1 /*
2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "crypto/sha256.h"
16 #include "crypto/crypto.h"
17 #include "crypto/aes_wrap.h"
18 #include "rsn_supp/wpa.h"
19 #include "rsn_supp/wpa_ie.h"
20 #include "rsn_supp/wpa_i.h"
21 #include "drivers/driver.h"
22 #include "l2_packet/l2_packet.h"
23
24 #ifdef CONFIG_TDLS_TESTING
25 #define TDLS_TESTING_LONG_FRAME BIT(0)
26 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
27 #define TDLS_TESTING_DIFF_BSSID BIT(2)
28 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
29 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
30 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
31 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
32 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
33 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
34 #define TDLS_TESTING_DECLINE_RESP BIT(9)
35 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
36 #define TDLS_TESTING_WRONG_MIC BIT(11)
37 unsigned int tdls_testing = 0;
38 #endif /* CONFIG_TDLS_TESTING */
39
40 #define TPK_LIFETIME 43200 /* 12 hours */
41 #define TPK_M1_RETRY_COUNT 3
42 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
43 #define TPK_M2_RETRY_COUNT 10
44 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
45
46 #define TDLS_MIC_LEN 16
47
48 #define TDLS_TIMEOUT_LEN 4
49
50 struct wpa_tdls_ftie {
51 u8 ie_type; /* FTIE */
52 u8 ie_len;
53 u8 mic_ctrl[2];
54 u8 mic[TDLS_MIC_LEN];
55 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
56 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
57 /* followed by optional elements */
58 } STRUCT_PACKED;
59
60 struct wpa_tdls_timeoutie {
61 u8 ie_type; /* Timeout IE */
62 u8 ie_len;
63 u8 interval_type;
64 u8 value[TDLS_TIMEOUT_LEN];
65 } STRUCT_PACKED;
66
67 struct wpa_tdls_lnkid {
68 u8 ie_type; /* Link Identifier IE */
69 u8 ie_len;
70 u8 bssid[ETH_ALEN];
71 u8 init_sta[ETH_ALEN];
72 u8 resp_sta[ETH_ALEN];
73 } STRUCT_PACKED;
74
75 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
76 struct wpa_tdls_frame {
77 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
78 u8 category; /* Category */
79 u8 action; /* Action (enum tdls_frame_type) */
80 } STRUCT_PACKED;
81
82 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
83 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
84 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
85 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
86 struct wpa_tdls_peer *peer);
87 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
88 u16 reason_code);
89
90
91 #define TDLS_MAX_IE_LEN 80
92 #define IEEE80211_MAX_SUPP_RATES 32
93
94 struct wpa_tdls_peer {
95 struct wpa_tdls_peer *next;
96 unsigned int reconfig_key:1;
97 int initiator; /* whether this end was initiator for TDLS setup */
98 u8 addr[ETH_ALEN]; /* other end MAC address */
99 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
100 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
101 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
102 size_t rsnie_i_len;
103 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
104 size_t rsnie_p_len;
105 u32 lifetime;
106 int cipher; /* Selected cipher (WPA_CIPHER_*) */
107 u8 dtoken;
108
109 struct tpk {
110 u8 kck[16]; /* TPK-KCK */
111 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
112 } tpk;
113 int tpk_set;
114 int tpk_success;
115 int tpk_in_progress;
116
117 struct tpk_timer {
118 u8 dest[ETH_ALEN];
119 int count; /* Retry Count */
120 int timer; /* Timeout in milliseconds */
121 u8 action_code; /* TDLS frame type */
122 u8 dialog_token;
123 u16 status_code;
124 u32 peer_capab;
125 int buf_len; /* length of TPK message for retransmission */
126 u8 *buf; /* buffer for TPK message */
127 } sm_tmr;
128
129 u16 capability;
130
131 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
132 size_t supp_rates_len;
133
134 struct ieee80211_ht_capabilities *ht_capabilities;
135 struct ieee80211_vht_capabilities *vht_capabilities;
136
137 u8 qos_info;
138
139 u16 aid;
140
141 u8 *ext_capab;
142 size_t ext_capab_len;
143
144 u8 *supp_channels;
145 size_t supp_channels_len;
146
147 u8 *supp_oper_classes;
148 size_t supp_oper_classes_len;
149
150 u8 wmm_capable;
151 };
152
153
wpa_tdls_get_privacy(struct wpa_sm * sm)154 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
155 {
156 /*
157 * Get info needed from supplicant to check if the current BSS supports
158 * security. Other than OPEN mode, rest are considered secured
159 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
160 */
161 return sm->pairwise_cipher != WPA_CIPHER_NONE;
162 }
163
164
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)165 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
166 {
167 os_memcpy(pos, ie, ie_len);
168 return pos + ie_len;
169 }
170
171
wpa_tdls_del_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)172 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
173 {
174 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
175 0, 0, NULL, 0, NULL, 0) < 0) {
176 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
177 "the driver");
178 return -1;
179 }
180
181 return 0;
182 }
183
184
wpa_tdls_set_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)185 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
186 {
187 u8 key_len;
188 u8 rsc[6];
189 enum wpa_alg alg;
190
191 os_memset(rsc, 0, 6);
192
193 switch (peer->cipher) {
194 case WPA_CIPHER_CCMP:
195 alg = WPA_ALG_CCMP;
196 key_len = 16;
197 break;
198 case WPA_CIPHER_NONE:
199 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
200 "NONE - do not use pairwise keys");
201 return -1;
202 default:
203 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
204 sm->pairwise_cipher);
205 return -1;
206 }
207
208 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
209 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
210 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
211 "driver");
212 return -1;
213 }
214 return 0;
215 }
216
217
wpa_tdls_send_tpk_msg(struct wpa_sm * sm,const u8 * dst,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * buf,size_t len)218 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
219 u8 action_code, u8 dialog_token,
220 u16 status_code, u32 peer_capab,
221 int initiator, const u8 *buf, size_t len)
222 {
223 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
224 status_code, peer_capab, initiator, buf,
225 len);
226 }
227
228
wpa_tdls_tpk_send(struct wpa_sm * sm,const u8 * dest,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * msg,size_t msg_len)229 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
230 u8 dialog_token, u16 status_code, u32 peer_capab,
231 int initiator, const u8 *msg, size_t msg_len)
232 {
233 struct wpa_tdls_peer *peer;
234
235 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
236 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
237 "msg_len=%u",
238 MAC2STR(dest), action_code, dialog_token, status_code,
239 peer_capab, initiator, (unsigned int) msg_len);
240
241 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
242 status_code, peer_capab, initiator, msg,
243 msg_len)) {
244 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
245 "(action_code=%u)", action_code);
246 return -1;
247 }
248
249 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
250 action_code == WLAN_TDLS_TEARDOWN ||
251 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
252 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
253 return 0; /* No retries */
254
255 for (peer = sm->tdls; peer; peer = peer->next) {
256 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
257 break;
258 }
259
260 if (peer == NULL) {
261 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
262 "retry " MACSTR, MAC2STR(dest));
263 return 0;
264 }
265
266 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
267
268 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
269 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
270 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
271 } else {
272 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
273 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
274 }
275
276 /* Copy message to resend on timeout */
277 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
278 peer->sm_tmr.action_code = action_code;
279 peer->sm_tmr.dialog_token = dialog_token;
280 peer->sm_tmr.status_code = status_code;
281 peer->sm_tmr.peer_capab = peer_capab;
282 peer->sm_tmr.buf_len = msg_len;
283 os_free(peer->sm_tmr.buf);
284 peer->sm_tmr.buf = os_malloc(msg_len);
285 if (peer->sm_tmr.buf == NULL)
286 return -1;
287 os_memcpy(peer->sm_tmr.buf, msg, msg_len);
288
289 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
290 "(action_code=%u)", action_code);
291 eloop_register_timeout(peer->sm_tmr.timer / 1000,
292 (peer->sm_tmr.timer % 1000) * 1000,
293 wpa_tdls_tpk_retry_timeout, sm, peer);
294 return 0;
295 }
296
297
wpa_tdls_do_teardown(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u16 reason_code)298 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
299 u16 reason_code)
300 {
301 int ret;
302
303 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
304 /* disable the link after teardown was sent */
305 wpa_tdls_disable_peer_link(sm, peer);
306
307 return ret;
308 }
309
310
wpa_tdls_tpk_retry_timeout(void * eloop_ctx,void * timeout_ctx)311 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
312 {
313
314 struct wpa_sm *sm = eloop_ctx;
315 struct wpa_tdls_peer *peer = timeout_ctx;
316
317 if (peer->sm_tmr.count) {
318 peer->sm_tmr.count--;
319
320 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
321 "(action_code=%u)",
322 peer->sm_tmr.action_code);
323
324 if (peer->sm_tmr.buf == NULL) {
325 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
326 "for action_code=%u",
327 peer->sm_tmr.action_code);
328 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
329 peer);
330 return;
331 }
332
333 /* resend TPK Handshake Message to Peer */
334 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
335 peer->sm_tmr.action_code,
336 peer->sm_tmr.dialog_token,
337 peer->sm_tmr.status_code,
338 peer->sm_tmr.peer_capab,
339 peer->initiator,
340 peer->sm_tmr.buf,
341 peer->sm_tmr.buf_len)) {
342 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
343 "transmission");
344 }
345
346 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
347 eloop_register_timeout(peer->sm_tmr.timer / 1000,
348 (peer->sm_tmr.timer % 1000) * 1000,
349 wpa_tdls_tpk_retry_timeout, sm, peer);
350 } else {
351 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
352
353 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
354 wpa_tdls_do_teardown(sm, peer,
355 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
356 }
357 }
358
359
wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 action_code)360 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
361 struct wpa_tdls_peer *peer,
362 u8 action_code)
363 {
364 if (action_code == peer->sm_tmr.action_code) {
365 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
366 "action_code=%u", action_code);
367
368 /* Cancel Timeout registered */
369 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
370
371 /* free all resources meant for retry */
372 os_free(peer->sm_tmr.buf);
373 peer->sm_tmr.buf = NULL;
374
375 peer->sm_tmr.count = 0;
376 peer->sm_tmr.timer = 0;
377 peer->sm_tmr.buf_len = 0;
378 peer->sm_tmr.action_code = 0xff;
379 } else {
380 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
381 "(Unknown action_code=%u)", action_code);
382 }
383 }
384
385
wpa_tdls_generate_tpk(struct wpa_tdls_peer * peer,const u8 * own_addr,const u8 * bssid)386 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
387 const u8 *own_addr, const u8 *bssid)
388 {
389 u8 key_input[SHA256_MAC_LEN];
390 const u8 *nonce[2];
391 size_t len[2];
392 u8 data[3 * ETH_ALEN];
393
394 /* IEEE Std 802.11z-2010 8.5.9.1:
395 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
396 */
397 len[0] = WPA_NONCE_LEN;
398 len[1] = WPA_NONCE_LEN;
399 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
400 nonce[0] = peer->inonce;
401 nonce[1] = peer->rnonce;
402 } else {
403 nonce[0] = peer->rnonce;
404 nonce[1] = peer->inonce;
405 }
406 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
407 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
408 sha256_vector(2, nonce, len, key_input);
409 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
410 key_input, SHA256_MAC_LEN);
411
412 /*
413 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
414 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
415 * TODO: is N_KEY really included in KDF Context and if so, in which
416 * presentation format (little endian 16-bit?) is it used? It gets
417 * added by the KDF anyway..
418 */
419
420 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
421 os_memcpy(data, own_addr, ETH_ALEN);
422 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
423 } else {
424 os_memcpy(data, peer->addr, ETH_ALEN);
425 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
426 }
427 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
428 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
429
430 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
431 (u8 *) &peer->tpk, sizeof(peer->tpk));
432 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
433 peer->tpk.kck, sizeof(peer->tpk.kck));
434 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
435 peer->tpk.tk, sizeof(peer->tpk.tk));
436 peer->tpk_set = 1;
437 }
438
439
440 /**
441 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
442 * @kck: TPK-KCK
443 * @lnkid: Pointer to the beginning of Link Identifier IE
444 * @rsnie: Pointer to the beginning of RSN IE used for handshake
445 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
446 * @ftie: Pointer to the beginning of FT IE
447 * @mic: Pointer for writing MIC
448 *
449 * Calculate MIC for TDLS frame.
450 */
wpa_tdls_ftie_mic(const u8 * kck,u8 trans_seq,const u8 * lnkid,const u8 * rsnie,const u8 * timeoutie,const u8 * ftie,u8 * mic)451 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
452 const u8 *rsnie, const u8 *timeoutie,
453 const u8 *ftie, u8 *mic)
454 {
455 u8 *buf, *pos;
456 struct wpa_tdls_ftie *_ftie;
457 const struct wpa_tdls_lnkid *_lnkid;
458 int ret;
459 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
460 2 + timeoutie[1] + 2 + ftie[1];
461 buf = os_zalloc(len);
462 if (!buf) {
463 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
464 return -1;
465 }
466
467 pos = buf;
468 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
469 /* 1) TDLS initiator STA MAC address */
470 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
471 pos += ETH_ALEN;
472 /* 2) TDLS responder STA MAC address */
473 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
474 pos += ETH_ALEN;
475 /* 3) Transaction Sequence number */
476 *pos++ = trans_seq;
477 /* 4) Link Identifier IE */
478 os_memcpy(pos, lnkid, 2 + lnkid[1]);
479 pos += 2 + lnkid[1];
480 /* 5) RSN IE */
481 os_memcpy(pos, rsnie, 2 + rsnie[1]);
482 pos += 2 + rsnie[1];
483 /* 6) Timeout Interval IE */
484 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
485 pos += 2 + timeoutie[1];
486 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
487 os_memcpy(pos, ftie, 2 + ftie[1]);
488 _ftie = (struct wpa_tdls_ftie *) pos;
489 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
490 pos += 2 + ftie[1];
491
492 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
493 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
494 ret = omac1_aes_128(kck, buf, pos - buf, mic);
495 os_free(buf);
496 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
497 return ret;
498 }
499
500
501 /**
502 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
503 * @kck: TPK-KCK
504 * @trans_seq: Transaction Sequence Number (4 - Teardown)
505 * @rcode: Reason code for Teardown
506 * @dtoken: Dialog Token used for that particular link
507 * @lnkid: Pointer to the beginning of Link Identifier IE
508 * @ftie: Pointer to the beginning of FT IE
509 * @mic: Pointer for writing MIC
510 *
511 * Calculate MIC for TDLS frame.
512 */
wpa_tdls_key_mic_teardown(const u8 * kck,u8 trans_seq,u16 rcode,u8 dtoken,const u8 * lnkid,const u8 * ftie,u8 * mic)513 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
514 u8 dtoken, const u8 *lnkid,
515 const u8 *ftie, u8 *mic)
516 {
517 u8 *buf, *pos;
518 struct wpa_tdls_ftie *_ftie;
519 int ret;
520 int len;
521
522 if (lnkid == NULL)
523 return -1;
524
525 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
526 sizeof(trans_seq) + 2 + ftie[1];
527
528 buf = os_zalloc(len);
529 if (!buf) {
530 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
531 return -1;
532 }
533
534 pos = buf;
535 /* 1) Link Identifier IE */
536 os_memcpy(pos, lnkid, 2 + lnkid[1]);
537 pos += 2 + lnkid[1];
538 /* 2) Reason Code */
539 WPA_PUT_LE16(pos, rcode);
540 pos += sizeof(rcode);
541 /* 3) Dialog token */
542 *pos++ = dtoken;
543 /* 4) Transaction Sequence number */
544 *pos++ = trans_seq;
545 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
546 os_memcpy(pos, ftie, 2 + ftie[1]);
547 _ftie = (struct wpa_tdls_ftie *) pos;
548 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
549 pos += 2 + ftie[1];
550
551 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
552 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
553 ret = omac1_aes_128(kck, buf, pos - buf, mic);
554 os_free(buf);
555 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
556 return ret;
557 }
558
559
wpa_supplicant_verify_tdls_mic(u8 trans_seq,struct wpa_tdls_peer * peer,const u8 * lnkid,const u8 * timeoutie,const struct wpa_tdls_ftie * ftie)560 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
561 struct wpa_tdls_peer *peer,
562 const u8 *lnkid, const u8 *timeoutie,
563 const struct wpa_tdls_ftie *ftie)
564 {
565 u8 mic[16];
566
567 if (peer->tpk_set) {
568 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
569 peer->rsnie_p, timeoutie, (u8 *) ftie,
570 mic);
571 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
572 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
573 "dropping packet");
574 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
575 ftie->mic, 16);
576 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
577 mic, 16);
578 return -1;
579 }
580 } else {
581 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
582 "TPK not set - dropping packet");
583 return -1;
584 }
585 return 0;
586 }
587
588
wpa_supplicant_verify_tdls_mic_teardown(u8 trans_seq,u16 rcode,u8 dtoken,struct wpa_tdls_peer * peer,const u8 * lnkid,const struct wpa_tdls_ftie * ftie)589 static int wpa_supplicant_verify_tdls_mic_teardown(
590 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
591 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
592 {
593 u8 mic[16];
594
595 if (peer->tpk_set) {
596 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
597 dtoken, lnkid, (u8 *) ftie, mic);
598 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
599 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
600 "dropping packet");
601 return -1;
602 }
603 } else {
604 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
605 "MIC, TPK not set - dropping packet");
606 return -1;
607 }
608 return 0;
609 }
610
611
wpa_tdls_tpk_timeout(void * eloop_ctx,void * timeout_ctx)612 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
613 {
614 struct wpa_sm *sm = eloop_ctx;
615 struct wpa_tdls_peer *peer = timeout_ctx;
616
617 /*
618 * On TPK lifetime expiration, we have an option of either tearing down
619 * the direct link or trying to re-initiate it. The selection of what
620 * to do is not strictly speaking controlled by our role in the expired
621 * link, but for now, use that to select whether to renew or tear down
622 * the link.
623 */
624
625 if (peer->initiator) {
626 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
627 " - try to renew", MAC2STR(peer->addr));
628 wpa_tdls_start(sm, peer->addr);
629 } else {
630 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
631 " - tear down", MAC2STR(peer->addr));
632 wpa_tdls_do_teardown(sm, peer,
633 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
634 }
635 }
636
637
wpa_tdls_peer_remove_from_list(struct wpa_sm * sm,struct wpa_tdls_peer * peer)638 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
639 struct wpa_tdls_peer *peer)
640 {
641 struct wpa_tdls_peer *cur, *prev;
642
643 cur = sm->tdls;
644 prev = NULL;
645 while (cur && cur != peer) {
646 prev = cur;
647 cur = cur->next;
648 }
649
650 if (cur != peer) {
651 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
652 " to remove it from the list",
653 MAC2STR(peer->addr));
654 return;
655 }
656
657 if (prev)
658 prev->next = peer->next;
659 else
660 sm->tdls = peer->next;
661 }
662
663
wpa_tdls_peer_clear(struct wpa_sm * sm,struct wpa_tdls_peer * peer)664 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
665 {
666 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
667 MAC2STR(peer->addr));
668 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
669 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
670 peer->reconfig_key = 0;
671 peer->initiator = 0;
672 peer->tpk_in_progress = 0;
673 os_free(peer->sm_tmr.buf);
674 peer->sm_tmr.buf = NULL;
675 os_free(peer->ht_capabilities);
676 peer->ht_capabilities = NULL;
677 os_free(peer->vht_capabilities);
678 peer->vht_capabilities = NULL;
679 os_free(peer->ext_capab);
680 peer->ext_capab = NULL;
681 os_free(peer->supp_channels);
682 peer->supp_channels = NULL;
683 os_free(peer->supp_oper_classes);
684 peer->supp_oper_classes = NULL;
685 peer->rsnie_i_len = peer->rsnie_p_len = 0;
686 peer->cipher = 0;
687 peer->qos_info = 0;
688 peer->wmm_capable = 0;
689 peer->tpk_set = peer->tpk_success = 0;
690 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
691 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
692 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
693 }
694
695
wpa_tdls_peer_free(struct wpa_sm * sm,struct wpa_tdls_peer * peer)696 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
697 {
698 wpa_tdls_peer_clear(sm, peer);
699 wpa_tdls_peer_remove_from_list(sm, peer);
700 os_free(peer);
701 }
702
703
wpa_tdls_linkid(struct wpa_sm * sm,struct wpa_tdls_peer * peer,struct wpa_tdls_lnkid * lnkid)704 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
705 struct wpa_tdls_lnkid *lnkid)
706 {
707 lnkid->ie_type = WLAN_EID_LINK_ID;
708 lnkid->ie_len = 3 * ETH_ALEN;
709 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
710 if (peer->initiator) {
711 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
712 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
713 } else {
714 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
715 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
716 }
717 }
718
719
wpa_tdls_send_teardown(struct wpa_sm * sm,const u8 * addr,u16 reason_code)720 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
721 u16 reason_code)
722 {
723 struct wpa_tdls_peer *peer;
724 struct wpa_tdls_ftie *ftie;
725 struct wpa_tdls_lnkid lnkid;
726 u8 dialog_token;
727 u8 *rbuf, *pos;
728 int ielen;
729
730 if (sm->tdls_disabled || !sm->tdls_supported)
731 return -1;
732
733 /* Find the node and free from the list */
734 for (peer = sm->tdls; peer; peer = peer->next) {
735 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
736 break;
737 }
738
739 if (peer == NULL) {
740 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
741 "Teardown " MACSTR, MAC2STR(addr));
742 return 0;
743 }
744
745 dialog_token = peer->dtoken;
746
747 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
748 MAC2STR(addr));
749
750 ielen = 0;
751 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
752 /* To add FTIE for Teardown request and compute MIC */
753 ielen += sizeof(*ftie);
754 #ifdef CONFIG_TDLS_TESTING
755 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
756 ielen += 170;
757 #endif /* CONFIG_TDLS_TESTING */
758 }
759
760 rbuf = os_zalloc(ielen + 1);
761 if (rbuf == NULL)
762 return -1;
763 pos = rbuf;
764
765 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
766 goto skip_ies;
767
768 ftie = (struct wpa_tdls_ftie *) pos;
769 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
770 /* Using the recent nonce which should be for CONFIRM frame */
771 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
772 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
773 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
774 pos = (u8 *) (ftie + 1);
775 #ifdef CONFIG_TDLS_TESTING
776 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
777 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
778 "FTIE");
779 ftie->ie_len += 170;
780 *pos++ = 255; /* FTIE subelem */
781 *pos++ = 168; /* FTIE subelem length */
782 pos += 168;
783 }
784 #endif /* CONFIG_TDLS_TESTING */
785 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
786 (u8 *) ftie, pos - (u8 *) ftie);
787
788 /* compute MIC before sending */
789 wpa_tdls_linkid(sm, peer, &lnkid);
790 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
791 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
792 ftie->mic);
793
794 skip_ies:
795 /* TODO: register for a Timeout handler, if Teardown is not received at
796 * the other end, then try again another time */
797
798 /* request driver to send Teardown using this FTIE */
799 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
800 reason_code, 0, peer->initiator, rbuf, pos - rbuf);
801 os_free(rbuf);
802
803 return 0;
804 }
805
806
wpa_tdls_teardown_link(struct wpa_sm * sm,const u8 * addr,u16 reason_code)807 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
808 {
809 struct wpa_tdls_peer *peer;
810
811 if (sm->tdls_disabled || !sm->tdls_supported)
812 return -1;
813
814 for (peer = sm->tdls; peer; peer = peer->next) {
815 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
816 break;
817 }
818
819 if (peer == NULL) {
820 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
821 " for link Teardown", MAC2STR(addr));
822 return -1;
823 }
824
825 if (!peer->tpk_success) {
826 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
827 " not connected - cannot Teardown link", MAC2STR(addr));
828 return -1;
829 }
830
831 return wpa_tdls_do_teardown(sm, peer, reason_code);
832 }
833
834
wpa_tdls_disable_peer_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)835 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
836 struct wpa_tdls_peer *peer)
837 {
838 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
839 wpa_tdls_peer_free(sm, peer);
840 }
841
842
wpa_tdls_disable_unreachable_link(struct wpa_sm * sm,const u8 * addr)843 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
844 {
845 struct wpa_tdls_peer *peer;
846
847 for (peer = sm->tdls; peer; peer = peer->next) {
848 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
849 break;
850 }
851
852 if (!peer || !peer->tpk_success) {
853 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
854 " not connected - cannot teardown unreachable link",
855 MAC2STR(addr));
856 return;
857 }
858
859 if (wpa_tdls_is_external_setup(sm)) {
860 /*
861 * Disable the link, send a teardown packet through the
862 * AP, and then reset link data.
863 */
864 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
865 wpa_tdls_send_teardown(sm, addr,
866 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
867 wpa_tdls_peer_free(sm, peer);
868 } else {
869 wpa_tdls_disable_peer_link(sm, peer);
870 }
871 }
872
873
wpa_tdls_get_link_status(struct wpa_sm * sm,const u8 * addr)874 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
875 {
876 struct wpa_tdls_peer *peer;
877
878 if (sm->tdls_disabled || !sm->tdls_supported)
879 return "disabled";
880
881 for (peer = sm->tdls; peer; peer = peer->next) {
882 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
883 break;
884 }
885
886 if (peer == NULL)
887 return "peer does not exist";
888
889 if (!peer->tpk_success)
890 return "peer not connected";
891
892 return "connected";
893 }
894
895
wpa_tdls_recv_teardown(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)896 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
897 const u8 *buf, size_t len)
898 {
899 struct wpa_tdls_peer *peer = NULL;
900 struct wpa_tdls_ftie *ftie;
901 struct wpa_tdls_lnkid *lnkid;
902 struct wpa_eapol_ie_parse kde;
903 u16 reason_code;
904 const u8 *pos;
905 int ielen;
906
907 /* Find the node and free from the list */
908 for (peer = sm->tdls; peer; peer = peer->next) {
909 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
910 break;
911 }
912
913 if (peer == NULL) {
914 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
915 "Teardown " MACSTR, MAC2STR(src_addr));
916 return 0;
917 }
918
919 pos = buf;
920 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
921
922 reason_code = WPA_GET_LE16(pos);
923 pos += 2;
924
925 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
926 " (reason code %u)", MAC2STR(src_addr), reason_code);
927
928 ielen = len - (pos - buf); /* start of IE in buf */
929 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
930 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown");
931 return -1;
932 }
933
934 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
935 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
936 "Teardown");
937 return -1;
938 }
939 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
940
941 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
942 goto skip_ftie;
943
944 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
945 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
946 return -1;
947 }
948
949 ftie = (struct wpa_tdls_ftie *) kde.ftie;
950
951 /* Process MIC check to see if TDLS Teardown is right */
952 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
953 peer->dtoken, peer,
954 (u8 *) lnkid, ftie) < 0) {
955 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
956 "Teardown Request from " MACSTR, MAC2STR(src_addr));
957 return -1;
958 }
959
960 skip_ftie:
961 /*
962 * Request the driver to disable the direct link and clear associated
963 * keys.
964 */
965 wpa_tdls_disable_peer_link(sm, peer);
966 return 0;
967 }
968
969
970 /**
971 * wpa_tdls_send_error - To send suitable TDLS status response with
972 * appropriate status code mentioning reason for error/failure.
973 * @dst - MAC addr of Peer station
974 * @tdls_action - TDLS frame type for which error code is sent
975 * @initiator - was this end the initiator of the connection
976 * @status - status code mentioning reason
977 */
978
wpa_tdls_send_error(struct wpa_sm * sm,const u8 * dst,u8 tdls_action,u8 dialog_token,int initiator,u16 status)979 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
980 u8 tdls_action, u8 dialog_token, int initiator,
981 u16 status)
982 {
983 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
984 " (action=%u status=%u)",
985 MAC2STR(dst), tdls_action, status);
986 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
987 0, initiator, NULL, 0);
988 }
989
990
991 static struct wpa_tdls_peer *
wpa_tdls_add_peer(struct wpa_sm * sm,const u8 * addr,int * existing)992 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
993 {
994 struct wpa_tdls_peer *peer;
995
996 if (existing)
997 *existing = 0;
998 for (peer = sm->tdls; peer; peer = peer->next) {
999 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1000 if (existing)
1001 *existing = 1;
1002 return peer; /* re-use existing entry */
1003 }
1004 }
1005
1006 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1007 MAC2STR(addr));
1008
1009 peer = os_zalloc(sizeof(*peer));
1010 if (peer == NULL)
1011 return NULL;
1012
1013 os_memcpy(peer->addr, addr, ETH_ALEN);
1014 peer->next = sm->tdls;
1015 sm->tdls = peer;
1016
1017 return peer;
1018 }
1019
1020
wpa_tdls_send_tpk_m1(struct wpa_sm * sm,struct wpa_tdls_peer * peer)1021 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1022 struct wpa_tdls_peer *peer)
1023 {
1024 size_t buf_len;
1025 struct wpa_tdls_timeoutie timeoutie;
1026 u16 rsn_capab;
1027 struct wpa_tdls_ftie *ftie;
1028 u8 *rbuf, *pos, *count_pos;
1029 u16 count;
1030 struct rsn_ie_hdr *hdr;
1031 int status;
1032
1033 if (!wpa_tdls_get_privacy(sm)) {
1034 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1035 peer->rsnie_i_len = 0;
1036 goto skip_rsnie;
1037 }
1038
1039 /*
1040 * TPK Handshake Message 1:
1041 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1042 * Timeout Interval IE))
1043 */
1044
1045 /* Filling RSN IE */
1046 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1047 hdr->elem_id = WLAN_EID_RSN;
1048 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1049
1050 pos = (u8 *) (hdr + 1);
1051 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1052 pos += RSN_SELECTOR_LEN;
1053 count_pos = pos;
1054 pos += 2;
1055
1056 count = 0;
1057
1058 /*
1059 * AES-CCMP is the default Encryption preferred for TDLS, so
1060 * RSN IE is filled only with CCMP CIPHER
1061 * Note: TKIP is not used to encrypt TDLS link.
1062 *
1063 * Regardless of the cipher used on the AP connection, select CCMP
1064 * here.
1065 */
1066 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1067 pos += RSN_SELECTOR_LEN;
1068 count++;
1069
1070 WPA_PUT_LE16(count_pos, count);
1071
1072 WPA_PUT_LE16(pos, 1);
1073 pos += 2;
1074 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1075 pos += RSN_SELECTOR_LEN;
1076
1077 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1078 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1079 #ifdef CONFIG_TDLS_TESTING
1080 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1081 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1082 "testing");
1083 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1084 }
1085 #endif /* CONFIG_TDLS_TESTING */
1086 WPA_PUT_LE16(pos, rsn_capab);
1087 pos += 2;
1088 #ifdef CONFIG_TDLS_TESTING
1089 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1090 /* Number of PMKIDs */
1091 *pos++ = 0x00;
1092 *pos++ = 0x00;
1093 }
1094 #endif /* CONFIG_TDLS_TESTING */
1095
1096 hdr->len = (pos - peer->rsnie_i) - 2;
1097 peer->rsnie_i_len = pos - peer->rsnie_i;
1098 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1099 peer->rsnie_i, peer->rsnie_i_len);
1100
1101 skip_rsnie:
1102 buf_len = 0;
1103 if (wpa_tdls_get_privacy(sm))
1104 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1105 sizeof(struct wpa_tdls_timeoutie);
1106 #ifdef CONFIG_TDLS_TESTING
1107 if (wpa_tdls_get_privacy(sm) &&
1108 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1109 buf_len += 170;
1110 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1111 buf_len += sizeof(struct wpa_tdls_lnkid);
1112 #endif /* CONFIG_TDLS_TESTING */
1113 rbuf = os_zalloc(buf_len + 1);
1114 if (rbuf == NULL) {
1115 wpa_tdls_peer_free(sm, peer);
1116 return -1;
1117 }
1118 pos = rbuf;
1119
1120 if (!wpa_tdls_get_privacy(sm))
1121 goto skip_ies;
1122
1123 /* Initiator RSN IE */
1124 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1125
1126 ftie = (struct wpa_tdls_ftie *) pos;
1127 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1128 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1129
1130 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1131 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1132 "TDLS: Failed to get random data for initiator Nonce");
1133 os_free(rbuf);
1134 wpa_tdls_peer_free(sm, peer);
1135 return -1;
1136 }
1137 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1138 peer->inonce, WPA_NONCE_LEN);
1139 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1140
1141 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1142 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1143
1144 pos = (u8 *) (ftie + 1);
1145
1146 #ifdef CONFIG_TDLS_TESTING
1147 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1148 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1149 "FTIE");
1150 ftie->ie_len += 170;
1151 *pos++ = 255; /* FTIE subelem */
1152 *pos++ = 168; /* FTIE subelem length */
1153 pos += 168;
1154 }
1155 #endif /* CONFIG_TDLS_TESTING */
1156
1157 /* Lifetime */
1158 peer->lifetime = TPK_LIFETIME;
1159 #ifdef CONFIG_TDLS_TESTING
1160 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1161 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1162 "lifetime");
1163 peer->lifetime = 301;
1164 }
1165 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1166 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1167 "lifetime");
1168 peer->lifetime = 0xffffffff;
1169 }
1170 #endif /* CONFIG_TDLS_TESTING */
1171 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1172 sizeof(timeoutie), peer->lifetime);
1173 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1174
1175 skip_ies:
1176
1177 #ifdef CONFIG_TDLS_TESTING
1178 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1179 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1180 "Link Identifier");
1181 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1182 wpa_tdls_linkid(sm, peer, l);
1183 l->bssid[5] ^= 0x01;
1184 pos += sizeof(*l);
1185 }
1186 #endif /* CONFIG_TDLS_TESTING */
1187
1188 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1189 "Handshake Message 1 (peer " MACSTR ")",
1190 MAC2STR(peer->addr));
1191
1192 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1193 1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1194 os_free(rbuf);
1195
1196 return status;
1197 }
1198
1199
wpa_tdls_send_tpk_m2(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1200 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1201 const unsigned char *src_addr, u8 dtoken,
1202 struct wpa_tdls_lnkid *lnkid,
1203 const struct wpa_tdls_peer *peer)
1204 {
1205 u8 *rbuf, *pos;
1206 size_t buf_len;
1207 u32 lifetime;
1208 struct wpa_tdls_timeoutie timeoutie;
1209 struct wpa_tdls_ftie *ftie;
1210 int status;
1211
1212 buf_len = 0;
1213 if (wpa_tdls_get_privacy(sm)) {
1214 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1215 * Lifetime */
1216 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1217 sizeof(struct wpa_tdls_timeoutie);
1218 #ifdef CONFIG_TDLS_TESTING
1219 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1220 buf_len += 170;
1221 #endif /* CONFIG_TDLS_TESTING */
1222 }
1223
1224 rbuf = os_zalloc(buf_len + 1);
1225 if (rbuf == NULL)
1226 return -1;
1227 pos = rbuf;
1228
1229 if (!wpa_tdls_get_privacy(sm))
1230 goto skip_ies;
1231
1232 /* Peer RSN IE */
1233 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1234
1235 ftie = (struct wpa_tdls_ftie *) pos;
1236 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1237 /* TODO: ftie->mic_control to set 2-RESPONSE */
1238 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1239 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1240 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1241 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1242 (u8 *) ftie, sizeof(*ftie));
1243
1244 pos = (u8 *) (ftie + 1);
1245
1246 #ifdef CONFIG_TDLS_TESTING
1247 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1248 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1249 "FTIE");
1250 ftie->ie_len += 170;
1251 *pos++ = 255; /* FTIE subelem */
1252 *pos++ = 168; /* FTIE subelem length */
1253 pos += 168;
1254 }
1255 #endif /* CONFIG_TDLS_TESTING */
1256
1257 /* Lifetime */
1258 lifetime = peer->lifetime;
1259 #ifdef CONFIG_TDLS_TESTING
1260 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1261 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1262 "lifetime in response");
1263 lifetime++;
1264 }
1265 #endif /* CONFIG_TDLS_TESTING */
1266 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1267 sizeof(timeoutie), lifetime);
1268 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1269 lifetime);
1270
1271 /* compute MIC before sending */
1272 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1273 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1274 #ifdef CONFIG_TDLS_TESTING
1275 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1276 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1277 ftie->mic[0] ^= 0x01;
1278 }
1279 #endif /* CONFIG_TDLS_TESTING */
1280
1281 skip_ies:
1282 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1283 dtoken, 0, 0, peer->initiator, rbuf,
1284 pos - rbuf);
1285 os_free(rbuf);
1286
1287 return status;
1288 }
1289
1290
wpa_tdls_send_tpk_m3(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1291 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1292 const unsigned char *src_addr, u8 dtoken,
1293 struct wpa_tdls_lnkid *lnkid,
1294 const struct wpa_tdls_peer *peer)
1295 {
1296 u8 *rbuf, *pos;
1297 size_t buf_len;
1298 struct wpa_tdls_ftie *ftie;
1299 struct wpa_tdls_timeoutie timeoutie;
1300 u32 lifetime;
1301 int status;
1302 u32 peer_capab = 0;
1303
1304 buf_len = 0;
1305 if (wpa_tdls_get_privacy(sm)) {
1306 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1307 * Lifetime */
1308 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1309 sizeof(struct wpa_tdls_timeoutie);
1310 #ifdef CONFIG_TDLS_TESTING
1311 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1312 buf_len += 170;
1313 #endif /* CONFIG_TDLS_TESTING */
1314 }
1315
1316 rbuf = os_zalloc(buf_len + 1);
1317 if (rbuf == NULL)
1318 return -1;
1319 pos = rbuf;
1320
1321 if (!wpa_tdls_get_privacy(sm))
1322 goto skip_ies;
1323
1324 /* Peer RSN IE */
1325 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1326
1327 ftie = (struct wpa_tdls_ftie *) pos;
1328 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1329 /*TODO: ftie->mic_control to set 3-CONFIRM */
1330 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1331 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1332 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1333
1334 pos = (u8 *) (ftie + 1);
1335
1336 #ifdef CONFIG_TDLS_TESTING
1337 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1338 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1339 "FTIE");
1340 ftie->ie_len += 170;
1341 *pos++ = 255; /* FTIE subelem */
1342 *pos++ = 168; /* FTIE subelem length */
1343 pos += 168;
1344 }
1345 #endif /* CONFIG_TDLS_TESTING */
1346
1347 /* Lifetime */
1348 lifetime = peer->lifetime;
1349 #ifdef CONFIG_TDLS_TESTING
1350 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1351 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1352 "lifetime in confirm");
1353 lifetime++;
1354 }
1355 #endif /* CONFIG_TDLS_TESTING */
1356 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1357 sizeof(timeoutie), lifetime);
1358 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1359 lifetime);
1360
1361 /* compute MIC before sending */
1362 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1363 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1364 #ifdef CONFIG_TDLS_TESTING
1365 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1366 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1367 ftie->mic[0] ^= 0x01;
1368 }
1369 #endif /* CONFIG_TDLS_TESTING */
1370
1371 skip_ies:
1372
1373 if (peer->vht_capabilities)
1374 peer_capab |= TDLS_PEER_VHT;
1375 if (peer->ht_capabilities)
1376 peer_capab |= TDLS_PEER_HT;
1377 if (peer->wmm_capable)
1378 peer_capab |= TDLS_PEER_WMM;
1379
1380 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1381 dtoken, 0, peer_capab, peer->initiator,
1382 rbuf, pos - rbuf);
1383 os_free(rbuf);
1384
1385 return status;
1386 }
1387
1388
wpa_tdls_send_discovery_response(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 dialog_token)1389 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1390 struct wpa_tdls_peer *peer,
1391 u8 dialog_token)
1392 {
1393 size_t buf_len = 0;
1394 struct wpa_tdls_timeoutie timeoutie;
1395 u16 rsn_capab;
1396 u8 *rbuf, *pos, *count_pos;
1397 u16 count;
1398 struct rsn_ie_hdr *hdr;
1399 int status;
1400
1401 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1402 "(peer " MACSTR ")", MAC2STR(peer->addr));
1403 if (!wpa_tdls_get_privacy(sm))
1404 goto skip_rsn_ies;
1405
1406 /* Filling RSN IE */
1407 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1408 hdr->elem_id = WLAN_EID_RSN;
1409 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1410 pos = (u8 *) (hdr + 1);
1411 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1412 pos += RSN_SELECTOR_LEN;
1413 count_pos = pos;
1414 pos += 2;
1415 count = 0;
1416
1417 /*
1418 * AES-CCMP is the default encryption preferred for TDLS, so
1419 * RSN IE is filled only with CCMP cipher suite.
1420 * Note: TKIP is not used to encrypt TDLS link.
1421 *
1422 * Regardless of the cipher used on the AP connection, select CCMP
1423 * here.
1424 */
1425 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1426 pos += RSN_SELECTOR_LEN;
1427 count++;
1428 WPA_PUT_LE16(count_pos, count);
1429 WPA_PUT_LE16(pos, 1);
1430 pos += 2;
1431 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1432 pos += RSN_SELECTOR_LEN;
1433
1434 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1435 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1436 WPA_PUT_LE16(pos, rsn_capab);
1437 pos += 2;
1438 hdr->len = (pos - (u8 *) hdr) - 2;
1439 peer->rsnie_i_len = pos - peer->rsnie_i;
1440
1441 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1442 (u8 *) hdr, hdr->len + 2);
1443 skip_rsn_ies:
1444 buf_len = 0;
1445 if (wpa_tdls_get_privacy(sm)) {
1446 /* Peer RSN IE, Lifetime */
1447 buf_len += peer->rsnie_i_len +
1448 sizeof(struct wpa_tdls_timeoutie);
1449 }
1450 rbuf = os_zalloc(buf_len + 1);
1451 if (rbuf == NULL) {
1452 wpa_tdls_peer_free(sm, peer);
1453 return -1;
1454 }
1455 pos = rbuf;
1456
1457 if (!wpa_tdls_get_privacy(sm))
1458 goto skip_ies;
1459 /* Initiator RSN IE */
1460 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1461 /* Lifetime */
1462 peer->lifetime = TPK_LIFETIME;
1463 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1464 sizeof(timeoutie), peer->lifetime);
1465 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1466 skip_ies:
1467 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1468 dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1469 os_free(rbuf);
1470
1471 return status;
1472 }
1473
1474
1475 static int
wpa_tdls_process_discovery_request(struct wpa_sm * sm,const u8 * addr,const u8 * buf,size_t len)1476 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1477 const u8 *buf, size_t len)
1478 {
1479 struct wpa_eapol_ie_parse kde;
1480 const struct wpa_tdls_lnkid *lnkid;
1481 struct wpa_tdls_peer *peer;
1482 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1483 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1484 u8 dialog_token;
1485
1486 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1487 MAC2STR(addr));
1488
1489 if (len < min_req_len) {
1490 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1491 "%d", (int) len);
1492 return -1;
1493 }
1494
1495 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1496
1497 /*
1498 * Some APs will tack on a weird IE to the end of a TDLS
1499 * discovery request packet. This needn't fail the response,
1500 * since the required IE are verified separately.
1501 */
1502 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1503 len - (sizeof(struct wpa_tdls_frame) + 1),
1504 &kde) < 0) {
1505 wpa_printf(MSG_DEBUG,
1506 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1507 }
1508
1509 if (!kde.lnkid) {
1510 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1511 "Request");
1512 return -1;
1513 }
1514
1515 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1516
1517 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1518 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1519 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1520 return -1;
1521 }
1522
1523 peer = wpa_tdls_add_peer(sm, addr, NULL);
1524 if (peer == NULL)
1525 return -1;
1526
1527 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1528 }
1529
1530
wpa_tdls_send_discovery_request(struct wpa_sm * sm,const u8 * addr)1531 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1532 {
1533 if (sm->tdls_disabled || !sm->tdls_supported)
1534 return -1;
1535
1536 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1537 MACSTR, MAC2STR(addr));
1538 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1539 1, 0, 0, 1, NULL, 0);
1540 }
1541
1542
copy_supp_rates(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1543 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1544 struct wpa_tdls_peer *peer)
1545 {
1546 if (!kde->supp_rates) {
1547 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1548 return -1;
1549 }
1550 peer->supp_rates_len = merge_byte_arrays(
1551 peer->supp_rates, sizeof(peer->supp_rates),
1552 kde->supp_rates + 2, kde->supp_rates_len - 2,
1553 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1554 kde->ext_supp_rates_len - 2);
1555 return 0;
1556 }
1557
1558
copy_peer_ht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1559 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1560 struct wpa_tdls_peer *peer)
1561 {
1562 if (!kde->ht_capabilities ||
1563 kde->ht_capabilities_len <
1564 sizeof(struct ieee80211_ht_capabilities) ) {
1565 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1566 "received");
1567 return 0;
1568 }
1569
1570 if (!peer->ht_capabilities) {
1571 peer->ht_capabilities =
1572 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1573 if (peer->ht_capabilities == NULL)
1574 return -1;
1575 }
1576
1577 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1578 sizeof(struct ieee80211_ht_capabilities));
1579 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1580 (u8 *) peer->ht_capabilities,
1581 sizeof(struct ieee80211_ht_capabilities));
1582
1583 return 0;
1584 }
1585
1586
copy_peer_vht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1587 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1588 struct wpa_tdls_peer *peer)
1589 {
1590 if (!kde->vht_capabilities ||
1591 kde->vht_capabilities_len <
1592 sizeof(struct ieee80211_vht_capabilities) ) {
1593 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1594 "received");
1595 return 0;
1596 }
1597
1598 if (!peer->vht_capabilities) {
1599 peer->vht_capabilities =
1600 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1601 if (peer->vht_capabilities == NULL)
1602 return -1;
1603 }
1604
1605 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1606 sizeof(struct ieee80211_vht_capabilities));
1607 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1608 (u8 *) peer->vht_capabilities,
1609 sizeof(struct ieee80211_vht_capabilities));
1610
1611 return 0;
1612 }
1613
1614
copy_peer_ext_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1615 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1616 struct wpa_tdls_peer *peer)
1617 {
1618 if (!kde->ext_capab) {
1619 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1620 "received");
1621 return 0;
1622 }
1623
1624 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1625 /* Need to allocate buffer to fit the new information */
1626 os_free(peer->ext_capab);
1627 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1628 if (peer->ext_capab == NULL)
1629 return -1;
1630 }
1631
1632 peer->ext_capab_len = kde->ext_capab_len - 2;
1633 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1634
1635 return 0;
1636 }
1637
1638
copy_peer_wmm_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1639 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1640 struct wpa_tdls_peer *peer)
1641 {
1642 struct wmm_information_element *wmm;
1643
1644 if (!kde->wmm) {
1645 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1646 return 0;
1647 }
1648
1649 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1650 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1651 return -1;
1652 }
1653
1654 wmm = (struct wmm_information_element *) kde->wmm;
1655 peer->qos_info = wmm->qos_info;
1656
1657 peer->wmm_capable = 1;
1658
1659 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1660 return 0;
1661 }
1662
1663
copy_peer_supp_channels(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1664 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1665 struct wpa_tdls_peer *peer)
1666 {
1667 if (!kde->supp_channels) {
1668 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1669 return 0;
1670 }
1671
1672 if (!peer->supp_channels ||
1673 peer->supp_channels_len < kde->supp_channels_len) {
1674 os_free(peer->supp_channels);
1675 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1676 if (peer->supp_channels == NULL)
1677 return -1;
1678 }
1679
1680 peer->supp_channels_len = kde->supp_channels_len;
1681
1682 os_memcpy(peer->supp_channels, kde->supp_channels,
1683 peer->supp_channels_len);
1684 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1685 (u8 *) peer->supp_channels, peer->supp_channels_len);
1686 return 0;
1687 }
1688
1689
copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1690 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1691 struct wpa_tdls_peer *peer)
1692 {
1693 if (!kde->supp_oper_classes) {
1694 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1695 return 0;
1696 }
1697
1698 if (!peer->supp_oper_classes ||
1699 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1700 os_free(peer->supp_oper_classes);
1701 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1702 if (peer->supp_oper_classes == NULL)
1703 return -1;
1704 }
1705
1706 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1707 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1708 peer->supp_oper_classes_len);
1709 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1710 (u8 *) peer->supp_oper_classes,
1711 peer->supp_oper_classes_len);
1712 return 0;
1713 }
1714
1715
wpa_tdls_addset_peer(struct wpa_sm * sm,struct wpa_tdls_peer * peer,int add)1716 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1717 int add)
1718 {
1719 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1720 peer->capability,
1721 peer->supp_rates, peer->supp_rates_len,
1722 peer->ht_capabilities,
1723 peer->vht_capabilities,
1724 peer->qos_info, peer->wmm_capable,
1725 peer->ext_capab, peer->ext_capab_len,
1726 peer->supp_channels,
1727 peer->supp_channels_len,
1728 peer->supp_oper_classes,
1729 peer->supp_oper_classes_len);
1730 }
1731
1732
wpa_tdls_process_tpk_m1(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)1733 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1734 const u8 *buf, size_t len)
1735 {
1736 struct wpa_tdls_peer *peer;
1737 struct wpa_eapol_ie_parse kde;
1738 struct wpa_ie_data ie;
1739 int cipher;
1740 const u8 *cpos;
1741 struct wpa_tdls_ftie *ftie = NULL;
1742 struct wpa_tdls_timeoutie *timeoutie;
1743 struct wpa_tdls_lnkid *lnkid;
1744 u32 lifetime = 0;
1745 #if 0
1746 struct rsn_ie_hdr *hdr;
1747 u8 *pos;
1748 u16 rsn_capab;
1749 u16 rsn_ver;
1750 #endif
1751 u8 dtoken;
1752 u16 ielen;
1753 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1754 int tdls_prohibited = sm->tdls_prohibited;
1755 int existing_peer = 0;
1756
1757 if (len < 3 + 3)
1758 return -1;
1759
1760 cpos = buf;
1761 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1762
1763 /* driver had already verified the frame format */
1764 dtoken = *cpos++; /* dialog token */
1765
1766 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1767
1768 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1769 if (peer == NULL)
1770 goto error;
1771
1772 /* If found, use existing entry instead of adding a new one;
1773 * how to handle the case where both ends initiate at the
1774 * same time? */
1775 if (existing_peer) {
1776 if (peer->tpk_success) {
1777 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1778 "direct link is enabled - tear down the "
1779 "old link first");
1780 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1781 wpa_tdls_peer_clear(sm, peer);
1782 } else if (peer->initiator) {
1783 /*
1784 * An entry is already present, so check if we already
1785 * sent a TDLS Setup Request. If so, compare MAC
1786 * addresses and let the STA with the lower MAC address
1787 * continue as the initiator. The other negotiation is
1788 * terminated.
1789 */
1790 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1791 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1792 "from peer with higher address "
1793 MACSTR, MAC2STR(src_addr));
1794 return -1;
1795 } else {
1796 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1797 "from peer with lower address "
1798 MACSTR " (terminate previously "
1799 "initiated negotiation",
1800 MAC2STR(src_addr));
1801 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1802 peer->addr);
1803 wpa_tdls_peer_clear(sm, peer);
1804 }
1805 }
1806 }
1807
1808 /* capability information */
1809 peer->capability = WPA_GET_LE16(cpos);
1810 cpos += 2;
1811
1812 ielen = len - (cpos - buf); /* start of IE in buf */
1813 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) {
1814 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1");
1815 goto error;
1816 }
1817
1818 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1819 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1820 "TPK M1");
1821 goto error;
1822 }
1823 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1824 kde.lnkid, kde.lnkid_len);
1825 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1826 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1827 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1828 status = WLAN_STATUS_REQUEST_DECLINED;
1829 goto error;
1830 }
1831
1832 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1833 MAC2STR(src_addr));
1834
1835 if (copy_supp_rates(&kde, peer) < 0)
1836 goto error;
1837
1838 if (copy_peer_ht_capab(&kde, peer) < 0)
1839 goto error;
1840
1841 if (copy_peer_vht_capab(&kde, peer) < 0)
1842 goto error;
1843
1844 if (copy_peer_ext_capab(&kde, peer) < 0)
1845 goto error;
1846
1847 if (copy_peer_supp_channels(&kde, peer) < 0)
1848 goto error;
1849
1850 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1851 goto error;
1852
1853 peer->qos_info = kde.qosinfo;
1854
1855 /* Overwrite with the qos_info obtained in WMM IE */
1856 if (copy_peer_wmm_capab(&kde, peer) < 0)
1857 goto error;
1858
1859 peer->aid = kde.aid;
1860
1861 #ifdef CONFIG_TDLS_TESTING
1862 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1863 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1864 if (peer == NULL)
1865 goto error;
1866 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1867 "TDLS setup - send own request");
1868 peer->initiator = 1;
1869 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1870 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
1871 wpa_tdls_send_tpk_m1(sm, peer);
1872 }
1873
1874 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1875 tdls_prohibited) {
1876 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1877 "on TDLS");
1878 tdls_prohibited = 0;
1879 }
1880 #endif /* CONFIG_TDLS_TESTING */
1881
1882 if (tdls_prohibited) {
1883 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1884 status = WLAN_STATUS_REQUEST_DECLINED;
1885 goto error;
1886 }
1887
1888 if (!wpa_tdls_get_privacy(sm)) {
1889 if (kde.rsn_ie) {
1890 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1891 "security is disabled");
1892 status = WLAN_STATUS_SECURITY_DISABLED;
1893 goto error;
1894 }
1895 goto skip_rsn;
1896 }
1897
1898 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1899 kde.rsn_ie == NULL) {
1900 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1901 status = WLAN_STATUS_INVALID_PARAMETERS;
1902 goto error;
1903 }
1904
1905 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
1906 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
1907 "TPK M1");
1908 status = WLAN_STATUS_INVALID_RSNIE;
1909 goto error;
1910 }
1911
1912 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1913 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
1914 status = WLAN_STATUS_INVALID_RSNIE;
1915 goto error;
1916 }
1917
1918 cipher = ie.pairwise_cipher;
1919 if (cipher & WPA_CIPHER_CCMP) {
1920 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1921 cipher = WPA_CIPHER_CCMP;
1922 } else {
1923 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
1924 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1925 goto error;
1926 }
1927
1928 if ((ie.capabilities &
1929 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
1930 WPA_CAPABILITY_PEERKEY_ENABLED) {
1931 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
1932 "TPK M1");
1933 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
1934 goto error;
1935 }
1936
1937 /* Lifetime */
1938 if (kde.key_lifetime == NULL) {
1939 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
1940 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1941 goto error;
1942 }
1943 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
1944 lifetime = WPA_GET_LE32(timeoutie->value);
1945 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
1946 if (lifetime < 300) {
1947 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
1948 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1949 goto error;
1950 }
1951
1952 skip_rsn:
1953 #ifdef CONFIG_TDLS_TESTING
1954 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1955 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
1956 /*
1957 * The request frame from us is going to win, so do not
1958 * replace information based on this request frame from
1959 * the peer.
1960 */
1961 goto skip_rsn_check;
1962 }
1963 }
1964 #endif /* CONFIG_TDLS_TESTING */
1965
1966 peer->initiator = 0; /* Need to check */
1967 peer->dtoken = dtoken;
1968
1969 if (!wpa_tdls_get_privacy(sm)) {
1970 peer->rsnie_i_len = 0;
1971 peer->rsnie_p_len = 0;
1972 peer->cipher = WPA_CIPHER_NONE;
1973 goto skip_rsn_check;
1974 }
1975
1976 ftie = (struct wpa_tdls_ftie *) kde.ftie;
1977 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
1978 peer->rsnie_i_len = kde.rsn_ie_len;
1979 peer->cipher = cipher;
1980
1981 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
1982 /*
1983 * There is no point in updating the RNonce for every obtained
1984 * TPK M1 frame (e.g., retransmission due to timeout) with the
1985 * same INonce (SNonce in FTIE). However, if the TPK M1 is
1986 * retransmitted with a different INonce, update the RNonce
1987 * since this is for a new TDLS session.
1988 */
1989 wpa_printf(MSG_DEBUG,
1990 "TDLS: New TPK M1 INonce - generate new RNonce");
1991 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
1992 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
1993 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1994 "TDLS: Failed to get random data for responder nonce");
1995 goto error;
1996 }
1997 }
1998
1999 #if 0
2000 /* get version info from RSNIE received from Peer */
2001 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2002 rsn_ver = WPA_GET_LE16(hdr->version);
2003
2004 /* use min(peer's version, out version) */
2005 if (rsn_ver > RSN_VERSION)
2006 rsn_ver = RSN_VERSION;
2007
2008 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2009
2010 hdr->elem_id = WLAN_EID_RSN;
2011 WPA_PUT_LE16(hdr->version, rsn_ver);
2012 pos = (u8 *) (hdr + 1);
2013
2014 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2015 pos += RSN_SELECTOR_LEN;
2016 /* Include only the selected cipher in pairwise cipher suite */
2017 WPA_PUT_LE16(pos, 1);
2018 pos += 2;
2019 if (cipher == WPA_CIPHER_CCMP)
2020 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2021 pos += RSN_SELECTOR_LEN;
2022
2023 WPA_PUT_LE16(pos, 1);
2024 pos += 2;
2025 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2026 pos += RSN_SELECTOR_LEN;
2027
2028 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2029 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2030 WPA_PUT_LE16(pos, rsn_capab);
2031 pos += 2;
2032
2033 hdr->len = (pos - peer->rsnie_p) - 2;
2034 peer->rsnie_p_len = pos - peer->rsnie_p;
2035 #endif
2036
2037 /* temp fix: validation of RSNIE later */
2038 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2039 peer->rsnie_p_len = peer->rsnie_i_len;
2040
2041 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2042 peer->rsnie_p, peer->rsnie_p_len);
2043
2044 peer->lifetime = lifetime;
2045
2046 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2047
2048 skip_rsn_check:
2049 #ifdef CONFIG_TDLS_TESTING
2050 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2051 goto skip_add_peer;
2052 #endif /* CONFIG_TDLS_TESTING */
2053
2054 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2055 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2056 goto error;
2057
2058 #ifdef CONFIG_TDLS_TESTING
2059 skip_add_peer:
2060 #endif /* CONFIG_TDLS_TESTING */
2061 peer->tpk_in_progress = 1;
2062
2063 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2064 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2065 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2066 goto error;
2067 }
2068
2069 return 0;
2070
2071 error:
2072 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2073 status);
2074 if (peer)
2075 wpa_tdls_peer_free(sm, peer);
2076 return -1;
2077 }
2078
2079
wpa_tdls_enable_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)2080 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2081 {
2082 peer->tpk_success = 1;
2083 peer->tpk_in_progress = 0;
2084 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2085 if (wpa_tdls_get_privacy(sm)) {
2086 u32 lifetime = peer->lifetime;
2087 /*
2088 * Start the initiator process a bit earlier to avoid race
2089 * condition with the responder sending teardown request.
2090 */
2091 if (lifetime > 3 && peer->initiator)
2092 lifetime -= 3;
2093 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2094 sm, peer);
2095 #ifdef CONFIG_TDLS_TESTING
2096 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2097 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
2098 "expiration");
2099 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2100 }
2101 #endif /* CONFIG_TDLS_TESTING */
2102 }
2103
2104 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2105 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2106 "driver");
2107 return -1;
2108 }
2109 peer->reconfig_key = 0;
2110
2111 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2112 }
2113
2114
wpa_tdls_process_tpk_m2(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2115 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2116 const u8 *buf, size_t len)
2117 {
2118 struct wpa_tdls_peer *peer;
2119 struct wpa_eapol_ie_parse kde;
2120 struct wpa_ie_data ie;
2121 int cipher;
2122 struct wpa_tdls_ftie *ftie;
2123 struct wpa_tdls_timeoutie *timeoutie;
2124 struct wpa_tdls_lnkid *lnkid;
2125 u32 lifetime;
2126 u8 dtoken;
2127 int ielen;
2128 u16 status;
2129 const u8 *pos;
2130 int ret = 0;
2131
2132 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2133 "(Peer " MACSTR ")", MAC2STR(src_addr));
2134 for (peer = sm->tdls; peer; peer = peer->next) {
2135 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2136 break;
2137 }
2138 if (peer == NULL) {
2139 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2140 "TPK M2: " MACSTR, MAC2STR(src_addr));
2141 return -1;
2142 }
2143 if (!peer->initiator) {
2144 /*
2145 * This may happen if both devices try to initiate TDLS at the
2146 * same time and we accept the TPK M1 from the peer in
2147 * wpa_tdls_process_tpk_m1() and clear our previous state.
2148 */
2149 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2150 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2151 return -1;
2152 }
2153 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2154
2155 if (len < 3 + 2 + 1) {
2156 wpa_tdls_disable_peer_link(sm, peer);
2157 return -1;
2158 }
2159
2160 pos = buf;
2161 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2162 status = WPA_GET_LE16(pos);
2163 pos += 2 /* status code */;
2164
2165 if (status != WLAN_STATUS_SUCCESS) {
2166 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2167 status);
2168 wpa_tdls_disable_peer_link(sm, peer);
2169 return -1;
2170 }
2171
2172 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2173
2174 /* TODO: need to verify dialog token matches here or in kernel */
2175 dtoken = *pos++; /* dialog token */
2176
2177 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2178
2179 if (len < 3 + 2 + 1 + 2) {
2180 wpa_tdls_disable_peer_link(sm, peer);
2181 return -1;
2182 }
2183
2184 /* capability information */
2185 peer->capability = WPA_GET_LE16(pos);
2186 pos += 2;
2187
2188 ielen = len - (pos - buf); /* start of IE in buf */
2189 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) {
2190 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2");
2191 goto error;
2192 }
2193
2194 #ifdef CONFIG_TDLS_TESTING
2195 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2196 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2197 status = WLAN_STATUS_REQUEST_DECLINED;
2198 goto error;
2199 }
2200 #endif /* CONFIG_TDLS_TESTING */
2201
2202 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2203 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2204 "TPK M2");
2205 goto error;
2206 }
2207 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2208 kde.lnkid, kde.lnkid_len);
2209 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2210
2211 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2212 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2213 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2214 goto error;
2215 }
2216
2217 if (copy_supp_rates(&kde, peer) < 0)
2218 goto error;
2219
2220 if (copy_peer_ht_capab(&kde, peer) < 0)
2221 goto error;
2222
2223 if (copy_peer_vht_capab(&kde, peer) < 0)
2224 goto error;
2225
2226 if (copy_peer_ext_capab(&kde, peer) < 0)
2227 goto error;
2228
2229 if (copy_peer_supp_channels(&kde, peer) < 0)
2230 goto error;
2231
2232 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2233 goto error;
2234
2235 peer->qos_info = kde.qosinfo;
2236
2237 /* Overwrite with the qos_info obtained in WMM IE */
2238 if (copy_peer_wmm_capab(&kde, peer) < 0)
2239 goto error;
2240
2241 peer->aid = kde.aid;
2242
2243 if (!wpa_tdls_get_privacy(sm)) {
2244 peer->rsnie_p_len = 0;
2245 peer->cipher = WPA_CIPHER_NONE;
2246 goto skip_rsn;
2247 }
2248
2249 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2250 kde.rsn_ie == NULL) {
2251 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2252 status = WLAN_STATUS_INVALID_PARAMETERS;
2253 goto error;
2254 }
2255 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2256 kde.rsn_ie, kde.rsn_ie_len);
2257
2258 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2259 wpa_printf(MSG_INFO,
2260 "TDLS: Too long Responder RSN IE in TPK M2");
2261 status = WLAN_STATUS_INVALID_RSNIE;
2262 goto error;
2263 }
2264
2265 /*
2266 * FIX: bitwise comparison of RSN IE is not the correct way of
2267 * validation this. It can be different, but certain fields must
2268 * match. Since we list only a single pairwise cipher in TPK M1, the
2269 * memcmp is likely to work in most cases, though.
2270 */
2271 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2272 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2273 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2274 "not match with RSN IE used in TPK M1");
2275 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2276 peer->rsnie_i, peer->rsnie_i_len);
2277 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2278 kde.rsn_ie, kde.rsn_ie_len);
2279 status = WLAN_STATUS_INVALID_RSNIE;
2280 goto error;
2281 }
2282
2283 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2284 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2285 status = WLAN_STATUS_INVALID_RSNIE;
2286 goto error;
2287 }
2288
2289 cipher = ie.pairwise_cipher;
2290 if (cipher == WPA_CIPHER_CCMP) {
2291 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2292 cipher = WPA_CIPHER_CCMP;
2293 } else {
2294 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2295 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2296 goto error;
2297 }
2298
2299 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2300 kde.ftie, sizeof(*ftie));
2301 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2302
2303 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2304 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2305 "not match with FTIE SNonce used in TPK M1");
2306 /* Silently discard the frame */
2307 return -1;
2308 }
2309
2310 /* Responder Nonce and RSN IE */
2311 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2312 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2313 peer->rsnie_p_len = kde.rsn_ie_len;
2314 peer->cipher = cipher;
2315
2316 /* Lifetime */
2317 if (kde.key_lifetime == NULL) {
2318 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2319 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2320 goto error;
2321 }
2322 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2323 lifetime = WPA_GET_LE32(timeoutie->value);
2324 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2325 lifetime);
2326 if (lifetime != peer->lifetime) {
2327 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2328 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2329 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2330 goto error;
2331 }
2332
2333 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2334
2335 /* Process MIC check to see if TPK M2 is right */
2336 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2337 (u8 *) timeoutie, ftie) < 0) {
2338 /* Discard the frame */
2339 wpa_tdls_del_key(sm, peer);
2340 wpa_tdls_disable_peer_link(sm, peer);
2341 return -1;
2342 }
2343
2344 if (wpa_tdls_set_key(sm, peer) < 0) {
2345 /*
2346 * Some drivers may not be able to config the key prior to full
2347 * STA entry having been configured.
2348 */
2349 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2350 "STA entry is complete");
2351 peer->reconfig_key = 1;
2352 }
2353
2354 skip_rsn:
2355 peer->dtoken = dtoken;
2356
2357 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2358 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2359 goto error;
2360
2361 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2362 "TPK Handshake Message 3");
2363 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2364 goto error;
2365
2366 if (!peer->tpk_success) {
2367 /*
2368 * Enable Link only when tpk_success is 0, signifying that this
2369 * processing of TPK M2 frame is not because of a retransmission
2370 * during TDLS setup handshake.
2371 */
2372 ret = wpa_tdls_enable_link(sm, peer);
2373 if (ret < 0) {
2374 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2375 wpa_tdls_do_teardown(
2376 sm, peer,
2377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2378 }
2379 }
2380 return ret;
2381
2382 error:
2383 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2384 status);
2385 wpa_tdls_disable_peer_link(sm, peer);
2386 return -1;
2387 }
2388
2389
wpa_tdls_process_tpk_m3(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2390 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2391 const u8 *buf, size_t len)
2392 {
2393 struct wpa_tdls_peer *peer;
2394 struct wpa_eapol_ie_parse kde;
2395 struct wpa_tdls_ftie *ftie;
2396 struct wpa_tdls_timeoutie *timeoutie;
2397 struct wpa_tdls_lnkid *lnkid;
2398 int ielen;
2399 u16 status;
2400 const u8 *pos;
2401 u32 lifetime;
2402 int ret = 0;
2403
2404 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2405 "(Peer " MACSTR ")", MAC2STR(src_addr));
2406 for (peer = sm->tdls; peer; peer = peer->next) {
2407 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2408 break;
2409 }
2410 if (peer == NULL) {
2411 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2412 "TPK M3: " MACSTR, MAC2STR(src_addr));
2413 return -1;
2414 }
2415 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2416
2417 if (len < 3 + 3)
2418 goto error;
2419 pos = buf;
2420 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2421
2422 status = WPA_GET_LE16(pos);
2423
2424 if (status != 0) {
2425 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2426 status);
2427 goto error;
2428 }
2429 pos += 2 /* status code */ + 1 /* dialog token */;
2430
2431 ielen = len - (pos - buf); /* start of IE in buf */
2432
2433 /*
2434 * Don't reject the message if failing to parse IEs. The IEs we need are
2435 * explicitly checked below. Some APs piggy-back broken IEs to the end
2436 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2437 * this error.
2438 */
2439 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2440 wpa_printf(MSG_DEBUG,
2441 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2442 }
2443
2444 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2445 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2446 goto error;
2447 }
2448 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2449 (u8 *) kde.lnkid, kde.lnkid_len);
2450 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2451
2452 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2453 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2454 goto error;
2455 }
2456
2457 if (!wpa_tdls_get_privacy(sm))
2458 goto skip_rsn;
2459
2460 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2461 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2462 goto error;
2463 }
2464 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2465 kde.ftie, sizeof(*ftie));
2466 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2467
2468 if (kde.rsn_ie == NULL) {
2469 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2470 goto error;
2471 }
2472 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2473 kde.rsn_ie, kde.rsn_ie_len);
2474 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2475 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2476 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2477 "with the one sent in TPK M2");
2478 goto error;
2479 }
2480
2481 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) {
2482 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2483 "not match with FTIE ANonce used in TPK M2");
2484 goto error;
2485 }
2486
2487 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2488 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2489 "match with FTIE SNonce used in TPK M1");
2490 goto error;
2491 }
2492
2493 if (kde.key_lifetime == NULL) {
2494 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2495 goto error;
2496 }
2497 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2498 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2499 (u8 *) timeoutie, sizeof(*timeoutie));
2500 lifetime = WPA_GET_LE32(timeoutie->value);
2501 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2502 lifetime);
2503 if (lifetime != peer->lifetime) {
2504 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2505 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2506 goto error;
2507 }
2508
2509 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2510 (u8 *) timeoutie, ftie) < 0) {
2511 wpa_tdls_del_key(sm, peer);
2512 goto error;
2513 }
2514
2515 if (wpa_tdls_set_key(sm, peer) < 0) {
2516 /*
2517 * Some drivers may not be able to config the key prior to full
2518 * STA entry having been configured.
2519 */
2520 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2521 "STA entry is complete");
2522 peer->reconfig_key = 1;
2523 }
2524
2525 skip_rsn:
2526 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2527 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2528 goto error;
2529
2530 if (!peer->tpk_success) {
2531 /*
2532 * Enable Link only when tpk_success is 0, signifying that this
2533 * processing of TPK M3 frame is not because of a retransmission
2534 * during TDLS setup handshake.
2535 */
2536 ret = wpa_tdls_enable_link(sm, peer);
2537 if (ret < 0) {
2538 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2539 goto error;
2540 }
2541 }
2542 return ret;
2543 error:
2544 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2545 return -1;
2546 }
2547
2548
wpa_add_tdls_timeoutie(u8 * pos,u8 * ie,size_t ie_len,u32 tsecs)2549 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2550 {
2551 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2552
2553 os_memset(lifetime, 0, ie_len);
2554 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2555 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2556 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2557 WPA_PUT_LE32(lifetime->value, tsecs);
2558 os_memcpy(pos, ie, ie_len);
2559 return pos + ie_len;
2560 }
2561
2562
2563 /**
2564 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2565 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2566 * @peer: MAC address of the peer STA
2567 * Returns: 0 on success, or -1 on failure
2568 *
2569 * Send TPK Handshake Message 1 info to driver to start TDLS
2570 * handshake with the peer.
2571 */
wpa_tdls_start(struct wpa_sm * sm,const u8 * addr)2572 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2573 {
2574 struct wpa_tdls_peer *peer;
2575 int tdls_prohibited = sm->tdls_prohibited;
2576
2577 if (sm->tdls_disabled || !sm->tdls_supported)
2578 return -1;
2579
2580 #ifdef CONFIG_TDLS_TESTING
2581 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2582 tdls_prohibited) {
2583 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2584 "on TDLS");
2585 tdls_prohibited = 0;
2586 }
2587 #endif /* CONFIG_TDLS_TESTING */
2588
2589 if (tdls_prohibited) {
2590 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2591 "reject request to start setup");
2592 return -1;
2593 }
2594
2595 peer = wpa_tdls_add_peer(sm, addr, NULL);
2596 if (peer == NULL)
2597 return -1;
2598
2599 if (peer->tpk_in_progress) {
2600 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2601 return 0;
2602 }
2603
2604 peer->initiator = 1;
2605
2606 /* add the peer to the driver as a "setup in progress" peer */
2607 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2608 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) {
2609 wpa_tdls_disable_peer_link(sm, peer);
2610 return -1;
2611 }
2612
2613 peer->tpk_in_progress = 1;
2614
2615 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
2616 wpa_tdls_disable_peer_link(sm, peer);
2617 return -1;
2618 }
2619
2620 return 0;
2621 }
2622
2623
wpa_tdls_remove(struct wpa_sm * sm,const u8 * addr)2624 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2625 {
2626 struct wpa_tdls_peer *peer;
2627
2628 if (sm->tdls_disabled || !sm->tdls_supported)
2629 return;
2630
2631 for (peer = sm->tdls; peer; peer = peer->next) {
2632 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2633 break;
2634 }
2635
2636 if (peer == NULL || !peer->tpk_success)
2637 return;
2638
2639 if (sm->tdls_external_setup) {
2640 /*
2641 * Disable previous link to allow renegotiation to be completed
2642 * on AP path.
2643 */
2644 wpa_tdls_do_teardown(sm, peer,
2645 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2646 }
2647 }
2648
2649
2650 /**
2651 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2652 *
2653 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2654 */
wpa_supplicant_rx_tdls(void * ctx,const u8 * src_addr,const u8 * buf,size_t len)2655 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2656 const u8 *buf, size_t len)
2657 {
2658 struct wpa_sm *sm = ctx;
2659 struct wpa_tdls_frame *tf;
2660
2661 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2662 buf, len);
2663
2664 if (sm->tdls_disabled || !sm->tdls_supported) {
2665 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2666 "or unsupported by driver");
2667 return;
2668 }
2669
2670 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2671 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2672 return;
2673 }
2674
2675 if (len < sizeof(*tf)) {
2676 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2677 return;
2678 }
2679
2680 /* Check to make sure its a valid encapsulated TDLS frame */
2681 tf = (struct wpa_tdls_frame *) buf;
2682 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2683 tf->category != WLAN_ACTION_TDLS) {
2684 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2685 "category=%u action=%u",
2686 tf->payloadtype, tf->category, tf->action);
2687 return;
2688 }
2689
2690 switch (tf->action) {
2691 case WLAN_TDLS_SETUP_REQUEST:
2692 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2693 break;
2694 case WLAN_TDLS_SETUP_RESPONSE:
2695 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2696 break;
2697 case WLAN_TDLS_SETUP_CONFIRM:
2698 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2699 break;
2700 case WLAN_TDLS_TEARDOWN:
2701 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2702 break;
2703 case WLAN_TDLS_DISCOVERY_REQUEST:
2704 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2705 break;
2706 default:
2707 /* Kernel code will process remaining frames */
2708 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2709 tf->action);
2710 break;
2711 }
2712 }
2713
2714
2715 /**
2716 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2717 * @wpa_s: Pointer to wpa_supplicant data
2718 * Returns: 0 on success, -1 on failure
2719 *
2720 * This function is called to initialize driver interface parameters for TDLS.
2721 * wpa_drv_init() must have been called before this function to initialize the
2722 * driver interface.
2723 */
wpa_tdls_init(struct wpa_sm * sm)2724 int wpa_tdls_init(struct wpa_sm *sm)
2725 {
2726 if (sm == NULL)
2727 return -1;
2728
2729 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2730 sm->ifname,
2731 sm->own_addr,
2732 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2733 sm, 0);
2734 if (sm->l2_tdls == NULL) {
2735 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2736 "connection");
2737 return -1;
2738 }
2739
2740 /*
2741 * Drivers that support TDLS but don't implement the get_capa callback
2742 * are assumed to perform everything internally
2743 */
2744 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2745 &sm->tdls_external_setup) < 0) {
2746 sm->tdls_supported = 1;
2747 sm->tdls_external_setup = 0;
2748 }
2749
2750 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2751 "driver", sm->tdls_supported ? "" : " not");
2752 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2753 sm->tdls_external_setup ? "external" : "internal");
2754
2755 return 0;
2756 }
2757
2758
wpa_tdls_teardown_peers(struct wpa_sm * sm)2759 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2760 {
2761 struct wpa_tdls_peer *peer, *tmp;
2762
2763 peer = sm->tdls;
2764
2765 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2766
2767 while (peer) {
2768 tmp = peer->next;
2769 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2770 MAC2STR(peer->addr));
2771 if (sm->tdls_external_setup)
2772 wpa_tdls_do_teardown(sm, peer,
2773 WLAN_REASON_DEAUTH_LEAVING);
2774 else
2775 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2776
2777 peer = tmp;
2778 }
2779 }
2780
2781
wpa_tdls_remove_peers(struct wpa_sm * sm)2782 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2783 {
2784 struct wpa_tdls_peer *peer, *tmp;
2785
2786 peer = sm->tdls;
2787
2788 while (peer) {
2789 int res;
2790 tmp = peer->next;
2791 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2792 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2793 MAC2STR(peer->addr), res);
2794 wpa_tdls_peer_free(sm, peer);
2795 peer = tmp;
2796 }
2797 }
2798
2799
2800 /**
2801 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2802 *
2803 * This function is called to recover driver interface parameters for TDLS
2804 * and frees resources allocated for it.
2805 */
wpa_tdls_deinit(struct wpa_sm * sm)2806 void wpa_tdls_deinit(struct wpa_sm *sm)
2807 {
2808 if (sm == NULL)
2809 return;
2810
2811 if (sm->l2_tdls)
2812 l2_packet_deinit(sm->l2_tdls);
2813 sm->l2_tdls = NULL;
2814
2815 wpa_tdls_remove_peers(sm);
2816 }
2817
2818
wpa_tdls_assoc(struct wpa_sm * sm)2819 void wpa_tdls_assoc(struct wpa_sm *sm)
2820 {
2821 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2822 wpa_tdls_remove_peers(sm);
2823 }
2824
2825
wpa_tdls_disassoc(struct wpa_sm * sm)2826 void wpa_tdls_disassoc(struct wpa_sm *sm)
2827 {
2828 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2829 wpa_tdls_remove_peers(sm);
2830 }
2831
2832
wpa_tdls_prohibited(const u8 * ies,size_t len)2833 static int wpa_tdls_prohibited(const u8 *ies, size_t len)
2834 {
2835 struct wpa_eapol_ie_parse elems;
2836
2837 if (ies == NULL)
2838 return 0;
2839
2840 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0)
2841 return 0;
2842
2843 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2844 return 0;
2845
2846 /* bit 38 - TDLS Prohibited */
2847 return !!(elems.ext_capab[2 + 4] & 0x40);
2848 }
2849
2850
wpa_tdls_ap_ies(struct wpa_sm * sm,const u8 * ies,size_t len)2851 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2852 {
2853 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len);
2854 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2855 sm->tdls_prohibited ? "prohibited" : "allowed");
2856 }
2857
2858
wpa_tdls_assoc_resp_ies(struct wpa_sm * sm,const u8 * ies,size_t len)2859 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2860 {
2861 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) {
2862 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
2863 "(Re)Association Response IEs");
2864 sm->tdls_prohibited = 1;
2865 }
2866 }
2867
2868
wpa_tdls_enable(struct wpa_sm * sm,int enabled)2869 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
2870 {
2871 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
2872 sm->tdls_disabled = !enabled;
2873 }
2874
2875
wpa_tdls_is_external_setup(struct wpa_sm * sm)2876 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
2877 {
2878 return sm->tdls_external_setup;
2879 }
2880