1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12) 39 unsigned int tdls_testing = 0; 40 #endif /* CONFIG_TDLS_TESTING */ 41 42 #define TPK_LIFETIME 43200 /* 12 hours */ 43 #define TPK_M1_RETRY_COUNT 3 44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 45 #define TPK_M2_RETRY_COUNT 10 46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 47 48 #define TDLS_MIC_LEN 16 49 50 #define TDLS_TIMEOUT_LEN 4 51 52 struct wpa_tdls_ftie { 53 u8 ie_type; /* FTIE */ 54 u8 ie_len; 55 u8 mic_ctrl[2]; 56 u8 mic[TDLS_MIC_LEN]; 57 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 58 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 59 /* followed by optional elements */ 60 } STRUCT_PACKED; 61 62 struct wpa_tdls_timeoutie { 63 u8 ie_type; /* Timeout IE */ 64 u8 ie_len; 65 u8 interval_type; 66 u8 value[TDLS_TIMEOUT_LEN]; 67 } STRUCT_PACKED; 68 69 struct wpa_tdls_lnkid { 70 u8 ie_type; /* Link Identifier IE */ 71 u8 ie_len; 72 u8 bssid[ETH_ALEN]; 73 u8 init_sta[ETH_ALEN]; 74 u8 resp_sta[ETH_ALEN]; 75 } STRUCT_PACKED; 76 77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 78 struct wpa_tdls_frame { 79 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 80 u8 category; /* Category */ 81 u8 action; /* Action (enum tdls_frame_type) */ 82 } STRUCT_PACKED; 83 84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 88 struct wpa_tdls_peer *peer); 89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 90 u16 reason_code); 91 92 93 #define TDLS_MAX_IE_LEN 80 94 #define IEEE80211_MAX_SUPP_RATES 32 95 96 struct wpa_tdls_peer { 97 struct wpa_tdls_peer *next; 98 unsigned int reconfig_key:1; 99 int initiator; /* whether this end was initiator for TDLS setup */ 100 u8 addr[ETH_ALEN]; /* other end MAC address */ 101 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 102 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 103 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 104 size_t rsnie_i_len; 105 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 106 size_t rsnie_p_len; 107 u32 lifetime; 108 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 109 u8 dtoken; 110 111 struct tpk { 112 u8 kck[16]; /* TPK-KCK */ 113 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 114 } tpk; 115 int tpk_set; 116 int tk_set; /* TPK-TK configured to the driver */ 117 int tpk_success; 118 int tpk_in_progress; 119 120 struct tpk_timer { 121 u8 dest[ETH_ALEN]; 122 int count; /* Retry Count */ 123 int timer; /* Timeout in milliseconds */ 124 u8 action_code; /* TDLS frame type */ 125 u8 dialog_token; 126 u16 status_code; 127 u32 peer_capab; 128 int buf_len; /* length of TPK message for retransmission */ 129 u8 *buf; /* buffer for TPK message */ 130 } sm_tmr; 131 132 u16 capability; 133 134 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 135 size_t supp_rates_len; 136 137 struct ieee80211_ht_capabilities *ht_capabilities; 138 struct ieee80211_vht_capabilities *vht_capabilities; 139 struct ieee80211_he_capabilities *he_capabilities; 140 size_t he_capab_len; 141 struct ieee80211_he_6ghz_band_cap *he_6ghz_band_capabilities; 142 143 u8 qos_info; 144 145 u16 aid; 146 147 u8 *ext_capab; 148 size_t ext_capab_len; 149 150 u8 *supp_channels; 151 size_t supp_channels_len; 152 153 u8 *supp_oper_classes; 154 size_t supp_oper_classes_len; 155 156 u8 wmm_capable; 157 158 /* channel switch currently enabled */ 159 int chan_switch_enabled; 160 }; 161 162 163 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 164 { 165 /* 166 * Get info needed from supplicant to check if the current BSS supports 167 * security. Other than OPEN mode, rest are considered secured 168 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 169 */ 170 return sm->pairwise_cipher != WPA_CIPHER_NONE; 171 } 172 173 174 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 175 { 176 os_memcpy(pos, ie, ie_len); 177 return pos + ie_len; 178 } 179 180 181 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 182 { 183 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 184 0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) { 185 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 186 "the driver"); 187 return -1; 188 } 189 190 return 0; 191 } 192 193 194 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 195 { 196 u8 key_len; 197 u8 rsc[6]; 198 enum wpa_alg alg; 199 200 if (peer->tk_set) { 201 /* 202 * This same TPK-TK has already been configured to the driver 203 * and this new configuration attempt (likely due to an 204 * unexpected retransmitted frame) would result in clearing 205 * the TX/RX sequence number which can break security, so must 206 * not allow that to happen. 207 */ 208 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 209 " has already been configured to the driver - do not reconfigure", 210 MAC2STR(peer->addr)); 211 return -1; 212 } 213 214 os_memset(rsc, 0, 6); 215 216 switch (peer->cipher) { 217 case WPA_CIPHER_CCMP: 218 alg = WPA_ALG_CCMP; 219 key_len = 16; 220 break; 221 case WPA_CIPHER_NONE: 222 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 223 "NONE - do not use pairwise keys"); 224 return -1; 225 default: 226 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 227 sm->pairwise_cipher); 228 return -1; 229 } 230 231 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 232 MAC2STR(peer->addr)); 233 if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc), 234 peer->tpk.tk, key_len, 235 KEY_FLAG_PAIRWISE_RX_TX) < 0) { 236 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 237 "driver"); 238 return -1; 239 } 240 peer->tk_set = 1; 241 return 0; 242 } 243 244 245 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 246 u8 action_code, u8 dialog_token, 247 u16 status_code, u32 peer_capab, 248 int initiator, const u8 *buf, size_t len) 249 { 250 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 251 status_code, peer_capab, initiator, buf, 252 len); 253 } 254 255 256 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 257 u8 dialog_token, u16 status_code, u32 peer_capab, 258 int initiator, const u8 *msg, size_t msg_len) 259 { 260 struct wpa_tdls_peer *peer; 261 262 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 263 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 264 "msg_len=%u", 265 MAC2STR(dest), action_code, dialog_token, status_code, 266 peer_capab, initiator, (unsigned int) msg_len); 267 268 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 269 status_code, peer_capab, initiator, msg, 270 msg_len)) { 271 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 272 "(action_code=%u)", action_code); 273 return -1; 274 } 275 276 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 277 action_code == WLAN_TDLS_TEARDOWN || 278 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 279 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 280 return 0; /* No retries */ 281 282 for (peer = sm->tdls; peer; peer = peer->next) { 283 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 284 break; 285 } 286 287 if (peer == NULL) { 288 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 289 "retry " MACSTR, MAC2STR(dest)); 290 return 0; 291 } 292 293 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 294 295 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 296 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 297 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 298 } else { 299 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 300 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 301 } 302 303 /* Copy message to resend on timeout */ 304 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 305 peer->sm_tmr.action_code = action_code; 306 peer->sm_tmr.dialog_token = dialog_token; 307 peer->sm_tmr.status_code = status_code; 308 peer->sm_tmr.peer_capab = peer_capab; 309 peer->sm_tmr.buf_len = msg_len; 310 os_free(peer->sm_tmr.buf); 311 peer->sm_tmr.buf = os_memdup(msg, msg_len); 312 if (peer->sm_tmr.buf == NULL) 313 return -1; 314 315 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 316 "(action_code=%u)", action_code); 317 eloop_register_timeout(peer->sm_tmr.timer / 1000, 318 (peer->sm_tmr.timer % 1000) * 1000, 319 wpa_tdls_tpk_retry_timeout, sm, peer); 320 return 0; 321 } 322 323 324 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 325 u16 reason_code) 326 { 327 int ret; 328 329 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 330 /* disable the link after teardown was sent */ 331 wpa_tdls_disable_peer_link(sm, peer); 332 333 return ret; 334 } 335 336 337 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 338 { 339 340 struct wpa_sm *sm = eloop_ctx; 341 struct wpa_tdls_peer *peer = timeout_ctx; 342 343 if (peer->sm_tmr.count) { 344 peer->sm_tmr.count--; 345 346 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 347 "(action_code=%u)", 348 peer->sm_tmr.action_code); 349 350 if (peer->sm_tmr.buf == NULL) { 351 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 352 "for action_code=%u", 353 peer->sm_tmr.action_code); 354 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 355 peer); 356 return; 357 } 358 359 /* resend TPK Handshake Message to Peer */ 360 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 361 peer->sm_tmr.action_code, 362 peer->sm_tmr.dialog_token, 363 peer->sm_tmr.status_code, 364 peer->sm_tmr.peer_capab, 365 peer->initiator, 366 peer->sm_tmr.buf, 367 peer->sm_tmr.buf_len)) { 368 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 369 "transmission"); 370 } 371 372 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 373 eloop_register_timeout(peer->sm_tmr.timer / 1000, 374 (peer->sm_tmr.timer % 1000) * 1000, 375 wpa_tdls_tpk_retry_timeout, sm, peer); 376 } else { 377 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 378 379 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 380 wpa_tdls_do_teardown(sm, peer, 381 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 382 } 383 } 384 385 386 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 387 struct wpa_tdls_peer *peer, 388 u8 action_code) 389 { 390 if (action_code == peer->sm_tmr.action_code) { 391 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 392 "action_code=%u", action_code); 393 394 /* Cancel Timeout registered */ 395 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 396 397 /* free all resources meant for retry */ 398 os_free(peer->sm_tmr.buf); 399 peer->sm_tmr.buf = NULL; 400 401 peer->sm_tmr.count = 0; 402 peer->sm_tmr.timer = 0; 403 peer->sm_tmr.buf_len = 0; 404 peer->sm_tmr.action_code = 0xff; 405 } else { 406 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 407 "(Unknown action_code=%u)", action_code); 408 } 409 } 410 411 412 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 413 const u8 *own_addr, const u8 *bssid) 414 { 415 u8 key_input[SHA256_MAC_LEN]; 416 const u8 *nonce[2]; 417 size_t len[2]; 418 u8 data[3 * ETH_ALEN]; 419 420 /* IEEE Std 802.11-2016 12.7.9.2: 421 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce)) 422 * Hash = SHA-256 for TDLS 423 */ 424 len[0] = WPA_NONCE_LEN; 425 len[1] = WPA_NONCE_LEN; 426 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 427 nonce[0] = peer->inonce; 428 nonce[1] = peer->rnonce; 429 } else { 430 nonce[0] = peer->rnonce; 431 nonce[1] = peer->inonce; 432 } 433 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 434 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 435 sha256_vector(2, nonce, len, key_input); 436 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 437 key_input, SHA256_MAC_LEN); 438 439 /* 440 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK", 441 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID) 442 */ 443 444 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 445 os_memcpy(data, own_addr, ETH_ALEN); 446 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 447 } else { 448 os_memcpy(data, peer->addr, ETH_ALEN); 449 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 450 } 451 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 452 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 453 454 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 455 (u8 *) &peer->tpk, sizeof(peer->tpk)); 456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 457 peer->tpk.kck, sizeof(peer->tpk.kck)); 458 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 459 peer->tpk.tk, sizeof(peer->tpk.tk)); 460 peer->tpk_set = 1; 461 } 462 463 464 /** 465 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 466 * @kck: TPK-KCK 467 * @lnkid: Pointer to the beginning of Link Identifier IE 468 * @rsnie: Pointer to the beginning of RSN IE used for handshake 469 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 470 * @ftie: Pointer to the beginning of FT IE 471 * @mic: Pointer for writing MIC 472 * 473 * Calculate MIC for TDLS frame. 474 */ 475 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 476 const u8 *rsnie, const u8 *timeoutie, 477 const u8 *ftie, u8 *mic) 478 { 479 u8 *buf, *pos; 480 struct wpa_tdls_ftie *_ftie; 481 const struct wpa_tdls_lnkid *_lnkid; 482 int ret; 483 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 484 2 + timeoutie[1] + 2 + ftie[1]; 485 buf = os_zalloc(len); 486 if (!buf) { 487 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 488 return -1; 489 } 490 491 pos = buf; 492 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 493 /* 1) TDLS initiator STA MAC address */ 494 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 495 pos += ETH_ALEN; 496 /* 2) TDLS responder STA MAC address */ 497 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 498 pos += ETH_ALEN; 499 /* 3) Transaction Sequence number */ 500 *pos++ = trans_seq; 501 /* 4) Link Identifier IE */ 502 os_memcpy(pos, lnkid, 2 + lnkid[1]); 503 pos += 2 + lnkid[1]; 504 /* 5) RSN IE */ 505 os_memcpy(pos, rsnie, 2 + rsnie[1]); 506 pos += 2 + rsnie[1]; 507 /* 6) Timeout Interval IE */ 508 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 509 pos += 2 + timeoutie[1]; 510 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 511 os_memcpy(pos, ftie, 2 + ftie[1]); 512 _ftie = (struct wpa_tdls_ftie *) pos; 513 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 514 pos += 2 + ftie[1]; 515 516 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 517 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 518 ret = omac1_aes_128(kck, buf, pos - buf, mic); 519 os_free(buf); 520 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 521 return ret; 522 } 523 524 525 /** 526 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 527 * @kck: TPK-KCK 528 * @trans_seq: Transaction Sequence Number (4 - Teardown) 529 * @rcode: Reason code for Teardown 530 * @dtoken: Dialog Token used for that particular link 531 * @lnkid: Pointer to the beginning of Link Identifier IE 532 * @ftie: Pointer to the beginning of FT IE 533 * @mic: Pointer for writing MIC 534 * 535 * Calculate MIC for TDLS frame. 536 */ 537 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 538 u8 dtoken, const u8 *lnkid, 539 const u8 *ftie, u8 *mic) 540 { 541 u8 *buf, *pos; 542 struct wpa_tdls_ftie *_ftie; 543 int ret; 544 int len; 545 546 if (lnkid == NULL) 547 return -1; 548 549 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 550 sizeof(trans_seq) + 2 + ftie[1]; 551 552 buf = os_zalloc(len); 553 if (!buf) { 554 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 555 return -1; 556 } 557 558 pos = buf; 559 /* 1) Link Identifier IE */ 560 os_memcpy(pos, lnkid, 2 + lnkid[1]); 561 pos += 2 + lnkid[1]; 562 /* 2) Reason Code */ 563 WPA_PUT_LE16(pos, rcode); 564 pos += sizeof(rcode); 565 /* 3) Dialog token */ 566 *pos++ = dtoken; 567 /* 4) Transaction Sequence number */ 568 *pos++ = trans_seq; 569 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 570 os_memcpy(pos, ftie, 2 + ftie[1]); 571 _ftie = (struct wpa_tdls_ftie *) pos; 572 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 573 pos += 2 + ftie[1]; 574 575 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 576 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 577 ret = omac1_aes_128(kck, buf, pos - buf, mic); 578 os_free(buf); 579 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 580 return ret; 581 } 582 583 584 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 585 struct wpa_tdls_peer *peer, 586 const u8 *lnkid, const u8 *timeoutie, 587 const struct wpa_tdls_ftie *ftie) 588 { 589 u8 mic[16]; 590 591 if (peer->tpk_set) { 592 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 593 peer->rsnie_p, timeoutie, (u8 *) ftie, 594 mic); 595 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 596 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 597 "dropping packet"); 598 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 599 ftie->mic, 16); 600 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 601 mic, 16); 602 return -1; 603 } 604 } else { 605 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 606 "TPK not set - dropping packet"); 607 return -1; 608 } 609 return 0; 610 } 611 612 613 static int wpa_supplicant_verify_tdls_mic_teardown( 614 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 615 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 616 { 617 u8 mic[16]; 618 619 if (peer->tpk_set) { 620 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 621 dtoken, lnkid, (u8 *) ftie, mic); 622 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 623 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 624 "dropping packet"); 625 return -1; 626 } 627 } else { 628 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 629 "MIC, TPK not set - dropping packet"); 630 return -1; 631 } 632 return 0; 633 } 634 635 636 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 637 { 638 struct wpa_sm *sm = eloop_ctx; 639 struct wpa_tdls_peer *peer = timeout_ctx; 640 641 /* 642 * On TPK lifetime expiration, we have an option of either tearing down 643 * the direct link or trying to re-initiate it. The selection of what 644 * to do is not strictly speaking controlled by our role in the expired 645 * link, but for now, use that to select whether to renew or tear down 646 * the link. 647 */ 648 649 if (peer->initiator) { 650 u8 addr[ETH_ALEN]; 651 652 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 653 " - try to renew", MAC2STR(peer->addr)); 654 /* cache the peer address before do_teardown */ 655 os_memcpy(addr, peer->addr, ETH_ALEN); 656 wpa_tdls_do_teardown(sm, peer, 657 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 658 wpa_tdls_start(sm, addr); 659 } else { 660 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 661 " - tear down", MAC2STR(peer->addr)); 662 wpa_tdls_do_teardown(sm, peer, 663 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 664 } 665 } 666 667 668 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 669 struct wpa_tdls_peer *peer) 670 { 671 struct wpa_tdls_peer *cur, *prev; 672 673 cur = sm->tdls; 674 prev = NULL; 675 while (cur && cur != peer) { 676 prev = cur; 677 cur = cur->next; 678 } 679 680 if (cur != peer) { 681 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 682 " to remove it from the list", 683 MAC2STR(peer->addr)); 684 return; 685 } 686 687 if (prev) 688 prev->next = peer->next; 689 else 690 sm->tdls = peer->next; 691 } 692 693 694 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 695 { 696 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 697 MAC2STR(peer->addr)); 698 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 699 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 700 peer->reconfig_key = 0; 701 peer->initiator = 0; 702 peer->tpk_in_progress = 0; 703 os_free(peer->sm_tmr.buf); 704 peer->sm_tmr.buf = NULL; 705 os_free(peer->ht_capabilities); 706 peer->ht_capabilities = NULL; 707 os_free(peer->vht_capabilities); 708 peer->vht_capabilities = NULL; 709 os_free(peer->he_capabilities); 710 peer->he_capabilities = NULL; 711 os_free(peer->he_6ghz_band_capabilities); 712 peer->he_6ghz_band_capabilities = NULL; 713 os_free(peer->ext_capab); 714 peer->ext_capab = NULL; 715 os_free(peer->supp_channels); 716 peer->supp_channels = NULL; 717 os_free(peer->supp_oper_classes); 718 peer->supp_oper_classes = NULL; 719 peer->rsnie_i_len = peer->rsnie_p_len = 0; 720 peer->cipher = 0; 721 peer->qos_info = 0; 722 peer->wmm_capable = 0; 723 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 724 peer->chan_switch_enabled = 0; 725 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 726 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 727 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 728 } 729 730 731 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 732 { 733 wpa_tdls_peer_clear(sm, peer); 734 wpa_tdls_peer_remove_from_list(sm, peer); 735 os_free(peer); 736 } 737 738 739 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 740 struct wpa_tdls_lnkid *lnkid) 741 { 742 lnkid->ie_type = WLAN_EID_LINK_ID; 743 lnkid->ie_len = 3 * ETH_ALEN; 744 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 745 if (peer->initiator) { 746 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 747 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 748 } else { 749 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 750 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 751 } 752 } 753 754 755 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 756 u16 reason_code) 757 { 758 struct wpa_tdls_peer *peer; 759 struct wpa_tdls_ftie *ftie; 760 struct wpa_tdls_lnkid lnkid; 761 u8 dialog_token; 762 u8 *rbuf, *pos; 763 int ielen; 764 765 if (sm->tdls_disabled || !sm->tdls_supported) 766 return -1; 767 768 /* Find the node and free from the list */ 769 for (peer = sm->tdls; peer; peer = peer->next) { 770 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 771 break; 772 } 773 774 if (peer == NULL) { 775 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 776 "Teardown " MACSTR, MAC2STR(addr)); 777 return 0; 778 } 779 780 /* Cancel active channel switch before teardown */ 781 if (peer->chan_switch_enabled) { 782 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 783 " to base channel", MAC2STR(addr)); 784 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 785 } 786 787 dialog_token = peer->dtoken; 788 789 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 790 MAC2STR(addr)); 791 792 ielen = 0; 793 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 794 /* To add FTIE for Teardown request and compute MIC */ 795 ielen += sizeof(*ftie); 796 #ifdef CONFIG_TDLS_TESTING 797 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 798 ielen += 170; 799 #endif /* CONFIG_TDLS_TESTING */ 800 } 801 802 rbuf = os_zalloc(ielen + 1); 803 if (rbuf == NULL) 804 return -1; 805 pos = rbuf; 806 807 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 808 goto skip_ies; 809 810 ftie = (struct wpa_tdls_ftie *) pos; 811 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 812 /* Using the recent nonce which should be for CONFIRM frame */ 813 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 814 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 815 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 816 pos = (u8 *) (ftie + 1); 817 #ifdef CONFIG_TDLS_TESTING 818 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 819 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 820 "FTIE"); 821 ftie->ie_len += 170; 822 *pos++ = 255; /* FTIE subelem */ 823 *pos++ = 168; /* FTIE subelem length */ 824 pos += 168; 825 } 826 #endif /* CONFIG_TDLS_TESTING */ 827 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 828 (u8 *) ftie, pos - (u8 *) ftie); 829 830 /* compute MIC before sending */ 831 wpa_tdls_linkid(sm, peer, &lnkid); 832 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 833 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 834 ftie->mic); 835 836 skip_ies: 837 /* TODO: register for a Timeout handler, if Teardown is not received at 838 * the other end, then try again another time */ 839 840 /* request driver to send Teardown using this FTIE */ 841 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 842 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 843 os_free(rbuf); 844 845 return 0; 846 } 847 848 849 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 850 { 851 struct wpa_tdls_peer *peer; 852 853 if (sm->tdls_disabled || !sm->tdls_supported) 854 return -1; 855 856 for (peer = sm->tdls; peer; peer = peer->next) { 857 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 858 break; 859 } 860 861 if (peer == NULL) { 862 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 863 " for link Teardown", MAC2STR(addr)); 864 return -1; 865 } 866 867 if (!peer->tpk_success) { 868 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 869 " not connected - cannot Teardown link", MAC2STR(addr)); 870 return -1; 871 } 872 873 return wpa_tdls_do_teardown(sm, peer, reason_code); 874 } 875 876 877 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 878 struct wpa_tdls_peer *peer) 879 { 880 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 881 wpa_tdls_peer_free(sm, peer); 882 } 883 884 885 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 886 { 887 struct wpa_tdls_peer *peer; 888 889 for (peer = sm->tdls; peer; peer = peer->next) { 890 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 891 break; 892 } 893 894 if (!peer || !peer->tpk_success) { 895 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 896 " not connected - cannot teardown unreachable link", 897 MAC2STR(addr)); 898 return; 899 } 900 901 if (wpa_tdls_is_external_setup(sm)) { 902 /* 903 * Get us on the base channel, disable the link, send a 904 * teardown packet through the AP, and then reset link data. 905 */ 906 if (peer->chan_switch_enabled) 907 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 908 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 909 wpa_tdls_send_teardown(sm, addr, 910 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 911 wpa_tdls_peer_free(sm, peer); 912 } else { 913 wpa_tdls_disable_peer_link(sm, peer); 914 } 915 } 916 917 918 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 919 { 920 struct wpa_tdls_peer *peer; 921 922 if (sm->tdls_disabled || !sm->tdls_supported) 923 return "disabled"; 924 925 for (peer = sm->tdls; peer; peer = peer->next) { 926 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 927 break; 928 } 929 930 if (peer == NULL) 931 return "peer does not exist"; 932 933 if (!peer->tpk_success) 934 return "peer not connected"; 935 936 return "connected"; 937 } 938 939 940 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 941 const u8 *buf, size_t len) 942 { 943 struct wpa_tdls_peer *peer = NULL; 944 struct wpa_tdls_ftie *ftie; 945 struct wpa_tdls_lnkid *lnkid; 946 struct wpa_eapol_ie_parse kde; 947 u16 reason_code; 948 const u8 *pos; 949 int ielen; 950 951 /* Find the node and free from the list */ 952 for (peer = sm->tdls; peer; peer = peer->next) { 953 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 954 break; 955 } 956 957 if (peer == NULL) { 958 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 959 "Teardown " MACSTR, MAC2STR(src_addr)); 960 return 0; 961 } 962 963 pos = buf; 964 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 965 966 reason_code = WPA_GET_LE16(pos); 967 pos += 2; 968 969 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 970 " (reason code %u)", MAC2STR(src_addr), reason_code); 971 972 ielen = len - (pos - buf); /* start of IE in buf */ 973 974 /* 975 * Don't reject the message if failing to parse IEs. The IEs we need are 976 * explicitly checked below. Some APs may add arbitrary padding to the 977 * end of short TDLS frames and that would look like invalid IEs. 978 */ 979 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 980 wpa_printf(MSG_DEBUG, 981 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 982 983 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 984 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 985 "Teardown"); 986 return -1; 987 } 988 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 989 990 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 991 goto skip_ftie; 992 993 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 994 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 995 return -1; 996 } 997 998 ftie = (struct wpa_tdls_ftie *) kde.ftie; 999 1000 /* Process MIC check to see if TDLS Teardown is right */ 1001 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 1002 peer->dtoken, peer, 1003 (u8 *) lnkid, ftie) < 0) { 1004 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 1005 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 1006 return -1; 1007 } 1008 1009 skip_ftie: 1010 /* 1011 * Request the driver to disable the direct link and clear associated 1012 * keys. 1013 */ 1014 wpa_tdls_disable_peer_link(sm, peer); 1015 return 0; 1016 } 1017 1018 1019 /** 1020 * wpa_tdls_send_error - To send suitable TDLS status response with 1021 * appropriate status code mentioning reason for error/failure. 1022 * @dst - MAC addr of Peer station 1023 * @tdls_action - TDLS frame type for which error code is sent 1024 * @initiator - was this end the initiator of the connection 1025 * @status - status code mentioning reason 1026 */ 1027 1028 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1029 u8 tdls_action, u8 dialog_token, int initiator, 1030 u16 status) 1031 { 1032 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1033 " (action=%u status=%u)", 1034 MAC2STR(dst), tdls_action, status); 1035 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1036 0, initiator, NULL, 0); 1037 } 1038 1039 1040 static struct wpa_tdls_peer * 1041 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1042 { 1043 struct wpa_tdls_peer *peer; 1044 1045 if (existing) 1046 *existing = 0; 1047 for (peer = sm->tdls; peer; peer = peer->next) { 1048 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1049 if (existing) 1050 *existing = 1; 1051 return peer; /* re-use existing entry */ 1052 } 1053 } 1054 1055 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1056 MAC2STR(addr)); 1057 1058 peer = os_zalloc(sizeof(*peer)); 1059 if (peer == NULL) 1060 return NULL; 1061 1062 os_memcpy(peer->addr, addr, ETH_ALEN); 1063 peer->next = sm->tdls; 1064 sm->tdls = peer; 1065 1066 return peer; 1067 } 1068 1069 1070 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1071 struct wpa_tdls_peer *peer) 1072 { 1073 size_t buf_len; 1074 struct wpa_tdls_timeoutie timeoutie; 1075 u16 rsn_capab; 1076 struct wpa_tdls_ftie *ftie; 1077 u8 *rbuf, *pos, *count_pos; 1078 u16 count; 1079 struct rsn_ie_hdr *hdr; 1080 int status; 1081 1082 if (!wpa_tdls_get_privacy(sm)) { 1083 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1084 peer->rsnie_i_len = 0; 1085 goto skip_rsnie; 1086 } 1087 1088 /* 1089 * TPK Handshake Message 1: 1090 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1091 * Timeout Interval IE)) 1092 */ 1093 1094 /* Filling RSN IE */ 1095 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1096 hdr->elem_id = WLAN_EID_RSN; 1097 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1098 1099 pos = (u8 *) (hdr + 1); 1100 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1101 pos += RSN_SELECTOR_LEN; 1102 count_pos = pos; 1103 pos += 2; 1104 1105 count = 0; 1106 1107 /* 1108 * AES-CCMP is the default Encryption preferred for TDLS, so 1109 * RSN IE is filled only with CCMP CIPHER 1110 * Note: TKIP is not used to encrypt TDLS link. 1111 * 1112 * Regardless of the cipher used on the AP connection, select CCMP 1113 * here. 1114 */ 1115 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1116 pos += RSN_SELECTOR_LEN; 1117 count++; 1118 1119 WPA_PUT_LE16(count_pos, count); 1120 1121 WPA_PUT_LE16(pos, 1); 1122 pos += 2; 1123 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1124 pos += RSN_SELECTOR_LEN; 1125 1126 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1127 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1128 #ifdef CONFIG_TDLS_TESTING 1129 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1130 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1131 "testing"); 1132 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1133 } 1134 #endif /* CONFIG_TDLS_TESTING */ 1135 WPA_PUT_LE16(pos, rsn_capab); 1136 pos += 2; 1137 #ifdef CONFIG_TDLS_TESTING 1138 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1139 /* Number of PMKIDs */ 1140 *pos++ = 0x00; 1141 *pos++ = 0x00; 1142 } 1143 #endif /* CONFIG_TDLS_TESTING */ 1144 1145 hdr->len = (pos - peer->rsnie_i) - 2; 1146 peer->rsnie_i_len = pos - peer->rsnie_i; 1147 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1148 peer->rsnie_i, peer->rsnie_i_len); 1149 1150 skip_rsnie: 1151 buf_len = 0; 1152 if (wpa_tdls_get_privacy(sm)) 1153 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1154 sizeof(struct wpa_tdls_timeoutie); 1155 #ifdef CONFIG_TDLS_TESTING 1156 if (wpa_tdls_get_privacy(sm) && 1157 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1158 buf_len += 170; 1159 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1160 buf_len += sizeof(struct wpa_tdls_lnkid); 1161 #endif /* CONFIG_TDLS_TESTING */ 1162 rbuf = os_zalloc(buf_len + 1); 1163 if (rbuf == NULL) { 1164 wpa_tdls_peer_free(sm, peer); 1165 return -2; 1166 } 1167 pos = rbuf; 1168 1169 if (!wpa_tdls_get_privacy(sm)) 1170 goto skip_ies; 1171 1172 /* Initiator RSN IE */ 1173 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1174 1175 ftie = (struct wpa_tdls_ftie *) pos; 1176 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1177 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1178 1179 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1180 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1181 "TDLS: Failed to get random data for initiator Nonce"); 1182 os_free(rbuf); 1183 wpa_tdls_peer_free(sm, peer); 1184 return -2; 1185 } 1186 peer->tk_set = 0; /* A new nonce results in a new TK */ 1187 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1188 peer->inonce, WPA_NONCE_LEN); 1189 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1190 1191 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1192 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1193 1194 pos = (u8 *) (ftie + 1); 1195 1196 #ifdef CONFIG_TDLS_TESTING 1197 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1198 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1199 "FTIE"); 1200 ftie->ie_len += 170; 1201 *pos++ = 255; /* FTIE subelem */ 1202 *pos++ = 168; /* FTIE subelem length */ 1203 pos += 168; 1204 } 1205 #endif /* CONFIG_TDLS_TESTING */ 1206 1207 /* Lifetime */ 1208 peer->lifetime = TPK_LIFETIME; 1209 #ifdef CONFIG_TDLS_TESTING 1210 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1211 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1212 "lifetime"); 1213 peer->lifetime = 301; 1214 } 1215 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1216 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1217 "lifetime"); 1218 peer->lifetime = 0xffffffff; 1219 } 1220 #endif /* CONFIG_TDLS_TESTING */ 1221 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1222 sizeof(timeoutie), peer->lifetime); 1223 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1224 1225 skip_ies: 1226 1227 #ifdef CONFIG_TDLS_TESTING 1228 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1229 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1230 1231 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1232 "Link Identifier"); 1233 wpa_tdls_linkid(sm, peer, l); 1234 l->bssid[5] ^= 0x01; 1235 pos += sizeof(*l); 1236 } 1237 #endif /* CONFIG_TDLS_TESTING */ 1238 1239 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1240 "Handshake Message 1 (peer " MACSTR ")", 1241 MAC2STR(peer->addr)); 1242 1243 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1244 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1245 os_free(rbuf); 1246 1247 return status; 1248 } 1249 1250 1251 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1252 const unsigned char *src_addr, u8 dtoken, 1253 struct wpa_tdls_lnkid *lnkid, 1254 const struct wpa_tdls_peer *peer) 1255 { 1256 u8 *rbuf, *pos; 1257 size_t buf_len; 1258 u32 lifetime; 1259 struct wpa_tdls_timeoutie timeoutie; 1260 struct wpa_tdls_ftie *ftie; 1261 int status; 1262 1263 buf_len = 0; 1264 if (wpa_tdls_get_privacy(sm)) { 1265 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1266 * Lifetime */ 1267 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1268 sizeof(struct wpa_tdls_timeoutie); 1269 #ifdef CONFIG_TDLS_TESTING 1270 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1271 buf_len += 170; 1272 #endif /* CONFIG_TDLS_TESTING */ 1273 } 1274 1275 rbuf = os_zalloc(buf_len + 1); 1276 if (rbuf == NULL) 1277 return -1; 1278 pos = rbuf; 1279 1280 if (!wpa_tdls_get_privacy(sm)) 1281 goto skip_ies; 1282 1283 /* Peer RSN IE */ 1284 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1285 1286 ftie = (struct wpa_tdls_ftie *) pos; 1287 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1288 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1289 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1290 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1291 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1292 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1293 (u8 *) ftie, sizeof(*ftie)); 1294 1295 pos = (u8 *) (ftie + 1); 1296 1297 #ifdef CONFIG_TDLS_TESTING 1298 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1299 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1300 "FTIE"); 1301 ftie->ie_len += 170; 1302 *pos++ = 255; /* FTIE subelem */ 1303 *pos++ = 168; /* FTIE subelem length */ 1304 pos += 168; 1305 } 1306 #endif /* CONFIG_TDLS_TESTING */ 1307 1308 /* Lifetime */ 1309 lifetime = peer->lifetime; 1310 #ifdef CONFIG_TDLS_TESTING 1311 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1312 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1313 "lifetime in response"); 1314 lifetime++; 1315 } 1316 #endif /* CONFIG_TDLS_TESTING */ 1317 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1318 sizeof(timeoutie), lifetime); 1319 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1320 lifetime); 1321 1322 /* compute MIC before sending */ 1323 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1324 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1325 #ifdef CONFIG_TDLS_TESTING 1326 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1327 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1328 ftie->mic[0] ^= 0x01; 1329 } 1330 #endif /* CONFIG_TDLS_TESTING */ 1331 1332 skip_ies: 1333 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1334 dtoken, 0, 0, peer->initiator, rbuf, 1335 pos - rbuf); 1336 os_free(rbuf); 1337 1338 return status; 1339 } 1340 1341 1342 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1343 const unsigned char *src_addr, u8 dtoken, 1344 struct wpa_tdls_lnkid *lnkid, 1345 const struct wpa_tdls_peer *peer) 1346 { 1347 u8 *rbuf, *pos; 1348 size_t buf_len; 1349 struct wpa_tdls_ftie *ftie; 1350 struct wpa_tdls_timeoutie timeoutie; 1351 u32 lifetime; 1352 int status; 1353 u32 peer_capab = 0; 1354 1355 buf_len = 0; 1356 if (wpa_tdls_get_privacy(sm)) { 1357 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1358 * Lifetime */ 1359 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1360 sizeof(struct wpa_tdls_timeoutie); 1361 #ifdef CONFIG_TDLS_TESTING 1362 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1363 buf_len += 170; 1364 #endif /* CONFIG_TDLS_TESTING */ 1365 } 1366 1367 rbuf = os_zalloc(buf_len + 1); 1368 if (rbuf == NULL) 1369 return -1; 1370 pos = rbuf; 1371 1372 if (!wpa_tdls_get_privacy(sm)) 1373 goto skip_ies; 1374 1375 /* Peer RSN IE */ 1376 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1377 1378 ftie = (struct wpa_tdls_ftie *) pos; 1379 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1380 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1381 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1382 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1383 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1384 1385 pos = (u8 *) (ftie + 1); 1386 1387 #ifdef CONFIG_TDLS_TESTING 1388 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1389 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1390 "FTIE"); 1391 ftie->ie_len += 170; 1392 *pos++ = 255; /* FTIE subelem */ 1393 *pos++ = 168; /* FTIE subelem length */ 1394 pos += 168; 1395 } 1396 #endif /* CONFIG_TDLS_TESTING */ 1397 1398 /* Lifetime */ 1399 lifetime = peer->lifetime; 1400 #ifdef CONFIG_TDLS_TESTING 1401 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1402 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1403 "lifetime in confirm"); 1404 lifetime++; 1405 } 1406 #endif /* CONFIG_TDLS_TESTING */ 1407 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1408 sizeof(timeoutie), lifetime); 1409 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1410 lifetime); 1411 1412 /* compute MIC before sending */ 1413 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1414 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1415 #ifdef CONFIG_TDLS_TESTING 1416 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1417 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1418 ftie->mic[0] ^= 0x01; 1419 } 1420 #endif /* CONFIG_TDLS_TESTING */ 1421 1422 skip_ies: 1423 1424 if (peer->he_capabilities) 1425 peer_capab |= TDLS_PEER_HE; 1426 if (peer->vht_capabilities) 1427 peer_capab |= TDLS_PEER_VHT; 1428 if (peer->ht_capabilities) 1429 peer_capab |= TDLS_PEER_HT; 1430 if (peer->wmm_capable) 1431 peer_capab |= TDLS_PEER_WMM; 1432 1433 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1434 dtoken, 0, peer_capab, peer->initiator, 1435 rbuf, pos - rbuf); 1436 os_free(rbuf); 1437 1438 return status; 1439 } 1440 1441 1442 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1443 struct wpa_tdls_peer *peer, 1444 u8 dialog_token) 1445 { 1446 size_t buf_len = 0; 1447 struct wpa_tdls_timeoutie timeoutie; 1448 u16 rsn_capab; 1449 u8 *rbuf, *pos, *count_pos; 1450 u16 count; 1451 struct rsn_ie_hdr *hdr; 1452 int status; 1453 1454 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1455 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1456 if (!wpa_tdls_get_privacy(sm)) 1457 goto skip_rsn_ies; 1458 1459 /* Filling RSN IE */ 1460 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1461 hdr->elem_id = WLAN_EID_RSN; 1462 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1463 pos = (u8 *) (hdr + 1); 1464 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1465 pos += RSN_SELECTOR_LEN; 1466 count_pos = pos; 1467 pos += 2; 1468 count = 0; 1469 1470 /* 1471 * AES-CCMP is the default encryption preferred for TDLS, so 1472 * RSN IE is filled only with CCMP cipher suite. 1473 * Note: TKIP is not used to encrypt TDLS link. 1474 * 1475 * Regardless of the cipher used on the AP connection, select CCMP 1476 * here. 1477 */ 1478 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1479 pos += RSN_SELECTOR_LEN; 1480 count++; 1481 WPA_PUT_LE16(count_pos, count); 1482 WPA_PUT_LE16(pos, 1); 1483 pos += 2; 1484 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1485 pos += RSN_SELECTOR_LEN; 1486 1487 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1488 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1489 WPA_PUT_LE16(pos, rsn_capab); 1490 pos += 2; 1491 hdr->len = (pos - (u8 *) hdr) - 2; 1492 peer->rsnie_i_len = pos - peer->rsnie_i; 1493 1494 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1495 (u8 *) hdr, hdr->len + 2); 1496 skip_rsn_ies: 1497 buf_len = 0; 1498 if (wpa_tdls_get_privacy(sm)) { 1499 /* Peer RSN IE, Lifetime */ 1500 buf_len += peer->rsnie_i_len + 1501 sizeof(struct wpa_tdls_timeoutie); 1502 } 1503 rbuf = os_zalloc(buf_len + 1); 1504 if (rbuf == NULL) { 1505 wpa_tdls_peer_free(sm, peer); 1506 return -1; 1507 } 1508 pos = rbuf; 1509 1510 if (!wpa_tdls_get_privacy(sm)) 1511 goto skip_ies; 1512 /* Initiator RSN IE */ 1513 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1514 /* Lifetime */ 1515 peer->lifetime = TPK_LIFETIME; 1516 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1517 sizeof(timeoutie), peer->lifetime); 1518 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1519 skip_ies: 1520 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1521 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1522 os_free(rbuf); 1523 1524 return status; 1525 } 1526 1527 1528 static int 1529 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1530 const u8 *buf, size_t len) 1531 { 1532 struct wpa_eapol_ie_parse kde; 1533 const struct wpa_tdls_lnkid *lnkid; 1534 struct wpa_tdls_peer *peer; 1535 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1536 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1537 u8 dialog_token; 1538 1539 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1540 MAC2STR(addr)); 1541 1542 if (len < min_req_len) { 1543 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1544 "%d", (int) len); 1545 return -1; 1546 } 1547 1548 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1549 1550 /* 1551 * Some APs will tack on a weird IE to the end of a TDLS 1552 * discovery request packet. This needn't fail the response, 1553 * since the required IE are verified separately. 1554 */ 1555 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1556 len - (sizeof(struct wpa_tdls_frame) + 1), 1557 &kde) < 0) { 1558 wpa_printf(MSG_DEBUG, 1559 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1560 } 1561 1562 if (!kde.lnkid) { 1563 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1564 "Request"); 1565 return -1; 1566 } 1567 1568 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1569 1570 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1571 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1572 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1573 return -1; 1574 } 1575 1576 peer = wpa_tdls_add_peer(sm, addr, NULL); 1577 if (peer == NULL) 1578 return -1; 1579 1580 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1581 } 1582 1583 1584 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1585 { 1586 if (sm->tdls_disabled || !sm->tdls_supported) 1587 return -1; 1588 1589 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1590 MACSTR, MAC2STR(addr)); 1591 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1592 1, 0, 0, 1, NULL, 0); 1593 } 1594 1595 1596 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1597 struct wpa_tdls_peer *peer) 1598 { 1599 if (!kde->supp_rates) { 1600 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1601 return -1; 1602 } 1603 peer->supp_rates_len = merge_byte_arrays( 1604 peer->supp_rates, sizeof(peer->supp_rates), 1605 kde->supp_rates + 2, kde->supp_rates_len - 2, 1606 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1607 kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0); 1608 return 0; 1609 } 1610 1611 1612 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1613 struct wpa_tdls_peer *peer) 1614 { 1615 if (!kde->ht_capabilities) { 1616 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1617 "received"); 1618 return 0; 1619 } 1620 1621 if (!peer->ht_capabilities) { 1622 peer->ht_capabilities = 1623 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1624 if (peer->ht_capabilities == NULL) 1625 return -1; 1626 } 1627 1628 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1629 sizeof(struct ieee80211_ht_capabilities)); 1630 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1631 (u8 *) peer->ht_capabilities, 1632 sizeof(struct ieee80211_ht_capabilities)); 1633 1634 return 0; 1635 } 1636 1637 1638 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1639 struct wpa_tdls_peer *peer) 1640 { 1641 if (!kde->vht_capabilities) { 1642 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1643 "received"); 1644 return 0; 1645 } 1646 1647 if (!peer->vht_capabilities) { 1648 peer->vht_capabilities = 1649 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1650 if (peer->vht_capabilities == NULL) 1651 return -1; 1652 } 1653 1654 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1655 sizeof(struct ieee80211_vht_capabilities)); 1656 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1657 (u8 *) peer->vht_capabilities, 1658 sizeof(struct ieee80211_vht_capabilities)); 1659 1660 return 0; 1661 } 1662 1663 1664 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde, 1665 struct wpa_tdls_peer *peer) 1666 { 1667 if (!kde->he_capabilities) { 1668 wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received"); 1669 return 0; 1670 } 1671 1672 os_free(peer->he_capabilities); 1673 peer->he_capab_len = 0; 1674 peer->he_capabilities = os_memdup(kde->he_capabilities, 1675 kde->he_capab_len); 1676 if (!peer->he_capabilities) 1677 return -1; 1678 1679 peer->he_capab_len = kde->he_capab_len; 1680 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities", 1681 peer->he_capabilities, peer->he_capab_len); 1682 1683 return 0; 1684 } 1685 1686 1687 static int copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse *kde, 1688 struct wpa_tdls_peer *peer) 1689 { 1690 if (!kde->he_6ghz_capabilities) { 1691 wpa_printf(MSG_DEBUG, 1692 "TDLS: No HE 6 GHz band capabilities received"); 1693 return 0; 1694 } 1695 1696 if (!peer->he_6ghz_band_capabilities) { 1697 peer->he_6ghz_band_capabilities = 1698 os_zalloc(sizeof(struct ieee80211_he_6ghz_band_cap)); 1699 if (peer->he_6ghz_band_capabilities == NULL) 1700 return -1; 1701 } 1702 1703 os_memcpy(peer->he_6ghz_band_capabilities, kde->he_6ghz_capabilities, 1704 sizeof(struct ieee80211_he_6ghz_band_cap)); 1705 1706 wpa_hexdump(MSG_DEBUG, "TDLS: Peer 6 GHz band HE capabilities", 1707 peer->he_6ghz_band_capabilities, 1708 sizeof(struct ieee80211_he_6ghz_band_cap)); 1709 1710 return 0; 1711 } 1712 1713 1714 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1715 struct wpa_tdls_peer *peer) 1716 { 1717 if (!kde->ext_capab) { 1718 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1719 "received"); 1720 return 0; 1721 } 1722 1723 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1724 /* Need to allocate buffer to fit the new information */ 1725 os_free(peer->ext_capab); 1726 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1727 if (peer->ext_capab == NULL) 1728 return -1; 1729 } 1730 1731 peer->ext_capab_len = kde->ext_capab_len - 2; 1732 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1733 1734 return 0; 1735 } 1736 1737 1738 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1739 struct wpa_tdls_peer *peer) 1740 { 1741 struct wmm_information_element *wmm; 1742 1743 if (!kde->wmm) { 1744 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1745 return 0; 1746 } 1747 1748 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1749 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1750 return -1; 1751 } 1752 1753 wmm = (struct wmm_information_element *) kde->wmm; 1754 peer->qos_info = wmm->qos_info; 1755 1756 peer->wmm_capable = 1; 1757 1758 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1759 return 0; 1760 } 1761 1762 1763 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1764 struct wpa_tdls_peer *peer) 1765 { 1766 if (!kde->supp_channels) { 1767 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1768 return 0; 1769 } 1770 1771 if (!peer->supp_channels || 1772 peer->supp_channels_len < kde->supp_channels_len) { 1773 os_free(peer->supp_channels); 1774 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1775 if (peer->supp_channels == NULL) 1776 return -1; 1777 } 1778 1779 peer->supp_channels_len = kde->supp_channels_len; 1780 1781 os_memcpy(peer->supp_channels, kde->supp_channels, 1782 peer->supp_channels_len); 1783 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1784 (u8 *) peer->supp_channels, peer->supp_channels_len); 1785 return 0; 1786 } 1787 1788 1789 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1790 struct wpa_tdls_peer *peer) 1791 { 1792 if (!kde->supp_oper_classes) { 1793 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1794 return 0; 1795 } 1796 1797 if (!peer->supp_oper_classes || 1798 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1799 os_free(peer->supp_oper_classes); 1800 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1801 if (peer->supp_oper_classes == NULL) 1802 return -1; 1803 } 1804 1805 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1806 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1807 peer->supp_oper_classes_len); 1808 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1809 (u8 *) peer->supp_oper_classes, 1810 peer->supp_oper_classes_len); 1811 return 0; 1812 } 1813 1814 1815 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1816 int add) 1817 { 1818 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1819 peer->capability, 1820 peer->supp_rates, peer->supp_rates_len, 1821 peer->ht_capabilities, 1822 peer->vht_capabilities, 1823 peer->he_capabilities, 1824 peer->he_capab_len, 1825 peer->he_6ghz_band_capabilities, 1826 peer->qos_info, peer->wmm_capable, 1827 peer->ext_capab, peer->ext_capab_len, 1828 peer->supp_channels, 1829 peer->supp_channels_len, 1830 peer->supp_oper_classes, 1831 peer->supp_oper_classes_len); 1832 } 1833 1834 1835 static int tdls_nonce_set(const u8 *nonce) 1836 { 1837 int i; 1838 1839 for (i = 0; i < WPA_NONCE_LEN; i++) { 1840 if (nonce[i]) 1841 return 1; 1842 } 1843 1844 return 0; 1845 } 1846 1847 1848 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1849 const u8 *buf, size_t len) 1850 { 1851 struct wpa_tdls_peer *peer; 1852 struct wpa_eapol_ie_parse kde; 1853 struct wpa_ie_data ie; 1854 int cipher; 1855 const u8 *cpos; 1856 struct wpa_tdls_ftie *ftie = NULL; 1857 struct wpa_tdls_timeoutie *timeoutie; 1858 struct wpa_tdls_lnkid *lnkid; 1859 u32 lifetime = 0; 1860 #if 0 1861 struct rsn_ie_hdr *hdr; 1862 u8 *pos; 1863 u16 rsn_capab; 1864 u16 rsn_ver; 1865 #endif 1866 u8 dtoken; 1867 u16 ielen; 1868 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1869 int tdls_prohibited = sm->tdls_prohibited; 1870 int existing_peer = 0; 1871 1872 if (len < 3 + 3) 1873 return -1; 1874 1875 cpos = buf; 1876 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1877 1878 /* driver had already verified the frame format */ 1879 dtoken = *cpos++; /* dialog token */ 1880 1881 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1882 1883 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1884 if (peer == NULL) 1885 goto error; 1886 1887 /* If found, use existing entry instead of adding a new one; 1888 * how to handle the case where both ends initiate at the 1889 * same time? */ 1890 if (existing_peer) { 1891 if (peer->tpk_success) { 1892 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1893 "direct link is enabled - tear down the " 1894 "old link first"); 1895 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1896 wpa_tdls_peer_clear(sm, peer); 1897 } else if (peer->initiator) { 1898 /* 1899 * An entry is already present, so check if we already 1900 * sent a TDLS Setup Request. If so, compare MAC 1901 * addresses and let the STA with the lower MAC address 1902 * continue as the initiator. The other negotiation is 1903 * terminated. 1904 */ 1905 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1906 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1907 "from peer with higher address " 1908 MACSTR, MAC2STR(src_addr)); 1909 return -1; 1910 } else { 1911 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1912 "from peer with lower address " 1913 MACSTR " (terminate previously " 1914 "initiated negotiation", 1915 MAC2STR(src_addr)); 1916 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1917 peer->addr); 1918 wpa_tdls_peer_clear(sm, peer); 1919 } 1920 } 1921 } 1922 1923 /* capability information */ 1924 peer->capability = WPA_GET_LE16(cpos); 1925 cpos += 2; 1926 1927 ielen = len - (cpos - buf); /* start of IE in buf */ 1928 1929 /* 1930 * Don't reject the message if failing to parse IEs. The IEs we need are 1931 * explicitly checked below. Some APs may add arbitrary padding to the 1932 * end of short TDLS frames and that would look like invalid IEs. 1933 */ 1934 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1935 wpa_printf(MSG_DEBUG, 1936 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1937 1938 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1939 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1940 "TPK M1"); 1941 goto error; 1942 } 1943 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1944 kde.lnkid, kde.lnkid_len); 1945 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1946 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1947 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1948 status = WLAN_STATUS_REQUEST_DECLINED; 1949 goto error; 1950 } 1951 1952 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1953 MAC2STR(src_addr)); 1954 1955 if (copy_supp_rates(&kde, peer) < 0) 1956 goto error; 1957 1958 if (copy_peer_ht_capab(&kde, peer) < 0) 1959 goto error; 1960 1961 if (copy_peer_vht_capab(&kde, peer) < 0 || 1962 copy_peer_he_capab(&kde, peer) < 0 || 1963 copy_peer_he_6ghz_band_capab(&kde, peer) < 0) 1964 goto error; 1965 1966 if (copy_peer_ext_capab(&kde, peer) < 0) 1967 goto error; 1968 1969 if (copy_peer_supp_channels(&kde, peer) < 0) 1970 goto error; 1971 1972 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1973 goto error; 1974 1975 peer->qos_info = kde.qosinfo; 1976 1977 /* Overwrite with the qos_info obtained in WMM IE */ 1978 if (copy_peer_wmm_capab(&kde, peer) < 0) 1979 goto error; 1980 1981 peer->aid = kde.aid; 1982 1983 #ifdef CONFIG_TDLS_TESTING 1984 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1985 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1986 if (peer == NULL) 1987 goto error; 1988 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1989 "TDLS setup - send own request"); 1990 peer->initiator = 1; 1991 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1992 NULL, NULL, 0, NULL, 0, 0, NULL, 0, 1993 NULL, 0, NULL, 0); 1994 if (wpa_tdls_send_tpk_m1(sm, peer) == -2) { 1995 peer = NULL; 1996 goto error; 1997 } 1998 } 1999 2000 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2001 tdls_prohibited) { 2002 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2003 "on TDLS"); 2004 tdls_prohibited = 0; 2005 } 2006 #endif /* CONFIG_TDLS_TESTING */ 2007 2008 if (tdls_prohibited) { 2009 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 2010 status = WLAN_STATUS_REQUEST_DECLINED; 2011 goto error; 2012 } 2013 2014 if (!wpa_tdls_get_privacy(sm)) { 2015 if (kde.rsn_ie) { 2016 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 2017 "security is disabled"); 2018 status = WLAN_STATUS_SECURITY_DISABLED; 2019 goto error; 2020 } 2021 goto skip_rsn; 2022 } 2023 2024 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2025 kde.rsn_ie == NULL) { 2026 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 2027 status = WLAN_STATUS_INVALID_PARAMETERS; 2028 goto error; 2029 } 2030 2031 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2032 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 2033 "TPK M1"); 2034 status = WLAN_STATUS_INVALID_RSNIE; 2035 goto error; 2036 } 2037 2038 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2039 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 2040 status = WLAN_STATUS_INVALID_RSNIE; 2041 goto error; 2042 } 2043 2044 cipher = ie.pairwise_cipher; 2045 if (cipher & WPA_CIPHER_CCMP) { 2046 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2047 cipher = WPA_CIPHER_CCMP; 2048 } else { 2049 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 2050 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2051 goto error; 2052 } 2053 2054 if ((ie.capabilities & 2055 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 2056 WPA_CAPABILITY_PEERKEY_ENABLED) { 2057 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 2058 "TPK M1"); 2059 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 2060 goto error; 2061 } 2062 2063 /* Lifetime */ 2064 if (kde.key_lifetime == NULL) { 2065 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 2066 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2067 goto error; 2068 } 2069 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2070 lifetime = WPA_GET_LE32(timeoutie->value); 2071 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 2072 if (lifetime < 300) { 2073 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2074 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2075 goto error; 2076 } 2077 2078 skip_rsn: 2079 #ifdef CONFIG_TDLS_TESTING 2080 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2081 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2082 /* 2083 * The request frame from us is going to win, so do not 2084 * replace information based on this request frame from 2085 * the peer. 2086 */ 2087 goto skip_rsn_check; 2088 } 2089 } 2090 #endif /* CONFIG_TDLS_TESTING */ 2091 2092 peer->initiator = 0; /* Need to check */ 2093 peer->dtoken = dtoken; 2094 2095 if (!wpa_tdls_get_privacy(sm)) { 2096 peer->rsnie_i_len = 0; 2097 peer->rsnie_p_len = 0; 2098 peer->cipher = WPA_CIPHER_NONE; 2099 goto skip_rsn_check; 2100 } 2101 2102 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2103 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2104 peer->rsnie_i_len = kde.rsn_ie_len; 2105 peer->cipher = cipher; 2106 2107 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2108 !tdls_nonce_set(peer->inonce)) { 2109 /* 2110 * There is no point in updating the RNonce for every obtained 2111 * TPK M1 frame (e.g., retransmission due to timeout) with the 2112 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2113 * retransmitted with a different INonce, update the RNonce 2114 * since this is for a new TDLS session. 2115 */ 2116 wpa_printf(MSG_DEBUG, 2117 "TDLS: New TPK M1 INonce - generate new RNonce"); 2118 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2119 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2120 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2121 "TDLS: Failed to get random data for responder nonce"); 2122 goto error; 2123 } 2124 peer->tk_set = 0; /* A new nonce results in a new TK */ 2125 } 2126 2127 #if 0 2128 /* get version info from RSNIE received from Peer */ 2129 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2130 rsn_ver = WPA_GET_LE16(hdr->version); 2131 2132 /* use min(peer's version, out version) */ 2133 if (rsn_ver > RSN_VERSION) 2134 rsn_ver = RSN_VERSION; 2135 2136 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2137 2138 hdr->elem_id = WLAN_EID_RSN; 2139 WPA_PUT_LE16(hdr->version, rsn_ver); 2140 pos = (u8 *) (hdr + 1); 2141 2142 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2143 pos += RSN_SELECTOR_LEN; 2144 /* Include only the selected cipher in pairwise cipher suite */ 2145 WPA_PUT_LE16(pos, 1); 2146 pos += 2; 2147 if (cipher == WPA_CIPHER_CCMP) 2148 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2149 pos += RSN_SELECTOR_LEN; 2150 2151 WPA_PUT_LE16(pos, 1); 2152 pos += 2; 2153 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2154 pos += RSN_SELECTOR_LEN; 2155 2156 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2157 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2158 WPA_PUT_LE16(pos, rsn_capab); 2159 pos += 2; 2160 2161 hdr->len = (pos - peer->rsnie_p) - 2; 2162 peer->rsnie_p_len = pos - peer->rsnie_p; 2163 #endif 2164 2165 /* temp fix: validation of RSNIE later */ 2166 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2167 peer->rsnie_p_len = peer->rsnie_i_len; 2168 2169 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2170 peer->rsnie_p, peer->rsnie_p_len); 2171 2172 peer->lifetime = lifetime; 2173 2174 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2175 2176 skip_rsn_check: 2177 #ifdef CONFIG_TDLS_TESTING 2178 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2179 goto skip_add_peer; 2180 #endif /* CONFIG_TDLS_TESTING */ 2181 2182 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2183 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2184 goto error; 2185 2186 #ifdef CONFIG_TDLS_TESTING 2187 skip_add_peer: 2188 #endif /* CONFIG_TDLS_TESTING */ 2189 peer->tpk_in_progress = 1; 2190 2191 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2192 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2193 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2194 goto error; 2195 } 2196 2197 #ifdef CONFIG_TDLS_TESTING 2198 if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) { 2199 wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2"); 2200 wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer); 2201 } 2202 #endif /* CONFIG_TDLS_TESTING */ 2203 2204 return 0; 2205 2206 error: 2207 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2208 status); 2209 if (peer) 2210 wpa_tdls_peer_free(sm, peer); 2211 return -1; 2212 } 2213 2214 2215 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2216 { 2217 peer->tpk_success = 1; 2218 peer->tpk_in_progress = 0; 2219 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2220 if (wpa_tdls_get_privacy(sm)) { 2221 u32 lifetime = peer->lifetime; 2222 /* 2223 * Start the initiator process a bit earlier to avoid race 2224 * condition with the responder sending teardown request. 2225 */ 2226 if (lifetime > 3 && peer->initiator) 2227 lifetime -= 3; 2228 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2229 sm, peer); 2230 #ifdef CONFIG_TDLS_TESTING 2231 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2232 wpa_printf(MSG_DEBUG, 2233 "TDLS: Testing - disable TPK expiration"); 2234 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2235 } 2236 #endif /* CONFIG_TDLS_TESTING */ 2237 } 2238 2239 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2240 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2241 "driver"); 2242 return -1; 2243 } 2244 peer->reconfig_key = 0; 2245 2246 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2247 } 2248 2249 2250 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2251 const u8 *buf, size_t len) 2252 { 2253 struct wpa_tdls_peer *peer; 2254 struct wpa_eapol_ie_parse kde; 2255 struct wpa_ie_data ie; 2256 int cipher; 2257 struct wpa_tdls_ftie *ftie; 2258 struct wpa_tdls_timeoutie *timeoutie; 2259 struct wpa_tdls_lnkid *lnkid; 2260 u32 lifetime; 2261 u8 dtoken; 2262 int ielen; 2263 u16 status; 2264 const u8 *pos; 2265 int ret = 0; 2266 2267 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2268 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2269 for (peer = sm->tdls; peer; peer = peer->next) { 2270 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2271 break; 2272 } 2273 if (peer == NULL) { 2274 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2275 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2276 return -1; 2277 } 2278 if (!peer->initiator) { 2279 /* 2280 * This may happen if both devices try to initiate TDLS at the 2281 * same time and we accept the TPK M1 from the peer in 2282 * wpa_tdls_process_tpk_m1() and clear our previous state. 2283 */ 2284 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2285 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2286 return -1; 2287 } 2288 2289 if (peer->tpk_success) { 2290 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2291 MACSTR " as TPK M3 was already sent", 2292 MAC2STR(src_addr)); 2293 return 0; 2294 } 2295 2296 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2297 2298 if (len < 3 + 2 + 1) { 2299 wpa_tdls_disable_peer_link(sm, peer); 2300 return -1; 2301 } 2302 2303 pos = buf; 2304 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2305 status = WPA_GET_LE16(pos); 2306 pos += 2 /* status code */; 2307 2308 if (status != WLAN_STATUS_SUCCESS) { 2309 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2310 status); 2311 wpa_tdls_disable_peer_link(sm, peer); 2312 return -1; 2313 } 2314 2315 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2316 2317 /* TODO: need to verify dialog token matches here or in kernel */ 2318 dtoken = *pos++; /* dialog token */ 2319 2320 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2321 2322 if (len < 3 + 2 + 1 + 2) { 2323 wpa_tdls_disable_peer_link(sm, peer); 2324 return -1; 2325 } 2326 2327 /* capability information */ 2328 peer->capability = WPA_GET_LE16(pos); 2329 pos += 2; 2330 2331 ielen = len - (pos - buf); /* start of IE in buf */ 2332 2333 /* 2334 * Don't reject the message if failing to parse IEs. The IEs we need are 2335 * explicitly checked below. Some APs may add arbitrary padding to the 2336 * end of short TDLS frames and that would look like invalid IEs. 2337 */ 2338 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2339 wpa_printf(MSG_DEBUG, 2340 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2341 2342 #ifdef CONFIG_TDLS_TESTING 2343 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2344 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2345 status = WLAN_STATUS_REQUEST_DECLINED; 2346 goto error; 2347 } 2348 #endif /* CONFIG_TDLS_TESTING */ 2349 2350 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2351 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2352 "TPK M2"); 2353 goto error; 2354 } 2355 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2356 kde.lnkid, kde.lnkid_len); 2357 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2358 2359 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2360 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2361 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2362 goto error; 2363 } 2364 2365 if (copy_supp_rates(&kde, peer) < 0) 2366 goto error; 2367 2368 if (copy_peer_ht_capab(&kde, peer) < 0) 2369 goto error; 2370 2371 if (copy_peer_vht_capab(&kde, peer) < 0 || 2372 copy_peer_he_capab(&kde, peer) < 0 || 2373 copy_peer_he_6ghz_band_capab(&kde, peer) < 0) 2374 goto error; 2375 2376 if (copy_peer_ext_capab(&kde, peer) < 0) 2377 goto error; 2378 2379 if (copy_peer_supp_channels(&kde, peer) < 0) 2380 goto error; 2381 2382 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2383 goto error; 2384 2385 peer->qos_info = kde.qosinfo; 2386 2387 /* Overwrite with the qos_info obtained in WMM IE */ 2388 if (copy_peer_wmm_capab(&kde, peer) < 0) 2389 goto error; 2390 2391 peer->aid = kde.aid; 2392 2393 if (!wpa_tdls_get_privacy(sm)) { 2394 peer->rsnie_p_len = 0; 2395 peer->cipher = WPA_CIPHER_NONE; 2396 goto skip_rsn; 2397 } 2398 2399 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2400 kde.rsn_ie == NULL) { 2401 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2402 status = WLAN_STATUS_INVALID_PARAMETERS; 2403 goto error; 2404 } 2405 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2406 kde.rsn_ie, kde.rsn_ie_len); 2407 2408 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2409 wpa_printf(MSG_INFO, 2410 "TDLS: Too long Responder RSN IE in TPK M2"); 2411 status = WLAN_STATUS_INVALID_RSNIE; 2412 goto error; 2413 } 2414 2415 /* 2416 * FIX: bitwise comparison of RSN IE is not the correct way of 2417 * validation this. It can be different, but certain fields must 2418 * match. Since we list only a single pairwise cipher in TPK M1, the 2419 * memcmp is likely to work in most cases, though. 2420 */ 2421 if (kde.rsn_ie_len != peer->rsnie_i_len || 2422 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2423 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2424 "not match with RSN IE used in TPK M1"); 2425 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2426 peer->rsnie_i, peer->rsnie_i_len); 2427 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2428 kde.rsn_ie, kde.rsn_ie_len); 2429 status = WLAN_STATUS_INVALID_RSNIE; 2430 goto error; 2431 } 2432 2433 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2434 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2435 status = WLAN_STATUS_INVALID_RSNIE; 2436 goto error; 2437 } 2438 2439 cipher = ie.pairwise_cipher; 2440 if (cipher == WPA_CIPHER_CCMP) { 2441 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2442 cipher = WPA_CIPHER_CCMP; 2443 } else { 2444 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2445 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2446 goto error; 2447 } 2448 2449 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2450 kde.ftie, sizeof(*ftie)); 2451 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2452 2453 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2454 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2455 "not match with FTIE SNonce used in TPK M1"); 2456 /* Silently discard the frame */ 2457 return -1; 2458 } 2459 2460 /* Responder Nonce and RSN IE */ 2461 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2462 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2463 peer->rsnie_p_len = kde.rsn_ie_len; 2464 peer->cipher = cipher; 2465 2466 /* Lifetime */ 2467 if (kde.key_lifetime == NULL) { 2468 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2469 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2470 goto error; 2471 } 2472 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2473 lifetime = WPA_GET_LE32(timeoutie->value); 2474 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2475 lifetime); 2476 if (lifetime != peer->lifetime) { 2477 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2478 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2479 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2480 goto error; 2481 } 2482 2483 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2484 2485 /* Process MIC check to see if TPK M2 is right */ 2486 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2487 (u8 *) timeoutie, ftie) < 0) { 2488 /* Discard the frame */ 2489 wpa_tdls_del_key(sm, peer); 2490 wpa_tdls_disable_peer_link(sm, peer); 2491 return -1; 2492 } 2493 2494 if (wpa_tdls_set_key(sm, peer) < 0) { 2495 /* 2496 * Some drivers may not be able to config the key prior to full 2497 * STA entry having been configured. 2498 */ 2499 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2500 "STA entry is complete"); 2501 peer->reconfig_key = 1; 2502 } 2503 2504 skip_rsn: 2505 peer->dtoken = dtoken; 2506 2507 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2508 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2509 goto error; 2510 2511 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2512 "TPK Handshake Message 3"); 2513 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2514 goto error_no_msg; 2515 2516 if (!peer->tpk_success) { 2517 /* 2518 * Enable Link only when tpk_success is 0, signifying that this 2519 * processing of TPK M2 frame is not because of a retransmission 2520 * during TDLS setup handshake. 2521 */ 2522 ret = wpa_tdls_enable_link(sm, peer); 2523 if (ret < 0) { 2524 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2525 wpa_tdls_do_teardown( 2526 sm, peer, 2527 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2528 } 2529 } 2530 return ret; 2531 2532 error: 2533 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2534 status); 2535 error_no_msg: 2536 wpa_tdls_disable_peer_link(sm, peer); 2537 return -1; 2538 } 2539 2540 2541 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2542 const u8 *buf, size_t len) 2543 { 2544 struct wpa_tdls_peer *peer; 2545 struct wpa_eapol_ie_parse kde; 2546 struct wpa_tdls_ftie *ftie; 2547 struct wpa_tdls_timeoutie *timeoutie; 2548 struct wpa_tdls_lnkid *lnkid; 2549 int ielen; 2550 u16 status; 2551 const u8 *pos; 2552 u32 lifetime; 2553 int ret = 0; 2554 2555 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2556 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2557 for (peer = sm->tdls; peer; peer = peer->next) { 2558 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2559 break; 2560 } 2561 if (peer == NULL) { 2562 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2563 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2564 return -1; 2565 } 2566 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2567 2568 if (len < 3 + 3) 2569 goto error; 2570 pos = buf; 2571 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2572 2573 status = WPA_GET_LE16(pos); 2574 2575 if (status != 0) { 2576 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2577 status); 2578 goto error; 2579 } 2580 pos += 2 /* status code */ + 1 /* dialog token */; 2581 2582 ielen = len - (pos - buf); /* start of IE in buf */ 2583 2584 /* 2585 * Don't reject the message if failing to parse IEs. The IEs we need are 2586 * explicitly checked below. Some APs piggy-back broken IEs to the end 2587 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2588 * this error. 2589 */ 2590 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2591 wpa_printf(MSG_DEBUG, 2592 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2593 } 2594 2595 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2596 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2597 goto error; 2598 } 2599 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2600 (u8 *) kde.lnkid, kde.lnkid_len); 2601 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2602 2603 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2604 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2605 goto error; 2606 } 2607 2608 if (!wpa_tdls_get_privacy(sm)) 2609 goto skip_rsn; 2610 2611 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2612 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2613 goto error; 2614 } 2615 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2616 kde.ftie, sizeof(*ftie)); 2617 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2618 2619 if (kde.rsn_ie == NULL) { 2620 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2621 goto error; 2622 } 2623 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2624 kde.rsn_ie, kde.rsn_ie_len); 2625 if (kde.rsn_ie_len != peer->rsnie_p_len || 2626 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2627 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2628 "with the one sent in TPK M2"); 2629 goto error; 2630 } 2631 2632 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2633 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2634 "not match with FTIE ANonce used in TPK M2"); 2635 goto error; 2636 } 2637 2638 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2639 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2640 "match with FTIE SNonce used in TPK M1"); 2641 goto error; 2642 } 2643 2644 if (kde.key_lifetime == NULL) { 2645 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2646 goto error; 2647 } 2648 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2649 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2650 (u8 *) timeoutie, sizeof(*timeoutie)); 2651 lifetime = WPA_GET_LE32(timeoutie->value); 2652 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2653 lifetime); 2654 if (lifetime != peer->lifetime) { 2655 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2656 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2657 goto error; 2658 } 2659 2660 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2661 (u8 *) timeoutie, ftie) < 0) { 2662 wpa_tdls_del_key(sm, peer); 2663 goto error; 2664 } 2665 2666 if (wpa_tdls_set_key(sm, peer) < 0) { 2667 /* 2668 * Some drivers may not be able to config the key prior to full 2669 * STA entry having been configured. 2670 */ 2671 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2672 "STA entry is complete"); 2673 peer->reconfig_key = 1; 2674 } 2675 2676 skip_rsn: 2677 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2678 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2679 goto error; 2680 2681 if (!peer->tpk_success) { 2682 /* 2683 * Enable Link only when tpk_success is 0, signifying that this 2684 * processing of TPK M3 frame is not because of a retransmission 2685 * during TDLS setup handshake. 2686 */ 2687 ret = wpa_tdls_enable_link(sm, peer); 2688 if (ret < 0) { 2689 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2690 goto error; 2691 } 2692 } 2693 return ret; 2694 error: 2695 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2696 return -1; 2697 } 2698 2699 2700 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2701 { 2702 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2703 2704 os_memset(lifetime, 0, ie_len); 2705 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2706 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2707 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2708 WPA_PUT_LE32(lifetime->value, tsecs); 2709 os_memcpy(pos, ie, ie_len); 2710 return pos + ie_len; 2711 } 2712 2713 2714 /** 2715 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2716 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2717 * @peer: MAC address of the peer STA 2718 * Returns: 0 on success, or -1 on failure 2719 * 2720 * Send TPK Handshake Message 1 info to driver to start TDLS 2721 * handshake with the peer. 2722 */ 2723 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2724 { 2725 struct wpa_tdls_peer *peer; 2726 int tdls_prohibited = sm->tdls_prohibited; 2727 int res; 2728 2729 if (sm->tdls_disabled || !sm->tdls_supported) 2730 return -1; 2731 2732 #ifdef CONFIG_TDLS_TESTING 2733 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2734 tdls_prohibited) { 2735 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2736 "on TDLS"); 2737 tdls_prohibited = 0; 2738 } 2739 #endif /* CONFIG_TDLS_TESTING */ 2740 2741 if (tdls_prohibited) { 2742 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2743 "reject request to start setup"); 2744 return -1; 2745 } 2746 2747 peer = wpa_tdls_add_peer(sm, addr, NULL); 2748 if (peer == NULL) 2749 return -1; 2750 2751 if (peer->tpk_in_progress) { 2752 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2753 return 0; 2754 } 2755 2756 peer->initiator = 1; 2757 2758 /* add the peer to the driver as a "setup in progress" peer */ 2759 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2760 NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 2761 NULL, 0)) { 2762 wpa_tdls_disable_peer_link(sm, peer); 2763 return -1; 2764 } 2765 2766 peer->tpk_in_progress = 1; 2767 2768 res = wpa_tdls_send_tpk_m1(sm, peer); 2769 if (res < 0) { 2770 if (res != -2) 2771 wpa_tdls_disable_peer_link(sm, peer); 2772 return -1; 2773 } 2774 2775 return 0; 2776 } 2777 2778 2779 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2780 { 2781 struct wpa_tdls_peer *peer; 2782 2783 if (sm->tdls_disabled || !sm->tdls_supported) 2784 return; 2785 2786 for (peer = sm->tdls; peer; peer = peer->next) { 2787 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2788 break; 2789 } 2790 2791 if (peer == NULL || !peer->tpk_success) 2792 return; 2793 2794 if (sm->tdls_external_setup) { 2795 /* 2796 * Disable previous link to allow renegotiation to be completed 2797 * on AP path. 2798 */ 2799 wpa_tdls_do_teardown(sm, peer, 2800 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2801 } 2802 } 2803 2804 2805 /** 2806 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2807 * 2808 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2809 */ 2810 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2811 const u8 *buf, size_t len) 2812 { 2813 struct wpa_sm *sm = ctx; 2814 struct wpa_tdls_frame *tf; 2815 2816 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2817 buf, len); 2818 2819 if (sm->tdls_disabled || !sm->tdls_supported) { 2820 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2821 "or unsupported by driver"); 2822 return; 2823 } 2824 2825 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2826 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2827 return; 2828 } 2829 2830 if (len < sizeof(*tf)) { 2831 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2832 return; 2833 } 2834 2835 /* Check to make sure its a valid encapsulated TDLS frame */ 2836 tf = (struct wpa_tdls_frame *) buf; 2837 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2838 tf->category != WLAN_ACTION_TDLS) { 2839 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2840 "category=%u action=%u", 2841 tf->payloadtype, tf->category, tf->action); 2842 return; 2843 } 2844 2845 switch (tf->action) { 2846 case WLAN_TDLS_SETUP_REQUEST: 2847 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2848 break; 2849 case WLAN_TDLS_SETUP_RESPONSE: 2850 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2851 break; 2852 case WLAN_TDLS_SETUP_CONFIRM: 2853 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2854 break; 2855 case WLAN_TDLS_TEARDOWN: 2856 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2857 break; 2858 case WLAN_TDLS_DISCOVERY_REQUEST: 2859 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2860 break; 2861 default: 2862 /* Kernel code will process remaining frames */ 2863 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2864 tf->action); 2865 break; 2866 } 2867 } 2868 2869 2870 /** 2871 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2872 * @wpa_s: Pointer to wpa_supplicant data 2873 * Returns: 0 on success, -1 on failure 2874 * 2875 * This function is called to initialize driver interface parameters for TDLS. 2876 * wpa_drv_init() must have been called before this function to initialize the 2877 * driver interface. 2878 */ 2879 int wpa_tdls_init(struct wpa_sm *sm) 2880 { 2881 if (sm == NULL) 2882 return -1; 2883 2884 if (sm->l2_tdls) { 2885 l2_packet_deinit(sm->l2_tdls); 2886 sm->l2_tdls = NULL; 2887 } 2888 2889 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2890 sm->ifname, 2891 sm->own_addr, 2892 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2893 sm, 0); 2894 if (sm->l2_tdls == NULL) { 2895 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2896 "connection"); 2897 return -1; 2898 } 2899 2900 /* 2901 * Drivers that support TDLS but don't implement the get_capa callback 2902 * are assumed to perform everything internally 2903 */ 2904 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2905 &sm->tdls_external_setup, 2906 &sm->tdls_chan_switch) < 0) { 2907 sm->tdls_supported = 1; 2908 sm->tdls_external_setup = 0; 2909 } 2910 2911 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2912 "driver", sm->tdls_supported ? "" : " not"); 2913 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2914 sm->tdls_external_setup ? "external" : "internal"); 2915 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2916 sm->tdls_chan_switch ? "supports" : "does not support"); 2917 2918 return 0; 2919 } 2920 2921 2922 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2923 { 2924 struct wpa_tdls_peer *peer, *tmp; 2925 2926 if (!sm) 2927 return; 2928 peer = sm->tdls; 2929 2930 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2931 2932 while (peer) { 2933 tmp = peer->next; 2934 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2935 MAC2STR(peer->addr)); 2936 if (sm->tdls_external_setup) 2937 wpa_tdls_do_teardown(sm, peer, 2938 WLAN_REASON_DEAUTH_LEAVING); 2939 else 2940 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2941 2942 peer = tmp; 2943 } 2944 } 2945 2946 2947 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2948 { 2949 struct wpa_tdls_peer *peer, *tmp; 2950 2951 peer = sm->tdls; 2952 2953 while (peer) { 2954 int res; 2955 tmp = peer->next; 2956 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2957 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2958 MAC2STR(peer->addr), res); 2959 wpa_tdls_peer_free(sm, peer); 2960 peer = tmp; 2961 } 2962 } 2963 2964 2965 /** 2966 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2967 * 2968 * This function is called to recover driver interface parameters for TDLS 2969 * and frees resources allocated for it. 2970 */ 2971 void wpa_tdls_deinit(struct wpa_sm *sm) 2972 { 2973 if (sm == NULL) 2974 return; 2975 2976 if (sm->l2_tdls) 2977 l2_packet_deinit(sm->l2_tdls); 2978 sm->l2_tdls = NULL; 2979 2980 wpa_tdls_remove_peers(sm); 2981 } 2982 2983 2984 void wpa_tdls_assoc(struct wpa_sm *sm) 2985 { 2986 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2987 wpa_tdls_remove_peers(sm); 2988 } 2989 2990 2991 void wpa_tdls_disassoc(struct wpa_sm *sm) 2992 { 2993 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2994 wpa_tdls_remove_peers(sm); 2995 } 2996 2997 2998 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2999 { 3000 /* bit 38 - TDLS Prohibited */ 3001 return !!(elems->ext_capab[4] & 0x40); 3002 } 3003 3004 3005 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 3006 { 3007 /* bit 39 - TDLS Channel Switch Prohibited */ 3008 return !!(elems->ext_capab[4] & 0x80); 3009 } 3010 3011 3012 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 3013 { 3014 struct ieee802_11_elems elems; 3015 3016 sm->tdls_prohibited = 0; 3017 sm->tdls_chan_switch_prohibited = 0; 3018 3019 if (ies == NULL || 3020 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 3021 elems.ext_capab == NULL || elems.ext_capab_len < 5) 3022 return; 3023 3024 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 3025 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 3026 sm->tdls_prohibited ? "prohibited" : "allowed"); 3027 sm->tdls_chan_switch_prohibited = 3028 wpa_tdls_chan_switch_prohibited(&elems); 3029 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 3030 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 3031 } 3032 3033 3034 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 3035 { 3036 struct ieee802_11_elems elems; 3037 3038 if (ies == NULL || 3039 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 3040 elems.ext_capab == NULL || elems.ext_capab_len < 5) 3041 return; 3042 3043 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 3044 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 3045 "(Re)Association Response IEs"); 3046 sm->tdls_prohibited = 1; 3047 } 3048 3049 if (!sm->tdls_chan_switch_prohibited && 3050 wpa_tdls_chan_switch_prohibited(&elems)) { 3051 wpa_printf(MSG_DEBUG, 3052 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 3053 sm->tdls_chan_switch_prohibited = 1; 3054 } 3055 } 3056 3057 3058 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 3059 { 3060 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 3061 sm->tdls_disabled = !enabled; 3062 } 3063 3064 3065 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 3066 { 3067 return sm->tdls_external_setup; 3068 } 3069 3070 3071 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 3072 u8 oper_class, 3073 struct hostapd_freq_params *freq_params) 3074 { 3075 struct wpa_tdls_peer *peer; 3076 int ret; 3077 3078 if (sm->tdls_disabled || !sm->tdls_supported) 3079 return -1; 3080 3081 if (!sm->tdls_chan_switch) { 3082 wpa_printf(MSG_DEBUG, 3083 "TDLS: Channel switching not supported by the driver"); 3084 return -1; 3085 } 3086 3087 if (sm->tdls_chan_switch_prohibited) { 3088 wpa_printf(MSG_DEBUG, 3089 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 3090 return -1; 3091 } 3092 3093 for (peer = sm->tdls; peer; peer = peer->next) { 3094 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3095 break; 3096 } 3097 3098 if (peer == NULL || !peer->tpk_success) { 3099 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3100 " not found for channel switching", MAC2STR(addr)); 3101 return -1; 3102 } 3103 3104 if (peer->chan_switch_enabled) { 3105 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3106 " already has channel switching enabled", 3107 MAC2STR(addr)); 3108 return 0; 3109 } 3110 3111 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3112 oper_class, freq_params); 3113 if (!ret) 3114 peer->chan_switch_enabled = 1; 3115 3116 return ret; 3117 } 3118 3119 3120 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3121 { 3122 struct wpa_tdls_peer *peer; 3123 3124 if (sm->tdls_disabled || !sm->tdls_supported) 3125 return -1; 3126 3127 for (peer = sm->tdls; peer; peer = peer->next) { 3128 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3129 break; 3130 } 3131 3132 if (!peer || !peer->chan_switch_enabled) { 3133 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3134 MACSTR, MAC2STR(addr)); 3135 return -1; 3136 } 3137 3138 /* ignore the return value */ 3139 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3140 3141 peer->chan_switch_enabled = 0; 3142 return 0; 3143 } 3144