1 /*
2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
24
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 unsigned int tdls_testing = 0;
39 #endif /* CONFIG_TDLS_TESTING */
40
41 #define TPK_LIFETIME 43200 /* 12 hours */
42 #define TPK_M1_RETRY_COUNT 3
43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
44 #define TPK_M2_RETRY_COUNT 10
45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
46
47 #define TDLS_MIC_LEN 16
48
49 #define TDLS_TIMEOUT_LEN 4
50
51 struct wpa_tdls_ftie {
52 u8 ie_type; /* FTIE */
53 u8 ie_len;
54 u8 mic_ctrl[2];
55 u8 mic[TDLS_MIC_LEN];
56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
58 /* followed by optional elements */
59 } STRUCT_PACKED;
60
61 struct wpa_tdls_timeoutie {
62 u8 ie_type; /* Timeout IE */
63 u8 ie_len;
64 u8 interval_type;
65 u8 value[TDLS_TIMEOUT_LEN];
66 } STRUCT_PACKED;
67
68 struct wpa_tdls_lnkid {
69 u8 ie_type; /* Link Identifier IE */
70 u8 ie_len;
71 u8 bssid[ETH_ALEN];
72 u8 init_sta[ETH_ALEN];
73 u8 resp_sta[ETH_ALEN];
74 } STRUCT_PACKED;
75
76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
77 struct wpa_tdls_frame {
78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
79 u8 category; /* Category */
80 u8 action; /* Action (enum tdls_frame_type) */
81 } STRUCT_PACKED;
82
83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
87 struct wpa_tdls_peer *peer);
88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
89 u16 reason_code);
90
91
92 #define TDLS_MAX_IE_LEN 80
93 #define IEEE80211_MAX_SUPP_RATES 32
94
95 struct wpa_tdls_peer {
96 struct wpa_tdls_peer *next;
97 unsigned int reconfig_key:1;
98 int initiator; /* whether this end was initiator for TDLS setup */
99 u8 addr[ETH_ALEN]; /* other end MAC address */
100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
103 size_t rsnie_i_len;
104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
105 size_t rsnie_p_len;
106 u32 lifetime;
107 int cipher; /* Selected cipher (WPA_CIPHER_*) */
108 u8 dtoken;
109
110 struct tpk {
111 u8 kck[16]; /* TPK-KCK */
112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
113 } tpk;
114 int tpk_set;
115 int tpk_success;
116 int tpk_in_progress;
117
118 struct tpk_timer {
119 u8 dest[ETH_ALEN];
120 int count; /* Retry Count */
121 int timer; /* Timeout in milliseconds */
122 u8 action_code; /* TDLS frame type */
123 u8 dialog_token;
124 u16 status_code;
125 u32 peer_capab;
126 int buf_len; /* length of TPK message for retransmission */
127 u8 *buf; /* buffer for TPK message */
128 } sm_tmr;
129
130 u16 capability;
131
132 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
133 size_t supp_rates_len;
134
135 struct ieee80211_ht_capabilities *ht_capabilities;
136 struct ieee80211_vht_capabilities *vht_capabilities;
137
138 u8 qos_info;
139
140 u16 aid;
141
142 u8 *ext_capab;
143 size_t ext_capab_len;
144
145 u8 *supp_channels;
146 size_t supp_channels_len;
147
148 u8 *supp_oper_classes;
149 size_t supp_oper_classes_len;
150
151 u8 wmm_capable;
152
153 /* channel switch currently enabled */
154 int chan_switch_enabled;
155 };
156
157
wpa_tdls_get_privacy(struct wpa_sm * sm)158 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
159 {
160 /*
161 * Get info needed from supplicant to check if the current BSS supports
162 * security. Other than OPEN mode, rest are considered secured
163 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
164 */
165 return sm->pairwise_cipher != WPA_CIPHER_NONE;
166 }
167
168
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)169 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
170 {
171 os_memcpy(pos, ie, ie_len);
172 return pos + ie_len;
173 }
174
175
wpa_tdls_del_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)176 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
177 {
178 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
179 0, 0, NULL, 0, NULL, 0) < 0) {
180 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
181 "the driver");
182 return -1;
183 }
184
185 return 0;
186 }
187
188
wpa_tdls_set_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)189 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
190 {
191 u8 key_len;
192 u8 rsc[6];
193 enum wpa_alg alg;
194
195 os_memset(rsc, 0, 6);
196
197 switch (peer->cipher) {
198 case WPA_CIPHER_CCMP:
199 alg = WPA_ALG_CCMP;
200 key_len = 16;
201 break;
202 case WPA_CIPHER_NONE:
203 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
204 "NONE - do not use pairwise keys");
205 return -1;
206 default:
207 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
208 sm->pairwise_cipher);
209 return -1;
210 }
211
212 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
213 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
214 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
215 "driver");
216 return -1;
217 }
218 return 0;
219 }
220
221
wpa_tdls_send_tpk_msg(struct wpa_sm * sm,const u8 * dst,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * buf,size_t len)222 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
223 u8 action_code, u8 dialog_token,
224 u16 status_code, u32 peer_capab,
225 int initiator, const u8 *buf, size_t len)
226 {
227 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
228 status_code, peer_capab, initiator, buf,
229 len);
230 }
231
232
wpa_tdls_tpk_send(struct wpa_sm * sm,const u8 * dest,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * msg,size_t msg_len)233 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
234 u8 dialog_token, u16 status_code, u32 peer_capab,
235 int initiator, const u8 *msg, size_t msg_len)
236 {
237 struct wpa_tdls_peer *peer;
238
239 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
240 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
241 "msg_len=%u",
242 MAC2STR(dest), action_code, dialog_token, status_code,
243 peer_capab, initiator, (unsigned int) msg_len);
244
245 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
246 status_code, peer_capab, initiator, msg,
247 msg_len)) {
248 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
249 "(action_code=%u)", action_code);
250 return -1;
251 }
252
253 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
254 action_code == WLAN_TDLS_TEARDOWN ||
255 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
256 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
257 return 0; /* No retries */
258
259 for (peer = sm->tdls; peer; peer = peer->next) {
260 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
261 break;
262 }
263
264 if (peer == NULL) {
265 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
266 "retry " MACSTR, MAC2STR(dest));
267 return 0;
268 }
269
270 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
271
272 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
273 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
274 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
275 } else {
276 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
277 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
278 }
279
280 /* Copy message to resend on timeout */
281 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
282 peer->sm_tmr.action_code = action_code;
283 peer->sm_tmr.dialog_token = dialog_token;
284 peer->sm_tmr.status_code = status_code;
285 peer->sm_tmr.peer_capab = peer_capab;
286 peer->sm_tmr.buf_len = msg_len;
287 os_free(peer->sm_tmr.buf);
288 peer->sm_tmr.buf = os_malloc(msg_len);
289 if (peer->sm_tmr.buf == NULL)
290 return -1;
291 os_memcpy(peer->sm_tmr.buf, msg, msg_len);
292
293 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
294 "(action_code=%u)", action_code);
295 eloop_register_timeout(peer->sm_tmr.timer / 1000,
296 (peer->sm_tmr.timer % 1000) * 1000,
297 wpa_tdls_tpk_retry_timeout, sm, peer);
298 return 0;
299 }
300
301
wpa_tdls_do_teardown(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u16 reason_code)302 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
303 u16 reason_code)
304 {
305 int ret;
306
307 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
308 /* disable the link after teardown was sent */
309 wpa_tdls_disable_peer_link(sm, peer);
310
311 return ret;
312 }
313
314
wpa_tdls_tpk_retry_timeout(void * eloop_ctx,void * timeout_ctx)315 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
316 {
317
318 struct wpa_sm *sm = eloop_ctx;
319 struct wpa_tdls_peer *peer = timeout_ctx;
320
321 if (peer->sm_tmr.count) {
322 peer->sm_tmr.count--;
323
324 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
325 "(action_code=%u)",
326 peer->sm_tmr.action_code);
327
328 if (peer->sm_tmr.buf == NULL) {
329 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
330 "for action_code=%u",
331 peer->sm_tmr.action_code);
332 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
333 peer);
334 return;
335 }
336
337 /* resend TPK Handshake Message to Peer */
338 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
339 peer->sm_tmr.action_code,
340 peer->sm_tmr.dialog_token,
341 peer->sm_tmr.status_code,
342 peer->sm_tmr.peer_capab,
343 peer->initiator,
344 peer->sm_tmr.buf,
345 peer->sm_tmr.buf_len)) {
346 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
347 "transmission");
348 }
349
350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
351 eloop_register_timeout(peer->sm_tmr.timer / 1000,
352 (peer->sm_tmr.timer % 1000) * 1000,
353 wpa_tdls_tpk_retry_timeout, sm, peer);
354 } else {
355 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
356
357 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
358 wpa_tdls_do_teardown(sm, peer,
359 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
360 }
361 }
362
363
wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 action_code)364 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
365 struct wpa_tdls_peer *peer,
366 u8 action_code)
367 {
368 if (action_code == peer->sm_tmr.action_code) {
369 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
370 "action_code=%u", action_code);
371
372 /* Cancel Timeout registered */
373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
374
375 /* free all resources meant for retry */
376 os_free(peer->sm_tmr.buf);
377 peer->sm_tmr.buf = NULL;
378
379 peer->sm_tmr.count = 0;
380 peer->sm_tmr.timer = 0;
381 peer->sm_tmr.buf_len = 0;
382 peer->sm_tmr.action_code = 0xff;
383 } else {
384 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
385 "(Unknown action_code=%u)", action_code);
386 }
387 }
388
389
wpa_tdls_generate_tpk(struct wpa_tdls_peer * peer,const u8 * own_addr,const u8 * bssid)390 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
391 const u8 *own_addr, const u8 *bssid)
392 {
393 u8 key_input[SHA256_MAC_LEN];
394 const u8 *nonce[2];
395 size_t len[2];
396 u8 data[3 * ETH_ALEN];
397
398 /* IEEE Std 802.11z-2010 8.5.9.1:
399 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
400 */
401 len[0] = WPA_NONCE_LEN;
402 len[1] = WPA_NONCE_LEN;
403 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
404 nonce[0] = peer->inonce;
405 nonce[1] = peer->rnonce;
406 } else {
407 nonce[0] = peer->rnonce;
408 nonce[1] = peer->inonce;
409 }
410 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
411 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
412 sha256_vector(2, nonce, len, key_input);
413 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
414 key_input, SHA256_MAC_LEN);
415
416 /*
417 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
418 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
419 * TODO: is N_KEY really included in KDF Context and if so, in which
420 * presentation format (little endian 16-bit?) is it used? It gets
421 * added by the KDF anyway..
422 */
423
424 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
425 os_memcpy(data, own_addr, ETH_ALEN);
426 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
427 } else {
428 os_memcpy(data, peer->addr, ETH_ALEN);
429 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
430 }
431 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
432 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
433
434 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
435 (u8 *) &peer->tpk, sizeof(peer->tpk));
436 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
437 peer->tpk.kck, sizeof(peer->tpk.kck));
438 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
439 peer->tpk.tk, sizeof(peer->tpk.tk));
440 peer->tpk_set = 1;
441 }
442
443
444 /**
445 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
446 * @kck: TPK-KCK
447 * @lnkid: Pointer to the beginning of Link Identifier IE
448 * @rsnie: Pointer to the beginning of RSN IE used for handshake
449 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
450 * @ftie: Pointer to the beginning of FT IE
451 * @mic: Pointer for writing MIC
452 *
453 * Calculate MIC for TDLS frame.
454 */
wpa_tdls_ftie_mic(const u8 * kck,u8 trans_seq,const u8 * lnkid,const u8 * rsnie,const u8 * timeoutie,const u8 * ftie,u8 * mic)455 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
456 const u8 *rsnie, const u8 *timeoutie,
457 const u8 *ftie, u8 *mic)
458 {
459 u8 *buf, *pos;
460 struct wpa_tdls_ftie *_ftie;
461 const struct wpa_tdls_lnkid *_lnkid;
462 int ret;
463 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
464 2 + timeoutie[1] + 2 + ftie[1];
465 buf = os_zalloc(len);
466 if (!buf) {
467 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
468 return -1;
469 }
470
471 pos = buf;
472 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
473 /* 1) TDLS initiator STA MAC address */
474 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
475 pos += ETH_ALEN;
476 /* 2) TDLS responder STA MAC address */
477 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
478 pos += ETH_ALEN;
479 /* 3) Transaction Sequence number */
480 *pos++ = trans_seq;
481 /* 4) Link Identifier IE */
482 os_memcpy(pos, lnkid, 2 + lnkid[1]);
483 pos += 2 + lnkid[1];
484 /* 5) RSN IE */
485 os_memcpy(pos, rsnie, 2 + rsnie[1]);
486 pos += 2 + rsnie[1];
487 /* 6) Timeout Interval IE */
488 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
489 pos += 2 + timeoutie[1];
490 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
491 os_memcpy(pos, ftie, 2 + ftie[1]);
492 _ftie = (struct wpa_tdls_ftie *) pos;
493 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
494 pos += 2 + ftie[1];
495
496 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
497 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
498 ret = omac1_aes_128(kck, buf, pos - buf, mic);
499 os_free(buf);
500 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
501 return ret;
502 }
503
504
505 /**
506 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
507 * @kck: TPK-KCK
508 * @trans_seq: Transaction Sequence Number (4 - Teardown)
509 * @rcode: Reason code for Teardown
510 * @dtoken: Dialog Token used for that particular link
511 * @lnkid: Pointer to the beginning of Link Identifier IE
512 * @ftie: Pointer to the beginning of FT IE
513 * @mic: Pointer for writing MIC
514 *
515 * Calculate MIC for TDLS frame.
516 */
wpa_tdls_key_mic_teardown(const u8 * kck,u8 trans_seq,u16 rcode,u8 dtoken,const u8 * lnkid,const u8 * ftie,u8 * mic)517 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
518 u8 dtoken, const u8 *lnkid,
519 const u8 *ftie, u8 *mic)
520 {
521 u8 *buf, *pos;
522 struct wpa_tdls_ftie *_ftie;
523 int ret;
524 int len;
525
526 if (lnkid == NULL)
527 return -1;
528
529 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
530 sizeof(trans_seq) + 2 + ftie[1];
531
532 buf = os_zalloc(len);
533 if (!buf) {
534 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
535 return -1;
536 }
537
538 pos = buf;
539 /* 1) Link Identifier IE */
540 os_memcpy(pos, lnkid, 2 + lnkid[1]);
541 pos += 2 + lnkid[1];
542 /* 2) Reason Code */
543 WPA_PUT_LE16(pos, rcode);
544 pos += sizeof(rcode);
545 /* 3) Dialog token */
546 *pos++ = dtoken;
547 /* 4) Transaction Sequence number */
548 *pos++ = trans_seq;
549 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
550 os_memcpy(pos, ftie, 2 + ftie[1]);
551 _ftie = (struct wpa_tdls_ftie *) pos;
552 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
553 pos += 2 + ftie[1];
554
555 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
556 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
557 ret = omac1_aes_128(kck, buf, pos - buf, mic);
558 os_free(buf);
559 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
560 return ret;
561 }
562
563
wpa_supplicant_verify_tdls_mic(u8 trans_seq,struct wpa_tdls_peer * peer,const u8 * lnkid,const u8 * timeoutie,const struct wpa_tdls_ftie * ftie)564 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
565 struct wpa_tdls_peer *peer,
566 const u8 *lnkid, const u8 *timeoutie,
567 const struct wpa_tdls_ftie *ftie)
568 {
569 u8 mic[16];
570
571 if (peer->tpk_set) {
572 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
573 peer->rsnie_p, timeoutie, (u8 *) ftie,
574 mic);
575 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
576 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
577 "dropping packet");
578 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
579 ftie->mic, 16);
580 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
581 mic, 16);
582 return -1;
583 }
584 } else {
585 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
586 "TPK not set - dropping packet");
587 return -1;
588 }
589 return 0;
590 }
591
592
wpa_supplicant_verify_tdls_mic_teardown(u8 trans_seq,u16 rcode,u8 dtoken,struct wpa_tdls_peer * peer,const u8 * lnkid,const struct wpa_tdls_ftie * ftie)593 static int wpa_supplicant_verify_tdls_mic_teardown(
594 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
595 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
596 {
597 u8 mic[16];
598
599 if (peer->tpk_set) {
600 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
601 dtoken, lnkid, (u8 *) ftie, mic);
602 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
603 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
604 "dropping packet");
605 return -1;
606 }
607 } else {
608 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
609 "MIC, TPK not set - dropping packet");
610 return -1;
611 }
612 return 0;
613 }
614
615
wpa_tdls_tpk_timeout(void * eloop_ctx,void * timeout_ctx)616 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
617 {
618 struct wpa_sm *sm = eloop_ctx;
619 struct wpa_tdls_peer *peer = timeout_ctx;
620
621 /*
622 * On TPK lifetime expiration, we have an option of either tearing down
623 * the direct link or trying to re-initiate it. The selection of what
624 * to do is not strictly speaking controlled by our role in the expired
625 * link, but for now, use that to select whether to renew or tear down
626 * the link.
627 */
628
629 if (peer->initiator) {
630 u8 addr[ETH_ALEN];
631
632 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
633 " - try to renew", MAC2STR(peer->addr));
634 /* cache the peer address before do_teardown */
635 os_memcpy(addr, peer->addr, ETH_ALEN);
636 wpa_tdls_do_teardown(sm, peer,
637 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
638 wpa_tdls_start(sm, addr);
639 } else {
640 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
641 " - tear down", MAC2STR(peer->addr));
642 wpa_tdls_do_teardown(sm, peer,
643 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
644 }
645 }
646
647
wpa_tdls_peer_remove_from_list(struct wpa_sm * sm,struct wpa_tdls_peer * peer)648 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
649 struct wpa_tdls_peer *peer)
650 {
651 struct wpa_tdls_peer *cur, *prev;
652
653 cur = sm->tdls;
654 prev = NULL;
655 while (cur && cur != peer) {
656 prev = cur;
657 cur = cur->next;
658 }
659
660 if (cur != peer) {
661 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
662 " to remove it from the list",
663 MAC2STR(peer->addr));
664 return;
665 }
666
667 if (prev)
668 prev->next = peer->next;
669 else
670 sm->tdls = peer->next;
671 }
672
673
wpa_tdls_peer_clear(struct wpa_sm * sm,struct wpa_tdls_peer * peer)674 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
675 {
676 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
677 MAC2STR(peer->addr));
678 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
679 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
680 peer->reconfig_key = 0;
681 peer->initiator = 0;
682 peer->tpk_in_progress = 0;
683 os_free(peer->sm_tmr.buf);
684 peer->sm_tmr.buf = NULL;
685 os_free(peer->ht_capabilities);
686 peer->ht_capabilities = NULL;
687 os_free(peer->vht_capabilities);
688 peer->vht_capabilities = NULL;
689 os_free(peer->ext_capab);
690 peer->ext_capab = NULL;
691 os_free(peer->supp_channels);
692 peer->supp_channels = NULL;
693 os_free(peer->supp_oper_classes);
694 peer->supp_oper_classes = NULL;
695 peer->rsnie_i_len = peer->rsnie_p_len = 0;
696 peer->cipher = 0;
697 peer->qos_info = 0;
698 peer->wmm_capable = 0;
699 peer->tpk_set = peer->tpk_success = 0;
700 peer->chan_switch_enabled = 0;
701 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
702 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
703 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
704 }
705
706
wpa_tdls_peer_free(struct wpa_sm * sm,struct wpa_tdls_peer * peer)707 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
708 {
709 wpa_tdls_peer_clear(sm, peer);
710 wpa_tdls_peer_remove_from_list(sm, peer);
711 os_free(peer);
712 }
713
714
wpa_tdls_linkid(struct wpa_sm * sm,struct wpa_tdls_peer * peer,struct wpa_tdls_lnkid * lnkid)715 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
716 struct wpa_tdls_lnkid *lnkid)
717 {
718 lnkid->ie_type = WLAN_EID_LINK_ID;
719 lnkid->ie_len = 3 * ETH_ALEN;
720 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
721 if (peer->initiator) {
722 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
723 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
724 } else {
725 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
726 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
727 }
728 }
729
730
wpa_tdls_send_teardown(struct wpa_sm * sm,const u8 * addr,u16 reason_code)731 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
732 u16 reason_code)
733 {
734 struct wpa_tdls_peer *peer;
735 struct wpa_tdls_ftie *ftie;
736 struct wpa_tdls_lnkid lnkid;
737 u8 dialog_token;
738 u8 *rbuf, *pos;
739 int ielen;
740
741 if (sm->tdls_disabled || !sm->tdls_supported)
742 return -1;
743
744 /* Find the node and free from the list */
745 for (peer = sm->tdls; peer; peer = peer->next) {
746 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
747 break;
748 }
749
750 if (peer == NULL) {
751 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
752 "Teardown " MACSTR, MAC2STR(addr));
753 return 0;
754 }
755
756 /* Cancel active channel switch before teardown */
757 if (peer->chan_switch_enabled) {
758 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
759 " to base channel", MAC2STR(addr));
760 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
761 }
762
763 dialog_token = peer->dtoken;
764
765 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
766 MAC2STR(addr));
767
768 ielen = 0;
769 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
770 /* To add FTIE for Teardown request and compute MIC */
771 ielen += sizeof(*ftie);
772 #ifdef CONFIG_TDLS_TESTING
773 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
774 ielen += 170;
775 #endif /* CONFIG_TDLS_TESTING */
776 }
777
778 rbuf = os_zalloc(ielen + 1);
779 if (rbuf == NULL)
780 return -1;
781 pos = rbuf;
782
783 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
784 goto skip_ies;
785
786 ftie = (struct wpa_tdls_ftie *) pos;
787 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
788 /* Using the recent nonce which should be for CONFIRM frame */
789 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
790 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
791 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
792 pos = (u8 *) (ftie + 1);
793 #ifdef CONFIG_TDLS_TESTING
794 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
795 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
796 "FTIE");
797 ftie->ie_len += 170;
798 *pos++ = 255; /* FTIE subelem */
799 *pos++ = 168; /* FTIE subelem length */
800 pos += 168;
801 }
802 #endif /* CONFIG_TDLS_TESTING */
803 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
804 (u8 *) ftie, pos - (u8 *) ftie);
805
806 /* compute MIC before sending */
807 wpa_tdls_linkid(sm, peer, &lnkid);
808 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
809 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
810 ftie->mic);
811
812 skip_ies:
813 /* TODO: register for a Timeout handler, if Teardown is not received at
814 * the other end, then try again another time */
815
816 /* request driver to send Teardown using this FTIE */
817 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
818 reason_code, 0, peer->initiator, rbuf, pos - rbuf);
819 os_free(rbuf);
820
821 return 0;
822 }
823
824
wpa_tdls_teardown_link(struct wpa_sm * sm,const u8 * addr,u16 reason_code)825 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
826 {
827 struct wpa_tdls_peer *peer;
828
829 if (sm->tdls_disabled || !sm->tdls_supported)
830 return -1;
831
832 for (peer = sm->tdls; peer; peer = peer->next) {
833 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
834 break;
835 }
836
837 if (peer == NULL) {
838 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
839 " for link Teardown", MAC2STR(addr));
840 return -1;
841 }
842
843 if (!peer->tpk_success) {
844 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
845 " not connected - cannot Teardown link", MAC2STR(addr));
846 return -1;
847 }
848
849 return wpa_tdls_do_teardown(sm, peer, reason_code);
850 }
851
852
wpa_tdls_disable_peer_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)853 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
854 struct wpa_tdls_peer *peer)
855 {
856 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
857 wpa_tdls_peer_free(sm, peer);
858 }
859
860
wpa_tdls_disable_unreachable_link(struct wpa_sm * sm,const u8 * addr)861 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
862 {
863 struct wpa_tdls_peer *peer;
864
865 for (peer = sm->tdls; peer; peer = peer->next) {
866 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
867 break;
868 }
869
870 if (!peer || !peer->tpk_success) {
871 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
872 " not connected - cannot teardown unreachable link",
873 MAC2STR(addr));
874 return;
875 }
876
877 if (wpa_tdls_is_external_setup(sm)) {
878 /*
879 * Get us on the base channel, disable the link, send a
880 * teardown packet through the AP, and then reset link data.
881 */
882 if (peer->chan_switch_enabled)
883 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
884 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
885 wpa_tdls_send_teardown(sm, addr,
886 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
887 wpa_tdls_peer_free(sm, peer);
888 } else {
889 wpa_tdls_disable_peer_link(sm, peer);
890 }
891 }
892
893
wpa_tdls_get_link_status(struct wpa_sm * sm,const u8 * addr)894 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
895 {
896 struct wpa_tdls_peer *peer;
897
898 if (sm->tdls_disabled || !sm->tdls_supported)
899 return "disabled";
900
901 for (peer = sm->tdls; peer; peer = peer->next) {
902 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
903 break;
904 }
905
906 if (peer == NULL)
907 return "peer does not exist";
908
909 if (!peer->tpk_success)
910 return "peer not connected";
911
912 return "connected";
913 }
914
915
wpa_tdls_recv_teardown(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)916 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
917 const u8 *buf, size_t len)
918 {
919 struct wpa_tdls_peer *peer = NULL;
920 struct wpa_tdls_ftie *ftie;
921 struct wpa_tdls_lnkid *lnkid;
922 struct wpa_eapol_ie_parse kde;
923 u16 reason_code;
924 const u8 *pos;
925 int ielen;
926
927 /* Find the node and free from the list */
928 for (peer = sm->tdls; peer; peer = peer->next) {
929 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
930 break;
931 }
932
933 if (peer == NULL) {
934 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
935 "Teardown " MACSTR, MAC2STR(src_addr));
936 return 0;
937 }
938
939 pos = buf;
940 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
941
942 reason_code = WPA_GET_LE16(pos);
943 pos += 2;
944
945 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
946 " (reason code %u)", MAC2STR(src_addr), reason_code);
947
948 ielen = len - (pos - buf); /* start of IE in buf */
949
950 /*
951 * Don't reject the message if failing to parse IEs. The IEs we need are
952 * explicitly checked below. Some APs may add arbitrary padding to the
953 * end of short TDLS frames and that would look like invalid IEs.
954 */
955 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
956 wpa_printf(MSG_DEBUG,
957 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
958
959 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
960 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
961 "Teardown");
962 return -1;
963 }
964 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
965
966 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
967 goto skip_ftie;
968
969 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
970 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
971 return -1;
972 }
973
974 ftie = (struct wpa_tdls_ftie *) kde.ftie;
975
976 /* Process MIC check to see if TDLS Teardown is right */
977 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
978 peer->dtoken, peer,
979 (u8 *) lnkid, ftie) < 0) {
980 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
981 "Teardown Request from " MACSTR, MAC2STR(src_addr));
982 return -1;
983 }
984
985 skip_ftie:
986 /*
987 * Request the driver to disable the direct link and clear associated
988 * keys.
989 */
990 wpa_tdls_disable_peer_link(sm, peer);
991 return 0;
992 }
993
994
995 /**
996 * wpa_tdls_send_error - To send suitable TDLS status response with
997 * appropriate status code mentioning reason for error/failure.
998 * @dst - MAC addr of Peer station
999 * @tdls_action - TDLS frame type for which error code is sent
1000 * @initiator - was this end the initiator of the connection
1001 * @status - status code mentioning reason
1002 */
1003
wpa_tdls_send_error(struct wpa_sm * sm,const u8 * dst,u8 tdls_action,u8 dialog_token,int initiator,u16 status)1004 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1005 u8 tdls_action, u8 dialog_token, int initiator,
1006 u16 status)
1007 {
1008 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1009 " (action=%u status=%u)",
1010 MAC2STR(dst), tdls_action, status);
1011 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1012 0, initiator, NULL, 0);
1013 }
1014
1015
1016 static struct wpa_tdls_peer *
wpa_tdls_add_peer(struct wpa_sm * sm,const u8 * addr,int * existing)1017 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1018 {
1019 struct wpa_tdls_peer *peer;
1020
1021 if (existing)
1022 *existing = 0;
1023 for (peer = sm->tdls; peer; peer = peer->next) {
1024 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1025 if (existing)
1026 *existing = 1;
1027 return peer; /* re-use existing entry */
1028 }
1029 }
1030
1031 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1032 MAC2STR(addr));
1033
1034 peer = os_zalloc(sizeof(*peer));
1035 if (peer == NULL)
1036 return NULL;
1037
1038 os_memcpy(peer->addr, addr, ETH_ALEN);
1039 peer->next = sm->tdls;
1040 sm->tdls = peer;
1041
1042 return peer;
1043 }
1044
1045
wpa_tdls_send_tpk_m1(struct wpa_sm * sm,struct wpa_tdls_peer * peer)1046 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1047 struct wpa_tdls_peer *peer)
1048 {
1049 size_t buf_len;
1050 struct wpa_tdls_timeoutie timeoutie;
1051 u16 rsn_capab;
1052 struct wpa_tdls_ftie *ftie;
1053 u8 *rbuf, *pos, *count_pos;
1054 u16 count;
1055 struct rsn_ie_hdr *hdr;
1056 int status;
1057
1058 if (!wpa_tdls_get_privacy(sm)) {
1059 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1060 peer->rsnie_i_len = 0;
1061 goto skip_rsnie;
1062 }
1063
1064 /*
1065 * TPK Handshake Message 1:
1066 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1067 * Timeout Interval IE))
1068 */
1069
1070 /* Filling RSN IE */
1071 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1072 hdr->elem_id = WLAN_EID_RSN;
1073 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1074
1075 pos = (u8 *) (hdr + 1);
1076 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1077 pos += RSN_SELECTOR_LEN;
1078 count_pos = pos;
1079 pos += 2;
1080
1081 count = 0;
1082
1083 /*
1084 * AES-CCMP is the default Encryption preferred for TDLS, so
1085 * RSN IE is filled only with CCMP CIPHER
1086 * Note: TKIP is not used to encrypt TDLS link.
1087 *
1088 * Regardless of the cipher used on the AP connection, select CCMP
1089 * here.
1090 */
1091 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1092 pos += RSN_SELECTOR_LEN;
1093 count++;
1094
1095 WPA_PUT_LE16(count_pos, count);
1096
1097 WPA_PUT_LE16(pos, 1);
1098 pos += 2;
1099 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1100 pos += RSN_SELECTOR_LEN;
1101
1102 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1103 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1104 #ifdef CONFIG_TDLS_TESTING
1105 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1106 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1107 "testing");
1108 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1109 }
1110 #endif /* CONFIG_TDLS_TESTING */
1111 WPA_PUT_LE16(pos, rsn_capab);
1112 pos += 2;
1113 #ifdef CONFIG_TDLS_TESTING
1114 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1115 /* Number of PMKIDs */
1116 *pos++ = 0x00;
1117 *pos++ = 0x00;
1118 }
1119 #endif /* CONFIG_TDLS_TESTING */
1120
1121 hdr->len = (pos - peer->rsnie_i) - 2;
1122 peer->rsnie_i_len = pos - peer->rsnie_i;
1123 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1124 peer->rsnie_i, peer->rsnie_i_len);
1125
1126 skip_rsnie:
1127 buf_len = 0;
1128 if (wpa_tdls_get_privacy(sm))
1129 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1130 sizeof(struct wpa_tdls_timeoutie);
1131 #ifdef CONFIG_TDLS_TESTING
1132 if (wpa_tdls_get_privacy(sm) &&
1133 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1134 buf_len += 170;
1135 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1136 buf_len += sizeof(struct wpa_tdls_lnkid);
1137 #endif /* CONFIG_TDLS_TESTING */
1138 rbuf = os_zalloc(buf_len + 1);
1139 if (rbuf == NULL) {
1140 wpa_tdls_peer_free(sm, peer);
1141 return -1;
1142 }
1143 pos = rbuf;
1144
1145 if (!wpa_tdls_get_privacy(sm))
1146 goto skip_ies;
1147
1148 /* Initiator RSN IE */
1149 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1150
1151 ftie = (struct wpa_tdls_ftie *) pos;
1152 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1153 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1154
1155 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1156 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1157 "TDLS: Failed to get random data for initiator Nonce");
1158 os_free(rbuf);
1159 wpa_tdls_peer_free(sm, peer);
1160 return -1;
1161 }
1162 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1163 peer->inonce, WPA_NONCE_LEN);
1164 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1165
1166 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1167 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1168
1169 pos = (u8 *) (ftie + 1);
1170
1171 #ifdef CONFIG_TDLS_TESTING
1172 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1173 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1174 "FTIE");
1175 ftie->ie_len += 170;
1176 *pos++ = 255; /* FTIE subelem */
1177 *pos++ = 168; /* FTIE subelem length */
1178 pos += 168;
1179 }
1180 #endif /* CONFIG_TDLS_TESTING */
1181
1182 /* Lifetime */
1183 peer->lifetime = TPK_LIFETIME;
1184 #ifdef CONFIG_TDLS_TESTING
1185 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1186 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1187 "lifetime");
1188 peer->lifetime = 301;
1189 }
1190 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1191 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1192 "lifetime");
1193 peer->lifetime = 0xffffffff;
1194 }
1195 #endif /* CONFIG_TDLS_TESTING */
1196 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1197 sizeof(timeoutie), peer->lifetime);
1198 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1199
1200 skip_ies:
1201
1202 #ifdef CONFIG_TDLS_TESTING
1203 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1204 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1205 "Link Identifier");
1206 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1207 wpa_tdls_linkid(sm, peer, l);
1208 l->bssid[5] ^= 0x01;
1209 pos += sizeof(*l);
1210 }
1211 #endif /* CONFIG_TDLS_TESTING */
1212
1213 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1214 "Handshake Message 1 (peer " MACSTR ")",
1215 MAC2STR(peer->addr));
1216
1217 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1218 1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1219 os_free(rbuf);
1220
1221 return status;
1222 }
1223
1224
wpa_tdls_send_tpk_m2(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1225 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1226 const unsigned char *src_addr, u8 dtoken,
1227 struct wpa_tdls_lnkid *lnkid,
1228 const struct wpa_tdls_peer *peer)
1229 {
1230 u8 *rbuf, *pos;
1231 size_t buf_len;
1232 u32 lifetime;
1233 struct wpa_tdls_timeoutie timeoutie;
1234 struct wpa_tdls_ftie *ftie;
1235 int status;
1236
1237 buf_len = 0;
1238 if (wpa_tdls_get_privacy(sm)) {
1239 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1240 * Lifetime */
1241 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1242 sizeof(struct wpa_tdls_timeoutie);
1243 #ifdef CONFIG_TDLS_TESTING
1244 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1245 buf_len += 170;
1246 #endif /* CONFIG_TDLS_TESTING */
1247 }
1248
1249 rbuf = os_zalloc(buf_len + 1);
1250 if (rbuf == NULL)
1251 return -1;
1252 pos = rbuf;
1253
1254 if (!wpa_tdls_get_privacy(sm))
1255 goto skip_ies;
1256
1257 /* Peer RSN IE */
1258 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1259
1260 ftie = (struct wpa_tdls_ftie *) pos;
1261 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1262 /* TODO: ftie->mic_control to set 2-RESPONSE */
1263 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1264 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1265 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1266 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1267 (u8 *) ftie, sizeof(*ftie));
1268
1269 pos = (u8 *) (ftie + 1);
1270
1271 #ifdef CONFIG_TDLS_TESTING
1272 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1273 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1274 "FTIE");
1275 ftie->ie_len += 170;
1276 *pos++ = 255; /* FTIE subelem */
1277 *pos++ = 168; /* FTIE subelem length */
1278 pos += 168;
1279 }
1280 #endif /* CONFIG_TDLS_TESTING */
1281
1282 /* Lifetime */
1283 lifetime = peer->lifetime;
1284 #ifdef CONFIG_TDLS_TESTING
1285 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1286 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1287 "lifetime in response");
1288 lifetime++;
1289 }
1290 #endif /* CONFIG_TDLS_TESTING */
1291 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1292 sizeof(timeoutie), lifetime);
1293 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1294 lifetime);
1295
1296 /* compute MIC before sending */
1297 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1298 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1299 #ifdef CONFIG_TDLS_TESTING
1300 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1301 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1302 ftie->mic[0] ^= 0x01;
1303 }
1304 #endif /* CONFIG_TDLS_TESTING */
1305
1306 skip_ies:
1307 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1308 dtoken, 0, 0, peer->initiator, rbuf,
1309 pos - rbuf);
1310 os_free(rbuf);
1311
1312 return status;
1313 }
1314
1315
wpa_tdls_send_tpk_m3(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1316 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1317 const unsigned char *src_addr, u8 dtoken,
1318 struct wpa_tdls_lnkid *lnkid,
1319 const struct wpa_tdls_peer *peer)
1320 {
1321 u8 *rbuf, *pos;
1322 size_t buf_len;
1323 struct wpa_tdls_ftie *ftie;
1324 struct wpa_tdls_timeoutie timeoutie;
1325 u32 lifetime;
1326 int status;
1327 u32 peer_capab = 0;
1328
1329 buf_len = 0;
1330 if (wpa_tdls_get_privacy(sm)) {
1331 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1332 * Lifetime */
1333 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1334 sizeof(struct wpa_tdls_timeoutie);
1335 #ifdef CONFIG_TDLS_TESTING
1336 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1337 buf_len += 170;
1338 #endif /* CONFIG_TDLS_TESTING */
1339 }
1340
1341 rbuf = os_zalloc(buf_len + 1);
1342 if (rbuf == NULL)
1343 return -1;
1344 pos = rbuf;
1345
1346 if (!wpa_tdls_get_privacy(sm))
1347 goto skip_ies;
1348
1349 /* Peer RSN IE */
1350 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1351
1352 ftie = (struct wpa_tdls_ftie *) pos;
1353 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1354 /*TODO: ftie->mic_control to set 3-CONFIRM */
1355 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1356 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1357 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1358
1359 pos = (u8 *) (ftie + 1);
1360
1361 #ifdef CONFIG_TDLS_TESTING
1362 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1363 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1364 "FTIE");
1365 ftie->ie_len += 170;
1366 *pos++ = 255; /* FTIE subelem */
1367 *pos++ = 168; /* FTIE subelem length */
1368 pos += 168;
1369 }
1370 #endif /* CONFIG_TDLS_TESTING */
1371
1372 /* Lifetime */
1373 lifetime = peer->lifetime;
1374 #ifdef CONFIG_TDLS_TESTING
1375 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1376 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1377 "lifetime in confirm");
1378 lifetime++;
1379 }
1380 #endif /* CONFIG_TDLS_TESTING */
1381 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1382 sizeof(timeoutie), lifetime);
1383 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1384 lifetime);
1385
1386 /* compute MIC before sending */
1387 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1388 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1389 #ifdef CONFIG_TDLS_TESTING
1390 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1391 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1392 ftie->mic[0] ^= 0x01;
1393 }
1394 #endif /* CONFIG_TDLS_TESTING */
1395
1396 skip_ies:
1397
1398 if (peer->vht_capabilities)
1399 peer_capab |= TDLS_PEER_VHT;
1400 if (peer->ht_capabilities)
1401 peer_capab |= TDLS_PEER_HT;
1402 if (peer->wmm_capable)
1403 peer_capab |= TDLS_PEER_WMM;
1404
1405 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1406 dtoken, 0, peer_capab, peer->initiator,
1407 rbuf, pos - rbuf);
1408 os_free(rbuf);
1409
1410 return status;
1411 }
1412
1413
wpa_tdls_send_discovery_response(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 dialog_token)1414 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1415 struct wpa_tdls_peer *peer,
1416 u8 dialog_token)
1417 {
1418 size_t buf_len = 0;
1419 struct wpa_tdls_timeoutie timeoutie;
1420 u16 rsn_capab;
1421 u8 *rbuf, *pos, *count_pos;
1422 u16 count;
1423 struct rsn_ie_hdr *hdr;
1424 int status;
1425
1426 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1427 "(peer " MACSTR ")", MAC2STR(peer->addr));
1428 if (!wpa_tdls_get_privacy(sm))
1429 goto skip_rsn_ies;
1430
1431 /* Filling RSN IE */
1432 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1433 hdr->elem_id = WLAN_EID_RSN;
1434 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1435 pos = (u8 *) (hdr + 1);
1436 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1437 pos += RSN_SELECTOR_LEN;
1438 count_pos = pos;
1439 pos += 2;
1440 count = 0;
1441
1442 /*
1443 * AES-CCMP is the default encryption preferred for TDLS, so
1444 * RSN IE is filled only with CCMP cipher suite.
1445 * Note: TKIP is not used to encrypt TDLS link.
1446 *
1447 * Regardless of the cipher used on the AP connection, select CCMP
1448 * here.
1449 */
1450 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1451 pos += RSN_SELECTOR_LEN;
1452 count++;
1453 WPA_PUT_LE16(count_pos, count);
1454 WPA_PUT_LE16(pos, 1);
1455 pos += 2;
1456 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1457 pos += RSN_SELECTOR_LEN;
1458
1459 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1460 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1461 WPA_PUT_LE16(pos, rsn_capab);
1462 pos += 2;
1463 hdr->len = (pos - (u8 *) hdr) - 2;
1464 peer->rsnie_i_len = pos - peer->rsnie_i;
1465
1466 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1467 (u8 *) hdr, hdr->len + 2);
1468 skip_rsn_ies:
1469 buf_len = 0;
1470 if (wpa_tdls_get_privacy(sm)) {
1471 /* Peer RSN IE, Lifetime */
1472 buf_len += peer->rsnie_i_len +
1473 sizeof(struct wpa_tdls_timeoutie);
1474 }
1475 rbuf = os_zalloc(buf_len + 1);
1476 if (rbuf == NULL) {
1477 wpa_tdls_peer_free(sm, peer);
1478 return -1;
1479 }
1480 pos = rbuf;
1481
1482 if (!wpa_tdls_get_privacy(sm))
1483 goto skip_ies;
1484 /* Initiator RSN IE */
1485 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1486 /* Lifetime */
1487 peer->lifetime = TPK_LIFETIME;
1488 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1489 sizeof(timeoutie), peer->lifetime);
1490 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1491 skip_ies:
1492 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1493 dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1494 os_free(rbuf);
1495
1496 return status;
1497 }
1498
1499
1500 static int
wpa_tdls_process_discovery_request(struct wpa_sm * sm,const u8 * addr,const u8 * buf,size_t len)1501 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1502 const u8 *buf, size_t len)
1503 {
1504 struct wpa_eapol_ie_parse kde;
1505 const struct wpa_tdls_lnkid *lnkid;
1506 struct wpa_tdls_peer *peer;
1507 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1508 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1509 u8 dialog_token;
1510
1511 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1512 MAC2STR(addr));
1513
1514 if (len < min_req_len) {
1515 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1516 "%d", (int) len);
1517 return -1;
1518 }
1519
1520 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1521
1522 /*
1523 * Some APs will tack on a weird IE to the end of a TDLS
1524 * discovery request packet. This needn't fail the response,
1525 * since the required IE are verified separately.
1526 */
1527 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1528 len - (sizeof(struct wpa_tdls_frame) + 1),
1529 &kde) < 0) {
1530 wpa_printf(MSG_DEBUG,
1531 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1532 }
1533
1534 if (!kde.lnkid) {
1535 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1536 "Request");
1537 return -1;
1538 }
1539
1540 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1541
1542 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1543 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1544 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1545 return -1;
1546 }
1547
1548 peer = wpa_tdls_add_peer(sm, addr, NULL);
1549 if (peer == NULL)
1550 return -1;
1551
1552 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1553 }
1554
1555
wpa_tdls_send_discovery_request(struct wpa_sm * sm,const u8 * addr)1556 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1557 {
1558 if (sm->tdls_disabled || !sm->tdls_supported)
1559 return -1;
1560
1561 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1562 MACSTR, MAC2STR(addr));
1563 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1564 1, 0, 0, 1, NULL, 0);
1565 }
1566
1567
copy_supp_rates(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1568 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1569 struct wpa_tdls_peer *peer)
1570 {
1571 if (!kde->supp_rates) {
1572 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1573 return -1;
1574 }
1575 peer->supp_rates_len = merge_byte_arrays(
1576 peer->supp_rates, sizeof(peer->supp_rates),
1577 kde->supp_rates + 2, kde->supp_rates_len - 2,
1578 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1579 kde->ext_supp_rates_len - 2);
1580 return 0;
1581 }
1582
1583
copy_peer_ht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1584 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1585 struct wpa_tdls_peer *peer)
1586 {
1587 if (!kde->ht_capabilities) {
1588 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1589 "received");
1590 return 0;
1591 }
1592
1593 if (!peer->ht_capabilities) {
1594 peer->ht_capabilities =
1595 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1596 if (peer->ht_capabilities == NULL)
1597 return -1;
1598 }
1599
1600 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1601 sizeof(struct ieee80211_ht_capabilities));
1602 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1603 (u8 *) peer->ht_capabilities,
1604 sizeof(struct ieee80211_ht_capabilities));
1605
1606 return 0;
1607 }
1608
1609
copy_peer_vht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1610 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1611 struct wpa_tdls_peer *peer)
1612 {
1613 if (!kde->vht_capabilities) {
1614 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1615 "received");
1616 return 0;
1617 }
1618
1619 if (!peer->vht_capabilities) {
1620 peer->vht_capabilities =
1621 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1622 if (peer->vht_capabilities == NULL)
1623 return -1;
1624 }
1625
1626 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1627 sizeof(struct ieee80211_vht_capabilities));
1628 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1629 (u8 *) peer->vht_capabilities,
1630 sizeof(struct ieee80211_vht_capabilities));
1631
1632 return 0;
1633 }
1634
1635
copy_peer_ext_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1636 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1637 struct wpa_tdls_peer *peer)
1638 {
1639 if (!kde->ext_capab) {
1640 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1641 "received");
1642 return 0;
1643 }
1644
1645 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1646 /* Need to allocate buffer to fit the new information */
1647 os_free(peer->ext_capab);
1648 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1649 if (peer->ext_capab == NULL)
1650 return -1;
1651 }
1652
1653 peer->ext_capab_len = kde->ext_capab_len - 2;
1654 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1655
1656 return 0;
1657 }
1658
1659
copy_peer_wmm_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1660 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1661 struct wpa_tdls_peer *peer)
1662 {
1663 struct wmm_information_element *wmm;
1664
1665 if (!kde->wmm) {
1666 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1667 return 0;
1668 }
1669
1670 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1671 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1672 return -1;
1673 }
1674
1675 wmm = (struct wmm_information_element *) kde->wmm;
1676 peer->qos_info = wmm->qos_info;
1677
1678 peer->wmm_capable = 1;
1679
1680 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1681 return 0;
1682 }
1683
1684
copy_peer_supp_channels(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1685 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1686 struct wpa_tdls_peer *peer)
1687 {
1688 if (!kde->supp_channels) {
1689 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1690 return 0;
1691 }
1692
1693 if (!peer->supp_channels ||
1694 peer->supp_channels_len < kde->supp_channels_len) {
1695 os_free(peer->supp_channels);
1696 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1697 if (peer->supp_channels == NULL)
1698 return -1;
1699 }
1700
1701 peer->supp_channels_len = kde->supp_channels_len;
1702
1703 os_memcpy(peer->supp_channels, kde->supp_channels,
1704 peer->supp_channels_len);
1705 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1706 (u8 *) peer->supp_channels, peer->supp_channels_len);
1707 return 0;
1708 }
1709
1710
copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1711 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1712 struct wpa_tdls_peer *peer)
1713 {
1714 if (!kde->supp_oper_classes) {
1715 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1716 return 0;
1717 }
1718
1719 if (!peer->supp_oper_classes ||
1720 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1721 os_free(peer->supp_oper_classes);
1722 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1723 if (peer->supp_oper_classes == NULL)
1724 return -1;
1725 }
1726
1727 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1728 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1729 peer->supp_oper_classes_len);
1730 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1731 (u8 *) peer->supp_oper_classes,
1732 peer->supp_oper_classes_len);
1733 return 0;
1734 }
1735
1736
wpa_tdls_addset_peer(struct wpa_sm * sm,struct wpa_tdls_peer * peer,int add)1737 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1738 int add)
1739 {
1740 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1741 peer->capability,
1742 peer->supp_rates, peer->supp_rates_len,
1743 peer->ht_capabilities,
1744 peer->vht_capabilities,
1745 peer->qos_info, peer->wmm_capable,
1746 peer->ext_capab, peer->ext_capab_len,
1747 peer->supp_channels,
1748 peer->supp_channels_len,
1749 peer->supp_oper_classes,
1750 peer->supp_oper_classes_len);
1751 }
1752
1753
wpa_tdls_process_tpk_m1(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)1754 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1755 const u8 *buf, size_t len)
1756 {
1757 struct wpa_tdls_peer *peer;
1758 struct wpa_eapol_ie_parse kde;
1759 struct wpa_ie_data ie;
1760 int cipher;
1761 const u8 *cpos;
1762 struct wpa_tdls_ftie *ftie = NULL;
1763 struct wpa_tdls_timeoutie *timeoutie;
1764 struct wpa_tdls_lnkid *lnkid;
1765 u32 lifetime = 0;
1766 #if 0
1767 struct rsn_ie_hdr *hdr;
1768 u8 *pos;
1769 u16 rsn_capab;
1770 u16 rsn_ver;
1771 #endif
1772 u8 dtoken;
1773 u16 ielen;
1774 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1775 int tdls_prohibited = sm->tdls_prohibited;
1776 int existing_peer = 0;
1777
1778 if (len < 3 + 3)
1779 return -1;
1780
1781 cpos = buf;
1782 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1783
1784 /* driver had already verified the frame format */
1785 dtoken = *cpos++; /* dialog token */
1786
1787 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1788
1789 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1790 if (peer == NULL)
1791 goto error;
1792
1793 /* If found, use existing entry instead of adding a new one;
1794 * how to handle the case where both ends initiate at the
1795 * same time? */
1796 if (existing_peer) {
1797 if (peer->tpk_success) {
1798 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1799 "direct link is enabled - tear down the "
1800 "old link first");
1801 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1802 wpa_tdls_peer_clear(sm, peer);
1803 } else if (peer->initiator) {
1804 /*
1805 * An entry is already present, so check if we already
1806 * sent a TDLS Setup Request. If so, compare MAC
1807 * addresses and let the STA with the lower MAC address
1808 * continue as the initiator. The other negotiation is
1809 * terminated.
1810 */
1811 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1812 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1813 "from peer with higher address "
1814 MACSTR, MAC2STR(src_addr));
1815 return -1;
1816 } else {
1817 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1818 "from peer with lower address "
1819 MACSTR " (terminate previously "
1820 "initiated negotiation",
1821 MAC2STR(src_addr));
1822 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1823 peer->addr);
1824 wpa_tdls_peer_clear(sm, peer);
1825 }
1826 }
1827 }
1828
1829 /* capability information */
1830 peer->capability = WPA_GET_LE16(cpos);
1831 cpos += 2;
1832
1833 ielen = len - (cpos - buf); /* start of IE in buf */
1834
1835 /*
1836 * Don't reject the message if failing to parse IEs. The IEs we need are
1837 * explicitly checked below. Some APs may add arbitrary padding to the
1838 * end of short TDLS frames and that would look like invalid IEs.
1839 */
1840 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1841 wpa_printf(MSG_DEBUG,
1842 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1843
1844 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1845 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1846 "TPK M1");
1847 goto error;
1848 }
1849 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1850 kde.lnkid, kde.lnkid_len);
1851 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1852 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1853 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1854 status = WLAN_STATUS_REQUEST_DECLINED;
1855 goto error;
1856 }
1857
1858 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1859 MAC2STR(src_addr));
1860
1861 if (copy_supp_rates(&kde, peer) < 0)
1862 goto error;
1863
1864 if (copy_peer_ht_capab(&kde, peer) < 0)
1865 goto error;
1866
1867 if (copy_peer_vht_capab(&kde, peer) < 0)
1868 goto error;
1869
1870 if (copy_peer_ext_capab(&kde, peer) < 0)
1871 goto error;
1872
1873 if (copy_peer_supp_channels(&kde, peer) < 0)
1874 goto error;
1875
1876 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1877 goto error;
1878
1879 peer->qos_info = kde.qosinfo;
1880
1881 /* Overwrite with the qos_info obtained in WMM IE */
1882 if (copy_peer_wmm_capab(&kde, peer) < 0)
1883 goto error;
1884
1885 peer->aid = kde.aid;
1886
1887 #ifdef CONFIG_TDLS_TESTING
1888 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1889 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1890 if (peer == NULL)
1891 goto error;
1892 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1893 "TDLS setup - send own request");
1894 peer->initiator = 1;
1895 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1896 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
1897 wpa_tdls_send_tpk_m1(sm, peer);
1898 }
1899
1900 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1901 tdls_prohibited) {
1902 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1903 "on TDLS");
1904 tdls_prohibited = 0;
1905 }
1906 #endif /* CONFIG_TDLS_TESTING */
1907
1908 if (tdls_prohibited) {
1909 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1910 status = WLAN_STATUS_REQUEST_DECLINED;
1911 goto error;
1912 }
1913
1914 if (!wpa_tdls_get_privacy(sm)) {
1915 if (kde.rsn_ie) {
1916 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1917 "security is disabled");
1918 status = WLAN_STATUS_SECURITY_DISABLED;
1919 goto error;
1920 }
1921 goto skip_rsn;
1922 }
1923
1924 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1925 kde.rsn_ie == NULL) {
1926 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1927 status = WLAN_STATUS_INVALID_PARAMETERS;
1928 goto error;
1929 }
1930
1931 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
1932 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
1933 "TPK M1");
1934 status = WLAN_STATUS_INVALID_RSNIE;
1935 goto error;
1936 }
1937
1938 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1939 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
1940 status = WLAN_STATUS_INVALID_RSNIE;
1941 goto error;
1942 }
1943
1944 cipher = ie.pairwise_cipher;
1945 if (cipher & WPA_CIPHER_CCMP) {
1946 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1947 cipher = WPA_CIPHER_CCMP;
1948 } else {
1949 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
1950 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1951 goto error;
1952 }
1953
1954 if ((ie.capabilities &
1955 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
1956 WPA_CAPABILITY_PEERKEY_ENABLED) {
1957 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
1958 "TPK M1");
1959 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
1960 goto error;
1961 }
1962
1963 /* Lifetime */
1964 if (kde.key_lifetime == NULL) {
1965 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
1966 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1967 goto error;
1968 }
1969 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
1970 lifetime = WPA_GET_LE32(timeoutie->value);
1971 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
1972 if (lifetime < 300) {
1973 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
1974 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1975 goto error;
1976 }
1977
1978 skip_rsn:
1979 #ifdef CONFIG_TDLS_TESTING
1980 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1981 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
1982 /*
1983 * The request frame from us is going to win, so do not
1984 * replace information based on this request frame from
1985 * the peer.
1986 */
1987 goto skip_rsn_check;
1988 }
1989 }
1990 #endif /* CONFIG_TDLS_TESTING */
1991
1992 peer->initiator = 0; /* Need to check */
1993 peer->dtoken = dtoken;
1994
1995 if (!wpa_tdls_get_privacy(sm)) {
1996 peer->rsnie_i_len = 0;
1997 peer->rsnie_p_len = 0;
1998 peer->cipher = WPA_CIPHER_NONE;
1999 goto skip_rsn_check;
2000 }
2001
2002 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2003 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2004 peer->rsnie_i_len = kde.rsn_ie_len;
2005 peer->cipher = cipher;
2006
2007 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2008 /*
2009 * There is no point in updating the RNonce for every obtained
2010 * TPK M1 frame (e.g., retransmission due to timeout) with the
2011 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2012 * retransmitted with a different INonce, update the RNonce
2013 * since this is for a new TDLS session.
2014 */
2015 wpa_printf(MSG_DEBUG,
2016 "TDLS: New TPK M1 INonce - generate new RNonce");
2017 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2018 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2019 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2020 "TDLS: Failed to get random data for responder nonce");
2021 goto error;
2022 }
2023 }
2024
2025 #if 0
2026 /* get version info from RSNIE received from Peer */
2027 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2028 rsn_ver = WPA_GET_LE16(hdr->version);
2029
2030 /* use min(peer's version, out version) */
2031 if (rsn_ver > RSN_VERSION)
2032 rsn_ver = RSN_VERSION;
2033
2034 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2035
2036 hdr->elem_id = WLAN_EID_RSN;
2037 WPA_PUT_LE16(hdr->version, rsn_ver);
2038 pos = (u8 *) (hdr + 1);
2039
2040 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2041 pos += RSN_SELECTOR_LEN;
2042 /* Include only the selected cipher in pairwise cipher suite */
2043 WPA_PUT_LE16(pos, 1);
2044 pos += 2;
2045 if (cipher == WPA_CIPHER_CCMP)
2046 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2047 pos += RSN_SELECTOR_LEN;
2048
2049 WPA_PUT_LE16(pos, 1);
2050 pos += 2;
2051 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2052 pos += RSN_SELECTOR_LEN;
2053
2054 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2055 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2056 WPA_PUT_LE16(pos, rsn_capab);
2057 pos += 2;
2058
2059 hdr->len = (pos - peer->rsnie_p) - 2;
2060 peer->rsnie_p_len = pos - peer->rsnie_p;
2061 #endif
2062
2063 /* temp fix: validation of RSNIE later */
2064 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2065 peer->rsnie_p_len = peer->rsnie_i_len;
2066
2067 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2068 peer->rsnie_p, peer->rsnie_p_len);
2069
2070 peer->lifetime = lifetime;
2071
2072 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2073
2074 skip_rsn_check:
2075 #ifdef CONFIG_TDLS_TESTING
2076 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2077 goto skip_add_peer;
2078 #endif /* CONFIG_TDLS_TESTING */
2079
2080 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2081 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2082 goto error;
2083
2084 #ifdef CONFIG_TDLS_TESTING
2085 skip_add_peer:
2086 #endif /* CONFIG_TDLS_TESTING */
2087 peer->tpk_in_progress = 1;
2088
2089 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2090 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2091 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2092 goto error;
2093 }
2094
2095 return 0;
2096
2097 error:
2098 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2099 status);
2100 if (peer)
2101 wpa_tdls_peer_free(sm, peer);
2102 return -1;
2103 }
2104
2105
wpa_tdls_enable_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)2106 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2107 {
2108 peer->tpk_success = 1;
2109 peer->tpk_in_progress = 0;
2110 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2111 if (wpa_tdls_get_privacy(sm)) {
2112 u32 lifetime = peer->lifetime;
2113 /*
2114 * Start the initiator process a bit earlier to avoid race
2115 * condition with the responder sending teardown request.
2116 */
2117 if (lifetime > 3 && peer->initiator)
2118 lifetime -= 3;
2119 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2120 sm, peer);
2121 #ifdef CONFIG_TDLS_TESTING
2122 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2123 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
2124 "expiration");
2125 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2126 }
2127 #endif /* CONFIG_TDLS_TESTING */
2128 }
2129
2130 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2131 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2132 "driver");
2133 return -1;
2134 }
2135 peer->reconfig_key = 0;
2136
2137 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2138 }
2139
2140
wpa_tdls_process_tpk_m2(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2141 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2142 const u8 *buf, size_t len)
2143 {
2144 struct wpa_tdls_peer *peer;
2145 struct wpa_eapol_ie_parse kde;
2146 struct wpa_ie_data ie;
2147 int cipher;
2148 struct wpa_tdls_ftie *ftie;
2149 struct wpa_tdls_timeoutie *timeoutie;
2150 struct wpa_tdls_lnkid *lnkid;
2151 u32 lifetime;
2152 u8 dtoken;
2153 int ielen;
2154 u16 status;
2155 const u8 *pos;
2156 int ret = 0;
2157
2158 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2159 "(Peer " MACSTR ")", MAC2STR(src_addr));
2160 for (peer = sm->tdls; peer; peer = peer->next) {
2161 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2162 break;
2163 }
2164 if (peer == NULL) {
2165 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2166 "TPK M2: " MACSTR, MAC2STR(src_addr));
2167 return -1;
2168 }
2169 if (!peer->initiator) {
2170 /*
2171 * This may happen if both devices try to initiate TDLS at the
2172 * same time and we accept the TPK M1 from the peer in
2173 * wpa_tdls_process_tpk_m1() and clear our previous state.
2174 */
2175 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2176 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2177 return -1;
2178 }
2179
2180 if (peer->tpk_success) {
2181 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2182 MACSTR " as TPK M3 was already sent",
2183 MAC2STR(src_addr));
2184 return 0;
2185 }
2186
2187 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2188
2189 if (len < 3 + 2 + 1) {
2190 wpa_tdls_disable_peer_link(sm, peer);
2191 return -1;
2192 }
2193
2194 pos = buf;
2195 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2196 status = WPA_GET_LE16(pos);
2197 pos += 2 /* status code */;
2198
2199 if (status != WLAN_STATUS_SUCCESS) {
2200 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2201 status);
2202 wpa_tdls_disable_peer_link(sm, peer);
2203 return -1;
2204 }
2205
2206 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2207
2208 /* TODO: need to verify dialog token matches here or in kernel */
2209 dtoken = *pos++; /* dialog token */
2210
2211 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2212
2213 if (len < 3 + 2 + 1 + 2) {
2214 wpa_tdls_disable_peer_link(sm, peer);
2215 return -1;
2216 }
2217
2218 /* capability information */
2219 peer->capability = WPA_GET_LE16(pos);
2220 pos += 2;
2221
2222 ielen = len - (pos - buf); /* start of IE in buf */
2223
2224 /*
2225 * Don't reject the message if failing to parse IEs. The IEs we need are
2226 * explicitly checked below. Some APs may add arbitrary padding to the
2227 * end of short TDLS frames and that would look like invalid IEs.
2228 */
2229 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2230 wpa_printf(MSG_DEBUG,
2231 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2232
2233 #ifdef CONFIG_TDLS_TESTING
2234 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2235 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2236 status = WLAN_STATUS_REQUEST_DECLINED;
2237 goto error;
2238 }
2239 #endif /* CONFIG_TDLS_TESTING */
2240
2241 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2242 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2243 "TPK M2");
2244 goto error;
2245 }
2246 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2247 kde.lnkid, kde.lnkid_len);
2248 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2249
2250 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2251 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2252 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2253 goto error;
2254 }
2255
2256 if (copy_supp_rates(&kde, peer) < 0)
2257 goto error;
2258
2259 if (copy_peer_ht_capab(&kde, peer) < 0)
2260 goto error;
2261
2262 if (copy_peer_vht_capab(&kde, peer) < 0)
2263 goto error;
2264
2265 if (copy_peer_ext_capab(&kde, peer) < 0)
2266 goto error;
2267
2268 if (copy_peer_supp_channels(&kde, peer) < 0)
2269 goto error;
2270
2271 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2272 goto error;
2273
2274 peer->qos_info = kde.qosinfo;
2275
2276 /* Overwrite with the qos_info obtained in WMM IE */
2277 if (copy_peer_wmm_capab(&kde, peer) < 0)
2278 goto error;
2279
2280 peer->aid = kde.aid;
2281
2282 if (!wpa_tdls_get_privacy(sm)) {
2283 peer->rsnie_p_len = 0;
2284 peer->cipher = WPA_CIPHER_NONE;
2285 goto skip_rsn;
2286 }
2287
2288 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2289 kde.rsn_ie == NULL) {
2290 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2291 status = WLAN_STATUS_INVALID_PARAMETERS;
2292 goto error;
2293 }
2294 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2295 kde.rsn_ie, kde.rsn_ie_len);
2296
2297 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2298 wpa_printf(MSG_INFO,
2299 "TDLS: Too long Responder RSN IE in TPK M2");
2300 status = WLAN_STATUS_INVALID_RSNIE;
2301 goto error;
2302 }
2303
2304 /*
2305 * FIX: bitwise comparison of RSN IE is not the correct way of
2306 * validation this. It can be different, but certain fields must
2307 * match. Since we list only a single pairwise cipher in TPK M1, the
2308 * memcmp is likely to work in most cases, though.
2309 */
2310 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2311 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2312 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2313 "not match with RSN IE used in TPK M1");
2314 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2315 peer->rsnie_i, peer->rsnie_i_len);
2316 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2317 kde.rsn_ie, kde.rsn_ie_len);
2318 status = WLAN_STATUS_INVALID_RSNIE;
2319 goto error;
2320 }
2321
2322 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2323 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2324 status = WLAN_STATUS_INVALID_RSNIE;
2325 goto error;
2326 }
2327
2328 cipher = ie.pairwise_cipher;
2329 if (cipher == WPA_CIPHER_CCMP) {
2330 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2331 cipher = WPA_CIPHER_CCMP;
2332 } else {
2333 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2334 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2335 goto error;
2336 }
2337
2338 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2339 kde.ftie, sizeof(*ftie));
2340 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2341
2342 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2343 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2344 "not match with FTIE SNonce used in TPK M1");
2345 /* Silently discard the frame */
2346 return -1;
2347 }
2348
2349 /* Responder Nonce and RSN IE */
2350 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2351 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2352 peer->rsnie_p_len = kde.rsn_ie_len;
2353 peer->cipher = cipher;
2354
2355 /* Lifetime */
2356 if (kde.key_lifetime == NULL) {
2357 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2358 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2359 goto error;
2360 }
2361 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2362 lifetime = WPA_GET_LE32(timeoutie->value);
2363 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2364 lifetime);
2365 if (lifetime != peer->lifetime) {
2366 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2367 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2368 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2369 goto error;
2370 }
2371
2372 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2373
2374 /* Process MIC check to see if TPK M2 is right */
2375 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2376 (u8 *) timeoutie, ftie) < 0) {
2377 /* Discard the frame */
2378 wpa_tdls_del_key(sm, peer);
2379 wpa_tdls_disable_peer_link(sm, peer);
2380 return -1;
2381 }
2382
2383 if (wpa_tdls_set_key(sm, peer) < 0) {
2384 /*
2385 * Some drivers may not be able to config the key prior to full
2386 * STA entry having been configured.
2387 */
2388 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2389 "STA entry is complete");
2390 peer->reconfig_key = 1;
2391 }
2392
2393 skip_rsn:
2394 peer->dtoken = dtoken;
2395
2396 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2397 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2398 goto error;
2399
2400 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2401 "TPK Handshake Message 3");
2402 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2403 goto error_no_msg;
2404
2405 if (!peer->tpk_success) {
2406 /*
2407 * Enable Link only when tpk_success is 0, signifying that this
2408 * processing of TPK M2 frame is not because of a retransmission
2409 * during TDLS setup handshake.
2410 */
2411 ret = wpa_tdls_enable_link(sm, peer);
2412 if (ret < 0) {
2413 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2414 wpa_tdls_do_teardown(
2415 sm, peer,
2416 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2417 }
2418 }
2419 return ret;
2420
2421 error:
2422 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2423 status);
2424 error_no_msg:
2425 wpa_tdls_disable_peer_link(sm, peer);
2426 return -1;
2427 }
2428
2429
wpa_tdls_process_tpk_m3(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2430 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2431 const u8 *buf, size_t len)
2432 {
2433 struct wpa_tdls_peer *peer;
2434 struct wpa_eapol_ie_parse kde;
2435 struct wpa_tdls_ftie *ftie;
2436 struct wpa_tdls_timeoutie *timeoutie;
2437 struct wpa_tdls_lnkid *lnkid;
2438 int ielen;
2439 u16 status;
2440 const u8 *pos;
2441 u32 lifetime;
2442 int ret = 0;
2443
2444 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2445 "(Peer " MACSTR ")", MAC2STR(src_addr));
2446 for (peer = sm->tdls; peer; peer = peer->next) {
2447 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2448 break;
2449 }
2450 if (peer == NULL) {
2451 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2452 "TPK M3: " MACSTR, MAC2STR(src_addr));
2453 return -1;
2454 }
2455 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2456
2457 if (len < 3 + 3)
2458 goto error;
2459 pos = buf;
2460 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2461
2462 status = WPA_GET_LE16(pos);
2463
2464 if (status != 0) {
2465 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2466 status);
2467 goto error;
2468 }
2469 pos += 2 /* status code */ + 1 /* dialog token */;
2470
2471 ielen = len - (pos - buf); /* start of IE in buf */
2472
2473 /*
2474 * Don't reject the message if failing to parse IEs. The IEs we need are
2475 * explicitly checked below. Some APs piggy-back broken IEs to the end
2476 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2477 * this error.
2478 */
2479 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2480 wpa_printf(MSG_DEBUG,
2481 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2482 }
2483
2484 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2485 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2486 goto error;
2487 }
2488 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2489 (u8 *) kde.lnkid, kde.lnkid_len);
2490 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2491
2492 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2493 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2494 goto error;
2495 }
2496
2497 if (!wpa_tdls_get_privacy(sm))
2498 goto skip_rsn;
2499
2500 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2501 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2502 goto error;
2503 }
2504 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2505 kde.ftie, sizeof(*ftie));
2506 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2507
2508 if (kde.rsn_ie == NULL) {
2509 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2510 goto error;
2511 }
2512 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2513 kde.rsn_ie, kde.rsn_ie_len);
2514 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2515 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2516 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2517 "with the one sent in TPK M2");
2518 goto error;
2519 }
2520
2521 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2522 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2523 "not match with FTIE ANonce used in TPK M2");
2524 goto error;
2525 }
2526
2527 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2528 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2529 "match with FTIE SNonce used in TPK M1");
2530 goto error;
2531 }
2532
2533 if (kde.key_lifetime == NULL) {
2534 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2535 goto error;
2536 }
2537 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2538 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2539 (u8 *) timeoutie, sizeof(*timeoutie));
2540 lifetime = WPA_GET_LE32(timeoutie->value);
2541 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2542 lifetime);
2543 if (lifetime != peer->lifetime) {
2544 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2545 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2546 goto error;
2547 }
2548
2549 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2550 (u8 *) timeoutie, ftie) < 0) {
2551 wpa_tdls_del_key(sm, peer);
2552 goto error;
2553 }
2554
2555 if (wpa_tdls_set_key(sm, peer) < 0) {
2556 /*
2557 * Some drivers may not be able to config the key prior to full
2558 * STA entry having been configured.
2559 */
2560 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2561 "STA entry is complete");
2562 peer->reconfig_key = 1;
2563 }
2564
2565 skip_rsn:
2566 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2567 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2568 goto error;
2569
2570 if (!peer->tpk_success) {
2571 /*
2572 * Enable Link only when tpk_success is 0, signifying that this
2573 * processing of TPK M3 frame is not because of a retransmission
2574 * during TDLS setup handshake.
2575 */
2576 ret = wpa_tdls_enable_link(sm, peer);
2577 if (ret < 0) {
2578 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2579 goto error;
2580 }
2581 }
2582 return ret;
2583 error:
2584 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2585 return -1;
2586 }
2587
2588
wpa_add_tdls_timeoutie(u8 * pos,u8 * ie,size_t ie_len,u32 tsecs)2589 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2590 {
2591 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2592
2593 os_memset(lifetime, 0, ie_len);
2594 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2595 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2596 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2597 WPA_PUT_LE32(lifetime->value, tsecs);
2598 os_memcpy(pos, ie, ie_len);
2599 return pos + ie_len;
2600 }
2601
2602
2603 /**
2604 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2605 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2606 * @peer: MAC address of the peer STA
2607 * Returns: 0 on success, or -1 on failure
2608 *
2609 * Send TPK Handshake Message 1 info to driver to start TDLS
2610 * handshake with the peer.
2611 */
wpa_tdls_start(struct wpa_sm * sm,const u8 * addr)2612 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2613 {
2614 struct wpa_tdls_peer *peer;
2615 int tdls_prohibited = sm->tdls_prohibited;
2616
2617 if (sm->tdls_disabled || !sm->tdls_supported)
2618 return -1;
2619
2620 #ifdef CONFIG_TDLS_TESTING
2621 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2622 tdls_prohibited) {
2623 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2624 "on TDLS");
2625 tdls_prohibited = 0;
2626 }
2627 #endif /* CONFIG_TDLS_TESTING */
2628
2629 if (tdls_prohibited) {
2630 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2631 "reject request to start setup");
2632 return -1;
2633 }
2634
2635 peer = wpa_tdls_add_peer(sm, addr, NULL);
2636 if (peer == NULL)
2637 return -1;
2638
2639 if (peer->tpk_in_progress) {
2640 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2641 return 0;
2642 }
2643
2644 peer->initiator = 1;
2645
2646 /* add the peer to the driver as a "setup in progress" peer */
2647 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2648 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) {
2649 wpa_tdls_disable_peer_link(sm, peer);
2650 return -1;
2651 }
2652
2653 peer->tpk_in_progress = 1;
2654
2655 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
2656 wpa_tdls_disable_peer_link(sm, peer);
2657 return -1;
2658 }
2659
2660 return 0;
2661 }
2662
2663
wpa_tdls_remove(struct wpa_sm * sm,const u8 * addr)2664 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2665 {
2666 struct wpa_tdls_peer *peer;
2667
2668 if (sm->tdls_disabled || !sm->tdls_supported)
2669 return;
2670
2671 for (peer = sm->tdls; peer; peer = peer->next) {
2672 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2673 break;
2674 }
2675
2676 if (peer == NULL || !peer->tpk_success)
2677 return;
2678
2679 if (sm->tdls_external_setup) {
2680 /*
2681 * Disable previous link to allow renegotiation to be completed
2682 * on AP path.
2683 */
2684 wpa_tdls_do_teardown(sm, peer,
2685 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2686 }
2687 }
2688
2689
2690 /**
2691 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2692 *
2693 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2694 */
wpa_supplicant_rx_tdls(void * ctx,const u8 * src_addr,const u8 * buf,size_t len)2695 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2696 const u8 *buf, size_t len)
2697 {
2698 struct wpa_sm *sm = ctx;
2699 struct wpa_tdls_frame *tf;
2700
2701 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2702 buf, len);
2703
2704 if (sm->tdls_disabled || !sm->tdls_supported) {
2705 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2706 "or unsupported by driver");
2707 return;
2708 }
2709
2710 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2711 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2712 return;
2713 }
2714
2715 if (len < sizeof(*tf)) {
2716 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2717 return;
2718 }
2719
2720 /* Check to make sure its a valid encapsulated TDLS frame */
2721 tf = (struct wpa_tdls_frame *) buf;
2722 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2723 tf->category != WLAN_ACTION_TDLS) {
2724 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2725 "category=%u action=%u",
2726 tf->payloadtype, tf->category, tf->action);
2727 return;
2728 }
2729
2730 switch (tf->action) {
2731 case WLAN_TDLS_SETUP_REQUEST:
2732 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2733 break;
2734 case WLAN_TDLS_SETUP_RESPONSE:
2735 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2736 break;
2737 case WLAN_TDLS_SETUP_CONFIRM:
2738 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2739 break;
2740 case WLAN_TDLS_TEARDOWN:
2741 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2742 break;
2743 case WLAN_TDLS_DISCOVERY_REQUEST:
2744 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2745 break;
2746 default:
2747 /* Kernel code will process remaining frames */
2748 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2749 tf->action);
2750 break;
2751 }
2752 }
2753
2754
2755 /**
2756 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2757 * @wpa_s: Pointer to wpa_supplicant data
2758 * Returns: 0 on success, -1 on failure
2759 *
2760 * This function is called to initialize driver interface parameters for TDLS.
2761 * wpa_drv_init() must have been called before this function to initialize the
2762 * driver interface.
2763 */
wpa_tdls_init(struct wpa_sm * sm)2764 int wpa_tdls_init(struct wpa_sm *sm)
2765 {
2766 if (sm == NULL)
2767 return -1;
2768
2769 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2770 sm->ifname,
2771 sm->own_addr,
2772 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2773 sm, 0);
2774 if (sm->l2_tdls == NULL) {
2775 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2776 "connection");
2777 return -1;
2778 }
2779
2780 /*
2781 * Drivers that support TDLS but don't implement the get_capa callback
2782 * are assumed to perform everything internally
2783 */
2784 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2785 &sm->tdls_external_setup,
2786 &sm->tdls_chan_switch) < 0) {
2787 sm->tdls_supported = 1;
2788 sm->tdls_external_setup = 0;
2789 }
2790
2791 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2792 "driver", sm->tdls_supported ? "" : " not");
2793 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2794 sm->tdls_external_setup ? "external" : "internal");
2795 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
2796 sm->tdls_chan_switch ? "supports" : "does not support");
2797
2798 return 0;
2799 }
2800
2801
wpa_tdls_teardown_peers(struct wpa_sm * sm)2802 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2803 {
2804 struct wpa_tdls_peer *peer, *tmp;
2805
2806 if (!sm)
2807 return;
2808 peer = sm->tdls;
2809
2810 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2811
2812 while (peer) {
2813 tmp = peer->next;
2814 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2815 MAC2STR(peer->addr));
2816 if (sm->tdls_external_setup)
2817 wpa_tdls_do_teardown(sm, peer,
2818 WLAN_REASON_DEAUTH_LEAVING);
2819 else
2820 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2821
2822 peer = tmp;
2823 }
2824 }
2825
2826
wpa_tdls_remove_peers(struct wpa_sm * sm)2827 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2828 {
2829 struct wpa_tdls_peer *peer, *tmp;
2830
2831 peer = sm->tdls;
2832
2833 while (peer) {
2834 int res;
2835 tmp = peer->next;
2836 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2837 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2838 MAC2STR(peer->addr), res);
2839 wpa_tdls_peer_free(sm, peer);
2840 peer = tmp;
2841 }
2842 }
2843
2844
2845 /**
2846 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2847 *
2848 * This function is called to recover driver interface parameters for TDLS
2849 * and frees resources allocated for it.
2850 */
wpa_tdls_deinit(struct wpa_sm * sm)2851 void wpa_tdls_deinit(struct wpa_sm *sm)
2852 {
2853 if (sm == NULL)
2854 return;
2855
2856 if (sm->l2_tdls)
2857 l2_packet_deinit(sm->l2_tdls);
2858 sm->l2_tdls = NULL;
2859
2860 wpa_tdls_remove_peers(sm);
2861 }
2862
2863
wpa_tdls_assoc(struct wpa_sm * sm)2864 void wpa_tdls_assoc(struct wpa_sm *sm)
2865 {
2866 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2867 wpa_tdls_remove_peers(sm);
2868 }
2869
2870
wpa_tdls_disassoc(struct wpa_sm * sm)2871 void wpa_tdls_disassoc(struct wpa_sm *sm)
2872 {
2873 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2874 wpa_tdls_remove_peers(sm);
2875 }
2876
2877
wpa_tdls_prohibited(struct ieee802_11_elems * elems)2878 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
2879 {
2880 /* bit 38 - TDLS Prohibited */
2881 return !!(elems->ext_capab[2 + 4] & 0x40);
2882 }
2883
2884
wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems * elems)2885 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
2886 {
2887 /* bit 39 - TDLS Channel Switch Prohibited */
2888 return !!(elems->ext_capab[2 + 4] & 0x80);
2889 }
2890
2891
wpa_tdls_ap_ies(struct wpa_sm * sm,const u8 * ies,size_t len)2892 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2893 {
2894 struct ieee802_11_elems elems;
2895
2896 sm->tdls_prohibited = 0;
2897 sm->tdls_chan_switch_prohibited = 0;
2898
2899 if (ies == NULL ||
2900 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2901 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2902 return;
2903
2904 sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
2905 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2906 sm->tdls_prohibited ? "prohibited" : "allowed");
2907 sm->tdls_chan_switch_prohibited =
2908 wpa_tdls_chan_switch_prohibited(&elems);
2909 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
2910 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
2911 }
2912
2913
wpa_tdls_assoc_resp_ies(struct wpa_sm * sm,const u8 * ies,size_t len)2914 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2915 {
2916 struct ieee802_11_elems elems;
2917
2918 if (ies == NULL ||
2919 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2920 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2921 return;
2922
2923 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
2924 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
2925 "(Re)Association Response IEs");
2926 sm->tdls_prohibited = 1;
2927 }
2928
2929 if (!sm->tdls_chan_switch_prohibited &&
2930 wpa_tdls_chan_switch_prohibited(&elems)) {
2931 wpa_printf(MSG_DEBUG,
2932 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
2933 sm->tdls_chan_switch_prohibited = 1;
2934 }
2935 }
2936
2937
wpa_tdls_enable(struct wpa_sm * sm,int enabled)2938 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
2939 {
2940 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
2941 sm->tdls_disabled = !enabled;
2942 }
2943
2944
wpa_tdls_is_external_setup(struct wpa_sm * sm)2945 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
2946 {
2947 return sm->tdls_external_setup;
2948 }
2949
2950
wpa_tdls_enable_chan_switch(struct wpa_sm * sm,const u8 * addr,u8 oper_class,struct hostapd_freq_params * freq_params)2951 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
2952 u8 oper_class,
2953 struct hostapd_freq_params *freq_params)
2954 {
2955 struct wpa_tdls_peer *peer;
2956 int ret;
2957
2958 if (sm->tdls_disabled || !sm->tdls_supported)
2959 return -1;
2960
2961 if (!sm->tdls_chan_switch) {
2962 wpa_printf(MSG_DEBUG,
2963 "TDLS: Channel switching not supported by the driver");
2964 return -1;
2965 }
2966
2967 if (sm->tdls_chan_switch_prohibited) {
2968 wpa_printf(MSG_DEBUG,
2969 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
2970 return -1;
2971 }
2972
2973 for (peer = sm->tdls; peer; peer = peer->next) {
2974 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2975 break;
2976 }
2977
2978 if (peer == NULL || !peer->tpk_success) {
2979 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
2980 " not found for channel switching", MAC2STR(addr));
2981 return -1;
2982 }
2983
2984 if (peer->chan_switch_enabled) {
2985 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
2986 " already has channel switching enabled",
2987 MAC2STR(addr));
2988 return 0;
2989 }
2990
2991 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
2992 oper_class, freq_params);
2993 if (!ret)
2994 peer->chan_switch_enabled = 1;
2995
2996 return ret;
2997 }
2998
2999
wpa_tdls_disable_chan_switch(struct wpa_sm * sm,const u8 * addr)3000 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3001 {
3002 struct wpa_tdls_peer *peer;
3003
3004 if (sm->tdls_disabled || !sm->tdls_supported)
3005 return -1;
3006
3007 for (peer = sm->tdls; peer; peer = peer->next) {
3008 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3009 break;
3010 }
3011
3012 if (!peer || !peer->chan_switch_enabled) {
3013 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3014 MACSTR, MAC2STR(addr));
3015 return -1;
3016 }
3017
3018 /* ignore the return value */
3019 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3020
3021 peer->chan_switch_enabled = 0;
3022 return 0;
3023 }
3024