 748 749 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 750 u16 reason_code) 751 { 752 struct wpa_tdls_peer *peer; 753 struct wpa_tdls_ftie *ftie; 754 struct wpa_tdls_lnkid lnkid; 755 u8 dialog_token; 756 u8 *rbuf, *pos; 757 int ielen; 758 759 if (sm->tdls_disabled || !sm->tdls_supported) 760 return -1; 761 762 /* Find the node and free from the list */ 763 for (peer = sm->tdls; peer; peer = peer->next) { 764 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 765 break; 766 } 767 768 if (peer == NULL) { 769 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 770 "Teardown " MACSTR, MAC2STR(addr)); 771 return 0; 772 } 773 774 /* Cancel active channel switch before teardown */ 775 if (peer->chan_switch_enabled) { 776 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 777 " to base channel", MAC2STR(addr)); 778 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 779 } 780 781 dialog_token = peer->dtoken; 782 783 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 784 MAC2STR(addr)); 785 786 ielen = 0; 787 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 788 /* To add FTIE for Teardown request and compute MIC */ 789 ielen += sizeof(*ftie); 790 #ifdef CONFIG_TDLS_TESTING 791 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 792 ielen += 170; 793 #endif /* CONFIG_TDLS_TESTING */ 794 } 795 796 rbuf = os_zalloc(ielen + 1); 797 if (rbuf == NULL) 798 return -1; 799 pos = rbuf; 800 801 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 802 goto skip_ies; 803 804 ftie = (struct wpa_tdls_ftie *) pos; 805 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 806 /* Using the recent nonce which should be for CONFIRM frame */ 807 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 808 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 809 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 810 pos = (u8 *) (ftie + 1); 811 #ifdef CONFIG_TDLS_TESTING 812 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 813 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 814 "FTIE"); 815 ftie->ie_len += 170; 816 *pos++ = 255; /* FTIE subelem */ 817 *pos++ = 168; /* FTIE subelem length */ 818 pos += 168; 819 } 820 #endif /* CONFIG_TDLS_TESTING */ 821 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 822 (u8 *) ftie, pos - (u8 *) ftie); 823 824 /* compute MIC before sending */ 825 wpa_tdls_linkid(sm, peer, &lnkid); 826 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 827 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 828 ftie->mic); 829 830 skip_ies: 831 /* TODO: register for a Timeout handler, if Teardown is not received at 832 * the other end, then try again another time */ 833 834 /* request driver to send Teardown using this FTIE */ 835 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 836 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 837 os_free(rbuf); 838 839 return 0; 840 } 841 842 843 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 844 { 845 struct wpa_tdls_peer *peer; 846 847 if (sm->tdls_disabled || !sm->tdls_supported) 848 return -1; 849 850 for (peer = sm->tdls; peer; peer = peer->next) { 851 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 852 break; 853 } 854 855 if (peer == NULL) { 856 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 857 " for link Teardown", MAC2STR(addr)); 858 return -1; 859 } 860 861 if (!peer->tpk_success) { 862 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 863 " not connected - cannot Teardown link", MAC2STR(addr)); 864 return -1; 865 } 866 867 return wpa_tdls_do_teardown(sm, peer, reason_code); 868 } 869 870 871 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 872 struct wpa_tdls_peer *peer) 873 { 874 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 875 wpa_tdls_peer_free(sm, peer); 876 } 877 878 879 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 880 { 881 struct wpa_tdls_peer *peer; 882 883 for (peer = sm->tdls; peer; peer = peer->next) { 884 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 885 break; 886 } 887 888 if (!peer || !peer->tpk_success) { 889 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 890 " not connected - cannot teardown unreachable link", 891 MAC2STR(addr)); 892 return; 893 } 894 895 if (wpa_tdls_is_external_setup(sm)) { 896 /* 897 * Get us on the base channel, disable the link, send a 898 * teardown packet through the AP, and then reset link data. 899 */ 900 if (peer->chan_switch_enabled) 901 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 902 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 903 wpa_tdls_send_teardown(sm, addr, 904 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 905 wpa_tdls_peer_free(sm, peer); 906 } else { 907 wpa_tdls_disable_peer_link(sm, peer); 908 } 909 } 910 911 912 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 913 { 914 struct wpa_tdls_peer *peer; 915 916 if (sm->tdls_disabled || !sm->tdls_supported) 917 return "disabled"; 918 919 for (peer = sm->tdls; peer; peer = peer->next) { 920 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 921 break; 922 } 923 924 if (peer == NULL) 925 return "peer does not exist"; 926 927 if (!peer->tpk_success) 928 return "peer not connected"; 929 930 return "connected"; 931 } 932 933 934 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 935 const u8 *buf, size_t len) 936 { 937 struct wpa_tdls_peer *peer = NULL; 938 struct wpa_tdls_ftie *ftie; 939 struct wpa_tdls_lnkid *lnkid; 940 struct wpa_eapol_ie_parse kde; 941 u16 reason_code; 942 const u8 *pos; 943 int ielen; 944 945 /* Find the node and free from the list */ 946 for (peer = sm->tdls; peer; peer = peer->next) { 947 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 948 break; 949 } 950 951 if (peer == NULL) { 952 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 953 "Teardown " MACSTR, MAC2STR(src_addr)); 954 return 0; 955 } 956 957 pos = buf; 958 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 959 960 reason_code = WPA_GET_LE16(pos); 961 pos += 2; 962 963 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 964 " (reason code %u)", MAC2STR(src_addr), reason_code); 965 966 ielen = len - (pos - buf); /* start of IE in buf */ 967 968 /* 969 * Don't reject the message if failing to parse IEs. The IEs we need are 970 * explicitly checked below. Some APs may add arbitrary padding to the 971 * end of short TDLS frames and that would look like invalid IEs. 972 */ 973 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 974 wpa_printf(MSG_DEBUG, 975 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 976 977 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 978 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 979 "Teardown"); 980 return -1; 981 } 982 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 983 984 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 985 goto skip_ftie; 986 987 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 988 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 989 return -1; 990 } 991 992 ftie = (struct wpa_tdls_ftie *) kde.ftie; 993 994 /* Process MIC check to see if TDLS Teardown is right */ 995 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 996 peer->dtoken, peer, 997 (u8 *) lnkid, ftie) < 0) { 998 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 999 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 1000 return -1; 1001 } 1002 1003 skip_ftie: 1004 /* 1005 * Request the driver to disable the direct link and clear associated 1006 * keys. 1007 */ 1008 wpa_tdls_disable_peer_link(sm, peer); 1009 return 0; 1010 } 1011 1012 1013 /** 1014 * wpa_tdls_send_error - To send suitable TDLS status response with 1015 * appropriate status code mentioning reason for error/failure. 1016 * @dst - MAC addr of Peer station 1017 * @tdls_action - TDLS frame type for which error code is sent 1018 * @initiator - was this end the initiator of the connection 1019 * @status - status code mentioning reason 1020 */ 1021 1022 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1023 u8 tdls_action, u8 dialog_token, int initiator, 1024 u16 status) 1025 { 1026 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1027 " (action=%u status=%u)", 1028 MAC2STR(dst), tdls_action, status); 1029 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1030 0, initiator, NULL, 0); 1031 } 1032 1033 1034 static struct wpa_tdls_peer * 1035 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1036 { 1037 struct wpa_tdls_peer *peer; 1038 1039 if (existing) 1040 *existing = 0; 1041 for (peer = sm->tdls; peer; peer = peer->next) { 1042 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1043 if (existing) 1044 *existing = 1; 1045 return peer; /* re-use existing entry */ 1046 } 1047 } 1048 1049 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1050 MAC2STR(addr)); 1051 1052 peer = os_zalloc(sizeof(*peer)); 1053 if (peer == NULL) 1054 return NULL; 1055 1056 os_memcpy(peer->addr, addr, ETH_ALEN); 1057 peer->next = sm->tdls; 1058 sm->tdls = peer; 1059 1060 return peer; 1061 } 1062 1063 1064 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1065 struct wpa_tdls_peer *peer) 1066 { 1067 size_t buf_len; 1068 struct wpa_tdls_timeoutie timeoutie; 1069 u16 rsn_capab; 1070 struct wpa_tdls_ftie *ftie; 1071 u8 *rbuf, *pos, *count_pos; 1072 u16 count; 1073 struct rsn_ie_hdr *hdr; 1074 int status; 1075 1076 if (!wpa_tdls_get_privacy(sm)) { 1077 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1078 peer->rsnie_i_len = 0; 1079 goto skip_rsnie; 1080 } 1081 1082 /* 1083 * TPK Handshake Message 1: 1084 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1085 * Timeout Interval IE)) 1086 */ 1087 1088 /* Filling RSN IE */ 1089 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1090 hdr->elem_id = WLAN_EID_RSN; 1091 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1092 1093 pos = (u8 *) (hdr + 1); 1094 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1095 pos += RSN_SELECTOR_LEN; 1096 count_pos = pos; 1097 pos += 2; 1098 1099 count = 0; 1100 1101 /* 1102 * AES-CCMP is the default Encryption preferred for TDLS, so 1103 * RSN IE is filled only with CCMP CIPHER 1104 * Note: TKIP is not used to encrypt TDLS link. 1105 * 1106 * Regardless of the cipher used on the AP connection, select CCMP 1107 * here. 1108 */ 1109 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1110 pos += RSN_SELECTOR_LEN; 1111 count++; 1112 1113 WPA_PUT_LE16(count_pos, count); 1114 1115 WPA_PUT_LE16(pos, 1); 1116 pos += 2; 1117 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1118 pos += RSN_SELECTOR_LEN; 1119 1120 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1121 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1122 #ifdef CONFIG_TDLS_TESTING 1123 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1124 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1125 "testing"); 1126 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1127 } 1128 #endif /* CONFIG_TDLS_TESTING */ 1129 WPA_PUT_LE16(pos, rsn_capab); 1130 pos += 2; 1131 #ifdef CONFIG_TDLS_TESTING 1132 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1133 /* Number of PMKIDs */ 1134 *pos++ = 0x00; 1135 *pos++ = 0x00; 1136 } 1137 #endif /* CONFIG_TDLS_TESTING */ 1138 1139 hdr->len = (pos - peer->rsnie_i) - 2; 1140 peer->rsnie_i_len = pos - peer->rsnie_i; 1141 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1142 peer->rsnie_i, peer->rsnie_i_len); 1143 1144 skip_rsnie: 1145 buf_len = 0; 1146 if (wpa_tdls_get_privacy(sm)) 1147 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1148 sizeof(struct wpa_tdls_timeoutie); 1149 #ifdef CONFIG_TDLS_TESTING 1150 if (wpa_tdls_get_privacy(sm) && 1151 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1152 buf_len += 170; 1153 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1154 buf_len += sizeof(struct wpa_tdls_lnkid); 1155 #endif /* CONFIG_TDLS_TESTING */ 1156 rbuf = os_zalloc(buf_len + 1); 1157 if (rbuf == NULL) { 1158 wpa_tdls_peer_free(sm, peer); 1159 return -1; 1160 } 1161 pos = rbuf; 1162 1163 if (!wpa_tdls_get_privacy(sm)) 1164 goto skip_ies; 1165 1166 /* Initiator RSN IE */ 1167 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1168 1169 ftie = (struct wpa_tdls_ftie *) pos; 1170 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1171 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1172 1173 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1174 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1175 "TDLS: Failed to get random data for initiator Nonce"); 1176 os_free(rbuf); 1177 wpa_tdls_peer_free(sm, peer); 1178 return -1; 1179 } 1180 peer->tk_set = 0; /* A new nonce results in a new TK */ 1181 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1182 peer->inonce, WPA_NONCE_LEN); 1183 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1184 1185 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1186 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1187 1188 pos = (u8 *) (ftie + 1); 1189 1190 #ifdef CONFIG_TDLS_TESTING 1191 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1192 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1193 "FTIE"); 1194 ftie->ie_len += 170; 1195 *pos++ = 255; /* FTIE subelem */ 1196 *pos++ = 168; /* FTIE subelem length */ 1197 pos += 168; 1198 } 1199 #endif /* CONFIG_TDLS_TESTING */ 1200 1201 /* Lifetime */ 1202 peer->lifetime = TPK_LIFETIME; 1203 #ifdef CONFIG_TDLS_TESTING 1204 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1205 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1206 "lifetime"); 1207 peer->lifetime = 301; 1208 } 1209 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1210 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1211 "lifetime"); 1212 peer->lifetime = 0xffffffff; 1213 } 1214 #endif /* CONFIG_TDLS_TESTING */ 1215 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1216 sizeof(timeoutie), peer->lifetime); 1217 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1218 1219 skip_ies: 1220 1221 #ifdef CONFIG_TDLS_TESTING 1222 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1223 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1224 1225 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1226 "Link Identifier"); 1227 wpa_tdls_linkid(sm, peer, l); 1228 l->bssid[5] ^= 0x01; 1229 pos += sizeof(*l); 1230 } 1231 #endif /* CONFIG_TDLS_TESTING */ 1232 1233 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1234 "Handshake Message 1 (peer " MACSTR ")", 1235 MAC2STR(peer->addr)); 1236 1237 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1238 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1239 os_free(rbuf); 1240 1241 return status; 1242 } 1243 1244 1245 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1246 const unsigned char *src_addr, u8 dtoken, 1247 struct wpa_tdls_lnkid *lnkid, 1248 const struct wpa_tdls_peer *peer) 1249 { 1250 u8 *rbuf, *pos; 1251 size_t buf_len; 1252 u32 lifetime; 1253 struct wpa_tdls_timeoutie timeoutie; 1254 struct wpa_tdls_ftie *ftie; 1255 int status; 1256 1257 buf_len = 0; 1258 if (wpa_tdls_get_privacy(sm)) { 1259 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1260 * Lifetime */ 1261 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1262 sizeof(struct wpa_tdls_timeoutie); 1263 #ifdef CONFIG_TDLS_TESTING 1264 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1265 buf_len += 170; 1266 #endif /* CONFIG_TDLS_TESTING */ 1267 } 1268 1269 rbuf = os_zalloc(buf_len + 1); 1270 if (rbuf == NULL) 1271 return -1; 1272 pos = rbuf; 1273 1274 if (!wpa_tdls_get_privacy(sm)) 1275 goto skip_ies; 1276 1277 /* Peer RSN IE */ 1278 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1279 1280 ftie = (struct wpa_tdls_ftie *) pos; 1281 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1282 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1283 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1284 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1285 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1286 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1287 (u8 *) ftie, sizeof(*ftie)); 1288 1289 pos = (u8 *) (ftie + 1); 1290 1291 #ifdef CONFIG_TDLS_TESTING 1292 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1293 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1294 "FTIE"); 1295 ftie->ie_len += 170; 1296 *pos++ = 255; /* FTIE subelem */ 1297 *pos++ = 168; /* FTIE subelem length */ 1298 pos += 168; 1299 } 1300 #endif /* CONFIG_TDLS_TESTING */ 1301 1302 /* Lifetime */ 1303 lifetime = peer->lifetime; 1304 #ifdef CONFIG_TDLS_TESTING 1305 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1306 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1307 "lifetime in response"); 1308 lifetime++; 1309 } 1310 #endif /* CONFIG_TDLS_TESTING */ 1311 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1312 sizeof(timeoutie), lifetime); 1313 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1314 lifetime); 1315 1316 /* compute MIC before sending */ 1317 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1318 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1319 #ifdef CONFIG_TDLS_TESTING 1320 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1321 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1322 ftie->mic[0] ^= 0x01; 1323 } 1324 #endif /* CONFIG_TDLS_TESTING */ 1325 1326 skip_ies: 1327 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1328 dtoken, 0, 0, peer->initiator, rbuf, 1329 pos - rbuf); 1330 os_free(rbuf); 1331 1332 return status; 1333 } 1334 1335 1336 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1337 const unsigned char *src_addr, u8 dtoken, 1338 struct wpa_tdls_lnkid *lnkid, 1339 const struct wpa_tdls_peer *peer) 1340 { 1341 u8 *rbuf, *pos; 1342 size_t buf_len; 1343 struct wpa_tdls_ftie *ftie; 1344 struct wpa_tdls_timeoutie timeoutie; 1345 u32 lifetime; 1346 int status; 1347 u32 peer_capab = 0; 1348 1349 buf_len = 0; 1350 if (wpa_tdls_get_privacy(sm)) { 1351 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1352 * Lifetime */ 1353 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1354 sizeof(struct wpa_tdls_timeoutie); 1355 #ifdef CONFIG_TDLS_TESTING 1356 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1357 buf_len += 170; 1358 #endif /* CONFIG_TDLS_TESTING */ 1359 } 1360 1361 rbuf = os_zalloc(buf_len + 1); 1362 if (rbuf == NULL) 1363 return -1; 1364 pos = rbuf; 1365 1366 if (!wpa_tdls_get_privacy(sm)) 1367 goto skip_ies; 1368 1369 /* Peer RSN IE */ 1370 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1371 1372 ftie = (struct wpa_tdls_ftie *) pos; 1373 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1374 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1375 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1376 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1377 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1378 1379 pos = (u8 *) (ftie + 1); 1380 1381 #ifdef CONFIG_TDLS_TESTING 1382 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1383 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1384 "FTIE"); 1385 ftie->ie_len += 170; 1386 *pos++ = 255; /* FTIE subelem */ 1387 *pos++ = 168; /* FTIE subelem length */ 1388 pos += 168; 1389 } 1390 #endif /* CONFIG_TDLS_TESTING */ 1391 1392 /* Lifetime */ 1393 lifetime = peer->lifetime; 1394 #ifdef CONFIG_TDLS_TESTING 1395 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1396 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1397 "lifetime in confirm"); 1398 lifetime++; 1399 } 1400 #endif /* CONFIG_TDLS_TESTING */ 1401 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1402 sizeof(timeoutie), lifetime); 1403 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1404 lifetime); 1405 1406 /* compute MIC before sending */ 1407 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1408 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1409 #ifdef CONFIG_TDLS_TESTING 1410 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1411 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1412 ftie->mic[0] ^= 0x01; 1413 } 1414 #endif /* CONFIG_TDLS_TESTING */ 1415 1416 skip_ies: 1417 1418 if (peer->vht_capabilities) 1419 peer_capab |= TDLS_PEER_VHT; 1420 if (peer->ht_capabilities) 1421 peer_capab |= TDLS_PEER_HT; 1422 if (peer->wmm_capable) 1423 peer_capab |= TDLS_PEER_WMM; 1424 1425 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1426 dtoken, 0, peer_capab, peer->initiator, 1427 rbuf, pos - rbuf); 1428 os_free(rbuf); 1429 1430 return status; 1431 } 1432 1433 1434 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1435 struct wpa_tdls_peer *peer, 1436 u8 dialog_token) 1437 { 1438 size_t buf_len = 0; 1439 struct wpa_tdls_timeoutie timeoutie; 1440 u16 rsn_capab; 1441 u8 *rbuf, *pos, *count_pos; 1442 u16 count; 1443 struct rsn_ie_hdr *hdr; 1444 int status; 1445 1446 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1447 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1448 if (!wpa_tdls_get_privacy(sm)) 1449 goto skip_rsn_ies; 1450 1451 /* Filling RSN IE */ 1452 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1453 hdr->elem_id = WLAN_EID_RSN; 1454 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1455 pos = (u8 *) (hdr + 1); 1456 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1457 pos += RSN_SELECTOR_LEN; 1458 count_pos = pos; 1459 pos += 2; 1460 count = 0; 1461 1462 /* 1463 * AES-CCMP is the default encryption preferred for TDLS, so 1464 * RSN IE is filled only with CCMP cipher suite. 1465 * Note: TKIP is not used to encrypt TDLS link. 1466 * 1467 * Regardless of the cipher used on the AP connection, select CCMP 1468 * here. 1469 */ 1470 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1471 pos += RSN_SELECTOR_LEN; 1472 count++; 1473 WPA_PUT_LE16(count_pos, count); 1474 WPA_PUT_LE16(pos, 1); 1475 pos += 2; 1476 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1477 pos += RSN_SELECTOR_LEN; 1478 1479 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1480 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1481 WPA_PUT_LE16(pos, rsn_capab); 1482 pos += 2; 1483 hdr->len = (pos - (u8 *) hdr) - 2; 1484 peer->rsnie_i_len = pos - peer->rsnie_i; 1485 1486 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1487 (u8 *) hdr, hdr->len + 2); 1488 skip_rsn_ies: 1489 buf_len = 0; 1490 if (wpa_tdls_get_privacy(sm)) { 1491 /* Peer RSN IE, Lifetime */ 1492 buf_len += peer->rsnie_i_len + 1493 sizeof(struct wpa_tdls_timeoutie); 1494 } 1495 rbuf = os_zalloc(buf_len + 1); 1496 if (rbuf == NULL) { 1497 wpa_tdls_peer_free(sm, peer); 1498 return -1; 1499 } 1500 pos = rbuf; 1501 1502 if (!wpa_tdls_get_privacy(sm)) 1503 goto skip_ies; 1504 /* Initiator RSN IE */ 1505 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1506 /* Lifetime */ 1507 peer->lifetime = TPK_LIFETIME; 1508 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1509 sizeof(timeoutie), peer->lifetime); 1510 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1511 skip_ies: 1512 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1513 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1514 os_free(rbuf); 1515 1516 return status; 1517 } 1518 1519 1520 static int 1521 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1522 const u8 *buf, size_t len) 1523 { 1524 struct wpa_eapol_ie_parse kde; 1525 const struct wpa_tdls_lnkid *lnkid; 1526 struct wpa_tdls_peer *peer; 1527 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1528 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1529 u8 dialog_token; 1530 1531 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1532 MAC2STR(addr)); 1533 1534 if (len < min_req_len) { 1535 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1536 "%d", (int) len); 1537 return -1; 1538 } 1539 1540 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1541 1542 /* 1543 * Some APs will tack on a weird IE to the end of a TDLS 1544 * discovery request packet. This needn't fail the response, 1545 * since the required IE are verified separately. 1546 */ 1547 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1548 len - (sizeof(struct wpa_tdls_frame) + 1), 1549 &kde) < 0) { 1550 wpa_printf(MSG_DEBUG, 1551 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1552 } 1553 1554 if (!kde.lnkid) { 1555 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1556 "Request"); 1557 return -1; 1558 } 1559 1560 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1561 1562 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1563 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1564 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1565 return -1; 1566 } 1567 1568 peer = wpa_tdls_add_peer(sm, addr, NULL); 1569 if (peer == NULL) 1570 return -1; 1571 1572 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1573 } 1574 1575 1576 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1577 { 1578 if (sm->tdls_disabled || !sm->tdls_supported) 1579 return -1; 1580 1581 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1582 MACSTR, MAC2STR(addr)); 1583 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1584 1, 0, 0, 1, NULL, 0); 1585 } 1586 1587 1588 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1589 struct wpa_tdls_peer *peer) 1590 { 1591 if (!kde->supp_rates) { 1592 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1593 return -1; 1594 } 1595 peer->supp_rates_len = merge_byte_arrays( 1596 peer->supp_rates, sizeof(peer->supp_rates), 1597 kde->supp_rates + 2, kde->supp_rates_len - 2, 1598 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1599 kde->ext_supp_rates_len - 2); 1600 return 0; 1601 } 1602 1603 1604 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1605 struct wpa_tdls_peer *peer) 1606 { 1607 if (!kde->ht_capabilities) { 1608 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1609 "received"); 1610 return 0; 1611 } 1612 1613 if (!peer->ht_capabilities) { 1614 peer->ht_capabilities = 1615 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1616 if (peer->ht_capabilities == NULL) 1617 return -1; 1618 } 1619 1620 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1621 sizeof(struct ieee80211_ht_capabilities)); 1622 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1623 (u8 *) peer->ht_capabilities, 1624 sizeof(struct ieee80211_ht_capabilities)); 1625 1626 return 0; 1627 } 1628 1629 1630 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1631 struct wpa_tdls_peer *peer) 1632 { 1633 if (!kde->vht_capabilities) { 1634 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1635 "received"); 1636 return 0; 1637 } 1638 1639 if (!peer->vht_capabilities) { 1640 peer->vht_capabilities = 1641 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1642 if (peer->vht_capabilities == NULL) 1643 return -1; 1644 } 1645 1646 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1647 sizeof(struct ieee80211_vht_capabilities)); 1648 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1649 (u8 *) peer->vht_capabilities, 1650 sizeof(struct ieee80211_vht_capabilities)); 1651 1652 return 0; 1653 } 1654 1655 1656 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1657 struct wpa_tdls_peer *peer) 1658 { 1659 if (!kde->ext_capab) { 1660 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1661 "received"); 1662 return 0; 1663 } 1664 1665 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1666 /* Need to allocate buffer to fit the new information */ 1667 os_free(peer->ext_capab); 1668 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1669 if (peer->ext_capab == NULL) 1670 return -1; 1671 } 1672 1673 peer->ext_capab_len = kde->ext_capab_len - 2; 1674 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1675 1676 return 0; 1677 } 1678 1679 1680 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1681 struct wpa_tdls_peer *peer) 1682 { 1683 struct wmm_information_element *wmm; 1684 1685 if (!kde->wmm) { 1686 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1687 return 0; 1688 } 1689 1690 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1691 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1692 return -1; 1693 } 1694 1695 wmm = (struct wmm_information_element *) kde->wmm; 1696 peer->qos_info = wmm->qos_info; 1697 1698 peer->wmm_capable = 1; 1699 1700 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1701 return 0; 1702 } 1703 1704 1705 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1706 struct wpa_tdls_peer *peer) 1707 { 1708 if (!kde->supp_channels) { 1709 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1710 return 0; 1711 } 1712 1713 if (!peer->supp_channels || 1714 peer->supp_channels_len < kde->supp_channels_len) { 1715 os_free(peer->supp_channels); 1716 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1717 if (peer->supp_channels == NULL) 1718 return -1; 1719 } 1720 1721 peer->supp_channels_len = kde->supp_channels_len; 1722 1723 os_memcpy(peer->supp_channels, kde->supp_channels, 1724 peer->supp_channels_len); 1725 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1726 (u8 *) peer->supp_channels, peer->supp_channels_len); 1727 return 0; 1728 } 1729 1730 1731 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1732 struct wpa_tdls_peer *peer) 1733 { 1734 if (!kde->supp_oper_classes) { 1735 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1736 return 0; 1737 } 1738 1739 if (!peer->supp_oper_classes || 1740 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1741 os_free(peer->supp_oper_classes); 1742 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1743 if (peer->supp_oper_classes == NULL) 1744 return -1; 1745 } 1746 1747 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1748 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1749 peer->supp_oper_classes_len); 1750 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1751 (u8 *) peer->supp_oper_classes, 1752 peer->supp_oper_classes_len); 1753 return 0; 1754 } 1755 1756 1757 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1758 int add) 1759 { 1760 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1761 peer->capability, 1762 peer->supp_rates, peer->supp_rates_len, 1763 peer->ht_capabilities, 1764 peer->vht_capabilities, 1765 peer->qos_info, peer->wmm_capable, 1766 peer->ext_capab, peer->ext_capab_len, 1767 peer->supp_channels, 1768 peer->supp_channels_len, 1769 peer->supp_oper_classes, 1770 peer->supp_oper_classes_len); 1771 } 1772 1773 1774 static int tdls_nonce_set(const u8 *nonce) 1775 { 1776 int i; 1777 1778 for (i = 0; i < WPA_NONCE_LEN; i++) { 1779 if (nonce[i]) 1780 return 1; 1781 } 1782 1783 return 0; 1784 } 1785 1786 1787 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1788 const u8 *buf, size_t len) 1789 { 1790 struct wpa_tdls_peer *peer; 1791 struct wpa_eapol_ie_parse kde; 1792 struct wpa_ie_data ie; 1793 int cipher; 1794 const u8 *cpos; 1795 struct wpa_tdls_ftie *ftie = NULL; 1796 struct wpa_tdls_timeoutie *timeoutie; 1797 struct wpa_tdls_lnkid *lnkid; 1798 u32 lifetime = 0; 1799 #if 0 1800 struct rsn_ie_hdr *hdr; 1801 u8 *pos; 1802 u16 rsn_capab; 1803 u16 rsn_ver; 1804 #endif 1805 u8 dtoken; 1806 u16 ielen; 1807 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1808 int tdls_prohibited = sm->tdls_prohibited; 1809 int existing_peer = 0; 1810 1811 if (len < 3 + 3) 1812 return -1; 1813 1814 cpos = buf; 1815 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1816 1817 /* driver had already verified the frame format */ 1818 dtoken = *cpos++; /* dialog token */ 1819 1820 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1821 1822 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1823 if (peer == NULL) 1824 goto error; 1825 1826 /* If found, use existing entry instead of adding a new one; 1827 * how to handle the case where both ends initiate at the 1828 * same time? */ 1829 if (existing_peer) { 1830 if (peer->tpk_success) { 1831 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1832 "direct link is enabled - tear down the " 1833 "old link first"); 1834 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1835 wpa_tdls_peer_clear(sm, peer); 1836 } else if (peer->initiator) { 1837 /* 1838 * An entry is already present, so check if we already 1839 * sent a TDLS Setup Request. If so, compare MAC 1840 * addresses and let the STA with the lower MAC address 1841 * continue as the initiator. The other negotiation is 1842 * terminated. 1843 */ 1844 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1845 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1846 "from peer with higher address " 1847 MACSTR, MAC2STR(src_addr)); 1848 return -1; 1849 } else { 1850 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1851 "from peer with lower address " 1852 MACSTR " (terminate previously " 1853 "initiated negotiation", 1854 MAC2STR(src_addr)); 1855 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1856 peer->addr); 1857 wpa_tdls_peer_clear(sm, peer); 1858 } 1859 } 1860 } 1861 1862 /* capability information */ 1863 peer->capability = WPA_GET_LE16(cpos); 1864 cpos += 2; 1865 1866 ielen = len - (cpos - buf); /* start of IE in buf */ 1867 1868 /* 1869 * Don't reject the message if failing to parse IEs. The IEs we need are 1870 * explicitly checked below. Some APs may add arbitrary padding to the 1871 * end of short TDLS frames and that would look like invalid IEs. 1872 */ 1873 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1874 wpa_printf(MSG_DEBUG, 1875 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1876 1877 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1878 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1879 "TPK M1"); 1880 goto error; 1881 } 1882 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1883 kde.lnkid, kde.lnkid_len); 1884 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1885 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1886 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1887 status = WLAN_STATUS_REQUEST_DECLINED; 1888 goto error; 1889 } 1890 1891 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1892 MAC2STR(src_addr)); 1893 1894 if (copy_supp_rates(&kde, peer) < 0) 1895 goto error; 1896 1897 if (copy_peer_ht_capab(&kde, peer) < 0) 1898 goto error; 1899 1900 if (copy_peer_vht_capab(&kde, peer) < 0) 1901 goto error; 1902 1903 if (copy_peer_ext_capab(&kde, peer) < 0) 1904 goto error; 1905 1906 if (copy_peer_supp_channels(&kde, peer) < 0) 1907 goto error; 1908 1909 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1910 goto error; 1911 1912 peer->qos_info = kde.qosinfo; 1913 1914 /* Overwrite with the qos_info obtained in WMM IE */ 1915 if (copy_peer_wmm_capab(&kde, peer) < 0) 1916 goto error; 1917 1918 peer->aid = kde.aid; 1919 1920 #ifdef CONFIG_TDLS_TESTING 1921 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1922 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1923 if (peer == NULL) 1924 goto error; 1925 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1926 "TDLS setup - send own request"); 1927 peer->initiator = 1; 1928 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1929 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1930 wpa_tdls_send_tpk_m1(sm, peer); 1931 } 1932 1933 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1934 tdls_prohibited) { 1935 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1936 "on TDLS"); 1937 tdls_prohibited = 0; 1938 } 1939 #endif /* CONFIG_TDLS_TESTING */ 1940 1941 if (tdls_prohibited) { 1942 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1943 status = WLAN_STATUS_REQUEST_DECLINED; 1944 goto error; 1945 } 1946 1947 if (!wpa_tdls_get_privacy(sm)) { 1948 if (kde.rsn_ie) { 1949 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1950 "security is disabled"); 1951 status = WLAN_STATUS_SECURITY_DISABLED; 1952 goto error; 1953 } 1954 goto skip_rsn; 1955 } 1956 1957 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1958 kde.rsn_ie == NULL) { 1959 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1960 status = WLAN_STATUS_INVALID_PARAMETERS; 1961 goto error; 1962 } 1963 1964 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1965 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1966 "TPK M1"); 1967 status = WLAN_STATUS_INVALID_RSNIE; 1968 goto error; 1969 } 1970 1971 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1972 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1973 status = WLAN_STATUS_INVALID_RSNIE; 1974 goto error; 1975 } 1976 1977 cipher = ie.pairwise_cipher; 1978 if (cipher & WPA_CIPHER_CCMP) { 1979 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1980 cipher = WPA_CIPHER_CCMP; 1981 } else { 1982 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1983 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1984 goto error; 1985 } 1986 1987 if ((ie.capabilities & 1988 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1989 WPA_CAPABILITY_PEERKEY_ENABLED) { 1990 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1991 "TPK M1"); 1992 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1993 goto error; 1994 } 1995 1996 /* Lifetime */ 1997 if (kde.key_lifetime == NULL) { 1998 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1999 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2000 goto error; 2001 } 2002 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2003 lifetime = WPA_GET_LE32(timeoutie->value); 2004 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 2005 if (lifetime < 300) { 2006 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2007 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2008 goto error; 2009 } 2010 2011 skip_rsn: 2012 #ifdef CONFIG_TDLS_TESTING 2013 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2014 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2015 /* 2016 * The request frame from us is going to win, so do not 2017 * replace information based on this request frame from 2018 * the peer. 2019 */ 2020 goto skip_rsn_check; 2021 } 2022 } 2023 #endif /* CONFIG_TDLS_TESTING */ 2024 2025 peer->initiator = 0; /* Need to check */ 2026 peer->dtoken = dtoken; 2027 2028 if (!wpa_tdls_get_privacy(sm)) { 2029 peer->rsnie_i_len = 0; 2030 peer->rsnie_p_len = 0; 2031 peer->cipher = WPA_CIPHER_NONE; 2032 goto skip_rsn_check; 2033 } 2034 2035 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2036 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2037 peer->rsnie_i_len = kde.rsn_ie_len; 2038 peer->cipher = cipher; 2039 2040 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2041 !tdls_nonce_set(peer->inonce)) { 2042 /* 2043 * There is no point in updating the RNonce for every obtained 2044 * TPK M1 frame (e.g., retransmission due to timeout) with the 2045 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2046 * retransmitted with a different INonce, update the RNonce 2047 * since this is for a new TDLS session. 2048 */ 2049 wpa_printf(MSG_DEBUG, 2050 "TDLS: New TPK M1 INonce - generate new RNonce"); 2051 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2052 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2053 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2054 "TDLS: Failed to get random data for responder nonce"); 2055 goto error; 2056 } 2057 peer->tk_set = 0; /* A new nonce results in a new TK */ 2058 } 2059 2060 #if 0 2061 /* get version info from RSNIE received from Peer */ 2062 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2063 rsn_ver = WPA_GET_LE16(hdr->version); 2064 2065 /* use min(peer's version, out version) */ 2066 if (rsn_ver > RSN_VERSION) 2067 rsn_ver = RSN_VERSION; 2068 2069 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2070 2071 hdr->elem_id = WLAN_EID_RSN; 2072 WPA_PUT_LE16(hdr->version, rsn_ver); 2073 pos = (u8 *) (hdr + 1); 2074 2075 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2076 pos += RSN_SELECTOR_LEN; 2077 /* Include only the selected cipher in pairwise cipher suite */ 2078 WPA_PUT_LE16(pos, 1); 2079 pos += 2; 2080 if (cipher == WPA_CIPHER_CCMP) 2081 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2082 pos += RSN_SELECTOR_LEN; 2083 2084 WPA_PUT_LE16(pos, 1); 2085 pos += 2; 2086 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2087 pos += RSN_SELECTOR_LEN; 2088 2089 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2090 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2091 WPA_PUT_LE16(pos, rsn_capab); 2092 pos += 2; 2093 2094 hdr->len = (pos - peer->rsnie_p) - 2; 2095 peer->rsnie_p_len = pos - peer->rsnie_p; 2096 #endif 2097 2098 /* temp fix: validation of RSNIE later */ 2099 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2100 peer->rsnie_p_len = peer->rsnie_i_len; 2101 2102 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2103 peer->rsnie_p, peer->rsnie_p_len); 2104 2105 peer->lifetime = lifetime; 2106 2107 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2108 2109 skip_rsn_check: 2110 #ifdef CONFIG_TDLS_TESTING 2111 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2112 goto skip_add_peer; 2113 #endif /* CONFIG_TDLS_TESTING */ 2114 2115 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2116 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2117 goto error; 2118 2119 #ifdef CONFIG_TDLS_TESTING 2120 skip_add_peer: 2121 #endif /* CONFIG_TDLS_TESTING */ 2122 peer->tpk_in_progress = 1; 2123 2124 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2125 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2126 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2127 goto error; 2128 } 2129 2130 return 0; 2131 2132 error: 2133 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2134 status); 2135 if (peer) 2136 wpa_tdls_peer_free(sm, peer); 2137 return -1; 2138 } 2139 2140 2141 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2142 { 2143 peer->tpk_success = 1; 2144 peer->tpk_in_progress = 0; 2145 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2146 if (wpa_tdls_get_privacy(sm)) { 2147 u32 lifetime = peer->lifetime; 2148 /* 2149 * Start the initiator process a bit earlier to avoid race 2150 * condition with the responder sending teardown request. 2151 */ 2152 if (lifetime > 3 && peer->initiator) 2153 lifetime -= 3; 2154 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2155 sm, peer); 2156 #ifdef CONFIG_TDLS_TESTING 2157 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2158 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2159 "expiration"); 2160 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2161 } 2162 #endif /* CONFIG_TDLS_TESTING */ 2163 } 2164 2165 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2166 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2167 "driver"); 2168 return -1; 2169 } 2170 peer->reconfig_key = 0; 2171 2172 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2173 } 2174 2175 2176 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2177 const u8 *buf, size_t len) 2178 { 2179 struct wpa_tdls_peer *peer; 2180 struct wpa_eapol_ie_parse kde; 2181 struct wpa_ie_data ie; 2182 int cipher; 2183 struct wpa_tdls_ftie *ftie; 2184 struct wpa_tdls_timeoutie *timeoutie; 2185 struct wpa_tdls_lnkid *lnkid; 2186 u32 lifetime; 2187 u8 dtoken; 2188 int ielen; 2189 u16 status; 2190 const u8 *pos; 2191 int ret = 0; 2192 2193 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2194 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2195 for (peer = sm->tdls; peer; peer = peer->next) { 2196 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2197 break; 2198 } 2199 if (peer == NULL) { 2200 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2201 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2202 return -1; 2203 } 2204 if (!peer->initiator) { 2205 /* 2206 * This may happen if both devices try to initiate TDLS at the 2207 * same time and we accept the TPK M1 from the peer in 2208 * wpa_tdls_process_tpk_m1() and clear our previous state. 2209 */ 2210 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2211 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2212 return -1; 2213 } 2214 2215 if (peer->tpk_success) { 2216 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2217 MACSTR " as TPK M3 was already sent", 2218 MAC2STR(src_addr)); 2219 return 0; 2220 } 2221 2222 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2223 2224 if (len < 3 + 2 + 1) { 2225 wpa_tdls_disable_peer_link(sm, peer); 2226 return -1; 2227 } 2228 2229 pos = buf; 2230 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2231 status = WPA_GET_LE16(pos); 2232 pos += 2 /* status code */; 2233 2234 if (status != WLAN_STATUS_SUCCESS) { 2235 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2236 status); 2237 wpa_tdls_disable_peer_link(sm, peer); 2238 return -1; 2239 } 2240 2241 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2242 2243 /* TODO: need to verify dialog token matches here or in kernel */ 2244 dtoken = *pos++; /* dialog token */ 2245 2246 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2247 2248 if (len < 3 + 2 + 1 + 2) { 2249 wpa_tdls_disable_peer_link(sm, peer); 2250 return -1; 2251 } 2252 2253 /* capability information */ 2254 peer->capability = WPA_GET_LE16(pos); 2255 pos += 2; 2256 2257 ielen = len - (pos - buf); /* start of IE in buf */ 2258 2259 /* 2260 * Don't reject the message if failing to parse IEs. The IEs we need are 2261 * explicitly checked below. Some APs may add arbitrary padding to the 2262 * end of short TDLS frames and that would look like invalid IEs. 2263 */ 2264 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2265 wpa_printf(MSG_DEBUG, 2266 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2267 2268 #ifdef CONFIG_TDLS_TESTING 2269 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2270 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2271 status = WLAN_STATUS_REQUEST_DECLINED; 2272 goto error; 2273 } 2274 #endif /* CONFIG_TDLS_TESTING */ 2275 2276 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2277 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2278 "TPK M2"); 2279 goto error; 2280 } 2281 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2282 kde.lnkid, kde.lnkid_len); 2283 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2284 2285 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2286 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2287 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2288 goto error; 2289 } 2290 2291 if (copy_supp_rates(&kde, peer) < 0) 2292 goto error; 2293 2294 if (copy_peer_ht_capab(&kde, peer) < 0) 2295 goto error; 2296 2297 if (copy_peer_vht_capab(&kde, peer) < 0) 2298 goto error; 2299 2300 if (copy_peer_ext_capab(&kde, peer) < 0) 2301 goto error; 2302 2303 if (copy_peer_supp_channels(&kde, peer) < 0) 2304 goto error; 2305 2306 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2307 goto error; 2308 2309 peer->qos_info = kde.qosinfo; 2310 2311 /* Overwrite with the qos_info obtained in WMM IE */ 2312 if (copy_peer_wmm_capab(&kde, peer) < 0) 2313 goto error; 2314 2315 peer->aid = kde.aid; 2316 2317 if (!wpa_tdls_get_privacy(sm)) { 2318 peer->rsnie_p_len = 0; 2319 peer->cipher = WPA_CIPHER_NONE; 2320 goto skip_rsn; 2321 } 2322 2323 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2324 kde.rsn_ie == NULL) { 2325 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2326 status = WLAN_STATUS_INVALID_PARAMETERS; 2327 goto error; 2328 } 2329 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2330 kde.rsn_ie, kde.rsn_ie_len); 2331 2332 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2333 wpa_printf(MSG_INFO, 2334 "TDLS: Too long Responder RSN IE in TPK M2"); 2335 status = WLAN_STATUS_INVALID_RSNIE; 2336 goto error; 2337 } 2338 2339 /* 2340 * FIX: bitwise comparison of RSN IE is not the correct way of 2341 * validation this. It can be different, but certain fields must 2342 * match. Since we list only a single pairwise cipher in TPK M1, the 2343 * memcmp is likely to work in most cases, though. 2344 */ 2345 if (kde.rsn_ie_len != peer->rsnie_i_len || 2346 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2347 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2348 "not match with RSN IE used in TPK M1"); 2349 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2350 peer->rsnie_i, peer->rsnie_i_len); 2351 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2352 kde.rsn_ie, kde.rsn_ie_len); 2353 status = WLAN_STATUS_INVALID_RSNIE; 2354 goto error; 2355 } 2356 2357 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2358 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2359 status = WLAN_STATUS_INVALID_RSNIE; 2360 goto error; 2361 } 2362 2363 cipher = ie.pairwise_cipher; 2364 if (cipher == WPA_CIPHER_CCMP) { 2365 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2366 cipher = WPA_CIPHER_CCMP; 2367 } else { 2368 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2369 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2370 goto error; 2371 } 2372 2373 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2374 kde.ftie, sizeof(*ftie)); 2375 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2376 2377 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2378 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2379 "not match with FTIE SNonce used in TPK M1"); 2380 /* Silently discard the frame */ 2381 return -1; 2382 } 2383 2384 /* Responder Nonce and RSN IE */ 2385 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2386 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2387 peer->rsnie_p_len = kde.rsn_ie_len; 2388 peer->cipher = cipher; 2389 2390 /* Lifetime */ 2391 if (kde.key_lifetime == NULL) { 2392 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2393 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2394 goto error; 2395 } 2396 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2397 lifetime = WPA_GET_LE32(timeoutie->value); 2398 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2399 lifetime); 2400 if (lifetime != peer->lifetime) { 2401 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2402 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2403 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2404 goto error; 2405 } 2406 2407 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2408 2409 /* Process MIC check to see if TPK M2 is right */ 2410 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2411 (u8 *) timeoutie, ftie) < 0) { 2412 /* Discard the frame */ 2413 wpa_tdls_del_key(sm, peer); 2414 wpa_tdls_disable_peer_link(sm, peer); 2415 return -1; 2416 } 2417 2418 if (wpa_tdls_set_key(sm, peer) < 0) { 2419 /* 2420 * Some drivers may not be able to config the key prior to full 2421 * STA entry having been configured. 2422 */ 2423 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2424 "STA entry is complete"); 2425 peer->reconfig_key = 1; 2426 } 2427 2428 skip_rsn: 2429 peer->dtoken = dtoken; 2430 2431 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2432 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2433 goto error; 2434 2435 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2436 "TPK Handshake Message 3"); 2437 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2438 goto error_no_msg; 2439 2440 if (!peer->tpk_success) { 2441 /* 2442 * Enable Link only when tpk_success is 0, signifying that this 2443 * processing of TPK M2 frame is not because of a retransmission 2444 * during TDLS setup handshake. 2445 */ 2446 ret = wpa_tdls_enable_link(sm, peer); 2447 if (ret < 0) { 2448 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2449 wpa_tdls_do_teardown( 2450 sm, peer, 2451 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2452 } 2453 } 2454 return ret; 2455 2456 error: 2457 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2458 status); 2459 error_no_msg: 2460 wpa_tdls_disable_peer_link(sm, peer); 2461 return -1; 2462 } 2463 2464 2465 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2466 const u8 *buf, size_t len) 2467 { 2468 struct wpa_tdls_peer *peer; 2469 struct wpa_eapol_ie_parse kde; 2470 struct wpa_tdls_ftie *ftie; 2471 struct wpa_tdls_timeoutie *timeoutie; 2472 struct wpa_tdls_lnkid *lnkid; 2473 int ielen; 2474 u16 status; 2475 const u8 *pos; 2476 u32 lifetime; 2477 int ret = 0; 2478 2479 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2480 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2481 for (peer = sm->tdls; peer; peer = peer->next) { 2482 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2483 break; 2484 } 2485 if (peer == NULL) { 2486 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2487 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2488 return -1; 2489 } 2490 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2491 2492 if (len < 3 + 3) 2493 goto error; 2494 pos = buf; 2495 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2496 2497 status = WPA_GET_LE16(pos); 2498 2499 if (status != 0) { 2500 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2501 status); 2502 goto error; 2503 } 2504 pos += 2 /* status code */ + 1 /* dialog token */; 2505 2506 ielen = len - (pos - buf); /* start of IE in buf */ 2507 2508 /* 2509 * Don't reject the message if failing to parse IEs. The IEs we need are 2510 * explicitly checked below. Some APs piggy-back broken IEs to the end 2511 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2512 * this error. 2513 */ 2514 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2515 wpa_printf(MSG_DEBUG, 2516 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2517 } 2518 2519 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2520 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2521 goto error; 2522 } 2523 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2524 (u8 *) kde.lnkid, kde.lnkid_len); 2525 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2526 2527 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2528 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2529 goto error; 2530 } 2531 2532 if (!wpa_tdls_get_privacy(sm)) 2533 goto skip_rsn; 2534 2535 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2536 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2537 goto error; 2538 } 2539 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2540 kde.ftie, sizeof(*ftie)); 2541 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2542 2543 if (kde.rsn_ie == NULL) { 2544 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2545 goto error; 2546 } 2547 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2548 kde.rsn_ie, kde.rsn_ie_len); 2549 if (kde.rsn_ie_len != peer->rsnie_p_len || 2550 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2551 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2552 "with the one sent in TPK M2"); 2553 goto error; 2554 } 2555 2556 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2557 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2558 "not match with FTIE ANonce used in TPK M2"); 2559 goto error; 2560 } 2561 2562 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2563 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2564 "match with FTIE SNonce used in TPK M1"); 2565 goto error; 2566 } 2567 2568 if (kde.key_lifetime == NULL) { 2569 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2570 goto error; 2571 } 2572 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2573 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2574 (u8 *) timeoutie, sizeof(*timeoutie)); 2575 lifetime = WPA_GET_LE32(timeoutie->value); 2576 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2577 lifetime); 2578 if (lifetime != peer->lifetime) { 2579 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2580 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2581 goto error; 2582 } 2583 2584 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2585 (u8 *) timeoutie, ftie) < 0) { 2586 wpa_tdls_del_key(sm, peer); 2587 goto error; 2588 } 2589 2590 if (wpa_tdls_set_key(sm, peer) < 0) { 2591 /* 2592 * Some drivers may not be able to config the key prior to full 2593 * STA entry having been configured. 2594 */ 2595 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2596 "STA entry is complete"); 2597 peer->reconfig_key = 1; 2598 } 2599 2600 skip_rsn: 2601 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2602 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2603 goto error; 2604 2605 if (!peer->tpk_success) { 2606 /* 2607 * Enable Link only when tpk_success is 0, signifying that this 2608 * processing of TPK M3 frame is not because of a retransmission 2609 * during TDLS setup handshake. 2610 */ 2611 ret = wpa_tdls_enable_link(sm, peer); 2612 if (ret < 0) { 2613 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2614 goto error; 2615 } 2616 } 2617 return ret; 2618 error: 2619 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2620 return -1; 2621 } 2622 2623 2624 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2625 { 2626 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2627 2628 os_memset(lifetime, 0, ie_len); 2629 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2630 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2631 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2632 WPA_PUT_LE32(lifetime->value, tsecs); 2633 os_memcpy(pos, ie, ie_len); 2634 return pos + ie_len; 2635 } 2636 2637 2638 /** 2639 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2640 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2641 * @peer: MAC address of the peer STA 2642 * Returns: 0 on success, or -1 on failure 2643 * 2644 * Send TPK Handshake Message 1 info to driver to start TDLS 2645 * handshake with the peer. 2646 */ 2647 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2648 { 2649 struct wpa_tdls_peer *peer; 2650 int tdls_prohibited = sm->tdls_prohibited; 2651 2652 if (sm->tdls_disabled || !sm->tdls_supported) 2653 return -1; 2654 2655 #ifdef CONFIG_TDLS_TESTING 2656 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2657 tdls_prohibited) { 2658 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2659 "on TDLS"); 2660 tdls_prohibited = 0; 2661 } 2662 #endif /* CONFIG_TDLS_TESTING */ 2663 2664 if (tdls_prohibited) { 2665 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2666 "reject request to start setup"); 2667 return -1; 2668 } 2669 2670 peer = wpa_tdls_add_peer(sm, addr, NULL); 2671 if (peer == NULL) 2672 return -1; 2673 2674 if (peer->tpk_in_progress) { 2675 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2676 return 0; 2677 } 2678 2679 peer->initiator = 1; 2680 2681 /* add the peer to the driver as a "setup in progress" peer */ 2682 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2683 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2684 wpa_tdls_disable_peer_link(sm, peer); 2685 return -1; 2686 } 2687 2688 peer->tpk_in_progress = 1; 2689 2690 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2691 wpa_tdls_disable_peer_link(sm, peer); 2692 return -1; 2693 } 2694 2695 return 0; 2696 } 2697 2698 2699 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2700 { 2701 struct wpa_tdls_peer *peer; 2702 2703 if (sm->tdls_disabled || !sm->tdls_supported) 2704 return; 2705 2706 for (peer = sm->tdls; peer; peer = peer->next) { 2707 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2708 break; 2709 } 2710 2711 if (peer == NULL || !peer->tpk_success) 2712 return; 2713 2714 if (sm->tdls_external_setup) { 2715 /* 2716 * Disable previous link to allow renegotiation to be completed 2717 * on AP path. 2718 */ 2719 wpa_tdls_do_teardown(sm, peer, 2720 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2721 } 2722 } 2723 2724 2725 /** 2726 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2727 * 2728 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2729 */ 2730 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2731 const u8 *buf, size_t len) 2732 { 2733 struct wpa_sm *sm = ctx; 2734 struct wpa_tdls_frame *tf; 2735 2736 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2737 buf, len); 2738 2739 if (sm->tdls_disabled || !sm->tdls_supported) { 2740 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2741 "or unsupported by driver"); 2742 return; 2743 } 2744 2745 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2746 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2747 return; 2748 } 2749 2750 if (len < sizeof(*tf)) { 2751 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2752 return; 2753 } 2754 2755 /* Check to make sure its a valid encapsulated TDLS frame */ 2756 tf = (struct wpa_tdls_frame *) buf; 2757 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2758 tf->category != WLAN_ACTION_TDLS) { 2759 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2760 "category=%u action=%u", 2761 tf->payloadtype, tf->category, tf->action); 2762 return; 2763 } 2764 2765 switch (tf->action) { 2766 case WLAN_TDLS_SETUP_REQUEST: 2767 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2768 break; 2769 case WLAN_TDLS_SETUP_RESPONSE: 2770 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2771 break; 2772 case WLAN_TDLS_SETUP_CONFIRM: 2773 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2774 break; 2775 case WLAN_TDLS_TEARDOWN: 2776 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2777 break; 2778 case WLAN_TDLS_DISCOVERY_REQUEST: 2779 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2780 break; 2781 default: 2782 /* Kernel code will process remaining frames */ 2783 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2784 tf->action); 2785 break; 2786 } 2787 } 2788 2789 2790 /** 2791 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2792 * @wpa_s: Pointer to wpa_supplicant data 2793 * Returns: 0 on success, -1 on failure 2794 * 2795 * This function is called to initialize driver interface parameters for TDLS. 2796 * wpa_drv_init() must have been called before this function to initialize the 2797 * driver interface. 2798 */ 2799 int wpa_tdls_init(struct wpa_sm *sm) 2800 { 2801 if (sm == NULL) 2802 return -1; 2803 2804 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2805 sm->ifname, 2806 sm->own_addr, 2807 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2808 sm, 0); 2809 if (sm->l2_tdls == NULL) { 2810 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2811 "connection"); 2812 return -1; 2813 } 2814 2815 /* 2816 * Drivers that support TDLS but don't implement the get_capa callback 2817 * are assumed to perform everything internally 2818 */ 2819 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2820 &sm->tdls_external_setup, 2821 &sm->tdls_chan_switch) < 0) { 2822 sm->tdls_supported = 1; 2823 sm->tdls_external_setup = 0; 2824 } 2825 2826 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2827 "driver", sm->tdls_supported ? "" : " not"); 2828 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2829 sm->tdls_external_setup ? "external" : "internal"); 2830 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2831 sm->tdls_chan_switch ? "supports" : "does not support"); 2832 2833 return 0; 2834 } 2835 2836 2837 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2838 { 2839 struct wpa_tdls_peer *peer, *tmp; 2840 2841 if (!sm) 2842 return; 2843 peer = sm->tdls; 2844 2845 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2846 2847 while (peer) { 2848 tmp = peer->next; 2849 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2850 MAC2STR(peer->addr)); 2851 if (sm->tdls_external_setup) 2852 wpa_tdls_do_teardown(sm, peer, 2853 WLAN_REASON_DEAUTH_LEAVING); 2854 else 2855 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2856 2857 peer = tmp; 2858 } 2859 } 2860 2861 2862 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2863 { 2864 struct wpa_tdls_peer *peer, *tmp; 2865 2866 peer = sm->tdls; 2867 2868 while (peer) { 2869 int res; 2870 tmp = peer->next; 2871 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2872 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2873 MAC2STR(peer->addr), res); 2874 wpa_tdls_peer_free(sm, peer); 2875 peer = tmp; 2876 } 2877 } 2878 2879 2880 /** 2881 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2882 * 2883 * This function is called to recover driver interface parameters for TDLS 2884 * and frees resources allocated for it. 2885 */ 2886 void wpa_tdls_deinit(struct wpa_sm *sm) 2887 { 2888 if (sm == NULL) 2889 return; 2890 2891 if (sm->l2_tdls) 2892 l2_packet_deinit(sm->l2_tdls); 2893 sm->l2_tdls = NULL; 2894 2895 wpa_tdls_remove_peers(sm); 2896 } 2897 2898 2899 void wpa_tdls_assoc(struct wpa_sm *sm) 2900 { 2901 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2902 wpa_tdls_remove_peers(sm); 2903 } 2904 2905 2906 void wpa_tdls_disassoc(struct wpa_sm *sm) 2907 { 2908 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2909 wpa_tdls_remove_peers(sm); 2910 } 2911 2912 2913 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2914 { 2915 /* bit 38 - TDLS Prohibited */ 2916 return !!(elems->ext_capab[4] & 0x40); 2917 } 2918 2919 2920 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2921 { 2922 /* bit 39 - TDLS Channel Switch Prohibited */ 2923 return !!(elems->ext_capab[4] & 0x80); 2924 } 2925 2926 2927 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2928 { 2929 struct ieee802_11_elems elems; 2930 2931 sm->tdls_prohibited = 0; 2932 sm->tdls_chan_switch_prohibited = 0; 2933 2934 if (ies == NULL || 2935 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2936 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2937 return; 2938 2939 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2940 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2941 sm->tdls_prohibited ? "prohibited" : "allowed"); 2942 sm->tdls_chan_switch_prohibited = 2943 wpa_tdls_chan_switch_prohibited(&elems); 2944 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2945 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2946 } 2947 2948 2949 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2950 { 2951 struct ieee802_11_elems elems; 2952 2953 if (ies == NULL || 2954 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2955 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2956 return; 2957 2958 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2959 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2960 "(Re)Association Response IEs"); 2961 sm->tdls_prohibited = 1; 2962 } 2963 2964 if (!sm->tdls_chan_switch_prohibited && 2965 wpa_tdls_chan_switch_prohibited(&elems)) { 2966 wpa_printf(MSG_DEBUG, 2967 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2968 sm->tdls_chan_switch_prohibited = 1; 2969 } 2970 } 2971 2972 2973 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2974 { 2975 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2976 sm->tdls_disabled = !enabled; 2977 } 2978 2979 2980 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2981 { 2982 return sm->tdls_external_setup; 2983 } 2984 2985 2986 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2987 u8 oper_class, 2988 struct hostapd_freq_params *freq_params) 2989 { 2990 struct wpa_tdls_peer *peer; 2991 int ret; 2992 2993 if (sm->tdls_disabled || !sm->tdls_supported) 2994 return -1; 2995 2996 if (!sm->tdls_chan_switch) { 2997 wpa_printf(MSG_DEBUG, 2998 "TDLS: Channel switching not supported by the driver"); 2999 return -1; 3000 } 3001 3002 if (sm->tdls_chan_switch_prohibited) { 3003 wpa_printf(MSG_DEBUG, 3004 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 3005 return -1; 3006 } 3007 3008 for (peer = sm->tdls; peer; peer = peer->next) { 3009 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3010 break; 3011 } 3012 3013 if (peer == NULL || !peer->tpk_success) { 3014 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3015 " not found for channel switching", MAC2STR(addr)); 3016 return -1; 3017 } 3018 3019 if (peer->chan_switch_enabled) { 3020 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3021 " already has channel switching enabled", 3022 MAC2STR(addr)); 3023 return 0; 3024 } 3025 3026 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3027 oper_class, freq_params); 3028 if (!ret) 3029 peer->chan_switch_enabled = 1; 3030 3031 return ret; 3032 } 3033 3034 3035 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3036 { 3037 struct wpa_tdls_peer *peer; 3038 3039 if (sm->tdls_disabled || !sm->tdls_supported) 3040 return -1; 3041 3042 for (peer = sm->tdls; peer; peer = peer->next) { 3043 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3044 break; 3045 } 3046 3047 if (!peer || !peer->chan_switch_enabled) { 3048 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3049 MACSTR, MAC2STR(addr)); 3050 return -1; 3051 } 3052 3053 /* ignore the return value */ 3054 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3055 3056 peer->chan_switch_enabled = 0; 3057 return 0; 3058 } 3059
