1 /*
2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
24
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12)
39 unsigned int tdls_testing = 0;
40 #endif /* CONFIG_TDLS_TESTING */
41
42 #define TPK_LIFETIME 43200 /* 12 hours */
43 #define TPK_M1_RETRY_COUNT 3
44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
45 #define TPK_M2_RETRY_COUNT 10
46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47
48 #define TDLS_MIC_LEN 16
49
50 #define TDLS_TIMEOUT_LEN 4
51
52 struct wpa_tdls_ftie {
53 u8 ie_type; /* FTIE */
54 u8 ie_len;
55 u8 mic_ctrl[2];
56 u8 mic[TDLS_MIC_LEN];
57 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
58 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
59 /* followed by optional elements */
60 } STRUCT_PACKED;
61
62 struct wpa_tdls_timeoutie {
63 u8 ie_type; /* Timeout IE */
64 u8 ie_len;
65 u8 interval_type;
66 u8 value[TDLS_TIMEOUT_LEN];
67 } STRUCT_PACKED;
68
69 struct wpa_tdls_lnkid {
70 u8 ie_type; /* Link Identifier IE */
71 u8 ie_len;
72 u8 bssid[ETH_ALEN];
73 u8 init_sta[ETH_ALEN];
74 u8 resp_sta[ETH_ALEN];
75 } STRUCT_PACKED;
76
77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
78 struct wpa_tdls_frame {
79 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
80 u8 category; /* Category */
81 u8 action; /* Action (enum tdls_frame_type) */
82 } STRUCT_PACKED;
83
84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
88 struct wpa_tdls_peer *peer);
89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
90 u16 reason_code);
91
92
93 #define TDLS_MAX_IE_LEN 80
94 #define IEEE80211_MAX_SUPP_RATES 32
95
96 struct wpa_tdls_peer {
97 struct wpa_tdls_peer *next;
98 unsigned int reconfig_key:1;
99 int initiator; /* whether this end was initiator for TDLS setup */
100 u8 addr[ETH_ALEN]; /* other end MAC address */
101 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
102 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
103 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 size_t rsnie_i_len;
105 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
106 size_t rsnie_p_len;
107 u32 lifetime;
108 int cipher; /* Selected cipher (WPA_CIPHER_*) */
109 u8 dtoken;
110
111 struct tpk {
112 u8 kck[16]; /* TPK-KCK */
113 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
114 } tpk;
115 int tpk_set;
116 int tk_set; /* TPK-TK configured to the driver */
117 int tpk_success;
118 int tpk_in_progress;
119
120 struct tpk_timer {
121 u8 dest[ETH_ALEN];
122 int count; /* Retry Count */
123 int timer; /* Timeout in milliseconds */
124 u8 action_code; /* TDLS frame type */
125 u8 dialog_token;
126 u16 status_code;
127 u32 peer_capab;
128 int buf_len; /* length of TPK message for retransmission */
129 u8 *buf; /* buffer for TPK message */
130 } sm_tmr;
131
132 u16 capability;
133
134 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
135 size_t supp_rates_len;
136
137 struct ieee80211_ht_capabilities *ht_capabilities;
138 struct ieee80211_vht_capabilities *vht_capabilities;
139 struct ieee80211_he_capabilities *he_capabilities;
140 size_t he_capab_len;
141 struct ieee80211_he_6ghz_band_cap *he_6ghz_band_capabilities;
142 struct ieee80211_eht_capabilities *eht_capabilities;
143 size_t eht_capab_len;
144
145 u8 qos_info;
146
147 u16 aid;
148
149 u8 *ext_capab;
150 size_t ext_capab_len;
151
152 u8 *supp_channels;
153 size_t supp_channels_len;
154
155 u8 *supp_oper_classes;
156 size_t supp_oper_classes_len;
157
158 u8 wmm_capable;
159
160 /* channel switch currently enabled */
161 int chan_switch_enabled;
162
163 int mld_link_id;
164 };
165
166
wpa_tdls_get_link_bssid(struct wpa_sm * sm,int link_id)167 static const u8 * wpa_tdls_get_link_bssid(struct wpa_sm *sm, int link_id)
168 {
169 if (link_id >= 0)
170 return sm->mlo.links[link_id].bssid;
171 return sm->bssid;
172 }
173
174
wpa_tdls_get_privacy(struct wpa_sm * sm)175 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
176 {
177 /*
178 * Get info needed from supplicant to check if the current BSS supports
179 * security. Other than OPEN mode, rest are considered secured
180 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
181 */
182 return sm->pairwise_cipher != WPA_CIPHER_NONE;
183 }
184
185
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)186 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
187 {
188 os_memcpy(pos, ie, ie_len);
189 return pos + ie_len;
190 }
191
192
wpa_tdls_del_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)193 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
194 {
195 if (wpa_sm_set_key(sm, -1, WPA_ALG_NONE, peer->addr,
196 0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) {
197 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
198 "the driver");
199 return -1;
200 }
201
202 return 0;
203 }
204
205
wpa_tdls_set_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)206 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
207 {
208 u8 key_len;
209 u8 rsc[6];
210 enum wpa_alg alg;
211
212 if (peer->tk_set) {
213 /*
214 * This same TPK-TK has already been configured to the driver
215 * and this new configuration attempt (likely due to an
216 * unexpected retransmitted frame) would result in clearing
217 * the TX/RX sequence number which can break security, so must
218 * not allow that to happen.
219 */
220 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
221 " has already been configured to the driver - do not reconfigure",
222 MAC2STR(peer->addr));
223 return -1;
224 }
225
226 os_memset(rsc, 0, 6);
227
228 switch (peer->cipher) {
229 case WPA_CIPHER_CCMP:
230 alg = WPA_ALG_CCMP;
231 key_len = 16;
232 break;
233 case WPA_CIPHER_NONE:
234 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
235 "NONE - do not use pairwise keys");
236 return -1;
237 default:
238 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
239 sm->pairwise_cipher);
240 return -1;
241 }
242
243 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
244 MAC2STR(peer->addr));
245 if (wpa_sm_set_key(sm, -1, alg, peer->addr, 0, 1, rsc, sizeof(rsc),
246 peer->tpk.tk, key_len,
247 KEY_FLAG_PAIRWISE_RX_TX) < 0) {
248 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
249 "driver");
250 return -1;
251 }
252 peer->tk_set = 1;
253 return 0;
254 }
255
256
wpa_tdls_send_tpk_msg(struct wpa_sm * sm,const u8 * dst,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * buf,size_t len,int link_id)257 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
258 u8 action_code, u8 dialog_token,
259 u16 status_code, u32 peer_capab,
260 int initiator, const u8 *buf, size_t len,
261 int link_id)
262 {
263 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
264 status_code, peer_capab, initiator, buf,
265 len, link_id);
266 }
267
268
wpa_tdls_tpk_send(struct wpa_sm * sm,const u8 * dest,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * msg,size_t msg_len,int link_id)269 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
270 u8 dialog_token, u16 status_code, u32 peer_capab,
271 int initiator, const u8 *msg, size_t msg_len,
272 int link_id)
273 {
274 struct wpa_tdls_peer *peer;
275
276 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
277 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
278 "msg_len=%u",
279 MAC2STR(dest), action_code, dialog_token, status_code,
280 peer_capab, initiator, (unsigned int) msg_len);
281
282 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
283 status_code, peer_capab, initiator, msg,
284 msg_len, link_id)) {
285 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
286 "(action_code=%u)", action_code);
287 return -1;
288 }
289
290 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
291 action_code == WLAN_TDLS_TEARDOWN ||
292 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
293 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
294 return 0; /* No retries */
295
296 for (peer = sm->tdls; peer; peer = peer->next) {
297 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
298 break;
299 }
300
301 if (peer == NULL) {
302 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
303 "retry " MACSTR, MAC2STR(dest));
304 return 0;
305 }
306
307 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
308
309 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
310 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
311 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
312 } else {
313 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
314 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
315 }
316
317 /* Copy message to resend on timeout */
318 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
319 peer->sm_tmr.action_code = action_code;
320 peer->sm_tmr.dialog_token = dialog_token;
321 peer->sm_tmr.status_code = status_code;
322 peer->sm_tmr.peer_capab = peer_capab;
323 peer->sm_tmr.buf_len = msg_len;
324 os_free(peer->sm_tmr.buf);
325 peer->sm_tmr.buf = os_memdup(msg, msg_len);
326 if (peer->sm_tmr.buf == NULL)
327 return -1;
328
329 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
330 "(action_code=%u)", action_code);
331 eloop_register_timeout(peer->sm_tmr.timer / 1000,
332 (peer->sm_tmr.timer % 1000) * 1000,
333 wpa_tdls_tpk_retry_timeout, sm, peer);
334 return 0;
335 }
336
337
wpa_tdls_do_teardown(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u16 reason_code)338 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
339 u16 reason_code)
340 {
341 int ret;
342
343 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
344 /* disable the link after teardown was sent */
345 wpa_tdls_disable_peer_link(sm, peer);
346
347 return ret;
348 }
349
350
wpa_tdls_tpk_retry_timeout(void * eloop_ctx,void * timeout_ctx)351 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
352 {
353
354 struct wpa_sm *sm = eloop_ctx;
355 struct wpa_tdls_peer *peer = timeout_ctx;
356
357 if (peer->sm_tmr.count) {
358 peer->sm_tmr.count--;
359
360 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
361 "(action_code=%u)",
362 peer->sm_tmr.action_code);
363
364 if (peer->sm_tmr.buf == NULL) {
365 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
366 "for action_code=%u",
367 peer->sm_tmr.action_code);
368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
369 peer);
370 return;
371 }
372
373 /* resend TPK Handshake Message to Peer */
374 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
375 peer->sm_tmr.action_code,
376 peer->sm_tmr.dialog_token,
377 peer->sm_tmr.status_code,
378 peer->sm_tmr.peer_capab,
379 peer->initiator,
380 peer->sm_tmr.buf,
381 peer->sm_tmr.buf_len, -1)) {
382 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
383 "transmission");
384 }
385
386 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
387 eloop_register_timeout(peer->sm_tmr.timer / 1000,
388 (peer->sm_tmr.timer % 1000) * 1000,
389 wpa_tdls_tpk_retry_timeout, sm, peer);
390 } else {
391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
392
393 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
394 wpa_tdls_do_teardown(sm, peer,
395 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
396 }
397 }
398
399
wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 action_code)400 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
401 struct wpa_tdls_peer *peer,
402 u8 action_code)
403 {
404 if (action_code == peer->sm_tmr.action_code) {
405 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
406 "action_code=%u", action_code);
407
408 /* Cancel Timeout registered */
409 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
410
411 /* free all resources meant for retry */
412 os_free(peer->sm_tmr.buf);
413 peer->sm_tmr.buf = NULL;
414
415 peer->sm_tmr.count = 0;
416 peer->sm_tmr.timer = 0;
417 peer->sm_tmr.buf_len = 0;
418 peer->sm_tmr.action_code = 0xff;
419 } else {
420 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
421 "(Unknown action_code=%u)", action_code);
422 }
423 }
424
425
wpa_tdls_generate_tpk(struct wpa_tdls_peer * peer,const u8 * own_addr,const u8 * bssid)426 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
427 const u8 *own_addr, const u8 *bssid)
428 {
429 u8 key_input[SHA256_MAC_LEN];
430 const u8 *nonce[2];
431 size_t len[2];
432 u8 data[3 * ETH_ALEN];
433
434 /* IEEE Std 802.11-2016 12.7.9.2:
435 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce))
436 * Hash = SHA-256 for TDLS
437 */
438 len[0] = WPA_NONCE_LEN;
439 len[1] = WPA_NONCE_LEN;
440 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
441 nonce[0] = peer->inonce;
442 nonce[1] = peer->rnonce;
443 } else {
444 nonce[0] = peer->rnonce;
445 nonce[1] = peer->inonce;
446 }
447 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
448 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
449 sha256_vector(2, nonce, len, key_input);
450 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
451 key_input, SHA256_MAC_LEN);
452
453 /*
454 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK",
455 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID)
456 */
457
458 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
459 os_memcpy(data, own_addr, ETH_ALEN);
460 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
461 } else {
462 os_memcpy(data, peer->addr, ETH_ALEN);
463 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
464 }
465 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
466 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
467
468 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
469 (u8 *) &peer->tpk, sizeof(peer->tpk));
470 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
471 peer->tpk.kck, sizeof(peer->tpk.kck));
472 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
473 peer->tpk.tk, sizeof(peer->tpk.tk));
474 peer->tpk_set = 1;
475 }
476
477
478 /**
479 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
480 * @kck: TPK-KCK
481 * @lnkid: Pointer to the beginning of Link Identifier IE
482 * @rsne: Pointer to the beginning of RSNE used for handshake
483 * @rsne_len: Length of RSNE in octets
484 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
485 * @fte: Pointer to the beginning of FTE
486 * @fre_len: Length of FTE in octets
487 * @mic: Pointer for writing MIC
488 *
489 * Calculate MIC for TDLS frame.
490 */
wpa_tdls_ftie_mic(const u8 * kck,u8 trans_seq,const u8 * lnkid,const u8 * rsne,size_t rsne_len,const u8 * timeoutie,const u8 * fte,size_t fte_len,u8 * mic)491 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
492 const u8 *rsne, size_t rsne_len,
493 const u8 *timeoutie,
494 const u8 *fte, size_t fte_len, u8 *mic)
495 {
496 u8 *buf, *pos;
497 struct wpa_tdls_ftie *_ftie;
498 const struct wpa_tdls_lnkid *_lnkid;
499 int ret;
500 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + rsne_len +
501 2 + timeoutie[1] + fte_len;
502 buf = os_zalloc(len);
503 if (!buf) {
504 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
505 return -1;
506 }
507
508 pos = buf;
509 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
510 /* 1) TDLS initiator STA MAC address */
511 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
512 pos += ETH_ALEN;
513 /* 2) TDLS responder STA MAC address */
514 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
515 pos += ETH_ALEN;
516 /* 3) Transaction Sequence number */
517 *pos++ = trans_seq;
518 /* 4) Link Identifier IE */
519 os_memcpy(pos, lnkid, 2 + lnkid[1]);
520 pos += 2 + lnkid[1];
521 /* 5) RSN IE */
522 os_memcpy(pos, rsne, rsne_len);
523 pos += rsne_len;
524 /* 6) Timeout Interval IE */
525 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
526 pos += 2 + timeoutie[1];
527 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
528 os_memcpy(pos, fte, fte_len);
529 _ftie = (struct wpa_tdls_ftie *) pos;
530 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
531 pos += fte_len;
532
533 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
534 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
535 ret = omac1_aes_128(kck, buf, pos - buf, mic);
536 os_free(buf);
537 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
538 return ret;
539 }
540
541
542 /**
543 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
544 * @kck: TPK-KCK
545 * @trans_seq: Transaction Sequence Number (4 - Teardown)
546 * @rcode: Reason code for Teardown
547 * @dtoken: Dialog Token used for that particular link
548 * @lnkid: Pointer to the beginning of Link Identifier IE
549 * @fte: Pointer to the beginning of FTE
550 * @fre_len: Length of FTE in octets
551 * @mic: Pointer for writing MIC
552 *
553 * Calculate MIC for TDLS frame.
554 */
wpa_tdls_key_mic_teardown(const u8 * kck,u8 trans_seq,u16 rcode,u8 dtoken,const u8 * lnkid,const u8 * fte,size_t fte_len,u8 * mic)555 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
556 u8 dtoken, const u8 *lnkid,
557 const u8 *fte, size_t fte_len, u8 *mic)
558 {
559 u8 *buf, *pos;
560 struct wpa_tdls_ftie *_ftie;
561 int ret;
562 int len;
563
564 if (lnkid == NULL)
565 return -1;
566
567 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
568 sizeof(trans_seq) + fte_len;
569
570 buf = os_zalloc(len);
571 if (!buf) {
572 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
573 return -1;
574 }
575
576 pos = buf;
577 /* 1) Link Identifier IE */
578 os_memcpy(pos, lnkid, 2 + lnkid[1]);
579 pos += 2 + lnkid[1];
580 /* 2) Reason Code */
581 WPA_PUT_LE16(pos, rcode);
582 pos += sizeof(rcode);
583 /* 3) Dialog token */
584 *pos++ = dtoken;
585 /* 4) Transaction Sequence number */
586 *pos++ = trans_seq;
587 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
588 os_memcpy(pos, fte, fte_len);
589 _ftie = (struct wpa_tdls_ftie *) pos;
590 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
591 pos += fte_len;
592
593 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
594 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
595 ret = omac1_aes_128(kck, buf, pos - buf, mic);
596 os_free(buf);
597 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
598 return ret;
599 }
600
601
wpa_supplicant_verify_tdls_mic(u8 trans_seq,struct wpa_tdls_peer * peer,const u8 * lnkid,const u8 * timeoutie,const struct wpa_tdls_ftie * ftie,size_t fte_len)602 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
603 struct wpa_tdls_peer *peer,
604 const u8 *lnkid, const u8 *timeoutie,
605 const struct wpa_tdls_ftie *ftie,
606 size_t fte_len)
607 {
608 u8 mic[16];
609
610 if (peer->tpk_set) {
611 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
612 peer->rsnie_p, peer->rsnie_p_len, timeoutie,
613 (const u8 *) ftie, fte_len, mic);
614 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
615 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
616 "dropping packet");
617 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
618 ftie->mic, 16);
619 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
620 mic, 16);
621 return -1;
622 }
623 } else {
624 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
625 "TPK not set - dropping packet");
626 return -1;
627 }
628 return 0;
629 }
630
631
wpa_supplicant_verify_tdls_mic_teardown(u8 trans_seq,u16 rcode,u8 dtoken,struct wpa_tdls_peer * peer,const u8 * lnkid,const struct wpa_tdls_ftie * ftie,size_t fte_len)632 static int wpa_supplicant_verify_tdls_mic_teardown(
633 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
634 const u8 *lnkid, const struct wpa_tdls_ftie *ftie, size_t fte_len)
635 {
636 u8 mic[16];
637
638 if (peer->tpk_set) {
639 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
640 dtoken, lnkid, (const u8 *) ftie,
641 fte_len, mic);
642 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
643 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
644 "dropping packet");
645 return -1;
646 }
647 } else {
648 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
649 "MIC, TPK not set - dropping packet");
650 return -1;
651 }
652 return 0;
653 }
654
655
wpa_tdls_tpk_timeout(void * eloop_ctx,void * timeout_ctx)656 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
657 {
658 struct wpa_sm *sm = eloop_ctx;
659 struct wpa_tdls_peer *peer = timeout_ctx;
660
661 /*
662 * On TPK lifetime expiration, we have an option of either tearing down
663 * the direct link or trying to re-initiate it. The selection of what
664 * to do is not strictly speaking controlled by our role in the expired
665 * link, but for now, use that to select whether to renew or tear down
666 * the link.
667 */
668
669 if (peer->initiator) {
670 u8 addr[ETH_ALEN];
671
672 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
673 " - try to renew", MAC2STR(peer->addr));
674 /* cache the peer address before do_teardown */
675 os_memcpy(addr, peer->addr, ETH_ALEN);
676 wpa_tdls_do_teardown(sm, peer,
677 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
678 wpa_tdls_start(sm, addr);
679 } else {
680 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
681 " - tear down", MAC2STR(peer->addr));
682 wpa_tdls_do_teardown(sm, peer,
683 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
684 }
685 }
686
687
wpa_tdls_peer_remove_from_list(struct wpa_sm * sm,struct wpa_tdls_peer * peer)688 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
689 struct wpa_tdls_peer *peer)
690 {
691 struct wpa_tdls_peer *cur, *prev;
692
693 cur = sm->tdls;
694 prev = NULL;
695 while (cur && cur != peer) {
696 prev = cur;
697 cur = cur->next;
698 }
699
700 if (cur != peer) {
701 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
702 " to remove it from the list",
703 MAC2STR(peer->addr));
704 return;
705 }
706
707 if (prev)
708 prev->next = peer->next;
709 else
710 sm->tdls = peer->next;
711 }
712
713
wpa_tdls_peer_clear(struct wpa_sm * sm,struct wpa_tdls_peer * peer)714 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
715 {
716 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
717 MAC2STR(peer->addr));
718 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
719 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
720 peer->reconfig_key = 0;
721 peer->initiator = 0;
722 peer->tpk_in_progress = 0;
723 os_free(peer->sm_tmr.buf);
724 peer->sm_tmr.buf = NULL;
725 os_free(peer->ht_capabilities);
726 peer->ht_capabilities = NULL;
727 os_free(peer->vht_capabilities);
728 peer->vht_capabilities = NULL;
729 os_free(peer->he_capabilities);
730 peer->he_capabilities = NULL;
731 os_free(peer->he_6ghz_band_capabilities);
732 peer->he_6ghz_band_capabilities = NULL;
733 os_free(peer->eht_capabilities);
734 peer->eht_capabilities = NULL;
735 os_free(peer->ext_capab);
736 peer->ext_capab = NULL;
737 os_free(peer->supp_channels);
738 peer->supp_channels = NULL;
739 os_free(peer->supp_oper_classes);
740 peer->supp_oper_classes = NULL;
741 peer->rsnie_i_len = peer->rsnie_p_len = 0;
742 peer->cipher = 0;
743 peer->qos_info = 0;
744 peer->wmm_capable = 0;
745 peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
746 peer->chan_switch_enabled = 0;
747 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
748 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
749 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
750 peer->mld_link_id = -1;
751 }
752
753
wpa_tdls_peer_free(struct wpa_sm * sm,struct wpa_tdls_peer * peer)754 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
755 {
756 wpa_tdls_peer_clear(sm, peer);
757 wpa_tdls_peer_remove_from_list(sm, peer);
758 os_free(peer);
759 }
760
761
wpa_tdls_linkid(struct wpa_sm * sm,struct wpa_tdls_peer * peer,struct wpa_tdls_lnkid * lnkid)762 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
763 struct wpa_tdls_lnkid *lnkid)
764 {
765 lnkid->ie_type = WLAN_EID_LINK_ID;
766 lnkid->ie_len = 3 * ETH_ALEN;
767 os_memcpy(lnkid->bssid, wpa_tdls_get_link_bssid(sm, peer->mld_link_id),
768 ETH_ALEN);
769 if (peer->initiator) {
770 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
771 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
772 } else {
773 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
774 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
775 }
776 }
777
778
wpa_tdls_send_teardown(struct wpa_sm * sm,const u8 * addr,u16 reason_code)779 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
780 u16 reason_code)
781 {
782 struct wpa_tdls_peer *peer;
783 struct wpa_tdls_ftie *ftie;
784 struct wpa_tdls_lnkid lnkid;
785 u8 dialog_token;
786 u8 *rbuf, *pos;
787 int ielen;
788
789 if (sm->tdls_disabled || !sm->tdls_supported)
790 return -1;
791
792 /* Find the node and free from the list */
793 for (peer = sm->tdls; peer; peer = peer->next) {
794 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
795 break;
796 }
797
798 if (peer == NULL) {
799 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
800 "Teardown " MACSTR, MAC2STR(addr));
801 return 0;
802 }
803
804 /* Cancel active channel switch before teardown */
805 if (peer->chan_switch_enabled) {
806 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
807 " to base channel", MAC2STR(addr));
808 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
809 }
810
811 dialog_token = peer->dtoken;
812
813 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
814 MAC2STR(addr));
815
816 ielen = 0;
817 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
818 /* To add FTIE for Teardown request and compute MIC */
819 ielen += sizeof(*ftie);
820 #ifdef CONFIG_TDLS_TESTING
821 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
822 ielen += 170;
823 #endif /* CONFIG_TDLS_TESTING */
824 }
825
826 rbuf = os_zalloc(ielen + 1);
827 if (rbuf == NULL)
828 return -1;
829 pos = rbuf;
830
831 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
832 goto skip_ies;
833
834 ftie = (struct wpa_tdls_ftie *) pos;
835 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
836 /* Using the recent nonce which should be for CONFIRM frame */
837 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
838 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
839 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
840 pos = (u8 *) (ftie + 1);
841 #ifdef CONFIG_TDLS_TESTING
842 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
843 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
844 "FTIE");
845 ftie->ie_len += 170;
846 *pos++ = 255; /* FTIE subelem */
847 *pos++ = 168; /* FTIE subelem length */
848 pos += 168;
849 }
850 #endif /* CONFIG_TDLS_TESTING */
851 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
852 (u8 *) ftie, pos - (u8 *) ftie);
853
854 /* compute MIC before sending */
855 wpa_tdls_linkid(sm, peer, &lnkid);
856 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
857 dialog_token, (const u8 *) &lnkid,
858 (const u8 *) ftie, 2 + ftie->ie_len,
859 ftie->mic);
860
861 skip_ies:
862 /* TODO: register for a Timeout handler, if Teardown is not received at
863 * the other end, then try again another time */
864
865 /* request driver to send Teardown using this FTIE */
866 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
867 reason_code, 0, peer->initiator, rbuf, pos - rbuf,
868 -1);
869 os_free(rbuf);
870
871 return 0;
872 }
873
874
wpa_tdls_teardown_link(struct wpa_sm * sm,const u8 * addr,u16 reason_code)875 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
876 {
877 struct wpa_tdls_peer *peer;
878
879 if (sm->tdls_disabled || !sm->tdls_supported)
880 return -1;
881
882 for (peer = sm->tdls; peer; peer = peer->next) {
883 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
884 break;
885 }
886
887 if (peer == NULL) {
888 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
889 " for link Teardown", MAC2STR(addr));
890 return -1;
891 }
892
893 if (!peer->tpk_success) {
894 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
895 " not connected - cannot Teardown link", MAC2STR(addr));
896 return -1;
897 }
898
899 return wpa_tdls_do_teardown(sm, peer, reason_code);
900 }
901
902
wpa_tdls_disable_peer_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)903 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
904 struct wpa_tdls_peer *peer)
905 {
906 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
907 wpa_tdls_peer_free(sm, peer);
908 }
909
910
wpa_tdls_disable_unreachable_link(struct wpa_sm * sm,const u8 * addr)911 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
912 {
913 struct wpa_tdls_peer *peer;
914
915 for (peer = sm->tdls; peer; peer = peer->next) {
916 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
917 break;
918 }
919
920 if (!peer || !peer->tpk_success) {
921 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
922 " not connected - cannot teardown unreachable link",
923 MAC2STR(addr));
924 return;
925 }
926
927 if (wpa_tdls_is_external_setup(sm)) {
928 /*
929 * Get us on the base channel, disable the link, send a
930 * teardown packet through the AP, and then reset link data.
931 */
932 if (peer->chan_switch_enabled)
933 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
934 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
935 wpa_tdls_send_teardown(sm, addr,
936 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
937 wpa_tdls_peer_free(sm, peer);
938 } else {
939 wpa_tdls_disable_peer_link(sm, peer);
940 }
941 }
942
943
wpa_tdls_get_link_status(struct wpa_sm * sm,const u8 * addr)944 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
945 {
946 struct wpa_tdls_peer *peer;
947
948 if (sm->tdls_disabled || !sm->tdls_supported)
949 return "disabled";
950
951 for (peer = sm->tdls; peer; peer = peer->next) {
952 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
953 break;
954 }
955
956 if (peer == NULL)
957 return "peer does not exist";
958
959 if (!peer->tpk_success)
960 return "peer not connected";
961
962 return "connected";
963 }
964
965
wpa_tdls_recv_teardown(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)966 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
967 const u8 *buf, size_t len)
968 {
969 struct wpa_tdls_peer *peer = NULL;
970 struct wpa_tdls_ftie *ftie;
971 struct wpa_tdls_lnkid *lnkid;
972 struct wpa_eapol_ie_parse kde;
973 u16 reason_code;
974 const u8 *pos;
975 int ielen;
976
977 /* Find the node and free from the list */
978 for (peer = sm->tdls; peer; peer = peer->next) {
979 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
980 break;
981 }
982
983 if (peer == NULL) {
984 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
985 "Teardown " MACSTR, MAC2STR(src_addr));
986 return 0;
987 }
988
989 pos = buf;
990 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
991
992 reason_code = WPA_GET_LE16(pos);
993 pos += 2;
994
995 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
996 " (reason code %u)", MAC2STR(src_addr), reason_code);
997
998 ielen = len - (pos - buf); /* start of IE in buf */
999
1000 /*
1001 * Don't reject the message if failing to parse IEs. The IEs we need are
1002 * explicitly checked below. Some APs may add arbitrary padding to the
1003 * end of short TDLS frames and that would look like invalid IEs.
1004 */
1005 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
1006 wpa_printf(MSG_DEBUG,
1007 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
1008
1009 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1010 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
1011 "Teardown");
1012 return -1;
1013 }
1014 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1015
1016 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
1017 goto skip_ftie;
1018
1019 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
1020 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
1021 return -1;
1022 }
1023
1024 ftie = (struct wpa_tdls_ftie *) kde.ftie;
1025
1026 /* Process MIC check to see if TDLS Teardown is right */
1027 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
1028 peer->dtoken, peer,
1029 (const u8 *) lnkid,
1030 ftie, kde.ftie_len) < 0) {
1031 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
1032 "Teardown Request from " MACSTR, MAC2STR(src_addr));
1033 return -1;
1034 }
1035
1036 skip_ftie:
1037 /*
1038 * Request the driver to disable the direct link and clear associated
1039 * keys.
1040 */
1041 wpa_tdls_disable_peer_link(sm, peer);
1042 return 0;
1043 }
1044
1045
1046 /**
1047 * wpa_tdls_send_error - To send suitable TDLS status response with
1048 * appropriate status code mentioning reason for error/failure.
1049 * @dst - MAC addr of Peer station
1050 * @tdls_action - TDLS frame type for which error code is sent
1051 * @initiator - was this end the initiator of the connection
1052 * @status - status code mentioning reason
1053 */
1054
wpa_tdls_send_error(struct wpa_sm * sm,const u8 * dst,u8 tdls_action,u8 dialog_token,int initiator,u16 status)1055 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1056 u8 tdls_action, u8 dialog_token, int initiator,
1057 u16 status)
1058 {
1059 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1060 " (action=%u status=%u)",
1061 MAC2STR(dst), tdls_action, status);
1062 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1063 0, initiator, NULL, 0, -1);
1064 }
1065
1066
1067 static struct wpa_tdls_peer *
wpa_tdls_add_peer(struct wpa_sm * sm,const u8 * addr,int * existing)1068 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1069 {
1070 struct wpa_tdls_peer *peer;
1071
1072 if (existing)
1073 *existing = 0;
1074 for (peer = sm->tdls; peer; peer = peer->next) {
1075 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1076 if (existing)
1077 *existing = 1;
1078 return peer; /* re-use existing entry */
1079 }
1080 }
1081
1082 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1083 MAC2STR(addr));
1084
1085 peer = os_zalloc(sizeof(*peer));
1086 if (peer == NULL)
1087 return NULL;
1088
1089 os_memcpy(peer->addr, addr, ETH_ALEN);
1090 peer->mld_link_id = -1;
1091 peer->next = sm->tdls;
1092 sm->tdls = peer;
1093
1094 return peer;
1095 }
1096
1097
wpa_tdls_send_tpk_m1(struct wpa_sm * sm,struct wpa_tdls_peer * peer)1098 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1099 struct wpa_tdls_peer *peer)
1100 {
1101 size_t buf_len;
1102 struct wpa_tdls_timeoutie timeoutie;
1103 u16 rsn_capab;
1104 struct wpa_tdls_ftie *ftie;
1105 u8 *rbuf, *pos, *count_pos;
1106 u16 count;
1107 struct rsn_ie_hdr *hdr;
1108 int status;
1109
1110 if (!wpa_tdls_get_privacy(sm)) {
1111 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1112 peer->rsnie_i_len = 0;
1113 goto skip_rsnie;
1114 }
1115
1116 /*
1117 * TPK Handshake Message 1:
1118 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1119 * Timeout Interval IE))
1120 */
1121
1122 /* Filling RSN IE */
1123 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1124 hdr->elem_id = WLAN_EID_RSN;
1125 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1126
1127 pos = (u8 *) (hdr + 1);
1128 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1129 pos += RSN_SELECTOR_LEN;
1130 count_pos = pos;
1131 pos += 2;
1132
1133 count = 0;
1134
1135 /*
1136 * AES-CCMP is the default Encryption preferred for TDLS, so
1137 * RSN IE is filled only with CCMP CIPHER
1138 * Note: TKIP is not used to encrypt TDLS link.
1139 *
1140 * Regardless of the cipher used on the AP connection, select CCMP
1141 * here.
1142 */
1143 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1144 pos += RSN_SELECTOR_LEN;
1145 count++;
1146
1147 WPA_PUT_LE16(count_pos, count);
1148
1149 WPA_PUT_LE16(pos, 1);
1150 pos += 2;
1151 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1152 pos += RSN_SELECTOR_LEN;
1153
1154 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1155 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1156 #ifdef CONFIG_TDLS_TESTING
1157 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1158 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1159 "testing");
1160 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1161 }
1162 #endif /* CONFIG_TDLS_TESTING */
1163 WPA_PUT_LE16(pos, rsn_capab);
1164 pos += 2;
1165 #ifdef CONFIG_TDLS_TESTING
1166 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1167 /* Number of PMKIDs */
1168 *pos++ = 0x00;
1169 *pos++ = 0x00;
1170 }
1171 #endif /* CONFIG_TDLS_TESTING */
1172
1173 hdr->len = (pos - peer->rsnie_i) - 2;
1174 peer->rsnie_i_len = pos - peer->rsnie_i;
1175 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1176 peer->rsnie_i, peer->rsnie_i_len);
1177
1178 skip_rsnie:
1179 buf_len = 0;
1180 if (wpa_tdls_get_privacy(sm))
1181 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1182 sizeof(struct wpa_tdls_timeoutie);
1183 #ifdef CONFIG_TDLS_TESTING
1184 if (wpa_tdls_get_privacy(sm) &&
1185 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1186 buf_len += 170;
1187 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1188 buf_len += sizeof(struct wpa_tdls_lnkid);
1189 #endif /* CONFIG_TDLS_TESTING */
1190 rbuf = os_zalloc(buf_len + 1);
1191 if (rbuf == NULL) {
1192 wpa_tdls_peer_free(sm, peer);
1193 return -2;
1194 }
1195 pos = rbuf;
1196
1197 if (!wpa_tdls_get_privacy(sm))
1198 goto skip_ies;
1199
1200 /* Initiator RSN IE */
1201 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1202
1203 ftie = (struct wpa_tdls_ftie *) pos;
1204 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1205 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1206
1207 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1208 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1209 "TDLS: Failed to get random data for initiator Nonce");
1210 os_free(rbuf);
1211 wpa_tdls_peer_free(sm, peer);
1212 return -2;
1213 }
1214 peer->tk_set = 0; /* A new nonce results in a new TK */
1215 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1216 peer->inonce, WPA_NONCE_LEN);
1217 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1218
1219 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1220 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1221
1222 pos = (u8 *) (ftie + 1);
1223
1224 #ifdef CONFIG_TDLS_TESTING
1225 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1226 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1227 "FTIE");
1228 ftie->ie_len += 170;
1229 *pos++ = 255; /* FTIE subelem */
1230 *pos++ = 168; /* FTIE subelem length */
1231 pos += 168;
1232 }
1233 #endif /* CONFIG_TDLS_TESTING */
1234
1235 /* Lifetime */
1236 peer->lifetime = TPK_LIFETIME;
1237 #ifdef CONFIG_TDLS_TESTING
1238 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1239 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1240 "lifetime");
1241 peer->lifetime = 301;
1242 }
1243 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1244 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1245 "lifetime");
1246 peer->lifetime = 0xffffffff;
1247 }
1248 #endif /* CONFIG_TDLS_TESTING */
1249 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1250 sizeof(timeoutie), peer->lifetime);
1251 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1252
1253 skip_ies:
1254
1255 #ifdef CONFIG_TDLS_TESTING
1256 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1257 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1258
1259 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1260 "Link Identifier");
1261 wpa_tdls_linkid(sm, peer, l);
1262 l->bssid[5] ^= 0x01;
1263 pos += sizeof(*l);
1264 }
1265 #endif /* CONFIG_TDLS_TESTING */
1266
1267 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1268 "Handshake Message 1 (peer " MACSTR ")",
1269 MAC2STR(peer->addr));
1270
1271 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1272 1, 0, 0, peer->initiator, rbuf, pos - rbuf,
1273 -1);
1274 os_free(rbuf);
1275
1276 return status;
1277 }
1278
1279
wpa_tdls_send_tpk_m2(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1280 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1281 const unsigned char *src_addr, u8 dtoken,
1282 struct wpa_tdls_lnkid *lnkid,
1283 const struct wpa_tdls_peer *peer)
1284 {
1285 u8 *rbuf, *pos;
1286 size_t buf_len;
1287 u32 lifetime;
1288 struct wpa_tdls_timeoutie timeoutie;
1289 struct wpa_tdls_ftie *ftie;
1290 int status;
1291
1292 buf_len = 0;
1293 if (wpa_tdls_get_privacy(sm)) {
1294 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1295 * Lifetime */
1296 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1297 sizeof(struct wpa_tdls_timeoutie);
1298 #ifdef CONFIG_TDLS_TESTING
1299 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1300 buf_len += 170;
1301 #endif /* CONFIG_TDLS_TESTING */
1302 }
1303
1304 rbuf = os_zalloc(buf_len + 1);
1305 if (rbuf == NULL)
1306 return -1;
1307 pos = rbuf;
1308
1309 if (!wpa_tdls_get_privacy(sm))
1310 goto skip_ies;
1311
1312 /* Peer RSN IE */
1313 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1314
1315 ftie = (struct wpa_tdls_ftie *) pos;
1316 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1317 /* TODO: ftie->mic_control to set 2-RESPONSE */
1318 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1319 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1320 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1321 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1322 (u8 *) ftie, sizeof(*ftie));
1323
1324 pos = (u8 *) (ftie + 1);
1325
1326 #ifdef CONFIG_TDLS_TESTING
1327 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1328 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1329 "FTIE");
1330 ftie->ie_len += 170;
1331 *pos++ = 255; /* FTIE subelem */
1332 *pos++ = 168; /* FTIE subelem length */
1333 pos += 168;
1334 }
1335 #endif /* CONFIG_TDLS_TESTING */
1336
1337 /* Lifetime */
1338 lifetime = peer->lifetime;
1339 #ifdef CONFIG_TDLS_TESTING
1340 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1341 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1342 "lifetime in response");
1343 lifetime++;
1344 }
1345 #endif /* CONFIG_TDLS_TESTING */
1346 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1347 sizeof(timeoutie), lifetime);
1348 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1349 lifetime);
1350
1351 /* compute MIC before sending */
1352 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (const u8 *) lnkid, peer->rsnie_p,
1353 peer->rsnie_p_len, (const u8 *) &timeoutie,
1354 (const u8 *) ftie, 2 + ftie->ie_len, ftie->mic);
1355 #ifdef CONFIG_TDLS_TESTING
1356 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1357 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1358 ftie->mic[0] ^= 0x01;
1359 }
1360 #endif /* CONFIG_TDLS_TESTING */
1361
1362 skip_ies:
1363 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1364 dtoken, 0, 0, peer->initiator, rbuf,
1365 pos - rbuf, -1);
1366 os_free(rbuf);
1367
1368 return status;
1369 }
1370
1371
wpa_tdls_send_tpk_m3(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1372 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1373 const unsigned char *src_addr, u8 dtoken,
1374 struct wpa_tdls_lnkid *lnkid,
1375 const struct wpa_tdls_peer *peer)
1376 {
1377 u8 *rbuf, *pos;
1378 size_t buf_len;
1379 struct wpa_tdls_ftie *ftie;
1380 struct wpa_tdls_timeoutie timeoutie;
1381 u32 lifetime;
1382 int status;
1383 u32 peer_capab = 0;
1384
1385 buf_len = 0;
1386 if (wpa_tdls_get_privacy(sm)) {
1387 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1388 * Lifetime */
1389 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1390 sizeof(struct wpa_tdls_timeoutie);
1391 #ifdef CONFIG_TDLS_TESTING
1392 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1393 buf_len += 170;
1394 #endif /* CONFIG_TDLS_TESTING */
1395 }
1396
1397 rbuf = os_zalloc(buf_len + 1);
1398 if (rbuf == NULL)
1399 return -1;
1400 pos = rbuf;
1401
1402 if (!wpa_tdls_get_privacy(sm))
1403 goto skip_ies;
1404
1405 /* Peer RSN IE */
1406 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1407
1408 ftie = (struct wpa_tdls_ftie *) pos;
1409 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1410 /*TODO: ftie->mic_control to set 3-CONFIRM */
1411 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1412 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1413 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1414
1415 pos = (u8 *) (ftie + 1);
1416
1417 #ifdef CONFIG_TDLS_TESTING
1418 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1419 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1420 "FTIE");
1421 ftie->ie_len += 170;
1422 *pos++ = 255; /* FTIE subelem */
1423 *pos++ = 168; /* FTIE subelem length */
1424 pos += 168;
1425 }
1426 #endif /* CONFIG_TDLS_TESTING */
1427
1428 /* Lifetime */
1429 lifetime = peer->lifetime;
1430 #ifdef CONFIG_TDLS_TESTING
1431 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1432 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1433 "lifetime in confirm");
1434 lifetime++;
1435 }
1436 #endif /* CONFIG_TDLS_TESTING */
1437 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1438 sizeof(timeoutie), lifetime);
1439 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1440 lifetime);
1441
1442 /* compute MIC before sending */
1443 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (const u8 *) lnkid, peer->rsnie_p,
1444 peer->rsnie_p_len, (const u8 *) &timeoutie,
1445 (const u8 *) ftie, 2 + ftie->ie_len, ftie->mic);
1446 #ifdef CONFIG_TDLS_TESTING
1447 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1448 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1449 ftie->mic[0] ^= 0x01;
1450 }
1451 #endif /* CONFIG_TDLS_TESTING */
1452
1453 skip_ies:
1454
1455 if (peer->he_capabilities)
1456 peer_capab |= TDLS_PEER_HE;
1457 if (peer->vht_capabilities)
1458 peer_capab |= TDLS_PEER_VHT;
1459 if (peer->ht_capabilities)
1460 peer_capab |= TDLS_PEER_HT;
1461 if (peer->wmm_capable)
1462 peer_capab |= TDLS_PEER_WMM;
1463
1464 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1465 dtoken, 0, peer_capab, peer->initiator,
1466 rbuf, pos - rbuf, -1);
1467 os_free(rbuf);
1468
1469 return status;
1470 }
1471
1472
wpa_tdls_send_discovery_response(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 dialog_token,int link_id)1473 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1474 struct wpa_tdls_peer *peer,
1475 u8 dialog_token, int link_id)
1476 {
1477 size_t buf_len = 0;
1478 struct wpa_tdls_timeoutie timeoutie;
1479 u16 rsn_capab;
1480 u8 *rbuf, *pos, *count_pos;
1481 u16 count;
1482 struct rsn_ie_hdr *hdr;
1483 int status;
1484
1485 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1486 "(peer " MACSTR ")", MAC2STR(peer->addr));
1487 if (!wpa_tdls_get_privacy(sm))
1488 goto skip_rsn_ies;
1489
1490 /* Filling RSN IE */
1491 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1492 hdr->elem_id = WLAN_EID_RSN;
1493 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1494 pos = (u8 *) (hdr + 1);
1495 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1496 pos += RSN_SELECTOR_LEN;
1497 count_pos = pos;
1498 pos += 2;
1499 count = 0;
1500
1501 /*
1502 * AES-CCMP is the default encryption preferred for TDLS, so
1503 * RSN IE is filled only with CCMP cipher suite.
1504 * Note: TKIP is not used to encrypt TDLS link.
1505 *
1506 * Regardless of the cipher used on the AP connection, select CCMP
1507 * here.
1508 */
1509 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1510 pos += RSN_SELECTOR_LEN;
1511 count++;
1512 WPA_PUT_LE16(count_pos, count);
1513 WPA_PUT_LE16(pos, 1);
1514 pos += 2;
1515 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1516 pos += RSN_SELECTOR_LEN;
1517
1518 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1519 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1520 WPA_PUT_LE16(pos, rsn_capab);
1521 pos += 2;
1522 hdr->len = (pos - (u8 *) hdr) - 2;
1523 peer->rsnie_i_len = pos - peer->rsnie_i;
1524
1525 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1526 (u8 *) hdr, hdr->len + 2);
1527 skip_rsn_ies:
1528 buf_len = 0;
1529 if (wpa_tdls_get_privacy(sm)) {
1530 /* Peer RSN IE, Lifetime */
1531 buf_len += peer->rsnie_i_len +
1532 sizeof(struct wpa_tdls_timeoutie);
1533 }
1534 rbuf = os_zalloc(buf_len + 1);
1535 if (rbuf == NULL) {
1536 wpa_tdls_peer_free(sm, peer);
1537 return -1;
1538 }
1539 pos = rbuf;
1540
1541 if (!wpa_tdls_get_privacy(sm))
1542 goto skip_ies;
1543 /* Initiator RSN IE */
1544 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1545 /* Lifetime */
1546 peer->lifetime = TPK_LIFETIME;
1547 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1548 sizeof(timeoutie), peer->lifetime);
1549 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1550 skip_ies:
1551 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1552 dialog_token, 0, 0, 0, rbuf, pos - rbuf,
1553 link_id);
1554 os_free(rbuf);
1555
1556 return status;
1557 }
1558
1559
wpa_tdls_is_lnkid_bss_valid(struct wpa_sm * sm,const struct wpa_tdls_lnkid * lnkid,int * link_id)1560 static bool wpa_tdls_is_lnkid_bss_valid(struct wpa_sm *sm,
1561 const struct wpa_tdls_lnkid *lnkid,
1562 int *link_id)
1563 {
1564 *link_id = -1;
1565
1566 if (!sm->mlo.valid_links) {
1567 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0)
1568 return false;
1569 } else {
1570 int i;
1571
1572 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
1573 if ((sm->mlo.valid_links & BIT(i)) &&
1574 os_memcmp(lnkid->bssid, sm->mlo.links[i].bssid,
1575 ETH_ALEN) == 0) {
1576 *link_id = i;
1577 break;
1578 }
1579 }
1580 if (*link_id < 0) {
1581 wpa_printf(MSG_DEBUG,
1582 "TDLS: MLD link not found for linkid BSS "
1583 MACSTR, MAC2STR(lnkid->bssid));
1584 return false;
1585 }
1586 }
1587
1588 return true;
1589 }
1590
1591
1592 static int
wpa_tdls_process_discovery_request(struct wpa_sm * sm,const u8 * addr,const u8 * buf,size_t len)1593 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1594 const u8 *buf, size_t len)
1595 {
1596 struct wpa_eapol_ie_parse kde;
1597 const struct wpa_tdls_lnkid *lnkid;
1598 struct wpa_tdls_peer *peer;
1599 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1600 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1601 u8 dialog_token;
1602 int link_id = -1;
1603
1604 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1605 MAC2STR(addr));
1606
1607 if (len < min_req_len) {
1608 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1609 "%d", (int) len);
1610 return -1;
1611 }
1612
1613 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1614
1615 /*
1616 * Some APs will tack on a weird IE to the end of a TDLS
1617 * discovery request packet. This needn't fail the response,
1618 * since the required IE are verified separately.
1619 */
1620 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1621 len - (sizeof(struct wpa_tdls_frame) + 1),
1622 &kde) < 0) {
1623 wpa_printf(MSG_DEBUG,
1624 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1625 }
1626
1627 if (!kde.lnkid) {
1628 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1629 "Request");
1630 return -1;
1631 }
1632
1633 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1634
1635 if (!wpa_tdls_is_lnkid_bss_valid(sm, lnkid, &link_id)) {
1636 wpa_printf(MSG_DEBUG,
1637 "TDLS: Discovery Request from different BSS "
1638 MACSTR, MAC2STR(lnkid->bssid));
1639 return -1;
1640 }
1641
1642 peer = wpa_tdls_add_peer(sm, addr, NULL);
1643 if (peer == NULL)
1644 return -1;
1645
1646 return wpa_tdls_send_discovery_response(sm, peer, dialog_token,
1647 link_id);
1648 }
1649
1650
wpa_tdls_send_discovery_request(struct wpa_sm * sm,const u8 * addr)1651 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1652 {
1653 if (sm->tdls_disabled || !sm->tdls_supported)
1654 return -1;
1655
1656 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1657 MACSTR, MAC2STR(addr));
1658 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1659 1, 0, 0, 1, NULL, 0, -1);
1660 }
1661
1662
copy_supp_rates(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1663 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1664 struct wpa_tdls_peer *peer)
1665 {
1666 if (!kde->supp_rates) {
1667 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1668 return -1;
1669 }
1670 peer->supp_rates_len = merge_byte_arrays(
1671 peer->supp_rates, sizeof(peer->supp_rates),
1672 kde->supp_rates + 2, kde->supp_rates_len - 2,
1673 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1674 kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0);
1675 return 0;
1676 }
1677
1678
copy_peer_ht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1679 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1680 struct wpa_tdls_peer *peer)
1681 {
1682 if (!kde->ht_capabilities) {
1683 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1684 "received");
1685 return 0;
1686 }
1687
1688 if (!peer->ht_capabilities) {
1689 peer->ht_capabilities =
1690 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1691 if (peer->ht_capabilities == NULL)
1692 return -1;
1693 }
1694
1695 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1696 sizeof(struct ieee80211_ht_capabilities));
1697 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1698 (u8 *) peer->ht_capabilities,
1699 sizeof(struct ieee80211_ht_capabilities));
1700
1701 return 0;
1702 }
1703
1704
copy_peer_vht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1705 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1706 struct wpa_tdls_peer *peer)
1707 {
1708 if (!kde->vht_capabilities) {
1709 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1710 "received");
1711 return 0;
1712 }
1713
1714 if (!peer->vht_capabilities) {
1715 peer->vht_capabilities =
1716 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1717 if (peer->vht_capabilities == NULL)
1718 return -1;
1719 }
1720
1721 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1722 sizeof(struct ieee80211_vht_capabilities));
1723 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1724 (u8 *) peer->vht_capabilities,
1725 sizeof(struct ieee80211_vht_capabilities));
1726
1727 return 0;
1728 }
1729
1730
copy_peer_he_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1731 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde,
1732 struct wpa_tdls_peer *peer)
1733 {
1734 if (!kde->he_capabilities) {
1735 wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received");
1736 return 0;
1737 }
1738
1739 os_free(peer->he_capabilities);
1740 peer->he_capab_len = 0;
1741 peer->he_capabilities = os_memdup(kde->he_capabilities,
1742 kde->he_capab_len);
1743 if (!peer->he_capabilities)
1744 return -1;
1745
1746 peer->he_capab_len = kde->he_capab_len;
1747 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities",
1748 peer->he_capabilities, peer->he_capab_len);
1749
1750 return 0;
1751 }
1752
1753
copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1754 static int copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse *kde,
1755 struct wpa_tdls_peer *peer)
1756 {
1757 if (!kde->he_6ghz_capabilities) {
1758 wpa_printf(MSG_DEBUG,
1759 "TDLS: No HE 6 GHz band capabilities received");
1760 return 0;
1761 }
1762
1763 if (!peer->he_6ghz_band_capabilities) {
1764 peer->he_6ghz_band_capabilities =
1765 os_zalloc(sizeof(struct ieee80211_he_6ghz_band_cap));
1766 if (peer->he_6ghz_band_capabilities == NULL)
1767 return -1;
1768 }
1769
1770 os_memcpy(peer->he_6ghz_band_capabilities, kde->he_6ghz_capabilities,
1771 sizeof(struct ieee80211_he_6ghz_band_cap));
1772
1773 wpa_hexdump(MSG_DEBUG, "TDLS: Peer 6 GHz band HE capabilities",
1774 peer->he_6ghz_band_capabilities,
1775 sizeof(struct ieee80211_he_6ghz_band_cap));
1776
1777 return 0;
1778 }
1779
1780
copy_peer_ext_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1781 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1782 struct wpa_tdls_peer *peer)
1783 {
1784 if (!kde->ext_capab) {
1785 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1786 "received");
1787 return 0;
1788 }
1789
1790 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1791 /* Need to allocate buffer to fit the new information */
1792 os_free(peer->ext_capab);
1793 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1794 if (peer->ext_capab == NULL)
1795 return -1;
1796 }
1797
1798 peer->ext_capab_len = kde->ext_capab_len - 2;
1799 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1800
1801 return 0;
1802 }
1803
1804
copy_peer_eht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1805 static int copy_peer_eht_capab(const struct wpa_eapol_ie_parse *kde,
1806 struct wpa_tdls_peer *peer)
1807 {
1808 if (!kde->eht_capabilities) {
1809 wpa_printf(MSG_DEBUG, "TDLS: No EHT capabilities received");
1810 return 0;
1811 }
1812
1813 os_free(peer->eht_capabilities);
1814 peer->eht_capab_len = 0;
1815 peer->eht_capabilities = os_memdup(kde->eht_capabilities,
1816 kde->eht_capab_len);
1817 if (!peer->eht_capabilities)
1818 return -1;
1819
1820 peer->eht_capab_len = kde->eht_capab_len;
1821 wpa_hexdump(MSG_DEBUG, "TDLS: Peer EHT capabilities",
1822 peer->eht_capabilities, peer->eht_capab_len);
1823
1824 return 0;
1825 }
1826
1827
copy_peer_wmm_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1828 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1829 struct wpa_tdls_peer *peer)
1830 {
1831 struct wmm_information_element *wmm;
1832
1833 if (!kde->wmm) {
1834 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1835 return 0;
1836 }
1837
1838 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1839 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1840 return -1;
1841 }
1842
1843 wmm = (struct wmm_information_element *) kde->wmm;
1844 peer->qos_info = wmm->qos_info;
1845
1846 peer->wmm_capable = 1;
1847
1848 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1849 return 0;
1850 }
1851
1852
copy_peer_supp_channels(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1853 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1854 struct wpa_tdls_peer *peer)
1855 {
1856 if (!kde->supp_channels) {
1857 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1858 return 0;
1859 }
1860
1861 if (!peer->supp_channels ||
1862 peer->supp_channels_len < kde->supp_channels_len) {
1863 os_free(peer->supp_channels);
1864 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1865 if (peer->supp_channels == NULL)
1866 return -1;
1867 }
1868
1869 peer->supp_channels_len = kde->supp_channels_len;
1870
1871 os_memcpy(peer->supp_channels, kde->supp_channels,
1872 peer->supp_channels_len);
1873 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1874 (u8 *) peer->supp_channels, peer->supp_channels_len);
1875 return 0;
1876 }
1877
1878
copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1879 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1880 struct wpa_tdls_peer *peer)
1881 {
1882 if (!kde->supp_oper_classes) {
1883 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1884 return 0;
1885 }
1886
1887 if (!peer->supp_oper_classes ||
1888 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1889 os_free(peer->supp_oper_classes);
1890 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1891 if (peer->supp_oper_classes == NULL)
1892 return -1;
1893 }
1894
1895 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1896 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1897 peer->supp_oper_classes_len);
1898 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1899 (u8 *) peer->supp_oper_classes,
1900 peer->supp_oper_classes_len);
1901 return 0;
1902 }
1903
1904
wpa_tdls_addset_peer(struct wpa_sm * sm,struct wpa_tdls_peer * peer,int add)1905 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1906 int add)
1907 {
1908 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1909 peer->capability,
1910 peer->supp_rates, peer->supp_rates_len,
1911 peer->ht_capabilities,
1912 peer->vht_capabilities,
1913 peer->he_capabilities,
1914 peer->he_capab_len,
1915 peer->he_6ghz_band_capabilities,
1916 peer->qos_info, peer->wmm_capable,
1917 peer->ext_capab, peer->ext_capab_len,
1918 peer->supp_channels,
1919 peer->supp_channels_len,
1920 peer->supp_oper_classes,
1921 peer->supp_oper_classes_len,
1922 peer->eht_capabilities,
1923 peer->eht_capab_len,
1924 peer->mld_link_id);
1925 }
1926
1927
tdls_nonce_set(const u8 * nonce)1928 static int tdls_nonce_set(const u8 *nonce)
1929 {
1930 int i;
1931
1932 for (i = 0; i < WPA_NONCE_LEN; i++) {
1933 if (nonce[i])
1934 return 1;
1935 }
1936
1937 return 0;
1938 }
1939
1940
wpa_tdls_process_tpk_m1(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)1941 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1942 const u8 *buf, size_t len)
1943 {
1944 struct wpa_tdls_peer *peer;
1945 struct wpa_eapol_ie_parse kde;
1946 struct wpa_ie_data ie;
1947 int cipher;
1948 const u8 *cpos;
1949 struct wpa_tdls_ftie *ftie = NULL;
1950 struct wpa_tdls_timeoutie *timeoutie;
1951 struct wpa_tdls_lnkid *lnkid;
1952 u32 lifetime = 0;
1953 #if 0
1954 struct rsn_ie_hdr *hdr;
1955 u8 *pos;
1956 u16 rsn_capab;
1957 u16 rsn_ver;
1958 #endif
1959 u8 dtoken;
1960 u16 ielen;
1961 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1962 int tdls_prohibited = sm->tdls_prohibited;
1963 int existing_peer = 0;
1964 int link_id = -1;
1965
1966 if (len < 3 + 3)
1967 return -1;
1968
1969 cpos = buf;
1970 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1971
1972 /* driver had already verified the frame format */
1973 dtoken = *cpos++; /* dialog token */
1974
1975 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1976
1977 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1978 if (peer == NULL)
1979 goto error;
1980
1981 /* If found, use existing entry instead of adding a new one;
1982 * how to handle the case where both ends initiate at the
1983 * same time? */
1984 if (existing_peer) {
1985 if (peer->tpk_success) {
1986 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1987 "direct link is enabled - tear down the "
1988 "old link first");
1989 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1990 wpa_tdls_peer_clear(sm, peer);
1991 } else if (peer->initiator) {
1992 /*
1993 * An entry is already present, so check if we already
1994 * sent a TDLS Setup Request. If so, compare MAC
1995 * addresses and let the STA with the lower MAC address
1996 * continue as the initiator. The other negotiation is
1997 * terminated.
1998 */
1999 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
2000 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
2001 "from peer with higher address "
2002 MACSTR, MAC2STR(src_addr));
2003 return -1;
2004 } else {
2005 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
2006 "from peer with lower address "
2007 MACSTR " (terminate previously "
2008 "initiated negotiation",
2009 MAC2STR(src_addr));
2010 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
2011 peer->addr);
2012 wpa_tdls_peer_clear(sm, peer);
2013 }
2014 }
2015 }
2016
2017 /* capability information */
2018 peer->capability = WPA_GET_LE16(cpos);
2019 cpos += 2;
2020
2021 ielen = len - (cpos - buf); /* start of IE in buf */
2022
2023 /*
2024 * Don't reject the message if failing to parse IEs. The IEs we need are
2025 * explicitly checked below. Some APs may add arbitrary padding to the
2026 * end of short TDLS frames and that would look like invalid IEs.
2027 */
2028 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
2029 wpa_printf(MSG_DEBUG,
2030 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
2031
2032 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2033 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2034 "TPK M1");
2035 goto error;
2036 }
2037 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
2038 kde.lnkid, kde.lnkid_len);
2039 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2040
2041 if (!wpa_tdls_is_lnkid_bss_valid(sm, lnkid, &link_id)) {
2042 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS "
2043 MACSTR, MAC2STR(lnkid->bssid));
2044 status = WLAN_STATUS_REQUEST_DECLINED;
2045 goto error;
2046 }
2047
2048 peer->mld_link_id = link_id;
2049 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
2050 MAC2STR(src_addr));
2051
2052 if (copy_supp_rates(&kde, peer) < 0)
2053 goto error;
2054
2055 if (copy_peer_ht_capab(&kde, peer) < 0)
2056 goto error;
2057
2058 if (copy_peer_vht_capab(&kde, peer) < 0 ||
2059 copy_peer_he_capab(&kde, peer) < 0 ||
2060 copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
2061 goto error;
2062
2063 if (copy_peer_eht_capab(&kde, peer) < 0)
2064 goto error;
2065
2066 if (copy_peer_ext_capab(&kde, peer) < 0)
2067 goto error;
2068
2069 if (copy_peer_supp_channels(&kde, peer) < 0)
2070 goto error;
2071
2072 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2073 goto error;
2074
2075 peer->qos_info = kde.qosinfo;
2076
2077 /* Overwrite with the qos_info obtained in WMM IE */
2078 if (copy_peer_wmm_capab(&kde, peer) < 0)
2079 goto error;
2080
2081 peer->aid = kde.aid;
2082
2083 #ifdef CONFIG_TDLS_TESTING
2084 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2085 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
2086 if (peer == NULL)
2087 goto error;
2088 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
2089 "TDLS setup - send own request");
2090 peer->initiator = 1;
2091 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2092 NULL, NULL, 0, NULL, 0, 0, NULL, 0,
2093 NULL, 0, NULL, 0, NULL, 0, link_id);
2094 if (wpa_tdls_send_tpk_m1(sm, peer) == -2) {
2095 peer = NULL;
2096 goto error;
2097 }
2098 }
2099
2100 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2101 tdls_prohibited) {
2102 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2103 "on TDLS");
2104 tdls_prohibited = 0;
2105 }
2106 #endif /* CONFIG_TDLS_TESTING */
2107
2108 if (tdls_prohibited) {
2109 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
2110 status = WLAN_STATUS_REQUEST_DECLINED;
2111 goto error;
2112 }
2113
2114 if (!wpa_tdls_get_privacy(sm)) {
2115 if (kde.rsn_ie) {
2116 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
2117 "security is disabled");
2118 status = WLAN_STATUS_SECURITY_DISABLED;
2119 goto error;
2120 }
2121 goto skip_rsn;
2122 }
2123
2124 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2125 kde.rsn_ie == NULL) {
2126 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
2127 status = WLAN_STATUS_INVALID_PARAMETERS;
2128 goto error;
2129 }
2130
2131 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2132 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
2133 "TPK M1");
2134 status = WLAN_STATUS_INVALID_RSNIE;
2135 goto error;
2136 }
2137
2138 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2139 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
2140 status = WLAN_STATUS_INVALID_RSNIE;
2141 goto error;
2142 }
2143
2144 cipher = ie.pairwise_cipher;
2145 if (cipher & WPA_CIPHER_CCMP) {
2146 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2147 cipher = WPA_CIPHER_CCMP;
2148 } else {
2149 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
2150 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2151 goto error;
2152 }
2153
2154 if ((ie.capabilities &
2155 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
2156 WPA_CAPABILITY_PEERKEY_ENABLED) {
2157 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
2158 "TPK M1");
2159 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
2160 goto error;
2161 }
2162
2163 /* Lifetime */
2164 if (kde.key_lifetime == NULL) {
2165 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
2166 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2167 goto error;
2168 }
2169 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2170 lifetime = WPA_GET_LE32(timeoutie->value);
2171 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
2172 if (lifetime < 300) {
2173 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2174 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2175 goto error;
2176 }
2177
2178 skip_rsn:
2179 #ifdef CONFIG_TDLS_TESTING
2180 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2181 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2182 /*
2183 * The request frame from us is going to win, so do not
2184 * replace information based on this request frame from
2185 * the peer.
2186 */
2187 goto skip_rsn_check;
2188 }
2189 }
2190 #endif /* CONFIG_TDLS_TESTING */
2191
2192 peer->initiator = 0; /* Need to check */
2193 peer->dtoken = dtoken;
2194
2195 if (!wpa_tdls_get_privacy(sm)) {
2196 peer->rsnie_i_len = 0;
2197 peer->rsnie_p_len = 0;
2198 peer->cipher = WPA_CIPHER_NONE;
2199 goto skip_rsn_check;
2200 }
2201
2202 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2203 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2204 peer->rsnie_i_len = kde.rsn_ie_len;
2205 peer->cipher = cipher;
2206
2207 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2208 !tdls_nonce_set(peer->inonce)) {
2209 /*
2210 * There is no point in updating the RNonce for every obtained
2211 * TPK M1 frame (e.g., retransmission due to timeout) with the
2212 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2213 * retransmitted with a different INonce, update the RNonce
2214 * since this is for a new TDLS session.
2215 */
2216 wpa_printf(MSG_DEBUG,
2217 "TDLS: New TPK M1 INonce - generate new RNonce");
2218 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2219 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2220 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2221 "TDLS: Failed to get random data for responder nonce");
2222 goto error;
2223 }
2224 peer->tk_set = 0; /* A new nonce results in a new TK */
2225 }
2226
2227 #if 0
2228 /* get version info from RSNIE received from Peer */
2229 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2230 rsn_ver = WPA_GET_LE16(hdr->version);
2231
2232 /* use min(peer's version, out version) */
2233 if (rsn_ver > RSN_VERSION)
2234 rsn_ver = RSN_VERSION;
2235
2236 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2237
2238 hdr->elem_id = WLAN_EID_RSN;
2239 WPA_PUT_LE16(hdr->version, rsn_ver);
2240 pos = (u8 *) (hdr + 1);
2241
2242 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2243 pos += RSN_SELECTOR_LEN;
2244 /* Include only the selected cipher in pairwise cipher suite */
2245 WPA_PUT_LE16(pos, 1);
2246 pos += 2;
2247 if (cipher == WPA_CIPHER_CCMP)
2248 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2249 pos += RSN_SELECTOR_LEN;
2250
2251 WPA_PUT_LE16(pos, 1);
2252 pos += 2;
2253 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2254 pos += RSN_SELECTOR_LEN;
2255
2256 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2257 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2258 WPA_PUT_LE16(pos, rsn_capab);
2259 pos += 2;
2260
2261 hdr->len = (pos - peer->rsnie_p) - 2;
2262 peer->rsnie_p_len = pos - peer->rsnie_p;
2263 #endif
2264
2265 /* temp fix: validation of RSNIE later */
2266 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2267 peer->rsnie_p_len = peer->rsnie_i_len;
2268
2269 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2270 peer->rsnie_p, peer->rsnie_p_len);
2271
2272 peer->lifetime = lifetime;
2273
2274 if (peer->mld_link_id >= 0)
2275 wpa_printf(MSG_DEBUG, "TDLS: Use link ID %u for TPK derivation",
2276 peer->mld_link_id);
2277 wpa_tdls_generate_tpk(peer, sm->own_addr,
2278 wpa_tdls_get_link_bssid(sm, peer->mld_link_id));
2279
2280 skip_rsn_check:
2281 #ifdef CONFIG_TDLS_TESTING
2282 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2283 goto skip_add_peer;
2284 #endif /* CONFIG_TDLS_TESTING */
2285
2286 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2287 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2288 goto error;
2289
2290 #ifdef CONFIG_TDLS_TESTING
2291 skip_add_peer:
2292 #endif /* CONFIG_TDLS_TESTING */
2293 peer->tpk_in_progress = 1;
2294
2295 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2296 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2297 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2298 goto error;
2299 }
2300
2301 #ifdef CONFIG_TDLS_TESTING
2302 if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) {
2303 wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2");
2304 wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer);
2305 }
2306 #endif /* CONFIG_TDLS_TESTING */
2307
2308 return 0;
2309
2310 error:
2311 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2312 status);
2313 if (peer)
2314 wpa_tdls_peer_free(sm, peer);
2315 return -1;
2316 }
2317
2318
wpa_tdls_enable_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)2319 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2320 {
2321 peer->tpk_success = 1;
2322 peer->tpk_in_progress = 0;
2323 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2324 if (wpa_tdls_get_privacy(sm)) {
2325 u32 lifetime = peer->lifetime;
2326 /*
2327 * Start the initiator process a bit earlier to avoid race
2328 * condition with the responder sending teardown request.
2329 */
2330 if (lifetime > 3 && peer->initiator)
2331 lifetime -= 3;
2332 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2333 sm, peer);
2334 #ifdef CONFIG_TDLS_TESTING
2335 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2336 wpa_printf(MSG_DEBUG,
2337 "TDLS: Testing - disable TPK expiration");
2338 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2339 }
2340 #endif /* CONFIG_TDLS_TESTING */
2341 }
2342
2343 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2344 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2345 "driver");
2346 return -1;
2347 }
2348 peer->reconfig_key = 0;
2349
2350 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2351 }
2352
2353
wpa_tdls_process_tpk_m2(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2354 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2355 const u8 *buf, size_t len)
2356 {
2357 struct wpa_tdls_peer *peer;
2358 struct wpa_eapol_ie_parse kde;
2359 struct wpa_ie_data ie;
2360 int cipher;
2361 struct wpa_tdls_ftie *ftie;
2362 struct wpa_tdls_timeoutie *timeoutie;
2363 struct wpa_tdls_lnkid *lnkid;
2364 u32 lifetime;
2365 u8 dtoken;
2366 int ielen;
2367 u16 status;
2368 const u8 *pos;
2369 int ret = 0;
2370
2371 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2372 "(Peer " MACSTR ")", MAC2STR(src_addr));
2373 for (peer = sm->tdls; peer; peer = peer->next) {
2374 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2375 break;
2376 }
2377 if (peer == NULL) {
2378 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2379 "TPK M2: " MACSTR, MAC2STR(src_addr));
2380 return -1;
2381 }
2382 if (!peer->initiator) {
2383 /*
2384 * This may happen if both devices try to initiate TDLS at the
2385 * same time and we accept the TPK M1 from the peer in
2386 * wpa_tdls_process_tpk_m1() and clear our previous state.
2387 */
2388 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2389 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2390 return -1;
2391 }
2392
2393 if (peer->tpk_success) {
2394 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2395 MACSTR " as TPK M3 was already sent",
2396 MAC2STR(src_addr));
2397 return 0;
2398 }
2399
2400 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2401
2402 if (len < 3 + 2 + 1) {
2403 wpa_tdls_disable_peer_link(sm, peer);
2404 return -1;
2405 }
2406
2407 pos = buf;
2408 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2409 status = WPA_GET_LE16(pos);
2410 pos += 2 /* status code */;
2411
2412 if (status != WLAN_STATUS_SUCCESS) {
2413 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2414 status);
2415 wpa_tdls_disable_peer_link(sm, peer);
2416 return -1;
2417 }
2418
2419 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2420
2421 /* TODO: need to verify dialog token matches here or in kernel */
2422 dtoken = *pos++; /* dialog token */
2423
2424 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2425
2426 if (len < 3 + 2 + 1 + 2) {
2427 wpa_tdls_disable_peer_link(sm, peer);
2428 return -1;
2429 }
2430
2431 /* capability information */
2432 peer->capability = WPA_GET_LE16(pos);
2433 pos += 2;
2434
2435 ielen = len - (pos - buf); /* start of IE in buf */
2436
2437 /*
2438 * Don't reject the message if failing to parse IEs. The IEs we need are
2439 * explicitly checked below. Some APs may add arbitrary padding to the
2440 * end of short TDLS frames and that would look like invalid IEs.
2441 */
2442 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2443 wpa_printf(MSG_DEBUG,
2444 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2445
2446 #ifdef CONFIG_TDLS_TESTING
2447 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2448 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2449 status = WLAN_STATUS_REQUEST_DECLINED;
2450 goto error;
2451 }
2452 #endif /* CONFIG_TDLS_TESTING */
2453
2454 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2455 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2456 "TPK M2");
2457 goto error;
2458 }
2459 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2460 kde.lnkid, kde.lnkid_len);
2461 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2462
2463 if (os_memcmp(sm->bssid, wpa_tdls_get_link_bssid(sm, peer->mld_link_id),
2464 ETH_ALEN) != 0) {
2465 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2466 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2467 goto error;
2468 }
2469
2470 if (copy_supp_rates(&kde, peer) < 0)
2471 goto error;
2472
2473 if (copy_peer_ht_capab(&kde, peer) < 0)
2474 goto error;
2475
2476 if (copy_peer_vht_capab(&kde, peer) < 0 ||
2477 copy_peer_he_capab(&kde, peer) < 0 ||
2478 copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
2479 goto error;
2480
2481 if (copy_peer_eht_capab(&kde, peer) < 0)
2482 goto error;
2483
2484 if (copy_peer_ext_capab(&kde, peer) < 0)
2485 goto error;
2486
2487 if (copy_peer_supp_channels(&kde, peer) < 0)
2488 goto error;
2489
2490 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2491 goto error;
2492
2493 peer->qos_info = kde.qosinfo;
2494
2495 /* Overwrite with the qos_info obtained in WMM IE */
2496 if (copy_peer_wmm_capab(&kde, peer) < 0)
2497 goto error;
2498
2499 peer->aid = kde.aid;
2500
2501 if (!wpa_tdls_get_privacy(sm)) {
2502 peer->rsnie_p_len = 0;
2503 peer->cipher = WPA_CIPHER_NONE;
2504 goto skip_rsn;
2505 }
2506
2507 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2508 kde.rsn_ie == NULL) {
2509 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2510 status = WLAN_STATUS_INVALID_PARAMETERS;
2511 goto error;
2512 }
2513 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2514 kde.rsn_ie, kde.rsn_ie_len);
2515
2516 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2517 wpa_printf(MSG_INFO,
2518 "TDLS: Too long Responder RSN IE in TPK M2");
2519 status = WLAN_STATUS_INVALID_RSNIE;
2520 goto error;
2521 }
2522
2523 /*
2524 * FIX: bitwise comparison of RSN IE is not the correct way of
2525 * validation this. It can be different, but certain fields must
2526 * match. Since we list only a single pairwise cipher in TPK M1, the
2527 * memcmp is likely to work in most cases, though.
2528 */
2529 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2530 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2531 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2532 "not match with RSN IE used in TPK M1");
2533 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2534 peer->rsnie_i, peer->rsnie_i_len);
2535 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2536 kde.rsn_ie, kde.rsn_ie_len);
2537 status = WLAN_STATUS_INVALID_RSNIE;
2538 goto error;
2539 }
2540
2541 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2542 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2543 status = WLAN_STATUS_INVALID_RSNIE;
2544 goto error;
2545 }
2546
2547 cipher = ie.pairwise_cipher;
2548 if (cipher == WPA_CIPHER_CCMP) {
2549 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2550 cipher = WPA_CIPHER_CCMP;
2551 } else {
2552 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2553 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2554 goto error;
2555 }
2556
2557 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2558 kde.ftie, sizeof(*ftie));
2559 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2560
2561 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2562 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2563 "not match with FTIE SNonce used in TPK M1");
2564 /* Silently discard the frame */
2565 return -1;
2566 }
2567
2568 /* Responder Nonce and RSN IE */
2569 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2570 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2571 peer->rsnie_p_len = kde.rsn_ie_len;
2572 peer->cipher = cipher;
2573
2574 /* Lifetime */
2575 if (kde.key_lifetime == NULL) {
2576 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2577 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2578 goto error;
2579 }
2580 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2581 lifetime = WPA_GET_LE32(timeoutie->value);
2582 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2583 lifetime);
2584 if (lifetime != peer->lifetime) {
2585 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2586 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2587 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2588 goto error;
2589 }
2590
2591 if (peer->mld_link_id >= 0)
2592 wpa_printf(MSG_DEBUG, "TDLS: Use link ID %u for TPK derivation",
2593 peer->mld_link_id);
2594 wpa_tdls_generate_tpk(peer, sm->own_addr,
2595 wpa_tdls_get_link_bssid(sm, peer->mld_link_id));
2596
2597 /* Process MIC check to see if TPK M2 is right */
2598 if (wpa_supplicant_verify_tdls_mic(2, peer, (const u8 *) lnkid,
2599 (const u8 *) timeoutie, ftie,
2600 kde.ftie_len) < 0) {
2601 /* Discard the frame */
2602 wpa_tdls_del_key(sm, peer);
2603 wpa_tdls_disable_peer_link(sm, peer);
2604 return -1;
2605 }
2606
2607 if (wpa_tdls_set_key(sm, peer) < 0) {
2608 /*
2609 * Some drivers may not be able to config the key prior to full
2610 * STA entry having been configured.
2611 */
2612 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2613 "STA entry is complete");
2614 peer->reconfig_key = 1;
2615 }
2616
2617 skip_rsn:
2618 peer->dtoken = dtoken;
2619
2620 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2621 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2622 goto error;
2623
2624 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2625 "TPK Handshake Message 3");
2626 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2627 goto error_no_msg;
2628
2629 if (!peer->tpk_success) {
2630 /*
2631 * Enable Link only when tpk_success is 0, signifying that this
2632 * processing of TPK M2 frame is not because of a retransmission
2633 * during TDLS setup handshake.
2634 */
2635 ret = wpa_tdls_enable_link(sm, peer);
2636 if (ret < 0) {
2637 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2638 wpa_tdls_do_teardown(
2639 sm, peer,
2640 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2641 }
2642 }
2643 return ret;
2644
2645 error:
2646 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2647 status);
2648 error_no_msg:
2649 wpa_tdls_disable_peer_link(sm, peer);
2650 return -1;
2651 }
2652
2653
wpa_tdls_process_tpk_m3(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2654 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2655 const u8 *buf, size_t len)
2656 {
2657 struct wpa_tdls_peer *peer;
2658 struct wpa_eapol_ie_parse kde;
2659 struct wpa_tdls_ftie *ftie;
2660 struct wpa_tdls_timeoutie *timeoutie;
2661 struct wpa_tdls_lnkid *lnkid;
2662 int ielen;
2663 u16 status;
2664 const u8 *pos;
2665 u32 lifetime;
2666 int ret = 0;
2667
2668 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2669 "(Peer " MACSTR ")", MAC2STR(src_addr));
2670 for (peer = sm->tdls; peer; peer = peer->next) {
2671 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2672 break;
2673 }
2674 if (peer == NULL) {
2675 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2676 "TPK M3: " MACSTR, MAC2STR(src_addr));
2677 return -1;
2678 }
2679 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2680
2681 if (len < 3 + 3)
2682 goto error;
2683 pos = buf;
2684 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2685
2686 status = WPA_GET_LE16(pos);
2687
2688 if (status != 0) {
2689 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2690 status);
2691 goto error;
2692 }
2693 pos += 2 /* status code */ + 1 /* dialog token */;
2694
2695 ielen = len - (pos - buf); /* start of IE in buf */
2696
2697 /*
2698 * Don't reject the message if failing to parse IEs. The IEs we need are
2699 * explicitly checked below. Some APs piggy-back broken IEs to the end
2700 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2701 * this error.
2702 */
2703 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2704 wpa_printf(MSG_DEBUG,
2705 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2706 }
2707
2708 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2709 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2710 goto error;
2711 }
2712 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2713 (u8 *) kde.lnkid, kde.lnkid_len);
2714 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2715
2716 if (os_memcmp(wpa_tdls_get_link_bssid(sm, peer->mld_link_id),
2717 lnkid->bssid, ETH_ALEN) != 0) {
2718 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2719 goto error;
2720 }
2721
2722 if (!wpa_tdls_get_privacy(sm))
2723 goto skip_rsn;
2724
2725 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2726 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2727 goto error;
2728 }
2729 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2730 kde.ftie, sizeof(*ftie));
2731 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2732
2733 if (kde.rsn_ie == NULL) {
2734 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2735 goto error;
2736 }
2737 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2738 kde.rsn_ie, kde.rsn_ie_len);
2739 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2740 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2741 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2742 "with the one sent in TPK M2");
2743 goto error;
2744 }
2745
2746 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2747 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2748 "not match with FTIE ANonce used in TPK M2");
2749 goto error;
2750 }
2751
2752 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2753 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2754 "match with FTIE SNonce used in TPK M1");
2755 goto error;
2756 }
2757
2758 if (kde.key_lifetime == NULL) {
2759 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2760 goto error;
2761 }
2762 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2763 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2764 (u8 *) timeoutie, sizeof(*timeoutie));
2765 lifetime = WPA_GET_LE32(timeoutie->value);
2766 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2767 lifetime);
2768 if (lifetime != peer->lifetime) {
2769 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2770 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2771 goto error;
2772 }
2773
2774 if (wpa_supplicant_verify_tdls_mic(3, peer, (const u8 *) lnkid,
2775 (const u8 *) timeoutie, ftie,
2776 kde.ftie_len) < 0) {
2777 wpa_tdls_del_key(sm, peer);
2778 goto error;
2779 }
2780
2781 if (wpa_tdls_set_key(sm, peer) < 0) {
2782 /*
2783 * Some drivers may not be able to config the key prior to full
2784 * STA entry having been configured.
2785 */
2786 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2787 "STA entry is complete");
2788 peer->reconfig_key = 1;
2789 }
2790
2791 skip_rsn:
2792 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2793 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2794 goto error;
2795
2796 if (!peer->tpk_success) {
2797 /*
2798 * Enable Link only when tpk_success is 0, signifying that this
2799 * processing of TPK M3 frame is not because of a retransmission
2800 * during TDLS setup handshake.
2801 */
2802 ret = wpa_tdls_enable_link(sm, peer);
2803 if (ret < 0) {
2804 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2805 goto error;
2806 }
2807 }
2808 return ret;
2809 error:
2810 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2811 return -1;
2812 }
2813
2814
wpa_add_tdls_timeoutie(u8 * pos,u8 * ie,size_t ie_len,u32 tsecs)2815 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2816 {
2817 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2818
2819 os_memset(lifetime, 0, ie_len);
2820 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2821 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2822 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2823 WPA_PUT_LE32(lifetime->value, tsecs);
2824 os_memcpy(pos, ie, ie_len);
2825 return pos + ie_len;
2826 }
2827
2828
2829 /**
2830 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2831 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2832 * @peer: MAC address of the peer STA
2833 * Returns: 0 on success, or -1 on failure
2834 *
2835 * Send TPK Handshake Message 1 info to driver to start TDLS
2836 * handshake with the peer.
2837 */
wpa_tdls_start(struct wpa_sm * sm,const u8 * addr)2838 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2839 {
2840 struct wpa_tdls_peer *peer;
2841 int tdls_prohibited = sm->tdls_prohibited;
2842 int res;
2843
2844 if (sm->tdls_disabled || !sm->tdls_supported)
2845 return -1;
2846
2847 #ifdef CONFIG_TDLS_TESTING
2848 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2849 tdls_prohibited) {
2850 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2851 "on TDLS");
2852 tdls_prohibited = 0;
2853 }
2854 #endif /* CONFIG_TDLS_TESTING */
2855
2856 if (tdls_prohibited) {
2857 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2858 "reject request to start setup");
2859 return -1;
2860 }
2861
2862 peer = wpa_tdls_add_peer(sm, addr, NULL);
2863 if (peer == NULL)
2864 return -1;
2865
2866 if (peer->tpk_in_progress) {
2867 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2868 return 0;
2869 }
2870
2871 peer->initiator = 1;
2872
2873 /* add the peer to the driver as a "setup in progress" peer */
2874 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2875 NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0,
2876 NULL, 0, NULL, 0, peer->mld_link_id)) {
2877 wpa_tdls_disable_peer_link(sm, peer);
2878 return -1;
2879 }
2880
2881 peer->tpk_in_progress = 1;
2882
2883 res = wpa_tdls_send_tpk_m1(sm, peer);
2884 if (res < 0) {
2885 if (res != -2)
2886 wpa_tdls_disable_peer_link(sm, peer);
2887 return -1;
2888 }
2889
2890 return 0;
2891 }
2892
2893
wpa_tdls_remove(struct wpa_sm * sm,const u8 * addr)2894 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2895 {
2896 struct wpa_tdls_peer *peer;
2897
2898 if (sm->tdls_disabled || !sm->tdls_supported)
2899 return;
2900
2901 for (peer = sm->tdls; peer; peer = peer->next) {
2902 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2903 break;
2904 }
2905
2906 if (peer == NULL || !peer->tpk_success)
2907 return;
2908
2909 if (sm->tdls_external_setup) {
2910 /*
2911 * Disable previous link to allow renegotiation to be completed
2912 * on AP path.
2913 */
2914 wpa_tdls_do_teardown(sm, peer,
2915 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2916 }
2917 }
2918
2919
2920 /**
2921 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2922 *
2923 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2924 */
wpa_supplicant_rx_tdls(void * ctx,const u8 * src_addr,const u8 * buf,size_t len)2925 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2926 const u8 *buf, size_t len)
2927 {
2928 struct wpa_sm *sm = ctx;
2929 struct wpa_tdls_frame *tf;
2930
2931 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2932 buf, len);
2933
2934 if (sm->tdls_disabled || !sm->tdls_supported) {
2935 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2936 "or unsupported by driver");
2937 return;
2938 }
2939
2940 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2941 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2942 return;
2943 }
2944
2945 if (len < sizeof(*tf)) {
2946 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2947 return;
2948 }
2949
2950 /* Check to make sure its a valid encapsulated TDLS frame */
2951 tf = (struct wpa_tdls_frame *) buf;
2952 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2953 tf->category != WLAN_ACTION_TDLS) {
2954 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2955 "category=%u action=%u",
2956 tf->payloadtype, tf->category, tf->action);
2957 return;
2958 }
2959
2960 switch (tf->action) {
2961 case WLAN_TDLS_SETUP_REQUEST:
2962 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2963 break;
2964 case WLAN_TDLS_SETUP_RESPONSE:
2965 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2966 break;
2967 case WLAN_TDLS_SETUP_CONFIRM:
2968 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2969 break;
2970 case WLAN_TDLS_TEARDOWN:
2971 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2972 break;
2973 case WLAN_TDLS_DISCOVERY_REQUEST:
2974 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2975 break;
2976 default:
2977 /* Kernel code will process remaining frames */
2978 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2979 tf->action);
2980 break;
2981 }
2982 }
2983
2984
2985 /**
2986 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2987 * @wpa_s: Pointer to wpa_supplicant data
2988 * Returns: 0 on success, -1 on failure
2989 *
2990 * This function is called to initialize driver interface parameters for TDLS.
2991 * wpa_drv_init() must have been called before this function to initialize the
2992 * driver interface.
2993 */
wpa_tdls_init(struct wpa_sm * sm)2994 int wpa_tdls_init(struct wpa_sm *sm)
2995 {
2996 if (sm == NULL)
2997 return -1;
2998
2999 if (sm->l2_tdls) {
3000 l2_packet_deinit(sm->l2_tdls);
3001 sm->l2_tdls = NULL;
3002 }
3003
3004 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
3005 sm->ifname,
3006 sm->own_addr,
3007 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
3008 sm, 0);
3009 if (sm->l2_tdls == NULL) {
3010 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
3011 "connection");
3012 return -1;
3013 }
3014
3015 /*
3016 * Drivers that support TDLS but don't implement the get_capa callback
3017 * are assumed to perform everything internally
3018 */
3019 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
3020 &sm->tdls_external_setup,
3021 &sm->tdls_chan_switch) < 0) {
3022 sm->tdls_supported = 1;
3023 sm->tdls_external_setup = 0;
3024 }
3025
3026 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
3027 "driver", sm->tdls_supported ? "" : " not");
3028 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
3029 sm->tdls_external_setup ? "external" : "internal");
3030 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
3031 sm->tdls_chan_switch ? "supports" : "does not support");
3032
3033 return 0;
3034 }
3035
3036
wpa_tdls_teardown_peers(struct wpa_sm * sm)3037 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
3038 {
3039 struct wpa_tdls_peer *peer, *tmp;
3040
3041 if (!sm)
3042 return;
3043 peer = sm->tdls;
3044
3045 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
3046
3047 while (peer) {
3048 tmp = peer->next;
3049 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
3050 MAC2STR(peer->addr));
3051 if (sm->tdls_external_setup)
3052 wpa_tdls_do_teardown(sm, peer,
3053 WLAN_REASON_DEAUTH_LEAVING);
3054 else
3055 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
3056
3057 peer = tmp;
3058 }
3059 }
3060
3061
wpa_tdls_remove_peers(struct wpa_sm * sm)3062 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
3063 {
3064 struct wpa_tdls_peer *peer, *tmp;
3065
3066 peer = sm->tdls;
3067
3068 while (peer) {
3069 int res;
3070 tmp = peer->next;
3071 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
3072 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
3073 MAC2STR(peer->addr), res);
3074 wpa_tdls_peer_free(sm, peer);
3075 peer = tmp;
3076 }
3077 }
3078
3079
3080 /**
3081 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
3082 *
3083 * This function is called to recover driver interface parameters for TDLS
3084 * and frees resources allocated for it.
3085 */
wpa_tdls_deinit(struct wpa_sm * sm)3086 void wpa_tdls_deinit(struct wpa_sm *sm)
3087 {
3088 if (sm == NULL)
3089 return;
3090
3091 if (sm->l2_tdls)
3092 l2_packet_deinit(sm->l2_tdls);
3093 sm->l2_tdls = NULL;
3094
3095 wpa_tdls_remove_peers(sm);
3096 }
3097
3098
wpa_tdls_assoc(struct wpa_sm * sm)3099 void wpa_tdls_assoc(struct wpa_sm *sm)
3100 {
3101 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
3102 wpa_tdls_remove_peers(sm);
3103 }
3104
3105
wpa_tdls_disassoc(struct wpa_sm * sm)3106 void wpa_tdls_disassoc(struct wpa_sm *sm)
3107 {
3108 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
3109 wpa_tdls_remove_peers(sm);
3110 }
3111
3112
wpa_tdls_prohibited(struct ieee802_11_elems * elems)3113 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
3114 {
3115 /* bit 38 - TDLS Prohibited */
3116 return !!(elems->ext_capab[4] & 0x40);
3117 }
3118
3119
wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems * elems)3120 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
3121 {
3122 /* bit 39 - TDLS Channel Switch Prohibited */
3123 return !!(elems->ext_capab[4] & 0x80);
3124 }
3125
3126
wpa_tdls_ap_ies(struct wpa_sm * sm,const u8 * ies,size_t len)3127 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3128 {
3129 struct ieee802_11_elems elems;
3130
3131 sm->tdls_prohibited = 0;
3132 sm->tdls_chan_switch_prohibited = 0;
3133
3134 if (ies == NULL ||
3135 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3136 elems.ext_capab == NULL || elems.ext_capab_len < 5)
3137 return;
3138
3139 sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
3140 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
3141 sm->tdls_prohibited ? "prohibited" : "allowed");
3142 sm->tdls_chan_switch_prohibited =
3143 wpa_tdls_chan_switch_prohibited(&elems);
3144 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
3145 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
3146 }
3147
3148
wpa_tdls_assoc_resp_ies(struct wpa_sm * sm,const u8 * ies,size_t len)3149 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3150 {
3151 struct ieee802_11_elems elems;
3152
3153 if (ies == NULL ||
3154 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3155 elems.ext_capab == NULL || elems.ext_capab_len < 5)
3156 return;
3157
3158 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
3159 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
3160 "(Re)Association Response IEs");
3161 sm->tdls_prohibited = 1;
3162 }
3163
3164 if (!sm->tdls_chan_switch_prohibited &&
3165 wpa_tdls_chan_switch_prohibited(&elems)) {
3166 wpa_printf(MSG_DEBUG,
3167 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
3168 sm->tdls_chan_switch_prohibited = 1;
3169 }
3170 }
3171
3172
wpa_tdls_enable(struct wpa_sm * sm,int enabled)3173 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
3174 {
3175 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
3176 sm->tdls_disabled = !enabled;
3177 }
3178
3179
wpa_tdls_is_external_setup(struct wpa_sm * sm)3180 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
3181 {
3182 return sm->tdls_external_setup;
3183 }
3184
3185
wpa_tdls_process_discovery_response(struct wpa_sm * sm,const u8 * addr,const u8 * buf,size_t len)3186 int wpa_tdls_process_discovery_response(struct wpa_sm *sm, const u8 *addr,
3187 const u8 *buf, size_t len)
3188 {
3189 struct ieee802_11_elems elems;
3190 struct wpa_tdls_lnkid lnkid;
3191 struct wpa_tdls_peer *peer;
3192 size_t min_req_len = 1 /* Dialog Token */ + 2 /* Capability */ +
3193 sizeof(struct wpa_tdls_lnkid);
3194 int link_id = -1;
3195
3196 wpa_printf(MSG_DEBUG, "TDLS: Process Discovery Response from " MACSTR,
3197 MAC2STR(addr));
3198
3199 if (len < min_req_len) {
3200 wpa_printf(MSG_DEBUG, "TDLS Discovery Resp is too short: %zu",
3201 len);
3202 return -1;
3203 }
3204
3205 /* Elements start after the three octets of fixed field (one octet for
3206 * the Dialog Token field and two octets for the Capability field. */
3207 if (ieee802_11_parse_elems(buf + 3, len - 3, &elems, 1) ==
3208 ParseFailed) {
3209 wpa_printf(MSG_DEBUG,
3210 "TDLS: Failed to parse IEs in Discovery Response");
3211 return -1;
3212 }
3213
3214 if (!elems.link_id) {
3215 wpa_printf(MSG_DEBUG,
3216 "TDLS: Link Identifier element not found in Discovery Response");
3217 return -1;
3218 }
3219
3220 os_memcpy(&lnkid.bssid[0], elems.link_id, sizeof(lnkid) - 2);
3221
3222 if (!wpa_tdls_is_lnkid_bss_valid(sm, &lnkid, &link_id)) {
3223 wpa_printf(MSG_DEBUG,
3224 "TDLS: Discovery Response from different BSS "
3225 MACSTR, MAC2STR(lnkid.bssid));
3226 return -1;
3227 }
3228
3229 peer = wpa_tdls_add_peer(sm, addr, NULL);
3230 if (!peer) {
3231 wpa_printf(MSG_DEBUG, "TDLS: Could not add peer entry");
3232 return -1;
3233 }
3234
3235 peer->mld_link_id = link_id;
3236 wpa_printf(MSG_DEBUG, "TDLS: Link identifier BSS: " MACSTR
3237 " , link id: %u", MAC2STR(lnkid.bssid), link_id);
3238
3239 return 0;
3240 }
3241
3242
wpa_tdls_enable_chan_switch(struct wpa_sm * sm,const u8 * addr,u8 oper_class,struct hostapd_freq_params * freq_params)3243 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
3244 u8 oper_class,
3245 struct hostapd_freq_params *freq_params)
3246 {
3247 struct wpa_tdls_peer *peer;
3248 int ret;
3249
3250 if (sm->tdls_disabled || !sm->tdls_supported)
3251 return -1;
3252
3253 if (!sm->tdls_chan_switch) {
3254 wpa_printf(MSG_DEBUG,
3255 "TDLS: Channel switching not supported by the driver");
3256 return -1;
3257 }
3258
3259 if (sm->tdls_chan_switch_prohibited) {
3260 wpa_printf(MSG_DEBUG,
3261 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3262 return -1;
3263 }
3264
3265 for (peer = sm->tdls; peer; peer = peer->next) {
3266 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3267 break;
3268 }
3269
3270 if (peer == NULL || !peer->tpk_success) {
3271 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
3272 " not found for channel switching", MAC2STR(addr));
3273 return -1;
3274 }
3275
3276 if (peer->chan_switch_enabled) {
3277 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
3278 " already has channel switching enabled",
3279 MAC2STR(addr));
3280 return 0;
3281 }
3282
3283 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3284 oper_class, freq_params);
3285 if (!ret)
3286 peer->chan_switch_enabled = 1;
3287
3288 return ret;
3289 }
3290
3291
wpa_tdls_disable_chan_switch(struct wpa_sm * sm,const u8 * addr)3292 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3293 {
3294 struct wpa_tdls_peer *peer;
3295
3296 if (sm->tdls_disabled || !sm->tdls_supported)
3297 return -1;
3298
3299 for (peer = sm->tdls; peer; peer = peer->next) {
3300 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3301 break;
3302 }
3303
3304 if (!peer || !peer->chan_switch_enabled) {
3305 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3306 MACSTR, MAC2STR(addr));
3307 return -1;
3308 }
3309
3310 /* ignore the return value */
3311 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3312
3313 peer->chan_switch_enabled = 0;
3314 return 0;
3315 }
3316