1 /* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/os.h" 14 #include "common/ieee802_11_defs.h" 15 #include "common/ieee802_11_common.h" 16 #include "crypto/sha256.h" 17 #include "crypto/crypto.h" 18 #include "crypto/aes_wrap.h" 19 #include "rsn_supp/wpa.h" 20 #include "rsn_supp/wpa_ie.h" 21 #include "rsn_supp/wpa_i.h" 22 #include "drivers/driver.h" 23 #include "l2_packet/l2_packet.h" 24 25 #ifdef CONFIG_TDLS_TESTING 26 #define TDLS_TESTING_LONG_FRAME BIT(0) 27 #define TDLS_TESTING_ALT_RSN_IE BIT(1) 28 #define TDLS_TESTING_DIFF_BSSID BIT(2) 29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32 #define TDLS_TESTING_LONG_LIFETIME BIT(6) 33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35 #define TDLS_TESTING_DECLINE_RESP BIT(9) 36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37 #define TDLS_TESTING_WRONG_MIC BIT(11) 38 unsigned int tdls_testing = 0; 39 #endif /* CONFIG_TDLS_TESTING */ 40 41 #define TPK_LIFETIME 43200 /* 12 hours */ 42 #define TPK_M1_RETRY_COUNT 3 43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44 #define TPK_M2_RETRY_COUNT 10 45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46 47 #define TDLS_MIC_LEN 16 48 49 #define TDLS_TIMEOUT_LEN 4 50 51 struct wpa_tdls_ftie { 52 u8 ie_type; /* FTIE */ 53 u8 ie_len; 54 u8 mic_ctrl[2]; 55 u8 mic[TDLS_MIC_LEN]; 56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58 /* followed by optional elements */ 59 } STRUCT_PACKED; 60 61 struct wpa_tdls_timeoutie { 62 u8 ie_type; /* Timeout IE */ 63 u8 ie_len; 64 u8 interval_type; 65 u8 value[TDLS_TIMEOUT_LEN]; 66 } STRUCT_PACKED; 67 68 struct wpa_tdls_lnkid { 69 u8 ie_type; /* Link Identifier IE */ 70 u8 ie_len; 71 u8 bssid[ETH_ALEN]; 72 u8 init_sta[ETH_ALEN]; 73 u8 resp_sta[ETH_ALEN]; 74 } STRUCT_PACKED; 75 76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77 struct wpa_tdls_frame { 78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79 u8 category; /* Category */ 80 u8 action; /* Action (enum tdls_frame_type) */ 81 } STRUCT_PACKED; 82 83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87 struct wpa_tdls_peer *peer); 88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89 u16 reason_code); 90 91 92 #define TDLS_MAX_IE_LEN 80 93 #define IEEE80211_MAX_SUPP_RATES 32 94 95 struct wpa_tdls_peer { 96 struct wpa_tdls_peer *next; 97 unsigned int reconfig_key:1; 98 int initiator; /* whether this end was initiator for TDLS setup */ 99 u8 addr[ETH_ALEN]; /* other end MAC address */ 100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103 size_t rsnie_i_len; 104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105 size_t rsnie_p_len; 106 u32 lifetime; 107 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108 u8 dtoken; 109 110 struct tpk { 111 u8 kck[16]; /* TPK-KCK */ 112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113 } tpk; 114 int tpk_set; 115 int tk_set; /* TPK-TK configured to the driver */ 116 int tpk_success; 117 int tpk_in_progress; 118 119 struct tpk_timer { 120 u8 dest[ETH_ALEN]; 121 int count; /* Retry Count */ 122 int timer; /* Timeout in milliseconds */ 123 u8 action_code; /* TDLS frame type */ 124 u8 dialog_token; 125 u16 status_code; 126 u32 peer_capab; 127 int buf_len; /* length of TPK message for retransmission */ 128 u8 *buf; /* buffer for TPK message */ 129 } sm_tmr; 130 131 u16 capability; 132 133 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 134 size_t supp_rates_len; 135 136 struct ieee80211_ht_capabilities *ht_capabilities; 137 struct ieee80211_vht_capabilities *vht_capabilities; 138 139 u8 qos_info; 140 141 u16 aid; 142 143 u8 *ext_capab; 144 size_t ext_capab_len; 145 146 u8 *supp_channels; 147 size_t supp_channels_len; 148 149 u8 *supp_oper_classes; 150 size_t supp_oper_classes_len; 151 152 u8 wmm_capable; 153 154 /* channel switch currently enabled */ 155 int chan_switch_enabled; 156 }; 157 158 159 static int wpa_tdls_get_privacy(struct wpa_sm *sm) 160 { 161 /* 162 * Get info needed from supplicant to check if the current BSS supports 163 * security. Other than OPEN mode, rest are considered secured 164 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 165 */ 166 return sm->pairwise_cipher != WPA_CIPHER_NONE; 167 } 168 169 170 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 171 { 172 os_memcpy(pos, ie, ie_len); 173 return pos + ie_len; 174 } 175 176 177 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 178 { 179 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 180 0, 0, NULL, 0, NULL, 0) < 0) { 181 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 182 "the driver"); 183 return -1; 184 } 185 186 return 0; 187 } 188 189 190 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 191 { 192 u8 key_len; 193 u8 rsc[6]; 194 enum wpa_alg alg; 195 196 if (peer->tk_set) { 197 /* 198 * This same TPK-TK has already been configured to the driver 199 * and this new configuration attempt (likely due to an 200 * unexpected retransmitted frame) would result in clearing 201 * the TX/RX sequence number which can break security, so must 202 * not allow that to happen. 203 */ 204 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 205 " has already been configured to the driver - do not reconfigure", 206 MAC2STR(peer->addr)); 207 return -1; 208 } 209 210 os_memset(rsc, 0, 6); 211 212 switch (peer->cipher) { 213 case WPA_CIPHER_CCMP: 214 alg = WPA_ALG_CCMP; 215 key_len = 16; 216 break; 217 case WPA_CIPHER_NONE: 218 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 219 "NONE - do not use pairwise keys"); 220 return -1; 221 default: 222 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 223 sm->pairwise_cipher); 224 return -1; 225 } 226 227 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 228 MAC2STR(peer->addr)); 229 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 230 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 231 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 232 "driver"); 233 return -1; 234 } 235 peer->tk_set = 1; 236 return 0; 237 } 238 239 240 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 241 u8 action_code, u8 dialog_token, 242 u16 status_code, u32 peer_capab, 243 int initiator, const u8 *buf, size_t len) 244 { 245 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 246 status_code, peer_capab, initiator, buf, 247 len); 248 } 249 250 251 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 252 u8 dialog_token, u16 status_code, u32 peer_capab, 253 int initiator, const u8 *msg, size_t msg_len) 254 { 255 struct wpa_tdls_peer *peer; 256 257 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 258 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 259 "msg_len=%u", 260 MAC2STR(dest), action_code, dialog_token, status_code, 261 peer_capab, initiator, (unsigned int) msg_len); 262 263 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 264 status_code, peer_capab, initiator, msg, 265 msg_len)) { 266 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 267 "(action_code=%u)", action_code); 268 return -1; 269 } 270 271 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 272 action_code == WLAN_TDLS_TEARDOWN || 273 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 274 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 275 return 0; /* No retries */ 276 277 for (peer = sm->tdls; peer; peer = peer->next) { 278 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 279 break; 280 } 281 282 if (peer == NULL) { 283 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 284 "retry " MACSTR, MAC2STR(dest)); 285 return 0; 286 } 287 288 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 289 290 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 291 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 292 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 293 } else { 294 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 295 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 296 } 297 298 /* Copy message to resend on timeout */ 299 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 300 peer->sm_tmr.action_code = action_code; 301 peer->sm_tmr.dialog_token = dialog_token; 302 peer->sm_tmr.status_code = status_code; 303 peer->sm_tmr.peer_capab = peer_capab; 304 peer->sm_tmr.buf_len = msg_len; 305 os_free(peer->sm_tmr.buf); 306 peer->sm_tmr.buf = os_malloc(msg_len); 307 if (peer->sm_tmr.buf == NULL) 308 return -1; 309 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 310 311 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 312 "(action_code=%u)", action_code); 313 eloop_register_timeout(peer->sm_tmr.timer / 1000, 314 (peer->sm_tmr.timer % 1000) * 1000, 315 wpa_tdls_tpk_retry_timeout, sm, peer); 316 return 0; 317 } 318 319 320 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 321 u16 reason_code) 322 { 323 int ret; 324 325 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 326 /* disable the link after teardown was sent */ 327 wpa_tdls_disable_peer_link(sm, peer); 328 329 return ret; 330 } 331 332 333 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 334 { 335 336 struct wpa_sm *sm = eloop_ctx; 337 struct wpa_tdls_peer *peer = timeout_ctx; 338 339 if (peer->sm_tmr.count) { 340 peer->sm_tmr.count--; 341 342 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 343 "(action_code=%u)", 344 peer->sm_tmr.action_code); 345 346 if (peer->sm_tmr.buf == NULL) { 347 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 348 "for action_code=%u", 349 peer->sm_tmr.action_code); 350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 351 peer); 352 return; 353 } 354 355 /* resend TPK Handshake Message to Peer */ 356 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 357 peer->sm_tmr.action_code, 358 peer->sm_tmr.dialog_token, 359 peer->sm_tmr.status_code, 360 peer->sm_tmr.peer_capab, 361 peer->initiator, 362 peer->sm_tmr.buf, 363 peer->sm_tmr.buf_len)) { 364 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 365 "transmission"); 366 } 367 368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 369 eloop_register_timeout(peer->sm_tmr.timer / 1000, 370 (peer->sm_tmr.timer % 1000) * 1000, 371 wpa_tdls_tpk_retry_timeout, sm, peer); 372 } else { 373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374 375 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 376 wpa_tdls_do_teardown(sm, peer, 377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 378 } 379 } 380 381 382 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 383 struct wpa_tdls_peer *peer, 384 u8 action_code) 385 { 386 if (action_code == peer->sm_tmr.action_code) { 387 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 388 "action_code=%u", action_code); 389 390 /* Cancel Timeout registered */ 391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 392 393 /* free all resources meant for retry */ 394 os_free(peer->sm_tmr.buf); 395 peer->sm_tmr.buf = NULL; 396 397 peer->sm_tmr.count = 0; 398 peer->sm_tmr.timer = 0; 399 peer->sm_tmr.buf_len = 0; 400 peer->sm_tmr.action_code = 0xff; 401 } else { 402 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 403 "(Unknown action_code=%u)", action_code); 404 } 405 } 406 407 408 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 409 const u8 *own_addr, const u8 *bssid) 410 { 411 u8 key_input[SHA256_MAC_LEN]; 412 const u8 *nonce[2]; 413 size_t len[2]; 414 u8 data[3 * ETH_ALEN]; 415 416 /* IEEE Std 802.11z-2010 8.5.9.1: 417 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 418 */ 419 len[0] = WPA_NONCE_LEN; 420 len[1] = WPA_NONCE_LEN; 421 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 422 nonce[0] = peer->inonce; 423 nonce[1] = peer->rnonce; 424 } else { 425 nonce[0] = peer->rnonce; 426 nonce[1] = peer->inonce; 427 } 428 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 429 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 430 sha256_vector(2, nonce, len, key_input); 431 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 432 key_input, SHA256_MAC_LEN); 433 434 /* 435 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 436 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 437 * TODO: is N_KEY really included in KDF Context and if so, in which 438 * presentation format (little endian 16-bit?) is it used? It gets 439 * added by the KDF anyway.. 440 */ 441 442 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 443 os_memcpy(data, own_addr, ETH_ALEN); 444 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 445 } else { 446 os_memcpy(data, peer->addr, ETH_ALEN); 447 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 448 } 449 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 450 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 451 452 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 453 (u8 *) &peer->tpk, sizeof(peer->tpk)); 454 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 455 peer->tpk.kck, sizeof(peer->tpk.kck)); 456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 457 peer->tpk.tk, sizeof(peer->tpk.tk)); 458 peer->tpk_set = 1; 459 } 460 461 462 /** 463 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 464 * @kck: TPK-KCK 465 * @lnkid: Pointer to the beginning of Link Identifier IE 466 * @rsnie: Pointer to the beginning of RSN IE used for handshake 467 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 468 * @ftie: Pointer to the beginning of FT IE 469 * @mic: Pointer for writing MIC 470 * 471 * Calculate MIC for TDLS frame. 472 */ 473 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 474 const u8 *rsnie, const u8 *timeoutie, 475 const u8 *ftie, u8 *mic) 476 { 477 u8 *buf, *pos; 478 struct wpa_tdls_ftie *_ftie; 479 const struct wpa_tdls_lnkid *_lnkid; 480 int ret; 481 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 482 2 + timeoutie[1] + 2 + ftie[1]; 483 buf = os_zalloc(len); 484 if (!buf) { 485 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 486 return -1; 487 } 488 489 pos = buf; 490 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 491 /* 1) TDLS initiator STA MAC address */ 492 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 493 pos += ETH_ALEN; 494 /* 2) TDLS responder STA MAC address */ 495 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 496 pos += ETH_ALEN; 497 /* 3) Transaction Sequence number */ 498 *pos++ = trans_seq; 499 /* 4) Link Identifier IE */ 500 os_memcpy(pos, lnkid, 2 + lnkid[1]); 501 pos += 2 + lnkid[1]; 502 /* 5) RSN IE */ 503 os_memcpy(pos, rsnie, 2 + rsnie[1]); 504 pos += 2 + rsnie[1]; 505 /* 6) Timeout Interval IE */ 506 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 507 pos += 2 + timeoutie[1]; 508 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 509 os_memcpy(pos, ftie, 2 + ftie[1]); 510 _ftie = (struct wpa_tdls_ftie *) pos; 511 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 512 pos += 2 + ftie[1]; 513 514 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 515 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 516 ret = omac1_aes_128(kck, buf, pos - buf, mic); 517 os_free(buf); 518 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 519 return ret; 520 } 521 522 523 /** 524 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 525 * @kck: TPK-KCK 526 * @trans_seq: Transaction Sequence Number (4 - Teardown) 527 * @rcode: Reason code for Teardown 528 * @dtoken: Dialog Token used for that particular link 529 * @lnkid: Pointer to the beginning of Link Identifier IE 530 * @ftie: Pointer to the beginning of FT IE 531 * @mic: Pointer for writing MIC 532 * 533 * Calculate MIC for TDLS frame. 534 */ 535 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 536 u8 dtoken, const u8 *lnkid, 537 const u8 *ftie, u8 *mic) 538 { 539 u8 *buf, *pos; 540 struct wpa_tdls_ftie *_ftie; 541 int ret; 542 int len; 543 544 if (lnkid == NULL) 545 return -1; 546 547 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 548 sizeof(trans_seq) + 2 + ftie[1]; 549 550 buf = os_zalloc(len); 551 if (!buf) { 552 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 553 return -1; 554 } 555 556 pos = buf; 557 /* 1) Link Identifier IE */ 558 os_memcpy(pos, lnkid, 2 + lnkid[1]); 559 pos += 2 + lnkid[1]; 560 /* 2) Reason Code */ 561 WPA_PUT_LE16(pos, rcode); 562 pos += sizeof(rcode); 563 /* 3) Dialog token */ 564 *pos++ = dtoken; 565 /* 4) Transaction Sequence number */ 566 *pos++ = trans_seq; 567 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 568 os_memcpy(pos, ftie, 2 + ftie[1]); 569 _ftie = (struct wpa_tdls_ftie *) pos; 570 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 571 pos += 2 + ftie[1]; 572 573 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 574 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 575 ret = omac1_aes_128(kck, buf, pos - buf, mic); 576 os_free(buf); 577 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 578 return ret; 579 } 580 581 582 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 583 struct wpa_tdls_peer *peer, 584 const u8 *lnkid, const u8 *timeoutie, 585 const struct wpa_tdls_ftie *ftie) 586 { 587 u8 mic[16]; 588 589 if (peer->tpk_set) { 590 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 591 peer->rsnie_p, timeoutie, (u8 *) ftie, 592 mic); 593 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 594 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 595 "dropping packet"); 596 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 597 ftie->mic, 16); 598 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 599 mic, 16); 600 return -1; 601 } 602 } else { 603 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 604 "TPK not set - dropping packet"); 605 return -1; 606 } 607 return 0; 608 } 609 610 611 static int wpa_supplicant_verify_tdls_mic_teardown( 612 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 613 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 614 { 615 u8 mic[16]; 616 617 if (peer->tpk_set) { 618 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 619 dtoken, lnkid, (u8 *) ftie, mic); 620 if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 621 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 622 "dropping packet"); 623 return -1; 624 } 625 } else { 626 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 627 "MIC, TPK not set - dropping packet"); 628 return -1; 629 } 630 return 0; 631 } 632 633 634 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 635 { 636 struct wpa_sm *sm = eloop_ctx; 637 struct wpa_tdls_peer *peer = timeout_ctx; 638 639 /* 640 * On TPK lifetime expiration, we have an option of either tearing down 641 * the direct link or trying to re-initiate it. The selection of what 642 * to do is not strictly speaking controlled by our role in the expired 643 * link, but for now, use that to select whether to renew or tear down 644 * the link. 645 */ 646 647 if (peer->initiator) { 648 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 649 " - try to renew", MAC2STR(peer->addr)); 650 wpa_tdls_start(sm, peer->addr); 651 } else { 652 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 653 " - tear down", MAC2STR(peer->addr)); 654 wpa_tdls_do_teardown(sm, peer, 655 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 656 } 657 } 658 659 660 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 661 struct wpa_tdls_peer *peer) 662 { 663 struct wpa_tdls_peer *cur, *prev; 664 665 cur = sm->tdls; 666 prev = NULL; 667 while (cur && cur != peer) { 668 prev = cur; 669 cur = cur->next; 670 } 671 672 if (cur != peer) { 673 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 674 " to remove it from the list", 675 MAC2STR(peer->addr)); 676 return; 677 } 678 679 if (prev) 680 prev->next = peer->next; 681 else 682 sm->tdls = peer->next; 683 } 684 685 686 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 687 { 688 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 689 MAC2STR(peer->addr)); 690 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 691 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 692 peer->reconfig_key = 0; 693 peer->initiator = 0; 694 peer->tpk_in_progress = 0; 695 os_free(peer->sm_tmr.buf); 696 peer->sm_tmr.buf = NULL; 697 os_free(peer->ht_capabilities); 698 peer->ht_capabilities = NULL; 699 os_free(peer->vht_capabilities); 700 peer->vht_capabilities = NULL; 701 os_free(peer->ext_capab); 702 peer->ext_capab = NULL; 703 os_free(peer->supp_channels); 704 peer->supp_channels = NULL; 705 os_free(peer->supp_oper_classes); 706 peer->supp_oper_classes = NULL; 707 peer->rsnie_i_len = peer->rsnie_p_len = 0; 708 peer->cipher = 0; 709 peer->qos_info = 0; 710 peer->wmm_capable = 0; 711 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 712 peer->chan_switch_enabled = 0; 713 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 714 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 715 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 716 } 717 718 719 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 720 { 721 wpa_tdls_peer_clear(sm, peer); 722 wpa_tdls_peer_remove_from_list(sm, peer); 723 os_free(peer); 724 } 725 726 727 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 728 struct wpa_tdls_lnkid *lnkid) 729 { 730 lnkid->ie_type = WLAN_EID_LINK_ID; 731 lnkid->ie_len = 3 * ETH_ALEN; 732 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 733 if (peer->initiator) { 734 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 735 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 736 } else { 737 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 738 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 739 } 740 } 741 742 743 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 744 u16 reason_code) 745 { 746 struct wpa_tdls_peer *peer; 747 struct wpa_tdls_ftie *ftie; 748 struct wpa_tdls_lnkid lnkid; 749 u8 dialog_token; 750 u8 *rbuf, *pos; 751 int ielen; 752 753 if (sm->tdls_disabled || !sm->tdls_supported) 754 return -1; 755 756 /* Find the node and free from the list */ 757 for (peer = sm->tdls; peer; peer = peer->next) { 758 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 759 break; 760 } 761 762 if (peer == NULL) { 763 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 764 "Teardown " MACSTR, MAC2STR(addr)); 765 return 0; 766 } 767 768 /* Cancel active channel switch before teardown */ 769 if (peer->chan_switch_enabled) { 770 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 771 " to base channel", MAC2STR(addr)); 772 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 773 } 774 775 dialog_token = peer->dtoken; 776 777 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 778 MAC2STR(addr)); 779 780 ielen = 0; 781 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 782 /* To add FTIE for Teardown request and compute MIC */ 783 ielen += sizeof(*ftie); 784 #ifdef CONFIG_TDLS_TESTING 785 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 786 ielen += 170; 787 #endif /* CONFIG_TDLS_TESTING */ 788 } 789 790 rbuf = os_zalloc(ielen + 1); 791 if (rbuf == NULL) 792 return -1; 793 pos = rbuf; 794 795 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 796 goto skip_ies; 797 798 ftie = (struct wpa_tdls_ftie *) pos; 799 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 800 /* Using the recent nonce which should be for CONFIRM frame */ 801 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 802 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 803 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 804 pos = (u8 *) (ftie + 1); 805 #ifdef CONFIG_TDLS_TESTING 806 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 807 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 808 "FTIE"); 809 ftie->ie_len += 170; 810 *pos++ = 255; /* FTIE subelem */ 811 *pos++ = 168; /* FTIE subelem length */ 812 pos += 168; 813 } 814 #endif /* CONFIG_TDLS_TESTING */ 815 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 816 (u8 *) ftie, pos - (u8 *) ftie); 817 818 /* compute MIC before sending */ 819 wpa_tdls_linkid(sm, peer, &lnkid); 820 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 821 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 822 ftie->mic); 823 824 skip_ies: 825 /* TODO: register for a Timeout handler, if Teardown is not received at 826 * the other end, then try again another time */ 827 828 /* request driver to send Teardown using this FTIE */ 829 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 830 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 831 os_free(rbuf); 832 833 return 0; 834 } 835 836 837 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 838 { 839 struct wpa_tdls_peer *peer; 840 841 if (sm->tdls_disabled || !sm->tdls_supported) 842 return -1; 843 844 for (peer = sm->tdls; peer; peer = peer->next) { 845 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 846 break; 847 } 848 849 if (peer == NULL) { 850 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 851 " for link Teardown", MAC2STR(addr)); 852 return -1; 853 } 854 855 if (!peer->tpk_success) { 856 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 857 " not connected - cannot Teardown link", MAC2STR(addr)); 858 return -1; 859 } 860 861 return wpa_tdls_do_teardown(sm, peer, reason_code); 862 } 863 864 865 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 866 struct wpa_tdls_peer *peer) 867 { 868 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 869 wpa_tdls_peer_free(sm, peer); 870 } 871 872 873 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 874 { 875 struct wpa_tdls_peer *peer; 876 877 for (peer = sm->tdls; peer; peer = peer->next) { 878 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 879 break; 880 } 881 882 if (!peer || !peer->tpk_success) { 883 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 884 " not connected - cannot teardown unreachable link", 885 MAC2STR(addr)); 886 return; 887 } 888 889 if (wpa_tdls_is_external_setup(sm)) { 890 /* 891 * Get us on the base channel, disable the link, send a 892 * teardown packet through the AP, and then reset link data. 893 */ 894 if (peer->chan_switch_enabled) 895 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 896 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 897 wpa_tdls_send_teardown(sm, addr, 898 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 899 wpa_tdls_peer_free(sm, peer); 900 } else { 901 wpa_tdls_disable_peer_link(sm, peer); 902 } 903 } 904 905 906 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 907 { 908 struct wpa_tdls_peer *peer; 909 910 if (sm->tdls_disabled || !sm->tdls_supported) 911 return "disabled"; 912 913 for (peer = sm->tdls; peer; peer = peer->next) { 914 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 915 break; 916 } 917 918 if (peer == NULL) 919 return "peer does not exist"; 920 921 if (!peer->tpk_success) 922 return "peer not connected"; 923 924 return "connected"; 925 } 926 927 928 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 929 const u8 *buf, size_t len) 930 { 931 struct wpa_tdls_peer *peer = NULL; 932 struct wpa_tdls_ftie *ftie; 933 struct wpa_tdls_lnkid *lnkid; 934 struct wpa_eapol_ie_parse kde; 935 u16 reason_code; 936 const u8 *pos; 937 int ielen; 938 939 /* Find the node and free from the list */ 940 for (peer = sm->tdls; peer; peer = peer->next) { 941 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 942 break; 943 } 944 945 if (peer == NULL) { 946 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 947 "Teardown " MACSTR, MAC2STR(src_addr)); 948 return 0; 949 } 950 951 pos = buf; 952 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 953 954 reason_code = WPA_GET_LE16(pos); 955 pos += 2; 956 957 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 958 " (reason code %u)", MAC2STR(src_addr), reason_code); 959 960 ielen = len - (pos - buf); /* start of IE in buf */ 961 962 /* 963 * Don't reject the message if failing to parse IEs. The IEs we need are 964 * explicitly checked below. Some APs may add arbitrary padding to the 965 * end of short TDLS frames and that would look like invalid IEs. 966 */ 967 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 968 wpa_printf(MSG_DEBUG, 969 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 970 971 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 972 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 973 "Teardown"); 974 return -1; 975 } 976 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 977 978 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 979 goto skip_ftie; 980 981 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 982 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 983 return -1; 984 } 985 986 ftie = (struct wpa_tdls_ftie *) kde.ftie; 987 988 /* Process MIC check to see if TDLS Teardown is right */ 989 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 990 peer->dtoken, peer, 991 (u8 *) lnkid, ftie) < 0) { 992 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 993 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 994 return -1; 995 } 996 997 skip_ftie: 998 /* 999 * Request the driver to disable the direct link and clear associated 1000 * keys. 1001 */ 1002 wpa_tdls_disable_peer_link(sm, peer); 1003 return 0; 1004 } 1005 1006 1007 /** 1008 * wpa_tdls_send_error - To send suitable TDLS status response with 1009 * appropriate status code mentioning reason for error/failure. 1010 * @dst - MAC addr of Peer station 1011 * @tdls_action - TDLS frame type for which error code is sent 1012 * @initiator - was this end the initiator of the connection 1013 * @status - status code mentioning reason 1014 */ 1015 1016 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1017 u8 tdls_action, u8 dialog_token, int initiator, 1018 u16 status) 1019 { 1020 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1021 " (action=%u status=%u)", 1022 MAC2STR(dst), tdls_action, status); 1023 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1024 0, initiator, NULL, 0); 1025 } 1026 1027 1028 static struct wpa_tdls_peer * 1029 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1030 { 1031 struct wpa_tdls_peer *peer; 1032 1033 if (existing) 1034 *existing = 0; 1035 for (peer = sm->tdls; peer; peer = peer->next) { 1036 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1037 if (existing) 1038 *existing = 1; 1039 return peer; /* re-use existing entry */ 1040 } 1041 } 1042 1043 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1044 MAC2STR(addr)); 1045 1046 peer = os_zalloc(sizeof(*peer)); 1047 if (peer == NULL) 1048 return NULL; 1049 1050 os_memcpy(peer->addr, addr, ETH_ALEN); 1051 peer->next = sm->tdls; 1052 sm->tdls = peer; 1053 1054 return peer; 1055 } 1056 1057 1058 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1059 struct wpa_tdls_peer *peer) 1060 { 1061 size_t buf_len; 1062 struct wpa_tdls_timeoutie timeoutie; 1063 u16 rsn_capab; 1064 struct wpa_tdls_ftie *ftie; 1065 u8 *rbuf, *pos, *count_pos; 1066 u16 count; 1067 struct rsn_ie_hdr *hdr; 1068 int status; 1069 1070 if (!wpa_tdls_get_privacy(sm)) { 1071 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1072 peer->rsnie_i_len = 0; 1073 goto skip_rsnie; 1074 } 1075 1076 /* 1077 * TPK Handshake Message 1: 1078 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1079 * Timeout Interval IE)) 1080 */ 1081 1082 /* Filling RSN IE */ 1083 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1084 hdr->elem_id = WLAN_EID_RSN; 1085 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1086 1087 pos = (u8 *) (hdr + 1); 1088 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1089 pos += RSN_SELECTOR_LEN; 1090 count_pos = pos; 1091 pos += 2; 1092 1093 count = 0; 1094 1095 /* 1096 * AES-CCMP is the default Encryption preferred for TDLS, so 1097 * RSN IE is filled only with CCMP CIPHER 1098 * Note: TKIP is not used to encrypt TDLS link. 1099 * 1100 * Regardless of the cipher used on the AP connection, select CCMP 1101 * here. 1102 */ 1103 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1104 pos += RSN_SELECTOR_LEN; 1105 count++; 1106 1107 WPA_PUT_LE16(count_pos, count); 1108 1109 WPA_PUT_LE16(pos, 1); 1110 pos += 2; 1111 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1112 pos += RSN_SELECTOR_LEN; 1113 1114 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1115 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1116 #ifdef CONFIG_TDLS_TESTING 1117 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1118 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1119 "testing"); 1120 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1121 } 1122 #endif /* CONFIG_TDLS_TESTING */ 1123 WPA_PUT_LE16(pos, rsn_capab); 1124 pos += 2; 1125 #ifdef CONFIG_TDLS_TESTING 1126 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1127 /* Number of PMKIDs */ 1128 *pos++ = 0x00; 1129 *pos++ = 0x00; 1130 } 1131 #endif /* CONFIG_TDLS_TESTING */ 1132 1133 hdr->len = (pos - peer->rsnie_i) - 2; 1134 peer->rsnie_i_len = pos - peer->rsnie_i; 1135 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1136 peer->rsnie_i, peer->rsnie_i_len); 1137 1138 skip_rsnie: 1139 buf_len = 0; 1140 if (wpa_tdls_get_privacy(sm)) 1141 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1142 sizeof(struct wpa_tdls_timeoutie); 1143 #ifdef CONFIG_TDLS_TESTING 1144 if (wpa_tdls_get_privacy(sm) && 1145 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1146 buf_len += 170; 1147 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1148 buf_len += sizeof(struct wpa_tdls_lnkid); 1149 #endif /* CONFIG_TDLS_TESTING */ 1150 rbuf = os_zalloc(buf_len + 1); 1151 if (rbuf == NULL) { 1152 wpa_tdls_peer_free(sm, peer); 1153 return -1; 1154 } 1155 pos = rbuf; 1156 1157 if (!wpa_tdls_get_privacy(sm)) 1158 goto skip_ies; 1159 1160 /* Initiator RSN IE */ 1161 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1162 1163 ftie = (struct wpa_tdls_ftie *) pos; 1164 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1165 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1166 1167 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1168 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1169 "TDLS: Failed to get random data for initiator Nonce"); 1170 os_free(rbuf); 1171 wpa_tdls_peer_free(sm, peer); 1172 return -1; 1173 } 1174 peer->tk_set = 0; /* A new nonce results in a new TK */ 1175 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1176 peer->inonce, WPA_NONCE_LEN); 1177 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1178 1179 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1180 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1181 1182 pos = (u8 *) (ftie + 1); 1183 1184 #ifdef CONFIG_TDLS_TESTING 1185 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1186 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1187 "FTIE"); 1188 ftie->ie_len += 170; 1189 *pos++ = 255; /* FTIE subelem */ 1190 *pos++ = 168; /* FTIE subelem length */ 1191 pos += 168; 1192 } 1193 #endif /* CONFIG_TDLS_TESTING */ 1194 1195 /* Lifetime */ 1196 peer->lifetime = TPK_LIFETIME; 1197 #ifdef CONFIG_TDLS_TESTING 1198 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1199 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1200 "lifetime"); 1201 peer->lifetime = 301; 1202 } 1203 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1204 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1205 "lifetime"); 1206 peer->lifetime = 0xffffffff; 1207 } 1208 #endif /* CONFIG_TDLS_TESTING */ 1209 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1210 sizeof(timeoutie), peer->lifetime); 1211 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1212 1213 skip_ies: 1214 1215 #ifdef CONFIG_TDLS_TESTING 1216 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1217 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1218 "Link Identifier"); 1219 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1220 wpa_tdls_linkid(sm, peer, l); 1221 l->bssid[5] ^= 0x01; 1222 pos += sizeof(*l); 1223 } 1224 #endif /* CONFIG_TDLS_TESTING */ 1225 1226 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1227 "Handshake Message 1 (peer " MACSTR ")", 1228 MAC2STR(peer->addr)); 1229 1230 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1231 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1232 os_free(rbuf); 1233 1234 return status; 1235 } 1236 1237 1238 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1239 const unsigned char *src_addr, u8 dtoken, 1240 struct wpa_tdls_lnkid *lnkid, 1241 const struct wpa_tdls_peer *peer) 1242 { 1243 u8 *rbuf, *pos; 1244 size_t buf_len; 1245 u32 lifetime; 1246 struct wpa_tdls_timeoutie timeoutie; 1247 struct wpa_tdls_ftie *ftie; 1248 int status; 1249 1250 buf_len = 0; 1251 if (wpa_tdls_get_privacy(sm)) { 1252 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1253 * Lifetime */ 1254 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1255 sizeof(struct wpa_tdls_timeoutie); 1256 #ifdef CONFIG_TDLS_TESTING 1257 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1258 buf_len += 170; 1259 #endif /* CONFIG_TDLS_TESTING */ 1260 } 1261 1262 rbuf = os_zalloc(buf_len + 1); 1263 if (rbuf == NULL) 1264 return -1; 1265 pos = rbuf; 1266 1267 if (!wpa_tdls_get_privacy(sm)) 1268 goto skip_ies; 1269 1270 /* Peer RSN IE */ 1271 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1272 1273 ftie = (struct wpa_tdls_ftie *) pos; 1274 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1275 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1276 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1277 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1278 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1279 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1280 (u8 *) ftie, sizeof(*ftie)); 1281 1282 pos = (u8 *) (ftie + 1); 1283 1284 #ifdef CONFIG_TDLS_TESTING 1285 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1286 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1287 "FTIE"); 1288 ftie->ie_len += 170; 1289 *pos++ = 255; /* FTIE subelem */ 1290 *pos++ = 168; /* FTIE subelem length */ 1291 pos += 168; 1292 } 1293 #endif /* CONFIG_TDLS_TESTING */ 1294 1295 /* Lifetime */ 1296 lifetime = peer->lifetime; 1297 #ifdef CONFIG_TDLS_TESTING 1298 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1299 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1300 "lifetime in response"); 1301 lifetime++; 1302 } 1303 #endif /* CONFIG_TDLS_TESTING */ 1304 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1305 sizeof(timeoutie), lifetime); 1306 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1307 lifetime); 1308 1309 /* compute MIC before sending */ 1310 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1311 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1312 #ifdef CONFIG_TDLS_TESTING 1313 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1314 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1315 ftie->mic[0] ^= 0x01; 1316 } 1317 #endif /* CONFIG_TDLS_TESTING */ 1318 1319 skip_ies: 1320 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1321 dtoken, 0, 0, peer->initiator, rbuf, 1322 pos - rbuf); 1323 os_free(rbuf); 1324 1325 return status; 1326 } 1327 1328 1329 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1330 const unsigned char *src_addr, u8 dtoken, 1331 struct wpa_tdls_lnkid *lnkid, 1332 const struct wpa_tdls_peer *peer) 1333 { 1334 u8 *rbuf, *pos; 1335 size_t buf_len; 1336 struct wpa_tdls_ftie *ftie; 1337 struct wpa_tdls_timeoutie timeoutie; 1338 u32 lifetime; 1339 int status; 1340 u32 peer_capab = 0; 1341 1342 buf_len = 0; 1343 if (wpa_tdls_get_privacy(sm)) { 1344 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1345 * Lifetime */ 1346 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1347 sizeof(struct wpa_tdls_timeoutie); 1348 #ifdef CONFIG_TDLS_TESTING 1349 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1350 buf_len += 170; 1351 #endif /* CONFIG_TDLS_TESTING */ 1352 } 1353 1354 rbuf = os_zalloc(buf_len + 1); 1355 if (rbuf == NULL) 1356 return -1; 1357 pos = rbuf; 1358 1359 if (!wpa_tdls_get_privacy(sm)) 1360 goto skip_ies; 1361 1362 /* Peer RSN IE */ 1363 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1364 1365 ftie = (struct wpa_tdls_ftie *) pos; 1366 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1367 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1368 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1369 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1370 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1371 1372 pos = (u8 *) (ftie + 1); 1373 1374 #ifdef CONFIG_TDLS_TESTING 1375 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1376 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1377 "FTIE"); 1378 ftie->ie_len += 170; 1379 *pos++ = 255; /* FTIE subelem */ 1380 *pos++ = 168; /* FTIE subelem length */ 1381 pos += 168; 1382 } 1383 #endif /* CONFIG_TDLS_TESTING */ 1384 1385 /* Lifetime */ 1386 lifetime = peer->lifetime; 1387 #ifdef CONFIG_TDLS_TESTING 1388 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1389 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1390 "lifetime in confirm"); 1391 lifetime++; 1392 } 1393 #endif /* CONFIG_TDLS_TESTING */ 1394 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1395 sizeof(timeoutie), lifetime); 1396 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1397 lifetime); 1398 1399 /* compute MIC before sending */ 1400 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1401 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1402 #ifdef CONFIG_TDLS_TESTING 1403 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1404 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1405 ftie->mic[0] ^= 0x01; 1406 } 1407 #endif /* CONFIG_TDLS_TESTING */ 1408 1409 skip_ies: 1410 1411 if (peer->vht_capabilities) 1412 peer_capab |= TDLS_PEER_VHT; 1413 if (peer->ht_capabilities) 1414 peer_capab |= TDLS_PEER_HT; 1415 if (peer->wmm_capable) 1416 peer_capab |= TDLS_PEER_WMM; 1417 1418 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1419 dtoken, 0, peer_capab, peer->initiator, 1420 rbuf, pos - rbuf); 1421 os_free(rbuf); 1422 1423 return status; 1424 } 1425 1426 1427 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1428 struct wpa_tdls_peer *peer, 1429 u8 dialog_token) 1430 { 1431 size_t buf_len = 0; 1432 struct wpa_tdls_timeoutie timeoutie; 1433 u16 rsn_capab; 1434 u8 *rbuf, *pos, *count_pos; 1435 u16 count; 1436 struct rsn_ie_hdr *hdr; 1437 int status; 1438 1439 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1440 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1441 if (!wpa_tdls_get_privacy(sm)) 1442 goto skip_rsn_ies; 1443 1444 /* Filling RSN IE */ 1445 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1446 hdr->elem_id = WLAN_EID_RSN; 1447 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1448 pos = (u8 *) (hdr + 1); 1449 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1450 pos += RSN_SELECTOR_LEN; 1451 count_pos = pos; 1452 pos += 2; 1453 count = 0; 1454 1455 /* 1456 * AES-CCMP is the default encryption preferred for TDLS, so 1457 * RSN IE is filled only with CCMP cipher suite. 1458 * Note: TKIP is not used to encrypt TDLS link. 1459 * 1460 * Regardless of the cipher used on the AP connection, select CCMP 1461 * here. 1462 */ 1463 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1464 pos += RSN_SELECTOR_LEN; 1465 count++; 1466 WPA_PUT_LE16(count_pos, count); 1467 WPA_PUT_LE16(pos, 1); 1468 pos += 2; 1469 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1470 pos += RSN_SELECTOR_LEN; 1471 1472 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1473 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1474 WPA_PUT_LE16(pos, rsn_capab); 1475 pos += 2; 1476 hdr->len = (pos - (u8 *) hdr) - 2; 1477 peer->rsnie_i_len = pos - peer->rsnie_i; 1478 1479 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1480 (u8 *) hdr, hdr->len + 2); 1481 skip_rsn_ies: 1482 buf_len = 0; 1483 if (wpa_tdls_get_privacy(sm)) { 1484 /* Peer RSN IE, Lifetime */ 1485 buf_len += peer->rsnie_i_len + 1486 sizeof(struct wpa_tdls_timeoutie); 1487 } 1488 rbuf = os_zalloc(buf_len + 1); 1489 if (rbuf == NULL) { 1490 wpa_tdls_peer_free(sm, peer); 1491 return -1; 1492 } 1493 pos = rbuf; 1494 1495 if (!wpa_tdls_get_privacy(sm)) 1496 goto skip_ies; 1497 /* Initiator RSN IE */ 1498 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1499 /* Lifetime */ 1500 peer->lifetime = TPK_LIFETIME; 1501 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1502 sizeof(timeoutie), peer->lifetime); 1503 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1504 skip_ies: 1505 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1506 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1507 os_free(rbuf); 1508 1509 return status; 1510 } 1511 1512 1513 static int 1514 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1515 const u8 *buf, size_t len) 1516 { 1517 struct wpa_eapol_ie_parse kde; 1518 const struct wpa_tdls_lnkid *lnkid; 1519 struct wpa_tdls_peer *peer; 1520 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1521 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1522 u8 dialog_token; 1523 1524 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1525 MAC2STR(addr)); 1526 1527 if (len < min_req_len) { 1528 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1529 "%d", (int) len); 1530 return -1; 1531 } 1532 1533 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1534 1535 /* 1536 * Some APs will tack on a weird IE to the end of a TDLS 1537 * discovery request packet. This needn't fail the response, 1538 * since the required IE are verified separately. 1539 */ 1540 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1541 len - (sizeof(struct wpa_tdls_frame) + 1), 1542 &kde) < 0) { 1543 wpa_printf(MSG_DEBUG, 1544 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1545 } 1546 1547 if (!kde.lnkid) { 1548 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1549 "Request"); 1550 return -1; 1551 } 1552 1553 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1554 1555 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1556 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1557 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1558 return -1; 1559 } 1560 1561 peer = wpa_tdls_add_peer(sm, addr, NULL); 1562 if (peer == NULL) 1563 return -1; 1564 1565 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1566 } 1567 1568 1569 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1570 { 1571 if (sm->tdls_disabled || !sm->tdls_supported) 1572 return -1; 1573 1574 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1575 MACSTR, MAC2STR(addr)); 1576 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1577 1, 0, 0, 1, NULL, 0); 1578 } 1579 1580 1581 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1582 struct wpa_tdls_peer *peer) 1583 { 1584 if (!kde->supp_rates) { 1585 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1586 return -1; 1587 } 1588 peer->supp_rates_len = merge_byte_arrays( 1589 peer->supp_rates, sizeof(peer->supp_rates), 1590 kde->supp_rates + 2, kde->supp_rates_len - 2, 1591 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1592 kde->ext_supp_rates_len - 2); 1593 return 0; 1594 } 1595 1596 1597 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1598 struct wpa_tdls_peer *peer) 1599 { 1600 if (!kde->ht_capabilities) { 1601 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1602 "received"); 1603 return 0; 1604 } 1605 1606 if (!peer->ht_capabilities) { 1607 peer->ht_capabilities = 1608 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1609 if (peer->ht_capabilities == NULL) 1610 return -1; 1611 } 1612 1613 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1614 sizeof(struct ieee80211_ht_capabilities)); 1615 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1616 (u8 *) peer->ht_capabilities, 1617 sizeof(struct ieee80211_ht_capabilities)); 1618 1619 return 0; 1620 } 1621 1622 1623 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1624 struct wpa_tdls_peer *peer) 1625 { 1626 if (!kde->vht_capabilities) { 1627 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1628 "received"); 1629 return 0; 1630 } 1631 1632 if (!peer->vht_capabilities) { 1633 peer->vht_capabilities = 1634 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1635 if (peer->vht_capabilities == NULL) 1636 return -1; 1637 } 1638 1639 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1640 sizeof(struct ieee80211_vht_capabilities)); 1641 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1642 (u8 *) peer->vht_capabilities, 1643 sizeof(struct ieee80211_vht_capabilities)); 1644 1645 return 0; 1646 } 1647 1648 1649 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1650 struct wpa_tdls_peer *peer) 1651 { 1652 if (!kde->ext_capab) { 1653 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1654 "received"); 1655 return 0; 1656 } 1657 1658 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1659 /* Need to allocate buffer to fit the new information */ 1660 os_free(peer->ext_capab); 1661 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1662 if (peer->ext_capab == NULL) 1663 return -1; 1664 } 1665 1666 peer->ext_capab_len = kde->ext_capab_len - 2; 1667 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1668 1669 return 0; 1670 } 1671 1672 1673 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1674 struct wpa_tdls_peer *peer) 1675 { 1676 struct wmm_information_element *wmm; 1677 1678 if (!kde->wmm) { 1679 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1680 return 0; 1681 } 1682 1683 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1684 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1685 return -1; 1686 } 1687 1688 wmm = (struct wmm_information_element *) kde->wmm; 1689 peer->qos_info = wmm->qos_info; 1690 1691 peer->wmm_capable = 1; 1692 1693 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1694 return 0; 1695 } 1696 1697 1698 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1699 struct wpa_tdls_peer *peer) 1700 { 1701 if (!kde->supp_channels) { 1702 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1703 return 0; 1704 } 1705 1706 if (!peer->supp_channels || 1707 peer->supp_channels_len < kde->supp_channels_len) { 1708 os_free(peer->supp_channels); 1709 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1710 if (peer->supp_channels == NULL) 1711 return -1; 1712 } 1713 1714 peer->supp_channels_len = kde->supp_channels_len; 1715 1716 os_memcpy(peer->supp_channels, kde->supp_channels, 1717 peer->supp_channels_len); 1718 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1719 (u8 *) peer->supp_channels, peer->supp_channels_len); 1720 return 0; 1721 } 1722 1723 1724 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1725 struct wpa_tdls_peer *peer) 1726 { 1727 if (!kde->supp_oper_classes) { 1728 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1729 return 0; 1730 } 1731 1732 if (!peer->supp_oper_classes || 1733 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1734 os_free(peer->supp_oper_classes); 1735 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1736 if (peer->supp_oper_classes == NULL) 1737 return -1; 1738 } 1739 1740 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1741 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1742 peer->supp_oper_classes_len); 1743 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1744 (u8 *) peer->supp_oper_classes, 1745 peer->supp_oper_classes_len); 1746 return 0; 1747 } 1748 1749 1750 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1751 int add) 1752 { 1753 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1754 peer->capability, 1755 peer->supp_rates, peer->supp_rates_len, 1756 peer->ht_capabilities, 1757 peer->vht_capabilities, 1758 peer->qos_info, peer->wmm_capable, 1759 peer->ext_capab, peer->ext_capab_len, 1760 peer->supp_channels, 1761 peer->supp_channels_len, 1762 peer->supp_oper_classes, 1763 peer->supp_oper_classes_len); 1764 } 1765 1766 1767 static int tdls_nonce_set(const u8 *nonce) 1768 { 1769 int i; 1770 1771 for (i = 0; i < WPA_NONCE_LEN; i++) { 1772 if (nonce[i]) 1773 return 1; 1774 } 1775 1776 return 0; 1777 } 1778 1779 1780 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1781 const u8 *buf, size_t len) 1782 { 1783 struct wpa_tdls_peer *peer; 1784 struct wpa_eapol_ie_parse kde; 1785 struct wpa_ie_data ie; 1786 int cipher; 1787 const u8 *cpos; 1788 struct wpa_tdls_ftie *ftie = NULL; 1789 struct wpa_tdls_timeoutie *timeoutie; 1790 struct wpa_tdls_lnkid *lnkid; 1791 u32 lifetime = 0; 1792 #if 0 1793 struct rsn_ie_hdr *hdr; 1794 u8 *pos; 1795 u16 rsn_capab; 1796 u16 rsn_ver; 1797 #endif 1798 u8 dtoken; 1799 u16 ielen; 1800 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1801 int tdls_prohibited = sm->tdls_prohibited; 1802 int existing_peer = 0; 1803 1804 if (len < 3 + 3) 1805 return -1; 1806 1807 cpos = buf; 1808 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1809 1810 /* driver had already verified the frame format */ 1811 dtoken = *cpos++; /* dialog token */ 1812 1813 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1814 1815 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1816 if (peer == NULL) 1817 goto error; 1818 1819 /* If found, use existing entry instead of adding a new one; 1820 * how to handle the case where both ends initiate at the 1821 * same time? */ 1822 if (existing_peer) { 1823 if (peer->tpk_success) { 1824 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1825 "direct link is enabled - tear down the " 1826 "old link first"); 1827 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1828 wpa_tdls_peer_clear(sm, peer); 1829 } else if (peer->initiator) { 1830 /* 1831 * An entry is already present, so check if we already 1832 * sent a TDLS Setup Request. If so, compare MAC 1833 * addresses and let the STA with the lower MAC address 1834 * continue as the initiator. The other negotiation is 1835 * terminated. 1836 */ 1837 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1838 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1839 "from peer with higher address " 1840 MACSTR, MAC2STR(src_addr)); 1841 return -1; 1842 } else { 1843 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1844 "from peer with lower address " 1845 MACSTR " (terminate previously " 1846 "initiated negotiation", 1847 MAC2STR(src_addr)); 1848 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1849 peer->addr); 1850 wpa_tdls_peer_clear(sm, peer); 1851 } 1852 } 1853 } 1854 1855 /* capability information */ 1856 peer->capability = WPA_GET_LE16(cpos); 1857 cpos += 2; 1858 1859 ielen = len - (cpos - buf); /* start of IE in buf */ 1860 1861 /* 1862 * Don't reject the message if failing to parse IEs. The IEs we need are 1863 * explicitly checked below. Some APs may add arbitrary padding to the 1864 * end of short TDLS frames and that would look like invalid IEs. 1865 */ 1866 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1867 wpa_printf(MSG_DEBUG, 1868 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1869 1870 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1871 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1872 "TPK M1"); 1873 goto error; 1874 } 1875 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1876 kde.lnkid, kde.lnkid_len); 1877 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1878 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1879 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1880 status = WLAN_STATUS_REQUEST_DECLINED; 1881 goto error; 1882 } 1883 1884 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1885 MAC2STR(src_addr)); 1886 1887 if (copy_supp_rates(&kde, peer) < 0) 1888 goto error; 1889 1890 if (copy_peer_ht_capab(&kde, peer) < 0) 1891 goto error; 1892 1893 if (copy_peer_vht_capab(&kde, peer) < 0) 1894 goto error; 1895 1896 if (copy_peer_ext_capab(&kde, peer) < 0) 1897 goto error; 1898 1899 if (copy_peer_supp_channels(&kde, peer) < 0) 1900 goto error; 1901 1902 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1903 goto error; 1904 1905 peer->qos_info = kde.qosinfo; 1906 1907 /* Overwrite with the qos_info obtained in WMM IE */ 1908 if (copy_peer_wmm_capab(&kde, peer) < 0) 1909 goto error; 1910 1911 peer->aid = kde.aid; 1912 1913 #ifdef CONFIG_TDLS_TESTING 1914 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1915 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1916 if (peer == NULL) 1917 goto error; 1918 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1919 "TDLS setup - send own request"); 1920 peer->initiator = 1; 1921 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1922 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1923 wpa_tdls_send_tpk_m1(sm, peer); 1924 } 1925 1926 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1927 tdls_prohibited) { 1928 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1929 "on TDLS"); 1930 tdls_prohibited = 0; 1931 } 1932 #endif /* CONFIG_TDLS_TESTING */ 1933 1934 if (tdls_prohibited) { 1935 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1936 status = WLAN_STATUS_REQUEST_DECLINED; 1937 goto error; 1938 } 1939 1940 if (!wpa_tdls_get_privacy(sm)) { 1941 if (kde.rsn_ie) { 1942 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1943 "security is disabled"); 1944 status = WLAN_STATUS_SECURITY_DISABLED; 1945 goto error; 1946 } 1947 goto skip_rsn; 1948 } 1949 1950 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1951 kde.rsn_ie == NULL) { 1952 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1953 status = WLAN_STATUS_INVALID_PARAMETERS; 1954 goto error; 1955 } 1956 1957 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1958 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1959 "TPK M1"); 1960 status = WLAN_STATUS_INVALID_RSNIE; 1961 goto error; 1962 } 1963 1964 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1965 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1966 status = WLAN_STATUS_INVALID_RSNIE; 1967 goto error; 1968 } 1969 1970 cipher = ie.pairwise_cipher; 1971 if (cipher & WPA_CIPHER_CCMP) { 1972 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1973 cipher = WPA_CIPHER_CCMP; 1974 } else { 1975 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1976 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1977 goto error; 1978 } 1979 1980 if ((ie.capabilities & 1981 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1982 WPA_CAPABILITY_PEERKEY_ENABLED) { 1983 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1984 "TPK M1"); 1985 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1986 goto error; 1987 } 1988 1989 /* Lifetime */ 1990 if (kde.key_lifetime == NULL) { 1991 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1992 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1993 goto error; 1994 } 1995 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1996 lifetime = WPA_GET_LE32(timeoutie->value); 1997 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1998 if (lifetime < 300) { 1999 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2000 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2001 goto error; 2002 } 2003 2004 skip_rsn: 2005 #ifdef CONFIG_TDLS_TESTING 2006 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2007 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2008 /* 2009 * The request frame from us is going to win, so do not 2010 * replace information based on this request frame from 2011 * the peer. 2012 */ 2013 goto skip_rsn_check; 2014 } 2015 } 2016 #endif /* CONFIG_TDLS_TESTING */ 2017 2018 peer->initiator = 0; /* Need to check */ 2019 peer->dtoken = dtoken; 2020 2021 if (!wpa_tdls_get_privacy(sm)) { 2022 peer->rsnie_i_len = 0; 2023 peer->rsnie_p_len = 0; 2024 peer->cipher = WPA_CIPHER_NONE; 2025 goto skip_rsn_check; 2026 } 2027 2028 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2029 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2030 peer->rsnie_i_len = kde.rsn_ie_len; 2031 peer->cipher = cipher; 2032 2033 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2034 !tdls_nonce_set(peer->inonce)) { 2035 /* 2036 * There is no point in updating the RNonce for every obtained 2037 * TPK M1 frame (e.g., retransmission due to timeout) with the 2038 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2039 * retransmitted with a different INonce, update the RNonce 2040 * since this is for a new TDLS session. 2041 */ 2042 wpa_printf(MSG_DEBUG, 2043 "TDLS: New TPK M1 INonce - generate new RNonce"); 2044 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2045 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2046 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2047 "TDLS: Failed to get random data for responder nonce"); 2048 goto error; 2049 } 2050 peer->tk_set = 0; /* A new nonce results in a new TK */ 2051 } 2052 2053 #if 0 2054 /* get version info from RSNIE received from Peer */ 2055 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2056 rsn_ver = WPA_GET_LE16(hdr->version); 2057 2058 /* use min(peer's version, out version) */ 2059 if (rsn_ver > RSN_VERSION) 2060 rsn_ver = RSN_VERSION; 2061 2062 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2063 2064 hdr->elem_id = WLAN_EID_RSN; 2065 WPA_PUT_LE16(hdr->version, rsn_ver); 2066 pos = (u8 *) (hdr + 1); 2067 2068 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2069 pos += RSN_SELECTOR_LEN; 2070 /* Include only the selected cipher in pairwise cipher suite */ 2071 WPA_PUT_LE16(pos, 1); 2072 pos += 2; 2073 if (cipher == WPA_CIPHER_CCMP) 2074 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2075 pos += RSN_SELECTOR_LEN; 2076 2077 WPA_PUT_LE16(pos, 1); 2078 pos += 2; 2079 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2080 pos += RSN_SELECTOR_LEN; 2081 2082 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2083 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2084 WPA_PUT_LE16(pos, rsn_capab); 2085 pos += 2; 2086 2087 hdr->len = (pos - peer->rsnie_p) - 2; 2088 peer->rsnie_p_len = pos - peer->rsnie_p; 2089 #endif 2090 2091 /* temp fix: validation of RSNIE later */ 2092 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2093 peer->rsnie_p_len = peer->rsnie_i_len; 2094 2095 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2096 peer->rsnie_p, peer->rsnie_p_len); 2097 2098 peer->lifetime = lifetime; 2099 2100 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2101 2102 skip_rsn_check: 2103 #ifdef CONFIG_TDLS_TESTING 2104 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2105 goto skip_add_peer; 2106 #endif /* CONFIG_TDLS_TESTING */ 2107 2108 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2109 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2110 goto error; 2111 2112 #ifdef CONFIG_TDLS_TESTING 2113 skip_add_peer: 2114 #endif /* CONFIG_TDLS_TESTING */ 2115 peer->tpk_in_progress = 1; 2116 2117 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2118 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2119 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2120 goto error; 2121 } 2122 2123 return 0; 2124 2125 error: 2126 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2127 status); 2128 if (peer) 2129 wpa_tdls_peer_free(sm, peer); 2130 return -1; 2131 } 2132 2133 2134 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2135 { 2136 peer->tpk_success = 1; 2137 peer->tpk_in_progress = 0; 2138 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2139 if (wpa_tdls_get_privacy(sm)) { 2140 u32 lifetime = peer->lifetime; 2141 /* 2142 * Start the initiator process a bit earlier to avoid race 2143 * condition with the responder sending teardown request. 2144 */ 2145 if (lifetime > 3 && peer->initiator) 2146 lifetime -= 3; 2147 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2148 sm, peer); 2149 #ifdef CONFIG_TDLS_TESTING 2150 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2151 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2152 "expiration"); 2153 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2154 } 2155 #endif /* CONFIG_TDLS_TESTING */ 2156 } 2157 2158 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2159 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2160 "driver"); 2161 return -1; 2162 } 2163 peer->reconfig_key = 0; 2164 2165 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2166 } 2167 2168 2169 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2170 const u8 *buf, size_t len) 2171 { 2172 struct wpa_tdls_peer *peer; 2173 struct wpa_eapol_ie_parse kde; 2174 struct wpa_ie_data ie; 2175 int cipher; 2176 struct wpa_tdls_ftie *ftie; 2177 struct wpa_tdls_timeoutie *timeoutie; 2178 struct wpa_tdls_lnkid *lnkid; 2179 u32 lifetime; 2180 u8 dtoken; 2181 int ielen; 2182 u16 status; 2183 const u8 *pos; 2184 int ret = 0; 2185 2186 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2187 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2188 for (peer = sm->tdls; peer; peer = peer->next) { 2189 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2190 break; 2191 } 2192 if (peer == NULL) { 2193 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2194 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2195 return -1; 2196 } 2197 if (!peer->initiator) { 2198 /* 2199 * This may happen if both devices try to initiate TDLS at the 2200 * same time and we accept the TPK M1 from the peer in 2201 * wpa_tdls_process_tpk_m1() and clear our previous state. 2202 */ 2203 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2204 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2205 return -1; 2206 } 2207 2208 if (peer->tpk_success) { 2209 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2210 MACSTR " as TPK M3 was already sent", 2211 MAC2STR(src_addr)); 2212 return 0; 2213 } 2214 2215 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2216 2217 if (len < 3 + 2 + 1) { 2218 wpa_tdls_disable_peer_link(sm, peer); 2219 return -1; 2220 } 2221 2222 pos = buf; 2223 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2224 status = WPA_GET_LE16(pos); 2225 pos += 2 /* status code */; 2226 2227 if (status != WLAN_STATUS_SUCCESS) { 2228 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2229 status); 2230 wpa_tdls_disable_peer_link(sm, peer); 2231 return -1; 2232 } 2233 2234 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2235 2236 /* TODO: need to verify dialog token matches here or in kernel */ 2237 dtoken = *pos++; /* dialog token */ 2238 2239 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2240 2241 if (len < 3 + 2 + 1 + 2) { 2242 wpa_tdls_disable_peer_link(sm, peer); 2243 return -1; 2244 } 2245 2246 /* capability information */ 2247 peer->capability = WPA_GET_LE16(pos); 2248 pos += 2; 2249 2250 ielen = len - (pos - buf); /* start of IE in buf */ 2251 2252 /* 2253 * Don't reject the message if failing to parse IEs. The IEs we need are 2254 * explicitly checked below. Some APs may add arbitrary padding to the 2255 * end of short TDLS frames and that would look like invalid IEs. 2256 */ 2257 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2258 wpa_printf(MSG_DEBUG, 2259 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2260 2261 #ifdef CONFIG_TDLS_TESTING 2262 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2263 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2264 status = WLAN_STATUS_REQUEST_DECLINED; 2265 goto error; 2266 } 2267 #endif /* CONFIG_TDLS_TESTING */ 2268 2269 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2270 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2271 "TPK M2"); 2272 goto error; 2273 } 2274 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2275 kde.lnkid, kde.lnkid_len); 2276 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2277 2278 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2279 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2280 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2281 goto error; 2282 } 2283 2284 if (copy_supp_rates(&kde, peer) < 0) 2285 goto error; 2286 2287 if (copy_peer_ht_capab(&kde, peer) < 0) 2288 goto error; 2289 2290 if (copy_peer_vht_capab(&kde, peer) < 0) 2291 goto error; 2292 2293 if (copy_peer_ext_capab(&kde, peer) < 0) 2294 goto error; 2295 2296 if (copy_peer_supp_channels(&kde, peer) < 0) 2297 goto error; 2298 2299 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2300 goto error; 2301 2302 peer->qos_info = kde.qosinfo; 2303 2304 /* Overwrite with the qos_info obtained in WMM IE */ 2305 if (copy_peer_wmm_capab(&kde, peer) < 0) 2306 goto error; 2307 2308 peer->aid = kde.aid; 2309 2310 if (!wpa_tdls_get_privacy(sm)) { 2311 peer->rsnie_p_len = 0; 2312 peer->cipher = WPA_CIPHER_NONE; 2313 goto skip_rsn; 2314 } 2315 2316 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2317 kde.rsn_ie == NULL) { 2318 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2319 status = WLAN_STATUS_INVALID_PARAMETERS; 2320 goto error; 2321 } 2322 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2323 kde.rsn_ie, kde.rsn_ie_len); 2324 2325 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2326 wpa_printf(MSG_INFO, 2327 "TDLS: Too long Responder RSN IE in TPK M2"); 2328 status = WLAN_STATUS_INVALID_RSNIE; 2329 goto error; 2330 } 2331 2332 /* 2333 * FIX: bitwise comparison of RSN IE is not the correct way of 2334 * validation this. It can be different, but certain fields must 2335 * match. Since we list only a single pairwise cipher in TPK M1, the 2336 * memcmp is likely to work in most cases, though. 2337 */ 2338 if (kde.rsn_ie_len != peer->rsnie_i_len || 2339 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2340 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2341 "not match with RSN IE used in TPK M1"); 2342 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2343 peer->rsnie_i, peer->rsnie_i_len); 2344 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2345 kde.rsn_ie, kde.rsn_ie_len); 2346 status = WLAN_STATUS_INVALID_RSNIE; 2347 goto error; 2348 } 2349 2350 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2351 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2352 status = WLAN_STATUS_INVALID_RSNIE; 2353 goto error; 2354 } 2355 2356 cipher = ie.pairwise_cipher; 2357 if (cipher == WPA_CIPHER_CCMP) { 2358 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2359 cipher = WPA_CIPHER_CCMP; 2360 } else { 2361 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2362 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2363 goto error; 2364 } 2365 2366 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2367 kde.ftie, sizeof(*ftie)); 2368 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2369 2370 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2371 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2372 "not match with FTIE SNonce used in TPK M1"); 2373 /* Silently discard the frame */ 2374 return -1; 2375 } 2376 2377 /* Responder Nonce and RSN IE */ 2378 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2379 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2380 peer->rsnie_p_len = kde.rsn_ie_len; 2381 peer->cipher = cipher; 2382 2383 /* Lifetime */ 2384 if (kde.key_lifetime == NULL) { 2385 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2386 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2387 goto error; 2388 } 2389 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2390 lifetime = WPA_GET_LE32(timeoutie->value); 2391 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2392 lifetime); 2393 if (lifetime != peer->lifetime) { 2394 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2395 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2396 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2397 goto error; 2398 } 2399 2400 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2401 2402 /* Process MIC check to see if TPK M2 is right */ 2403 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2404 (u8 *) timeoutie, ftie) < 0) { 2405 /* Discard the frame */ 2406 wpa_tdls_del_key(sm, peer); 2407 wpa_tdls_disable_peer_link(sm, peer); 2408 return -1; 2409 } 2410 2411 if (wpa_tdls_set_key(sm, peer) < 0) { 2412 /* 2413 * Some drivers may not be able to config the key prior to full 2414 * STA entry having been configured. 2415 */ 2416 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2417 "STA entry is complete"); 2418 peer->reconfig_key = 1; 2419 } 2420 2421 skip_rsn: 2422 peer->dtoken = dtoken; 2423 2424 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2425 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2426 goto error; 2427 2428 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2429 "TPK Handshake Message 3"); 2430 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2431 goto error; 2432 2433 if (!peer->tpk_success) { 2434 /* 2435 * Enable Link only when tpk_success is 0, signifying that this 2436 * processing of TPK M2 frame is not because of a retransmission 2437 * during TDLS setup handshake. 2438 */ 2439 ret = wpa_tdls_enable_link(sm, peer); 2440 if (ret < 0) { 2441 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2442 wpa_tdls_do_teardown( 2443 sm, peer, 2444 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2445 } 2446 } 2447 return ret; 2448 2449 error: 2450 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2451 status); 2452 wpa_tdls_disable_peer_link(sm, peer); 2453 return -1; 2454 } 2455 2456 2457 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2458 const u8 *buf, size_t len) 2459 { 2460 struct wpa_tdls_peer *peer; 2461 struct wpa_eapol_ie_parse kde; 2462 struct wpa_tdls_ftie *ftie; 2463 struct wpa_tdls_timeoutie *timeoutie; 2464 struct wpa_tdls_lnkid *lnkid; 2465 int ielen; 2466 u16 status; 2467 const u8 *pos; 2468 u32 lifetime; 2469 int ret = 0; 2470 2471 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2472 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2473 for (peer = sm->tdls; peer; peer = peer->next) { 2474 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2475 break; 2476 } 2477 if (peer == NULL) { 2478 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2479 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2480 return -1; 2481 } 2482 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2483 2484 if (len < 3 + 3) 2485 goto error; 2486 pos = buf; 2487 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2488 2489 status = WPA_GET_LE16(pos); 2490 2491 if (status != 0) { 2492 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2493 status); 2494 goto error; 2495 } 2496 pos += 2 /* status code */ + 1 /* dialog token */; 2497 2498 ielen = len - (pos - buf); /* start of IE in buf */ 2499 2500 /* 2501 * Don't reject the message if failing to parse IEs. The IEs we need are 2502 * explicitly checked below. Some APs piggy-back broken IEs to the end 2503 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2504 * this error. 2505 */ 2506 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2507 wpa_printf(MSG_DEBUG, 2508 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2509 } 2510 2511 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2512 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2513 goto error; 2514 } 2515 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2516 (u8 *) kde.lnkid, kde.lnkid_len); 2517 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2518 2519 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2520 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2521 goto error; 2522 } 2523 2524 if (!wpa_tdls_get_privacy(sm)) 2525 goto skip_rsn; 2526 2527 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2528 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2529 goto error; 2530 } 2531 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2532 kde.ftie, sizeof(*ftie)); 2533 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2534 2535 if (kde.rsn_ie == NULL) { 2536 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2537 goto error; 2538 } 2539 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2540 kde.rsn_ie, kde.rsn_ie_len); 2541 if (kde.rsn_ie_len != peer->rsnie_p_len || 2542 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2543 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2544 "with the one sent in TPK M2"); 2545 goto error; 2546 } 2547 2548 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2549 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2550 "not match with FTIE ANonce used in TPK M2"); 2551 goto error; 2552 } 2553 2554 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2555 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2556 "match with FTIE SNonce used in TPK M1"); 2557 goto error; 2558 } 2559 2560 if (kde.key_lifetime == NULL) { 2561 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2562 goto error; 2563 } 2564 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2565 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2566 (u8 *) timeoutie, sizeof(*timeoutie)); 2567 lifetime = WPA_GET_LE32(timeoutie->value); 2568 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2569 lifetime); 2570 if (lifetime != peer->lifetime) { 2571 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2572 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2573 goto error; 2574 } 2575 2576 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2577 (u8 *) timeoutie, ftie) < 0) { 2578 wpa_tdls_del_key(sm, peer); 2579 goto error; 2580 } 2581 2582 if (wpa_tdls_set_key(sm, peer) < 0) { 2583 /* 2584 * Some drivers may not be able to config the key prior to full 2585 * STA entry having been configured. 2586 */ 2587 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2588 "STA entry is complete"); 2589 peer->reconfig_key = 1; 2590 } 2591 2592 skip_rsn: 2593 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2594 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2595 goto error; 2596 2597 if (!peer->tpk_success) { 2598 /* 2599 * Enable Link only when tpk_success is 0, signifying that this 2600 * processing of TPK M3 frame is not because of a retransmission 2601 * during TDLS setup handshake. 2602 */ 2603 ret = wpa_tdls_enable_link(sm, peer); 2604 if (ret < 0) { 2605 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2606 goto error; 2607 } 2608 } 2609 return ret; 2610 error: 2611 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2612 return -1; 2613 } 2614 2615 2616 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2617 { 2618 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2619 2620 os_memset(lifetime, 0, ie_len); 2621 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2622 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2623 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2624 WPA_PUT_LE32(lifetime->value, tsecs); 2625 os_memcpy(pos, ie, ie_len); 2626 return pos + ie_len; 2627 } 2628 2629 2630 /** 2631 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2632 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2633 * @peer: MAC address of the peer STA 2634 * Returns: 0 on success, or -1 on failure 2635 * 2636 * Send TPK Handshake Message 1 info to driver to start TDLS 2637 * handshake with the peer. 2638 */ 2639 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2640 { 2641 struct wpa_tdls_peer *peer; 2642 int tdls_prohibited = sm->tdls_prohibited; 2643 2644 if (sm->tdls_disabled || !sm->tdls_supported) 2645 return -1; 2646 2647 #ifdef CONFIG_TDLS_TESTING 2648 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2649 tdls_prohibited) { 2650 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2651 "on TDLS"); 2652 tdls_prohibited = 0; 2653 } 2654 #endif /* CONFIG_TDLS_TESTING */ 2655 2656 if (tdls_prohibited) { 2657 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2658 "reject request to start setup"); 2659 return -1; 2660 } 2661 2662 peer = wpa_tdls_add_peer(sm, addr, NULL); 2663 if (peer == NULL) 2664 return -1; 2665 2666 if (peer->tpk_in_progress) { 2667 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2668 return 0; 2669 } 2670 2671 peer->initiator = 1; 2672 2673 /* add the peer to the driver as a "setup in progress" peer */ 2674 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2675 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2676 wpa_tdls_disable_peer_link(sm, peer); 2677 return -1; 2678 } 2679 2680 peer->tpk_in_progress = 1; 2681 2682 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2683 wpa_tdls_disable_peer_link(sm, peer); 2684 return -1; 2685 } 2686 2687 return 0; 2688 } 2689 2690 2691 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2692 { 2693 struct wpa_tdls_peer *peer; 2694 2695 if (sm->tdls_disabled || !sm->tdls_supported) 2696 return; 2697 2698 for (peer = sm->tdls; peer; peer = peer->next) { 2699 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2700 break; 2701 } 2702 2703 if (peer == NULL || !peer->tpk_success) 2704 return; 2705 2706 if (sm->tdls_external_setup) { 2707 /* 2708 * Disable previous link to allow renegotiation to be completed 2709 * on AP path. 2710 */ 2711 wpa_tdls_do_teardown(sm, peer, 2712 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2713 } 2714 } 2715 2716 2717 /** 2718 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2719 * 2720 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2721 */ 2722 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2723 const u8 *buf, size_t len) 2724 { 2725 struct wpa_sm *sm = ctx; 2726 struct wpa_tdls_frame *tf; 2727 2728 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2729 buf, len); 2730 2731 if (sm->tdls_disabled || !sm->tdls_supported) { 2732 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2733 "or unsupported by driver"); 2734 return; 2735 } 2736 2737 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2738 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2739 return; 2740 } 2741 2742 if (len < sizeof(*tf)) { 2743 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2744 return; 2745 } 2746 2747 /* Check to make sure its a valid encapsulated TDLS frame */ 2748 tf = (struct wpa_tdls_frame *) buf; 2749 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2750 tf->category != WLAN_ACTION_TDLS) { 2751 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2752 "category=%u action=%u", 2753 tf->payloadtype, tf->category, tf->action); 2754 return; 2755 } 2756 2757 switch (tf->action) { 2758 case WLAN_TDLS_SETUP_REQUEST: 2759 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2760 break; 2761 case WLAN_TDLS_SETUP_RESPONSE: 2762 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2763 break; 2764 case WLAN_TDLS_SETUP_CONFIRM: 2765 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2766 break; 2767 case WLAN_TDLS_TEARDOWN: 2768 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2769 break; 2770 case WLAN_TDLS_DISCOVERY_REQUEST: 2771 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2772 break; 2773 default: 2774 /* Kernel code will process remaining frames */ 2775 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2776 tf->action); 2777 break; 2778 } 2779 } 2780 2781 2782 /** 2783 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2784 * @wpa_s: Pointer to wpa_supplicant data 2785 * Returns: 0 on success, -1 on failure 2786 * 2787 * This function is called to initialize driver interface parameters for TDLS. 2788 * wpa_drv_init() must have been called before this function to initialize the 2789 * driver interface. 2790 */ 2791 int wpa_tdls_init(struct wpa_sm *sm) 2792 { 2793 if (sm == NULL) 2794 return -1; 2795 2796 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2797 sm->ifname, 2798 sm->own_addr, 2799 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2800 sm, 0); 2801 if (sm->l2_tdls == NULL) { 2802 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2803 "connection"); 2804 return -1; 2805 } 2806 2807 /* 2808 * Drivers that support TDLS but don't implement the get_capa callback 2809 * are assumed to perform everything internally 2810 */ 2811 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2812 &sm->tdls_external_setup, 2813 &sm->tdls_chan_switch) < 0) { 2814 sm->tdls_supported = 1; 2815 sm->tdls_external_setup = 0; 2816 } 2817 2818 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2819 "driver", sm->tdls_supported ? "" : " not"); 2820 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2821 sm->tdls_external_setup ? "external" : "internal"); 2822 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2823 sm->tdls_chan_switch ? "supports" : "does not support"); 2824 2825 return 0; 2826 } 2827 2828 2829 void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2830 { 2831 struct wpa_tdls_peer *peer, *tmp; 2832 2833 if (!sm) 2834 return; 2835 peer = sm->tdls; 2836 2837 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2838 2839 while (peer) { 2840 tmp = peer->next; 2841 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2842 MAC2STR(peer->addr)); 2843 if (sm->tdls_external_setup) 2844 wpa_tdls_do_teardown(sm, peer, 2845 WLAN_REASON_DEAUTH_LEAVING); 2846 else 2847 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2848 2849 peer = tmp; 2850 } 2851 } 2852 2853 2854 static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2855 { 2856 struct wpa_tdls_peer *peer, *tmp; 2857 2858 peer = sm->tdls; 2859 2860 while (peer) { 2861 int res; 2862 tmp = peer->next; 2863 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2864 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2865 MAC2STR(peer->addr), res); 2866 wpa_tdls_peer_free(sm, peer); 2867 peer = tmp; 2868 } 2869 } 2870 2871 2872 /** 2873 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2874 * 2875 * This function is called to recover driver interface parameters for TDLS 2876 * and frees resources allocated for it. 2877 */ 2878 void wpa_tdls_deinit(struct wpa_sm *sm) 2879 { 2880 if (sm == NULL) 2881 return; 2882 2883 if (sm->l2_tdls) 2884 l2_packet_deinit(sm->l2_tdls); 2885 sm->l2_tdls = NULL; 2886 2887 wpa_tdls_remove_peers(sm); 2888 } 2889 2890 2891 void wpa_tdls_assoc(struct wpa_sm *sm) 2892 { 2893 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2894 wpa_tdls_remove_peers(sm); 2895 } 2896 2897 2898 void wpa_tdls_disassoc(struct wpa_sm *sm) 2899 { 2900 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2901 wpa_tdls_remove_peers(sm); 2902 } 2903 2904 2905 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2906 { 2907 /* bit 38 - TDLS Prohibited */ 2908 return !!(elems->ext_capab[2 + 4] & 0x40); 2909 } 2910 2911 2912 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2913 { 2914 /* bit 39 - TDLS Channel Switch Prohibited */ 2915 return !!(elems->ext_capab[2 + 4] & 0x80); 2916 } 2917 2918 2919 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2920 { 2921 struct ieee802_11_elems elems; 2922 2923 sm->tdls_prohibited = 0; 2924 sm->tdls_chan_switch_prohibited = 0; 2925 2926 if (ies == NULL || 2927 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2928 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2929 return; 2930 2931 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2932 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2933 sm->tdls_prohibited ? "prohibited" : "allowed"); 2934 sm->tdls_chan_switch_prohibited = 2935 wpa_tdls_chan_switch_prohibited(&elems); 2936 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2937 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2938 } 2939 2940 2941 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2942 { 2943 struct ieee802_11_elems elems; 2944 2945 if (ies == NULL || 2946 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2947 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2948 return; 2949 2950 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2951 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2952 "(Re)Association Response IEs"); 2953 sm->tdls_prohibited = 1; 2954 } 2955 2956 if (!sm->tdls_chan_switch_prohibited && 2957 wpa_tdls_chan_switch_prohibited(&elems)) { 2958 wpa_printf(MSG_DEBUG, 2959 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2960 sm->tdls_chan_switch_prohibited = 1; 2961 } 2962 } 2963 2964 2965 void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2966 { 2967 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2968 sm->tdls_disabled = !enabled; 2969 } 2970 2971 2972 int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2973 { 2974 return sm->tdls_external_setup; 2975 } 2976 2977 2978 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2979 u8 oper_class, 2980 struct hostapd_freq_params *freq_params) 2981 { 2982 struct wpa_tdls_peer *peer; 2983 int ret; 2984 2985 if (sm->tdls_disabled || !sm->tdls_supported) 2986 return -1; 2987 2988 if (!sm->tdls_chan_switch) { 2989 wpa_printf(MSG_DEBUG, 2990 "TDLS: Channel switching not supported by the driver"); 2991 return -1; 2992 } 2993 2994 if (sm->tdls_chan_switch_prohibited) { 2995 wpa_printf(MSG_DEBUG, 2996 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 2997 return -1; 2998 } 2999 3000 for (peer = sm->tdls; peer; peer = peer->next) { 3001 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3002 break; 3003 } 3004 3005 if (peer == NULL || !peer->tpk_success) { 3006 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3007 " not found for channel switching", MAC2STR(addr)); 3008 return -1; 3009 } 3010 3011 if (peer->chan_switch_enabled) { 3012 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3013 " already has channel switching enabled", 3014 MAC2STR(addr)); 3015 return 0; 3016 } 3017 3018 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3019 oper_class, freq_params); 3020 if (!ret) 3021 peer->chan_switch_enabled = 1; 3022 3023 return ret; 3024 } 3025 3026 3027 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3028 { 3029 struct wpa_tdls_peer *peer; 3030 3031 if (sm->tdls_disabled || !sm->tdls_supported) 3032 return -1; 3033 3034 for (peer = sm->tdls; peer; peer = peer->next) { 3035 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3036 break; 3037 } 3038 3039 if (!peer || !peer->chan_switch_enabled) { 3040 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3041 MACSTR, MAC2STR(addr)); 3042 return -1; 3043 } 3044 3045 /* ignore the return value */ 3046 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3047 3048 peer->chan_switch_enabled = 0; 3049 return 0; 3050 } 3051