1 /*
2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "crypto/sha256.h"
16 #include "crypto/crypto.h"
17 #include "crypto/aes_wrap.h"
18 #include "rsn_supp/wpa.h"
19 #include "rsn_supp/wpa_ie.h"
20 #include "rsn_supp/wpa_i.h"
21 #include "drivers/driver.h"
22 #include "l2_packet/l2_packet.h"
23
24 #ifdef CONFIG_TDLS_TESTING
25 #define TDLS_TESTING_LONG_FRAME BIT(0)
26 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
27 #define TDLS_TESTING_DIFF_BSSID BIT(2)
28 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
29 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
30 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
31 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
32 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
33 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
34 #define TDLS_TESTING_DECLINE_RESP BIT(9)
35 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
36 #define TDLS_TESTING_WRONG_MIC BIT(11)
37 unsigned int tdls_testing = 0;
38 #endif /* CONFIG_TDLS_TESTING */
39
40 #define TPK_LIFETIME 43200 /* 12 hours */
41 #define TPK_M1_RETRY_COUNT 3
42 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
43 #define TPK_M2_RETRY_COUNT 10
44 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
45
46 #define TDLS_MIC_LEN 16
47
48 #define TDLS_TIMEOUT_LEN 4
49
50 struct wpa_tdls_ftie {
51 u8 ie_type; /* FTIE */
52 u8 ie_len;
53 u8 mic_ctrl[2];
54 u8 mic[TDLS_MIC_LEN];
55 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
56 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
57 /* followed by optional elements */
58 } STRUCT_PACKED;
59
60 struct wpa_tdls_timeoutie {
61 u8 ie_type; /* Timeout IE */
62 u8 ie_len;
63 u8 interval_type;
64 u8 value[TDLS_TIMEOUT_LEN];
65 } STRUCT_PACKED;
66
67 struct wpa_tdls_lnkid {
68 u8 ie_type; /* Link Identifier IE */
69 u8 ie_len;
70 u8 bssid[ETH_ALEN];
71 u8 init_sta[ETH_ALEN];
72 u8 resp_sta[ETH_ALEN];
73 } STRUCT_PACKED;
74
75 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
76 struct wpa_tdls_frame {
77 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
78 u8 category; /* Category */
79 u8 action; /* Action (enum tdls_frame_type) */
80 } STRUCT_PACKED;
81
82 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
83 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
84 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
85 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
86 struct wpa_tdls_peer *peer);
87 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
88 u16 reason_code);
89
90
91 #define TDLS_MAX_IE_LEN 80
92 #define IEEE80211_MAX_SUPP_RATES 32
93
94 struct wpa_tdls_peer {
95 struct wpa_tdls_peer *next;
96 unsigned int reconfig_key:1;
97 int initiator; /* whether this end was initiator for TDLS setup */
98 u8 addr[ETH_ALEN]; /* other end MAC address */
99 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
100 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
101 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
102 size_t rsnie_i_len;
103 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
104 size_t rsnie_p_len;
105 u32 lifetime;
106 int cipher; /* Selected cipher (WPA_CIPHER_*) */
107 u8 dtoken;
108
109 struct tpk {
110 u8 kck[16]; /* TPK-KCK */
111 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
112 } tpk;
113 int tpk_set;
114 int tpk_success;
115 int tpk_in_progress;
116
117 struct tpk_timer {
118 u8 dest[ETH_ALEN];
119 int count; /* Retry Count */
120 int timer; /* Timeout in milliseconds */
121 u8 action_code; /* TDLS frame type */
122 u8 dialog_token;
123 u16 status_code;
124 u32 peer_capab;
125 int buf_len; /* length of TPK message for retransmission */
126 u8 *buf; /* buffer for TPK message */
127 } sm_tmr;
128
129 u16 capability;
130
131 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
132 size_t supp_rates_len;
133
134 struct ieee80211_ht_capabilities *ht_capabilities;
135 struct ieee80211_vht_capabilities *vht_capabilities;
136
137 u8 qos_info;
138
139 u16 aid;
140
141 u8 *ext_capab;
142 size_t ext_capab_len;
143
144 u8 *supp_channels;
145 size_t supp_channels_len;
146
147 u8 *supp_oper_classes;
148 size_t supp_oper_classes_len;
149
150 u8 wmm_capable;
151 };
152
153
wpa_tdls_get_privacy(struct wpa_sm * sm)154 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
155 {
156 /*
157 * Get info needed from supplicant to check if the current BSS supports
158 * security. Other than OPEN mode, rest are considered secured
159 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
160 */
161 return sm->pairwise_cipher != WPA_CIPHER_NONE;
162 }
163
164
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)165 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
166 {
167 os_memcpy(pos, ie, ie_len);
168 return pos + ie_len;
169 }
170
171
wpa_tdls_del_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)172 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
173 {
174 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
175 0, 0, NULL, 0, NULL, 0) < 0) {
176 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
177 "the driver");
178 return -1;
179 }
180
181 return 0;
182 }
183
184
wpa_tdls_set_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)185 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
186 {
187 u8 key_len;
188 u8 rsc[6];
189 enum wpa_alg alg;
190
191 os_memset(rsc, 0, 6);
192
193 switch (peer->cipher) {
194 case WPA_CIPHER_CCMP:
195 alg = WPA_ALG_CCMP;
196 key_len = 16;
197 break;
198 case WPA_CIPHER_NONE:
199 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
200 "NONE - do not use pairwise keys");
201 return -1;
202 default:
203 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
204 sm->pairwise_cipher);
205 return -1;
206 }
207
208 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
209 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
210 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
211 "driver");
212 return -1;
213 }
214 return 0;
215 }
216
217
wpa_tdls_send_tpk_msg(struct wpa_sm * sm,const u8 * dst,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,const u8 * buf,size_t len)218 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
219 u8 action_code, u8 dialog_token,
220 u16 status_code, u32 peer_capab,
221 const u8 *buf, size_t len)
222 {
223 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
224 status_code, peer_capab, buf, len);
225 }
226
227
wpa_tdls_tpk_send(struct wpa_sm * sm,const u8 * dest,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,const u8 * msg,size_t msg_len)228 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
229 u8 dialog_token, u16 status_code, u32 peer_capab,
230 const u8 *msg, size_t msg_len)
231 {
232 struct wpa_tdls_peer *peer;
233
234 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
235 "dialog_token=%u status_code=%u peer_capab=%u msg_len=%u",
236 MAC2STR(dest), action_code, dialog_token, status_code,
237 peer_capab, (unsigned int) msg_len);
238
239 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
240 status_code, peer_capab, msg, msg_len)) {
241 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
242 "(action_code=%u)", action_code);
243 return -1;
244 }
245
246 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
247 action_code == WLAN_TDLS_TEARDOWN ||
248 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
249 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
250 return 0; /* No retries */
251
252 for (peer = sm->tdls; peer; peer = peer->next) {
253 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
254 break;
255 }
256
257 if (peer == NULL) {
258 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
259 "retry " MACSTR, MAC2STR(dest));
260 return 0;
261 }
262
263 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
264
265 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
266 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
267 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
268 } else {
269 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
270 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
271 }
272
273 /* Copy message to resend on timeout */
274 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
275 peer->sm_tmr.action_code = action_code;
276 peer->sm_tmr.dialog_token = dialog_token;
277 peer->sm_tmr.status_code = status_code;
278 peer->sm_tmr.peer_capab = peer_capab;
279 peer->sm_tmr.buf_len = msg_len;
280 os_free(peer->sm_tmr.buf);
281 peer->sm_tmr.buf = os_malloc(msg_len);
282 if (peer->sm_tmr.buf == NULL)
283 return -1;
284 os_memcpy(peer->sm_tmr.buf, msg, msg_len);
285
286 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
287 "(action_code=%u)", action_code);
288 eloop_register_timeout(peer->sm_tmr.timer / 1000,
289 (peer->sm_tmr.timer % 1000) * 1000,
290 wpa_tdls_tpk_retry_timeout, sm, peer);
291 return 0;
292 }
293
294
wpa_tdls_do_teardown(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u16 reason_code)295 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
296 u16 reason_code)
297 {
298 int ret;
299
300 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
301 /* disable the link after teardown was sent */
302 wpa_tdls_disable_peer_link(sm, peer);
303
304 return ret;
305 }
306
307
wpa_tdls_tpk_retry_timeout(void * eloop_ctx,void * timeout_ctx)308 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
309 {
310
311 struct wpa_sm *sm = eloop_ctx;
312 struct wpa_tdls_peer *peer = timeout_ctx;
313
314 if (peer->sm_tmr.count) {
315 peer->sm_tmr.count--;
316
317 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
318 "(action_code=%u)",
319 peer->sm_tmr.action_code);
320
321 if (peer->sm_tmr.buf == NULL) {
322 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
323 "for action_code=%u",
324 peer->sm_tmr.action_code);
325 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
326 peer);
327 return;
328 }
329
330 /* resend TPK Handshake Message to Peer */
331 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
332 peer->sm_tmr.action_code,
333 peer->sm_tmr.dialog_token,
334 peer->sm_tmr.status_code,
335 peer->sm_tmr.peer_capab,
336 peer->sm_tmr.buf,
337 peer->sm_tmr.buf_len)) {
338 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
339 "transmission");
340 }
341
342 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
343 eloop_register_timeout(peer->sm_tmr.timer / 1000,
344 (peer->sm_tmr.timer % 1000) * 1000,
345 wpa_tdls_tpk_retry_timeout, sm, peer);
346 } else {
347 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
348
349 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
350 wpa_tdls_do_teardown(sm, peer,
351 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
352 }
353 }
354
355
wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 action_code)356 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
357 struct wpa_tdls_peer *peer,
358 u8 action_code)
359 {
360 if (action_code == peer->sm_tmr.action_code) {
361 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
362 "action_code=%u", action_code);
363
364 /* Cancel Timeout registered */
365 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
366
367 /* free all resources meant for retry */
368 os_free(peer->sm_tmr.buf);
369 peer->sm_tmr.buf = NULL;
370
371 peer->sm_tmr.count = 0;
372 peer->sm_tmr.timer = 0;
373 peer->sm_tmr.buf_len = 0;
374 peer->sm_tmr.action_code = 0xff;
375 } else {
376 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
377 "(Unknown action_code=%u)", action_code);
378 }
379 }
380
381
wpa_tdls_generate_tpk(struct wpa_tdls_peer * peer,const u8 * own_addr,const u8 * bssid)382 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
383 const u8 *own_addr, const u8 *bssid)
384 {
385 u8 key_input[SHA256_MAC_LEN];
386 const u8 *nonce[2];
387 size_t len[2];
388 u8 data[3 * ETH_ALEN];
389
390 /* IEEE Std 802.11z-2010 8.5.9.1:
391 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
392 */
393 len[0] = WPA_NONCE_LEN;
394 len[1] = WPA_NONCE_LEN;
395 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
396 nonce[0] = peer->inonce;
397 nonce[1] = peer->rnonce;
398 } else {
399 nonce[0] = peer->rnonce;
400 nonce[1] = peer->inonce;
401 }
402 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
403 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
404 sha256_vector(2, nonce, len, key_input);
405 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
406 key_input, SHA256_MAC_LEN);
407
408 /*
409 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
410 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
411 * TODO: is N_KEY really included in KDF Context and if so, in which
412 * presentation format (little endian 16-bit?) is it used? It gets
413 * added by the KDF anyway..
414 */
415
416 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
417 os_memcpy(data, own_addr, ETH_ALEN);
418 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
419 } else {
420 os_memcpy(data, peer->addr, ETH_ALEN);
421 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
422 }
423 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
424 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
425
426 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
427 (u8 *) &peer->tpk, sizeof(peer->tpk));
428 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
429 peer->tpk.kck, sizeof(peer->tpk.kck));
430 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
431 peer->tpk.tk, sizeof(peer->tpk.tk));
432 peer->tpk_set = 1;
433 }
434
435
436 /**
437 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
438 * @kck: TPK-KCK
439 * @lnkid: Pointer to the beginning of Link Identifier IE
440 * @rsnie: Pointer to the beginning of RSN IE used for handshake
441 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
442 * @ftie: Pointer to the beginning of FT IE
443 * @mic: Pointer for writing MIC
444 *
445 * Calculate MIC for TDLS frame.
446 */
wpa_tdls_ftie_mic(const u8 * kck,u8 trans_seq,const u8 * lnkid,const u8 * rsnie,const u8 * timeoutie,const u8 * ftie,u8 * mic)447 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
448 const u8 *rsnie, const u8 *timeoutie,
449 const u8 *ftie, u8 *mic)
450 {
451 u8 *buf, *pos;
452 struct wpa_tdls_ftie *_ftie;
453 const struct wpa_tdls_lnkid *_lnkid;
454 int ret;
455 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
456 2 + timeoutie[1] + 2 + ftie[1];
457 buf = os_zalloc(len);
458 if (!buf) {
459 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
460 return -1;
461 }
462
463 pos = buf;
464 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
465 /* 1) TDLS initiator STA MAC address */
466 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
467 pos += ETH_ALEN;
468 /* 2) TDLS responder STA MAC address */
469 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
470 pos += ETH_ALEN;
471 /* 3) Transaction Sequence number */
472 *pos++ = trans_seq;
473 /* 4) Link Identifier IE */
474 os_memcpy(pos, lnkid, 2 + lnkid[1]);
475 pos += 2 + lnkid[1];
476 /* 5) RSN IE */
477 os_memcpy(pos, rsnie, 2 + rsnie[1]);
478 pos += 2 + rsnie[1];
479 /* 6) Timeout Interval IE */
480 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
481 pos += 2 + timeoutie[1];
482 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
483 os_memcpy(pos, ftie, 2 + ftie[1]);
484 _ftie = (struct wpa_tdls_ftie *) pos;
485 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
486 pos += 2 + ftie[1];
487
488 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
489 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
490 ret = omac1_aes_128(kck, buf, pos - buf, mic);
491 os_free(buf);
492 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
493 return ret;
494 }
495
496
497 /**
498 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
499 * @kck: TPK-KCK
500 * @trans_seq: Transaction Sequence Number (4 - Teardown)
501 * @rcode: Reason code for Teardown
502 * @dtoken: Dialog Token used for that particular link
503 * @lnkid: Pointer to the beginning of Link Identifier IE
504 * @ftie: Pointer to the beginning of FT IE
505 * @mic: Pointer for writing MIC
506 *
507 * Calculate MIC for TDLS frame.
508 */
wpa_tdls_key_mic_teardown(const u8 * kck,u8 trans_seq,u16 rcode,u8 dtoken,const u8 * lnkid,const u8 * ftie,u8 * mic)509 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
510 u8 dtoken, const u8 *lnkid,
511 const u8 *ftie, u8 *mic)
512 {
513 u8 *buf, *pos;
514 struct wpa_tdls_ftie *_ftie;
515 int ret;
516 int len;
517
518 if (lnkid == NULL)
519 return -1;
520
521 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
522 sizeof(trans_seq) + 2 + ftie[1];
523
524 buf = os_zalloc(len);
525 if (!buf) {
526 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
527 return -1;
528 }
529
530 pos = buf;
531 /* 1) Link Identifier IE */
532 os_memcpy(pos, lnkid, 2 + lnkid[1]);
533 pos += 2 + lnkid[1];
534 /* 2) Reason Code */
535 WPA_PUT_LE16(pos, rcode);
536 pos += sizeof(rcode);
537 /* 3) Dialog token */
538 *pos++ = dtoken;
539 /* 4) Transaction Sequence number */
540 *pos++ = trans_seq;
541 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
542 os_memcpy(pos, ftie, 2 + ftie[1]);
543 _ftie = (struct wpa_tdls_ftie *) pos;
544 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
545 pos += 2 + ftie[1];
546
547 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
548 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
549 ret = omac1_aes_128(kck, buf, pos - buf, mic);
550 os_free(buf);
551 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
552 return ret;
553 }
554
555
wpa_supplicant_verify_tdls_mic(u8 trans_seq,struct wpa_tdls_peer * peer,const u8 * lnkid,const u8 * timeoutie,const struct wpa_tdls_ftie * ftie)556 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
557 struct wpa_tdls_peer *peer,
558 const u8 *lnkid, const u8 *timeoutie,
559 const struct wpa_tdls_ftie *ftie)
560 {
561 u8 mic[16];
562
563 if (peer->tpk_set) {
564 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
565 peer->rsnie_p, timeoutie, (u8 *) ftie,
566 mic);
567 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
568 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
569 "dropping packet");
570 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
571 ftie->mic, 16);
572 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
573 mic, 16);
574 return -1;
575 }
576 } else {
577 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
578 "TPK not set - dropping packet");
579 return -1;
580 }
581 return 0;
582 }
583
584
wpa_supplicant_verify_tdls_mic_teardown(u8 trans_seq,u16 rcode,u8 dtoken,struct wpa_tdls_peer * peer,const u8 * lnkid,const struct wpa_tdls_ftie * ftie)585 static int wpa_supplicant_verify_tdls_mic_teardown(
586 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
587 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
588 {
589 u8 mic[16];
590
591 if (peer->tpk_set) {
592 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
593 dtoken, lnkid, (u8 *) ftie, mic);
594 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
595 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
596 "dropping packet");
597 return -1;
598 }
599 } else {
600 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
601 "MIC, TPK not set - dropping packet");
602 return -1;
603 }
604 return 0;
605 }
606
607
wpa_tdls_tpk_timeout(void * eloop_ctx,void * timeout_ctx)608 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
609 {
610 struct wpa_sm *sm = eloop_ctx;
611 struct wpa_tdls_peer *peer = timeout_ctx;
612
613 /*
614 * On TPK lifetime expiration, we have an option of either tearing down
615 * the direct link or trying to re-initiate it. The selection of what
616 * to do is not strictly speaking controlled by our role in the expired
617 * link, but for now, use that to select whether to renew or tear down
618 * the link.
619 */
620
621 if (peer->initiator) {
622 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
623 " - try to renew", MAC2STR(peer->addr));
624 wpa_tdls_start(sm, peer->addr);
625 } else {
626 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
627 " - tear down", MAC2STR(peer->addr));
628 wpa_tdls_do_teardown(sm, peer,
629 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
630 }
631 }
632
633
wpa_tdls_peer_remove_from_list(struct wpa_sm * sm,struct wpa_tdls_peer * peer)634 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
635 struct wpa_tdls_peer *peer)
636 {
637 struct wpa_tdls_peer *cur, *prev;
638
639 cur = sm->tdls;
640 prev = NULL;
641 while (cur && cur != peer) {
642 prev = cur;
643 cur = cur->next;
644 }
645
646 if (cur != peer) {
647 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
648 " to remove it from the list",
649 MAC2STR(peer->addr));
650 return;
651 }
652
653 if (prev)
654 prev->next = peer->next;
655 else
656 sm->tdls = peer->next;
657 }
658
659
wpa_tdls_peer_clear(struct wpa_sm * sm,struct wpa_tdls_peer * peer)660 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
661 {
662 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
663 MAC2STR(peer->addr));
664 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
665 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
666 peer->reconfig_key = 0;
667 peer->initiator = 0;
668 peer->tpk_in_progress = 0;
669 os_free(peer->sm_tmr.buf);
670 peer->sm_tmr.buf = NULL;
671 os_free(peer->ht_capabilities);
672 peer->ht_capabilities = NULL;
673 os_free(peer->vht_capabilities);
674 peer->vht_capabilities = NULL;
675 os_free(peer->ext_capab);
676 peer->ext_capab = NULL;
677 os_free(peer->supp_channels);
678 peer->supp_channels = NULL;
679 os_free(peer->supp_oper_classes);
680 peer->supp_oper_classes = NULL;
681 peer->rsnie_i_len = peer->rsnie_p_len = 0;
682 peer->cipher = 0;
683 peer->qos_info = 0;
684 peer->wmm_capable = 0;
685 peer->tpk_set = peer->tpk_success = 0;
686 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
687 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
688 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
689 }
690
691
wpa_tdls_peer_free(struct wpa_sm * sm,struct wpa_tdls_peer * peer)692 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
693 {
694 wpa_tdls_peer_clear(sm, peer);
695 wpa_tdls_peer_remove_from_list(sm, peer);
696 os_free(peer);
697 }
698
699
wpa_tdls_linkid(struct wpa_sm * sm,struct wpa_tdls_peer * peer,struct wpa_tdls_lnkid * lnkid)700 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
701 struct wpa_tdls_lnkid *lnkid)
702 {
703 lnkid->ie_type = WLAN_EID_LINK_ID;
704 lnkid->ie_len = 3 * ETH_ALEN;
705 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
706 if (peer->initiator) {
707 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
708 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
709 } else {
710 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
711 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
712 }
713 }
714
715
wpa_tdls_send_teardown(struct wpa_sm * sm,const u8 * addr,u16 reason_code)716 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
717 u16 reason_code)
718 {
719 struct wpa_tdls_peer *peer;
720 struct wpa_tdls_ftie *ftie;
721 struct wpa_tdls_lnkid lnkid;
722 u8 dialog_token;
723 u8 *rbuf, *pos;
724 int ielen;
725
726 if (sm->tdls_disabled || !sm->tdls_supported)
727 return -1;
728
729 /* Find the node and free from the list */
730 for (peer = sm->tdls; peer; peer = peer->next) {
731 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
732 break;
733 }
734
735 if (peer == NULL) {
736 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
737 "Teardown " MACSTR, MAC2STR(addr));
738 return 0;
739 }
740
741 dialog_token = peer->dtoken;
742
743 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
744 MAC2STR(addr));
745
746 ielen = 0;
747 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
748 /* To add FTIE for Teardown request and compute MIC */
749 ielen += sizeof(*ftie);
750 #ifdef CONFIG_TDLS_TESTING
751 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
752 ielen += 170;
753 #endif /* CONFIG_TDLS_TESTING */
754 }
755
756 rbuf = os_zalloc(ielen + 1);
757 if (rbuf == NULL)
758 return -1;
759 pos = rbuf;
760
761 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
762 goto skip_ies;
763
764 ftie = (struct wpa_tdls_ftie *) pos;
765 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
766 /* Using the recent nonce which should be for CONFIRM frame */
767 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
768 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
769 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
770 pos = (u8 *) (ftie + 1);
771 #ifdef CONFIG_TDLS_TESTING
772 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
773 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
774 "FTIE");
775 ftie->ie_len += 170;
776 *pos++ = 255; /* FTIE subelem */
777 *pos++ = 168; /* FTIE subelem length */
778 pos += 168;
779 }
780 #endif /* CONFIG_TDLS_TESTING */
781 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
782 (u8 *) ftie, pos - (u8 *) ftie);
783
784 /* compute MIC before sending */
785 wpa_tdls_linkid(sm, peer, &lnkid);
786 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
787 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
788 ftie->mic);
789
790 skip_ies:
791 /* TODO: register for a Timeout handler, if Teardown is not received at
792 * the other end, then try again another time */
793
794 /* request driver to send Teardown using this FTIE */
795 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
796 reason_code, 0, rbuf, pos - rbuf);
797 os_free(rbuf);
798
799 return 0;
800 }
801
802
wpa_tdls_teardown_link(struct wpa_sm * sm,const u8 * addr,u16 reason_code)803 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
804 {
805 struct wpa_tdls_peer *peer;
806
807 if (sm->tdls_disabled || !sm->tdls_supported)
808 return -1;
809
810 for (peer = sm->tdls; peer; peer = peer->next) {
811 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
812 break;
813 }
814
815 if (peer == NULL) {
816 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
817 " for link Teardown", MAC2STR(addr));
818 return -1;
819 }
820
821 if (!peer->tpk_success) {
822 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
823 " not connected - cannot Teardown link", MAC2STR(addr));
824 return -1;
825 }
826
827 return wpa_tdls_do_teardown(sm, peer, reason_code);
828 }
829
830
wpa_tdls_disable_peer_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)831 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
832 struct wpa_tdls_peer *peer)
833 {
834 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
835 wpa_tdls_peer_free(sm, peer);
836 }
837
838
wpa_tdls_disable_unreachable_link(struct wpa_sm * sm,const u8 * addr)839 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
840 {
841 struct wpa_tdls_peer *peer;
842
843 for (peer = sm->tdls; peer; peer = peer->next) {
844 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
845 break;
846 }
847
848 if (!peer || !peer->tpk_success) {
849 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
850 " not connected - cannot teardown unreachable link",
851 MAC2STR(addr));
852 return;
853 }
854
855 if (wpa_tdls_is_external_setup(sm)) {
856 /*
857 * Disable the link, send a teardown packet through the
858 * AP, and then reset link data.
859 */
860 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
861 wpa_tdls_send_teardown(sm, addr,
862 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
863 wpa_tdls_peer_free(sm, peer);
864 } else {
865 wpa_tdls_disable_peer_link(sm, peer);
866 }
867 }
868
869
wpa_tdls_get_link_status(struct wpa_sm * sm,const u8 * addr)870 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
871 {
872 struct wpa_tdls_peer *peer;
873
874 if (sm->tdls_disabled || !sm->tdls_supported)
875 return "disabled";
876
877 for (peer = sm->tdls; peer; peer = peer->next) {
878 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
879 break;
880 }
881
882 if (peer == NULL)
883 return "peer does not exist";
884
885 if (!peer->tpk_success)
886 return "peer not connected";
887
888 return "connected";
889 }
890
891
wpa_tdls_recv_teardown(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)892 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
893 const u8 *buf, size_t len)
894 {
895 struct wpa_tdls_peer *peer = NULL;
896 struct wpa_tdls_ftie *ftie;
897 struct wpa_tdls_lnkid *lnkid;
898 struct wpa_eapol_ie_parse kde;
899 u16 reason_code;
900 const u8 *pos;
901 int ielen;
902
903 /* Find the node and free from the list */
904 for (peer = sm->tdls; peer; peer = peer->next) {
905 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
906 break;
907 }
908
909 if (peer == NULL) {
910 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
911 "Teardown " MACSTR, MAC2STR(src_addr));
912 return 0;
913 }
914
915 pos = buf;
916 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
917
918 reason_code = WPA_GET_LE16(pos);
919 pos += 2;
920
921 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
922 " (reason code %u)", MAC2STR(src_addr), reason_code);
923
924 ielen = len - (pos - buf); /* start of IE in buf */
925 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
926 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown");
927 return -1;
928 }
929
930 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
931 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
932 "Teardown");
933 return -1;
934 }
935 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
936
937 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
938 goto skip_ftie;
939
940 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
941 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
942 return -1;
943 }
944
945 ftie = (struct wpa_tdls_ftie *) kde.ftie;
946
947 /* Process MIC check to see if TDLS Teardown is right */
948 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
949 peer->dtoken, peer,
950 (u8 *) lnkid, ftie) < 0) {
951 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
952 "Teardown Request from " MACSTR, MAC2STR(src_addr));
953 return -1;
954 }
955
956 skip_ftie:
957 /*
958 * Request the driver to disable the direct link and clear associated
959 * keys.
960 */
961 wpa_tdls_disable_peer_link(sm, peer);
962 return 0;
963 }
964
965
966 /**
967 * wpa_tdls_send_error - To send suitable TDLS status response with
968 * appropriate status code mentioning reason for error/failure.
969 * @dst - MAC addr of Peer station
970 * @tdls_action - TDLS frame type for which error code is sent
971 * @status - status code mentioning reason
972 */
973
wpa_tdls_send_error(struct wpa_sm * sm,const u8 * dst,u8 tdls_action,u8 dialog_token,u16 status)974 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
975 u8 tdls_action, u8 dialog_token, u16 status)
976 {
977 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
978 " (action=%u status=%u)",
979 MAC2STR(dst), tdls_action, status);
980 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
981 0, NULL, 0);
982 }
983
984
985 static struct wpa_tdls_peer *
wpa_tdls_add_peer(struct wpa_sm * sm,const u8 * addr,int * existing)986 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
987 {
988 struct wpa_tdls_peer *peer;
989
990 if (existing)
991 *existing = 0;
992 for (peer = sm->tdls; peer; peer = peer->next) {
993 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
994 if (existing)
995 *existing = 1;
996 return peer; /* re-use existing entry */
997 }
998 }
999
1000 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1001 MAC2STR(addr));
1002
1003 peer = os_zalloc(sizeof(*peer));
1004 if (peer == NULL)
1005 return NULL;
1006
1007 os_memcpy(peer->addr, addr, ETH_ALEN);
1008 peer->next = sm->tdls;
1009 sm->tdls = peer;
1010
1011 return peer;
1012 }
1013
1014
wpa_tdls_send_tpk_m1(struct wpa_sm * sm,struct wpa_tdls_peer * peer)1015 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1016 struct wpa_tdls_peer *peer)
1017 {
1018 size_t buf_len;
1019 struct wpa_tdls_timeoutie timeoutie;
1020 u16 rsn_capab;
1021 struct wpa_tdls_ftie *ftie;
1022 u8 *rbuf, *pos, *count_pos;
1023 u16 count;
1024 struct rsn_ie_hdr *hdr;
1025 int status;
1026
1027 if (!wpa_tdls_get_privacy(sm)) {
1028 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1029 peer->rsnie_i_len = 0;
1030 goto skip_rsnie;
1031 }
1032
1033 /*
1034 * TPK Handshake Message 1:
1035 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1036 * Timeout Interval IE))
1037 */
1038
1039 /* Filling RSN IE */
1040 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1041 hdr->elem_id = WLAN_EID_RSN;
1042 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1043
1044 pos = (u8 *) (hdr + 1);
1045 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1046 pos += RSN_SELECTOR_LEN;
1047 count_pos = pos;
1048 pos += 2;
1049
1050 count = 0;
1051
1052 /*
1053 * AES-CCMP is the default Encryption preferred for TDLS, so
1054 * RSN IE is filled only with CCMP CIPHER
1055 * Note: TKIP is not used to encrypt TDLS link.
1056 *
1057 * Regardless of the cipher used on the AP connection, select CCMP
1058 * here.
1059 */
1060 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1061 pos += RSN_SELECTOR_LEN;
1062 count++;
1063
1064 WPA_PUT_LE16(count_pos, count);
1065
1066 WPA_PUT_LE16(pos, 1);
1067 pos += 2;
1068 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1069 pos += RSN_SELECTOR_LEN;
1070
1071 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1072 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1073 #ifdef CONFIG_TDLS_TESTING
1074 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1075 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1076 "testing");
1077 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1078 }
1079 #endif /* CONFIG_TDLS_TESTING */
1080 WPA_PUT_LE16(pos, rsn_capab);
1081 pos += 2;
1082 #ifdef CONFIG_TDLS_TESTING
1083 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1084 /* Number of PMKIDs */
1085 *pos++ = 0x00;
1086 *pos++ = 0x00;
1087 }
1088 #endif /* CONFIG_TDLS_TESTING */
1089
1090 hdr->len = (pos - peer->rsnie_i) - 2;
1091 peer->rsnie_i_len = pos - peer->rsnie_i;
1092 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1093 peer->rsnie_i, peer->rsnie_i_len);
1094
1095 skip_rsnie:
1096 buf_len = 0;
1097 if (wpa_tdls_get_privacy(sm))
1098 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1099 sizeof(struct wpa_tdls_timeoutie);
1100 #ifdef CONFIG_TDLS_TESTING
1101 if (wpa_tdls_get_privacy(sm) &&
1102 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1103 buf_len += 170;
1104 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1105 buf_len += sizeof(struct wpa_tdls_lnkid);
1106 #endif /* CONFIG_TDLS_TESTING */
1107 rbuf = os_zalloc(buf_len + 1);
1108 if (rbuf == NULL) {
1109 wpa_tdls_peer_free(sm, peer);
1110 return -1;
1111 }
1112 pos = rbuf;
1113
1114 if (!wpa_tdls_get_privacy(sm))
1115 goto skip_ies;
1116
1117 /* Initiator RSN IE */
1118 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1119
1120 ftie = (struct wpa_tdls_ftie *) pos;
1121 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1122 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1123
1124 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1125 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1126 "TDLS: Failed to get random data for initiator Nonce");
1127 os_free(rbuf);
1128 wpa_tdls_peer_free(sm, peer);
1129 return -1;
1130 }
1131 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1132 peer->inonce, WPA_NONCE_LEN);
1133 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1134
1135 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1136 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1137
1138 pos = (u8 *) (ftie + 1);
1139
1140 #ifdef CONFIG_TDLS_TESTING
1141 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1142 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1143 "FTIE");
1144 ftie->ie_len += 170;
1145 *pos++ = 255; /* FTIE subelem */
1146 *pos++ = 168; /* FTIE subelem length */
1147 pos += 168;
1148 }
1149 #endif /* CONFIG_TDLS_TESTING */
1150
1151 /* Lifetime */
1152 peer->lifetime = TPK_LIFETIME;
1153 #ifdef CONFIG_TDLS_TESTING
1154 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1155 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1156 "lifetime");
1157 peer->lifetime = 301;
1158 }
1159 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1160 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1161 "lifetime");
1162 peer->lifetime = 0xffffffff;
1163 }
1164 #endif /* CONFIG_TDLS_TESTING */
1165 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1166 sizeof(timeoutie), peer->lifetime);
1167 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1168
1169 skip_ies:
1170
1171 #ifdef CONFIG_TDLS_TESTING
1172 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1173 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1174 "Link Identifier");
1175 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1176 wpa_tdls_linkid(sm, peer, l);
1177 l->bssid[5] ^= 0x01;
1178 pos += sizeof(*l);
1179 }
1180 #endif /* CONFIG_TDLS_TESTING */
1181
1182 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1183 "Handshake Message 1 (peer " MACSTR ")",
1184 MAC2STR(peer->addr));
1185
1186 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1187 1, 0, 0, rbuf, pos - rbuf);
1188 os_free(rbuf);
1189
1190 return status;
1191 }
1192
1193
wpa_tdls_send_tpk_m2(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1194 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1195 const unsigned char *src_addr, u8 dtoken,
1196 struct wpa_tdls_lnkid *lnkid,
1197 const struct wpa_tdls_peer *peer)
1198 {
1199 u8 *rbuf, *pos;
1200 size_t buf_len;
1201 u32 lifetime;
1202 struct wpa_tdls_timeoutie timeoutie;
1203 struct wpa_tdls_ftie *ftie;
1204 int status;
1205
1206 buf_len = 0;
1207 if (wpa_tdls_get_privacy(sm)) {
1208 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1209 * Lifetime */
1210 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1211 sizeof(struct wpa_tdls_timeoutie);
1212 #ifdef CONFIG_TDLS_TESTING
1213 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1214 buf_len += 170;
1215 #endif /* CONFIG_TDLS_TESTING */
1216 }
1217
1218 rbuf = os_zalloc(buf_len + 1);
1219 if (rbuf == NULL)
1220 return -1;
1221 pos = rbuf;
1222
1223 if (!wpa_tdls_get_privacy(sm))
1224 goto skip_ies;
1225
1226 /* Peer RSN IE */
1227 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1228
1229 ftie = (struct wpa_tdls_ftie *) pos;
1230 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1231 /* TODO: ftie->mic_control to set 2-RESPONSE */
1232 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1233 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1234 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1235 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1236 (u8 *) ftie, sizeof(*ftie));
1237
1238 pos = (u8 *) (ftie + 1);
1239
1240 #ifdef CONFIG_TDLS_TESTING
1241 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1242 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1243 "FTIE");
1244 ftie->ie_len += 170;
1245 *pos++ = 255; /* FTIE subelem */
1246 *pos++ = 168; /* FTIE subelem length */
1247 pos += 168;
1248 }
1249 #endif /* CONFIG_TDLS_TESTING */
1250
1251 /* Lifetime */
1252 lifetime = peer->lifetime;
1253 #ifdef CONFIG_TDLS_TESTING
1254 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1255 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1256 "lifetime in response");
1257 lifetime++;
1258 }
1259 #endif /* CONFIG_TDLS_TESTING */
1260 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1261 sizeof(timeoutie), lifetime);
1262 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1263 lifetime);
1264
1265 /* compute MIC before sending */
1266 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1267 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1268 #ifdef CONFIG_TDLS_TESTING
1269 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1270 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1271 ftie->mic[0] ^= 0x01;
1272 }
1273 #endif /* CONFIG_TDLS_TESTING */
1274
1275 skip_ies:
1276 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1277 dtoken, 0, 0, rbuf, pos - rbuf);
1278 os_free(rbuf);
1279
1280 return status;
1281 }
1282
1283
wpa_tdls_send_tpk_m3(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1284 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1285 const unsigned char *src_addr, u8 dtoken,
1286 struct wpa_tdls_lnkid *lnkid,
1287 const struct wpa_tdls_peer *peer)
1288 {
1289 u8 *rbuf, *pos;
1290 size_t buf_len;
1291 struct wpa_tdls_ftie *ftie;
1292 struct wpa_tdls_timeoutie timeoutie;
1293 u32 lifetime;
1294 int status;
1295 u32 peer_capab = 0;
1296
1297 buf_len = 0;
1298 if (wpa_tdls_get_privacy(sm)) {
1299 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1300 * Lifetime */
1301 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1302 sizeof(struct wpa_tdls_timeoutie);
1303 #ifdef CONFIG_TDLS_TESTING
1304 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1305 buf_len += 170;
1306 #endif /* CONFIG_TDLS_TESTING */
1307 }
1308
1309 rbuf = os_zalloc(buf_len + 1);
1310 if (rbuf == NULL)
1311 return -1;
1312 pos = rbuf;
1313
1314 if (!wpa_tdls_get_privacy(sm))
1315 goto skip_ies;
1316
1317 /* Peer RSN IE */
1318 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1319
1320 ftie = (struct wpa_tdls_ftie *) pos;
1321 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1322 /*TODO: ftie->mic_control to set 3-CONFIRM */
1323 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1324 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1325 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1326
1327 pos = (u8 *) (ftie + 1);
1328
1329 #ifdef CONFIG_TDLS_TESTING
1330 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1331 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1332 "FTIE");
1333 ftie->ie_len += 170;
1334 *pos++ = 255; /* FTIE subelem */
1335 *pos++ = 168; /* FTIE subelem length */
1336 pos += 168;
1337 }
1338 #endif /* CONFIG_TDLS_TESTING */
1339
1340 /* Lifetime */
1341 lifetime = peer->lifetime;
1342 #ifdef CONFIG_TDLS_TESTING
1343 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1344 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1345 "lifetime in confirm");
1346 lifetime++;
1347 }
1348 #endif /* CONFIG_TDLS_TESTING */
1349 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1350 sizeof(timeoutie), lifetime);
1351 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1352 lifetime);
1353
1354 /* compute MIC before sending */
1355 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1356 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1357 #ifdef CONFIG_TDLS_TESTING
1358 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1359 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1360 ftie->mic[0] ^= 0x01;
1361 }
1362 #endif /* CONFIG_TDLS_TESTING */
1363
1364 skip_ies:
1365
1366 if (peer->vht_capabilities)
1367 peer_capab |= TDLS_PEER_VHT;
1368 if (peer->ht_capabilities)
1369 peer_capab |= TDLS_PEER_HT;
1370 if (peer->wmm_capable)
1371 peer_capab |= TDLS_PEER_WMM;
1372
1373 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1374 dtoken, 0, peer_capab, rbuf, pos - rbuf);
1375 os_free(rbuf);
1376
1377 return status;
1378 }
1379
1380
wpa_tdls_send_discovery_response(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 dialog_token)1381 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1382 struct wpa_tdls_peer *peer,
1383 u8 dialog_token)
1384 {
1385 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1386 "(peer " MACSTR ")", MAC2STR(peer->addr));
1387
1388 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1389 dialog_token, 0, 0, NULL, 0);
1390 }
1391
1392
1393 static int
wpa_tdls_process_discovery_request(struct wpa_sm * sm,const u8 * addr,const u8 * buf,size_t len)1394 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1395 const u8 *buf, size_t len)
1396 {
1397 struct wpa_eapol_ie_parse kde;
1398 const struct wpa_tdls_lnkid *lnkid;
1399 struct wpa_tdls_peer *peer;
1400 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1401 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1402 u8 dialog_token;
1403
1404 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1405 MAC2STR(addr));
1406
1407 if (len < min_req_len) {
1408 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1409 "%d", (int) len);
1410 return -1;
1411 }
1412
1413 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1414
1415 /*
1416 * Some APs will tack on a weird IE to the end of a TDLS
1417 * discovery request packet. This needn't fail the response,
1418 * since the required IE are verified separately.
1419 */
1420 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1421 len - (sizeof(struct wpa_tdls_frame) + 1),
1422 &kde) < 0) {
1423 wpa_printf(MSG_DEBUG,
1424 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1425 }
1426
1427 if (!kde.lnkid) {
1428 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1429 "Request");
1430 return -1;
1431 }
1432
1433 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1434
1435 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1436 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1437 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1438 return -1;
1439 }
1440
1441 peer = wpa_tdls_add_peer(sm, addr, NULL);
1442 if (peer == NULL)
1443 return -1;
1444
1445 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1446 }
1447
1448
wpa_tdls_send_discovery_request(struct wpa_sm * sm,const u8 * addr)1449 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1450 {
1451 if (sm->tdls_disabled || !sm->tdls_supported)
1452 return -1;
1453
1454 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1455 MACSTR, MAC2STR(addr));
1456 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1457 1, 0, 0, NULL, 0);
1458 }
1459
1460
copy_supp_rates(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1461 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1462 struct wpa_tdls_peer *peer)
1463 {
1464 if (!kde->supp_rates) {
1465 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1466 return -1;
1467 }
1468 peer->supp_rates_len = merge_byte_arrays(
1469 peer->supp_rates, sizeof(peer->supp_rates),
1470 kde->supp_rates + 2, kde->supp_rates_len - 2,
1471 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1472 kde->ext_supp_rates_len - 2);
1473 return 0;
1474 }
1475
1476
copy_peer_ht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1477 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1478 struct wpa_tdls_peer *peer)
1479 {
1480 if (!kde->ht_capabilities ||
1481 kde->ht_capabilities_len <
1482 sizeof(struct ieee80211_ht_capabilities) ) {
1483 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1484 "received");
1485 return 0;
1486 }
1487
1488 if (!peer->ht_capabilities) {
1489 peer->ht_capabilities =
1490 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1491 if (peer->ht_capabilities == NULL)
1492 return -1;
1493 }
1494
1495 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1496 sizeof(struct ieee80211_ht_capabilities));
1497 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1498 (u8 *) peer->ht_capabilities,
1499 sizeof(struct ieee80211_ht_capabilities));
1500
1501 return 0;
1502 }
1503
1504
copy_peer_vht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1505 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1506 struct wpa_tdls_peer *peer)
1507 {
1508 if (!kde->vht_capabilities ||
1509 kde->vht_capabilities_len <
1510 sizeof(struct ieee80211_vht_capabilities) ) {
1511 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1512 "received");
1513 return 0;
1514 }
1515
1516 if (!peer->vht_capabilities) {
1517 peer->vht_capabilities =
1518 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1519 if (peer->vht_capabilities == NULL)
1520 return -1;
1521 }
1522
1523 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1524 sizeof(struct ieee80211_vht_capabilities));
1525 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1526 (u8 *) peer->vht_capabilities,
1527 sizeof(struct ieee80211_vht_capabilities));
1528
1529 return 0;
1530 }
1531
1532
copy_peer_ext_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1533 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1534 struct wpa_tdls_peer *peer)
1535 {
1536 if (!kde->ext_capab) {
1537 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1538 "received");
1539 return 0;
1540 }
1541
1542 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1543 /* Need to allocate buffer to fit the new information */
1544 os_free(peer->ext_capab);
1545 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1546 if (peer->ext_capab == NULL)
1547 return -1;
1548 }
1549
1550 peer->ext_capab_len = kde->ext_capab_len - 2;
1551 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1552
1553 return 0;
1554 }
1555
1556
copy_peer_wmm_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1557 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1558 struct wpa_tdls_peer *peer)
1559 {
1560 struct wmm_information_element *wmm;
1561
1562 if (!kde->wmm) {
1563 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1564 return 0;
1565 }
1566
1567 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1568 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1569 return -1;
1570 }
1571
1572 wmm = (struct wmm_information_element *) kde->wmm;
1573 peer->qos_info = wmm->qos_info;
1574
1575 peer->wmm_capable = 1;
1576
1577 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1578 return 0;
1579 }
1580
1581
copy_peer_supp_channels(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1582 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1583 struct wpa_tdls_peer *peer)
1584 {
1585 if (!kde->supp_channels) {
1586 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1587 return 0;
1588 }
1589
1590 if (!peer->supp_channels ||
1591 peer->supp_channels_len < kde->supp_channels_len) {
1592 os_free(peer->supp_channels);
1593 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1594 if (peer->supp_channels == NULL)
1595 return -1;
1596 }
1597
1598 peer->supp_channels_len = kde->supp_channels_len;
1599
1600 os_memcpy(peer->supp_channels, kde->supp_channels,
1601 peer->supp_channels_len);
1602 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1603 (u8 *) peer->supp_channels, peer->supp_channels_len);
1604 return 0;
1605 }
1606
1607
copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1608 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1609 struct wpa_tdls_peer *peer)
1610 {
1611 if (!kde->supp_oper_classes) {
1612 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1613 return 0;
1614 }
1615
1616 if (!peer->supp_oper_classes ||
1617 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1618 os_free(peer->supp_oper_classes);
1619 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1620 if (peer->supp_oper_classes == NULL)
1621 return -1;
1622 }
1623
1624 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1625 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1626 peer->supp_oper_classes_len);
1627 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1628 (u8 *) peer->supp_oper_classes,
1629 peer->supp_oper_classes_len);
1630 return 0;
1631 }
1632
1633
wpa_tdls_addset_peer(struct wpa_sm * sm,struct wpa_tdls_peer * peer,int add)1634 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1635 int add)
1636 {
1637 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1638 peer->capability,
1639 peer->supp_rates, peer->supp_rates_len,
1640 peer->ht_capabilities,
1641 peer->vht_capabilities,
1642 peer->qos_info, peer->ext_capab,
1643 peer->ext_capab_len,
1644 peer->supp_channels,
1645 peer->supp_channels_len,
1646 peer->supp_oper_classes,
1647 peer->supp_oper_classes_len);
1648 }
1649
1650
wpa_tdls_process_tpk_m1(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)1651 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1652 const u8 *buf, size_t len)
1653 {
1654 struct wpa_tdls_peer *peer;
1655 struct wpa_eapol_ie_parse kde;
1656 struct wpa_ie_data ie;
1657 int cipher;
1658 const u8 *cpos;
1659 struct wpa_tdls_ftie *ftie = NULL;
1660 struct wpa_tdls_timeoutie *timeoutie;
1661 struct wpa_tdls_lnkid *lnkid;
1662 u32 lifetime = 0;
1663 #if 0
1664 struct rsn_ie_hdr *hdr;
1665 u8 *pos;
1666 u16 rsn_capab;
1667 u16 rsn_ver;
1668 #endif
1669 u8 dtoken;
1670 u16 ielen;
1671 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1672 int tdls_prohibited = sm->tdls_prohibited;
1673 int existing_peer = 0;
1674
1675 if (len < 3 + 3)
1676 return -1;
1677
1678 cpos = buf;
1679 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1680
1681 /* driver had already verified the frame format */
1682 dtoken = *cpos++; /* dialog token */
1683
1684 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1685
1686 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1687 if (peer == NULL)
1688 goto error;
1689
1690 /* If found, use existing entry instead of adding a new one;
1691 * how to handle the case where both ends initiate at the
1692 * same time? */
1693 if (existing_peer) {
1694 if (peer->tpk_success) {
1695 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1696 "direct link is enabled - tear down the "
1697 "old link first");
1698 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1699 wpa_tdls_peer_clear(sm, peer);
1700 } else if (peer->initiator) {
1701 /*
1702 * An entry is already present, so check if we already
1703 * sent a TDLS Setup Request. If so, compare MAC
1704 * addresses and let the STA with the lower MAC address
1705 * continue as the initiator. The other negotiation is
1706 * terminated.
1707 */
1708 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1709 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1710 "from peer with higher address "
1711 MACSTR, MAC2STR(src_addr));
1712 return -1;
1713 } else {
1714 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1715 "from peer with lower address "
1716 MACSTR " (terminate previously "
1717 "initiated negotiation",
1718 MAC2STR(src_addr));
1719 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1720 peer->addr);
1721 wpa_tdls_peer_clear(sm, peer);
1722 }
1723 }
1724 }
1725
1726 /* capability information */
1727 peer->capability = WPA_GET_LE16(cpos);
1728 cpos += 2;
1729
1730 ielen = len - (cpos - buf); /* start of IE in buf */
1731 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) {
1732 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1");
1733 goto error;
1734 }
1735
1736 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1737 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1738 "TPK M1");
1739 goto error;
1740 }
1741 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1742 kde.lnkid, kde.lnkid_len);
1743 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1744 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1745 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1746 status = WLAN_STATUS_NOT_IN_SAME_BSS;
1747 goto error;
1748 }
1749
1750 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1751 MAC2STR(src_addr));
1752
1753 if (copy_supp_rates(&kde, peer) < 0)
1754 goto error;
1755
1756 if (copy_peer_ht_capab(&kde, peer) < 0)
1757 goto error;
1758
1759 if (copy_peer_vht_capab(&kde, peer) < 0)
1760 goto error;
1761
1762 if (copy_peer_ext_capab(&kde, peer) < 0)
1763 goto error;
1764
1765 if (copy_peer_supp_channels(&kde, peer) < 0)
1766 goto error;
1767
1768 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1769 goto error;
1770
1771 peer->qos_info = kde.qosinfo;
1772
1773 /* Overwrite with the qos_info obtained in WMM IE */
1774 if (copy_peer_wmm_capab(&kde, peer) < 0)
1775 goto error;
1776
1777 peer->aid = kde.aid;
1778
1779 #ifdef CONFIG_TDLS_TESTING
1780 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1781 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1782 if (peer == NULL)
1783 goto error;
1784 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1785 "TDLS setup - send own request");
1786 peer->initiator = 1;
1787 wpa_tdls_send_tpk_m1(sm, peer);
1788 }
1789
1790 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1791 tdls_prohibited) {
1792 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1793 "on TDLS");
1794 tdls_prohibited = 0;
1795 }
1796 #endif /* CONFIG_TDLS_TESTING */
1797
1798 if (tdls_prohibited) {
1799 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1800 status = WLAN_STATUS_REQUEST_DECLINED;
1801 goto error;
1802 }
1803
1804 if (!wpa_tdls_get_privacy(sm)) {
1805 if (kde.rsn_ie) {
1806 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1807 "security is disabled");
1808 status = WLAN_STATUS_SECURITY_DISABLED;
1809 goto error;
1810 }
1811 goto skip_rsn;
1812 }
1813
1814 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1815 kde.rsn_ie == NULL) {
1816 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1817 status = WLAN_STATUS_INVALID_PARAMETERS;
1818 goto error;
1819 }
1820
1821 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
1822 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
1823 "TPK M1");
1824 status = WLAN_STATUS_INVALID_RSNIE;
1825 goto error;
1826 }
1827
1828 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1829 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
1830 status = WLAN_STATUS_INVALID_RSNIE;
1831 goto error;
1832 }
1833
1834 cipher = ie.pairwise_cipher;
1835 if (cipher & WPA_CIPHER_CCMP) {
1836 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1837 cipher = WPA_CIPHER_CCMP;
1838 } else {
1839 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
1840 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1841 goto error;
1842 }
1843
1844 if ((ie.capabilities &
1845 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
1846 WPA_CAPABILITY_PEERKEY_ENABLED) {
1847 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
1848 "TPK M1");
1849 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
1850 goto error;
1851 }
1852
1853 /* Lifetime */
1854 if (kde.key_lifetime == NULL) {
1855 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
1856 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1857 goto error;
1858 }
1859 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
1860 lifetime = WPA_GET_LE32(timeoutie->value);
1861 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
1862 if (lifetime < 300) {
1863 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
1864 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1865 goto error;
1866 }
1867
1868 skip_rsn:
1869 #ifdef CONFIG_TDLS_TESTING
1870 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1871 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
1872 /*
1873 * The request frame from us is going to win, so do not
1874 * replace information based on this request frame from
1875 * the peer.
1876 */
1877 goto skip_rsn_check;
1878 }
1879 }
1880 #endif /* CONFIG_TDLS_TESTING */
1881
1882 peer->initiator = 0; /* Need to check */
1883 peer->dtoken = dtoken;
1884
1885 if (!wpa_tdls_get_privacy(sm)) {
1886 peer->rsnie_i_len = 0;
1887 peer->rsnie_p_len = 0;
1888 peer->cipher = WPA_CIPHER_NONE;
1889 goto skip_rsn_check;
1890 }
1891
1892 ftie = (struct wpa_tdls_ftie *) kde.ftie;
1893 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
1894 peer->rsnie_i_len = kde.rsn_ie_len;
1895 peer->cipher = cipher;
1896
1897 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
1898 /*
1899 * There is no point in updating the RNonce for every obtained
1900 * TPK M1 frame (e.g., retransmission due to timeout) with the
1901 * same INonce (SNonce in FTIE). However, if the TPK M1 is
1902 * retransmitted with a different INonce, update the RNonce
1903 * since this is for a new TDLS session.
1904 */
1905 wpa_printf(MSG_DEBUG,
1906 "TDLS: New TPK M1 INonce - generate new RNonce");
1907 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
1908 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
1909 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1910 "TDLS: Failed to get random data for responder nonce");
1911 goto error;
1912 }
1913 }
1914
1915 #if 0
1916 /* get version info from RSNIE received from Peer */
1917 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
1918 rsn_ver = WPA_GET_LE16(hdr->version);
1919
1920 /* use min(peer's version, out version) */
1921 if (rsn_ver > RSN_VERSION)
1922 rsn_ver = RSN_VERSION;
1923
1924 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
1925
1926 hdr->elem_id = WLAN_EID_RSN;
1927 WPA_PUT_LE16(hdr->version, rsn_ver);
1928 pos = (u8 *) (hdr + 1);
1929
1930 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1931 pos += RSN_SELECTOR_LEN;
1932 /* Include only the selected cipher in pairwise cipher suite */
1933 WPA_PUT_LE16(pos, 1);
1934 pos += 2;
1935 if (cipher == WPA_CIPHER_CCMP)
1936 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1937 pos += RSN_SELECTOR_LEN;
1938
1939 WPA_PUT_LE16(pos, 1);
1940 pos += 2;
1941 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1942 pos += RSN_SELECTOR_LEN;
1943
1944 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1945 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1946 WPA_PUT_LE16(pos, rsn_capab);
1947 pos += 2;
1948
1949 hdr->len = (pos - peer->rsnie_p) - 2;
1950 peer->rsnie_p_len = pos - peer->rsnie_p;
1951 #endif
1952
1953 /* temp fix: validation of RSNIE later */
1954 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
1955 peer->rsnie_p_len = peer->rsnie_i_len;
1956
1957 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1958 peer->rsnie_p, peer->rsnie_p_len);
1959
1960 peer->lifetime = lifetime;
1961
1962 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
1963
1964 skip_rsn_check:
1965 /* add supported rates, capabilities, and qos_info to the TDLS peer */
1966 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
1967 goto error;
1968
1969 peer->tpk_in_progress = 1;
1970
1971 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
1972 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
1973 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1974 goto error;
1975 }
1976
1977 return 0;
1978
1979 error:
1980 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken,
1981 status);
1982 if (peer)
1983 wpa_tdls_peer_free(sm, peer);
1984 return -1;
1985 }
1986
1987
wpa_tdls_enable_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)1988 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
1989 {
1990 peer->tpk_success = 1;
1991 peer->tpk_in_progress = 0;
1992 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
1993 if (wpa_tdls_get_privacy(sm)) {
1994 u32 lifetime = peer->lifetime;
1995 /*
1996 * Start the initiator process a bit earlier to avoid race
1997 * condition with the responder sending teardown request.
1998 */
1999 if (lifetime > 3 && peer->initiator)
2000 lifetime -= 3;
2001 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2002 sm, peer);
2003 #ifdef CONFIG_TDLS_TESTING
2004 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2005 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
2006 "expiration");
2007 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2008 }
2009 #endif /* CONFIG_TDLS_TESTING */
2010 }
2011
2012 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2013 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2014 "driver");
2015 return -1;
2016 }
2017 peer->reconfig_key = 0;
2018
2019 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2020 }
2021
2022
wpa_tdls_process_tpk_m2(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2023 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2024 const u8 *buf, size_t len)
2025 {
2026 struct wpa_tdls_peer *peer;
2027 struct wpa_eapol_ie_parse kde;
2028 struct wpa_ie_data ie;
2029 int cipher;
2030 struct wpa_tdls_ftie *ftie;
2031 struct wpa_tdls_timeoutie *timeoutie;
2032 struct wpa_tdls_lnkid *lnkid;
2033 u32 lifetime;
2034 u8 dtoken;
2035 int ielen;
2036 u16 status;
2037 const u8 *pos;
2038 int ret = 0;
2039
2040 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2041 "(Peer " MACSTR ")", MAC2STR(src_addr));
2042 for (peer = sm->tdls; peer; peer = peer->next) {
2043 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2044 break;
2045 }
2046 if (peer == NULL) {
2047 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2048 "TPK M2: " MACSTR, MAC2STR(src_addr));
2049 return -1;
2050 }
2051 if (!peer->initiator) {
2052 /*
2053 * This may happen if both devices try to initiate TDLS at the
2054 * same time and we accept the TPK M1 from the peer in
2055 * wpa_tdls_process_tpk_m1() and clear our previous state.
2056 */
2057 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2058 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2059 return -1;
2060 }
2061 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2062
2063 if (len < 3 + 2 + 1) {
2064 wpa_tdls_disable_peer_link(sm, peer);
2065 return -1;
2066 }
2067
2068 pos = buf;
2069 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2070 status = WPA_GET_LE16(pos);
2071 pos += 2 /* status code */;
2072
2073 if (status != WLAN_STATUS_SUCCESS) {
2074 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2075 status);
2076 wpa_tdls_disable_peer_link(sm, peer);
2077 return -1;
2078 }
2079
2080 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2081
2082 /* TODO: need to verify dialog token matches here or in kernel */
2083 dtoken = *pos++; /* dialog token */
2084
2085 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2086
2087 if (len < 3 + 2 + 1 + 2) {
2088 wpa_tdls_disable_peer_link(sm, peer);
2089 return -1;
2090 }
2091
2092 /* capability information */
2093 peer->capability = WPA_GET_LE16(pos);
2094 pos += 2;
2095
2096 ielen = len - (pos - buf); /* start of IE in buf */
2097 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) {
2098 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2");
2099 goto error;
2100 }
2101
2102 #ifdef CONFIG_TDLS_TESTING
2103 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2104 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2105 status = WLAN_STATUS_REQUEST_DECLINED;
2106 goto error;
2107 }
2108 #endif /* CONFIG_TDLS_TESTING */
2109
2110 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2111 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2112 "TPK M2");
2113 goto error;
2114 }
2115 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2116 kde.lnkid, kde.lnkid_len);
2117 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2118
2119 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2120 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2121 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2122 goto error;
2123 }
2124
2125 if (copy_supp_rates(&kde, peer) < 0)
2126 goto error;
2127
2128 if (copy_peer_ht_capab(&kde, peer) < 0)
2129 goto error;
2130
2131 if (copy_peer_vht_capab(&kde, peer) < 0)
2132 goto error;
2133
2134 if (copy_peer_ext_capab(&kde, peer) < 0)
2135 goto error;
2136
2137 if (copy_peer_supp_channels(&kde, peer) < 0)
2138 goto error;
2139
2140 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2141 goto error;
2142
2143 peer->qos_info = kde.qosinfo;
2144
2145 /* Overwrite with the qos_info obtained in WMM IE */
2146 if (copy_peer_wmm_capab(&kde, peer) < 0)
2147 goto error;
2148
2149 peer->aid = kde.aid;
2150
2151 if (!wpa_tdls_get_privacy(sm)) {
2152 peer->rsnie_p_len = 0;
2153 peer->cipher = WPA_CIPHER_NONE;
2154 goto skip_rsn;
2155 }
2156
2157 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2158 kde.rsn_ie == NULL) {
2159 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2160 status = WLAN_STATUS_INVALID_PARAMETERS;
2161 goto error;
2162 }
2163 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2164 kde.rsn_ie, kde.rsn_ie_len);
2165
2166 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2167 wpa_printf(MSG_INFO,
2168 "TDLS: Too long Responder RSN IE in TPK M2");
2169 status = WLAN_STATUS_INVALID_RSNIE;
2170 goto error;
2171 }
2172
2173 /*
2174 * FIX: bitwise comparison of RSN IE is not the correct way of
2175 * validation this. It can be different, but certain fields must
2176 * match. Since we list only a single pairwise cipher in TPK M1, the
2177 * memcmp is likely to work in most cases, though.
2178 */
2179 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2180 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2181 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2182 "not match with RSN IE used in TPK M1");
2183 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2184 peer->rsnie_i, peer->rsnie_i_len);
2185 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2186 kde.rsn_ie, kde.rsn_ie_len);
2187 status = WLAN_STATUS_INVALID_RSNIE;
2188 goto error;
2189 }
2190
2191 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2192 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2193 status = WLAN_STATUS_INVALID_RSNIE;
2194 goto error;
2195 }
2196
2197 cipher = ie.pairwise_cipher;
2198 if (cipher == WPA_CIPHER_CCMP) {
2199 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2200 cipher = WPA_CIPHER_CCMP;
2201 } else {
2202 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2203 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2204 goto error;
2205 }
2206
2207 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2208 kde.ftie, sizeof(*ftie));
2209 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2210
2211 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2212 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2213 "not match with FTIE SNonce used in TPK M1");
2214 /* Silently discard the frame */
2215 return -1;
2216 }
2217
2218 /* Responder Nonce and RSN IE */
2219 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2220 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2221 peer->rsnie_p_len = kde.rsn_ie_len;
2222 peer->cipher = cipher;
2223
2224 /* Lifetime */
2225 if (kde.key_lifetime == NULL) {
2226 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2227 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2228 goto error;
2229 }
2230 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2231 lifetime = WPA_GET_LE32(timeoutie->value);
2232 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2233 lifetime);
2234 if (lifetime != peer->lifetime) {
2235 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2236 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2237 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2238 goto error;
2239 }
2240
2241 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2242
2243 /* Process MIC check to see if TPK M2 is right */
2244 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2245 (u8 *) timeoutie, ftie) < 0) {
2246 /* Discard the frame */
2247 wpa_tdls_del_key(sm, peer);
2248 wpa_tdls_disable_peer_link(sm, peer);
2249 return -1;
2250 }
2251
2252 if (wpa_tdls_set_key(sm, peer) < 0) {
2253 /*
2254 * Some drivers may not be able to config the key prior to full
2255 * STA entry having been configured.
2256 */
2257 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2258 "STA entry is complete");
2259 peer->reconfig_key = 1;
2260 }
2261
2262 skip_rsn:
2263 peer->dtoken = dtoken;
2264
2265 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2266 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2267 goto error;
2268
2269 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2270 "TPK Handshake Message 3");
2271 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2272 goto error;
2273
2274 if (!peer->tpk_success) {
2275 /*
2276 * Enable Link only when tpk_success is 0, signifying that this
2277 * processing of TPK M2 frame is not because of a retransmission
2278 * during TDLS setup handshake.
2279 */
2280 ret = wpa_tdls_enable_link(sm, peer);
2281 if (ret < 0) {
2282 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2283 wpa_tdls_do_teardown(
2284 sm, peer,
2285 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2286 }
2287 }
2288 return ret;
2289
2290 error:
2291 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken,
2292 status);
2293 wpa_tdls_disable_peer_link(sm, peer);
2294 return -1;
2295 }
2296
2297
wpa_tdls_process_tpk_m3(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2298 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2299 const u8 *buf, size_t len)
2300 {
2301 struct wpa_tdls_peer *peer;
2302 struct wpa_eapol_ie_parse kde;
2303 struct wpa_tdls_ftie *ftie;
2304 struct wpa_tdls_timeoutie *timeoutie;
2305 struct wpa_tdls_lnkid *lnkid;
2306 int ielen;
2307 u16 status;
2308 const u8 *pos;
2309 u32 lifetime;
2310 int ret = 0;
2311
2312 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2313 "(Peer " MACSTR ")", MAC2STR(src_addr));
2314 for (peer = sm->tdls; peer; peer = peer->next) {
2315 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2316 break;
2317 }
2318 if (peer == NULL) {
2319 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2320 "TPK M3: " MACSTR, MAC2STR(src_addr));
2321 return -1;
2322 }
2323 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2324
2325 if (len < 3 + 3)
2326 goto error;
2327 pos = buf;
2328 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2329
2330 status = WPA_GET_LE16(pos);
2331
2332 if (status != 0) {
2333 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2334 status);
2335 goto error;
2336 }
2337 pos += 2 /* status code */ + 1 /* dialog token */;
2338
2339 ielen = len - (pos - buf); /* start of IE in buf */
2340
2341 /*
2342 * Don't reject the message if failing to parse IEs. The IEs we need are
2343 * explicitly checked below. Some APs piggy-back broken IEs to the end
2344 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2345 * this error.
2346 */
2347 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2348 wpa_printf(MSG_DEBUG,
2349 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2350 }
2351
2352 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2353 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2354 goto error;
2355 }
2356 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2357 (u8 *) kde.lnkid, kde.lnkid_len);
2358 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2359
2360 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2361 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2362 goto error;
2363 }
2364
2365 if (!wpa_tdls_get_privacy(sm))
2366 goto skip_rsn;
2367
2368 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2369 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2370 goto error;
2371 }
2372 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2373 kde.ftie, sizeof(*ftie));
2374 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2375
2376 if (kde.rsn_ie == NULL) {
2377 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2378 goto error;
2379 }
2380 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2381 kde.rsn_ie, kde.rsn_ie_len);
2382 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2383 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2384 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2385 "with the one sent in TPK M2");
2386 goto error;
2387 }
2388
2389 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) {
2390 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2391 "not match with FTIE ANonce used in TPK M2");
2392 goto error;
2393 }
2394
2395 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2396 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2397 "match with FTIE SNonce used in TPK M1");
2398 goto error;
2399 }
2400
2401 if (kde.key_lifetime == NULL) {
2402 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2403 goto error;
2404 }
2405 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2406 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2407 (u8 *) timeoutie, sizeof(*timeoutie));
2408 lifetime = WPA_GET_LE32(timeoutie->value);
2409 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2410 lifetime);
2411 if (lifetime != peer->lifetime) {
2412 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2413 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2414 goto error;
2415 }
2416
2417 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2418 (u8 *) timeoutie, ftie) < 0) {
2419 wpa_tdls_del_key(sm, peer);
2420 goto error;
2421 }
2422
2423 if (wpa_tdls_set_key(sm, peer) < 0) {
2424 /*
2425 * Some drivers may not be able to config the key prior to full
2426 * STA entry having been configured.
2427 */
2428 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2429 "STA entry is complete");
2430 peer->reconfig_key = 1;
2431 }
2432
2433 skip_rsn:
2434 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2435 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2436 goto error;
2437
2438 if (!peer->tpk_success) {
2439 /*
2440 * Enable Link only when tpk_success is 0, signifying that this
2441 * processing of TPK M3 frame is not because of a retransmission
2442 * during TDLS setup handshake.
2443 */
2444 ret = wpa_tdls_enable_link(sm, peer);
2445 if (ret < 0) {
2446 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2447 goto error;
2448 }
2449 }
2450 return ret;
2451 error:
2452 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2453 return -1;
2454 }
2455
2456
wpa_add_tdls_timeoutie(u8 * pos,u8 * ie,size_t ie_len,u32 tsecs)2457 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2458 {
2459 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2460
2461 os_memset(lifetime, 0, ie_len);
2462 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2463 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2464 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2465 WPA_PUT_LE32(lifetime->value, tsecs);
2466 os_memcpy(pos, ie, ie_len);
2467 return pos + ie_len;
2468 }
2469
2470
2471 /**
2472 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2473 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2474 * @peer: MAC address of the peer STA
2475 * Returns: 0 on success, or -1 on failure
2476 *
2477 * Send TPK Handshake Message 1 info to driver to start TDLS
2478 * handshake with the peer.
2479 */
wpa_tdls_start(struct wpa_sm * sm,const u8 * addr)2480 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2481 {
2482 struct wpa_tdls_peer *peer;
2483 int tdls_prohibited = sm->tdls_prohibited;
2484
2485 if (sm->tdls_disabled || !sm->tdls_supported)
2486 return -1;
2487
2488 #ifdef CONFIG_TDLS_TESTING
2489 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2490 tdls_prohibited) {
2491 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2492 "on TDLS");
2493 tdls_prohibited = 0;
2494 }
2495 #endif /* CONFIG_TDLS_TESTING */
2496
2497 if (tdls_prohibited) {
2498 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2499 "reject request to start setup");
2500 return -1;
2501 }
2502
2503 peer = wpa_tdls_add_peer(sm, addr, NULL);
2504 if (peer == NULL)
2505 return -1;
2506
2507 if (peer->tpk_in_progress) {
2508 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2509 return 0;
2510 }
2511
2512 peer->initiator = 1;
2513
2514 /* add the peer to the driver as a "setup in progress" peer */
2515 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2516 NULL, 0, NULL, 0, NULL, 0, NULL, 0)) {
2517 wpa_tdls_disable_peer_link(sm, peer);
2518 return -1;
2519 }
2520
2521 peer->tpk_in_progress = 1;
2522
2523 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
2524 wpa_tdls_disable_peer_link(sm, peer);
2525 return -1;
2526 }
2527
2528 return 0;
2529 }
2530
2531
wpa_tdls_remove(struct wpa_sm * sm,const u8 * addr)2532 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2533 {
2534 struct wpa_tdls_peer *peer;
2535
2536 if (sm->tdls_disabled || !sm->tdls_supported)
2537 return;
2538
2539 for (peer = sm->tdls; peer; peer = peer->next) {
2540 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2541 break;
2542 }
2543
2544 if (peer == NULL || !peer->tpk_success)
2545 return;
2546
2547 if (sm->tdls_external_setup) {
2548 /*
2549 * Disable previous link to allow renegotiation to be completed
2550 * on AP path.
2551 */
2552 wpa_tdls_do_teardown(sm, peer,
2553 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2554 }
2555 }
2556
2557
2558 /**
2559 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2560 *
2561 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2562 */
wpa_supplicant_rx_tdls(void * ctx,const u8 * src_addr,const u8 * buf,size_t len)2563 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2564 const u8 *buf, size_t len)
2565 {
2566 struct wpa_sm *sm = ctx;
2567 struct wpa_tdls_frame *tf;
2568
2569 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2570 buf, len);
2571
2572 if (sm->tdls_disabled || !sm->tdls_supported) {
2573 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2574 "or unsupported by driver");
2575 return;
2576 }
2577
2578 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2579 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2580 return;
2581 }
2582
2583 if (len < sizeof(*tf)) {
2584 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2585 return;
2586 }
2587
2588 /* Check to make sure its a valid encapsulated TDLS frame */
2589 tf = (struct wpa_tdls_frame *) buf;
2590 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2591 tf->category != WLAN_ACTION_TDLS) {
2592 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2593 "category=%u action=%u",
2594 tf->payloadtype, tf->category, tf->action);
2595 return;
2596 }
2597
2598 switch (tf->action) {
2599 case WLAN_TDLS_SETUP_REQUEST:
2600 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2601 break;
2602 case WLAN_TDLS_SETUP_RESPONSE:
2603 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2604 break;
2605 case WLAN_TDLS_SETUP_CONFIRM:
2606 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2607 break;
2608 case WLAN_TDLS_TEARDOWN:
2609 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2610 break;
2611 case WLAN_TDLS_DISCOVERY_REQUEST:
2612 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2613 break;
2614 default:
2615 /* Kernel code will process remaining frames */
2616 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2617 tf->action);
2618 break;
2619 }
2620 }
2621
2622
2623 /**
2624 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2625 * @wpa_s: Pointer to wpa_supplicant data
2626 * Returns: 0 on success, -1 on failure
2627 *
2628 * This function is called to initialize driver interface parameters for TDLS.
2629 * wpa_drv_init() must have been called before this function to initialize the
2630 * driver interface.
2631 */
wpa_tdls_init(struct wpa_sm * sm)2632 int wpa_tdls_init(struct wpa_sm *sm)
2633 {
2634 if (sm == NULL)
2635 return -1;
2636
2637 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2638 sm->ifname,
2639 sm->own_addr,
2640 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2641 sm, 0);
2642 if (sm->l2_tdls == NULL) {
2643 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2644 "connection");
2645 return -1;
2646 }
2647
2648 /*
2649 * Drivers that support TDLS but don't implement the get_capa callback
2650 * are assumed to perform everything internally
2651 */
2652 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2653 &sm->tdls_external_setup) < 0) {
2654 sm->tdls_supported = 1;
2655 sm->tdls_external_setup = 0;
2656 }
2657
2658 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2659 "driver", sm->tdls_supported ? "" : " not");
2660 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2661 sm->tdls_external_setup ? "external" : "internal");
2662
2663 return 0;
2664 }
2665
2666
wpa_tdls_teardown_peers(struct wpa_sm * sm)2667 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2668 {
2669 struct wpa_tdls_peer *peer, *tmp;
2670
2671 peer = sm->tdls;
2672
2673 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2674
2675 while (peer) {
2676 tmp = peer->next;
2677 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2678 MAC2STR(peer->addr));
2679 if (sm->tdls_external_setup)
2680 wpa_tdls_do_teardown(sm, peer,
2681 WLAN_REASON_DEAUTH_LEAVING);
2682 else
2683 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2684
2685 peer = tmp;
2686 }
2687 }
2688
2689
wpa_tdls_remove_peers(struct wpa_sm * sm)2690 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2691 {
2692 struct wpa_tdls_peer *peer, *tmp;
2693
2694 peer = sm->tdls;
2695
2696 while (peer) {
2697 int res;
2698 tmp = peer->next;
2699 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2700 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2701 MAC2STR(peer->addr), res);
2702 wpa_tdls_peer_free(sm, peer);
2703 peer = tmp;
2704 }
2705 }
2706
2707
2708 /**
2709 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2710 *
2711 * This function is called to recover driver interface parameters for TDLS
2712 * and frees resources allocated for it.
2713 */
wpa_tdls_deinit(struct wpa_sm * sm)2714 void wpa_tdls_deinit(struct wpa_sm *sm)
2715 {
2716 if (sm == NULL)
2717 return;
2718
2719 if (sm->l2_tdls)
2720 l2_packet_deinit(sm->l2_tdls);
2721 sm->l2_tdls = NULL;
2722
2723 wpa_tdls_remove_peers(sm);
2724 }
2725
2726
wpa_tdls_assoc(struct wpa_sm * sm)2727 void wpa_tdls_assoc(struct wpa_sm *sm)
2728 {
2729 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2730 wpa_tdls_remove_peers(sm);
2731 }
2732
2733
wpa_tdls_disassoc(struct wpa_sm * sm)2734 void wpa_tdls_disassoc(struct wpa_sm *sm)
2735 {
2736 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2737 wpa_tdls_remove_peers(sm);
2738 }
2739
2740
wpa_tdls_prohibited(const u8 * ies,size_t len)2741 static int wpa_tdls_prohibited(const u8 *ies, size_t len)
2742 {
2743 struct wpa_eapol_ie_parse elems;
2744
2745 if (ies == NULL)
2746 return 0;
2747
2748 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0)
2749 return 0;
2750
2751 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2752 return 0;
2753
2754 /* bit 38 - TDLS Prohibited */
2755 return !!(elems.ext_capab[2 + 4] & 0x40);
2756 }
2757
2758
wpa_tdls_ap_ies(struct wpa_sm * sm,const u8 * ies,size_t len)2759 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2760 {
2761 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len);
2762 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2763 sm->tdls_prohibited ? "prohibited" : "allowed");
2764 }
2765
2766
wpa_tdls_assoc_resp_ies(struct wpa_sm * sm,const u8 * ies,size_t len)2767 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2768 {
2769 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) {
2770 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
2771 "(Re)Association Response IEs");
2772 sm->tdls_prohibited = 1;
2773 }
2774 }
2775
2776
wpa_tdls_enable(struct wpa_sm * sm,int enabled)2777 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
2778 {
2779 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
2780 sm->tdls_disabled = !enabled;
2781 }
2782
2783
wpa_tdls_is_external_setup(struct wpa_sm * sm)2784 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
2785 {
2786 return sm->tdls_external_setup;
2787 }
2788