1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12) 39 unsigned int tdls_testing = 0; 40 #endif /* CONFIG_TDLS_TESTING */ 41 42 #define TPK_LIFETIME 43200 /* 12 hours */ 43 #define TPK_M1_RETRY_COUNT 3 44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 45 #define TPK_M2_RETRY_COUNT 10 46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 47 48 #define TDLS_MIC_LEN 16 49 50 #define TDLS_TIMEOUT_LEN 4 51 52 struct wpa_tdls_ftie { 53 u8 ie_type; /* FTIE */ 54 u8 ie_len; 55 u8 mic_ctrl[2]; 56 u8 mic[TDLS_MIC_LEN]; 57 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 58 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 59 /* followed by optional elements */ 60 } STRUCT_PACKED; 61 62 struct wpa_tdls_timeoutie { 63 u8 ie_type; /* Timeout IE */ 64 u8 ie_len; 65 u8 interval_type; 66 u8 value[TDLS_TIMEOUT_LEN]; 67 } STRUCT_PACKED; 68 69 struct wpa_tdls_lnkid { 70 u8 ie_type; /* Link Identifier IE */ 71 u8 ie_len; 72 u8 bssid[ETH_ALEN]; 73 u8 init_sta[ETH_ALEN]; 74 u8 resp_sta[ETH_ALEN]; 75 } STRUCT_PACKED; 76 77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 78 struct wpa_tdls_frame { 79 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 80 u8 category; /* Category */ 81 u8 action; /* Action (enum tdls_frame_type) */ 82 } STRUCT_PACKED; 83 84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 88 struct wpa_tdls_peer *peer); 89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 90 u16 reason_code); 91 92 93 #define TDLS_MAX_IE_LEN 80 94 #define IEEE80211_MAX_SUPP_RATES 32 95 96 struct wpa_tdls_peer { 97 struct wpa_tdls_peer *next; 98 unsigned int reconfig_key:1; 99 int initiator; /* whether this end was initiator for TDLS setup */ 100 u8 addr[ETH_ALEN]; /* other end MAC address */ 101 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 102 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 103 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 104 size_t rsnie_i_len; 105 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 106 size_t rsnie_p_len; 107 u32 lifetime; 108 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 109 u8 dtoken; 110 111 struct tpk { 112 u8 kck[16]; /* TPK-KCK */ 113 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 114 } tpk; 115 int tpk_set; 116 int tk_set; /* TPK-TK configured to the driver */ 117 int tpk_success; 118 int tpk_in_progress; 119 120 struct tpk_timer { 121 u8 dest[ETH_ALEN]; 122 int count; /* Retry Count */ 123 int timer; /* Timeout in milliseconds */ 124 u8 action_code; /* TDLS frame type */ 125 u8 dialog_token; 126 u16 status_code; 127 u32 peer_capab; 128 int buf_len; /* length of TPK message for retransmission */ 129 u8 *buf; /* buffer for TPK message */ 130 } sm_tmr; 131 132 u16 capability; 133 134 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 135 size_t supp_rates_len; 136 137 struct ieee80211_ht_capabilities *ht_capabilities; 138 struct ieee80211_vht_capabilities *vht_capabilities; 139 struct ieee80211_he_capabilities *he_capabilities; 140 size_t he_capab_len; 141 142 u8 qos_info; 143 144 u16 aid; 145 146 u8 *ext_capab; 147 size_t ext_capab_len; 148 149 u8 *supp_channels; 150 size_t supp_channels_len; 151 152 u8 *supp_oper_classes; 153 size_t supp_oper_classes_len; 154 155 u8 wmm_capable; 156 157 /* channel switch currently enabled */ 158 int chan_switch_enabled; 159 }; 160 161 162 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 163 { 164 /* 165 * Get info needed from supplicant to check if the current BSS supports 166 * security. Other than OPEN mode, rest are considered secured 167 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 168 */ 169 return sm->pairwise_cipher != WPA_CIPHER_NONE; 170 } 171 172 173 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 174 { 175 os_memcpy(pos, ie, ie_len); 176 return pos + ie_len; 177 } 178 179 180 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 181 { 182 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 183 0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) { 184 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 185 "the driver"); 186 return -1; 187 } 188 189 return 0; 190 } 191 192 193 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 194 { 195 u8 key_len; 196 u8 rsc[6]; 197 enum wpa_alg alg; 198 199 if (peer->tk_set) { 200 /* 201 * This same TPK-TK has already been configured to the driver 202 * and this new configuration attempt (likely due to an 203 * unexpected retransmitted frame) would result in clearing 204 * the TX/RX sequence number which can break security, so must 205 * not allow that to happen. 206 */ 207 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 208 " has already been configured to the driver - do not reconfigure", 209 MAC2STR(peer->addr)); 210 return -1; 211 } 212 213 os_memset(rsc, 0, 6); 214 215 switch (peer->cipher) { 216 case WPA_CIPHER_CCMP: 217 alg = WPA_ALG_CCMP; 218 key_len = 16; 219 break; 220 case WPA_CIPHER_NONE: 221 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 222 "NONE - do not use pairwise keys"); 223 return -1; 224 default: 225 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 226 sm->pairwise_cipher); 227 return -1; 228 } 229 230 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 231 MAC2STR(peer->addr)); 232 if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc), 233 peer->tpk.tk, key_len, 234 KEY_FLAG_PAIRWISE_RX_TX) < 0) { 235 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 236 "driver"); 237 return -1; 238 } 239 peer->tk_set = 1; 240 return 0; 241 } 242 243 244 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 245 u8 action_code, u8 dialog_token, 246 u16 status_code, u32 peer_capab, 247 int initiator, const u8 *buf, size_t len) 248 { 249 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 250 status_code, peer_capab, initiator, buf, 251 len); 252 } 253 254 255 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 256 u8 dialog_token, u16 status_code, u32 peer_capab, 257 int initiator, const u8 *msg, size_t msg_len) 258 { 259 struct wpa_tdls_peer *peer; 260 261 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 262 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 263 "msg_len=%u", 264 MAC2STR(dest), action_code, dialog_token, status_code, 265 peer_capab, initiator, (unsigned int) msg_len); 266 267 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 268 status_code, peer_capab, initiator, msg, 269 msg_len)) { 270 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 271 "(action_code=%u)", action_code); 272 return -1; 273 } 274 275 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 276 action_code == WLAN_TDLS_TEARDOWN || 277 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 278 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 279 return 0; /* No retries */ 280 281 for (peer = sm->tdls; peer; peer = peer->next) { 282 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 283 break; 284 } 285 286 if (peer == NULL) { 287 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 288 "retry " MACSTR, MAC2STR(dest)); 289 return 0; 290 } 291 292 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 293 294 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 295 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 296 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 297 } else { 298 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 299 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 300 } 301 302 /* Copy message to resend on timeout */ 303 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 304 peer->sm_tmr.action_code = action_code; 305 peer->sm_tmr.dialog_token = dialog_token; 306 peer->sm_tmr.status_code = status_code; 307 peer->sm_tmr.peer_capab = peer_capab; 308 peer->sm_tmr.buf_len = msg_len; 309 os_free(peer->sm_tmr.buf); 310 peer->sm_tmr.buf = os_memdup(msg, msg_len); 311 if (peer->sm_tmr.buf == NULL) 312 return -1; 313 314 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 315 "(action_code=%u)", action_code); 316 eloop_register_timeout(peer->sm_tmr.timer / 1000, 317 (peer->sm_tmr.timer % 1000) * 1000, 318 wpa_tdls_tpk_retry_timeout, sm, peer); 319 return 0; 320 } 321 322 323 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 324 u16 reason_code) 325 { 326 int ret; 327 328 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 329 /* disable the link after teardown was sent */ 330 wpa_tdls_disable_peer_link(sm, peer); 331 332 return ret; 333 } 334 335 336 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 337 { 338 339 struct wpa_sm *sm = eloop_ctx; 340 struct wpa_tdls_peer *peer = timeout_ctx; 341 342 if (peer->sm_tmr.count) { 343 peer->sm_tmr.count--; 344 345 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 346 "(action_code=%u)", 347 peer->sm_tmr.action_code); 348 349 if (peer->sm_tmr.buf == NULL) { 350 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 351 "for action_code=%u", 352 peer->sm_tmr.action_code); 353 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 354 peer); 355 return; 356 } 357 358 /* resend TPK Handshake Message to Peer */ 359 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 360 peer->sm_tmr.action_code, 361 peer->sm_tmr.dialog_token, 362 peer->sm_tmr.status_code, 363 peer->sm_tmr.peer_capab, 364 peer->initiator, 365 peer->sm_tmr.buf, 366 peer->sm_tmr.buf_len)) { 367 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 368 "transmission"); 369 } 370 371 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 372 eloop_register_timeout(peer->sm_tmr.timer / 1000, 373 (peer->sm_tmr.timer % 1000) * 1000, 374 wpa_tdls_tpk_retry_timeout, sm, peer); 375 } else { 376 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 377 378 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 379 wpa_tdls_do_teardown(sm, peer, 380 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 381 } 382 } 383 384 385 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 386 struct wpa_tdls_peer *peer, 387 u8 action_code) 388 { 389 if (action_code == peer->sm_tmr.action_code) { 390 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 391 "action_code=%u", action_code); 392 393 /* Cancel Timeout registered */ 394 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 395 396 /* free all resources meant for retry */ 397 os_free(peer->sm_tmr.buf); 398 peer->sm_tmr.buf = NULL; 399 400 peer->sm_tmr.count = 0; 401 peer->sm_tmr.timer = 0; 402 peer->sm_tmr.buf_len = 0; 403 peer->sm_tmr.action_code = 0xff; 404 } else { 405 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 406 "(Unknown action_code=%u)", action_code); 407 } 408 } 409 410 411 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 412 const u8 *own_addr, const u8 *bssid) 413 { 414 u8 key_input[SHA256_MAC_LEN]; 415 const u8 *nonce[2]; 416 size_t len[2]; 417 u8 data[3 * ETH_ALEN]; 418 419 /* IEEE Std 802.11-2016 12.7.9.2: 420 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce)) 421 * Hash = SHA-256 for TDLS 422 */ 423 len[0] = WPA_NONCE_LEN; 424 len[1] = WPA_NONCE_LEN; 425 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 426 nonce[0] = peer->inonce; 427 nonce[1] = peer->rnonce; 428 } else { 429 nonce[0] = peer->rnonce; 430 nonce[1] = peer->inonce; 431 } 432 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 433 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 434 sha256_vector(2, nonce, len, key_input); 435 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 436 key_input, SHA256_MAC_LEN); 437 438 /* 439 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK", 440 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID) 441 */ 442 443 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 444 os_memcpy(data, own_addr, ETH_ALEN); 445 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 446 } else { 447 os_memcpy(data, peer->addr, ETH_ALEN); 448 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 449 } 450 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 451 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 452 453 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 454 (u8 *) &peer->tpk, sizeof(peer->tpk)); 455 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 456 peer->tpk.kck, sizeof(peer->tpk.kck)); 457 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 458 peer->tpk.tk, sizeof(peer->tpk.tk)); 459 peer->tpk_set = 1; 460 } 461 462 463 /** 464 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 465 * @kck: TPK-KCK 466 * @lnkid: Pointer to the beginning of Link Identifier IE 467 * @rsnie: Pointer to the beginning of RSN IE used for handshake 468 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 469 * @ftie: Pointer to the beginning of FT IE 470 * @mic: Pointer for writing MIC 471 * 472 * Calculate MIC for TDLS frame. 473 */ 474 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 475 const u8 *rsnie, const u8 *timeoutie, 476 const u8 *ftie, u8 *mic) 477 { 478 u8 *buf, *pos; 479 struct wpa_tdls_ftie *_ftie; 480 const struct wpa_tdls_lnkid *_lnkid; 481 int ret; 482 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 483 2 + timeoutie[1] + 2 + ftie[1]; 484 buf = os_zalloc(len); 485 if (!buf) { 486 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 487 return -1; 488 } 489 490 pos = buf; 491 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 492 /* 1) TDLS initiator STA MAC address */ 493 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 494 pos += ETH_ALEN; 495 /* 2) TDLS responder STA MAC address */ 496 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 497 pos += ETH_ALEN; 498 /* 3) Transaction Sequence number */ 499 *pos++ = trans_seq; 500 /* 4) Link Identifier IE */ 501 os_memcpy(pos, lnkid, 2 + lnkid[1]); 502 pos += 2 + lnkid[1]; 503 /* 5) RSN IE */ 504 os_memcpy(pos, rsnie, 2 + rsnie[1]); 505 pos += 2 + rsnie[1]; 506 /* 6) Timeout Interval IE */ 507 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 508 pos += 2 + timeoutie[1]; 509 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 510 os_memcpy(pos, ftie, 2 + ftie[1]); 511 _ftie = (struct wpa_tdls_ftie *) pos; 512 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 513 pos += 2 + ftie[1]; 514 515 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 516 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 517 ret = omac1_aes_128(kck, buf, pos - buf, mic); 518 os_free(buf); 519 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 520 return ret; 521 } 522 523 524 /** 525 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 526 * @kck: TPK-KCK 527 * @trans_seq: Transaction Sequence Number (4 - Teardown) 528 * @rcode: Reason code for Teardown 529 * @dtoken: Dialog Token used for that particular link 530 * @lnkid: Pointer to the beginning of Link Identifier IE 531 * @ftie: Pointer to the beginning of FT IE 532 * @mic: Pointer for writing MIC 533 * 534 * Calculate MIC for TDLS frame. 535 */ 536 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 537 u8 dtoken, const u8 *lnkid, 538 const u8 *ftie, u8 *mic) 539 { 540 u8 *buf, *pos; 541 struct wpa_tdls_ftie *_ftie; 542 int ret; 543 int len; 544 545 if (lnkid == NULL) 546 return -1; 547 548 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 549 sizeof(trans_seq) + 2 + ftie[1]; 550 551 buf = os_zalloc(len); 552 if (!buf) { 553 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 554 return -1; 555 } 556 557 pos = buf; 558 /* 1) Link Identifier IE */ 559 os_memcpy(pos, lnkid, 2 + lnkid[1]); 560 pos += 2 + lnkid[1]; 561 /* 2) Reason Code */ 562 WPA_PUT_LE16(pos, rcode); 563 pos += sizeof(rcode); 564 /* 3) Dialog token */ 565 *pos++ = dtoken; 566 /* 4) Transaction Sequence number */ 567 *pos++ = trans_seq; 568 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 569 os_memcpy(pos, ftie, 2 + ftie[1]); 570 _ftie = (struct wpa_tdls_ftie *) pos; 571 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 572 pos += 2 + ftie[1]; 573 574 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 575 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 576 ret = omac1_aes_128(kck, buf, pos - buf, mic); 577 os_free(buf); 578 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 579 return ret; 580 } 581 582 583 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 584 struct wpa_tdls_peer *peer, 585 const u8 *lnkid, const u8 *timeoutie, 586 const struct wpa_tdls_ftie *ftie) 587 { 588 u8 mic[16]; 589 590 if (peer->tpk_set) { 591 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 592 peer->rsnie_p, timeoutie, (u8 *) ftie, 593 mic); 594 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 595 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 596 "dropping packet"); 597 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 598 ftie->mic, 16); 599 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 600 mic, 16); 601 return -1; 602 } 603 } else { 604 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 605 "TPK not set - dropping packet"); 606 return -1; 607 } 608 return 0; 609 } 610 611 612 static int wpa_supplicant_verify_tdls_mic_teardown( 613 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 614 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 615 { 616 u8 mic[16]; 617 618 if (peer->tpk_set) { 619 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 620 dtoken, lnkid, (u8 *) ftie, mic); 621 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 622 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 623 "dropping packet"); 624 return -1; 625 } 626 } else { 627 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 628 "MIC, TPK not set - dropping packet"); 629 return -1; 630 } 631 return 0; 632 } 633 634 635 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 636 { 637 struct wpa_sm *sm = eloop_ctx; 638 struct wpa_tdls_peer *peer = timeout_ctx; 639 640 /* 641 * On TPK lifetime expiration, we have an option of either tearing down 642 * the direct link or trying to re-initiate it. The selection of what 643 * to do is not strictly speaking controlled by our role in the expired 644 * link, but for now, use that to select whether to renew or tear down 645 * the link. 646 */ 647 648 if (peer->initiator) { 649 u8 addr[ETH_ALEN]; 650 651 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 652 " - try to renew", MAC2STR(peer->addr)); 653 /* cache the peer address before do_teardown */ 654 os_memcpy(addr, peer->addr, ETH_ALEN); 655 wpa_tdls_do_teardown(sm, peer, 656 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 657 wpa_tdls_start(sm, addr); 658 } else { 659 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 660 " - tear down", MAC2STR(peer->addr)); 661 wpa_tdls_do_teardown(sm, peer, 662 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 663 } 664 } 665 666 667 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 668 struct wpa_tdls_peer *peer) 669 { 670 struct wpa_tdls_peer *cur, *prev; 671 672 cur = sm->tdls; 673 prev = NULL; 674 while (cur && cur != peer) { 675 prev = cur; 676 cur = cur->next; 677 } 678 679 if (cur != peer) { 680 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 681 " to remove it from the list", 682 MAC2STR(peer->addr)); 683 return; 684 } 685 686 if (prev) 687 prev->next = peer->next; 688 else 689 sm->tdls = peer->next; 690 } 691 692 693 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 694 { 695 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 696 MAC2STR(peer->addr)); 697 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 698 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 699 peer->reconfig_key = 0; 700 peer->initiator = 0; 701 peer->tpk_in_progress = 0; 702 os_free(peer->sm_tmr.buf); 703 peer->sm_tmr.buf = NULL; 704 os_free(peer->ht_capabilities); 705 peer->ht_capabilities = NULL; 706 os_free(peer->vht_capabilities); 707 peer->vht_capabilities = NULL; 708 os_free(peer->he_capabilities); 709 peer->he_capabilities = NULL; 710 os_free(peer->ext_capab); 711 peer->ext_capab = NULL; 712 os_free(peer->supp_channels); 713 peer->supp_channels = NULL; 714 os_free(peer->supp_oper_classes); 715 peer->supp_oper_classes = NULL; 716 peer->rsnie_i_len = peer->rsnie_p_len = 0; 717 peer->cipher = 0; 718 peer->qos_info = 0; 719 peer->wmm_capable = 0; 720 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 721 peer->chan_switch_enabled = 0; 722 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 723 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 724 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 725 } 726 727 728 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 729 { 730 wpa_tdls_peer_clear(sm, peer); 731 wpa_tdls_peer_remove_from_list(sm, peer); 732 os_free(peer); 733 } 734 735 736 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 737 struct wpa_tdls_lnkid *lnkid) 738 { 739 lnkid->ie_type = WLAN_EID_LINK_ID; 740 lnkid->ie_len = 3 * ETH_ALEN; 741 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 742 if (peer->initiator) { 743 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 744 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 745 } else { 746 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 747 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 748 } 749 } 750 751 752 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 753 u16 reason_code) 754 { 755 struct wpa_tdls_peer *peer; 756 struct wpa_tdls_ftie *ftie; 757 struct wpa_tdls_lnkid lnkid; 758 u8 dialog_token; 759 u8 *rbuf, *pos; 760 int ielen; 761 762 if (sm->tdls_disabled || !sm->tdls_supported) 763 return -1; 764 765 /* Find the node and free from the list */ 766 for (peer = sm->tdls; peer; peer = peer->next) { 767 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 768 break; 769 } 770 771 if (peer == NULL) { 772 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 773 "Teardown " MACSTR, MAC2STR(addr)); 774 return 0; 775 } 776 777 /* Cancel active channel switch before teardown */ 778 if (peer->chan_switch_enabled) { 779 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 780 " to base channel", MAC2STR(addr)); 781 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 782 } 783 784 dialog_token = peer->dtoken; 785 786 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 787 MAC2STR(addr)); 788 789 ielen = 0; 790 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 791 /* To add FTIE for Teardown request and compute MIC */ 792 ielen += sizeof(*ftie); 793 #ifdef CONFIG_TDLS_TESTING 794 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 795 ielen += 170; 796 #endif /* CONFIG_TDLS_TESTING */ 797 } 798 799 rbuf = os_zalloc(ielen + 1); 800 if (rbuf == NULL) 801 return -1; 802 pos = rbuf; 803 804 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 805 goto skip_ies; 806 807 ftie = (struct wpa_tdls_ftie *) pos; 808 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 809 /* Using the recent nonce which should be for CONFIRM frame */ 810 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 811 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 812 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 813 pos = (u8 *) (ftie + 1); 814 #ifdef CONFIG_TDLS_TESTING 815 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 816 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 817 "FTIE"); 818 ftie->ie_len += 170; 819 *pos++ = 255; /* FTIE subelem */ 820 *pos++ = 168; /* FTIE subelem length */ 821 pos += 168; 822 } 823 #endif /* CONFIG_TDLS_TESTING */ 824 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 825 (u8 *) ftie, pos - (u8 *) ftie); 826 827 /* compute MIC before sending */ 828 wpa_tdls_linkid(sm, peer, &lnkid); 829 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 830 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 831 ftie->mic); 832 833 skip_ies: 834 /* TODO: register for a Timeout handler, if Teardown is not received at 835 * the other end, then try again another time */ 836 837 /* request driver to send Teardown using this FTIE */ 838 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 839 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 840 os_free(rbuf); 841 842 return 0; 843 } 844 845 846 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 847 { 848 struct wpa_tdls_peer *peer; 849 850 if (sm->tdls_disabled || !sm->tdls_supported) 851 return -1; 852 853 for (peer = sm->tdls; peer; peer = peer->next) { 854 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 855 break; 856 } 857 858 if (peer == NULL) { 859 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 860 " for link Teardown", MAC2STR(addr)); 861 return -1; 862 } 863 864 if (!peer->tpk_success) { 865 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 866 " not connected - cannot Teardown link", MAC2STR(addr)); 867 return -1; 868 } 869 870 return wpa_tdls_do_teardown(sm, peer, reason_code); 871 } 872 873 874 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 875 struct wpa_tdls_peer *peer) 876 { 877 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 878 wpa_tdls_peer_free(sm, peer); 879 } 880 881 882 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 883 { 884 struct wpa_tdls_peer *peer; 885 886 for (peer = sm->tdls; peer; peer = peer->next) { 887 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 888 break; 889 } 890 891 if (!peer || !peer->tpk_success) { 892 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 893 " not connected - cannot teardown unreachable link", 894 MAC2STR(addr)); 895 return; 896 } 897 898 if (wpa_tdls_is_external_setup(sm)) { 899 /* 900 * Get us on the base channel, disable the link, send a 901 * teardown packet through the AP, and then reset link data. 902 */ 903 if (peer->chan_switch_enabled) 904 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 905 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 906 wpa_tdls_send_teardown(sm, addr, 907 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 908 wpa_tdls_peer_free(sm, peer); 909 } else { 910 wpa_tdls_disable_peer_link(sm, peer); 911 } 912 } 913 914 915 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 916 { 917 struct wpa_tdls_peer *peer; 918 919 if (sm->tdls_disabled || !sm->tdls_supported) 920 return "disabled"; 921 922 for (peer = sm->tdls; peer; peer = peer->next) { 923 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 924 break; 925 } 926 927 if (peer == NULL) 928 return "peer does not exist"; 929 930 if (!peer->tpk_success) 931 return "peer not connected"; 932 933 return "connected"; 934 } 935 936 937 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 938 const u8 *buf, size_t len) 939 { 940 struct wpa_tdls_peer *peer = NULL; 941 struct wpa_tdls_ftie *ftie; 942 struct wpa_tdls_lnkid *lnkid; 943 struct wpa_eapol_ie_parse kde; 944 u16 reason_code; 945 const u8 *pos; 946 int ielen; 947 948 /* Find the node and free from the list */ 949 for (peer = sm->tdls; peer; peer = peer->next) { 950 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 951 break; 952 } 953 954 if (peer == NULL) { 955 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 956 "Teardown " MACSTR, MAC2STR(src_addr)); 957 return 0; 958 } 959 960 pos = buf; 961 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 962 963 reason_code = WPA_GET_LE16(pos); 964 pos += 2; 965 966 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 967 " (reason code %u)", MAC2STR(src_addr), reason_code); 968 969 ielen = len - (pos - buf); /* start of IE in buf */ 970 971 /* 972 * Don't reject the message if failing to parse IEs. The IEs we need are 973 * explicitly checked below. Some APs may add arbitrary padding to the 974 * end of short TDLS frames and that would look like invalid IEs. 975 */ 976 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 977 wpa_printf(MSG_DEBUG, 978 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 979 980 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 981 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 982 "Teardown"); 983 return -1; 984 } 985 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 986 987 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 988 goto skip_ftie; 989 990 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 991 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 992 return -1; 993 } 994 995 ftie = (struct wpa_tdls_ftie *) kde.ftie; 996 997 /* Process MIC check to see if TDLS Teardown is right */ 998 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 999 peer->dtoken, peer, 1000 (u8 *) lnkid, ftie) < 0) { 1001 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 1002 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 1003 return -1; 1004 } 1005 1006 skip_ftie: 1007 /* 1008 * Request the driver to disable the direct link and clear associated 1009 * keys. 1010 */ 1011 wpa_tdls_disable_peer_link(sm, peer); 1012 return 0; 1013 } 1014 1015 1016 /** 1017 * wpa_tdls_send_error - To send suitable TDLS status response with 1018 * appropriate status code mentioning reason for error/failure. 1019 * @dst - MAC addr of Peer station 1020 * @tdls_action - TDLS frame type for which error code is sent 1021 * @initiator - was this end the initiator of the connection 1022 * @status - status code mentioning reason 1023 */ 1024 1025 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1026 u8 tdls_action, u8 dialog_token, int initiator, 1027 u16 status) 1028 { 1029 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1030 " (action=%u status=%u)", 1031 MAC2STR(dst), tdls_action, status); 1032 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1033 0, initiator, NULL, 0); 1034 } 1035 1036 1037 static struct wpa_tdls_peer * 1038 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1039 { 1040 struct wpa_tdls_peer *peer; 1041 1042 if (existing) 1043 *existing = 0; 1044 for (peer = sm->tdls; peer; peer = peer->next) { 1045 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1046 if (existing) 1047 *existing = 1; 1048 return peer; /* re-use existing entry */ 1049 } 1050 } 1051 1052 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1053 MAC2STR(addr)); 1054 1055 peer = os_zalloc(sizeof(*peer)); 1056 if (peer == NULL) 1057 return NULL; 1058 1059 os_memcpy(peer->addr, addr, ETH_ALEN); 1060 peer->next = sm->tdls; 1061 sm->tdls = peer; 1062 1063 return peer; 1064 } 1065 1066 1067 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1068 struct wpa_tdls_peer *peer) 1069 { 1070 size_t buf_len; 1071 struct wpa_tdls_timeoutie timeoutie; 1072 u16 rsn_capab; 1073 struct wpa_tdls_ftie *ftie; 1074 u8 *rbuf, *pos, *count_pos; 1075 u16 count; 1076 struct rsn_ie_hdr *hdr; 1077 int status; 1078 1079 if (!wpa_tdls_get_privacy(sm)) { 1080 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1081 peer->rsnie_i_len = 0; 1082 goto skip_rsnie; 1083 } 1084 1085 /* 1086 * TPK Handshake Message 1: 1087 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1088 * Timeout Interval IE)) 1089 */ 1090 1091 /* Filling RSN IE */ 1092 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1093 hdr->elem_id = WLAN_EID_RSN; 1094 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1095 1096 pos = (u8 *) (hdr + 1); 1097 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1098 pos += RSN_SELECTOR_LEN; 1099 count_pos = pos; 1100 pos += 2; 1101 1102 count = 0; 1103 1104 /* 1105 * AES-CCMP is the default Encryption preferred for TDLS, so 1106 * RSN IE is filled only with CCMP CIPHER 1107 * Note: TKIP is not used to encrypt TDLS link. 1108 * 1109 * Regardless of the cipher used on the AP connection, select CCMP 1110 * here. 1111 */ 1112 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1113 pos += RSN_SELECTOR_LEN; 1114 count++; 1115 1116 WPA_PUT_LE16(count_pos, count); 1117 1118 WPA_PUT_LE16(pos, 1); 1119 pos += 2; 1120 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1121 pos += RSN_SELECTOR_LEN; 1122 1123 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1124 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1125 #ifdef CONFIG_TDLS_TESTING 1126 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1127 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1128 "testing"); 1129 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1130 } 1131 #endif /* CONFIG_TDLS_TESTING */ 1132 WPA_PUT_LE16(pos, rsn_capab); 1133 pos += 2; 1134 #ifdef CONFIG_TDLS_TESTING 1135 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1136 /* Number of PMKIDs */ 1137 *pos++ = 0x00; 1138 *pos++ = 0x00; 1139 } 1140 #endif /* CONFIG_TDLS_TESTING */ 1141 1142 hdr->len = (pos - peer->rsnie_i) - 2; 1143 peer->rsnie_i_len = pos - peer->rsnie_i; 1144 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1145 peer->rsnie_i, peer->rsnie_i_len); 1146 1147 skip_rsnie: 1148 buf_len = 0; 1149 if (wpa_tdls_get_privacy(sm)) 1150 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1151 sizeof(struct wpa_tdls_timeoutie); 1152 #ifdef CONFIG_TDLS_TESTING 1153 if (wpa_tdls_get_privacy(sm) && 1154 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1155 buf_len += 170; 1156 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1157 buf_len += sizeof(struct wpa_tdls_lnkid); 1158 #endif /* CONFIG_TDLS_TESTING */ 1159 rbuf = os_zalloc(buf_len + 1); 1160 if (rbuf == NULL) { 1161 wpa_tdls_peer_free(sm, peer); 1162 return -2; 1163 } 1164 pos = rbuf; 1165 1166 if (!wpa_tdls_get_privacy(sm)) 1167 goto skip_ies; 1168 1169 /* Initiator RSN IE */ 1170 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1171 1172 ftie = (struct wpa_tdls_ftie *) pos; 1173 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1174 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1175 1176 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1177 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1178 "TDLS: Failed to get random data for initiator Nonce"); 1179 os_free(rbuf); 1180 wpa_tdls_peer_free(sm, peer); 1181 return -2; 1182 } 1183 peer->tk_set = 0; /* A new nonce results in a new TK */ 1184 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1185 peer->inonce, WPA_NONCE_LEN); 1186 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1187 1188 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1189 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1190 1191 pos = (u8 *) (ftie + 1); 1192 1193 #ifdef CONFIG_TDLS_TESTING 1194 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1195 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1196 "FTIE"); 1197 ftie->ie_len += 170; 1198 *pos++ = 255; /* FTIE subelem */ 1199 *pos++ = 168; /* FTIE subelem length */ 1200 pos += 168; 1201 } 1202 #endif /* CONFIG_TDLS_TESTING */ 1203 1204 /* Lifetime */ 1205 peer->lifetime = TPK_LIFETIME; 1206 #ifdef CONFIG_TDLS_TESTING 1207 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1208 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1209 "lifetime"); 1210 peer->lifetime = 301; 1211 } 1212 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1213 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1214 "lifetime"); 1215 peer->lifetime = 0xffffffff; 1216 } 1217 #endif /* CONFIG_TDLS_TESTING */ 1218 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1219 sizeof(timeoutie), peer->lifetime); 1220 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1221 1222 skip_ies: 1223 1224 #ifdef CONFIG_TDLS_TESTING 1225 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1226 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1227 1228 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1229 "Link Identifier"); 1230 wpa_tdls_linkid(sm, peer, l); 1231 l->bssid[5] ^= 0x01; 1232 pos += sizeof(*l); 1233 } 1234 #endif /* CONFIG_TDLS_TESTING */ 1235 1236 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1237 "Handshake Message 1 (peer " MACSTR ")", 1238 MAC2STR(peer->addr)); 1239 1240 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1241 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1242 os_free(rbuf); 1243 1244 return status; 1245 } 1246 1247 1248 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1249 const unsigned char *src_addr, u8 dtoken, 1250 struct wpa_tdls_lnkid *lnkid, 1251 const struct wpa_tdls_peer *peer) 1252 { 1253 u8 *rbuf, *pos; 1254 size_t buf_len; 1255 u32 lifetime; 1256 struct wpa_tdls_timeoutie timeoutie; 1257 struct wpa_tdls_ftie *ftie; 1258 int status; 1259 1260 buf_len = 0; 1261 if (wpa_tdls_get_privacy(sm)) { 1262 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1263 * Lifetime */ 1264 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1265 sizeof(struct wpa_tdls_timeoutie); 1266 #ifdef CONFIG_TDLS_TESTING 1267 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1268 buf_len += 170; 1269 #endif /* CONFIG_TDLS_TESTING */ 1270 } 1271 1272 rbuf = os_zalloc(buf_len + 1); 1273 if (rbuf == NULL) 1274 return -1; 1275 pos = rbuf; 1276 1277 if (!wpa_tdls_get_privacy(sm)) 1278 goto skip_ies; 1279 1280 /* Peer RSN IE */ 1281 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1282 1283 ftie = (struct wpa_tdls_ftie *) pos; 1284 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1285 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1286 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1287 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1288 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1289 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1290 (u8 *) ftie, sizeof(*ftie)); 1291 1292 pos = (u8 *) (ftie + 1); 1293 1294 #ifdef CONFIG_TDLS_TESTING 1295 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1296 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1297 "FTIE"); 1298 ftie->ie_len += 170; 1299 *pos++ = 255; /* FTIE subelem */ 1300 *pos++ = 168; /* FTIE subelem length */ 1301 pos += 168; 1302 } 1303 #endif /* CONFIG_TDLS_TESTING */ 1304 1305 /* Lifetime */ 1306 lifetime = peer->lifetime; 1307 #ifdef CONFIG_TDLS_TESTING 1308 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1309 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1310 "lifetime in response"); 1311 lifetime++; 1312 } 1313 #endif /* CONFIG_TDLS_TESTING */ 1314 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1315 sizeof(timeoutie), lifetime); 1316 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1317 lifetime); 1318 1319 /* compute MIC before sending */ 1320 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1321 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1322 #ifdef CONFIG_TDLS_TESTING 1323 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1324 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1325 ftie->mic[0] ^= 0x01; 1326 } 1327 #endif /* CONFIG_TDLS_TESTING */ 1328 1329 skip_ies: 1330 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1331 dtoken, 0, 0, peer->initiator, rbuf, 1332 pos - rbuf); 1333 os_free(rbuf); 1334 1335 return status; 1336 } 1337 1338 1339 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1340 const unsigned char *src_addr, u8 dtoken, 1341 struct wpa_tdls_lnkid *lnkid, 1342 const struct wpa_tdls_peer *peer) 1343 { 1344 u8 *rbuf, *pos; 1345 size_t buf_len; 1346 struct wpa_tdls_ftie *ftie; 1347 struct wpa_tdls_timeoutie timeoutie; 1348 u32 lifetime; 1349 int status; 1350 u32 peer_capab = 0; 1351 1352 buf_len = 0; 1353 if (wpa_tdls_get_privacy(sm)) { 1354 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1355 * Lifetime */ 1356 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1357 sizeof(struct wpa_tdls_timeoutie); 1358 #ifdef CONFIG_TDLS_TESTING 1359 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1360 buf_len += 170; 1361 #endif /* CONFIG_TDLS_TESTING */ 1362 } 1363 1364 rbuf = os_zalloc(buf_len + 1); 1365 if (rbuf == NULL) 1366 return -1; 1367 pos = rbuf; 1368 1369 if (!wpa_tdls_get_privacy(sm)) 1370 goto skip_ies; 1371 1372 /* Peer RSN IE */ 1373 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1374 1375 ftie = (struct wpa_tdls_ftie *) pos; 1376 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1377 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1378 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1379 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1380 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1381 1382 pos = (u8 *) (ftie + 1); 1383 1384 #ifdef CONFIG_TDLS_TESTING 1385 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1386 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1387 "FTIE"); 1388 ftie->ie_len += 170; 1389 *pos++ = 255; /* FTIE subelem */ 1390 *pos++ = 168; /* FTIE subelem length */ 1391 pos += 168; 1392 } 1393 #endif /* CONFIG_TDLS_TESTING */ 1394 1395 /* Lifetime */ 1396 lifetime = peer->lifetime; 1397 #ifdef CONFIG_TDLS_TESTING 1398 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1399 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1400 "lifetime in confirm"); 1401 lifetime++; 1402 } 1403 #endif /* CONFIG_TDLS_TESTING */ 1404 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1405 sizeof(timeoutie), lifetime); 1406 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1407 lifetime); 1408 1409 /* compute MIC before sending */ 1410 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1411 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1412 #ifdef CONFIG_TDLS_TESTING 1413 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1414 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1415 ftie->mic[0] ^= 0x01; 1416 } 1417 #endif /* CONFIG_TDLS_TESTING */ 1418 1419 skip_ies: 1420 1421 if (peer->he_capabilities) 1422 peer_capab |= TDLS_PEER_HE; 1423 if (peer->vht_capabilities) 1424 peer_capab |= TDLS_PEER_VHT; 1425 if (peer->ht_capabilities) 1426 peer_capab |= TDLS_PEER_HT; 1427 if (peer->wmm_capable) 1428 peer_capab |= TDLS_PEER_WMM; 1429 1430 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1431 dtoken, 0, peer_capab, peer->initiator, 1432 rbuf, pos - rbuf); 1433 os_free(rbuf); 1434 1435 return status; 1436 } 1437 1438 1439 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1440 struct wpa_tdls_peer *peer, 1441 u8 dialog_token) 1442 { 1443 size_t buf_len = 0; 1444 struct wpa_tdls_timeoutie timeoutie; 1445 u16 rsn_capab; 1446 u8 *rbuf, *pos, *count_pos; 1447 u16 count; 1448 struct rsn_ie_hdr *hdr; 1449 int status; 1450 1451 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1452 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1453 if (!wpa_tdls_get_privacy(sm)) 1454 goto skip_rsn_ies; 1455 1456 /* Filling RSN IE */ 1457 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1458 hdr->elem_id = WLAN_EID_RSN; 1459 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1460 pos = (u8 *) (hdr + 1); 1461 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1462 pos += RSN_SELECTOR_LEN; 1463 count_pos = pos; 1464 pos += 2; 1465 count = 0; 1466 1467 /* 1468 * AES-CCMP is the default encryption preferred for TDLS, so 1469 * RSN IE is filled only with CCMP cipher suite. 1470 * Note: TKIP is not used to encrypt TDLS link. 1471 * 1472 * Regardless of the cipher used on the AP connection, select CCMP 1473 * here. 1474 */ 1475 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1476 pos += RSN_SELECTOR_LEN; 1477 count++; 1478 WPA_PUT_LE16(count_pos, count); 1479 WPA_PUT_LE16(pos, 1); 1480 pos += 2; 1481 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1482 pos += RSN_SELECTOR_LEN; 1483 1484 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1485 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1486 WPA_PUT_LE16(pos, rsn_capab); 1487 pos += 2; 1488 hdr->len = (pos - (u8 *) hdr) - 2; 1489 peer->rsnie_i_len = pos - peer->rsnie_i; 1490 1491 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1492 (u8 *) hdr, hdr->len + 2); 1493 skip_rsn_ies: 1494 buf_len = 0; 1495 if (wpa_tdls_get_privacy(sm)) { 1496 /* Peer RSN IE, Lifetime */ 1497 buf_len += peer->rsnie_i_len + 1498 sizeof(struct wpa_tdls_timeoutie); 1499 } 1500 rbuf = os_zalloc(buf_len + 1); 1501 if (rbuf == NULL) { 1502 wpa_tdls_peer_free(sm, peer); 1503 return -1; 1504 } 1505 pos = rbuf; 1506 1507 if (!wpa_tdls_get_privacy(sm)) 1508 goto skip_ies; 1509 /* Initiator RSN IE */ 1510 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1511 /* Lifetime */ 1512 peer->lifetime = TPK_LIFETIME; 1513 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1514 sizeof(timeoutie), peer->lifetime); 1515 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1516 skip_ies: 1517 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1518 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1519 os_free(rbuf); 1520 1521 return status; 1522 } 1523 1524 1525 static int 1526 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1527 const u8 *buf, size_t len) 1528 { 1529 struct wpa_eapol_ie_parse kde; 1530 const struct wpa_tdls_lnkid *lnkid; 1531 struct wpa_tdls_peer *peer; 1532 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1533 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1534 u8 dialog_token; 1535 1536 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1537 MAC2STR(addr)); 1538 1539 if (len < min_req_len) { 1540 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1541 "%d", (int) len); 1542 return -1; 1543 } 1544 1545 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1546 1547 /* 1548 * Some APs will tack on a weird IE to the end of a TDLS 1549 * discovery request packet. This needn't fail the response, 1550 * since the required IE are verified separately. 1551 */ 1552 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1553 len - (sizeof(struct wpa_tdls_frame) + 1), 1554 &kde) < 0) { 1555 wpa_printf(MSG_DEBUG, 1556 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1557 } 1558 1559 if (!kde.lnkid) { 1560 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1561 "Request"); 1562 return -1; 1563 } 1564 1565 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1566 1567 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1568 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1569 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1570 return -1; 1571 } 1572 1573 peer = wpa_tdls_add_peer(sm, addr, NULL); 1574 if (peer == NULL) 1575 return -1; 1576 1577 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1578 } 1579 1580 1581 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1582 { 1583 if (sm->tdls_disabled || !sm->tdls_supported) 1584 return -1; 1585 1586 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1587 MACSTR, MAC2STR(addr)); 1588 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1589 1, 0, 0, 1, NULL, 0); 1590 } 1591 1592 1593 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1594 struct wpa_tdls_peer *peer) 1595 { 1596 if (!kde->supp_rates) { 1597 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1598 return -1; 1599 } 1600 peer->supp_rates_len = merge_byte_arrays( 1601 peer->supp_rates, sizeof(peer->supp_rates), 1602 kde->supp_rates + 2, kde->supp_rates_len - 2, 1603 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1604 kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0); 1605 return 0; 1606 } 1607 1608 1609 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1610 struct wpa_tdls_peer *peer) 1611 { 1612 if (!kde->ht_capabilities) { 1613 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1614 "received"); 1615 return 0; 1616 } 1617 1618 if (!peer->ht_capabilities) { 1619 peer->ht_capabilities = 1620 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1621 if (peer->ht_capabilities == NULL) 1622 return -1; 1623 } 1624 1625 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1626 sizeof(struct ieee80211_ht_capabilities)); 1627 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1628 (u8 *) peer->ht_capabilities, 1629 sizeof(struct ieee80211_ht_capabilities)); 1630 1631 return 0; 1632 } 1633 1634 1635 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1636 struct wpa_tdls_peer *peer) 1637 { 1638 if (!kde->vht_capabilities) { 1639 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1640 "received"); 1641 return 0; 1642 } 1643 1644 if (!peer->vht_capabilities) { 1645 peer->vht_capabilities = 1646 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1647 if (peer->vht_capabilities == NULL) 1648 return -1; 1649 } 1650 1651 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1652 sizeof(struct ieee80211_vht_capabilities)); 1653 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1654 (u8 *) peer->vht_capabilities, 1655 sizeof(struct ieee80211_vht_capabilities)); 1656 1657 return 0; 1658 } 1659 1660 1661 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde, 1662 struct wpa_tdls_peer *peer) 1663 { 1664 if (!kde->he_capabilities) { 1665 wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received"); 1666 return 0; 1667 } 1668 1669 os_free(peer->he_capabilities); 1670 peer->he_capab_len = 0; 1671 peer->he_capabilities = os_memdup(kde->he_capabilities, 1672 kde->he_capab_len); 1673 if (!peer->he_capabilities) 1674 return -1; 1675 1676 peer->he_capab_len = kde->he_capab_len; 1677 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities", 1678 peer->he_capabilities, peer->he_capab_len); 1679 1680 return 0; 1681 } 1682 1683 1684 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1685 struct wpa_tdls_peer *peer) 1686 { 1687 if (!kde->ext_capab) { 1688 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1689 "received"); 1690 return 0; 1691 } 1692 1693 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1694 /* Need to allocate buffer to fit the new information */ 1695 os_free(peer->ext_capab); 1696 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1697 if (peer->ext_capab == NULL) 1698 return -1; 1699 } 1700 1701 peer->ext_capab_len = kde->ext_capab_len - 2; 1702 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1703 1704 return 0; 1705 } 1706 1707 1708 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1709 struct wpa_tdls_peer *peer) 1710 { 1711 struct wmm_information_element *wmm; 1712 1713 if (!kde->wmm) { 1714 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1715 return 0; 1716 } 1717 1718 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1719 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1720 return -1; 1721 } 1722 1723 wmm = (struct wmm_information_element *) kde->wmm; 1724 peer->qos_info = wmm->qos_info; 1725 1726 peer->wmm_capable = 1; 1727 1728 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1729 return 0; 1730 } 1731 1732 1733 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1734 struct wpa_tdls_peer *peer) 1735 { 1736 if (!kde->supp_channels) { 1737 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1738 return 0; 1739 } 1740 1741 if (!peer->supp_channels || 1742 peer->supp_channels_len < kde->supp_channels_len) { 1743 os_free(peer->supp_channels); 1744 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1745 if (peer->supp_channels == NULL) 1746 return -1; 1747 } 1748 1749 peer->supp_channels_len = kde->supp_channels_len; 1750 1751 os_memcpy(peer->supp_channels, kde->supp_channels, 1752 peer->supp_channels_len); 1753 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1754 (u8 *) peer->supp_channels, peer->supp_channels_len); 1755 return 0; 1756 } 1757 1758 1759 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1760 struct wpa_tdls_peer *peer) 1761 { 1762 if (!kde->supp_oper_classes) { 1763 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1764 return 0; 1765 } 1766 1767 if (!peer->supp_oper_classes || 1768 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1769 os_free(peer->supp_oper_classes); 1770 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1771 if (peer->supp_oper_classes == NULL) 1772 return -1; 1773 } 1774 1775 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1776 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1777 peer->supp_oper_classes_len); 1778 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1779 (u8 *) peer->supp_oper_classes, 1780 peer->supp_oper_classes_len); 1781 return 0; 1782 } 1783 1784 1785 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1786 int add) 1787 { 1788 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1789 peer->capability, 1790 peer->supp_rates, peer->supp_rates_len, 1791 peer->ht_capabilities, 1792 peer->vht_capabilities, 1793 peer->he_capabilities, 1794 peer->he_capab_len, 1795 peer->qos_info, peer->wmm_capable, 1796 peer->ext_capab, peer->ext_capab_len, 1797 peer->supp_channels, 1798 peer->supp_channels_len, 1799 peer->supp_oper_classes, 1800 peer->supp_oper_classes_len); 1801 } 1802 1803 1804 static int tdls_nonce_set(const u8 *nonce) 1805 { 1806 int i; 1807 1808 for (i = 0; i < WPA_NONCE_LEN; i++) { 1809 if (nonce[i]) 1810 return 1; 1811 } 1812 1813 return 0; 1814 } 1815 1816 1817 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1818 const u8 *buf, size_t len) 1819 { 1820 struct wpa_tdls_peer *peer; 1821 struct wpa_eapol_ie_parse kde; 1822 struct wpa_ie_data ie; 1823 int cipher; 1824 const u8 *cpos; 1825 struct wpa_tdls_ftie *ftie = NULL; 1826 struct wpa_tdls_timeoutie *timeoutie; 1827 struct wpa_tdls_lnkid *lnkid; 1828 u32 lifetime = 0; 1829 #if 0 1830 struct rsn_ie_hdr *hdr; 1831 u8 *pos; 1832 u16 rsn_capab; 1833 u16 rsn_ver; 1834 #endif 1835 u8 dtoken; 1836 u16 ielen; 1837 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1838 int tdls_prohibited = sm->tdls_prohibited; 1839 int existing_peer = 0; 1840 1841 if (len < 3 + 3) 1842 return -1; 1843 1844 cpos = buf; 1845 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1846 1847 /* driver had already verified the frame format */ 1848 dtoken = *cpos++; /* dialog token */ 1849 1850 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1851 1852 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1853 if (peer == NULL) 1854 goto error; 1855 1856 /* If found, use existing entry instead of adding a new one; 1857 * how to handle the case where both ends initiate at the 1858 * same time? */ 1859 if (existing_peer) { 1860 if (peer->tpk_success) { 1861 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1862 "direct link is enabled - tear down the " 1863 "old link first"); 1864 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1865 wpa_tdls_peer_clear(sm, peer); 1866 } else if (peer->initiator) { 1867 /* 1868 * An entry is already present, so check if we already 1869 * sent a TDLS Setup Request. If so, compare MAC 1870 * addresses and let the STA with the lower MAC address 1871 * continue as the initiator. The other negotiation is 1872 * terminated. 1873 */ 1874 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1875 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1876 "from peer with higher address " 1877 MACSTR, MAC2STR(src_addr)); 1878 return -1; 1879 } else { 1880 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1881 "from peer with lower address " 1882 MACSTR " (terminate previously " 1883 "initiated negotiation", 1884 MAC2STR(src_addr)); 1885 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1886 peer->addr); 1887 wpa_tdls_peer_clear(sm, peer); 1888 } 1889 } 1890 } 1891 1892 /* capability information */ 1893 peer->capability = WPA_GET_LE16(cpos); 1894 cpos += 2; 1895 1896 ielen = len - (cpos - buf); /* start of IE in buf */ 1897 1898 /* 1899 * Don't reject the message if failing to parse IEs. The IEs we need are 1900 * explicitly checked below. Some APs may add arbitrary padding to the 1901 * end of short TDLS frames and that would look like invalid IEs. 1902 */ 1903 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1904 wpa_printf(MSG_DEBUG, 1905 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1906 1907 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1908 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1909 "TPK M1"); 1910 goto error; 1911 } 1912 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1913 kde.lnkid, kde.lnkid_len); 1914 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1915 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1916 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1917 status = WLAN_STATUS_REQUEST_DECLINED; 1918 goto error; 1919 } 1920 1921 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1922 MAC2STR(src_addr)); 1923 1924 if (copy_supp_rates(&kde, peer) < 0) 1925 goto error; 1926 1927 if (copy_peer_ht_capab(&kde, peer) < 0) 1928 goto error; 1929 1930 if (copy_peer_vht_capab(&kde, peer) < 0 || 1931 copy_peer_he_capab(&kde, peer) < 0) 1932 goto error; 1933 1934 if (copy_peer_ext_capab(&kde, peer) < 0) 1935 goto error; 1936 1937 if (copy_peer_supp_channels(&kde, peer) < 0) 1938 goto error; 1939 1940 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1941 goto error; 1942 1943 peer->qos_info = kde.qosinfo; 1944 1945 /* Overwrite with the qos_info obtained in WMM IE */ 1946 if (copy_peer_wmm_capab(&kde, peer) < 0) 1947 goto error; 1948 1949 peer->aid = kde.aid; 1950 1951 #ifdef CONFIG_TDLS_TESTING 1952 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1953 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1954 if (peer == NULL) 1955 goto error; 1956 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1957 "TDLS setup - send own request"); 1958 peer->initiator = 1; 1959 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1960 NULL, NULL, 0, 0, 0, NULL, 0, NULL, 0, 1961 NULL, 0); 1962 if (wpa_tdls_send_tpk_m1(sm, peer) == -2) { 1963 peer = NULL; 1964 goto error; 1965 } 1966 } 1967 1968 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1969 tdls_prohibited) { 1970 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1971 "on TDLS"); 1972 tdls_prohibited = 0; 1973 } 1974 #endif /* CONFIG_TDLS_TESTING */ 1975 1976 if (tdls_prohibited) { 1977 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1978 status = WLAN_STATUS_REQUEST_DECLINED; 1979 goto error; 1980 } 1981 1982 if (!wpa_tdls_get_privacy(sm)) { 1983 if (kde.rsn_ie) { 1984 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1985 "security is disabled"); 1986 status = WLAN_STATUS_SECURITY_DISABLED; 1987 goto error; 1988 } 1989 goto skip_rsn; 1990 } 1991 1992 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1993 kde.rsn_ie == NULL) { 1994 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1995 status = WLAN_STATUS_INVALID_PARAMETERS; 1996 goto error; 1997 } 1998 1999 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2000 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 2001 "TPK M1"); 2002 status = WLAN_STATUS_INVALID_RSNIE; 2003 goto error; 2004 } 2005 2006 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2007 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 2008 status = WLAN_STATUS_INVALID_RSNIE; 2009 goto error; 2010 } 2011 2012 cipher = ie.pairwise_cipher; 2013 if (cipher & WPA_CIPHER_CCMP) { 2014 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2015 cipher = WPA_CIPHER_CCMP; 2016 } else { 2017 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 2018 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2019 goto error; 2020 } 2021 2022 if ((ie.capabilities & 2023 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 2024 WPA_CAPABILITY_PEERKEY_ENABLED) { 2025 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 2026 "TPK M1"); 2027 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 2028 goto error; 2029 } 2030 2031 /* Lifetime */ 2032 if (kde.key_lifetime == NULL) { 2033 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 2034 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2035 goto error; 2036 } 2037 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2038 lifetime = WPA_GET_LE32(timeoutie->value); 2039 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 2040 if (lifetime < 300) { 2041 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2042 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2043 goto error; 2044 } 2045 2046 skip_rsn: 2047 #ifdef CONFIG_TDLS_TESTING 2048 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2049 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2050 /* 2051 * The request frame from us is going to win, so do not 2052 * replace information based on this request frame from 2053 * the peer. 2054 */ 2055 goto skip_rsn_check; 2056 } 2057 } 2058 #endif /* CONFIG_TDLS_TESTING */ 2059 2060 peer->initiator = 0; /* Need to check */ 2061 peer->dtoken = dtoken; 2062 2063 if (!wpa_tdls_get_privacy(sm)) { 2064 peer->rsnie_i_len = 0; 2065 peer->rsnie_p_len = 0; 2066 peer->cipher = WPA_CIPHER_NONE; 2067 goto skip_rsn_check; 2068 } 2069 2070 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2071 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2072 peer->rsnie_i_len = kde.rsn_ie_len; 2073 peer->cipher = cipher; 2074 2075 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2076 !tdls_nonce_set(peer->inonce)) { 2077 /* 2078 * There is no point in updating the RNonce for every obtained 2079 * TPK M1 frame (e.g., retransmission due to timeout) with the 2080 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2081 * retransmitted with a different INonce, update the RNonce 2082 * since this is for a new TDLS session. 2083 */ 2084 wpa_printf(MSG_DEBUG, 2085 "TDLS: New TPK M1 INonce - generate new RNonce"); 2086 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2087 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2088 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2089 "TDLS: Failed to get random data for responder nonce"); 2090 goto error; 2091 } 2092 peer->tk_set = 0; /* A new nonce results in a new TK */ 2093 } 2094 2095 #if 0 2096 /* get version info from RSNIE received from Peer */ 2097 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2098 rsn_ver = WPA_GET_LE16(hdr->version); 2099 2100 /* use min(peer's version, out version) */ 2101 if (rsn_ver > RSN_VERSION) 2102 rsn_ver = RSN_VERSION; 2103 2104 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2105 2106 hdr->elem_id = WLAN_EID_RSN; 2107 WPA_PUT_LE16(hdr->version, rsn_ver); 2108 pos = (u8 *) (hdr + 1); 2109 2110 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2111 pos += RSN_SELECTOR_LEN; 2112 /* Include only the selected cipher in pairwise cipher suite */ 2113 WPA_PUT_LE16(pos, 1); 2114 pos += 2; 2115 if (cipher == WPA_CIPHER_CCMP) 2116 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2117 pos += RSN_SELECTOR_LEN; 2118 2119 WPA_PUT_LE16(pos, 1); 2120 pos += 2; 2121 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2122 pos += RSN_SELECTOR_LEN; 2123 2124 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2125 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2126 WPA_PUT_LE16(pos, rsn_capab); 2127 pos += 2; 2128 2129 hdr->len = (pos - peer->rsnie_p) - 2; 2130 peer->rsnie_p_len = pos - peer->rsnie_p; 2131 #endif 2132 2133 /* temp fix: validation of RSNIE later */ 2134 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2135 peer->rsnie_p_len = peer->rsnie_i_len; 2136 2137 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2138 peer->rsnie_p, peer->rsnie_p_len); 2139 2140 peer->lifetime = lifetime; 2141 2142 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2143 2144 skip_rsn_check: 2145 #ifdef CONFIG_TDLS_TESTING 2146 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2147 goto skip_add_peer; 2148 #endif /* CONFIG_TDLS_TESTING */ 2149 2150 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2151 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2152 goto error; 2153 2154 #ifdef CONFIG_TDLS_TESTING 2155 skip_add_peer: 2156 #endif /* CONFIG_TDLS_TESTING */ 2157 peer->tpk_in_progress = 1; 2158 2159 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2160 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2161 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2162 goto error; 2163 } 2164 2165 #ifdef CONFIG_TDLS_TESTING 2166 if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) { 2167 wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2"); 2168 wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer); 2169 } 2170 #endif /* CONFIG_TDLS_TESTING */ 2171 2172 return 0; 2173 2174 error: 2175 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2176 status); 2177 if (peer) 2178 wpa_tdls_peer_free(sm, peer); 2179 return -1; 2180 } 2181 2182 2183 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2184 { 2185 peer->tpk_success = 1; 2186 peer->tpk_in_progress = 0; 2187 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2188 if (wpa_tdls_get_privacy(sm)) { 2189 u32 lifetime = peer->lifetime; 2190 /* 2191 * Start the initiator process a bit earlier to avoid race 2192 * condition with the responder sending teardown request. 2193 */ 2194 if (lifetime > 3 && peer->initiator) 2195 lifetime -= 3; 2196 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2197 sm, peer); 2198 #ifdef CONFIG_TDLS_TESTING 2199 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2200 wpa_printf(MSG_DEBUG, 2201 "TDLS: Testing - disable TPK expiration"); 2202 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2203 } 2204 #endif /* CONFIG_TDLS_TESTING */ 2205 } 2206 2207 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2208 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2209 "driver"); 2210 return -1; 2211 } 2212 peer->reconfig_key = 0; 2213 2214 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2215 } 2216 2217 2218 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2219 const u8 *buf, size_t len) 2220 { 2221 struct wpa_tdls_peer *peer; 2222 struct wpa_eapol_ie_parse kde; 2223 struct wpa_ie_data ie; 2224 int cipher; 2225 struct wpa_tdls_ftie *ftie; 2226 struct wpa_tdls_timeoutie *timeoutie; 2227 struct wpa_tdls_lnkid *lnkid; 2228 u32 lifetime; 2229 u8 dtoken; 2230 int ielen; 2231 u16 status; 2232 const u8 *pos; 2233 int ret = 0; 2234 2235 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2236 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2237 for (peer = sm->tdls; peer; peer = peer->next) { 2238 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2239 break; 2240 } 2241 if (peer == NULL) { 2242 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2243 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2244 return -1; 2245 } 2246 if (!peer->initiator) { 2247 /* 2248 * This may happen if both devices try to initiate TDLS at the 2249 * same time and we accept the TPK M1 from the peer in 2250 * wpa_tdls_process_tpk_m1() and clear our previous state. 2251 */ 2252 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2253 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2254 return -1; 2255 } 2256 2257 if (peer->tpk_success) { 2258 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2259 MACSTR " as TPK M3 was already sent", 2260 MAC2STR(src_addr)); 2261 return 0; 2262 } 2263 2264 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2265 2266 if (len < 3 + 2 + 1) { 2267 wpa_tdls_disable_peer_link(sm, peer); 2268 return -1; 2269 } 2270 2271 pos = buf; 2272 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2273 status = WPA_GET_LE16(pos); 2274 pos += 2 /* status code */; 2275 2276 if (status != WLAN_STATUS_SUCCESS) { 2277 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2278 status); 2279 wpa_tdls_disable_peer_link(sm, peer); 2280 return -1; 2281 } 2282 2283 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2284 2285 /* TODO: need to verify dialog token matches here or in kernel */ 2286 dtoken = *pos++; /* dialog token */ 2287 2288 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2289 2290 if (len < 3 + 2 + 1 + 2) { 2291 wpa_tdls_disable_peer_link(sm, peer); 2292 return -1; 2293 } 2294 2295 /* capability information */ 2296 peer->capability = WPA_GET_LE16(pos); 2297 pos += 2; 2298 2299 ielen = len - (pos - buf); /* start of IE in buf */ 2300 2301 /* 2302 * Don't reject the message if failing to parse IEs. The IEs we need are 2303 * explicitly checked below. Some APs may add arbitrary padding to the 2304 * end of short TDLS frames and that would look like invalid IEs. 2305 */ 2306 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2307 wpa_printf(MSG_DEBUG, 2308 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2309 2310 #ifdef CONFIG_TDLS_TESTING 2311 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2312 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2313 status = WLAN_STATUS_REQUEST_DECLINED; 2314 goto error; 2315 } 2316 #endif /* CONFIG_TDLS_TESTING */ 2317 2318 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2319 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2320 "TPK M2"); 2321 goto error; 2322 } 2323 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2324 kde.lnkid, kde.lnkid_len); 2325 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2326 2327 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2328 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2329 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2330 goto error; 2331 } 2332 2333 if (copy_supp_rates(&kde, peer) < 0) 2334 goto error; 2335 2336 if (copy_peer_ht_capab(&kde, peer) < 0) 2337 goto error; 2338 2339 if (copy_peer_vht_capab(&kde, peer) < 0 || 2340 copy_peer_he_capab(&kde, peer) < 0) 2341 goto error; 2342 2343 if (copy_peer_ext_capab(&kde, peer) < 0) 2344 goto error; 2345 2346 if (copy_peer_supp_channels(&kde, peer) < 0) 2347 goto error; 2348 2349 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2350 goto error; 2351 2352 peer->qos_info = kde.qosinfo; 2353 2354 /* Overwrite with the qos_info obtained in WMM IE */ 2355 if (copy_peer_wmm_capab(&kde, peer) < 0) 2356 goto error; 2357 2358 peer->aid = kde.aid; 2359 2360 if (!wpa_tdls_get_privacy(sm)) { 2361 peer->rsnie_p_len = 0; 2362 peer->cipher = WPA_CIPHER_NONE; 2363 goto skip_rsn; 2364 } 2365 2366 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2367 kde.rsn_ie == NULL) { 2368 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2369 status = WLAN_STATUS_INVALID_PARAMETERS; 2370 goto error; 2371 } 2372 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2373 kde.rsn_ie, kde.rsn_ie_len); 2374 2375 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2376 wpa_printf(MSG_INFO, 2377 "TDLS: Too long Responder RSN IE in TPK M2"); 2378 status = WLAN_STATUS_INVALID_RSNIE; 2379 goto error; 2380 } 2381 2382 /* 2383 * FIX: bitwise comparison of RSN IE is not the correct way of 2384 * validation this. It can be different, but certain fields must 2385 * match. Since we list only a single pairwise cipher in TPK M1, the 2386 * memcmp is likely to work in most cases, though. 2387 */ 2388 if (kde.rsn_ie_len != peer->rsnie_i_len || 2389 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2390 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2391 "not match with RSN IE used in TPK M1"); 2392 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2393 peer->rsnie_i, peer->rsnie_i_len); 2394 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2395 kde.rsn_ie, kde.rsn_ie_len); 2396 status = WLAN_STATUS_INVALID_RSNIE; 2397 goto error; 2398 } 2399 2400 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2401 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2402 status = WLAN_STATUS_INVALID_RSNIE; 2403 goto error; 2404 } 2405 2406 cipher = ie.pairwise_cipher; 2407 if (cipher == WPA_CIPHER_CCMP) { 2408 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2409 cipher = WPA_CIPHER_CCMP; 2410 } else { 2411 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2412 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2413 goto error; 2414 } 2415 2416 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2417 kde.ftie, sizeof(*ftie)); 2418 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2419 2420 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2421 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2422 "not match with FTIE SNonce used in TPK M1"); 2423 /* Silently discard the frame */ 2424 return -1; 2425 } 2426 2427 /* Responder Nonce and RSN IE */ 2428 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2429 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2430 peer->rsnie_p_len = kde.rsn_ie_len; 2431 peer->cipher = cipher; 2432 2433 /* Lifetime */ 2434 if (kde.key_lifetime == NULL) { 2435 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2436 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2437 goto error; 2438 } 2439 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2440 lifetime = WPA_GET_LE32(timeoutie->value); 2441 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2442 lifetime); 2443 if (lifetime != peer->lifetime) { 2444 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2445 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2446 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2447 goto error; 2448 } 2449 2450 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2451 2452 /* Process MIC check to see if TPK M2 is right */ 2453 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2454 (u8 *) timeoutie, ftie) < 0) { 2455 /* Discard the frame */ 2456 wpa_tdls_del_key(sm, peer); 2457 wpa_tdls_disable_peer_link(sm, peer); 2458 return -1; 2459 } 2460 2461 if (wpa_tdls_set_key(sm, peer) < 0) { 2462 /* 2463 * Some drivers may not be able to config the key prior to full 2464 * STA entry having been configured. 2465 */ 2466 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2467 "STA entry is complete"); 2468 peer->reconfig_key = 1; 2469 } 2470 2471 skip_rsn: 2472 peer->dtoken = dtoken; 2473 2474 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2475 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2476 goto error; 2477 2478 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2479 "TPK Handshake Message 3"); 2480 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2481 goto error_no_msg; 2482 2483 if (!peer->tpk_success) { 2484 /* 2485 * Enable Link only when tpk_success is 0, signifying that this 2486 * processing of TPK M2 frame is not because of a retransmission 2487 * during TDLS setup handshake. 2488 */ 2489 ret = wpa_tdls_enable_link(sm, peer); 2490 if (ret < 0) { 2491 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2492 wpa_tdls_do_teardown( 2493 sm, peer, 2494 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2495 } 2496 } 2497 return ret; 2498 2499 error: 2500 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2501 status); 2502 error_no_msg: 2503 wpa_tdls_disable_peer_link(sm, peer); 2504 return -1; 2505 } 2506 2507 2508 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2509 const u8 *buf, size_t len) 2510 { 2511 struct wpa_tdls_peer *peer; 2512 struct wpa_eapol_ie_parse kde; 2513 struct wpa_tdls_ftie *ftie; 2514 struct wpa_tdls_timeoutie *timeoutie; 2515 struct wpa_tdls_lnkid *lnkid; 2516 int ielen; 2517 u16 status; 2518 const u8 *pos; 2519 u32 lifetime; 2520 int ret = 0; 2521 2522 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2523 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2524 for (peer = sm->tdls; peer; peer = peer->next) { 2525 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2526 break; 2527 } 2528 if (peer == NULL) { 2529 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2530 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2531 return -1; 2532 } 2533 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2534 2535 if (len < 3 + 3) 2536 goto error; 2537 pos = buf; 2538 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2539 2540 status = WPA_GET_LE16(pos); 2541 2542 if (status != 0) { 2543 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2544 status); 2545 goto error; 2546 } 2547 pos += 2 /* status code */ + 1 /* dialog token */; 2548 2549 ielen = len - (pos - buf); /* start of IE in buf */ 2550 2551 /* 2552 * Don't reject the message if failing to parse IEs. The IEs we need are 2553 * explicitly checked below. Some APs piggy-back broken IEs to the end 2554 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2555 * this error. 2556 */ 2557 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2558 wpa_printf(MSG_DEBUG, 2559 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2560 } 2561 2562 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2563 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2564 goto error; 2565 } 2566 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2567 (u8 *) kde.lnkid, kde.lnkid_len); 2568 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2569 2570 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2571 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2572 goto error; 2573 } 2574 2575 if (!wpa_tdls_get_privacy(sm)) 2576 goto skip_rsn; 2577 2578 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2579 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2580 goto error; 2581 } 2582 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2583 kde.ftie, sizeof(*ftie)); 2584 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2585 2586 if (kde.rsn_ie == NULL) { 2587 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2588 goto error; 2589 } 2590 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2591 kde.rsn_ie, kde.rsn_ie_len); 2592 if (kde.rsn_ie_len != peer->rsnie_p_len || 2593 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2594 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2595 "with the one sent in TPK M2"); 2596 goto error; 2597 } 2598 2599 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2600 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2601 "not match with FTIE ANonce used in TPK M2"); 2602 goto error; 2603 } 2604 2605 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2606 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2607 "match with FTIE SNonce used in TPK M1"); 2608 goto error; 2609 } 2610 2611 if (kde.key_lifetime == NULL) { 2612 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2613 goto error; 2614 } 2615 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2616 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2617 (u8 *) timeoutie, sizeof(*timeoutie)); 2618 lifetime = WPA_GET_LE32(timeoutie->value); 2619 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2620 lifetime); 2621 if (lifetime != peer->lifetime) { 2622 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2623 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2624 goto error; 2625 } 2626 2627 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2628 (u8 *) timeoutie, ftie) < 0) { 2629 wpa_tdls_del_key(sm, peer); 2630 goto error; 2631 } 2632 2633 if (wpa_tdls_set_key(sm, peer) < 0) { 2634 /* 2635 * Some drivers may not be able to config the key prior to full 2636 * STA entry having been configured. 2637 */ 2638 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2639 "STA entry is complete"); 2640 peer->reconfig_key = 1; 2641 } 2642 2643 skip_rsn: 2644 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2645 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2646 goto error; 2647 2648 if (!peer->tpk_success) { 2649 /* 2650 * Enable Link only when tpk_success is 0, signifying that this 2651 * processing of TPK M3 frame is not because of a retransmission 2652 * during TDLS setup handshake. 2653 */ 2654 ret = wpa_tdls_enable_link(sm, peer); 2655 if (ret < 0) { 2656 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2657 goto error; 2658 } 2659 } 2660 return ret; 2661 error: 2662 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2663 return -1; 2664 } 2665 2666 2667 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2668 { 2669 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2670 2671 os_memset(lifetime, 0, ie_len); 2672 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2673 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2674 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2675 WPA_PUT_LE32(lifetime->value, tsecs); 2676 os_memcpy(pos, ie, ie_len); 2677 return pos + ie_len; 2678 } 2679 2680 2681 /** 2682 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2683 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2684 * @peer: MAC address of the peer STA 2685 * Returns: 0 on success, or -1 on failure 2686 * 2687 * Send TPK Handshake Message 1 info to driver to start TDLS 2688 * handshake with the peer. 2689 */ 2690 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2691 { 2692 struct wpa_tdls_peer *peer; 2693 int tdls_prohibited = sm->tdls_prohibited; 2694 int res; 2695 2696 if (sm->tdls_disabled || !sm->tdls_supported) 2697 return -1; 2698 2699 #ifdef CONFIG_TDLS_TESTING 2700 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2701 tdls_prohibited) { 2702 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2703 "on TDLS"); 2704 tdls_prohibited = 0; 2705 } 2706 #endif /* CONFIG_TDLS_TESTING */ 2707 2708 if (tdls_prohibited) { 2709 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2710 "reject request to start setup"); 2711 return -1; 2712 } 2713 2714 peer = wpa_tdls_add_peer(sm, addr, NULL); 2715 if (peer == NULL) 2716 return -1; 2717 2718 if (peer->tpk_in_progress) { 2719 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2720 return 0; 2721 } 2722 2723 peer->initiator = 1; 2724 2725 /* add the peer to the driver as a "setup in progress" peer */ 2726 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2727 NULL, NULL, 0, 0, 0, NULL, 0, NULL, 0, 2728 NULL, 0)) { 2729 wpa_tdls_disable_peer_link(sm, peer); 2730 return -1; 2731 } 2732 2733 peer->tpk_in_progress = 1; 2734 2735 res = wpa_tdls_send_tpk_m1(sm, peer); 2736 if (res < 0) { 2737 if (res != -2) 2738 wpa_tdls_disable_peer_link(sm, peer); 2739 return -1; 2740 } 2741 2742 return 0; 2743 } 2744 2745 2746 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2747 { 2748 struct wpa_tdls_peer *peer; 2749 2750 if (sm->tdls_disabled || !sm->tdls_supported) 2751 return; 2752 2753 for (peer = sm->tdls; peer; peer = peer->next) { 2754 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2755 break; 2756 } 2757 2758 if (peer == NULL || !peer->tpk_success) 2759 return; 2760 2761 if (sm->tdls_external_setup) { 2762 /* 2763 * Disable previous link to allow renegotiation to be completed 2764 * on AP path. 2765 */ 2766 wpa_tdls_do_teardown(sm, peer, 2767 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2768 } 2769 } 2770 2771 2772 /** 2773 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2774 * 2775 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2776 */ 2777 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2778 const u8 *buf, size_t len) 2779 { 2780 struct wpa_sm *sm = ctx; 2781 struct wpa_tdls_frame *tf; 2782 2783 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2784 buf, len); 2785 2786 if (sm->tdls_disabled || !sm->tdls_supported) { 2787 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2788 "or unsupported by driver"); 2789 return; 2790 } 2791 2792 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2793 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2794 return; 2795 } 2796 2797 if (len < sizeof(*tf)) { 2798 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2799 return; 2800 } 2801 2802 /* Check to make sure its a valid encapsulated TDLS frame */ 2803 tf = (struct wpa_tdls_frame *) buf; 2804 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2805 tf->category != WLAN_ACTION_TDLS) { 2806 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2807 "category=%u action=%u", 2808 tf->payloadtype, tf->category, tf->action); 2809 return; 2810 } 2811 2812 switch (tf->action) { 2813 case WLAN_TDLS_SETUP_REQUEST: 2814 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2815 break; 2816 case WLAN_TDLS_SETUP_RESPONSE: 2817 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2818 break; 2819 case WLAN_TDLS_SETUP_CONFIRM: 2820 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2821 break; 2822 case WLAN_TDLS_TEARDOWN: 2823 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2824 break; 2825 case WLAN_TDLS_DISCOVERY_REQUEST: 2826 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2827 break; 2828 default: 2829 /* Kernel code will process remaining frames */ 2830 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2831 tf->action); 2832 break; 2833 } 2834 } 2835 2836 2837 /** 2838 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2839 * @wpa_s: Pointer to wpa_supplicant data 2840 * Returns: 0 on success, -1 on failure 2841 * 2842 * This function is called to initialize driver interface parameters for TDLS. 2843 * wpa_drv_init() must have been called before this function to initialize the 2844 * driver interface. 2845 */ 2846 int wpa_tdls_init(struct wpa_sm *sm) 2847 { 2848 if (sm == NULL) 2849 return -1; 2850 2851 if (sm->l2_tdls) { 2852 l2_packet_deinit(sm->l2_tdls); 2853 sm->l2_tdls = NULL; 2854 } 2855 2856 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2857 sm->ifname, 2858 sm->own_addr, 2859 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2860 sm, 0); 2861 if (sm->l2_tdls == NULL) { 2862 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2863 "connection"); 2864 return -1; 2865 } 2866 2867 /* 2868 * Drivers that support TDLS but don't implement the get_capa callback 2869 * are assumed to perform everything internally 2870 */ 2871 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2872 &sm->tdls_external_setup, 2873 &sm->tdls_chan_switch) < 0) { 2874 sm->tdls_supported = 1; 2875 sm->tdls_external_setup = 0; 2876 } 2877 2878 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2879 "driver", sm->tdls_supported ? "" : " not"); 2880 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2881 sm->tdls_external_setup ? "external" : "internal"); 2882 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2883 sm->tdls_chan_switch ? "supports" : "does not support"); 2884 2885 return 0; 2886 } 2887 2888 2889 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2890 { 2891 struct wpa_tdls_peer *peer, *tmp; 2892 2893 if (!sm) 2894 return; 2895 peer = sm->tdls; 2896 2897 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2898 2899 while (peer) { 2900 tmp = peer->next; 2901 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2902 MAC2STR(peer->addr)); 2903 if (sm->tdls_external_setup) 2904 wpa_tdls_do_teardown(sm, peer, 2905 WLAN_REASON_DEAUTH_LEAVING); 2906 else 2907 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2908 2909 peer = tmp; 2910 } 2911 } 2912 2913 2914 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2915 { 2916 struct wpa_tdls_peer *peer, *tmp; 2917 2918 peer = sm->tdls; 2919 2920 while (peer) { 2921 int res; 2922 tmp = peer->next; 2923 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2924 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2925 MAC2STR(peer->addr), res); 2926 wpa_tdls_peer_free(sm, peer); 2927 peer = tmp; 2928 } 2929 } 2930 2931 2932 /** 2933 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2934 * 2935 * This function is called to recover driver interface parameters for TDLS 2936 * and frees resources allocated for it. 2937 */ 2938 void wpa_tdls_deinit(struct wpa_sm *sm) 2939 { 2940 if (sm == NULL) 2941 return; 2942 2943 if (sm->l2_tdls) 2944 l2_packet_deinit(sm->l2_tdls); 2945 sm->l2_tdls = NULL; 2946 2947 wpa_tdls_remove_peers(sm); 2948 } 2949 2950 2951 void wpa_tdls_assoc(struct wpa_sm *sm) 2952 { 2953 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2954 wpa_tdls_remove_peers(sm); 2955 } 2956 2957 2958 void wpa_tdls_disassoc(struct wpa_sm *sm) 2959 { 2960 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2961 wpa_tdls_remove_peers(sm); 2962 } 2963 2964 2965 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2966 { 2967 /* bit 38 - TDLS Prohibited */ 2968 return !!(elems->ext_capab[4] & 0x40); 2969 } 2970 2971 2972 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2973 { 2974 /* bit 39 - TDLS Channel Switch Prohibited */ 2975 return !!(elems->ext_capab[4] & 0x80); 2976 } 2977 2978 2979 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2980 { 2981 struct ieee802_11_elems elems; 2982 2983 sm->tdls_prohibited = 0; 2984 sm->tdls_chan_switch_prohibited = 0; 2985 2986 if (ies == NULL || 2987 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2988 elems.ext_capab == NULL || elems.ext_capab_len < 5) 2989 return; 2990 2991 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2992 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2993 sm->tdls_prohibited ? "prohibited" : "allowed"); 2994 sm->tdls_chan_switch_prohibited = 2995 wpa_tdls_chan_switch_prohibited(&elems); 2996 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2997 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2998 } 2999 3000 3001 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 3002 { 3003 struct ieee802_11_elems elems; 3004 3005 if (ies == NULL || 3006 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 3007 elems.ext_capab == NULL || elems.ext_capab_len < 5) 3008 return; 3009 3010 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 3011 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 3012 "(Re)Association Response IEs"); 3013 sm->tdls_prohibited = 1; 3014 } 3015 3016 if (!sm->tdls_chan_switch_prohibited && 3017 wpa_tdls_chan_switch_prohibited(&elems)) { 3018 wpa_printf(MSG_DEBUG, 3019 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 3020 sm->tdls_chan_switch_prohibited = 1; 3021 } 3022 } 3023 3024 3025 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 3026 { 3027 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 3028 sm->tdls_disabled = !enabled; 3029 } 3030 3031 3032 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 3033 { 3034 return sm->tdls_external_setup; 3035 } 3036 3037 3038 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 3039 u8 oper_class, 3040 struct hostapd_freq_params *freq_params) 3041 { 3042 struct wpa_tdls_peer *peer; 3043 int ret; 3044 3045 if (sm->tdls_disabled || !sm->tdls_supported) 3046 return -1; 3047 3048 if (!sm->tdls_chan_switch) { 3049 wpa_printf(MSG_DEBUG, 3050 "TDLS: Channel switching not supported by the driver"); 3051 return -1; 3052 } 3053 3054 if (sm->tdls_chan_switch_prohibited) { 3055 wpa_printf(MSG_DEBUG, 3056 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 3057 return -1; 3058 } 3059 3060 for (peer = sm->tdls; peer; peer = peer->next) { 3061 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3062 break; 3063 } 3064 3065 if (peer == NULL || !peer->tpk_success) { 3066 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3067 " not found for channel switching", MAC2STR(addr)); 3068 return -1; 3069 } 3070 3071 if (peer->chan_switch_enabled) { 3072 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3073 " already has channel switching enabled", 3074 MAC2STR(addr)); 3075 return 0; 3076 } 3077 3078 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3079 oper_class, freq_params); 3080 if (!ret) 3081 peer->chan_switch_enabled = 1; 3082 3083 return ret; 3084 } 3085 3086 3087 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3088 { 3089 struct wpa_tdls_peer *peer; 3090 3091 if (sm->tdls_disabled || !sm->tdls_supported) 3092 return -1; 3093 3094 for (peer = sm->tdls; peer; peer = peer->next) { 3095 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3096 break; 3097 } 3098 3099 if (!peer || !peer->chan_switch_enabled) { 3100 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3101 MACSTR, MAC2STR(addr)); 3102 return -1; 3103 } 3104 3105 /* ignore the return value */ 3106 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3107 3108 peer->chan_switch_enabled = 0; 3109 return 0; 3110 } 3111