tdls.c revision 8b43e82b5aa16d167d3e2696b7827c412b0e0a00
1/* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/os.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/sha256.h" 16#include "crypto/crypto.h" 17#include "crypto/aes_wrap.h" 18#include "rsn_supp/wpa.h" 19#include "rsn_supp/wpa_ie.h" 20#include "rsn_supp/wpa_i.h" 21#include "drivers/driver.h" 22#include "l2_packet/l2_packet.h" 23 24#ifdef CONFIG_TDLS_TESTING 25#define TDLS_TESTING_LONG_FRAME BIT(0) 26#define TDLS_TESTING_ALT_RSN_IE BIT(1) 27#define TDLS_TESTING_DIFF_BSSID BIT(2) 28#define TDLS_TESTING_SHORT_LIFETIME BIT(3) 29#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 30#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 31#define TDLS_TESTING_LONG_LIFETIME BIT(6) 32#define TDLS_TESTING_CONCURRENT_INIT BIT(7) 33#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 34#define TDLS_TESTING_DECLINE_RESP BIT(9) 35#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 36unsigned int tdls_testing = 0; 37#endif /* CONFIG_TDLS_TESTING */ 38 39#define TPK_LIFETIME 43200 /* 12 hours */ 40#define TPK_M1_RETRY_COUNT 3 41#define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 42#define TPK_M2_RETRY_COUNT 10 43#define TPK_M2_TIMEOUT 500 /* in milliseconds */ 44 45#define TDLS_MIC_LEN 16 46 47#define TDLS_TIMEOUT_LEN 4 48 49struct wpa_tdls_ftie { 50 u8 ie_type; /* FTIE */ 51 u8 ie_len; 52 u8 mic_ctrl[2]; 53 u8 mic[TDLS_MIC_LEN]; 54 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 55 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 56 /* followed by optional elements */ 57} STRUCT_PACKED; 58 59struct wpa_tdls_timeoutie { 60 u8 ie_type; /* Timeout IE */ 61 u8 ie_len; 62 u8 interval_type; 63 u8 value[TDLS_TIMEOUT_LEN]; 64} STRUCT_PACKED; 65 66struct wpa_tdls_lnkid { 67 u8 ie_type; /* Link Identifier IE */ 68 u8 ie_len; 69 u8 bssid[ETH_ALEN]; 70 u8 init_sta[ETH_ALEN]; 71 u8 resp_sta[ETH_ALEN]; 72} STRUCT_PACKED; 73 74/* TDLS frame headers as per IEEE Std 802.11z-2010 */ 75struct wpa_tdls_frame { 76 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 77 u8 category; /* Category */ 78 u8 action; /* Action (enum tdls_frame_type) */ 79} STRUCT_PACKED; 80 81static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 82static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 83static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 84static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 85 struct wpa_tdls_peer *peer); 86 87 88#define TDLS_MAX_IE_LEN 80 89#define IEEE80211_MAX_SUPP_RATES 32 90 91struct wpa_tdls_peer { 92 struct wpa_tdls_peer *next; 93 unsigned int reconfig_key:1; 94 int initiator; /* whether this end was initiator for TDLS setup */ 95 u8 addr[ETH_ALEN]; /* other end MAC address */ 96 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 97 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 98 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 99 size_t rsnie_i_len; 100 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 101 size_t rsnie_p_len; 102 u32 lifetime; 103 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 104 u8 dtoken; 105 106 struct tpk { 107 u8 kck[16]; /* TPK-KCK */ 108 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 109 } tpk; 110 int tpk_set; 111 int tpk_success; 112 113 struct tpk_timer { 114 u8 dest[ETH_ALEN]; 115 int count; /* Retry Count */ 116 int timer; /* Timeout in milliseconds */ 117 u8 action_code; /* TDLS frame type */ 118 u8 dialog_token; 119 u16 status_code; 120 int buf_len; /* length of TPK message for retransmission */ 121 u8 *buf; /* buffer for TPK message */ 122 } sm_tmr; 123 124 u16 capability; 125 126 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 127 size_t supp_rates_len; 128 129 struct ieee80211_ht_capabilities *ht_capabilities; 130 struct ieee80211_vht_capabilities *vht_capabilities; 131 132 u8 qos_info; 133 134 u16 aid; 135 136 u8 *ext_capab; 137 size_t ext_capab_len; 138}; 139 140 141static int wpa_tdls_get_privacy(struct wpa_sm *sm) 142{ 143 /* 144 * Get info needed from supplicant to check if the current BSS supports 145 * security. Other than OPEN mode, rest are considered secured 146 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 147 */ 148 return sm->pairwise_cipher != WPA_CIPHER_NONE; 149} 150 151 152static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 153{ 154 os_memcpy(pos, ie, ie_len); 155 return pos + ie_len; 156} 157 158 159static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 160{ 161 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 162 0, 0, NULL, 0, NULL, 0) < 0) { 163 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 164 "the driver"); 165 return -1; 166 } 167 168 return 0; 169} 170 171 172static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 173{ 174 u8 key_len; 175 u8 rsc[6]; 176 enum wpa_alg alg; 177 178 os_memset(rsc, 0, 6); 179 180 switch (peer->cipher) { 181 case WPA_CIPHER_CCMP: 182 alg = WPA_ALG_CCMP; 183 key_len = 16; 184 break; 185 case WPA_CIPHER_NONE: 186 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 187 "NONE - do not use pairwise keys"); 188 return -1; 189 default: 190 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 191 sm->pairwise_cipher); 192 return -1; 193 } 194 195 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 196 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 197 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 198 "driver"); 199 return -1; 200 } 201 return 0; 202} 203 204 205static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 206 u8 action_code, u8 dialog_token, 207 u16 status_code, const u8 *buf, size_t len) 208{ 209 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 210 status_code, buf, len); 211} 212 213 214static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 215 u8 dialog_token, u16 status_code, 216 const u8 *msg, size_t msg_len) 217{ 218 struct wpa_tdls_peer *peer; 219 220 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 221 "dialog_token=%u status_code=%u msg_len=%u", 222 MAC2STR(dest), action_code, dialog_token, status_code, 223 (unsigned int) msg_len); 224 225 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 226 status_code, msg, msg_len)) { 227 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 228 "(action_code=%u)", action_code); 229 return -1; 230 } 231 232 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 233 action_code == WLAN_TDLS_TEARDOWN || 234 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 235 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 236 return 0; /* No retries */ 237 238 for (peer = sm->tdls; peer; peer = peer->next) { 239 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 240 break; 241 } 242 243 if (peer == NULL) { 244 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 245 "retry " MACSTR, MAC2STR(dest)); 246 return 0; 247 } 248 249 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 250 251 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 252 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 253 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 254 } else { 255 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 256 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 257 } 258 259 /* Copy message to resend on timeout */ 260 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 261 peer->sm_tmr.action_code = action_code; 262 peer->sm_tmr.dialog_token = dialog_token; 263 peer->sm_tmr.status_code = status_code; 264 peer->sm_tmr.buf_len = msg_len; 265 os_free(peer->sm_tmr.buf); 266 peer->sm_tmr.buf = os_malloc(msg_len); 267 if (peer->sm_tmr.buf == NULL) 268 return -1; 269 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 270 271 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 272 "(action_code=%u)", action_code); 273 eloop_register_timeout(peer->sm_tmr.timer / 1000, 274 (peer->sm_tmr.timer % 1000) * 1000, 275 wpa_tdls_tpk_retry_timeout, sm, peer); 276 return 0; 277} 278 279 280static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 281 u16 reason_code) 282{ 283 int ret; 284 285 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 286 /* disable the link after teardown was sent */ 287 wpa_tdls_disable_peer_link(sm, peer); 288 289 return ret; 290} 291 292 293static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 294{ 295 296 struct wpa_sm *sm = eloop_ctx; 297 struct wpa_tdls_peer *peer = timeout_ctx; 298 299 if (peer->sm_tmr.count) { 300 peer->sm_tmr.count--; 301 302 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 303 "(action_code=%u)", 304 peer->sm_tmr.action_code); 305 306 if (peer->sm_tmr.buf == NULL) { 307 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 308 "for action_code=%u", 309 peer->sm_tmr.action_code); 310 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 311 peer); 312 return; 313 } 314 315 /* resend TPK Handshake Message to Peer */ 316 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 317 peer->sm_tmr.action_code, 318 peer->sm_tmr.dialog_token, 319 peer->sm_tmr.status_code, 320 peer->sm_tmr.buf, 321 peer->sm_tmr.buf_len)) { 322 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 323 "transmission"); 324 } 325 326 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 327 eloop_register_timeout(peer->sm_tmr.timer / 1000, 328 (peer->sm_tmr.timer % 1000) * 1000, 329 wpa_tdls_tpk_retry_timeout, sm, peer); 330 } else { 331 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 332 333 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 334 wpa_tdls_do_teardown(sm, peer, 335 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 336 } 337} 338 339 340static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 341 struct wpa_tdls_peer *peer, 342 u8 action_code) 343{ 344 if (action_code == peer->sm_tmr.action_code) { 345 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 346 "action_code=%u", action_code); 347 348 /* Cancel Timeout registered */ 349 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 350 351 /* free all resources meant for retry */ 352 os_free(peer->sm_tmr.buf); 353 peer->sm_tmr.buf = NULL; 354 355 peer->sm_tmr.count = 0; 356 peer->sm_tmr.timer = 0; 357 peer->sm_tmr.buf_len = 0; 358 peer->sm_tmr.action_code = 0xff; 359 } else { 360 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 361 "(Unknown action_code=%u)", action_code); 362 } 363} 364 365 366static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 367 const u8 *own_addr, const u8 *bssid) 368{ 369 u8 key_input[SHA256_MAC_LEN]; 370 const u8 *nonce[2]; 371 size_t len[2]; 372 u8 data[3 * ETH_ALEN]; 373 374 /* IEEE Std 802.11z-2010 8.5.9.1: 375 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 376 */ 377 len[0] = WPA_NONCE_LEN; 378 len[1] = WPA_NONCE_LEN; 379 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 380 nonce[0] = peer->inonce; 381 nonce[1] = peer->rnonce; 382 } else { 383 nonce[0] = peer->rnonce; 384 nonce[1] = peer->inonce; 385 } 386 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 387 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 388 sha256_vector(2, nonce, len, key_input); 389 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 390 key_input, SHA256_MAC_LEN); 391 392 /* 393 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 394 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 395 * TODO: is N_KEY really included in KDF Context and if so, in which 396 * presentation format (little endian 16-bit?) is it used? It gets 397 * added by the KDF anyway.. 398 */ 399 400 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 401 os_memcpy(data, own_addr, ETH_ALEN); 402 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 403 } else { 404 os_memcpy(data, peer->addr, ETH_ALEN); 405 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 406 } 407 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 408 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 409 410 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 411 (u8 *) &peer->tpk, sizeof(peer->tpk)); 412 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 413 peer->tpk.kck, sizeof(peer->tpk.kck)); 414 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 415 peer->tpk.tk, sizeof(peer->tpk.tk)); 416 peer->tpk_set = 1; 417} 418 419 420/** 421 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 422 * @kck: TPK-KCK 423 * @lnkid: Pointer to the beginning of Link Identifier IE 424 * @rsnie: Pointer to the beginning of RSN IE used for handshake 425 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 426 * @ftie: Pointer to the beginning of FT IE 427 * @mic: Pointer for writing MIC 428 * 429 * Calculate MIC for TDLS frame. 430 */ 431static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 432 const u8 *rsnie, const u8 *timeoutie, 433 const u8 *ftie, u8 *mic) 434{ 435 u8 *buf, *pos; 436 struct wpa_tdls_ftie *_ftie; 437 const struct wpa_tdls_lnkid *_lnkid; 438 int ret; 439 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 440 2 + timeoutie[1] + 2 + ftie[1]; 441 buf = os_zalloc(len); 442 if (!buf) { 443 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 444 return -1; 445 } 446 447 pos = buf; 448 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 449 /* 1) TDLS initiator STA MAC address */ 450 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 451 pos += ETH_ALEN; 452 /* 2) TDLS responder STA MAC address */ 453 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 454 pos += ETH_ALEN; 455 /* 3) Transaction Sequence number */ 456 *pos++ = trans_seq; 457 /* 4) Link Identifier IE */ 458 os_memcpy(pos, lnkid, 2 + lnkid[1]); 459 pos += 2 + lnkid[1]; 460 /* 5) RSN IE */ 461 os_memcpy(pos, rsnie, 2 + rsnie[1]); 462 pos += 2 + rsnie[1]; 463 /* 6) Timeout Interval IE */ 464 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 465 pos += 2 + timeoutie[1]; 466 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 467 os_memcpy(pos, ftie, 2 + ftie[1]); 468 _ftie = (struct wpa_tdls_ftie *) pos; 469 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 470 pos += 2 + ftie[1]; 471 472 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 473 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 474 ret = omac1_aes_128(kck, buf, pos - buf, mic); 475 os_free(buf); 476 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 477 return ret; 478} 479 480 481/** 482 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 483 * @kck: TPK-KCK 484 * @trans_seq: Transaction Sequence Number (4 - Teardown) 485 * @rcode: Reason code for Teardown 486 * @dtoken: Dialog Token used for that particular link 487 * @lnkid: Pointer to the beginning of Link Identifier IE 488 * @ftie: Pointer to the beginning of FT IE 489 * @mic: Pointer for writing MIC 490 * 491 * Calculate MIC for TDLS frame. 492 */ 493static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 494 u8 dtoken, const u8 *lnkid, 495 const u8 *ftie, u8 *mic) 496{ 497 u8 *buf, *pos; 498 struct wpa_tdls_ftie *_ftie; 499 int ret; 500 int len; 501 502 if (lnkid == NULL) 503 return -1; 504 505 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 506 sizeof(trans_seq) + 2 + ftie[1]; 507 508 buf = os_zalloc(len); 509 if (!buf) { 510 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 511 return -1; 512 } 513 514 pos = buf; 515 /* 1) Link Identifier IE */ 516 os_memcpy(pos, lnkid, 2 + lnkid[1]); 517 pos += 2 + lnkid[1]; 518 /* 2) Reason Code */ 519 WPA_PUT_LE16(pos, rcode); 520 pos += sizeof(rcode); 521 /* 3) Dialog token */ 522 *pos++ = dtoken; 523 /* 4) Transaction Sequence number */ 524 *pos++ = trans_seq; 525 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 526 os_memcpy(pos, ftie, 2 + ftie[1]); 527 _ftie = (struct wpa_tdls_ftie *) pos; 528 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 529 pos += 2 + ftie[1]; 530 531 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 532 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 533 ret = omac1_aes_128(kck, buf, pos - buf, mic); 534 os_free(buf); 535 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 536 return ret; 537} 538 539 540static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 541 struct wpa_tdls_peer *peer, 542 const u8 *lnkid, const u8 *timeoutie, 543 const struct wpa_tdls_ftie *ftie) 544{ 545 u8 mic[16]; 546 547 if (peer->tpk_set) { 548 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 549 peer->rsnie_p, timeoutie, (u8 *) ftie, 550 mic); 551 if (os_memcmp(mic, ftie->mic, 16) != 0) { 552 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 553 "dropping packet"); 554 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 555 ftie->mic, 16); 556 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 557 mic, 16); 558 return -1; 559 } 560 } else { 561 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 562 "TPK not set - dropping packet"); 563 return -1; 564 } 565 return 0; 566} 567 568 569static int wpa_supplicant_verify_tdls_mic_teardown( 570 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 571 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 572{ 573 u8 mic[16]; 574 575 if (peer->tpk_set) { 576 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 577 dtoken, lnkid, (u8 *) ftie, mic); 578 if (os_memcmp(mic, ftie->mic, 16) != 0) { 579 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 580 "dropping packet"); 581 return -1; 582 } 583 } else { 584 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 585 "MIC, TPK not set - dropping packet"); 586 return -1; 587 } 588 return 0; 589} 590 591 592static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 593{ 594 struct wpa_sm *sm = eloop_ctx; 595 struct wpa_tdls_peer *peer = timeout_ctx; 596 597 /* 598 * On TPK lifetime expiration, we have an option of either tearing down 599 * the direct link or trying to re-initiate it. The selection of what 600 * to do is not strictly speaking controlled by our role in the expired 601 * link, but for now, use that to select whether to renew or tear down 602 * the link. 603 */ 604 605 if (peer->initiator) { 606 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 607 " - try to renew", MAC2STR(peer->addr)); 608 wpa_tdls_start(sm, peer->addr); 609 } else { 610 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 611 " - tear down", MAC2STR(peer->addr)); 612 wpa_tdls_do_teardown(sm, peer, 613 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 614 } 615} 616 617 618static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 619{ 620 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 621 MAC2STR(peer->addr)); 622 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 623 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 624 peer->reconfig_key = 0; 625 peer->initiator = 0; 626 os_free(peer->sm_tmr.buf); 627 peer->sm_tmr.buf = NULL; 628 os_free(peer->ht_capabilities); 629 peer->ht_capabilities = NULL; 630 os_free(peer->vht_capabilities); 631 peer->vht_capabilities = NULL; 632 os_free(peer->ext_capab); 633 peer->ext_capab = NULL; 634 peer->rsnie_i_len = peer->rsnie_p_len = 0; 635 peer->cipher = 0; 636 peer->tpk_set = peer->tpk_success = 0; 637 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 638 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 639 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 640} 641 642 643static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 644 struct wpa_tdls_lnkid *lnkid) 645{ 646 lnkid->ie_type = WLAN_EID_LINK_ID; 647 lnkid->ie_len = 3 * ETH_ALEN; 648 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 649 if (peer->initiator) { 650 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 651 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 652 } else { 653 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 654 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 655 } 656} 657 658 659int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 660{ 661 struct wpa_tdls_peer *peer; 662 struct wpa_tdls_ftie *ftie; 663 struct wpa_tdls_lnkid lnkid; 664 u8 dialog_token; 665 u8 *rbuf, *pos; 666 int ielen; 667 668 if (sm->tdls_disabled || !sm->tdls_supported) 669 return -1; 670 671 /* Find the node and free from the list */ 672 for (peer = sm->tdls; peer; peer = peer->next) { 673 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 674 break; 675 } 676 677 if (peer == NULL) { 678 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 679 "Teardown " MACSTR, MAC2STR(addr)); 680 return 0; 681 } 682 683 dialog_token = peer->dtoken; 684 685 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 686 MAC2STR(addr)); 687 688 ielen = 0; 689 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 690 /* To add FTIE for Teardown request and compute MIC */ 691 ielen += sizeof(*ftie); 692#ifdef CONFIG_TDLS_TESTING 693 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 694 ielen += 170; 695#endif /* CONFIG_TDLS_TESTING */ 696 } 697 698 rbuf = os_zalloc(ielen + 1); 699 if (rbuf == NULL) 700 return -1; 701 pos = rbuf; 702 703 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 704 goto skip_ies; 705 706 ftie = (struct wpa_tdls_ftie *) pos; 707 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 708 /* Using the recent nonce which should be for CONFIRM frame */ 709 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 710 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 711 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 712 pos = (u8 *) (ftie + 1); 713#ifdef CONFIG_TDLS_TESTING 714 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 715 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 716 "FTIE"); 717 ftie->ie_len += 170; 718 *pos++ = 255; /* FTIE subelem */ 719 *pos++ = 168; /* FTIE subelem length */ 720 pos += 168; 721 } 722#endif /* CONFIG_TDLS_TESTING */ 723 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 724 (u8 *) ftie, pos - (u8 *) ftie); 725 726 /* compute MIC before sending */ 727 wpa_tdls_linkid(sm, peer, &lnkid); 728 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 729 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 730 ftie->mic); 731 732skip_ies: 733 /* TODO: register for a Timeout handler, if Teardown is not received at 734 * the other end, then try again another time */ 735 736 /* request driver to send Teardown using this FTIE */ 737 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 738 reason_code, rbuf, pos - rbuf); 739 os_free(rbuf); 740 741 /* clear the Peerkey statemachine */ 742 wpa_tdls_peer_free(sm, peer); 743 744 return 0; 745} 746 747 748int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 749{ 750 struct wpa_tdls_peer *peer; 751 752 if (sm->tdls_disabled || !sm->tdls_supported) 753 return -1; 754 755 for (peer = sm->tdls; peer; peer = peer->next) { 756 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 757 break; 758 } 759 760 if (peer == NULL) { 761 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 762 " for link Teardown", MAC2STR(addr)); 763 return -1; 764 } 765 766 if (!peer->tpk_success) { 767 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 768 " not connected - cannot Teardown link", MAC2STR(addr)); 769 return -1; 770 } 771 772 return wpa_tdls_do_teardown(sm, peer, reason_code); 773} 774 775 776static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 777 struct wpa_tdls_peer *peer) 778{ 779 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 780 wpa_tdls_peer_free(sm, peer); 781} 782 783 784void wpa_tdls_disable_link(struct wpa_sm *sm, const u8 *addr) 785{ 786 struct wpa_tdls_peer *peer; 787 788 for (peer = sm->tdls; peer; peer = peer->next) { 789 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 790 break; 791 } 792 793 if (peer) 794 wpa_tdls_disable_peer_link(sm, peer); 795} 796 797 798static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 799 const u8 *buf, size_t len) 800{ 801 struct wpa_tdls_peer *peer = NULL; 802 struct wpa_tdls_ftie *ftie; 803 struct wpa_tdls_lnkid *lnkid; 804 struct wpa_eapol_ie_parse kde; 805 u16 reason_code; 806 const u8 *pos; 807 int ielen; 808 809 /* Find the node and free from the list */ 810 for (peer = sm->tdls; peer; peer = peer->next) { 811 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 812 break; 813 } 814 815 if (peer == NULL) { 816 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 817 "Teardown " MACSTR, MAC2STR(src_addr)); 818 return 0; 819 } 820 821 pos = buf; 822 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 823 824 reason_code = WPA_GET_LE16(pos); 825 pos += 2; 826 827 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 828 " (reason code %u)", MAC2STR(src_addr), reason_code); 829 830 ielen = len - (pos - buf); /* start of IE in buf */ 831 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 832 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown"); 833 return -1; 834 } 835 836 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 837 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 838 "Teardown"); 839 return -1; 840 } 841 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 842 843 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 844 goto skip_ftie; 845 846 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 847 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 848 return -1; 849 } 850 851 ftie = (struct wpa_tdls_ftie *) kde.ftie; 852 853 /* Process MIC check to see if TDLS Teardown is right */ 854 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 855 peer->dtoken, peer, 856 (u8 *) lnkid, ftie) < 0) { 857 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 858 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 859 return -1; 860 } 861 862skip_ftie: 863 /* 864 * Request the driver to disable the direct link and clear associated 865 * keys. 866 */ 867 wpa_tdls_disable_peer_link(sm, peer); 868 return 0; 869} 870 871 872/** 873 * wpa_tdls_send_error - To send suitable TDLS status response with 874 * appropriate status code mentioning reason for error/failure. 875 * @dst - MAC addr of Peer station 876 * @tdls_action - TDLS frame type for which error code is sent 877 * @status - status code mentioning reason 878 */ 879 880static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 881 u8 tdls_action, u8 dialog_token, u16 status) 882{ 883 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 884 " (action=%u status=%u)", 885 MAC2STR(dst), tdls_action, status); 886 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 887 NULL, 0); 888} 889 890 891static struct wpa_tdls_peer * 892wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 893{ 894 struct wpa_tdls_peer *peer; 895 896 if (existing) 897 *existing = 0; 898 for (peer = sm->tdls; peer; peer = peer->next) { 899 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 900 if (existing) 901 *existing = 1; 902 return peer; /* re-use existing entry */ 903 } 904 } 905 906 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 907 MAC2STR(addr)); 908 909 peer = os_zalloc(sizeof(*peer)); 910 if (peer == NULL) 911 return NULL; 912 913 os_memcpy(peer->addr, addr, ETH_ALEN); 914 peer->next = sm->tdls; 915 sm->tdls = peer; 916 917 return peer; 918} 919 920 921static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 922 struct wpa_tdls_peer *peer) 923{ 924 size_t buf_len; 925 struct wpa_tdls_timeoutie timeoutie; 926 u16 rsn_capab; 927 struct wpa_tdls_ftie *ftie; 928 u8 *rbuf, *pos, *count_pos; 929 u16 count; 930 struct rsn_ie_hdr *hdr; 931 int status; 932 933 if (!wpa_tdls_get_privacy(sm)) { 934 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 935 peer->rsnie_i_len = 0; 936 goto skip_rsnie; 937 } 938 939 /* 940 * TPK Handshake Message 1: 941 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 942 * Timeout Interval IE)) 943 */ 944 945 /* Filling RSN IE */ 946 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 947 hdr->elem_id = WLAN_EID_RSN; 948 WPA_PUT_LE16(hdr->version, RSN_VERSION); 949 950 pos = (u8 *) (hdr + 1); 951 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 952 pos += RSN_SELECTOR_LEN; 953 count_pos = pos; 954 pos += 2; 955 956 count = 0; 957 958 /* 959 * AES-CCMP is the default Encryption preferred for TDLS, so 960 * RSN IE is filled only with CCMP CIPHER 961 * Note: TKIP is not used to encrypt TDLS link. 962 * 963 * Regardless of the cipher used on the AP connection, select CCMP 964 * here. 965 */ 966 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 967 pos += RSN_SELECTOR_LEN; 968 count++; 969 970 WPA_PUT_LE16(count_pos, count); 971 972 WPA_PUT_LE16(pos, 1); 973 pos += 2; 974 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 975 pos += RSN_SELECTOR_LEN; 976 977 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 978 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 979#ifdef CONFIG_TDLS_TESTING 980 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 981 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 982 "testing"); 983 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 984 } 985#endif /* CONFIG_TDLS_TESTING */ 986 WPA_PUT_LE16(pos, rsn_capab); 987 pos += 2; 988#ifdef CONFIG_TDLS_TESTING 989 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 990 /* Number of PMKIDs */ 991 *pos++ = 0x00; 992 *pos++ = 0x00; 993 } 994#endif /* CONFIG_TDLS_TESTING */ 995 996 hdr->len = (pos - peer->rsnie_i) - 2; 997 peer->rsnie_i_len = pos - peer->rsnie_i; 998 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 999 peer->rsnie_i, peer->rsnie_i_len); 1000 1001skip_rsnie: 1002 buf_len = 0; 1003 if (wpa_tdls_get_privacy(sm)) 1004 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1005 sizeof(struct wpa_tdls_timeoutie); 1006#ifdef CONFIG_TDLS_TESTING 1007 if (wpa_tdls_get_privacy(sm) && 1008 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1009 buf_len += 170; 1010 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1011 buf_len += sizeof(struct wpa_tdls_lnkid); 1012#endif /* CONFIG_TDLS_TESTING */ 1013 rbuf = os_zalloc(buf_len + 1); 1014 if (rbuf == NULL) { 1015 wpa_tdls_peer_free(sm, peer); 1016 return -1; 1017 } 1018 pos = rbuf; 1019 1020 if (!wpa_tdls_get_privacy(sm)) 1021 goto skip_ies; 1022 1023 /* Initiator RSN IE */ 1024 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1025 1026 ftie = (struct wpa_tdls_ftie *) pos; 1027 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1028 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1029 1030 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1031 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1032 "TDLS: Failed to get random data for initiator Nonce"); 1033 os_free(rbuf); 1034 wpa_tdls_peer_free(sm, peer); 1035 return -1; 1036 } 1037 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1038 peer->inonce, WPA_NONCE_LEN); 1039 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1040 1041 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1042 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1043 1044 pos = (u8 *) (ftie + 1); 1045 1046#ifdef CONFIG_TDLS_TESTING 1047 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1048 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1049 "FTIE"); 1050 ftie->ie_len += 170; 1051 *pos++ = 255; /* FTIE subelem */ 1052 *pos++ = 168; /* FTIE subelem length */ 1053 pos += 168; 1054 } 1055#endif /* CONFIG_TDLS_TESTING */ 1056 1057 /* Lifetime */ 1058 peer->lifetime = TPK_LIFETIME; 1059#ifdef CONFIG_TDLS_TESTING 1060 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1061 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1062 "lifetime"); 1063 peer->lifetime = 301; 1064 } 1065 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1066 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1067 "lifetime"); 1068 peer->lifetime = 0xffffffff; 1069 } 1070#endif /* CONFIG_TDLS_TESTING */ 1071 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1072 sizeof(timeoutie), peer->lifetime); 1073 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1074 1075skip_ies: 1076 1077#ifdef CONFIG_TDLS_TESTING 1078 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1079 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1080 "Link Identifier"); 1081 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1082 wpa_tdls_linkid(sm, peer, l); 1083 l->bssid[5] ^= 0x01; 1084 pos += sizeof(*l); 1085 } 1086#endif /* CONFIG_TDLS_TESTING */ 1087 1088 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1089 "Handshake Message 1 (peer " MACSTR ")", 1090 MAC2STR(peer->addr)); 1091 1092 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1093 1, 0, rbuf, pos - rbuf); 1094 os_free(rbuf); 1095 1096 return status; 1097} 1098 1099 1100static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1101 const unsigned char *src_addr, u8 dtoken, 1102 struct wpa_tdls_lnkid *lnkid, 1103 const struct wpa_tdls_peer *peer) 1104{ 1105 u8 *rbuf, *pos; 1106 size_t buf_len; 1107 u32 lifetime; 1108 struct wpa_tdls_timeoutie timeoutie; 1109 struct wpa_tdls_ftie *ftie; 1110 int status; 1111 1112 buf_len = 0; 1113 if (wpa_tdls_get_privacy(sm)) { 1114 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1115 * Lifetime */ 1116 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1117 sizeof(struct wpa_tdls_timeoutie); 1118#ifdef CONFIG_TDLS_TESTING 1119 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1120 buf_len += 170; 1121#endif /* CONFIG_TDLS_TESTING */ 1122 } 1123 1124 rbuf = os_zalloc(buf_len + 1); 1125 if (rbuf == NULL) 1126 return -1; 1127 pos = rbuf; 1128 1129 if (!wpa_tdls_get_privacy(sm)) 1130 goto skip_ies; 1131 1132 /* Peer RSN IE */ 1133 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1134 1135 ftie = (struct wpa_tdls_ftie *) pos; 1136 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1137 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1138 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1139 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1140 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1141 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1142 (u8 *) ftie, sizeof(*ftie)); 1143 1144 pos = (u8 *) (ftie + 1); 1145 1146#ifdef CONFIG_TDLS_TESTING 1147 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1148 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1149 "FTIE"); 1150 ftie->ie_len += 170; 1151 *pos++ = 255; /* FTIE subelem */ 1152 *pos++ = 168; /* FTIE subelem length */ 1153 pos += 168; 1154 } 1155#endif /* CONFIG_TDLS_TESTING */ 1156 1157 /* Lifetime */ 1158 lifetime = peer->lifetime; 1159#ifdef CONFIG_TDLS_TESTING 1160 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1161 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1162 "lifetime in response"); 1163 lifetime++; 1164 } 1165#endif /* CONFIG_TDLS_TESTING */ 1166 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1167 sizeof(timeoutie), lifetime); 1168 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1169 lifetime); 1170 1171 /* compute MIC before sending */ 1172 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1173 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1174 1175skip_ies: 1176 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1177 dtoken, 0, rbuf, pos - rbuf); 1178 os_free(rbuf); 1179 1180 return status; 1181} 1182 1183 1184static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1185 const unsigned char *src_addr, u8 dtoken, 1186 struct wpa_tdls_lnkid *lnkid, 1187 const struct wpa_tdls_peer *peer) 1188{ 1189 u8 *rbuf, *pos; 1190 size_t buf_len; 1191 struct wpa_tdls_ftie *ftie; 1192 struct wpa_tdls_timeoutie timeoutie; 1193 u32 lifetime; 1194 int status; 1195 1196 buf_len = 0; 1197 if (wpa_tdls_get_privacy(sm)) { 1198 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1199 * Lifetime */ 1200 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1201 sizeof(struct wpa_tdls_timeoutie); 1202#ifdef CONFIG_TDLS_TESTING 1203 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1204 buf_len += 170; 1205#endif /* CONFIG_TDLS_TESTING */ 1206 } 1207 1208 rbuf = os_zalloc(buf_len + 1); 1209 if (rbuf == NULL) 1210 return -1; 1211 pos = rbuf; 1212 1213 if (!wpa_tdls_get_privacy(sm)) 1214 goto skip_ies; 1215 1216 /* Peer RSN IE */ 1217 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1218 1219 ftie = (struct wpa_tdls_ftie *) pos; 1220 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1221 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1222 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1223 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1224 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1225 1226 pos = (u8 *) (ftie + 1); 1227 1228#ifdef CONFIG_TDLS_TESTING 1229 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1230 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1231 "FTIE"); 1232 ftie->ie_len += 170; 1233 *pos++ = 255; /* FTIE subelem */ 1234 *pos++ = 168; /* FTIE subelem length */ 1235 pos += 168; 1236 } 1237#endif /* CONFIG_TDLS_TESTING */ 1238 1239 /* Lifetime */ 1240 lifetime = peer->lifetime; 1241#ifdef CONFIG_TDLS_TESTING 1242 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1243 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1244 "lifetime in confirm"); 1245 lifetime++; 1246 } 1247#endif /* CONFIG_TDLS_TESTING */ 1248 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1249 sizeof(timeoutie), lifetime); 1250 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1251 lifetime); 1252 1253 /* compute MIC before sending */ 1254 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1255 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1256 1257skip_ies: 1258 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1259 dtoken, 0, rbuf, pos - rbuf); 1260 os_free(rbuf); 1261 1262 return status; 1263} 1264 1265 1266static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1267 struct wpa_tdls_peer *peer, 1268 u8 dialog_token) 1269{ 1270 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1271 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1272 1273 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1274 dialog_token, 0, NULL, 0); 1275} 1276 1277 1278static int 1279wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1280 const u8 *buf, size_t len) 1281{ 1282 struct wpa_eapol_ie_parse kde; 1283 const struct wpa_tdls_lnkid *lnkid; 1284 struct wpa_tdls_peer *peer; 1285 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1286 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1287 u8 dialog_token; 1288 1289 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1290 MAC2STR(addr)); 1291 1292 if (len < min_req_len) { 1293 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1294 "%d", (int) len); 1295 return -1; 1296 } 1297 1298 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1299 1300 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1301 len - (sizeof(struct wpa_tdls_frame) + 1), 1302 &kde) < 0) 1303 return -1; 1304 1305 if (!kde.lnkid) { 1306 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1307 "Request"); 1308 return -1; 1309 } 1310 1311 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1312 1313 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1314 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1315 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1316 return -1; 1317 } 1318 1319 peer = wpa_tdls_add_peer(sm, addr, NULL); 1320 if (peer == NULL) 1321 return -1; 1322 1323 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1324} 1325 1326 1327int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1328{ 1329 if (sm->tdls_disabled || !sm->tdls_supported) 1330 return -1; 1331 1332 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1333 MACSTR, MAC2STR(addr)); 1334 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1335 1, 0, NULL, 0); 1336} 1337 1338 1339static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1340 struct wpa_tdls_peer *peer) 1341{ 1342 if (!kde->supp_rates) { 1343 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1344 return -1; 1345 } 1346 peer->supp_rates_len = merge_byte_arrays( 1347 peer->supp_rates, sizeof(peer->supp_rates), 1348 kde->supp_rates + 2, kde->supp_rates_len - 2, 1349 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1350 kde->ext_supp_rates_len - 2); 1351 return 0; 1352} 1353 1354 1355static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1356 struct wpa_tdls_peer *peer) 1357{ 1358 if (!kde->ht_capabilities || 1359 kde->ht_capabilities_len < 1360 sizeof(struct ieee80211_ht_capabilities) ) { 1361 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1362 "received"); 1363 return 0; 1364 } 1365 1366 if (!peer->ht_capabilities) { 1367 peer->ht_capabilities = 1368 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1369 if (peer->ht_capabilities == NULL) 1370 return -1; 1371 } 1372 1373 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1374 sizeof(struct ieee80211_ht_capabilities)); 1375 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1376 (u8 *) peer->ht_capabilities, 1377 sizeof(struct ieee80211_ht_capabilities)); 1378 1379 return 0; 1380} 1381 1382 1383static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1384 struct wpa_tdls_peer *peer) 1385{ 1386 if (!kde->vht_capabilities || 1387 kde->vht_capabilities_len < 1388 sizeof(struct ieee80211_vht_capabilities) ) { 1389 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1390 "received"); 1391 return 0; 1392 } 1393 1394 if (!peer->vht_capabilities) { 1395 peer->vht_capabilities = 1396 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1397 if (peer->vht_capabilities == NULL) 1398 return -1; 1399 } 1400 1401 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1402 sizeof(struct ieee80211_vht_capabilities)); 1403 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1404 (u8 *) peer->vht_capabilities, 1405 sizeof(struct ieee80211_vht_capabilities)); 1406 1407 return 0; 1408} 1409 1410 1411static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1412 struct wpa_tdls_peer *peer) 1413{ 1414 if (!kde->ext_capab) { 1415 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1416 "received"); 1417 return 0; 1418 } 1419 1420 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1421 /* Need to allocate buffer to fit the new information */ 1422 os_free(peer->ext_capab); 1423 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1424 if (peer->ext_capab == NULL) 1425 return -1; 1426 } 1427 1428 peer->ext_capab_len = kde->ext_capab_len - 2; 1429 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1430 1431 return 0; 1432} 1433 1434 1435static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1436 const u8 *buf, size_t len) 1437{ 1438 struct wpa_tdls_peer *peer; 1439 struct wpa_eapol_ie_parse kde; 1440 struct wpa_ie_data ie; 1441 int cipher; 1442 const u8 *cpos; 1443 struct wpa_tdls_ftie *ftie = NULL; 1444 struct wpa_tdls_timeoutie *timeoutie; 1445 struct wpa_tdls_lnkid *lnkid; 1446 u32 lifetime = 0; 1447#if 0 1448 struct rsn_ie_hdr *hdr; 1449 u8 *pos; 1450 u16 rsn_capab; 1451 u16 rsn_ver; 1452#endif 1453 u8 dtoken; 1454 u16 ielen; 1455 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1456 int tdls_prohibited = sm->tdls_prohibited; 1457 int existing_peer = 0; 1458 1459 if (len < 3 + 3) 1460 return -1; 1461 1462 cpos = buf; 1463 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1464 1465 /* driver had already verified the frame format */ 1466 dtoken = *cpos++; /* dialog token */ 1467 1468 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1469 1470 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1471 if (peer == NULL) 1472 goto error; 1473 1474 /* If found, use existing entry instead of adding a new one; 1475 * how to handle the case where both ends initiate at the 1476 * same time? */ 1477 if (existing_peer) { 1478 if (peer->tpk_success) { 1479 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1480 "direct link is enabled - tear down the " 1481 "old link first"); 1482 wpa_tdls_disable_peer_link(sm, peer); 1483 } 1484 1485 /* 1486 * An entry is already present, so check if we already sent a 1487 * TDLS Setup Request. If so, compare MAC addresses and let the 1488 * STA with the lower MAC address continue as the initiator. 1489 * The other negotiation is terminated. 1490 */ 1491 if (peer->initiator) { 1492 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1493 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1494 "from peer with higher address " 1495 MACSTR, MAC2STR(src_addr)); 1496 return -1; 1497 } else { 1498 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1499 "from peer with lower address " 1500 MACSTR " (terminate previously " 1501 "initiated negotiation", 1502 MAC2STR(src_addr)); 1503 wpa_tdls_disable_peer_link(sm, peer); 1504 } 1505 } 1506 } 1507 1508 /* capability information */ 1509 peer->capability = WPA_GET_LE16(cpos); 1510 cpos += 2; 1511 1512 ielen = len - (cpos - buf); /* start of IE in buf */ 1513 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) { 1514 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1"); 1515 goto error; 1516 } 1517 1518 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1519 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1520 "TPK M1"); 1521 goto error; 1522 } 1523 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1524 kde.lnkid, kde.lnkid_len); 1525 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1526 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1527 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1528 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1529 goto error; 1530 } 1531 1532 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1533 MAC2STR(src_addr)); 1534 1535 if (copy_supp_rates(&kde, peer) < 0) 1536 goto error; 1537 1538 if (copy_peer_ht_capab(&kde, peer) < 0) 1539 goto error; 1540 1541 if (copy_peer_vht_capab(&kde, peer) < 0) 1542 goto error; 1543 1544 if (copy_peer_ext_capab(&kde, peer) < 0) 1545 goto error; 1546 1547 peer->qos_info = kde.qosinfo; 1548 1549 peer->aid = kde.aid; 1550 1551#ifdef CONFIG_TDLS_TESTING 1552 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1553 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1554 if (peer == NULL) 1555 goto error; 1556 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1557 "TDLS setup - send own request"); 1558 peer->initiator = 1; 1559 wpa_tdls_send_tpk_m1(sm, peer); 1560 } 1561 1562 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1563 tdls_prohibited) { 1564 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1565 "on TDLS"); 1566 tdls_prohibited = 0; 1567 } 1568#endif /* CONFIG_TDLS_TESTING */ 1569 1570 if (tdls_prohibited) { 1571 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1572 status = WLAN_STATUS_REQUEST_DECLINED; 1573 goto error; 1574 } 1575 1576 if (!wpa_tdls_get_privacy(sm)) { 1577 if (kde.rsn_ie) { 1578 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1579 "security is disabled"); 1580 status = WLAN_STATUS_SECURITY_DISABLED; 1581 goto error; 1582 } 1583 goto skip_rsn; 1584 } 1585 1586 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1587 kde.rsn_ie == NULL) { 1588 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1589 status = WLAN_STATUS_INVALID_PARAMETERS; 1590 goto error; 1591 } 1592 1593 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1594 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1595 "TPK M1"); 1596 status = WLAN_STATUS_INVALID_RSNIE; 1597 goto error; 1598 } 1599 1600 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1601 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1602 status = WLAN_STATUS_INVALID_RSNIE; 1603 goto error; 1604 } 1605 1606 cipher = ie.pairwise_cipher; 1607 if (cipher & WPA_CIPHER_CCMP) { 1608 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1609 cipher = WPA_CIPHER_CCMP; 1610 } else { 1611 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1612 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1613 goto error; 1614 } 1615 1616 if ((ie.capabilities & 1617 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1618 WPA_CAPABILITY_PEERKEY_ENABLED) { 1619 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1620 "TPK M1"); 1621 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1622 goto error; 1623 } 1624 1625 /* Lifetime */ 1626 if (kde.key_lifetime == NULL) { 1627 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1628 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1629 goto error; 1630 } 1631 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1632 lifetime = WPA_GET_LE32(timeoutie->value); 1633 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1634 if (lifetime < 300) { 1635 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1636 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1637 goto error; 1638 } 1639 1640skip_rsn: 1641#ifdef CONFIG_TDLS_TESTING 1642 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1643 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1644 /* 1645 * The request frame from us is going to win, so do not 1646 * replace information based on this request frame from 1647 * the peer. 1648 */ 1649 goto skip_rsn_check; 1650 } 1651 } 1652#endif /* CONFIG_TDLS_TESTING */ 1653 1654 peer->initiator = 0; /* Need to check */ 1655 peer->dtoken = dtoken; 1656 1657 if (!wpa_tdls_get_privacy(sm)) { 1658 peer->rsnie_i_len = 0; 1659 peer->rsnie_p_len = 0; 1660 peer->cipher = WPA_CIPHER_NONE; 1661 goto skip_rsn_check; 1662 } 1663 1664 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1665 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1666 peer->rsnie_i_len = kde.rsn_ie_len; 1667 peer->cipher = cipher; 1668 1669 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 1670 /* 1671 * There is no point in updating the RNonce for every obtained 1672 * TPK M1 frame (e.g., retransmission due to timeout) with the 1673 * same INonce (SNonce in FTIE). However, if the TPK M1 is 1674 * retransmitted with a different INonce, update the RNonce 1675 * since this is for a new TDLS session. 1676 */ 1677 wpa_printf(MSG_DEBUG, 1678 "TDLS: New TPK M1 INonce - generate new RNonce"); 1679 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 1680 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 1681 wpa_msg(sm->ctx->ctx, MSG_WARNING, 1682 "TDLS: Failed to get random data for responder nonce"); 1683 wpa_tdls_peer_free(sm, peer); 1684 goto error; 1685 } 1686 } 1687 1688#if 0 1689 /* get version info from RSNIE received from Peer */ 1690 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 1691 rsn_ver = WPA_GET_LE16(hdr->version); 1692 1693 /* use min(peer's version, out version) */ 1694 if (rsn_ver > RSN_VERSION) 1695 rsn_ver = RSN_VERSION; 1696 1697 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 1698 1699 hdr->elem_id = WLAN_EID_RSN; 1700 WPA_PUT_LE16(hdr->version, rsn_ver); 1701 pos = (u8 *) (hdr + 1); 1702 1703 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1704 pos += RSN_SELECTOR_LEN; 1705 /* Include only the selected cipher in pairwise cipher suite */ 1706 WPA_PUT_LE16(pos, 1); 1707 pos += 2; 1708 if (cipher == WPA_CIPHER_CCMP) 1709 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1710 pos += RSN_SELECTOR_LEN; 1711 1712 WPA_PUT_LE16(pos, 1); 1713 pos += 2; 1714 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1715 pos += RSN_SELECTOR_LEN; 1716 1717 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1718 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1719 WPA_PUT_LE16(pos, rsn_capab); 1720 pos += 2; 1721 1722 hdr->len = (pos - peer->rsnie_p) - 2; 1723 peer->rsnie_p_len = pos - peer->rsnie_p; 1724#endif 1725 1726 /* temp fix: validation of RSNIE later */ 1727 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 1728 peer->rsnie_p_len = peer->rsnie_i_len; 1729 1730 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1731 peer->rsnie_p, peer->rsnie_p_len); 1732 1733 peer->lifetime = lifetime; 1734 1735 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 1736 1737skip_rsn_check: 1738 /* add the peer to the driver as a "setup in progress" peer */ 1739 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 1740 NULL, 0); 1741 1742 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 1743 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 1744 wpa_tdls_disable_peer_link(sm, peer); 1745 goto error; 1746 } 1747 1748 return 0; 1749 1750error: 1751 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 1752 status); 1753 return -1; 1754} 1755 1756 1757static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 1758{ 1759 peer->tpk_success = 1; 1760 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1761 if (wpa_tdls_get_privacy(sm)) { 1762 u32 lifetime = peer->lifetime; 1763 /* 1764 * Start the initiator process a bit earlier to avoid race 1765 * condition with the responder sending teardown request. 1766 */ 1767 if (lifetime > 3 && peer->initiator) 1768 lifetime -= 3; 1769 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 1770 sm, peer); 1771#ifdef CONFIG_TDLS_TESTING 1772 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 1773 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 1774 "expiration"); 1775 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1776 } 1777#endif /* CONFIG_TDLS_TESTING */ 1778 } 1779 1780 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 1781 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 0, peer->aid, 1782 peer->capability, 1783 peer->supp_rates, peer->supp_rates_len, 1784 peer->ht_capabilities, 1785 peer->vht_capabilities, 1786 peer->qos_info, peer->ext_capab, 1787 peer->ext_capab_len) < 0) 1788 return -1; 1789 1790 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 1791 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 1792 "driver"); 1793 return -1; 1794 } 1795 peer->reconfig_key = 0; 1796 1797 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 1798} 1799 1800 1801static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 1802 const u8 *buf, size_t len) 1803{ 1804 struct wpa_tdls_peer *peer; 1805 struct wpa_eapol_ie_parse kde; 1806 struct wpa_ie_data ie; 1807 int cipher; 1808 struct wpa_tdls_ftie *ftie; 1809 struct wpa_tdls_timeoutie *timeoutie; 1810 struct wpa_tdls_lnkid *lnkid; 1811 u32 lifetime; 1812 u8 dtoken; 1813 int ielen; 1814 u16 status; 1815 const u8 *pos; 1816 int ret; 1817 1818 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 1819 "(Peer " MACSTR ")", MAC2STR(src_addr)); 1820 for (peer = sm->tdls; peer; peer = peer->next) { 1821 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 1822 break; 1823 } 1824 if (peer == NULL) { 1825 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 1826 "TPK M2: " MACSTR, MAC2STR(src_addr)); 1827 return -1; 1828 } 1829 if (!peer->initiator) { 1830 /* 1831 * This may happen if both devices try to initiate TDLS at the 1832 * same time and we accept the TPK M1 from the peer in 1833 * wpa_tdls_process_tpk_m1() and clear our previous state. 1834 */ 1835 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 1836 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 1837 return -1; 1838 } 1839 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 1840 1841 if (len < 3 + 2 + 1) { 1842 wpa_tdls_disable_peer_link(sm, peer); 1843 return -1; 1844 } 1845 1846 pos = buf; 1847 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1848 status = WPA_GET_LE16(pos); 1849 pos += 2 /* status code */; 1850 1851 if (status != WLAN_STATUS_SUCCESS) { 1852 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 1853 status); 1854 wpa_tdls_disable_peer_link(sm, peer); 1855 return -1; 1856 } 1857 1858 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1859 1860 /* TODO: need to verify dialog token matches here or in kernel */ 1861 dtoken = *pos++; /* dialog token */ 1862 1863 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 1864 1865 if (len < 3 + 2 + 1 + 2) { 1866 wpa_tdls_disable_peer_link(sm, peer); 1867 return -1; 1868 } 1869 1870 /* capability information */ 1871 peer->capability = WPA_GET_LE16(pos); 1872 pos += 2; 1873 1874 ielen = len - (pos - buf); /* start of IE in buf */ 1875 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) { 1876 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2"); 1877 goto error; 1878 } 1879 1880#ifdef CONFIG_TDLS_TESTING 1881 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 1882 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 1883 status = WLAN_STATUS_REQUEST_DECLINED; 1884 goto error; 1885 } 1886#endif /* CONFIG_TDLS_TESTING */ 1887 1888 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1889 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1890 "TPK M2"); 1891 goto error; 1892 } 1893 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 1894 kde.lnkid, kde.lnkid_len); 1895 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1896 1897 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1898 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 1899 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1900 goto error; 1901 } 1902 1903 if (copy_supp_rates(&kde, peer) < 0) 1904 goto error; 1905 1906 if (copy_peer_ht_capab(&kde, peer) < 0) 1907 goto error; 1908 1909 if (copy_peer_vht_capab(&kde, peer) < 0) 1910 goto error; 1911 1912 if (copy_peer_ext_capab(&kde, peer) < 0) 1913 goto error; 1914 1915 peer->qos_info = kde.qosinfo; 1916 1917 peer->aid = kde.aid; 1918 1919 if (!wpa_tdls_get_privacy(sm)) { 1920 peer->rsnie_p_len = 0; 1921 peer->cipher = WPA_CIPHER_NONE; 1922 goto skip_rsn; 1923 } 1924 1925 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1926 kde.rsn_ie == NULL) { 1927 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 1928 status = WLAN_STATUS_INVALID_PARAMETERS; 1929 goto error; 1930 } 1931 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 1932 kde.rsn_ie, kde.rsn_ie_len); 1933 1934 /* 1935 * FIX: bitwise comparison of RSN IE is not the correct way of 1936 * validation this. It can be different, but certain fields must 1937 * match. Since we list only a single pairwise cipher in TPK M1, the 1938 * memcmp is likely to work in most cases, though. 1939 */ 1940 if (kde.rsn_ie_len != peer->rsnie_i_len || 1941 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 1942 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 1943 "not match with RSN IE used in TPK M1"); 1944 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 1945 peer->rsnie_i, peer->rsnie_i_len); 1946 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 1947 kde.rsn_ie, kde.rsn_ie_len); 1948 status = WLAN_STATUS_INVALID_RSNIE; 1949 goto error; 1950 } 1951 1952 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1953 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 1954 status = WLAN_STATUS_INVALID_RSNIE; 1955 goto error; 1956 } 1957 1958 cipher = ie.pairwise_cipher; 1959 if (cipher == WPA_CIPHER_CCMP) { 1960 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1961 cipher = WPA_CIPHER_CCMP; 1962 } else { 1963 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 1964 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1965 goto error; 1966 } 1967 1968 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 1969 kde.ftie, sizeof(*ftie)); 1970 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1971 1972 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 1973 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 1974 "not match with FTIE SNonce used in TPK M1"); 1975 /* Silently discard the frame */ 1976 return -1; 1977 } 1978 1979 /* Responder Nonce and RSN IE */ 1980 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 1981 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 1982 peer->rsnie_p_len = kde.rsn_ie_len; 1983 peer->cipher = cipher; 1984 1985 /* Lifetime */ 1986 if (kde.key_lifetime == NULL) { 1987 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 1988 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1989 goto error; 1990 } 1991 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1992 lifetime = WPA_GET_LE32(timeoutie->value); 1993 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 1994 lifetime); 1995 if (lifetime != peer->lifetime) { 1996 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 1997 "TPK M2 (expected %u)", lifetime, peer->lifetime); 1998 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1999 goto error; 2000 } 2001 2002 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2003 2004 /* Process MIC check to see if TPK M2 is right */ 2005 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2006 (u8 *) timeoutie, ftie) < 0) { 2007 /* Discard the frame */ 2008 wpa_tdls_del_key(sm, peer); 2009 wpa_tdls_disable_peer_link(sm, peer); 2010 return -1; 2011 } 2012 2013 if (wpa_tdls_set_key(sm, peer) < 0) { 2014 /* 2015 * Some drivers may not be able to config the key prior to full 2016 * STA entry having been configured. 2017 */ 2018 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2019 "STA entry is complete"); 2020 peer->reconfig_key = 1; 2021 } 2022 2023skip_rsn: 2024 peer->dtoken = dtoken; 2025 2026 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2027 "TPK Handshake Message 3"); 2028 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) { 2029 wpa_tdls_disable_peer_link(sm, peer); 2030 return -1; 2031 } 2032 2033 ret = wpa_tdls_enable_link(sm, peer); 2034 if (ret < 0) { 2035 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2036 wpa_tdls_do_teardown(sm, peer, 2037 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2038 } 2039 return ret; 2040 2041error: 2042 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 2043 status); 2044 wpa_tdls_disable_peer_link(sm, peer); 2045 return -1; 2046} 2047 2048 2049static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2050 const u8 *buf, size_t len) 2051{ 2052 struct wpa_tdls_peer *peer; 2053 struct wpa_eapol_ie_parse kde; 2054 struct wpa_tdls_ftie *ftie; 2055 struct wpa_tdls_timeoutie *timeoutie; 2056 struct wpa_tdls_lnkid *lnkid; 2057 int ielen; 2058 u16 status; 2059 const u8 *pos; 2060 u32 lifetime; 2061 int ret; 2062 2063 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2064 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2065 for (peer = sm->tdls; peer; peer = peer->next) { 2066 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2067 break; 2068 } 2069 if (peer == NULL) { 2070 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2071 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2072 return -1; 2073 } 2074 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2075 2076 if (len < 3 + 3) 2077 goto error; 2078 pos = buf; 2079 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2080 2081 status = WPA_GET_LE16(pos); 2082 2083 if (status != 0) { 2084 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2085 status); 2086 goto error; 2087 } 2088 pos += 2 /* status code */ + 1 /* dialog token */; 2089 2090 ielen = len - (pos - buf); /* start of IE in buf */ 2091 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2092 wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3"); 2093 goto error; 2094 } 2095 2096 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2097 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2098 goto error; 2099 } 2100 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2101 (u8 *) kde.lnkid, kde.lnkid_len); 2102 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2103 2104 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2105 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2106 goto error; 2107 } 2108 2109 if (!wpa_tdls_get_privacy(sm)) 2110 goto skip_rsn; 2111 2112 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2113 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2114 goto error; 2115 } 2116 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2117 kde.ftie, sizeof(*ftie)); 2118 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2119 2120 if (kde.rsn_ie == NULL) { 2121 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2122 goto error; 2123 } 2124 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2125 kde.rsn_ie, kde.rsn_ie_len); 2126 if (kde.rsn_ie_len != peer->rsnie_p_len || 2127 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2128 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2129 "with the one sent in TPK M2"); 2130 goto error; 2131 } 2132 2133 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2134 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2135 "not match with FTIE ANonce used in TPK M2"); 2136 goto error; 2137 } 2138 2139 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2140 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2141 "match with FTIE SNonce used in TPK M1"); 2142 goto error; 2143 } 2144 2145 if (kde.key_lifetime == NULL) { 2146 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2147 goto error; 2148 } 2149 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2150 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2151 (u8 *) timeoutie, sizeof(*timeoutie)); 2152 lifetime = WPA_GET_LE32(timeoutie->value); 2153 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2154 lifetime); 2155 if (lifetime != peer->lifetime) { 2156 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2157 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2158 goto error; 2159 } 2160 2161 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2162 (u8 *) timeoutie, ftie) < 0) { 2163 wpa_tdls_del_key(sm, peer); 2164 goto error; 2165 } 2166 2167 if (wpa_tdls_set_key(sm, peer) < 0) { 2168 /* 2169 * Some drivers may not be able to config the key prior to full 2170 * STA entry having been configured. 2171 */ 2172 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2173 "STA entry is complete"); 2174 peer->reconfig_key = 1; 2175 } 2176 2177skip_rsn: 2178 ret = wpa_tdls_enable_link(sm, peer); 2179 if (ret < 0) { 2180 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2181 wpa_tdls_do_teardown(sm, peer, 2182 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2183 } 2184 return ret; 2185error: 2186 wpa_tdls_disable_peer_link(sm, peer); 2187 return -1; 2188} 2189 2190 2191static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2192{ 2193 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2194 2195 os_memset(lifetime, 0, ie_len); 2196 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2197 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2198 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2199 WPA_PUT_LE32(lifetime->value, tsecs); 2200 os_memcpy(pos, ie, ie_len); 2201 return pos + ie_len; 2202} 2203 2204 2205/** 2206 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2207 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2208 * @peer: MAC address of the peer STA 2209 * Returns: 0 on success, or -1 on failure 2210 * 2211 * Send TPK Handshake Message 1 info to driver to start TDLS 2212 * handshake with the peer. 2213 */ 2214int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2215{ 2216 struct wpa_tdls_peer *peer; 2217 int tdls_prohibited = sm->tdls_prohibited; 2218 2219 if (sm->tdls_disabled || !sm->tdls_supported) 2220 return -1; 2221 2222#ifdef CONFIG_TDLS_TESTING 2223 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2224 tdls_prohibited) { 2225 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2226 "on TDLS"); 2227 tdls_prohibited = 0; 2228 } 2229#endif /* CONFIG_TDLS_TESTING */ 2230 2231 if (tdls_prohibited) { 2232 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2233 "reject request to start setup"); 2234 return -1; 2235 } 2236 2237 peer = wpa_tdls_add_peer(sm, addr, NULL); 2238 if (peer == NULL) 2239 return -1; 2240 2241 peer->initiator = 1; 2242 2243 /* add the peer to the driver as a "setup in progress" peer */ 2244 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 2245 NULL, 0); 2246 2247 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2248 wpa_tdls_disable_peer_link(sm, peer); 2249 return -1; 2250 } 2251 2252 return 0; 2253} 2254 2255 2256void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2257{ 2258 struct wpa_tdls_peer *peer; 2259 2260 if (sm->tdls_disabled || !sm->tdls_supported) 2261 return; 2262 2263 for (peer = sm->tdls; peer; peer = peer->next) { 2264 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2265 break; 2266 } 2267 2268 if (peer == NULL || !peer->tpk_success) 2269 return; 2270 2271 if (sm->tdls_external_setup) { 2272 /* 2273 * Disable previous link to allow renegotiation to be completed 2274 * on AP path. 2275 */ 2276 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2277 } 2278} 2279 2280 2281/** 2282 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2283 * 2284 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2285 */ 2286static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2287 const u8 *buf, size_t len) 2288{ 2289 struct wpa_sm *sm = ctx; 2290 struct wpa_tdls_frame *tf; 2291 2292 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2293 buf, len); 2294 2295 if (sm->tdls_disabled || !sm->tdls_supported) { 2296 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2297 "or unsupported by driver"); 2298 return; 2299 } 2300 2301 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2302 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2303 return; 2304 } 2305 2306 if (len < sizeof(*tf)) { 2307 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2308 return; 2309 } 2310 2311 /* Check to make sure its a valid encapsulated TDLS frame */ 2312 tf = (struct wpa_tdls_frame *) buf; 2313 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2314 tf->category != WLAN_ACTION_TDLS) { 2315 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2316 "category=%u action=%u", 2317 tf->payloadtype, tf->category, tf->action); 2318 return; 2319 } 2320 2321 switch (tf->action) { 2322 case WLAN_TDLS_SETUP_REQUEST: 2323 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2324 break; 2325 case WLAN_TDLS_SETUP_RESPONSE: 2326 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2327 break; 2328 case WLAN_TDLS_SETUP_CONFIRM: 2329 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2330 break; 2331 case WLAN_TDLS_TEARDOWN: 2332 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2333 break; 2334 case WLAN_TDLS_DISCOVERY_REQUEST: 2335 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2336 break; 2337 default: 2338 /* Kernel code will process remaining frames */ 2339 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2340 tf->action); 2341 break; 2342 } 2343} 2344 2345 2346/** 2347 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2348 * @wpa_s: Pointer to wpa_supplicant data 2349 * Returns: 0 on success, -1 on failure 2350 * 2351 * This function is called to initialize driver interface parameters for TDLS. 2352 * wpa_drv_init() must have been called before this function to initialize the 2353 * driver interface. 2354 */ 2355int wpa_tdls_init(struct wpa_sm *sm) 2356{ 2357 if (sm == NULL) 2358 return -1; 2359 2360 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2361 sm->ifname, 2362 sm->own_addr, 2363 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2364 sm, 0); 2365 if (sm->l2_tdls == NULL) { 2366 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2367 "connection"); 2368 return -1; 2369 } 2370 2371 /* 2372 * Drivers that support TDLS but don't implement the get_capa callback 2373 * are assumed to perform everything internally 2374 */ 2375 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2376 &sm->tdls_external_setup) < 0) { 2377 sm->tdls_supported = 1; 2378 sm->tdls_external_setup = 0; 2379 } 2380 2381 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2382 "driver", sm->tdls_supported ? "" : " not"); 2383 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2384 sm->tdls_external_setup ? "external" : "internal"); 2385 2386 return 0; 2387} 2388 2389 2390void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2391{ 2392 struct wpa_tdls_peer *peer; 2393 2394 peer = sm->tdls; 2395 2396 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2397 2398 while (peer) { 2399 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2400 MAC2STR(peer->addr)); 2401 if (sm->tdls_external_setup) 2402 wpa_tdls_send_teardown(sm, peer->addr, 2403 WLAN_REASON_DEAUTH_LEAVING); 2404 else 2405 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2406 2407 peer = peer->next; 2408 } 2409} 2410 2411 2412static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2413{ 2414 struct wpa_tdls_peer *peer, *tmp; 2415 2416 peer = sm->tdls; 2417 sm->tdls = NULL; 2418 2419 while (peer) { 2420 int res; 2421 tmp = peer->next; 2422 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2423 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2424 MAC2STR(peer->addr), res); 2425 wpa_tdls_peer_free(sm, peer); 2426 os_free(peer); 2427 peer = tmp; 2428 } 2429} 2430 2431 2432/** 2433 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2434 * 2435 * This function is called to recover driver interface parameters for TDLS 2436 * and frees resources allocated for it. 2437 */ 2438void wpa_tdls_deinit(struct wpa_sm *sm) 2439{ 2440 if (sm == NULL) 2441 return; 2442 2443 if (sm->l2_tdls) 2444 l2_packet_deinit(sm->l2_tdls); 2445 sm->l2_tdls = NULL; 2446 2447 wpa_tdls_remove_peers(sm); 2448} 2449 2450 2451void wpa_tdls_assoc(struct wpa_sm *sm) 2452{ 2453 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2454 wpa_tdls_remove_peers(sm); 2455} 2456 2457 2458void wpa_tdls_disassoc(struct wpa_sm *sm) 2459{ 2460 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2461 wpa_tdls_remove_peers(sm); 2462} 2463 2464 2465static int wpa_tdls_prohibited(const u8 *ies, size_t len) 2466{ 2467 struct wpa_eapol_ie_parse elems; 2468 2469 if (ies == NULL) 2470 return 0; 2471 2472 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0) 2473 return 0; 2474 2475 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2476 return 0; 2477 2478 /* bit 38 - TDLS Prohibited */ 2479 return !!(elems.ext_capab[2 + 4] & 0x40); 2480} 2481 2482 2483void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2484{ 2485 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len); 2486 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2487 sm->tdls_prohibited ? "prohibited" : "allowed"); 2488} 2489 2490 2491void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2492{ 2493 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) { 2494 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2495 "(Re)Association Response IEs"); 2496 sm->tdls_prohibited = 1; 2497 } 2498} 2499 2500 2501void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2502{ 2503 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2504 sm->tdls_disabled = !enabled; 2505} 2506 2507 2508int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2509{ 2510 return sm->tdls_external_setup; 2511} 2512