1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tpk_success; 116 int tpk_in_progress; 117 118 struct tpk_timer { 119 u8 dest[ETH_ALEN]; 120 int count; /* Retry Count */ 121 int timer; /* Timeout in milliseconds */ 122 u8 action_code; /* TDLS frame type */ 123 u8 dialog_token; 124 u16 status_code; 125 u32 peer_capab; 126 int buf_len; /* length of TPK message for retransmission */ 127 u8 *buf; /* buffer for TPK message */ 128 } sm_tmr; 129 130 u16 capability; 131 132 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 133 size_t supp_rates_len; 134 135 struct ieee80211_ht_capabilities *ht_capabilities; 136 struct ieee80211_vht_capabilities *vht_capabilities; 137 138 u8 qos_info; 139 140 u16 aid; 141 142 u8 *ext_capab; 143 size_t ext_capab_len; 144 145 u8 *supp_channels; 146 size_t supp_channels_len; 147 148 u8 *supp_oper_classes; 149 size_t supp_oper_classes_len; 150 151 u8 wmm_capable; 152 153 /* channel switch currently enabled */ 154 int chan_switch_enabled; 155 }; 156 157 158 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 159 { 160 /* 161 * Get info needed from supplicant to check if the current BSS supports 162 * security. Other than OPEN mode, rest are considered secured 163 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 164 */ 165 return sm->pairwise_cipher != WPA_CIPHER_NONE; 166 } 167 168 169 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 170 { 171 os_memcpy(pos, ie, ie_len); 172 return pos + ie_len; 173 } 174 175 176 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 177 { 178 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 179 0, 0, NULL, 0, NULL, 0) < 0) { 180 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 181 "the driver"); 182 return -1; 183 } 184 185 return 0; 186 } 187 188 189 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 190 { 191 u8 key_len; 192 u8 rsc[6]; 193 enum wpa_alg alg; 194 195 os_memset(rsc, 0, 6); 196 197 switch (peer->cipher) { 198 case WPA_CIPHER_CCMP: 199 alg = WPA_ALG_CCMP; 200 key_len = 16; 201 break; 202 case WPA_CIPHER_NONE: 203 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 204 "NONE - do not use pairwise keys"); 205 return -1; 206 default: 207 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 208 sm->pairwise_cipher); 209 return -1; 210 } 211 212 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 213 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 214 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 215 "driver"); 216 return -1; 217 } 218 return 0; 219 } 220 221 222 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 223 u8 action_code, u8 dialog_token, 224 u16 status_code, u32 peer_capab, 225 int initiator, const u8 *buf, size_t len) 226 { 227 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 228 status_code, peer_capab, initiator, buf, 229 len); 230 } 231 232 233 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 234 u8 dialog_token, u16 status_code, u32 peer_capab, 235 int initiator, const u8 *msg, size_t msg_len) 236 { 237 struct wpa_tdls_peer *peer; 238 239 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 240 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 241 "msg_len=%u", 242 MAC2STR(dest), action_code, dialog_token, status_code, 243 peer_capab, initiator, (unsigned int) msg_len); 244 245 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 246 status_code, peer_capab, initiator, msg, 247 msg_len)) { 248 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 249 "(action_code=%u)", action_code); 250 return -1; 251 } 252 253 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 254 action_code == WLAN_TDLS_TEARDOWN || 255 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 256 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 257 return 0; /* No retries */ 258 259 for (peer = sm->tdls; peer; peer = peer->next) { 260 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 261 break; 262 } 263 264 if (peer == NULL) { 265 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 266 "retry " MACSTR, MAC2STR(dest)); 267 return 0; 268 } 269 270 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 271 272 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 273 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 274 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 275 } else { 276 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 277 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 278 } 279 280 /* Copy message to resend on timeout */ 281 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 282 peer->sm_tmr.action_code = action_code; 283 peer->sm_tmr.dialog_token = dialog_token; 284 peer->sm_tmr.status_code = status_code; 285 peer->sm_tmr.peer_capab = peer_capab; 286 peer->sm_tmr.buf_len = msg_len; 287 os_free(peer->sm_tmr.buf); 288 peer->sm_tmr.buf = os_malloc(msg_len); 289 if (peer->sm_tmr.buf == NULL) 290 return -1; 291 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 292 293 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 294 "(action_code=%u)", action_code); 295 eloop_register_timeout(peer->sm_tmr.timer / 1000, 296 (peer->sm_tmr.timer % 1000) * 1000, 297 wpa_tdls_tpk_retry_timeout, sm, peer); 298 return 0; 299 } 300 301 302 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 303 u16 reason_code) 304 { 305 int ret; 306 307 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 308 /* disable the link after teardown was sent */ 309 wpa_tdls_disable_peer_link(sm, peer); 310 311 return ret; 312 } 313 314 315 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 316 { 317 318 struct wpa_sm *sm = eloop_ctx; 319 struct wpa_tdls_peer *peer = timeout_ctx; 320 321 if (peer->sm_tmr.count) { 322 peer->sm_tmr.count--; 323 324 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 325 "(action_code=%u)", 326 peer->sm_tmr.action_code); 327 328 if (peer->sm_tmr.buf == NULL) { 329 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 330 "for action_code=%u", 331 peer->sm_tmr.action_code); 332 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 333 peer); 334 return; 335 } 336 337 /* resend TPK Handshake Message to Peer */ 338 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 339 peer->sm_tmr.action_code, 340 peer->sm_tmr.dialog_token, 341 peer->sm_tmr.status_code, 342 peer->sm_tmr.peer_capab, 343 peer->initiator, 344 peer->sm_tmr.buf, 345 peer->sm_tmr.buf_len)) { 346 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 347 "transmission"); 348 } 349 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 351 eloop_register_timeout(peer->sm_tmr.timer / 1000, 352 (peer->sm_tmr.timer % 1000) * 1000, 353 wpa_tdls_tpk_retry_timeout, sm, peer); 354 } else { 355 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 356 357 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 358 wpa_tdls_do_teardown(sm, peer, 359 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 360 } 361 } 362 363 364 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 365 struct wpa_tdls_peer *peer, 366 u8 action_code) 367 { 368 if (action_code == peer->sm_tmr.action_code) { 369 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 370 "action_code=%u", action_code); 371 372 /* Cancel Timeout registered */ 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 /* free all resources meant for retry */ 376 os_free(peer->sm_tmr.buf); 377 peer->sm_tmr.buf = NULL; 378 379 peer->sm_tmr.count = 0; 380 peer->sm_tmr.timer = 0; 381 peer->sm_tmr.buf_len = 0; 382 peer->sm_tmr.action_code = 0xff; 383 } else { 384 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 385 "(Unknown action_code=%u)", action_code); 386 } 387 } 388 389 390 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 391 const u8 *own_addr, const u8 *bssid) 392 { 393 u8 key_input[SHA256_MAC_LEN]; 394 const u8 *nonce[2]; 395 size_t len[2]; 396 u8 data[3 * ETH_ALEN]; 397 398 /* IEEE Std 802.11z-2010 8.5.9.1: 399 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 400 */ 401 len[0] = WPA_NONCE_LEN; 402 len[1] = WPA_NONCE_LEN; 403 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 404 nonce[0] = peer->inonce; 405 nonce[1] = peer->rnonce; 406 } else { 407 nonce[0] = peer->rnonce; 408 nonce[1] = peer->inonce; 409 } 410 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 411 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 412 sha256_vector(2, nonce, len, key_input); 413 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 414 key_input, SHA256_MAC_LEN); 415 416 /* 417 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 418 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 419 * TODO: is N_KEY really included in KDF Context and if so, in which 420 * presentation format (little endian 16-bit?) is it used? It gets 421 * added by the KDF anyway.. 422 */ 423 424 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 425 os_memcpy(data, own_addr, ETH_ALEN); 426 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 427 } else { 428 os_memcpy(data, peer->addr, ETH_ALEN); 429 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 430 } 431 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 432 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 433 434 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 435 (u8 *) &peer->tpk, sizeof(peer->tpk)); 436 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 437 peer->tpk.kck, sizeof(peer->tpk.kck)); 438 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 439 peer->tpk.tk, sizeof(peer->tpk.tk)); 440 peer->tpk_set = 1; 441 } 442 443 444 /** 445 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 446 * @kck: TPK-KCK 447 * @lnkid: Pointer to the beginning of Link Identifier IE 448 * @rsnie: Pointer to the beginning of RSN IE used for handshake 449 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 450 * @ftie: Pointer to the beginning of FT IE 451 * @mic: Pointer for writing MIC 452 * 453 * Calculate MIC for TDLS frame. 454 */ 455 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 456 const u8 *rsnie, const u8 *timeoutie, 457 const u8 *ftie, u8 *mic) 458 { 459 u8 *buf, *pos; 460 struct wpa_tdls_ftie *_ftie; 461 const struct wpa_tdls_lnkid *_lnkid; 462 int ret; 463 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 464 2 + timeoutie[1] + 2 + ftie[1]; 465 buf = os_zalloc(len); 466 if (!buf) { 467 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 468 return -1; 469 } 470 471 pos = buf; 472 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 473 /* 1) TDLS initiator STA MAC address */ 474 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 475 pos += ETH_ALEN; 476 /* 2) TDLS responder STA MAC address */ 477 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 478 pos += ETH_ALEN; 479 /* 3) Transaction Sequence number */ 480 *pos++ = trans_seq; 481 /* 4) Link Identifier IE */ 482 os_memcpy(pos, lnkid, 2 + lnkid[1]); 483 pos += 2 + lnkid[1]; 484 /* 5) RSN IE */ 485 os_memcpy(pos, rsnie, 2 + rsnie[1]); 486 pos += 2 + rsnie[1]; 487 /* 6) Timeout Interval IE */ 488 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 489 pos += 2 + timeoutie[1]; 490 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 491 os_memcpy(pos, ftie, 2 + ftie[1]); 492 _ftie = (struct wpa_tdls_ftie *) pos; 493 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 494 pos += 2 + ftie[1]; 495 496 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 497 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 498 ret = omac1_aes_128(kck, buf, pos - buf, mic); 499 os_free(buf); 500 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 501 return ret; 502 } 503 504 505 /** 506 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 507 * @kck: TPK-KCK 508 * @trans_seq: Transaction Sequence Number (4 - Teardown) 509 * @rcode: Reason code for Teardown 510 * @dtoken: Dialog Token used for that particular link 511 * @lnkid: Pointer to the beginning of Link Identifier IE 512 * @ftie: Pointer to the beginning of FT IE 513 * @mic: Pointer for writing MIC 514 * 515 * Calculate MIC for TDLS frame. 516 */ 517 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 518 u8 dtoken, const u8 *lnkid, 519 const u8 *ftie, u8 *mic) 520 { 521 u8 *buf, *pos; 522 struct wpa_tdls_ftie *_ftie; 523 int ret; 524 int len; 525 526 if (lnkid == NULL) 527 return -1; 528 529 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 530 sizeof(trans_seq) + 2 + ftie[1]; 531 532 buf = os_zalloc(len); 533 if (!buf) { 534 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 535 return -1; 536 } 537 538 pos = buf; 539 /* 1) Link Identifier IE */ 540 os_memcpy(pos, lnkid, 2 + lnkid[1]); 541 pos += 2 + lnkid[1]; 542 /* 2) Reason Code */ 543 WPA_PUT_LE16(pos, rcode); 544 pos += sizeof(rcode); 545 /* 3) Dialog token */ 546 *pos++ = dtoken; 547 /* 4) Transaction Sequence number */ 548 *pos++ = trans_seq; 549 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 550 os_memcpy(pos, ftie, 2 + ftie[1]); 551 _ftie = (struct wpa_tdls_ftie *) pos; 552 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 553 pos += 2 + ftie[1]; 554 555 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 556 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 557 ret = omac1_aes_128(kck, buf, pos - buf, mic); 558 os_free(buf); 559 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 560 return ret; 561 } 562 563 564 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 565 struct wpa_tdls_peer *peer, 566 const u8 *lnkid, const u8 *timeoutie, 567 const struct wpa_tdls_ftie *ftie) 568 { 569 u8 mic[16]; 570 571 if (peer->tpk_set) { 572 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 573 peer->rsnie_p, timeoutie, (u8 *) ftie, 574 mic); 575 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 576 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 577 "dropping packet"); 578 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 579 ftie->mic, 16); 580 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 581 mic, 16); 582 return -1; 583 } 584 } else { 585 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 586 "TPK not set - dropping packet"); 587 return -1; 588 } 589 return 0; 590 } 591 592 593 static int wpa_supplicant_verify_tdls_mic_teardown( 594 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 595 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 596 { 597 u8 mic[16]; 598 599 if (peer->tpk_set) { 600 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 601 dtoken, lnkid, (u8 *) ftie, mic); 602 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 603 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 604 "dropping packet"); 605 return -1; 606 } 607 } else { 608 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 609 "MIC, TPK not set - dropping packet"); 610 return -1; 611 } 612 return 0; 613 } 614 615 616 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 617 { 618 struct wpa_sm *sm = eloop_ctx; 619 struct wpa_tdls_peer *peer = timeout_ctx; 620 621 /* 622 * On TPK lifetime expiration, we have an option of either tearing down 623 * the direct link or trying to re-initiate it. The selection of what 624 * to do is not strictly speaking controlled by our role in the expired 625 * link, but for now, use that to select whether to renew or tear down 626 * the link. 627 */ 628 629 if (peer->initiator) { 630 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 631 " - try to renew", MAC2STR(peer->addr)); 632 wpa_tdls_start(sm, peer->addr); 633 } else { 634 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 635 " - tear down", MAC2STR(peer->addr)); 636 wpa_tdls_do_teardown(sm, peer, 637 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 638 } 639 } 640 641 642 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 643 struct wpa_tdls_peer *peer) 644 { 645 struct wpa_tdls_peer *cur, *prev; 646 647 cur = sm->tdls; 648 prev = NULL; 649 while (cur && cur != peer) { 650 prev = cur; 651 cur = cur->next; 652 } 653 654 if (cur != peer) { 655 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 656 " to remove it from the list", 657 MAC2STR(peer->addr)); 658 return; 659 } 660 661 if (prev) 662 prev->next = peer->next; 663 else 664 sm->tdls = peer->next; 665 } 666 667 668 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 669 { 670 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 671 MAC2STR(peer->addr)); 672 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 673 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 674 peer->reconfig_key = 0; 675 peer->initiator = 0; 676 peer->tpk_in_progress = 0; 677 os_free(peer->sm_tmr.buf); 678 peer->sm_tmr.buf = NULL; 679 os_free(peer->ht_capabilities); 680 peer->ht_capabilities = NULL; 681 os_free(peer->vht_capabilities); 682 peer->vht_capabilities = NULL; 683 os_free(peer->ext_capab); 684 peer->ext_capab = NULL; 685 os_free(peer->supp_channels); 686 peer->supp_channels = NULL; 687 os_free(peer->supp_oper_classes); 688 peer->supp_oper_classes = NULL; 689 peer->rsnie_i_len = peer->rsnie_p_len = 0; 690 peer->cipher = 0; 691 peer->qos_info = 0; 692 peer->wmm_capable = 0; 693 peer->tpk_set = peer->tpk_success = 0; 694 peer->chan_switch_enabled = 0; 695 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 696 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 697 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 698 } 699 700 701 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 702 { 703 wpa_tdls_peer_clear(sm, peer); 704 wpa_tdls_peer_remove_from_list(sm, peer); 705 os_free(peer); 706 } 707 708 709 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 710 struct wpa_tdls_lnkid *lnkid) 711 { 712 lnkid->ie_type = WLAN_EID_LINK_ID; 713 lnkid->ie_len = 3 * ETH_ALEN; 714 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 715 if (peer->initiator) { 716 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 717 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 718 } else { 719 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 720 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 721 } 722 } 723 724 725 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 726 u16 reason_code) 727 { 728 struct wpa_tdls_peer *peer; 729 struct wpa_tdls_ftie *ftie; 730 struct wpa_tdls_lnkid lnkid; 731 u8 dialog_token; 732 u8 *rbuf, *pos; 733 int ielen; 734 735 if (sm->tdls_disabled || !sm->tdls_supported) 736 return -1; 737 738 /* Find the node and free from the list */ 739 for (peer = sm->tdls; peer; peer = peer->next) { 740 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 741 break; 742 } 743 744 if (peer == NULL) { 745 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 746 "Teardown " MACSTR, MAC2STR(addr)); 747 return 0; 748 } 749 750 /* Cancel active channel switch before teardown */ 751 if (peer->chan_switch_enabled) { 752 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 753 " to base channel", MAC2STR(addr)); 754 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 755 } 756 757 dialog_token = peer->dtoken; 758 759 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 760 MAC2STR(addr)); 761 762 ielen = 0; 763 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 764 /* To add FTIE for Teardown request and compute MIC */ 765 ielen += sizeof(*ftie); 766 #ifdef CONFIG_TDLS_TESTING 767 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 768 ielen += 170; 769 #endif /* CONFIG_TDLS_TESTING */ 770 } 771 772 rbuf = os_zalloc(ielen + 1); 773 if (rbuf == NULL) 774 return -1; 775 pos = rbuf; 776 777 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 778 goto skip_ies; 779 780 ftie = (struct wpa_tdls_ftie *) pos; 781 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 782 /* Using the recent nonce which should be for CONFIRM frame */ 783 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 784 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 785 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 786 pos = (u8 *) (ftie + 1); 787 #ifdef CONFIG_TDLS_TESTING 788 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 789 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 790 "FTIE"); 791 ftie->ie_len += 170; 792 *pos++ = 255; /* FTIE subelem */ 793 *pos++ = 168; /* FTIE subelem length */ 794 pos += 168; 795 } 796 #endif /* CONFIG_TDLS_TESTING */ 797 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 798 (u8 *) ftie, pos - (u8 *) ftie); 799 800 /* compute MIC before sending */ 801 wpa_tdls_linkid(sm, peer, &lnkid); 802 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 803 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 804 ftie->mic); 805 806 skip_ies: 807 /* TODO: register for a Timeout handler, if Teardown is not received at 808 * the other end, then try again another time */ 809 810 /* request driver to send Teardown using this FTIE */ 811 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 812 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 813 os_free(rbuf); 814 815 return 0; 816 } 817 818 819 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 820 { 821 struct wpa_tdls_peer *peer; 822 823 if (sm->tdls_disabled || !sm->tdls_supported) 824 return -1; 825 826 for (peer = sm->tdls; peer; peer = peer->next) { 827 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 828 break; 829 } 830 831 if (peer == NULL) { 832 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 833 " for link Teardown", MAC2STR(addr)); 834 return -1; 835 } 836 837 if (!peer->tpk_success) { 838 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 839 " not connected - cannot Teardown link", MAC2STR(addr)); 840 return -1; 841 } 842 843 return wpa_tdls_do_teardown(sm, peer, reason_code); 844 } 845 846 847 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 848 struct wpa_tdls_peer *peer) 849 { 850 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 851 wpa_tdls_peer_free(sm, peer); 852 } 853 854 855 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 856 { 857 struct wpa_tdls_peer *peer; 858 859 for (peer = sm->tdls; peer; peer = peer->next) { 860 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 861 break; 862 } 863 864 if (!peer || !peer->tpk_success) { 865 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 866 " not connected - cannot teardown unreachable link", 867 MAC2STR(addr)); 868 return; 869 } 870 871 if (wpa_tdls_is_external_setup(sm)) { 872 /* 873 * Get us on the base channel, disable the link, send a 874 * teardown packet through the AP, and then reset link data. 875 */ 876 if (peer->chan_switch_enabled) 877 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 878 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 879 wpa_tdls_send_teardown(sm, addr, 880 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 881 wpa_tdls_peer_free(sm, peer); 882 } else { 883 wpa_tdls_disable_peer_link(sm, peer); 884 } 885 } 886 887 888 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 889 { 890 struct wpa_tdls_peer *peer; 891 892 if (sm->tdls_disabled || !sm->tdls_supported) 893 return "disabled"; 894 895 for (peer = sm->tdls; peer; peer = peer->next) { 896 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 897 break; 898 } 899 900 if (peer == NULL) 901 return "peer does not exist"; 902 903 if (!peer->tpk_success) 904 return "peer not connected"; 905 906 return "connected"; 907 } 908 909 910 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 911 const u8 *buf, size_t len) 912 { 913 struct wpa_tdls_peer *peer = NULL; 914 struct wpa_tdls_ftie *ftie; 915 struct wpa_tdls_lnkid *lnkid; 916 struct wpa_eapol_ie_parse kde; 917 u16 reason_code; 918 const u8 *pos; 919 int ielen; 920 921 /* Find the node and free from the list */ 922 for (peer = sm->tdls; peer; peer = peer->next) { 923 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 924 break; 925 } 926 927 if (peer == NULL) { 928 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 929 "Teardown " MACSTR, MAC2STR(src_addr)); 930 return 0; 931 } 932 933 pos = buf; 934 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 935 936 reason_code = WPA_GET_LE16(pos); 937 pos += 2; 938 939 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 940 " (reason code %u)", MAC2STR(src_addr), reason_code); 941 942 ielen = len - (pos - buf); /* start of IE in buf */ 943 944 /* 945 * Don't reject the message if failing to parse IEs. The IEs we need are 946 * explicitly checked below. Some APs may add arbitrary padding to the 947 * end of short TDLS frames and that would look like invalid IEs. 948 */ 949 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 950 wpa_printf(MSG_DEBUG, 951 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 952 953 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 954 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 955 "Teardown"); 956 return -1; 957 } 958 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 959 960 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 961 goto skip_ftie; 962 963 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 964 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 965 return -1; 966 } 967 968 ftie = (struct wpa_tdls_ftie *) kde.ftie; 969 970 /* Process MIC check to see if TDLS Teardown is right */ 971 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 972 peer->dtoken, peer, 973 (u8 *) lnkid, ftie) < 0) { 974 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 975 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 976 return -1; 977 } 978 979 skip_ftie: 980 /* 981 * Request the driver to disable the direct link and clear associated 982 * keys. 983 */ 984 wpa_tdls_disable_peer_link(sm, peer); 985 return 0; 986 } 987 988 989 /** 990 * wpa_tdls_send_error - To send suitable TDLS status response with 991 * appropriate status code mentioning reason for error/failure. 992 * @dst - MAC addr of Peer station 993 * @tdls_action - TDLS frame type for which error code is sent 994 * @initiator - was this end the initiator of the connection 995 * @status - status code mentioning reason 996 */ 997 998 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 999 u8 tdls_action, u8 dialog_token, int initiator, 1000 u16 status) 1001 { 1002 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1003 " (action=%u status=%u)", 1004 MAC2STR(dst), tdls_action, status); 1005 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1006 0, initiator, NULL, 0); 1007 } 1008 1009 1010 static struct wpa_tdls_peer * 1011 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1012 { 1013 struct wpa_tdls_peer *peer; 1014 1015 if (existing) 1016 *existing = 0; 1017 for (peer = sm->tdls; peer; peer = peer->next) { 1018 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1019 if (existing) 1020 *existing = 1; 1021 return peer; /* re-use existing entry */ 1022 } 1023 } 1024 1025 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1026 MAC2STR(addr)); 1027 1028 peer = os_zalloc(sizeof(*peer)); 1029 if (peer == NULL) 1030 return NULL; 1031 1032 os_memcpy(peer->addr, addr, ETH_ALEN); 1033 peer->next = sm->tdls; 1034 sm->tdls = peer; 1035 1036 return peer; 1037 } 1038 1039 1040 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1041 struct wpa_tdls_peer *peer) 1042 { 1043 size_t buf_len; 1044 struct wpa_tdls_timeoutie timeoutie; 1045 u16 rsn_capab; 1046 struct wpa_tdls_ftie *ftie; 1047 u8 *rbuf, *pos, *count_pos; 1048 u16 count; 1049 struct rsn_ie_hdr *hdr; 1050 int status; 1051 1052 if (!wpa_tdls_get_privacy(sm)) { 1053 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1054 peer->rsnie_i_len = 0; 1055 goto skip_rsnie; 1056 } 1057 1058 /* 1059 * TPK Handshake Message 1: 1060 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1061 * Timeout Interval IE)) 1062 */ 1063 1064 /* Filling RSN IE */ 1065 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1066 hdr->elem_id = WLAN_EID_RSN; 1067 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1068 1069 pos = (u8 *) (hdr + 1); 1070 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1071 pos += RSN_SELECTOR_LEN; 1072 count_pos = pos; 1073 pos += 2; 1074 1075 count = 0; 1076 1077 /* 1078 * AES-CCMP is the default Encryption preferred for TDLS, so 1079 * RSN IE is filled only with CCMP CIPHER 1080 * Note: TKIP is not used to encrypt TDLS link. 1081 * 1082 * Regardless of the cipher used on the AP connection, select CCMP 1083 * here. 1084 */ 1085 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1086 pos += RSN_SELECTOR_LEN; 1087 count++; 1088 1089 WPA_PUT_LE16(count_pos, count); 1090 1091 WPA_PUT_LE16(pos, 1); 1092 pos += 2; 1093 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1094 pos += RSN_SELECTOR_LEN; 1095 1096 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1097 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1098 #ifdef CONFIG_TDLS_TESTING 1099 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1100 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1101 "testing"); 1102 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1103 } 1104 #endif /* CONFIG_TDLS_TESTING */ 1105 WPA_PUT_LE16(pos, rsn_capab); 1106 pos += 2; 1107 #ifdef CONFIG_TDLS_TESTING 1108 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1109 /* Number of PMKIDs */ 1110 *pos++ = 0x00; 1111 *pos++ = 0x00; 1112 } 1113 #endif /* CONFIG_TDLS_TESTING */ 1114 1115 hdr->len = (pos - peer->rsnie_i) - 2; 1116 peer->rsnie_i_len = pos - peer->rsnie_i; 1117 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1118 peer->rsnie_i, peer->rsnie_i_len); 1119 1120 skip_rsnie: 1121 buf_len = 0; 1122 if (wpa_tdls_get_privacy(sm)) 1123 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1124 sizeof(struct wpa_tdls_timeoutie); 1125 #ifdef CONFIG_TDLS_TESTING 1126 if (wpa_tdls_get_privacy(sm) && 1127 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1128 buf_len += 170; 1129 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1130 buf_len += sizeof(struct wpa_tdls_lnkid); 1131 #endif /* CONFIG_TDLS_TESTING */ 1132 rbuf = os_zalloc(buf_len + 1); 1133 if (rbuf == NULL) { 1134 wpa_tdls_peer_free(sm, peer); 1135 return -1; 1136 } 1137 pos = rbuf; 1138 1139 if (!wpa_tdls_get_privacy(sm)) 1140 goto skip_ies; 1141 1142 /* Initiator RSN IE */ 1143 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1144 1145 ftie = (struct wpa_tdls_ftie *) pos; 1146 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1147 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1148 1149 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1150 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1151 "TDLS: Failed to get random data for initiator Nonce"); 1152 os_free(rbuf); 1153 wpa_tdls_peer_free(sm, peer); 1154 return -1; 1155 } 1156 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1157 peer->inonce, WPA_NONCE_LEN); 1158 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1159 1160 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1161 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1162 1163 pos = (u8 *) (ftie + 1); 1164 1165 #ifdef CONFIG_TDLS_TESTING 1166 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1167 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1168 "FTIE"); 1169 ftie->ie_len += 170; 1170 *pos++ = 255; /* FTIE subelem */ 1171 *pos++ = 168; /* FTIE subelem length */ 1172 pos += 168; 1173 } 1174 #endif /* CONFIG_TDLS_TESTING */ 1175 1176 /* Lifetime */ 1177 peer->lifetime = TPK_LIFETIME; 1178 #ifdef CONFIG_TDLS_TESTING 1179 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1180 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1181 "lifetime"); 1182 peer->lifetime = 301; 1183 } 1184 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1185 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1186 "lifetime"); 1187 peer->lifetime = 0xffffffff; 1188 } 1189 #endif /* CONFIG_TDLS_TESTING */ 1190 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1191 sizeof(timeoutie), peer->lifetime); 1192 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1193 1194 skip_ies: 1195 1196 #ifdef CONFIG_TDLS_TESTING 1197 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1198 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1199 "Link Identifier"); 1200 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1201 wpa_tdls_linkid(sm, peer, l); 1202 l->bssid[5] ^= 0x01; 1203 pos += sizeof(*l); 1204 } 1205 #endif /* CONFIG_TDLS_TESTING */ 1206 1207 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1208 "Handshake Message 1 (peer " MACSTR ")", 1209 MAC2STR(peer->addr)); 1210 1211 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1212 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1213 os_free(rbuf); 1214 1215 return status; 1216 } 1217 1218 1219 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1220 const unsigned char *src_addr, u8 dtoken, 1221 struct wpa_tdls_lnkid *lnkid, 1222 const struct wpa_tdls_peer *peer) 1223 { 1224 u8 *rbuf, *pos; 1225 size_t buf_len; 1226 u32 lifetime; 1227 struct wpa_tdls_timeoutie timeoutie; 1228 struct wpa_tdls_ftie *ftie; 1229 int status; 1230 1231 buf_len = 0; 1232 if (wpa_tdls_get_privacy(sm)) { 1233 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1234 * Lifetime */ 1235 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1236 sizeof(struct wpa_tdls_timeoutie); 1237 #ifdef CONFIG_TDLS_TESTING 1238 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1239 buf_len += 170; 1240 #endif /* CONFIG_TDLS_TESTING */ 1241 } 1242 1243 rbuf = os_zalloc(buf_len + 1); 1244 if (rbuf == NULL) 1245 return -1; 1246 pos = rbuf; 1247 1248 if (!wpa_tdls_get_privacy(sm)) 1249 goto skip_ies; 1250 1251 /* Peer RSN IE */ 1252 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1253 1254 ftie = (struct wpa_tdls_ftie *) pos; 1255 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1256 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1257 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1258 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1259 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1260 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1261 (u8 *) ftie, sizeof(*ftie)); 1262 1263 pos = (u8 *) (ftie + 1); 1264 1265 #ifdef CONFIG_TDLS_TESTING 1266 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1267 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1268 "FTIE"); 1269 ftie->ie_len += 170; 1270 *pos++ = 255; /* FTIE subelem */ 1271 *pos++ = 168; /* FTIE subelem length */ 1272 pos += 168; 1273 } 1274 #endif /* CONFIG_TDLS_TESTING */ 1275 1276 /* Lifetime */ 1277 lifetime = peer->lifetime; 1278 #ifdef CONFIG_TDLS_TESTING 1279 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1280 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1281 "lifetime in response"); 1282 lifetime++; 1283 } 1284 #endif /* CONFIG_TDLS_TESTING */ 1285 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1286 sizeof(timeoutie), lifetime); 1287 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1288 lifetime); 1289 1290 /* compute MIC before sending */ 1291 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1292 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1293 #ifdef CONFIG_TDLS_TESTING 1294 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1295 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1296 ftie->mic[0] ^= 0x01; 1297 } 1298 #endif /* CONFIG_TDLS_TESTING */ 1299 1300 skip_ies: 1301 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1302 dtoken, 0, 0, peer->initiator, rbuf, 1303 pos - rbuf); 1304 os_free(rbuf); 1305 1306 return status; 1307 } 1308 1309 1310 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1311 const unsigned char *src_addr, u8 dtoken, 1312 struct wpa_tdls_lnkid *lnkid, 1313 const struct wpa_tdls_peer *peer) 1314 { 1315 u8 *rbuf, *pos; 1316 size_t buf_len; 1317 struct wpa_tdls_ftie *ftie; 1318 struct wpa_tdls_timeoutie timeoutie; 1319 u32 lifetime; 1320 int status; 1321 u32 peer_capab = 0; 1322 1323 buf_len = 0; 1324 if (wpa_tdls_get_privacy(sm)) { 1325 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1326 * Lifetime */ 1327 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1328 sizeof(struct wpa_tdls_timeoutie); 1329 #ifdef CONFIG_TDLS_TESTING 1330 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1331 buf_len += 170; 1332 #endif /* CONFIG_TDLS_TESTING */ 1333 } 1334 1335 rbuf = os_zalloc(buf_len + 1); 1336 if (rbuf == NULL) 1337 return -1; 1338 pos = rbuf; 1339 1340 if (!wpa_tdls_get_privacy(sm)) 1341 goto skip_ies; 1342 1343 /* Peer RSN IE */ 1344 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1345 1346 ftie = (struct wpa_tdls_ftie *) pos; 1347 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1348 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1349 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1350 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1351 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1352 1353 pos = (u8 *) (ftie + 1); 1354 1355 #ifdef CONFIG_TDLS_TESTING 1356 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1357 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1358 "FTIE"); 1359 ftie->ie_len += 170; 1360 *pos++ = 255; /* FTIE subelem */ 1361 *pos++ = 168; /* FTIE subelem length */ 1362 pos += 168; 1363 } 1364 #endif /* CONFIG_TDLS_TESTING */ 1365 1366 /* Lifetime */ 1367 lifetime = peer->lifetime; 1368 #ifdef CONFIG_TDLS_TESTING 1369 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1370 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1371 "lifetime in confirm"); 1372 lifetime++; 1373 } 1374 #endif /* CONFIG_TDLS_TESTING */ 1375 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1376 sizeof(timeoutie), lifetime); 1377 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1378 lifetime); 1379 1380 /* compute MIC before sending */ 1381 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1382 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1383 #ifdef CONFIG_TDLS_TESTING 1384 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1385 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1386 ftie->mic[0] ^= 0x01; 1387 } 1388 #endif /* CONFIG_TDLS_TESTING */ 1389 1390 skip_ies: 1391 1392 if (peer->vht_capabilities) 1393 peer_capab |= TDLS_PEER_VHT; 1394 if (peer->ht_capabilities) 1395 peer_capab |= TDLS_PEER_HT; 1396 if (peer->wmm_capable) 1397 peer_capab |= TDLS_PEER_WMM; 1398 1399 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1400 dtoken, 0, peer_capab, peer->initiator, 1401 rbuf, pos - rbuf); 1402 os_free(rbuf); 1403 1404 return status; 1405 } 1406 1407 1408 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1409 struct wpa_tdls_peer *peer, 1410 u8 dialog_token) 1411 { 1412 size_t buf_len = 0; 1413 struct wpa_tdls_timeoutie timeoutie; 1414 u16 rsn_capab; 1415 u8 *rbuf, *pos, *count_pos; 1416 u16 count; 1417 struct rsn_ie_hdr *hdr; 1418 int status; 1419 1420 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1421 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1422 if (!wpa_tdls_get_privacy(sm)) 1423 goto skip_rsn_ies; 1424 1425 /* Filling RSN IE */ 1426 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1427 hdr->elem_id = WLAN_EID_RSN; 1428 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1429 pos = (u8 *) (hdr + 1); 1430 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1431 pos += RSN_SELECTOR_LEN; 1432 count_pos = pos; 1433 pos += 2; 1434 count = 0; 1435 1436 /* 1437 * AES-CCMP is the default encryption preferred for TDLS, so 1438 * RSN IE is filled only with CCMP cipher suite. 1439 * Note: TKIP is not used to encrypt TDLS link. 1440 * 1441 * Regardless of the cipher used on the AP connection, select CCMP 1442 * here. 1443 */ 1444 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1445 pos += RSN_SELECTOR_LEN; 1446 count++; 1447 WPA_PUT_LE16(count_pos, count); 1448 WPA_PUT_LE16(pos, 1); 1449 pos += 2; 1450 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1451 pos += RSN_SELECTOR_LEN; 1452 1453 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1454 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1455 WPA_PUT_LE16(pos, rsn_capab); 1456 pos += 2; 1457 hdr->len = (pos - (u8 *) hdr) - 2; 1458 peer->rsnie_i_len = pos - peer->rsnie_i; 1459 1460 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1461 (u8 *) hdr, hdr->len + 2); 1462 skip_rsn_ies: 1463 buf_len = 0; 1464 if (wpa_tdls_get_privacy(sm)) { 1465 /* Peer RSN IE, Lifetime */ 1466 buf_len += peer->rsnie_i_len + 1467 sizeof(struct wpa_tdls_timeoutie); 1468 } 1469 rbuf = os_zalloc(buf_len + 1); 1470 if (rbuf == NULL) { 1471 wpa_tdls_peer_free(sm, peer); 1472 return -1; 1473 } 1474 pos = rbuf; 1475 1476 if (!wpa_tdls_get_privacy(sm)) 1477 goto skip_ies; 1478 /* Initiator RSN IE */ 1479 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1480 /* Lifetime */ 1481 peer->lifetime = TPK_LIFETIME; 1482 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1483 sizeof(timeoutie), peer->lifetime); 1484 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1485 skip_ies: 1486 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1487 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1488 os_free(rbuf); 1489 1490 return status; 1491 } 1492 1493 1494 static int 1495 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1496 const u8 *buf, size_t len) 1497 { 1498 struct wpa_eapol_ie_parse kde; 1499 const struct wpa_tdls_lnkid *lnkid; 1500 struct wpa_tdls_peer *peer; 1501 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1502 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1503 u8 dialog_token; 1504 1505 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1506 MAC2STR(addr)); 1507 1508 if (len < min_req_len) { 1509 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1510 "%d", (int) len); 1511 return -1; 1512 } 1513 1514 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1515 1516 /* 1517 * Some APs will tack on a weird IE to the end of a TDLS 1518 * discovery request packet. This needn't fail the response, 1519 * since the required IE are verified separately. 1520 */ 1521 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1522 len - (sizeof(struct wpa_tdls_frame) + 1), 1523 &kde) < 0) { 1524 wpa_printf(MSG_DEBUG, 1525 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1526 } 1527 1528 if (!kde.lnkid) { 1529 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1530 "Request"); 1531 return -1; 1532 } 1533 1534 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1535 1536 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1537 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1538 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1539 return -1; 1540 } 1541 1542 peer = wpa_tdls_add_peer(sm, addr, NULL); 1543 if (peer == NULL) 1544 return -1; 1545 1546 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1547 } 1548 1549 1550 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1551 { 1552 if (sm->tdls_disabled || !sm->tdls_supported) 1553 return -1; 1554 1555 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1556 MACSTR, MAC2STR(addr)); 1557 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1558 1, 0, 0, 1, NULL, 0); 1559 } 1560 1561 1562 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1563 struct wpa_tdls_peer *peer) 1564 { 1565 if (!kde->supp_rates) { 1566 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1567 return -1; 1568 } 1569 peer->supp_rates_len = merge_byte_arrays( 1570 peer->supp_rates, sizeof(peer->supp_rates), 1571 kde->supp_rates + 2, kde->supp_rates_len - 2, 1572 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1573 kde->ext_supp_rates_len - 2); 1574 return 0; 1575 } 1576 1577 1578 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1579 struct wpa_tdls_peer *peer) 1580 { 1581 if (!kde->ht_capabilities) { 1582 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1583 "received"); 1584 return 0; 1585 } 1586 1587 if (!peer->ht_capabilities) { 1588 peer->ht_capabilities = 1589 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1590 if (peer->ht_capabilities == NULL) 1591 return -1; 1592 } 1593 1594 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1595 sizeof(struct ieee80211_ht_capabilities)); 1596 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1597 (u8 *) peer->ht_capabilities, 1598 sizeof(struct ieee80211_ht_capabilities)); 1599 1600 return 0; 1601 } 1602 1603 1604 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1605 struct wpa_tdls_peer *peer) 1606 { 1607 if (!kde->vht_capabilities) { 1608 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1609 "received"); 1610 return 0; 1611 } 1612 1613 if (!peer->vht_capabilities) { 1614 peer->vht_capabilities = 1615 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1616 if (peer->vht_capabilities == NULL) 1617 return -1; 1618 } 1619 1620 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1621 sizeof(struct ieee80211_vht_capabilities)); 1622 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1623 (u8 *) peer->vht_capabilities, 1624 sizeof(struct ieee80211_vht_capabilities)); 1625 1626 return 0; 1627 } 1628 1629 1630 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1631 struct wpa_tdls_peer *peer) 1632 { 1633 if (!kde->ext_capab) { 1634 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1635 "received"); 1636 return 0; 1637 } 1638 1639 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1640 /* Need to allocate buffer to fit the new information */ 1641 os_free(peer->ext_capab); 1642 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1643 if (peer->ext_capab == NULL) 1644 return -1; 1645 } 1646 1647 peer->ext_capab_len = kde->ext_capab_len - 2; 1648 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1649 1650 return 0; 1651 } 1652 1653 1654 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1655 struct wpa_tdls_peer *peer) 1656 { 1657 struct wmm_information_element *wmm; 1658 1659 if (!kde->wmm) { 1660 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1661 return 0; 1662 } 1663 1664 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1665 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1666 return -1; 1667 } 1668 1669 wmm = (struct wmm_information_element *) kde->wmm; 1670 peer->qos_info = wmm->qos_info; 1671 1672 peer->wmm_capable = 1; 1673 1674 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1675 return 0; 1676 } 1677 1678 1679 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1680 struct wpa_tdls_peer *peer) 1681 { 1682 if (!kde->supp_channels) { 1683 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1684 return 0; 1685 } 1686 1687 if (!peer->supp_channels || 1688 peer->supp_channels_len < kde->supp_channels_len) { 1689 os_free(peer->supp_channels); 1690 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1691 if (peer->supp_channels == NULL) 1692 return -1; 1693 } 1694 1695 peer->supp_channels_len = kde->supp_channels_len; 1696 1697 os_memcpy(peer->supp_channels, kde->supp_channels, 1698 peer->supp_channels_len); 1699 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1700 (u8 *) peer->supp_channels, peer->supp_channels_len); 1701 return 0; 1702 } 1703 1704 1705 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1706 struct wpa_tdls_peer *peer) 1707 { 1708 if (!kde->supp_oper_classes) { 1709 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1710 return 0; 1711 } 1712 1713 if (!peer->supp_oper_classes || 1714 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1715 os_free(peer->supp_oper_classes); 1716 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1717 if (peer->supp_oper_classes == NULL) 1718 return -1; 1719 } 1720 1721 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1722 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1723 peer->supp_oper_classes_len); 1724 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1725 (u8 *) peer->supp_oper_classes, 1726 peer->supp_oper_classes_len); 1727 return 0; 1728 } 1729 1730 1731 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1732 int add) 1733 { 1734 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1735 peer->capability, 1736 peer->supp_rates, peer->supp_rates_len, 1737 peer->ht_capabilities, 1738 peer->vht_capabilities, 1739 peer->qos_info, peer->wmm_capable, 1740 peer->ext_capab, peer->ext_capab_len, 1741 peer->supp_channels, 1742 peer->supp_channels_len, 1743 peer->supp_oper_classes, 1744 peer->supp_oper_classes_len); 1745 } 1746 1747 1748 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1749 const u8 *buf, size_t len) 1750 { 1751 struct wpa_tdls_peer *peer; 1752 struct wpa_eapol_ie_parse kde; 1753 struct wpa_ie_data ie; 1754 int cipher; 1755 const u8 *cpos; 1756 struct wpa_tdls_ftie *ftie = NULL; 1757 struct wpa_tdls_timeoutie *timeoutie; 1758 struct wpa_tdls_lnkid *lnkid; 1759 u32 lifetime = 0; 1760 #if 0 1761 struct rsn_ie_hdr *hdr; 1762 u8 *pos; 1763 u16 rsn_capab; 1764 u16 rsn_ver; 1765 #endif 1766 u8 dtoken; 1767 u16 ielen; 1768 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1769 int tdls_prohibited = sm->tdls_prohibited; 1770 int existing_peer = 0; 1771 1772 if (len < 3 + 3) 1773 return -1; 1774 1775 cpos = buf; 1776 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1777 1778 /* driver had already verified the frame format */ 1779 dtoken = *cpos++; /* dialog token */ 1780 1781 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1782 1783 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1784 if (peer == NULL) 1785 goto error; 1786 1787 /* If found, use existing entry instead of adding a new one; 1788 * how to handle the case where both ends initiate at the 1789 * same time? */ 1790 if (existing_peer) { 1791 if (peer->tpk_success) { 1792 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1793 "direct link is enabled - tear down the " 1794 "old link first"); 1795 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1796 wpa_tdls_peer_clear(sm, peer); 1797 } else if (peer->initiator) { 1798 /* 1799 * An entry is already present, so check if we already 1800 * sent a TDLS Setup Request. If so, compare MAC 1801 * addresses and let the STA with the lower MAC address 1802 * continue as the initiator. The other negotiation is 1803 * terminated. 1804 */ 1805 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1806 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1807 "from peer with higher address " 1808 MACSTR, MAC2STR(src_addr)); 1809 return -1; 1810 } else { 1811 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1812 "from peer with lower address " 1813 MACSTR " (terminate previously " 1814 "initiated negotiation", 1815 MAC2STR(src_addr)); 1816 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1817 peer->addr); 1818 wpa_tdls_peer_clear(sm, peer); 1819 } 1820 } 1821 } 1822 1823 /* capability information */ 1824 peer->capability = WPA_GET_LE16(cpos); 1825 cpos += 2; 1826 1827 ielen = len - (cpos - buf); /* start of IE in buf */ 1828 1829 /* 1830 * Don't reject the message if failing to parse IEs. The IEs we need are 1831 * explicitly checked below. Some APs may add arbitrary padding to the 1832 * end of short TDLS frames and that would look like invalid IEs. 1833 */ 1834 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1835 wpa_printf(MSG_DEBUG, 1836 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1837 1838 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1839 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1840 "TPK M1"); 1841 goto error; 1842 } 1843 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1844 kde.lnkid, kde.lnkid_len); 1845 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1846 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1847 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1848 status = WLAN_STATUS_REQUEST_DECLINED; 1849 goto error; 1850 } 1851 1852 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1853 MAC2STR(src_addr)); 1854 1855 if (copy_supp_rates(&kde, peer) < 0) 1856 goto error; 1857 1858 if (copy_peer_ht_capab(&kde, peer) < 0) 1859 goto error; 1860 1861 if (copy_peer_vht_capab(&kde, peer) < 0) 1862 goto error; 1863 1864 if (copy_peer_ext_capab(&kde, peer) < 0) 1865 goto error; 1866 1867 if (copy_peer_supp_channels(&kde, peer) < 0) 1868 goto error; 1869 1870 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1871 goto error; 1872 1873 peer->qos_info = kde.qosinfo; 1874 1875 /* Overwrite with the qos_info obtained in WMM IE */ 1876 if (copy_peer_wmm_capab(&kde, peer) < 0) 1877 goto error; 1878 1879 peer->aid = kde.aid; 1880 1881 #ifdef CONFIG_TDLS_TESTING 1882 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1883 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1884 if (peer == NULL) 1885 goto error; 1886 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1887 "TDLS setup - send own request"); 1888 peer->initiator = 1; 1889 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1890 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1891 wpa_tdls_send_tpk_m1(sm, peer); 1892 } 1893 1894 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1895 tdls_prohibited) { 1896 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1897 "on TDLS"); 1898 tdls_prohibited = 0; 1899 } 1900 #endif /* CONFIG_TDLS_TESTING */ 1901 1902 if (tdls_prohibited) { 1903 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1904 status = WLAN_STATUS_REQUEST_DECLINED; 1905 goto error; 1906 } 1907 1908 if (!wpa_tdls_get_privacy(sm)) { 1909 if (kde.rsn_ie) { 1910 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1911 "security is disabled"); 1912 status = WLAN_STATUS_SECURITY_DISABLED; 1913 goto error; 1914 } 1915 goto skip_rsn; 1916 } 1917 1918 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1919 kde.rsn_ie == NULL) { 1920 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1921 status = WLAN_STATUS_INVALID_PARAMETERS; 1922 goto error; 1923 } 1924 1925 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1926 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1927 "TPK M1"); 1928 status = WLAN_STATUS_INVALID_RSNIE; 1929 goto error; 1930 } 1931 1932 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1933 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1934 status = WLAN_STATUS_INVALID_RSNIE; 1935 goto error; 1936 } 1937 1938 cipher = ie.pairwise_cipher; 1939 if (cipher & WPA_CIPHER_CCMP) { 1940 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1941 cipher = WPA_CIPHER_CCMP; 1942 } else { 1943 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1944 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1945 goto error; 1946 } 1947 1948 if ((ie.capabilities & 1949 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1950 WPA_CAPABILITY_PEERKEY_ENABLED) { 1951 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1952 "TPK M1"); 1953 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1954 goto error; 1955 } 1956 1957 /* Lifetime */ 1958 if (kde.key_lifetime == NULL) { 1959 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1960 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1961 goto error; 1962 } 1963 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1964 lifetime = WPA_GET_LE32(timeoutie->value); 1965 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1966 if (lifetime < 300) { 1967 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1968 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1969 goto error; 1970 } 1971 1972 skip_rsn: 1973 #ifdef CONFIG_TDLS_TESTING 1974 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1975 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1976 /* 1977 * The request frame from us is going to win, so do not 1978 * replace information based on this request frame from 1979 * the peer. 1980 */ 1981 goto skip_rsn_check; 1982 } 1983 } 1984 #endif /* CONFIG_TDLS_TESTING */ 1985 1986 peer->initiator = 0; /* Need to check */ 1987 peer->dtoken = dtoken; 1988 1989 if (!wpa_tdls_get_privacy(sm)) { 1990 peer->rsnie_i_len = 0; 1991 peer->rsnie_p_len = 0; 1992 peer->cipher = WPA_CIPHER_NONE; 1993 goto skip_rsn_check; 1994 } 1995 1996 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1997 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1998 peer->rsnie_i_len = kde.rsn_ie_len; 1999 peer->cipher = cipher; 2000 2001 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2002 /* 2003 * There is no point in updating the RNonce for every obtained 2004 * TPK M1 frame (e.g., retransmission due to timeout) with the 2005 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2006 * retransmitted with a different INonce, update the RNonce 2007 * since this is for a new TDLS session. 2008 */ 2009 wpa_printf(MSG_DEBUG, 2010 "TDLS: New TPK M1 INonce - generate new RNonce"); 2011 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2012 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2013 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2014 "TDLS: Failed to get random data for responder nonce"); 2015 goto error; 2016 } 2017 } 2018 2019 #if 0 2020 /* get version info from RSNIE received from Peer */ 2021 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2022 rsn_ver = WPA_GET_LE16(hdr->version); 2023 2024 /* use min(peer's version, out version) */ 2025 if (rsn_ver > RSN_VERSION) 2026 rsn_ver = RSN_VERSION; 2027 2028 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2029 2030 hdr->elem_id = WLAN_EID_RSN; 2031 WPA_PUT_LE16(hdr->version, rsn_ver); 2032 pos = (u8 *) (hdr + 1); 2033 2034 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2035 pos += RSN_SELECTOR_LEN; 2036 /* Include only the selected cipher in pairwise cipher suite */ 2037 WPA_PUT_LE16(pos, 1); 2038 pos += 2; 2039 if (cipher == WPA_CIPHER_CCMP) 2040 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2041 pos += RSN_SELECTOR_LEN; 2042 2043 WPA_PUT_LE16(pos, 1); 2044 pos += 2; 2045 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2046 pos += RSN_SELECTOR_LEN; 2047 2048 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2049 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2050 WPA_PUT_LE16(pos, rsn_capab); 2051 pos += 2; 2052 2053 hdr->len = (pos - peer->rsnie_p) - 2; 2054 peer->rsnie_p_len = pos - peer->rsnie_p; 2055 #endif 2056 2057 /* temp fix: validation of RSNIE later */ 2058 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2059 peer->rsnie_p_len = peer->rsnie_i_len; 2060 2061 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2062 peer->rsnie_p, peer->rsnie_p_len); 2063 2064 peer->lifetime = lifetime; 2065 2066 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2067 2068 skip_rsn_check: 2069 #ifdef CONFIG_TDLS_TESTING 2070 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2071 goto skip_add_peer; 2072 #endif /* CONFIG_TDLS_TESTING */ 2073 2074 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2075 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2076 goto error; 2077 2078 #ifdef CONFIG_TDLS_TESTING 2079 skip_add_peer: 2080 #endif /* CONFIG_TDLS_TESTING */ 2081 peer->tpk_in_progress = 1; 2082 2083 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2084 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2085 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2086 goto error; 2087 } 2088 2089 return 0; 2090 2091 error: 2092 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2093 status); 2094 if (peer) 2095 wpa_tdls_peer_free(sm, peer); 2096 return -1; 2097 } 2098 2099 2100 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2101 { 2102 peer->tpk_success = 1; 2103 peer->tpk_in_progress = 0; 2104 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2105 if (wpa_tdls_get_privacy(sm)) { 2106 u32 lifetime = peer->lifetime; 2107 /* 2108 * Start the initiator process a bit earlier to avoid race 2109 * condition with the responder sending teardown request. 2110 */ 2111 if (lifetime > 3 && peer->initiator) 2112 lifetime -= 3; 2113 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2114 sm, peer); 2115 #ifdef CONFIG_TDLS_TESTING 2116 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2117 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2118 "expiration"); 2119 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2120 } 2121 #endif /* CONFIG_TDLS_TESTING */ 2122 } 2123 2124 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2125 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2126 "driver"); 2127 return -1; 2128 } 2129 peer->reconfig_key = 0; 2130 2131 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2132 } 2133 2134 2135 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2136 const u8 *buf, size_t len) 2137 { 2138 struct wpa_tdls_peer *peer; 2139 struct wpa_eapol_ie_parse kde; 2140 struct wpa_ie_data ie; 2141 int cipher; 2142 struct wpa_tdls_ftie *ftie; 2143 struct wpa_tdls_timeoutie *timeoutie; 2144 struct wpa_tdls_lnkid *lnkid; 2145 u32 lifetime; 2146 u8 dtoken; 2147 int ielen; 2148 u16 status; 2149 const u8 *pos; 2150 int ret = 0; 2151 2152 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2153 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2154 for (peer = sm->tdls; peer; peer = peer->next) { 2155 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2156 break; 2157 } 2158 if (peer == NULL) { 2159 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2160 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2161 return -1; 2162 } 2163 if (!peer->initiator) { 2164 /* 2165 * This may happen if both devices try to initiate TDLS at the 2166 * same time and we accept the TPK M1 from the peer in 2167 * wpa_tdls_process_tpk_m1() and clear our previous state. 2168 */ 2169 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2170 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2171 return -1; 2172 } 2173 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2174 2175 if (len < 3 + 2 + 1) { 2176 wpa_tdls_disable_peer_link(sm, peer); 2177 return -1; 2178 } 2179 2180 pos = buf; 2181 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2182 status = WPA_GET_LE16(pos); 2183 pos += 2 /* status code */; 2184 2185 if (status != WLAN_STATUS_SUCCESS) { 2186 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2187 status); 2188 wpa_tdls_disable_peer_link(sm, peer); 2189 return -1; 2190 } 2191 2192 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2193 2194 /* TODO: need to verify dialog token matches here or in kernel */ 2195 dtoken = *pos++; /* dialog token */ 2196 2197 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2198 2199 if (len < 3 + 2 + 1 + 2) { 2200 wpa_tdls_disable_peer_link(sm, peer); 2201 return -1; 2202 } 2203 2204 /* capability information */ 2205 peer->capability = WPA_GET_LE16(pos); 2206 pos += 2; 2207 2208 ielen = len - (pos - buf); /* start of IE in buf */ 2209 2210 /* 2211 * Don't reject the message if failing to parse IEs. The IEs we need are 2212 * explicitly checked below. Some APs may add arbitrary padding to the 2213 * end of short TDLS frames and that would look like invalid IEs. 2214 */ 2215 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2216 wpa_printf(MSG_DEBUG, 2217 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2218 2219 #ifdef CONFIG_TDLS_TESTING 2220 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2221 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2222 status = WLAN_STATUS_REQUEST_DECLINED; 2223 goto error; 2224 } 2225 #endif /* CONFIG_TDLS_TESTING */ 2226 2227 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2228 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2229 "TPK M2"); 2230 goto error; 2231 } 2232 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2233 kde.lnkid, kde.lnkid_len); 2234 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2235 2236 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2237 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2238 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2239 goto error; 2240 } 2241 2242 if (copy_supp_rates(&kde, peer) < 0) 2243 goto error; 2244 2245 if (copy_peer_ht_capab(&kde, peer) < 0) 2246 goto error; 2247 2248 if (copy_peer_vht_capab(&kde, peer) < 0) 2249 goto error; 2250 2251 if (copy_peer_ext_capab(&kde, peer) < 0) 2252 goto error; 2253 2254 if (copy_peer_supp_channels(&kde, peer) < 0) 2255 goto error; 2256 2257 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2258 goto error; 2259 2260 peer->qos_info = kde.qosinfo; 2261 2262 /* Overwrite with the qos_info obtained in WMM IE */ 2263 if (copy_peer_wmm_capab(&kde, peer) < 0) 2264 goto error; 2265 2266 peer->aid = kde.aid; 2267 2268 if (!wpa_tdls_get_privacy(sm)) { 2269 peer->rsnie_p_len = 0; 2270 peer->cipher = WPA_CIPHER_NONE; 2271 goto skip_rsn; 2272 } 2273 2274 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2275 kde.rsn_ie == NULL) { 2276 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2277 status = WLAN_STATUS_INVALID_PARAMETERS; 2278 goto error; 2279 } 2280 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2281 kde.rsn_ie, kde.rsn_ie_len); 2282 2283 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2284 wpa_printf(MSG_INFO, 2285 "TDLS: Too long Responder RSN IE in TPK M2"); 2286 status = WLAN_STATUS_INVALID_RSNIE; 2287 goto error; 2288 } 2289 2290 /* 2291 * FIX: bitwise comparison of RSN IE is not the correct way of 2292 * validation this. It can be different, but certain fields must 2293 * match. Since we list only a single pairwise cipher in TPK M1, the 2294 * memcmp is likely to work in most cases, though. 2295 */ 2296 if (kde.rsn_ie_len != peer->rsnie_i_len || 2297 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2298 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2299 "not match with RSN IE used in TPK M1"); 2300 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2301 peer->rsnie_i, peer->rsnie_i_len); 2302 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2303 kde.rsn_ie, kde.rsn_ie_len); 2304 status = WLAN_STATUS_INVALID_RSNIE; 2305 goto error; 2306 } 2307 2308 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2309 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2310 status = WLAN_STATUS_INVALID_RSNIE; 2311 goto error; 2312 } 2313 2314 cipher = ie.pairwise_cipher; 2315 if (cipher == WPA_CIPHER_CCMP) { 2316 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2317 cipher = WPA_CIPHER_CCMP; 2318 } else { 2319 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2320 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2321 goto error; 2322 } 2323 2324 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2325 kde.ftie, sizeof(*ftie)); 2326 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2327 2328 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2329 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2330 "not match with FTIE SNonce used in TPK M1"); 2331 /* Silently discard the frame */ 2332 return -1; 2333 } 2334 2335 /* Responder Nonce and RSN IE */ 2336 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2337 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2338 peer->rsnie_p_len = kde.rsn_ie_len; 2339 peer->cipher = cipher; 2340 2341 /* Lifetime */ 2342 if (kde.key_lifetime == NULL) { 2343 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2344 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2345 goto error; 2346 } 2347 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2348 lifetime = WPA_GET_LE32(timeoutie->value); 2349 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2350 lifetime); 2351 if (lifetime != peer->lifetime) { 2352 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2353 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2354 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2355 goto error; 2356 } 2357 2358 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2359 2360 /* Process MIC check to see if TPK M2 is right */ 2361 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2362 (u8 *) timeoutie, ftie) < 0) { 2363 /* Discard the frame */ 2364 wpa_tdls_del_key(sm, peer); 2365 wpa_tdls_disable_peer_link(sm, peer); 2366 return -1; 2367 } 2368 2369 if (wpa_tdls_set_key(sm, peer) < 0) { 2370 /* 2371 * Some drivers may not be able to config the key prior to full 2372 * STA entry having been configured. 2373 */ 2374 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2375 "STA entry is complete"); 2376 peer->reconfig_key = 1; 2377 } 2378 2379 skip_rsn: 2380 peer->dtoken = dtoken; 2381 2382 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2383 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2384 goto error; 2385 2386 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2387 "TPK Handshake Message 3"); 2388 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2389 goto error; 2390 2391 if (!peer->tpk_success) { 2392 /* 2393 * Enable Link only when tpk_success is 0, signifying that this 2394 * processing of TPK M2 frame is not because of a retransmission 2395 * during TDLS setup handshake. 2396 */ 2397 ret = wpa_tdls_enable_link(sm, peer); 2398 if (ret < 0) { 2399 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2400 wpa_tdls_do_teardown( 2401 sm, peer, 2402 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2403 } 2404 } 2405 return ret; 2406 2407 error: 2408 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2409 status); 2410 wpa_tdls_disable_peer_link(sm, peer); 2411 return -1; 2412 } 2413 2414 2415 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2416 const u8 *buf, size_t len) 2417 { 2418 struct wpa_tdls_peer *peer; 2419 struct wpa_eapol_ie_parse kde; 2420 struct wpa_tdls_ftie *ftie; 2421 struct wpa_tdls_timeoutie *timeoutie; 2422 struct wpa_tdls_lnkid *lnkid; 2423 int ielen; 2424 u16 status; 2425 const u8 *pos; 2426 u32 lifetime; 2427 int ret = 0; 2428 2429 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2430 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2431 for (peer = sm->tdls; peer; peer = peer->next) { 2432 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2433 break; 2434 } 2435 if (peer == NULL) { 2436 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2437 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2438 return -1; 2439 } 2440 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2441 2442 if (len < 3 + 3) 2443 goto error; 2444 pos = buf; 2445 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2446 2447 status = WPA_GET_LE16(pos); 2448 2449 if (status != 0) { 2450 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2451 status); 2452 goto error; 2453 } 2454 pos += 2 /* status code */ + 1 /* dialog token */; 2455 2456 ielen = len - (pos - buf); /* start of IE in buf */ 2457 2458 /* 2459 * Don't reject the message if failing to parse IEs. The IEs we need are 2460 * explicitly checked below. Some APs piggy-back broken IEs to the end 2461 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2462 * this error. 2463 */ 2464 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2465 wpa_printf(MSG_DEBUG, 2466 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2467 } 2468 2469 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2470 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2471 goto error; 2472 } 2473 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2474 (u8 *) kde.lnkid, kde.lnkid_len); 2475 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2476 2477 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2478 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2479 goto error; 2480 } 2481 2482 if (!wpa_tdls_get_privacy(sm)) 2483 goto skip_rsn; 2484 2485 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2486 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2487 goto error; 2488 } 2489 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2490 kde.ftie, sizeof(*ftie)); 2491 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2492 2493 if (kde.rsn_ie == NULL) { 2494 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2495 goto error; 2496 } 2497 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2498 kde.rsn_ie, kde.rsn_ie_len); 2499 if (kde.rsn_ie_len != peer->rsnie_p_len || 2500 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2501 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2502 "with the one sent in TPK M2"); 2503 goto error; 2504 } 2505 2506 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2507 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2508 "not match with FTIE ANonce used in TPK M2"); 2509 goto error; 2510 } 2511 2512 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2513 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2514 "match with FTIE SNonce used in TPK M1"); 2515 goto error; 2516 } 2517 2518 if (kde.key_lifetime == NULL) { 2519 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2520 goto error; 2521 } 2522 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2523 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2524 (u8 *) timeoutie, sizeof(*timeoutie)); 2525 lifetime = WPA_GET_LE32(timeoutie->value); 2526 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2527 lifetime); 2528 if (lifetime != peer->lifetime) { 2529 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2530 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2531 goto error; 2532 } 2533 2534 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2535 (u8 *) timeoutie, ftie) < 0) { 2536 wpa_tdls_del_key(sm, peer); 2537 goto error; 2538 } 2539 2540 if (wpa_tdls_set_key(sm, peer) < 0) { 2541 /* 2542 * Some drivers may not be able to config the key prior to full 2543 * STA entry having been configured. 2544 */ 2545 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2546 "STA entry is complete"); 2547 peer->reconfig_key = 1; 2548 } 2549 2550 skip_rsn: 2551 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2552 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2553 goto error; 2554 2555 if (!peer->tpk_success) { 2556 /* 2557 * Enable Link only when tpk_success is 0, signifying that this 2558 * processing of TPK M3 frame is not because of a retransmission 2559 * during TDLS setup handshake. 2560 */ 2561 ret = wpa_tdls_enable_link(sm, peer); 2562 if (ret < 0) { 2563 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2564 goto error; 2565 } 2566 } 2567 return ret; 2568 error: 2569 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2570 return -1; 2571 } 2572 2573 2574 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2575 { 2576 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2577 2578 os_memset(lifetime, 0, ie_len); 2579 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2580 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2581 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2582 WPA_PUT_LE32(lifetime->value, tsecs); 2583 os_memcpy(pos, ie, ie_len); 2584 return pos + ie_len; 2585 } 2586 2587 2588 /** 2589 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2590 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2591 * @peer: MAC address of the peer STA 2592 * Returns: 0 on success, or -1 on failure 2593 * 2594 * Send TPK Handshake Message 1 info to driver to start TDLS 2595 * handshake with the peer. 2596 */ 2597 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2598 { 2599 struct wpa_tdls_peer *peer; 2600 int tdls_prohibited = sm->tdls_prohibited; 2601 2602 if (sm->tdls_disabled || !sm->tdls_supported) 2603 return -1; 2604 2605 #ifdef CONFIG_TDLS_TESTING 2606 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2607 tdls_prohibited) { 2608 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2609 "on TDLS"); 2610 tdls_prohibited = 0; 2611 } 2612 #endif /* CONFIG_TDLS_TESTING */ 2613 2614 if (tdls_prohibited) { 2615 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2616 "reject request to start setup"); 2617 return -1; 2618 } 2619 2620 peer = wpa_tdls_add_peer(sm, addr, NULL); 2621 if (peer == NULL) 2622 return -1; 2623 2624 if (peer->tpk_in_progress) { 2625 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2626 return 0; 2627 } 2628 2629 peer->initiator = 1; 2630 2631 /* add the peer to the driver as a "setup in progress" peer */ 2632 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2633 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2634 wpa_tdls_disable_peer_link(sm, peer); 2635 return -1; 2636 } 2637 2638 peer->tpk_in_progress = 1; 2639 2640 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2641 wpa_tdls_disable_peer_link(sm, peer); 2642 return -1; 2643 } 2644 2645 return 0; 2646 } 2647 2648 2649 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2650 { 2651 struct wpa_tdls_peer *peer; 2652 2653 if (sm->tdls_disabled || !sm->tdls_supported) 2654 return; 2655 2656 for (peer = sm->tdls; peer; peer = peer->next) { 2657 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2658 break; 2659 } 2660 2661 if (peer == NULL || !peer->tpk_success) 2662 return; 2663 2664 if (sm->tdls_external_setup) { 2665 /* 2666 * Disable previous link to allow renegotiation to be completed 2667 * on AP path. 2668 */ 2669 wpa_tdls_do_teardown(sm, peer, 2670 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2671 } 2672 } 2673 2674 2675 /** 2676 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2677 * 2678 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2679 */ 2680 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2681 const u8 *buf, size_t len) 2682 { 2683 struct wpa_sm *sm = ctx; 2684 struct wpa_tdls_frame *tf; 2685 2686 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2687 buf, len); 2688 2689 if (sm->tdls_disabled || !sm->tdls_supported) { 2690 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2691 "or unsupported by driver"); 2692 return; 2693 } 2694 2695 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2696 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2697 return; 2698 } 2699 2700 if (len < sizeof(*tf)) { 2701 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2702 return; 2703 } 2704 2705 /* Check to make sure its a valid encapsulated TDLS frame */ 2706 tf = (struct wpa_tdls_frame *) buf; 2707 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2708 tf->category != WLAN_ACTION_TDLS) { 2709 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2710 "category=%u action=%u", 2711 tf->payloadtype, tf->category, tf->action); 2712 return; 2713 } 2714 2715 switch (tf->action) { 2716 case WLAN_TDLS_SETUP_REQUEST: 2717 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2718 break; 2719 case WLAN_TDLS_SETUP_RESPONSE: 2720 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2721 break; 2722 case WLAN_TDLS_SETUP_CONFIRM: 2723 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2724 break; 2725 case WLAN_TDLS_TEARDOWN: 2726 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2727 break; 2728 case WLAN_TDLS_DISCOVERY_REQUEST: 2729 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2730 break; 2731 default: 2732 /* Kernel code will process remaining frames */ 2733 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2734 tf->action); 2735 break; 2736 } 2737 } 2738 2739 2740 /** 2741 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2742 * @wpa_s: Pointer to wpa_supplicant data 2743 * Returns: 0 on success, -1 on failure 2744 * 2745 * This function is called to initialize driver interface parameters for TDLS. 2746 * wpa_drv_init() must have been called before this function to initialize the 2747 * driver interface. 2748 */ 2749 int wpa_tdls_init(struct wpa_sm *sm) 2750 { 2751 if (sm == NULL) 2752 return -1; 2753 2754 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2755 sm->ifname, 2756 sm->own_addr, 2757 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2758 sm, 0); 2759 if (sm->l2_tdls == NULL) { 2760 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2761 "connection"); 2762 return -1; 2763 } 2764 2765 /* 2766 * Drivers that support TDLS but don't implement the get_capa callback 2767 * are assumed to perform everything internally 2768 */ 2769 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2770 &sm->tdls_external_setup, 2771 &sm->tdls_chan_switch) < 0) { 2772 sm->tdls_supported = 1; 2773 sm->tdls_external_setup = 0; 2774 } 2775 2776 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2777 "driver", sm->tdls_supported ? "" : " not"); 2778 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2779 sm->tdls_external_setup ? "external" : "internal"); 2780 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2781 sm->tdls_chan_switch ? "supports" : "does not support"); 2782 2783 return 0; 2784 } 2785 2786 2787 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2788 { 2789 struct wpa_tdls_peer *peer, *tmp; 2790 2791 if (!sm) 2792 return; 2793 peer = sm->tdls; 2794 2795 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2796 2797 while (peer) { 2798 tmp = peer->next; 2799 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2800 MAC2STR(peer->addr)); 2801 if (sm->tdls_external_setup) 2802 wpa_tdls_do_teardown(sm, peer, 2803 WLAN_REASON_DEAUTH_LEAVING); 2804 else 2805 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2806 2807 peer = tmp; 2808 } 2809 } 2810 2811 2812 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2813 { 2814 struct wpa_tdls_peer *peer, *tmp; 2815 2816 peer = sm->tdls; 2817 2818 while (peer) { 2819 int res; 2820 tmp = peer->next; 2821 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2822 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2823 MAC2STR(peer->addr), res); 2824 wpa_tdls_peer_free(sm, peer); 2825 peer = tmp; 2826 } 2827 } 2828 2829 2830 /** 2831 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2832 * 2833 * This function is called to recover driver interface parameters for TDLS 2834 * and frees resources allocated for it. 2835 */ 2836 void wpa_tdls_deinit(struct wpa_sm *sm) 2837 { 2838 if (sm == NULL) 2839 return; 2840 2841 if (sm->l2_tdls) 2842 l2_packet_deinit(sm->l2_tdls); 2843 sm->l2_tdls = NULL; 2844 2845 wpa_tdls_remove_peers(sm); 2846 } 2847 2848 2849 void wpa_tdls_assoc(struct wpa_sm *sm) 2850 { 2851 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2852 wpa_tdls_remove_peers(sm); 2853 } 2854 2855 2856 void wpa_tdls_disassoc(struct wpa_sm *sm) 2857 { 2858 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2859 wpa_tdls_remove_peers(sm); 2860 } 2861 2862 2863 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2864 { 2865 /* bit 38 - TDLS Prohibited */ 2866 return !!(elems->ext_capab[2 + 4] & 0x40); 2867 } 2868 2869 2870 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2871 { 2872 /* bit 39 - TDLS Channel Switch Prohibited */ 2873 return !!(elems->ext_capab[2 + 4] & 0x80); 2874 } 2875 2876 2877 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2878 { 2879 struct ieee802_11_elems elems; 2880 2881 sm->tdls_prohibited = 0; 2882 sm->tdls_chan_switch_prohibited = 0; 2883 2884 if (ies == NULL || 2885 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2886 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2887 return; 2888 2889 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2890 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2891 sm->tdls_prohibited ? "prohibited" : "allowed"); 2892 sm->tdls_chan_switch_prohibited = 2893 wpa_tdls_chan_switch_prohibited(&elems); 2894 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2895 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2896 } 2897 2898 2899 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2900 { 2901 struct ieee802_11_elems elems; 2902 2903 if (ies == NULL || 2904 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2905 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2906 return; 2907 2908 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2909 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2910 "(Re)Association Response IEs"); 2911 sm->tdls_prohibited = 1; 2912 } 2913 2914 if (!sm->tdls_chan_switch_prohibited && 2915 wpa_tdls_chan_switch_prohibited(&elems)) { 2916 wpa_printf(MSG_DEBUG, 2917 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2918 sm->tdls_chan_switch_prohibited = 1; 2919 } 2920 } 2921 2922 2923 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2924 { 2925 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2926 sm->tdls_disabled = !enabled; 2927 } 2928 2929 2930 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2931 { 2932 return sm->tdls_external_setup; 2933 } 2934 2935 2936 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2937 u8 oper_class, 2938 struct hostapd_freq_params *freq_params) 2939 { 2940 struct wpa_tdls_peer *peer; 2941 int ret; 2942 2943 if (sm->tdls_disabled || !sm->tdls_supported) 2944 return -1; 2945 2946 if (!sm->tdls_chan_switch) { 2947 wpa_printf(MSG_DEBUG, 2948 "TDLS: Channel switching not supported by the driver"); 2949 return -1; 2950 } 2951 2952 if (sm->tdls_chan_switch_prohibited) { 2953 wpa_printf(MSG_DEBUG, 2954 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 2955 return -1; 2956 } 2957 2958 for (peer = sm->tdls; peer; peer = peer->next) { 2959 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2960 break; 2961 } 2962 2963 if (peer == NULL || !peer->tpk_success) { 2964 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 2965 " not found for channel switching", MAC2STR(addr)); 2966 return -1; 2967 } 2968 2969 if (peer->chan_switch_enabled) { 2970 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 2971 " already has channel switching enabled", 2972 MAC2STR(addr)); 2973 return 0; 2974 } 2975 2976 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 2977 oper_class, freq_params); 2978 if (!ret) 2979 peer->chan_switch_enabled = 1; 2980 2981 return ret; 2982 } 2983 2984 2985 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 2986 { 2987 struct wpa_tdls_peer *peer; 2988 2989 if (sm->tdls_disabled || !sm->tdls_supported) 2990 return -1; 2991 2992 for (peer = sm->tdls; peer; peer = peer->next) { 2993 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2994 break; 2995 } 2996 2997 if (!peer || !peer->chan_switch_enabled) { 2998 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 2999 MACSTR, MAC2STR(addr)); 3000 return -1; 3001 } 3002 3003 /* ignore the return value */ 3004 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3005 3006 peer->chan_switch_enabled = 0; 3007 return 0; 3008 } 3009