tdls.c revision 43cb578dfe2c492257636f6234a24178ed27789e
1/* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/os.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/sha256.h" 16#include "crypto/crypto.h" 17#include "crypto/aes_wrap.h" 18#include "rsn_supp/wpa.h" 19#include "rsn_supp/wpa_ie.h" 20#include "rsn_supp/wpa_i.h" 21#include "drivers/driver.h" 22#include "l2_packet/l2_packet.h" 23 24#ifdef CONFIG_TDLS_TESTING 25#define TDLS_TESTING_LONG_FRAME BIT(0) 26#define TDLS_TESTING_ALT_RSN_IE BIT(1) 27#define TDLS_TESTING_DIFF_BSSID BIT(2) 28#define TDLS_TESTING_SHORT_LIFETIME BIT(3) 29#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 30#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 31#define TDLS_TESTING_LONG_LIFETIME BIT(6) 32#define TDLS_TESTING_CONCURRENT_INIT BIT(7) 33#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 34#define TDLS_TESTING_DECLINE_RESP BIT(9) 35#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 36#define TDLS_TESTING_WRONG_MIC BIT(11) 37unsigned int tdls_testing = 0; 38#endif /* CONFIG_TDLS_TESTING */ 39 40#define TPK_LIFETIME 43200 /* 12 hours */ 41#define TPK_M1_RETRY_COUNT 3 42#define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 43#define TPK_M2_RETRY_COUNT 10 44#define TPK_M2_TIMEOUT 500 /* in milliseconds */ 45 46#define TDLS_MIC_LEN 16 47 48#define TDLS_TIMEOUT_LEN 4 49 50struct wpa_tdls_ftie { 51 u8 ie_type; /* FTIE */ 52 u8 ie_len; 53 u8 mic_ctrl[2]; 54 u8 mic[TDLS_MIC_LEN]; 55 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 56 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 57 /* followed by optional elements */ 58} STRUCT_PACKED; 59 60struct wpa_tdls_timeoutie { 61 u8 ie_type; /* Timeout IE */ 62 u8 ie_len; 63 u8 interval_type; 64 u8 value[TDLS_TIMEOUT_LEN]; 65} STRUCT_PACKED; 66 67struct wpa_tdls_lnkid { 68 u8 ie_type; /* Link Identifier IE */ 69 u8 ie_len; 70 u8 bssid[ETH_ALEN]; 71 u8 init_sta[ETH_ALEN]; 72 u8 resp_sta[ETH_ALEN]; 73} STRUCT_PACKED; 74 75/* TDLS frame headers as per IEEE Std 802.11z-2010 */ 76struct wpa_tdls_frame { 77 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 78 u8 category; /* Category */ 79 u8 action; /* Action (enum tdls_frame_type) */ 80} STRUCT_PACKED; 81 82static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 83static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 84static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 85static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 86 struct wpa_tdls_peer *peer); 87static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 88 u16 reason_code); 89 90 91#define TDLS_MAX_IE_LEN 80 92#define IEEE80211_MAX_SUPP_RATES 32 93 94struct wpa_tdls_peer { 95 struct wpa_tdls_peer *next; 96 unsigned int reconfig_key:1; 97 int initiator; /* whether this end was initiator for TDLS setup */ 98 u8 addr[ETH_ALEN]; /* other end MAC address */ 99 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 100 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 101 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 102 size_t rsnie_i_len; 103 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 104 size_t rsnie_p_len; 105 u32 lifetime; 106 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 107 u8 dtoken; 108 109 struct tpk { 110 u8 kck[16]; /* TPK-KCK */ 111 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 112 } tpk; 113 int tpk_set; 114 int tpk_success; 115 int tpk_in_progress; 116 117 struct tpk_timer { 118 u8 dest[ETH_ALEN]; 119 int count; /* Retry Count */ 120 int timer; /* Timeout in milliseconds */ 121 u8 action_code; /* TDLS frame type */ 122 u8 dialog_token; 123 u16 status_code; 124 u32 peer_capab; 125 int buf_len; /* length of TPK message for retransmission */ 126 u8 *buf; /* buffer for TPK message */ 127 } sm_tmr; 128 129 u16 capability; 130 131 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 132 size_t supp_rates_len; 133 134 struct ieee80211_ht_capabilities *ht_capabilities; 135 struct ieee80211_vht_capabilities *vht_capabilities; 136 137 u8 qos_info; 138 139 u16 aid; 140 141 u8 *ext_capab; 142 size_t ext_capab_len; 143 144 u8 *supp_channels; 145 size_t supp_channels_len; 146 147 u8 *supp_oper_classes; 148 size_t supp_oper_classes_len; 149 150 u8 wmm_capable; 151}; 152 153 154static int wpa_tdls_get_privacy(struct wpa_sm *sm) 155{ 156 /* 157 * Get info needed from supplicant to check if the current BSS supports 158 * security. Other than OPEN mode, rest are considered secured 159 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 160 */ 161 return sm->pairwise_cipher != WPA_CIPHER_NONE; 162} 163 164 165static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 166{ 167 os_memcpy(pos, ie, ie_len); 168 return pos + ie_len; 169} 170 171 172static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 173{ 174 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 175 0, 0, NULL, 0, NULL, 0) < 0) { 176 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 177 "the driver"); 178 return -1; 179 } 180 181 return 0; 182} 183 184 185static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 186{ 187 u8 key_len; 188 u8 rsc[6]; 189 enum wpa_alg alg; 190 191 os_memset(rsc, 0, 6); 192 193 switch (peer->cipher) { 194 case WPA_CIPHER_CCMP: 195 alg = WPA_ALG_CCMP; 196 key_len = 16; 197 break; 198 case WPA_CIPHER_NONE: 199 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 200 "NONE - do not use pairwise keys"); 201 return -1; 202 default: 203 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 204 sm->pairwise_cipher); 205 return -1; 206 } 207 208 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 209 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 210 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 211 "driver"); 212 return -1; 213 } 214 return 0; 215} 216 217 218static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 219 u8 action_code, u8 dialog_token, 220 u16 status_code, u32 peer_capab, 221 const u8 *buf, size_t len) 222{ 223 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 224 status_code, peer_capab, buf, len); 225} 226 227 228static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 229 u8 dialog_token, u16 status_code, u32 peer_capab, 230 const u8 *msg, size_t msg_len) 231{ 232 struct wpa_tdls_peer *peer; 233 234 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 235 "dialog_token=%u status_code=%u peer_capab=%u msg_len=%u", 236 MAC2STR(dest), action_code, dialog_token, status_code, 237 peer_capab, (unsigned int) msg_len); 238 239 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 240 status_code, peer_capab, msg, msg_len)) { 241 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 242 "(action_code=%u)", action_code); 243 return -1; 244 } 245 246 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 247 action_code == WLAN_TDLS_TEARDOWN || 248 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 249 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 250 return 0; /* No retries */ 251 252 for (peer = sm->tdls; peer; peer = peer->next) { 253 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 254 break; 255 } 256 257 if (peer == NULL) { 258 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 259 "retry " MACSTR, MAC2STR(dest)); 260 return 0; 261 } 262 263 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 264 265 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 266 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 267 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 268 } else { 269 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 270 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 271 } 272 273 /* Copy message to resend on timeout */ 274 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 275 peer->sm_tmr.action_code = action_code; 276 peer->sm_tmr.dialog_token = dialog_token; 277 peer->sm_tmr.status_code = status_code; 278 peer->sm_tmr.peer_capab = peer_capab; 279 peer->sm_tmr.buf_len = msg_len; 280 os_free(peer->sm_tmr.buf); 281 peer->sm_tmr.buf = os_malloc(msg_len); 282 if (peer->sm_tmr.buf == NULL) 283 return -1; 284 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 285 286 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 287 "(action_code=%u)", action_code); 288 eloop_register_timeout(peer->sm_tmr.timer / 1000, 289 (peer->sm_tmr.timer % 1000) * 1000, 290 wpa_tdls_tpk_retry_timeout, sm, peer); 291 return 0; 292} 293 294 295static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 296 u16 reason_code) 297{ 298 int ret; 299 300 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 301 /* disable the link after teardown was sent */ 302 wpa_tdls_disable_peer_link(sm, peer); 303 304 return ret; 305} 306 307 308static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 309{ 310 311 struct wpa_sm *sm = eloop_ctx; 312 struct wpa_tdls_peer *peer = timeout_ctx; 313 314 if (peer->sm_tmr.count) { 315 peer->sm_tmr.count--; 316 317 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 318 "(action_code=%u)", 319 peer->sm_tmr.action_code); 320 321 if (peer->sm_tmr.buf == NULL) { 322 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 323 "for action_code=%u", 324 peer->sm_tmr.action_code); 325 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 326 peer); 327 return; 328 } 329 330 /* resend TPK Handshake Message to Peer */ 331 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 332 peer->sm_tmr.action_code, 333 peer->sm_tmr.dialog_token, 334 peer->sm_tmr.status_code, 335 peer->sm_tmr.peer_capab, 336 peer->sm_tmr.buf, 337 peer->sm_tmr.buf_len)) { 338 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 339 "transmission"); 340 } 341 342 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 343 eloop_register_timeout(peer->sm_tmr.timer / 1000, 344 (peer->sm_tmr.timer % 1000) * 1000, 345 wpa_tdls_tpk_retry_timeout, sm, peer); 346 } else { 347 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 348 349 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 350 wpa_tdls_do_teardown(sm, peer, 351 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 352 } 353} 354 355 356static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 357 struct wpa_tdls_peer *peer, 358 u8 action_code) 359{ 360 if (action_code == peer->sm_tmr.action_code) { 361 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 362 "action_code=%u", action_code); 363 364 /* Cancel Timeout registered */ 365 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 366 367 /* free all resources meant for retry */ 368 os_free(peer->sm_tmr.buf); 369 peer->sm_tmr.buf = NULL; 370 371 peer->sm_tmr.count = 0; 372 peer->sm_tmr.timer = 0; 373 peer->sm_tmr.buf_len = 0; 374 peer->sm_tmr.action_code = 0xff; 375 } else { 376 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 377 "(Unknown action_code=%u)", action_code); 378 } 379} 380 381 382static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 383 const u8 *own_addr, const u8 *bssid) 384{ 385 u8 key_input[SHA256_MAC_LEN]; 386 const u8 *nonce[2]; 387 size_t len[2]; 388 u8 data[3 * ETH_ALEN]; 389 390 /* IEEE Std 802.11z-2010 8.5.9.1: 391 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 392 */ 393 len[0] = WPA_NONCE_LEN; 394 len[1] = WPA_NONCE_LEN; 395 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 396 nonce[0] = peer->inonce; 397 nonce[1] = peer->rnonce; 398 } else { 399 nonce[0] = peer->rnonce; 400 nonce[1] = peer->inonce; 401 } 402 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 403 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 404 sha256_vector(2, nonce, len, key_input); 405 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 406 key_input, SHA256_MAC_LEN); 407 408 /* 409 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 410 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 411 * TODO: is N_KEY really included in KDF Context and if so, in which 412 * presentation format (little endian 16-bit?) is it used? It gets 413 * added by the KDF anyway.. 414 */ 415 416 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 417 os_memcpy(data, own_addr, ETH_ALEN); 418 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 419 } else { 420 os_memcpy(data, peer->addr, ETH_ALEN); 421 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 422 } 423 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 424 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 425 426 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 427 (u8 *) &peer->tpk, sizeof(peer->tpk)); 428 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 429 peer->tpk.kck, sizeof(peer->tpk.kck)); 430 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 431 peer->tpk.tk, sizeof(peer->tpk.tk)); 432 peer->tpk_set = 1; 433} 434 435 436/** 437 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 438 * @kck: TPK-KCK 439 * @lnkid: Pointer to the beginning of Link Identifier IE 440 * @rsnie: Pointer to the beginning of RSN IE used for handshake 441 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 442 * @ftie: Pointer to the beginning of FT IE 443 * @mic: Pointer for writing MIC 444 * 445 * Calculate MIC for TDLS frame. 446 */ 447static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 448 const u8 *rsnie, const u8 *timeoutie, 449 const u8 *ftie, u8 *mic) 450{ 451 u8 *buf, *pos; 452 struct wpa_tdls_ftie *_ftie; 453 const struct wpa_tdls_lnkid *_lnkid; 454 int ret; 455 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 456 2 + timeoutie[1] + 2 + ftie[1]; 457 buf = os_zalloc(len); 458 if (!buf) { 459 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 460 return -1; 461 } 462 463 pos = buf; 464 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 465 /* 1) TDLS initiator STA MAC address */ 466 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 467 pos += ETH_ALEN; 468 /* 2) TDLS responder STA MAC address */ 469 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 470 pos += ETH_ALEN; 471 /* 3) Transaction Sequence number */ 472 *pos++ = trans_seq; 473 /* 4) Link Identifier IE */ 474 os_memcpy(pos, lnkid, 2 + lnkid[1]); 475 pos += 2 + lnkid[1]; 476 /* 5) RSN IE */ 477 os_memcpy(pos, rsnie, 2 + rsnie[1]); 478 pos += 2 + rsnie[1]; 479 /* 6) Timeout Interval IE */ 480 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 481 pos += 2 + timeoutie[1]; 482 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 483 os_memcpy(pos, ftie, 2 + ftie[1]); 484 _ftie = (struct wpa_tdls_ftie *) pos; 485 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 486 pos += 2 + ftie[1]; 487 488 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 489 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 490 ret = omac1_aes_128(kck, buf, pos - buf, mic); 491 os_free(buf); 492 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 493 return ret; 494} 495 496 497/** 498 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 499 * @kck: TPK-KCK 500 * @trans_seq: Transaction Sequence Number (4 - Teardown) 501 * @rcode: Reason code for Teardown 502 * @dtoken: Dialog Token used for that particular link 503 * @lnkid: Pointer to the beginning of Link Identifier IE 504 * @ftie: Pointer to the beginning of FT IE 505 * @mic: Pointer for writing MIC 506 * 507 * Calculate MIC for TDLS frame. 508 */ 509static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 510 u8 dtoken, const u8 *lnkid, 511 const u8 *ftie, u8 *mic) 512{ 513 u8 *buf, *pos; 514 struct wpa_tdls_ftie *_ftie; 515 int ret; 516 int len; 517 518 if (lnkid == NULL) 519 return -1; 520 521 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 522 sizeof(trans_seq) + 2 + ftie[1]; 523 524 buf = os_zalloc(len); 525 if (!buf) { 526 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 527 return -1; 528 } 529 530 pos = buf; 531 /* 1) Link Identifier IE */ 532 os_memcpy(pos, lnkid, 2 + lnkid[1]); 533 pos += 2 + lnkid[1]; 534 /* 2) Reason Code */ 535 WPA_PUT_LE16(pos, rcode); 536 pos += sizeof(rcode); 537 /* 3) Dialog token */ 538 *pos++ = dtoken; 539 /* 4) Transaction Sequence number */ 540 *pos++ = trans_seq; 541 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 542 os_memcpy(pos, ftie, 2 + ftie[1]); 543 _ftie = (struct wpa_tdls_ftie *) pos; 544 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 545 pos += 2 + ftie[1]; 546 547 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 548 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 549 ret = omac1_aes_128(kck, buf, pos - buf, mic); 550 os_free(buf); 551 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 552 return ret; 553} 554 555 556static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 557 struct wpa_tdls_peer *peer, 558 const u8 *lnkid, const u8 *timeoutie, 559 const struct wpa_tdls_ftie *ftie) 560{ 561 u8 mic[16]; 562 563 if (peer->tpk_set) { 564 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 565 peer->rsnie_p, timeoutie, (u8 *) ftie, 566 mic); 567 if (os_memcmp(mic, ftie->mic, 16) != 0) { 568 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 569 "dropping packet"); 570 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 571 ftie->mic, 16); 572 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 573 mic, 16); 574 return -1; 575 } 576 } else { 577 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 578 "TPK not set - dropping packet"); 579 return -1; 580 } 581 return 0; 582} 583 584 585static int wpa_supplicant_verify_tdls_mic_teardown( 586 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 587 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 588{ 589 u8 mic[16]; 590 591 if (peer->tpk_set) { 592 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 593 dtoken, lnkid, (u8 *) ftie, mic); 594 if (os_memcmp(mic, ftie->mic, 16) != 0) { 595 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 596 "dropping packet"); 597 return -1; 598 } 599 } else { 600 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 601 "MIC, TPK not set - dropping packet"); 602 return -1; 603 } 604 return 0; 605} 606 607 608static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 609{ 610 struct wpa_sm *sm = eloop_ctx; 611 struct wpa_tdls_peer *peer = timeout_ctx; 612 613 /* 614 * On TPK lifetime expiration, we have an option of either tearing down 615 * the direct link or trying to re-initiate it. The selection of what 616 * to do is not strictly speaking controlled by our role in the expired 617 * link, but for now, use that to select whether to renew or tear down 618 * the link. 619 */ 620 621 if (peer->initiator) { 622 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 623 " - try to renew", MAC2STR(peer->addr)); 624 wpa_tdls_start(sm, peer->addr); 625 } else { 626 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 627 " - tear down", MAC2STR(peer->addr)); 628 wpa_tdls_do_teardown(sm, peer, 629 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 630 } 631} 632 633 634static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 635{ 636 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 637 MAC2STR(peer->addr)); 638 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 639 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 640 peer->reconfig_key = 0; 641 peer->initiator = 0; 642 peer->tpk_in_progress = 0; 643 os_free(peer->sm_tmr.buf); 644 peer->sm_tmr.buf = NULL; 645 os_free(peer->ht_capabilities); 646 peer->ht_capabilities = NULL; 647 os_free(peer->vht_capabilities); 648 peer->vht_capabilities = NULL; 649 os_free(peer->ext_capab); 650 peer->ext_capab = NULL; 651 os_free(peer->supp_channels); 652 peer->supp_channels = NULL; 653 os_free(peer->supp_oper_classes); 654 peer->supp_oper_classes = NULL; 655 peer->rsnie_i_len = peer->rsnie_p_len = 0; 656 peer->cipher = 0; 657 peer->qos_info = 0; 658 peer->wmm_capable = 0; 659 peer->tpk_set = peer->tpk_success = 0; 660 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 661 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 662 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 663} 664 665 666static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 667 struct wpa_tdls_lnkid *lnkid) 668{ 669 lnkid->ie_type = WLAN_EID_LINK_ID; 670 lnkid->ie_len = 3 * ETH_ALEN; 671 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 672 if (peer->initiator) { 673 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 674 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 675 } else { 676 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 677 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 678 } 679} 680 681 682static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, 683 u16 reason_code) 684{ 685 struct wpa_tdls_peer *peer; 686 struct wpa_tdls_ftie *ftie; 687 struct wpa_tdls_lnkid lnkid; 688 u8 dialog_token; 689 u8 *rbuf, *pos; 690 int ielen; 691 692 if (sm->tdls_disabled || !sm->tdls_supported) 693 return -1; 694 695 /* Find the node and free from the list */ 696 for (peer = sm->tdls; peer; peer = peer->next) { 697 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 698 break; 699 } 700 701 if (peer == NULL) { 702 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 703 "Teardown " MACSTR, MAC2STR(addr)); 704 return 0; 705 } 706 707 dialog_token = peer->dtoken; 708 709 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 710 MAC2STR(addr)); 711 712 ielen = 0; 713 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 714 /* To add FTIE for Teardown request and compute MIC */ 715 ielen += sizeof(*ftie); 716#ifdef CONFIG_TDLS_TESTING 717 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 718 ielen += 170; 719#endif /* CONFIG_TDLS_TESTING */ 720 } 721 722 rbuf = os_zalloc(ielen + 1); 723 if (rbuf == NULL) 724 return -1; 725 pos = rbuf; 726 727 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 728 goto skip_ies; 729 730 ftie = (struct wpa_tdls_ftie *) pos; 731 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 732 /* Using the recent nonce which should be for CONFIRM frame */ 733 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 734 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 735 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 736 pos = (u8 *) (ftie + 1); 737#ifdef CONFIG_TDLS_TESTING 738 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 739 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 740 "FTIE"); 741 ftie->ie_len += 170; 742 *pos++ = 255; /* FTIE subelem */ 743 *pos++ = 168; /* FTIE subelem length */ 744 pos += 168; 745 } 746#endif /* CONFIG_TDLS_TESTING */ 747 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 748 (u8 *) ftie, pos - (u8 *) ftie); 749 750 /* compute MIC before sending */ 751 wpa_tdls_linkid(sm, peer, &lnkid); 752 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 753 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 754 ftie->mic); 755 756skip_ies: 757 /* TODO: register for a Timeout handler, if Teardown is not received at 758 * the other end, then try again another time */ 759 760 /* request driver to send Teardown using this FTIE */ 761 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 762 reason_code, 0, rbuf, pos - rbuf); 763 os_free(rbuf); 764 765 return 0; 766} 767 768 769int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 770{ 771 struct wpa_tdls_peer *peer; 772 773 if (sm->tdls_disabled || !sm->tdls_supported) 774 return -1; 775 776 for (peer = sm->tdls; peer; peer = peer->next) { 777 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 778 break; 779 } 780 781 if (peer == NULL) { 782 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 783 " for link Teardown", MAC2STR(addr)); 784 return -1; 785 } 786 787 if (!peer->tpk_success) { 788 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 789 " not connected - cannot Teardown link", MAC2STR(addr)); 790 return -1; 791 } 792 793 return wpa_tdls_do_teardown(sm, peer, reason_code); 794} 795 796 797static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 798 struct wpa_tdls_peer *peer) 799{ 800 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 801 wpa_tdls_peer_free(sm, peer); 802} 803 804 805void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr) 806{ 807 struct wpa_tdls_peer *peer; 808 809 for (peer = sm->tdls; peer; peer = peer->next) { 810 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 811 break; 812 } 813 814 if (!peer || !peer->tpk_success) { 815 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 816 " not connected - cannot teardown unreachable link", 817 MAC2STR(addr)); 818 return; 819 } 820 821 if (wpa_tdls_is_external_setup(sm)) { 822 /* 823 * Disable the link, send a teardown packet through the 824 * AP, and then reset link data. 825 */ 826 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 827 wpa_tdls_send_teardown(sm, addr, 828 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE); 829 wpa_tdls_peer_free(sm, peer); 830 } else { 831 wpa_tdls_disable_peer_link(sm, peer); 832 } 833} 834 835 836const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 837{ 838 struct wpa_tdls_peer *peer; 839 840 if (sm->tdls_disabled || !sm->tdls_supported) 841 return "disabled"; 842 843 for (peer = sm->tdls; peer; peer = peer->next) { 844 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 845 break; 846 } 847 848 if (peer == NULL) 849 return "peer does not exist"; 850 851 if (!peer->tpk_success) 852 return "peer not connected"; 853 854 return "connected"; 855} 856 857 858static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 859 const u8 *buf, size_t len) 860{ 861 struct wpa_tdls_peer *peer = NULL; 862 struct wpa_tdls_ftie *ftie; 863 struct wpa_tdls_lnkid *lnkid; 864 struct wpa_eapol_ie_parse kde; 865 u16 reason_code; 866 const u8 *pos; 867 int ielen; 868 869 /* Find the node and free from the list */ 870 for (peer = sm->tdls; peer; peer = peer->next) { 871 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 872 break; 873 } 874 875 if (peer == NULL) { 876 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 877 "Teardown " MACSTR, MAC2STR(src_addr)); 878 return 0; 879 } 880 881 pos = buf; 882 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 883 884 reason_code = WPA_GET_LE16(pos); 885 pos += 2; 886 887 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 888 " (reason code %u)", MAC2STR(src_addr), reason_code); 889 890 ielen = len - (pos - buf); /* start of IE in buf */ 891 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 892 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown"); 893 return -1; 894 } 895 896 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 897 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 898 "Teardown"); 899 return -1; 900 } 901 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 902 903 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 904 goto skip_ftie; 905 906 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 907 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 908 return -1; 909 } 910 911 ftie = (struct wpa_tdls_ftie *) kde.ftie; 912 913 /* Process MIC check to see if TDLS Teardown is right */ 914 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 915 peer->dtoken, peer, 916 (u8 *) lnkid, ftie) < 0) { 917 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 918 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 919 return -1; 920 } 921 922skip_ftie: 923 /* 924 * Request the driver to disable the direct link and clear associated 925 * keys. 926 */ 927 wpa_tdls_disable_peer_link(sm, peer); 928 return 0; 929} 930 931 932/** 933 * wpa_tdls_send_error - To send suitable TDLS status response with 934 * appropriate status code mentioning reason for error/failure. 935 * @dst - MAC addr of Peer station 936 * @tdls_action - TDLS frame type for which error code is sent 937 * @status - status code mentioning reason 938 */ 939 940static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 941 u8 tdls_action, u8 dialog_token, u16 status) 942{ 943 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 944 " (action=%u status=%u)", 945 MAC2STR(dst), tdls_action, status); 946 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 947 0, NULL, 0); 948} 949 950 951static struct wpa_tdls_peer * 952wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 953{ 954 struct wpa_tdls_peer *peer; 955 956 if (existing) 957 *existing = 0; 958 for (peer = sm->tdls; peer; peer = peer->next) { 959 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 960 if (existing) 961 *existing = 1; 962 return peer; /* re-use existing entry */ 963 } 964 } 965 966 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 967 MAC2STR(addr)); 968 969 peer = os_zalloc(sizeof(*peer)); 970 if (peer == NULL) 971 return NULL; 972 973 os_memcpy(peer->addr, addr, ETH_ALEN); 974 peer->next = sm->tdls; 975 sm->tdls = peer; 976 977 return peer; 978} 979 980 981static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 982 struct wpa_tdls_peer *peer) 983{ 984 size_t buf_len; 985 struct wpa_tdls_timeoutie timeoutie; 986 u16 rsn_capab; 987 struct wpa_tdls_ftie *ftie; 988 u8 *rbuf, *pos, *count_pos; 989 u16 count; 990 struct rsn_ie_hdr *hdr; 991 int status; 992 993 if (!wpa_tdls_get_privacy(sm)) { 994 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 995 peer->rsnie_i_len = 0; 996 goto skip_rsnie; 997 } 998 999 /* 1000 * TPK Handshake Message 1: 1001 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 1002 * Timeout Interval IE)) 1003 */ 1004 1005 /* Filling RSN IE */ 1006 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 1007 hdr->elem_id = WLAN_EID_RSN; 1008 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1009 1010 pos = (u8 *) (hdr + 1); 1011 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1012 pos += RSN_SELECTOR_LEN; 1013 count_pos = pos; 1014 pos += 2; 1015 1016 count = 0; 1017 1018 /* 1019 * AES-CCMP is the default Encryption preferred for TDLS, so 1020 * RSN IE is filled only with CCMP CIPHER 1021 * Note: TKIP is not used to encrypt TDLS link. 1022 * 1023 * Regardless of the cipher used on the AP connection, select CCMP 1024 * here. 1025 */ 1026 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1027 pos += RSN_SELECTOR_LEN; 1028 count++; 1029 1030 WPA_PUT_LE16(count_pos, count); 1031 1032 WPA_PUT_LE16(pos, 1); 1033 pos += 2; 1034 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1035 pos += RSN_SELECTOR_LEN; 1036 1037 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1038 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1039#ifdef CONFIG_TDLS_TESTING 1040 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1041 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1042 "testing"); 1043 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1044 } 1045#endif /* CONFIG_TDLS_TESTING */ 1046 WPA_PUT_LE16(pos, rsn_capab); 1047 pos += 2; 1048#ifdef CONFIG_TDLS_TESTING 1049 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1050 /* Number of PMKIDs */ 1051 *pos++ = 0x00; 1052 *pos++ = 0x00; 1053 } 1054#endif /* CONFIG_TDLS_TESTING */ 1055 1056 hdr->len = (pos - peer->rsnie_i) - 2; 1057 peer->rsnie_i_len = pos - peer->rsnie_i; 1058 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1059 peer->rsnie_i, peer->rsnie_i_len); 1060 1061skip_rsnie: 1062 buf_len = 0; 1063 if (wpa_tdls_get_privacy(sm)) 1064 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1065 sizeof(struct wpa_tdls_timeoutie); 1066#ifdef CONFIG_TDLS_TESTING 1067 if (wpa_tdls_get_privacy(sm) && 1068 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1069 buf_len += 170; 1070 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1071 buf_len += sizeof(struct wpa_tdls_lnkid); 1072#endif /* CONFIG_TDLS_TESTING */ 1073 rbuf = os_zalloc(buf_len + 1); 1074 if (rbuf == NULL) { 1075 wpa_tdls_peer_free(sm, peer); 1076 return -1; 1077 } 1078 pos = rbuf; 1079 1080 if (!wpa_tdls_get_privacy(sm)) 1081 goto skip_ies; 1082 1083 /* Initiator RSN IE */ 1084 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1085 1086 ftie = (struct wpa_tdls_ftie *) pos; 1087 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1088 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1089 1090 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1091 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1092 "TDLS: Failed to get random data for initiator Nonce"); 1093 os_free(rbuf); 1094 wpa_tdls_peer_free(sm, peer); 1095 return -1; 1096 } 1097 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1098 peer->inonce, WPA_NONCE_LEN); 1099 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1100 1101 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1102 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1103 1104 pos = (u8 *) (ftie + 1); 1105 1106#ifdef CONFIG_TDLS_TESTING 1107 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1108 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1109 "FTIE"); 1110 ftie->ie_len += 170; 1111 *pos++ = 255; /* FTIE subelem */ 1112 *pos++ = 168; /* FTIE subelem length */ 1113 pos += 168; 1114 } 1115#endif /* CONFIG_TDLS_TESTING */ 1116 1117 /* Lifetime */ 1118 peer->lifetime = TPK_LIFETIME; 1119#ifdef CONFIG_TDLS_TESTING 1120 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1121 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1122 "lifetime"); 1123 peer->lifetime = 301; 1124 } 1125 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1126 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1127 "lifetime"); 1128 peer->lifetime = 0xffffffff; 1129 } 1130#endif /* CONFIG_TDLS_TESTING */ 1131 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1132 sizeof(timeoutie), peer->lifetime); 1133 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1134 1135skip_ies: 1136 1137#ifdef CONFIG_TDLS_TESTING 1138 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1139 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1140 "Link Identifier"); 1141 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1142 wpa_tdls_linkid(sm, peer, l); 1143 l->bssid[5] ^= 0x01; 1144 pos += sizeof(*l); 1145 } 1146#endif /* CONFIG_TDLS_TESTING */ 1147 1148 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1149 "Handshake Message 1 (peer " MACSTR ")", 1150 MAC2STR(peer->addr)); 1151 1152 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1153 1, 0, 0, rbuf, pos - rbuf); 1154 os_free(rbuf); 1155 1156 return status; 1157} 1158 1159 1160static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1161 const unsigned char *src_addr, u8 dtoken, 1162 struct wpa_tdls_lnkid *lnkid, 1163 const struct wpa_tdls_peer *peer) 1164{ 1165 u8 *rbuf, *pos; 1166 size_t buf_len; 1167 u32 lifetime; 1168 struct wpa_tdls_timeoutie timeoutie; 1169 struct wpa_tdls_ftie *ftie; 1170 int status; 1171 1172 buf_len = 0; 1173 if (wpa_tdls_get_privacy(sm)) { 1174 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1175 * Lifetime */ 1176 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1177 sizeof(struct wpa_tdls_timeoutie); 1178#ifdef CONFIG_TDLS_TESTING 1179 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1180 buf_len += 170; 1181#endif /* CONFIG_TDLS_TESTING */ 1182 } 1183 1184 rbuf = os_zalloc(buf_len + 1); 1185 if (rbuf == NULL) 1186 return -1; 1187 pos = rbuf; 1188 1189 if (!wpa_tdls_get_privacy(sm)) 1190 goto skip_ies; 1191 1192 /* Peer RSN IE */ 1193 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1194 1195 ftie = (struct wpa_tdls_ftie *) pos; 1196 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1197 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1198 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1199 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1200 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1201 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1202 (u8 *) ftie, sizeof(*ftie)); 1203 1204 pos = (u8 *) (ftie + 1); 1205 1206#ifdef CONFIG_TDLS_TESTING 1207 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1208 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1209 "FTIE"); 1210 ftie->ie_len += 170; 1211 *pos++ = 255; /* FTIE subelem */ 1212 *pos++ = 168; /* FTIE subelem length */ 1213 pos += 168; 1214 } 1215#endif /* CONFIG_TDLS_TESTING */ 1216 1217 /* Lifetime */ 1218 lifetime = peer->lifetime; 1219#ifdef CONFIG_TDLS_TESTING 1220 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1221 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1222 "lifetime in response"); 1223 lifetime++; 1224 } 1225#endif /* CONFIG_TDLS_TESTING */ 1226 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1227 sizeof(timeoutie), lifetime); 1228 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1229 lifetime); 1230 1231 /* compute MIC before sending */ 1232 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1233 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1234#ifdef CONFIG_TDLS_TESTING 1235 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1236 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1237 ftie->mic[0] ^= 0x01; 1238 } 1239#endif /* CONFIG_TDLS_TESTING */ 1240 1241skip_ies: 1242 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1243 dtoken, 0, 0, rbuf, pos - rbuf); 1244 os_free(rbuf); 1245 1246 return status; 1247} 1248 1249 1250static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1251 const unsigned char *src_addr, u8 dtoken, 1252 struct wpa_tdls_lnkid *lnkid, 1253 const struct wpa_tdls_peer *peer) 1254{ 1255 u8 *rbuf, *pos; 1256 size_t buf_len; 1257 struct wpa_tdls_ftie *ftie; 1258 struct wpa_tdls_timeoutie timeoutie; 1259 u32 lifetime; 1260 int status; 1261 u32 peer_capab = 0; 1262 1263 buf_len = 0; 1264 if (wpa_tdls_get_privacy(sm)) { 1265 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1266 * Lifetime */ 1267 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1268 sizeof(struct wpa_tdls_timeoutie); 1269#ifdef CONFIG_TDLS_TESTING 1270 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1271 buf_len += 170; 1272#endif /* CONFIG_TDLS_TESTING */ 1273 } 1274 1275 rbuf = os_zalloc(buf_len + 1); 1276 if (rbuf == NULL) 1277 return -1; 1278 pos = rbuf; 1279 1280 if (!wpa_tdls_get_privacy(sm)) 1281 goto skip_ies; 1282 1283 /* Peer RSN IE */ 1284 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1285 1286 ftie = (struct wpa_tdls_ftie *) pos; 1287 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1288 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1289 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1290 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1291 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1292 1293 pos = (u8 *) (ftie + 1); 1294 1295#ifdef CONFIG_TDLS_TESTING 1296 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1297 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1298 "FTIE"); 1299 ftie->ie_len += 170; 1300 *pos++ = 255; /* FTIE subelem */ 1301 *pos++ = 168; /* FTIE subelem length */ 1302 pos += 168; 1303 } 1304#endif /* CONFIG_TDLS_TESTING */ 1305 1306 /* Lifetime */ 1307 lifetime = peer->lifetime; 1308#ifdef CONFIG_TDLS_TESTING 1309 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1310 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1311 "lifetime in confirm"); 1312 lifetime++; 1313 } 1314#endif /* CONFIG_TDLS_TESTING */ 1315 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1316 sizeof(timeoutie), lifetime); 1317 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1318 lifetime); 1319 1320 /* compute MIC before sending */ 1321 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1322 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1323#ifdef CONFIG_TDLS_TESTING 1324 if (tdls_testing & TDLS_TESTING_WRONG_MIC) { 1325 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC"); 1326 ftie->mic[0] ^= 0x01; 1327 } 1328#endif /* CONFIG_TDLS_TESTING */ 1329 1330skip_ies: 1331 1332 if (peer->vht_capabilities) 1333 peer_capab |= TDLS_PEER_VHT; 1334 if (peer->ht_capabilities) 1335 peer_capab |= TDLS_PEER_HT; 1336 if (peer->wmm_capable) 1337 peer_capab |= TDLS_PEER_WMM; 1338 1339 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1340 dtoken, 0, peer_capab, rbuf, pos - rbuf); 1341 os_free(rbuf); 1342 1343 return status; 1344} 1345 1346 1347static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1348 struct wpa_tdls_peer *peer, 1349 u8 dialog_token) 1350{ 1351 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1352 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1353 1354 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1355 dialog_token, 0, 0, NULL, 0); 1356} 1357 1358 1359static int 1360wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1361 const u8 *buf, size_t len) 1362{ 1363 struct wpa_eapol_ie_parse kde; 1364 const struct wpa_tdls_lnkid *lnkid; 1365 struct wpa_tdls_peer *peer; 1366 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1367 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1368 u8 dialog_token; 1369 1370 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1371 MAC2STR(addr)); 1372 1373 if (len < min_req_len) { 1374 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1375 "%d", (int) len); 1376 return -1; 1377 } 1378 1379 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1380 1381 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1382 len - (sizeof(struct wpa_tdls_frame) + 1), 1383 &kde) < 0) 1384 return -1; 1385 1386 if (!kde.lnkid) { 1387 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1388 "Request"); 1389 return -1; 1390 } 1391 1392 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1393 1394 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1395 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1396 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1397 return -1; 1398 } 1399 1400 peer = wpa_tdls_add_peer(sm, addr, NULL); 1401 if (peer == NULL) 1402 return -1; 1403 1404 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1405} 1406 1407 1408int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1409{ 1410 if (sm->tdls_disabled || !sm->tdls_supported) 1411 return -1; 1412 1413 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1414 MACSTR, MAC2STR(addr)); 1415 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1416 1, 0, 0, NULL, 0); 1417} 1418 1419 1420static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1421 struct wpa_tdls_peer *peer) 1422{ 1423 if (!kde->supp_rates) { 1424 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1425 return -1; 1426 } 1427 peer->supp_rates_len = merge_byte_arrays( 1428 peer->supp_rates, sizeof(peer->supp_rates), 1429 kde->supp_rates + 2, kde->supp_rates_len - 2, 1430 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1431 kde->ext_supp_rates_len - 2); 1432 return 0; 1433} 1434 1435 1436static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1437 struct wpa_tdls_peer *peer) 1438{ 1439 if (!kde->ht_capabilities || 1440 kde->ht_capabilities_len < 1441 sizeof(struct ieee80211_ht_capabilities) ) { 1442 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1443 "received"); 1444 return 0; 1445 } 1446 1447 if (!peer->ht_capabilities) { 1448 peer->ht_capabilities = 1449 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1450 if (peer->ht_capabilities == NULL) 1451 return -1; 1452 } 1453 1454 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1455 sizeof(struct ieee80211_ht_capabilities)); 1456 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1457 (u8 *) peer->ht_capabilities, 1458 sizeof(struct ieee80211_ht_capabilities)); 1459 1460 return 0; 1461} 1462 1463 1464static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1465 struct wpa_tdls_peer *peer) 1466{ 1467 if (!kde->vht_capabilities || 1468 kde->vht_capabilities_len < 1469 sizeof(struct ieee80211_vht_capabilities) ) { 1470 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1471 "received"); 1472 return 0; 1473 } 1474 1475 if (!peer->vht_capabilities) { 1476 peer->vht_capabilities = 1477 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1478 if (peer->vht_capabilities == NULL) 1479 return -1; 1480 } 1481 1482 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1483 sizeof(struct ieee80211_vht_capabilities)); 1484 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1485 (u8 *) peer->vht_capabilities, 1486 sizeof(struct ieee80211_vht_capabilities)); 1487 1488 return 0; 1489} 1490 1491 1492static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1493 struct wpa_tdls_peer *peer) 1494{ 1495 if (!kde->ext_capab) { 1496 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1497 "received"); 1498 return 0; 1499 } 1500 1501 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1502 /* Need to allocate buffer to fit the new information */ 1503 os_free(peer->ext_capab); 1504 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1505 if (peer->ext_capab == NULL) 1506 return -1; 1507 } 1508 1509 peer->ext_capab_len = kde->ext_capab_len - 2; 1510 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1511 1512 return 0; 1513} 1514 1515 1516static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1517 struct wpa_tdls_peer *peer) 1518{ 1519 struct wmm_information_element *wmm; 1520 1521 if (!kde->wmm) { 1522 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1523 return 0; 1524 } 1525 1526 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1527 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1528 return -1; 1529 } 1530 1531 wmm = (struct wmm_information_element *) kde->wmm; 1532 peer->qos_info = wmm->qos_info; 1533 1534 peer->wmm_capable = 1; 1535 1536 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1537 return 0; 1538} 1539 1540 1541static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1542 struct wpa_tdls_peer *peer) 1543{ 1544 if (!kde->supp_channels) { 1545 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1546 return 0; 1547 } 1548 1549 if (!peer->supp_channels || 1550 peer->supp_channels_len < kde->supp_channels_len) { 1551 os_free(peer->supp_channels); 1552 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1553 if (peer->supp_channels == NULL) 1554 return -1; 1555 } 1556 1557 peer->supp_channels_len = kde->supp_channels_len; 1558 1559 os_memcpy(peer->supp_channels, kde->supp_channels, 1560 peer->supp_channels_len); 1561 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1562 (u8 *) peer->supp_channels, peer->supp_channels_len); 1563 return 0; 1564} 1565 1566 1567static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1568 struct wpa_tdls_peer *peer) 1569{ 1570 if (!kde->supp_oper_classes) { 1571 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1572 return 0; 1573 } 1574 1575 if (!peer->supp_oper_classes || 1576 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1577 os_free(peer->supp_oper_classes); 1578 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1579 if (peer->supp_oper_classes == NULL) 1580 return -1; 1581 } 1582 1583 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1584 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1585 peer->supp_oper_classes_len); 1586 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1587 (u8 *) peer->supp_oper_classes, 1588 peer->supp_oper_classes_len); 1589 return 0; 1590} 1591 1592 1593static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1594 const u8 *buf, size_t len) 1595{ 1596 struct wpa_tdls_peer *peer; 1597 struct wpa_eapol_ie_parse kde; 1598 struct wpa_ie_data ie; 1599 int cipher; 1600 const u8 *cpos; 1601 struct wpa_tdls_ftie *ftie = NULL; 1602 struct wpa_tdls_timeoutie *timeoutie; 1603 struct wpa_tdls_lnkid *lnkid; 1604 u32 lifetime = 0; 1605#if 0 1606 struct rsn_ie_hdr *hdr; 1607 u8 *pos; 1608 u16 rsn_capab; 1609 u16 rsn_ver; 1610#endif 1611 u8 dtoken; 1612 u16 ielen; 1613 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1614 int tdls_prohibited = sm->tdls_prohibited; 1615 int existing_peer = 0; 1616 1617 if (len < 3 + 3) 1618 return -1; 1619 1620 cpos = buf; 1621 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1622 1623 /* driver had already verified the frame format */ 1624 dtoken = *cpos++; /* dialog token */ 1625 1626 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1627 1628 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1629 if (peer == NULL) 1630 goto error; 1631 1632 /* If found, use existing entry instead of adding a new one; 1633 * how to handle the case where both ends initiate at the 1634 * same time? */ 1635 if (existing_peer) { 1636 if (peer->tpk_success) { 1637 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1638 "direct link is enabled - tear down the " 1639 "old link first"); 1640 wpa_tdls_disable_peer_link(sm, peer); 1641 } 1642 1643 /* 1644 * An entry is already present, so check if we already sent a 1645 * TDLS Setup Request. If so, compare MAC addresses and let the 1646 * STA with the lower MAC address continue as the initiator. 1647 * The other negotiation is terminated. 1648 */ 1649 if (peer->initiator) { 1650 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1651 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1652 "from peer with higher address " 1653 MACSTR, MAC2STR(src_addr)); 1654 return -1; 1655 } else { 1656 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1657 "from peer with lower address " 1658 MACSTR " (terminate previously " 1659 "initiated negotiation", 1660 MAC2STR(src_addr)); 1661 wpa_tdls_disable_peer_link(sm, peer); 1662 } 1663 } 1664 } 1665 1666 /* capability information */ 1667 peer->capability = WPA_GET_LE16(cpos); 1668 cpos += 2; 1669 1670 ielen = len - (cpos - buf); /* start of IE in buf */ 1671 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) { 1672 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1"); 1673 goto error; 1674 } 1675 1676 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1677 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1678 "TPK M1"); 1679 goto error; 1680 } 1681 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1682 kde.lnkid, kde.lnkid_len); 1683 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1684 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1685 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1686 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1687 goto error; 1688 } 1689 1690 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1691 MAC2STR(src_addr)); 1692 1693 if (copy_supp_rates(&kde, peer) < 0) 1694 goto error; 1695 1696 if (copy_peer_ht_capab(&kde, peer) < 0) 1697 goto error; 1698 1699 if (copy_peer_vht_capab(&kde, peer) < 0) 1700 goto error; 1701 1702 if (copy_peer_ext_capab(&kde, peer) < 0) 1703 goto error; 1704 1705 if (copy_peer_supp_channels(&kde, peer) < 0) 1706 goto error; 1707 1708 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1709 goto error; 1710 1711 peer->qos_info = kde.qosinfo; 1712 1713 /* Overwrite with the qos_info obtained in WMM IE */ 1714 if (copy_peer_wmm_capab(&kde, peer) < 0) 1715 goto error; 1716 1717 peer->aid = kde.aid; 1718 1719#ifdef CONFIG_TDLS_TESTING 1720 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1721 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1722 if (peer == NULL) 1723 goto error; 1724 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1725 "TDLS setup - send own request"); 1726 peer->initiator = 1; 1727 wpa_tdls_send_tpk_m1(sm, peer); 1728 } 1729 1730 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1731 tdls_prohibited) { 1732 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1733 "on TDLS"); 1734 tdls_prohibited = 0; 1735 } 1736#endif /* CONFIG_TDLS_TESTING */ 1737 1738 if (tdls_prohibited) { 1739 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1740 status = WLAN_STATUS_REQUEST_DECLINED; 1741 goto error; 1742 } 1743 1744 if (!wpa_tdls_get_privacy(sm)) { 1745 if (kde.rsn_ie) { 1746 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1747 "security is disabled"); 1748 status = WLAN_STATUS_SECURITY_DISABLED; 1749 goto error; 1750 } 1751 goto skip_rsn; 1752 } 1753 1754 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1755 kde.rsn_ie == NULL) { 1756 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1757 status = WLAN_STATUS_INVALID_PARAMETERS; 1758 goto error; 1759 } 1760 1761 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1762 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1763 "TPK M1"); 1764 status = WLAN_STATUS_INVALID_RSNIE; 1765 goto error; 1766 } 1767 1768 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1769 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1770 status = WLAN_STATUS_INVALID_RSNIE; 1771 goto error; 1772 } 1773 1774 cipher = ie.pairwise_cipher; 1775 if (cipher & WPA_CIPHER_CCMP) { 1776 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1777 cipher = WPA_CIPHER_CCMP; 1778 } else { 1779 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1780 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1781 goto error; 1782 } 1783 1784 if ((ie.capabilities & 1785 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1786 WPA_CAPABILITY_PEERKEY_ENABLED) { 1787 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1788 "TPK M1"); 1789 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1790 goto error; 1791 } 1792 1793 /* Lifetime */ 1794 if (kde.key_lifetime == NULL) { 1795 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1796 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1797 goto error; 1798 } 1799 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1800 lifetime = WPA_GET_LE32(timeoutie->value); 1801 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1802 if (lifetime < 300) { 1803 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1804 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1805 goto error; 1806 } 1807 1808skip_rsn: 1809#ifdef CONFIG_TDLS_TESTING 1810 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1811 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1812 /* 1813 * The request frame from us is going to win, so do not 1814 * replace information based on this request frame from 1815 * the peer. 1816 */ 1817 goto skip_rsn_check; 1818 } 1819 } 1820#endif /* CONFIG_TDLS_TESTING */ 1821 1822 peer->initiator = 0; /* Need to check */ 1823 peer->dtoken = dtoken; 1824 1825 if (!wpa_tdls_get_privacy(sm)) { 1826 peer->rsnie_i_len = 0; 1827 peer->rsnie_p_len = 0; 1828 peer->cipher = WPA_CIPHER_NONE; 1829 goto skip_rsn_check; 1830 } 1831 1832 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1833 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1834 peer->rsnie_i_len = kde.rsn_ie_len; 1835 peer->cipher = cipher; 1836 1837 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 1838 /* 1839 * There is no point in updating the RNonce for every obtained 1840 * TPK M1 frame (e.g., retransmission due to timeout) with the 1841 * same INonce (SNonce in FTIE). However, if the TPK M1 is 1842 * retransmitted with a different INonce, update the RNonce 1843 * since this is for a new TDLS session. 1844 */ 1845 wpa_printf(MSG_DEBUG, 1846 "TDLS: New TPK M1 INonce - generate new RNonce"); 1847 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 1848 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 1849 wpa_msg(sm->ctx->ctx, MSG_WARNING, 1850 "TDLS: Failed to get random data for responder nonce"); 1851 goto error; 1852 } 1853 } 1854 1855#if 0 1856 /* get version info from RSNIE received from Peer */ 1857 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 1858 rsn_ver = WPA_GET_LE16(hdr->version); 1859 1860 /* use min(peer's version, out version) */ 1861 if (rsn_ver > RSN_VERSION) 1862 rsn_ver = RSN_VERSION; 1863 1864 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 1865 1866 hdr->elem_id = WLAN_EID_RSN; 1867 WPA_PUT_LE16(hdr->version, rsn_ver); 1868 pos = (u8 *) (hdr + 1); 1869 1870 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1871 pos += RSN_SELECTOR_LEN; 1872 /* Include only the selected cipher in pairwise cipher suite */ 1873 WPA_PUT_LE16(pos, 1); 1874 pos += 2; 1875 if (cipher == WPA_CIPHER_CCMP) 1876 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1877 pos += RSN_SELECTOR_LEN; 1878 1879 WPA_PUT_LE16(pos, 1); 1880 pos += 2; 1881 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1882 pos += RSN_SELECTOR_LEN; 1883 1884 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1885 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1886 WPA_PUT_LE16(pos, rsn_capab); 1887 pos += 2; 1888 1889 hdr->len = (pos - peer->rsnie_p) - 2; 1890 peer->rsnie_p_len = pos - peer->rsnie_p; 1891#endif 1892 1893 /* temp fix: validation of RSNIE later */ 1894 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 1895 peer->rsnie_p_len = peer->rsnie_i_len; 1896 1897 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1898 peer->rsnie_p, peer->rsnie_p_len); 1899 1900 peer->lifetime = lifetime; 1901 1902 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 1903 1904skip_rsn_check: 1905 /* add the peer to the driver as a "setup in progress" peer */ 1906 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, 1907 NULL, 0, NULL, 0, NULL, 0, NULL, 0)) 1908 goto error; 1909 1910 peer->tpk_in_progress = 1; 1911 1912 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 1913 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 1914 wpa_tdls_disable_peer_link(sm, peer); 1915 goto error; 1916 } 1917 1918 return 0; 1919 1920error: 1921 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 1922 status); 1923 if (peer) 1924 wpa_tdls_peer_free(sm, peer); 1925 return -1; 1926} 1927 1928 1929static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 1930{ 1931 peer->tpk_success = 1; 1932 peer->tpk_in_progress = 0; 1933 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1934 if (wpa_tdls_get_privacy(sm)) { 1935 u32 lifetime = peer->lifetime; 1936 /* 1937 * Start the initiator process a bit earlier to avoid race 1938 * condition with the responder sending teardown request. 1939 */ 1940 if (lifetime > 3 && peer->initiator) 1941 lifetime -= 3; 1942 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 1943 sm, peer); 1944#ifdef CONFIG_TDLS_TESTING 1945 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 1946 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 1947 "expiration"); 1948 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1949 } 1950#endif /* CONFIG_TDLS_TESTING */ 1951 } 1952 1953 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 1954 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 0, peer->aid, 1955 peer->capability, 1956 peer->supp_rates, peer->supp_rates_len, 1957 peer->ht_capabilities, 1958 peer->vht_capabilities, 1959 peer->qos_info, peer->ext_capab, 1960 peer->ext_capab_len, 1961 peer->supp_channels, 1962 peer->supp_channels_len, 1963 peer->supp_oper_classes, 1964 peer->supp_oper_classes_len) < 0) 1965 return -1; 1966 1967 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 1968 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 1969 "driver"); 1970 return -1; 1971 } 1972 peer->reconfig_key = 0; 1973 1974 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 1975} 1976 1977 1978static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 1979 const u8 *buf, size_t len) 1980{ 1981 struct wpa_tdls_peer *peer; 1982 struct wpa_eapol_ie_parse kde; 1983 struct wpa_ie_data ie; 1984 int cipher; 1985 struct wpa_tdls_ftie *ftie; 1986 struct wpa_tdls_timeoutie *timeoutie; 1987 struct wpa_tdls_lnkid *lnkid; 1988 u32 lifetime; 1989 u8 dtoken; 1990 int ielen; 1991 u16 status; 1992 const u8 *pos; 1993 int ret = 0; 1994 1995 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 1996 "(Peer " MACSTR ")", MAC2STR(src_addr)); 1997 for (peer = sm->tdls; peer; peer = peer->next) { 1998 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 1999 break; 2000 } 2001 if (peer == NULL) { 2002 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2003 "TPK M2: " MACSTR, MAC2STR(src_addr)); 2004 return -1; 2005 } 2006 if (!peer->initiator) { 2007 /* 2008 * This may happen if both devices try to initiate TDLS at the 2009 * same time and we accept the TPK M1 from the peer in 2010 * wpa_tdls_process_tpk_m1() and clear our previous state. 2011 */ 2012 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 2013 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 2014 return -1; 2015 } 2016 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 2017 2018 if (len < 3 + 2 + 1) { 2019 wpa_tdls_disable_peer_link(sm, peer); 2020 return -1; 2021 } 2022 2023 pos = buf; 2024 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2025 status = WPA_GET_LE16(pos); 2026 pos += 2 /* status code */; 2027 2028 if (status != WLAN_STATUS_SUCCESS) { 2029 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 2030 status); 2031 wpa_tdls_disable_peer_link(sm, peer); 2032 return -1; 2033 } 2034 2035 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2036 2037 /* TODO: need to verify dialog token matches here or in kernel */ 2038 dtoken = *pos++; /* dialog token */ 2039 2040 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2041 2042 if (len < 3 + 2 + 1 + 2) { 2043 wpa_tdls_disable_peer_link(sm, peer); 2044 return -1; 2045 } 2046 2047 /* capability information */ 2048 peer->capability = WPA_GET_LE16(pos); 2049 pos += 2; 2050 2051 ielen = len - (pos - buf); /* start of IE in buf */ 2052 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) { 2053 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2"); 2054 goto error; 2055 } 2056 2057#ifdef CONFIG_TDLS_TESTING 2058 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2059 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2060 status = WLAN_STATUS_REQUEST_DECLINED; 2061 goto error; 2062 } 2063#endif /* CONFIG_TDLS_TESTING */ 2064 2065 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2066 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2067 "TPK M2"); 2068 goto error; 2069 } 2070 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2071 kde.lnkid, kde.lnkid_len); 2072 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2073 2074 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2075 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2076 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2077 goto error; 2078 } 2079 2080 if (copy_supp_rates(&kde, peer) < 0) 2081 goto error; 2082 2083 if (copy_peer_ht_capab(&kde, peer) < 0) 2084 goto error; 2085 2086 if (copy_peer_vht_capab(&kde, peer) < 0) 2087 goto error; 2088 2089 if (copy_peer_ext_capab(&kde, peer) < 0) 2090 goto error; 2091 2092 if (copy_peer_supp_channels(&kde, peer) < 0) 2093 goto error; 2094 2095 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2096 goto error; 2097 2098 peer->qos_info = kde.qosinfo; 2099 2100 /* Overwrite with the qos_info obtained in WMM IE */ 2101 if (copy_peer_wmm_capab(&kde, peer) < 0) 2102 goto error; 2103 2104 peer->aid = kde.aid; 2105 2106 if (!wpa_tdls_get_privacy(sm)) { 2107 peer->rsnie_p_len = 0; 2108 peer->cipher = WPA_CIPHER_NONE; 2109 goto skip_rsn; 2110 } 2111 2112 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2113 kde.rsn_ie == NULL) { 2114 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2115 status = WLAN_STATUS_INVALID_PARAMETERS; 2116 goto error; 2117 } 2118 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2119 kde.rsn_ie, kde.rsn_ie_len); 2120 2121 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 2122 wpa_printf(MSG_INFO, 2123 "TDLS: Too long Responder RSN IE in TPK M2"); 2124 status = WLAN_STATUS_INVALID_RSNIE; 2125 goto error; 2126 } 2127 2128 /* 2129 * FIX: bitwise comparison of RSN IE is not the correct way of 2130 * validation this. It can be different, but certain fields must 2131 * match. Since we list only a single pairwise cipher in TPK M1, the 2132 * memcmp is likely to work in most cases, though. 2133 */ 2134 if (kde.rsn_ie_len != peer->rsnie_i_len || 2135 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2136 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2137 "not match with RSN IE used in TPK M1"); 2138 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2139 peer->rsnie_i, peer->rsnie_i_len); 2140 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2141 kde.rsn_ie, kde.rsn_ie_len); 2142 status = WLAN_STATUS_INVALID_RSNIE; 2143 goto error; 2144 } 2145 2146 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2147 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2148 status = WLAN_STATUS_INVALID_RSNIE; 2149 goto error; 2150 } 2151 2152 cipher = ie.pairwise_cipher; 2153 if (cipher == WPA_CIPHER_CCMP) { 2154 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2155 cipher = WPA_CIPHER_CCMP; 2156 } else { 2157 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2158 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2159 goto error; 2160 } 2161 2162 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2163 kde.ftie, sizeof(*ftie)); 2164 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2165 2166 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2167 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2168 "not match with FTIE SNonce used in TPK M1"); 2169 /* Silently discard the frame */ 2170 return -1; 2171 } 2172 2173 /* Responder Nonce and RSN IE */ 2174 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2175 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2176 peer->rsnie_p_len = kde.rsn_ie_len; 2177 peer->cipher = cipher; 2178 2179 /* Lifetime */ 2180 if (kde.key_lifetime == NULL) { 2181 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2182 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2183 goto error; 2184 } 2185 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2186 lifetime = WPA_GET_LE32(timeoutie->value); 2187 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2188 lifetime); 2189 if (lifetime != peer->lifetime) { 2190 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2191 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2192 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2193 goto error; 2194 } 2195 2196 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2197 2198 /* Process MIC check to see if TPK M2 is right */ 2199 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2200 (u8 *) timeoutie, ftie) < 0) { 2201 /* Discard the frame */ 2202 wpa_tdls_del_key(sm, peer); 2203 wpa_tdls_disable_peer_link(sm, peer); 2204 return -1; 2205 } 2206 2207 if (wpa_tdls_set_key(sm, peer) < 0) { 2208 /* 2209 * Some drivers may not be able to config the key prior to full 2210 * STA entry having been configured. 2211 */ 2212 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2213 "STA entry is complete"); 2214 peer->reconfig_key = 1; 2215 } 2216 2217skip_rsn: 2218 peer->dtoken = dtoken; 2219 2220 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2221 "TPK Handshake Message 3"); 2222 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) { 2223 wpa_tdls_disable_peer_link(sm, peer); 2224 return -1; 2225 } 2226 2227 if (!peer->tpk_success) { 2228 /* 2229 * Enable Link only when tpk_success is 0, signifying that this 2230 * processing of TPK M2 frame is not because of a retransmission 2231 * during TDLS setup handshake. 2232 */ 2233 ret = wpa_tdls_enable_link(sm, peer); 2234 if (ret < 0) { 2235 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2236 wpa_tdls_do_teardown( 2237 sm, peer, 2238 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2239 } 2240 } 2241 return ret; 2242 2243error: 2244 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 2245 status); 2246 wpa_tdls_disable_peer_link(sm, peer); 2247 return -1; 2248} 2249 2250 2251static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2252 const u8 *buf, size_t len) 2253{ 2254 struct wpa_tdls_peer *peer; 2255 struct wpa_eapol_ie_parse kde; 2256 struct wpa_tdls_ftie *ftie; 2257 struct wpa_tdls_timeoutie *timeoutie; 2258 struct wpa_tdls_lnkid *lnkid; 2259 int ielen; 2260 u16 status; 2261 const u8 *pos; 2262 u32 lifetime; 2263 int ret = 0; 2264 2265 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2266 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2267 for (peer = sm->tdls; peer; peer = peer->next) { 2268 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2269 break; 2270 } 2271 if (peer == NULL) { 2272 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2273 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2274 return -1; 2275 } 2276 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2277 2278 if (len < 3 + 3) 2279 goto error; 2280 pos = buf; 2281 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2282 2283 status = WPA_GET_LE16(pos); 2284 2285 if (status != 0) { 2286 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2287 status); 2288 goto error; 2289 } 2290 pos += 2 /* status code */ + 1 /* dialog token */; 2291 2292 ielen = len - (pos - buf); /* start of IE in buf */ 2293 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2294 wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3"); 2295 goto error; 2296 } 2297 2298 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2299 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2300 goto error; 2301 } 2302 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2303 (u8 *) kde.lnkid, kde.lnkid_len); 2304 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2305 2306 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2307 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2308 goto error; 2309 } 2310 2311 if (!wpa_tdls_get_privacy(sm)) 2312 goto skip_rsn; 2313 2314 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2315 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2316 goto error; 2317 } 2318 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2319 kde.ftie, sizeof(*ftie)); 2320 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2321 2322 if (kde.rsn_ie == NULL) { 2323 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2324 goto error; 2325 } 2326 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2327 kde.rsn_ie, kde.rsn_ie_len); 2328 if (kde.rsn_ie_len != peer->rsnie_p_len || 2329 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2330 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2331 "with the one sent in TPK M2"); 2332 goto error; 2333 } 2334 2335 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2336 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2337 "not match with FTIE ANonce used in TPK M2"); 2338 goto error; 2339 } 2340 2341 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2342 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2343 "match with FTIE SNonce used in TPK M1"); 2344 goto error; 2345 } 2346 2347 if (kde.key_lifetime == NULL) { 2348 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2349 goto error; 2350 } 2351 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2352 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2353 (u8 *) timeoutie, sizeof(*timeoutie)); 2354 lifetime = WPA_GET_LE32(timeoutie->value); 2355 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2356 lifetime); 2357 if (lifetime != peer->lifetime) { 2358 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2359 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2360 goto error; 2361 } 2362 2363 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2364 (u8 *) timeoutie, ftie) < 0) { 2365 wpa_tdls_del_key(sm, peer); 2366 goto error; 2367 } 2368 2369 if (wpa_tdls_set_key(sm, peer) < 0) { 2370 /* 2371 * Some drivers may not be able to config the key prior to full 2372 * STA entry having been configured. 2373 */ 2374 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2375 "STA entry is complete"); 2376 peer->reconfig_key = 1; 2377 } 2378 2379skip_rsn: 2380 if (!peer->tpk_success) { 2381 /* 2382 * Enable Link only when tpk_success is 0, signifying that this 2383 * processing of TPK M3 frame is not because of a retransmission 2384 * during TDLS setup handshake. 2385 */ 2386 ret = wpa_tdls_enable_link(sm, peer); 2387 if (ret < 0) { 2388 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2389 wpa_tdls_do_teardown( 2390 sm, peer, 2391 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2392 } 2393 } 2394 return ret; 2395error: 2396 wpa_tdls_disable_peer_link(sm, peer); 2397 return -1; 2398} 2399 2400 2401static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2402{ 2403 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2404 2405 os_memset(lifetime, 0, ie_len); 2406 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2407 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2408 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2409 WPA_PUT_LE32(lifetime->value, tsecs); 2410 os_memcpy(pos, ie, ie_len); 2411 return pos + ie_len; 2412} 2413 2414 2415/** 2416 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2417 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2418 * @peer: MAC address of the peer STA 2419 * Returns: 0 on success, or -1 on failure 2420 * 2421 * Send TPK Handshake Message 1 info to driver to start TDLS 2422 * handshake with the peer. 2423 */ 2424int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2425{ 2426 struct wpa_tdls_peer *peer; 2427 int tdls_prohibited = sm->tdls_prohibited; 2428 2429 if (sm->tdls_disabled || !sm->tdls_supported) 2430 return -1; 2431 2432#ifdef CONFIG_TDLS_TESTING 2433 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2434 tdls_prohibited) { 2435 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2436 "on TDLS"); 2437 tdls_prohibited = 0; 2438 } 2439#endif /* CONFIG_TDLS_TESTING */ 2440 2441 if (tdls_prohibited) { 2442 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2443 "reject request to start setup"); 2444 return -1; 2445 } 2446 2447 peer = wpa_tdls_add_peer(sm, addr, NULL); 2448 if (peer == NULL) 2449 return -1; 2450 2451 if (peer->tpk_in_progress) { 2452 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2453 return 0; 2454 } 2455 2456 peer->initiator = 1; 2457 2458 /* add the peer to the driver as a "setup in progress" peer */ 2459 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 2460 NULL, 0, NULL, 0, NULL, 0); 2461 2462 peer->tpk_in_progress = 1; 2463 2464 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2465 wpa_tdls_disable_peer_link(sm, peer); 2466 return -1; 2467 } 2468 2469 return 0; 2470} 2471 2472 2473void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2474{ 2475 struct wpa_tdls_peer *peer; 2476 2477 if (sm->tdls_disabled || !sm->tdls_supported) 2478 return; 2479 2480 for (peer = sm->tdls; peer; peer = peer->next) { 2481 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2482 break; 2483 } 2484 2485 if (peer == NULL || !peer->tpk_success) 2486 return; 2487 2488 if (sm->tdls_external_setup) { 2489 /* 2490 * Disable previous link to allow renegotiation to be completed 2491 * on AP path. 2492 */ 2493 wpa_tdls_do_teardown(sm, peer, 2494 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2495 } 2496} 2497 2498 2499/** 2500 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2501 * 2502 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2503 */ 2504static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2505 const u8 *buf, size_t len) 2506{ 2507 struct wpa_sm *sm = ctx; 2508 struct wpa_tdls_frame *tf; 2509 2510 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2511 buf, len); 2512 2513 if (sm->tdls_disabled || !sm->tdls_supported) { 2514 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2515 "or unsupported by driver"); 2516 return; 2517 } 2518 2519 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2520 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2521 return; 2522 } 2523 2524 if (len < sizeof(*tf)) { 2525 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2526 return; 2527 } 2528 2529 /* Check to make sure its a valid encapsulated TDLS frame */ 2530 tf = (struct wpa_tdls_frame *) buf; 2531 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2532 tf->category != WLAN_ACTION_TDLS) { 2533 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2534 "category=%u action=%u", 2535 tf->payloadtype, tf->category, tf->action); 2536 return; 2537 } 2538 2539 switch (tf->action) { 2540 case WLAN_TDLS_SETUP_REQUEST: 2541 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2542 break; 2543 case WLAN_TDLS_SETUP_RESPONSE: 2544 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2545 break; 2546 case WLAN_TDLS_SETUP_CONFIRM: 2547 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2548 break; 2549 case WLAN_TDLS_TEARDOWN: 2550 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2551 break; 2552 case WLAN_TDLS_DISCOVERY_REQUEST: 2553 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2554 break; 2555 default: 2556 /* Kernel code will process remaining frames */ 2557 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2558 tf->action); 2559 break; 2560 } 2561} 2562 2563 2564/** 2565 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2566 * @wpa_s: Pointer to wpa_supplicant data 2567 * Returns: 0 on success, -1 on failure 2568 * 2569 * This function is called to initialize driver interface parameters for TDLS. 2570 * wpa_drv_init() must have been called before this function to initialize the 2571 * driver interface. 2572 */ 2573int wpa_tdls_init(struct wpa_sm *sm) 2574{ 2575 if (sm == NULL) 2576 return -1; 2577 2578 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2579 sm->ifname, 2580 sm->own_addr, 2581 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2582 sm, 0); 2583 if (sm->l2_tdls == NULL) { 2584 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2585 "connection"); 2586 return -1; 2587 } 2588 2589 /* 2590 * Drivers that support TDLS but don't implement the get_capa callback 2591 * are assumed to perform everything internally 2592 */ 2593 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2594 &sm->tdls_external_setup) < 0) { 2595 sm->tdls_supported = 1; 2596 sm->tdls_external_setup = 0; 2597 } 2598 2599 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2600 "driver", sm->tdls_supported ? "" : " not"); 2601 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2602 sm->tdls_external_setup ? "external" : "internal"); 2603 2604 return 0; 2605} 2606 2607 2608void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2609{ 2610 struct wpa_tdls_peer *peer; 2611 2612 peer = sm->tdls; 2613 2614 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2615 2616 while (peer) { 2617 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2618 MAC2STR(peer->addr)); 2619 if (sm->tdls_external_setup) 2620 wpa_tdls_do_teardown(sm, peer, 2621 WLAN_REASON_DEAUTH_LEAVING); 2622 else 2623 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2624 2625 peer = peer->next; 2626 } 2627} 2628 2629 2630static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2631{ 2632 struct wpa_tdls_peer *peer, *tmp; 2633 2634 peer = sm->tdls; 2635 sm->tdls = NULL; 2636 2637 while (peer) { 2638 int res; 2639 tmp = peer->next; 2640 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2641 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2642 MAC2STR(peer->addr), res); 2643 wpa_tdls_peer_free(sm, peer); 2644 os_free(peer); 2645 peer = tmp; 2646 } 2647} 2648 2649 2650/** 2651 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2652 * 2653 * This function is called to recover driver interface parameters for TDLS 2654 * and frees resources allocated for it. 2655 */ 2656void wpa_tdls_deinit(struct wpa_sm *sm) 2657{ 2658 if (sm == NULL) 2659 return; 2660 2661 if (sm->l2_tdls) 2662 l2_packet_deinit(sm->l2_tdls); 2663 sm->l2_tdls = NULL; 2664 2665 wpa_tdls_remove_peers(sm); 2666} 2667 2668 2669void wpa_tdls_assoc(struct wpa_sm *sm) 2670{ 2671 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2672 wpa_tdls_remove_peers(sm); 2673} 2674 2675 2676void wpa_tdls_disassoc(struct wpa_sm *sm) 2677{ 2678 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2679 wpa_tdls_remove_peers(sm); 2680} 2681 2682 2683static int wpa_tdls_prohibited(const u8 *ies, size_t len) 2684{ 2685 struct wpa_eapol_ie_parse elems; 2686 2687 if (ies == NULL) 2688 return 0; 2689 2690 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0) 2691 return 0; 2692 2693 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2694 return 0; 2695 2696 /* bit 38 - TDLS Prohibited */ 2697 return !!(elems.ext_capab[2 + 4] & 0x40); 2698} 2699 2700 2701void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2702{ 2703 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len); 2704 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2705 sm->tdls_prohibited ? "prohibited" : "allowed"); 2706} 2707 2708 2709void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2710{ 2711 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) { 2712 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2713 "(Re)Association Response IEs"); 2714 sm->tdls_prohibited = 1; 2715 } 2716} 2717 2718 2719void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2720{ 2721 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2722 sm->tdls_disabled = !enabled; 2723} 2724 2725 2726int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2727{ 2728 return sm->tdls_external_setup; 2729} 2730