tdls.c revision b36ed7cd946148d829f311de8fe53ea3ffaaffe3
1/* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/os.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/sha256.h" 16#include "crypto/crypto.h" 17#include "crypto/aes_wrap.h" 18#include "rsn_supp/wpa.h" 19#include "rsn_supp/wpa_ie.h" 20#include "rsn_supp/wpa_i.h" 21#include "drivers/driver.h" 22#include "l2_packet/l2_packet.h" 23 24#ifdef CONFIG_TDLS_TESTING 25#define TDLS_TESTING_LONG_FRAME BIT(0) 26#define TDLS_TESTING_ALT_RSN_IE BIT(1) 27#define TDLS_TESTING_DIFF_BSSID BIT(2) 28#define TDLS_TESTING_SHORT_LIFETIME BIT(3) 29#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 30#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 31#define TDLS_TESTING_LONG_LIFETIME BIT(6) 32#define TDLS_TESTING_CONCURRENT_INIT BIT(7) 33#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 34#define TDLS_TESTING_DECLINE_RESP BIT(9) 35#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 36unsigned int tdls_testing = 0; 37#endif /* CONFIG_TDLS_TESTING */ 38 39#define TPK_LIFETIME 43200 /* 12 hours */ 40#define TPK_M1_RETRY_COUNT 3 41#define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 42#define TPK_M2_RETRY_COUNT 10 43#define TPK_M2_TIMEOUT 500 /* in milliseconds */ 44 45#define TDLS_MIC_LEN 16 46 47#define TDLS_TIMEOUT_LEN 4 48 49struct wpa_tdls_ftie { 50 u8 ie_type; /* FTIE */ 51 u8 ie_len; 52 u8 mic_ctrl[2]; 53 u8 mic[TDLS_MIC_LEN]; 54 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 55 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 56 /* followed by optional elements */ 57} STRUCT_PACKED; 58 59struct wpa_tdls_timeoutie { 60 u8 ie_type; /* Timeout IE */ 61 u8 ie_len; 62 u8 interval_type; 63 u8 value[TDLS_TIMEOUT_LEN]; 64} STRUCT_PACKED; 65 66struct wpa_tdls_lnkid { 67 u8 ie_type; /* Link Identifier IE */ 68 u8 ie_len; 69 u8 bssid[ETH_ALEN]; 70 u8 init_sta[ETH_ALEN]; 71 u8 resp_sta[ETH_ALEN]; 72} STRUCT_PACKED; 73 74/* TDLS frame headers as per IEEE Std 802.11z-2010 */ 75struct wpa_tdls_frame { 76 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 77 u8 category; /* Category */ 78 u8 action; /* Action (enum tdls_frame_type) */ 79} STRUCT_PACKED; 80 81static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 82static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 83static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 84static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 85 struct wpa_tdls_peer *peer); 86 87 88#define TDLS_MAX_IE_LEN 80 89#define IEEE80211_MAX_SUPP_RATES 32 90 91struct wpa_tdls_peer { 92 struct wpa_tdls_peer *next; 93 unsigned int reconfig_key:1; 94 int initiator; /* whether this end was initiator for TDLS setup */ 95 u8 addr[ETH_ALEN]; /* other end MAC address */ 96 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 97 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 98 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 99 size_t rsnie_i_len; 100 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 101 size_t rsnie_p_len; 102 u32 lifetime; 103 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 104 u8 dtoken; 105 106 struct tpk { 107 u8 kck[16]; /* TPK-KCK */ 108 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 109 } tpk; 110 int tpk_set; 111 int tpk_success; 112 int tpk_in_progress; 113 114 struct tpk_timer { 115 u8 dest[ETH_ALEN]; 116 int count; /* Retry Count */ 117 int timer; /* Timeout in milliseconds */ 118 u8 action_code; /* TDLS frame type */ 119 u8 dialog_token; 120 u16 status_code; 121 int buf_len; /* length of TPK message for retransmission */ 122 u8 *buf; /* buffer for TPK message */ 123 } sm_tmr; 124 125 u16 capability; 126 127 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 128 size_t supp_rates_len; 129 130 struct ieee80211_ht_capabilities *ht_capabilities; 131 struct ieee80211_vht_capabilities *vht_capabilities; 132 133 u8 qos_info; 134 135 u16 aid; 136 137 u8 *ext_capab; 138 size_t ext_capab_len; 139 140 u8 *supp_channels; 141 size_t supp_channels_len; 142 143 u8 *supp_oper_classes; 144 size_t supp_oper_classes_len; 145}; 146 147 148static int wpa_tdls_get_privacy(struct wpa_sm *sm) 149{ 150 /* 151 * Get info needed from supplicant to check if the current BSS supports 152 * security. Other than OPEN mode, rest are considered secured 153 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 154 */ 155 return sm->pairwise_cipher != WPA_CIPHER_NONE; 156} 157 158 159static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 160{ 161 os_memcpy(pos, ie, ie_len); 162 return pos + ie_len; 163} 164 165 166static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 167{ 168 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 169 0, 0, NULL, 0, NULL, 0) < 0) { 170 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 171 "the driver"); 172 return -1; 173 } 174 175 return 0; 176} 177 178 179static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 180{ 181 u8 key_len; 182 u8 rsc[6]; 183 enum wpa_alg alg; 184 185 os_memset(rsc, 0, 6); 186 187 switch (peer->cipher) { 188 case WPA_CIPHER_CCMP: 189 alg = WPA_ALG_CCMP; 190 key_len = 16; 191 break; 192 case WPA_CIPHER_NONE: 193 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 194 "NONE - do not use pairwise keys"); 195 return -1; 196 default: 197 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 198 sm->pairwise_cipher); 199 return -1; 200 } 201 202 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 203 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 204 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 205 "driver"); 206 return -1; 207 } 208 return 0; 209} 210 211 212static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 213 u8 action_code, u8 dialog_token, 214 u16 status_code, const u8 *buf, size_t len) 215{ 216 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 217 status_code, buf, len); 218} 219 220 221static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 222 u8 dialog_token, u16 status_code, 223 const u8 *msg, size_t msg_len) 224{ 225 struct wpa_tdls_peer *peer; 226 227 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 228 "dialog_token=%u status_code=%u msg_len=%u", 229 MAC2STR(dest), action_code, dialog_token, status_code, 230 (unsigned int) msg_len); 231 232 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 233 status_code, msg, msg_len)) { 234 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 235 "(action_code=%u)", action_code); 236 return -1; 237 } 238 239 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 240 action_code == WLAN_TDLS_TEARDOWN || 241 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 242 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 243 return 0; /* No retries */ 244 245 for (peer = sm->tdls; peer; peer = peer->next) { 246 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 247 break; 248 } 249 250 if (peer == NULL) { 251 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 252 "retry " MACSTR, MAC2STR(dest)); 253 return 0; 254 } 255 256 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 257 258 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 259 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 260 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 261 } else { 262 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 263 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 264 } 265 266 /* Copy message to resend on timeout */ 267 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 268 peer->sm_tmr.action_code = action_code; 269 peer->sm_tmr.dialog_token = dialog_token; 270 peer->sm_tmr.status_code = status_code; 271 peer->sm_tmr.buf_len = msg_len; 272 os_free(peer->sm_tmr.buf); 273 peer->sm_tmr.buf = os_malloc(msg_len); 274 if (peer->sm_tmr.buf == NULL) 275 return -1; 276 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 277 278 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 279 "(action_code=%u)", action_code); 280 eloop_register_timeout(peer->sm_tmr.timer / 1000, 281 (peer->sm_tmr.timer % 1000) * 1000, 282 wpa_tdls_tpk_retry_timeout, sm, peer); 283 return 0; 284} 285 286 287static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 288 u16 reason_code) 289{ 290 int ret; 291 292 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 293 /* disable the link after teardown was sent */ 294 wpa_tdls_disable_peer_link(sm, peer); 295 296 return ret; 297} 298 299 300static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 301{ 302 303 struct wpa_sm *sm = eloop_ctx; 304 struct wpa_tdls_peer *peer = timeout_ctx; 305 306 if (peer->sm_tmr.count) { 307 peer->sm_tmr.count--; 308 309 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 310 "(action_code=%u)", 311 peer->sm_tmr.action_code); 312 313 if (peer->sm_tmr.buf == NULL) { 314 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 315 "for action_code=%u", 316 peer->sm_tmr.action_code); 317 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 318 peer); 319 return; 320 } 321 322 /* resend TPK Handshake Message to Peer */ 323 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 324 peer->sm_tmr.action_code, 325 peer->sm_tmr.dialog_token, 326 peer->sm_tmr.status_code, 327 peer->sm_tmr.buf, 328 peer->sm_tmr.buf_len)) { 329 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 330 "transmission"); 331 } 332 333 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 334 eloop_register_timeout(peer->sm_tmr.timer / 1000, 335 (peer->sm_tmr.timer % 1000) * 1000, 336 wpa_tdls_tpk_retry_timeout, sm, peer); 337 } else { 338 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 339 340 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 341 wpa_tdls_do_teardown(sm, peer, 342 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 343 } 344} 345 346 347static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 348 struct wpa_tdls_peer *peer, 349 u8 action_code) 350{ 351 if (action_code == peer->sm_tmr.action_code) { 352 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 353 "action_code=%u", action_code); 354 355 /* Cancel Timeout registered */ 356 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 357 358 /* free all resources meant for retry */ 359 os_free(peer->sm_tmr.buf); 360 peer->sm_tmr.buf = NULL; 361 362 peer->sm_tmr.count = 0; 363 peer->sm_tmr.timer = 0; 364 peer->sm_tmr.buf_len = 0; 365 peer->sm_tmr.action_code = 0xff; 366 } else { 367 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 368 "(Unknown action_code=%u)", action_code); 369 } 370} 371 372 373static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 374 const u8 *own_addr, const u8 *bssid) 375{ 376 u8 key_input[SHA256_MAC_LEN]; 377 const u8 *nonce[2]; 378 size_t len[2]; 379 u8 data[3 * ETH_ALEN]; 380 381 /* IEEE Std 802.11z-2010 8.5.9.1: 382 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 383 */ 384 len[0] = WPA_NONCE_LEN; 385 len[1] = WPA_NONCE_LEN; 386 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 387 nonce[0] = peer->inonce; 388 nonce[1] = peer->rnonce; 389 } else { 390 nonce[0] = peer->rnonce; 391 nonce[1] = peer->inonce; 392 } 393 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 394 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 395 sha256_vector(2, nonce, len, key_input); 396 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 397 key_input, SHA256_MAC_LEN); 398 399 /* 400 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 401 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 402 * TODO: is N_KEY really included in KDF Context and if so, in which 403 * presentation format (little endian 16-bit?) is it used? It gets 404 * added by the KDF anyway.. 405 */ 406 407 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 408 os_memcpy(data, own_addr, ETH_ALEN); 409 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 410 } else { 411 os_memcpy(data, peer->addr, ETH_ALEN); 412 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 413 } 414 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 415 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 416 417 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 418 (u8 *) &peer->tpk, sizeof(peer->tpk)); 419 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 420 peer->tpk.kck, sizeof(peer->tpk.kck)); 421 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 422 peer->tpk.tk, sizeof(peer->tpk.tk)); 423 peer->tpk_set = 1; 424} 425 426 427/** 428 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 429 * @kck: TPK-KCK 430 * @lnkid: Pointer to the beginning of Link Identifier IE 431 * @rsnie: Pointer to the beginning of RSN IE used for handshake 432 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 433 * @ftie: Pointer to the beginning of FT IE 434 * @mic: Pointer for writing MIC 435 * 436 * Calculate MIC for TDLS frame. 437 */ 438static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 439 const u8 *rsnie, const u8 *timeoutie, 440 const u8 *ftie, u8 *mic) 441{ 442 u8 *buf, *pos; 443 struct wpa_tdls_ftie *_ftie; 444 const struct wpa_tdls_lnkid *_lnkid; 445 int ret; 446 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 447 2 + timeoutie[1] + 2 + ftie[1]; 448 buf = os_zalloc(len); 449 if (!buf) { 450 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 451 return -1; 452 } 453 454 pos = buf; 455 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 456 /* 1) TDLS initiator STA MAC address */ 457 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 458 pos += ETH_ALEN; 459 /* 2) TDLS responder STA MAC address */ 460 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 461 pos += ETH_ALEN; 462 /* 3) Transaction Sequence number */ 463 *pos++ = trans_seq; 464 /* 4) Link Identifier IE */ 465 os_memcpy(pos, lnkid, 2 + lnkid[1]); 466 pos += 2 + lnkid[1]; 467 /* 5) RSN IE */ 468 os_memcpy(pos, rsnie, 2 + rsnie[1]); 469 pos += 2 + rsnie[1]; 470 /* 6) Timeout Interval IE */ 471 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 472 pos += 2 + timeoutie[1]; 473 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 474 os_memcpy(pos, ftie, 2 + ftie[1]); 475 _ftie = (struct wpa_tdls_ftie *) pos; 476 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 477 pos += 2 + ftie[1]; 478 479 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 480 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 481 ret = omac1_aes_128(kck, buf, pos - buf, mic); 482 os_free(buf); 483 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 484 return ret; 485} 486 487 488/** 489 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 490 * @kck: TPK-KCK 491 * @trans_seq: Transaction Sequence Number (4 - Teardown) 492 * @rcode: Reason code for Teardown 493 * @dtoken: Dialog Token used for that particular link 494 * @lnkid: Pointer to the beginning of Link Identifier IE 495 * @ftie: Pointer to the beginning of FT IE 496 * @mic: Pointer for writing MIC 497 * 498 * Calculate MIC for TDLS frame. 499 */ 500static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 501 u8 dtoken, const u8 *lnkid, 502 const u8 *ftie, u8 *mic) 503{ 504 u8 *buf, *pos; 505 struct wpa_tdls_ftie *_ftie; 506 int ret; 507 int len; 508 509 if (lnkid == NULL) 510 return -1; 511 512 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 513 sizeof(trans_seq) + 2 + ftie[1]; 514 515 buf = os_zalloc(len); 516 if (!buf) { 517 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 518 return -1; 519 } 520 521 pos = buf; 522 /* 1) Link Identifier IE */ 523 os_memcpy(pos, lnkid, 2 + lnkid[1]); 524 pos += 2 + lnkid[1]; 525 /* 2) Reason Code */ 526 WPA_PUT_LE16(pos, rcode); 527 pos += sizeof(rcode); 528 /* 3) Dialog token */ 529 *pos++ = dtoken; 530 /* 4) Transaction Sequence number */ 531 *pos++ = trans_seq; 532 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 533 os_memcpy(pos, ftie, 2 + ftie[1]); 534 _ftie = (struct wpa_tdls_ftie *) pos; 535 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 536 pos += 2 + ftie[1]; 537 538 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 539 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 540 ret = omac1_aes_128(kck, buf, pos - buf, mic); 541 os_free(buf); 542 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 543 return ret; 544} 545 546 547static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 548 struct wpa_tdls_peer *peer, 549 const u8 *lnkid, const u8 *timeoutie, 550 const struct wpa_tdls_ftie *ftie) 551{ 552 u8 mic[16]; 553 554 if (peer->tpk_set) { 555 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 556 peer->rsnie_p, timeoutie, (u8 *) ftie, 557 mic); 558 if (os_memcmp(mic, ftie->mic, 16) != 0) { 559 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 560 "dropping packet"); 561 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 562 ftie->mic, 16); 563 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 564 mic, 16); 565 return -1; 566 } 567 } else { 568 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 569 "TPK not set - dropping packet"); 570 return -1; 571 } 572 return 0; 573} 574 575 576static int wpa_supplicant_verify_tdls_mic_teardown( 577 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 578 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 579{ 580 u8 mic[16]; 581 582 if (peer->tpk_set) { 583 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 584 dtoken, lnkid, (u8 *) ftie, mic); 585 if (os_memcmp(mic, ftie->mic, 16) != 0) { 586 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 587 "dropping packet"); 588 return -1; 589 } 590 } else { 591 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 592 "MIC, TPK not set - dropping packet"); 593 return -1; 594 } 595 return 0; 596} 597 598 599static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 600{ 601 struct wpa_sm *sm = eloop_ctx; 602 struct wpa_tdls_peer *peer = timeout_ctx; 603 604 /* 605 * On TPK lifetime expiration, we have an option of either tearing down 606 * the direct link or trying to re-initiate it. The selection of what 607 * to do is not strictly speaking controlled by our role in the expired 608 * link, but for now, use that to select whether to renew or tear down 609 * the link. 610 */ 611 612 if (peer->initiator) { 613 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 614 " - try to renew", MAC2STR(peer->addr)); 615 wpa_tdls_start(sm, peer->addr); 616 } else { 617 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 618 " - tear down", MAC2STR(peer->addr)); 619 wpa_tdls_do_teardown(sm, peer, 620 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 621 } 622} 623 624 625static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 626{ 627 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 628 MAC2STR(peer->addr)); 629 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 630 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 631 peer->reconfig_key = 0; 632 peer->initiator = 0; 633 peer->tpk_in_progress = 0; 634 os_free(peer->sm_tmr.buf); 635 peer->sm_tmr.buf = NULL; 636 os_free(peer->ht_capabilities); 637 peer->ht_capabilities = NULL; 638 os_free(peer->vht_capabilities); 639 peer->vht_capabilities = NULL; 640 os_free(peer->ext_capab); 641 peer->ext_capab = NULL; 642 os_free(peer->supp_channels); 643 peer->supp_channels = NULL; 644 os_free(peer->supp_oper_classes); 645 peer->supp_oper_classes = NULL; 646 peer->rsnie_i_len = peer->rsnie_p_len = 0; 647 peer->cipher = 0; 648 peer->tpk_set = peer->tpk_success = 0; 649 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 650 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 651 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 652} 653 654 655static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 656 struct wpa_tdls_lnkid *lnkid) 657{ 658 lnkid->ie_type = WLAN_EID_LINK_ID; 659 lnkid->ie_len = 3 * ETH_ALEN; 660 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 661 if (peer->initiator) { 662 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 663 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 664 } else { 665 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 666 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 667 } 668} 669 670 671int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 672{ 673 struct wpa_tdls_peer *peer; 674 struct wpa_tdls_ftie *ftie; 675 struct wpa_tdls_lnkid lnkid; 676 u8 dialog_token; 677 u8 *rbuf, *pos; 678 int ielen; 679 680 if (sm->tdls_disabled || !sm->tdls_supported) 681 return -1; 682 683 /* Find the node and free from the list */ 684 for (peer = sm->tdls; peer; peer = peer->next) { 685 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 686 break; 687 } 688 689 if (peer == NULL) { 690 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 691 "Teardown " MACSTR, MAC2STR(addr)); 692 return 0; 693 } 694 695 dialog_token = peer->dtoken; 696 697 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 698 MAC2STR(addr)); 699 700 ielen = 0; 701 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 702 /* To add FTIE for Teardown request and compute MIC */ 703 ielen += sizeof(*ftie); 704#ifdef CONFIG_TDLS_TESTING 705 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 706 ielen += 170; 707#endif /* CONFIG_TDLS_TESTING */ 708 } 709 710 rbuf = os_zalloc(ielen + 1); 711 if (rbuf == NULL) 712 return -1; 713 pos = rbuf; 714 715 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 716 goto skip_ies; 717 718 ftie = (struct wpa_tdls_ftie *) pos; 719 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 720 /* Using the recent nonce which should be for CONFIRM frame */ 721 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 722 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 723 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 724 pos = (u8 *) (ftie + 1); 725#ifdef CONFIG_TDLS_TESTING 726 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 727 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 728 "FTIE"); 729 ftie->ie_len += 170; 730 *pos++ = 255; /* FTIE subelem */ 731 *pos++ = 168; /* FTIE subelem length */ 732 pos += 168; 733 } 734#endif /* CONFIG_TDLS_TESTING */ 735 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 736 (u8 *) ftie, pos - (u8 *) ftie); 737 738 /* compute MIC before sending */ 739 wpa_tdls_linkid(sm, peer, &lnkid); 740 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 741 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 742 ftie->mic); 743 744skip_ies: 745 /* TODO: register for a Timeout handler, if Teardown is not received at 746 * the other end, then try again another time */ 747 748 /* request driver to send Teardown using this FTIE */ 749 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 750 reason_code, rbuf, pos - rbuf); 751 os_free(rbuf); 752 753 /* clear the Peerkey statemachine */ 754 wpa_tdls_peer_free(sm, peer); 755 756 return 0; 757} 758 759 760int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 761{ 762 struct wpa_tdls_peer *peer; 763 764 if (sm->tdls_disabled || !sm->tdls_supported) 765 return -1; 766 767 for (peer = sm->tdls; peer; peer = peer->next) { 768 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 769 break; 770 } 771 772 if (peer == NULL) { 773 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 774 " for link Teardown", MAC2STR(addr)); 775 return -1; 776 } 777 778 if (!peer->tpk_success) { 779 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 780 " not connected - cannot Teardown link", MAC2STR(addr)); 781 return -1; 782 } 783 784 return wpa_tdls_do_teardown(sm, peer, reason_code); 785} 786 787 788static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 789 struct wpa_tdls_peer *peer) 790{ 791 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 792 wpa_tdls_peer_free(sm, peer); 793} 794 795 796void wpa_tdls_disable_link(struct wpa_sm *sm, const u8 *addr) 797{ 798 struct wpa_tdls_peer *peer; 799 800 for (peer = sm->tdls; peer; peer = peer->next) { 801 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 802 break; 803 } 804 805 if (peer) 806 wpa_tdls_disable_peer_link(sm, peer); 807} 808 809 810const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 811{ 812 struct wpa_tdls_peer *peer; 813 814 if (sm->tdls_disabled || !sm->tdls_supported) 815 return "disabled"; 816 817 for (peer = sm->tdls; peer; peer = peer->next) { 818 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 819 break; 820 } 821 822 if (peer == NULL) 823 return "peer does not exist"; 824 825 if (!peer->tpk_success) 826 return "peer not connected"; 827 828 return "connected"; 829} 830 831 832static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 833 const u8 *buf, size_t len) 834{ 835 struct wpa_tdls_peer *peer = NULL; 836 struct wpa_tdls_ftie *ftie; 837 struct wpa_tdls_lnkid *lnkid; 838 struct wpa_eapol_ie_parse kde; 839 u16 reason_code; 840 const u8 *pos; 841 int ielen; 842 843 /* Find the node and free from the list */ 844 for (peer = sm->tdls; peer; peer = peer->next) { 845 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 846 break; 847 } 848 849 if (peer == NULL) { 850 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 851 "Teardown " MACSTR, MAC2STR(src_addr)); 852 return 0; 853 } 854 855 pos = buf; 856 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 857 858 reason_code = WPA_GET_LE16(pos); 859 pos += 2; 860 861 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 862 " (reason code %u)", MAC2STR(src_addr), reason_code); 863 864 ielen = len - (pos - buf); /* start of IE in buf */ 865 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 866 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown"); 867 return -1; 868 } 869 870 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 871 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 872 "Teardown"); 873 return -1; 874 } 875 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 876 877 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 878 goto skip_ftie; 879 880 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 881 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 882 return -1; 883 } 884 885 ftie = (struct wpa_tdls_ftie *) kde.ftie; 886 887 /* Process MIC check to see if TDLS Teardown is right */ 888 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 889 peer->dtoken, peer, 890 (u8 *) lnkid, ftie) < 0) { 891 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 892 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 893 return -1; 894 } 895 896skip_ftie: 897 /* 898 * Request the driver to disable the direct link and clear associated 899 * keys. 900 */ 901 wpa_tdls_disable_peer_link(sm, peer); 902 return 0; 903} 904 905 906/** 907 * wpa_tdls_send_error - To send suitable TDLS status response with 908 * appropriate status code mentioning reason for error/failure. 909 * @dst - MAC addr of Peer station 910 * @tdls_action - TDLS frame type for which error code is sent 911 * @status - status code mentioning reason 912 */ 913 914static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 915 u8 tdls_action, u8 dialog_token, u16 status) 916{ 917 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 918 " (action=%u status=%u)", 919 MAC2STR(dst), tdls_action, status); 920 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 921 NULL, 0); 922} 923 924 925static struct wpa_tdls_peer * 926wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 927{ 928 struct wpa_tdls_peer *peer; 929 930 if (existing) 931 *existing = 0; 932 for (peer = sm->tdls; peer; peer = peer->next) { 933 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 934 if (existing) 935 *existing = 1; 936 return peer; /* re-use existing entry */ 937 } 938 } 939 940 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 941 MAC2STR(addr)); 942 943 peer = os_zalloc(sizeof(*peer)); 944 if (peer == NULL) 945 return NULL; 946 947 os_memcpy(peer->addr, addr, ETH_ALEN); 948 peer->next = sm->tdls; 949 sm->tdls = peer; 950 951 return peer; 952} 953 954 955static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 956 struct wpa_tdls_peer *peer) 957{ 958 size_t buf_len; 959 struct wpa_tdls_timeoutie timeoutie; 960 u16 rsn_capab; 961 struct wpa_tdls_ftie *ftie; 962 u8 *rbuf, *pos, *count_pos; 963 u16 count; 964 struct rsn_ie_hdr *hdr; 965 int status; 966 967 if (!wpa_tdls_get_privacy(sm)) { 968 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 969 peer->rsnie_i_len = 0; 970 goto skip_rsnie; 971 } 972 973 /* 974 * TPK Handshake Message 1: 975 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 976 * Timeout Interval IE)) 977 */ 978 979 /* Filling RSN IE */ 980 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 981 hdr->elem_id = WLAN_EID_RSN; 982 WPA_PUT_LE16(hdr->version, RSN_VERSION); 983 984 pos = (u8 *) (hdr + 1); 985 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 986 pos += RSN_SELECTOR_LEN; 987 count_pos = pos; 988 pos += 2; 989 990 count = 0; 991 992 /* 993 * AES-CCMP is the default Encryption preferred for TDLS, so 994 * RSN IE is filled only with CCMP CIPHER 995 * Note: TKIP is not used to encrypt TDLS link. 996 * 997 * Regardless of the cipher used on the AP connection, select CCMP 998 * here. 999 */ 1000 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1001 pos += RSN_SELECTOR_LEN; 1002 count++; 1003 1004 WPA_PUT_LE16(count_pos, count); 1005 1006 WPA_PUT_LE16(pos, 1); 1007 pos += 2; 1008 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1009 pos += RSN_SELECTOR_LEN; 1010 1011 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1012 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1013#ifdef CONFIG_TDLS_TESTING 1014 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1015 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1016 "testing"); 1017 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1018 } 1019#endif /* CONFIG_TDLS_TESTING */ 1020 WPA_PUT_LE16(pos, rsn_capab); 1021 pos += 2; 1022#ifdef CONFIG_TDLS_TESTING 1023 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1024 /* Number of PMKIDs */ 1025 *pos++ = 0x00; 1026 *pos++ = 0x00; 1027 } 1028#endif /* CONFIG_TDLS_TESTING */ 1029 1030 hdr->len = (pos - peer->rsnie_i) - 2; 1031 peer->rsnie_i_len = pos - peer->rsnie_i; 1032 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1033 peer->rsnie_i, peer->rsnie_i_len); 1034 1035skip_rsnie: 1036 buf_len = 0; 1037 if (wpa_tdls_get_privacy(sm)) 1038 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1039 sizeof(struct wpa_tdls_timeoutie); 1040#ifdef CONFIG_TDLS_TESTING 1041 if (wpa_tdls_get_privacy(sm) && 1042 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1043 buf_len += 170; 1044 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1045 buf_len += sizeof(struct wpa_tdls_lnkid); 1046#endif /* CONFIG_TDLS_TESTING */ 1047 rbuf = os_zalloc(buf_len + 1); 1048 if (rbuf == NULL) { 1049 wpa_tdls_peer_free(sm, peer); 1050 return -1; 1051 } 1052 pos = rbuf; 1053 1054 if (!wpa_tdls_get_privacy(sm)) 1055 goto skip_ies; 1056 1057 /* Initiator RSN IE */ 1058 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1059 1060 ftie = (struct wpa_tdls_ftie *) pos; 1061 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1062 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1063 1064 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1065 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1066 "TDLS: Failed to get random data for initiator Nonce"); 1067 os_free(rbuf); 1068 wpa_tdls_peer_free(sm, peer); 1069 return -1; 1070 } 1071 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1072 peer->inonce, WPA_NONCE_LEN); 1073 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1074 1075 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1076 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1077 1078 pos = (u8 *) (ftie + 1); 1079 1080#ifdef CONFIG_TDLS_TESTING 1081 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1082 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1083 "FTIE"); 1084 ftie->ie_len += 170; 1085 *pos++ = 255; /* FTIE subelem */ 1086 *pos++ = 168; /* FTIE subelem length */ 1087 pos += 168; 1088 } 1089#endif /* CONFIG_TDLS_TESTING */ 1090 1091 /* Lifetime */ 1092 peer->lifetime = TPK_LIFETIME; 1093#ifdef CONFIG_TDLS_TESTING 1094 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1095 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1096 "lifetime"); 1097 peer->lifetime = 301; 1098 } 1099 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1100 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1101 "lifetime"); 1102 peer->lifetime = 0xffffffff; 1103 } 1104#endif /* CONFIG_TDLS_TESTING */ 1105 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1106 sizeof(timeoutie), peer->lifetime); 1107 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1108 1109skip_ies: 1110 1111#ifdef CONFIG_TDLS_TESTING 1112 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1113 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1114 "Link Identifier"); 1115 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1116 wpa_tdls_linkid(sm, peer, l); 1117 l->bssid[5] ^= 0x01; 1118 pos += sizeof(*l); 1119 } 1120#endif /* CONFIG_TDLS_TESTING */ 1121 1122 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1123 "Handshake Message 1 (peer " MACSTR ")", 1124 MAC2STR(peer->addr)); 1125 1126 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1127 1, 0, rbuf, pos - rbuf); 1128 os_free(rbuf); 1129 1130 return status; 1131} 1132 1133 1134static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1135 const unsigned char *src_addr, u8 dtoken, 1136 struct wpa_tdls_lnkid *lnkid, 1137 const struct wpa_tdls_peer *peer) 1138{ 1139 u8 *rbuf, *pos; 1140 size_t buf_len; 1141 u32 lifetime; 1142 struct wpa_tdls_timeoutie timeoutie; 1143 struct wpa_tdls_ftie *ftie; 1144 int status; 1145 1146 buf_len = 0; 1147 if (wpa_tdls_get_privacy(sm)) { 1148 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1149 * Lifetime */ 1150 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1151 sizeof(struct wpa_tdls_timeoutie); 1152#ifdef CONFIG_TDLS_TESTING 1153 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1154 buf_len += 170; 1155#endif /* CONFIG_TDLS_TESTING */ 1156 } 1157 1158 rbuf = os_zalloc(buf_len + 1); 1159 if (rbuf == NULL) 1160 return -1; 1161 pos = rbuf; 1162 1163 if (!wpa_tdls_get_privacy(sm)) 1164 goto skip_ies; 1165 1166 /* Peer RSN IE */ 1167 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1168 1169 ftie = (struct wpa_tdls_ftie *) pos; 1170 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1171 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1172 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1173 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1174 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1175 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1176 (u8 *) ftie, sizeof(*ftie)); 1177 1178 pos = (u8 *) (ftie + 1); 1179 1180#ifdef CONFIG_TDLS_TESTING 1181 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1182 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1183 "FTIE"); 1184 ftie->ie_len += 170; 1185 *pos++ = 255; /* FTIE subelem */ 1186 *pos++ = 168; /* FTIE subelem length */ 1187 pos += 168; 1188 } 1189#endif /* CONFIG_TDLS_TESTING */ 1190 1191 /* Lifetime */ 1192 lifetime = peer->lifetime; 1193#ifdef CONFIG_TDLS_TESTING 1194 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1195 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1196 "lifetime in response"); 1197 lifetime++; 1198 } 1199#endif /* CONFIG_TDLS_TESTING */ 1200 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1201 sizeof(timeoutie), lifetime); 1202 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1203 lifetime); 1204 1205 /* compute MIC before sending */ 1206 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1207 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1208 1209skip_ies: 1210 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1211 dtoken, 0, rbuf, pos - rbuf); 1212 os_free(rbuf); 1213 1214 return status; 1215} 1216 1217 1218static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1219 const unsigned char *src_addr, u8 dtoken, 1220 struct wpa_tdls_lnkid *lnkid, 1221 const struct wpa_tdls_peer *peer) 1222{ 1223 u8 *rbuf, *pos; 1224 size_t buf_len; 1225 struct wpa_tdls_ftie *ftie; 1226 struct wpa_tdls_timeoutie timeoutie; 1227 u32 lifetime; 1228 int status; 1229 1230 buf_len = 0; 1231 if (wpa_tdls_get_privacy(sm)) { 1232 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1233 * Lifetime */ 1234 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1235 sizeof(struct wpa_tdls_timeoutie); 1236#ifdef CONFIG_TDLS_TESTING 1237 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1238 buf_len += 170; 1239#endif /* CONFIG_TDLS_TESTING */ 1240 } 1241 1242 rbuf = os_zalloc(buf_len + 1); 1243 if (rbuf == NULL) 1244 return -1; 1245 pos = rbuf; 1246 1247 if (!wpa_tdls_get_privacy(sm)) 1248 goto skip_ies; 1249 1250 /* Peer RSN IE */ 1251 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1252 1253 ftie = (struct wpa_tdls_ftie *) pos; 1254 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1255 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1256 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1257 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1258 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1259 1260 pos = (u8 *) (ftie + 1); 1261 1262#ifdef CONFIG_TDLS_TESTING 1263 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1264 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1265 "FTIE"); 1266 ftie->ie_len += 170; 1267 *pos++ = 255; /* FTIE subelem */ 1268 *pos++ = 168; /* FTIE subelem length */ 1269 pos += 168; 1270 } 1271#endif /* CONFIG_TDLS_TESTING */ 1272 1273 /* Lifetime */ 1274 lifetime = peer->lifetime; 1275#ifdef CONFIG_TDLS_TESTING 1276 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1277 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1278 "lifetime in confirm"); 1279 lifetime++; 1280 } 1281#endif /* CONFIG_TDLS_TESTING */ 1282 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1283 sizeof(timeoutie), lifetime); 1284 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1285 lifetime); 1286 1287 /* compute MIC before sending */ 1288 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1289 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1290 1291skip_ies: 1292 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1293 dtoken, 0, rbuf, pos - rbuf); 1294 os_free(rbuf); 1295 1296 return status; 1297} 1298 1299 1300static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1301 struct wpa_tdls_peer *peer, 1302 u8 dialog_token) 1303{ 1304 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1305 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1306 1307 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1308 dialog_token, 0, NULL, 0); 1309} 1310 1311 1312static int 1313wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1314 const u8 *buf, size_t len) 1315{ 1316 struct wpa_eapol_ie_parse kde; 1317 const struct wpa_tdls_lnkid *lnkid; 1318 struct wpa_tdls_peer *peer; 1319 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1320 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1321 u8 dialog_token; 1322 1323 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1324 MAC2STR(addr)); 1325 1326 if (len < min_req_len) { 1327 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1328 "%d", (int) len); 1329 return -1; 1330 } 1331 1332 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1333 1334 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1335 len - (sizeof(struct wpa_tdls_frame) + 1), 1336 &kde) < 0) 1337 return -1; 1338 1339 if (!kde.lnkid) { 1340 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1341 "Request"); 1342 return -1; 1343 } 1344 1345 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1346 1347 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1348 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1349 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1350 return -1; 1351 } 1352 1353 peer = wpa_tdls_add_peer(sm, addr, NULL); 1354 if (peer == NULL) 1355 return -1; 1356 1357 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1358} 1359 1360 1361int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1362{ 1363 if (sm->tdls_disabled || !sm->tdls_supported) 1364 return -1; 1365 1366 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1367 MACSTR, MAC2STR(addr)); 1368 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1369 1, 0, NULL, 0); 1370} 1371 1372 1373static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1374 struct wpa_tdls_peer *peer) 1375{ 1376 if (!kde->supp_rates) { 1377 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1378 return -1; 1379 } 1380 peer->supp_rates_len = merge_byte_arrays( 1381 peer->supp_rates, sizeof(peer->supp_rates), 1382 kde->supp_rates + 2, kde->supp_rates_len - 2, 1383 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1384 kde->ext_supp_rates_len - 2); 1385 return 0; 1386} 1387 1388 1389static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1390 struct wpa_tdls_peer *peer) 1391{ 1392 if (!kde->ht_capabilities || 1393 kde->ht_capabilities_len < 1394 sizeof(struct ieee80211_ht_capabilities) ) { 1395 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1396 "received"); 1397 return 0; 1398 } 1399 1400 if (!peer->ht_capabilities) { 1401 peer->ht_capabilities = 1402 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1403 if (peer->ht_capabilities == NULL) 1404 return -1; 1405 } 1406 1407 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1408 sizeof(struct ieee80211_ht_capabilities)); 1409 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1410 (u8 *) peer->ht_capabilities, 1411 sizeof(struct ieee80211_ht_capabilities)); 1412 1413 return 0; 1414} 1415 1416 1417static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1418 struct wpa_tdls_peer *peer) 1419{ 1420 if (!kde->vht_capabilities || 1421 kde->vht_capabilities_len < 1422 sizeof(struct ieee80211_vht_capabilities) ) { 1423 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1424 "received"); 1425 return 0; 1426 } 1427 1428 if (!peer->vht_capabilities) { 1429 peer->vht_capabilities = 1430 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1431 if (peer->vht_capabilities == NULL) 1432 return -1; 1433 } 1434 1435 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1436 sizeof(struct ieee80211_vht_capabilities)); 1437 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1438 (u8 *) peer->vht_capabilities, 1439 sizeof(struct ieee80211_vht_capabilities)); 1440 1441 return 0; 1442} 1443 1444 1445static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1446 struct wpa_tdls_peer *peer) 1447{ 1448 if (!kde->ext_capab) { 1449 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1450 "received"); 1451 return 0; 1452 } 1453 1454 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1455 /* Need to allocate buffer to fit the new information */ 1456 os_free(peer->ext_capab); 1457 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1458 if (peer->ext_capab == NULL) 1459 return -1; 1460 } 1461 1462 peer->ext_capab_len = kde->ext_capab_len - 2; 1463 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1464 1465 return 0; 1466} 1467 1468 1469static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1470 struct wpa_tdls_peer *peer) 1471{ 1472 struct wmm_information_element *wmm; 1473 1474 if (!kde->wmm) { 1475 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1476 return 0; 1477 } 1478 1479 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1480 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1481 return -1; 1482 } 1483 1484 wmm = (struct wmm_information_element *) kde->wmm; 1485 peer->qos_info = wmm->qos_info; 1486 1487 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1488 return 0; 1489} 1490 1491 1492static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1493 struct wpa_tdls_peer *peer) 1494{ 1495 if (!kde->supp_channels) { 1496 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1497 return 0; 1498 } 1499 1500 if (!peer->supp_channels || 1501 peer->supp_channels_len < kde->supp_channels_len) { 1502 os_free(peer->supp_channels); 1503 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1504 if (peer->supp_channels == NULL) 1505 return -1; 1506 } 1507 1508 peer->supp_channels_len = kde->supp_channels_len; 1509 1510 os_memcpy(peer->supp_channels, kde->supp_channels, 1511 peer->supp_channels_len); 1512 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1513 (u8 *) peer->supp_channels, peer->supp_channels_len); 1514 return 0; 1515} 1516 1517 1518static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1519 struct wpa_tdls_peer *peer) 1520{ 1521 if (!kde->supp_oper_classes) { 1522 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1523 return 0; 1524 } 1525 1526 if (!peer->supp_oper_classes || 1527 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1528 os_free(peer->supp_oper_classes); 1529 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1530 if (peer->supp_oper_classes == NULL) 1531 return -1; 1532 } 1533 1534 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1535 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1536 peer->supp_oper_classes_len); 1537 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1538 (u8 *) peer->supp_oper_classes, 1539 peer->supp_oper_classes_len); 1540 return 0; 1541} 1542 1543 1544static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1545 const u8 *buf, size_t len) 1546{ 1547 struct wpa_tdls_peer *peer; 1548 struct wpa_eapol_ie_parse kde; 1549 struct wpa_ie_data ie; 1550 int cipher; 1551 const u8 *cpos; 1552 struct wpa_tdls_ftie *ftie = NULL; 1553 struct wpa_tdls_timeoutie *timeoutie; 1554 struct wpa_tdls_lnkid *lnkid; 1555 u32 lifetime = 0; 1556#if 0 1557 struct rsn_ie_hdr *hdr; 1558 u8 *pos; 1559 u16 rsn_capab; 1560 u16 rsn_ver; 1561#endif 1562 u8 dtoken; 1563 u16 ielen; 1564 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1565 int tdls_prohibited = sm->tdls_prohibited; 1566 int existing_peer = 0; 1567 1568 if (len < 3 + 3) 1569 return -1; 1570 1571 cpos = buf; 1572 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1573 1574 /* driver had already verified the frame format */ 1575 dtoken = *cpos++; /* dialog token */ 1576 1577 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1578 1579 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1580 if (peer == NULL) 1581 goto error; 1582 1583 /* If found, use existing entry instead of adding a new one; 1584 * how to handle the case where both ends initiate at the 1585 * same time? */ 1586 if (existing_peer) { 1587 if (peer->tpk_success) { 1588 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1589 "direct link is enabled - tear down the " 1590 "old link first"); 1591 wpa_tdls_disable_peer_link(sm, peer); 1592 } 1593 1594 /* 1595 * An entry is already present, so check if we already sent a 1596 * TDLS Setup Request. If so, compare MAC addresses and let the 1597 * STA with the lower MAC address continue as the initiator. 1598 * The other negotiation is terminated. 1599 */ 1600 if (peer->initiator) { 1601 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1602 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1603 "from peer with higher address " 1604 MACSTR, MAC2STR(src_addr)); 1605 return -1; 1606 } else { 1607 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1608 "from peer with lower address " 1609 MACSTR " (terminate previously " 1610 "initiated negotiation", 1611 MAC2STR(src_addr)); 1612 wpa_tdls_disable_peer_link(sm, peer); 1613 } 1614 } 1615 } 1616 1617 /* capability information */ 1618 peer->capability = WPA_GET_LE16(cpos); 1619 cpos += 2; 1620 1621 ielen = len - (cpos - buf); /* start of IE in buf */ 1622 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) { 1623 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1"); 1624 goto error; 1625 } 1626 1627 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1628 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1629 "TPK M1"); 1630 goto error; 1631 } 1632 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1633 kde.lnkid, kde.lnkid_len); 1634 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1635 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1636 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1637 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1638 goto error; 1639 } 1640 1641 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1642 MAC2STR(src_addr)); 1643 1644 if (copy_supp_rates(&kde, peer) < 0) 1645 goto error; 1646 1647 if (copy_peer_ht_capab(&kde, peer) < 0) 1648 goto error; 1649 1650 if (copy_peer_vht_capab(&kde, peer) < 0) 1651 goto error; 1652 1653 if (copy_peer_ext_capab(&kde, peer) < 0) 1654 goto error; 1655 1656 if (copy_peer_supp_channels(&kde, peer) < 0) 1657 goto error; 1658 1659 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1660 goto error; 1661 1662 peer->qos_info = kde.qosinfo; 1663 1664 /* Overwrite with the qos_info obtained in WMM IE */ 1665 if (copy_peer_wmm_capab(&kde, peer) < 0) 1666 goto error; 1667 1668 peer->aid = kde.aid; 1669 1670#ifdef CONFIG_TDLS_TESTING 1671 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1672 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1673 if (peer == NULL) 1674 goto error; 1675 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1676 "TDLS setup - send own request"); 1677 peer->initiator = 1; 1678 wpa_tdls_send_tpk_m1(sm, peer); 1679 } 1680 1681 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1682 tdls_prohibited) { 1683 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1684 "on TDLS"); 1685 tdls_prohibited = 0; 1686 } 1687#endif /* CONFIG_TDLS_TESTING */ 1688 1689 if (tdls_prohibited) { 1690 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1691 status = WLAN_STATUS_REQUEST_DECLINED; 1692 goto error; 1693 } 1694 1695 if (!wpa_tdls_get_privacy(sm)) { 1696 if (kde.rsn_ie) { 1697 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1698 "security is disabled"); 1699 status = WLAN_STATUS_SECURITY_DISABLED; 1700 goto error; 1701 } 1702 goto skip_rsn; 1703 } 1704 1705 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1706 kde.rsn_ie == NULL) { 1707 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1708 status = WLAN_STATUS_INVALID_PARAMETERS; 1709 goto error; 1710 } 1711 1712 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1713 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1714 "TPK M1"); 1715 status = WLAN_STATUS_INVALID_RSNIE; 1716 goto error; 1717 } 1718 1719 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1720 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1721 status = WLAN_STATUS_INVALID_RSNIE; 1722 goto error; 1723 } 1724 1725 cipher = ie.pairwise_cipher; 1726 if (cipher & WPA_CIPHER_CCMP) { 1727 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1728 cipher = WPA_CIPHER_CCMP; 1729 } else { 1730 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1731 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1732 goto error; 1733 } 1734 1735 if ((ie.capabilities & 1736 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1737 WPA_CAPABILITY_PEERKEY_ENABLED) { 1738 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1739 "TPK M1"); 1740 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1741 goto error; 1742 } 1743 1744 /* Lifetime */ 1745 if (kde.key_lifetime == NULL) { 1746 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1747 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1748 goto error; 1749 } 1750 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1751 lifetime = WPA_GET_LE32(timeoutie->value); 1752 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1753 if (lifetime < 300) { 1754 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1755 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1756 goto error; 1757 } 1758 1759skip_rsn: 1760#ifdef CONFIG_TDLS_TESTING 1761 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1762 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1763 /* 1764 * The request frame from us is going to win, so do not 1765 * replace information based on this request frame from 1766 * the peer. 1767 */ 1768 goto skip_rsn_check; 1769 } 1770 } 1771#endif /* CONFIG_TDLS_TESTING */ 1772 1773 peer->initiator = 0; /* Need to check */ 1774 peer->dtoken = dtoken; 1775 1776 if (!wpa_tdls_get_privacy(sm)) { 1777 peer->rsnie_i_len = 0; 1778 peer->rsnie_p_len = 0; 1779 peer->cipher = WPA_CIPHER_NONE; 1780 goto skip_rsn_check; 1781 } 1782 1783 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1784 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1785 peer->rsnie_i_len = kde.rsn_ie_len; 1786 peer->cipher = cipher; 1787 1788 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 1789 /* 1790 * There is no point in updating the RNonce for every obtained 1791 * TPK M1 frame (e.g., retransmission due to timeout) with the 1792 * same INonce (SNonce in FTIE). However, if the TPK M1 is 1793 * retransmitted with a different INonce, update the RNonce 1794 * since this is for a new TDLS session. 1795 */ 1796 wpa_printf(MSG_DEBUG, 1797 "TDLS: New TPK M1 INonce - generate new RNonce"); 1798 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 1799 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 1800 wpa_msg(sm->ctx->ctx, MSG_WARNING, 1801 "TDLS: Failed to get random data for responder nonce"); 1802 wpa_tdls_peer_free(sm, peer); 1803 goto error; 1804 } 1805 } 1806 1807#if 0 1808 /* get version info from RSNIE received from Peer */ 1809 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 1810 rsn_ver = WPA_GET_LE16(hdr->version); 1811 1812 /* use min(peer's version, out version) */ 1813 if (rsn_ver > RSN_VERSION) 1814 rsn_ver = RSN_VERSION; 1815 1816 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 1817 1818 hdr->elem_id = WLAN_EID_RSN; 1819 WPA_PUT_LE16(hdr->version, rsn_ver); 1820 pos = (u8 *) (hdr + 1); 1821 1822 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1823 pos += RSN_SELECTOR_LEN; 1824 /* Include only the selected cipher in pairwise cipher suite */ 1825 WPA_PUT_LE16(pos, 1); 1826 pos += 2; 1827 if (cipher == WPA_CIPHER_CCMP) 1828 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1829 pos += RSN_SELECTOR_LEN; 1830 1831 WPA_PUT_LE16(pos, 1); 1832 pos += 2; 1833 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1834 pos += RSN_SELECTOR_LEN; 1835 1836 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1837 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1838 WPA_PUT_LE16(pos, rsn_capab); 1839 pos += 2; 1840 1841 hdr->len = (pos - peer->rsnie_p) - 2; 1842 peer->rsnie_p_len = pos - peer->rsnie_p; 1843#endif 1844 1845 /* temp fix: validation of RSNIE later */ 1846 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 1847 peer->rsnie_p_len = peer->rsnie_i_len; 1848 1849 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1850 peer->rsnie_p, peer->rsnie_p_len); 1851 1852 peer->lifetime = lifetime; 1853 1854 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 1855 1856skip_rsn_check: 1857 /* add the peer to the driver as a "setup in progress" peer */ 1858 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 1859 NULL, 0, NULL, 0, NULL, 0); 1860 peer->tpk_in_progress = 1; 1861 1862 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 1863 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 1864 wpa_tdls_disable_peer_link(sm, peer); 1865 goto error; 1866 } 1867 1868 return 0; 1869 1870error: 1871 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 1872 status); 1873 return -1; 1874} 1875 1876 1877static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 1878{ 1879 peer->tpk_success = 1; 1880 peer->tpk_in_progress = 0; 1881 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1882 if (wpa_tdls_get_privacy(sm)) { 1883 u32 lifetime = peer->lifetime; 1884 /* 1885 * Start the initiator process a bit earlier to avoid race 1886 * condition with the responder sending teardown request. 1887 */ 1888 if (lifetime > 3 && peer->initiator) 1889 lifetime -= 3; 1890 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 1891 sm, peer); 1892#ifdef CONFIG_TDLS_TESTING 1893 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 1894 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 1895 "expiration"); 1896 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1897 } 1898#endif /* CONFIG_TDLS_TESTING */ 1899 } 1900 1901 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 1902 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 0, peer->aid, 1903 peer->capability, 1904 peer->supp_rates, peer->supp_rates_len, 1905 peer->ht_capabilities, 1906 peer->vht_capabilities, 1907 peer->qos_info, peer->ext_capab, 1908 peer->ext_capab_len, 1909 peer->supp_channels, 1910 peer->supp_channels_len, 1911 peer->supp_oper_classes, 1912 peer->supp_oper_classes_len) < 0) 1913 return -1; 1914 1915 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 1916 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 1917 "driver"); 1918 return -1; 1919 } 1920 peer->reconfig_key = 0; 1921 1922 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 1923} 1924 1925 1926static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 1927 const u8 *buf, size_t len) 1928{ 1929 struct wpa_tdls_peer *peer; 1930 struct wpa_eapol_ie_parse kde; 1931 struct wpa_ie_data ie; 1932 int cipher; 1933 struct wpa_tdls_ftie *ftie; 1934 struct wpa_tdls_timeoutie *timeoutie; 1935 struct wpa_tdls_lnkid *lnkid; 1936 u32 lifetime; 1937 u8 dtoken; 1938 int ielen; 1939 u16 status; 1940 const u8 *pos; 1941 int ret = 0; 1942 1943 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 1944 "(Peer " MACSTR ")", MAC2STR(src_addr)); 1945 for (peer = sm->tdls; peer; peer = peer->next) { 1946 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 1947 break; 1948 } 1949 if (peer == NULL) { 1950 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 1951 "TPK M2: " MACSTR, MAC2STR(src_addr)); 1952 return -1; 1953 } 1954 if (!peer->initiator) { 1955 /* 1956 * This may happen if both devices try to initiate TDLS at the 1957 * same time and we accept the TPK M1 from the peer in 1958 * wpa_tdls_process_tpk_m1() and clear our previous state. 1959 */ 1960 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 1961 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 1962 return -1; 1963 } 1964 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 1965 1966 if (len < 3 + 2 + 1) { 1967 wpa_tdls_disable_peer_link(sm, peer); 1968 return -1; 1969 } 1970 1971 pos = buf; 1972 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1973 status = WPA_GET_LE16(pos); 1974 pos += 2 /* status code */; 1975 1976 if (status != WLAN_STATUS_SUCCESS) { 1977 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 1978 status); 1979 wpa_tdls_disable_peer_link(sm, peer); 1980 return -1; 1981 } 1982 1983 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1984 1985 /* TODO: need to verify dialog token matches here or in kernel */ 1986 dtoken = *pos++; /* dialog token */ 1987 1988 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 1989 1990 if (len < 3 + 2 + 1 + 2) { 1991 wpa_tdls_disable_peer_link(sm, peer); 1992 return -1; 1993 } 1994 1995 /* capability information */ 1996 peer->capability = WPA_GET_LE16(pos); 1997 pos += 2; 1998 1999 ielen = len - (pos - buf); /* start of IE in buf */ 2000 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) { 2001 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2"); 2002 goto error; 2003 } 2004 2005#ifdef CONFIG_TDLS_TESTING 2006 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2007 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2008 status = WLAN_STATUS_REQUEST_DECLINED; 2009 goto error; 2010 } 2011#endif /* CONFIG_TDLS_TESTING */ 2012 2013 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2014 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2015 "TPK M2"); 2016 goto error; 2017 } 2018 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2019 kde.lnkid, kde.lnkid_len); 2020 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2021 2022 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2023 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2024 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2025 goto error; 2026 } 2027 2028 if (copy_supp_rates(&kde, peer) < 0) 2029 goto error; 2030 2031 if (copy_peer_ht_capab(&kde, peer) < 0) 2032 goto error; 2033 2034 if (copy_peer_vht_capab(&kde, peer) < 0) 2035 goto error; 2036 2037 if (copy_peer_ext_capab(&kde, peer) < 0) 2038 goto error; 2039 2040 if (copy_peer_supp_channels(&kde, peer) < 0) 2041 goto error; 2042 2043 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2044 goto error; 2045 2046 peer->qos_info = kde.qosinfo; 2047 2048 /* Overwrite with the qos_info obtained in WMM IE */ 2049 if (copy_peer_wmm_capab(&kde, peer) < 0) 2050 goto error; 2051 2052 peer->aid = kde.aid; 2053 2054 if (!wpa_tdls_get_privacy(sm)) { 2055 peer->rsnie_p_len = 0; 2056 peer->cipher = WPA_CIPHER_NONE; 2057 goto skip_rsn; 2058 } 2059 2060 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2061 kde.rsn_ie == NULL) { 2062 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2063 status = WLAN_STATUS_INVALID_PARAMETERS; 2064 goto error; 2065 } 2066 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2067 kde.rsn_ie, kde.rsn_ie_len); 2068 2069 /* 2070 * FIX: bitwise comparison of RSN IE is not the correct way of 2071 * validation this. It can be different, but certain fields must 2072 * match. Since we list only a single pairwise cipher in TPK M1, the 2073 * memcmp is likely to work in most cases, though. 2074 */ 2075 if (kde.rsn_ie_len != peer->rsnie_i_len || 2076 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2077 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2078 "not match with RSN IE used in TPK M1"); 2079 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2080 peer->rsnie_i, peer->rsnie_i_len); 2081 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2082 kde.rsn_ie, kde.rsn_ie_len); 2083 status = WLAN_STATUS_INVALID_RSNIE; 2084 goto error; 2085 } 2086 2087 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2088 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2089 status = WLAN_STATUS_INVALID_RSNIE; 2090 goto error; 2091 } 2092 2093 cipher = ie.pairwise_cipher; 2094 if (cipher == WPA_CIPHER_CCMP) { 2095 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2096 cipher = WPA_CIPHER_CCMP; 2097 } else { 2098 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2099 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2100 goto error; 2101 } 2102 2103 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2104 kde.ftie, sizeof(*ftie)); 2105 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2106 2107 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2108 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2109 "not match with FTIE SNonce used in TPK M1"); 2110 /* Silently discard the frame */ 2111 return -1; 2112 } 2113 2114 /* Responder Nonce and RSN IE */ 2115 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2116 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2117 peer->rsnie_p_len = kde.rsn_ie_len; 2118 peer->cipher = cipher; 2119 2120 /* Lifetime */ 2121 if (kde.key_lifetime == NULL) { 2122 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2123 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2124 goto error; 2125 } 2126 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2127 lifetime = WPA_GET_LE32(timeoutie->value); 2128 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2129 lifetime); 2130 if (lifetime != peer->lifetime) { 2131 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2132 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2133 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2134 goto error; 2135 } 2136 2137 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2138 2139 /* Process MIC check to see if TPK M2 is right */ 2140 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2141 (u8 *) timeoutie, ftie) < 0) { 2142 /* Discard the frame */ 2143 wpa_tdls_del_key(sm, peer); 2144 wpa_tdls_disable_peer_link(sm, peer); 2145 return -1; 2146 } 2147 2148 if (wpa_tdls_set_key(sm, peer) < 0) { 2149 /* 2150 * Some drivers may not be able to config the key prior to full 2151 * STA entry having been configured. 2152 */ 2153 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2154 "STA entry is complete"); 2155 peer->reconfig_key = 1; 2156 } 2157 2158skip_rsn: 2159 peer->dtoken = dtoken; 2160 2161 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2162 "TPK Handshake Message 3"); 2163 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) { 2164 wpa_tdls_disable_peer_link(sm, peer); 2165 return -1; 2166 } 2167 2168 if (!peer->tpk_success) { 2169 /* 2170 * Enable Link only when tpk_success is 0, signifying that this 2171 * processing of TPK M2 frame is not because of a retransmission 2172 * during TDLS setup handshake. 2173 */ 2174 ret = wpa_tdls_enable_link(sm, peer); 2175 if (ret < 0) { 2176 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2177 wpa_tdls_do_teardown( 2178 sm, peer, 2179 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2180 } 2181 } 2182 return ret; 2183 2184error: 2185 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 2186 status); 2187 wpa_tdls_disable_peer_link(sm, peer); 2188 return -1; 2189} 2190 2191 2192static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2193 const u8 *buf, size_t len) 2194{ 2195 struct wpa_tdls_peer *peer; 2196 struct wpa_eapol_ie_parse kde; 2197 struct wpa_tdls_ftie *ftie; 2198 struct wpa_tdls_timeoutie *timeoutie; 2199 struct wpa_tdls_lnkid *lnkid; 2200 int ielen; 2201 u16 status; 2202 const u8 *pos; 2203 u32 lifetime; 2204 int ret = 0; 2205 2206 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2207 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2208 for (peer = sm->tdls; peer; peer = peer->next) { 2209 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2210 break; 2211 } 2212 if (peer == NULL) { 2213 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2214 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2215 return -1; 2216 } 2217 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2218 2219 if (len < 3 + 3) 2220 goto error; 2221 pos = buf; 2222 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2223 2224 status = WPA_GET_LE16(pos); 2225 2226 if (status != 0) { 2227 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2228 status); 2229 goto error; 2230 } 2231 pos += 2 /* status code */ + 1 /* dialog token */; 2232 2233 ielen = len - (pos - buf); /* start of IE in buf */ 2234 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2235 wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3"); 2236 goto error; 2237 } 2238 2239 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2240 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2241 goto error; 2242 } 2243 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2244 (u8 *) kde.lnkid, kde.lnkid_len); 2245 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2246 2247 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2248 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2249 goto error; 2250 } 2251 2252 if (!wpa_tdls_get_privacy(sm)) 2253 goto skip_rsn; 2254 2255 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2256 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2257 goto error; 2258 } 2259 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2260 kde.ftie, sizeof(*ftie)); 2261 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2262 2263 if (kde.rsn_ie == NULL) { 2264 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2265 goto error; 2266 } 2267 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2268 kde.rsn_ie, kde.rsn_ie_len); 2269 if (kde.rsn_ie_len != peer->rsnie_p_len || 2270 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2271 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2272 "with the one sent in TPK M2"); 2273 goto error; 2274 } 2275 2276 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2277 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2278 "not match with FTIE ANonce used in TPK M2"); 2279 goto error; 2280 } 2281 2282 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2283 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2284 "match with FTIE SNonce used in TPK M1"); 2285 goto error; 2286 } 2287 2288 if (kde.key_lifetime == NULL) { 2289 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2290 goto error; 2291 } 2292 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2293 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2294 (u8 *) timeoutie, sizeof(*timeoutie)); 2295 lifetime = WPA_GET_LE32(timeoutie->value); 2296 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2297 lifetime); 2298 if (lifetime != peer->lifetime) { 2299 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2300 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2301 goto error; 2302 } 2303 2304 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2305 (u8 *) timeoutie, ftie) < 0) { 2306 wpa_tdls_del_key(sm, peer); 2307 goto error; 2308 } 2309 2310 if (wpa_tdls_set_key(sm, peer) < 0) { 2311 /* 2312 * Some drivers may not be able to config the key prior to full 2313 * STA entry having been configured. 2314 */ 2315 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2316 "STA entry is complete"); 2317 peer->reconfig_key = 1; 2318 } 2319 2320skip_rsn: 2321 if (!peer->tpk_success) { 2322 /* 2323 * Enable Link only when tpk_success is 0, signifying that this 2324 * processing of TPK M3 frame is not because of a retransmission 2325 * during TDLS setup handshake. 2326 */ 2327 ret = wpa_tdls_enable_link(sm, peer); 2328 if (ret < 0) { 2329 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2330 wpa_tdls_do_teardown( 2331 sm, peer, 2332 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2333 } 2334 } 2335 return ret; 2336error: 2337 wpa_tdls_disable_peer_link(sm, peer); 2338 return -1; 2339} 2340 2341 2342static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2343{ 2344 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2345 2346 os_memset(lifetime, 0, ie_len); 2347 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2348 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2349 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2350 WPA_PUT_LE32(lifetime->value, tsecs); 2351 os_memcpy(pos, ie, ie_len); 2352 return pos + ie_len; 2353} 2354 2355 2356/** 2357 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2358 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2359 * @peer: MAC address of the peer STA 2360 * Returns: 0 on success, or -1 on failure 2361 * 2362 * Send TPK Handshake Message 1 info to driver to start TDLS 2363 * handshake with the peer. 2364 */ 2365int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2366{ 2367 struct wpa_tdls_peer *peer; 2368 int tdls_prohibited = sm->tdls_prohibited; 2369 2370 if (sm->tdls_disabled || !sm->tdls_supported) 2371 return -1; 2372 2373#ifdef CONFIG_TDLS_TESTING 2374 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2375 tdls_prohibited) { 2376 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2377 "on TDLS"); 2378 tdls_prohibited = 0; 2379 } 2380#endif /* CONFIG_TDLS_TESTING */ 2381 2382 if (tdls_prohibited) { 2383 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2384 "reject request to start setup"); 2385 return -1; 2386 } 2387 2388 peer = wpa_tdls_add_peer(sm, addr, NULL); 2389 if (peer == NULL) 2390 return -1; 2391 2392 if (peer->tpk_in_progress) { 2393 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2394 return 0; 2395 } 2396 2397 peer->initiator = 1; 2398 2399 /* add the peer to the driver as a "setup in progress" peer */ 2400 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 2401 NULL, 0, NULL, 0, NULL, 0); 2402 2403 peer->tpk_in_progress = 1; 2404 2405 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2406 wpa_tdls_disable_peer_link(sm, peer); 2407 return -1; 2408 } 2409 2410 return 0; 2411} 2412 2413 2414void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2415{ 2416 struct wpa_tdls_peer *peer; 2417 2418 if (sm->tdls_disabled || !sm->tdls_supported) 2419 return; 2420 2421 for (peer = sm->tdls; peer; peer = peer->next) { 2422 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2423 break; 2424 } 2425 2426 if (peer == NULL || !peer->tpk_success) 2427 return; 2428 2429 if (sm->tdls_external_setup) { 2430 /* 2431 * Disable previous link to allow renegotiation to be completed 2432 * on AP path. 2433 */ 2434 wpa_tdls_disable_peer_link(sm, peer); 2435 } 2436} 2437 2438 2439/** 2440 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2441 * 2442 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2443 */ 2444static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2445 const u8 *buf, size_t len) 2446{ 2447 struct wpa_sm *sm = ctx; 2448 struct wpa_tdls_frame *tf; 2449 2450 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2451 buf, len); 2452 2453 if (sm->tdls_disabled || !sm->tdls_supported) { 2454 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2455 "or unsupported by driver"); 2456 return; 2457 } 2458 2459 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2460 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2461 return; 2462 } 2463 2464 if (len < sizeof(*tf)) { 2465 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2466 return; 2467 } 2468 2469 /* Check to make sure its a valid encapsulated TDLS frame */ 2470 tf = (struct wpa_tdls_frame *) buf; 2471 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2472 tf->category != WLAN_ACTION_TDLS) { 2473 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2474 "category=%u action=%u", 2475 tf->payloadtype, tf->category, tf->action); 2476 return; 2477 } 2478 2479 switch (tf->action) { 2480 case WLAN_TDLS_SETUP_REQUEST: 2481 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2482 break; 2483 case WLAN_TDLS_SETUP_RESPONSE: 2484 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2485 break; 2486 case WLAN_TDLS_SETUP_CONFIRM: 2487 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2488 break; 2489 case WLAN_TDLS_TEARDOWN: 2490 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2491 break; 2492 case WLAN_TDLS_DISCOVERY_REQUEST: 2493 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2494 break; 2495 default: 2496 /* Kernel code will process remaining frames */ 2497 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2498 tf->action); 2499 break; 2500 } 2501} 2502 2503 2504/** 2505 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2506 * @wpa_s: Pointer to wpa_supplicant data 2507 * Returns: 0 on success, -1 on failure 2508 * 2509 * This function is called to initialize driver interface parameters for TDLS. 2510 * wpa_drv_init() must have been called before this function to initialize the 2511 * driver interface. 2512 */ 2513int wpa_tdls_init(struct wpa_sm *sm) 2514{ 2515 if (sm == NULL) 2516 return -1; 2517 2518 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2519 sm->ifname, 2520 sm->own_addr, 2521 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2522 sm, 0); 2523 if (sm->l2_tdls == NULL) { 2524 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2525 "connection"); 2526 return -1; 2527 } 2528 2529 /* 2530 * Drivers that support TDLS but don't implement the get_capa callback 2531 * are assumed to perform everything internally 2532 */ 2533 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2534 &sm->tdls_external_setup) < 0) { 2535 sm->tdls_supported = 1; 2536 sm->tdls_external_setup = 0; 2537 } 2538 2539 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2540 "driver", sm->tdls_supported ? "" : " not"); 2541 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2542 sm->tdls_external_setup ? "external" : "internal"); 2543 2544 return 0; 2545} 2546 2547 2548void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2549{ 2550 struct wpa_tdls_peer *peer; 2551 2552 peer = sm->tdls; 2553 2554 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2555 2556 while (peer) { 2557 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2558 MAC2STR(peer->addr)); 2559 if (sm->tdls_external_setup) 2560 wpa_tdls_send_teardown(sm, peer->addr, 2561 WLAN_REASON_DEAUTH_LEAVING); 2562 else 2563 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2564 2565 peer = peer->next; 2566 } 2567} 2568 2569 2570static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2571{ 2572 struct wpa_tdls_peer *peer, *tmp; 2573 2574 peer = sm->tdls; 2575 sm->tdls = NULL; 2576 2577 while (peer) { 2578 int res; 2579 tmp = peer->next; 2580 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2581 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2582 MAC2STR(peer->addr), res); 2583 wpa_tdls_peer_free(sm, peer); 2584 os_free(peer); 2585 peer = tmp; 2586 } 2587} 2588 2589 2590/** 2591 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2592 * 2593 * This function is called to recover driver interface parameters for TDLS 2594 * and frees resources allocated for it. 2595 */ 2596void wpa_tdls_deinit(struct wpa_sm *sm) 2597{ 2598 if (sm == NULL) 2599 return; 2600 2601 if (sm->l2_tdls) 2602 l2_packet_deinit(sm->l2_tdls); 2603 sm->l2_tdls = NULL; 2604 2605 wpa_tdls_remove_peers(sm); 2606} 2607 2608 2609void wpa_tdls_assoc(struct wpa_sm *sm) 2610{ 2611 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2612 wpa_tdls_remove_peers(sm); 2613} 2614 2615 2616void wpa_tdls_disassoc(struct wpa_sm *sm) 2617{ 2618 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2619 wpa_tdls_remove_peers(sm); 2620} 2621 2622 2623static int wpa_tdls_prohibited(const u8 *ies, size_t len) 2624{ 2625 struct wpa_eapol_ie_parse elems; 2626 2627 if (ies == NULL) 2628 return 0; 2629 2630 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0) 2631 return 0; 2632 2633 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2634 return 0; 2635 2636 /* bit 38 - TDLS Prohibited */ 2637 return !!(elems.ext_capab[2 + 4] & 0x40); 2638} 2639 2640 2641void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2642{ 2643 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len); 2644 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2645 sm->tdls_prohibited ? "prohibited" : "allowed"); 2646} 2647 2648 2649void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2650{ 2651 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) { 2652 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2653 "(Re)Association Response IEs"); 2654 sm->tdls_prohibited = 1; 2655 } 2656} 2657 2658 2659void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2660{ 2661 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2662 sm->tdls_disabled = !enabled; 2663} 2664 2665 2666int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2667{ 2668 return sm->tdls_external_setup; 2669} 2670