1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tk_set; /* TPK-TK configured to the driver */ 116 int tpk_success; 117 int tpk_in_progress; 118 119 struct tpk_timer { 120 u8 dest[ETH_ALEN]; 121 int count; /* Retry Count */ 122 int timer; /* Timeout in milliseconds */ 123 u8 action_code; /* TDLS frame type */ 124 u8 dialog_token; 125 u16 status_code; 126 u32 peer_capab; 127 int buf_len; /* length of TPK message for retransmission */ 128 u8 *buf; /* buffer for TPK message */ 129 } sm_tmr; 130 131 u16 capability; 132 133 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 134 size_t supp_rates_len; 135 136 struct ieee80211_ht_capabilities *ht_capabilities; 137 struct ieee80211_vht_capabilities *vht_capabilities; 138 139 u8 qos_info; 140 141 u16 aid; 142 143 u8 *ext_capab; 144 size_t ext_capab_len; 145 146 u8 *supp_channels; 147 size_t supp_channels_len; 148 149 u8 *supp_oper_classes; 150 size_t supp_oper_classes_len; 151 152 u8 wmm_capable; 153 154 /* channel switch currently enabled */ 155 int chan_switch_enabled; 156 }; 157 158 159 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 160 { 161 /* 162 * Get info needed from supplicant to check if the current BSS supports 163 * security. Other than OPEN mode, rest are considered secured 164 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 165 */ 166 return sm->pairwise_cipher != WPA_CIPHER_NONE; 167 } 168 169 170 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 171 { 172 os_memcpy(pos, ie, ie_len); 173 return pos + ie_len; 174 } 175 176 177 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 178 { 179 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 180 0, 0, NULL, 0, NULL, 0) < 0) { 181 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 182 "the driver"); 183 return -1; 184 } 185 186 return 0; 187 } 188 189 190 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 191 { 192 u8 key_len; 193 u8 rsc[6]; 194 enum wpa_alg alg; 195 196 if (peer->tk_set) { 197 /* 198 * This same TPK-TK has already been configured to the driver 199 * and this new configuration attempt (likely due to an 200 * unexpected retransmitted frame) would result in clearing 201 * the TX/RX sequence number which can break security, so must 202 * not allow that to happen. 203 */ 204 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 205 " has already been configured to the driver - do not reconfigure", 206 MAC2STR(peer->addr)); 207 return -1; 208 } 209 210 os_memset(rsc, 0, 6); 211 212 switch (peer->cipher) { 213 case WPA_CIPHER_CCMP: 214 alg = WPA_ALG_CCMP; 215 key_len = 16; 216 break; 217 case WPA_CIPHER_NONE: 218 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 219 "NONE - do not use pairwise keys"); 220 return -1; 221 default: 222 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 223 sm->pairwise_cipher); 224 return -1; 225 } 226 227 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 228 MAC2STR(peer->addr)); 229 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 230 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 231 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 232 "driver"); 233 return -1; 234 } 235 peer->tk_set = 1; 236 return 0; 237 } 238 239 240 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 241 u8 action_code, u8 dialog_token, 242 u16 status_code, u32 peer_capab, 243 int initiator, const u8 *buf, size_t len) 244 { 245 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 246 status_code, peer_capab, initiator, buf, 247 len); 248 } 249 250 251 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 252 u8 dialog_token, u16 status_code, u32 peer_capab, 253 int initiator, const u8 *msg, size_t msg_len) 254 { 255 struct wpa_tdls_peer *peer; 256 257 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 258 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 259 "msg_len=%u", 260 MAC2STR(dest), action_code, dialog_token, status_code, 261 peer_capab, initiator, (unsigned int) msg_len); 262 263 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 264 status_code, peer_capab, initiator, msg, 265 msg_len)) { 266 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 267 "(action_code=%u)", action_code); 268 return -1; 269 } 270 271 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 272 action_code == WLAN_TDLS_TEARDOWN || 273 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 274 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 275 return 0; /* No retries */ 276 277 for (peer = sm->tdls; peer; peer = peer->next) { 278 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 279 break; 280 } 281 282 if (peer == NULL) { 283 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 284 "retry " MACSTR, MAC2STR(dest)); 285 return 0; 286 } 287 288 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 289 290 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 291 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 292 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 293 } else { 294 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 295 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 296 } 297 298 /* Copy message to resend on timeout */ 299 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 300 peer->sm_tmr.action_code = action_code; 301 peer->sm_tmr.dialog_token = dialog_token; 302 peer->sm_tmr.status_code = status_code; 303 peer->sm_tmr.peer_capab = peer_capab; 304 peer->sm_tmr.buf_len = msg_len; 305 os_free(peer->sm_tmr.buf); 306 peer->sm_tmr.buf = os_malloc(msg_len); 307 if (peer->sm_tmr.buf == NULL) 308 return -1; 309 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 310 311 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 312 "(action_code=%u)", action_code); 313 eloop_register_timeout(peer->sm_tmr.timer / 1000, 314 (peer->sm_tmr.timer % 1000) * 1000, 315 wpa_tdls_tpk_retry_timeout, sm, peer); 316 return 0; 317 } 318 319 320 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 321 u16 reason_code) 322 { 323 int ret; 324 325 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 326 /* disable the link after teardown was sent */ 327 wpa_tdls_disable_peer_link(sm, peer); 328 329 return ret; 330 } 331 332 333 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 334 { 335 336 struct wpa_sm *sm = eloop_ctx; 337 struct wpa_tdls_peer *peer = timeout_ctx; 338 339 if (peer->sm_tmr.count) { 340 peer->sm_tmr.count--; 341 342 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 343 "(action_code=%u)", 344 peer->sm_tmr.action_code); 345 346 if (peer->sm_tmr.buf == NULL) { 347 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 348 "for action_code=%u", 349 peer->sm_tmr.action_code); 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 351 peer); 352 return; 353 } 354 355 /* resend TPK Handshake Message to Peer */ 356 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 357 peer->sm_tmr.action_code, 358 peer->sm_tmr.dialog_token, 359 peer->sm_tmr.status_code, 360 peer->sm_tmr.peer_capab, 361 peer->initiator, 362 peer->sm_tmr.buf, 363 peer->sm_tmr.buf_len)) { 364 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 365 "transmission"); 366 } 367 368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 369 eloop_register_timeout(peer->sm_tmr.timer / 1000, 370 (peer->sm_tmr.timer % 1000) * 1000, 371 wpa_tdls_tpk_retry_timeout, sm, peer); 372 } else { 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 376 wpa_tdls_do_teardown(sm, peer, 377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 378 } 379 } 380 381 382 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 383 struct wpa_tdls_peer *peer, 384 u8 action_code) 385 { 386 if (action_code == peer->sm_tmr.action_code) { 387 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 388 "action_code=%u", action_code); 389 390 /* Cancel Timeout registered */ 391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 392 393 /* free all resources meant for retry */ 394 os_free(peer->sm_tmr.buf); 395 peer->sm_tmr.buf = NULL; 396 397 peer->sm_tmr.count = 0; 398 peer->sm_tmr.timer = 0; 399 peer->sm_tmr.buf_len = 0; 400 peer->sm_tmr.action_code = 0xff; 401 } else { 402 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 403 "(Unknown action_code=%u)", action_code); 404 } 405 } 406 407 408 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 409 const u8 *own_addr, const u8 *bssid) 410 { 411 u8 key_input[SHA256_MAC_LEN]; 412 const u8 *nonce[2]; 413 size_t len[2]; 414 u8 data[3 * ETH_ALEN]; 415 416 /* IEEE Std 802.11z-2010 8.5.9.1: 417 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 418 */ 419 len[0] = WPA_NONCE_LEN; 420 len[1] = WPA_NONCE_LEN; 421 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 422 nonce[0] = peer->inonce; 423 nonce[1] = peer->rnonce; 424 } else { 425 nonce[0] = peer->rnonce; 426 nonce[1] = peer->inonce; 427 } 428 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 429 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 430 sha256_vector(2, nonce, len, key_input); 431 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 432 key_input, SHA256_MAC_LEN); 433 434 /* 435 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 436 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 437 * TODO: is N_KEY really included in KDF Context and if so, in which 438 * presentation format (little endian 16-bit?) is it used? It gets 439 * added by the KDF anyway.. 440 */ 441 442 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 443 os_memcpy(data, own_addr, ETH_ALEN); 444 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 445 } else { 446 os_memcpy(data, peer->addr, ETH_ALEN); 447 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 448 } 449 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 450 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 451 452 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 453 (u8 *) &peer->tpk, sizeof(peer->tpk)); 454 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 455 peer->tpk.kck, sizeof(peer->tpk.kck)); 456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 457 peer->tpk.tk, sizeof(peer->tpk.tk)); 458 peer->tpk_set = 1; 459 } 460 461 462 /** 463 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 464 * @kck: TPK-KCK 465 * @lnkid: Pointer to the beginning of Link Identifier IE 466 * @rsnie: Pointer to the beginning of RSN IE used for handshake 467 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 468 * @ftie: Pointer to the beginning of FT IE 469 * @mic: Pointer for writing MIC 470 * 471 * Calculate MIC for TDLS frame. 472 */ 473 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 474 const u8 *rsnie, const u8 *timeoutie, 475 const u8 *ftie, u8 *mic) 476 { 477 u8 *buf, *pos; 478 struct wpa_tdls_ftie *_ftie; 479 const struct wpa_tdls_lnkid *_lnkid; 480 int ret; 481 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 482 2 + timeoutie[1] + 2 + ftie[1]; 483 buf = os_zalloc(len); 484 if (!buf) { 485 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 486 return -1; 487 } 488 489 pos = buf; 490 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 491 /* 1) TDLS initiator STA MAC address */ 492 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 493 pos += ETH_ALEN; 494 /* 2) TDLS responder STA MAC address */ 495 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 496 pos += ETH_ALEN; 497 /* 3) Transaction Sequence number */ 498 *pos++ = trans_seq; 499 /* 4) Link Identifier IE */ 500 os_memcpy(pos, lnkid, 2 + lnkid[1]); 501 pos += 2 + lnkid[1]; 502 /* 5) RSN IE */ 503 os_memcpy(pos, rsnie, 2 + rsnie[1]); 504 pos += 2 + rsnie[1]; 505 /* 6) Timeout Interval IE */ 506 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 507 pos += 2 + timeoutie[1]; 508 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 509 os_memcpy(pos, ftie, 2 + ftie[1]); 510 _ftie = (struct wpa_tdls_ftie *) pos; 511 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 512 pos += 2 + ftie[1]; 513 514 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 515 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 516 ret = omac1_aes_128(kck, buf, pos - buf, mic); 517 os_free(buf); 518 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 519 return ret; 520 } 521 522 523 /** 524 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 525 * @kck: TPK-KCK 526 * @trans_seq: Transaction Sequence Number (4 - Teardown) 527 * @rcode: Reason code for Teardown 528 * @dtoken: Dialog Token used for that particular link 529 * @lnkid: Pointer to the beginning of Link Identifier IE 530 * @ftie: Pointer to the beginning of FT IE 531 * @mic: Pointer for writing MIC 532 * 533 * Calculate MIC for TDLS frame. 534 */ 535 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 536 u8 dtoken, const u8 *lnkid, 537 const u8 *ftie, u8 *mic) 538 { 539 u8 *buf, *pos; 540 struct wpa_tdls_ftie *_ftie; 541 int ret; 542 int len; 543 544 if (lnkid == NULL) 545 return -1; 546 547 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 548 sizeof(trans_seq) + 2 + ftie[1]; 549 550 buf = os_zalloc(len); 551 if (!buf) { 552 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 553 return -1; 554 } 555 556 pos = buf; 557 /* 1) Link Identifier IE */ 558 os_memcpy(pos, lnkid, 2 + lnkid[1]); 559 pos += 2 + lnkid[1]; 560 /* 2) Reason Code */ 561 WPA_PUT_LE16(pos, rcode); 562 pos += sizeof(rcode); 563 /* 3) Dialog token */ 564 *pos++ = dtoken; 565 /* 4) Transaction Sequence number */ 566 *pos++ = trans_seq; 567 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 568 os_memcpy(pos, ftie, 2 + ftie[1]); 569 _ftie = (struct wpa_tdls_ftie *) pos; 570 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 571 pos += 2 + ftie[1]; 572 573 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 574 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 575 ret = omac1_aes_128(kck, buf, pos - buf, mic); 576 os_free(buf); 577 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 578 return ret; 579 } 580 581 582 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 583 struct wpa_tdls_peer *peer, 584 const u8 *lnkid, const u8 *timeoutie, 585 const struct wpa_tdls_ftie *ftie) 586 { 587 u8 mic[16]; 588 589 if (peer->tpk_set) { 590 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 591 peer->rsnie_p, timeoutie, (u8 *) ftie, 592 mic); 593 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 594 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 595 "dropping packet"); 596 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 597 ftie->mic, 16); 598 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 599 mic, 16); 600 return -1; 601 } 602 } else { 603 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 604 "TPK not set - dropping packet"); 605 return -1; 606 } 607 return 0; 608 } 609 610 611 static int wpa_supplicant_verify_tdls_mic_teardown( 612 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 613 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 614 { 615 u8 mic[16]; 616 617 if (peer->tpk_set) { 618 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 619 dtoken, lnkid, (u8 *) ftie, mic); 620 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 621 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 622 "dropping packet"); 623 return -1; 624 } 625 } else { 626 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 627 "MIC, TPK not set - dropping packet"); 628 return -1; 629 } 630 return 0; 631 } 632 633 634 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 635 { 636 struct wpa_sm *sm = eloop_ctx; 637 struct wpa_tdls_peer *peer = timeout_ctx; 638 639 /* 640 * On TPK lifetime expiration, we have an option of either tearing down 641 * the direct link or trying to re-initiate it. The selection of what 642 * to do is not strictly speaking controlled by our role in the expired 643 * link, but for now, use that to select whether to renew or tear down 644 * the link. 645 */ 646 647 if (peer->initiator) { 648 u8 addr[ETH_ALEN]; 649 650 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 651 " - try to renew", MAC2STR(peer->addr)); 652 /* cache the peer address before do_teardown */ 653 os_memcpy(addr, peer->addr, ETH_ALEN); 654 wpa_tdls_do_teardown(sm, peer, 655 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 656 wpa_tdls_start(sm, addr); 657 } else { 658 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 659 " - tear down", MAC2STR(peer->addr)); 660 wpa_tdls_do_teardown(sm, peer, 661 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 662 } 663 } 664 665 666 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 667 struct wpa_tdls_peer *peer) 668 { 669 struct wpa_tdls_peer *cur, *prev; 670 671 cur = sm->tdls; 672 prev = NULL; 673 while (cur && cur != peer) { 674 prev = cur; 675 cur = cur->next; 676 } 677 678 if (cur != peer) { 679 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 680 " to remove it from the list", 681 MAC2STR(peer->addr)); 682 return; 683 } 684 685 if (prev) 686 prev->next = peer->next; 687 else 688 sm->tdls = peer->next; 689 } 690 691 692 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 693 { 694 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 695 MAC2STR(peer->addr)); 696 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 697 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 698 peer->reconfig_key = 0; 699 peer->initiator = 0; 700 peer->tpk_in_progress = 0; 701 os_free(peer->sm_tmr.buf); 702 peer->sm_tmr.buf = NULL; 703 os_free(peer->ht_capabilities); 704 peer->ht_capabilities = NULL; 705 os_free(peer->vht_capabilities); 706 peer->vht_capabilities = NULL; 707 os_free(peer->ext_capab); 708 peer->ext_capab = NULL; 709 os_free(peer->supp_channels); 710 peer->supp_channels = NULL; 711 os_free(peer->supp_oper_classes); 712 peer->supp_oper_classes = NULL; 713 peer->rsnie_i_len = peer->rsnie_p_len = 0; 714 peer->cipher = 0; 715 peer->qos_info = 0; 716 peer->wmm_capable = 0; 717 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 718 peer->chan_switch_enabled = 0; 719 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 720 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 721 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 722 } 723 724 725 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 726 { 727 wpa_tdls_peer_clear(sm, peer); 728 wpa_tdls_peer_remove_from_list(sm, peer); 729 os_free(peer); 730 } 731 732 733 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 734 struct wpa_tdls_lnkid *lnkid) 735 { 736 lnkid->ie_type = WLAN_EID_LINK_ID; 737 lnkid->ie_len = 3 * ETH_ALEN; 738 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 739 if (peer->initiator) { 740 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 741 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 742 } else { 743 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 744 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 745 } 746 } 747 748 749 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 750 u16 reason_code) 751 { 752 struct wpa_tdls_peer *peer; 753 struct wpa_tdls_ftie *ftie; 754 struct wpa_tdls_lnkid lnkid; 755 u8 dialog_token; 756 u8 *rbuf, *pos; 757 int ielen; 758 759 if (sm->tdls_disabled || !sm->tdls_supported) 760 return -1; 761 762 /* Find the node and free from the list */ 763 for (peer = sm->tdls; peer; peer = peer->next) { 764 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 765 break; 766 } 767 768 if (peer == NULL) { 769 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 770 "Teardown " MACSTR, MAC2STR(addr)); 771 return 0; 772 } 773 774 /* Cancel active channel switch before teardown */ 775 if (peer->chan_switch_enabled) { 776 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 777 " to base channel", MAC2STR(addr)); 778 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 779 } 780 781 dialog_token = peer->dtoken; 782 783 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 784 MAC2STR(addr)); 785 786 ielen = 0; 787 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 788 /* To add FTIE for Teardown request and compute MIC */ 789 ielen += sizeof(*ftie); 790 #ifdef CONFIG_TDLS_TESTING 791 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 792 ielen += 170; 793 #endif /* CONFIG_TDLS_TESTING */ 794 } 795 796 rbuf = os_zalloc(ielen + 1); 797 if (rbuf == NULL) 798 return -1; 799 pos = rbuf; 800 801 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 802 goto skip_ies; 803 804 ftie = (struct wpa_tdls_ftie *) pos; 805 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 806 /* Using the recent nonce which should be for CONFIRM frame */ 807 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 808 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 809 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 810 pos = (u8 *) (ftie + 1); 811 #ifdef CONFIG_TDLS_TESTING 812 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 813 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 814 "FTIE"); 815 ftie->ie_len += 170; 816 *pos++ = 255; /* FTIE subelem */ 817 *pos++ = 168; /* FTIE subelem length */ 818 pos += 168; 819 } 820 #endif /* CONFIG_TDLS_TESTING */ 821 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 822 (u8 *) ftie, pos - (u8 *) ftie); 823 824 /* compute MIC before sending */ 825 wpa_tdls_linkid(sm, peer, &lnkid); 826 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 827 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 828 ftie->mic); 829 830 skip_ies: 831 /* TODO: register for a Timeout handler, if Teardown is not received at 832 * the other end, then try again another time */ 833 834 /* request driver to send Teardown using this FTIE */ 835 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 836 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 837 os_free(rbuf); 838 839 return 0; 840 } 841 842 843 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 844 { 845 struct wpa_tdls_peer *peer; 846 847 if (sm->tdls_disabled || !sm->tdls_supported) 848 return -1; 849 850 for (peer = sm->tdls; peer; peer = peer->next) { 851 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 852 break; 853 } 854 855 if (peer == NULL) { 856 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 857 " for link Teardown", MAC2STR(addr)); 858 return -1; 859 } 860 861 if (!peer->tpk_success) { 862 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 863 " not connected - cannot Teardown link", MAC2STR(addr)); 864 return -1; 865 } 866 867 return wpa_tdls_do_teardown(sm, peer, reason_code); 868 } 869 870 871 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 872 struct wpa_tdls_peer *peer) 873 { 874 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 875 wpa_tdls_peer_free(sm, peer); 876 } 877 878 879 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 880 { 881 struct wpa_tdls_peer *peer; 882 883 for (peer = sm->tdls; peer; peer = peer->next) { 884 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 885 break; 886 } 887 888 if (!peer || !peer->tpk_success) { 889 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 890 " not connected - cannot teardown unreachable link", 891 MAC2STR(addr)); 892 return; 893 } 894 895 if (wpa_tdls_is_external_setup(sm)) { 896 /* 897 * Get us on the base channel, disable the link, send a 898 * teardown packet through the AP, and then reset link data. 899 */ 900 if (peer->chan_switch_enabled) 901 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 902 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 903 wpa_tdls_send_teardown(sm, addr, 904 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 905 wpa_tdls_peer_free(sm, peer); 906 } else { 907 wpa_tdls_disable_peer_link(sm, peer); 908 } 909 } 910 911 912 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 913 { 914 struct wpa_tdls_peer *peer; 915 916 if (sm->tdls_disabled || !sm->tdls_supported) 917 return "disabled"; 918 919 for (peer = sm->tdls; peer; peer = peer->next) { 920 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 921 break; 922 } 923 924 if (peer == NULL) 925 return "peer does not exist"; 926 927 if (!peer->tpk_success) 928 return "peer not connected"; 929 930 return "connected"; 931 } 932 933 934 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 935 const u8 *buf, size_t len) 936 { 937 struct wpa_tdls_peer *peer = NULL; 938 struct wpa_tdls_ftie *ftie; 939 struct wpa_tdls_lnkid *lnkid; 940 struct wpa_eapol_ie_parse kde; 941 u16 reason_code; 942 const u8 *pos; 943 int ielen; 944 945 /* Find the node and free from the list */ 946 for (peer = sm->tdls; peer; peer = peer->next) { 947 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 948 break; 949 } 950 951 if (peer == NULL) { 952 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 953 "Teardown " MACSTR, MAC2STR(src_addr)); 954 return 0; 955 } 956 957 pos = buf; 958 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 959 960 reason_code = WPA_GET_LE16(pos); 961 pos += 2; 962 963 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 964 " (reason code %u)", MAC2STR(src_addr), reason_code); 965 966 ielen = len - (pos - buf); /* start of IE in buf */ 967 968 /* 969 * Don't reject the message if failing to parse IEs. The IEs we need are 970 * explicitly checked below. Some APs may add arbitrary padding to the 971 * end of short TDLS frames and that would look like invalid IEs. 972 */ 973 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 974 wpa_printf(MSG_DEBUG, 975 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 976 977 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 978 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 979 "Teardown"); 980 return -1; 981 } 982 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 983 984 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 985 goto skip_ftie; 986 987 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 988 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 989 return -1; 990 } 991 992 ftie = (struct wpa_tdls_ftie *) kde.ftie; 993 994 /* Process MIC check to see if TDLS Teardown is right */ 995 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 996 peer->dtoken, peer, 997 (u8 *) lnkid, ftie) < 0) { 998 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 999 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 1000 return -1; 1001 } 1002 1003 skip_ftie: 1004 /* 1005 * Request the driver to disable the direct link and clear associated 1006 * keys. 1007 */ 1008 wpa_tdls_disable_peer_link(sm, peer); 1009 return 0; 1010 } 1011 1012 1013 /** 1014 * wpa_tdls_send_error - To send suitable TDLS status response with 1015 * appropriate status code mentioning reason for error/failure. 1016 * @dst - MAC addr of Peer station 1017 * @tdls_action - TDLS frame type for which error code is sent 1018 * @initiator - was this end the initiator of the connection 1019 * @status - status code mentioning reason 1020 */ 1021 1022 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1023 u8 tdls_action, u8 dialog_token, int initiator, 1024 u16 status) 1025 { 1026 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1027 " (action=%u status=%u)", 1028 MAC2STR(dst), tdls_action, status); 1029 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1030 0, initiator, NULL, 0); 1031 } 1032 1033 1034 static struct wpa_tdls_peer * 1035 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1036 { 1037 struct wpa_tdls_peer *peer; 1038 1039 if (existing) 1040 *existing = 0; 1041 for (peer = sm->tdls; peer; peer = peer->next) { 1042 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1043 if (existing) 1044 *existing = 1; 1045 return peer; /* re-use existing entry */ 1046 } 1047 } 1048 1049 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1050 MAC2STR(addr)); 1051 1052 peer = os_zalloc(sizeof(*peer)); 1053 if (peer == NULL) 1054 return NULL; 1055 1056 os_memcpy(peer->addr, addr, ETH_ALEN); 1057 peer->next = sm->tdls; 1058 sm->tdls = peer; 1059 1060 return peer; 1061 } 1062 1063 1064 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1065 struct wpa_tdls_peer *peer) 1066 { 1067 size_t buf_len; 1068 struct wpa_tdls_timeoutie timeoutie; 1069 u16 rsn_capab; 1070 struct wpa_tdls_ftie *ftie; 1071 u8 *rbuf, *pos, *count_pos; 1072 u16 count; 1073 struct rsn_ie_hdr *hdr; 1074 int status; 1075 1076 if (!wpa_tdls_get_privacy(sm)) { 1077 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1078 peer->rsnie_i_len = 0; 1079 goto skip_rsnie; 1080 } 1081 1082 /* 1083 * TPK Handshake Message 1: 1084 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1085 * Timeout Interval IE)) 1086 */ 1087 1088 /* Filling RSN IE */ 1089 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1090 hdr->elem_id = WLAN_EID_RSN; 1091 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1092 1093 pos = (u8 *) (hdr + 1); 1094 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1095 pos += RSN_SELECTOR_LEN; 1096 count_pos = pos; 1097 pos += 2; 1098 1099 count = 0; 1100 1101 /* 1102 * AES-CCMP is the default Encryption preferred for TDLS, so 1103 * RSN IE is filled only with CCMP CIPHER 1104 * Note: TKIP is not used to encrypt TDLS link. 1105 * 1106 * Regardless of the cipher used on the AP connection, select CCMP 1107 * here. 1108 */ 1109 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1110 pos += RSN_SELECTOR_LEN; 1111 count++; 1112 1113 WPA_PUT_LE16(count_pos, count); 1114 1115 WPA_PUT_LE16(pos, 1); 1116 pos += 2; 1117 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1118 pos += RSN_SELECTOR_LEN; 1119 1120 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1121 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1122 #ifdef CONFIG_TDLS_TESTING 1123 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1124 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1125 "testing"); 1126 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1127 } 1128 #endif /* CONFIG_TDLS_TESTING */ 1129 WPA_PUT_LE16(pos, rsn_capab); 1130 pos += 2; 1131 #ifdef CONFIG_TDLS_TESTING 1132 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1133 /* Number of PMKIDs */ 1134 *pos++ = 0x00; 1135 *pos++ = 0x00; 1136 } 1137 #endif /* CONFIG_TDLS_TESTING */ 1138 1139 hdr->len = (pos - peer->rsnie_i) - 2; 1140 peer->rsnie_i_len = pos - peer->rsnie_i; 1141 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1142 peer->rsnie_i, peer->rsnie_i_len); 1143 1144 skip_rsnie: 1145 buf_len = 0; 1146 if (wpa_tdls_get_privacy(sm)) 1147 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1148 sizeof(struct wpa_tdls_timeoutie); 1149 #ifdef CONFIG_TDLS_TESTING 1150 if (wpa_tdls_get_privacy(sm) && 1151 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1152 buf_len += 170; 1153 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1154 buf_len += sizeof(struct wpa_tdls_lnkid); 1155 #endif /* CONFIG_TDLS_TESTING */ 1156 rbuf = os_zalloc(buf_len + 1); 1157 if (rbuf == NULL) { 1158 wpa_tdls_peer_free(sm, peer); 1159 return -1; 1160 } 1161 pos = rbuf; 1162 1163 if (!wpa_tdls_get_privacy(sm)) 1164 goto skip_ies; 1165 1166 /* Initiator RSN IE */ 1167 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1168 1169 ftie = (struct wpa_tdls_ftie *) pos; 1170 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1171 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1172 1173 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1174 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1175 "TDLS: Failed to get random data for initiator Nonce"); 1176 os_free(rbuf); 1177 wpa_tdls_peer_free(sm, peer); 1178 return -1; 1179 } 1180 peer->tk_set = 0; /* A new nonce results in a new TK */ 1181 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1182 peer->inonce, WPA_NONCE_LEN); 1183 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1184 1185 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1186 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1187 1188 pos = (u8 *) (ftie + 1); 1189 1190 #ifdef CONFIG_TDLS_TESTING 1191 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1192 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1193 "FTIE"); 1194 ftie->ie_len += 170; 1195 *pos++ = 255; /* FTIE subelem */ 1196 *pos++ = 168; /* FTIE subelem length */ 1197 pos += 168; 1198 } 1199 #endif /* CONFIG_TDLS_TESTING */ 1200 1201 /* Lifetime */ 1202 peer->lifetime = TPK_LIFETIME; 1203 #ifdef CONFIG_TDLS_TESTING 1204 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1205 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1206 "lifetime"); 1207 peer->lifetime = 301; 1208 } 1209 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1210 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1211 "lifetime"); 1212 peer->lifetime = 0xffffffff; 1213 } 1214 #endif /* CONFIG_TDLS_TESTING */ 1215 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1216 sizeof(timeoutie), peer->lifetime); 1217 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1218 1219 skip_ies: 1220 1221 #ifdef CONFIG_TDLS_TESTING 1222 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1223 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1224 "Link Identifier"); 1225 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1226 wpa_tdls_linkid(sm, peer, l); 1227 l->bssid[5] ^= 0x01; 1228 pos += sizeof(*l); 1229 } 1230 #endif /* CONFIG_TDLS_TESTING */ 1231 1232 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1233 "Handshake Message 1 (peer " MACSTR ")", 1234 MAC2STR(peer->addr)); 1235 1236 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1237 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1238 os_free(rbuf); 1239 1240 return status; 1241 } 1242 1243 1244 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1245 const unsigned char *src_addr, u8 dtoken, 1246 struct wpa_tdls_lnkid *lnkid, 1247 const struct wpa_tdls_peer *peer) 1248 { 1249 u8 *rbuf, *pos; 1250 size_t buf_len; 1251 u32 lifetime; 1252 struct wpa_tdls_timeoutie timeoutie; 1253 struct wpa_tdls_ftie *ftie; 1254 int status; 1255 1256 buf_len = 0; 1257 if (wpa_tdls_get_privacy(sm)) { 1258 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1259 * Lifetime */ 1260 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1261 sizeof(struct wpa_tdls_timeoutie); 1262 #ifdef CONFIG_TDLS_TESTING 1263 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1264 buf_len += 170; 1265 #endif /* CONFIG_TDLS_TESTING */ 1266 } 1267 1268 rbuf = os_zalloc(buf_len + 1); 1269 if (rbuf == NULL) 1270 return -1; 1271 pos = rbuf; 1272 1273 if (!wpa_tdls_get_privacy(sm)) 1274 goto skip_ies; 1275 1276 /* Peer RSN IE */ 1277 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1278 1279 ftie = (struct wpa_tdls_ftie *) pos; 1280 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1281 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1282 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1283 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1284 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1285 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1286 (u8 *) ftie, sizeof(*ftie)); 1287 1288 pos = (u8 *) (ftie + 1); 1289 1290 #ifdef CONFIG_TDLS_TESTING 1291 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1292 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1293 "FTIE"); 1294 ftie->ie_len += 170; 1295 *pos++ = 255; /* FTIE subelem */ 1296 *pos++ = 168; /* FTIE subelem length */ 1297 pos += 168; 1298 } 1299 #endif /* CONFIG_TDLS_TESTING */ 1300 1301 /* Lifetime */ 1302 lifetime = peer->lifetime; 1303 #ifdef CONFIG_TDLS_TESTING 1304 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1305 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1306 "lifetime in response"); 1307 lifetime++; 1308 } 1309 #endif /* CONFIG_TDLS_TESTING */ 1310 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1311 sizeof(timeoutie), lifetime); 1312 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1313 lifetime); 1314 1315 /* compute MIC before sending */ 1316 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1317 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1318 #ifdef CONFIG_TDLS_TESTING 1319 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1320 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1321 ftie->mic[0] ^= 0x01; 1322 } 1323 #endif /* CONFIG_TDLS_TESTING */ 1324 1325 skip_ies: 1326 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1327 dtoken, 0, 0, peer->initiator, rbuf, 1328 pos - rbuf); 1329 os_free(rbuf); 1330 1331 return status; 1332 } 1333 1334 1335 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1336 const unsigned char *src_addr, u8 dtoken, 1337 struct wpa_tdls_lnkid *lnkid, 1338 const struct wpa_tdls_peer *peer) 1339 { 1340 u8 *rbuf, *pos; 1341 size_t buf_len; 1342 struct wpa_tdls_ftie *ftie; 1343 struct wpa_tdls_timeoutie timeoutie; 1344 u32 lifetime; 1345 int status; 1346 u32 peer_capab = 0; 1347 1348 buf_len = 0; 1349 if (wpa_tdls_get_privacy(sm)) { 1350 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1351 * Lifetime */ 1352 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1353 sizeof(struct wpa_tdls_timeoutie); 1354 #ifdef CONFIG_TDLS_TESTING 1355 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1356 buf_len += 170; 1357 #endif /* CONFIG_TDLS_TESTING */ 1358 } 1359 1360 rbuf = os_zalloc(buf_len + 1); 1361 if (rbuf == NULL) 1362 return -1; 1363 pos = rbuf; 1364 1365 if (!wpa_tdls_get_privacy(sm)) 1366 goto skip_ies; 1367 1368 /* Peer RSN IE */ 1369 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1370 1371 ftie = (struct wpa_tdls_ftie *) pos; 1372 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1373 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1374 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1375 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1376 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1377 1378 pos = (u8 *) (ftie + 1); 1379 1380 #ifdef CONFIG_TDLS_TESTING 1381 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1382 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1383 "FTIE"); 1384 ftie->ie_len += 170; 1385 *pos++ = 255; /* FTIE subelem */ 1386 *pos++ = 168; /* FTIE subelem length */ 1387 pos += 168; 1388 } 1389 #endif /* CONFIG_TDLS_TESTING */ 1390 1391 /* Lifetime */ 1392 lifetime = peer->lifetime; 1393 #ifdef CONFIG_TDLS_TESTING 1394 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1395 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1396 "lifetime in confirm"); 1397 lifetime++; 1398 } 1399 #endif /* CONFIG_TDLS_TESTING */ 1400 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1401 sizeof(timeoutie), lifetime); 1402 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1403 lifetime); 1404 1405 /* compute MIC before sending */ 1406 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1407 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1408 #ifdef CONFIG_TDLS_TESTING 1409 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1410 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1411 ftie->mic[0] ^= 0x01; 1412 } 1413 #endif /* CONFIG_TDLS_TESTING */ 1414 1415 skip_ies: 1416 1417 if (peer->vht_capabilities) 1418 peer_capab |= TDLS_PEER_VHT; 1419 if (peer->ht_capabilities) 1420 peer_capab |= TDLS_PEER_HT; 1421 if (peer->wmm_capable) 1422 peer_capab |= TDLS_PEER_WMM; 1423 1424 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1425 dtoken, 0, peer_capab, peer->initiator, 1426 rbuf, pos - rbuf); 1427 os_free(rbuf); 1428 1429 return status; 1430 } 1431 1432 1433 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1434 struct wpa_tdls_peer *peer, 1435 u8 dialog_token) 1436 { 1437 size_t buf_len = 0; 1438 struct wpa_tdls_timeoutie timeoutie; 1439 u16 rsn_capab; 1440 u8 *rbuf, *pos, *count_pos; 1441 u16 count; 1442 struct rsn_ie_hdr *hdr; 1443 int status; 1444 1445 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1446 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1447 if (!wpa_tdls_get_privacy(sm)) 1448 goto skip_rsn_ies; 1449 1450 /* Filling RSN IE */ 1451 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1452 hdr->elem_id = WLAN_EID_RSN; 1453 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1454 pos = (u8 *) (hdr + 1); 1455 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1456 pos += RSN_SELECTOR_LEN; 1457 count_pos = pos; 1458 pos += 2; 1459 count = 0; 1460 1461 /* 1462 * AES-CCMP is the default encryption preferred for TDLS, so 1463 * RSN IE is filled only with CCMP cipher suite. 1464 * Note: TKIP is not used to encrypt TDLS link. 1465 * 1466 * Regardless of the cipher used on the AP connection, select CCMP 1467 * here. 1468 */ 1469 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1470 pos += RSN_SELECTOR_LEN; 1471 count++; 1472 WPA_PUT_LE16(count_pos, count); 1473 WPA_PUT_LE16(pos, 1); 1474 pos += 2; 1475 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1476 pos += RSN_SELECTOR_LEN; 1477 1478 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1479 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1480 WPA_PUT_LE16(pos, rsn_capab); 1481 pos += 2; 1482 hdr->len = (pos - (u8 *) hdr) - 2; 1483 peer->rsnie_i_len = pos - peer->rsnie_i; 1484 1485 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1486 (u8 *) hdr, hdr->len + 2); 1487 skip_rsn_ies: 1488 buf_len = 0; 1489 if (wpa_tdls_get_privacy(sm)) { 1490 /* Peer RSN IE, Lifetime */ 1491 buf_len += peer->rsnie_i_len + 1492 sizeof(struct wpa_tdls_timeoutie); 1493 } 1494 rbuf = os_zalloc(buf_len + 1); 1495 if (rbuf == NULL) { 1496 wpa_tdls_peer_free(sm, peer); 1497 return -1; 1498 } 1499 pos = rbuf; 1500 1501 if (!wpa_tdls_get_privacy(sm)) 1502 goto skip_ies; 1503 /* Initiator RSN IE */ 1504 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1505 /* Lifetime */ 1506 peer->lifetime = TPK_LIFETIME; 1507 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1508 sizeof(timeoutie), peer->lifetime); 1509 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1510 skip_ies: 1511 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1512 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1513 os_free(rbuf); 1514 1515 return status; 1516 } 1517 1518 1519 static int 1520 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1521 const u8 *buf, size_t len) 1522 { 1523 struct wpa_eapol_ie_parse kde; 1524 const struct wpa_tdls_lnkid *lnkid; 1525 struct wpa_tdls_peer *peer; 1526 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1527 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1528 u8 dialog_token; 1529 1530 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1531 MAC2STR(addr)); 1532 1533 if (len < min_req_len) { 1534 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1535 "%d", (int) len); 1536 return -1; 1537 } 1538 1539 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1540 1541 /* 1542 * Some APs will tack on a weird IE to the end of a TDLS 1543 * discovery request packet. This needn't fail the response, 1544 * since the required IE are verified separately. 1545 */ 1546 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1547 len - (sizeof(struct wpa_tdls_frame) + 1), 1548 &kde) < 0) { 1549 wpa_printf(MSG_DEBUG, 1550 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1551 } 1552 1553 if (!kde.lnkid) { 1554 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1555 "Request"); 1556 return -1; 1557 } 1558 1559 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1560 1561 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1562 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1563 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1564 return -1; 1565 } 1566 1567 peer = wpa_tdls_add_peer(sm, addr, NULL); 1568 if (peer == NULL) 1569 return -1; 1570 1571 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1572 } 1573 1574 1575 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1576 { 1577 if (sm->tdls_disabled || !sm->tdls_supported) 1578 return -1; 1579 1580 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1581 MACSTR, MAC2STR(addr)); 1582 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1583 1, 0, 0, 1, NULL, 0); 1584 } 1585 1586 1587 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1588 struct wpa_tdls_peer *peer) 1589 { 1590 if (!kde->supp_rates) { 1591 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1592 return -1; 1593 } 1594 peer->supp_rates_len = merge_byte_arrays( 1595 peer->supp_rates, sizeof(peer->supp_rates), 1596 kde->supp_rates + 2, kde->supp_rates_len - 2, 1597 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1598 kde->ext_supp_rates_len - 2); 1599 return 0; 1600 } 1601 1602 1603 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1604 struct wpa_tdls_peer *peer) 1605 { 1606 if (!kde->ht_capabilities) { 1607 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1608 "received"); 1609 return 0; 1610 } 1611 1612 if (!peer->ht_capabilities) { 1613 peer->ht_capabilities = 1614 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1615 if (peer->ht_capabilities == NULL) 1616 return -1; 1617 } 1618 1619 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1620 sizeof(struct ieee80211_ht_capabilities)); 1621 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1622 (u8 *) peer->ht_capabilities, 1623 sizeof(struct ieee80211_ht_capabilities)); 1624 1625 return 0; 1626 } 1627 1628 1629 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1630 struct wpa_tdls_peer *peer) 1631 { 1632 if (!kde->vht_capabilities) { 1633 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1634 "received"); 1635 return 0; 1636 } 1637 1638 if (!peer->vht_capabilities) { 1639 peer->vht_capabilities = 1640 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1641 if (peer->vht_capabilities == NULL) 1642 return -1; 1643 } 1644 1645 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1646 sizeof(struct ieee80211_vht_capabilities)); 1647 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1648 (u8 *) peer->vht_capabilities, 1649 sizeof(struct ieee80211_vht_capabilities)); 1650 1651 return 0; 1652 } 1653 1654 1655 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1656 struct wpa_tdls_peer *peer) 1657 { 1658 if (!kde->ext_capab) { 1659 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1660 "received"); 1661 return 0; 1662 } 1663 1664 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1665 /* Need to allocate buffer to fit the new information */ 1666 os_free(peer->ext_capab); 1667 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1668 if (peer->ext_capab == NULL) 1669 return -1; 1670 } 1671 1672 peer->ext_capab_len = kde->ext_capab_len - 2; 1673 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1674 1675 return 0; 1676 } 1677 1678 1679 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1680 struct wpa_tdls_peer *peer) 1681 { 1682 struct wmm_information_element *wmm; 1683 1684 if (!kde->wmm) { 1685 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1686 return 0; 1687 } 1688 1689 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1690 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1691 return -1; 1692 } 1693 1694 wmm = (struct wmm_information_element *) kde->wmm; 1695 peer->qos_info = wmm->qos_info; 1696 1697 peer->wmm_capable = 1; 1698 1699 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1700 return 0; 1701 } 1702 1703 1704 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1705 struct wpa_tdls_peer *peer) 1706 { 1707 if (!kde->supp_channels) { 1708 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1709 return 0; 1710 } 1711 1712 if (!peer->supp_channels || 1713 peer->supp_channels_len < kde->supp_channels_len) { 1714 os_free(peer->supp_channels); 1715 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1716 if (peer->supp_channels == NULL) 1717 return -1; 1718 } 1719 1720 peer->supp_channels_len = kde->supp_channels_len; 1721 1722 os_memcpy(peer->supp_channels, kde->supp_channels, 1723 peer->supp_channels_len); 1724 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1725 (u8 *) peer->supp_channels, peer->supp_channels_len); 1726 return 0; 1727 } 1728 1729 1730 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1731 struct wpa_tdls_peer *peer) 1732 { 1733 if (!kde->supp_oper_classes) { 1734 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1735 return 0; 1736 } 1737 1738 if (!peer->supp_oper_classes || 1739 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1740 os_free(peer->supp_oper_classes); 1741 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1742 if (peer->supp_oper_classes == NULL) 1743 return -1; 1744 } 1745 1746 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1747 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1748 peer->supp_oper_classes_len); 1749 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1750 (u8 *) peer->supp_oper_classes, 1751 peer->supp_oper_classes_len); 1752 return 0; 1753 } 1754 1755 1756 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1757 int add) 1758 { 1759 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1760 peer->capability, 1761 peer->supp_rates, peer->supp_rates_len, 1762 peer->ht_capabilities, 1763 peer->vht_capabilities, 1764 peer->qos_info, peer->wmm_capable, 1765 peer->ext_capab, peer->ext_capab_len, 1766 peer->supp_channels, 1767 peer->supp_channels_len, 1768 peer->supp_oper_classes, 1769 peer->supp_oper_classes_len); 1770 } 1771 1772 1773 static int tdls_nonce_set(const u8 *nonce) 1774 { 1775 int i; 1776 1777 for (i = 0; i < WPA_NONCE_LEN; i++) { 1778 if (nonce[i]) 1779 return 1; 1780 } 1781 1782 return 0; 1783 } 1784 1785 1786 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1787 const u8 *buf, size_t len) 1788 { 1789 struct wpa_tdls_peer *peer; 1790 struct wpa_eapol_ie_parse kde; 1791 struct wpa_ie_data ie; 1792 int cipher; 1793 const u8 *cpos; 1794 struct wpa_tdls_ftie *ftie = NULL; 1795 struct wpa_tdls_timeoutie *timeoutie; 1796 struct wpa_tdls_lnkid *lnkid; 1797 u32 lifetime = 0; 1798 #if 0 1799 struct rsn_ie_hdr *hdr; 1800 u8 *pos; 1801 u16 rsn_capab; 1802 u16 rsn_ver; 1803 #endif 1804 u8 dtoken; 1805 u16 ielen; 1806 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1807 int tdls_prohibited = sm->tdls_prohibited; 1808 int existing_peer = 0; 1809 1810 if (len < 3 + 3) 1811 return -1; 1812 1813 cpos = buf; 1814 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1815 1816 /* driver had already verified the frame format */ 1817 dtoken = *cpos++; /* dialog token */ 1818 1819 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1820 1821 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1822 if (peer == NULL) 1823 goto error; 1824 1825 /* If found, use existing entry instead of adding a new one; 1826 * how to handle the case where both ends initiate at the 1827 * same time? */ 1828 if (existing_peer) { 1829 if (peer->tpk_success) { 1830 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1831 "direct link is enabled - tear down the " 1832 "old link first"); 1833 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1834 wpa_tdls_peer_clear(sm, peer); 1835 } else if (peer->initiator) { 1836 /* 1837 * An entry is already present, so check if we already 1838 * sent a TDLS Setup Request. If so, compare MAC 1839 * addresses and let the STA with the lower MAC address 1840 * continue as the initiator. The other negotiation is 1841 * terminated. 1842 */ 1843 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1844 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1845 "from peer with higher address " 1846 MACSTR, MAC2STR(src_addr)); 1847 return -1; 1848 } else { 1849 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1850 "from peer with lower address " 1851 MACSTR " (terminate previously " 1852 "initiated negotiation", 1853 MAC2STR(src_addr)); 1854 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1855 peer->addr); 1856 wpa_tdls_peer_clear(sm, peer); 1857 } 1858 } 1859 } 1860 1861 /* capability information */ 1862 peer->capability = WPA_GET_LE16(cpos); 1863 cpos += 2; 1864 1865 ielen = len - (cpos - buf); /* start of IE in buf */ 1866 1867 /* 1868 * Don't reject the message if failing to parse IEs. The IEs we need are 1869 * explicitly checked below. Some APs may add arbitrary padding to the 1870 * end of short TDLS frames and that would look like invalid IEs. 1871 */ 1872 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1873 wpa_printf(MSG_DEBUG, 1874 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1875 1876 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1877 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1878 "TPK M1"); 1879 goto error; 1880 } 1881 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1882 kde.lnkid, kde.lnkid_len); 1883 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1884 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1885 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1886 status = WLAN_STATUS_REQUEST_DECLINED; 1887 goto error; 1888 } 1889 1890 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1891 MAC2STR(src_addr)); 1892 1893 if (copy_supp_rates(&kde, peer) < 0) 1894 goto error; 1895 1896 if (copy_peer_ht_capab(&kde, peer) < 0) 1897 goto error; 1898 1899 if (copy_peer_vht_capab(&kde, peer) < 0) 1900 goto error; 1901 1902 if (copy_peer_ext_capab(&kde, peer) < 0) 1903 goto error; 1904 1905 if (copy_peer_supp_channels(&kde, peer) < 0) 1906 goto error; 1907 1908 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1909 goto error; 1910 1911 peer->qos_info = kde.qosinfo; 1912 1913 /* Overwrite with the qos_info obtained in WMM IE */ 1914 if (copy_peer_wmm_capab(&kde, peer) < 0) 1915 goto error; 1916 1917 peer->aid = kde.aid; 1918 1919 #ifdef CONFIG_TDLS_TESTING 1920 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1921 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1922 if (peer == NULL) 1923 goto error; 1924 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1925 "TDLS setup - send own request"); 1926 peer->initiator = 1; 1927 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1928 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1929 wpa_tdls_send_tpk_m1(sm, peer); 1930 } 1931 1932 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1933 tdls_prohibited) { 1934 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1935 "on TDLS"); 1936 tdls_prohibited = 0; 1937 } 1938 #endif /* CONFIG_TDLS_TESTING */ 1939 1940 if (tdls_prohibited) { 1941 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1942 status = WLAN_STATUS_REQUEST_DECLINED; 1943 goto error; 1944 } 1945 1946 if (!wpa_tdls_get_privacy(sm)) { 1947 if (kde.rsn_ie) { 1948 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1949 "security is disabled"); 1950 status = WLAN_STATUS_SECURITY_DISABLED; 1951 goto error; 1952 } 1953 goto skip_rsn; 1954 } 1955 1956 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1957 kde.rsn_ie == NULL) { 1958 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1959 status = WLAN_STATUS_INVALID_PARAMETERS; 1960 goto error; 1961 } 1962 1963 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1964 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1965 "TPK M1"); 1966 status = WLAN_STATUS_INVALID_RSNIE; 1967 goto error; 1968 } 1969 1970 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1971 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1972 status = WLAN_STATUS_INVALID_RSNIE; 1973 goto error; 1974 } 1975 1976 cipher = ie.pairwise_cipher; 1977 if (cipher & WPA_CIPHER_CCMP) { 1978 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1979 cipher = WPA_CIPHER_CCMP; 1980 } else { 1981 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1982 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1983 goto error; 1984 } 1985 1986 if ((ie.capabilities & 1987 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1988 WPA_CAPABILITY_PEERKEY_ENABLED) { 1989 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1990 "TPK M1"); 1991 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1992 goto error; 1993 } 1994 1995 /* Lifetime */ 1996 if (kde.key_lifetime == NULL) { 1997 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1998 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1999 goto error; 2000 } 2001 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2002 lifetime = WPA_GET_LE32(timeoutie->value); 2003 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 2004 if (lifetime < 300) { 2005 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2006 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2007 goto error; 2008 } 2009 2010 skip_rsn: 2011 #ifdef CONFIG_TDLS_TESTING 2012 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2013 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2014 /* 2015 * The request frame from us is going to win, so do not 2016 * replace information based on this request frame from 2017 * the peer. 2018 */ 2019 goto skip_rsn_check; 2020 } 2021 } 2022 #endif /* CONFIG_TDLS_TESTING */ 2023 2024 peer->initiator = 0; /* Need to check */ 2025 peer->dtoken = dtoken; 2026 2027 if (!wpa_tdls_get_privacy(sm)) { 2028 peer->rsnie_i_len = 0; 2029 peer->rsnie_p_len = 0; 2030 peer->cipher = WPA_CIPHER_NONE; 2031 goto skip_rsn_check; 2032 } 2033 2034 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2035 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2036 peer->rsnie_i_len = kde.rsn_ie_len; 2037 peer->cipher = cipher; 2038 2039 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2040 !tdls_nonce_set(peer->inonce)) { 2041 /* 2042 * There is no point in updating the RNonce for every obtained 2043 * TPK M1 frame (e.g., retransmission due to timeout) with the 2044 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2045 * retransmitted with a different INonce, update the RNonce 2046 * since this is for a new TDLS session. 2047 */ 2048 wpa_printf(MSG_DEBUG, 2049 "TDLS: New TPK M1 INonce - generate new RNonce"); 2050 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2051 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2052 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2053 "TDLS: Failed to get random data for responder nonce"); 2054 goto error; 2055 } 2056 peer->tk_set = 0; /* A new nonce results in a new TK */ 2057 } 2058 2059 #if 0 2060 /* get version info from RSNIE received from Peer */ 2061 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2062 rsn_ver = WPA_GET_LE16(hdr->version); 2063 2064 /* use min(peer's version, out version) */ 2065 if (rsn_ver > RSN_VERSION) 2066 rsn_ver = RSN_VERSION; 2067 2068 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2069 2070 hdr->elem_id = WLAN_EID_RSN; 2071 WPA_PUT_LE16(hdr->version, rsn_ver); 2072 pos = (u8 *) (hdr + 1); 2073 2074 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2075 pos += RSN_SELECTOR_LEN; 2076 /* Include only the selected cipher in pairwise cipher suite */ 2077 WPA_PUT_LE16(pos, 1); 2078 pos += 2; 2079 if (cipher == WPA_CIPHER_CCMP) 2080 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2081 pos += RSN_SELECTOR_LEN; 2082 2083 WPA_PUT_LE16(pos, 1); 2084 pos += 2; 2085 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2086 pos += RSN_SELECTOR_LEN; 2087 2088 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2089 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2090 WPA_PUT_LE16(pos, rsn_capab); 2091 pos += 2; 2092 2093 hdr->len = (pos - peer->rsnie_p) - 2; 2094 peer->rsnie_p_len = pos - peer->rsnie_p; 2095 #endif 2096 2097 /* temp fix: validation of RSNIE later */ 2098 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2099 peer->rsnie_p_len = peer->rsnie_i_len; 2100 2101 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2102 peer->rsnie_p, peer->rsnie_p_len); 2103 2104 peer->lifetime = lifetime; 2105 2106 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2107 2108 skip_rsn_check: 2109 #ifdef CONFIG_TDLS_TESTING 2110 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2111 goto skip_add_peer; 2112 #endif /* CONFIG_TDLS_TESTING */ 2113 2114 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2115 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2116 goto error; 2117 2118 #ifdef CONFIG_TDLS_TESTING 2119 skip_add_peer: 2120 #endif /* CONFIG_TDLS_TESTING */ 2121 peer->tpk_in_progress = 1; 2122 2123 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2124 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2125 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2126 goto error; 2127 } 2128 2129 return 0; 2130 2131 error: 2132 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2133 status); 2134 if (peer) 2135 wpa_tdls_peer_free(sm, peer); 2136 return -1; 2137 } 2138 2139 2140 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2141 { 2142 peer->tpk_success = 1; 2143 peer->tpk_in_progress = 0; 2144 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2145 if (wpa_tdls_get_privacy(sm)) { 2146 u32 lifetime = peer->lifetime; 2147 /* 2148 * Start the initiator process a bit earlier to avoid race 2149 * condition with the responder sending teardown request. 2150 */ 2151 if (lifetime > 3 && peer->initiator) 2152 lifetime -= 3; 2153 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2154 sm, peer); 2155 #ifdef CONFIG_TDLS_TESTING 2156 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2157 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2158 "expiration"); 2159 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2160 } 2161 #endif /* CONFIG_TDLS_TESTING */ 2162 } 2163 2164 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2165 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2166 "driver"); 2167 return -1; 2168 } 2169 peer->reconfig_key = 0; 2170 2171 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2172 } 2173 2174 2175 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2176 const u8 *buf, size_t len) 2177 { 2178 struct wpa_tdls_peer *peer; 2179 struct wpa_eapol_ie_parse kde; 2180 struct wpa_ie_data ie; 2181 int cipher; 2182 struct wpa_tdls_ftie *ftie; 2183 struct wpa_tdls_timeoutie *timeoutie; 2184 struct wpa_tdls_lnkid *lnkid; 2185 u32 lifetime; 2186 u8 dtoken; 2187 int ielen; 2188 u16 status; 2189 const u8 *pos; 2190 int ret = 0; 2191 2192 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2193 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2194 for (peer = sm->tdls; peer; peer = peer->next) { 2195 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2196 break; 2197 } 2198 if (peer == NULL) { 2199 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2200 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2201 return -1; 2202 } 2203 if (!peer->initiator) { 2204 /* 2205 * This may happen if both devices try to initiate TDLS at the 2206 * same time and we accept the TPK M1 from the peer in 2207 * wpa_tdls_process_tpk_m1() and clear our previous state. 2208 */ 2209 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2210 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2211 return -1; 2212 } 2213 2214 if (peer->tpk_success) { 2215 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2216 MACSTR " as TPK M3 was already sent", 2217 MAC2STR(src_addr)); 2218 return 0; 2219 } 2220 2221 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2222 2223 if (len < 3 + 2 + 1) { 2224 wpa_tdls_disable_peer_link(sm, peer); 2225 return -1; 2226 } 2227 2228 pos = buf; 2229 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2230 status = WPA_GET_LE16(pos); 2231 pos += 2 /* status code */; 2232 2233 if (status != WLAN_STATUS_SUCCESS) { 2234 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2235 status); 2236 wpa_tdls_disable_peer_link(sm, peer); 2237 return -1; 2238 } 2239 2240 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2241 2242 /* TODO: need to verify dialog token matches here or in kernel */ 2243 dtoken = *pos++; /* dialog token */ 2244 2245 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2246 2247 if (len < 3 + 2 + 1 + 2) { 2248 wpa_tdls_disable_peer_link(sm, peer); 2249 return -1; 2250 } 2251 2252 /* capability information */ 2253 peer->capability = WPA_GET_LE16(pos); 2254 pos += 2; 2255 2256 ielen = len - (pos - buf); /* start of IE in buf */ 2257 2258 /* 2259 * Don't reject the message if failing to parse IEs. The IEs we need are 2260 * explicitly checked below. Some APs may add arbitrary padding to the 2261 * end of short TDLS frames and that would look like invalid IEs. 2262 */ 2263 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2264 wpa_printf(MSG_DEBUG, 2265 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2266 2267 #ifdef CONFIG_TDLS_TESTING 2268 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2269 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2270 status = WLAN_STATUS_REQUEST_DECLINED; 2271 goto error; 2272 } 2273 #endif /* CONFIG_TDLS_TESTING */ 2274 2275 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2276 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2277 "TPK M2"); 2278 goto error; 2279 } 2280 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2281 kde.lnkid, kde.lnkid_len); 2282 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2283 2284 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2285 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2286 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2287 goto error; 2288 } 2289 2290 if (copy_supp_rates(&kde, peer) < 0) 2291 goto error; 2292 2293 if (copy_peer_ht_capab(&kde, peer) < 0) 2294 goto error; 2295 2296 if (copy_peer_vht_capab(&kde, peer) < 0) 2297 goto error; 2298 2299 if (copy_peer_ext_capab(&kde, peer) < 0) 2300 goto error; 2301 2302 if (copy_peer_supp_channels(&kde, peer) < 0) 2303 goto error; 2304 2305 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2306 goto error; 2307 2308 peer->qos_info = kde.qosinfo; 2309 2310 /* Overwrite with the qos_info obtained in WMM IE */ 2311 if (copy_peer_wmm_capab(&kde, peer) < 0) 2312 goto error; 2313 2314 peer->aid = kde.aid; 2315 2316 if (!wpa_tdls_get_privacy(sm)) { 2317 peer->rsnie_p_len = 0; 2318 peer->cipher = WPA_CIPHER_NONE; 2319 goto skip_rsn; 2320 } 2321 2322 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2323 kde.rsn_ie == NULL) { 2324 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2325 status = WLAN_STATUS_INVALID_PARAMETERS; 2326 goto error; 2327 } 2328 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2329 kde.rsn_ie, kde.rsn_ie_len); 2330 2331 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2332 wpa_printf(MSG_INFO, 2333 "TDLS: Too long Responder RSN IE in TPK M2"); 2334 status = WLAN_STATUS_INVALID_RSNIE; 2335 goto error; 2336 } 2337 2338 /* 2339 * FIX: bitwise comparison of RSN IE is not the correct way of 2340 * validation this. It can be different, but certain fields must 2341 * match. Since we list only a single pairwise cipher in TPK M1, the 2342 * memcmp is likely to work in most cases, though. 2343 */ 2344 if (kde.rsn_ie_len != peer->rsnie_i_len || 2345 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2346 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2347 "not match with RSN IE used in TPK M1"); 2348 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2349 peer->rsnie_i, peer->rsnie_i_len); 2350 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2351 kde.rsn_ie, kde.rsn_ie_len); 2352 status = WLAN_STATUS_INVALID_RSNIE; 2353 goto error; 2354 } 2355 2356 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2357 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2358 status = WLAN_STATUS_INVALID_RSNIE; 2359 goto error; 2360 } 2361 2362 cipher = ie.pairwise_cipher; 2363 if (cipher == WPA_CIPHER_CCMP) { 2364 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2365 cipher = WPA_CIPHER_CCMP; 2366 } else { 2367 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2368 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2369 goto error; 2370 } 2371 2372 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2373 kde.ftie, sizeof(*ftie)); 2374 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2375 2376 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2377 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2378 "not match with FTIE SNonce used in TPK M1"); 2379 /* Silently discard the frame */ 2380 return -1; 2381 } 2382 2383 /* Responder Nonce and RSN IE */ 2384 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2385 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2386 peer->rsnie_p_len = kde.rsn_ie_len; 2387 peer->cipher = cipher; 2388 2389 /* Lifetime */ 2390 if (kde.key_lifetime == NULL) { 2391 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2392 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2393 goto error; 2394 } 2395 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2396 lifetime = WPA_GET_LE32(timeoutie->value); 2397 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2398 lifetime); 2399 if (lifetime != peer->lifetime) { 2400 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2401 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2402 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2403 goto error; 2404 } 2405 2406 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2407 2408 /* Process MIC check to see if TPK M2 is right */ 2409 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2410 (u8 *) timeoutie, ftie) < 0) { 2411 /* Discard the frame */ 2412 wpa_tdls_del_key(sm, peer); 2413 wpa_tdls_disable_peer_link(sm, peer); 2414 return -1; 2415 } 2416 2417 if (wpa_tdls_set_key(sm, peer) < 0) { 2418 /* 2419 * Some drivers may not be able to config the key prior to full 2420 * STA entry having been configured. 2421 */ 2422 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2423 "STA entry is complete"); 2424 peer->reconfig_key = 1; 2425 } 2426 2427 skip_rsn: 2428 peer->dtoken = dtoken; 2429 2430 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2431 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2432 goto error; 2433 2434 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2435 "TPK Handshake Message 3"); 2436 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2437 goto error_no_msg; 2438 2439 if (!peer->tpk_success) { 2440 /* 2441 * Enable Link only when tpk_success is 0, signifying that this 2442 * processing of TPK M2 frame is not because of a retransmission 2443 * during TDLS setup handshake. 2444 */ 2445 ret = wpa_tdls_enable_link(sm, peer); 2446 if (ret < 0) { 2447 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2448 wpa_tdls_do_teardown( 2449 sm, peer, 2450 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2451 } 2452 } 2453 return ret; 2454 2455 error: 2456 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2457 status); 2458 error_no_msg: 2459 wpa_tdls_disable_peer_link(sm, peer); 2460 return -1; 2461 } 2462 2463 2464 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2465 const u8 *buf, size_t len) 2466 { 2467 struct wpa_tdls_peer *peer; 2468 struct wpa_eapol_ie_parse kde; 2469 struct wpa_tdls_ftie *ftie; 2470 struct wpa_tdls_timeoutie *timeoutie; 2471 struct wpa_tdls_lnkid *lnkid; 2472 int ielen; 2473 u16 status; 2474 const u8 *pos; 2475 u32 lifetime; 2476 int ret = 0; 2477 2478 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2479 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2480 for (peer = sm->tdls; peer; peer = peer->next) { 2481 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2482 break; 2483 } 2484 if (peer == NULL) { 2485 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2486 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2487 return -1; 2488 } 2489 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2490 2491 if (len < 3 + 3) 2492 goto error; 2493 pos = buf; 2494 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2495 2496 status = WPA_GET_LE16(pos); 2497 2498 if (status != 0) { 2499 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2500 status); 2501 goto error; 2502 } 2503 pos += 2 /* status code */ + 1 /* dialog token */; 2504 2505 ielen = len - (pos - buf); /* start of IE in buf */ 2506 2507 /* 2508 * Don't reject the message if failing to parse IEs. The IEs we need are 2509 * explicitly checked below. Some APs piggy-back broken IEs to the end 2510 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2511 * this error. 2512 */ 2513 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2514 wpa_printf(MSG_DEBUG, 2515 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2516 } 2517 2518 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2519 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2520 goto error; 2521 } 2522 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2523 (u8 *) kde.lnkid, kde.lnkid_len); 2524 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2525 2526 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2527 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2528 goto error; 2529 } 2530 2531 if (!wpa_tdls_get_privacy(sm)) 2532 goto skip_rsn; 2533 2534 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2535 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2536 goto error; 2537 } 2538 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2539 kde.ftie, sizeof(*ftie)); 2540 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2541 2542 if (kde.rsn_ie == NULL) { 2543 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2544 goto error; 2545 } 2546 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2547 kde.rsn_ie, kde.rsn_ie_len); 2548 if (kde.rsn_ie_len != peer->rsnie_p_len || 2549 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2550 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2551 "with the one sent in TPK M2"); 2552 goto error; 2553 } 2554 2555 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) { 2556 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2557 "not match with FTIE ANonce used in TPK M2"); 2558 goto error; 2559 } 2560 2561 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 2562 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2563 "match with FTIE SNonce used in TPK M1"); 2564 goto error; 2565 } 2566 2567 if (kde.key_lifetime == NULL) { 2568 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2569 goto error; 2570 } 2571 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2572 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2573 (u8 *) timeoutie, sizeof(*timeoutie)); 2574 lifetime = WPA_GET_LE32(timeoutie->value); 2575 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2576 lifetime); 2577 if (lifetime != peer->lifetime) { 2578 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2579 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2580 goto error; 2581 } 2582 2583 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2584 (u8 *) timeoutie, ftie) < 0) { 2585 wpa_tdls_del_key(sm, peer); 2586 goto error; 2587 } 2588 2589 if (wpa_tdls_set_key(sm, peer) < 0) { 2590 /* 2591 * Some drivers may not be able to config the key prior to full 2592 * STA entry having been configured. 2593 */ 2594 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2595 "STA entry is complete"); 2596 peer->reconfig_key = 1; 2597 } 2598 2599 skip_rsn: 2600 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2601 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2602 goto error; 2603 2604 if (!peer->tpk_success) { 2605 /* 2606 * Enable Link only when tpk_success is 0, signifying that this 2607 * processing of TPK M3 frame is not because of a retransmission 2608 * during TDLS setup handshake. 2609 */ 2610 ret = wpa_tdls_enable_link(sm, peer); 2611 if (ret < 0) { 2612 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2613 goto error; 2614 } 2615 } 2616 return ret; 2617 error: 2618 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2619 return -1; 2620 } 2621 2622 2623 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2624 { 2625 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2626 2627 os_memset(lifetime, 0, ie_len); 2628 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2629 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2630 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2631 WPA_PUT_LE32(lifetime->value, tsecs); 2632 os_memcpy(pos, ie, ie_len); 2633 return pos + ie_len; 2634 } 2635 2636 2637 /** 2638 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2639 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2640 * @peer: MAC address of the peer STA 2641 * Returns: 0 on success, or -1 on failure 2642 * 2643 * Send TPK Handshake Message 1 info to driver to start TDLS 2644 * handshake with the peer. 2645 */ 2646 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2647 { 2648 struct wpa_tdls_peer *peer; 2649 int tdls_prohibited = sm->tdls_prohibited; 2650 2651 if (sm->tdls_disabled || !sm->tdls_supported) 2652 return -1; 2653 2654 #ifdef CONFIG_TDLS_TESTING 2655 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2656 tdls_prohibited) { 2657 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2658 "on TDLS"); 2659 tdls_prohibited = 0; 2660 } 2661 #endif /* CONFIG_TDLS_TESTING */ 2662 2663 if (tdls_prohibited) { 2664 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2665 "reject request to start setup"); 2666 return -1; 2667 } 2668 2669 peer = wpa_tdls_add_peer(sm, addr, NULL); 2670 if (peer == NULL) 2671 return -1; 2672 2673 if (peer->tpk_in_progress) { 2674 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2675 return 0; 2676 } 2677 2678 peer->initiator = 1; 2679 2680 /* add the peer to the driver as a "setup in progress" peer */ 2681 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2682 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2683 wpa_tdls_disable_peer_link(sm, peer); 2684 return -1; 2685 } 2686 2687 peer->tpk_in_progress = 1; 2688 2689 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2690 wpa_tdls_disable_peer_link(sm, peer); 2691 return -1; 2692 } 2693 2694 return 0; 2695 } 2696 2697 2698 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2699 { 2700 struct wpa_tdls_peer *peer; 2701 2702 if (sm->tdls_disabled || !sm->tdls_supported) 2703 return; 2704 2705 for (peer = sm->tdls; peer; peer = peer->next) { 2706 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2707 break; 2708 } 2709 2710 if (peer == NULL || !peer->tpk_success) 2711 return; 2712 2713 if (sm->tdls_external_setup) { 2714 /* 2715 * Disable previous link to allow renegotiation to be completed 2716 * on AP path. 2717 */ 2718 wpa_tdls_do_teardown(sm, peer, 2719 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2720 } 2721 } 2722 2723 2724 /** 2725 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2726 * 2727 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2728 */ 2729 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2730 const u8 *buf, size_t len) 2731 { 2732 struct wpa_sm *sm = ctx; 2733 struct wpa_tdls_frame *tf; 2734 2735 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2736 buf, len); 2737 2738 if (sm->tdls_disabled || !sm->tdls_supported) { 2739 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2740 "or unsupported by driver"); 2741 return; 2742 } 2743 2744 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2745 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2746 return; 2747 } 2748 2749 if (len < sizeof(*tf)) { 2750 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2751 return; 2752 } 2753 2754 /* Check to make sure its a valid encapsulated TDLS frame */ 2755 tf = (struct wpa_tdls_frame *) buf; 2756 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2757 tf->category != WLAN_ACTION_TDLS) { 2758 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2759 "category=%u action=%u", 2760 tf->payloadtype, tf->category, tf->action); 2761 return; 2762 } 2763 2764 switch (tf->action) { 2765 case WLAN_TDLS_SETUP_REQUEST: 2766 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2767 break; 2768 case WLAN_TDLS_SETUP_RESPONSE: 2769 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2770 break; 2771 case WLAN_TDLS_SETUP_CONFIRM: 2772 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2773 break; 2774 case WLAN_TDLS_TEARDOWN: 2775 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2776 break; 2777 case WLAN_TDLS_DISCOVERY_REQUEST: 2778 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2779 break; 2780 default: 2781 /* Kernel code will process remaining frames */ 2782 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2783 tf->action); 2784 break; 2785 } 2786 } 2787 2788 2789 /** 2790 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2791 * @wpa_s: Pointer to wpa_supplicant data 2792 * Returns: 0 on success, -1 on failure 2793 * 2794 * This function is called to initialize driver interface parameters for TDLS. 2795 * wpa_drv_init() must have been called before this function to initialize the 2796 * driver interface. 2797 */ 2798 int wpa_tdls_init(struct wpa_sm *sm) 2799 { 2800 if (sm == NULL) 2801 return -1; 2802 2803 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2804 sm->ifname, 2805 sm->own_addr, 2806 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2807 sm, 0); 2808 if (sm->l2_tdls == NULL) { 2809 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2810 "connection"); 2811 return -1; 2812 } 2813 2814 /* 2815 * Drivers that support TDLS but don't implement the get_capa callback 2816 * are assumed to perform everything internally 2817 */ 2818 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2819 &sm->tdls_external_setup, 2820 &sm->tdls_chan_switch) < 0) { 2821 sm->tdls_supported = 1; 2822 sm->tdls_external_setup = 0; 2823 } 2824 2825 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2826 "driver", sm->tdls_supported ? "" : " not"); 2827 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2828 sm->tdls_external_setup ? "external" : "internal"); 2829 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2830 sm->tdls_chan_switch ? "supports" : "does not support"); 2831 2832 return 0; 2833 } 2834 2835 2836 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2837 { 2838 struct wpa_tdls_peer *peer, *tmp; 2839 2840 if (!sm) 2841 return; 2842 peer = sm->tdls; 2843 2844 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2845 2846 while (peer) { 2847 tmp = peer->next; 2848 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2849 MAC2STR(peer->addr)); 2850 if (sm->tdls_external_setup) 2851 wpa_tdls_do_teardown(sm, peer, 2852 WLAN_REASON_DEAUTH_LEAVING); 2853 else 2854 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2855 2856 peer = tmp; 2857 } 2858 } 2859 2860 2861 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2862 { 2863 struct wpa_tdls_peer *peer, *tmp; 2864 2865 peer = sm->tdls; 2866 2867 while (peer) { 2868 int res; 2869 tmp = peer->next; 2870 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2871 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2872 MAC2STR(peer->addr), res); 2873 wpa_tdls_peer_free(sm, peer); 2874 peer = tmp; 2875 } 2876 } 2877 2878 2879 /** 2880 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2881 * 2882 * This function is called to recover driver interface parameters for TDLS 2883 * and frees resources allocated for it. 2884 */ 2885 void wpa_tdls_deinit(struct wpa_sm *sm) 2886 { 2887 if (sm == NULL) 2888 return; 2889 2890 if (sm->l2_tdls) 2891 l2_packet_deinit(sm->l2_tdls); 2892 sm->l2_tdls = NULL; 2893 2894 wpa_tdls_remove_peers(sm); 2895 } 2896 2897 2898 void wpa_tdls_assoc(struct wpa_sm *sm) 2899 { 2900 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2901 wpa_tdls_remove_peers(sm); 2902 } 2903 2904 2905 void wpa_tdls_disassoc(struct wpa_sm *sm) 2906 { 2907 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2908 wpa_tdls_remove_peers(sm); 2909 } 2910 2911 2912 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2913 { 2914 /* bit 38 - TDLS Prohibited */ 2915 return !!(elems->ext_capab[2 + 4] & 0x40); 2916 } 2917 2918 2919 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2920 { 2921 /* bit 39 - TDLS Channel Switch Prohibited */ 2922 return !!(elems->ext_capab[2 + 4] & 0x80); 2923 } 2924 2925 2926 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2927 { 2928 struct ieee802_11_elems elems; 2929 2930 sm->tdls_prohibited = 0; 2931 sm->tdls_chan_switch_prohibited = 0; 2932 2933 if (ies == NULL || 2934 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2935 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2936 return; 2937 2938 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2939 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2940 sm->tdls_prohibited ? "prohibited" : "allowed"); 2941 sm->tdls_chan_switch_prohibited = 2942 wpa_tdls_chan_switch_prohibited(&elems); 2943 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2944 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2945 } 2946 2947 2948 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2949 { 2950 struct ieee802_11_elems elems; 2951 2952 if (ies == NULL || 2953 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2954 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2955 return; 2956 2957 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2958 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2959 "(Re)Association Response IEs"); 2960 sm->tdls_prohibited = 1; 2961 } 2962 2963 if (!sm->tdls_chan_switch_prohibited && 2964 wpa_tdls_chan_switch_prohibited(&elems)) { 2965 wpa_printf(MSG_DEBUG, 2966 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2967 sm->tdls_chan_switch_prohibited = 1; 2968 } 2969 } 2970 2971 2972 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2973 { 2974 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2975 sm->tdls_disabled = !enabled; 2976 } 2977 2978 2979 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2980 { 2981 return sm->tdls_external_setup; 2982 } 2983 2984 2985 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2986 u8 oper_class, 2987 struct hostapd_freq_params *freq_params) 2988 { 2989 struct wpa_tdls_peer *peer; 2990 int ret; 2991 2992 if (sm->tdls_disabled || !sm->tdls_supported) 2993 return -1; 2994 2995 if (!sm->tdls_chan_switch) { 2996 wpa_printf(MSG_DEBUG, 2997 "TDLS: Channel switching not supported by the driver"); 2998 return -1; 2999 } 3000 3001 if (sm->tdls_chan_switch_prohibited) { 3002 wpa_printf(MSG_DEBUG, 3003 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 3004 return -1; 3005 } 3006 3007 for (peer = sm->tdls; peer; peer = peer->next) { 3008 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3009 break; 3010 } 3011 3012 if (peer == NULL || !peer->tpk_success) { 3013 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3014 " not found for channel switching", MAC2STR(addr)); 3015 return -1; 3016 } 3017 3018 if (peer->chan_switch_enabled) { 3019 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3020 " already has channel switching enabled", 3021 MAC2STR(addr)); 3022 return 0; 3023 } 3024 3025 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3026 oper_class, freq_params); 3027 if (!ret) 3028 peer->chan_switch_enabled = 1; 3029 3030 return ret; 3031 } 3032 3033 3034 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3035 { 3036 struct wpa_tdls_peer *peer; 3037 3038 if (sm->tdls_disabled || !sm->tdls_supported) 3039 return -1; 3040 3041 for (peer = sm->tdls; peer; peer = peer->next) { 3042 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3043 break; 3044 } 3045 3046 if (!peer || !peer->chan_switch_enabled) { 3047 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3048 MACSTR, MAC2STR(addr)); 3049 return -1; 3050 } 3051 3052 /* ignore the return value */ 3053 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3054 3055 peer->chan_switch_enabled = 0; 3056 return 0; 3057 } 3058