tdls.c revision 8da800a193fb6f8832218715f82a7b4e2d2ad338
1/* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/os.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/sha256.h" 16#include "crypto/crypto.h" 17#include "crypto/aes_wrap.h" 18#include "rsn_supp/wpa.h" 19#include "rsn_supp/wpa_ie.h" 20#include "rsn_supp/wpa_i.h" 21#include "drivers/driver.h" 22#include "l2_packet/l2_packet.h" 23 24#ifdef CONFIG_TDLS_TESTING 25#define TDLS_TESTING_LONG_FRAME BIT(0) 26#define TDLS_TESTING_ALT_RSN_IE BIT(1) 27#define TDLS_TESTING_DIFF_BSSID BIT(2) 28#define TDLS_TESTING_SHORT_LIFETIME BIT(3) 29#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 30#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 31#define TDLS_TESTING_LONG_LIFETIME BIT(6) 32#define TDLS_TESTING_CONCURRENT_INIT BIT(7) 33#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 34#define TDLS_TESTING_DECLINE_RESP BIT(9) 35#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 36unsigned int tdls_testing = 0; 37#endif /* CONFIG_TDLS_TESTING */ 38 39#define TPK_LIFETIME 43200 /* 12 hours */ 40#define TPK_RETRY_COUNT 3 41#define TPK_TIMEOUT 5000 /* in milliseconds */ 42 43#define TDLS_MIC_LEN 16 44 45#define TDLS_TIMEOUT_LEN 4 46 47struct wpa_tdls_ftie { 48 u8 ie_type; /* FTIE */ 49 u8 ie_len; 50 u8 mic_ctrl[2]; 51 u8 mic[TDLS_MIC_LEN]; 52 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 53 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 54 /* followed by optional elements */ 55} STRUCT_PACKED; 56 57struct wpa_tdls_timeoutie { 58 u8 ie_type; /* Timeout IE */ 59 u8 ie_len; 60 u8 interval_type; 61 u8 value[TDLS_TIMEOUT_LEN]; 62} STRUCT_PACKED; 63 64struct wpa_tdls_lnkid { 65 u8 ie_type; /* Link Identifier IE */ 66 u8 ie_len; 67 u8 bssid[ETH_ALEN]; 68 u8 init_sta[ETH_ALEN]; 69 u8 resp_sta[ETH_ALEN]; 70} STRUCT_PACKED; 71 72/* TDLS frame headers as per IEEE Std 802.11z-2010 */ 73struct wpa_tdls_frame { 74 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 75 u8 category; /* Category */ 76 u8 action; /* Action (enum tdls_frame_type) */ 77} STRUCT_PACKED; 78 79static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 80static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 81static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 82 83 84#define TDLS_MAX_IE_LEN 80 85#define IEEE80211_MAX_SUPP_RATES 32 86 87struct wpa_tdls_peer { 88 struct wpa_tdls_peer *next; 89 unsigned int reconfig_key:1; 90 int initiator; /* whether this end was initiator for TDLS setup */ 91 u8 addr[ETH_ALEN]; /* other end MAC address */ 92 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 93 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 94 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 95 size_t rsnie_i_len; 96 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 97 size_t rsnie_p_len; 98 u32 lifetime; 99 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 100 u8 dtoken; 101 102 struct tpk { 103 u8 kck[16]; /* TPK-KCK */ 104 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 105 } tpk; 106 int tpk_set; 107 int tpk_success; 108 109 struct tpk_timer { 110 u8 dest[ETH_ALEN]; 111 int count; /* Retry Count */ 112 int timer; /* Timeout in milliseconds */ 113 u8 action_code; /* TDLS frame type */ 114 u8 dialog_token; 115 u16 status_code; 116 int buf_len; /* length of TPK message for retransmission */ 117 u8 *buf; /* buffer for TPK message */ 118 } sm_tmr; 119 120 u16 capability; 121 122 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 123 size_t supp_rates_len; 124 125 struct ieee80211_ht_capabilities *ht_capabilities; 126 struct ieee80211_vht_capabilities *vht_capabilities; 127 128 u8 qos_info; 129 130 u8 *ext_capab; 131 size_t ext_capab_len; 132}; 133 134 135static int wpa_tdls_get_privacy(struct wpa_sm *sm) 136{ 137 /* 138 * Get info needed from supplicant to check if the current BSS supports 139 * security. Other than OPEN mode, rest are considered secured 140 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 141 */ 142 return sm->pairwise_cipher != WPA_CIPHER_NONE; 143} 144 145 146static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 147{ 148 os_memcpy(pos, ie, ie_len); 149 return pos + ie_len; 150} 151 152 153static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 154{ 155 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 156 0, 0, NULL, 0, NULL, 0) < 0) { 157 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 158 "the driver"); 159 return -1; 160 } 161 162 return 0; 163} 164 165 166static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 167{ 168 u8 key_len; 169 u8 rsc[6]; 170 enum wpa_alg alg; 171 172 os_memset(rsc, 0, 6); 173 174 switch (peer->cipher) { 175 case WPA_CIPHER_CCMP: 176 alg = WPA_ALG_CCMP; 177 key_len = 16; 178 break; 179 case WPA_CIPHER_NONE: 180 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 181 "NONE - do not use pairwise keys"); 182 return -1; 183 default: 184 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 185 sm->pairwise_cipher); 186 return -1; 187 } 188 189 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 190 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 191 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 192 "driver"); 193 return -1; 194 } 195 return 0; 196} 197 198 199static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 200 u8 action_code, u8 dialog_token, 201 u16 status_code, const u8 *buf, size_t len) 202{ 203 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 204 status_code, buf, len); 205} 206 207 208static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 209 u8 dialog_token, u16 status_code, 210 const u8 *msg, size_t msg_len) 211{ 212 struct wpa_tdls_peer *peer; 213 214 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 215 "dialog_token=%u status_code=%u msg_len=%u", 216 MAC2STR(dest), action_code, dialog_token, status_code, 217 (unsigned int) msg_len); 218 219 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 220 status_code, msg, msg_len)) { 221 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 222 "(action_code=%u)", action_code); 223 return -1; 224 } 225 226 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 227 action_code == WLAN_TDLS_TEARDOWN || 228 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 229 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 230 return 0; /* No retries */ 231 232 for (peer = sm->tdls; peer; peer = peer->next) { 233 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 234 break; 235 } 236 237 if (peer == NULL) { 238 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 239 "retry " MACSTR, MAC2STR(dest)); 240 return 0; 241 } 242 243 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 244 245 peer->sm_tmr.count = TPK_RETRY_COUNT; 246 peer->sm_tmr.timer = TPK_TIMEOUT; 247 248 /* Copy message to resend on timeout */ 249 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 250 peer->sm_tmr.action_code = action_code; 251 peer->sm_tmr.dialog_token = dialog_token; 252 peer->sm_tmr.status_code = status_code; 253 peer->sm_tmr.buf_len = msg_len; 254 os_free(peer->sm_tmr.buf); 255 peer->sm_tmr.buf = os_malloc(msg_len); 256 if (peer->sm_tmr.buf == NULL) 257 return -1; 258 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 259 260 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 261 "(action_code=%u)", action_code); 262 eloop_register_timeout(peer->sm_tmr.timer / 1000, 0, 263 wpa_tdls_tpk_retry_timeout, sm, peer); 264 return 0; 265} 266 267 268static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 269 u16 reason_code, int free_peer) 270{ 271 int ret; 272 273 if (sm->tdls_external_setup) { 274 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 275 276 /* disable the link after teardown was sent */ 277 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 278 } else { 279 ret = wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 280 } 281 282 if (sm->tdls_external_setup || free_peer) 283 wpa_tdls_peer_free(sm, peer); 284 285 return ret; 286} 287 288 289static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 290{ 291 292 struct wpa_sm *sm = eloop_ctx; 293 struct wpa_tdls_peer *peer = timeout_ctx; 294 295 if (peer->sm_tmr.count) { 296 peer->sm_tmr.count--; 297 peer->sm_tmr.timer = TPK_TIMEOUT; 298 299 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 300 "(action_code=%u)", 301 peer->sm_tmr.action_code); 302 303 if (peer->sm_tmr.buf == NULL) { 304 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 305 "for action_code=%u", 306 peer->sm_tmr.action_code); 307 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 308 peer); 309 return; 310 } 311 312 /* resend TPK Handshake Message to Peer */ 313 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 314 peer->sm_tmr.action_code, 315 peer->sm_tmr.dialog_token, 316 peer->sm_tmr.status_code, 317 peer->sm_tmr.buf, 318 peer->sm_tmr.buf_len)) { 319 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 320 "transmission"); 321 } 322 323 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 324 eloop_register_timeout(peer->sm_tmr.timer / 1000, 0, 325 wpa_tdls_tpk_retry_timeout, sm, peer); 326 } else { 327 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 328 329 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 330 wpa_tdls_do_teardown(sm, peer, 331 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, 1); 332 } 333} 334 335 336static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 337 struct wpa_tdls_peer *peer, 338 u8 action_code) 339{ 340 if (action_code == peer->sm_tmr.action_code) { 341 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 342 "action_code=%u", action_code); 343 344 /* Cancel Timeout registered */ 345 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 346 347 /* free all resources meant for retry */ 348 os_free(peer->sm_tmr.buf); 349 peer->sm_tmr.buf = NULL; 350 351 peer->sm_tmr.count = 0; 352 peer->sm_tmr.timer = 0; 353 peer->sm_tmr.buf_len = 0; 354 peer->sm_tmr.action_code = 0xff; 355 } else { 356 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 357 "(Unknown action_code=%u)", action_code); 358 } 359} 360 361 362static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 363 const u8 *own_addr, const u8 *bssid) 364{ 365 u8 key_input[SHA256_MAC_LEN]; 366 const u8 *nonce[2]; 367 size_t len[2]; 368 u8 data[3 * ETH_ALEN]; 369 370 /* IEEE Std 802.11z-2010 8.5.9.1: 371 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 372 */ 373 len[0] = WPA_NONCE_LEN; 374 len[1] = WPA_NONCE_LEN; 375 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 376 nonce[0] = peer->inonce; 377 nonce[1] = peer->rnonce; 378 } else { 379 nonce[0] = peer->rnonce; 380 nonce[1] = peer->inonce; 381 } 382 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 383 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 384 sha256_vector(2, nonce, len, key_input); 385 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 386 key_input, SHA256_MAC_LEN); 387 388 /* 389 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 390 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 391 * TODO: is N_KEY really included in KDF Context and if so, in which 392 * presentation format (little endian 16-bit?) is it used? It gets 393 * added by the KDF anyway.. 394 */ 395 396 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 397 os_memcpy(data, own_addr, ETH_ALEN); 398 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 399 } else { 400 os_memcpy(data, peer->addr, ETH_ALEN); 401 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 402 } 403 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 404 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 405 406 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 407 (u8 *) &peer->tpk, sizeof(peer->tpk)); 408 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 409 peer->tpk.kck, sizeof(peer->tpk.kck)); 410 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 411 peer->tpk.tk, sizeof(peer->tpk.tk)); 412 peer->tpk_set = 1; 413} 414 415 416/** 417 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 418 * @kck: TPK-KCK 419 * @lnkid: Pointer to the beginning of Link Identifier IE 420 * @rsnie: Pointer to the beginning of RSN IE used for handshake 421 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 422 * @ftie: Pointer to the beginning of FT IE 423 * @mic: Pointer for writing MIC 424 * 425 * Calculate MIC for TDLS frame. 426 */ 427static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 428 const u8 *rsnie, const u8 *timeoutie, 429 const u8 *ftie, u8 *mic) 430{ 431 u8 *buf, *pos; 432 struct wpa_tdls_ftie *_ftie; 433 const struct wpa_tdls_lnkid *_lnkid; 434 int ret; 435 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 436 2 + timeoutie[1] + 2 + ftie[1]; 437 buf = os_zalloc(len); 438 if (!buf) { 439 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 440 return -1; 441 } 442 443 pos = buf; 444 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 445 /* 1) TDLS initiator STA MAC address */ 446 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 447 pos += ETH_ALEN; 448 /* 2) TDLS responder STA MAC address */ 449 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 450 pos += ETH_ALEN; 451 /* 3) Transaction Sequence number */ 452 *pos++ = trans_seq; 453 /* 4) Link Identifier IE */ 454 os_memcpy(pos, lnkid, 2 + lnkid[1]); 455 pos += 2 + lnkid[1]; 456 /* 5) RSN IE */ 457 os_memcpy(pos, rsnie, 2 + rsnie[1]); 458 pos += 2 + rsnie[1]; 459 /* 6) Timeout Interval IE */ 460 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 461 pos += 2 + timeoutie[1]; 462 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 463 os_memcpy(pos, ftie, 2 + ftie[1]); 464 _ftie = (struct wpa_tdls_ftie *) pos; 465 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 466 pos += 2 + ftie[1]; 467 468 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 469 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 470 ret = omac1_aes_128(kck, buf, pos - buf, mic); 471 os_free(buf); 472 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 473 return ret; 474} 475 476 477/** 478 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 479 * @kck: TPK-KCK 480 * @trans_seq: Transaction Sequence Number (4 - Teardown) 481 * @rcode: Reason code for Teardown 482 * @dtoken: Dialog Token used for that particular link 483 * @lnkid: Pointer to the beginning of Link Identifier IE 484 * @ftie: Pointer to the beginning of FT IE 485 * @mic: Pointer for writing MIC 486 * 487 * Calculate MIC for TDLS frame. 488 */ 489static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 490 u8 dtoken, const u8 *lnkid, 491 const u8 *ftie, u8 *mic) 492{ 493 u8 *buf, *pos; 494 struct wpa_tdls_ftie *_ftie; 495 int ret; 496 int len; 497 498 if (lnkid == NULL) 499 return -1; 500 501 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 502 sizeof(trans_seq) + 2 + ftie[1]; 503 504 buf = os_zalloc(len); 505 if (!buf) { 506 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 507 return -1; 508 } 509 510 pos = buf; 511 /* 1) Link Identifier IE */ 512 os_memcpy(pos, lnkid, 2 + lnkid[1]); 513 pos += 2 + lnkid[1]; 514 /* 2) Reason Code */ 515 WPA_PUT_LE16(pos, rcode); 516 pos += sizeof(rcode); 517 /* 3) Dialog token */ 518 *pos++ = dtoken; 519 /* 4) Transaction Sequence number */ 520 *pos++ = trans_seq; 521 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 522 os_memcpy(pos, ftie, 2 + ftie[1]); 523 _ftie = (struct wpa_tdls_ftie *) pos; 524 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 525 pos += 2 + ftie[1]; 526 527 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 528 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 529 ret = omac1_aes_128(kck, buf, pos - buf, mic); 530 os_free(buf); 531 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 532 return ret; 533} 534 535 536static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 537 struct wpa_tdls_peer *peer, 538 const u8 *lnkid, const u8 *timeoutie, 539 const struct wpa_tdls_ftie *ftie) 540{ 541 u8 mic[16]; 542 543 if (peer->tpk_set) { 544 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 545 peer->rsnie_p, timeoutie, (u8 *) ftie, 546 mic); 547 if (os_memcmp(mic, ftie->mic, 16) != 0) { 548 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 549 "dropping packet"); 550 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 551 ftie->mic, 16); 552 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 553 mic, 16); 554 return -1; 555 } 556 } else { 557 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 558 "TPK not set - dropping packet"); 559 return -1; 560 } 561 return 0; 562} 563 564 565static int wpa_supplicant_verify_tdls_mic_teardown( 566 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 567 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 568{ 569 u8 mic[16]; 570 571 if (peer->tpk_set) { 572 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 573 dtoken, lnkid, (u8 *) ftie, mic); 574 if (os_memcmp(mic, ftie->mic, 16) != 0) { 575 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 576 "dropping packet"); 577 return -1; 578 } 579 } else { 580 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 581 "MIC, TPK not set - dropping packet"); 582 return -1; 583 } 584 return 0; 585} 586 587 588static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 589{ 590 struct wpa_sm *sm = eloop_ctx; 591 struct wpa_tdls_peer *peer = timeout_ctx; 592 593 /* 594 * On TPK lifetime expiration, we have an option of either tearing down 595 * the direct link or trying to re-initiate it. The selection of what 596 * to do is not strictly speaking controlled by our role in the expired 597 * link, but for now, use that to select whether to renew or tear down 598 * the link. 599 */ 600 601 if (peer->initiator) { 602 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 603 " - try to renew", MAC2STR(peer->addr)); 604 wpa_tdls_start(sm, peer->addr); 605 } else { 606 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 607 " - tear down", MAC2STR(peer->addr)); 608 wpa_tdls_do_teardown(sm, peer, 609 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, 1); 610 } 611} 612 613 614static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 615{ 616 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 617 MAC2STR(peer->addr)); 618 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 619 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 620 peer->reconfig_key = 0; 621 peer->initiator = 0; 622 os_free(peer->sm_tmr.buf); 623 peer->sm_tmr.buf = NULL; 624 os_free(peer->ht_capabilities); 625 peer->ht_capabilities = NULL; 626 os_free(peer->vht_capabilities); 627 peer->vht_capabilities = NULL; 628 os_free(peer->ext_capab); 629 peer->ext_capab = NULL; 630 peer->rsnie_i_len = peer->rsnie_p_len = 0; 631 peer->cipher = 0; 632 peer->tpk_set = peer->tpk_success = 0; 633 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 634 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 635 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 636} 637 638 639static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 640 struct wpa_tdls_lnkid *lnkid) 641{ 642 lnkid->ie_type = WLAN_EID_LINK_ID; 643 lnkid->ie_len = 3 * ETH_ALEN; 644 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 645 if (peer->initiator) { 646 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 647 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 648 } else { 649 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 650 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 651 } 652} 653 654 655int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 656{ 657 struct wpa_tdls_peer *peer; 658 struct wpa_tdls_ftie *ftie; 659 struct wpa_tdls_lnkid lnkid; 660 u8 dialog_token; 661 u8 *rbuf, *pos; 662 int ielen; 663 664 if (sm->tdls_disabled || !sm->tdls_supported) 665 return -1; 666 667 /* Find the node and free from the list */ 668 for (peer = sm->tdls; peer; peer = peer->next) { 669 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 670 break; 671 } 672 673 if (peer == NULL) { 674 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 675 "Teardown " MACSTR, MAC2STR(addr)); 676 return 0; 677 } 678 679 dialog_token = peer->dtoken; 680 681 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 682 MAC2STR(addr)); 683 684 ielen = 0; 685 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 686 /* To add FTIE for Teardown request and compute MIC */ 687 ielen += sizeof(*ftie); 688#ifdef CONFIG_TDLS_TESTING 689 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 690 ielen += 170; 691#endif /* CONFIG_TDLS_TESTING */ 692 } 693 694 rbuf = os_zalloc(ielen + 1); 695 if (rbuf == NULL) 696 return -1; 697 pos = rbuf; 698 699 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) { 700 if (reason_code != WLAN_REASON_DEAUTH_LEAVING) { 701 /* Overwrite the reason code */ 702 reason_code = WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED; 703 } 704 goto skip_ies; 705 } 706 707 ftie = (struct wpa_tdls_ftie *) pos; 708 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 709 /* Using the recent nonce which should be for CONFIRM frame */ 710 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 711 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 712 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 713 pos = (u8 *) (ftie + 1); 714#ifdef CONFIG_TDLS_TESTING 715 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 716 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 717 "FTIE"); 718 ftie->ie_len += 170; 719 *pos++ = 255; /* FTIE subelem */ 720 *pos++ = 168; /* FTIE subelem length */ 721 pos += 168; 722 } 723#endif /* CONFIG_TDLS_TESTING */ 724 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 725 (u8 *) ftie, pos - (u8 *) ftie); 726 727 /* compute MIC before sending */ 728 wpa_tdls_linkid(sm, peer, &lnkid); 729 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 730 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 731 ftie->mic); 732 733skip_ies: 734 /* TODO: register for a Timeout handler, if Teardown is not received at 735 * the other end, then try again another time */ 736 737 /* request driver to send Teardown using this FTIE */ 738 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 739 reason_code, rbuf, pos - rbuf); 740 os_free(rbuf); 741 742 /* clear the Peerkey statemachine */ 743 wpa_tdls_peer_free(sm, peer); 744 745 return 0; 746} 747 748 749int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 750{ 751 struct wpa_tdls_peer *peer; 752 753 if (sm->tdls_disabled || !sm->tdls_supported) 754 return -1; 755 756 for (peer = sm->tdls; peer; peer = peer->next) { 757 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 758 break; 759 } 760 761 if (peer == NULL) { 762 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 763 " for link Teardown", MAC2STR(addr)); 764 return -1; 765 } 766 767 if (!peer->tpk_success) { 768 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 769 " not connected - cannot Teardown link", MAC2STR(addr)); 770 return -1; 771 } 772 773 return wpa_tdls_do_teardown(sm, peer, reason_code, 0); 774} 775 776 777void wpa_tdls_disable_link(struct wpa_sm *sm, const u8 *addr) 778{ 779 struct wpa_tdls_peer *peer; 780 781 for (peer = sm->tdls; peer; peer = peer->next) { 782 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 783 break; 784 } 785 786 if (peer) { 787 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr); 788 wpa_tdls_peer_free(sm, peer); 789 } 790} 791 792 793static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 794 const u8 *buf, size_t len) 795{ 796 struct wpa_tdls_peer *peer = NULL; 797 struct wpa_tdls_ftie *ftie; 798 struct wpa_tdls_lnkid *lnkid; 799 struct wpa_eapol_ie_parse kde; 800 u16 reason_code; 801 const u8 *pos; 802 int ielen; 803 804 /* Find the node and free from the list */ 805 for (peer = sm->tdls; peer; peer = peer->next) { 806 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 807 break; 808 } 809 810 if (peer == NULL) { 811 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 812 "Teardown " MACSTR, MAC2STR(src_addr)); 813 return 0; 814 } 815 816 pos = buf; 817 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 818 819 reason_code = WPA_GET_LE16(pos); 820 pos += 2; 821 822 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 823 " (reason code %u)", MAC2STR(src_addr), reason_code); 824 825 ielen = len - (pos - buf); /* start of IE in buf */ 826 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 827 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown"); 828 return -1; 829 } 830 831 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 832 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 833 "Teardown"); 834 return -1; 835 } 836 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 837 838 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 839 goto skip_ftie; 840 841 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 842 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 843 return -1; 844 } 845 846 ftie = (struct wpa_tdls_ftie *) kde.ftie; 847 848 /* Process MIC check to see if TDLS Teardown is right */ 849 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 850 peer->dtoken, peer, 851 (u8 *) lnkid, ftie) < 0) { 852 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 853 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 854 return -1; 855 } 856 857skip_ftie: 858 /* 859 * Request the driver to disable the direct link and clear associated 860 * keys. 861 */ 862 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 863 864 /* clear the Peerkey statemachine */ 865 wpa_tdls_peer_free(sm, peer); 866 867 return 0; 868} 869 870 871/** 872 * wpa_tdls_send_error - To send suitable TDLS status response with 873 * appropriate status code mentioning reason for error/failure. 874 * @dst - MAC addr of Peer station 875 * @tdls_action - TDLS frame type for which error code is sent 876 * @status - status code mentioning reason 877 */ 878 879static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 880 u8 tdls_action, u8 dialog_token, u16 status) 881{ 882 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 883 " (action=%u status=%u)", 884 MAC2STR(dst), tdls_action, status); 885 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 886 NULL, 0); 887} 888 889 890static struct wpa_tdls_peer * 891wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 892{ 893 struct wpa_tdls_peer *peer; 894 895 if (existing) 896 *existing = 0; 897 for (peer = sm->tdls; peer; peer = peer->next) { 898 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 899 if (existing) 900 *existing = 1; 901 return peer; /* re-use existing entry */ 902 } 903 } 904 905 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 906 MAC2STR(addr)); 907 908 peer = os_zalloc(sizeof(*peer)); 909 if (peer == NULL) 910 return NULL; 911 912 os_memcpy(peer->addr, addr, ETH_ALEN); 913 peer->next = sm->tdls; 914 sm->tdls = peer; 915 916 return peer; 917} 918 919 920static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 921 struct wpa_tdls_peer *peer) 922{ 923 size_t buf_len; 924 struct wpa_tdls_timeoutie timeoutie; 925 u16 rsn_capab; 926 struct wpa_tdls_ftie *ftie; 927 u8 *rbuf, *pos, *count_pos; 928 u16 count; 929 struct rsn_ie_hdr *hdr; 930 931 if (!wpa_tdls_get_privacy(sm)) { 932 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 933 peer->rsnie_i_len = 0; 934 goto skip_rsnie; 935 } 936 937 /* 938 * TPK Handshake Message 1: 939 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 940 * Timeout Interval IE)) 941 */ 942 943 /* Filling RSN IE */ 944 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 945 hdr->elem_id = WLAN_EID_RSN; 946 WPA_PUT_LE16(hdr->version, RSN_VERSION); 947 948 pos = (u8 *) (hdr + 1); 949 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 950 pos += RSN_SELECTOR_LEN; 951 count_pos = pos; 952 pos += 2; 953 954 count = 0; 955 956 /* 957 * AES-CCMP is the default Encryption preferred for TDLS, so 958 * RSN IE is filled only with CCMP CIPHER 959 * Note: TKIP is not used to encrypt TDLS link. 960 * 961 * Regardless of the cipher used on the AP connection, select CCMP 962 * here. 963 */ 964 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 965 pos += RSN_SELECTOR_LEN; 966 count++; 967 968 WPA_PUT_LE16(count_pos, count); 969 970 WPA_PUT_LE16(pos, 1); 971 pos += 2; 972 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 973 pos += RSN_SELECTOR_LEN; 974 975 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 976 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 977#ifdef CONFIG_TDLS_TESTING 978 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 979 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 980 "testing"); 981 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 982 } 983#endif /* CONFIG_TDLS_TESTING */ 984 WPA_PUT_LE16(pos, rsn_capab); 985 pos += 2; 986#ifdef CONFIG_TDLS_TESTING 987 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 988 /* Number of PMKIDs */ 989 *pos++ = 0x00; 990 *pos++ = 0x00; 991 } 992#endif /* CONFIG_TDLS_TESTING */ 993 994 hdr->len = (pos - peer->rsnie_i) - 2; 995 peer->rsnie_i_len = pos - peer->rsnie_i; 996 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 997 peer->rsnie_i, peer->rsnie_i_len); 998 999skip_rsnie: 1000 buf_len = 0; 1001 if (wpa_tdls_get_privacy(sm)) 1002 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1003 sizeof(struct wpa_tdls_timeoutie); 1004#ifdef CONFIG_TDLS_TESTING 1005 if (wpa_tdls_get_privacy(sm) && 1006 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1007 buf_len += 170; 1008 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1009 buf_len += sizeof(struct wpa_tdls_lnkid); 1010#endif /* CONFIG_TDLS_TESTING */ 1011 rbuf = os_zalloc(buf_len + 1); 1012 if (rbuf == NULL) { 1013 wpa_tdls_peer_free(sm, peer); 1014 return -1; 1015 } 1016 pos = rbuf; 1017 1018 if (!wpa_tdls_get_privacy(sm)) 1019 goto skip_ies; 1020 1021 /* Initiator RSN IE */ 1022 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1023 1024 ftie = (struct wpa_tdls_ftie *) pos; 1025 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1026 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1027 1028 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1029 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1030 "TDLS: Failed to get random data for initiator Nonce"); 1031 os_free(rbuf); 1032 wpa_tdls_peer_free(sm, peer); 1033 return -1; 1034 } 1035 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1036 peer->inonce, WPA_NONCE_LEN); 1037 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1038 1039 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1040 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1041 1042 pos = (u8 *) (ftie + 1); 1043 1044#ifdef CONFIG_TDLS_TESTING 1045 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1046 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1047 "FTIE"); 1048 ftie->ie_len += 170; 1049 *pos++ = 255; /* FTIE subelem */ 1050 *pos++ = 168; /* FTIE subelem length */ 1051 pos += 168; 1052 } 1053#endif /* CONFIG_TDLS_TESTING */ 1054 1055 /* Lifetime */ 1056 peer->lifetime = TPK_LIFETIME; 1057#ifdef CONFIG_TDLS_TESTING 1058 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1059 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1060 "lifetime"); 1061 peer->lifetime = 301; 1062 } 1063 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1064 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1065 "lifetime"); 1066 peer->lifetime = 0xffffffff; 1067 } 1068#endif /* CONFIG_TDLS_TESTING */ 1069 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1070 sizeof(timeoutie), peer->lifetime); 1071 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1072 1073skip_ies: 1074 1075#ifdef CONFIG_TDLS_TESTING 1076 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1077 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1078 "Link Identifier"); 1079 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1080 wpa_tdls_linkid(sm, peer, l); 1081 l->bssid[5] ^= 0x01; 1082 pos += sizeof(*l); 1083 } 1084#endif /* CONFIG_TDLS_TESTING */ 1085 1086 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1087 "Handshake Message 1 (peer " MACSTR ")", 1088 MAC2STR(peer->addr)); 1089 1090 wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1, 0, 1091 rbuf, pos - rbuf); 1092 os_free(rbuf); 1093 1094 return 0; 1095} 1096 1097 1098static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1099 const unsigned char *src_addr, u8 dtoken, 1100 struct wpa_tdls_lnkid *lnkid, 1101 const struct wpa_tdls_peer *peer) 1102{ 1103 u8 *rbuf, *pos; 1104 size_t buf_len; 1105 u32 lifetime; 1106 struct wpa_tdls_timeoutie timeoutie; 1107 struct wpa_tdls_ftie *ftie; 1108 1109 buf_len = 0; 1110 if (wpa_tdls_get_privacy(sm)) { 1111 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1112 * Lifetime */ 1113 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1114 sizeof(struct wpa_tdls_timeoutie); 1115#ifdef CONFIG_TDLS_TESTING 1116 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1117 buf_len += 170; 1118#endif /* CONFIG_TDLS_TESTING */ 1119 } 1120 1121 rbuf = os_zalloc(buf_len + 1); 1122 if (rbuf == NULL) 1123 return -1; 1124 pos = rbuf; 1125 1126 if (!wpa_tdls_get_privacy(sm)) 1127 goto skip_ies; 1128 1129 /* Peer RSN IE */ 1130 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1131 1132 ftie = (struct wpa_tdls_ftie *) pos; 1133 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1134 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1135 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1136 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1137 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1138 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1139 (u8 *) ftie, sizeof(*ftie)); 1140 1141 pos = (u8 *) (ftie + 1); 1142 1143#ifdef CONFIG_TDLS_TESTING 1144 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1145 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1146 "FTIE"); 1147 ftie->ie_len += 170; 1148 *pos++ = 255; /* FTIE subelem */ 1149 *pos++ = 168; /* FTIE subelem length */ 1150 pos += 168; 1151 } 1152#endif /* CONFIG_TDLS_TESTING */ 1153 1154 /* Lifetime */ 1155 lifetime = peer->lifetime; 1156#ifdef CONFIG_TDLS_TESTING 1157 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1158 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1159 "lifetime in response"); 1160 lifetime++; 1161 } 1162#endif /* CONFIG_TDLS_TESTING */ 1163 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1164 sizeof(timeoutie), lifetime); 1165 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1166 lifetime); 1167 1168 /* compute MIC before sending */ 1169 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1170 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1171 1172skip_ies: 1173 wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0, 1174 rbuf, pos - rbuf); 1175 os_free(rbuf); 1176 1177 return 0; 1178} 1179 1180 1181static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1182 const unsigned char *src_addr, u8 dtoken, 1183 struct wpa_tdls_lnkid *lnkid, 1184 const struct wpa_tdls_peer *peer) 1185{ 1186 u8 *rbuf, *pos; 1187 size_t buf_len; 1188 struct wpa_tdls_ftie *ftie; 1189 struct wpa_tdls_timeoutie timeoutie; 1190 u32 lifetime; 1191 1192 buf_len = 0; 1193 if (wpa_tdls_get_privacy(sm)) { 1194 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1195 * Lifetime */ 1196 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1197 sizeof(struct wpa_tdls_timeoutie); 1198#ifdef CONFIG_TDLS_TESTING 1199 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1200 buf_len += 170; 1201#endif /* CONFIG_TDLS_TESTING */ 1202 } 1203 1204 rbuf = os_zalloc(buf_len + 1); 1205 if (rbuf == NULL) 1206 return -1; 1207 pos = rbuf; 1208 1209 if (!wpa_tdls_get_privacy(sm)) 1210 goto skip_ies; 1211 1212 /* Peer RSN IE */ 1213 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1214 1215 ftie = (struct wpa_tdls_ftie *) pos; 1216 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1217 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1218 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1219 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1220 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1221 1222 pos = (u8 *) (ftie + 1); 1223 1224#ifdef CONFIG_TDLS_TESTING 1225 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1226 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1227 "FTIE"); 1228 ftie->ie_len += 170; 1229 *pos++ = 255; /* FTIE subelem */ 1230 *pos++ = 168; /* FTIE subelem length */ 1231 pos += 168; 1232 } 1233#endif /* CONFIG_TDLS_TESTING */ 1234 1235 /* Lifetime */ 1236 lifetime = peer->lifetime; 1237#ifdef CONFIG_TDLS_TESTING 1238 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1239 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1240 "lifetime in confirm"); 1241 lifetime++; 1242 } 1243#endif /* CONFIG_TDLS_TESTING */ 1244 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1245 sizeof(timeoutie), lifetime); 1246 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1247 lifetime); 1248 1249 /* compute MIC before sending */ 1250 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1251 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1252 1253skip_ies: 1254 wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 0, 1255 rbuf, pos - rbuf); 1256 os_free(rbuf); 1257 1258 return 0; 1259} 1260 1261 1262static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1263 struct wpa_tdls_peer *peer, 1264 u8 dialog_token) 1265{ 1266 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1267 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1268 1269 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1270 dialog_token, 0, NULL, 0); 1271} 1272 1273 1274static int 1275wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1276 const u8 *buf, size_t len) 1277{ 1278 struct wpa_eapol_ie_parse kde; 1279 const struct wpa_tdls_lnkid *lnkid; 1280 struct wpa_tdls_peer *peer; 1281 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1282 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1283 u8 dialog_token; 1284 1285 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1286 MAC2STR(addr)); 1287 1288 if (len < min_req_len) { 1289 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1290 "%d", (int) len); 1291 return -1; 1292 } 1293 1294 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1295 1296 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1297 len - (sizeof(struct wpa_tdls_frame) + 1), 1298 &kde) < 0) 1299 return -1; 1300 1301 if (!kde.lnkid) { 1302 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1303 "Request"); 1304 return -1; 1305 } 1306 1307 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1308 1309 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1310 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1311 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1312 return -1; 1313 } 1314 1315 peer = wpa_tdls_add_peer(sm, addr, NULL); 1316 if (peer == NULL) 1317 return -1; 1318 1319 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1320} 1321 1322 1323int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1324{ 1325 if (sm->tdls_disabled || !sm->tdls_supported) 1326 return -1; 1327 1328 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1329 MACSTR, MAC2STR(addr)); 1330 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1331 1, 0, NULL, 0); 1332} 1333 1334 1335static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1336 struct wpa_tdls_peer *peer) 1337{ 1338 if (!kde->supp_rates) { 1339 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1340 return -1; 1341 } 1342 peer->supp_rates_len = merge_byte_arrays( 1343 peer->supp_rates, sizeof(peer->supp_rates), 1344 kde->supp_rates + 2, kde->supp_rates_len - 2, 1345 kde->ext_supp_rates + 2, kde->ext_supp_rates_len - 2); 1346 return 0; 1347} 1348 1349 1350static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1351 struct wpa_tdls_peer *peer) 1352{ 1353 if (!kde->ht_capabilities || 1354 kde->ht_capabilities_len < 1355 sizeof(struct ieee80211_ht_capabilities) ) { 1356 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1357 "received"); 1358 return 0; 1359 } 1360 1361 if (!peer->ht_capabilities) { 1362 peer->ht_capabilities = 1363 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1364 if (peer->ht_capabilities == NULL) 1365 return -1; 1366 } 1367 1368 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1369 sizeof(struct ieee80211_ht_capabilities)); 1370 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1371 (u8 *) peer->ht_capabilities, 1372 sizeof(struct ieee80211_ht_capabilities)); 1373 1374 return 0; 1375} 1376 1377 1378static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1379 struct wpa_tdls_peer *peer) 1380{ 1381 if (!kde->vht_capabilities || 1382 kde->vht_capabilities_len < 1383 sizeof(struct ieee80211_vht_capabilities) ) { 1384 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1385 "received"); 1386 return 0; 1387 } 1388 1389 if (!peer->vht_capabilities) { 1390 peer->vht_capabilities = 1391 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1392 if (peer->vht_capabilities == NULL) 1393 return -1; 1394 } 1395 1396 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1397 sizeof(struct ieee80211_vht_capabilities)); 1398 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1399 (u8 *) peer->vht_capabilities, 1400 sizeof(struct ieee80211_vht_capabilities)); 1401 1402 return 0; 1403} 1404 1405 1406static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1407 struct wpa_tdls_peer *peer) 1408{ 1409 if (!kde->ext_capab) { 1410 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1411 "received"); 1412 return 0; 1413 } 1414 1415 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1416 /* Need to allocate buffer to fit the new information */ 1417 os_free(peer->ext_capab); 1418 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1419 if (peer->ext_capab == NULL) 1420 return -1; 1421 } 1422 1423 peer->ext_capab_len = kde->ext_capab_len - 2; 1424 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1425 1426 return 0; 1427} 1428 1429 1430static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1431 const u8 *buf, size_t len) 1432{ 1433 struct wpa_tdls_peer *peer; 1434 struct wpa_eapol_ie_parse kde; 1435 struct wpa_ie_data ie; 1436 int cipher; 1437 const u8 *cpos; 1438 struct wpa_tdls_ftie *ftie = NULL; 1439 struct wpa_tdls_timeoutie *timeoutie; 1440 struct wpa_tdls_lnkid *lnkid; 1441 u32 lifetime = 0; 1442#if 0 1443 struct rsn_ie_hdr *hdr; 1444 u8 *pos; 1445 u16 rsn_capab; 1446 u16 rsn_ver; 1447#endif 1448 u8 dtoken; 1449 u16 ielen; 1450 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1451 int tdls_prohibited = sm->tdls_prohibited; 1452 int existing_peer = 0; 1453 1454 if (len < 3 + 3) 1455 return -1; 1456 1457 cpos = buf; 1458 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1459 1460 /* driver had already verified the frame format */ 1461 dtoken = *cpos++; /* dialog token */ 1462 1463 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1464 1465 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1466 if (peer == NULL) 1467 goto error; 1468 1469 /* If found, use existing entry instead of adding a new one; 1470 * how to handle the case where both ends initiate at the 1471 * same time? */ 1472 if (existing_peer) { 1473 if (peer->tpk_success) { 1474 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1475 "direct link is enabled - tear down the " 1476 "old link first"); 1477#if 0 1478 /* TODO: Disabling the link would be more proper 1479 * operation here, but it seems to trigger a race with 1480 * some drivers handling the new request frame. */ 1481 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 1482#else 1483 if (sm->tdls_external_setup) 1484 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1485 src_addr); 1486 else 1487 wpa_tdls_del_key(sm, peer); 1488#endif 1489 wpa_tdls_peer_free(sm, peer); 1490 } 1491 1492 /* 1493 * An entry is already present, so check if we already sent a 1494 * TDLS Setup Request. If so, compare MAC addresses and let the 1495 * STA with the lower MAC address continue as the initiator. 1496 * The other negotiation is terminated. 1497 */ 1498 if (peer->initiator) { 1499 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1500 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1501 "from peer with higher address " 1502 MACSTR, MAC2STR(src_addr)); 1503 return -1; 1504 } else { 1505 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1506 "from peer with lower address " 1507 MACSTR " (terminate previously " 1508 "initiated negotiation", 1509 MAC2STR(src_addr)); 1510 if (sm->tdls_external_setup) 1511 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, 1512 src_addr); 1513 else 1514 wpa_tdls_del_key(sm, peer); 1515 wpa_tdls_peer_free(sm, peer); 1516 } 1517 } 1518 } 1519 1520 /* capability information */ 1521 peer->capability = WPA_GET_LE16(cpos); 1522 cpos += 2; 1523 1524 ielen = len - (cpos - buf); /* start of IE in buf */ 1525 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) { 1526 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1"); 1527 goto error; 1528 } 1529 1530 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1531 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1532 "TPK M1"); 1533 goto error; 1534 } 1535 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1536 kde.lnkid, kde.lnkid_len); 1537 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1538 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1539 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1540 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1541 goto error; 1542 } 1543 1544 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1545 MAC2STR(src_addr)); 1546 1547 if (copy_supp_rates(&kde, peer) < 0) 1548 goto error; 1549 1550 if (copy_peer_ht_capab(&kde, peer) < 0) 1551 goto error; 1552 1553 if (copy_peer_vht_capab(&kde, peer) < 0) 1554 goto error; 1555 1556 if (copy_peer_ext_capab(&kde, peer) < 0) 1557 goto error; 1558 1559 peer->qos_info = kde.qosinfo; 1560 1561#ifdef CONFIG_TDLS_TESTING 1562 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1563 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1564 if (peer == NULL) 1565 goto error; 1566 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1567 "TDLS setup - send own request"); 1568 peer->initiator = 1; 1569 wpa_tdls_send_tpk_m1(sm, peer); 1570 } 1571 1572 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1573 tdls_prohibited) { 1574 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1575 "on TDLS"); 1576 tdls_prohibited = 0; 1577 } 1578#endif /* CONFIG_TDLS_TESTING */ 1579 1580 if (tdls_prohibited) { 1581 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1582 status = WLAN_STATUS_REQUEST_DECLINED; 1583 goto error; 1584 } 1585 1586 if (!wpa_tdls_get_privacy(sm)) { 1587 if (kde.rsn_ie) { 1588 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1589 "security is disabled"); 1590 status = WLAN_STATUS_SECURITY_DISABLED; 1591 goto error; 1592 } 1593 goto skip_rsn; 1594 } 1595 1596 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1597 kde.rsn_ie == NULL) { 1598 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1599 status = WLAN_STATUS_INVALID_PARAMETERS; 1600 goto error; 1601 } 1602 1603 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1604 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1605 "TPK M1"); 1606 status = WLAN_STATUS_INVALID_RSNIE; 1607 goto error; 1608 } 1609 1610 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1611 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1612 status = WLAN_STATUS_INVALID_RSNIE; 1613 goto error; 1614 } 1615 1616 cipher = ie.pairwise_cipher; 1617 if (cipher & WPA_CIPHER_CCMP) { 1618 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1619 cipher = WPA_CIPHER_CCMP; 1620 } else { 1621 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1622 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1623 goto error; 1624 } 1625 1626 if ((ie.capabilities & 1627 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1628 WPA_CAPABILITY_PEERKEY_ENABLED) { 1629 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1630 "TPK M1"); 1631 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1632 goto error; 1633 } 1634 1635 /* Lifetime */ 1636 if (kde.key_lifetime == NULL) { 1637 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1638 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1639 goto error; 1640 } 1641 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1642 lifetime = WPA_GET_LE32(timeoutie->value); 1643 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1644 if (lifetime < 300) { 1645 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1646 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1647 goto error; 1648 } 1649 1650skip_rsn: 1651#ifdef CONFIG_TDLS_TESTING 1652 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1653 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1654 /* 1655 * The request frame from us is going to win, so do not 1656 * replace information based on this request frame from 1657 * the peer. 1658 */ 1659 goto skip_rsn_check; 1660 } 1661 } 1662#endif /* CONFIG_TDLS_TESTING */ 1663 1664 peer->initiator = 0; /* Need to check */ 1665 peer->dtoken = dtoken; 1666 1667 if (!wpa_tdls_get_privacy(sm)) { 1668 peer->rsnie_i_len = 0; 1669 peer->rsnie_p_len = 0; 1670 peer->cipher = WPA_CIPHER_NONE; 1671 goto skip_rsn_check; 1672 } 1673 1674 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1675 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 1676 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1677 peer->rsnie_i_len = kde.rsn_ie_len; 1678 peer->cipher = cipher; 1679 1680 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 1681 wpa_msg(sm->ctx->ctx, MSG_WARNING, 1682 "TDLS: Failed to get random data for responder nonce"); 1683 wpa_tdls_peer_free(sm, peer); 1684 goto error; 1685 } 1686 1687#if 0 1688 /* get version info from RSNIE received from Peer */ 1689 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 1690 rsn_ver = WPA_GET_LE16(hdr->version); 1691 1692 /* use min(peer's version, out version) */ 1693 if (rsn_ver > RSN_VERSION) 1694 rsn_ver = RSN_VERSION; 1695 1696 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 1697 1698 hdr->elem_id = WLAN_EID_RSN; 1699 WPA_PUT_LE16(hdr->version, rsn_ver); 1700 pos = (u8 *) (hdr + 1); 1701 1702 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1703 pos += RSN_SELECTOR_LEN; 1704 /* Include only the selected cipher in pairwise cipher suite */ 1705 WPA_PUT_LE16(pos, 1); 1706 pos += 2; 1707 if (cipher == WPA_CIPHER_CCMP) 1708 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1709 pos += RSN_SELECTOR_LEN; 1710 1711 WPA_PUT_LE16(pos, 1); 1712 pos += 2; 1713 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1714 pos += RSN_SELECTOR_LEN; 1715 1716 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1717 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1718 WPA_PUT_LE16(pos, rsn_capab); 1719 pos += 2; 1720 1721 hdr->len = (pos - peer->rsnie_p) - 2; 1722 peer->rsnie_p_len = pos - peer->rsnie_p; 1723#endif 1724 1725 /* temp fix: validation of RSNIE later */ 1726 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 1727 peer->rsnie_p_len = peer->rsnie_i_len; 1728 1729 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1730 peer->rsnie_p, peer->rsnie_p_len); 1731 1732 peer->lifetime = lifetime; 1733 1734 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 1735 1736skip_rsn_check: 1737 /* add the peer to the driver as a "setup in progress" peer */ 1738 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, NULL, 0, NULL, NULL, 0, 1739 NULL, 0); 1740 1741 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 1742 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 1743 wpa_tdls_disable_link(sm, peer->addr); 1744 goto error; 1745 } 1746 1747 return 0; 1748 1749error: 1750 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 1751 status); 1752 return -1; 1753} 1754 1755 1756static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 1757{ 1758 peer->tpk_success = 1; 1759 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1760 if (wpa_tdls_get_privacy(sm)) { 1761 u32 lifetime = peer->lifetime; 1762 /* 1763 * Start the initiator process a bit earlier to avoid race 1764 * condition with the responder sending teardown request. 1765 */ 1766 if (lifetime > 3 && peer->initiator) 1767 lifetime -= 3; 1768 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 1769 sm, peer); 1770#ifdef CONFIG_TDLS_TESTING 1771 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 1772 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 1773 "expiration"); 1774 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1775 } 1776#endif /* CONFIG_TDLS_TESTING */ 1777 } 1778 1779 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 1780 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 0, peer->capability, 1781 peer->supp_rates, peer->supp_rates_len, 1782 peer->ht_capabilities, 1783 peer->vht_capabilities, 1784 peer->qos_info, peer->ext_capab, 1785 peer->ext_capab_len) < 0) 1786 return -1; 1787 1788 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 1789 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 1790 "driver"); 1791 return -1; 1792 } 1793 peer->reconfig_key = 0; 1794 1795 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 1796} 1797 1798 1799static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 1800 const u8 *buf, size_t len) 1801{ 1802 struct wpa_tdls_peer *peer; 1803 struct wpa_eapol_ie_parse kde; 1804 struct wpa_ie_data ie; 1805 int cipher; 1806 struct wpa_tdls_ftie *ftie; 1807 struct wpa_tdls_timeoutie *timeoutie; 1808 struct wpa_tdls_lnkid *lnkid; 1809 u32 lifetime; 1810 u8 dtoken; 1811 int ielen; 1812 u16 status; 1813 const u8 *pos; 1814 int ret; 1815 1816 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 1817 "(Peer " MACSTR ")", MAC2STR(src_addr)); 1818 for (peer = sm->tdls; peer; peer = peer->next) { 1819 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 1820 break; 1821 } 1822 if (peer == NULL) { 1823 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 1824 "TPK M2: " MACSTR, MAC2STR(src_addr)); 1825 return -1; 1826 } 1827 if (!peer->initiator) { 1828 /* 1829 * This may happen if both devices try to initiate TDLS at the 1830 * same time and we accept the TPK M1 from the peer in 1831 * wpa_tdls_process_tpk_m1() and clear our previous state. 1832 */ 1833 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 1834 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 1835 return -1; 1836 } 1837 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 1838 1839 if (len < 3 + 2 + 1) 1840 return -1; 1841 pos = buf; 1842 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1843 status = WPA_GET_LE16(pos); 1844 pos += 2 /* status code */; 1845 1846 if (status != WLAN_STATUS_SUCCESS) { 1847 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 1848 status); 1849 if (sm->tdls_external_setup) 1850 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 1851 return -1; 1852 } 1853 1854 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1855 1856 /* TODO: need to verify dialog token matches here or in kernel */ 1857 dtoken = *pos++; /* dialog token */ 1858 1859 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 1860 1861 if (len < 3 + 2 + 1 + 2) 1862 return -1; 1863 1864 /* capability information */ 1865 peer->capability = WPA_GET_LE16(pos); 1866 pos += 2; 1867 1868 ielen = len - (pos - buf); /* start of IE in buf */ 1869 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) { 1870 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2"); 1871 goto error; 1872 } 1873 1874#ifdef CONFIG_TDLS_TESTING 1875 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 1876 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 1877 status = WLAN_STATUS_REQUEST_DECLINED; 1878 goto error; 1879 } 1880#endif /* CONFIG_TDLS_TESTING */ 1881 1882 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1883 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1884 "TPK M2"); 1885 goto error; 1886 } 1887 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 1888 kde.lnkid, kde.lnkid_len); 1889 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1890 1891 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1892 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 1893 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1894 goto error; 1895 } 1896 1897 if (copy_supp_rates(&kde, peer) < 0) 1898 goto error; 1899 1900 if (copy_peer_ht_capab(&kde, peer) < 0) 1901 goto error; 1902 1903 if (copy_peer_vht_capab(&kde, peer) < 0) 1904 goto error; 1905 1906 if (copy_peer_ext_capab(&kde, peer) < 0) 1907 goto error; 1908 1909 peer->qos_info = kde.qosinfo; 1910 1911 if (!wpa_tdls_get_privacy(sm)) { 1912 peer->rsnie_p_len = 0; 1913 peer->cipher = WPA_CIPHER_NONE; 1914 goto skip_rsn; 1915 } 1916 1917 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1918 kde.rsn_ie == NULL) { 1919 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 1920 status = WLAN_STATUS_INVALID_PARAMETERS; 1921 goto error; 1922 } 1923 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 1924 kde.rsn_ie, kde.rsn_ie_len); 1925 1926 /* 1927 * FIX: bitwise comparison of RSN IE is not the correct way of 1928 * validation this. It can be different, but certain fields must 1929 * match. Since we list only a single pairwise cipher in TPK M1, the 1930 * memcmp is likely to work in most cases, though. 1931 */ 1932 if (kde.rsn_ie_len != peer->rsnie_i_len || 1933 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 1934 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 1935 "not match with RSN IE used in TPK M1"); 1936 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 1937 peer->rsnie_i, peer->rsnie_i_len); 1938 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 1939 kde.rsn_ie, kde.rsn_ie_len); 1940 status = WLAN_STATUS_INVALID_RSNIE; 1941 goto error; 1942 } 1943 1944 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1945 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 1946 status = WLAN_STATUS_INVALID_RSNIE; 1947 goto error; 1948 } 1949 1950 cipher = ie.pairwise_cipher; 1951 if (cipher == WPA_CIPHER_CCMP) { 1952 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1953 cipher = WPA_CIPHER_CCMP; 1954 } else { 1955 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 1956 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1957 goto error; 1958 } 1959 1960 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 1961 kde.ftie, sizeof(*ftie)); 1962 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1963 1964 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 1965 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 1966 "not match with FTIE SNonce used in TPK M1"); 1967 /* Silently discard the frame */ 1968 return -1; 1969 } 1970 1971 /* Responder Nonce and RSN IE */ 1972 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 1973 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 1974 peer->rsnie_p_len = kde.rsn_ie_len; 1975 peer->cipher = cipher; 1976 1977 /* Lifetime */ 1978 if (kde.key_lifetime == NULL) { 1979 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 1980 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1981 goto error; 1982 } 1983 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1984 lifetime = WPA_GET_LE32(timeoutie->value); 1985 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 1986 lifetime); 1987 if (lifetime != peer->lifetime) { 1988 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 1989 "TPK M2 (expected %u)", lifetime, peer->lifetime); 1990 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1991 goto error; 1992 } 1993 1994 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 1995 1996 /* Process MIC check to see if TPK M2 is right */ 1997 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 1998 (u8 *) timeoutie, ftie) < 0) { 1999 /* Discard the frame */ 2000 wpa_tdls_del_key(sm, peer); 2001 wpa_tdls_peer_free(sm, peer); 2002 if (sm->tdls_external_setup) 2003 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 2004 return -1; 2005 } 2006 2007 if (wpa_tdls_set_key(sm, peer) < 0) { 2008 /* 2009 * Some drivers may not be able to config the key prior to full 2010 * STA entry having been configured. 2011 */ 2012 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2013 "STA entry is complete"); 2014 peer->reconfig_key = 1; 2015 } 2016 2017skip_rsn: 2018 peer->dtoken = dtoken; 2019 2020 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2021 "TPK Handshake Message 3"); 2022 wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer); 2023 2024 ret = wpa_tdls_enable_link(sm, peer); 2025 if (ret < 0) { 2026 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2027 wpa_tdls_do_teardown(sm, peer, 2028 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, 1); 2029 } 2030 return ret; 2031 2032error: 2033 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 2034 status); 2035 if (sm->tdls_external_setup) 2036 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 2037 return -1; 2038} 2039 2040 2041static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2042 const u8 *buf, size_t len) 2043{ 2044 struct wpa_tdls_peer *peer; 2045 struct wpa_eapol_ie_parse kde; 2046 struct wpa_tdls_ftie *ftie; 2047 struct wpa_tdls_timeoutie *timeoutie; 2048 struct wpa_tdls_lnkid *lnkid; 2049 int ielen; 2050 u16 status; 2051 const u8 *pos; 2052 u32 lifetime; 2053 int ret; 2054 2055 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2056 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2057 for (peer = sm->tdls; peer; peer = peer->next) { 2058 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2059 break; 2060 } 2061 if (peer == NULL) { 2062 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2063 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2064 return -1; 2065 } 2066 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2067 2068 if (len < 3 + 3) 2069 return -1; 2070 pos = buf; 2071 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2072 2073 status = WPA_GET_LE16(pos); 2074 2075 if (status != 0) { 2076 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2077 status); 2078 if (sm->tdls_external_setup) 2079 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 2080 return -1; 2081 } 2082 pos += 2 /* status code */ + 1 /* dialog token */; 2083 2084 ielen = len - (pos - buf); /* start of IE in buf */ 2085 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2086 wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3"); 2087 return -1; 2088 } 2089 2090 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2091 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2092 return -1; 2093 } 2094 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2095 (u8 *) kde.lnkid, kde.lnkid_len); 2096 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2097 2098 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2099 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2100 return -1; 2101 } 2102 2103 if (!wpa_tdls_get_privacy(sm)) 2104 goto skip_rsn; 2105 2106 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2107 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2108 return -1; 2109 } 2110 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2111 kde.ftie, sizeof(*ftie)); 2112 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2113 2114 if (kde.rsn_ie == NULL) { 2115 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2116 return -1; 2117 } 2118 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2119 kde.rsn_ie, kde.rsn_ie_len); 2120 if (kde.rsn_ie_len != peer->rsnie_p_len || 2121 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2122 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2123 "with the one sent in TPK M2"); 2124 return -1; 2125 } 2126 2127 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2128 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2129 "not match with FTIE ANonce used in TPK M2"); 2130 return -1; 2131 } 2132 2133 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2134 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2135 "match with FTIE SNonce used in TPK M1"); 2136 return -1; 2137 } 2138 2139 if (kde.key_lifetime == NULL) { 2140 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2141 return -1; 2142 } 2143 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2144 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2145 (u8 *) timeoutie, sizeof(*timeoutie)); 2146 lifetime = WPA_GET_LE32(timeoutie->value); 2147 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2148 lifetime); 2149 if (lifetime != peer->lifetime) { 2150 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2151 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2152 if (sm->tdls_external_setup) 2153 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr); 2154 return -1; 2155 } 2156 2157 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2158 (u8 *) timeoutie, ftie) < 0) { 2159 wpa_tdls_del_key(sm, peer); 2160 wpa_tdls_peer_free(sm, peer); 2161 return -1; 2162 } 2163 2164 if (wpa_tdls_set_key(sm, peer) < 0) { 2165 /* 2166 * Some drivers may not be able to config the key prior to full 2167 * STA entry having been configured. 2168 */ 2169 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2170 "STA entry is complete"); 2171 peer->reconfig_key = 1; 2172 } 2173 2174skip_rsn: 2175 ret = wpa_tdls_enable_link(sm, peer); 2176 if (ret < 0) { 2177 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2178 wpa_tdls_do_teardown(sm, peer, 2179 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, 1); 2180 } 2181 return ret; 2182} 2183 2184 2185static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2186{ 2187 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2188 2189 os_memset(lifetime, 0, ie_len); 2190 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2191 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2192 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2193 WPA_PUT_LE32(lifetime->value, tsecs); 2194 os_memcpy(pos, ie, ie_len); 2195 return pos + ie_len; 2196} 2197 2198 2199/** 2200 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2201 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2202 * @peer: MAC address of the peer STA 2203 * Returns: 0 on success, or -1 on failure 2204 * 2205 * Send TPK Handshake Message 1 info to driver to start TDLS 2206 * handshake with the peer. 2207 */ 2208int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2209{ 2210 struct wpa_tdls_peer *peer; 2211 int tdls_prohibited = sm->tdls_prohibited; 2212 2213 if (sm->tdls_disabled || !sm->tdls_supported) 2214 return -1; 2215 2216#ifdef CONFIG_TDLS_TESTING 2217 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2218 tdls_prohibited) { 2219 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2220 "on TDLS"); 2221 tdls_prohibited = 0; 2222 } 2223#endif /* CONFIG_TDLS_TESTING */ 2224 2225 if (tdls_prohibited) { 2226 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2227 "reject request to start setup"); 2228 return -1; 2229 } 2230 2231 peer = wpa_tdls_add_peer(sm, addr, NULL); 2232 if (peer == NULL) 2233 return -1; 2234 2235 peer->initiator = 1; 2236 2237 /* add the peer to the driver as a "setup in progress" peer */ 2238 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, NULL, 0, NULL, NULL, 0, 2239 NULL, 0); 2240 2241 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2242 wpa_tdls_disable_link(sm, peer->addr); 2243 return -1; 2244 } 2245 2246 return 0; 2247} 2248 2249 2250void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2251{ 2252 struct wpa_tdls_peer *peer; 2253 2254 if (sm->tdls_disabled || !sm->tdls_supported) 2255 return; 2256 2257 for (peer = sm->tdls; peer; peer = peer->next) { 2258 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2259 break; 2260 } 2261 2262 if (peer == NULL || !peer->tpk_success) 2263 return; 2264 2265 if (sm->tdls_external_setup) { 2266 /* 2267 * Disable previous link to allow renegotiation to be completed 2268 * on AP path. 2269 */ 2270 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2271 } 2272} 2273 2274 2275/** 2276 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2277 * 2278 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2279 */ 2280static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2281 const u8 *buf, size_t len) 2282{ 2283 struct wpa_sm *sm = ctx; 2284 struct wpa_tdls_frame *tf; 2285 2286 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2287 buf, len); 2288 2289 if (sm->tdls_disabled || !sm->tdls_supported) { 2290 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2291 "or unsupported by driver"); 2292 return; 2293 } 2294 2295 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2296 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2297 return; 2298 } 2299 2300 if (len < sizeof(*tf)) { 2301 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2302 return; 2303 } 2304 2305 /* Check to make sure its a valid encapsulated TDLS frame */ 2306 tf = (struct wpa_tdls_frame *) buf; 2307 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2308 tf->category != WLAN_ACTION_TDLS) { 2309 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2310 "category=%u action=%u", 2311 tf->payloadtype, tf->category, tf->action); 2312 return; 2313 } 2314 2315 switch (tf->action) { 2316 case WLAN_TDLS_SETUP_REQUEST: 2317 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2318 break; 2319 case WLAN_TDLS_SETUP_RESPONSE: 2320 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2321 break; 2322 case WLAN_TDLS_SETUP_CONFIRM: 2323 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2324 break; 2325 case WLAN_TDLS_TEARDOWN: 2326 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2327 break; 2328 case WLAN_TDLS_DISCOVERY_REQUEST: 2329 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2330 break; 2331 default: 2332 /* Kernel code will process remaining frames */ 2333 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2334 tf->action); 2335 break; 2336 } 2337} 2338 2339 2340/** 2341 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2342 * @wpa_s: Pointer to wpa_supplicant data 2343 * Returns: 0 on success, -1 on failure 2344 * 2345 * This function is called to initialize driver interface parameters for TDLS. 2346 * wpa_drv_init() must have been called before this function to initialize the 2347 * driver interface. 2348 */ 2349int wpa_tdls_init(struct wpa_sm *sm) 2350{ 2351 if (sm == NULL) 2352 return -1; 2353 2354 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2355 sm->ifname, 2356 sm->own_addr, 2357 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2358 sm, 0); 2359 if (sm->l2_tdls == NULL) { 2360 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2361 "connection"); 2362 return -1; 2363 } 2364 2365 /* 2366 * Drivers that support TDLS but don't implement the get_capa callback 2367 * are assumed to perform everything internally 2368 */ 2369 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2370 &sm->tdls_external_setup) < 0) { 2371 sm->tdls_supported = 1; 2372 sm->tdls_external_setup = 0; 2373 } 2374 2375 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2376 "driver", sm->tdls_supported ? "" : " not"); 2377 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2378 sm->tdls_external_setup ? "external" : "internal"); 2379 2380 return 0; 2381} 2382 2383 2384void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2385{ 2386 struct wpa_tdls_peer *peer; 2387 2388 peer = sm->tdls; 2389 2390 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2391 2392 while (peer) { 2393 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2394 MAC2STR(peer->addr)); 2395 if (sm->tdls_external_setup) 2396 wpa_tdls_send_teardown(sm, peer->addr, 2397 WLAN_REASON_DEAUTH_LEAVING); 2398 else 2399 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2400 2401 peer = peer->next; 2402 } 2403} 2404 2405 2406static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2407{ 2408 struct wpa_tdls_peer *peer, *tmp; 2409 2410 peer = sm->tdls; 2411 sm->tdls = NULL; 2412 2413 while (peer) { 2414 int res; 2415 tmp = peer->next; 2416 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2417 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2418 MAC2STR(peer->addr), res); 2419 wpa_tdls_peer_free(sm, peer); 2420 os_free(peer); 2421 peer = tmp; 2422 } 2423} 2424 2425 2426/** 2427 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2428 * 2429 * This function is called to recover driver interface parameters for TDLS 2430 * and frees resources allocated for it. 2431 */ 2432void wpa_tdls_deinit(struct wpa_sm *sm) 2433{ 2434 if (sm == NULL) 2435 return; 2436 2437 if (sm->l2_tdls) 2438 l2_packet_deinit(sm->l2_tdls); 2439 sm->l2_tdls = NULL; 2440 2441 wpa_tdls_remove_peers(sm); 2442} 2443 2444 2445void wpa_tdls_assoc(struct wpa_sm *sm) 2446{ 2447 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2448 wpa_tdls_remove_peers(sm); 2449} 2450 2451 2452void wpa_tdls_disassoc(struct wpa_sm *sm) 2453{ 2454 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2455 wpa_tdls_remove_peers(sm); 2456} 2457 2458 2459static int wpa_tdls_prohibited(const u8 *ies, size_t len) 2460{ 2461 struct wpa_eapol_ie_parse elems; 2462 2463 if (ies == NULL) 2464 return 0; 2465 2466 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0) 2467 return 0; 2468 2469 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2470 return 0; 2471 2472 /* bit 38 - TDLS Prohibited */ 2473 return !!(elems.ext_capab[2 + 4] & 0x40); 2474} 2475 2476 2477void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2478{ 2479 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len); 2480 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2481 sm->tdls_prohibited ? "prohibited" : "allowed"); 2482} 2483 2484 2485void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2486{ 2487 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) { 2488 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2489 "(Re)Association Response IEs"); 2490 sm->tdls_prohibited = 1; 2491 } 2492} 2493 2494 2495void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2496{ 2497 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2498 sm->tdls_disabled = !enabled; 2499} 2500 2501 2502int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2503{ 2504 return sm->tdls_external_setup; 2505} 2506