1 /*
2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
24
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12)
39 unsigned int tdls_testing = 0;
40 #endif /* CONFIG_TDLS_TESTING */
41
42 #define TPK_LIFETIME 43200 /* 12 hours */
43 #define TPK_M1_RETRY_COUNT 3
44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
45 #define TPK_M2_RETRY_COUNT 10
46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47
48 #define TDLS_MIC_LEN 16
49
50 #define TDLS_TIMEOUT_LEN 4
51
52 struct wpa_tdls_ftie {
53 u8 ie_type; /* FTIE */
54 u8 ie_len;
55 u8 mic_ctrl[2];
56 u8 mic[TDLS_MIC_LEN];
57 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
58 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
59 /* followed by optional elements */
60 } STRUCT_PACKED;
61
62 struct wpa_tdls_timeoutie {
63 u8 ie_type; /* Timeout IE */
64 u8 ie_len;
65 u8 interval_type;
66 u8 value[TDLS_TIMEOUT_LEN];
67 } STRUCT_PACKED;
68
69 struct wpa_tdls_lnkid {
70 u8 ie_type; /* Link Identifier IE */
71 u8 ie_len;
72 u8 bssid[ETH_ALEN];
73 u8 init_sta[ETH_ALEN];
74 u8 resp_sta[ETH_ALEN];
75 } STRUCT_PACKED;
76
77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
78 struct wpa_tdls_frame {
79 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
80 u8 category; /* Category */
81 u8 action; /* Action (enum tdls_frame_type) */
82 } STRUCT_PACKED;
83
84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
88 struct wpa_tdls_peer *peer);
89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
90 u16 reason_code);
91
92
93 #define TDLS_MAX_IE_LEN 80
94 #define IEEE80211_MAX_SUPP_RATES 32
95
96 struct wpa_tdls_peer {
97 struct wpa_tdls_peer *next;
98 unsigned int reconfig_key:1;
99 int initiator; /* whether this end was initiator for TDLS setup */
100 u8 addr[ETH_ALEN]; /* other end MAC address */
101 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
102 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
103 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 size_t rsnie_i_len;
105 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
106 size_t rsnie_p_len;
107 u32 lifetime;
108 int cipher; /* Selected cipher (WPA_CIPHER_*) */
109 u8 dtoken;
110
111 struct tpk {
112 u8 kck[16]; /* TPK-KCK */
113 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
114 } tpk;
115 int tpk_set;
116 int tk_set; /* TPK-TK configured to the driver */
117 int tpk_success;
118 int tpk_in_progress;
119
120 struct tpk_timer {
121 u8 dest[ETH_ALEN];
122 int count; /* Retry Count */
123 int timer; /* Timeout in milliseconds */
124 u8 action_code; /* TDLS frame type */
125 u8 dialog_token;
126 u16 status_code;
127 u32 peer_capab;
128 int buf_len; /* length of TPK message for retransmission */
129 u8 *buf; /* buffer for TPK message */
130 } sm_tmr;
131
132 u16 capability;
133
134 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
135 size_t supp_rates_len;
136
137 struct ieee80211_ht_capabilities *ht_capabilities;
138 struct ieee80211_vht_capabilities *vht_capabilities;
139 struct ieee80211_he_capabilities *he_capabilities;
140 size_t he_capab_len;
141 struct ieee80211_he_6ghz_band_cap *he_6ghz_band_capabilities;
142
143 u8 qos_info;
144
145 u16 aid;
146
147 u8 *ext_capab;
148 size_t ext_capab_len;
149
150 u8 *supp_channels;
151 size_t supp_channels_len;
152
153 u8 *supp_oper_classes;
154 size_t supp_oper_classes_len;
155
156 u8 wmm_capable;
157
158 /* channel switch currently enabled */
159 int chan_switch_enabled;
160 };
161
162
wpa_tdls_get_privacy(struct wpa_sm * sm)163 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
164 {
165 /*
166 * Get info needed from supplicant to check if the current BSS supports
167 * security. Other than OPEN mode, rest are considered secured
168 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
169 */
170 return sm->pairwise_cipher != WPA_CIPHER_NONE;
171 }
172
173
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)174 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
175 {
176 os_memcpy(pos, ie, ie_len);
177 return pos + ie_len;
178 }
179
180
wpa_tdls_del_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)181 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
182 {
183 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
184 0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) {
185 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
186 "the driver");
187 return -1;
188 }
189
190 return 0;
191 }
192
193
wpa_tdls_set_key(struct wpa_sm * sm,struct wpa_tdls_peer * peer)194 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
195 {
196 u8 key_len;
197 u8 rsc[6];
198 enum wpa_alg alg;
199
200 if (peer->tk_set) {
201 /*
202 * This same TPK-TK has already been configured to the driver
203 * and this new configuration attempt (likely due to an
204 * unexpected retransmitted frame) would result in clearing
205 * the TX/RX sequence number which can break security, so must
206 * not allow that to happen.
207 */
208 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
209 " has already been configured to the driver - do not reconfigure",
210 MAC2STR(peer->addr));
211 return -1;
212 }
213
214 os_memset(rsc, 0, 6);
215
216 switch (peer->cipher) {
217 case WPA_CIPHER_CCMP:
218 alg = WPA_ALG_CCMP;
219 key_len = 16;
220 break;
221 case WPA_CIPHER_NONE:
222 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
223 "NONE - do not use pairwise keys");
224 return -1;
225 default:
226 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
227 sm->pairwise_cipher);
228 return -1;
229 }
230
231 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
232 MAC2STR(peer->addr));
233 if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc),
234 peer->tpk.tk, key_len,
235 KEY_FLAG_PAIRWISE_RX_TX) < 0) {
236 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
237 "driver");
238 return -1;
239 }
240 peer->tk_set = 1;
241 return 0;
242 }
243
244
wpa_tdls_send_tpk_msg(struct wpa_sm * sm,const u8 * dst,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * buf,size_t len)245 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
246 u8 action_code, u8 dialog_token,
247 u16 status_code, u32 peer_capab,
248 int initiator, const u8 *buf, size_t len)
249 {
250 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
251 status_code, peer_capab, initiator, buf,
252 len);
253 }
254
255
wpa_tdls_tpk_send(struct wpa_sm * sm,const u8 * dest,u8 action_code,u8 dialog_token,u16 status_code,u32 peer_capab,int initiator,const u8 * msg,size_t msg_len)256 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
257 u8 dialog_token, u16 status_code, u32 peer_capab,
258 int initiator, const u8 *msg, size_t msg_len)
259 {
260 struct wpa_tdls_peer *peer;
261
262 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
263 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
264 "msg_len=%u",
265 MAC2STR(dest), action_code, dialog_token, status_code,
266 peer_capab, initiator, (unsigned int) msg_len);
267
268 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
269 status_code, peer_capab, initiator, msg,
270 msg_len)) {
271 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
272 "(action_code=%u)", action_code);
273 return -1;
274 }
275
276 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
277 action_code == WLAN_TDLS_TEARDOWN ||
278 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
279 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
280 return 0; /* No retries */
281
282 for (peer = sm->tdls; peer; peer = peer->next) {
283 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
284 break;
285 }
286
287 if (peer == NULL) {
288 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
289 "retry " MACSTR, MAC2STR(dest));
290 return 0;
291 }
292
293 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
294
295 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
296 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
297 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
298 } else {
299 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
300 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
301 }
302
303 /* Copy message to resend on timeout */
304 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
305 peer->sm_tmr.action_code = action_code;
306 peer->sm_tmr.dialog_token = dialog_token;
307 peer->sm_tmr.status_code = status_code;
308 peer->sm_tmr.peer_capab = peer_capab;
309 peer->sm_tmr.buf_len = msg_len;
310 os_free(peer->sm_tmr.buf);
311 peer->sm_tmr.buf = os_memdup(msg, msg_len);
312 if (peer->sm_tmr.buf == NULL)
313 return -1;
314
315 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
316 "(action_code=%u)", action_code);
317 eloop_register_timeout(peer->sm_tmr.timer / 1000,
318 (peer->sm_tmr.timer % 1000) * 1000,
319 wpa_tdls_tpk_retry_timeout, sm, peer);
320 return 0;
321 }
322
323
wpa_tdls_do_teardown(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u16 reason_code)324 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
325 u16 reason_code)
326 {
327 int ret;
328
329 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
330 /* disable the link after teardown was sent */
331 wpa_tdls_disable_peer_link(sm, peer);
332
333 return ret;
334 }
335
336
wpa_tdls_tpk_retry_timeout(void * eloop_ctx,void * timeout_ctx)337 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
338 {
339
340 struct wpa_sm *sm = eloop_ctx;
341 struct wpa_tdls_peer *peer = timeout_ctx;
342
343 if (peer->sm_tmr.count) {
344 peer->sm_tmr.count--;
345
346 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
347 "(action_code=%u)",
348 peer->sm_tmr.action_code);
349
350 if (peer->sm_tmr.buf == NULL) {
351 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
352 "for action_code=%u",
353 peer->sm_tmr.action_code);
354 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
355 peer);
356 return;
357 }
358
359 /* resend TPK Handshake Message to Peer */
360 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
361 peer->sm_tmr.action_code,
362 peer->sm_tmr.dialog_token,
363 peer->sm_tmr.status_code,
364 peer->sm_tmr.peer_capab,
365 peer->initiator,
366 peer->sm_tmr.buf,
367 peer->sm_tmr.buf_len)) {
368 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
369 "transmission");
370 }
371
372 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
373 eloop_register_timeout(peer->sm_tmr.timer / 1000,
374 (peer->sm_tmr.timer % 1000) * 1000,
375 wpa_tdls_tpk_retry_timeout, sm, peer);
376 } else {
377 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
378
379 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
380 wpa_tdls_do_teardown(sm, peer,
381 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
382 }
383 }
384
385
wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 action_code)386 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
387 struct wpa_tdls_peer *peer,
388 u8 action_code)
389 {
390 if (action_code == peer->sm_tmr.action_code) {
391 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
392 "action_code=%u", action_code);
393
394 /* Cancel Timeout registered */
395 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
396
397 /* free all resources meant for retry */
398 os_free(peer->sm_tmr.buf);
399 peer->sm_tmr.buf = NULL;
400
401 peer->sm_tmr.count = 0;
402 peer->sm_tmr.timer = 0;
403 peer->sm_tmr.buf_len = 0;
404 peer->sm_tmr.action_code = 0xff;
405 } else {
406 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
407 "(Unknown action_code=%u)", action_code);
408 }
409 }
410
411
wpa_tdls_generate_tpk(struct wpa_tdls_peer * peer,const u8 * own_addr,const u8 * bssid)412 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
413 const u8 *own_addr, const u8 *bssid)
414 {
415 u8 key_input[SHA256_MAC_LEN];
416 const u8 *nonce[2];
417 size_t len[2];
418 u8 data[3 * ETH_ALEN];
419
420 /* IEEE Std 802.11-2016 12.7.9.2:
421 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce))
422 * Hash = SHA-256 for TDLS
423 */
424 len[0] = WPA_NONCE_LEN;
425 len[1] = WPA_NONCE_LEN;
426 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
427 nonce[0] = peer->inonce;
428 nonce[1] = peer->rnonce;
429 } else {
430 nonce[0] = peer->rnonce;
431 nonce[1] = peer->inonce;
432 }
433 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
434 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
435 sha256_vector(2, nonce, len, key_input);
436 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
437 key_input, SHA256_MAC_LEN);
438
439 /*
440 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK",
441 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID)
442 */
443
444 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
445 os_memcpy(data, own_addr, ETH_ALEN);
446 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
447 } else {
448 os_memcpy(data, peer->addr, ETH_ALEN);
449 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
450 }
451 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
452 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
453
454 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
455 (u8 *) &peer->tpk, sizeof(peer->tpk));
456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
457 peer->tpk.kck, sizeof(peer->tpk.kck));
458 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
459 peer->tpk.tk, sizeof(peer->tpk.tk));
460 peer->tpk_set = 1;
461 }
462
463
464 /**
465 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
466 * @kck: TPK-KCK
467 * @lnkid: Pointer to the beginning of Link Identifier IE
468 * @rsnie: Pointer to the beginning of RSN IE used for handshake
469 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
470 * @ftie: Pointer to the beginning of FT IE
471 * @mic: Pointer for writing MIC
472 *
473 * Calculate MIC for TDLS frame.
474 */
wpa_tdls_ftie_mic(const u8 * kck,u8 trans_seq,const u8 * lnkid,const u8 * rsnie,const u8 * timeoutie,const u8 * ftie,u8 * mic)475 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
476 const u8 *rsnie, const u8 *timeoutie,
477 const u8 *ftie, u8 *mic)
478 {
479 u8 *buf, *pos;
480 struct wpa_tdls_ftie *_ftie;
481 const struct wpa_tdls_lnkid *_lnkid;
482 int ret;
483 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
484 2 + timeoutie[1] + 2 + ftie[1];
485 buf = os_zalloc(len);
486 if (!buf) {
487 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
488 return -1;
489 }
490
491 pos = buf;
492 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
493 /* 1) TDLS initiator STA MAC address */
494 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
495 pos += ETH_ALEN;
496 /* 2) TDLS responder STA MAC address */
497 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
498 pos += ETH_ALEN;
499 /* 3) Transaction Sequence number */
500 *pos++ = trans_seq;
501 /* 4) Link Identifier IE */
502 os_memcpy(pos, lnkid, 2 + lnkid[1]);
503 pos += 2 + lnkid[1];
504 /* 5) RSN IE */
505 os_memcpy(pos, rsnie, 2 + rsnie[1]);
506 pos += 2 + rsnie[1];
507 /* 6) Timeout Interval IE */
508 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
509 pos += 2 + timeoutie[1];
510 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
511 os_memcpy(pos, ftie, 2 + ftie[1]);
512 _ftie = (struct wpa_tdls_ftie *) pos;
513 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
514 pos += 2 + ftie[1];
515
516 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
517 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
518 ret = omac1_aes_128(kck, buf, pos - buf, mic);
519 os_free(buf);
520 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
521 return ret;
522 }
523
524
525 /**
526 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
527 * @kck: TPK-KCK
528 * @trans_seq: Transaction Sequence Number (4 - Teardown)
529 * @rcode: Reason code for Teardown
530 * @dtoken: Dialog Token used for that particular link
531 * @lnkid: Pointer to the beginning of Link Identifier IE
532 * @ftie: Pointer to the beginning of FT IE
533 * @mic: Pointer for writing MIC
534 *
535 * Calculate MIC for TDLS frame.
536 */
wpa_tdls_key_mic_teardown(const u8 * kck,u8 trans_seq,u16 rcode,u8 dtoken,const u8 * lnkid,const u8 * ftie,u8 * mic)537 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
538 u8 dtoken, const u8 *lnkid,
539 const u8 *ftie, u8 *mic)
540 {
541 u8 *buf, *pos;
542 struct wpa_tdls_ftie *_ftie;
543 int ret;
544 int len;
545
546 if (lnkid == NULL)
547 return -1;
548
549 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
550 sizeof(trans_seq) + 2 + ftie[1];
551
552 buf = os_zalloc(len);
553 if (!buf) {
554 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
555 return -1;
556 }
557
558 pos = buf;
559 /* 1) Link Identifier IE */
560 os_memcpy(pos, lnkid, 2 + lnkid[1]);
561 pos += 2 + lnkid[1];
562 /* 2) Reason Code */
563 WPA_PUT_LE16(pos, rcode);
564 pos += sizeof(rcode);
565 /* 3) Dialog token */
566 *pos++ = dtoken;
567 /* 4) Transaction Sequence number */
568 *pos++ = trans_seq;
569 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
570 os_memcpy(pos, ftie, 2 + ftie[1]);
571 _ftie = (struct wpa_tdls_ftie *) pos;
572 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
573 pos += 2 + ftie[1];
574
575 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
576 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
577 ret = omac1_aes_128(kck, buf, pos - buf, mic);
578 os_free(buf);
579 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
580 return ret;
581 }
582
583
wpa_supplicant_verify_tdls_mic(u8 trans_seq,struct wpa_tdls_peer * peer,const u8 * lnkid,const u8 * timeoutie,const struct wpa_tdls_ftie * ftie)584 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
585 struct wpa_tdls_peer *peer,
586 const u8 *lnkid, const u8 *timeoutie,
587 const struct wpa_tdls_ftie *ftie)
588 {
589 u8 mic[16];
590
591 if (peer->tpk_set) {
592 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
593 peer->rsnie_p, timeoutie, (u8 *) ftie,
594 mic);
595 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
596 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
597 "dropping packet");
598 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
599 ftie->mic, 16);
600 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
601 mic, 16);
602 return -1;
603 }
604 } else {
605 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
606 "TPK not set - dropping packet");
607 return -1;
608 }
609 return 0;
610 }
611
612
wpa_supplicant_verify_tdls_mic_teardown(u8 trans_seq,u16 rcode,u8 dtoken,struct wpa_tdls_peer * peer,const u8 * lnkid,const struct wpa_tdls_ftie * ftie)613 static int wpa_supplicant_verify_tdls_mic_teardown(
614 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
615 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
616 {
617 u8 mic[16];
618
619 if (peer->tpk_set) {
620 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
621 dtoken, lnkid, (u8 *) ftie, mic);
622 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
623 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
624 "dropping packet");
625 return -1;
626 }
627 } else {
628 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
629 "MIC, TPK not set - dropping packet");
630 return -1;
631 }
632 return 0;
633 }
634
635
wpa_tdls_tpk_timeout(void * eloop_ctx,void * timeout_ctx)636 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
637 {
638 struct wpa_sm *sm = eloop_ctx;
639 struct wpa_tdls_peer *peer = timeout_ctx;
640
641 /*
642 * On TPK lifetime expiration, we have an option of either tearing down
643 * the direct link or trying to re-initiate it. The selection of what
644 * to do is not strictly speaking controlled by our role in the expired
645 * link, but for now, use that to select whether to renew or tear down
646 * the link.
647 */
648
649 if (peer->initiator) {
650 u8 addr[ETH_ALEN];
651
652 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
653 " - try to renew", MAC2STR(peer->addr));
654 /* cache the peer address before do_teardown */
655 os_memcpy(addr, peer->addr, ETH_ALEN);
656 wpa_tdls_do_teardown(sm, peer,
657 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
658 wpa_tdls_start(sm, addr);
659 } else {
660 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
661 " - tear down", MAC2STR(peer->addr));
662 wpa_tdls_do_teardown(sm, peer,
663 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
664 }
665 }
666
667
wpa_tdls_peer_remove_from_list(struct wpa_sm * sm,struct wpa_tdls_peer * peer)668 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
669 struct wpa_tdls_peer *peer)
670 {
671 struct wpa_tdls_peer *cur, *prev;
672
673 cur = sm->tdls;
674 prev = NULL;
675 while (cur && cur != peer) {
676 prev = cur;
677 cur = cur->next;
678 }
679
680 if (cur != peer) {
681 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
682 " to remove it from the list",
683 MAC2STR(peer->addr));
684 return;
685 }
686
687 if (prev)
688 prev->next = peer->next;
689 else
690 sm->tdls = peer->next;
691 }
692
693
wpa_tdls_peer_clear(struct wpa_sm * sm,struct wpa_tdls_peer * peer)694 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
695 {
696 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
697 MAC2STR(peer->addr));
698 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
699 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
700 peer->reconfig_key = 0;
701 peer->initiator = 0;
702 peer->tpk_in_progress = 0;
703 os_free(peer->sm_tmr.buf);
704 peer->sm_tmr.buf = NULL;
705 os_free(peer->ht_capabilities);
706 peer->ht_capabilities = NULL;
707 os_free(peer->vht_capabilities);
708 peer->vht_capabilities = NULL;
709 os_free(peer->he_capabilities);
710 peer->he_capabilities = NULL;
711 os_free(peer->he_6ghz_band_capabilities);
712 peer->he_6ghz_band_capabilities = NULL;
713 os_free(peer->ext_capab);
714 peer->ext_capab = NULL;
715 os_free(peer->supp_channels);
716 peer->supp_channels = NULL;
717 os_free(peer->supp_oper_classes);
718 peer->supp_oper_classes = NULL;
719 peer->rsnie_i_len = peer->rsnie_p_len = 0;
720 peer->cipher = 0;
721 peer->qos_info = 0;
722 peer->wmm_capable = 0;
723 peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
724 peer->chan_switch_enabled = 0;
725 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
726 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
727 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
728 }
729
730
wpa_tdls_peer_free(struct wpa_sm * sm,struct wpa_tdls_peer * peer)731 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
732 {
733 wpa_tdls_peer_clear(sm, peer);
734 wpa_tdls_peer_remove_from_list(sm, peer);
735 os_free(peer);
736 }
737
738
wpa_tdls_linkid(struct wpa_sm * sm,struct wpa_tdls_peer * peer,struct wpa_tdls_lnkid * lnkid)739 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
740 struct wpa_tdls_lnkid *lnkid)
741 {
742 lnkid->ie_type = WLAN_EID_LINK_ID;
743 lnkid->ie_len = 3 * ETH_ALEN;
744 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
745 if (peer->initiator) {
746 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
747 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
748 } else {
749 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
750 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
751 }
752 }
753
754
wpa_tdls_send_teardown(struct wpa_sm * sm,const u8 * addr,u16 reason_code)755 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
756 u16 reason_code)
757 {
758 struct wpa_tdls_peer *peer;
759 struct wpa_tdls_ftie *ftie;
760 struct wpa_tdls_lnkid lnkid;
761 u8 dialog_token;
762 u8 *rbuf, *pos;
763 int ielen;
764
765 if (sm->tdls_disabled || !sm->tdls_supported)
766 return -1;
767
768 /* Find the node and free from the list */
769 for (peer = sm->tdls; peer; peer = peer->next) {
770 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
771 break;
772 }
773
774 if (peer == NULL) {
775 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
776 "Teardown " MACSTR, MAC2STR(addr));
777 return 0;
778 }
779
780 /* Cancel active channel switch before teardown */
781 if (peer->chan_switch_enabled) {
782 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
783 " to base channel", MAC2STR(addr));
784 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
785 }
786
787 dialog_token = peer->dtoken;
788
789 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
790 MAC2STR(addr));
791
792 ielen = 0;
793 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
794 /* To add FTIE for Teardown request and compute MIC */
795 ielen += sizeof(*ftie);
796 #ifdef CONFIG_TDLS_TESTING
797 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
798 ielen += 170;
799 #endif /* CONFIG_TDLS_TESTING */
800 }
801
802 rbuf = os_zalloc(ielen + 1);
803 if (rbuf == NULL)
804 return -1;
805 pos = rbuf;
806
807 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
808 goto skip_ies;
809
810 ftie = (struct wpa_tdls_ftie *) pos;
811 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
812 /* Using the recent nonce which should be for CONFIRM frame */
813 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
814 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
815 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
816 pos = (u8 *) (ftie + 1);
817 #ifdef CONFIG_TDLS_TESTING
818 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
819 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
820 "FTIE");
821 ftie->ie_len += 170;
822 *pos++ = 255; /* FTIE subelem */
823 *pos++ = 168; /* FTIE subelem length */
824 pos += 168;
825 }
826 #endif /* CONFIG_TDLS_TESTING */
827 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
828 (u8 *) ftie, pos - (u8 *) ftie);
829
830 /* compute MIC before sending */
831 wpa_tdls_linkid(sm, peer, &lnkid);
832 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
833 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
834 ftie->mic);
835
836 skip_ies:
837 /* TODO: register for a Timeout handler, if Teardown is not received at
838 * the other end, then try again another time */
839
840 /* request driver to send Teardown using this FTIE */
841 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
842 reason_code, 0, peer->initiator, rbuf, pos - rbuf);
843 os_free(rbuf);
844
845 return 0;
846 }
847
848
wpa_tdls_teardown_link(struct wpa_sm * sm,const u8 * addr,u16 reason_code)849 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
850 {
851 struct wpa_tdls_peer *peer;
852
853 if (sm->tdls_disabled || !sm->tdls_supported)
854 return -1;
855
856 for (peer = sm->tdls; peer; peer = peer->next) {
857 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
858 break;
859 }
860
861 if (peer == NULL) {
862 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
863 " for link Teardown", MAC2STR(addr));
864 return -1;
865 }
866
867 if (!peer->tpk_success) {
868 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
869 " not connected - cannot Teardown link", MAC2STR(addr));
870 return -1;
871 }
872
873 return wpa_tdls_do_teardown(sm, peer, reason_code);
874 }
875
876
wpa_tdls_disable_peer_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)877 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
878 struct wpa_tdls_peer *peer)
879 {
880 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
881 wpa_tdls_peer_free(sm, peer);
882 }
883
884
wpa_tdls_disable_unreachable_link(struct wpa_sm * sm,const u8 * addr)885 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
886 {
887 struct wpa_tdls_peer *peer;
888
889 for (peer = sm->tdls; peer; peer = peer->next) {
890 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
891 break;
892 }
893
894 if (!peer || !peer->tpk_success) {
895 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
896 " not connected - cannot teardown unreachable link",
897 MAC2STR(addr));
898 return;
899 }
900
901 if (wpa_tdls_is_external_setup(sm)) {
902 /*
903 * Get us on the base channel, disable the link, send a
904 * teardown packet through the AP, and then reset link data.
905 */
906 if (peer->chan_switch_enabled)
907 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
908 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
909 wpa_tdls_send_teardown(sm, addr,
910 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
911 wpa_tdls_peer_free(sm, peer);
912 } else {
913 wpa_tdls_disable_peer_link(sm, peer);
914 }
915 }
916
917
wpa_tdls_get_link_status(struct wpa_sm * sm,const u8 * addr)918 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
919 {
920 struct wpa_tdls_peer *peer;
921
922 if (sm->tdls_disabled || !sm->tdls_supported)
923 return "disabled";
924
925 for (peer = sm->tdls; peer; peer = peer->next) {
926 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
927 break;
928 }
929
930 if (peer == NULL)
931 return "peer does not exist";
932
933 if (!peer->tpk_success)
934 return "peer not connected";
935
936 return "connected";
937 }
938
939
wpa_tdls_recv_teardown(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)940 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
941 const u8 *buf, size_t len)
942 {
943 struct wpa_tdls_peer *peer = NULL;
944 struct wpa_tdls_ftie *ftie;
945 struct wpa_tdls_lnkid *lnkid;
946 struct wpa_eapol_ie_parse kde;
947 u16 reason_code;
948 const u8 *pos;
949 int ielen;
950
951 /* Find the node and free from the list */
952 for (peer = sm->tdls; peer; peer = peer->next) {
953 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
954 break;
955 }
956
957 if (peer == NULL) {
958 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
959 "Teardown " MACSTR, MAC2STR(src_addr));
960 return 0;
961 }
962
963 pos = buf;
964 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
965
966 reason_code = WPA_GET_LE16(pos);
967 pos += 2;
968
969 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
970 " (reason code %u)", MAC2STR(src_addr), reason_code);
971
972 ielen = len - (pos - buf); /* start of IE in buf */
973
974 /*
975 * Don't reject the message if failing to parse IEs. The IEs we need are
976 * explicitly checked below. Some APs may add arbitrary padding to the
977 * end of short TDLS frames and that would look like invalid IEs.
978 */
979 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
980 wpa_printf(MSG_DEBUG,
981 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
982
983 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
984 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
985 "Teardown");
986 return -1;
987 }
988 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
989
990 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
991 goto skip_ftie;
992
993 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
994 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
995 return -1;
996 }
997
998 ftie = (struct wpa_tdls_ftie *) kde.ftie;
999
1000 /* Process MIC check to see if TDLS Teardown is right */
1001 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
1002 peer->dtoken, peer,
1003 (u8 *) lnkid, ftie) < 0) {
1004 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
1005 "Teardown Request from " MACSTR, MAC2STR(src_addr));
1006 return -1;
1007 }
1008
1009 skip_ftie:
1010 /*
1011 * Request the driver to disable the direct link and clear associated
1012 * keys.
1013 */
1014 wpa_tdls_disable_peer_link(sm, peer);
1015 return 0;
1016 }
1017
1018
1019 /**
1020 * wpa_tdls_send_error - To send suitable TDLS status response with
1021 * appropriate status code mentioning reason for error/failure.
1022 * @dst - MAC addr of Peer station
1023 * @tdls_action - TDLS frame type for which error code is sent
1024 * @initiator - was this end the initiator of the connection
1025 * @status - status code mentioning reason
1026 */
1027
wpa_tdls_send_error(struct wpa_sm * sm,const u8 * dst,u8 tdls_action,u8 dialog_token,int initiator,u16 status)1028 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1029 u8 tdls_action, u8 dialog_token, int initiator,
1030 u16 status)
1031 {
1032 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1033 " (action=%u status=%u)",
1034 MAC2STR(dst), tdls_action, status);
1035 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1036 0, initiator, NULL, 0);
1037 }
1038
1039
1040 static struct wpa_tdls_peer *
wpa_tdls_add_peer(struct wpa_sm * sm,const u8 * addr,int * existing)1041 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1042 {
1043 struct wpa_tdls_peer *peer;
1044
1045 if (existing)
1046 *existing = 0;
1047 for (peer = sm->tdls; peer; peer = peer->next) {
1048 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1049 if (existing)
1050 *existing = 1;
1051 return peer; /* re-use existing entry */
1052 }
1053 }
1054
1055 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1056 MAC2STR(addr));
1057
1058 peer = os_zalloc(sizeof(*peer));
1059 if (peer == NULL)
1060 return NULL;
1061
1062 os_memcpy(peer->addr, addr, ETH_ALEN);
1063 peer->next = sm->tdls;
1064 sm->tdls = peer;
1065
1066 return peer;
1067 }
1068
1069
wpa_tdls_send_tpk_m1(struct wpa_sm * sm,struct wpa_tdls_peer * peer)1070 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1071 struct wpa_tdls_peer *peer)
1072 {
1073 size_t buf_len;
1074 struct wpa_tdls_timeoutie timeoutie;
1075 u16 rsn_capab;
1076 struct wpa_tdls_ftie *ftie;
1077 u8 *rbuf, *pos, *count_pos;
1078 u16 count;
1079 struct rsn_ie_hdr *hdr;
1080 int status;
1081
1082 if (!wpa_tdls_get_privacy(sm)) {
1083 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1084 peer->rsnie_i_len = 0;
1085 goto skip_rsnie;
1086 }
1087
1088 /*
1089 * TPK Handshake Message 1:
1090 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1091 * Timeout Interval IE))
1092 */
1093
1094 /* Filling RSN IE */
1095 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1096 hdr->elem_id = WLAN_EID_RSN;
1097 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1098
1099 pos = (u8 *) (hdr + 1);
1100 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1101 pos += RSN_SELECTOR_LEN;
1102 count_pos = pos;
1103 pos += 2;
1104
1105 count = 0;
1106
1107 /*
1108 * AES-CCMP is the default Encryption preferred for TDLS, so
1109 * RSN IE is filled only with CCMP CIPHER
1110 * Note: TKIP is not used to encrypt TDLS link.
1111 *
1112 * Regardless of the cipher used on the AP connection, select CCMP
1113 * here.
1114 */
1115 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1116 pos += RSN_SELECTOR_LEN;
1117 count++;
1118
1119 WPA_PUT_LE16(count_pos, count);
1120
1121 WPA_PUT_LE16(pos, 1);
1122 pos += 2;
1123 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1124 pos += RSN_SELECTOR_LEN;
1125
1126 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1127 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1128 #ifdef CONFIG_TDLS_TESTING
1129 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1130 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1131 "testing");
1132 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1133 }
1134 #endif /* CONFIG_TDLS_TESTING */
1135 WPA_PUT_LE16(pos, rsn_capab);
1136 pos += 2;
1137 #ifdef CONFIG_TDLS_TESTING
1138 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1139 /* Number of PMKIDs */
1140 *pos++ = 0x00;
1141 *pos++ = 0x00;
1142 }
1143 #endif /* CONFIG_TDLS_TESTING */
1144
1145 hdr->len = (pos - peer->rsnie_i) - 2;
1146 peer->rsnie_i_len = pos - peer->rsnie_i;
1147 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1148 peer->rsnie_i, peer->rsnie_i_len);
1149
1150 skip_rsnie:
1151 buf_len = 0;
1152 if (wpa_tdls_get_privacy(sm))
1153 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1154 sizeof(struct wpa_tdls_timeoutie);
1155 #ifdef CONFIG_TDLS_TESTING
1156 if (wpa_tdls_get_privacy(sm) &&
1157 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1158 buf_len += 170;
1159 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1160 buf_len += sizeof(struct wpa_tdls_lnkid);
1161 #endif /* CONFIG_TDLS_TESTING */
1162 rbuf = os_zalloc(buf_len + 1);
1163 if (rbuf == NULL) {
1164 wpa_tdls_peer_free(sm, peer);
1165 return -2;
1166 }
1167 pos = rbuf;
1168
1169 if (!wpa_tdls_get_privacy(sm))
1170 goto skip_ies;
1171
1172 /* Initiator RSN IE */
1173 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1174
1175 ftie = (struct wpa_tdls_ftie *) pos;
1176 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1177 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1178
1179 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1180 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1181 "TDLS: Failed to get random data for initiator Nonce");
1182 os_free(rbuf);
1183 wpa_tdls_peer_free(sm, peer);
1184 return -2;
1185 }
1186 peer->tk_set = 0; /* A new nonce results in a new TK */
1187 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1188 peer->inonce, WPA_NONCE_LEN);
1189 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1190
1191 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1192 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1193
1194 pos = (u8 *) (ftie + 1);
1195
1196 #ifdef CONFIG_TDLS_TESTING
1197 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1198 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1199 "FTIE");
1200 ftie->ie_len += 170;
1201 *pos++ = 255; /* FTIE subelem */
1202 *pos++ = 168; /* FTIE subelem length */
1203 pos += 168;
1204 }
1205 #endif /* CONFIG_TDLS_TESTING */
1206
1207 /* Lifetime */
1208 peer->lifetime = TPK_LIFETIME;
1209 #ifdef CONFIG_TDLS_TESTING
1210 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1211 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1212 "lifetime");
1213 peer->lifetime = 301;
1214 }
1215 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1216 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1217 "lifetime");
1218 peer->lifetime = 0xffffffff;
1219 }
1220 #endif /* CONFIG_TDLS_TESTING */
1221 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1222 sizeof(timeoutie), peer->lifetime);
1223 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1224
1225 skip_ies:
1226
1227 #ifdef CONFIG_TDLS_TESTING
1228 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1229 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1230
1231 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1232 "Link Identifier");
1233 wpa_tdls_linkid(sm, peer, l);
1234 l->bssid[5] ^= 0x01;
1235 pos += sizeof(*l);
1236 }
1237 #endif /* CONFIG_TDLS_TESTING */
1238
1239 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1240 "Handshake Message 1 (peer " MACSTR ")",
1241 MAC2STR(peer->addr));
1242
1243 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1244 1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1245 os_free(rbuf);
1246
1247 return status;
1248 }
1249
1250
wpa_tdls_send_tpk_m2(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1251 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1252 const unsigned char *src_addr, u8 dtoken,
1253 struct wpa_tdls_lnkid *lnkid,
1254 const struct wpa_tdls_peer *peer)
1255 {
1256 u8 *rbuf, *pos;
1257 size_t buf_len;
1258 u32 lifetime;
1259 struct wpa_tdls_timeoutie timeoutie;
1260 struct wpa_tdls_ftie *ftie;
1261 int status;
1262
1263 buf_len = 0;
1264 if (wpa_tdls_get_privacy(sm)) {
1265 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1266 * Lifetime */
1267 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1268 sizeof(struct wpa_tdls_timeoutie);
1269 #ifdef CONFIG_TDLS_TESTING
1270 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1271 buf_len += 170;
1272 #endif /* CONFIG_TDLS_TESTING */
1273 }
1274
1275 rbuf = os_zalloc(buf_len + 1);
1276 if (rbuf == NULL)
1277 return -1;
1278 pos = rbuf;
1279
1280 if (!wpa_tdls_get_privacy(sm))
1281 goto skip_ies;
1282
1283 /* Peer RSN IE */
1284 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1285
1286 ftie = (struct wpa_tdls_ftie *) pos;
1287 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1288 /* TODO: ftie->mic_control to set 2-RESPONSE */
1289 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1290 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1291 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1292 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1293 (u8 *) ftie, sizeof(*ftie));
1294
1295 pos = (u8 *) (ftie + 1);
1296
1297 #ifdef CONFIG_TDLS_TESTING
1298 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1299 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1300 "FTIE");
1301 ftie->ie_len += 170;
1302 *pos++ = 255; /* FTIE subelem */
1303 *pos++ = 168; /* FTIE subelem length */
1304 pos += 168;
1305 }
1306 #endif /* CONFIG_TDLS_TESTING */
1307
1308 /* Lifetime */
1309 lifetime = peer->lifetime;
1310 #ifdef CONFIG_TDLS_TESTING
1311 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1312 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1313 "lifetime in response");
1314 lifetime++;
1315 }
1316 #endif /* CONFIG_TDLS_TESTING */
1317 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1318 sizeof(timeoutie), lifetime);
1319 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1320 lifetime);
1321
1322 /* compute MIC before sending */
1323 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1324 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1325 #ifdef CONFIG_TDLS_TESTING
1326 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1327 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1328 ftie->mic[0] ^= 0x01;
1329 }
1330 #endif /* CONFIG_TDLS_TESTING */
1331
1332 skip_ies:
1333 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1334 dtoken, 0, 0, peer->initiator, rbuf,
1335 pos - rbuf);
1336 os_free(rbuf);
1337
1338 return status;
1339 }
1340
1341
wpa_tdls_send_tpk_m3(struct wpa_sm * sm,const unsigned char * src_addr,u8 dtoken,struct wpa_tdls_lnkid * lnkid,const struct wpa_tdls_peer * peer)1342 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1343 const unsigned char *src_addr, u8 dtoken,
1344 struct wpa_tdls_lnkid *lnkid,
1345 const struct wpa_tdls_peer *peer)
1346 {
1347 u8 *rbuf, *pos;
1348 size_t buf_len;
1349 struct wpa_tdls_ftie *ftie;
1350 struct wpa_tdls_timeoutie timeoutie;
1351 u32 lifetime;
1352 int status;
1353 u32 peer_capab = 0;
1354
1355 buf_len = 0;
1356 if (wpa_tdls_get_privacy(sm)) {
1357 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1358 * Lifetime */
1359 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1360 sizeof(struct wpa_tdls_timeoutie);
1361 #ifdef CONFIG_TDLS_TESTING
1362 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1363 buf_len += 170;
1364 #endif /* CONFIG_TDLS_TESTING */
1365 }
1366
1367 rbuf = os_zalloc(buf_len + 1);
1368 if (rbuf == NULL)
1369 return -1;
1370 pos = rbuf;
1371
1372 if (!wpa_tdls_get_privacy(sm))
1373 goto skip_ies;
1374
1375 /* Peer RSN IE */
1376 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1377
1378 ftie = (struct wpa_tdls_ftie *) pos;
1379 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1380 /*TODO: ftie->mic_control to set 3-CONFIRM */
1381 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1382 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1383 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1384
1385 pos = (u8 *) (ftie + 1);
1386
1387 #ifdef CONFIG_TDLS_TESTING
1388 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1389 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1390 "FTIE");
1391 ftie->ie_len += 170;
1392 *pos++ = 255; /* FTIE subelem */
1393 *pos++ = 168; /* FTIE subelem length */
1394 pos += 168;
1395 }
1396 #endif /* CONFIG_TDLS_TESTING */
1397
1398 /* Lifetime */
1399 lifetime = peer->lifetime;
1400 #ifdef CONFIG_TDLS_TESTING
1401 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1402 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1403 "lifetime in confirm");
1404 lifetime++;
1405 }
1406 #endif /* CONFIG_TDLS_TESTING */
1407 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1408 sizeof(timeoutie), lifetime);
1409 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1410 lifetime);
1411
1412 /* compute MIC before sending */
1413 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1414 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1415 #ifdef CONFIG_TDLS_TESTING
1416 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1417 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1418 ftie->mic[0] ^= 0x01;
1419 }
1420 #endif /* CONFIG_TDLS_TESTING */
1421
1422 skip_ies:
1423
1424 if (peer->he_capabilities)
1425 peer_capab |= TDLS_PEER_HE;
1426 if (peer->vht_capabilities)
1427 peer_capab |= TDLS_PEER_VHT;
1428 if (peer->ht_capabilities)
1429 peer_capab |= TDLS_PEER_HT;
1430 if (peer->wmm_capable)
1431 peer_capab |= TDLS_PEER_WMM;
1432
1433 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1434 dtoken, 0, peer_capab, peer->initiator,
1435 rbuf, pos - rbuf);
1436 os_free(rbuf);
1437
1438 return status;
1439 }
1440
1441
wpa_tdls_send_discovery_response(struct wpa_sm * sm,struct wpa_tdls_peer * peer,u8 dialog_token)1442 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1443 struct wpa_tdls_peer *peer,
1444 u8 dialog_token)
1445 {
1446 size_t buf_len = 0;
1447 struct wpa_tdls_timeoutie timeoutie;
1448 u16 rsn_capab;
1449 u8 *rbuf, *pos, *count_pos;
1450 u16 count;
1451 struct rsn_ie_hdr *hdr;
1452 int status;
1453
1454 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1455 "(peer " MACSTR ")", MAC2STR(peer->addr));
1456 if (!wpa_tdls_get_privacy(sm))
1457 goto skip_rsn_ies;
1458
1459 /* Filling RSN IE */
1460 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1461 hdr->elem_id = WLAN_EID_RSN;
1462 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1463 pos = (u8 *) (hdr + 1);
1464 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1465 pos += RSN_SELECTOR_LEN;
1466 count_pos = pos;
1467 pos += 2;
1468 count = 0;
1469
1470 /*
1471 * AES-CCMP is the default encryption preferred for TDLS, so
1472 * RSN IE is filled only with CCMP cipher suite.
1473 * Note: TKIP is not used to encrypt TDLS link.
1474 *
1475 * Regardless of the cipher used on the AP connection, select CCMP
1476 * here.
1477 */
1478 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1479 pos += RSN_SELECTOR_LEN;
1480 count++;
1481 WPA_PUT_LE16(count_pos, count);
1482 WPA_PUT_LE16(pos, 1);
1483 pos += 2;
1484 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1485 pos += RSN_SELECTOR_LEN;
1486
1487 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1488 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1489 WPA_PUT_LE16(pos, rsn_capab);
1490 pos += 2;
1491 hdr->len = (pos - (u8 *) hdr) - 2;
1492 peer->rsnie_i_len = pos - peer->rsnie_i;
1493
1494 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1495 (u8 *) hdr, hdr->len + 2);
1496 skip_rsn_ies:
1497 buf_len = 0;
1498 if (wpa_tdls_get_privacy(sm)) {
1499 /* Peer RSN IE, Lifetime */
1500 buf_len += peer->rsnie_i_len +
1501 sizeof(struct wpa_tdls_timeoutie);
1502 }
1503 rbuf = os_zalloc(buf_len + 1);
1504 if (rbuf == NULL) {
1505 wpa_tdls_peer_free(sm, peer);
1506 return -1;
1507 }
1508 pos = rbuf;
1509
1510 if (!wpa_tdls_get_privacy(sm))
1511 goto skip_ies;
1512 /* Initiator RSN IE */
1513 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1514 /* Lifetime */
1515 peer->lifetime = TPK_LIFETIME;
1516 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1517 sizeof(timeoutie), peer->lifetime);
1518 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1519 skip_ies:
1520 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1521 dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1522 os_free(rbuf);
1523
1524 return status;
1525 }
1526
1527
1528 static int
wpa_tdls_process_discovery_request(struct wpa_sm * sm,const u8 * addr,const u8 * buf,size_t len)1529 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1530 const u8 *buf, size_t len)
1531 {
1532 struct wpa_eapol_ie_parse kde;
1533 const struct wpa_tdls_lnkid *lnkid;
1534 struct wpa_tdls_peer *peer;
1535 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1536 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1537 u8 dialog_token;
1538
1539 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1540 MAC2STR(addr));
1541
1542 if (len < min_req_len) {
1543 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1544 "%d", (int) len);
1545 return -1;
1546 }
1547
1548 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1549
1550 /*
1551 * Some APs will tack on a weird IE to the end of a TDLS
1552 * discovery request packet. This needn't fail the response,
1553 * since the required IE are verified separately.
1554 */
1555 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1556 len - (sizeof(struct wpa_tdls_frame) + 1),
1557 &kde) < 0) {
1558 wpa_printf(MSG_DEBUG,
1559 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1560 }
1561
1562 if (!kde.lnkid) {
1563 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1564 "Request");
1565 return -1;
1566 }
1567
1568 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1569
1570 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1571 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1572 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1573 return -1;
1574 }
1575
1576 peer = wpa_tdls_add_peer(sm, addr, NULL);
1577 if (peer == NULL)
1578 return -1;
1579
1580 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1581 }
1582
1583
wpa_tdls_send_discovery_request(struct wpa_sm * sm,const u8 * addr)1584 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1585 {
1586 if (sm->tdls_disabled || !sm->tdls_supported)
1587 return -1;
1588
1589 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1590 MACSTR, MAC2STR(addr));
1591 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1592 1, 0, 0, 1, NULL, 0);
1593 }
1594
1595
copy_supp_rates(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1596 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1597 struct wpa_tdls_peer *peer)
1598 {
1599 if (!kde->supp_rates) {
1600 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1601 return -1;
1602 }
1603 peer->supp_rates_len = merge_byte_arrays(
1604 peer->supp_rates, sizeof(peer->supp_rates),
1605 kde->supp_rates + 2, kde->supp_rates_len - 2,
1606 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1607 kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0);
1608 return 0;
1609 }
1610
1611
copy_peer_ht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1612 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1613 struct wpa_tdls_peer *peer)
1614 {
1615 if (!kde->ht_capabilities) {
1616 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1617 "received");
1618 return 0;
1619 }
1620
1621 if (!peer->ht_capabilities) {
1622 peer->ht_capabilities =
1623 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1624 if (peer->ht_capabilities == NULL)
1625 return -1;
1626 }
1627
1628 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1629 sizeof(struct ieee80211_ht_capabilities));
1630 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1631 (u8 *) peer->ht_capabilities,
1632 sizeof(struct ieee80211_ht_capabilities));
1633
1634 return 0;
1635 }
1636
1637
copy_peer_vht_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1638 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1639 struct wpa_tdls_peer *peer)
1640 {
1641 if (!kde->vht_capabilities) {
1642 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1643 "received");
1644 return 0;
1645 }
1646
1647 if (!peer->vht_capabilities) {
1648 peer->vht_capabilities =
1649 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1650 if (peer->vht_capabilities == NULL)
1651 return -1;
1652 }
1653
1654 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1655 sizeof(struct ieee80211_vht_capabilities));
1656 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1657 (u8 *) peer->vht_capabilities,
1658 sizeof(struct ieee80211_vht_capabilities));
1659
1660 return 0;
1661 }
1662
1663
copy_peer_he_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1664 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde,
1665 struct wpa_tdls_peer *peer)
1666 {
1667 if (!kde->he_capabilities) {
1668 wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received");
1669 return 0;
1670 }
1671
1672 os_free(peer->he_capabilities);
1673 peer->he_capab_len = 0;
1674 peer->he_capabilities = os_memdup(kde->he_capabilities,
1675 kde->he_capab_len);
1676 if (!peer->he_capabilities)
1677 return -1;
1678
1679 peer->he_capab_len = kde->he_capab_len;
1680 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities",
1681 peer->he_capabilities, peer->he_capab_len);
1682
1683 return 0;
1684 }
1685
1686
copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1687 static int copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse *kde,
1688 struct wpa_tdls_peer *peer)
1689 {
1690 if (!kde->he_6ghz_capabilities) {
1691 wpa_printf(MSG_DEBUG,
1692 "TDLS: No HE 6 GHz band capabilities received");
1693 return 0;
1694 }
1695
1696 if (!peer->he_6ghz_band_capabilities) {
1697 peer->he_6ghz_band_capabilities =
1698 os_zalloc(sizeof(struct ieee80211_he_6ghz_band_cap));
1699 if (peer->he_6ghz_band_capabilities == NULL)
1700 return -1;
1701 }
1702
1703 os_memcpy(peer->he_6ghz_band_capabilities, kde->he_6ghz_capabilities,
1704 sizeof(struct ieee80211_he_6ghz_band_cap));
1705
1706 wpa_hexdump(MSG_DEBUG, "TDLS: Peer 6 GHz band HE capabilities",
1707 peer->he_6ghz_band_capabilities,
1708 sizeof(struct ieee80211_he_6ghz_band_cap));
1709
1710 return 0;
1711 }
1712
1713
copy_peer_ext_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1714 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1715 struct wpa_tdls_peer *peer)
1716 {
1717 if (!kde->ext_capab) {
1718 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1719 "received");
1720 return 0;
1721 }
1722
1723 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1724 /* Need to allocate buffer to fit the new information */
1725 os_free(peer->ext_capab);
1726 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1727 if (peer->ext_capab == NULL)
1728 return -1;
1729 }
1730
1731 peer->ext_capab_len = kde->ext_capab_len - 2;
1732 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1733
1734 return 0;
1735 }
1736
1737
copy_peer_wmm_capab(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1738 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1739 struct wpa_tdls_peer *peer)
1740 {
1741 struct wmm_information_element *wmm;
1742
1743 if (!kde->wmm) {
1744 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1745 return 0;
1746 }
1747
1748 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1749 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1750 return -1;
1751 }
1752
1753 wmm = (struct wmm_information_element *) kde->wmm;
1754 peer->qos_info = wmm->qos_info;
1755
1756 peer->wmm_capable = 1;
1757
1758 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1759 return 0;
1760 }
1761
1762
copy_peer_supp_channels(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1763 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1764 struct wpa_tdls_peer *peer)
1765 {
1766 if (!kde->supp_channels) {
1767 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1768 return 0;
1769 }
1770
1771 if (!peer->supp_channels ||
1772 peer->supp_channels_len < kde->supp_channels_len) {
1773 os_free(peer->supp_channels);
1774 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1775 if (peer->supp_channels == NULL)
1776 return -1;
1777 }
1778
1779 peer->supp_channels_len = kde->supp_channels_len;
1780
1781 os_memcpy(peer->supp_channels, kde->supp_channels,
1782 peer->supp_channels_len);
1783 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1784 (u8 *) peer->supp_channels, peer->supp_channels_len);
1785 return 0;
1786 }
1787
1788
copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse * kde,struct wpa_tdls_peer * peer)1789 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1790 struct wpa_tdls_peer *peer)
1791 {
1792 if (!kde->supp_oper_classes) {
1793 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1794 return 0;
1795 }
1796
1797 if (!peer->supp_oper_classes ||
1798 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1799 os_free(peer->supp_oper_classes);
1800 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1801 if (peer->supp_oper_classes == NULL)
1802 return -1;
1803 }
1804
1805 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1806 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1807 peer->supp_oper_classes_len);
1808 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1809 (u8 *) peer->supp_oper_classes,
1810 peer->supp_oper_classes_len);
1811 return 0;
1812 }
1813
1814
wpa_tdls_addset_peer(struct wpa_sm * sm,struct wpa_tdls_peer * peer,int add)1815 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1816 int add)
1817 {
1818 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1819 peer->capability,
1820 peer->supp_rates, peer->supp_rates_len,
1821 peer->ht_capabilities,
1822 peer->vht_capabilities,
1823 peer->he_capabilities,
1824 peer->he_capab_len,
1825 peer->he_6ghz_band_capabilities,
1826 peer->qos_info, peer->wmm_capable,
1827 peer->ext_capab, peer->ext_capab_len,
1828 peer->supp_channels,
1829 peer->supp_channels_len,
1830 peer->supp_oper_classes,
1831 peer->supp_oper_classes_len);
1832 }
1833
1834
tdls_nonce_set(const u8 * nonce)1835 static int tdls_nonce_set(const u8 *nonce)
1836 {
1837 int i;
1838
1839 for (i = 0; i < WPA_NONCE_LEN; i++) {
1840 if (nonce[i])
1841 return 1;
1842 }
1843
1844 return 0;
1845 }
1846
1847
wpa_tdls_process_tpk_m1(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)1848 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1849 const u8 *buf, size_t len)
1850 {
1851 struct wpa_tdls_peer *peer;
1852 struct wpa_eapol_ie_parse kde;
1853 struct wpa_ie_data ie;
1854 int cipher;
1855 const u8 *cpos;
1856 struct wpa_tdls_ftie *ftie = NULL;
1857 struct wpa_tdls_timeoutie *timeoutie;
1858 struct wpa_tdls_lnkid *lnkid;
1859 u32 lifetime = 0;
1860 #if 0
1861 struct rsn_ie_hdr *hdr;
1862 u8 *pos;
1863 u16 rsn_capab;
1864 u16 rsn_ver;
1865 #endif
1866 u8 dtoken;
1867 u16 ielen;
1868 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1869 int tdls_prohibited = sm->tdls_prohibited;
1870 int existing_peer = 0;
1871
1872 if (len < 3 + 3)
1873 return -1;
1874
1875 cpos = buf;
1876 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1877
1878 /* driver had already verified the frame format */
1879 dtoken = *cpos++; /* dialog token */
1880
1881 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1882
1883 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1884 if (peer == NULL)
1885 goto error;
1886
1887 /* If found, use existing entry instead of adding a new one;
1888 * how to handle the case where both ends initiate at the
1889 * same time? */
1890 if (existing_peer) {
1891 if (peer->tpk_success) {
1892 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1893 "direct link is enabled - tear down the "
1894 "old link first");
1895 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1896 wpa_tdls_peer_clear(sm, peer);
1897 } else if (peer->initiator) {
1898 /*
1899 * An entry is already present, so check if we already
1900 * sent a TDLS Setup Request. If so, compare MAC
1901 * addresses and let the STA with the lower MAC address
1902 * continue as the initiator. The other negotiation is
1903 * terminated.
1904 */
1905 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1906 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1907 "from peer with higher address "
1908 MACSTR, MAC2STR(src_addr));
1909 return -1;
1910 } else {
1911 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1912 "from peer with lower address "
1913 MACSTR " (terminate previously "
1914 "initiated negotiation",
1915 MAC2STR(src_addr));
1916 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1917 peer->addr);
1918 wpa_tdls_peer_clear(sm, peer);
1919 }
1920 }
1921 }
1922
1923 /* capability information */
1924 peer->capability = WPA_GET_LE16(cpos);
1925 cpos += 2;
1926
1927 ielen = len - (cpos - buf); /* start of IE in buf */
1928
1929 /*
1930 * Don't reject the message if failing to parse IEs. The IEs we need are
1931 * explicitly checked below. Some APs may add arbitrary padding to the
1932 * end of short TDLS frames and that would look like invalid IEs.
1933 */
1934 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1935 wpa_printf(MSG_DEBUG,
1936 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1937
1938 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1939 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1940 "TPK M1");
1941 goto error;
1942 }
1943 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1944 kde.lnkid, kde.lnkid_len);
1945 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1946 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1947 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1948 status = WLAN_STATUS_REQUEST_DECLINED;
1949 goto error;
1950 }
1951
1952 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1953 MAC2STR(src_addr));
1954
1955 if (copy_supp_rates(&kde, peer) < 0)
1956 goto error;
1957
1958 if (copy_peer_ht_capab(&kde, peer) < 0)
1959 goto error;
1960
1961 if (copy_peer_vht_capab(&kde, peer) < 0 ||
1962 copy_peer_he_capab(&kde, peer) < 0 ||
1963 copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
1964 goto error;
1965
1966 if (copy_peer_ext_capab(&kde, peer) < 0)
1967 goto error;
1968
1969 if (copy_peer_supp_channels(&kde, peer) < 0)
1970 goto error;
1971
1972 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1973 goto error;
1974
1975 peer->qos_info = kde.qosinfo;
1976
1977 /* Overwrite with the qos_info obtained in WMM IE */
1978 if (copy_peer_wmm_capab(&kde, peer) < 0)
1979 goto error;
1980
1981 peer->aid = kde.aid;
1982
1983 #ifdef CONFIG_TDLS_TESTING
1984 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1985 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1986 if (peer == NULL)
1987 goto error;
1988 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1989 "TDLS setup - send own request");
1990 peer->initiator = 1;
1991 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1992 NULL, NULL, 0, NULL, 0, 0, NULL, 0,
1993 NULL, 0, NULL, 0);
1994 if (wpa_tdls_send_tpk_m1(sm, peer) == -2) {
1995 peer = NULL;
1996 goto error;
1997 }
1998 }
1999
2000 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2001 tdls_prohibited) {
2002 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2003 "on TDLS");
2004 tdls_prohibited = 0;
2005 }
2006 #endif /* CONFIG_TDLS_TESTING */
2007
2008 if (tdls_prohibited) {
2009 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
2010 status = WLAN_STATUS_REQUEST_DECLINED;
2011 goto error;
2012 }
2013
2014 if (!wpa_tdls_get_privacy(sm)) {
2015 if (kde.rsn_ie) {
2016 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
2017 "security is disabled");
2018 status = WLAN_STATUS_SECURITY_DISABLED;
2019 goto error;
2020 }
2021 goto skip_rsn;
2022 }
2023
2024 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2025 kde.rsn_ie == NULL) {
2026 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
2027 status = WLAN_STATUS_INVALID_PARAMETERS;
2028 goto error;
2029 }
2030
2031 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2032 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
2033 "TPK M1");
2034 status = WLAN_STATUS_INVALID_RSNIE;
2035 goto error;
2036 }
2037
2038 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2039 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
2040 status = WLAN_STATUS_INVALID_RSNIE;
2041 goto error;
2042 }
2043
2044 cipher = ie.pairwise_cipher;
2045 if (cipher & WPA_CIPHER_CCMP) {
2046 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2047 cipher = WPA_CIPHER_CCMP;
2048 } else {
2049 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
2050 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2051 goto error;
2052 }
2053
2054 if ((ie.capabilities &
2055 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
2056 WPA_CAPABILITY_PEERKEY_ENABLED) {
2057 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
2058 "TPK M1");
2059 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
2060 goto error;
2061 }
2062
2063 /* Lifetime */
2064 if (kde.key_lifetime == NULL) {
2065 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
2066 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2067 goto error;
2068 }
2069 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2070 lifetime = WPA_GET_LE32(timeoutie->value);
2071 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
2072 if (lifetime < 300) {
2073 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2074 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2075 goto error;
2076 }
2077
2078 skip_rsn:
2079 #ifdef CONFIG_TDLS_TESTING
2080 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2081 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2082 /*
2083 * The request frame from us is going to win, so do not
2084 * replace information based on this request frame from
2085 * the peer.
2086 */
2087 goto skip_rsn_check;
2088 }
2089 }
2090 #endif /* CONFIG_TDLS_TESTING */
2091
2092 peer->initiator = 0; /* Need to check */
2093 peer->dtoken = dtoken;
2094
2095 if (!wpa_tdls_get_privacy(sm)) {
2096 peer->rsnie_i_len = 0;
2097 peer->rsnie_p_len = 0;
2098 peer->cipher = WPA_CIPHER_NONE;
2099 goto skip_rsn_check;
2100 }
2101
2102 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2103 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2104 peer->rsnie_i_len = kde.rsn_ie_len;
2105 peer->cipher = cipher;
2106
2107 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2108 !tdls_nonce_set(peer->inonce)) {
2109 /*
2110 * There is no point in updating the RNonce for every obtained
2111 * TPK M1 frame (e.g., retransmission due to timeout) with the
2112 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2113 * retransmitted with a different INonce, update the RNonce
2114 * since this is for a new TDLS session.
2115 */
2116 wpa_printf(MSG_DEBUG,
2117 "TDLS: New TPK M1 INonce - generate new RNonce");
2118 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2119 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2120 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2121 "TDLS: Failed to get random data for responder nonce");
2122 goto error;
2123 }
2124 peer->tk_set = 0; /* A new nonce results in a new TK */
2125 }
2126
2127 #if 0
2128 /* get version info from RSNIE received from Peer */
2129 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2130 rsn_ver = WPA_GET_LE16(hdr->version);
2131
2132 /* use min(peer's version, out version) */
2133 if (rsn_ver > RSN_VERSION)
2134 rsn_ver = RSN_VERSION;
2135
2136 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2137
2138 hdr->elem_id = WLAN_EID_RSN;
2139 WPA_PUT_LE16(hdr->version, rsn_ver);
2140 pos = (u8 *) (hdr + 1);
2141
2142 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2143 pos += RSN_SELECTOR_LEN;
2144 /* Include only the selected cipher in pairwise cipher suite */
2145 WPA_PUT_LE16(pos, 1);
2146 pos += 2;
2147 if (cipher == WPA_CIPHER_CCMP)
2148 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2149 pos += RSN_SELECTOR_LEN;
2150
2151 WPA_PUT_LE16(pos, 1);
2152 pos += 2;
2153 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2154 pos += RSN_SELECTOR_LEN;
2155
2156 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2157 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2158 WPA_PUT_LE16(pos, rsn_capab);
2159 pos += 2;
2160
2161 hdr->len = (pos - peer->rsnie_p) - 2;
2162 peer->rsnie_p_len = pos - peer->rsnie_p;
2163 #endif
2164
2165 /* temp fix: validation of RSNIE later */
2166 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2167 peer->rsnie_p_len = peer->rsnie_i_len;
2168
2169 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2170 peer->rsnie_p, peer->rsnie_p_len);
2171
2172 peer->lifetime = lifetime;
2173
2174 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2175
2176 skip_rsn_check:
2177 #ifdef CONFIG_TDLS_TESTING
2178 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2179 goto skip_add_peer;
2180 #endif /* CONFIG_TDLS_TESTING */
2181
2182 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2183 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2184 goto error;
2185
2186 #ifdef CONFIG_TDLS_TESTING
2187 skip_add_peer:
2188 #endif /* CONFIG_TDLS_TESTING */
2189 peer->tpk_in_progress = 1;
2190
2191 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2192 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2193 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2194 goto error;
2195 }
2196
2197 #ifdef CONFIG_TDLS_TESTING
2198 if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) {
2199 wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2");
2200 wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer);
2201 }
2202 #endif /* CONFIG_TDLS_TESTING */
2203
2204 return 0;
2205
2206 error:
2207 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2208 status);
2209 if (peer)
2210 wpa_tdls_peer_free(sm, peer);
2211 return -1;
2212 }
2213
2214
wpa_tdls_enable_link(struct wpa_sm * sm,struct wpa_tdls_peer * peer)2215 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2216 {
2217 peer->tpk_success = 1;
2218 peer->tpk_in_progress = 0;
2219 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2220 if (wpa_tdls_get_privacy(sm)) {
2221 u32 lifetime = peer->lifetime;
2222 /*
2223 * Start the initiator process a bit earlier to avoid race
2224 * condition with the responder sending teardown request.
2225 */
2226 if (lifetime > 3 && peer->initiator)
2227 lifetime -= 3;
2228 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2229 sm, peer);
2230 #ifdef CONFIG_TDLS_TESTING
2231 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2232 wpa_printf(MSG_DEBUG,
2233 "TDLS: Testing - disable TPK expiration");
2234 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2235 }
2236 #endif /* CONFIG_TDLS_TESTING */
2237 }
2238
2239 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2240 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2241 "driver");
2242 return -1;
2243 }
2244 peer->reconfig_key = 0;
2245
2246 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2247 }
2248
2249
wpa_tdls_process_tpk_m2(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2250 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2251 const u8 *buf, size_t len)
2252 {
2253 struct wpa_tdls_peer *peer;
2254 struct wpa_eapol_ie_parse kde;
2255 struct wpa_ie_data ie;
2256 int cipher;
2257 struct wpa_tdls_ftie *ftie;
2258 struct wpa_tdls_timeoutie *timeoutie;
2259 struct wpa_tdls_lnkid *lnkid;
2260 u32 lifetime;
2261 u8 dtoken;
2262 int ielen;
2263 u16 status;
2264 const u8 *pos;
2265 int ret = 0;
2266
2267 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2268 "(Peer " MACSTR ")", MAC2STR(src_addr));
2269 for (peer = sm->tdls; peer; peer = peer->next) {
2270 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2271 break;
2272 }
2273 if (peer == NULL) {
2274 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2275 "TPK M2: " MACSTR, MAC2STR(src_addr));
2276 return -1;
2277 }
2278 if (!peer->initiator) {
2279 /*
2280 * This may happen if both devices try to initiate TDLS at the
2281 * same time and we accept the TPK M1 from the peer in
2282 * wpa_tdls_process_tpk_m1() and clear our previous state.
2283 */
2284 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2285 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2286 return -1;
2287 }
2288
2289 if (peer->tpk_success) {
2290 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2291 MACSTR " as TPK M3 was already sent",
2292 MAC2STR(src_addr));
2293 return 0;
2294 }
2295
2296 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2297
2298 if (len < 3 + 2 + 1) {
2299 wpa_tdls_disable_peer_link(sm, peer);
2300 return -1;
2301 }
2302
2303 pos = buf;
2304 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2305 status = WPA_GET_LE16(pos);
2306 pos += 2 /* status code */;
2307
2308 if (status != WLAN_STATUS_SUCCESS) {
2309 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2310 status);
2311 wpa_tdls_disable_peer_link(sm, peer);
2312 return -1;
2313 }
2314
2315 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2316
2317 /* TODO: need to verify dialog token matches here or in kernel */
2318 dtoken = *pos++; /* dialog token */
2319
2320 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2321
2322 if (len < 3 + 2 + 1 + 2) {
2323 wpa_tdls_disable_peer_link(sm, peer);
2324 return -1;
2325 }
2326
2327 /* capability information */
2328 peer->capability = WPA_GET_LE16(pos);
2329 pos += 2;
2330
2331 ielen = len - (pos - buf); /* start of IE in buf */
2332
2333 /*
2334 * Don't reject the message if failing to parse IEs. The IEs we need are
2335 * explicitly checked below. Some APs may add arbitrary padding to the
2336 * end of short TDLS frames and that would look like invalid IEs.
2337 */
2338 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2339 wpa_printf(MSG_DEBUG,
2340 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2341
2342 #ifdef CONFIG_TDLS_TESTING
2343 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2344 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2345 status = WLAN_STATUS_REQUEST_DECLINED;
2346 goto error;
2347 }
2348 #endif /* CONFIG_TDLS_TESTING */
2349
2350 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2351 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2352 "TPK M2");
2353 goto error;
2354 }
2355 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2356 kde.lnkid, kde.lnkid_len);
2357 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2358
2359 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2360 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2361 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2362 goto error;
2363 }
2364
2365 if (copy_supp_rates(&kde, peer) < 0)
2366 goto error;
2367
2368 if (copy_peer_ht_capab(&kde, peer) < 0)
2369 goto error;
2370
2371 if (copy_peer_vht_capab(&kde, peer) < 0 ||
2372 copy_peer_he_capab(&kde, peer) < 0 ||
2373 copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
2374 goto error;
2375
2376 if (copy_peer_ext_capab(&kde, peer) < 0)
2377 goto error;
2378
2379 if (copy_peer_supp_channels(&kde, peer) < 0)
2380 goto error;
2381
2382 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2383 goto error;
2384
2385 peer->qos_info = kde.qosinfo;
2386
2387 /* Overwrite with the qos_info obtained in WMM IE */
2388 if (copy_peer_wmm_capab(&kde, peer) < 0)
2389 goto error;
2390
2391 peer->aid = kde.aid;
2392
2393 if (!wpa_tdls_get_privacy(sm)) {
2394 peer->rsnie_p_len = 0;
2395 peer->cipher = WPA_CIPHER_NONE;
2396 goto skip_rsn;
2397 }
2398
2399 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2400 kde.rsn_ie == NULL) {
2401 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2402 status = WLAN_STATUS_INVALID_PARAMETERS;
2403 goto error;
2404 }
2405 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2406 kde.rsn_ie, kde.rsn_ie_len);
2407
2408 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2409 wpa_printf(MSG_INFO,
2410 "TDLS: Too long Responder RSN IE in TPK M2");
2411 status = WLAN_STATUS_INVALID_RSNIE;
2412 goto error;
2413 }
2414
2415 /*
2416 * FIX: bitwise comparison of RSN IE is not the correct way of
2417 * validation this. It can be different, but certain fields must
2418 * match. Since we list only a single pairwise cipher in TPK M1, the
2419 * memcmp is likely to work in most cases, though.
2420 */
2421 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2422 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2423 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2424 "not match with RSN IE used in TPK M1");
2425 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2426 peer->rsnie_i, peer->rsnie_i_len);
2427 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2428 kde.rsn_ie, kde.rsn_ie_len);
2429 status = WLAN_STATUS_INVALID_RSNIE;
2430 goto error;
2431 }
2432
2433 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2434 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2435 status = WLAN_STATUS_INVALID_RSNIE;
2436 goto error;
2437 }
2438
2439 cipher = ie.pairwise_cipher;
2440 if (cipher == WPA_CIPHER_CCMP) {
2441 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2442 cipher = WPA_CIPHER_CCMP;
2443 } else {
2444 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2445 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2446 goto error;
2447 }
2448
2449 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2450 kde.ftie, sizeof(*ftie));
2451 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2452
2453 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2454 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2455 "not match with FTIE SNonce used in TPK M1");
2456 /* Silently discard the frame */
2457 return -1;
2458 }
2459
2460 /* Responder Nonce and RSN IE */
2461 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2462 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2463 peer->rsnie_p_len = kde.rsn_ie_len;
2464 peer->cipher = cipher;
2465
2466 /* Lifetime */
2467 if (kde.key_lifetime == NULL) {
2468 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2469 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2470 goto error;
2471 }
2472 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2473 lifetime = WPA_GET_LE32(timeoutie->value);
2474 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2475 lifetime);
2476 if (lifetime != peer->lifetime) {
2477 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2478 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2479 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2480 goto error;
2481 }
2482
2483 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2484
2485 /* Process MIC check to see if TPK M2 is right */
2486 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2487 (u8 *) timeoutie, ftie) < 0) {
2488 /* Discard the frame */
2489 wpa_tdls_del_key(sm, peer);
2490 wpa_tdls_disable_peer_link(sm, peer);
2491 return -1;
2492 }
2493
2494 if (wpa_tdls_set_key(sm, peer) < 0) {
2495 /*
2496 * Some drivers may not be able to config the key prior to full
2497 * STA entry having been configured.
2498 */
2499 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2500 "STA entry is complete");
2501 peer->reconfig_key = 1;
2502 }
2503
2504 skip_rsn:
2505 peer->dtoken = dtoken;
2506
2507 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2508 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2509 goto error;
2510
2511 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2512 "TPK Handshake Message 3");
2513 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2514 goto error_no_msg;
2515
2516 if (!peer->tpk_success) {
2517 /*
2518 * Enable Link only when tpk_success is 0, signifying that this
2519 * processing of TPK M2 frame is not because of a retransmission
2520 * during TDLS setup handshake.
2521 */
2522 ret = wpa_tdls_enable_link(sm, peer);
2523 if (ret < 0) {
2524 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2525 wpa_tdls_do_teardown(
2526 sm, peer,
2527 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2528 }
2529 }
2530 return ret;
2531
2532 error:
2533 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2534 status);
2535 error_no_msg:
2536 wpa_tdls_disable_peer_link(sm, peer);
2537 return -1;
2538 }
2539
2540
wpa_tdls_process_tpk_m3(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2541 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2542 const u8 *buf, size_t len)
2543 {
2544 struct wpa_tdls_peer *peer;
2545 struct wpa_eapol_ie_parse kde;
2546 struct wpa_tdls_ftie *ftie;
2547 struct wpa_tdls_timeoutie *timeoutie;
2548 struct wpa_tdls_lnkid *lnkid;
2549 int ielen;
2550 u16 status;
2551 const u8 *pos;
2552 u32 lifetime;
2553 int ret = 0;
2554
2555 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2556 "(Peer " MACSTR ")", MAC2STR(src_addr));
2557 for (peer = sm->tdls; peer; peer = peer->next) {
2558 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2559 break;
2560 }
2561 if (peer == NULL) {
2562 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2563 "TPK M3: " MACSTR, MAC2STR(src_addr));
2564 return -1;
2565 }
2566 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2567
2568 if (len < 3 + 3)
2569 goto error;
2570 pos = buf;
2571 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2572
2573 status = WPA_GET_LE16(pos);
2574
2575 if (status != 0) {
2576 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2577 status);
2578 goto error;
2579 }
2580 pos += 2 /* status code */ + 1 /* dialog token */;
2581
2582 ielen = len - (pos - buf); /* start of IE in buf */
2583
2584 /*
2585 * Don't reject the message if failing to parse IEs. The IEs we need are
2586 * explicitly checked below. Some APs piggy-back broken IEs to the end
2587 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2588 * this error.
2589 */
2590 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2591 wpa_printf(MSG_DEBUG,
2592 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2593 }
2594
2595 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2596 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2597 goto error;
2598 }
2599 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2600 (u8 *) kde.lnkid, kde.lnkid_len);
2601 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2602
2603 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2604 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2605 goto error;
2606 }
2607
2608 if (!wpa_tdls_get_privacy(sm))
2609 goto skip_rsn;
2610
2611 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2612 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2613 goto error;
2614 }
2615 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2616 kde.ftie, sizeof(*ftie));
2617 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2618
2619 if (kde.rsn_ie == NULL) {
2620 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2621 goto error;
2622 }
2623 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2624 kde.rsn_ie, kde.rsn_ie_len);
2625 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2626 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2627 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2628 "with the one sent in TPK M2");
2629 goto error;
2630 }
2631
2632 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2633 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2634 "not match with FTIE ANonce used in TPK M2");
2635 goto error;
2636 }
2637
2638 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2639 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2640 "match with FTIE SNonce used in TPK M1");
2641 goto error;
2642 }
2643
2644 if (kde.key_lifetime == NULL) {
2645 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2646 goto error;
2647 }
2648 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2649 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2650 (u8 *) timeoutie, sizeof(*timeoutie));
2651 lifetime = WPA_GET_LE32(timeoutie->value);
2652 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2653 lifetime);
2654 if (lifetime != peer->lifetime) {
2655 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2656 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2657 goto error;
2658 }
2659
2660 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2661 (u8 *) timeoutie, ftie) < 0) {
2662 wpa_tdls_del_key(sm, peer);
2663 goto error;
2664 }
2665
2666 if (wpa_tdls_set_key(sm, peer) < 0) {
2667 /*
2668 * Some drivers may not be able to config the key prior to full
2669 * STA entry having been configured.
2670 */
2671 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2672 "STA entry is complete");
2673 peer->reconfig_key = 1;
2674 }
2675
2676 skip_rsn:
2677 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2678 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2679 goto error;
2680
2681 if (!peer->tpk_success) {
2682 /*
2683 * Enable Link only when tpk_success is 0, signifying that this
2684 * processing of TPK M3 frame is not because of a retransmission
2685 * during TDLS setup handshake.
2686 */
2687 ret = wpa_tdls_enable_link(sm, peer);
2688 if (ret < 0) {
2689 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2690 goto error;
2691 }
2692 }
2693 return ret;
2694 error:
2695 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2696 return -1;
2697 }
2698
2699
wpa_add_tdls_timeoutie(u8 * pos,u8 * ie,size_t ie_len,u32 tsecs)2700 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2701 {
2702 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2703
2704 os_memset(lifetime, 0, ie_len);
2705 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2706 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2707 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2708 WPA_PUT_LE32(lifetime->value, tsecs);
2709 os_memcpy(pos, ie, ie_len);
2710 return pos + ie_len;
2711 }
2712
2713
2714 /**
2715 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2716 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2717 * @peer: MAC address of the peer STA
2718 * Returns: 0 on success, or -1 on failure
2719 *
2720 * Send TPK Handshake Message 1 info to driver to start TDLS
2721 * handshake with the peer.
2722 */
wpa_tdls_start(struct wpa_sm * sm,const u8 * addr)2723 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2724 {
2725 struct wpa_tdls_peer *peer;
2726 int tdls_prohibited = sm->tdls_prohibited;
2727 int res;
2728
2729 if (sm->tdls_disabled || !sm->tdls_supported)
2730 return -1;
2731
2732 #ifdef CONFIG_TDLS_TESTING
2733 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2734 tdls_prohibited) {
2735 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2736 "on TDLS");
2737 tdls_prohibited = 0;
2738 }
2739 #endif /* CONFIG_TDLS_TESTING */
2740
2741 if (tdls_prohibited) {
2742 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2743 "reject request to start setup");
2744 return -1;
2745 }
2746
2747 peer = wpa_tdls_add_peer(sm, addr, NULL);
2748 if (peer == NULL)
2749 return -1;
2750
2751 if (peer->tpk_in_progress) {
2752 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2753 return 0;
2754 }
2755
2756 peer->initiator = 1;
2757
2758 /* add the peer to the driver as a "setup in progress" peer */
2759 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2760 NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0,
2761 NULL, 0)) {
2762 wpa_tdls_disable_peer_link(sm, peer);
2763 return -1;
2764 }
2765
2766 peer->tpk_in_progress = 1;
2767
2768 res = wpa_tdls_send_tpk_m1(sm, peer);
2769 if (res < 0) {
2770 if (res != -2)
2771 wpa_tdls_disable_peer_link(sm, peer);
2772 return -1;
2773 }
2774
2775 return 0;
2776 }
2777
2778
wpa_tdls_remove(struct wpa_sm * sm,const u8 * addr)2779 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2780 {
2781 struct wpa_tdls_peer *peer;
2782
2783 if (sm->tdls_disabled || !sm->tdls_supported)
2784 return;
2785
2786 for (peer = sm->tdls; peer; peer = peer->next) {
2787 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2788 break;
2789 }
2790
2791 if (peer == NULL || !peer->tpk_success)
2792 return;
2793
2794 if (sm->tdls_external_setup) {
2795 /*
2796 * Disable previous link to allow renegotiation to be completed
2797 * on AP path.
2798 */
2799 wpa_tdls_do_teardown(sm, peer,
2800 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2801 }
2802 }
2803
2804
2805 /**
2806 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2807 *
2808 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2809 */
wpa_supplicant_rx_tdls(void * ctx,const u8 * src_addr,const u8 * buf,size_t len)2810 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2811 const u8 *buf, size_t len)
2812 {
2813 struct wpa_sm *sm = ctx;
2814 struct wpa_tdls_frame *tf;
2815
2816 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2817 buf, len);
2818
2819 if (sm->tdls_disabled || !sm->tdls_supported) {
2820 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2821 "or unsupported by driver");
2822 return;
2823 }
2824
2825 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2826 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2827 return;
2828 }
2829
2830 if (len < sizeof(*tf)) {
2831 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2832 return;
2833 }
2834
2835 /* Check to make sure its a valid encapsulated TDLS frame */
2836 tf = (struct wpa_tdls_frame *) buf;
2837 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2838 tf->category != WLAN_ACTION_TDLS) {
2839 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2840 "category=%u action=%u",
2841 tf->payloadtype, tf->category, tf->action);
2842 return;
2843 }
2844
2845 switch (tf->action) {
2846 case WLAN_TDLS_SETUP_REQUEST:
2847 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2848 break;
2849 case WLAN_TDLS_SETUP_RESPONSE:
2850 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2851 break;
2852 case WLAN_TDLS_SETUP_CONFIRM:
2853 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2854 break;
2855 case WLAN_TDLS_TEARDOWN:
2856 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2857 break;
2858 case WLAN_TDLS_DISCOVERY_REQUEST:
2859 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2860 break;
2861 default:
2862 /* Kernel code will process remaining frames */
2863 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2864 tf->action);
2865 break;
2866 }
2867 }
2868
2869
2870 /**
2871 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2872 * @wpa_s: Pointer to wpa_supplicant data
2873 * Returns: 0 on success, -1 on failure
2874 *
2875 * This function is called to initialize driver interface parameters for TDLS.
2876 * wpa_drv_init() must have been called before this function to initialize the
2877 * driver interface.
2878 */
wpa_tdls_init(struct wpa_sm * sm)2879 int wpa_tdls_init(struct wpa_sm *sm)
2880 {
2881 if (sm == NULL)
2882 return -1;
2883
2884 if (sm->l2_tdls) {
2885 l2_packet_deinit(sm->l2_tdls);
2886 sm->l2_tdls = NULL;
2887 }
2888
2889 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2890 sm->ifname,
2891 sm->own_addr,
2892 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2893 sm, 0);
2894 if (sm->l2_tdls == NULL) {
2895 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2896 "connection");
2897 return -1;
2898 }
2899
2900 /*
2901 * Drivers that support TDLS but don't implement the get_capa callback
2902 * are assumed to perform everything internally
2903 */
2904 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2905 &sm->tdls_external_setup,
2906 &sm->tdls_chan_switch) < 0) {
2907 sm->tdls_supported = 1;
2908 sm->tdls_external_setup = 0;
2909 }
2910
2911 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2912 "driver", sm->tdls_supported ? "" : " not");
2913 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2914 sm->tdls_external_setup ? "external" : "internal");
2915 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
2916 sm->tdls_chan_switch ? "supports" : "does not support");
2917
2918 return 0;
2919 }
2920
2921
wpa_tdls_teardown_peers(struct wpa_sm * sm)2922 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2923 {
2924 struct wpa_tdls_peer *peer, *tmp;
2925
2926 if (!sm)
2927 return;
2928 peer = sm->tdls;
2929
2930 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2931
2932 while (peer) {
2933 tmp = peer->next;
2934 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2935 MAC2STR(peer->addr));
2936 if (sm->tdls_external_setup)
2937 wpa_tdls_do_teardown(sm, peer,
2938 WLAN_REASON_DEAUTH_LEAVING);
2939 else
2940 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2941
2942 peer = tmp;
2943 }
2944 }
2945
2946
wpa_tdls_remove_peers(struct wpa_sm * sm)2947 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2948 {
2949 struct wpa_tdls_peer *peer, *tmp;
2950
2951 peer = sm->tdls;
2952
2953 while (peer) {
2954 int res;
2955 tmp = peer->next;
2956 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2957 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2958 MAC2STR(peer->addr), res);
2959 wpa_tdls_peer_free(sm, peer);
2960 peer = tmp;
2961 }
2962 }
2963
2964
2965 /**
2966 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2967 *
2968 * This function is called to recover driver interface parameters for TDLS
2969 * and frees resources allocated for it.
2970 */
wpa_tdls_deinit(struct wpa_sm * sm)2971 void wpa_tdls_deinit(struct wpa_sm *sm)
2972 {
2973 if (sm == NULL)
2974 return;
2975
2976 if (sm->l2_tdls)
2977 l2_packet_deinit(sm->l2_tdls);
2978 sm->l2_tdls = NULL;
2979
2980 wpa_tdls_remove_peers(sm);
2981 }
2982
2983
wpa_tdls_assoc(struct wpa_sm * sm)2984 void wpa_tdls_assoc(struct wpa_sm *sm)
2985 {
2986 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2987 wpa_tdls_remove_peers(sm);
2988 }
2989
2990
wpa_tdls_disassoc(struct wpa_sm * sm)2991 void wpa_tdls_disassoc(struct wpa_sm *sm)
2992 {
2993 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2994 wpa_tdls_remove_peers(sm);
2995 }
2996
2997
wpa_tdls_prohibited(struct ieee802_11_elems * elems)2998 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
2999 {
3000 /* bit 38 - TDLS Prohibited */
3001 return !!(elems->ext_capab[4] & 0x40);
3002 }
3003
3004
wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems * elems)3005 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
3006 {
3007 /* bit 39 - TDLS Channel Switch Prohibited */
3008 return !!(elems->ext_capab[4] & 0x80);
3009 }
3010
3011
wpa_tdls_ap_ies(struct wpa_sm * sm,const u8 * ies,size_t len)3012 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3013 {
3014 struct ieee802_11_elems elems;
3015
3016 sm->tdls_prohibited = 0;
3017 sm->tdls_chan_switch_prohibited = 0;
3018
3019 if (ies == NULL ||
3020 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3021 elems.ext_capab == NULL || elems.ext_capab_len < 5)
3022 return;
3023
3024 sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
3025 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
3026 sm->tdls_prohibited ? "prohibited" : "allowed");
3027 sm->tdls_chan_switch_prohibited =
3028 wpa_tdls_chan_switch_prohibited(&elems);
3029 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
3030 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
3031 }
3032
3033
wpa_tdls_assoc_resp_ies(struct wpa_sm * sm,const u8 * ies,size_t len)3034 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3035 {
3036 struct ieee802_11_elems elems;
3037
3038 if (ies == NULL ||
3039 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3040 elems.ext_capab == NULL || elems.ext_capab_len < 5)
3041 return;
3042
3043 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
3044 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
3045 "(Re)Association Response IEs");
3046 sm->tdls_prohibited = 1;
3047 }
3048
3049 if (!sm->tdls_chan_switch_prohibited &&
3050 wpa_tdls_chan_switch_prohibited(&elems)) {
3051 wpa_printf(MSG_DEBUG,
3052 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
3053 sm->tdls_chan_switch_prohibited = 1;
3054 }
3055 }
3056
3057
wpa_tdls_enable(struct wpa_sm * sm,int enabled)3058 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
3059 {
3060 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
3061 sm->tdls_disabled = !enabled;
3062 }
3063
3064
wpa_tdls_is_external_setup(struct wpa_sm * sm)3065 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
3066 {
3067 return sm->tdls_external_setup;
3068 }
3069
3070
wpa_tdls_enable_chan_switch(struct wpa_sm * sm,const u8 * addr,u8 oper_class,struct hostapd_freq_params * freq_params)3071 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
3072 u8 oper_class,
3073 struct hostapd_freq_params *freq_params)
3074 {
3075 struct wpa_tdls_peer *peer;
3076 int ret;
3077
3078 if (sm->tdls_disabled || !sm->tdls_supported)
3079 return -1;
3080
3081 if (!sm->tdls_chan_switch) {
3082 wpa_printf(MSG_DEBUG,
3083 "TDLS: Channel switching not supported by the driver");
3084 return -1;
3085 }
3086
3087 if (sm->tdls_chan_switch_prohibited) {
3088 wpa_printf(MSG_DEBUG,
3089 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3090 return -1;
3091 }
3092
3093 for (peer = sm->tdls; peer; peer = peer->next) {
3094 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3095 break;
3096 }
3097
3098 if (peer == NULL || !peer->tpk_success) {
3099 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
3100 " not found for channel switching", MAC2STR(addr));
3101 return -1;
3102 }
3103
3104 if (peer->chan_switch_enabled) {
3105 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
3106 " already has channel switching enabled",
3107 MAC2STR(addr));
3108 return 0;
3109 }
3110
3111 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3112 oper_class, freq_params);
3113 if (!ret)
3114 peer->chan_switch_enabled = 1;
3115
3116 return ret;
3117 }
3118
3119
wpa_tdls_disable_chan_switch(struct wpa_sm * sm,const u8 * addr)3120 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3121 {
3122 struct wpa_tdls_peer *peer;
3123
3124 if (sm->tdls_disabled || !sm->tdls_supported)
3125 return -1;
3126
3127 for (peer = sm->tdls; peer; peer = peer->next) {
3128 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3129 break;
3130 }
3131
3132 if (!peer || !peer->chan_switch_enabled) {
3133 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3134 MACSTR, MAC2STR(addr));
3135 return -1;
3136 }
3137
3138 /* ignore the return value */
3139 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3140
3141 peer->chan_switch_enabled = 0;
3142 return 0;
3143 }
3144
