tdls.c revision 324698
1224135Sdim/* 2224135Sdim * wpa_supplicant - TDLS 3224135Sdim * Copyright (c) 2010-2011, Atheros Communications 4224135Sdim * 5224135Sdim * This software may be distributed under the terms of the BSD license. 6224135Sdim * See README for more details. 7224135Sdim */ 8224135Sdim 9224135Sdim#include "utils/includes.h" 10224135Sdim 11239462Sdim#include "utils/common.h" 12224135Sdim#include "utils/eloop.h" 13249423Sdim#include "utils/os.h" 14224135Sdim#include "common/ieee802_11_defs.h" 15224135Sdim#include "common/ieee802_11_common.h" 16224135Sdim#include "crypto/sha256.h" 17224135Sdim#include "crypto/crypto.h" 18224135Sdim#include "crypto/aes_wrap.h" 19224135Sdim#include "rsn_supp/wpa.h" 20224135Sdim#include "rsn_supp/wpa_ie.h" 21224135Sdim#include "rsn_supp/wpa_i.h" 22224135Sdim#include "drivers/driver.h" 23224135Sdim#include "l2_packet/l2_packet.h" 24224135Sdim 25224135Sdim#ifdef CONFIG_TDLS_TESTING 26224135Sdim#define TDLS_TESTING_LONG_FRAME BIT(0) 27224135Sdim#define TDLS_TESTING_ALT_RSN_IE BIT(1) 28224135Sdim#define TDLS_TESTING_DIFF_BSSID BIT(2) 29224135Sdim#define TDLS_TESTING_SHORT_LIFETIME BIT(3) 30224135Sdim#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 31224135Sdim#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 32224135Sdim#define TDLS_TESTING_LONG_LIFETIME BIT(6) 33224135Sdim#define TDLS_TESTING_CONCURRENT_INIT BIT(7) 34224135Sdim#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 35224135Sdim#define TDLS_TESTING_DECLINE_RESP BIT(9) 36224135Sdim#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 37224135Sdim#define TDLS_TESTING_WRONG_MIC BIT(11) 38224135Sdimunsigned int tdls_testing = 0; 39224135Sdim#endif /* CONFIG_TDLS_TESTING */ 40224135Sdim 41224135Sdim#define TPK_LIFETIME 43200 /* 12 hours */ 42224135Sdim#define TPK_M1_RETRY_COUNT 3 43224135Sdim#define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 44224135Sdim#define TPK_M2_RETRY_COUNT 10 45224135Sdim#define TPK_M2_TIMEOUT 500 /* in milliseconds */ 46224135Sdim 47224135Sdim#define TDLS_MIC_LEN 16 48226633Sdim 49224135Sdim#define TDLS_TIMEOUT_LEN 4 50226633Sdim 51224135Sdimstruct wpa_tdls_ftie { 52224135Sdim u8 ie_type; /* FTIE */ 53224135Sdim u8 ie_len; 54224135Sdim u8 mic_ctrl[2]; 55224135Sdim u8 mic[TDLS_MIC_LEN]; 56224135Sdim u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 57224135Sdim u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 58224135Sdim /* followed by optional elements */ 59224135Sdim} STRUCT_PACKED; 60224135Sdim 61224135Sdimstruct wpa_tdls_timeoutie { 62224135Sdim u8 ie_type; /* Timeout IE */ 63224135Sdim u8 ie_len; 64224135Sdim u8 interval_type; 65224135Sdim u8 value[TDLS_TIMEOUT_LEN]; 66224135Sdim} STRUCT_PACKED; 67224135Sdim 68224135Sdimstruct wpa_tdls_lnkid { 69224135Sdim u8 ie_type; /* Link Identifier IE */ 70224135Sdim u8 ie_len; 71224135Sdim u8 bssid[ETH_ALEN]; 72226633Sdim u8 init_sta[ETH_ALEN]; 73224135Sdim u8 resp_sta[ETH_ALEN]; 74224135Sdim} STRUCT_PACKED; 75226633Sdim 76226633Sdim/* TDLS frame headers as per IEEE Std 802.11z-2010 */ 77224135Sdimstruct wpa_tdls_frame { 78224135Sdim u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 79224135Sdim u8 category; /* Category */ 80224135Sdim u8 action; /* Action (enum tdls_frame_type) */ 81224135Sdim} STRUCT_PACKED; 82224135Sdim 83224135Sdimstatic u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 84224135Sdimstatic void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 85224135Sdimstatic void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 86224135Sdimstatic void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 87224135Sdim struct wpa_tdls_peer *peer); 88224135Sdimstatic int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 89224135Sdim u16 reason_code); 90224135Sdim 91224135Sdim 92224135Sdim#define TDLS_MAX_IE_LEN 80 93224135Sdim#define IEEE80211_MAX_SUPP_RATES 32 94224135Sdim 95224135Sdimstruct wpa_tdls_peer { 96224135Sdim struct wpa_tdls_peer *next; 97224135Sdim unsigned int reconfig_key:1; 98224135Sdim int initiator; /* whether this end was initiator for TDLS setup */ 99224135Sdim u8 addr[ETH_ALEN]; /* other end MAC address */ 100224135Sdim u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 101224135Sdim u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 102224135Sdim u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 103224135Sdim size_t rsnie_i_len; 104224135Sdim u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 105224135Sdim size_t rsnie_p_len; 106226633Sdim u32 lifetime; 107224135Sdim int cipher; /* Selected cipher (WPA_CIPHER_*) */ 108224135Sdim u8 dtoken; 109224135Sdim 110224135Sdim struct tpk { 111224135Sdim u8 kck[16]; /* TPK-KCK */ 112224135Sdim u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 113224135Sdim } tpk; 114224135Sdim int tpk_set; 115224135Sdim int tk_set; /* TPK-TK configured to the driver */ 116224135Sdim int tpk_success; 117224135Sdim int tpk_in_progress; 118224135Sdim 119224135Sdim struct tpk_timer { 120224135Sdim u8 dest[ETH_ALEN]; 121224135Sdim int count; /* Retry Count */ 122224135Sdim int timer; /* Timeout in milliseconds */ 123224135Sdim u8 action_code; /* TDLS frame type */ 124224135Sdim u8 dialog_token; 125224135Sdim u16 status_code; 126234353Sdim u32 peer_capab; 127234353Sdim int buf_len; /* length of TPK message for retransmission */ 128224135Sdim u8 *buf; /* buffer for TPK message */ 129224135Sdim } sm_tmr; 130224135Sdim 131224135Sdim u16 capability; 132224135Sdim 133224135Sdim u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 134226633Sdim size_t supp_rates_len; 135226633Sdim 136224135Sdim struct ieee80211_ht_capabilities *ht_capabilities; 137224135Sdim struct ieee80211_vht_capabilities *vht_capabilities; 138226633Sdim 139224135Sdim u8 qos_info; 140226633Sdim 141226633Sdim u16 aid; 142226633Sdim 143224135Sdim u8 *ext_capab; 144224135Sdim size_t ext_capab_len; 145224135Sdim 146226633Sdim u8 *supp_channels; 147224135Sdim size_t supp_channels_len; 148224135Sdim 149224135Sdim u8 *supp_oper_classes; 150224135Sdim size_t supp_oper_classes_len; 151224135Sdim 152224135Sdim u8 wmm_capable; 153224135Sdim 154224135Sdim /* channel switch currently enabled */ 155226633Sdim int chan_switch_enabled; 156224135Sdim}; 157224135Sdim 158224135Sdim 159224135Sdimstatic int wpa_tdls_get_privacy(struct wpa_sm *sm) 160224135Sdim{ 161224135Sdim /* 162226633Sdim * Get info needed from supplicant to check if the current BSS supports 163226633Sdim * security. Other than OPEN mode, rest are considered secured 164224135Sdim * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 165226633Sdim */ 166224135Sdim return sm->pairwise_cipher != WPA_CIPHER_NONE; 167224135Sdim} 168224135Sdim 169224135Sdim 170224135Sdimstatic u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 171224135Sdim{ 172224135Sdim os_memcpy(pos, ie, ie_len); 173224135Sdim return pos + ie_len; 174224135Sdim} 175224135Sdim 176224135Sdim 177224135Sdimstatic int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 178224135Sdim{ 179224135Sdim if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 180224135Sdim 0, 0, NULL, 0, NULL, 0) < 0) { 181224135Sdim wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 182224135Sdim "the driver"); 183224135Sdim return -1; 184224135Sdim } 185224135Sdim 186224135Sdim return 0; 187224135Sdim} 188224135Sdim 189224135Sdim 190224135Sdimstatic int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 191224135Sdim{ 192224135Sdim u8 key_len; 193224135Sdim u8 rsc[6]; 194224135Sdim enum wpa_alg alg; 195224135Sdim 196224135Sdim if (peer->tk_set) { 197224135Sdim /* 198224135Sdim * This same TPK-TK has already been configured to the driver 199224135Sdim * and this new configuration attempt (likely due to an 200224135Sdim * unexpected retransmitted frame) would result in clearing 201224135Sdim * the TX/RX sequence number which can break security, so must 202224135Sdim * not allow that to happen. 203224135Sdim */ 204224135Sdim wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR 205224135Sdim " has already been configured to the driver - do not reconfigure", 206224135Sdim MAC2STR(peer->addr)); 207224135Sdim return -1; 208224135Sdim } 209224135Sdim 210224135Sdim os_memset(rsc, 0, 6); 211224135Sdim 212224135Sdim switch (peer->cipher) { 213224135Sdim case WPA_CIPHER_CCMP: 214224135Sdim alg = WPA_ALG_CCMP; 215224135Sdim key_len = 16; 216224135Sdim break; 217224135Sdim case WPA_CIPHER_NONE: 218224135Sdim wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 219224135Sdim "NONE - do not use pairwise keys"); 220224135Sdim return -1; 221224135Sdim default: 222224135Sdim wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 223224135Sdim sm->pairwise_cipher); 224224135Sdim return -1; 225224135Sdim } 226224135Sdim 227224135Sdim wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, 228224135Sdim MAC2STR(peer->addr)); 229224135Sdim if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 230224135Sdim rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 231224135Sdim wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 232224135Sdim "driver"); 233224135Sdim return -1; 234224135Sdim } 235224135Sdim peer->tk_set = 1; 236224135Sdim return 0; 237224135Sdim} 238224135Sdim 239224135Sdim 240224135Sdimstatic int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 241224135Sdim u8 action_code, u8 dialog_token, 242224135Sdim u16 status_code, u32 peer_capab, 243224135Sdim int initiator, const u8 *buf, size_t len) 244224135Sdim{ 245224135Sdim return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 246224135Sdim status_code, peer_capab, initiator, buf, 247224135Sdim len); 248224135Sdim} 249224135Sdim 250224135Sdim 251224135Sdimstatic int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 252224135Sdim u8 dialog_token, u16 status_code, u32 peer_capab, 253224135Sdim int initiator, const u8 *msg, size_t msg_len) 254224135Sdim{ 255224135Sdim struct wpa_tdls_peer *peer; 256224135Sdim 257224135Sdim wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 258224135Sdim "dialog_token=%u status_code=%u peer_capab=%u initiator=%d " 259224135Sdim "msg_len=%u", 260224135Sdim MAC2STR(dest), action_code, dialog_token, status_code, 261224135Sdim peer_capab, initiator, (unsigned int) msg_len); 262224135Sdim 263224135Sdim if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 264224135Sdim status_code, peer_capab, initiator, msg, 265224135Sdim msg_len)) { 266224135Sdim wpa_printf(MSG_INFO, "TDLS: Failed to send message " 267224135Sdim "(action_code=%u)", action_code); 268224135Sdim return -1; 269224135Sdim } 270224135Sdim 271224135Sdim if (action_code == WLAN_TDLS_SETUP_CONFIRM || 272224135Sdim action_code == WLAN_TDLS_TEARDOWN || 273224135Sdim action_code == WLAN_TDLS_DISCOVERY_REQUEST || 274224135Sdim action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 275224135Sdim return 0; /* No retries */ 276224135Sdim 277224135Sdim for (peer = sm->tdls; peer; peer = peer->next) { 278224135Sdim if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 279224135Sdim break; 280224135Sdim } 281224135Sdim 282224135Sdim if (peer == NULL) { 283224135Sdim wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 284224135Sdim "retry " MACSTR, MAC2STR(dest)); 285224135Sdim return 0; 286224135Sdim } 287224135Sdim 288224135Sdim eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 289224135Sdim 290224135Sdim if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 291224135Sdim peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 292224135Sdim peer->sm_tmr.timer = TPK_M2_TIMEOUT; 293224135Sdim } else { 294224135Sdim peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 295224135Sdim peer->sm_tmr.timer = TPK_M1_TIMEOUT; 296224135Sdim } 297224135Sdim 298224135Sdim /* Copy message to resend on timeout */ 299224135Sdim os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 300224135Sdim peer->sm_tmr.action_code = action_code; 301224135Sdim peer->sm_tmr.dialog_token = dialog_token; 302224135Sdim peer->sm_tmr.status_code = status_code; 303224135Sdim peer->sm_tmr.peer_capab = peer_capab; 304224135Sdim peer->sm_tmr.buf_len = msg_len; 305224135Sdim os_free(peer->sm_tmr.buf); 306224135Sdim peer->sm_tmr.buf = os_malloc(msg_len); 307224135Sdim if (peer->sm_tmr.buf == NULL) 308224135Sdim return -1; 309224135Sdim os_memcpy(peer->sm_tmr.buf, msg, msg_len); 310224135Sdim 311224135Sdim wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 312224135Sdim "(action_code=%u)", action_code); 313224135Sdim eloop_register_timeout(peer->sm_tmr.timer / 1000, 314224135Sdim (peer->sm_tmr.timer % 1000) * 1000, 315224135Sdim wpa_tdls_tpk_retry_timeout, sm, peer); 316224135Sdim return 0; 317224135Sdim} 318224135Sdim 319224135Sdim 320224135Sdimstatic int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 321224135Sdim u16 reason_code) 322224135Sdim{ 323224135Sdim int ret; 324224135Sdim 325224135Sdim ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 326224135Sdim /* disable the link after teardown was sent */ 327224135Sdim wpa_tdls_disable_peer_link(sm, peer); 328224135Sdim 329224135Sdim return ret; 330224135Sdim} 331224135Sdim 332224135Sdim 333224135Sdimstatic void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 334224135Sdim{ 335224135Sdim 336224135Sdim struct wpa_sm *sm = eloop_ctx; 337224135Sdim struct wpa_tdls_peer *peer = timeout_ctx; 338224135Sdim 339224135Sdim if (peer->sm_tmr.count) { 340224135Sdim peer->sm_tmr.count--; 341224135Sdim 342224135Sdim wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 343224135Sdim "(action_code=%u)", 344224135Sdim peer->sm_tmr.action_code); 345224135Sdim 346224135Sdim if (peer->sm_tmr.buf == NULL) { 347224135Sdim wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 348224135Sdim "for action_code=%u", 349224135Sdim peer->sm_tmr.action_code); 350224135Sdim eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 351224135Sdim peer); 352224135Sdim return; 353224135Sdim } 354224135Sdim 355224135Sdim /* resend TPK Handshake Message to Peer */ 356224135Sdim if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 357224135Sdim peer->sm_tmr.action_code, 358224135Sdim peer->sm_tmr.dialog_token, 359224135Sdim peer->sm_tmr.status_code, 360224135Sdim peer->sm_tmr.peer_capab, 361224135Sdim peer->initiator, 362224135Sdim peer->sm_tmr.buf, 363224135Sdim peer->sm_tmr.buf_len)) { 364224135Sdim wpa_printf(MSG_INFO, "TDLS: Failed to retry " 365224135Sdim "transmission"); 366224135Sdim } 367224135Sdim 368226633Sdim eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 369224135Sdim eloop_register_timeout(peer->sm_tmr.timer / 1000, 370224135Sdim (peer->sm_tmr.timer % 1000) * 1000, 371224135Sdim wpa_tdls_tpk_retry_timeout, sm, peer); 372224135Sdim } else { 373224135Sdim eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 374224135Sdim 375224135Sdim wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 376224135Sdim wpa_tdls_do_teardown(sm, peer, 377224135Sdim WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 378224135Sdim } 379224135Sdim} 380224135Sdim 381224135Sdim 382224135Sdimstatic void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 383224135Sdim struct wpa_tdls_peer *peer, 384224135Sdim u8 action_code) 385224135Sdim{ 386224135Sdim if (action_code == peer->sm_tmr.action_code) { 387226633Sdim wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 388224135Sdim "action_code=%u", action_code); 389224135Sdim 390224135Sdim /* Cancel Timeout registered */ 391224135Sdim eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 392224135Sdim 393224135Sdim /* free all resources meant for retry */ 394224135Sdim os_free(peer->sm_tmr.buf); 395224135Sdim peer->sm_tmr.buf = NULL; 396224135Sdim 397224135Sdim peer->sm_tmr.count = 0; 398224135Sdim peer->sm_tmr.timer = 0; 399224135Sdim peer->sm_tmr.buf_len = 0; 400226633Sdim peer->sm_tmr.action_code = 0xff; 401224135Sdim } else { 402224135Sdim wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 403224135Sdim "(Unknown action_code=%u)", action_code); 404224135Sdim } 405224135Sdim} 406224135Sdim 407224135Sdim 408224135Sdimstatic void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 409224135Sdim const u8 *own_addr, const u8 *bssid) 410224135Sdim{ 411224135Sdim u8 key_input[SHA256_MAC_LEN]; 412224135Sdim const u8 *nonce[2]; 413224135Sdim size_t len[2]; 414224135Sdim u8 data[3 * ETH_ALEN]; 415224135Sdim 416224135Sdim /* IEEE Std 802.11z-2010 8.5.9.1: 417224135Sdim * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 418224135Sdim */ 419224135Sdim len[0] = WPA_NONCE_LEN; 420224135Sdim len[1] = WPA_NONCE_LEN; 421224135Sdim if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 422226633Sdim nonce[0] = peer->inonce; 423224135Sdim nonce[1] = peer->rnonce; 424224135Sdim } else { 425224135Sdim nonce[0] = peer->rnonce; 426224135Sdim nonce[1] = peer->inonce; 427224135Sdim } 428224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 429226633Sdim wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 430224135Sdim sha256_vector(2, nonce, len, key_input); 431224135Sdim wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 432224135Sdim key_input, SHA256_MAC_LEN); 433224135Sdim 434224135Sdim /* 435224135Sdim * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 436224135Sdim * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 437224135Sdim * TODO: is N_KEY really included in KDF Context and if so, in which 438224135Sdim * presentation format (little endian 16-bit?) is it used? It gets 439224135Sdim * added by the KDF anyway.. 440224135Sdim */ 441224135Sdim 442224135Sdim if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 443224135Sdim os_memcpy(data, own_addr, ETH_ALEN); 444224135Sdim os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 445224135Sdim } else { 446224135Sdim os_memcpy(data, peer->addr, ETH_ALEN); 447224135Sdim os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 448224135Sdim } 449224135Sdim os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 450224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 451224135Sdim 452224135Sdim sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 453224135Sdim (u8 *) &peer->tpk, sizeof(peer->tpk)); 454224135Sdim wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 455224135Sdim peer->tpk.kck, sizeof(peer->tpk.kck)); 456224135Sdim wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 457224135Sdim peer->tpk.tk, sizeof(peer->tpk.tk)); 458224135Sdim peer->tpk_set = 1; 459224135Sdim} 460224135Sdim 461224135Sdim 462224135Sdim/** 463224135Sdim * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 464224135Sdim * @kck: TPK-KCK 465224135Sdim * @lnkid: Pointer to the beginning of Link Identifier IE 466224135Sdim * @rsnie: Pointer to the beginning of RSN IE used for handshake 467224135Sdim * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 468224135Sdim * @ftie: Pointer to the beginning of FT IE 469224135Sdim * @mic: Pointer for writing MIC 470224135Sdim * 471224135Sdim * Calculate MIC for TDLS frame. 472224135Sdim */ 473224135Sdimstatic int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 474224135Sdim const u8 *rsnie, const u8 *timeoutie, 475224135Sdim const u8 *ftie, u8 *mic) 476224135Sdim{ 477224135Sdim u8 *buf, *pos; 478224135Sdim struct wpa_tdls_ftie *_ftie; 479224135Sdim const struct wpa_tdls_lnkid *_lnkid; 480224135Sdim int ret; 481224135Sdim int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 482224135Sdim 2 + timeoutie[1] + 2 + ftie[1]; 483226633Sdim buf = os_zalloc(len); 484224135Sdim if (!buf) { 485226633Sdim wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 486224135Sdim return -1; 487224135Sdim } 488224135Sdim 489224135Sdim pos = buf; 490224135Sdim _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 491224135Sdim /* 1) TDLS initiator STA MAC address */ 492224135Sdim os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 493224135Sdim pos += ETH_ALEN; 494224135Sdim /* 2) TDLS responder STA MAC address */ 495224135Sdim os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 496224135Sdim pos += ETH_ALEN; 497226633Sdim /* 3) Transaction Sequence number */ 498224135Sdim *pos++ = trans_seq; 499224135Sdim /* 4) Link Identifier IE */ 500226633Sdim os_memcpy(pos, lnkid, 2 + lnkid[1]); 501224135Sdim pos += 2 + lnkid[1]; 502224135Sdim /* 5) RSN IE */ 503224135Sdim os_memcpy(pos, rsnie, 2 + rsnie[1]); 504224135Sdim pos += 2 + rsnie[1]; 505224135Sdim /* 6) Timeout Interval IE */ 506224135Sdim os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 507226633Sdim pos += 2 + timeoutie[1]; 508296417Sdim /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 509296417Sdim os_memcpy(pos, ftie, 2 + ftie[1]); 510224135Sdim _ftie = (struct wpa_tdls_ftie *) pos; 511296417Sdim os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 512224135Sdim pos += 2 + ftie[1]; 513224135Sdim 514224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 515224135Sdim wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 516224135Sdim ret = omac1_aes_128(kck, buf, pos - buf, mic); 517224135Sdim os_free(buf); 518224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 519224135Sdim return ret; 520224135Sdim} 521224135Sdim 522224135Sdim 523224135Sdim/** 524224135Sdim * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 525224135Sdim * @kck: TPK-KCK 526224135Sdim * @trans_seq: Transaction Sequence Number (4 - Teardown) 527224135Sdim * @rcode: Reason code for Teardown 528224135Sdim * @dtoken: Dialog Token used for that particular link 529224135Sdim * @lnkid: Pointer to the beginning of Link Identifier IE 530224135Sdim * @ftie: Pointer to the beginning of FT IE 531224135Sdim * @mic: Pointer for writing MIC 532224135Sdim * 533224135Sdim * Calculate MIC for TDLS frame. 534224135Sdim */ 535224135Sdimstatic int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 536224135Sdim u8 dtoken, const u8 *lnkid, 537224135Sdim const u8 *ftie, u8 *mic) 538224135Sdim{ 539224135Sdim u8 *buf, *pos; 540224135Sdim struct wpa_tdls_ftie *_ftie; 541224135Sdim int ret; 542224135Sdim int len; 543224135Sdim 544224135Sdim if (lnkid == NULL) 545224135Sdim return -1; 546224135Sdim 547224135Sdim len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 548224135Sdim sizeof(trans_seq) + 2 + ftie[1]; 549224135Sdim 550224135Sdim buf = os_zalloc(len); 551224135Sdim if (!buf) { 552224135Sdim wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 553224135Sdim return -1; 554224135Sdim } 555224135Sdim 556224135Sdim pos = buf; 557224135Sdim /* 1) Link Identifier IE */ 558224135Sdim os_memcpy(pos, lnkid, 2 + lnkid[1]); 559224135Sdim pos += 2 + lnkid[1]; 560224135Sdim /* 2) Reason Code */ 561224135Sdim WPA_PUT_LE16(pos, rcode); 562224135Sdim pos += sizeof(rcode); 563224135Sdim /* 3) Dialog token */ 564224135Sdim *pos++ = dtoken; 565224135Sdim /* 4) Transaction Sequence number */ 566224135Sdim *pos++ = trans_seq; 567224135Sdim /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 568224135Sdim os_memcpy(pos, ftie, 2 + ftie[1]); 569224135Sdim _ftie = (struct wpa_tdls_ftie *) pos; 570224135Sdim os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 571224135Sdim pos += 2 + ftie[1]; 572224135Sdim 573224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 574224135Sdim wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 575224135Sdim ret = omac1_aes_128(kck, buf, pos - buf, mic); 576224135Sdim os_free(buf); 577224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 578224135Sdim return ret; 579224135Sdim} 580224135Sdim 581224135Sdim 582224135Sdimstatic int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 583280031Sdim struct wpa_tdls_peer *peer, 584224135Sdim const u8 *lnkid, const u8 *timeoutie, 585224135Sdim const struct wpa_tdls_ftie *ftie) 586224135Sdim{ 587224135Sdim u8 mic[16]; 588224135Sdim 589224135Sdim if (peer->tpk_set) { 590224135Sdim wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 591224135Sdim peer->rsnie_p, timeoutie, (u8 *) ftie, 592224135Sdim mic); 593226633Sdim if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 594224135Sdim wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 595224135Sdim "dropping packet"); 596224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 597224135Sdim ftie->mic, 16); 598224135Sdim wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 599226633Sdim mic, 16); 600224135Sdim return -1; 601224135Sdim } 602276479Sdim } else { 603224135Sdim wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 604224135Sdim "TPK not set - dropping packet"); 605224135Sdim return -1; 606224135Sdim } 607224135Sdim return 0; 608224135Sdim} 609224135Sdim 610224135Sdim 611224135Sdimstatic int wpa_supplicant_verify_tdls_mic_teardown( 612224135Sdim u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 613224135Sdim const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 614224135Sdim{ 615224135Sdim u8 mic[16]; 616224135Sdim 617224135Sdim if (peer->tpk_set) { 618224135Sdim wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 619224135Sdim dtoken, lnkid, (u8 *) ftie, mic); 620224135Sdim if (os_memcmp_const(mic, ftie->mic, 16) != 0) { 621224135Sdim wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 622224135Sdim "dropping packet"); 623226633Sdim return -1; 624224135Sdim } 625224135Sdim } else { 626224135Sdim wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 627224135Sdim "MIC, TPK not set - dropping packet"); 628226633Sdim return -1; 629224135Sdim } 630224135Sdim return 0; 631224135Sdim} 632224135Sdim 633224135Sdim 634224135Sdimstatic void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 635224135Sdim{ 636224135Sdim struct wpa_sm *sm = eloop_ctx; 637224135Sdim struct wpa_tdls_peer *peer = timeout_ctx; 638224135Sdim 639224135Sdim /* 640226633Sdim * On TPK lifetime expiration, we have an option of either tearing down 641224135Sdim * the direct link or trying to re-initiate it. The selection of what 642224135Sdim * to do is not strictly speaking controlled by our role in the expired 643224135Sdim * link, but for now, use that to select whether to renew or tear down 644224135Sdim * the link. 645224135Sdim */ 646224135Sdim 647224135Sdim if (peer->initiator) { 648224135Sdim wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 649226633Sdim " - try to renew", MAC2STR(peer->addr)); 650224135Sdim wpa_tdls_start(sm, peer->addr); 651224135Sdim } else { 652224135Sdim wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 653226633Sdim " - tear down", MAC2STR(peer->addr)); 654226633Sdim wpa_tdls_do_teardown(sm, peer, 655224135Sdim WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 656224135Sdim } 657224135Sdim} 658224135Sdim 659224135Sdim 660224135Sdimstatic void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm, 661224135Sdim struct wpa_tdls_peer *peer) 662224135Sdim{ 663224135Sdim struct wpa_tdls_peer *cur, *prev; 664224135Sdim 665226633Sdim cur = sm->tdls; 666224135Sdim prev = NULL; 667224135Sdim while (cur && cur != peer) { 668224135Sdim prev = cur; 669224135Sdim cur = cur->next; 670224135Sdim } 671224135Sdim 672224135Sdim if (cur != peer) { 673224135Sdim wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR 674276479Sdim " to remove it from the list", 675276479Sdim MAC2STR(peer->addr)); 676276479Sdim return; 677224135Sdim } 678276479Sdim 679224135Sdim if (prev) 680224135Sdim prev->next = peer->next; 681276479Sdim else 682234353Sdim sm->tdls = peer->next; 683276479Sdim} 684234353Sdim 685234353Sdim 686276479Sdimstatic void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 687276479Sdim{ 688276479Sdim wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 689276479Sdim MAC2STR(peer->addr)); 690276479Sdim eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 691276479Sdim eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 692224135Sdim peer->reconfig_key = 0; 693276479Sdim peer->initiator = 0; 694224135Sdim peer->tpk_in_progress = 0; 695 os_free(peer->sm_tmr.buf); 696 peer->sm_tmr.buf = NULL; 697 os_free(peer->ht_capabilities); 698 peer->ht_capabilities = NULL; 699 os_free(peer->vht_capabilities); 700 peer->vht_capabilities = NULL; 701 os_free(peer->ext_capab); 702 peer->ext_capab = NULL; 703 os_free(peer->supp_channels); 704 peer->supp_channels = NULL; 705 os_free(peer->supp_oper_classes); 706 peer->supp_oper_classes = NULL; 707 peer->rsnie_i_len = peer->rsnie_p_len = 0; 708 peer->cipher = 0; 709 peer->qos_info = 0; 710 peer->wmm_capable = 0; 711 peer->tk_set = peer->tpk_set = peer->tpk_success = 0; 712 peer->chan_switch_enabled = 0; 713 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 714 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 715 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 716} 717 718 719static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 720{ 721 wpa_tdls_peer_clear(sm, peer); 722 wpa_tdls_peer_remove_from_list(sm, peer); 723 os_free(peer); 724} 725 726 727static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 728 struct wpa_tdls_lnkid *lnkid) 729{ 730 lnkid->ie_type = WLAN_EID_LINK_ID; 731 lnkid->ie_len = 3 * ETH_ALEN; 732 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 733 if (peer->initiator) { 734 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 735 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 736 } else { 737 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 738 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 739 } 740} 741 742 743static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 744 u16 reason_code) 745{ 746 struct wpa_tdls_peer *peer; 747 struct wpa_tdls_ftie *ftie; 748 struct wpa_tdls_lnkid lnkid; 749 u8 dialog_token; 750 u8 *rbuf, *pos; 751 int ielen; 752 753 if (sm->tdls_disabled || !sm->tdls_supported) 754 return -1; 755 756 /* Find the node and free from the list */ 757 for (peer = sm->tdls; peer; peer = peer->next) { 758 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 759 break; 760 } 761 762 if (peer == NULL) { 763 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 764 "Teardown " MACSTR, MAC2STR(addr)); 765 return 0; 766 } 767 768 /* Cancel active channel switch before teardown */ 769 if (peer->chan_switch_enabled) { 770 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR 771 " to base channel", MAC2STR(addr)); 772 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 773 } 774 775 dialog_token = peer->dtoken; 776 777 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 778 MAC2STR(addr)); 779 780 ielen = 0; 781 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 782 /* To add FTIE for Teardown request and compute MIC */ 783 ielen += sizeof(*ftie); 784#ifdef CONFIG_TDLS_TESTING 785 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 786 ielen += 170; 787#endif /* CONFIG_TDLS_TESTING */ 788 } 789 790 rbuf = os_zalloc(ielen + 1); 791 if (rbuf == NULL) 792 return -1; 793 pos = rbuf; 794 795 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 796 goto skip_ies; 797 798 ftie = (struct wpa_tdls_ftie *) pos; 799 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 800 /* Using the recent nonce which should be for CONFIRM frame */ 801 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 802 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 803 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 804 pos = (u8 *) (ftie + 1); 805#ifdef CONFIG_TDLS_TESTING 806 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 807 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 808 "FTIE"); 809 ftie->ie_len += 170; 810 *pos++ = 255; /* FTIE subelem */ 811 *pos++ = 168; /* FTIE subelem length */ 812 pos += 168; 813 } 814#endif /* CONFIG_TDLS_TESTING */ 815 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 816 (u8 *) ftie, pos - (u8 *) ftie); 817 818 /* compute MIC before sending */ 819 wpa_tdls_linkid(sm, peer, &lnkid); 820 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 821 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 822 ftie->mic); 823 824skip_ies: 825 /* TODO: register for a Timeout handler, if Teardown is not received at 826 * the other end, then try again another time */ 827 828 /* request driver to send Teardown using this FTIE */ 829 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 830 reason_code, 0, peer->initiator, rbuf, pos - rbuf); 831 os_free(rbuf); 832 833 return 0; 834} 835 836 837int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 838{ 839 struct wpa_tdls_peer *peer; 840 841 if (sm->tdls_disabled || !sm->tdls_supported) 842 return -1; 843 844 for (peer = sm->tdls; peer; peer = peer->next) { 845 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 846 break; 847 } 848 849 if (peer == NULL) { 850 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 851 " for link Teardown", MAC2STR(addr)); 852 return -1; 853 } 854 855 if (!peer->tpk_success) { 856 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 857 " not connected - cannot Teardown link", MAC2STR(addr)); 858 return -1; 859 } 860 861 return wpa_tdls_do_teardown(sm, peer, reason_code); 862} 863 864 865static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 866 struct wpa_tdls_peer *peer) 867{ 868 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 869 wpa_tdls_peer_free(sm, peer); 870} 871 872 873void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 874{ 875 struct wpa_tdls_peer *peer; 876 877 for (peer = sm->tdls; peer; peer = peer->next) { 878 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 879 break; 880 } 881 882 if (!peer || !peer->tpk_success) { 883 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 884 " not connected - cannot teardown unreachable link", 885 MAC2STR(addr)); 886 return; 887 } 888 889 if (wpa_tdls_is_external_setup(sm)) { 890 /* 891 * Get us on the base channel, disable the link, send a 892 * teardown packet through the AP, and then reset link data. 893 */ 894 if (peer->chan_switch_enabled) 895 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 896 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 897 wpa_tdls_send_teardown(sm, addr, 898 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 899 wpa_tdls_peer_free(sm, peer); 900 } else { 901 wpa_tdls_disable_peer_link(sm, peer); 902 } 903} 904 905 906const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 907{ 908 struct wpa_tdls_peer *peer; 909 910 if (sm->tdls_disabled || !sm->tdls_supported) 911 return "disabled"; 912 913 for (peer = sm->tdls; peer; peer = peer->next) { 914 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 915 break; 916 } 917 918 if (peer == NULL) 919 return "peer does not exist"; 920 921 if (!peer->tpk_success) 922 return "peer not connected"; 923 924 return "connected"; 925} 926 927 928static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 929 const u8 *buf, size_t len) 930{ 931 struct wpa_tdls_peer *peer = NULL; 932 struct wpa_tdls_ftie *ftie; 933 struct wpa_tdls_lnkid *lnkid; 934 struct wpa_eapol_ie_parse kde; 935 u16 reason_code; 936 const u8 *pos; 937 int ielen; 938 939 /* Find the node and free from the list */ 940 for (peer = sm->tdls; peer; peer = peer->next) { 941 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 942 break; 943 } 944 945 if (peer == NULL) { 946 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 947 "Teardown " MACSTR, MAC2STR(src_addr)); 948 return 0; 949 } 950 951 pos = buf; 952 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 953 954 reason_code = WPA_GET_LE16(pos); 955 pos += 2; 956 957 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 958 " (reason code %u)", MAC2STR(src_addr), reason_code); 959 960 ielen = len - (pos - buf); /* start of IE in buf */ 961 962 /* 963 * Don't reject the message if failing to parse IEs. The IEs we need are 964 * explicitly checked below. Some APs may add arbitrary padding to the 965 * end of short TDLS frames and that would look like invalid IEs. 966 */ 967 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) 968 wpa_printf(MSG_DEBUG, 969 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround"); 970 971 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 972 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 973 "Teardown"); 974 return -1; 975 } 976 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 977 978 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 979 goto skip_ftie; 980 981 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 982 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 983 return -1; 984 } 985 986 ftie = (struct wpa_tdls_ftie *) kde.ftie; 987 988 /* Process MIC check to see if TDLS Teardown is right */ 989 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 990 peer->dtoken, peer, 991 (u8 *) lnkid, ftie) < 0) { 992 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 993 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 994 return -1; 995 } 996 997skip_ftie: 998 /* 999 * Request the driver to disable the direct link and clear associated 1000 * keys. 1001 */ 1002 wpa_tdls_disable_peer_link(sm, peer); 1003 return 0; 1004} 1005 1006 1007/** 1008 * wpa_tdls_send_error - To send suitable TDLS status response with 1009 * appropriate status code mentioning reason for error/failure. 1010 * @dst - MAC addr of Peer station 1011 * @tdls_action - TDLS frame type for which error code is sent 1012 * @initiator - was this end the initiator of the connection 1013 * @status - status code mentioning reason 1014 */ 1015 1016static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 1017 u8 tdls_action, u8 dialog_token, int initiator, 1018 u16 status) 1019{ 1020 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 1021 " (action=%u status=%u)", 1022 MAC2STR(dst), tdls_action, status); 1023 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 1024 0, initiator, NULL, 0); 1025} 1026 1027 1028static struct wpa_tdls_peer * 1029wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 1030{ 1031 struct wpa_tdls_peer *peer; 1032 1033 if (existing) 1034 *existing = 0; 1035 for (peer = sm->tdls; peer; peer = peer->next) { 1036 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 1037 if (existing) 1038 *existing = 1; 1039 return peer; /* re-use existing entry */ 1040 } 1041 } 1042 1043 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 1044 MAC2STR(addr)); 1045 1046 peer = os_zalloc(sizeof(*peer)); 1047 if (peer == NULL) 1048 return NULL; 1049 1050 os_memcpy(peer->addr, addr, ETH_ALEN); 1051 peer->next = sm->tdls; 1052 sm->tdls = peer; 1053 1054 return peer; 1055} 1056 1057 1058static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 1059 struct wpa_tdls_peer *peer) 1060{ 1061 size_t buf_len; 1062 struct wpa_tdls_timeoutie timeoutie; 1063 u16 rsn_capab; 1064 struct wpa_tdls_ftie *ftie; 1065 u8 *rbuf, *pos, *count_pos; 1066 u16 count; 1067 struct rsn_ie_hdr *hdr; 1068 int status; 1069 1070 if (!wpa_tdls_get_privacy(sm)) { 1071 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 1072 peer->rsnie_i_len = 0; 1073 goto skip_rsnie; 1074 } 1075 1076 /* 1077 * TPK Handshake Message 1: 1078 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1079 * Timeout Interval IE)) 1080 */ 1081 1082 /* Filling RSN IE */ 1083 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1084 hdr->elem_id = WLAN_EID_RSN; 1085 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1086 1087 pos = (u8 *) (hdr + 1); 1088 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1089 pos += RSN_SELECTOR_LEN; 1090 count_pos = pos; 1091 pos += 2; 1092 1093 count = 0; 1094 1095 /* 1096 * AES-CCMP is the default Encryption preferred for TDLS, so 1097 * RSN IE is filled only with CCMP CIPHER 1098 * Note: TKIP is not used to encrypt TDLS link. 1099 * 1100 * Regardless of the cipher used on the AP connection, select CCMP 1101 * here. 1102 */ 1103 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1104 pos += RSN_SELECTOR_LEN; 1105 count++; 1106 1107 WPA_PUT_LE16(count_pos, count); 1108 1109 WPA_PUT_LE16(pos, 1); 1110 pos += 2; 1111 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1112 pos += RSN_SELECTOR_LEN; 1113 1114 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1115 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1116#ifdef CONFIG_TDLS_TESTING 1117 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1118 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1119 "testing"); 1120 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1121 } 1122#endif /* CONFIG_TDLS_TESTING */ 1123 WPA_PUT_LE16(pos, rsn_capab); 1124 pos += 2; 1125#ifdef CONFIG_TDLS_TESTING 1126 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1127 /* Number of PMKIDs */ 1128 *pos++ = 0x00; 1129 *pos++ = 0x00; 1130 } 1131#endif /* CONFIG_TDLS_TESTING */ 1132 1133 hdr->len = (pos - peer->rsnie_i) - 2; 1134 peer->rsnie_i_len = pos - peer->rsnie_i; 1135 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1136 peer->rsnie_i, peer->rsnie_i_len); 1137 1138skip_rsnie: 1139 buf_len = 0; 1140 if (wpa_tdls_get_privacy(sm)) 1141 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1142 sizeof(struct wpa_tdls_timeoutie); 1143#ifdef CONFIG_TDLS_TESTING 1144 if (wpa_tdls_get_privacy(sm) && 1145 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1146 buf_len += 170; 1147 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1148 buf_len += sizeof(struct wpa_tdls_lnkid); 1149#endif /* CONFIG_TDLS_TESTING */ 1150 rbuf = os_zalloc(buf_len + 1); 1151 if (rbuf == NULL) { 1152 wpa_tdls_peer_free(sm, peer); 1153 return -1; 1154 } 1155 pos = rbuf; 1156 1157 if (!wpa_tdls_get_privacy(sm)) 1158 goto skip_ies; 1159 1160 /* Initiator RSN IE */ 1161 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1162 1163 ftie = (struct wpa_tdls_ftie *) pos; 1164 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1165 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1166 1167 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1168 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1169 "TDLS: Failed to get random data for initiator Nonce"); 1170 os_free(rbuf); 1171 wpa_tdls_peer_free(sm, peer); 1172 return -1; 1173 } 1174 peer->tk_set = 0; /* A new nonce results in a new TK */ 1175 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1176 peer->inonce, WPA_NONCE_LEN); 1177 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1178 1179 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1180 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1181 1182 pos = (u8 *) (ftie + 1); 1183 1184#ifdef CONFIG_TDLS_TESTING 1185 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1186 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1187 "FTIE"); 1188 ftie->ie_len += 170; 1189 *pos++ = 255; /* FTIE subelem */ 1190 *pos++ = 168; /* FTIE subelem length */ 1191 pos += 168; 1192 } 1193#endif /* CONFIG_TDLS_TESTING */ 1194 1195 /* Lifetime */ 1196 peer->lifetime = TPK_LIFETIME; 1197#ifdef CONFIG_TDLS_TESTING 1198 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1199 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1200 "lifetime"); 1201 peer->lifetime = 301; 1202 } 1203 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1204 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1205 "lifetime"); 1206 peer->lifetime = 0xffffffff; 1207 } 1208#endif /* CONFIG_TDLS_TESTING */ 1209 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1210 sizeof(timeoutie), peer->lifetime); 1211 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1212 1213skip_ies: 1214 1215#ifdef CONFIG_TDLS_TESTING 1216 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1217 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1218 "Link Identifier"); 1219 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1220 wpa_tdls_linkid(sm, peer, l); 1221 l->bssid[5] ^= 0x01; 1222 pos += sizeof(*l); 1223 } 1224#endif /* CONFIG_TDLS_TESTING */ 1225 1226 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1227 "Handshake Message 1 (peer " MACSTR ")", 1228 MAC2STR(peer->addr)); 1229 1230 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1231 1, 0, 0, peer->initiator, rbuf, pos - rbuf); 1232 os_free(rbuf); 1233 1234 return status; 1235} 1236 1237 1238static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1239 const unsigned char *src_addr, u8 dtoken, 1240 struct wpa_tdls_lnkid *lnkid, 1241 const struct wpa_tdls_peer *peer) 1242{ 1243 u8 *rbuf, *pos; 1244 size_t buf_len; 1245 u32 lifetime; 1246 struct wpa_tdls_timeoutie timeoutie; 1247 struct wpa_tdls_ftie *ftie; 1248 int status; 1249 1250 buf_len = 0; 1251 if (wpa_tdls_get_privacy(sm)) { 1252 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1253 * Lifetime */ 1254 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1255 sizeof(struct wpa_tdls_timeoutie); 1256#ifdef CONFIG_TDLS_TESTING 1257 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1258 buf_len += 170; 1259#endif /* CONFIG_TDLS_TESTING */ 1260 } 1261 1262 rbuf = os_zalloc(buf_len + 1); 1263 if (rbuf == NULL) 1264 return -1; 1265 pos = rbuf; 1266 1267 if (!wpa_tdls_get_privacy(sm)) 1268 goto skip_ies; 1269 1270 /* Peer RSN IE */ 1271 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1272 1273 ftie = (struct wpa_tdls_ftie *) pos; 1274 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1275 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1276 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1277 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1278 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1279 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1280 (u8 *) ftie, sizeof(*ftie)); 1281 1282 pos = (u8 *) (ftie + 1); 1283 1284#ifdef CONFIG_TDLS_TESTING 1285 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1286 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1287 "FTIE"); 1288 ftie->ie_len += 170; 1289 *pos++ = 255; /* FTIE subelem */ 1290 *pos++ = 168; /* FTIE subelem length */ 1291 pos += 168; 1292 } 1293#endif /* CONFIG_TDLS_TESTING */ 1294 1295 /* Lifetime */ 1296 lifetime = peer->lifetime; 1297#ifdef CONFIG_TDLS_TESTING 1298 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1299 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1300 "lifetime in response"); 1301 lifetime++; 1302 } 1303#endif /* CONFIG_TDLS_TESTING */ 1304 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1305 sizeof(timeoutie), lifetime); 1306 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1307 lifetime); 1308 1309 /* compute MIC before sending */ 1310 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1311 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1312#ifdef CONFIG_TDLS_TESTING 1313 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1314 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1315 ftie->mic[0] ^= 0x01; 1316 } 1317#endif /* CONFIG_TDLS_TESTING */ 1318 1319skip_ies: 1320 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1321 dtoken, 0, 0, peer->initiator, rbuf, 1322 pos - rbuf); 1323 os_free(rbuf); 1324 1325 return status; 1326} 1327 1328 1329static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1330 const unsigned char *src_addr, u8 dtoken, 1331 struct wpa_tdls_lnkid *lnkid, 1332 const struct wpa_tdls_peer *peer) 1333{ 1334 u8 *rbuf, *pos; 1335 size_t buf_len; 1336 struct wpa_tdls_ftie *ftie; 1337 struct wpa_tdls_timeoutie timeoutie; 1338 u32 lifetime; 1339 int status; 1340 u32 peer_capab = 0; 1341 1342 buf_len = 0; 1343 if (wpa_tdls_get_privacy(sm)) { 1344 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1345 * Lifetime */ 1346 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1347 sizeof(struct wpa_tdls_timeoutie); 1348#ifdef CONFIG_TDLS_TESTING 1349 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1350 buf_len += 170; 1351#endif /* CONFIG_TDLS_TESTING */ 1352 } 1353 1354 rbuf = os_zalloc(buf_len + 1); 1355 if (rbuf == NULL) 1356 return -1; 1357 pos = rbuf; 1358 1359 if (!wpa_tdls_get_privacy(sm)) 1360 goto skip_ies; 1361 1362 /* Peer RSN IE */ 1363 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1364 1365 ftie = (struct wpa_tdls_ftie *) pos; 1366 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1367 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1368 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1369 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1370 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1371 1372 pos = (u8 *) (ftie + 1); 1373 1374#ifdef CONFIG_TDLS_TESTING 1375 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1376 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1377 "FTIE"); 1378 ftie->ie_len += 170; 1379 *pos++ = 255; /* FTIE subelem */ 1380 *pos++ = 168; /* FTIE subelem length */ 1381 pos += 168; 1382 } 1383#endif /* CONFIG_TDLS_TESTING */ 1384 1385 /* Lifetime */ 1386 lifetime = peer->lifetime; 1387#ifdef CONFIG_TDLS_TESTING 1388 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1389 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1390 "lifetime in confirm"); 1391 lifetime++; 1392 } 1393#endif /* CONFIG_TDLS_TESTING */ 1394 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1395 sizeof(timeoutie), lifetime); 1396 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1397 lifetime); 1398 1399 /* compute MIC before sending */ 1400 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1401 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1402#ifdef CONFIG_TDLS_TESTING 1403 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1404 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1405 ftie->mic[0] ^= 0x01; 1406 } 1407#endif /* CONFIG_TDLS_TESTING */ 1408 1409skip_ies: 1410 1411 if (peer->vht_capabilities) 1412 peer_capab |= TDLS_PEER_VHT; 1413 if (peer->ht_capabilities) 1414 peer_capab |= TDLS_PEER_HT; 1415 if (peer->wmm_capable) 1416 peer_capab |= TDLS_PEER_WMM; 1417 1418 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1419 dtoken, 0, peer_capab, peer->initiator, 1420 rbuf, pos - rbuf); 1421 os_free(rbuf); 1422 1423 return status; 1424} 1425 1426 1427static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1428 struct wpa_tdls_peer *peer, 1429 u8 dialog_token) 1430{ 1431 size_t buf_len = 0; 1432 struct wpa_tdls_timeoutie timeoutie; 1433 u16 rsn_capab; 1434 u8 *rbuf, *pos, *count_pos; 1435 u16 count; 1436 struct rsn_ie_hdr *hdr; 1437 int status; 1438 1439 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1440 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1441 if (!wpa_tdls_get_privacy(sm)) 1442 goto skip_rsn_ies; 1443 1444 /* Filling RSN IE */ 1445 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1446 hdr->elem_id = WLAN_EID_RSN; 1447 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1448 pos = (u8 *) (hdr + 1); 1449 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1450 pos += RSN_SELECTOR_LEN; 1451 count_pos = pos; 1452 pos += 2; 1453 count = 0; 1454 1455 /* 1456 * AES-CCMP is the default encryption preferred for TDLS, so 1457 * RSN IE is filled only with CCMP cipher suite. 1458 * Note: TKIP is not used to encrypt TDLS link. 1459 * 1460 * Regardless of the cipher used on the AP connection, select CCMP 1461 * here. 1462 */ 1463 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1464 pos += RSN_SELECTOR_LEN; 1465 count++; 1466 WPA_PUT_LE16(count_pos, count); 1467 WPA_PUT_LE16(pos, 1); 1468 pos += 2; 1469 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1470 pos += RSN_SELECTOR_LEN; 1471 1472 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1473 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1474 WPA_PUT_LE16(pos, rsn_capab); 1475 pos += 2; 1476 hdr->len = (pos - (u8 *) hdr) - 2; 1477 peer->rsnie_i_len = pos - peer->rsnie_i; 1478 1479 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response", 1480 (u8 *) hdr, hdr->len + 2); 1481skip_rsn_ies: 1482 buf_len = 0; 1483 if (wpa_tdls_get_privacy(sm)) { 1484 /* Peer RSN IE, Lifetime */ 1485 buf_len += peer->rsnie_i_len + 1486 sizeof(struct wpa_tdls_timeoutie); 1487 } 1488 rbuf = os_zalloc(buf_len + 1); 1489 if (rbuf == NULL) { 1490 wpa_tdls_peer_free(sm, peer); 1491 return -1; 1492 } 1493 pos = rbuf; 1494 1495 if (!wpa_tdls_get_privacy(sm)) 1496 goto skip_ies; 1497 /* Initiator RSN IE */ 1498 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1499 /* Lifetime */ 1500 peer->lifetime = TPK_LIFETIME; 1501 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1502 sizeof(timeoutie), peer->lifetime); 1503 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1504skip_ies: 1505 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1506 dialog_token, 0, 0, 0, rbuf, pos - rbuf); 1507 os_free(rbuf); 1508 1509 return status; 1510} 1511 1512 1513static int 1514wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1515 const u8 *buf, size_t len) 1516{ 1517 struct wpa_eapol_ie_parse kde; 1518 const struct wpa_tdls_lnkid *lnkid; 1519 struct wpa_tdls_peer *peer; 1520 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1521 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1522 u8 dialog_token; 1523 1524 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1525 MAC2STR(addr)); 1526 1527 if (len < min_req_len) { 1528 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1529 "%d", (int) len); 1530 return -1; 1531 } 1532 1533 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1534 1535 /* 1536 * Some APs will tack on a weird IE to the end of a TDLS 1537 * discovery request packet. This needn't fail the response, 1538 * since the required IE are verified separately. 1539 */ 1540 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1541 len - (sizeof(struct wpa_tdls_frame) + 1), 1542 &kde) < 0) { 1543 wpa_printf(MSG_DEBUG, 1544 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround"); 1545 } 1546 1547 if (!kde.lnkid) { 1548 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1549 "Request"); 1550 return -1; 1551 } 1552 1553 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1554 1555 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1556 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1557 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1558 return -1; 1559 } 1560 1561 peer = wpa_tdls_add_peer(sm, addr, NULL); 1562 if (peer == NULL) 1563 return -1; 1564 1565 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1566} 1567 1568 1569int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1570{ 1571 if (sm->tdls_disabled || !sm->tdls_supported) 1572 return -1; 1573 1574 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1575 MACSTR, MAC2STR(addr)); 1576 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1577 1, 0, 0, 1, NULL, 0); 1578} 1579 1580 1581static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1582 struct wpa_tdls_peer *peer) 1583{ 1584 if (!kde->supp_rates) { 1585 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1586 return -1; 1587 } 1588 peer->supp_rates_len = merge_byte_arrays( 1589 peer->supp_rates, sizeof(peer->supp_rates), 1590 kde->supp_rates + 2, kde->supp_rates_len - 2, 1591 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1592 kde->ext_supp_rates_len - 2); 1593 return 0; 1594} 1595 1596 1597static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1598 struct wpa_tdls_peer *peer) 1599{ 1600 if (!kde->ht_capabilities) { 1601 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1602 "received"); 1603 return 0; 1604 } 1605 1606 if (!peer->ht_capabilities) { 1607 peer->ht_capabilities = 1608 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1609 if (peer->ht_capabilities == NULL) 1610 return -1; 1611 } 1612 1613 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1614 sizeof(struct ieee80211_ht_capabilities)); 1615 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1616 (u8 *) peer->ht_capabilities, 1617 sizeof(struct ieee80211_ht_capabilities)); 1618 1619 return 0; 1620} 1621 1622 1623static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1624 struct wpa_tdls_peer *peer) 1625{ 1626 if (!kde->vht_capabilities) { 1627 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1628 "received"); 1629 return 0; 1630 } 1631 1632 if (!peer->vht_capabilities) { 1633 peer->vht_capabilities = 1634 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1635 if (peer->vht_capabilities == NULL) 1636 return -1; 1637 } 1638 1639 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1640 sizeof(struct ieee80211_vht_capabilities)); 1641 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1642 (u8 *) peer->vht_capabilities, 1643 sizeof(struct ieee80211_vht_capabilities)); 1644 1645 return 0; 1646} 1647 1648 1649static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1650 struct wpa_tdls_peer *peer) 1651{ 1652 if (!kde->ext_capab) { 1653 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1654 "received"); 1655 return 0; 1656 } 1657 1658 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1659 /* Need to allocate buffer to fit the new information */ 1660 os_free(peer->ext_capab); 1661 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1662 if (peer->ext_capab == NULL) 1663 return -1; 1664 } 1665 1666 peer->ext_capab_len = kde->ext_capab_len - 2; 1667 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1668 1669 return 0; 1670} 1671 1672 1673static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1674 struct wpa_tdls_peer *peer) 1675{ 1676 struct wmm_information_element *wmm; 1677 1678 if (!kde->wmm) { 1679 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1680 return 0; 1681 } 1682 1683 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1684 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1685 return -1; 1686 } 1687 1688 wmm = (struct wmm_information_element *) kde->wmm; 1689 peer->qos_info = wmm->qos_info; 1690 1691 peer->wmm_capable = 1; 1692 1693 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1694 return 0; 1695} 1696 1697 1698static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1699 struct wpa_tdls_peer *peer) 1700{ 1701 if (!kde->supp_channels) { 1702 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1703 return 0; 1704 } 1705 1706 if (!peer->supp_channels || 1707 peer->supp_channels_len < kde->supp_channels_len) { 1708 os_free(peer->supp_channels); 1709 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1710 if (peer->supp_channels == NULL) 1711 return -1; 1712 } 1713 1714 peer->supp_channels_len = kde->supp_channels_len; 1715 1716 os_memcpy(peer->supp_channels, kde->supp_channels, 1717 peer->supp_channels_len); 1718 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1719 (u8 *) peer->supp_channels, peer->supp_channels_len); 1720 return 0; 1721} 1722 1723 1724static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1725 struct wpa_tdls_peer *peer) 1726{ 1727 if (!kde->supp_oper_classes) { 1728 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1729 return 0; 1730 } 1731 1732 if (!peer->supp_oper_classes || 1733 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1734 os_free(peer->supp_oper_classes); 1735 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1736 if (peer->supp_oper_classes == NULL) 1737 return -1; 1738 } 1739 1740 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1741 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1742 peer->supp_oper_classes_len); 1743 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1744 (u8 *) peer->supp_oper_classes, 1745 peer->supp_oper_classes_len); 1746 return 0; 1747} 1748 1749 1750static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 1751 int add) 1752{ 1753 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid, 1754 peer->capability, 1755 peer->supp_rates, peer->supp_rates_len, 1756 peer->ht_capabilities, 1757 peer->vht_capabilities, 1758 peer->qos_info, peer->wmm_capable, 1759 peer->ext_capab, peer->ext_capab_len, 1760 peer->supp_channels, 1761 peer->supp_channels_len, 1762 peer->supp_oper_classes, 1763 peer->supp_oper_classes_len); 1764} 1765 1766 1767static int tdls_nonce_set(const u8 *nonce) 1768{ 1769 int i; 1770 1771 for (i = 0; i < WPA_NONCE_LEN; i++) { 1772 if (nonce[i]) 1773 return 1; 1774 } 1775 1776 return 0; 1777} 1778 1779 1780static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1781 const u8 *buf, size_t len) 1782{ 1783 struct wpa_tdls_peer *peer; 1784 struct wpa_eapol_ie_parse kde; 1785 struct wpa_ie_data ie; 1786 int cipher; 1787 const u8 *cpos; 1788 struct wpa_tdls_ftie *ftie = NULL; 1789 struct wpa_tdls_timeoutie *timeoutie; 1790 struct wpa_tdls_lnkid *lnkid; 1791 u32 lifetime = 0; 1792#if 0 1793 struct rsn_ie_hdr *hdr; 1794 u8 *pos; 1795 u16 rsn_capab; 1796 u16 rsn_ver; 1797#endif 1798 u8 dtoken; 1799 u16 ielen; 1800 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1801 int tdls_prohibited = sm->tdls_prohibited; 1802 int existing_peer = 0; 1803 1804 if (len < 3 + 3) 1805 return -1; 1806 1807 cpos = buf; 1808 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1809 1810 /* driver had already verified the frame format */ 1811 dtoken = *cpos++; /* dialog token */ 1812 1813 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1814 1815 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1816 if (peer == NULL) 1817 goto error; 1818 1819 /* If found, use existing entry instead of adding a new one; 1820 * how to handle the case where both ends initiate at the 1821 * same time? */ 1822 if (existing_peer) { 1823 if (peer->tpk_success) { 1824 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1825 "direct link is enabled - tear down the " 1826 "old link first"); 1827 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 1828 wpa_tdls_peer_clear(sm, peer); 1829 } else if (peer->initiator) { 1830 /* 1831 * An entry is already present, so check if we already 1832 * sent a TDLS Setup Request. If so, compare MAC 1833 * addresses and let the STA with the lower MAC address 1834 * continue as the initiator. The other negotiation is 1835 * terminated. 1836 */ 1837 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1838 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1839 "from peer with higher address " 1840 MACSTR, MAC2STR(src_addr)); 1841 return -1; 1842 } else { 1843 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1844 "from peer with lower address " 1845 MACSTR " (terminate previously " 1846 "initiated negotiation", 1847 MAC2STR(src_addr)); 1848 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1849 peer->addr); 1850 wpa_tdls_peer_clear(sm, peer); 1851 } 1852 } 1853 } 1854 1855 /* capability information */ 1856 peer->capability = WPA_GET_LE16(cpos); 1857 cpos += 2; 1858 1859 ielen = len - (cpos - buf); /* start of IE in buf */ 1860 1861 /* 1862 * Don't reject the message if failing to parse IEs. The IEs we need are 1863 * explicitly checked below. Some APs may add arbitrary padding to the 1864 * end of short TDLS frames and that would look like invalid IEs. 1865 */ 1866 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) 1867 wpa_printf(MSG_DEBUG, 1868 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround"); 1869 1870 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1871 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1872 "TPK M1"); 1873 goto error; 1874 } 1875 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1876 kde.lnkid, kde.lnkid_len); 1877 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1878 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1879 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1880 status = WLAN_STATUS_REQUEST_DECLINED; 1881 goto error; 1882 } 1883 1884 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1885 MAC2STR(src_addr)); 1886 1887 if (copy_supp_rates(&kde, peer) < 0) 1888 goto error; 1889 1890 if (copy_peer_ht_capab(&kde, peer) < 0) 1891 goto error; 1892 1893 if (copy_peer_vht_capab(&kde, peer) < 0) 1894 goto error; 1895 1896 if (copy_peer_ext_capab(&kde, peer) < 0) 1897 goto error; 1898 1899 if (copy_peer_supp_channels(&kde, peer) < 0) 1900 goto error; 1901 1902 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1903 goto error; 1904 1905 peer->qos_info = kde.qosinfo; 1906 1907 /* Overwrite with the qos_info obtained in WMM IE */ 1908 if (copy_peer_wmm_capab(&kde, peer) < 0) 1909 goto error; 1910 1911 peer->aid = kde.aid; 1912 1913#ifdef CONFIG_TDLS_TESTING 1914 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1915 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1916 if (peer == NULL) 1917 goto error; 1918 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1919 "TDLS setup - send own request"); 1920 peer->initiator = 1; 1921 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1922 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0); 1923 wpa_tdls_send_tpk_m1(sm, peer); 1924 } 1925 1926 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1927 tdls_prohibited) { 1928 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1929 "on TDLS"); 1930 tdls_prohibited = 0; 1931 } 1932#endif /* CONFIG_TDLS_TESTING */ 1933 1934 if (tdls_prohibited) { 1935 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1936 status = WLAN_STATUS_REQUEST_DECLINED; 1937 goto error; 1938 } 1939 1940 if (!wpa_tdls_get_privacy(sm)) { 1941 if (kde.rsn_ie) { 1942 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1943 "security is disabled"); 1944 status = WLAN_STATUS_SECURITY_DISABLED; 1945 goto error; 1946 } 1947 goto skip_rsn; 1948 } 1949 1950 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1951 kde.rsn_ie == NULL) { 1952 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1953 status = WLAN_STATUS_INVALID_PARAMETERS; 1954 goto error; 1955 } 1956 1957 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1958 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1959 "TPK M1"); 1960 status = WLAN_STATUS_INVALID_RSNIE; 1961 goto error; 1962 } 1963 1964 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1965 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1966 status = WLAN_STATUS_INVALID_RSNIE; 1967 goto error; 1968 } 1969 1970 cipher = ie.pairwise_cipher; 1971 if (cipher & WPA_CIPHER_CCMP) { 1972 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1973 cipher = WPA_CIPHER_CCMP; 1974 } else { 1975 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1976 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1977 goto error; 1978 } 1979 1980 if ((ie.capabilities & 1981 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1982 WPA_CAPABILITY_PEERKEY_ENABLED) { 1983 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1984 "TPK M1"); 1985 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1986 goto error; 1987 } 1988 1989 /* Lifetime */ 1990 if (kde.key_lifetime == NULL) { 1991 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1992 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1993 goto error; 1994 } 1995 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1996 lifetime = WPA_GET_LE32(timeoutie->value); 1997 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1998 if (lifetime < 300) { 1999 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 2000 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2001 goto error; 2002 } 2003 2004skip_rsn: 2005#ifdef CONFIG_TDLS_TESTING 2006 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 2007 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 2008 /* 2009 * The request frame from us is going to win, so do not 2010 * replace information based on this request frame from 2011 * the peer. 2012 */ 2013 goto skip_rsn_check; 2014 } 2015 } 2016#endif /* CONFIG_TDLS_TESTING */ 2017 2018 peer->initiator = 0; /* Need to check */ 2019 peer->dtoken = dtoken; 2020 2021 if (!wpa_tdls_get_privacy(sm)) { 2022 peer->rsnie_i_len = 0; 2023 peer->rsnie_p_len = 0; 2024 peer->cipher = WPA_CIPHER_NONE; 2025 goto skip_rsn_check; 2026 } 2027 2028 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2029 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 2030 peer->rsnie_i_len = kde.rsn_ie_len; 2031 peer->cipher = cipher; 2032 2033 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || 2034 !tdls_nonce_set(peer->inonce)) { 2035 /* 2036 * There is no point in updating the RNonce for every obtained 2037 * TPK M1 frame (e.g., retransmission due to timeout) with the 2038 * same INonce (SNonce in FTIE). However, if the TPK M1 is 2039 * retransmitted with a different INonce, update the RNonce 2040 * since this is for a new TDLS session. 2041 */ 2042 wpa_printf(MSG_DEBUG, 2043 "TDLS: New TPK M1 INonce - generate new RNonce"); 2044 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 2045 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 2046 wpa_msg(sm->ctx->ctx, MSG_WARNING, 2047 "TDLS: Failed to get random data for responder nonce"); 2048 goto error; 2049 } 2050 peer->tk_set = 0; /* A new nonce results in a new TK */ 2051 } 2052 2053#if 0 2054 /* get version info from RSNIE received from Peer */ 2055 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 2056 rsn_ver = WPA_GET_LE16(hdr->version); 2057 2058 /* use min(peer's version, out version) */ 2059 if (rsn_ver > RSN_VERSION) 2060 rsn_ver = RSN_VERSION; 2061 2062 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 2063 2064 hdr->elem_id = WLAN_EID_RSN; 2065 WPA_PUT_LE16(hdr->version, rsn_ver); 2066 pos = (u8 *) (hdr + 1); 2067 2068 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 2069 pos += RSN_SELECTOR_LEN; 2070 /* Include only the selected cipher in pairwise cipher suite */ 2071 WPA_PUT_LE16(pos, 1); 2072 pos += 2; 2073 if (cipher == WPA_CIPHER_CCMP) 2074 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2075 pos += RSN_SELECTOR_LEN; 2076 2077 WPA_PUT_LE16(pos, 1); 2078 pos += 2; 2079 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 2080 pos += RSN_SELECTOR_LEN; 2081 2082 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 2083 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 2084 WPA_PUT_LE16(pos, rsn_capab); 2085 pos += 2; 2086 2087 hdr->len = (pos - peer->rsnie_p) - 2; 2088 peer->rsnie_p_len = pos - peer->rsnie_p; 2089#endif 2090 2091 /* temp fix: validation of RSNIE later */ 2092 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 2093 peer->rsnie_p_len = peer->rsnie_i_len; 2094 2095 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 2096 peer->rsnie_p, peer->rsnie_p_len); 2097 2098 peer->lifetime = lifetime; 2099 2100 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2101 2102skip_rsn_check: 2103#ifdef CONFIG_TDLS_TESTING 2104 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) 2105 goto skip_add_peer; 2106#endif /* CONFIG_TDLS_TESTING */ 2107 2108 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2109 if (wpa_tdls_addset_peer(sm, peer, 1) < 0) 2110 goto error; 2111 2112#ifdef CONFIG_TDLS_TESTING 2113skip_add_peer: 2114#endif /* CONFIG_TDLS_TESTING */ 2115 peer->tpk_in_progress = 1; 2116 2117 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 2118 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 2119 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2120 goto error; 2121 } 2122 2123 return 0; 2124 2125error: 2126 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 2127 status); 2128 if (peer) 2129 wpa_tdls_peer_free(sm, peer); 2130 return -1; 2131} 2132 2133 2134static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 2135{ 2136 peer->tpk_success = 1; 2137 peer->tpk_in_progress = 0; 2138 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2139 if (wpa_tdls_get_privacy(sm)) { 2140 u32 lifetime = peer->lifetime; 2141 /* 2142 * Start the initiator process a bit earlier to avoid race 2143 * condition with the responder sending teardown request. 2144 */ 2145 if (lifetime > 3 && peer->initiator) 2146 lifetime -= 3; 2147 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 2148 sm, peer); 2149#ifdef CONFIG_TDLS_TESTING 2150 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 2151 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 2152 "expiration"); 2153 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 2154 } 2155#endif /* CONFIG_TDLS_TESTING */ 2156 } 2157 2158 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 2159 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 2160 "driver"); 2161 return -1; 2162 } 2163 peer->reconfig_key = 0; 2164 2165 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 2166} 2167 2168 2169static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 2170 const u8 *buf, size_t len) 2171{ 2172 struct wpa_tdls_peer *peer; 2173 struct wpa_eapol_ie_parse kde; 2174 struct wpa_ie_data ie; 2175 int cipher; 2176 struct wpa_tdls_ftie *ftie; 2177 struct wpa_tdls_timeoutie *timeoutie; 2178 struct wpa_tdls_lnkid *lnkid; 2179 u32 lifetime; 2180 u8 dtoken; 2181 int ielen; 2182 u16 status; 2183 const u8 *pos; 2184 int ret = 0; 2185 2186 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 2187 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2188 for (peer = sm->tdls; peer; peer = peer->next) { 2189 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2190 break; 2191 } 2192 if (peer == NULL) { 2193 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2194 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2195 return -1; 2196 } 2197 if (!peer->initiator) { 2198 /* 2199 * This may happen if both devices try to initiate TDLS at the 2200 * same time and we accept the TPK M1 from the peer in 2201 * wpa_tdls_process_tpk_m1() and clear our previous state. 2202 */ 2203 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2204 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2205 return -1; 2206 } 2207 2208 if (peer->tpk_success) { 2209 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from " 2210 MACSTR " as TPK M3 was already sent", 2211 MAC2STR(src_addr)); 2212 return 0; 2213 } 2214 2215 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2216 2217 if (len < 3 + 2 + 1) { 2218 wpa_tdls_disable_peer_link(sm, peer); 2219 return -1; 2220 } 2221 2222 pos = buf; 2223 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2224 status = WPA_GET_LE16(pos); 2225 pos += 2 /* status code */; 2226 2227 if (status != WLAN_STATUS_SUCCESS) { 2228 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2229 status); 2230 wpa_tdls_disable_peer_link(sm, peer); 2231 return -1; 2232 } 2233 2234 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2235 2236 /* TODO: need to verify dialog token matches here or in kernel */ 2237 dtoken = *pos++; /* dialog token */ 2238 2239 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2240 2241 if (len < 3 + 2 + 1 + 2) { 2242 wpa_tdls_disable_peer_link(sm, peer); 2243 return -1; 2244 } 2245 2246 /* capability information */ 2247 peer->capability = WPA_GET_LE16(pos); 2248 pos += 2; 2249 2250 ielen = len - (pos - buf); /* start of IE in buf */ 2251 2252 /* 2253 * Don't reject the message if failing to parse IEs. The IEs we need are 2254 * explicitly checked below. Some APs may add arbitrary padding to the 2255 * end of short TDLS frames and that would look like invalid IEs. 2256 */ 2257 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) 2258 wpa_printf(MSG_DEBUG, 2259 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround"); 2260 2261#ifdef CONFIG_TDLS_TESTING 2262 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2263 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2264 status = WLAN_STATUS_REQUEST_DECLINED; 2265 goto error; 2266 } 2267#endif /* CONFIG_TDLS_TESTING */ 2268 2269 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2270 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2271 "TPK M2"); 2272 goto error; 2273 } 2274 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2275 kde.lnkid, kde.lnkid_len); 2276 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2277 2278 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2279 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2280 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2281 goto error; 2282 } 2283 2284 if (copy_supp_rates(&kde, peer) < 0) 2285 goto error; 2286 2287 if (copy_peer_ht_capab(&kde, peer) < 0) 2288 goto error; 2289 2290 if (copy_peer_vht_capab(&kde, peer) < 0) 2291 goto error; 2292 2293 if (copy_peer_ext_capab(&kde, peer) < 0) 2294 goto error; 2295 2296 if (copy_peer_supp_channels(&kde, peer) < 0) 2297 goto error; 2298 2299 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2300 goto error; 2301 2302 peer->qos_info = kde.qosinfo; 2303 2304 /* Overwrite with the qos_info obtained in WMM IE */ 2305 if (copy_peer_wmm_capab(&kde, peer) < 0) 2306 goto error; 2307 2308 peer->aid = kde.aid; 2309 2310 if (!wpa_tdls_get_privacy(sm)) { 2311 peer->rsnie_p_len = 0; 2312 peer->cipher = WPA_CIPHER_NONE; 2313 goto skip_rsn; 2314 } 2315 2316 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2317 kde.rsn_ie == NULL) { 2318 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2319 status = WLAN_STATUS_INVALID_PARAMETERS; 2320 goto error; 2321 } 2322 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2323 kde.rsn_ie, kde.rsn_ie_len); 2324 2325 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2326 wpa_printf(MSG_INFO, 2327 "TDLS: Too long Responder RSN IE in TPK M2"); 2328 status = WLAN_STATUS_INVALID_RSNIE; 2329 goto error; 2330 } 2331 2332 /* 2333 * FIX: bitwise comparison of RSN IE is not the correct way of 2334 * validation this. It can be different, but certain fields must 2335 * match. Since we list only a single pairwise cipher in TPK M1, the 2336 * memcmp is likely to work in most cases, though. 2337 */ 2338 if (kde.rsn_ie_len != peer->rsnie_i_len || 2339 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2340 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2341 "not match with RSN IE used in TPK M1"); 2342 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2343 peer->rsnie_i, peer->rsnie_i_len); 2344 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2345 kde.rsn_ie, kde.rsn_ie_len); 2346 status = WLAN_STATUS_INVALID_RSNIE; 2347 goto error; 2348 } 2349 2350 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2351 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2352 status = WLAN_STATUS_INVALID_RSNIE; 2353 goto error; 2354 } 2355 2356 cipher = ie.pairwise_cipher; 2357 if (cipher == WPA_CIPHER_CCMP) { 2358 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2359 cipher = WPA_CIPHER_CCMP; 2360 } else { 2361 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2362 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2363 goto error; 2364 } 2365 2366 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2367 kde.ftie, sizeof(*ftie)); 2368 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2369 2370 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2371 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2372 "not match with FTIE SNonce used in TPK M1"); 2373 /* Silently discard the frame */ 2374 return -1; 2375 } 2376 2377 /* Responder Nonce and RSN IE */ 2378 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2379 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2380 peer->rsnie_p_len = kde.rsn_ie_len; 2381 peer->cipher = cipher; 2382 2383 /* Lifetime */ 2384 if (kde.key_lifetime == NULL) { 2385 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2386 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2387 goto error; 2388 } 2389 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2390 lifetime = WPA_GET_LE32(timeoutie->value); 2391 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2392 lifetime); 2393 if (lifetime != peer->lifetime) { 2394 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2395 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2396 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2397 goto error; 2398 } 2399 2400 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2401 2402 /* Process MIC check to see if TPK M2 is right */ 2403 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2404 (u8 *) timeoutie, ftie) < 0) { 2405 /* Discard the frame */ 2406 wpa_tdls_del_key(sm, peer); 2407 wpa_tdls_disable_peer_link(sm, peer); 2408 return -1; 2409 } 2410 2411 if (wpa_tdls_set_key(sm, peer) < 0) { 2412 /* 2413 * Some drivers may not be able to config the key prior to full 2414 * STA entry having been configured. 2415 */ 2416 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2417 "STA entry is complete"); 2418 peer->reconfig_key = 1; 2419 } 2420 2421skip_rsn: 2422 peer->dtoken = dtoken; 2423 2424 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2425 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2426 goto error; 2427 2428 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2429 "TPK Handshake Message 3"); 2430 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) 2431 goto error; 2432 2433 if (!peer->tpk_success) { 2434 /* 2435 * Enable Link only when tpk_success is 0, signifying that this 2436 * processing of TPK M2 frame is not because of a retransmission 2437 * during TDLS setup handshake. 2438 */ 2439 ret = wpa_tdls_enable_link(sm, peer); 2440 if (ret < 0) { 2441 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2442 wpa_tdls_do_teardown( 2443 sm, peer, 2444 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2445 } 2446 } 2447 return ret; 2448 2449error: 2450 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1, 2451 status); 2452 wpa_tdls_disable_peer_link(sm, peer); 2453 return -1; 2454} 2455 2456 2457static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2458 const u8 *buf, size_t len) 2459{ 2460 struct wpa_tdls_peer *peer; 2461 struct wpa_eapol_ie_parse kde; 2462 struct wpa_tdls_ftie *ftie; 2463 struct wpa_tdls_timeoutie *timeoutie; 2464 struct wpa_tdls_lnkid *lnkid; 2465 int ielen; 2466 u16 status; 2467 const u8 *pos; 2468 u32 lifetime; 2469 int ret = 0; 2470 2471 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2472 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2473 for (peer = sm->tdls; peer; peer = peer->next) { 2474 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2475 break; 2476 } 2477 if (peer == NULL) { 2478 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2479 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2480 return -1; 2481 } 2482 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2483 2484 if (len < 3 + 3) 2485 goto error; 2486 pos = buf; 2487 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2488 2489 status = WPA_GET_LE16(pos); 2490 2491 if (status != 0) { 2492 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2493 status); 2494 goto error; 2495 } 2496 pos += 2 /* status code */ + 1 /* dialog token */; 2497 2498 ielen = len - (pos - buf); /* start of IE in buf */ 2499 2500 /* 2501 * Don't reject the message if failing to parse IEs. The IEs we need are 2502 * explicitly checked below. Some APs piggy-back broken IEs to the end 2503 * of a TDLS Confirm packet, which will fail the link if we don't ignore 2504 * this error. 2505 */ 2506 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2507 wpa_printf(MSG_DEBUG, 2508 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround"); 2509 } 2510 2511 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2512 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2513 goto error; 2514 } 2515 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2516 (u8 *) kde.lnkid, kde.lnkid_len); 2517 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2518 2519 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2520 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2521 goto error; 2522 } 2523 2524 if (!wpa_tdls_get_privacy(sm)) 2525 goto skip_rsn; 2526 2527 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2528 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2529 goto error; 2530 } 2531 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2532 kde.ftie, sizeof(*ftie)); 2533 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2534 2535 if (kde.rsn_ie == NULL) { 2536 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2537 goto error; 2538 } 2539 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2540 kde.rsn_ie, kde.rsn_ie_len); 2541 if (kde.rsn_ie_len != peer->rsnie_p_len || 2542 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2543 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2544 "with the one sent in TPK M2"); 2545 goto error; 2546 } 2547 2548 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2549 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2550 "not match with FTIE ANonce used in TPK M2"); 2551 goto error; 2552 } 2553 2554 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2555 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2556 "match with FTIE SNonce used in TPK M1"); 2557 goto error; 2558 } 2559 2560 if (kde.key_lifetime == NULL) { 2561 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2562 goto error; 2563 } 2564 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2565 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2566 (u8 *) timeoutie, sizeof(*timeoutie)); 2567 lifetime = WPA_GET_LE32(timeoutie->value); 2568 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2569 lifetime); 2570 if (lifetime != peer->lifetime) { 2571 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2572 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2573 goto error; 2574 } 2575 2576 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2577 (u8 *) timeoutie, ftie) < 0) { 2578 wpa_tdls_del_key(sm, peer); 2579 goto error; 2580 } 2581 2582 if (wpa_tdls_set_key(sm, peer) < 0) { 2583 /* 2584 * Some drivers may not be able to config the key prior to full 2585 * STA entry having been configured. 2586 */ 2587 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2588 "STA entry is complete"); 2589 peer->reconfig_key = 1; 2590 } 2591 2592skip_rsn: 2593 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 2594 if (wpa_tdls_addset_peer(sm, peer, 0) < 0) 2595 goto error; 2596 2597 if (!peer->tpk_success) { 2598 /* 2599 * Enable Link only when tpk_success is 0, signifying that this 2600 * processing of TPK M3 frame is not because of a retransmission 2601 * during TDLS setup handshake. 2602 */ 2603 ret = wpa_tdls_enable_link(sm, peer); 2604 if (ret < 0) { 2605 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2606 goto error; 2607 } 2608 } 2609 return ret; 2610error: 2611 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2612 return -1; 2613} 2614 2615 2616static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2617{ 2618 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2619 2620 os_memset(lifetime, 0, ie_len); 2621 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2622 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2623 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2624 WPA_PUT_LE32(lifetime->value, tsecs); 2625 os_memcpy(pos, ie, ie_len); 2626 return pos + ie_len; 2627} 2628 2629 2630/** 2631 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2632 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2633 * @peer: MAC address of the peer STA 2634 * Returns: 0 on success, or -1 on failure 2635 * 2636 * Send TPK Handshake Message 1 info to driver to start TDLS 2637 * handshake with the peer. 2638 */ 2639int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2640{ 2641 struct wpa_tdls_peer *peer; 2642 int tdls_prohibited = sm->tdls_prohibited; 2643 2644 if (sm->tdls_disabled || !sm->tdls_supported) 2645 return -1; 2646 2647#ifdef CONFIG_TDLS_TESTING 2648 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2649 tdls_prohibited) { 2650 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2651 "on TDLS"); 2652 tdls_prohibited = 0; 2653 } 2654#endif /* CONFIG_TDLS_TESTING */ 2655 2656 if (tdls_prohibited) { 2657 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2658 "reject request to start setup"); 2659 return -1; 2660 } 2661 2662 peer = wpa_tdls_add_peer(sm, addr, NULL); 2663 if (peer == NULL) 2664 return -1; 2665 2666 if (peer->tpk_in_progress) { 2667 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2668 return 0; 2669 } 2670 2671 peer->initiator = 1; 2672 2673 /* add the peer to the driver as a "setup in progress" peer */ 2674 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 2675 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) { 2676 wpa_tdls_disable_peer_link(sm, peer); 2677 return -1; 2678 } 2679 2680 peer->tpk_in_progress = 1; 2681 2682 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2683 wpa_tdls_disable_peer_link(sm, peer); 2684 return -1; 2685 } 2686 2687 return 0; 2688} 2689 2690 2691void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2692{ 2693 struct wpa_tdls_peer *peer; 2694 2695 if (sm->tdls_disabled || !sm->tdls_supported) 2696 return; 2697 2698 for (peer = sm->tdls; peer; peer = peer->next) { 2699 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2700 break; 2701 } 2702 2703 if (peer == NULL || !peer->tpk_success) 2704 return; 2705 2706 if (sm->tdls_external_setup) { 2707 /* 2708 * Disable previous link to allow renegotiation to be completed 2709 * on AP path. 2710 */ 2711 wpa_tdls_do_teardown(sm, peer, 2712 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2713 } 2714} 2715 2716 2717/** 2718 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2719 * 2720 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2721 */ 2722static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2723 const u8 *buf, size_t len) 2724{ 2725 struct wpa_sm *sm = ctx; 2726 struct wpa_tdls_frame *tf; 2727 2728 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2729 buf, len); 2730 2731 if (sm->tdls_disabled || !sm->tdls_supported) { 2732 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2733 "or unsupported by driver"); 2734 return; 2735 } 2736 2737 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2738 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2739 return; 2740 } 2741 2742 if (len < sizeof(*tf)) { 2743 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2744 return; 2745 } 2746 2747 /* Check to make sure its a valid encapsulated TDLS frame */ 2748 tf = (struct wpa_tdls_frame *) buf; 2749 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2750 tf->category != WLAN_ACTION_TDLS) { 2751 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2752 "category=%u action=%u", 2753 tf->payloadtype, tf->category, tf->action); 2754 return; 2755 } 2756 2757 switch (tf->action) { 2758 case WLAN_TDLS_SETUP_REQUEST: 2759 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2760 break; 2761 case WLAN_TDLS_SETUP_RESPONSE: 2762 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2763 break; 2764 case WLAN_TDLS_SETUP_CONFIRM: 2765 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2766 break; 2767 case WLAN_TDLS_TEARDOWN: 2768 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2769 break; 2770 case WLAN_TDLS_DISCOVERY_REQUEST: 2771 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2772 break; 2773 default: 2774 /* Kernel code will process remaining frames */ 2775 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2776 tf->action); 2777 break; 2778 } 2779} 2780 2781 2782/** 2783 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2784 * @wpa_s: Pointer to wpa_supplicant data 2785 * Returns: 0 on success, -1 on failure 2786 * 2787 * This function is called to initialize driver interface parameters for TDLS. 2788 * wpa_drv_init() must have been called before this function to initialize the 2789 * driver interface. 2790 */ 2791int wpa_tdls_init(struct wpa_sm *sm) 2792{ 2793 if (sm == NULL) 2794 return -1; 2795 2796 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2797 sm->ifname, 2798 sm->own_addr, 2799 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2800 sm, 0); 2801 if (sm->l2_tdls == NULL) { 2802 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2803 "connection"); 2804 return -1; 2805 } 2806 2807 /* 2808 * Drivers that support TDLS but don't implement the get_capa callback 2809 * are assumed to perform everything internally 2810 */ 2811 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2812 &sm->tdls_external_setup, 2813 &sm->tdls_chan_switch) < 0) { 2814 sm->tdls_supported = 1; 2815 sm->tdls_external_setup = 0; 2816 } 2817 2818 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2819 "driver", sm->tdls_supported ? "" : " not"); 2820 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2821 sm->tdls_external_setup ? "external" : "internal"); 2822 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching", 2823 sm->tdls_chan_switch ? "supports" : "does not support"); 2824 2825 return 0; 2826} 2827 2828 2829void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2830{ 2831 struct wpa_tdls_peer *peer, *tmp; 2832 2833 if (!sm) 2834 return; 2835 peer = sm->tdls; 2836 2837 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2838 2839 while (peer) { 2840 tmp = peer->next; 2841 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2842 MAC2STR(peer->addr)); 2843 if (sm->tdls_external_setup) 2844 wpa_tdls_do_teardown(sm, peer, 2845 WLAN_REASON_DEAUTH_LEAVING); 2846 else 2847 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2848 2849 peer = tmp; 2850 } 2851} 2852 2853 2854static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2855{ 2856 struct wpa_tdls_peer *peer, *tmp; 2857 2858 peer = sm->tdls; 2859 2860 while (peer) { 2861 int res; 2862 tmp = peer->next; 2863 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2864 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2865 MAC2STR(peer->addr), res); 2866 wpa_tdls_peer_free(sm, peer); 2867 peer = tmp; 2868 } 2869} 2870 2871 2872/** 2873 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2874 * 2875 * This function is called to recover driver interface parameters for TDLS 2876 * and frees resources allocated for it. 2877 */ 2878void wpa_tdls_deinit(struct wpa_sm *sm) 2879{ 2880 if (sm == NULL) 2881 return; 2882 2883 if (sm->l2_tdls) 2884 l2_packet_deinit(sm->l2_tdls); 2885 sm->l2_tdls = NULL; 2886 2887 wpa_tdls_remove_peers(sm); 2888} 2889 2890 2891void wpa_tdls_assoc(struct wpa_sm *sm) 2892{ 2893 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2894 wpa_tdls_remove_peers(sm); 2895} 2896 2897 2898void wpa_tdls_disassoc(struct wpa_sm *sm) 2899{ 2900 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2901 wpa_tdls_remove_peers(sm); 2902} 2903 2904 2905static int wpa_tdls_prohibited(struct ieee802_11_elems *elems) 2906{ 2907 /* bit 38 - TDLS Prohibited */ 2908 return !!(elems->ext_capab[2 + 4] & 0x40); 2909} 2910 2911 2912static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems) 2913{ 2914 /* bit 39 - TDLS Channel Switch Prohibited */ 2915 return !!(elems->ext_capab[2 + 4] & 0x80); 2916} 2917 2918 2919void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2920{ 2921 struct ieee802_11_elems elems; 2922 2923 sm->tdls_prohibited = 0; 2924 sm->tdls_chan_switch_prohibited = 0; 2925 2926 if (ies == NULL || 2927 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2928 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2929 return; 2930 2931 sm->tdls_prohibited = wpa_tdls_prohibited(&elems); 2932 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2933 sm->tdls_prohibited ? "prohibited" : "allowed"); 2934 sm->tdls_chan_switch_prohibited = 2935 wpa_tdls_chan_switch_prohibited(&elems); 2936 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS", 2937 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed"); 2938} 2939 2940 2941void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2942{ 2943 struct ieee802_11_elems elems; 2944 2945 if (ies == NULL || 2946 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed || 2947 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2948 return; 2949 2950 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) { 2951 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2952 "(Re)Association Response IEs"); 2953 sm->tdls_prohibited = 1; 2954 } 2955 2956 if (!sm->tdls_chan_switch_prohibited && 2957 wpa_tdls_chan_switch_prohibited(&elems)) { 2958 wpa_printf(MSG_DEBUG, 2959 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs"); 2960 sm->tdls_chan_switch_prohibited = 1; 2961 } 2962} 2963 2964 2965void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2966{ 2967 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2968 sm->tdls_disabled = !enabled; 2969} 2970 2971 2972int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2973{ 2974 return sm->tdls_external_setup; 2975} 2976 2977 2978int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr, 2979 u8 oper_class, 2980 struct hostapd_freq_params *freq_params) 2981{ 2982 struct wpa_tdls_peer *peer; 2983 int ret; 2984 2985 if (sm->tdls_disabled || !sm->tdls_supported) 2986 return -1; 2987 2988 if (!sm->tdls_chan_switch) { 2989 wpa_printf(MSG_DEBUG, 2990 "TDLS: Channel switching not supported by the driver"); 2991 return -1; 2992 } 2993 2994 if (sm->tdls_chan_switch_prohibited) { 2995 wpa_printf(MSG_DEBUG, 2996 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel"); 2997 return -1; 2998 } 2999 3000 for (peer = sm->tdls; peer; peer = peer->next) { 3001 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3002 break; 3003 } 3004 3005 if (peer == NULL || !peer->tpk_success) { 3006 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR 3007 " not found for channel switching", MAC2STR(addr)); 3008 return -1; 3009 } 3010 3011 if (peer->chan_switch_enabled) { 3012 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 3013 " already has channel switching enabled", 3014 MAC2STR(addr)); 3015 return 0; 3016 } 3017 3018 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr, 3019 oper_class, freq_params); 3020 if (!ret) 3021 peer->chan_switch_enabled = 1; 3022 3023 return ret; 3024} 3025 3026 3027int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr) 3028{ 3029 struct wpa_tdls_peer *peer; 3030 3031 if (sm->tdls_disabled || !sm->tdls_supported) 3032 return -1; 3033 3034 for (peer = sm->tdls; peer; peer = peer->next) { 3035 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 3036 break; 3037 } 3038 3039 if (!peer || !peer->chan_switch_enabled) { 3040 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for " 3041 MACSTR, MAC2STR(addr)); 3042 return -1; 3043 } 3044 3045 /* ignore the return value */ 3046 wpa_sm_tdls_disable_channel_switch(sm, peer->addr); 3047 3048 peer->chan_switch_enabled = 0; 3049 return 0; 3050} 3051