1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tk_set; /* TPK-TK configured to the driver */ 116 int tpk_success; 117 int tpk_in_progress; 118 119 struct tpk_timer { 120 u8 dest[ETH_ALEN]; 121 int count; /* Retry Count */ 122 int timer; /* Timeout in milliseconds */ 123 u8 action_code; /* TDLS frame type */ 124 u8 dialog_token; 125 u16 status_code; 126 u32 peer_capab; 127 int buf_len; /* length of TPK message for retransmission */ 128 u8 *buf; /* buffer for TPK message */ 129 } sm_tmr; 130 131 u16 capability; 132 133 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 134 size_t supp_rates_len; 135 136 struct ieee80211_ht_capabilities *ht_capabilities; 137 struct ieee80211_vht_capabilities *vht_capabilities; 138 139 u8 qos_info; 140 141 u16 aid; 142 143 u8 *ext_capab; 144 size_t ext_capab_len; 145 146 u8 *supp_channels; 147 size_t supp_channels_len; 148 149 u8 *supp_oper_classes; 150 size_t supp_oper_classes_len; 151 152 u8 wmm_capable; 153 154 /* channel switch currently enabled */ 155 int chan_switch_enabled; 156 }; 157 158 159 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 160 { 161 /* 162 * Get info needed from supplicant to check if the current BSS supports 163 * security. Other than OPEN mode, rest are considered secured 164 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 165 */ 166 return sm->pairwise_cipher != WPA_CIPHER_NONE; 167 } 168 169 170 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 171 { 172 os_memcpy(pos, ie, ie_len); 173 return pos + ie_len; 174 } 175 176 177 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 178 { 179 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 180 0, 0, NULL, 0, NULL, 0) < 0) { 181 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 182 "the driver"); 183 return -1; 184 } 185 186 return 0; 187 } 188 189 190 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 191 { 192 u8 key_len; 193 u8 rsc[6]; 194 enum wpa_alg alg; 195 196 if (peer->tk_set) { 197 /* 198 * This same TPK-TK has already been configured to the driver 199 * and this new configuration attempt (likely due to an 200 * unexpected retransmitted frame) would result in clearing 201 * the TX/RX sequence number which can break security, so must 202 * not allow that to happen. 203 */ 204 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 205 " has already been configured to the driver - do not reconfigure", 206 MAC2STR(peer->addr)); 207 return -1; 208 } 209 210 os_memset(rsc, 0, 6); 211 212 switch (peer->cipher) { 213 case WPA_CIPHER_CCMP: 214 alg = WPA_ALG_CCMP; 215 key_len = 16; 216 break; 217 case WPA_CIPHER_NONE: 218 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 219 "NONE - do not use pairwise keys"); 220 return -1; 221 default: 222 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 223 sm->pairwise_cipher); 224 return -1; 225 } 226 227 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 228 MAC2STR(peer->addr)); 229 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 230 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 231 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 232 "driver"); 233 return -1; 234 } 235 peer->tk_set = 1; 236 return 0; 237 } 238 239 240 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 241 u8 action_code, u8 dialog_token, 242 u16 status_code, u32 peer_capab, 243 int initiator, const u8 *buf, size_t len) 244 { 245 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 246 status_code, peer_capab, initiator, buf, 247 len); 248 } 249 250 251 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 252 u8 dialog_token, u16 status_code, u32 peer_capab, 253 int initiator, const u8 *msg, size_t msg_len) 254 { 255 struct wpa_tdls_peer *peer; 256 257 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 258 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 259 "msg_len=%u", 260 MAC2STR(dest), action_code, dialog_token, status_code, 261 peer_capab, initiator, (unsigned int) msg_len); 262 263 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 264 status_code, peer_capab, initiator, msg, 265 msg_len)) { 266 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 267 "(action_code=%u)", action_code); 268 return -1; 269 } 270 271 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 272 action_code == WLAN_TDLS_TEARDOWN || 273 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 274 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 275 return 0; /* No retries */ 276 277 for (peer = sm->tdls; peer; peer = peer->next) { 278 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 279 break; 280 } 281 282 if (peer == NULL) { 283 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 284 "retry " MACSTR, MAC2STR(dest)); 285 return 0; 286 } 287 288 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 289 290 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 291 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 292 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 293 } else { 294 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 295 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 296 } 297 298 /* Copy message to resend on timeout */ 299 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 300 peer->sm_tmr.action_code = action_code; 301 peer->sm_tmr.dialog_token = dialog_token; 302 peer->sm_tmr.status_code = status_code; 303 peer->sm_tmr.peer_capab = peer_capab; 304 peer->sm_tmr.buf_len = msg_len; 305 os_free(peer->sm_tmr.buf); 306 peer->sm_tmr.buf = os_memdup(msg, msg_len); 307 if (peer->sm_tmr.buf == NULL) 308 return -1; 309 310 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 311 "(action_code=%u)", action_code); 312 eloop_register_timeout(peer->sm_tmr.timer / 1000, 313 (peer->sm_tmr.timer % 1000) * 1000, 314 wpa_tdls_tpk_retry_timeout, sm, peer); 315 return 0; 316 } 317 318 319 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 320 u16 reason_code) 321 { 322 int ret; 323 324 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 325 /* disable the link after teardown was sent */ 326 wpa_tdls_disable_peer_link(sm, peer); 327 328 return ret; 329 } 330 331 332 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 333 { 334 335 struct wpa_sm *sm = eloop_ctx; 336 struct wpa_tdls_peer *peer = timeout_ctx; 337 338 if (peer->sm_tmr.count) { 339 peer->sm_tmr.count--; 340 341 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 342 "(action_code=%u)", 343 peer->sm_tmr.action_code); 344 345 if (peer->sm_tmr.buf == NULL) { 346 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 347 "for action_code=%u", 348 peer->sm_tmr.action_code); 349 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 350 peer); 351 return; 352 } 353 354 /* resend TPK Handshake Message to Peer */ 355 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 356 peer->sm_tmr.action_code, 357 peer->sm_tmr.dialog_token, 358 peer->sm_tmr.status_code, 359 peer->sm_tmr.peer_capab, 360 peer->initiator, 361 peer->sm_tmr.buf, 362 peer->sm_tmr.buf_len)) { 363 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 364 "transmission"); 365 } 366 367 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 368 eloop_register_timeout(peer->sm_tmr.timer / 1000, 369 (peer->sm_tmr.timer % 1000) * 1000, 370 wpa_tdls_tpk_retry_timeout, sm, peer); 371 } else { 372 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 373 374 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 375 wpa_tdls_do_teardown(sm, peer, 376 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 377 } 378 } 379 380 381 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 382 struct wpa_tdls_peer *peer, 383 u8 action_code) 384 { 385 if (action_code == peer->sm_tmr.action_code) { 386 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 387 "action_code=%u", action_code); 388 389 /* Cancel Timeout registered */ 390 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 391 392 /* free all resources meant for retry */ 393 os_free(peer->sm_tmr.buf); 394 peer->sm_tmr.buf = NULL; 395 396 peer->sm_tmr.count = 0; 397 peer->sm_tmr.timer = 0; 398 peer->sm_tmr.buf_len = 0; 399 peer->sm_tmr.action_code = 0xff; 400 } else { 401 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 402 "(Unknown action_code=%u)", action_code); 403 } 404 } 405 406 407 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 408 const u8 *own_addr, const u8 *bssid) 409 { 410 u8 key_input[SHA256_MAC_LEN]; 411 const u8 *nonce[2]; 412 size_t len[2]; 413 u8 data[3 * ETH_ALEN]; 414 415 /* IEEE Std 802.11-2016 12.7.9.2: 416 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce)) 417 * Hash = SHA-256 for TDLS 418 */ 419 len[0] = WPA_NONCE_LEN; 420 len[1] = WPA_NONCE_LEN; 421 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 422 nonce[0] = peer->inonce; 423 nonce[1] = peer->rnonce; 424 } else { 425 nonce[0] = peer->rnonce; 426 nonce[1] = peer->inonce; 427 } 428 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 429 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 430 sha256_vector(2, nonce, len, key_input); 431 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 432 key_input, SHA256_MAC_LEN); 433 434 /* 435 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK", 436 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID) 437 */ 438 439 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 440 os_memcpy(data, own_addr, ETH_ALEN); 441 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 442 } else { 443 os_memcpy(data, peer->addr, ETH_ALEN); 444 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 445 } 446 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 447 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 448 449 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 450 (u8 *) &peer->tpk, sizeof(peer->tpk)); 451 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 452 peer->tpk.kck, sizeof(peer->tpk.kck)); 453 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 454 peer->tpk.tk, sizeof(peer->tpk.tk)); 455 peer->tpk_set = 1; 456 } 457 458 459 /** 460 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 461 * @kck: TPK-KCK 462 * @lnkid: Pointer to the beginning of Link Identifier IE 463 * @rsnie: Pointer to the beginning of RSN IE used for handshake 464 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 465 * @ftie: Pointer to the beginning of FT IE 466 * @mic: Pointer for writing MIC 467 * 468 * Calculate MIC for TDLS frame. 469 */ 470 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 471 const u8 *rsnie, const u8 *timeoutie, 472 const u8 *ftie, u8 *mic) 473 { 474 u8 *buf, *pos; 475 struct wpa_tdls_ftie *_ftie; 476 const struct wpa_tdls_lnkid *_lnkid; 477 int ret; 478 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 479 2 + timeoutie[1] + 2 + ftie[1]; 480 buf = os_zalloc(len); 481 if (!buf) { 482 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 483 return -1; 484 } 485 486 pos = buf; 487 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 488 /* 1) TDLS initiator STA MAC address */ 489 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 490 pos += ETH_ALEN; 491 /* 2) TDLS responder STA MAC address */ 492 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 493 pos += ETH_ALEN; 494 /* 3) Transaction Sequence number */ 495 *pos++ = trans_seq; 496 /* 4) Link Identifier IE */ 497 os_memcpy(pos, lnkid, 2 + lnkid[1]); 498 pos += 2 + lnkid[1]; 499 /* 5) RSN IE */ 500 os_memcpy(pos, rsnie, 2 + rsnie[1]); 501 pos += 2 + rsnie[1]; 502 /* 6) Timeout Interval IE */ 503 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 504 pos += 2 + timeoutie[1]; 505 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 506 os_memcpy(pos, ftie, 2 + ftie[1]); 507 _ftie = (struct wpa_tdls_ftie *) pos; 508 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 509 pos += 2 + ftie[1]; 510 511 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 512 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 513 ret = omac1_aes_128(kck, buf, pos - buf, mic); 514 os_free(buf); 515 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 516 return ret; 517 } 518 519 520 /** 521 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 522 * @kck: TPK-KCK 523 * @trans_seq: Transaction Sequence Number (4 - Teardown) 524 * @rcode: Reason code for Teardown 525 * @dtoken: Dialog Token used for that particular link 526 * @lnkid: Pointer to the beginning of Link Identifier IE 527 * @ftie: Pointer to the beginning of FT IE 528 * @mic: Pointer for writing MIC 529 * 530 * Calculate MIC for TDLS frame. 531 */ 532 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 533 u8 dtoken, const u8 *lnkid, 534 const u8 *ftie, u8 *mic) 535 { 536 u8 *buf, *pos; 537 struct wpa_tdls_ftie *_ftie; 538 int ret; 539 int len; 540 541 if (lnkid == NULL) 542 return -1; 543 544 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 545 sizeof(trans_seq) + 2 + ftie[1]; 546 547 buf = os_zalloc(len); 548 if (!buf) { 549 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 550 return -1; 551 } 552 553 pos = buf; 554 /* 1) Link Identifier IE */ 555 os_memcpy(pos, lnkid, 2 + lnkid[1]); 556 pos += 2 + lnkid[1]; 557 /* 2) Reason Code */ 558 WPA_PUT_LE16(pos, rcode); 559 pos += sizeof(rcode); 560 /* 3) Dialog token */ 561 *pos++ = dtoken; 562 /* 4) Transaction Sequence number */ 563 *pos++ = trans_seq; 564 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 565 os_memcpy(pos, ftie, 2 + ftie[1]); 566 _ftie = (struct wpa_tdls_ftie *) pos; 567 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 568 pos += 2 + ftie[1]; 569 570 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 571 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 572 ret = omac1_aes_128(kck, buf, pos - buf, mic); 573 os_free(buf); 574 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 575 return ret; 576 } 577 578 579 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 580 struct wpa_tdls_peer *peer, 581 const u8 *lnkid, const u8 *timeoutie, 582 const struct wpa_tdls_ftie *ftie) 583 { 584 u8 mic[16]; 585 586 if (peer->tpk_set) { 587 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 588 peer->rsnie_p, timeoutie, (u8 *) ftie, 589 mic); 590 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 591 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 592 "dropping packet"); 593 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 594 ftie->mic, 16); 595 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 596 mic, 16); 597 return -1; 598 } 599 } else { 600 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 601 "TPK not set - dropping packet"); 602 return -1; 603 } 604 return 0; 605 } 606 607 608 static int wpa_supplicant_verify_tdls_mic_teardown( 609 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 610 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 611 { 612 u8 mic[16]; 613 614 if (peer->tpk_set) { 615 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 616 dtoken, lnkid, (u8 *) ftie, mic); 617 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 618 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 619 "dropping packet"); 620 return -1; 621 } 622 } else { 623 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 624 "MIC, TPK not set - dropping packet"); 625 return -1; 626 } 627 return 0; 628 } 629 630 631 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 632 { 633 struct wpa_sm *sm = eloop_ctx; 634 struct wpa_tdls_peer *peer = timeout_ctx; 635 636 /* 637 * On TPK lifetime expiration, we have an option of either tearing down 638 * the direct link or trying to re-initiate it. The selection of what 639 * to do is not strictly speaking controlled by our role in the expired 640 * link, but for now, use that to select whether to renew or tear down 641 * the link. 642 */ 643 644 if (peer->initiator) { 645 u8 addr[ETH_ALEN]; 646 647 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 648 " - try to renew", MAC2STR(peer->addr)); 649 /* cache the peer address before do_teardown */ 650 os_memcpy(addr, peer->addr, ETH_ALEN); 651 wpa_tdls_do_teardown(sm, peer, 652 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 653 wpa_tdls_start(sm, addr); 654 } else { 655 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 656 " - tear down", MAC2STR(peer->addr)); 657 wpa_tdls_do_teardown(sm, peer, 658 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 659 } 660 } 661 662 663 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 664 struct wpa_tdls_peer *peer) 665 { 666 struct wpa_tdls_peer *cur, *prev; 667 668 cur = sm->tdls; 669 prev = NULL; 670 while (cur && cur != peer) { 671 prev = cur; 672 cur = cur->next; 673 } 674 675 if (cur != peer) { 676 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 677 " to remove it from the list", 678 MAC2STR(peer->addr)); 679 return; 680 } 681 682 if (prev) 683 prev->next = peer->next; 684 else 685 sm->tdls = peer->next; 686 } 687 688 689 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 690 { 691 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 692 MAC2STR(peer->addr)); 693 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 694 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 695 peer->reconfig_key = 0; 696 peer->initiator = 0; 697 peer->tpk_in_progress = 0; 698 os_free(peer->sm_tmr.buf); 699 peer->sm_tmr.buf = NULL; 700 os_free(peer->ht_capabilities); 701 peer->ht_capabilities = NULL; 702 os_free(peer->vht_capabilities); 703 peer->vht_capabilities = NULL; 704 os_free(peer->ext_capab); 705 peer->ext_capab = NULL; 706 os_free(peer->supp_channels); 707 peer->supp_channels = NULL; 708 os_free(peer->supp_oper_classes); 709 peer->supp_oper_classes = NULL; 710 peer->rsnie_i_len = peer->rsnie_p_len = 0; 711 peer->cipher = 0; 712 peer->qos_info = 0; 713 peer->wmm_capable = 0; 714 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 715 peer->chan_switch_enabled = 0; 716 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 717 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 718 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 719 } 720 721 722 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 723 { 724 wpa_tdls_peer_clear(sm, peer); 725 wpa_tdls_peer_remove_from_list(sm, peer); 726 os_free(peer); 727 } 728 729 730 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 731 struct wpa_tdls_lnkid *lnkid) 732 { 733 lnkid->ie_type = WLAN_EID_LINK_ID; 734 lnkid->ie_len = 3 * ETH_ALEN; 735 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 736 if (peer->initiator) { 737 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 738 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 739 } else { 740 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 741 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 742 } 743 } 744 745 746 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 747 u16 reason_code) 748 { 749 struct wpa_tdls_peer *peer; 750 struct wpa_tdls_ftie *ftie; 751 struct wpa_tdls_lnkid lnkid; 752 u8 dialog_token; 753 u8 *rbuf, *pos; 754 int ielen; 755 756 if (sm->tdls_disabled || !sm->tdls_supported) 757 return -1; 758 759 /* Find the node and free from the list */ 760 for (peer = sm->tdls; peer; peer = peer->next) { 761 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 762 break; 763 } 764 765 if (peer == NULL) { 766 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 767 "Teardown " MACSTR, MAC2STR(addr)); 768 return 0; 769 } 770 771 /* Cancel active channel switch before teardown */ 772 if (peer->chan_switch_enabled) { 773 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 774 " to base channel", MAC2STR(addr)); 775 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 776 } 777 778 dialog_token = peer->dtoken; 779 780 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 781 MAC2STR(addr)); 782 783 ielen = 0; 784 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 785 /* To add FTIE for Teardown request and compute MIC */ 786 ielen += sizeof(*ftie); 787 #ifdef CONFIG_TDLS_TESTING 788 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 789 ielen += 170; 790 #endif /* CONFIG_TDLS_TESTING */ 791 } 792 793 rbuf = os_zalloc(ielen + 1); 794 if (rbuf == NULL) 795 return -1; 796 pos = rbuf; 797 798 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 799 goto skip_ies; 800 801 ftie = (struct wpa_tdls_ftie *) pos; 802 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 803 /* Using the recent nonce which should be for CONFIRM frame */ 804 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 805 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 806 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 807 pos = (u8 *) (ftie + 1); 808 #ifdef CONFIG_TDLS_TESTING 809 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 810 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 811 "FTIE"); 812 ftie->ie_len += 170; 813 *pos++ = 255; /* FTIE subelem */ 814 *pos++ = 168; /* FTIE subelem length */ 815 pos += 168; 816 } 817 #endif /* CONFIG_TDLS_TESTING */ 818 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 819 (u8 *) ftie, pos - (u8 *) ftie); 820 821 /* compute MIC before sending */ 822 wpa_tdls_linkid(sm, peer, &lnkid); 823 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 824 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 825 ftie->mic); 826 827 skip_ies: 828 /* TODO: register for a Timeout handler, if Teardown is not received at 829 * the other end, then try again another time */ 830 831 /* request driver to send Teardown using this FTIE */ 832 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 833 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 834 os_free(rbuf); 835 836 return 0; 837 } 838 839 840 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 841 { 842 struct wpa_tdls_peer *peer; 843 844 if (sm->tdls_disabled || !sm->tdls_supported) 845 return -1; 846 847 for (peer = sm->tdls; peer; peer = peer->next) { 848 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 849 break; 850 } 851 852 if (peer == NULL) { 853 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 854 " for link Teardown", MAC2STR(addr)); 855 return -1; 856 } 857 858 if (!peer->tpk_success) { 859 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 860 " not connected - cannot Teardown link", MAC2STR(addr)); 861 return -1; 862 } 863 864 return wpa_tdls_do_teardown(sm, peer, reason_code); 865 } 866 867 868 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 869 struct wpa_tdls_peer *peer) 870 { 871 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 872 wpa_tdls_peer_free(sm, peer); 873 } 874 875 876 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 877 { 878 struct wpa_tdls_peer *peer; 879 880 for (peer = sm->tdls; peer; peer = peer->next) { 881 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 882 break; 883 } 884 885 if (!peer || !peer->tpk_success) { 886 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 887 " not connected - cannot teardown unreachable link", 888 MAC2STR(addr)); 889 return; 890 } 891 892 if (wpa_tdls_is_external_setup(sm)) { 893 /* 894 * Get us on the base channel, disable the link, send a 895 * teardown packet through the AP, and then reset link data. 896 */ 897 if (peer->chan_switch_enabled) 898 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 899 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 900 wpa_tdls_send_teardown(sm, addr, 901 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 902 wpa_tdls_peer_free(sm, peer); 903 } else { 904 wpa_tdls_disable_peer_link(sm, peer); 905 } 906 } 907 908 909 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 910 { 911 struct wpa_tdls_peer *peer; 912 913 if (sm->tdls_disabled || !sm->tdls_supported) 914 return "disabled"; 915 916 for (peer = sm->tdls; peer; peer = peer->next) { 917 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 918 break; 919 } 920 921 if (peer == NULL) 922 return "peer does not exist"; 923 924 if (!peer->tpk_success) 925 return "peer not connected"; 926 927 return "connected"; 928 } 929 930 931 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 932 const u8 *buf, size_t len) 933 { 934 struct wpa_tdls_peer *peer = NULL; 935 struct wpa_tdls_ftie *ftie; 936 struct wpa_tdls_lnkid *lnkid; 937 struct wpa_eapol_ie_parse kde; 938 u16 reason_code; 939 const u8 *pos; 940 int ielen; 941 942 /* Find the node and free from the list */ 943 for (peer = sm->tdls; peer; peer = peer->next) { 944 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 945 break; 946 } 947 948 if (peer == NULL) { 949 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 950 "Teardown " MACSTR, MAC2STR(src_addr)); 951 return 0; 952 } 953 954 pos = buf; 955 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 956 957 reason_code = WPA_GET_LE16(pos); 958 pos += 2; 959 960 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 961 " (reason code %u)", MAC2STR(src_addr), reason_code); 962 963 ielen = len - (pos - buf); /* start of IE in buf */ 964 965 /* 966 * Don't reject the message if failing to parse IEs. The IEs we need are 967 * explicitly checked below. Some APs may add arbitrary padding to the 968 * end of short TDLS frames and that would look like invalid IEs. 969 */ 970 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 971 wpa_printf(MSG_DEBUG, 972 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 973 974 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 975 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 976 "Teardown"); 977 return -1; 978 } 979 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 980 981 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 982 goto skip_ftie; 983 984 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 985 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 986 return -1; 987 } 988 989 ftie = (struct wpa_tdls_ftie *) kde.ftie; 990 991 /* Process MIC check to see if TDLS Teardown is right */ 992 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 993 peer->dtoken, peer, 994 (u8 *) lnkid, ftie) < 0) { 995 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 996 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 997 return -1; 998 } 999 1000 skip_ftie: 1001 /* 1002 * Request the driver to disable the direct link and clear associated 1003 * keys. 1004 */ 1005 wpa_tdls_disable_peer_link(sm, peer); 1006 return 0; 1007 } 1008 1009 1010 /** 1011 * wpa_tdls_send_error - To send suitable TDLS status response with 1012 * appropriate status code mentioning reason for error/failure. 1013 * @dst - MAC addr of Peer station 1014 * @tdls_action - TDLS frame type for which error code is sent 1015 * @initiator - was this end the initiator of the connection 1016 * @status - status code mentioning reason 1017 */ 1018 1019 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1020 u8 tdls_action, u8 dialog_token, int initiator, 1021 u16 status) 1022 { 1023 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1024 " (action=%u status=%u)", 1025 MAC2STR(dst), tdls_action, status); 1026 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1027 0, initiator, NULL, 0); 1028 } 1029 1030 1031 static struct wpa_tdls_peer * 1032 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1033 { 1034 struct wpa_tdls_peer *peer; 1035 1036 if (existing) 1037 *existing = 0; 1038 for (peer = sm->tdls; peer; peer = peer->next) { 1039 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1040 if (existing) 1041 *existing = 1; 1042 return peer; /* re-use existing entry */ 1043 } 1044 } 1045 1046 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1047 MAC2STR(addr)); 1048 1049 peer = os_zalloc(sizeof(*peer)); 1050 if (peer == NULL) 1051 return NULL; 1052 1053 os_memcpy(peer->addr, addr, ETH_ALEN); 1054 peer->next = sm->tdls; 1055 sm->tdls = peer; 1056 1057 return peer; 1058 } 1059 1060 1061 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1062 struct wpa_tdls_peer *peer) 1063 { 1064 size_t buf_len; 1065 struct wpa_tdls_timeoutie timeoutie; 1066 u16 rsn_capab; 1067 struct wpa_tdls_ftie *ftie; 1068 u8 *rbuf, *pos, *count_pos; 1069 u16 count; 1070 struct rsn_ie_hdr *hdr; 1071 int status; 1072 1073 if (!wpa_tdls_get_privacy(sm)) { 1074 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1075 peer->rsnie_i_len = 0; 1076 goto skip_rsnie; 1077 } 1078 1079 /* 1080 * TPK Handshake Message 1: 1081 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1082 * Timeout Interval IE)) 1083 */ 1084 1085 /* Filling RSN IE */ 1086 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1087 hdr->elem_id = WLAN_EID_RSN; 1088 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1089 1090 pos = (u8 *) (hdr + 1); 1091 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1092 pos += RSN_SELECTOR_LEN; 1093 count_pos = pos; 1094 pos += 2; 1095 1096 count = 0; 1097 1098 /* 1099 * AES-CCMP is the default Encryption preferred for TDLS, so 1100 * RSN IE is filled only with CCMP CIPHER 1101 * Note: TKIP is not used to encrypt TDLS link. 1102 * 1103 * Regardless of the cipher used on the AP connection, select CCMP 1104 * here. 1105 */ 1106 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1107 pos += RSN_SELECTOR_LEN; 1108 count++; 1109 1110 WPA_PUT_LE16(count_pos, count); 1111 1112 WPA_PUT_LE16(pos, 1); 1113 pos += 2; 1114 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1115 pos += RSN_SELECTOR_LEN; 1116 1117 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1118 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1119 #ifdef CONFIG_TDLS_TESTING 1120 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1121 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1122 "testing"); 1123 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1124 } 1125 #endif /* CONFIG_TDLS_TESTING */ 1126 WPA_PUT_LE16(pos, rsn_capab); 1127 pos += 2; 1128 #ifdef CONFIG_TDLS_TESTING 1129 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1130 /* Number of PMKIDs */ 1131 *pos++ = 0x00; 1132 *pos++ = 0x00; 1133 } 1134 #endif /* CONFIG_TDLS_TESTING */ 1135 1136 hdr->len = (pos - peer->rsnie_i) - 2; 1137 peer->rsnie_i_len = pos - peer->rsnie_i; 1138 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1139 peer->rsnie_i, peer->rsnie_i_len); 1140 1141 skip_rsnie: 1142 buf_len = 0; 1143 if (wpa_tdls_get_privacy(sm)) 1144 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1145 sizeof(struct wpa_tdls_timeoutie); 1146 #ifdef CONFIG_TDLS_TESTING 1147 if (wpa_tdls_get_privacy(sm) && 1148 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1149 buf_len += 170; 1150 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1151 buf_len += sizeof(struct wpa_tdls_lnkid); 1152 #endif /* CONFIG_TDLS_TESTING */ 1153 rbuf = os_zalloc(buf_len + 1); 1154 if (rbuf == NULL) { 1155 wpa_tdls_peer_free(sm, peer); 1156 return -1; 1157 } 1158 pos = rbuf; 1159 1160 if (!wpa_tdls_get_privacy(sm)) 1161 goto skip_ies; 1162 1163 /* Initiator RSN IE */ 1164 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1165 1166 ftie = (struct wpa_tdls_ftie *) pos; 1167 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1168 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1169 1170 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1171 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1172 "TDLS: Failed to get random data for initiator Nonce"); 1173 os_free(rbuf); 1174 wpa_tdls_peer_free(sm, peer); 1175 return -1; 1176 } 1177 peer->tk_set = 0; /* A new nonce results in a new TK */ 1178 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1179 peer->inonce, WPA_NONCE_LEN); 1180 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1181 1182 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1183 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1184 1185 pos = (u8 *) (ftie + 1); 1186 1187 #ifdef CONFIG_TDLS_TESTING 1188 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1189 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1190 "FTIE"); 1191 ftie->ie_len += 170; 1192 *pos++ = 255; /* FTIE subelem */ 1193 *pos++ = 168; /* FTIE subelem length */ 1194 pos += 168; 1195 } 1196 #endif /* CONFIG_TDLS_TESTING */ 1197 1198 /* Lifetime */ 1199 peer->lifetime = TPK_LIFETIME; 1200 #ifdef CONFIG_TDLS_TESTING 1201 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1202 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1203 "lifetime"); 1204 peer->lifetime = 301; 1205 } 1206 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1207 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1208 "lifetime"); 1209 peer->lifetime = 0xffffffff; 1210 } 1211 #endif /* CONFIG_TDLS_TESTING */ 1212 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1213 sizeof(timeoutie), peer->lifetime); 1214 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1215 1216 skip_ies: 1217 1218 #ifdef CONFIG_TDLS_TESTING 1219 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1220 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1221 1222 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1223 "Link Identifier"); 1224 wpa_tdls_linkid(sm, peer, l); 1225 l->bssid[5] ^= 0x01; 1226 pos += sizeof(*l); 1227 } 1228 #endif /* CONFIG_TDLS_TESTING */ 1229 1230 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1231 "Handshake Message 1 (peer " MACSTR ")", 1232 MAC2STR(peer->addr)); 1233 1234 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1235 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1236 os_free(rbuf); 1237 1238 return status; 1239 } 1240 1241 1242 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1243 const unsigned char *src_addr, u8 dtoken, 1244 struct wpa_tdls_lnkid *lnkid, 1245 const struct wpa_tdls_peer *peer) 1246 { 1247 u8 *rbuf, *pos; 1248 size_t buf_len; 1249 u32 lifetime; 1250 struct wpa_tdls_timeoutie timeoutie; 1251 struct wpa_tdls_ftie *ftie; 1252 int status; 1253 1254 buf_len = 0; 1255 if (wpa_tdls_get_privacy(sm)) { 1256 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1257 * Lifetime */ 1258 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1259 sizeof(struct wpa_tdls_timeoutie); 1260 #ifdef CONFIG_TDLS_TESTING 1261 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1262 buf_len += 170; 1263 #endif /* CONFIG_TDLS_TESTING */ 1264 } 1265 1266 rbuf = os_zalloc(buf_len + 1); 1267 if (rbuf == NULL) 1268 return -1; 1269 pos = rbuf; 1270 1271 if (!wpa_tdls_get_privacy(sm)) 1272 goto skip_ies; 1273 1274 /* Peer RSN IE */ 1275 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1276 1277 ftie = (struct wpa_tdls_ftie *) pos; 1278 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1279 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1280 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1281 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1282 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1283 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1284 (u8 *) ftie, sizeof(*ftie)); 1285 1286 pos = (u8 *) (ftie + 1); 1287 1288 #ifdef CONFIG_TDLS_TESTING 1289 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1290 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1291 "FTIE"); 1292 ftie->ie_len += 170; 1293 *pos++ = 255; /* FTIE subelem */ 1294 *pos++ = 168; /* FTIE subelem length */ 1295 pos += 168; 1296 } 1297 #endif /* CONFIG_TDLS_TESTING */ 1298 1299 /* Lifetime */ 1300 lifetime = peer->lifetime; 1301 #ifdef CONFIG_TDLS_TESTING 1302 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1303 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1304 "lifetime in response"); 1305 lifetime++; 1306 } 1307 #endif /* CONFIG_TDLS_TESTING */ 1308 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1309 sizeof(timeoutie), lifetime); 1310 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1311 lifetime); 1312 1313 /* compute MIC before sending */ 1314 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1315 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1316 #ifdef CONFIG_TDLS_TESTING 1317 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1318 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1319 ftie->mic[0] ^= 0x01; 1320 } 1321 #endif /* CONFIG_TDLS_TESTING */ 1322 1323 skip_ies: 1324 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1325 dtoken, 0, 0, peer->initiator, rbuf, 1326 pos - rbuf); 1327 os_free(rbuf); 1328 1329 return status; 1330 } 1331 1332 1333 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1334 const unsigned char *src_addr, u8 dtoken, 1335 struct wpa_tdls_lnkid *lnkid, 1336 const struct wpa_tdls_peer *peer) 1337 { 1338 u8 *rbuf, *pos; 1339 size_t buf_len; 1340 struct wpa_tdls_ftie *ftie; 1341 struct wpa_tdls_timeoutie timeoutie; 1342 u32 lifetime; 1343 int status; 1344 u32 peer_capab = 0; 1345 1346 buf_len = 0; 1347 if (wpa_tdls_get_privacy(sm)) { 1348 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1349 * Lifetime */ 1350 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1351 sizeof(struct wpa_tdls_timeoutie); 1352 #ifdef CONFIG_TDLS_TESTING 1353 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1354 buf_len += 170; 1355 #endif /* CONFIG_TDLS_TESTING */ 1356 } 1357 1358 rbuf = os_zalloc(buf_len + 1); 1359 if (rbuf == NULL) 1360 return -1; 1361 pos = rbuf; 1362 1363 if (!wpa_tdls_get_privacy(sm)) 1364 goto skip_ies; 1365 1366 /* Peer RSN IE */ 1367 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1368 1369 ftie = (struct wpa_tdls_ftie *) pos; 1370 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1371 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1372 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1373 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1374 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1375 1376 pos = (u8 *) (ftie + 1); 1377 1378 #ifdef CONFIG_TDLS_TESTING 1379 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1380 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1381 "FTIE"); 1382 ftie->ie_len += 170; 1383 *pos++ = 255; /* FTIE subelem */ 1384 *pos++ = 168; /* FTIE subelem length */ 1385 pos += 168; 1386 } 1387 #endif /* CONFIG_TDLS_TESTING */ 1388 1389 /* Lifetime */ 1390 lifetime = peer->lifetime; 1391 #ifdef CONFIG_TDLS_TESTING 1392 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1393 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1394 "lifetime in confirm"); 1395 lifetime++; 1396 } 1397 #endif /* CONFIG_TDLS_TESTING */ 1398 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1399 sizeof(timeoutie), lifetime); 1400 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1401 lifetime); 1402 1403 /* compute MIC before sending */ 1404 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1405 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1406 #ifdef CONFIG_TDLS_TESTING 1407 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1408 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1409 ftie->mic[0] ^= 0x01; 1410 } 1411 #endif /* CONFIG_TDLS_TESTING */ 1412 1413 skip_ies: 1414 1415 if (peer->vht_capabilities) 1416 peer_capab |= TDLS_PEER_VHT; 1417 if (peer->ht_capabilities) 1418 peer_capab |= TDLS_PEER_HT; 1419 if (peer->wmm_capable) 1420 peer_capab |= TDLS_PEER_WMM; 1421 1422 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1423 dtoken, 0, peer_capab, peer->initiator, 1424 rbuf, pos - rbuf); 1425 os_free(rbuf); 1426 1427 return status; 1428 } 1429 1430 1431 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1432 struct wpa_tdls_peer *peer, 1433 u8 dialog_token) 1434 { 1435 size_t buf_len = 0; 1436 struct wpa_tdls_timeoutie timeoutie; 1437 u16 rsn_capab; 1438 u8 *rbuf, *pos, *count_pos; 1439 u16 count; 1440 struct rsn_ie_hdr *hdr; 1441 int status; 1442 1443 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1444 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1445 if (!wpa_tdls_get_privacy(sm)) 1446 goto skip_rsn_ies; 1447 1448 /* Filling RSN IE */ 1449 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1450 hdr->elem_id = WLAN_EID_RSN; 1451 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1452 pos = (u8 *) (hdr + 1); 1453 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1454 pos += RSN_SELECTOR_LEN; 1455 count_pos = pos; 1456 pos += 2; 1457 count = 0; 1458 1459 /* 1460 * AES-CCMP is the default encryption preferred for TDLS, so 1461 * RSN IE is filled only with CCMP cipher suite. 1462 * Note: TKIP is not used to encrypt TDLS link. 1463 * 1464 * Regardless of the cipher used on the AP connection, select CCMP 1465 * here. 1466 */ 1467 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1468 pos += RSN_SELECTOR_LEN; 1469 count++; 1470 WPA_PUT_LE16(count_pos, count); 1471 WPA_PUT_LE16(pos, 1); 1472 pos += 2; 1473 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1474 pos += RSN_SELECTOR_LEN; 1475 1476 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1477 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1478 WPA_PUT_LE16(pos, rsn_capab); 1479 pos += 2; 1480 hdr->len = (pos - (u8 *) hdr) - 2; 1481 peer->rsnie_i_len = pos - peer->rsnie_i; 1482 1483 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1484 (u8 *) hdr, hdr->len + 2); 1485 skip_rsn_ies: 1486 buf_len = 0; 1487 if (wpa_tdls_get_privacy(sm)) { 1488 /* Peer RSN IE, Lifetime */ 1489 buf_len += peer->rsnie_i_len + 1490 sizeof(struct wpa_tdls_timeoutie); 1491 } 1492 rbuf = os_zalloc(buf_len + 1); 1493 if (rbuf == NULL) { 1494 wpa_tdls_peer_free(sm, peer); 1495 return -1; 1496 } 1497 pos = rbuf; 1498 1499 if (!wpa_tdls_get_privacy(sm)) 1500 goto skip_ies; 1501 /* Initiator RSN IE */ 1502 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1503 /* Lifetime */ 1504 peer->lifetime = TPK_LIFETIME; 1505 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1506 sizeof(timeoutie), peer->lifetime); 1507 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1508 skip_ies: 1509 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1510 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1511 os_free(rbuf); 1512 1513 return status; 1514 } 1515 1516 1517 static int 1518 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1519 const u8 *buf, size_t len) 1520 { 1521 struct wpa_eapol_ie_parse kde; 1522 const struct wpa_tdls_lnkid *lnkid; 1523 struct wpa_tdls_peer *peer; 1524 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1525 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1526 u8 dialog_token; 1527 1528 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1529 MAC2STR(addr)); 1530 1531 if (len < min_req_len) { 1532 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1533 "%d", (int) len); 1534 return -1; 1535 } 1536 1537 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1538 1539 /* 1540 * Some APs will tack on a weird IE to the end of a TDLS 1541 * discovery request packet. This needn't fail the response, 1542 * since the required IE are verified separately. 1543 */ 1544 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1545 len - (sizeof(struct wpa_tdls_frame) + 1), 1546 &kde) < 0) { 1547 wpa_printf(MSG_DEBUG, 1548 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1549 } 1550 1551 if (!kde.lnkid) { 1552 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1553 "Request"); 1554 return -1; 1555 } 1556 1557 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1558 1559 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1560 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1561 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1562 return -1; 1563 } 1564 1565 peer = wpa_tdls_add_peer(sm, addr, NULL); 1566 if (peer == NULL) 1567 return -1; 1568 1569 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1570 } 1571 1572 1573 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1574 { 1575 if (sm->tdls_disabled || !sm->tdls_supported) 1576 return -1; 1577 1578 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1579 MACSTR, MAC2STR(addr)); 1580 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1581 1, 0, 0, 1, NULL, 0); 1582 } 1583 1584 1585 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1586 struct wpa_tdls_peer *peer) 1587 { 1588 if (!kde->supp_rates) { 1589 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1590 return -1; 1591 } 1592 peer->supp_rates_len = merge_byte_arrays( 1593 peer->supp_rates, sizeof(peer->supp_rates), 1594 kde->supp_rates + 2, kde->supp_rates_len - 2, 1595 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1596 kde->ext_supp_rates_len - 2); 1597 return 0; 1598 } 1599 1600 1601 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1602 struct wpa_tdls_peer *peer) 1603 { 1604 if (!kde->ht_capabilities) { 1605 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1606 "received"); 1607 return 0; 1608 } 1609 1610 if (!peer->ht_capabilities) { 1611 peer->ht_capabilities = 1612 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1613 if (peer->ht_capabilities == NULL) 1614 return -1; 1615 } 1616 1617 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1618 sizeof(struct ieee80211_ht_capabilities)); 1619 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1620 (u8 *) peer->ht_capabilities, 1621 sizeof(struct ieee80211_ht_capabilities)); 1622 1623 return 0; 1624 } 1625 1626 1627 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1628 struct wpa_tdls_peer *peer) 1629 { 1630 if (!kde->vht_capabilities) { 1631 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1632 "received"); 1633 return 0; 1634 } 1635 1636 if (!peer->vht_capabilities) { 1637 peer->vht_capabilities = 1638 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1639 if (peer->vht_capabilities == NULL) 1640 return -1; 1641 } 1642 1643 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1644 sizeof(struct ieee80211_vht_capabilities)); 1645 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1646 (u8 *) peer->vht_capabilities, 1647 sizeof(struct ieee80211_vht_capabilities)); 1648 1649 return 0; 1650 } 1651 1652 1653 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1654 struct wpa_tdls_peer *peer) 1655 { 1656 if (!kde->ext_capab) { 1657 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1658 "received"); 1659 return 0; 1660 } 1661 1662 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1663 /* Need to allocate buffer to fit the new information */ 1664 os_free(peer->ext_capab); 1665 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1666 if (peer->ext_capab == NULL) 1667 return -1; 1668 } 1669 1670 peer->ext_capab_len = kde->ext_capab_len - 2; 1671 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1672 1673 return 0; 1674 } 1675 1676 1677 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1678 struct wpa_tdls_peer *peer) 1679 { 1680 struct wmm_information_element *wmm; 1681 1682 if (!kde->wmm) { 1683 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1684 return 0; 1685 } 1686 1687 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1688 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1689 return -1; 1690 } 1691 1692 wmm = (struct wmm_information_element *) kde->wmm; 1693 peer->qos_info = wmm->qos_info; 1694 1695 peer->wmm_capable = 1; 1696 1697 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1698 return 0; 1699 } 1700 1701 1702 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1703 struct wpa_tdls_peer *peer) 1704 { 1705 if (!kde->supp_channels) { 1706 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1707 return 0; 1708 } 1709 1710 if (!peer->supp_channels || 1711 peer->supp_channels_len < kde->supp_channels_len) { 1712 os_free(peer->supp_channels); 1713 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1714 if (peer->supp_channels == NULL) 1715 return -1; 1716 } 1717 1718 peer->supp_channels_len = kde->supp_channels_len; 1719 1720 os_memcpy(peer->supp_channels, kde->supp_channels, 1721 peer->supp_channels_len); 1722 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1723 (u8 *) peer->supp_channels, peer->supp_channels_len); 1724 return 0; 1725 } 1726 1727 1728 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1729 struct wpa_tdls_peer *peer) 1730 { 1731 if (!kde->supp_oper_classes) { 1732 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1733 return 0; 1734 } 1735 1736 if (!peer->supp_oper_classes || 1737 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1738 os_free(peer->supp_oper_classes); 1739 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1740 if (peer->supp_oper_classes == NULL) 1741 return -1; 1742 } 1743 1744 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1745 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1746 peer->supp_oper_classes_len); 1747 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1748 (u8 *) peer->supp_oper_classes, 1749 peer->supp_oper_classes_len); 1750 return 0; 1751 } 1752 1753 1754 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1755 int add) 1756 { 1757 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1758 peer->capability, 1759 peer->supp_rates, peer->supp_rates_len, 1760 peer->ht_capabilities, 1761 peer->vht_capabilities, 1762 peer->qos_info, peer->wmm_capable, 1763 peer->ext_capab, peer->ext_capab_len, 1764 peer->supp_channels, 1765 peer->supp_channels_len, 1766 peer->supp_oper_classes, 1767 peer->supp_oper_classes_len); 1768 } 1769 1770 1771 static int tdls_nonce_set(const u8 *nonce) 1772 { 1773 int i; 1774 1775 for (i = 0; i < WPA_NONCE_LEN; i++) { 1776 if (nonce[i]) 1777 return 1; 1778 } 1779 1780 return 0; 1781 } 1782 1783 1784 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1785 const u8 *buf, size_t len) 1786 { 1787 struct wpa_tdls_peer *peer; 1788 struct wpa_eapol_ie_parse kde; 1789 struct wpa_ie_data ie; 1790 int cipher; 1791 const u8 *cpos; 1792 struct wpa_tdls_ftie *ftie = NULL; 1793 struct wpa_tdls_timeoutie *timeoutie; 1794 struct wpa_tdls_lnkid *lnkid; 1795 u32 lifetime = 0; 1796 #if 0 1797 struct rsn_ie_hdr *hdr; 1798 u8 *pos; 1799 u16 rsn_capab; 1800 u16 rsn_ver; 1801 #endif 1802 u8 dtoken; 1803 u16 ielen; 1804 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1805 int tdls_prohibited = sm->tdls_prohibited; 1806 int existing_peer = 0; 1807 1808 if (len < 3 + 3) 1809 return -1; 1810 1811 cpos = buf; 1812 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1813 1814 /* driver had already verified the frame format */ 1815 dtoken = *cpos++; /* dialog token */ 1816 1817 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1818 1819 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1820 if (peer == NULL) 1821 goto error; 1822 1823 /* If found, use existing entry instead of adding a new one; 1824 * how to handle the case where both ends initiate at the 1825 * same time? */ 1826 if (existing_peer) { 1827 if (peer->tpk_success) { 1828 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1829 "direct link is enabled - tear down the " 1830 "old link first"); 1831 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1832 wpa_tdls_peer_clear(sm, peer); 1833 } else if (peer->initiator) { 1834 /* 1835 * An entry is already present, so check if we already 1836 * sent a TDLS Setup Request. If so, compare MAC 1837 * addresses and let the STA with the lower MAC address 1838 * continue as the initiator. The other negotiation is 1839 * terminated. 1840 */ 1841 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1842 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1843 "from peer with higher address " 1844 MACSTR, MAC2STR(src_addr)); 1845 return -1; 1846 } else { 1847 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1848 "from peer with lower address " 1849 MACSTR " (terminate previously " 1850 "initiated negotiation", 1851 MAC2STR(src_addr)); 1852 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1853 peer->addr); 1854 wpa_tdls_peer_clear(sm, peer); 1855 } 1856 } 1857 } 1858 1859 /* capability information */ 1860 peer->capability = WPA_GET_LE16(cpos); 1861 cpos += 2; 1862 1863 ielen = len - (cpos - buf); /* start of IE in buf */ 1864 1865 /* 1866 * Don't reject the message if failing to parse IEs. The IEs we need are 1867 * explicitly checked below. Some APs may add arbitrary padding to the 1868 * end of short TDLS frames and that would look like invalid IEs. 1869 */ 1870 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1871 wpa_printf(MSG_DEBUG, 1872 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1873 1874 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1875 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1876 "TPK M1"); 1877 goto error; 1878 } 1879 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1880 kde.lnkid, kde.lnkid_len); 1881 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1882 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1883 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1884 status = WLAN_STATUS_REQUEST_DECLINED; 1885 goto error; 1886 } 1887 1888 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1889 MAC2STR(src_addr)); 1890 1891 if (copy_supp_rates(&kde, peer) < 0) 1892 goto error; 1893 1894 if (copy_peer_ht_capab(&kde, peer) < 0) 1895 goto error; 1896 1897 if (copy_peer_vht_capab(&kde, peer) < 0) 1898 goto error; 1899 1900 if (copy_peer_ext_capab(&kde, peer) < 0) 1901 goto error; 1902 1903 if (copy_peer_supp_channels(&kde, peer) < 0) 1904 goto error; 1905 1906 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1907 goto error; 1908 1909 peer->qos_info = kde.qosinfo; 1910 1911 /* Overwrite with the qos_info obtained in WMM IE */ 1912 if (copy_peer_wmm_capab(&kde, peer) < 0) 1913 goto error; 1914 1915 peer->aid = kde.aid; 1916 1917 #ifdef CONFIG_TDLS_TESTING 1918 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1919 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1920 if (peer == NULL) 1921 goto error; 1922 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1923 "TDLS setup - send own request"); 1924 peer->initiator = 1; 1925 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1926 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1927 wpa_tdls_send_tpk_m1(sm, peer); 1928 } 1929 1930 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1931 tdls_prohibited) { 1932 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1933 "on TDLS"); 1934 tdls_prohibited = 0; 1935 } 1936 #endif /* CONFIG_TDLS_TESTING */ 1937 1938 if (tdls_prohibited) { 1939 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1940 status = WLAN_STATUS_REQUEST_DECLINED; 1941 goto error; 1942 } 1943 1944 if (!wpa_tdls_get_privacy(sm)) { 1945 if (kde.rsn_ie) { 1946 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1947 "security is disabled"); 1948 status = WLAN_STATUS_SECURITY_DISABLED; 1949 goto error; 1950 } 1951 goto skip_rsn; 1952 } 1953 1954 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1955 kde.rsn_ie == NULL) { 1956 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1957 status = WLAN_STATUS_INVALID_PARAMETERS; 1958 goto error; 1959 } 1960 1961 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1962 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1963 "TPK M1"); 1964 status = WLAN_STATUS_INVALID_RSNIE; 1965 goto error; 1966 } 1967 1968 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1969 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1970 status = WLAN_STATUS_INVALID_RSNIE; 1971 goto error; 1972 } 1973 1974 cipher = ie.pairwise_cipher; 1975 if (cipher & WPA_CIPHER_CCMP) { 1976 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1977 cipher = WPA_CIPHER_CCMP; 1978 } else { 1979 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1980 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1981 goto error; 1982 } 1983 1984 if ((ie.capabilities & 1985 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1986 WPA_CAPABILITY_PEERKEY_ENABLED) { 1987 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1988 "TPK M1"); 1989 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1990 goto error; 1991 } 1992 1993 /* Lifetime */ 1994 if (kde.key_lifetime == NULL) { 1995 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1996 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1997 goto error; 1998 } 1999 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2000 lifetime = WPA_GET_LE32(timeoutie->value); 2001 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 2002 if (lifetime < 300) { 2003 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2004 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2005 goto error; 2006 } 2007 2008 skip_rsn: 2009 #ifdef CONFIG_TDLS_TESTING 2010 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2011 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2012 /* 2013 * The request frame from us is going to win, so do not 2014 * replace information based on this request frame from 2015 * the peer. 2016 */ 2017 goto skip_rsn_check; 2018 } 2019 } 2020 #endif /* CONFIG_TDLS_TESTING */ 2021 2022 peer->initiator = 0; /* Need to check */ 2023 peer->dtoken = dtoken; 2024 2025 if (!wpa_tdls_get_privacy(sm)) { 2026 peer->rsnie_i_len = 0; 2027 peer->rsnie_p_len = 0; 2028 peer->cipher = WPA_CIPHER_NONE; 2029 goto skip_rsn_check; 2030 } 2031 2032 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2033 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2034 peer->rsnie_i_len = kde.rsn_ie_len; 2035 peer->cipher = cipher; 2036 2037 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2038 !tdls_nonce_set(peer->inonce)) { 2039 /* 2040 * There is no point in updating the RNonce for every obtained 2041 * TPK M1 frame (e.g., retransmission due to timeout) with the 2042 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2043 * retransmitted with a different INonce, update the RNonce 2044 * since this is for a new TDLS session. 2045 */ 2046 wpa_printf(MSG_DEBUG, 2047 "TDLS: New TPK M1 INonce - generate new RNonce"); 2048 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2049 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2050 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2051 "TDLS: Failed to get random data for responder nonce"); 2052 goto error; 2053 } 2054 peer->tk_set = 0; /* A new nonce results in a new TK */ 2055 } 2056 2057 #if 0 2058 /* get version info from RSNIE received from Peer */ 2059 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2060 rsn_ver = WPA_GET_LE16(hdr->version); 2061 2062 /* use min(peer's version, out version) */ 2063 if (rsn_ver > RSN_VERSION) 2064 rsn_ver = RSN_VERSION; 2065 2066 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2067 2068 hdr->elem_id = WLAN_EID_RSN; 2069 WPA_PUT_LE16(hdr->version, rsn_ver); 2070 pos = (u8 *) (hdr + 1); 2071 2072 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2073 pos += RSN_SELECTOR_LEN; 2074 /* Include only the selected cipher in pairwise cipher suite */ 2075 WPA_PUT_LE16(pos, 1); 2076 pos += 2; 2077 if (cipher == WPA_CIPHER_CCMP) 2078 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2079 pos += RSN_SELECTOR_LEN; 2080 2081 WPA_PUT_LE16(pos, 1); 2082 pos += 2; 2083 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2084 pos += RSN_SELECTOR_LEN; 2085 2086 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2087 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2088 WPA_PUT_LE16(pos, rsn_capab); 2089 pos += 2; 2090 2091 hdr->len = (pos - peer->rsnie_p) - 2; 2092 peer->rsnie_p_len = pos - peer->rsnie_p; 2093 #endif 2094 2095 /* temp fix: validation of RSNIE later */ 2096 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2097 peer->rsnie_p_len = peer->rsnie_i_len; 2098 2099 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2100 peer->rsnie_p, peer->rsnie_p_len); 2101 2102 peer->lifetime = lifetime; 2103 2104 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2105 2106 skip_rsn_check: 2107 #ifdef CONFIG_TDLS_TESTING 2108 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2109 goto skip_add_peer; 2110 #endif /* CONFIG_TDLS_TESTING */ 2111 2112 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2113 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2114 goto error; 2115 2116 #ifdef CONFIG_TDLS_TESTING 2117 skip_add_peer: 2118 #endif /* CONFIG_TDLS_TESTING */ 2119 peer->tpk_in_progress = 1; 2120 2121 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2122 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2123 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2124 goto error; 2125 } 2126 2127 return 0; 2128 2129 error: 2130 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2131 status); 2132 if (peer) 2133 wpa_tdls_peer_free(sm, peer); 2134 return -1; 2135 } 2136 2137 2138 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2139 { 2140 peer->tpk_success = 1; 2141 peer->tpk_in_progress = 0; 2142 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2143 if (wpa_tdls_get_privacy(sm)) { 2144 u32 lifetime = peer->lifetime; 2145 /* 2146 * Start the initiator process a bit earlier to avoid race 2147 * condition with the responder sending teardown request. 2148 */ 2149 if (lifetime > 3 && peer->initiator) 2150 lifetime -= 3; 2151 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2152 sm, peer); 2153 #ifdef CONFIG_TDLS_TESTING 2154 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2155 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2156 "expiration"); 2157 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2158 } 2159 #endif /* CONFIG_TDLS_TESTING */ 2160 } 2161 2162 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2163 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2164 "driver"); 2165 return -1; 2166 } 2167 peer->reconfig_key = 0; 2168 2169 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2170 } 2171 2172 2173 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2174 const u8 *buf, size_t len) 2175 { 2176 struct wpa_tdls_peer *peer; 2177 struct wpa_eapol_ie_parse kde; 2178 struct wpa_ie_data ie; 2179 int cipher; 2180 struct wpa_tdls_ftie *ftie; 2181 struct wpa_tdls_timeoutie *timeoutie; 2182 struct wpa_tdls_lnkid *lnkid; 2183 u32 lifetime; 2184 u8 dtoken; 2185 int ielen; 2186 u16 status; 2187 const u8 *pos; 2188 int ret = 0; 2189 2190 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2191 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2192 for (peer = sm->tdls; peer; peer = peer->next) { 2193 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2194 break; 2195 } 2196 if (peer == NULL) { 2197 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2198 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2199 return -1; 2200 } 2201 if (!peer->initiator) { 2202 /* 2203 * This may happen if both devices try to initiate TDLS at the 2204 * same time and we accept the TPK M1 from the peer in 2205 * wpa_tdls_process_tpk_m1() and clear our previous state. 2206 */ 2207 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2208 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2209 return -1; 2210 } 2211 2212 if (peer->tpk_success) { 2213 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2214 MACSTR " as TPK M3 was already sent", 2215 MAC2STR(src_addr)); 2216 return 0; 2217 } 2218 2219 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2220 2221 if (len < 3 + 2 + 1) { 2222 wpa_tdls_disable_peer_link(sm, peer); 2223 return -1; 2224 } 2225 2226 pos = buf; 2227 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2228 status = WPA_GET_LE16(pos); 2229 pos += 2 /* status code */; 2230 2231 if (status != WLAN_STATUS_SUCCESS) { 2232 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2233 status); 2234 wpa_tdls_disable_peer_link(sm, peer); 2235 return -1; 2236 } 2237 2238 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2239 2240 /* TODO: need to verify dialog token matches here or in kernel */ 2241 dtoken = *pos++; /* dialog token */ 2242 2243 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2244 2245 if (len < 3 + 2 + 1 + 2) { 2246 wpa_tdls_disable_peer_link(sm, peer); 2247 return -1; 2248 } 2249 2250 /* capability information */ 2251 peer->capability = WPA_GET_LE16(pos); 2252 pos += 2; 2253 2254 ielen = len - (pos - buf); /* start of IE in buf */ 2255 2256 /* 2257 * Don't reject the message if failing to parse IEs. The IEs we need are 2258 * explicitly checked below. Some APs may add arbitrary padding to the 2259 * end of short TDLS frames and that would look like invalid IEs. 2260 */ 2261 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2262 wpa_printf(MSG_DEBUG, 2263 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2264 2265 #ifdef CONFIG_TDLS_TESTING 2266 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2267 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2268 status = WLAN_STATUS_REQUEST_DECLINED; 2269 goto error; 2270 } 2271 #endif /* CONFIG_TDLS_TESTING */ 2272 2273 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2274 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2275 "TPK M2"); 2276 goto error; 2277 } 2278 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2279 kde.lnkid, kde.lnkid_len); 2280 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2281 2282 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2283 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2284 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2285 goto error; 2286 } 2287 2288 if (copy_supp_rates(&kde, peer) < 0) 2289 goto error; 2290 2291 if (copy_peer_ht_capab(&kde, peer) < 0) 2292 goto error; 2293 2294 if (copy_peer_vht_capab(&kde, peer) < 0) 2295 goto error; 2296 2297 if (copy_peer_ext_capab(&kde, peer) < 0) 2298 goto error; 2299 2300 if (copy_peer_supp_channels(&kde, peer) < 0) 2301 goto error; 2302 2303 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2304 goto error; 2305 2306 peer->qos_info = kde.qosinfo; 2307 2308 /* Overwrite with the qos_info obtained in WMM IE */ 2309 if (copy_peer_wmm_capab(&kde, peer) < 0) 2310 goto error; 2311 2312 peer->aid = kde.aid; 2313 2314 if (!wpa_tdls_get_privacy(sm)) { 2315 peer->rsnie_p_len = 0; 2316 peer->cipher = WPA_CIPHER_NONE; 2317 goto skip_rsn; 2318 } 2319 2320 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2321 kde.rsn_ie == NULL) { 2322 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2323 status = WLAN_STATUS_INVALID_PARAMETERS; 2324 goto error; 2325 } 2326 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2327 kde.rsn_ie, kde.rsn_ie_len); 2328 2329 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2330 wpa_printf(MSG_INFO, 2331 "TDLS: Too long Responder RSN IE in TPK M2"); 2332 status = WLAN_STATUS_INVALID_RSNIE; 2333 goto error; 2334 } 2335 2336 /* 2337 * FIX: bitwise comparison of RSN IE is not the correct way of 2338 * validation this. It can be different, but certain fields must 2339 * match. Since we list only a single pairwise cipher in TPK M1, the 2340 * memcmp is likely to work in most cases, though. 2341 */ 2342 if (kde.rsn_ie_len != peer->rsnie_i_len || 2343 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2344 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2345 "not match with RSN IE used in TPK M1"); 2346 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2347 peer->rsnie_i, peer->rsnie_i_len); 2348 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2349 kde.rsn_ie, kde.rsn_ie_len); 2350 status = WLAN_STATUS_INVALID_RSNIE; 2351 goto error; 2352 } 2353 2354 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2355 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2356 status = WLAN_STATUS_INVALID_RSNIE; 2357 goto error; 2358 } 2359 2360 cipher = ie.pairwise_cipher; 2361 if (cipher == WPA_CIPHER_CCMP) { 2362 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2363 cipher = WPA_CIPHER_CCMP; 2364 } else { 2365 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2366 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2367 goto error; 2368 } 2369 2370 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2371 kde.ftie, sizeof(*ftie)); 2372 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2373 2374 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2375 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2376 "not match with FTIE SNonce used in TPK M1"); 2377 /* Silently discard the frame */ 2378 return -1; 2379 } 2380 2381 /* Responder Nonce and RSN IE */ 2382 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2383 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2384 peer->rsnie_p_len = kde.rsn_ie_len; 2385 peer->cipher = cipher; 2386 2387 /* Lifetime */ 2388 if (kde.key_lifetime == NULL) { 2389 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2390 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2391 goto error; 2392 } 2393 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2394 lifetime = WPA_GET_LE32(timeoutie->value); 2395 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2396 lifetime); 2397 if (lifetime != peer->lifetime) { 2398 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2399 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2400 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2401 goto error; 2402 } 2403 2404 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2405 2406 /* Process MIC check to see if TPK M2 is right */ 2407 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2408 (u8 *) timeoutie, ftie) < 0) { 2409 /* Discard the frame */ 2410 wpa_tdls_del_key(sm, peer); 2411 wpa_tdls_disable_peer_link(sm, peer); 2412 return -1; 2413 } 2414 2415 if (wpa_tdls_set_key(sm, peer) < 0) { 2416 /* 2417 * Some drivers may not be able to config the key prior to full 2418 * STA entry having been configured. 2419 */ 2420 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2421 "STA entry is complete"); 2422 peer->reconfig_key = 1; 2423 } 2424 2425 skip_rsn: 2426 peer->dtoken = dtoken; 2427 2428 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2429 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2430 goto error; 2431 2432 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2433 "TPK Handshake Message 3"); 2434 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2435 goto error_no_msg; 2436 2437 if (!peer->tpk_success) { 2438 /* 2439 * Enable Link only when tpk_success is 0, signifying that this 2440 * processing of TPK M2 frame is not because of a retransmission 2441 * during TDLS setup handshake. 2442 */ 2443 ret = wpa_tdls_enable_link(sm, peer); 2444 if (ret < 0) { 2445 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2446 wpa_tdls_do_teardown( 2447 sm, peer, 2448 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2449 } 2450 } 2451 return ret; 2452 2453 error: 2454 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2455 status); 2456 error_no_msg: 2457 wpa_tdls_disable_peer_link(sm, peer); 2458 return -1; 2459 } 2460 2461 2462 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2463 const u8 *buf, size_t len) 2464 { 2465 struct wpa_tdls_peer *peer; 2466 struct wpa_eapol_ie_parse kde; 2467 struct wpa_tdls_ftie *ftie; 2468 struct wpa_tdls_timeoutie *timeoutie; 2469 struct wpa_tdls_lnkid *lnkid; 2470 int ielen; 2471 u16 status; 2472 const u8 *pos; 2473 u32 lifetime; 2474 int ret = 0; 2475 2476 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2477 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2478 for (peer = sm->tdls; peer; peer = peer->next) { 2479 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2480 break; 2481 } 2482 if (peer == NULL) { 2483 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2484 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2485 return -1; 2486 } 2487 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2488 2489 if (len < 3 + 3) 2490 goto error; 2491 pos = buf; 2492 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2493 2494 status = WPA_GET_LE16(pos); 2495 2496 if (status != 0) { 2497 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2498 status); 2499 goto error; 2500 } 2501 pos += 2 /* status code */ + 1 /* dialog token */; 2502 2503 ielen = len - (pos - buf); /* start of IE in buf */ 2504 2505 /* 2506 * Don't reject the message if failing to parse IEs. The IEs we need are 2507 * explicitly checked below. Some APs piggy-back broken IEs to the end 2508 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2509 * this error. 2510 */ 2511 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2512 wpa_printf(MSG_DEBUG, 2513 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2514 } 2515 2516 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2517 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2518 goto error; 2519 } 2520 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2521 (u8 *) kde.lnkid, kde.lnkid_len); 2522 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2523 2524 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2525 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2526 goto error; 2527 } 2528 2529 if (!wpa_tdls_get_privacy(sm)) 2530 goto skip_rsn; 2531 2532 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2533 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2534 goto error; 2535 } 2536 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2537 kde.ftie, sizeof(*ftie)); 2538 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2539 2540 if (kde.rsn_ie == NULL) { 2541 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2542 goto error; 2543 } 2544 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2545 kde.rsn_ie, kde.rsn_ie_len); 2546 if (kde.rsn_ie_len != peer->rsnie_p_len || 2547 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2548 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2549 "with the one sent in TPK M2"); 2550 goto error; 2551 } 2552 2553 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2554 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2555 "not match with FTIE ANonce used in TPK M2"); 2556 goto error; 2557 } 2558 2559 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2560 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2561 "match with FTIE SNonce used in TPK M1"); 2562 goto error; 2563 } 2564 2565 if (kde.key_lifetime == NULL) { 2566 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2567 goto error; 2568 } 2569 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2570 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2571 (u8 *) timeoutie, sizeof(*timeoutie)); 2572 lifetime = WPA_GET_LE32(timeoutie->value); 2573 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2574 lifetime); 2575 if (lifetime != peer->lifetime) { 2576 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2577 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2578 goto error; 2579 } 2580 2581 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2582 (u8 *) timeoutie, ftie) < 0) { 2583 wpa_tdls_del_key(sm, peer); 2584 goto error; 2585 } 2586 2587 if (wpa_tdls_set_key(sm, peer) < 0) { 2588 /* 2589 * Some drivers may not be able to config the key prior to full 2590 * STA entry having been configured. 2591 */ 2592 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2593 "STA entry is complete"); 2594 peer->reconfig_key = 1; 2595 } 2596 2597 skip_rsn: 2598 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2599 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2600 goto error; 2601 2602 if (!peer->tpk_success) { 2603 /* 2604 * Enable Link only when tpk_success is 0, signifying that this 2605 * processing of TPK M3 frame is not because of a retransmission 2606 * during TDLS setup handshake. 2607 */ 2608 ret = wpa_tdls_enable_link(sm, peer); 2609 if (ret < 0) { 2610 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2611 goto error; 2612 } 2613 } 2614 return ret; 2615 error: 2616 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2617 return -1; 2618 } 2619 2620 2621 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2622 { 2623 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2624 2625 os_memset(lifetime, 0, ie_len); 2626 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2627 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2628 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2629 WPA_PUT_LE32(lifetime->value, tsecs); 2630 os_memcpy(pos, ie, ie_len); 2631 return pos + ie_len; 2632 } 2633 2634 2635 /** 2636 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2637 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2638 * @peer: MAC address of the peer STA 2639 * Returns: 0 on success, or -1 on failure 2640 * 2641 * Send TPK Handshake Message 1 info to driver to start TDLS 2642 * handshake with the peer. 2643 */ 2644 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2645 { 2646 struct wpa_tdls_peer *peer; 2647 int tdls_prohibited = sm->tdls_prohibited; 2648 2649 if (sm->tdls_disabled || !sm->tdls_supported) 2650 return -1; 2651 2652 #ifdef CONFIG_TDLS_TESTING 2653 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2654 tdls_prohibited) { 2655 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2656 "on TDLS"); 2657 tdls_prohibited = 0; 2658 } 2659 #endif /* CONFIG_TDLS_TESTING */ 2660 2661 if (tdls_prohibited) { 2662 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2663 "reject request to start setup"); 2664 return -1; 2665 } 2666 2667 peer = wpa_tdls_add_peer(sm, addr, NULL); 2668 if (peer == NULL) 2669 return -1; 2670 2671 if (peer->tpk_in_progress) { 2672 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2673 return 0; 2674 } 2675 2676 peer->initiator = 1; 2677 2678 /* add the peer to the driver as a "setup in progress" peer */ 2679 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2680 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2681 wpa_tdls_disable_peer_link(sm, peer); 2682 return -1; 2683 } 2684 2685 peer->tpk_in_progress = 1; 2686 2687 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2688 wpa_tdls_disable_peer_link(sm, peer); 2689 return -1; 2690 } 2691 2692 return 0; 2693 } 2694 2695 2696 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2697 { 2698 struct wpa_tdls_peer *peer; 2699 2700 if (sm->tdls_disabled || !sm->tdls_supported) 2701 return; 2702 2703 for (peer = sm->tdls; peer; peer = peer->next) { 2704 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2705 break; 2706 } 2707 2708 if (peer == NULL || !peer->tpk_success) 2709 return; 2710 2711 if (sm->tdls_external_setup) { 2712 /* 2713 * Disable previous link to allow renegotiation to be completed 2714 * on AP path. 2715 */ 2716 wpa_tdls_do_teardown(sm, peer, 2717 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2718 } 2719 } 2720 2721 2722 /** 2723 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2724 * 2725 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2726 */ 2727 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2728 const u8 *buf, size_t len) 2729 { 2730 struct wpa_sm *sm = ctx; 2731 struct wpa_tdls_frame *tf; 2732 2733 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2734 buf, len); 2735 2736 if (sm->tdls_disabled || !sm->tdls_supported) { 2737 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2738 "or unsupported by driver"); 2739 return; 2740 } 2741 2742 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2743 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2744 return; 2745 } 2746 2747 if (len < sizeof(*tf)) { 2748 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2749 return; 2750 } 2751 2752 /* Check to make sure its a valid encapsulated TDLS frame */ 2753 tf = (struct wpa_tdls_frame *) buf; 2754 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2755 tf->category != WLAN_ACTION_TDLS) { 2756 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2757 "category=%u action=%u", 2758 tf->payloadtype, tf->category, tf->action); 2759 return; 2760 } 2761 2762 switch (tf->action) { 2763 case WLAN_TDLS_SETUP_REQUEST: 2764 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2765 break; 2766 case WLAN_TDLS_SETUP_RESPONSE: 2767 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2768 break; 2769 case WLAN_TDLS_SETUP_CONFIRM: 2770 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2771 break; 2772 case WLAN_TDLS_TEARDOWN: 2773 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2774 break; 2775 case WLAN_TDLS_DISCOVERY_REQUEST: 2776 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2777 break; 2778 default: 2779 /* Kernel code will process remaining frames */ 2780 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2781 tf->action); 2782 break; 2783 } 2784 } 2785 2786 2787 /** 2788 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2789 * @wpa_s: Pointer to wpa_supplicant data 2790 * Returns: 0 on success, -1 on failure 2791 * 2792 * This function is called to initialize driver interface parameters for TDLS. 2793 * wpa_drv_init() must have been called before this function to initialize the 2794 * driver interface. 2795 */ 2796 int wpa_tdls_init(struct wpa_sm *sm) 2797 { 2798 if (sm == NULL) 2799 return -1; 2800 2801 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2802 sm->ifname, 2803 sm->own_addr, 2804 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2805 sm, 0); 2806 if (sm->l2_tdls == NULL) { 2807 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2808 "connection"); 2809 return -1; 2810 } 2811 2812 /* 2813 * Drivers that support TDLS but don't implement the get_capa callback 2814 * are assumed to perform everything internally 2815 */ 2816 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2817 &sm->tdls_external_setup, 2818 &sm->tdls_chan_switch) < 0) { 2819 sm->tdls_supported = 1; 2820 sm->tdls_external_setup = 0; 2821 } 2822 2823 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2824 "driver", sm->tdls_supported ? "" : " not"); 2825 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2826 sm->tdls_external_setup ? "external" : "internal"); 2827 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2828 sm->tdls_chan_switch ? "supports" : "does not support"); 2829 2830 return 0; 2831 } 2832 2833 2834 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2835 { 2836 struct wpa_tdls_peer *peer, *tmp; 2837 2838 if (!sm) 2839 return; 2840 peer = sm->tdls; 2841 2842 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2843 2844 while (peer) { 2845 tmp = peer->next; 2846 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2847 MAC2STR(peer->addr)); 2848 if (sm->tdls_external_setup) 2849 wpa_tdls_do_teardown(sm, peer, 2850 WLAN_REASON_DEAUTH_LEAVING); 2851 else 2852 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2853 2854 peer = tmp; 2855 } 2856 } 2857 2858 2859 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2860 { 2861 struct wpa_tdls_peer *peer, *tmp; 2862 2863 peer = sm->tdls; 2864 2865 while (peer) { 2866 int res; 2867 tmp = peer->next; 2868 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2869 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2870 MAC2STR(peer->addr), res); 2871 wpa_tdls_peer_free(sm, peer); 2872 peer = tmp; 2873 } 2874 } 2875 2876 2877 /** 2878 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2879 * 2880 * This function is called to recover driver interface parameters for TDLS 2881 * and frees resources allocated for it. 2882 */ 2883 void wpa_tdls_deinit(struct wpa_sm *sm) 2884 { 2885 if (sm == NULL) 2886 return; 2887 2888 if (sm->l2_tdls) 2889 l2_packet_deinit(sm->l2_tdls); 2890 sm->l2_tdls = NULL; 2891 2892 wpa_tdls_remove_peers(sm); 2893 } 2894 2895 2896 void wpa_tdls_assoc(struct wpa_sm *sm) 2897 { 2898 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2899 wpa_tdls_remove_peers(sm); 2900 } 2901 2902 2903 void wpa_tdls_disassoc(struct wpa_sm *sm) 2904 { 2905 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2906 wpa_tdls_remove_peers(sm); 2907 } 2908 2909 2910 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2911 { 2912 /* bit 38 - TDLS Prohibited */ 2913 return !!(elems->ext_capab[4] & 0x40); 2914 } 2915 2916 2917 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2918 { 2919 /* bit 39 - TDLS Channel Switch Prohibited */ 2920 return !!(elems->ext_capab[4] & 0x80); 2921 } 2922 2923 2924 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2925 { 2926 struct ieee802_11_elems elems; 2927 2928 sm->tdls_prohibited = 0; 2929 sm->tdls_chan_switch_prohibited = 0; 2930 2931 if (ies == NULL || 2932 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2933 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2934 return; 2935 2936 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2937 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2938 sm->tdls_prohibited ? "prohibited" : "allowed"); 2939 sm->tdls_chan_switch_prohibited = 2940 wpa_tdls_chan_switch_prohibited(&elems); 2941 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2942 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2943 } 2944 2945 2946 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2947 { 2948 struct ieee802_11_elems elems; 2949 2950 if (ies == NULL || 2951 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2952 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2953 return; 2954 2955 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2956 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2957 "(Re)Association Response IEs"); 2958 sm->tdls_prohibited = 1; 2959 } 2960 2961 if (!sm->tdls_chan_switch_prohibited && 2962 wpa_tdls_chan_switch_prohibited(&elems)) { 2963 wpa_printf(MSG_DEBUG, 2964 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2965 sm->tdls_chan_switch_prohibited = 1; 2966 } 2967 } 2968 2969 2970 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2971 { 2972 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2973 sm->tdls_disabled = !enabled; 2974 } 2975 2976 2977 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2978 { 2979 return sm->tdls_external_setup; 2980 } 2981 2982 2983 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2984 u8 oper_class, 2985 struct hostapd_freq_params *freq_params) 2986 { 2987 struct wpa_tdls_peer *peer; 2988 int ret; 2989 2990 if (sm->tdls_disabled || !sm->tdls_supported) 2991 return -1; 2992 2993 if (!sm->tdls_chan_switch) { 2994 wpa_printf(MSG_DEBUG, 2995 "TDLS: Channel switching not supported by the driver"); 2996 return -1; 2997 } 2998 2999 if (sm->tdls_chan_switch_prohibited) { 3000 wpa_printf(MSG_DEBUG, 3001 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 3002 return -1; 3003 } 3004 3005 for (peer = sm->tdls; peer; peer = peer->next) { 3006 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3007 break; 3008 } 3009 3010 if (peer == NULL || !peer->tpk_success) { 3011 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3012 " not found for channel switching", MAC2STR(addr)); 3013 return -1; 3014 } 3015 3016 if (peer->chan_switch_enabled) { 3017 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3018 " already has channel switching enabled", 3019 MAC2STR(addr)); 3020 return 0; 3021 } 3022 3023 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3024 oper_class, freq_params); 3025 if (!ret) 3026 peer->chan_switch_enabled = 1; 3027 3028 return ret; 3029 } 3030 3031 3032 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3033 { 3034 struct wpa_tdls_peer *peer; 3035 3036 if (sm->tdls_disabled || !sm->tdls_supported) 3037 return -1; 3038 3039 for (peer = sm->tdls; peer; peer = peer->next) { 3040 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3041 break; 3042 } 3043 3044 if (!peer || !peer->chan_switch_enabled) { 3045 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3046 MACSTR, MAC2STR(addr)); 3047 return -1; 3048 } 3049 3050 /* ignore the return value */ 3051 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3052 3053 peer->chan_switch_enabled = 0; 3054 return 0; 3055 } 3056
