tdls.c revision df5a7e4c5c64890c2425bb47d665bbce4992b676
1/* 2 * wpa_supplicant - TDLS 3 * Copyright (c) 2010-2011, Atheros Communications 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/os.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/sha256.h" 16#include "crypto/crypto.h" 17#include "crypto/aes_wrap.h" 18#include "rsn_supp/wpa.h" 19#include "rsn_supp/wpa_ie.h" 20#include "rsn_supp/wpa_i.h" 21#include "drivers/driver.h" 22#include "l2_packet/l2_packet.h" 23 24#ifdef CONFIG_TDLS_TESTING 25#define TDLS_TESTING_LONG_FRAME BIT(0) 26#define TDLS_TESTING_ALT_RSN_IE BIT(1) 27#define TDLS_TESTING_DIFF_BSSID BIT(2) 28#define TDLS_TESTING_SHORT_LIFETIME BIT(3) 29#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4) 30#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5) 31#define TDLS_TESTING_LONG_LIFETIME BIT(6) 32#define TDLS_TESTING_CONCURRENT_INIT BIT(7) 33#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8) 34#define TDLS_TESTING_DECLINE_RESP BIT(9) 35#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10) 36unsigned int tdls_testing = 0; 37#endif /* CONFIG_TDLS_TESTING */ 38 39#define TPK_LIFETIME 43200 /* 12 hours */ 40#define TPK_M1_RETRY_COUNT 3 41#define TPK_M1_TIMEOUT 5000 /* in milliseconds */ 42#define TPK_M2_RETRY_COUNT 10 43#define TPK_M2_TIMEOUT 500 /* in milliseconds */ 44 45#define TDLS_MIC_LEN 16 46 47#define TDLS_TIMEOUT_LEN 4 48 49struct wpa_tdls_ftie { 50 u8 ie_type; /* FTIE */ 51 u8 ie_len; 52 u8 mic_ctrl[2]; 53 u8 mic[TDLS_MIC_LEN]; 54 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */ 55 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */ 56 /* followed by optional elements */ 57} STRUCT_PACKED; 58 59struct wpa_tdls_timeoutie { 60 u8 ie_type; /* Timeout IE */ 61 u8 ie_len; 62 u8 interval_type; 63 u8 value[TDLS_TIMEOUT_LEN]; 64} STRUCT_PACKED; 65 66struct wpa_tdls_lnkid { 67 u8 ie_type; /* Link Identifier IE */ 68 u8 ie_len; 69 u8 bssid[ETH_ALEN]; 70 u8 init_sta[ETH_ALEN]; 71 u8 resp_sta[ETH_ALEN]; 72} STRUCT_PACKED; 73 74/* TDLS frame headers as per IEEE Std 802.11z-2010 */ 75struct wpa_tdls_frame { 76 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */ 77 u8 category; /* Category */ 78 u8 action; /* Action (enum tdls_frame_type) */ 79} STRUCT_PACKED; 80 81static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs); 82static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx); 83static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer); 84static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 85 struct wpa_tdls_peer *peer); 86 87 88#define TDLS_MAX_IE_LEN 80 89#define IEEE80211_MAX_SUPP_RATES 32 90 91struct wpa_tdls_peer { 92 struct wpa_tdls_peer *next; 93 unsigned int reconfig_key:1; 94 int initiator; /* whether this end was initiator for TDLS setup */ 95 u8 addr[ETH_ALEN]; /* other end MAC address */ 96 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */ 97 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */ 98 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */ 99 size_t rsnie_i_len; 100 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */ 101 size_t rsnie_p_len; 102 u32 lifetime; 103 int cipher; /* Selected cipher (WPA_CIPHER_*) */ 104 u8 dtoken; 105 106 struct tpk { 107 u8 kck[16]; /* TPK-KCK */ 108 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ 109 } tpk; 110 int tpk_set; 111 int tpk_success; 112 int tpk_in_progress; 113 114 struct tpk_timer { 115 u8 dest[ETH_ALEN]; 116 int count; /* Retry Count */ 117 int timer; /* Timeout in milliseconds */ 118 u8 action_code; /* TDLS frame type */ 119 u8 dialog_token; 120 u16 status_code; 121 u32 peer_capab; 122 int buf_len; /* length of TPK message for retransmission */ 123 u8 *buf; /* buffer for TPK message */ 124 } sm_tmr; 125 126 u16 capability; 127 128 u8 supp_rates[IEEE80211_MAX_SUPP_RATES]; 129 size_t supp_rates_len; 130 131 struct ieee80211_ht_capabilities *ht_capabilities; 132 struct ieee80211_vht_capabilities *vht_capabilities; 133 134 u8 qos_info; 135 136 u16 aid; 137 138 u8 *ext_capab; 139 size_t ext_capab_len; 140 141 u8 *supp_channels; 142 size_t supp_channels_len; 143 144 u8 *supp_oper_classes; 145 size_t supp_oper_classes_len; 146 147 u8 wmm_capable; 148}; 149 150 151static int wpa_tdls_get_privacy(struct wpa_sm *sm) 152{ 153 /* 154 * Get info needed from supplicant to check if the current BSS supports 155 * security. Other than OPEN mode, rest are considered secured 156 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake. 157 */ 158 return sm->pairwise_cipher != WPA_CIPHER_NONE; 159} 160 161 162static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 163{ 164 os_memcpy(pos, ie, ie_len); 165 return pos + ie_len; 166} 167 168 169static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 170{ 171 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, 172 0, 0, NULL, 0, NULL, 0) < 0) { 173 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " 174 "the driver"); 175 return -1; 176 } 177 178 return 0; 179} 180 181 182static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 183{ 184 u8 key_len; 185 u8 rsc[6]; 186 enum wpa_alg alg; 187 188 os_memset(rsc, 0, 6); 189 190 switch (peer->cipher) { 191 case WPA_CIPHER_CCMP: 192 alg = WPA_ALG_CCMP; 193 key_len = 16; 194 break; 195 case WPA_CIPHER_NONE: 196 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: " 197 "NONE - do not use pairwise keys"); 198 return -1; 199 default: 200 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d", 201 sm->pairwise_cipher); 202 return -1; 203 } 204 205 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, 206 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { 207 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " 208 "driver"); 209 return -1; 210 } 211 return 0; 212} 213 214 215static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst, 216 u8 action_code, u8 dialog_token, 217 u16 status_code, u32 peer_capab, 218 const u8 *buf, size_t len) 219{ 220 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token, 221 status_code, peer_capab, buf, len); 222} 223 224 225static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code, 226 u8 dialog_token, u16 status_code, u32 peer_capab, 227 const u8 *msg, size_t msg_len) 228{ 229 struct wpa_tdls_peer *peer; 230 231 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u " 232 "dialog_token=%u status_code=%u msg_len=%u", 233 MAC2STR(dest), action_code, dialog_token, status_code, 234 (unsigned int) msg_len); 235 236 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token, 237 status_code, peer_capab, msg, msg_len)) { 238 wpa_printf(MSG_INFO, "TDLS: Failed to send message " 239 "(action_code=%u)", action_code); 240 return -1; 241 } 242 243 if (action_code == WLAN_TDLS_SETUP_CONFIRM || 244 action_code == WLAN_TDLS_TEARDOWN || 245 action_code == WLAN_TDLS_DISCOVERY_REQUEST || 246 action_code == WLAN_TDLS_DISCOVERY_RESPONSE) 247 return 0; /* No retries */ 248 249 for (peer = sm->tdls; peer; peer = peer->next) { 250 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0) 251 break; 252 } 253 254 if (peer == NULL) { 255 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 256 "retry " MACSTR, MAC2STR(dest)); 257 return 0; 258 } 259 260 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 261 262 if (action_code == WLAN_TDLS_SETUP_RESPONSE) { 263 peer->sm_tmr.count = TPK_M2_RETRY_COUNT; 264 peer->sm_tmr.timer = TPK_M2_TIMEOUT; 265 } else { 266 peer->sm_tmr.count = TPK_M1_RETRY_COUNT; 267 peer->sm_tmr.timer = TPK_M1_TIMEOUT; 268 } 269 270 /* Copy message to resend on timeout */ 271 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN); 272 peer->sm_tmr.action_code = action_code; 273 peer->sm_tmr.dialog_token = dialog_token; 274 peer->sm_tmr.status_code = status_code; 275 peer->sm_tmr.peer_capab = peer_capab; 276 peer->sm_tmr.buf_len = msg_len; 277 os_free(peer->sm_tmr.buf); 278 peer->sm_tmr.buf = os_malloc(msg_len); 279 if (peer->sm_tmr.buf == NULL) 280 return -1; 281 os_memcpy(peer->sm_tmr.buf, msg, msg_len); 282 283 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered " 284 "(action_code=%u)", action_code); 285 eloop_register_timeout(peer->sm_tmr.timer / 1000, 286 (peer->sm_tmr.timer % 1000) * 1000, 287 wpa_tdls_tpk_retry_timeout, sm, peer); 288 return 0; 289} 290 291 292static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 293 u16 reason_code) 294{ 295 int ret; 296 297 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code); 298 /* disable the link after teardown was sent */ 299 wpa_tdls_disable_peer_link(sm, peer); 300 301 return ret; 302} 303 304 305static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) 306{ 307 308 struct wpa_sm *sm = eloop_ctx; 309 struct wpa_tdls_peer *peer = timeout_ctx; 310 311 if (peer->sm_tmr.count) { 312 peer->sm_tmr.count--; 313 314 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message " 315 "(action_code=%u)", 316 peer->sm_tmr.action_code); 317 318 if (peer->sm_tmr.buf == NULL) { 319 wpa_printf(MSG_INFO, "TDLS: No retry buffer available " 320 "for action_code=%u", 321 peer->sm_tmr.action_code); 322 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, 323 peer); 324 return; 325 } 326 327 /* resend TPK Handshake Message to Peer */ 328 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest, 329 peer->sm_tmr.action_code, 330 peer->sm_tmr.dialog_token, 331 peer->sm_tmr.status_code, 332 peer->sm_tmr.peer_capab, 333 peer->sm_tmr.buf, 334 peer->sm_tmr.buf_len)) { 335 wpa_printf(MSG_INFO, "TDLS: Failed to retry " 336 "transmission"); 337 } 338 339 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 340 eloop_register_timeout(peer->sm_tmr.timer / 1000, 341 (peer->sm_tmr.timer % 1000) * 1000, 342 wpa_tdls_tpk_retry_timeout, sm, peer); 343 } else { 344 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 345 346 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request"); 347 wpa_tdls_do_teardown(sm, peer, 348 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 349 } 350} 351 352 353static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm, 354 struct wpa_tdls_peer *peer, 355 u8 action_code) 356{ 357 if (action_code == peer->sm_tmr.action_code) { 358 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for " 359 "action_code=%u", action_code); 360 361 /* Cancel Timeout registered */ 362 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 363 364 /* free all resources meant for retry */ 365 os_free(peer->sm_tmr.buf); 366 peer->sm_tmr.buf = NULL; 367 368 peer->sm_tmr.count = 0; 369 peer->sm_tmr.timer = 0; 370 peer->sm_tmr.buf_len = 0; 371 peer->sm_tmr.action_code = 0xff; 372 } else { 373 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout " 374 "(Unknown action_code=%u)", action_code); 375 } 376} 377 378 379static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer, 380 const u8 *own_addr, const u8 *bssid) 381{ 382 u8 key_input[SHA256_MAC_LEN]; 383 const u8 *nonce[2]; 384 size_t len[2]; 385 u8 data[3 * ETH_ALEN]; 386 387 /* IEEE Std 802.11z-2010 8.5.9.1: 388 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce)) 389 */ 390 len[0] = WPA_NONCE_LEN; 391 len[1] = WPA_NONCE_LEN; 392 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) { 393 nonce[0] = peer->inonce; 394 nonce[1] = peer->rnonce; 395 } else { 396 nonce[0] = peer->rnonce; 397 nonce[1] = peer->inonce; 398 } 399 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN); 400 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN); 401 sha256_vector(2, nonce, len, key_input); 402 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input", 403 key_input, SHA256_MAC_LEN); 404 405 /* 406 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK", 407 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY) 408 * TODO: is N_KEY really included in KDF Context and if so, in which 409 * presentation format (little endian 16-bit?) is it used? It gets 410 * added by the KDF anyway.. 411 */ 412 413 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) { 414 os_memcpy(data, own_addr, ETH_ALEN); 415 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN); 416 } else { 417 os_memcpy(data, peer->addr, ETH_ALEN); 418 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN); 419 } 420 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN); 421 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data)); 422 423 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), 424 (u8 *) &peer->tpk, sizeof(peer->tpk)); 425 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK", 426 peer->tpk.kck, sizeof(peer->tpk.kck)); 427 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK", 428 peer->tpk.tk, sizeof(peer->tpk.tk)); 429 peer->tpk_set = 1; 430} 431 432 433/** 434 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC 435 * @kck: TPK-KCK 436 * @lnkid: Pointer to the beginning of Link Identifier IE 437 * @rsnie: Pointer to the beginning of RSN IE used for handshake 438 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake 439 * @ftie: Pointer to the beginning of FT IE 440 * @mic: Pointer for writing MIC 441 * 442 * Calculate MIC for TDLS frame. 443 */ 444static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid, 445 const u8 *rsnie, const u8 *timeoutie, 446 const u8 *ftie, u8 *mic) 447{ 448 u8 *buf, *pos; 449 struct wpa_tdls_ftie *_ftie; 450 const struct wpa_tdls_lnkid *_lnkid; 451 int ret; 452 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] + 453 2 + timeoutie[1] + 2 + ftie[1]; 454 buf = os_zalloc(len); 455 if (!buf) { 456 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 457 return -1; 458 } 459 460 pos = buf; 461 _lnkid = (const struct wpa_tdls_lnkid *) lnkid; 462 /* 1) TDLS initiator STA MAC address */ 463 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN); 464 pos += ETH_ALEN; 465 /* 2) TDLS responder STA MAC address */ 466 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN); 467 pos += ETH_ALEN; 468 /* 3) Transaction Sequence number */ 469 *pos++ = trans_seq; 470 /* 4) Link Identifier IE */ 471 os_memcpy(pos, lnkid, 2 + lnkid[1]); 472 pos += 2 + lnkid[1]; 473 /* 5) RSN IE */ 474 os_memcpy(pos, rsnie, 2 + rsnie[1]); 475 pos += 2 + rsnie[1]; 476 /* 6) Timeout Interval IE */ 477 os_memcpy(pos, timeoutie, 2 + timeoutie[1]); 478 pos += 2 + timeoutie[1]; 479 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 480 os_memcpy(pos, ftie, 2 + ftie[1]); 481 _ftie = (struct wpa_tdls_ftie *) pos; 482 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 483 pos += 2 + ftie[1]; 484 485 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 486 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 487 ret = omac1_aes_128(kck, buf, pos - buf, mic); 488 os_free(buf); 489 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 490 return ret; 491} 492 493 494/** 495 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame 496 * @kck: TPK-KCK 497 * @trans_seq: Transaction Sequence Number (4 - Teardown) 498 * @rcode: Reason code for Teardown 499 * @dtoken: Dialog Token used for that particular link 500 * @lnkid: Pointer to the beginning of Link Identifier IE 501 * @ftie: Pointer to the beginning of FT IE 502 * @mic: Pointer for writing MIC 503 * 504 * Calculate MIC for TDLS frame. 505 */ 506static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode, 507 u8 dtoken, const u8 *lnkid, 508 const u8 *ftie, u8 *mic) 509{ 510 u8 *buf, *pos; 511 struct wpa_tdls_ftie *_ftie; 512 int ret; 513 int len; 514 515 if (lnkid == NULL) 516 return -1; 517 518 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) + 519 sizeof(trans_seq) + 2 + ftie[1]; 520 521 buf = os_zalloc(len); 522 if (!buf) { 523 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation"); 524 return -1; 525 } 526 527 pos = buf; 528 /* 1) Link Identifier IE */ 529 os_memcpy(pos, lnkid, 2 + lnkid[1]); 530 pos += 2 + lnkid[1]; 531 /* 2) Reason Code */ 532 WPA_PUT_LE16(pos, rcode); 533 pos += sizeof(rcode); 534 /* 3) Dialog token */ 535 *pos++ = dtoken; 536 /* 4) Transaction Sequence number */ 537 *pos++ = trans_seq; 538 /* 7) FTIE, with the MIC field of the FTIE set to 0 */ 539 os_memcpy(pos, ftie, 2 + ftie[1]); 540 _ftie = (struct wpa_tdls_ftie *) pos; 541 os_memset(_ftie->mic, 0, TDLS_MIC_LEN); 542 pos += 2 + ftie[1]; 543 544 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf); 545 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16); 546 ret = omac1_aes_128(kck, buf, pos - buf, mic); 547 os_free(buf); 548 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16); 549 return ret; 550} 551 552 553static int wpa_supplicant_verify_tdls_mic(u8 trans_seq, 554 struct wpa_tdls_peer *peer, 555 const u8 *lnkid, const u8 *timeoutie, 556 const struct wpa_tdls_ftie *ftie) 557{ 558 u8 mic[16]; 559 560 if (peer->tpk_set) { 561 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid, 562 peer->rsnie_p, timeoutie, (u8 *) ftie, 563 mic); 564 if (os_memcmp(mic, ftie->mic, 16) != 0) { 565 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - " 566 "dropping packet"); 567 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC", 568 ftie->mic, 16); 569 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC", 570 mic, 16); 571 return -1; 572 } 573 } else { 574 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, " 575 "TPK not set - dropping packet"); 576 return -1; 577 } 578 return 0; 579} 580 581 582static int wpa_supplicant_verify_tdls_mic_teardown( 583 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer, 584 const u8 *lnkid, const struct wpa_tdls_ftie *ftie) 585{ 586 u8 mic[16]; 587 588 if (peer->tpk_set) { 589 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode, 590 dtoken, lnkid, (u8 *) ftie, mic); 591 if (os_memcmp(mic, ftie->mic, 16) != 0) { 592 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - " 593 "dropping packet"); 594 return -1; 595 } 596 } else { 597 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown " 598 "MIC, TPK not set - dropping packet"); 599 return -1; 600 } 601 return 0; 602} 603 604 605static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx) 606{ 607 struct wpa_sm *sm = eloop_ctx; 608 struct wpa_tdls_peer *peer = timeout_ctx; 609 610 /* 611 * On TPK lifetime expiration, we have an option of either tearing down 612 * the direct link or trying to re-initiate it. The selection of what 613 * to do is not strictly speaking controlled by our role in the expired 614 * link, but for now, use that to select whether to renew or tear down 615 * the link. 616 */ 617 618 if (peer->initiator) { 619 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 620 " - try to renew", MAC2STR(peer->addr)); 621 wpa_tdls_start(sm, peer->addr); 622 } else { 623 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR 624 " - tear down", MAC2STR(peer->addr)); 625 wpa_tdls_do_teardown(sm, peer, 626 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 627 } 628} 629 630 631static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 632{ 633 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR, 634 MAC2STR(peer->addr)); 635 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 636 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer); 637 peer->reconfig_key = 0; 638 peer->initiator = 0; 639 peer->tpk_in_progress = 0; 640 os_free(peer->sm_tmr.buf); 641 peer->sm_tmr.buf = NULL; 642 os_free(peer->ht_capabilities); 643 peer->ht_capabilities = NULL; 644 os_free(peer->vht_capabilities); 645 peer->vht_capabilities = NULL; 646 os_free(peer->ext_capab); 647 peer->ext_capab = NULL; 648 os_free(peer->supp_channels); 649 peer->supp_channels = NULL; 650 os_free(peer->supp_oper_classes); 651 peer->supp_oper_classes = NULL; 652 peer->rsnie_i_len = peer->rsnie_p_len = 0; 653 peer->cipher = 0; 654 peer->qos_info = 0; 655 peer->wmm_capable = 0; 656 peer->tpk_set = peer->tpk_success = 0; 657 os_memset(&peer->tpk, 0, sizeof(peer->tpk)); 658 os_memset(peer->inonce, 0, WPA_NONCE_LEN); 659 os_memset(peer->rnonce, 0, WPA_NONCE_LEN); 660} 661 662 663static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer, 664 struct wpa_tdls_lnkid *lnkid) 665{ 666 lnkid->ie_type = WLAN_EID_LINK_ID; 667 lnkid->ie_len = 3 * ETH_ALEN; 668 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN); 669 if (peer->initiator) { 670 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN); 671 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN); 672 } else { 673 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN); 674 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN); 675 } 676} 677 678 679int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 680{ 681 struct wpa_tdls_peer *peer; 682 struct wpa_tdls_ftie *ftie; 683 struct wpa_tdls_lnkid lnkid; 684 u8 dialog_token; 685 u8 *rbuf, *pos; 686 int ielen; 687 688 if (sm->tdls_disabled || !sm->tdls_supported) 689 return -1; 690 691 /* Find the node and free from the list */ 692 for (peer = sm->tdls; peer; peer = peer->next) { 693 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 694 break; 695 } 696 697 if (peer == NULL) { 698 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 699 "Teardown " MACSTR, MAC2STR(addr)); 700 return 0; 701 } 702 703 dialog_token = peer->dtoken; 704 705 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR, 706 MAC2STR(addr)); 707 708 ielen = 0; 709 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) { 710 /* To add FTIE for Teardown request and compute MIC */ 711 ielen += sizeof(*ftie); 712#ifdef CONFIG_TDLS_TESTING 713 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 714 ielen += 170; 715#endif /* CONFIG_TDLS_TESTING */ 716 } 717 718 rbuf = os_zalloc(ielen + 1); 719 if (rbuf == NULL) 720 return -1; 721 pos = rbuf; 722 723 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 724 goto skip_ies; 725 726 ftie = (struct wpa_tdls_ftie *) pos; 727 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 728 /* Using the recent nonce which should be for CONFIRM frame */ 729 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 730 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 731 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 732 pos = (u8 *) (ftie + 1); 733#ifdef CONFIG_TDLS_TESTING 734 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 735 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 736 "FTIE"); 737 ftie->ie_len += 170; 738 *pos++ = 255; /* FTIE subelem */ 739 *pos++ = 168; /* FTIE subelem length */ 740 pos += 168; 741 } 742#endif /* CONFIG_TDLS_TESTING */ 743 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake", 744 (u8 *) ftie, pos - (u8 *) ftie); 745 746 /* compute MIC before sending */ 747 wpa_tdls_linkid(sm, peer, &lnkid); 748 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code, 749 dialog_token, (u8 *) &lnkid, (u8 *) ftie, 750 ftie->mic); 751 752skip_ies: 753 /* TODO: register for a Timeout handler, if Teardown is not received at 754 * the other end, then try again another time */ 755 756 /* request driver to send Teardown using this FTIE */ 757 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0, 758 reason_code, 0, rbuf, pos - rbuf); 759 os_free(rbuf); 760 761 /* clear the Peerkey statemachine */ 762 wpa_tdls_peer_free(sm, peer); 763 764 return 0; 765} 766 767 768int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code) 769{ 770 struct wpa_tdls_peer *peer; 771 772 if (sm->tdls_disabled || !sm->tdls_supported) 773 return -1; 774 775 for (peer = sm->tdls; peer; peer = peer->next) { 776 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 777 break; 778 } 779 780 if (peer == NULL) { 781 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR 782 " for link Teardown", MAC2STR(addr)); 783 return -1; 784 } 785 786 if (!peer->tpk_success) { 787 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR 788 " not connected - cannot Teardown link", MAC2STR(addr)); 789 return -1; 790 } 791 792 return wpa_tdls_do_teardown(sm, peer, reason_code); 793} 794 795 796static void wpa_tdls_disable_peer_link(struct wpa_sm *sm, 797 struct wpa_tdls_peer *peer) 798{ 799 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 800 wpa_tdls_peer_free(sm, peer); 801} 802 803 804void wpa_tdls_disable_link(struct wpa_sm *sm, const u8 *addr) 805{ 806 struct wpa_tdls_peer *peer; 807 808 for (peer = sm->tdls; peer; peer = peer->next) { 809 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 810 break; 811 } 812 813 if (peer) 814 wpa_tdls_disable_peer_link(sm, peer); 815} 816 817 818const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr) 819{ 820 struct wpa_tdls_peer *peer; 821 822 if (sm->tdls_disabled || !sm->tdls_supported) 823 return "disabled"; 824 825 for (peer = sm->tdls; peer; peer = peer->next) { 826 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 827 break; 828 } 829 830 if (peer == NULL) 831 return "peer does not exist"; 832 833 if (!peer->tpk_success) 834 return "peer not connected"; 835 836 return "connected"; 837} 838 839 840static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr, 841 const u8 *buf, size_t len) 842{ 843 struct wpa_tdls_peer *peer = NULL; 844 struct wpa_tdls_ftie *ftie; 845 struct wpa_tdls_lnkid *lnkid; 846 struct wpa_eapol_ie_parse kde; 847 u16 reason_code; 848 const u8 *pos; 849 int ielen; 850 851 /* Find the node and free from the list */ 852 for (peer = sm->tdls; peer; peer = peer->next) { 853 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 854 break; 855 } 856 857 if (peer == NULL) { 858 wpa_printf(MSG_INFO, "TDLS: No matching entry found for " 859 "Teardown " MACSTR, MAC2STR(src_addr)); 860 return 0; 861 } 862 863 pos = buf; 864 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 865 866 reason_code = WPA_GET_LE16(pos); 867 pos += 2; 868 869 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR 870 " (reason code %u)", MAC2STR(src_addr), reason_code); 871 872 ielen = len - (pos - buf); /* start of IE in buf */ 873 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 874 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown"); 875 return -1; 876 } 877 878 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 879 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS " 880 "Teardown"); 881 return -1; 882 } 883 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 884 885 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) 886 goto skip_ftie; 887 888 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 889 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown"); 890 return -1; 891 } 892 893 ftie = (struct wpa_tdls_ftie *) kde.ftie; 894 895 /* Process MIC check to see if TDLS Teardown is right */ 896 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code, 897 peer->dtoken, peer, 898 (u8 *) lnkid, ftie) < 0) { 899 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS " 900 "Teardown Request from " MACSTR, MAC2STR(src_addr)); 901 return -1; 902 } 903 904skip_ftie: 905 /* 906 * Request the driver to disable the direct link and clear associated 907 * keys. 908 */ 909 wpa_tdls_disable_peer_link(sm, peer); 910 return 0; 911} 912 913 914/** 915 * wpa_tdls_send_error - To send suitable TDLS status response with 916 * appropriate status code mentioning reason for error/failure. 917 * @dst - MAC addr of Peer station 918 * @tdls_action - TDLS frame type for which error code is sent 919 * @status - status code mentioning reason 920 */ 921 922static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst, 923 u8 tdls_action, u8 dialog_token, u16 status) 924{ 925 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR 926 " (action=%u status=%u)", 927 MAC2STR(dst), tdls_action, status); 928 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status, 929 0, NULL, 0); 930} 931 932 933static struct wpa_tdls_peer * 934wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing) 935{ 936 struct wpa_tdls_peer *peer; 937 938 if (existing) 939 *existing = 0; 940 for (peer = sm->tdls; peer; peer = peer->next) { 941 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) { 942 if (existing) 943 *existing = 1; 944 return peer; /* re-use existing entry */ 945 } 946 } 947 948 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR, 949 MAC2STR(addr)); 950 951 peer = os_zalloc(sizeof(*peer)); 952 if (peer == NULL) 953 return NULL; 954 955 os_memcpy(peer->addr, addr, ETH_ALEN); 956 peer->next = sm->tdls; 957 sm->tdls = peer; 958 959 return peer; 960} 961 962 963static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm, 964 struct wpa_tdls_peer *peer) 965{ 966 size_t buf_len; 967 struct wpa_tdls_timeoutie timeoutie; 968 u16 rsn_capab; 969 struct wpa_tdls_ftie *ftie; 970 u8 *rbuf, *pos, *count_pos; 971 u16 count; 972 struct rsn_ie_hdr *hdr; 973 int status; 974 975 if (!wpa_tdls_get_privacy(sm)) { 976 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link"); 977 peer->rsnie_i_len = 0; 978 goto skip_rsnie; 979 } 980 981 /* 982 * TPK Handshake Message 1: 983 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I, 984 * Timeout Interval IE)) 985 */ 986 987 /* Filling RSN IE */ 988 hdr = (struct rsn_ie_hdr *) peer->rsnie_i; 989 hdr->elem_id = WLAN_EID_RSN; 990 WPA_PUT_LE16(hdr->version, RSN_VERSION); 991 992 pos = (u8 *) (hdr + 1); 993 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 994 pos += RSN_SELECTOR_LEN; 995 count_pos = pos; 996 pos += 2; 997 998 count = 0; 999 1000 /* 1001 * AES-CCMP is the default Encryption preferred for TDLS, so 1002 * RSN IE is filled only with CCMP CIPHER 1003 * Note: TKIP is not used to encrypt TDLS link. 1004 * 1005 * Regardless of the cipher used on the AP connection, select CCMP 1006 * here. 1007 */ 1008 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1009 pos += RSN_SELECTOR_LEN; 1010 count++; 1011 1012 WPA_PUT_LE16(count_pos, count); 1013 1014 WPA_PUT_LE16(pos, 1); 1015 pos += 2; 1016 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1017 pos += RSN_SELECTOR_LEN; 1018 1019 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1020 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1021#ifdef CONFIG_TDLS_TESTING 1022 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1023 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for " 1024 "testing"); 1025 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1026 } 1027#endif /* CONFIG_TDLS_TESTING */ 1028 WPA_PUT_LE16(pos, rsn_capab); 1029 pos += 2; 1030#ifdef CONFIG_TDLS_TESTING 1031 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) { 1032 /* Number of PMKIDs */ 1033 *pos++ = 0x00; 1034 *pos++ = 0x00; 1035 } 1036#endif /* CONFIG_TDLS_TESTING */ 1037 1038 hdr->len = (pos - peer->rsnie_i) - 2; 1039 peer->rsnie_i_len = pos - peer->rsnie_i; 1040 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1041 peer->rsnie_i, peer->rsnie_i_len); 1042 1043skip_rsnie: 1044 buf_len = 0; 1045 if (wpa_tdls_get_privacy(sm)) 1046 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1047 sizeof(struct wpa_tdls_timeoutie); 1048#ifdef CONFIG_TDLS_TESTING 1049 if (wpa_tdls_get_privacy(sm) && 1050 (tdls_testing & TDLS_TESTING_LONG_FRAME)) 1051 buf_len += 170; 1052 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) 1053 buf_len += sizeof(struct wpa_tdls_lnkid); 1054#endif /* CONFIG_TDLS_TESTING */ 1055 rbuf = os_zalloc(buf_len + 1); 1056 if (rbuf == NULL) { 1057 wpa_tdls_peer_free(sm, peer); 1058 return -1; 1059 } 1060 pos = rbuf; 1061 1062 if (!wpa_tdls_get_privacy(sm)) 1063 goto skip_ies; 1064 1065 /* Initiator RSN IE */ 1066 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len); 1067 1068 ftie = (struct wpa_tdls_ftie *) pos; 1069 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1070 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1071 1072 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) { 1073 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1074 "TDLS: Failed to get random data for initiator Nonce"); 1075 os_free(rbuf); 1076 wpa_tdls_peer_free(sm, peer); 1077 return -1; 1078 } 1079 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", 1080 peer->inonce, WPA_NONCE_LEN); 1081 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1082 1083 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1", 1084 (u8 *) ftie, sizeof(struct wpa_tdls_ftie)); 1085 1086 pos = (u8 *) (ftie + 1); 1087 1088#ifdef CONFIG_TDLS_TESTING 1089 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1090 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1091 "FTIE"); 1092 ftie->ie_len += 170; 1093 *pos++ = 255; /* FTIE subelem */ 1094 *pos++ = 168; /* FTIE subelem length */ 1095 pos += 168; 1096 } 1097#endif /* CONFIG_TDLS_TESTING */ 1098 1099 /* Lifetime */ 1100 peer->lifetime = TPK_LIFETIME; 1101#ifdef CONFIG_TDLS_TESTING 1102 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) { 1103 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK " 1104 "lifetime"); 1105 peer->lifetime = 301; 1106 } 1107 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) { 1108 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK " 1109 "lifetime"); 1110 peer->lifetime = 0xffffffff; 1111 } 1112#endif /* CONFIG_TDLS_TESTING */ 1113 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1114 sizeof(timeoutie), peer->lifetime); 1115 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime); 1116 1117skip_ies: 1118 1119#ifdef CONFIG_TDLS_TESTING 1120 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) { 1121 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in " 1122 "Link Identifier"); 1123 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos; 1124 wpa_tdls_linkid(sm, peer, l); 1125 l->bssid[5] ^= 0x01; 1126 pos += sizeof(*l); 1127 } 1128#endif /* CONFIG_TDLS_TESTING */ 1129 1130 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK " 1131 "Handshake Message 1 (peer " MACSTR ")", 1132 MAC2STR(peer->addr)); 1133 1134 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1135 1, 0, 0, rbuf, pos - rbuf); 1136 os_free(rbuf); 1137 1138 return status; 1139} 1140 1141 1142static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm, 1143 const unsigned char *src_addr, u8 dtoken, 1144 struct wpa_tdls_lnkid *lnkid, 1145 const struct wpa_tdls_peer *peer) 1146{ 1147 u8 *rbuf, *pos; 1148 size_t buf_len; 1149 u32 lifetime; 1150 struct wpa_tdls_timeoutie timeoutie; 1151 struct wpa_tdls_ftie *ftie; 1152 int status; 1153 1154 buf_len = 0; 1155 if (wpa_tdls_get_privacy(sm)) { 1156 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1157 * Lifetime */ 1158 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1159 sizeof(struct wpa_tdls_timeoutie); 1160#ifdef CONFIG_TDLS_TESTING 1161 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1162 buf_len += 170; 1163#endif /* CONFIG_TDLS_TESTING */ 1164 } 1165 1166 rbuf = os_zalloc(buf_len + 1); 1167 if (rbuf == NULL) 1168 return -1; 1169 pos = rbuf; 1170 1171 if (!wpa_tdls_get_privacy(sm)) 1172 goto skip_ies; 1173 1174 /* Peer RSN IE */ 1175 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1176 1177 ftie = (struct wpa_tdls_ftie *) pos; 1178 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1179 /* TODO: ftie->mic_control to set 2-RESPONSE */ 1180 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1181 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1182 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1183 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2", 1184 (u8 *) ftie, sizeof(*ftie)); 1185 1186 pos = (u8 *) (ftie + 1); 1187 1188#ifdef CONFIG_TDLS_TESTING 1189 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1190 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1191 "FTIE"); 1192 ftie->ie_len += 170; 1193 *pos++ = 255; /* FTIE subelem */ 1194 *pos++ = 168; /* FTIE subelem length */ 1195 pos += 168; 1196 } 1197#endif /* CONFIG_TDLS_TESTING */ 1198 1199 /* Lifetime */ 1200 lifetime = peer->lifetime; 1201#ifdef CONFIG_TDLS_TESTING 1202 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) { 1203 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1204 "lifetime in response"); 1205 lifetime++; 1206 } 1207#endif /* CONFIG_TDLS_TESTING */ 1208 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1209 sizeof(timeoutie), lifetime); 1210 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator", 1211 lifetime); 1212 1213 /* compute MIC before sending */ 1214 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p, 1215 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1216 1217skip_ies: 1218 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, 1219 dtoken, 0, 0, rbuf, pos - rbuf); 1220 os_free(rbuf); 1221 1222 return status; 1223} 1224 1225 1226static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm, 1227 const unsigned char *src_addr, u8 dtoken, 1228 struct wpa_tdls_lnkid *lnkid, 1229 const struct wpa_tdls_peer *peer) 1230{ 1231 u8 *rbuf, *pos; 1232 size_t buf_len; 1233 struct wpa_tdls_ftie *ftie; 1234 struct wpa_tdls_timeoutie timeoutie; 1235 u32 lifetime; 1236 int status; 1237 u32 peer_capab = 0; 1238 1239 buf_len = 0; 1240 if (wpa_tdls_get_privacy(sm)) { 1241 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce), 1242 * Lifetime */ 1243 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) + 1244 sizeof(struct wpa_tdls_timeoutie); 1245#ifdef CONFIG_TDLS_TESTING 1246 if (tdls_testing & TDLS_TESTING_LONG_FRAME) 1247 buf_len += 170; 1248#endif /* CONFIG_TDLS_TESTING */ 1249 } 1250 1251 rbuf = os_zalloc(buf_len + 1); 1252 if (rbuf == NULL) 1253 return -1; 1254 pos = rbuf; 1255 1256 if (!wpa_tdls_get_privacy(sm)) 1257 goto skip_ies; 1258 1259 /* Peer RSN IE */ 1260 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len); 1261 1262 ftie = (struct wpa_tdls_ftie *) pos; 1263 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION; 1264 /*TODO: ftie->mic_control to set 3-CONFIRM */ 1265 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN); 1266 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); 1267 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2; 1268 1269 pos = (u8 *) (ftie + 1); 1270 1271#ifdef CONFIG_TDLS_TESTING 1272 if (tdls_testing & TDLS_TESTING_LONG_FRAME) { 1273 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to " 1274 "FTIE"); 1275 ftie->ie_len += 170; 1276 *pos++ = 255; /* FTIE subelem */ 1277 *pos++ = 168; /* FTIE subelem length */ 1278 pos += 168; 1279 } 1280#endif /* CONFIG_TDLS_TESTING */ 1281 1282 /* Lifetime */ 1283 lifetime = peer->lifetime; 1284#ifdef CONFIG_TDLS_TESTING 1285 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) { 1286 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK " 1287 "lifetime in confirm"); 1288 lifetime++; 1289 } 1290#endif /* CONFIG_TDLS_TESTING */ 1291 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie, 1292 sizeof(timeoutie), lifetime); 1293 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", 1294 lifetime); 1295 1296 /* compute MIC before sending */ 1297 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p, 1298 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic); 1299 1300 if (peer->vht_capabilities) 1301 peer_capab |= TDLS_PEER_VHT; 1302 else if (peer->ht_capabilities) 1303 peer_capab |= TDLS_PEER_HT; 1304 else if (peer->wmm_capable) 1305 peer_capab |= TDLS_PEER_WMM; 1306 1307skip_ies: 1308 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, 1309 dtoken, 0, peer_capab, rbuf, pos - rbuf); 1310 os_free(rbuf); 1311 1312 return status; 1313} 1314 1315 1316static int wpa_tdls_send_discovery_response(struct wpa_sm *sm, 1317 struct wpa_tdls_peer *peer, 1318 u8 dialog_token) 1319{ 1320 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response " 1321 "(peer " MACSTR ")", MAC2STR(peer->addr)); 1322 1323 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE, 1324 dialog_token, 0, 0, NULL, 0); 1325} 1326 1327 1328static int 1329wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr, 1330 const u8 *buf, size_t len) 1331{ 1332 struct wpa_eapol_ie_parse kde; 1333 const struct wpa_tdls_lnkid *lnkid; 1334 struct wpa_tdls_peer *peer; 1335 size_t min_req_len = sizeof(struct wpa_tdls_frame) + 1336 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid); 1337 u8 dialog_token; 1338 1339 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR, 1340 MAC2STR(addr)); 1341 1342 if (len < min_req_len) { 1343 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: " 1344 "%d", (int) len); 1345 return -1; 1346 } 1347 1348 dialog_token = buf[sizeof(struct wpa_tdls_frame)]; 1349 1350 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1, 1351 len - (sizeof(struct wpa_tdls_frame) + 1), 1352 &kde) < 0) 1353 return -1; 1354 1355 if (!kde.lnkid) { 1356 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery " 1357 "Request"); 1358 return -1; 1359 } 1360 1361 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid; 1362 1363 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1364 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different " 1365 " BSS " MACSTR, MAC2STR(lnkid->bssid)); 1366 return -1; 1367 } 1368 1369 peer = wpa_tdls_add_peer(sm, addr, NULL); 1370 if (peer == NULL) 1371 return -1; 1372 1373 return wpa_tdls_send_discovery_response(sm, peer, dialog_token); 1374} 1375 1376 1377int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr) 1378{ 1379 if (sm->tdls_disabled || !sm->tdls_supported) 1380 return -1; 1381 1382 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer " 1383 MACSTR, MAC2STR(addr)); 1384 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST, 1385 1, 0, 0, NULL, 0); 1386} 1387 1388 1389static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde, 1390 struct wpa_tdls_peer *peer) 1391{ 1392 if (!kde->supp_rates) { 1393 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received"); 1394 return -1; 1395 } 1396 peer->supp_rates_len = merge_byte_arrays( 1397 peer->supp_rates, sizeof(peer->supp_rates), 1398 kde->supp_rates + 2, kde->supp_rates_len - 2, 1399 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL, 1400 kde->ext_supp_rates_len - 2); 1401 return 0; 1402} 1403 1404 1405static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, 1406 struct wpa_tdls_peer *peer) 1407{ 1408 if (!kde->ht_capabilities || 1409 kde->ht_capabilities_len < 1410 sizeof(struct ieee80211_ht_capabilities) ) { 1411 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities " 1412 "received"); 1413 return 0; 1414 } 1415 1416 if (!peer->ht_capabilities) { 1417 peer->ht_capabilities = 1418 os_zalloc(sizeof(struct ieee80211_ht_capabilities)); 1419 if (peer->ht_capabilities == NULL) 1420 return -1; 1421 } 1422 1423 os_memcpy(peer->ht_capabilities, kde->ht_capabilities, 1424 sizeof(struct ieee80211_ht_capabilities)); 1425 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities", 1426 (u8 *) peer->ht_capabilities, 1427 sizeof(struct ieee80211_ht_capabilities)); 1428 1429 return 0; 1430} 1431 1432 1433static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, 1434 struct wpa_tdls_peer *peer) 1435{ 1436 if (!kde->vht_capabilities || 1437 kde->vht_capabilities_len < 1438 sizeof(struct ieee80211_vht_capabilities) ) { 1439 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " 1440 "received"); 1441 return 0; 1442 } 1443 1444 if (!peer->vht_capabilities) { 1445 peer->vht_capabilities = 1446 os_zalloc(sizeof(struct ieee80211_vht_capabilities)); 1447 if (peer->vht_capabilities == NULL) 1448 return -1; 1449 } 1450 1451 os_memcpy(peer->vht_capabilities, kde->vht_capabilities, 1452 sizeof(struct ieee80211_vht_capabilities)); 1453 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities", 1454 (u8 *) peer->vht_capabilities, 1455 sizeof(struct ieee80211_vht_capabilities)); 1456 1457 return 0; 1458} 1459 1460 1461static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde, 1462 struct wpa_tdls_peer *peer) 1463{ 1464 if (!kde->ext_capab) { 1465 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities " 1466 "received"); 1467 return 0; 1468 } 1469 1470 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) { 1471 /* Need to allocate buffer to fit the new information */ 1472 os_free(peer->ext_capab); 1473 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2); 1474 if (peer->ext_capab == NULL) 1475 return -1; 1476 } 1477 1478 peer->ext_capab_len = kde->ext_capab_len - 2; 1479 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len); 1480 1481 return 0; 1482} 1483 1484 1485static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde, 1486 struct wpa_tdls_peer *peer) 1487{ 1488 struct wmm_information_element *wmm; 1489 1490 if (!kde->wmm) { 1491 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received"); 1492 return 0; 1493 } 1494 1495 if (kde->wmm_len < sizeof(struct wmm_information_element)) { 1496 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received"); 1497 return -1; 1498 } 1499 1500 wmm = (struct wmm_information_element *) kde->wmm; 1501 peer->qos_info = wmm->qos_info; 1502 1503 peer->wmm_capable = 1; 1504 1505 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info); 1506 return 0; 1507} 1508 1509 1510static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde, 1511 struct wpa_tdls_peer *peer) 1512{ 1513 if (!kde->supp_channels) { 1514 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received"); 1515 return 0; 1516 } 1517 1518 if (!peer->supp_channels || 1519 peer->supp_channels_len < kde->supp_channels_len) { 1520 os_free(peer->supp_channels); 1521 peer->supp_channels = os_zalloc(kde->supp_channels_len); 1522 if (peer->supp_channels == NULL) 1523 return -1; 1524 } 1525 1526 peer->supp_channels_len = kde->supp_channels_len; 1527 1528 os_memcpy(peer->supp_channels, kde->supp_channels, 1529 peer->supp_channels_len); 1530 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels", 1531 (u8 *) peer->supp_channels, peer->supp_channels_len); 1532 return 0; 1533} 1534 1535 1536static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde, 1537 struct wpa_tdls_peer *peer) 1538{ 1539 if (!kde->supp_oper_classes) { 1540 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received"); 1541 return 0; 1542 } 1543 1544 if (!peer->supp_oper_classes || 1545 peer->supp_oper_classes_len < kde->supp_oper_classes_len) { 1546 os_free(peer->supp_oper_classes); 1547 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len); 1548 if (peer->supp_oper_classes == NULL) 1549 return -1; 1550 } 1551 1552 peer->supp_oper_classes_len = kde->supp_oper_classes_len; 1553 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes, 1554 peer->supp_oper_classes_len); 1555 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes", 1556 (u8 *) peer->supp_oper_classes, 1557 peer->supp_oper_classes_len); 1558 return 0; 1559} 1560 1561 1562static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, 1563 const u8 *buf, size_t len) 1564{ 1565 struct wpa_tdls_peer *peer; 1566 struct wpa_eapol_ie_parse kde; 1567 struct wpa_ie_data ie; 1568 int cipher; 1569 const u8 *cpos; 1570 struct wpa_tdls_ftie *ftie = NULL; 1571 struct wpa_tdls_timeoutie *timeoutie; 1572 struct wpa_tdls_lnkid *lnkid; 1573 u32 lifetime = 0; 1574#if 0 1575 struct rsn_ie_hdr *hdr; 1576 u8 *pos; 1577 u16 rsn_capab; 1578 u16 rsn_ver; 1579#endif 1580 u8 dtoken; 1581 u16 ielen; 1582 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 1583 int tdls_prohibited = sm->tdls_prohibited; 1584 int existing_peer = 0; 1585 1586 if (len < 3 + 3) 1587 return -1; 1588 1589 cpos = buf; 1590 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1591 1592 /* driver had already verified the frame format */ 1593 dtoken = *cpos++; /* dialog token */ 1594 1595 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken); 1596 1597 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer); 1598 if (peer == NULL) 1599 goto error; 1600 1601 /* If found, use existing entry instead of adding a new one; 1602 * how to handle the case where both ends initiate at the 1603 * same time? */ 1604 if (existing_peer) { 1605 if (peer->tpk_success) { 1606 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while " 1607 "direct link is enabled - tear down the " 1608 "old link first"); 1609 wpa_tdls_disable_peer_link(sm, peer); 1610 } 1611 1612 /* 1613 * An entry is already present, so check if we already sent a 1614 * TDLS Setup Request. If so, compare MAC addresses and let the 1615 * STA with the lower MAC address continue as the initiator. 1616 * The other negotiation is terminated. 1617 */ 1618 if (peer->initiator) { 1619 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) { 1620 wpa_printf(MSG_DEBUG, "TDLS: Discard request " 1621 "from peer with higher address " 1622 MACSTR, MAC2STR(src_addr)); 1623 return -1; 1624 } else { 1625 wpa_printf(MSG_DEBUG, "TDLS: Accept request " 1626 "from peer with lower address " 1627 MACSTR " (terminate previously " 1628 "initiated negotiation", 1629 MAC2STR(src_addr)); 1630 wpa_tdls_disable_peer_link(sm, peer); 1631 } 1632 } 1633 } 1634 1635 /* capability information */ 1636 peer->capability = WPA_GET_LE16(cpos); 1637 cpos += 2; 1638 1639 ielen = len - (cpos - buf); /* start of IE in buf */ 1640 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) { 1641 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1"); 1642 goto error; 1643 } 1644 1645 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 1646 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 1647 "TPK M1"); 1648 goto error; 1649 } 1650 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1", 1651 kde.lnkid, kde.lnkid_len); 1652 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 1653 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 1654 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS"); 1655 status = WLAN_STATUS_NOT_IN_SAME_BSS; 1656 goto error; 1657 } 1658 1659 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR, 1660 MAC2STR(src_addr)); 1661 1662 if (copy_supp_rates(&kde, peer) < 0) 1663 goto error; 1664 1665 if (copy_peer_ht_capab(&kde, peer) < 0) 1666 goto error; 1667 1668 if (copy_peer_vht_capab(&kde, peer) < 0) 1669 goto error; 1670 1671 if (copy_peer_ext_capab(&kde, peer) < 0) 1672 goto error; 1673 1674 if (copy_peer_supp_channels(&kde, peer) < 0) 1675 goto error; 1676 1677 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 1678 goto error; 1679 1680 peer->qos_info = kde.qosinfo; 1681 1682 /* Overwrite with the qos_info obtained in WMM IE */ 1683 if (copy_peer_wmm_capab(&kde, peer) < 0) 1684 goto error; 1685 1686 peer->aid = kde.aid; 1687 1688#ifdef CONFIG_TDLS_TESTING 1689 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1690 peer = wpa_tdls_add_peer(sm, src_addr, NULL); 1691 if (peer == NULL) 1692 goto error; 1693 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of " 1694 "TDLS setup - send own request"); 1695 peer->initiator = 1; 1696 wpa_tdls_send_tpk_m1(sm, peer); 1697 } 1698 1699 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 1700 tdls_prohibited) { 1701 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 1702 "on TDLS"); 1703 tdls_prohibited = 0; 1704 } 1705#endif /* CONFIG_TDLS_TESTING */ 1706 1707 if (tdls_prohibited) { 1708 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS"); 1709 status = WLAN_STATUS_REQUEST_DECLINED; 1710 goto error; 1711 } 1712 1713 if (!wpa_tdls_get_privacy(sm)) { 1714 if (kde.rsn_ie) { 1715 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while " 1716 "security is disabled"); 1717 status = WLAN_STATUS_SECURITY_DISABLED; 1718 goto error; 1719 } 1720 goto skip_rsn; 1721 } 1722 1723 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 1724 kde.rsn_ie == NULL) { 1725 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1"); 1726 status = WLAN_STATUS_INVALID_PARAMETERS; 1727 goto error; 1728 } 1729 1730 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) { 1731 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in " 1732 "TPK M1"); 1733 status = WLAN_STATUS_INVALID_RSNIE; 1734 goto error; 1735 } 1736 1737 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 1738 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1"); 1739 status = WLAN_STATUS_INVALID_RSNIE; 1740 goto error; 1741 } 1742 1743 cipher = ie.pairwise_cipher; 1744 if (cipher & WPA_CIPHER_CCMP) { 1745 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 1746 cipher = WPA_CIPHER_CCMP; 1747 } else { 1748 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1"); 1749 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1750 goto error; 1751 } 1752 1753 if ((ie.capabilities & 1754 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) != 1755 WPA_CAPABILITY_PEERKEY_ENABLED) { 1756 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in " 1757 "TPK M1"); 1758 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB; 1759 goto error; 1760 } 1761 1762 /* Lifetime */ 1763 if (kde.key_lifetime == NULL) { 1764 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1"); 1765 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1766 goto error; 1767 } 1768 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 1769 lifetime = WPA_GET_LE32(timeoutie->value); 1770 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime); 1771 if (lifetime < 300) { 1772 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime"); 1773 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 1774 goto error; 1775 } 1776 1777skip_rsn: 1778#ifdef CONFIG_TDLS_TESTING 1779 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) { 1780 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) { 1781 /* 1782 * The request frame from us is going to win, so do not 1783 * replace information based on this request frame from 1784 * the peer. 1785 */ 1786 goto skip_rsn_check; 1787 } 1788 } 1789#endif /* CONFIG_TDLS_TESTING */ 1790 1791 peer->initiator = 0; /* Need to check */ 1792 peer->dtoken = dtoken; 1793 1794 if (!wpa_tdls_get_privacy(sm)) { 1795 peer->rsnie_i_len = 0; 1796 peer->rsnie_p_len = 0; 1797 peer->cipher = WPA_CIPHER_NONE; 1798 goto skip_rsn_check; 1799 } 1800 1801 ftie = (struct wpa_tdls_ftie *) kde.ftie; 1802 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 1803 peer->rsnie_i_len = kde.rsn_ie_len; 1804 peer->cipher = cipher; 1805 1806 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { 1807 /* 1808 * There is no point in updating the RNonce for every obtained 1809 * TPK M1 frame (e.g., retransmission due to timeout) with the 1810 * same INonce (SNonce in FTIE). However, if the TPK M1 is 1811 * retransmitted with a different INonce, update the RNonce 1812 * since this is for a new TDLS session. 1813 */ 1814 wpa_printf(MSG_DEBUG, 1815 "TDLS: New TPK M1 INonce - generate new RNonce"); 1816 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN); 1817 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) { 1818 wpa_msg(sm->ctx->ctx, MSG_WARNING, 1819 "TDLS: Failed to get random data for responder nonce"); 1820 wpa_tdls_peer_free(sm, peer); 1821 goto error; 1822 } 1823 } 1824 1825#if 0 1826 /* get version info from RSNIE received from Peer */ 1827 hdr = (struct rsn_ie_hdr *) kde.rsn_ie; 1828 rsn_ver = WPA_GET_LE16(hdr->version); 1829 1830 /* use min(peer's version, out version) */ 1831 if (rsn_ver > RSN_VERSION) 1832 rsn_ver = RSN_VERSION; 1833 1834 hdr = (struct rsn_ie_hdr *) peer->rsnie_p; 1835 1836 hdr->elem_id = WLAN_EID_RSN; 1837 WPA_PUT_LE16(hdr->version, rsn_ver); 1838 pos = (u8 *) (hdr + 1); 1839 1840 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 1841 pos += RSN_SELECTOR_LEN; 1842 /* Include only the selected cipher in pairwise cipher suite */ 1843 WPA_PUT_LE16(pos, 1); 1844 pos += 2; 1845 if (cipher == WPA_CIPHER_CCMP) 1846 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1847 pos += RSN_SELECTOR_LEN; 1848 1849 WPA_PUT_LE16(pos, 1); 1850 pos += 2; 1851 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE); 1852 pos += RSN_SELECTOR_LEN; 1853 1854 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED; 1855 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2; 1856 WPA_PUT_LE16(pos, rsn_capab); 1857 pos += 2; 1858 1859 hdr->len = (pos - peer->rsnie_p) - 2; 1860 peer->rsnie_p_len = pos - peer->rsnie_p; 1861#endif 1862 1863 /* temp fix: validation of RSNIE later */ 1864 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len); 1865 peer->rsnie_p_len = peer->rsnie_i_len; 1866 1867 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake", 1868 peer->rsnie_p, peer->rsnie_p_len); 1869 1870 peer->lifetime = lifetime; 1871 1872 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 1873 1874skip_rsn_check: 1875 /* add the peer to the driver as a "setup in progress" peer */ 1876 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 1877 NULL, 0, NULL, 0, NULL, 0); 1878 peer->tpk_in_progress = 1; 1879 1880 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2"); 1881 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) { 1882 wpa_tdls_disable_peer_link(sm, peer); 1883 goto error; 1884 } 1885 1886 return 0; 1887 1888error: 1889 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 1890 status); 1891 return -1; 1892} 1893 1894 1895static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) 1896{ 1897 peer->tpk_success = 1; 1898 peer->tpk_in_progress = 0; 1899 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1900 if (wpa_tdls_get_privacy(sm)) { 1901 u32 lifetime = peer->lifetime; 1902 /* 1903 * Start the initiator process a bit earlier to avoid race 1904 * condition with the responder sending teardown request. 1905 */ 1906 if (lifetime > 3 && peer->initiator) 1907 lifetime -= 3; 1908 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout, 1909 sm, peer); 1910#ifdef CONFIG_TDLS_TESTING 1911 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) { 1912 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK " 1913 "expiration"); 1914 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); 1915 } 1916#endif /* CONFIG_TDLS_TESTING */ 1917 } 1918 1919 /* add supported rates, capabilities, and qos_info to the TDLS peer */ 1920 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 0, peer->aid, 1921 peer->capability, 1922 peer->supp_rates, peer->supp_rates_len, 1923 peer->ht_capabilities, 1924 peer->vht_capabilities, 1925 peer->qos_info, peer->ext_capab, 1926 peer->ext_capab_len, 1927 peer->supp_channels, 1928 peer->supp_channels_len, 1929 peer->supp_oper_classes, 1930 peer->supp_oper_classes_len) < 0) 1931 return -1; 1932 1933 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { 1934 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " 1935 "driver"); 1936 return -1; 1937 } 1938 peer->reconfig_key = 0; 1939 1940 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr); 1941} 1942 1943 1944static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr, 1945 const u8 *buf, size_t len) 1946{ 1947 struct wpa_tdls_peer *peer; 1948 struct wpa_eapol_ie_parse kde; 1949 struct wpa_ie_data ie; 1950 int cipher; 1951 struct wpa_tdls_ftie *ftie; 1952 struct wpa_tdls_timeoutie *timeoutie; 1953 struct wpa_tdls_lnkid *lnkid; 1954 u32 lifetime; 1955 u8 dtoken; 1956 int ielen; 1957 u16 status; 1958 const u8 *pos; 1959 int ret = 0; 1960 1961 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 " 1962 "(Peer " MACSTR ")", MAC2STR(src_addr)); 1963 for (peer = sm->tdls; peer; peer = peer->next) { 1964 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 1965 break; 1966 } 1967 if (peer == NULL) { 1968 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 1969 "TPK M2: " MACSTR, MAC2STR(src_addr)); 1970 return -1; 1971 } 1972 if (!peer->initiator) { 1973 /* 1974 * This may happen if both devices try to initiate TDLS at the 1975 * same time and we accept the TPK M1 from the peer in 1976 * wpa_tdls_process_tpk_m1() and clear our previous state. 1977 */ 1978 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so " 1979 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr)); 1980 return -1; 1981 } 1982 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST); 1983 1984 if (len < 3 + 2 + 1) { 1985 wpa_tdls_disable_peer_link(sm, peer); 1986 return -1; 1987 } 1988 1989 pos = buf; 1990 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 1991 status = WPA_GET_LE16(pos); 1992 pos += 2 /* status code */; 1993 1994 if (status != WLAN_STATUS_SUCCESS) { 1995 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u", 1996 status); 1997 wpa_tdls_disable_peer_link(sm, peer); 1998 return -1; 1999 } 2000 2001 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2002 2003 /* TODO: need to verify dialog token matches here or in kernel */ 2004 dtoken = *pos++; /* dialog token */ 2005 2006 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken); 2007 2008 if (len < 3 + 2 + 1 + 2) { 2009 wpa_tdls_disable_peer_link(sm, peer); 2010 return -1; 2011 } 2012 2013 /* capability information */ 2014 peer->capability = WPA_GET_LE16(pos); 2015 pos += 2; 2016 2017 ielen = len - (pos - buf); /* start of IE in buf */ 2018 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) { 2019 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2"); 2020 goto error; 2021 } 2022 2023#ifdef CONFIG_TDLS_TESTING 2024 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) { 2025 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response"); 2026 status = WLAN_STATUS_REQUEST_DECLINED; 2027 goto error; 2028 } 2029#endif /* CONFIG_TDLS_TESTING */ 2030 2031 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2032 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in " 2033 "TPK M2"); 2034 goto error; 2035 } 2036 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2", 2037 kde.lnkid, kde.lnkid_len); 2038 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2039 2040 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2041 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS"); 2042 status = WLAN_STATUS_NOT_IN_SAME_BSS; 2043 goto error; 2044 } 2045 2046 if (copy_supp_rates(&kde, peer) < 0) 2047 goto error; 2048 2049 if (copy_peer_ht_capab(&kde, peer) < 0) 2050 goto error; 2051 2052 if (copy_peer_vht_capab(&kde, peer) < 0) 2053 goto error; 2054 2055 if (copy_peer_ext_capab(&kde, peer) < 0) 2056 goto error; 2057 2058 if (copy_peer_supp_channels(&kde, peer) < 0) 2059 goto error; 2060 2061 if (copy_peer_supp_oper_classes(&kde, peer) < 0) 2062 goto error; 2063 2064 peer->qos_info = kde.qosinfo; 2065 2066 /* Overwrite with the qos_info obtained in WMM IE */ 2067 if (copy_peer_wmm_capab(&kde, peer) < 0) 2068 goto error; 2069 2070 peer->aid = kde.aid; 2071 2072 if (!wpa_tdls_get_privacy(sm)) { 2073 peer->rsnie_p_len = 0; 2074 peer->cipher = WPA_CIPHER_NONE; 2075 goto skip_rsn; 2076 } 2077 2078 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) || 2079 kde.rsn_ie == NULL) { 2080 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2"); 2081 status = WLAN_STATUS_INVALID_PARAMETERS; 2082 goto error; 2083 } 2084 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2085 kde.rsn_ie, kde.rsn_ie_len); 2086 2087 /* 2088 * FIX: bitwise comparison of RSN IE is not the correct way of 2089 * validation this. It can be different, but certain fields must 2090 * match. Since we list only a single pairwise cipher in TPK M1, the 2091 * memcmp is likely to work in most cases, though. 2092 */ 2093 if (kde.rsn_ie_len != peer->rsnie_i_len || 2094 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) { 2095 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does " 2096 "not match with RSN IE used in TPK M1"); 2097 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1", 2098 peer->rsnie_i, peer->rsnie_i_len); 2099 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2", 2100 kde.rsn_ie, kde.rsn_ie_len); 2101 status = WLAN_STATUS_INVALID_RSNIE; 2102 goto error; 2103 } 2104 2105 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 2106 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2"); 2107 status = WLAN_STATUS_INVALID_RSNIE; 2108 goto error; 2109 } 2110 2111 cipher = ie.pairwise_cipher; 2112 if (cipher == WPA_CIPHER_CCMP) { 2113 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link"); 2114 cipher = WPA_CIPHER_CCMP; 2115 } else { 2116 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2"); 2117 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 2118 goto error; 2119 } 2120 2121 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2", 2122 kde.ftie, sizeof(*ftie)); 2123 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2124 2125 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2126 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does " 2127 "not match with FTIE SNonce used in TPK M1"); 2128 /* Silently discard the frame */ 2129 return -1; 2130 } 2131 2132 /* Responder Nonce and RSN IE */ 2133 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN); 2134 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len); 2135 peer->rsnie_p_len = kde.rsn_ie_len; 2136 peer->cipher = cipher; 2137 2138 /* Lifetime */ 2139 if (kde.key_lifetime == NULL) { 2140 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2"); 2141 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2142 goto error; 2143 } 2144 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2145 lifetime = WPA_GET_LE32(timeoutie->value); 2146 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2", 2147 lifetime); 2148 if (lifetime != peer->lifetime) { 2149 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2150 "TPK M2 (expected %u)", lifetime, peer->lifetime); 2151 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME; 2152 goto error; 2153 } 2154 2155 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid); 2156 2157 /* Process MIC check to see if TPK M2 is right */ 2158 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid, 2159 (u8 *) timeoutie, ftie) < 0) { 2160 /* Discard the frame */ 2161 wpa_tdls_del_key(sm, peer); 2162 wpa_tdls_disable_peer_link(sm, peer); 2163 return -1; 2164 } 2165 2166 if (wpa_tdls_set_key(sm, peer) < 0) { 2167 /* 2168 * Some drivers may not be able to config the key prior to full 2169 * STA entry having been configured. 2170 */ 2171 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2172 "STA entry is complete"); 2173 peer->reconfig_key = 1; 2174 } 2175 2176skip_rsn: 2177 peer->dtoken = dtoken; 2178 2179 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / " 2180 "TPK Handshake Message 3"); 2181 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0) { 2182 wpa_tdls_disable_peer_link(sm, peer); 2183 return -1; 2184 } 2185 2186 if (!peer->tpk_success) { 2187 /* 2188 * Enable Link only when tpk_success is 0, signifying that this 2189 * processing of TPK M2 frame is not because of a retransmission 2190 * during TDLS setup handshake. 2191 */ 2192 ret = wpa_tdls_enable_link(sm, peer); 2193 if (ret < 0) { 2194 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2195 wpa_tdls_do_teardown( 2196 sm, peer, 2197 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2198 } 2199 } 2200 return ret; 2201 2202error: 2203 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 2204 status); 2205 wpa_tdls_disable_peer_link(sm, peer); 2206 return -1; 2207} 2208 2209 2210static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr, 2211 const u8 *buf, size_t len) 2212{ 2213 struct wpa_tdls_peer *peer; 2214 struct wpa_eapol_ie_parse kde; 2215 struct wpa_tdls_ftie *ftie; 2216 struct wpa_tdls_timeoutie *timeoutie; 2217 struct wpa_tdls_lnkid *lnkid; 2218 int ielen; 2219 u16 status; 2220 const u8 *pos; 2221 u32 lifetime; 2222 int ret = 0; 2223 2224 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 " 2225 "(Peer " MACSTR ")", MAC2STR(src_addr)); 2226 for (peer = sm->tdls; peer; peer = peer->next) { 2227 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0) 2228 break; 2229 } 2230 if (peer == NULL) { 2231 wpa_printf(MSG_INFO, "TDLS: No matching peer found for " 2232 "TPK M3: " MACSTR, MAC2STR(src_addr)); 2233 return -1; 2234 } 2235 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE); 2236 2237 if (len < 3 + 3) 2238 goto error; 2239 pos = buf; 2240 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */; 2241 2242 status = WPA_GET_LE16(pos); 2243 2244 if (status != 0) { 2245 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u", 2246 status); 2247 goto error; 2248 } 2249 pos += 2 /* status code */ + 1 /* dialog token */; 2250 2251 ielen = len - (pos - buf); /* start of IE in buf */ 2252 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) { 2253 wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3"); 2254 goto error; 2255 } 2256 2257 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) { 2258 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3"); 2259 goto error; 2260 } 2261 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3", 2262 (u8 *) kde.lnkid, kde.lnkid_len); 2263 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid; 2264 2265 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) { 2266 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS"); 2267 goto error; 2268 } 2269 2270 if (!wpa_tdls_get_privacy(sm)) 2271 goto skip_rsn; 2272 2273 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) { 2274 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3"); 2275 goto error; 2276 } 2277 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3", 2278 kde.ftie, sizeof(*ftie)); 2279 ftie = (struct wpa_tdls_ftie *) kde.ftie; 2280 2281 if (kde.rsn_ie == NULL) { 2282 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3"); 2283 goto error; 2284 } 2285 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3", 2286 kde.rsn_ie, kde.rsn_ie_len); 2287 if (kde.rsn_ie_len != peer->rsnie_p_len || 2288 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) { 2289 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match " 2290 "with the one sent in TPK M2"); 2291 goto error; 2292 } 2293 2294 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) { 2295 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does " 2296 "not match with FTIE ANonce used in TPK M2"); 2297 goto error; 2298 } 2299 2300 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) { 2301 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not " 2302 "match with FTIE SNonce used in TPK M1"); 2303 goto error; 2304 } 2305 2306 if (kde.key_lifetime == NULL) { 2307 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3"); 2308 goto error; 2309 } 2310 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime; 2311 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3", 2312 (u8 *) timeoutie, sizeof(*timeoutie)); 2313 lifetime = WPA_GET_LE32(timeoutie->value); 2314 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3", 2315 lifetime); 2316 if (lifetime != peer->lifetime) { 2317 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in " 2318 "TPK M3 (expected %u)", lifetime, peer->lifetime); 2319 goto error; 2320 } 2321 2322 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid, 2323 (u8 *) timeoutie, ftie) < 0) { 2324 wpa_tdls_del_key(sm, peer); 2325 goto error; 2326 } 2327 2328 if (wpa_tdls_set_key(sm, peer) < 0) { 2329 /* 2330 * Some drivers may not be able to config the key prior to full 2331 * STA entry having been configured. 2332 */ 2333 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after " 2334 "STA entry is complete"); 2335 peer->reconfig_key = 1; 2336 } 2337 2338skip_rsn: 2339 if (!peer->tpk_success) { 2340 /* 2341 * Enable Link only when tpk_success is 0, signifying that this 2342 * processing of TPK M3 frame is not because of a retransmission 2343 * during TDLS setup handshake. 2344 */ 2345 ret = wpa_tdls_enable_link(sm, peer); 2346 if (ret < 0) { 2347 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link"); 2348 wpa_tdls_do_teardown( 2349 sm, peer, 2350 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED); 2351 } 2352 } 2353 return ret; 2354error: 2355 wpa_tdls_disable_peer_link(sm, peer); 2356 return -1; 2357} 2358 2359 2360static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs) 2361{ 2362 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie; 2363 2364 os_memset(lifetime, 0, ie_len); 2365 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL; 2366 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2; 2367 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME; 2368 WPA_PUT_LE32(lifetime->value, tsecs); 2369 os_memcpy(pos, ie, ie_len); 2370 return pos + ie_len; 2371} 2372 2373 2374/** 2375 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1) 2376 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2377 * @peer: MAC address of the peer STA 2378 * Returns: 0 on success, or -1 on failure 2379 * 2380 * Send TPK Handshake Message 1 info to driver to start TDLS 2381 * handshake with the peer. 2382 */ 2383int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr) 2384{ 2385 struct wpa_tdls_peer *peer; 2386 int tdls_prohibited = sm->tdls_prohibited; 2387 2388 if (sm->tdls_disabled || !sm->tdls_supported) 2389 return -1; 2390 2391#ifdef CONFIG_TDLS_TESTING 2392 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) && 2393 tdls_prohibited) { 2394 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition " 2395 "on TDLS"); 2396 tdls_prohibited = 0; 2397 } 2398#endif /* CONFIG_TDLS_TESTING */ 2399 2400 if (tdls_prohibited) { 2401 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - " 2402 "reject request to start setup"); 2403 return -1; 2404 } 2405 2406 peer = wpa_tdls_add_peer(sm, addr, NULL); 2407 if (peer == NULL) 2408 return -1; 2409 2410 if (peer->tpk_in_progress) { 2411 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer"); 2412 return 0; 2413 } 2414 2415 peer->initiator = 1; 2416 2417 /* add the peer to the driver as a "setup in progress" peer */ 2418 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL, NULL, 0, 2419 NULL, 0, NULL, 0, NULL, 0); 2420 2421 peer->tpk_in_progress = 1; 2422 2423 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) { 2424 wpa_tdls_disable_peer_link(sm, peer); 2425 return -1; 2426 } 2427 2428 return 0; 2429} 2430 2431 2432void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr) 2433{ 2434 struct wpa_tdls_peer *peer; 2435 2436 if (sm->tdls_disabled || !sm->tdls_supported) 2437 return; 2438 2439 for (peer = sm->tdls; peer; peer = peer->next) { 2440 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) 2441 break; 2442 } 2443 2444 if (peer == NULL || !peer->tpk_success) 2445 return; 2446 2447 if (sm->tdls_external_setup) { 2448 /* 2449 * Disable previous link to allow renegotiation to be completed 2450 * on AP path. 2451 */ 2452 wpa_tdls_disable_peer_link(sm, peer); 2453 } 2454} 2455 2456 2457/** 2458 * wpa_supplicant_rx_tdls - Receive TDLS data frame 2459 * 2460 * This function is called to receive TDLS (ethertype = 0x890d) data frames. 2461 */ 2462static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr, 2463 const u8 *buf, size_t len) 2464{ 2465 struct wpa_sm *sm = ctx; 2466 struct wpa_tdls_frame *tf; 2467 2468 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation", 2469 buf, len); 2470 2471 if (sm->tdls_disabled || !sm->tdls_supported) { 2472 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled " 2473 "or unsupported by driver"); 2474 return; 2475 } 2476 2477 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) { 2478 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message"); 2479 return; 2480 } 2481 2482 if (len < sizeof(*tf)) { 2483 wpa_printf(MSG_INFO, "TDLS: Drop too short frame"); 2484 return; 2485 } 2486 2487 /* Check to make sure its a valid encapsulated TDLS frame */ 2488 tf = (struct wpa_tdls_frame *) buf; 2489 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ || 2490 tf->category != WLAN_ACTION_TDLS) { 2491 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u " 2492 "category=%u action=%u", 2493 tf->payloadtype, tf->category, tf->action); 2494 return; 2495 } 2496 2497 switch (tf->action) { 2498 case WLAN_TDLS_SETUP_REQUEST: 2499 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len); 2500 break; 2501 case WLAN_TDLS_SETUP_RESPONSE: 2502 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len); 2503 break; 2504 case WLAN_TDLS_SETUP_CONFIRM: 2505 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len); 2506 break; 2507 case WLAN_TDLS_TEARDOWN: 2508 wpa_tdls_recv_teardown(sm, src_addr, buf, len); 2509 break; 2510 case WLAN_TDLS_DISCOVERY_REQUEST: 2511 wpa_tdls_process_discovery_request(sm, src_addr, buf, len); 2512 break; 2513 default: 2514 /* Kernel code will process remaining frames */ 2515 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u", 2516 tf->action); 2517 break; 2518 } 2519} 2520 2521 2522/** 2523 * wpa_tdls_init - Initialize driver interface parameters for TDLS 2524 * @wpa_s: Pointer to wpa_supplicant data 2525 * Returns: 0 on success, -1 on failure 2526 * 2527 * This function is called to initialize driver interface parameters for TDLS. 2528 * wpa_drv_init() must have been called before this function to initialize the 2529 * driver interface. 2530 */ 2531int wpa_tdls_init(struct wpa_sm *sm) 2532{ 2533 if (sm == NULL) 2534 return -1; 2535 2536 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : 2537 sm->ifname, 2538 sm->own_addr, 2539 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls, 2540 sm, 0); 2541 if (sm->l2_tdls == NULL) { 2542 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet " 2543 "connection"); 2544 return -1; 2545 } 2546 2547 /* 2548 * Drivers that support TDLS but don't implement the get_capa callback 2549 * are assumed to perform everything internally 2550 */ 2551 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported, 2552 &sm->tdls_external_setup) < 0) { 2553 sm->tdls_supported = 1; 2554 sm->tdls_external_setup = 0; 2555 } 2556 2557 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by " 2558 "driver", sm->tdls_supported ? "" : " not"); 2559 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup", 2560 sm->tdls_external_setup ? "external" : "internal"); 2561 2562 return 0; 2563} 2564 2565 2566void wpa_tdls_teardown_peers(struct wpa_sm *sm) 2567{ 2568 struct wpa_tdls_peer *peer; 2569 2570 peer = sm->tdls; 2571 2572 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers"); 2573 2574 while (peer) { 2575 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR, 2576 MAC2STR(peer->addr)); 2577 if (sm->tdls_external_setup) 2578 wpa_tdls_send_teardown(sm, peer->addr, 2579 WLAN_REASON_DEAUTH_LEAVING); 2580 else 2581 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr); 2582 2583 peer = peer->next; 2584 } 2585} 2586 2587 2588static void wpa_tdls_remove_peers(struct wpa_sm *sm) 2589{ 2590 struct wpa_tdls_peer *peer, *tmp; 2591 2592 peer = sm->tdls; 2593 sm->tdls = NULL; 2594 2595 while (peer) { 2596 int res; 2597 tmp = peer->next; 2598 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr); 2599 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)", 2600 MAC2STR(peer->addr), res); 2601 wpa_tdls_peer_free(sm, peer); 2602 os_free(peer); 2603 peer = tmp; 2604 } 2605} 2606 2607 2608/** 2609 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS 2610 * 2611 * This function is called to recover driver interface parameters for TDLS 2612 * and frees resources allocated for it. 2613 */ 2614void wpa_tdls_deinit(struct wpa_sm *sm) 2615{ 2616 if (sm == NULL) 2617 return; 2618 2619 if (sm->l2_tdls) 2620 l2_packet_deinit(sm->l2_tdls); 2621 sm->l2_tdls = NULL; 2622 2623 wpa_tdls_remove_peers(sm); 2624} 2625 2626 2627void wpa_tdls_assoc(struct wpa_sm *sm) 2628{ 2629 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association"); 2630 wpa_tdls_remove_peers(sm); 2631} 2632 2633 2634void wpa_tdls_disassoc(struct wpa_sm *sm) 2635{ 2636 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation"); 2637 wpa_tdls_remove_peers(sm); 2638} 2639 2640 2641static int wpa_tdls_prohibited(const u8 *ies, size_t len) 2642{ 2643 struct wpa_eapol_ie_parse elems; 2644 2645 if (ies == NULL) 2646 return 0; 2647 2648 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0) 2649 return 0; 2650 2651 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5) 2652 return 0; 2653 2654 /* bit 38 - TDLS Prohibited */ 2655 return !!(elems.ext_capab[2 + 4] & 0x40); 2656} 2657 2658 2659void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2660{ 2661 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len); 2662 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS", 2663 sm->tdls_prohibited ? "prohibited" : "allowed"); 2664} 2665 2666 2667void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len) 2668{ 2669 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) { 2670 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on " 2671 "(Re)Association Response IEs"); 2672 sm->tdls_prohibited = 1; 2673 } 2674} 2675 2676 2677void wpa_tdls_enable(struct wpa_sm *sm, int enabled) 2678{ 2679 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled"); 2680 sm->tdls_disabled = !enabled; 2681} 2682 2683 2684int wpa_tdls_is_external_setup(struct wpa_sm *sm) 2685{ 2686 return sm->tdls_external_setup; 2687} 2688