1 /*
2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
24
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12)
39 unsigned int tdls_testing = 0;
40 #endif /* CONFIG_TDLS_TESTING */
41
42 #define TPK_LIFETIME 43200 /* 12 hours */
43 #define TPK_M1_RETRY_COUNT 3
44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
45 #define TPK_M2_RETRY_COUNT 10
46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47
48 #define TDLS_MIC_LEN 16
49
50 #define TDLS_TIMEOUT_LEN 4
51
52 struct wpa_tdls_ftie {
53 u8 ie_type; /* FTIE */
54 u8 ie_len;
55 u8 mic_ctrl[2];
56 u8 mic[TDLS_MIC_LEN];
57 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
58 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
59 /* followed by optional elements */
60 } STRUCT_PACKED;
61
62 struct wpa_tdls_timeoutie {
63 u8 ie_type; /* Timeout IE */
64 u8 ie_len;
65 u8 interval_type;
66 u8 value[TDLS_TIMEOUT_LEN];
67 } STRUCT_PACKED;
68
69 struct wpa_tdls_lnkid {
70 u8 ie_type; /* Link Identifier IE */
71 u8 ie_len;
72 u8 bssid[ETH_ALEN];
73 u8 init_sta[ETH_ALEN];
74 u8 resp_sta[ETH_ALEN];
75 } STRUCT_PACKED;
76
77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
78 struct wpa_tdls_frame {
79 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
80 u8 category; /* Category */
81 u8 action; /* Action (enum tdls_frame_type) */
82 } STRUCT_PACKED;
83
84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
88 struct wpa_tdls_peer *peer);
89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
90 u16 reason_code);
91
92
93 #define TDLS_MAX_IE_LEN 80
94 #define IEEE80211_MAX_SUPP_RATES 32
95
96 struct wpa_tdls_peer {
97 struct wpa_tdls_peer *next;
98 unsigned int reconfig_key:1;
99 int initiator; /* whether this end was initiator for TDLS setup */
100 u8 addr[ETH_ALEN]; /* other end MAC address */
101 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
102 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
103 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 size_t rsnie_i_len;
105 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
106 size_t rsnie_p_len;
107 u32 lifetime;
108 int cipher; /* Selected cipher (WPA_CIPHER_*) */
109 u8 dtoken;
110
111 struct tpk {
112 u8 kck[16]; /* TPK-KCK */
113 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
114 } tpk;
115 int tpk_set;
116 int tk_set; /* TPK-TK configured to the driver */
117 int tpk_success;
118 int tpk_in_progress;
119
120 struct tpk_timer {
121 u8 dest[ETH_ALEN];
122 int count; /* Retry Count */
123 int timer; /* Timeout in milliseconds */
124 u8 action_code; /* TDLS frame type */
125 u8 dialog_token;
126 u16 status_code;
127 u32 peer_capab;
128 int buf_len; /* length of TPK message for retransmission */
129 u8 *buf; /* buffer for TPK message */
130 } sm_tmr;
131
132 u16 capability;
133
134 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
135 size_t supp_rates_len;
136
137 struct ieee80211_ht_capabilities *ht_capabilities;
138 struct ieee80211_vht_capabilities *vht_capabilities;
139 struct ieee80211_he_capabilities *he_capabilities;
140 size_t he_capab_len;
141 struct ieee80211_he_6ghz_band_cap *he_6ghz_band_capabilities;
142
143 u8 qos_info;
144
145 u16 aid;
146
147 u8 *ext_capab;
148 size_t ext_capab_len;
149
150 u8 *supp_channels;
151 size_t supp_channels_len;
152
153 u8 *supp_oper_classes;
154 size_t supp_oper_classes_len;
155
156 u8 wmm_capable;
157
158 /* channel switch currently enabled */
159 int chan_switch_enabled;
160 };
161
162
wpa_tdls_get_privacy(struct wpa_sm *sm)163 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
164 {
165 /*
166 * Get info needed from supplicant to check if the current BSS supports
167 * security. Other than OPEN mode, rest are considered secured
168 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
169 */
170 return sm->pairwise_cipher != WPA_CIPHER_NONE;
171 }
172
173
wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)174 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
175 {
176 os_memcpy(pos, ie, ie_len);
177 return pos + ie_len;
178 }
179
180
wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)181 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
182 {
183 #ifdef CONFIG_MLD_PATCH
184 if (wpa_sm_set_key(sm, -1, WPA_ALG_NONE, peer->addr,
185 #else
186 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
187 #endif
188 0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) {
189 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
190 "the driver");
191 return -1;
192 }
193
194 return 0;
195 }
196
197
wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)198 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
199 {
200 u8 key_len;
201 u8 rsc[6];
202 enum wpa_alg alg;
203
204 if (peer->tk_set) {
205 /*
206 * This same TPK-TK has already been configured to the driver
207 * and this new configuration attempt (likely due to an
208 * unexpected retransmitted frame) would result in clearing
209 * the TX/RX sequence number which can break security, so must
210 * not allow that to happen.
211 */
212 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR_SEC
213 " has already been configured to the driver - do not reconfigure",
214 MAC2STR_SEC(peer->addr));
215 return -1;
216 }
217
218 os_memset(rsc, 0, 6);
219
220 switch (peer->cipher) {
221 case WPA_CIPHER_CCMP:
222 alg = WPA_ALG_CCMP;
223 key_len = 16;
224 break;
225 case WPA_CIPHER_NONE:
226 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
227 "NONE - do not use pairwise keys");
228 return -1;
229 default:
230 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
231 sm->pairwise_cipher);
232 return -1;
233 }
234
235 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR_SEC,
236 MAC2STR_SEC(peer->addr));
237 #ifdef CONFIG_MLD_PATCH
238 if (wpa_sm_set_key(sm, -1, alg, peer->addr, 0, 1, rsc, sizeof(rsc),
239 #else
240 if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc),
241 #endif
242 peer->tpk.tk, key_len,
243 KEY_FLAG_PAIRWISE_RX_TX) < 0) {
244 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
245 "driver");
246 return -1;
247 }
248 peer->tk_set = 1;
249 return 0;
250 }
251
252
253 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
254 u8 action_code, u8 dialog_token,
255 u16 status_code, u32 peer_capab,
256 int initiator, const u8 *buf, size_t len)
257 {
258 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
259 status_code, peer_capab, initiator, buf,
260 len);
261 }
262
263
264 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
265 u8 dialog_token, u16 status_code, u32 peer_capab,
266 int initiator, const u8 *msg, size_t msg_len)
267 {
268 struct wpa_tdls_peer *peer;
269
270 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR_SEC " action_code=%u "
271 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
272 "msg_len=%u",
273 MAC2STR_SEC(dest), action_code, dialog_token, status_code,
274 peer_capab, initiator, (unsigned int) msg_len);
275
276 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
277 status_code, peer_capab, initiator, msg,
278 msg_len)) {
279 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
280 "(action_code=%u)", action_code);
281 return -1;
282 }
283
284 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
285 action_code == WLAN_TDLS_TEARDOWN ||
286 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
287 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
288 return 0; /* No retries */
289
290 for (peer = sm->tdls; peer; peer = peer->next) {
291 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
292 break;
293 }
294
295 if (peer == NULL) {
296 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
297 "retry " MACSTR_SEC, MAC2STR_SEC(dest));
298 return 0;
299 }
300
301 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
302
303 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
304 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
305 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
306 } else {
307 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
308 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
309 }
310
311 /* Copy message to resend on timeout */
312 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
313 peer->sm_tmr.action_code = action_code;
314 peer->sm_tmr.dialog_token = dialog_token;
315 peer->sm_tmr.status_code = status_code;
316 peer->sm_tmr.peer_capab = peer_capab;
317 peer->sm_tmr.buf_len = msg_len;
318 os_free(peer->sm_tmr.buf);
319 peer->sm_tmr.buf = os_memdup(msg, msg_len);
320 if (peer->sm_tmr.buf == NULL)
321 return -1;
322
323 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
324 "(action_code=%u)", action_code);
325 eloop_register_timeout(peer->sm_tmr.timer / 1000,
326 (peer->sm_tmr.timer % 1000) * 1000,
327 wpa_tdls_tpk_retry_timeout, sm, peer);
328 return 0;
329 }
330
331
332 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
333 u16 reason_code)
334 {
335 int ret;
336
337 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
338 /* disable the link after teardown was sent */
339 wpa_tdls_disable_peer_link(sm, peer);
340
341 return ret;
342 }
343
344
345 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
346 {
347
348 struct wpa_sm *sm = eloop_ctx;
349 struct wpa_tdls_peer *peer = timeout_ctx;
350
351 if (peer->sm_tmr.count) {
352 peer->sm_tmr.count--;
353
354 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
355 "(action_code=%u)",
356 peer->sm_tmr.action_code);
357
358 if (peer->sm_tmr.buf == NULL) {
359 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
360 "for action_code=%u",
361 peer->sm_tmr.action_code);
362 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
363 peer);
364 return;
365 }
366
367 /* resend TPK Handshake Message to Peer */
368 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
369 peer->sm_tmr.action_code,
370 peer->sm_tmr.dialog_token,
371 peer->sm_tmr.status_code,
372 peer->sm_tmr.peer_capab,
373 peer->initiator,
374 peer->sm_tmr.buf,
375 peer->sm_tmr.buf_len)) {
376 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
377 "transmission");
378 }
379
380 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
381 eloop_register_timeout(peer->sm_tmr.timer / 1000,
382 (peer->sm_tmr.timer % 1000) * 1000,
383 wpa_tdls_tpk_retry_timeout, sm, peer);
384 } else {
385 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
386
387 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
388 wpa_tdls_do_teardown(sm, peer,
389 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
390 }
391 }
392
393
394 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
395 struct wpa_tdls_peer *peer,
396 u8 action_code)
397 {
398 if (action_code == peer->sm_tmr.action_code) {
399 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
400 "action_code=%u", action_code);
401
402 /* Cancel Timeout registered */
403 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
404
405 /* free all resources meant for retry */
406 os_free(peer->sm_tmr.buf);
407 peer->sm_tmr.buf = NULL;
408
409 peer->sm_tmr.count = 0;
410 peer->sm_tmr.timer = 0;
411 peer->sm_tmr.buf_len = 0;
412 peer->sm_tmr.action_code = 0xff;
413 } else {
414 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
415 "(Unknown action_code=%u)", action_code);
416 }
417 }
418
419
420 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
421 const u8 *own_addr, const u8 *bssid)
422 {
423 u8 key_input[SHA256_MAC_LEN];
424 const u8 *nonce[2];
425 size_t len[2];
426 u8 data[3 * ETH_ALEN];
427
428 /* IEEE Std 802.11-2016 12.7.9.2:
429 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce))
430 * Hash = SHA-256 for TDLS
431 */
432 len[0] = WPA_NONCE_LEN;
433 len[1] = WPA_NONCE_LEN;
434 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
435 nonce[0] = peer->inonce;
436 nonce[1] = peer->rnonce;
437 } else {
438 nonce[0] = peer->rnonce;
439 nonce[1] = peer->inonce;
440 }
441 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
442 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
443 sha256_vector(2, nonce, len, key_input);
444 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
445 key_input, SHA256_MAC_LEN);
446
447 /*
448 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK",
449 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID)
450 */
451
452 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
453 os_memcpy(data, own_addr, ETH_ALEN);
454 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
455 } else {
456 os_memcpy(data, peer->addr, ETH_ALEN);
457 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
458 }
459 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
460 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
461
462 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
463 (u8 *) &peer->tpk, sizeof(peer->tpk));
464 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
465 peer->tpk.kck, sizeof(peer->tpk.kck));
466 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
467 peer->tpk.tk, sizeof(peer->tpk.tk));
468 peer->tpk_set = 1;
469 }
470
471
472 /**
473 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
474 * @kck: TPK-KCK
475 * @lnkid: Pointer to the beginning of Link Identifier IE
476 * @rsnie: Pointer to the beginning of RSN IE used for handshake
477 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
478 * @ftie: Pointer to the beginning of FT IE
479 * @mic: Pointer for writing MIC
480 *
481 * Calculate MIC for TDLS frame.
482 */
483 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
484 const u8 *rsnie, const u8 *timeoutie,
485 const u8 *ftie, u8 *mic)
486 {
487 u8 *buf, *pos;
488 struct wpa_tdls_ftie *_ftie;
489 const struct wpa_tdls_lnkid *_lnkid;
490 int ret;
491 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
492 2 + timeoutie[1] + 2 + ftie[1];
493 buf = os_zalloc(len);
494 if (!buf) {
495 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
496 return -1;
497 }
498
499 pos = buf;
500 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
501 /* 1) TDLS initiator STA MAC address */
502 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
503 pos += ETH_ALEN;
504 /* 2) TDLS responder STA MAC address */
505 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
506 pos += ETH_ALEN;
507 /* 3) Transaction Sequence number */
508 *pos++ = trans_seq;
509 /* 4) Link Identifier IE */
510 os_memcpy(pos, lnkid, 2 + lnkid[1]);
511 pos += 2 + lnkid[1];
512 /* 5) RSN IE */
513 os_memcpy(pos, rsnie, 2 + rsnie[1]);
514 pos += 2 + rsnie[1];
515 /* 6) Timeout Interval IE */
516 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
517 pos += 2 + timeoutie[1];
518 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
519 os_memcpy(pos, ftie, 2 + ftie[1]);
520 _ftie = (struct wpa_tdls_ftie *) pos;
521 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
522 pos += 2 + ftie[1];
523
524 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
525 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
526 ret = omac1_aes_128(kck, buf, pos - buf, mic);
527 os_free(buf);
528 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
529 return ret;
530 }
531
532
533 /**
534 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
535 * @kck: TPK-KCK
536 * @trans_seq: Transaction Sequence Number (4 - Teardown)
537 * @rcode: Reason code for Teardown
538 * @dtoken: Dialog Token used for that particular link
539 * @lnkid: Pointer to the beginning of Link Identifier IE
540 * @ftie: Pointer to the beginning of FT IE
541 * @mic: Pointer for writing MIC
542 *
543 * Calculate MIC for TDLS frame.
544 */
545 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
546 u8 dtoken, const u8 *lnkid,
547 const u8 *ftie, u8 *mic)
548 {
549 u8 *buf, *pos;
550 struct wpa_tdls_ftie *_ftie;
551 int ret;
552 int len;
553
554 if (lnkid == NULL)
555 return -1;
556
557 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
558 sizeof(trans_seq) + 2 + ftie[1];
559
560 buf = os_zalloc(len);
561 if (!buf) {
562 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
563 return -1;
564 }
565
566 pos = buf;
567 /* 1) Link Identifier IE */
568 os_memcpy(pos, lnkid, 2 + lnkid[1]);
569 pos += 2 + lnkid[1];
570 /* 2) Reason Code */
571 WPA_PUT_LE16(pos, rcode);
572 pos += sizeof(rcode);
573 /* 3) Dialog token */
574 *pos++ = dtoken;
575 /* 4) Transaction Sequence number */
576 *pos++ = trans_seq;
577 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
578 os_memcpy(pos, ftie, 2 + ftie[1]);
579 _ftie = (struct wpa_tdls_ftie *) pos;
580 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
581 pos += 2 + ftie[1];
582
583 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
584 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
585 ret = omac1_aes_128(kck, buf, pos - buf, mic);
586 os_free(buf);
587 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
588 return ret;
589 }
590
591
592 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
593 struct wpa_tdls_peer *peer,
594 const u8 *lnkid, const u8 *timeoutie,
595 const struct wpa_tdls_ftie *ftie)
596 {
597 u8 mic[16];
598
599 if (peer->tpk_set) {
600 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
601 peer->rsnie_p, timeoutie, (u8 *) ftie,
602 mic);
603 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
604 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
605 "dropping packet");
606 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
607 ftie->mic, 16);
608 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
609 mic, 16);
610 return -1;
611 }
612 } else {
613 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
614 "TPK not set - dropping packet");
615 return -1;
616 }
617 return 0;
618 }
619
620
621 static int wpa_supplicant_verify_tdls_mic_teardown(
622 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
623 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
624 {
625 u8 mic[16];
626
627 if (peer->tpk_set) {
628 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
629 dtoken, lnkid, (u8 *) ftie, mic);
630 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
631 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
632 "dropping packet");
633 return -1;
634 }
635 } else {
636 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
637 "MIC, TPK not set - dropping packet");
638 return -1;
639 }
640 return 0;
641 }
642
643
644 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
645 {
646 struct wpa_sm *sm = eloop_ctx;
647 struct wpa_tdls_peer *peer = timeout_ctx;
648
649 /*
650 * On TPK lifetime expiration, we have an option of either tearing down
651 * the direct link or trying to re-initiate it. The selection of what
652 * to do is not strictly speaking controlled by our role in the expired
653 * link, but for now, use that to select whether to renew or tear down
654 * the link.
655 */
656
657 if (peer->initiator) {
658 u8 addr[ETH_ALEN];
659
660 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR_SEC
661 " - try to renew", MAC2STR_SEC(peer->addr));
662 /* cache the peer address before do_teardown */
663 os_memcpy(addr, peer->addr, ETH_ALEN);
664 wpa_tdls_do_teardown(sm, peer,
665 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
666 wpa_tdls_start(sm, addr);
667 } else {
668 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR_SEC
669 " - tear down", MAC2STR_SEC(peer->addr));
670 wpa_tdls_do_teardown(sm, peer,
671 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
672 }
673 }
674
675
676 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
677 struct wpa_tdls_peer *peer)
678 {
679 struct wpa_tdls_peer *cur, *prev;
680
681 cur = sm->tdls;
682 prev = NULL;
683 while (cur && cur != peer) {
684 prev = cur;
685 cur = cur->next;
686 }
687
688 if (cur != peer) {
689 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR_SEC
690 " to remove it from the list",
691 MAC2STR_SEC(peer->addr));
692 return;
693 }
694
695 if (prev)
696 prev->next = peer->next;
697 else
698 sm->tdls = peer->next;
699 }
700
701
702 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
703 {
704 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR_SEC,
705 MAC2STR_SEC(peer->addr));
706 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
707 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
708 peer->reconfig_key = 0;
709 peer->initiator = 0;
710 peer->tpk_in_progress = 0;
711 os_free(peer->sm_tmr.buf);
712 peer->sm_tmr.buf = NULL;
713 os_free(peer->ht_capabilities);
714 peer->ht_capabilities = NULL;
715 os_free(peer->vht_capabilities);
716 peer->vht_capabilities = NULL;
717 os_free(peer->he_capabilities);
718 peer->he_capabilities = NULL;
719 os_free(peer->he_6ghz_band_capabilities);
720 peer->he_6ghz_band_capabilities = NULL;
721 os_free(peer->ext_capab);
722 peer->ext_capab = NULL;
723 os_free(peer->supp_channels);
724 peer->supp_channels = NULL;
725 os_free(peer->supp_oper_classes);
726 peer->supp_oper_classes = NULL;
727 peer->rsnie_i_len = peer->rsnie_p_len = 0;
728 peer->cipher = 0;
729 peer->qos_info = 0;
730 peer->wmm_capable = 0;
731 peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
732 peer->chan_switch_enabled = 0;
733 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
734 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
735 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
736 }
737
738
739 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
740 {
741 wpa_tdls_peer_clear(sm, peer);
742 wpa_tdls_peer_remove_from_list(sm, peer);
743 os_free(peer);
744 }
745
746
747 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
748 struct wpa_tdls_lnkid *lnkid)
749 {
750 lnkid->ie_type = WLAN_EID_LINK_ID;
751 lnkid->ie_len = 3 * ETH_ALEN;
752 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
753 if (peer->initiator) {
754 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
755 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
756 } else {
757 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
758 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
759 }
760 }
761
762
763 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
764 u16 reason_code)
765 {
766 struct wpa_tdls_peer *peer;
767 struct wpa_tdls_ftie *ftie;
768 struct wpa_tdls_lnkid lnkid;
769 u8 dialog_token;
770 u8 *rbuf, *pos;
771 int ielen;
772
773 if (sm->tdls_disabled || !sm->tdls_supported)
774 return -1;
775
776 /* Find the node and free from the list */
777 for (peer = sm->tdls; peer; peer = peer->next) {
778 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
779 break;
780 }
781
782 if (peer == NULL) {
783 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
784 "Teardown " MACSTR_SEC, MAC2STR_SEC(addr));
785 return 0;
786 }
787
788 /* Cancel active channel switch before teardown */
789 if (peer->chan_switch_enabled) {
790 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR_SEC
791 " to base channel", MAC2STR_SEC(addr));
792 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
793 }
794
795 dialog_token = peer->dtoken;
796
797 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR_SEC,
798 MAC2STR_SEC(addr));
799
800 ielen = 0;
801 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
802 /* To add FTIE for Teardown request and compute MIC */
803 ielen += sizeof(*ftie);
804 #ifdef CONFIG_TDLS_TESTING
805 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
806 ielen += 170;
807 #endif /* CONFIG_TDLS_TESTING */
808 }
809
810 rbuf = os_zalloc(ielen + 1);
811 if (rbuf == NULL)
812 return -1;
813 pos = rbuf;
814
815 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
816 goto skip_ies;
817
818 ftie = (struct wpa_tdls_ftie *) pos;
819 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
820 /* Using the recent nonce which should be for CONFIRM frame */
821 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
822 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
823 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
824 pos = (u8 *) (ftie + 1);
825 #ifdef CONFIG_TDLS_TESTING
826 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
827 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
828 "FTIE");
829 ftie->ie_len += 170;
830 *pos++ = 255; /* FTIE subelem */
831 *pos++ = 168; /* FTIE subelem length */
832 pos += 168;
833 }
834 #endif /* CONFIG_TDLS_TESTING */
835 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
836 (u8 *) ftie, pos - (u8 *) ftie);
837
838 /* compute MIC before sending */
839 wpa_tdls_linkid(sm, peer, &lnkid);
840 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
841 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
842 ftie->mic);
843
844 skip_ies:
845 /* TODO: register for a Timeout handler, if Teardown is not received at
846 * the other end, then try again another time */
847
848 /* request driver to send Teardown using this FTIE */
849 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
850 reason_code, 0, peer->initiator, rbuf, pos - rbuf);
851 os_free(rbuf);
852
853 return 0;
854 }
855
856
857 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
858 {
859 struct wpa_tdls_peer *peer;
860
861 if (sm->tdls_disabled || !sm->tdls_supported)
862 return -1;
863
864 for (peer = sm->tdls; peer; peer = peer->next) {
865 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
866 break;
867 }
868
869 if (peer == NULL) {
870 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR_SEC
871 " for link Teardown", MAC2STR_SEC(addr));
872 return -1;
873 }
874
875 if (!peer->tpk_success) {
876 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR_SEC
877 " not connected - cannot Teardown link", MAC2STR_SEC(addr));
878 return -1;
879 }
880
881 return wpa_tdls_do_teardown(sm, peer, reason_code);
882 }
883
884
885 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
886 struct wpa_tdls_peer *peer)
887 {
888 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
889 wpa_tdls_peer_free(sm, peer);
890 }
891
892
893 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
894 {
895 struct wpa_tdls_peer *peer;
896
897 for (peer = sm->tdls; peer; peer = peer->next) {
898 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
899 break;
900 }
901
902 if (!peer || !peer->tpk_success) {
903 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR_SEC
904 " not connected - cannot teardown unreachable link",
905 MAC2STR_SEC(addr));
906 return;
907 }
908
909 if (wpa_tdls_is_external_setup(sm)) {
910 /*
911 * Get us on the base channel, disable the link, send a
912 * teardown packet through the AP, and then reset link data.
913 */
914 if (peer->chan_switch_enabled)
915 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
916 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
917 wpa_tdls_send_teardown(sm, addr,
918 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
919 wpa_tdls_peer_free(sm, peer);
920 } else {
921 wpa_tdls_disable_peer_link(sm, peer);
922 }
923 }
924
925
926 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
927 {
928 struct wpa_tdls_peer *peer;
929
930 if (sm->tdls_disabled || !sm->tdls_supported)
931 return "disabled";
932
933 for (peer = sm->tdls; peer; peer = peer->next) {
934 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
935 break;
936 }
937
938 if (peer == NULL)
939 return "peer does not exist";
940
941 if (!peer->tpk_success)
942 return "peer not connected";
943
944 return "connected";
945 }
946
947
948 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
949 const u8 *buf, size_t len)
950 {
951 struct wpa_tdls_peer *peer = NULL;
952 struct wpa_tdls_ftie *ftie;
953 struct wpa_tdls_lnkid *lnkid;
954 struct wpa_eapol_ie_parse kde;
955 u16 reason_code;
956 const u8 *pos;
957 int ielen;
958
959 /* Find the node and free from the list */
960 for (peer = sm->tdls; peer; peer = peer->next) {
961 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
962 break;
963 }
964
965 if (peer == NULL) {
966 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
967 "Teardown " MACSTR_SEC, MAC2STR_SEC(src_addr));
968 return 0;
969 }
970
971 pos = buf;
972 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
973
974 reason_code = WPA_GET_LE16(pos);
975 pos += 2;
976
977 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR_SEC
978 " (reason code %u)", MAC2STR_SEC(src_addr), reason_code);
979
980 ielen = len - (pos - buf); /* start of IE in buf */
981
982 /*
983 * Don't reject the message if failing to parse IEs. The IEs we need are
984 * explicitly checked below. Some APs may add arbitrary padding to the
985 * end of short TDLS frames and that would look like invalid IEs.
986 */
987 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
988 wpa_printf(MSG_DEBUG,
989 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
990
991 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
992 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
993 "Teardown");
994 return -1;
995 }
996 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
997
998 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
999 goto skip_ftie;
1000
1001 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
1002 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
1003 return -1;
1004 }
1005
1006 ftie = (struct wpa_tdls_ftie *) kde.ftie;
1007
1008 /* Process MIC check to see if TDLS Teardown is right */
1009 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
1010 peer->dtoken, peer,
1011 (u8 *) lnkid, ftie) < 0) {
1012 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
1013 "Teardown Request from " MACSTR_SEC, MAC2STR_SEC(src_addr));
1014 return -1;
1015 }
1016
1017 skip_ftie:
1018 /*
1019 * Request the driver to disable the direct link and clear associated
1020 * keys.
1021 */
1022 wpa_tdls_disable_peer_link(sm, peer);
1023 return 0;
1024 }
1025
1026
1027 /**
1028 * wpa_tdls_send_error - To send suitable TDLS status response with
1029 * appropriate status code mentioning reason for error/failure.
1030 * @dst - MAC addr of Peer station
1031 * @tdls_action - TDLS frame type for which error code is sent
1032 * @initiator - was this end the initiator of the connection
1033 * @status - status code mentioning reason
1034 */
1035
1036 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1037 u8 tdls_action, u8 dialog_token, int initiator,
1038 u16 status)
1039 {
1040 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR_SEC
1041 " (action=%u status=%u)",
1042 MAC2STR_SEC(dst), tdls_action, status);
1043 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1044 0, initiator, NULL, 0);
1045 }
1046
1047
1048 static struct wpa_tdls_peer *
1049 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1050 {
1051 struct wpa_tdls_peer *peer;
1052
1053 if (existing)
1054 *existing = 0;
1055 for (peer = sm->tdls; peer; peer = peer->next) {
1056 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1057 if (existing)
1058 *existing = 1;
1059 return peer; /* re-use existing entry */
1060 }
1061 }
1062
1063 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR_SEC,
1064 MAC2STR_SEC(addr));
1065
1066 peer = os_zalloc(sizeof(*peer));
1067 if (peer == NULL)
1068 return NULL;
1069
1070 os_memcpy(peer->addr, addr, ETH_ALEN);
1071 peer->next = sm->tdls;
1072 sm->tdls = peer;
1073
1074 return peer;
1075 }
1076
1077
1078 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1079 struct wpa_tdls_peer *peer)
1080 {
1081 size_t buf_len;
1082 struct wpa_tdls_timeoutie timeoutie;
1083 u16 rsn_capab;
1084 struct wpa_tdls_ftie *ftie;
1085 u8 *rbuf, *pos, *count_pos;
1086 u16 count;
1087 struct rsn_ie_hdr *hdr;
1088 int status;
1089
1090 if (!wpa_tdls_get_privacy(sm)) {
1091 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1092 peer->rsnie_i_len = 0;
1093 goto skip_rsnie;
1094 }
1095
1096 /*
1097 * TPK Handshake Message 1:
1098 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1099 * Timeout Interval IE))
1100 */
1101
1102 /* Filling RSN IE */
1103 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1104 hdr->elem_id = WLAN_EID_RSN;
1105 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1106
1107 pos = (u8 *) (hdr + 1);
1108 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1109 pos += RSN_SELECTOR_LEN;
1110 count_pos = pos;
1111 pos += 2;
1112
1113 count = 0;
1114
1115 /*
1116 * AES-CCMP is the default Encryption preferred for TDLS, so
1117 * RSN IE is filled only with CCMP CIPHER
1118 * Note: TKIP is not used to encrypt TDLS link.
1119 *
1120 * Regardless of the cipher used on the AP connection, select CCMP
1121 * here.
1122 */
1123 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1124 pos += RSN_SELECTOR_LEN;
1125 count++;
1126
1127 WPA_PUT_LE16(count_pos, count);
1128
1129 WPA_PUT_LE16(pos, 1);
1130 pos += 2;
1131 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1132 pos += RSN_SELECTOR_LEN;
1133
1134 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1135 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1136 #ifdef CONFIG_TDLS_TESTING
1137 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1138 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1139 "testing");
1140 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1141 }
1142 #endif /* CONFIG_TDLS_TESTING */
1143 WPA_PUT_LE16(pos, rsn_capab);
1144 pos += 2;
1145 #ifdef CONFIG_TDLS_TESTING
1146 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1147 /* Number of PMKIDs */
1148 *pos++ = 0x00;
1149 *pos++ = 0x00;
1150 }
1151 #endif /* CONFIG_TDLS_TESTING */
1152
1153 hdr->len = (pos - peer->rsnie_i) - 2;
1154 peer->rsnie_i_len = pos - peer->rsnie_i;
1155 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1156 peer->rsnie_i, peer->rsnie_i_len);
1157
1158 skip_rsnie:
1159 buf_len = 0;
1160 if (wpa_tdls_get_privacy(sm))
1161 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1162 sizeof(struct wpa_tdls_timeoutie);
1163 #ifdef CONFIG_TDLS_TESTING
1164 if (wpa_tdls_get_privacy(sm) &&
1165 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1166 buf_len += 170;
1167 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1168 buf_len += sizeof(struct wpa_tdls_lnkid);
1169 #endif /* CONFIG_TDLS_TESTING */
1170 rbuf = os_zalloc(buf_len + 1);
1171 if (rbuf == NULL) {
1172 wpa_tdls_peer_free(sm, peer);
1173 return -2;
1174 }
1175 pos = rbuf;
1176
1177 if (!wpa_tdls_get_privacy(sm))
1178 goto skip_ies;
1179
1180 /* Initiator RSN IE */
1181 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1182
1183 ftie = (struct wpa_tdls_ftie *) pos;
1184 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1185 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1186
1187 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1188 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1189 "TDLS: Failed to get random data for initiator Nonce");
1190 os_free(rbuf);
1191 wpa_tdls_peer_free(sm, peer);
1192 return -2;
1193 }
1194 peer->tk_set = 0; /* A new nonce results in a new TK */
1195 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1196 peer->inonce, WPA_NONCE_LEN);
1197 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1198
1199 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1200 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1201
1202 pos = (u8 *) (ftie + 1);
1203
1204 #ifdef CONFIG_TDLS_TESTING
1205 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1206 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1207 "FTIE");
1208 ftie->ie_len += 170;
1209 *pos++ = 255; /* FTIE subelem */
1210 *pos++ = 168; /* FTIE subelem length */
1211 pos += 168;
1212 }
1213 #endif /* CONFIG_TDLS_TESTING */
1214
1215 /* Lifetime */
1216 peer->lifetime = TPK_LIFETIME;
1217 #ifdef CONFIG_TDLS_TESTING
1218 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1219 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1220 "lifetime");
1221 peer->lifetime = 301;
1222 }
1223 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1224 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1225 "lifetime");
1226 peer->lifetime = 0xffffffff;
1227 }
1228 #endif /* CONFIG_TDLS_TESTING */
1229 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1230 sizeof(timeoutie), peer->lifetime);
1231 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1232
1233 skip_ies:
1234
1235 #ifdef CONFIG_TDLS_TESTING
1236 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1237 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1238
1239 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1240 "Link Identifier");
1241 wpa_tdls_linkid(sm, peer, l);
1242 l->bssid[5] ^= 0x01;
1243 pos += sizeof(*l);
1244 }
1245 #endif /* CONFIG_TDLS_TESTING */
1246
1247 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1248 "Handshake Message 1 (peer " MACSTR_SEC ")",
1249 MAC2STR_SEC(peer->addr));
1250
1251 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1252 1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1253 os_free(rbuf);
1254
1255 return status;
1256 }
1257
1258
1259 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1260 const unsigned char *src_addr, u8 dtoken,
1261 struct wpa_tdls_lnkid *lnkid,
1262 const struct wpa_tdls_peer *peer)
1263 {
1264 u8 *rbuf, *pos;
1265 size_t buf_len;
1266 u32 lifetime;
1267 struct wpa_tdls_timeoutie timeoutie;
1268 struct wpa_tdls_ftie *ftie;
1269 int status;
1270
1271 buf_len = 0;
1272 if (wpa_tdls_get_privacy(sm)) {
1273 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1274 * Lifetime */
1275 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1276 sizeof(struct wpa_tdls_timeoutie);
1277 #ifdef CONFIG_TDLS_TESTING
1278 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1279 buf_len += 170;
1280 #endif /* CONFIG_TDLS_TESTING */
1281 }
1282
1283 rbuf = os_zalloc(buf_len + 1);
1284 if (rbuf == NULL)
1285 return -1;
1286 pos = rbuf;
1287
1288 if (!wpa_tdls_get_privacy(sm))
1289 goto skip_ies;
1290
1291 /* Peer RSN IE */
1292 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1293
1294 ftie = (struct wpa_tdls_ftie *) pos;
1295 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1296 /* TODO: ftie->mic_control to set 2-RESPONSE */
1297 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1298 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1299 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1300 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1301 (u8 *) ftie, sizeof(*ftie));
1302
1303 pos = (u8 *) (ftie + 1);
1304
1305 #ifdef CONFIG_TDLS_TESTING
1306 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1307 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1308 "FTIE");
1309 ftie->ie_len += 170;
1310 *pos++ = 255; /* FTIE subelem */
1311 *pos++ = 168; /* FTIE subelem length */
1312 pos += 168;
1313 }
1314 #endif /* CONFIG_TDLS_TESTING */
1315
1316 /* Lifetime */
1317 lifetime = peer->lifetime;
1318 #ifdef CONFIG_TDLS_TESTING
1319 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1320 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1321 "lifetime in response");
1322 lifetime++;
1323 }
1324 #endif /* CONFIG_TDLS_TESTING */
1325 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1326 sizeof(timeoutie), lifetime);
1327 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1328 lifetime);
1329
1330 /* compute MIC before sending */
1331 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1332 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1333 #ifdef CONFIG_TDLS_TESTING
1334 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1335 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1336 ftie->mic[0] ^= 0x01;
1337 }
1338 #endif /* CONFIG_TDLS_TESTING */
1339
1340 skip_ies:
1341 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1342 dtoken, 0, 0, peer->initiator, rbuf,
1343 pos - rbuf);
1344 os_free(rbuf);
1345
1346 return status;
1347 }
1348
1349
1350 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1351 const unsigned char *src_addr, u8 dtoken,
1352 struct wpa_tdls_lnkid *lnkid,
1353 const struct wpa_tdls_peer *peer)
1354 {
1355 u8 *rbuf, *pos;
1356 size_t buf_len;
1357 struct wpa_tdls_ftie *ftie;
1358 struct wpa_tdls_timeoutie timeoutie;
1359 u32 lifetime;
1360 int status;
1361 u32 peer_capab = 0;
1362
1363 buf_len = 0;
1364 if (wpa_tdls_get_privacy(sm)) {
1365 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1366 * Lifetime */
1367 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1368 sizeof(struct wpa_tdls_timeoutie);
1369 #ifdef CONFIG_TDLS_TESTING
1370 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1371 buf_len += 170;
1372 #endif /* CONFIG_TDLS_TESTING */
1373 }
1374
1375 rbuf = os_zalloc(buf_len + 1);
1376 if (rbuf == NULL)
1377 return -1;
1378 pos = rbuf;
1379
1380 if (!wpa_tdls_get_privacy(sm))
1381 goto skip_ies;
1382
1383 /* Peer RSN IE */
1384 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1385
1386 ftie = (struct wpa_tdls_ftie *) pos;
1387 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1388 /*TODO: ftie->mic_control to set 3-CONFIRM */
1389 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1390 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1391 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1392
1393 pos = (u8 *) (ftie + 1);
1394
1395 #ifdef CONFIG_TDLS_TESTING
1396 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1397 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1398 "FTIE");
1399 ftie->ie_len += 170;
1400 *pos++ = 255; /* FTIE subelem */
1401 *pos++ = 168; /* FTIE subelem length */
1402 pos += 168;
1403 }
1404 #endif /* CONFIG_TDLS_TESTING */
1405
1406 /* Lifetime */
1407 lifetime = peer->lifetime;
1408 #ifdef CONFIG_TDLS_TESTING
1409 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1410 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1411 "lifetime in confirm");
1412 lifetime++;
1413 }
1414 #endif /* CONFIG_TDLS_TESTING */
1415 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1416 sizeof(timeoutie), lifetime);
1417 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1418 lifetime);
1419
1420 /* compute MIC before sending */
1421 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1422 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1423 #ifdef CONFIG_TDLS_TESTING
1424 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1425 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1426 ftie->mic[0] ^= 0x01;
1427 }
1428 #endif /* CONFIG_TDLS_TESTING */
1429
1430 skip_ies:
1431
1432 if (peer->he_capabilities)
1433 peer_capab |= TDLS_PEER_HE;
1434 if (peer->vht_capabilities)
1435 peer_capab |= TDLS_PEER_VHT;
1436 if (peer->ht_capabilities)
1437 peer_capab |= TDLS_PEER_HT;
1438 if (peer->wmm_capable)
1439 peer_capab |= TDLS_PEER_WMM;
1440
1441 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1442 dtoken, 0, peer_capab, peer->initiator,
1443 rbuf, pos - rbuf);
1444 os_free(rbuf);
1445
1446 return status;
1447 }
1448
1449
1450 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1451 struct wpa_tdls_peer *peer,
1452 u8 dialog_token)
1453 {
1454 size_t buf_len = 0;
1455 struct wpa_tdls_timeoutie timeoutie;
1456 u16 rsn_capab;
1457 u8 *rbuf, *pos, *count_pos;
1458 u16 count;
1459 struct rsn_ie_hdr *hdr;
1460 int status;
1461
1462 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1463 "(peer " MACSTR_SEC ")", MAC2STR_SEC(peer->addr));
1464 if (!wpa_tdls_get_privacy(sm))
1465 goto skip_rsn_ies;
1466
1467 /* Filling RSN IE */
1468 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1469 hdr->elem_id = WLAN_EID_RSN;
1470 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1471 pos = (u8 *) (hdr + 1);
1472 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1473 pos += RSN_SELECTOR_LEN;
1474 count_pos = pos;
1475 pos += 2;
1476 count = 0;
1477
1478 /*
1479 * AES-CCMP is the default encryption preferred for TDLS, so
1480 * RSN IE is filled only with CCMP cipher suite.
1481 * Note: TKIP is not used to encrypt TDLS link.
1482 *
1483 * Regardless of the cipher used on the AP connection, select CCMP
1484 * here.
1485 */
1486 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1487 pos += RSN_SELECTOR_LEN;
1488 count++;
1489 WPA_PUT_LE16(count_pos, count);
1490 WPA_PUT_LE16(pos, 1);
1491 pos += 2;
1492 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1493 pos += RSN_SELECTOR_LEN;
1494
1495 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1496 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1497 WPA_PUT_LE16(pos, rsn_capab);
1498 pos += 2;
1499 hdr->len = (pos - (u8 *) hdr) - 2;
1500 peer->rsnie_i_len = pos - peer->rsnie_i;
1501
1502 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1503 (u8 *) hdr, hdr->len + 2);
1504 skip_rsn_ies:
1505 buf_len = 0;
1506 if (wpa_tdls_get_privacy(sm)) {
1507 /* Peer RSN IE, Lifetime */
1508 buf_len += peer->rsnie_i_len +
1509 sizeof(struct wpa_tdls_timeoutie);
1510 }
1511 rbuf = os_zalloc(buf_len + 1);
1512 if (rbuf == NULL) {
1513 wpa_tdls_peer_free(sm, peer);
1514 return -1;
1515 }
1516 pos = rbuf;
1517
1518 if (!wpa_tdls_get_privacy(sm))
1519 goto skip_ies;
1520 /* Initiator RSN IE */
1521 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1522 /* Lifetime */
1523 peer->lifetime = TPK_LIFETIME;
1524 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1525 sizeof(timeoutie), peer->lifetime);
1526 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1527 skip_ies:
1528 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1529 dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1530 os_free(rbuf);
1531
1532 return status;
1533 }
1534
1535
1536 static int
1537 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1538 const u8 *buf, size_t len)
1539 {
1540 struct wpa_eapol_ie_parse kde;
1541 const struct wpa_tdls_lnkid *lnkid;
1542 struct wpa_tdls_peer *peer;
1543 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1544 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1545 u8 dialog_token;
1546
1547 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR_SEC,
1548 MAC2STR_SEC(addr));
1549
1550 if (len < min_req_len) {
1551 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1552 "%d", (int) len);
1553 return -1;
1554 }
1555
1556 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1557
1558 /*
1559 * Some APs will tack on a weird IE to the end of a TDLS
1560 * discovery request packet. This needn't fail the response,
1561 * since the required IE are verified separately.
1562 */
1563 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1564 len - (sizeof(struct wpa_tdls_frame) + 1),
1565 &kde) < 0) {
1566 wpa_printf(MSG_DEBUG,
1567 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1568 }
1569
1570 if (!kde.lnkid) {
1571 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1572 "Request");
1573 return -1;
1574 }
1575
1576 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1577
1578 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1579 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1580 " BSS " MACSTR_SEC, MAC2STR_SEC(lnkid->bssid));
1581 return -1;
1582 }
1583
1584 peer = wpa_tdls_add_peer(sm, addr, NULL);
1585 if (peer == NULL)
1586 return -1;
1587
1588 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1589 }
1590
1591
1592 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1593 {
1594 if (sm->tdls_disabled || !sm->tdls_supported)
1595 return -1;
1596
1597 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1598 MACSTR_SEC, MAC2STR_SEC(addr));
1599 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1600 1, 0, 0, 1, NULL, 0);
1601 }
1602
1603
1604 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1605 struct wpa_tdls_peer *peer)
1606 {
1607 if (!kde->supp_rates) {
1608 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1609 return -1;
1610 }
1611 peer->supp_rates_len = merge_byte_arrays(
1612 peer->supp_rates, sizeof(peer->supp_rates),
1613 kde->supp_rates + 2, kde->supp_rates_len - 2,
1614 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1615 kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0);
1616 return 0;
1617 }
1618
1619
1620 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1621 struct wpa_tdls_peer *peer)
1622 {
1623 if (!kde->ht_capabilities) {
1624 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1625 "received");
1626 return 0;
1627 }
1628
1629 if (!peer->ht_capabilities) {
1630 peer->ht_capabilities =
1631 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1632 if (peer->ht_capabilities == NULL)
1633 return -1;
1634 }
1635
1636 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1637 sizeof(struct ieee80211_ht_capabilities));
1638 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1639 (u8 *) peer->ht_capabilities,
1640 sizeof(struct ieee80211_ht_capabilities));
1641
1642 return 0;
1643 }
1644
1645
1646 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1647 struct wpa_tdls_peer *peer)
1648 {
1649 if (!kde->vht_capabilities) {
1650 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1651 "received");
1652 return 0;
1653 }
1654
1655 if (!peer->vht_capabilities) {
1656 peer->vht_capabilities =
1657 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1658 if (peer->vht_capabilities == NULL)
1659 return -1;
1660 }
1661
1662 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1663 sizeof(struct ieee80211_vht_capabilities));
1664 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1665 (u8 *) peer->vht_capabilities,
1666 sizeof(struct ieee80211_vht_capabilities));
1667
1668 return 0;
1669 }
1670
1671
1672 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde,
1673 struct wpa_tdls_peer *peer)
1674 {
1675 if (!kde->he_capabilities) {
1676 wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received");
1677 return 0;
1678 }
1679
1680 os_free(peer->he_capabilities);
1681 peer->he_capab_len = 0;
1682 peer->he_capabilities = os_memdup(kde->he_capabilities,
1683 kde->he_capab_len);
1684 if (!peer->he_capabilities)
1685 return -1;
1686
1687 peer->he_capab_len = kde->he_capab_len;
1688 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities",
1689 peer->he_capabilities, peer->he_capab_len);
1690
1691 return 0;
1692 }
1693
1694
1695 static int copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse *kde,
1696 struct wpa_tdls_peer *peer)
1697 {
1698 if (!kde->he_6ghz_capabilities) {
1699 wpa_printf(MSG_DEBUG,
1700 "TDLS: No HE 6 GHz band capabilities received");
1701 return 0;
1702 }
1703
1704 if (!peer->he_6ghz_band_capabilities) {
1705 peer->he_6ghz_band_capabilities =
1706 os_zalloc(sizeof(struct ieee80211_he_6ghz_band_cap));
1707 if (peer->he_6ghz_band_capabilities == NULL)
1708 return -1;
1709 }
1710
1711 os_memcpy(peer->he_6ghz_band_capabilities, kde->he_6ghz_capabilities,
1712 sizeof(struct ieee80211_he_6ghz_band_cap));
1713
1714 wpa_hexdump(MSG_DEBUG, "TDLS: Peer 6 GHz band HE capabilities",
1715 peer->he_6ghz_band_capabilities,
1716 sizeof(struct ieee80211_he_6ghz_band_cap));
1717
1718 return 0;
1719 }
1720
1721
1722 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1723 struct wpa_tdls_peer *peer)
1724 {
1725 if (!kde->ext_capab) {
1726 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1727 "received");
1728 return 0;
1729 }
1730
1731 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1732 /* Need to allocate buffer to fit the new information */
1733 os_free(peer->ext_capab);
1734 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1735 if (peer->ext_capab == NULL)
1736 return -1;
1737 }
1738
1739 peer->ext_capab_len = kde->ext_capab_len - 2;
1740 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1741
1742 return 0;
1743 }
1744
1745
1746 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1747 struct wpa_tdls_peer *peer)
1748 {
1749 struct wmm_information_element *wmm;
1750
1751 if (!kde->wmm) {
1752 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1753 return 0;
1754 }
1755
1756 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1757 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1758 return -1;
1759 }
1760
1761 wmm = (struct wmm_information_element *) kde->wmm;
1762 peer->qos_info = wmm->qos_info;
1763
1764 peer->wmm_capable = 1;
1765
1766 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1767 return 0;
1768 }
1769
1770
1771 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1772 struct wpa_tdls_peer *peer)
1773 {
1774 if (!kde->supp_channels) {
1775 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1776 return 0;
1777 }
1778
1779 if (!peer->supp_channels ||
1780 peer->supp_channels_len < kde->supp_channels_len) {
1781 os_free(peer->supp_channels);
1782 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1783 if (peer->supp_channels == NULL)
1784 return -1;
1785 }
1786
1787 peer->supp_channels_len = kde->supp_channels_len;
1788
1789 os_memcpy(peer->supp_channels, kde->supp_channels,
1790 peer->supp_channels_len);
1791 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1792 (u8 *) peer->supp_channels, peer->supp_channels_len);
1793 return 0;
1794 }
1795
1796
1797 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1798 struct wpa_tdls_peer *peer)
1799 {
1800 if (!kde->supp_oper_classes) {
1801 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1802 return 0;
1803 }
1804
1805 if (!peer->supp_oper_classes ||
1806 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1807 os_free(peer->supp_oper_classes);
1808 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1809 if (peer->supp_oper_classes == NULL)
1810 return -1;
1811 }
1812
1813 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1814 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1815 peer->supp_oper_classes_len);
1816 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1817 (u8 *) peer->supp_oper_classes,
1818 peer->supp_oper_classes_len);
1819 return 0;
1820 }
1821
1822
1823 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1824 int add)
1825 {
1826 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1827 peer->capability,
1828 peer->supp_rates, peer->supp_rates_len,
1829 peer->ht_capabilities,
1830 peer->vht_capabilities,
1831 peer->he_capabilities,
1832 peer->he_capab_len,
1833 peer->he_6ghz_band_capabilities,
1834 peer->qos_info, peer->wmm_capable,
1835 peer->ext_capab, peer->ext_capab_len,
1836 peer->supp_channels,
1837 peer->supp_channels_len,
1838 peer->supp_oper_classes,
1839 peer->supp_oper_classes_len);
1840 }
1841
1842
1843 static int tdls_nonce_set(const u8 *nonce)
1844 {
1845 int i;
1846
1847 for (i = 0; i < WPA_NONCE_LEN; i++) {
1848 if (nonce[i])
1849 return 1;
1850 }
1851
1852 return 0;
1853 }
1854
1855
1856 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1857 const u8 *buf, size_t len)
1858 {
1859 struct wpa_tdls_peer *peer;
1860 struct wpa_eapol_ie_parse kde;
1861 struct wpa_ie_data ie;
1862 int cipher;
1863 const u8 *cpos;
1864 struct wpa_tdls_ftie *ftie = NULL;
1865 struct wpa_tdls_timeoutie *timeoutie;
1866 struct wpa_tdls_lnkid *lnkid;
1867 u32 lifetime = 0;
1868 #if 0
1869 struct rsn_ie_hdr *hdr;
1870 u8 *pos;
1871 u16 rsn_capab;
1872 u16 rsn_ver;
1873 #endif
1874 u8 dtoken;
1875 u16 ielen;
1876 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1877 int tdls_prohibited = sm->tdls_prohibited;
1878 int existing_peer = 0;
1879
1880 if (len < 3 + 3)
1881 return -1;
1882
1883 cpos = buf;
1884 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1885
1886 /* driver had already verified the frame format */
1887 dtoken = *cpos++; /* dialog token */
1888
1889 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1890
1891 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1892 if (peer == NULL)
1893 goto error;
1894
1895 /* If found, use existing entry instead of adding a new one;
1896 * how to handle the case where both ends initiate at the
1897 * same time? */
1898 if (existing_peer) {
1899 if (peer->tpk_success) {
1900 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1901 "direct link is enabled - tear down the "
1902 "old link first");
1903 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1904 wpa_tdls_peer_clear(sm, peer);
1905 } else if (peer->initiator) {
1906 /*
1907 * An entry is already present, so check if we already
1908 * sent a TDLS Setup Request. If so, compare MAC
1909 * addresses and let the STA with the lower MAC address
1910 * continue as the initiator. The other negotiation is
1911 * terminated.
1912 */
1913 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1914 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1915 "from peer with higher address "
1916 MACSTR_SEC, MAC2STR_SEC(src_addr));
1917 return -1;
1918 } else {
1919 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1920 "from peer with lower address "
1921 MACSTR_SEC " (terminate previously "
1922 "initiated negotiation",
1923 MAC2STR_SEC(src_addr));
1924 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1925 peer->addr);
1926 wpa_tdls_peer_clear(sm, peer);
1927 }
1928 }
1929 }
1930
1931 /* capability information */
1932 peer->capability = WPA_GET_LE16(cpos);
1933 cpos += 2;
1934
1935 ielen = len - (cpos - buf); /* start of IE in buf */
1936
1937 /*
1938 * Don't reject the message if failing to parse IEs. The IEs we need are
1939 * explicitly checked below. Some APs may add arbitrary padding to the
1940 * end of short TDLS frames and that would look like invalid IEs.
1941 */
1942 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1943 wpa_printf(MSG_DEBUG,
1944 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1945
1946 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1947 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1948 "TPK M1");
1949 goto error;
1950 }
1951 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1952 kde.lnkid, kde.lnkid_len);
1953 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1954 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1955 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1956 status = WLAN_STATUS_REQUEST_DECLINED;
1957 goto error;
1958 }
1959
1960 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR_SEC,
1961 MAC2STR_SEC(src_addr));
1962
1963 if (copy_supp_rates(&kde, peer) < 0)
1964 goto error;
1965
1966 if (copy_peer_ht_capab(&kde, peer) < 0)
1967 goto error;
1968
1969 if (copy_peer_vht_capab(&kde, peer) < 0 ||
1970 copy_peer_he_capab(&kde, peer) < 0 ||
1971 copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
1972 goto error;
1973
1974 if (copy_peer_ext_capab(&kde, peer) < 0)
1975 goto error;
1976
1977 if (copy_peer_supp_channels(&kde, peer) < 0)
1978 goto error;
1979
1980 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1981 goto error;
1982
1983 peer->qos_info = kde.qosinfo;
1984
1985 /* Overwrite with the qos_info obtained in WMM IE */
1986 if (copy_peer_wmm_capab(&kde, peer) < 0)
1987 goto error;
1988
1989 peer->aid = kde.aid;
1990
1991 #ifdef CONFIG_TDLS_TESTING
1992 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1993 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1994 if (peer == NULL)
1995 goto error;
1996 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1997 "TDLS setup - send own request");
1998 peer->initiator = 1;
1999 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2000 NULL, NULL, 0, NULL, 0, 0, NULL, 0,
2001 NULL, 0, NULL, 0);
2002 if (wpa_tdls_send_tpk_m1(sm, peer) == -2) {
2003 peer = NULL;
2004 goto error;
2005 }
2006 }
2007
2008 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2009 tdls_prohibited) {
2010 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2011 "on TDLS");
2012 tdls_prohibited = 0;
2013 }
2014 #endif /* CONFIG_TDLS_TESTING */
2015
2016 if (tdls_prohibited) {
2017 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
2018 status = WLAN_STATUS_REQUEST_DECLINED;
2019 goto error;
2020 }
2021
2022 if (!wpa_tdls_get_privacy(sm)) {
2023 if (kde.rsn_ie) {
2024 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
2025 "security is disabled");
2026 status = WLAN_STATUS_SECURITY_DISABLED;
2027 goto error;
2028 }
2029 goto skip_rsn;
2030 }
2031
2032 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2033 kde.rsn_ie == NULL) {
2034 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
2035 status = WLAN_STATUS_INVALID_PARAMETERS;
2036 goto error;
2037 }
2038
2039 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2040 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
2041 "TPK M1");
2042 status = WLAN_STATUS_INVALID_RSNIE;
2043 goto error;
2044 }
2045
2046 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2047 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
2048 status = WLAN_STATUS_INVALID_RSNIE;
2049 goto error;
2050 }
2051
2052 cipher = ie.pairwise_cipher;
2053 if (cipher & WPA_CIPHER_CCMP) {
2054 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2055 cipher = WPA_CIPHER_CCMP;
2056 } else {
2057 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
2058 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2059 goto error;
2060 }
2061
2062 if ((ie.capabilities &
2063 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
2064 WPA_CAPABILITY_PEERKEY_ENABLED) {
2065 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
2066 "TPK M1");
2067 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
2068 goto error;
2069 }
2070
2071 /* Lifetime */
2072 if (kde.key_lifetime == NULL) {
2073 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
2074 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2075 goto error;
2076 }
2077 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2078 lifetime = WPA_GET_LE32(timeoutie->value);
2079 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
2080 if (lifetime < 300) {
2081 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2082 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2083 goto error;
2084 }
2085
2086 skip_rsn:
2087 #ifdef CONFIG_TDLS_TESTING
2088 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2089 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2090 /*
2091 * The request frame from us is going to win, so do not
2092 * replace information based on this request frame from
2093 * the peer.
2094 */
2095 goto skip_rsn_check;
2096 }
2097 }
2098 #endif /* CONFIG_TDLS_TESTING */
2099
2100 peer->initiator = 0; /* Need to check */
2101 peer->dtoken = dtoken;
2102
2103 if (!wpa_tdls_get_privacy(sm)) {
2104 peer->rsnie_i_len = 0;
2105 peer->rsnie_p_len = 0;
2106 peer->cipher = WPA_CIPHER_NONE;
2107 goto skip_rsn_check;
2108 }
2109
2110 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2111 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2112 peer->rsnie_i_len = kde.rsn_ie_len;
2113 peer->cipher = cipher;
2114
2115 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2116 !tdls_nonce_set(peer->inonce)) {
2117 /*
2118 * There is no point in updating the RNonce for every obtained
2119 * TPK M1 frame (e.g., retransmission due to timeout) with the
2120 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2121 * retransmitted with a different INonce, update the RNonce
2122 * since this is for a new TDLS session.
2123 */
2124 wpa_printf(MSG_DEBUG,
2125 "TDLS: New TPK M1 INonce - generate new RNonce");
2126 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2127 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2128 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2129 "TDLS: Failed to get random data for responder nonce");
2130 goto error;
2131 }
2132 peer->tk_set = 0; /* A new nonce results in a new TK */
2133 }
2134
2135 #if 0
2136 /* get version info from RSNIE received from Peer */
2137 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2138 rsn_ver = WPA_GET_LE16(hdr->version);
2139
2140 /* use min(peer's version, out version) */
2141 if (rsn_ver > RSN_VERSION)
2142 rsn_ver = RSN_VERSION;
2143
2144 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2145
2146 hdr->elem_id = WLAN_EID_RSN;
2147 WPA_PUT_LE16(hdr->version, rsn_ver);
2148 pos = (u8 *) (hdr + 1);
2149
2150 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2151 pos += RSN_SELECTOR_LEN;
2152 /* Include only the selected cipher in pairwise cipher suite */
2153 WPA_PUT_LE16(pos, 1);
2154 pos += 2;
2155 if (cipher == WPA_CIPHER_CCMP)
2156 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2157 pos += RSN_SELECTOR_LEN;
2158
2159 WPA_PUT_LE16(pos, 1);
2160 pos += 2;
2161 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2162 pos += RSN_SELECTOR_LEN;
2163
2164 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2165 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2166 WPA_PUT_LE16(pos, rsn_capab);
2167 pos += 2;
2168
2169 hdr->len = (pos - peer->rsnie_p) - 2;
2170 peer->rsnie_p_len = pos - peer->rsnie_p;
2171 #endif
2172
2173 /* temp fix: validation of RSNIE later */
2174 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2175 peer->rsnie_p_len = peer->rsnie_i_len;
2176
2177 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2178 peer->rsnie_p, peer->rsnie_p_len);
2179
2180 peer->lifetime = lifetime;
2181
2182 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2183
2184 skip_rsn_check:
2185 #ifdef CONFIG_TDLS_TESTING
2186 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2187 goto skip_add_peer;
2188 #endif /* CONFIG_TDLS_TESTING */
2189
2190 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2191 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2192 goto error;
2193
2194 #ifdef CONFIG_TDLS_TESTING
2195 skip_add_peer:
2196 #endif /* CONFIG_TDLS_TESTING */
2197 peer->tpk_in_progress = 1;
2198
2199 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2200 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2201 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2202 goto error;
2203 }
2204
2205 #ifdef CONFIG_TDLS_TESTING
2206 if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) {
2207 wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2");
2208 wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer);
2209 }
2210 #endif /* CONFIG_TDLS_TESTING */
2211
2212 return 0;
2213
2214 error:
2215 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2216 status);
2217 if (peer)
2218 wpa_tdls_peer_free(sm, peer);
2219 return -1;
2220 }
2221
2222
2223 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2224 {
2225 peer->tpk_success = 1;
2226 peer->tpk_in_progress = 0;
2227 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2228 if (wpa_tdls_get_privacy(sm)) {
2229 u32 lifetime = peer->lifetime;
2230 /*
2231 * Start the initiator process a bit earlier to avoid race
2232 * condition with the responder sending teardown request.
2233 */
2234 if (lifetime > 3 && peer->initiator)
2235 lifetime -= 3;
2236 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2237 sm, peer);
2238 #ifdef CONFIG_TDLS_TESTING
2239 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2240 wpa_printf(MSG_DEBUG,
2241 "TDLS: Testing - disable TPK expiration");
2242 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2243 }
2244 #endif /* CONFIG_TDLS_TESTING */
2245 }
2246
2247 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2248 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2249 "driver");
2250 return -1;
2251 }
2252 peer->reconfig_key = 0;
2253
2254 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2255 }
2256
2257
2258 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2259 const u8 *buf, size_t len)
2260 {
2261 struct wpa_tdls_peer *peer;
2262 struct wpa_eapol_ie_parse kde;
2263 struct wpa_ie_data ie;
2264 int cipher;
2265 struct wpa_tdls_ftie *ftie;
2266 struct wpa_tdls_timeoutie *timeoutie;
2267 struct wpa_tdls_lnkid *lnkid;
2268 u32 lifetime;
2269 u8 dtoken;
2270 int ielen;
2271 u16 status;
2272 const u8 *pos;
2273 int ret = 0;
2274
2275 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2276 "(Peer " MACSTR_SEC ")", MAC2STR_SEC(src_addr));
2277 for (peer = sm->tdls; peer; peer = peer->next) {
2278 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2279 break;
2280 }
2281 if (peer == NULL) {
2282 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2283 "TPK M2: " MACSTR_SEC, MAC2STR_SEC(src_addr));
2284 return -1;
2285 }
2286 if (!peer->initiator) {
2287 /*
2288 * This may happen if both devices try to initiate TDLS at the
2289 * same time and we accept the TPK M1 from the peer in
2290 * wpa_tdls_process_tpk_m1() and clear our previous state.
2291 */
2292 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2293 "ignore TPK M2 from " MACSTR_SEC, MAC2STR_SEC(src_addr));
2294 return -1;
2295 }
2296
2297 if (peer->tpk_success) {
2298 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2299 MACSTR_SEC " as TPK M3 was already sent",
2300 MAC2STR_SEC(src_addr));
2301 return 0;
2302 }
2303
2304 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2305
2306 if (len < 3 + 2 + 1) {
2307 wpa_tdls_disable_peer_link(sm, peer);
2308 return -1;
2309 }
2310
2311 pos = buf;
2312 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2313 status = WPA_GET_LE16(pos);
2314 pos += 2 /* status code */;
2315
2316 if (status != WLAN_STATUS_SUCCESS) {
2317 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2318 status);
2319 wpa_tdls_disable_peer_link(sm, peer);
2320 return -1;
2321 }
2322
2323 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2324
2325 /* TODO: need to verify dialog token matches here or in kernel */
2326 dtoken = *pos++; /* dialog token */
2327
2328 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2329
2330 if (len < 3 + 2 + 1 + 2) {
2331 wpa_tdls_disable_peer_link(sm, peer);
2332 return -1;
2333 }
2334
2335 /* capability information */
2336 peer->capability = WPA_GET_LE16(pos);
2337 pos += 2;
2338
2339 ielen = len - (pos - buf); /* start of IE in buf */
2340
2341 /*
2342 * Don't reject the message if failing to parse IEs. The IEs we need are
2343 * explicitly checked below. Some APs may add arbitrary padding to the
2344 * end of short TDLS frames and that would look like invalid IEs.
2345 */
2346 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2347 wpa_printf(MSG_DEBUG,
2348 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2349
2350 #ifdef CONFIG_TDLS_TESTING
2351 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2352 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2353 status = WLAN_STATUS_REQUEST_DECLINED;
2354 goto error;
2355 }
2356 #endif /* CONFIG_TDLS_TESTING */
2357
2358 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2359 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2360 "TPK M2");
2361 goto error;
2362 }
2363 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2364 kde.lnkid, kde.lnkid_len);
2365 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2366
2367 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2368 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2369 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2370 goto error;
2371 }
2372
2373 if (copy_supp_rates(&kde, peer) < 0)
2374 goto error;
2375
2376 if (copy_peer_ht_capab(&kde, peer) < 0)
2377 goto error;
2378
2379 if (copy_peer_vht_capab(&kde, peer) < 0 ||
2380 copy_peer_he_capab(&kde, peer) < 0 ||
2381 copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
2382 goto error;
2383
2384 if (copy_peer_ext_capab(&kde, peer) < 0)
2385 goto error;
2386
2387 if (copy_peer_supp_channels(&kde, peer) < 0)
2388 goto error;
2389
2390 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2391 goto error;
2392
2393 peer->qos_info = kde.qosinfo;
2394
2395 /* Overwrite with the qos_info obtained in WMM IE */
2396 if (copy_peer_wmm_capab(&kde, peer) < 0)
2397 goto error;
2398
2399 peer->aid = kde.aid;
2400
2401 if (!wpa_tdls_get_privacy(sm)) {
2402 peer->rsnie_p_len = 0;
2403 peer->cipher = WPA_CIPHER_NONE;
2404 goto skip_rsn;
2405 }
2406
2407 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2408 kde.rsn_ie == NULL) {
2409 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2410 status = WLAN_STATUS_INVALID_PARAMETERS;
2411 goto error;
2412 }
2413 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2414 kde.rsn_ie, kde.rsn_ie_len);
2415
2416 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2417 wpa_printf(MSG_INFO,
2418 "TDLS: Too long Responder RSN IE in TPK M2");
2419 status = WLAN_STATUS_INVALID_RSNIE;
2420 goto error;
2421 }
2422
2423 /*
2424 * FIX: bitwise comparison of RSN IE is not the correct way of
2425 * validation this. It can be different, but certain fields must
2426 * match. Since we list only a single pairwise cipher in TPK M1, the
2427 * memcmp is likely to work in most cases, though.
2428 */
2429 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2430 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2431 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2432 "not match with RSN IE used in TPK M1");
2433 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2434 peer->rsnie_i, peer->rsnie_i_len);
2435 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2436 kde.rsn_ie, kde.rsn_ie_len);
2437 status = WLAN_STATUS_INVALID_RSNIE;
2438 goto error;
2439 }
2440
2441 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2442 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2443 status = WLAN_STATUS_INVALID_RSNIE;
2444 goto error;
2445 }
2446
2447 cipher = ie.pairwise_cipher;
2448 if (cipher == WPA_CIPHER_CCMP) {
2449 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2450 cipher = WPA_CIPHER_CCMP;
2451 } else {
2452 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2453 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2454 goto error;
2455 }
2456
2457 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2458 kde.ftie, sizeof(*ftie));
2459 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2460
2461 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2462 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2463 "not match with FTIE SNonce used in TPK M1");
2464 /* Silently discard the frame */
2465 return -1;
2466 }
2467
2468 /* Responder Nonce and RSN IE */
2469 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2470 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2471 peer->rsnie_p_len = kde.rsn_ie_len;
2472 peer->cipher = cipher;
2473
2474 /* Lifetime */
2475 if (kde.key_lifetime == NULL) {
2476 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2477 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2478 goto error;
2479 }
2480 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2481 lifetime = WPA_GET_LE32(timeoutie->value);
2482 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2483 lifetime);
2484 if (lifetime != peer->lifetime) {
2485 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2486 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2487 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2488 goto error;
2489 }
2490
2491 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2492
2493 /* Process MIC check to see if TPK M2 is right */
2494 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2495 (u8 *) timeoutie, ftie) < 0) {
2496 /* Discard the frame */
2497 wpa_tdls_del_key(sm, peer);
2498 wpa_tdls_disable_peer_link(sm, peer);
2499 return -1;
2500 }
2501
2502 if (wpa_tdls_set_key(sm, peer) < 0) {
2503 /*
2504 * Some drivers may not be able to config the key prior to full
2505 * STA entry having been configured.
2506 */
2507 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2508 "STA entry is complete");
2509 peer->reconfig_key = 1;
2510 }
2511
2512 skip_rsn:
2513 peer->dtoken = dtoken;
2514
2515 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2516 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2517 goto error;
2518
2519 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2520 "TPK Handshake Message 3");
2521 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2522 goto error_no_msg;
2523
2524 if (!peer->tpk_success) {
2525 /*
2526 * Enable Link only when tpk_success is 0, signifying that this
2527 * processing of TPK M2 frame is not because of a retransmission
2528 * during TDLS setup handshake.
2529 */
2530 ret = wpa_tdls_enable_link(sm, peer);
2531 if (ret < 0) {
2532 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2533 wpa_tdls_do_teardown(
2534 sm, peer,
2535 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2536 }
2537 }
2538 return ret;
2539
2540 error:
2541 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2542 status);
2543 error_no_msg:
2544 wpa_tdls_disable_peer_link(sm, peer);
2545 return -1;
2546 }
2547
2548
2549 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2550 const u8 *buf, size_t len)
2551 {
2552 struct wpa_tdls_peer *peer;
2553 struct wpa_eapol_ie_parse kde;
2554 struct wpa_tdls_ftie *ftie;
2555 struct wpa_tdls_timeoutie *timeoutie;
2556 struct wpa_tdls_lnkid *lnkid;
2557 int ielen;
2558 u16 status;
2559 const u8 *pos;
2560 u32 lifetime;
2561 int ret = 0;
2562
2563 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2564 "(Peer " MACSTR_SEC ")", MAC2STR_SEC(src_addr));
2565 for (peer = sm->tdls; peer; peer = peer->next) {
2566 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2567 break;
2568 }
2569 if (peer == NULL) {
2570 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2571 "TPK M3: " MACSTR_SEC, MAC2STR_SEC(src_addr));
2572 return -1;
2573 }
2574 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2575
2576 if (len < 3 + 3)
2577 goto error;
2578 pos = buf;
2579 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2580
2581 status = WPA_GET_LE16(pos);
2582
2583 if (status != 0) {
2584 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2585 status);
2586 goto error;
2587 }
2588 pos += 2 /* status code */ + 1 /* dialog token */;
2589
2590 ielen = len - (pos - buf); /* start of IE in buf */
2591
2592 /*
2593 * Don't reject the message if failing to parse IEs. The IEs we need are
2594 * explicitly checked below. Some APs piggy-back broken IEs to the end
2595 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2596 * this error.
2597 */
2598 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2599 wpa_printf(MSG_DEBUG,
2600 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2601 }
2602
2603 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2604 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2605 goto error;
2606 }
2607 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2608 (u8 *) kde.lnkid, kde.lnkid_len);
2609 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2610
2611 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2612 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2613 goto error;
2614 }
2615
2616 if (!wpa_tdls_get_privacy(sm))
2617 goto skip_rsn;
2618
2619 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2620 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2621 goto error;
2622 }
2623 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2624 kde.ftie, sizeof(*ftie));
2625 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2626
2627 if (kde.rsn_ie == NULL) {
2628 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2629 goto error;
2630 }
2631 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2632 kde.rsn_ie, kde.rsn_ie_len);
2633 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2634 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2635 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2636 "with the one sent in TPK M2");
2637 goto error;
2638 }
2639
2640 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2641 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2642 "not match with FTIE ANonce used in TPK M2");
2643 goto error;
2644 }
2645
2646 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2647 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2648 "match with FTIE SNonce used in TPK M1");
2649 goto error;
2650 }
2651
2652 if (kde.key_lifetime == NULL) {
2653 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2654 goto error;
2655 }
2656 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2657 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2658 (u8 *) timeoutie, sizeof(*timeoutie));
2659 lifetime = WPA_GET_LE32(timeoutie->value);
2660 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2661 lifetime);
2662 if (lifetime != peer->lifetime) {
2663 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2664 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2665 goto error;
2666 }
2667
2668 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2669 (u8 *) timeoutie, ftie) < 0) {
2670 wpa_tdls_del_key(sm, peer);
2671 goto error;
2672 }
2673
2674 if (wpa_tdls_set_key(sm, peer) < 0) {
2675 /*
2676 * Some drivers may not be able to config the key prior to full
2677 * STA entry having been configured.
2678 */
2679 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2680 "STA entry is complete");
2681 peer->reconfig_key = 1;
2682 }
2683
2684 skip_rsn:
2685 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2686 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2687 goto error;
2688
2689 if (!peer->tpk_success) {
2690 /*
2691 * Enable Link only when tpk_success is 0, signifying that this
2692 * processing of TPK M3 frame is not because of a retransmission
2693 * during TDLS setup handshake.
2694 */
2695 ret = wpa_tdls_enable_link(sm, peer);
2696 if (ret < 0) {
2697 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2698 goto error;
2699 }
2700 }
2701 return ret;
2702 error:
2703 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2704 return -1;
2705 }
2706
2707
2708 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2709 {
2710 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2711
2712 os_memset(lifetime, 0, ie_len);
2713 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2714 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2715 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2716 WPA_PUT_LE32(lifetime->value, tsecs);
2717 os_memcpy(pos, ie, ie_len);
2718 return pos + ie_len;
2719 }
2720
2721
2722 /**
2723 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2724 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2725 * @peer: MAC address of the peer STA
2726 * Returns: 0 on success, or -1 on failure
2727 *
2728 * Send TPK Handshake Message 1 info to driver to start TDLS
2729 * handshake with the peer.
2730 */
2731 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2732 {
2733 struct wpa_tdls_peer *peer;
2734 int tdls_prohibited = sm->tdls_prohibited;
2735 int res;
2736
2737 if (sm->tdls_disabled || !sm->tdls_supported)
2738 return -1;
2739
2740 #ifdef CONFIG_TDLS_TESTING
2741 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2742 tdls_prohibited) {
2743 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2744 "on TDLS");
2745 tdls_prohibited = 0;
2746 }
2747 #endif /* CONFIG_TDLS_TESTING */
2748
2749 if (tdls_prohibited) {
2750 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2751 "reject request to start setup");
2752 return -1;
2753 }
2754
2755 peer = wpa_tdls_add_peer(sm, addr, NULL);
2756 if (peer == NULL)
2757 return -1;
2758
2759 if (peer->tpk_in_progress) {
2760 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2761 return 0;
2762 }
2763
2764 peer->initiator = 1;
2765
2766 /* add the peer to the driver as a "setup in progress" peer */
2767 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2768 NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0,
2769 NULL, 0)) {
2770 wpa_tdls_disable_peer_link(sm, peer);
2771 return -1;
2772 }
2773
2774 peer->tpk_in_progress = 1;
2775
2776 res = wpa_tdls_send_tpk_m1(sm, peer);
2777 if (res < 0) {
2778 if (res != -2)
2779 wpa_tdls_disable_peer_link(sm, peer);
2780 return -1;
2781 }
2782
2783 return 0;
2784 }
2785
2786
2787 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2788 {
2789 struct wpa_tdls_peer *peer;
2790
2791 if (sm->tdls_disabled || !sm->tdls_supported)
2792 return;
2793
2794 for (peer = sm->tdls; peer; peer = peer->next) {
2795 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2796 break;
2797 }
2798
2799 if (peer == NULL || !peer->tpk_success)
2800 return;
2801
2802 if (sm->tdls_external_setup) {
2803 /*
2804 * Disable previous link to allow renegotiation to be completed
2805 * on AP path.
2806 */
2807 wpa_tdls_do_teardown(sm, peer,
2808 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2809 }
2810 }
2811
2812
2813 /**
2814 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2815 *
2816 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2817 */
2818 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2819 const u8 *buf, size_t len)
2820 {
2821 struct wpa_sm *sm = ctx;
2822 struct wpa_tdls_frame *tf;
2823
2824 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2825 buf, len);
2826
2827 if (sm->tdls_disabled || !sm->tdls_supported) {
2828 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2829 "or unsupported by driver");
2830 return;
2831 }
2832
2833 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2834 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2835 return;
2836 }
2837
2838 if (len < sizeof(*tf)) {
2839 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2840 return;
2841 }
2842
2843 /* Check to make sure its a valid encapsulated TDLS frame */
2844 tf = (struct wpa_tdls_frame *) buf;
2845 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2846 tf->category != WLAN_ACTION_TDLS) {
2847 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2848 "category=%u action=%u",
2849 tf->payloadtype, tf->category, tf->action);
2850 return;
2851 }
2852
2853 switch (tf->action) {
2854 case WLAN_TDLS_SETUP_REQUEST:
2855 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2856 break;
2857 case WLAN_TDLS_SETUP_RESPONSE:
2858 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2859 break;
2860 case WLAN_TDLS_SETUP_CONFIRM:
2861 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2862 break;
2863 case WLAN_TDLS_TEARDOWN:
2864 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2865 break;
2866 case WLAN_TDLS_DISCOVERY_REQUEST:
2867 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2868 break;
2869 default:
2870 /* Kernel code will process remaining frames */
2871 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2872 tf->action);
2873 break;
2874 }
2875 }
2876
2877
2878 /**
2879 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2880 * @wpa_s: Pointer to wpa_supplicant data
2881 * Returns: 0 on success, -1 on failure
2882 *
2883 * This function is called to initialize driver interface parameters for TDLS.
2884 * wpa_drv_init() must have been called before this function to initialize the
2885 * driver interface.
2886 */
2887 int wpa_tdls_init(struct wpa_sm *sm)
2888 {
2889 if (sm == NULL)
2890 return -1;
2891
2892 if (sm->l2_tdls) {
2893 l2_packet_deinit(sm->l2_tdls);
2894 sm->l2_tdls = NULL;
2895 }
2896
2897 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2898 sm->ifname,
2899 sm->own_addr,
2900 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2901 sm, 0);
2902 if (sm->l2_tdls == NULL) {
2903 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2904 "connection");
2905 return -1;
2906 }
2907
2908 /*
2909 * Drivers that support TDLS but don't implement the get_capa callback
2910 * are assumed to perform everything internally
2911 */
2912 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2913 &sm->tdls_external_setup,
2914 &sm->tdls_chan_switch) < 0) {
2915 sm->tdls_supported = 1;
2916 sm->tdls_external_setup = 0;
2917 }
2918
2919 wpa_printf(MSG_EXCESSIVE, "TDLS: TDLS operation%s supported by "
2920 "driver", sm->tdls_supported ? "" : " not");
2921 wpa_printf(MSG_EXCESSIVE, "TDLS: Driver uses %s link setup",
2922 sm->tdls_external_setup ? "external" : "internal");
2923 wpa_printf(MSG_EXCESSIVE, "TDLS: Driver %s TDLS channel switching",
2924 sm->tdls_chan_switch ? "supports" : "does not support");
2925
2926 return 0;
2927 }
2928
2929
2930 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2931 {
2932 struct wpa_tdls_peer *peer, *tmp;
2933
2934 if (!sm)
2935 return;
2936 peer = sm->tdls;
2937
2938 wpa_printf(MSG_EXCESSIVE, "TDLS: Tear down peers");
2939
2940 while (peer) {
2941 tmp = peer->next;
2942 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR_SEC,
2943 MAC2STR_SEC(peer->addr));
2944 if (sm->tdls_external_setup)
2945 wpa_tdls_do_teardown(sm, peer,
2946 WLAN_REASON_DEAUTH_LEAVING);
2947 else
2948 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2949
2950 peer = tmp;
2951 }
2952 }
2953
2954
2955 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2956 {
2957 struct wpa_tdls_peer *peer, *tmp;
2958
2959 peer = sm->tdls;
2960
2961 while (peer) {
2962 int res;
2963 tmp = peer->next;
2964 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2965 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR_SEC " (res=%d)",
2966 MAC2STR_SEC(peer->addr), res);
2967 wpa_tdls_peer_free(sm, peer);
2968 peer = tmp;
2969 }
2970 }
2971
2972
2973 /**
2974 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2975 *
2976 * This function is called to recover driver interface parameters for TDLS
2977 * and frees resources allocated for it.
2978 */
2979 void wpa_tdls_deinit(struct wpa_sm *sm)
2980 {
2981 if (sm == NULL)
2982 return;
2983
2984 if (sm->l2_tdls)
2985 l2_packet_deinit(sm->l2_tdls);
2986 sm->l2_tdls = NULL;
2987
2988 wpa_tdls_remove_peers(sm);
2989 }
2990
2991
2992 void wpa_tdls_assoc(struct wpa_sm *sm)
2993 {
2994 wpa_printf(MSG_EXCESSIVE, "TDLS: Remove peers on association");
2995 wpa_tdls_remove_peers(sm);
2996 }
2997
2998
2999 void wpa_tdls_disassoc(struct wpa_sm *sm)
3000 {
3001 wpa_printf(MSG_EXCESSIVE, "TDLS: Remove peers on disassociation");
3002 wpa_tdls_remove_peers(sm);
3003 }
3004
3005
3006 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
3007 {
3008 /* bit 38 - TDLS Prohibited */
3009 return !!(elems->ext_capab[4] & 0x40);
3010 }
3011
3012
3013 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
3014 {
3015 /* bit 39 - TDLS Channel Switch Prohibited */
3016 return !!(elems->ext_capab[4] & 0x80);
3017 }
3018
3019
3020 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3021 {
3022 struct ieee802_11_elems elems;
3023
3024 sm->tdls_prohibited = 0;
3025 sm->tdls_chan_switch_prohibited = 0;
3026
3027 if (ies == NULL ||
3028 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3029 elems.ext_capab == NULL || elems.ext_capab_len < 5)
3030 return;
3031
3032 sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
3033 wpa_printf(MSG_EXCESSIVE, "TDLS: TDLS is %s in the target BSS",
3034 sm->tdls_prohibited ? "prohibited" : "allowed");
3035 sm->tdls_chan_switch_prohibited =
3036 wpa_tdls_chan_switch_prohibited(&elems);
3037 wpa_printf(MSG_EXCESSIVE, "TDLS: TDLS channel switch %s in the target BSS",
3038 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
3039 }
3040
3041
3042 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3043 {
3044 struct ieee802_11_elems elems;
3045
3046 if (ies == NULL ||
3047 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3048 elems.ext_capab == NULL || elems.ext_capab_len < 5)
3049 return;
3050
3051 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
3052 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
3053 "(Re)Association Response IEs");
3054 sm->tdls_prohibited = 1;
3055 }
3056
3057 if (!sm->tdls_chan_switch_prohibited &&
3058 wpa_tdls_chan_switch_prohibited(&elems)) {
3059 wpa_printf(MSG_DEBUG,
3060 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
3061 sm->tdls_chan_switch_prohibited = 1;
3062 }
3063 }
3064
3065
3066 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
3067 {
3068 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
3069 sm->tdls_disabled = !enabled;
3070 }
3071
3072
3073 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
3074 {
3075 return sm->tdls_external_setup;
3076 }
3077
3078
3079 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
3080 u8 oper_class,
3081 struct hostapd_freq_params *freq_params)
3082 {
3083 struct wpa_tdls_peer *peer;
3084 int ret;
3085
3086 if (sm->tdls_disabled || !sm->tdls_supported)
3087 return -1;
3088
3089 if (!sm->tdls_chan_switch) {
3090 wpa_printf(MSG_DEBUG,
3091 "TDLS: Channel switching not supported by the driver");
3092 return -1;
3093 }
3094
3095 if (sm->tdls_chan_switch_prohibited) {
3096 wpa_printf(MSG_DEBUG,
3097 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3098 return -1;
3099 }
3100
3101 for (peer = sm->tdls; peer; peer = peer->next) {
3102 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3103 break;
3104 }
3105
3106 if (peer == NULL || !peer->tpk_success) {
3107 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR_SEC
3108 " not found for channel switching", MAC2STR_SEC(addr));
3109 return -1;
3110 }
3111
3112 if (peer->chan_switch_enabled) {
3113 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR_SEC
3114 " already has channel switching enabled",
3115 MAC2STR_SEC(addr));
3116 return 0;
3117 }
3118
3119 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3120 oper_class, freq_params);
3121 if (!ret)
3122 peer->chan_switch_enabled = 1;
3123
3124 return ret;
3125 }
3126
3127
3128 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3129 {
3130 struct wpa_tdls_peer *peer;
3131
3132 if (sm->tdls_disabled || !sm->tdls_supported)
3133 return -1;
3134
3135 for (peer = sm->tdls; peer; peer = peer->next) {
3136 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3137 break;
3138 }
3139
3140 if (!peer || !peer->chan_switch_enabled) {
3141 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3142 MACSTR_SEC, MAC2STR_SEC(addr));
3143 return -1;
3144 }
3145
3146 /* ignore the return value */
3147 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3148
3149 peer->chan_switch_enabled = 0;
3150 return 0;
3151 }
3152