2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
14 #include "common/ieee802_11_defs.h"
15 #include "crypto/sha256.h"
16 #include "crypto/crypto.h"
17 #include "crypto/aes_wrap.h"
18 #include "rsn_supp/wpa.h"
19 #include "rsn_supp/wpa_ie.h"
20 #include "rsn_supp/wpa_i.h"
21 #include "drivers/driver.h"
22 #include "l2_packet/l2_packet.h"
24 #ifdef CONFIG_TDLS_TESTING
25 #define TDLS_TESTING_LONG_FRAME BIT(0)
26 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
27 #define TDLS_TESTING_DIFF_BSSID BIT(2)
28 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
29 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
30 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
31 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
32 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
33 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
34 #define TDLS_TESTING_DECLINE_RESP BIT(9)
35 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
36 unsigned int tdls_testing = 0;
37 #endif /* CONFIG_TDLS_TESTING */
39 #define TPK_LIFETIME 43200 /* 12 hours */
40 #define TPK_RETRY_COUNT 3
41 #define TPK_TIMEOUT 5000 /* in milliseconds */
43 #define TDLS_MIC_LEN 16
45 #define TDLS_TIMEOUT_LEN 4
47 struct wpa_tdls_ftie {
48 u8 ie_type; /* FTIE */
52 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
53 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
54 /* followed by optional elements */
57 struct wpa_tdls_timeoutie {
58 u8 ie_type; /* Timeout IE */
61 u8 value[TDLS_TIMEOUT_LEN];
64 struct wpa_tdls_lnkid {
65 u8 ie_type; /* Link Identifier IE */
68 u8 init_sta[ETH_ALEN];
69 u8 resp_sta[ETH_ALEN];
72 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
73 struct wpa_tdls_frame {
74 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
75 u8 category; /* Category */
76 u8 action; /* Action (enum tdls_frame_type) */
79 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
80 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
81 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
84 #define TDLS_MAX_IE_LEN 80
85 #define IEEE80211_MAX_SUPP_RATES 32
87 struct wpa_tdls_peer {
88 struct wpa_tdls_peer *next;
89 int initiator; /* whether this end was initiator for TDLS setup */
90 u8 addr[ETH_ALEN]; /* other end MAC address */
91 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
92 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
93 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
95 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
98 int cipher; /* Selected cipher (WPA_CIPHER_*) */
102 u8 kck[16]; /* TPK-KCK */
103 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
110 int count; /* Retry Count */
111 int timer; /* Timeout in milliseconds */
112 u8 action_code; /* TDLS frame type */
115 int buf_len; /* length of TPK message for retransmission */
116 u8 *buf; /* buffer for TPK message */
121 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
122 size_t supp_rates_len;
124 struct ieee80211_ht_capabilities *ht_capabilities;
125 struct ieee80211_vht_capabilities *vht_capabilities;
130 size_t ext_capab_len;
134 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
137 * Get info needed from supplicant to check if the current BSS supports
138 * security. Other than OPEN mode, rest are considered secured
139 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
141 return sm->pairwise_cipher != WPA_CIPHER_NONE;
145 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
147 os_memcpy(pos, ie, ie_len);
152 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
154 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
155 0, 0, NULL, 0, NULL, 0) < 0) {
156 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
165 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
171 os_memset(rsc, 0, 6);
173 switch (peer->cipher) {
174 case WPA_CIPHER_CCMP:
178 case WPA_CIPHER_NONE:
179 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
180 "NONE - do not use pairwise keys");
183 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
184 sm->pairwise_cipher);
188 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
189 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
190 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
198 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
199 u8 action_code, u8 dialog_token,
200 u16 status_code, const u8 *buf, size_t len)
202 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
203 status_code, buf, len);
207 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
208 u8 dialog_token, u16 status_code,
209 const u8 *msg, size_t msg_len)
211 struct wpa_tdls_peer *peer;
213 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
214 "dialog_token=%u status_code=%u msg_len=%u",
215 MAC2STR(dest), action_code, dialog_token, status_code,
216 (unsigned int) msg_len);
218 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
219 status_code, msg, msg_len)) {
220 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
221 "(action_code=%u)", action_code);
225 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
226 action_code == WLAN_TDLS_TEARDOWN ||
227 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
228 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
229 return 0; /* No retries */
231 for (peer = sm->tdls; peer; peer = peer->next) {
232 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
237 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
238 "retry " MACSTR, MAC2STR(dest));
242 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
244 peer->sm_tmr.count = TPK_RETRY_COUNT;
245 peer->sm_tmr.timer = TPK_TIMEOUT;
247 /* Copy message to resend on timeout */
248 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
249 peer->sm_tmr.action_code = action_code;
250 peer->sm_tmr.dialog_token = dialog_token;
251 peer->sm_tmr.status_code = status_code;
252 peer->sm_tmr.buf_len = msg_len;
253 os_free(peer->sm_tmr.buf);
254 peer->sm_tmr.buf = os_malloc(msg_len);
255 if (peer->sm_tmr.buf == NULL)
257 os_memcpy(peer->sm_tmr.buf, msg, msg_len);
259 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
260 "(action_code=%u)", action_code);
261 eloop_register_timeout(peer->sm_tmr.timer / 1000, 0,
262 wpa_tdls_tpk_retry_timeout, sm, peer);
267 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
268 u16 reason_code, int free_peer)
272 if (sm->tdls_external_setup) {
273 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
275 /* disable the link after teardown was sent */
276 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
278 ret = wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
281 if (sm->tdls_external_setup || free_peer)
282 wpa_tdls_peer_free(sm, peer);
288 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
291 struct wpa_sm *sm = eloop_ctx;
292 struct wpa_tdls_peer *peer = timeout_ctx;
294 if (peer->sm_tmr.count) {
295 peer->sm_tmr.count--;
296 peer->sm_tmr.timer = TPK_TIMEOUT;
298 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
300 peer->sm_tmr.action_code);
302 if (peer->sm_tmr.buf == NULL) {
303 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
304 "for action_code=%u",
305 peer->sm_tmr.action_code);
306 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
311 /* resend TPK Handshake Message to Peer */
312 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
313 peer->sm_tmr.action_code,
314 peer->sm_tmr.dialog_token,
315 peer->sm_tmr.status_code,
317 peer->sm_tmr.buf_len)) {
318 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
322 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
323 eloop_register_timeout(peer->sm_tmr.timer / 1000, 0,
324 wpa_tdls_tpk_retry_timeout, sm, peer);
326 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
328 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
329 wpa_tdls_do_teardown(sm, peer,
330 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, 1);
335 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
336 struct wpa_tdls_peer *peer,
339 if (action_code == peer->sm_tmr.action_code) {
340 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
341 "action_code=%u", action_code);
343 /* Cancel Timeout registered */
344 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
346 /* free all resources meant for retry */
347 os_free(peer->sm_tmr.buf);
348 peer->sm_tmr.buf = NULL;
350 peer->sm_tmr.count = 0;
351 peer->sm_tmr.timer = 0;
352 peer->sm_tmr.buf_len = 0;
353 peer->sm_tmr.action_code = 0xff;
355 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
356 "(Unknown action_code=%u)", action_code);
361 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
362 const u8 *own_addr, const u8 *bssid)
364 u8 key_input[SHA256_MAC_LEN];
367 u8 data[3 * ETH_ALEN];
369 /* IEEE Std 802.11z-2010 8.5.9.1:
370 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
372 len[0] = WPA_NONCE_LEN;
373 len[1] = WPA_NONCE_LEN;
374 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
375 nonce[0] = peer->inonce;
376 nonce[1] = peer->rnonce;
378 nonce[0] = peer->rnonce;
379 nonce[1] = peer->inonce;
381 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
382 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
383 sha256_vector(2, nonce, len, key_input);
384 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
385 key_input, SHA256_MAC_LEN);
388 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
389 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
390 * TODO: is N_KEY really included in KDF Context and if so, in which
391 * presentation format (little endian 16-bit?) is it used? It gets
392 * added by the KDF anyway..
395 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
396 os_memcpy(data, own_addr, ETH_ALEN);
397 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
399 os_memcpy(data, peer->addr, ETH_ALEN);
400 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
402 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
403 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
405 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
406 (u8 *) &peer->tpk, sizeof(peer->tpk));
407 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
408 peer->tpk.kck, sizeof(peer->tpk.kck));
409 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
410 peer->tpk.tk, sizeof(peer->tpk.tk));
416 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
418 * @lnkid: Pointer to the beginning of Link Identifier IE
419 * @rsnie: Pointer to the beginning of RSN IE used for handshake
420 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
421 * @ftie: Pointer to the beginning of FT IE
422 * @mic: Pointer for writing MIC
424 * Calculate MIC for TDLS frame.
426 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
427 const u8 *rsnie, const u8 *timeoutie,
428 const u8 *ftie, u8 *mic)
431 struct wpa_tdls_ftie *_ftie;
432 const struct wpa_tdls_lnkid *_lnkid;
434 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
435 2 + timeoutie[1] + 2 + ftie[1];
436 buf = os_zalloc(len);
438 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
443 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
444 /* 1) TDLS initiator STA MAC address */
445 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
447 /* 2) TDLS responder STA MAC address */
448 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
450 /* 3) Transaction Sequence number */
452 /* 4) Link Identifier IE */
453 os_memcpy(pos, lnkid, 2 + lnkid[1]);
456 os_memcpy(pos, rsnie, 2 + rsnie[1]);
458 /* 6) Timeout Interval IE */
459 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
460 pos += 2 + timeoutie[1];
461 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
462 os_memcpy(pos, ftie, 2 + ftie[1]);
463 _ftie = (struct wpa_tdls_ftie *) pos;
464 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
467 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
468 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
469 ret = omac1_aes_128(kck, buf, pos - buf, mic);
471 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
477 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
479 * @trans_seq: Transaction Sequence Number (4 - Teardown)
480 * @rcode: Reason code for Teardown
481 * @dtoken: Dialog Token used for that particular link
482 * @lnkid: Pointer to the beginning of Link Identifier IE
483 * @ftie: Pointer to the beginning of FT IE
484 * @mic: Pointer for writing MIC
486 * Calculate MIC for TDLS frame.
488 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
489 u8 dtoken, const u8 *lnkid,
490 const u8 *ftie, u8 *mic)
493 struct wpa_tdls_ftie *_ftie;
500 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
501 sizeof(trans_seq) + 2 + ftie[1];
503 buf = os_zalloc(len);
505 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
510 /* 1) Link Identifier IE */
511 os_memcpy(pos, lnkid, 2 + lnkid[1]);
514 WPA_PUT_LE16(pos, rcode);
515 pos += sizeof(rcode);
516 /* 3) Dialog token */
518 /* 4) Transaction Sequence number */
520 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
521 os_memcpy(pos, ftie, 2 + ftie[1]);
522 _ftie = (struct wpa_tdls_ftie *) pos;
523 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
526 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
527 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
528 ret = omac1_aes_128(kck, buf, pos - buf, mic);
530 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
535 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
536 struct wpa_tdls_peer *peer,
537 const u8 *lnkid, const u8 *timeoutie,
538 const struct wpa_tdls_ftie *ftie)
543 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
544 peer->rsnie_p, timeoutie, (u8 *) ftie,
546 if (os_memcmp(mic, ftie->mic, 16) != 0) {
547 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
549 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
551 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
556 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
557 "TPK not set - dropping packet");
564 static int wpa_supplicant_verify_tdls_mic_teardown(
565 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
566 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
571 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
572 dtoken, lnkid, (u8 *) ftie, mic);
573 if (os_memcmp(mic, ftie->mic, 16) != 0) {
574 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
579 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
580 "MIC, TPK not set - dropping packet");
587 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
589 struct wpa_sm *sm = eloop_ctx;
590 struct wpa_tdls_peer *peer = timeout_ctx;
593 * On TPK lifetime expiration, we have an option of either tearing down
594 * the direct link or trying to re-initiate it. The selection of what
595 * to do is not strictly speaking controlled by our role in the expired
596 * link, but for now, use that to select whether to renew or tear down
600 if (peer->initiator) {
601 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
602 " - try to renew", MAC2STR(peer->addr));
603 wpa_tdls_start(sm, peer->addr);
605 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
606 " - tear down", MAC2STR(peer->addr));
607 wpa_tdls_do_teardown(sm, peer,
608 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, 1);
613 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
615 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
616 MAC2STR(peer->addr));
617 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
618 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
620 os_free(peer->sm_tmr.buf);
621 peer->sm_tmr.buf = NULL;
622 os_free(peer->ht_capabilities);
623 peer->ht_capabilities = NULL;
624 os_free(peer->vht_capabilities);
625 peer->vht_capabilities = NULL;
626 os_free(peer->ext_capab);
627 peer->ext_capab = NULL;
628 peer->rsnie_i_len = peer->rsnie_p_len = 0;
630 peer->tpk_set = peer->tpk_success = 0;
631 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
632 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
633 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
637 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
638 struct wpa_tdls_lnkid *lnkid)
640 lnkid->ie_type = WLAN_EID_LINK_ID;
641 lnkid->ie_len = 3 * ETH_ALEN;
642 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
643 if (peer->initiator) {
644 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
645 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
647 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
648 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
653 int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
655 struct wpa_tdls_peer *peer;
656 struct wpa_tdls_ftie *ftie;
657 struct wpa_tdls_lnkid lnkid;
662 if (sm->tdls_disabled || !sm->tdls_supported)
665 /* Find the node and free from the list */
666 for (peer = sm->tdls; peer; peer = peer->next) {
667 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
672 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
673 "Teardown " MACSTR, MAC2STR(addr));
677 dialog_token = peer->dtoken;
679 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
683 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
684 /* To add FTIE for Teardown request and compute MIC */
685 ielen += sizeof(*ftie);
686 #ifdef CONFIG_TDLS_TESTING
687 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
689 #endif /* CONFIG_TDLS_TESTING */
692 rbuf = os_zalloc(ielen + 1);
697 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success) {
698 if (reason_code != WLAN_REASON_DEAUTH_LEAVING) {
699 /* Overwrite the reason code */
700 reason_code = WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED;
705 ftie = (struct wpa_tdls_ftie *) pos;
706 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
707 /* Using the recent nonce which should be for CONFIRM frame */
708 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
709 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
710 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
711 pos = (u8 *) (ftie + 1);
712 #ifdef CONFIG_TDLS_TESTING
713 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
714 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
717 *pos++ = 255; /* FTIE subelem */
718 *pos++ = 168; /* FTIE subelem length */
721 #endif /* CONFIG_TDLS_TESTING */
722 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
723 (u8 *) ftie, pos - (u8 *) ftie);
725 /* compute MIC before sending */
726 wpa_tdls_linkid(sm, peer, &lnkid);
727 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
728 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
732 /* TODO: register for a Timeout handler, if Teardown is not received at
733 * the other end, then try again another time */
735 /* request driver to send Teardown using this FTIE */
736 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
737 reason_code, rbuf, pos - rbuf);
740 /* clear the Peerkey statemachine */
741 wpa_tdls_peer_free(sm, peer);
747 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
749 struct wpa_tdls_peer *peer;
751 if (sm->tdls_disabled || !sm->tdls_supported)
754 for (peer = sm->tdls; peer; peer = peer->next) {
755 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
760 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
761 " for link Teardown", MAC2STR(addr));
765 if (!peer->tpk_success) {
766 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
767 " not connected - cannot Teardown link", MAC2STR(addr));
771 return wpa_tdls_do_teardown(sm, peer, reason_code, 0);
775 void wpa_tdls_disable_link(struct wpa_sm *sm, const u8 *addr)
777 struct wpa_tdls_peer *peer;
779 for (peer = sm->tdls; peer; peer = peer->next) {
780 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
785 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
786 wpa_tdls_peer_free(sm, peer);
791 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
792 const u8 *buf, size_t len)
794 struct wpa_tdls_peer *peer = NULL;
795 struct wpa_tdls_ftie *ftie;
796 struct wpa_tdls_lnkid *lnkid;
797 struct wpa_eapol_ie_parse kde;
802 /* Find the node and free from the list */
803 for (peer = sm->tdls; peer; peer = peer->next) {
804 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
809 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
810 "Teardown " MACSTR, MAC2STR(src_addr));
815 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
817 reason_code = WPA_GET_LE16(pos);
820 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
821 " (reason code %u)", MAC2STR(src_addr), reason_code);
823 ielen = len - (pos - buf); /* start of IE in buf */
824 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
825 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown");
829 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
830 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
834 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
836 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
839 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
840 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
844 ftie = (struct wpa_tdls_ftie *) kde.ftie;
846 /* Process MIC check to see if TDLS Teardown is right */
847 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
849 (u8 *) lnkid, ftie) < 0) {
850 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
851 "Teardown Request from " MACSTR, MAC2STR(src_addr));
857 * Request the driver to disable the direct link and clear associated
860 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
862 /* clear the Peerkey statemachine */
863 wpa_tdls_peer_free(sm, peer);
870 * wpa_tdls_send_error - To send suitable TDLS status response with
871 * appropriate status code mentioning reason for error/failure.
872 * @dst - MAC addr of Peer station
873 * @tdls_action - TDLS frame type for which error code is sent
874 * @status - status code mentioning reason
877 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
878 u8 tdls_action, u8 dialog_token, u16 status)
880 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
881 " (action=%u status=%u)",
882 MAC2STR(dst), tdls_action, status);
883 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
888 static struct wpa_tdls_peer *
889 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
891 struct wpa_tdls_peer *peer;
895 for (peer = sm->tdls; peer; peer = peer->next) {
896 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
899 return peer; /* re-use existing entry */
903 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
906 peer = os_zalloc(sizeof(*peer));
910 os_memcpy(peer->addr, addr, ETH_ALEN);
911 peer->next = sm->tdls;
918 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
919 struct wpa_tdls_peer *peer)
922 struct wpa_tdls_timeoutie timeoutie;
924 struct wpa_tdls_ftie *ftie;
925 u8 *rbuf, *pos, *count_pos;
927 struct rsn_ie_hdr *hdr;
929 if (!wpa_tdls_get_privacy(sm)) {
930 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
931 peer->rsnie_i_len = 0;
936 * TPK Handshake Message 1:
937 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
938 * Timeout Interval IE))
942 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
943 hdr->elem_id = WLAN_EID_RSN;
944 WPA_PUT_LE16(hdr->version, RSN_VERSION);
946 pos = (u8 *) (hdr + 1);
947 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
948 pos += RSN_SELECTOR_LEN;
955 * AES-CCMP is the default Encryption preferred for TDLS, so
956 * RSN IE is filled only with CCMP CIPHER
957 * Note: TKIP is not used to encrypt TDLS link.
959 * Regardless of the cipher used on the AP connection, select CCMP
962 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
963 pos += RSN_SELECTOR_LEN;
966 WPA_PUT_LE16(count_pos, count);
968 WPA_PUT_LE16(pos, 1);
970 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
971 pos += RSN_SELECTOR_LEN;
973 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
974 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
975 #ifdef CONFIG_TDLS_TESTING
976 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
977 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
979 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
981 #endif /* CONFIG_TDLS_TESTING */
982 WPA_PUT_LE16(pos, rsn_capab);
984 #ifdef CONFIG_TDLS_TESTING
985 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
986 /* Number of PMKIDs */
990 #endif /* CONFIG_TDLS_TESTING */
992 hdr->len = (pos - peer->rsnie_i) - 2;
993 peer->rsnie_i_len = pos - peer->rsnie_i;
994 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
995 peer->rsnie_i, peer->rsnie_i_len);
999 if (wpa_tdls_get_privacy(sm))
1000 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1001 sizeof(struct wpa_tdls_timeoutie);
1002 #ifdef CONFIG_TDLS_TESTING
1003 if (wpa_tdls_get_privacy(sm) &&
1004 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1006 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1007 buf_len += sizeof(struct wpa_tdls_lnkid);
1008 #endif /* CONFIG_TDLS_TESTING */
1009 rbuf = os_zalloc(buf_len + 1);
1011 wpa_tdls_peer_free(sm, peer);
1016 if (!wpa_tdls_get_privacy(sm))
1019 /* Initiator RSN IE */
1020 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1022 ftie = (struct wpa_tdls_ftie *) pos;
1023 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1024 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1026 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1027 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1028 "TDLS: Failed to get random data for initiator Nonce");
1030 wpa_tdls_peer_free(sm, peer);
1033 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1034 peer->inonce, WPA_NONCE_LEN);
1035 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1037 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1038 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1040 pos = (u8 *) (ftie + 1);
1042 #ifdef CONFIG_TDLS_TESTING
1043 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1044 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1046 ftie->ie_len += 170;
1047 *pos++ = 255; /* FTIE subelem */
1048 *pos++ = 168; /* FTIE subelem length */
1051 #endif /* CONFIG_TDLS_TESTING */
1054 peer->lifetime = TPK_LIFETIME;
1055 #ifdef CONFIG_TDLS_TESTING
1056 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1057 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1059 peer->lifetime = 301;
1061 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1062 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1064 peer->lifetime = 0xffffffff;
1066 #endif /* CONFIG_TDLS_TESTING */
1067 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1068 sizeof(timeoutie), peer->lifetime);
1069 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1073 #ifdef CONFIG_TDLS_TESTING
1074 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1075 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1077 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1078 wpa_tdls_linkid(sm, peer, l);
1079 l->bssid[5] ^= 0x01;
1082 #endif /* CONFIG_TDLS_TESTING */
1084 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1085 "Handshake Message 1 (peer " MACSTR ")",
1086 MAC2STR(peer->addr));
1088 wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 1, 0,
1096 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1097 const unsigned char *src_addr, u8 dtoken,
1098 struct wpa_tdls_lnkid *lnkid,
1099 const struct wpa_tdls_peer *peer)
1104 struct wpa_tdls_timeoutie timeoutie;
1105 struct wpa_tdls_ftie *ftie;
1108 if (wpa_tdls_get_privacy(sm)) {
1109 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1111 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1112 sizeof(struct wpa_tdls_timeoutie);
1113 #ifdef CONFIG_TDLS_TESTING
1114 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1116 #endif /* CONFIG_TDLS_TESTING */
1119 rbuf = os_zalloc(buf_len + 1);
1124 if (!wpa_tdls_get_privacy(sm))
1128 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1130 ftie = (struct wpa_tdls_ftie *) pos;
1131 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1132 /* TODO: ftie->mic_control to set 2-RESPONSE */
1133 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1134 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1135 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1136 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1137 (u8 *) ftie, sizeof(*ftie));
1139 pos = (u8 *) (ftie + 1);
1141 #ifdef CONFIG_TDLS_TESTING
1142 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1143 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1145 ftie->ie_len += 170;
1146 *pos++ = 255; /* FTIE subelem */
1147 *pos++ = 168; /* FTIE subelem length */
1150 #endif /* CONFIG_TDLS_TESTING */
1153 lifetime = peer->lifetime;
1154 #ifdef CONFIG_TDLS_TESTING
1155 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1156 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1157 "lifetime in response");
1160 #endif /* CONFIG_TDLS_TESTING */
1161 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1162 sizeof(timeoutie), lifetime);
1163 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1166 /* compute MIC before sending */
1167 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1168 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1171 wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
1179 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1180 const unsigned char *src_addr, u8 dtoken,
1181 struct wpa_tdls_lnkid *lnkid,
1182 const struct wpa_tdls_peer *peer)
1186 struct wpa_tdls_ftie *ftie;
1187 struct wpa_tdls_timeoutie timeoutie;
1191 if (wpa_tdls_get_privacy(sm)) {
1192 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1194 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1195 sizeof(struct wpa_tdls_timeoutie);
1196 #ifdef CONFIG_TDLS_TESTING
1197 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1199 #endif /* CONFIG_TDLS_TESTING */
1202 rbuf = os_zalloc(buf_len + 1);
1207 if (!wpa_tdls_get_privacy(sm))
1211 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1213 ftie = (struct wpa_tdls_ftie *) pos;
1214 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1215 /*TODO: ftie->mic_control to set 3-CONFIRM */
1216 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1217 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1218 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1220 pos = (u8 *) (ftie + 1);
1222 #ifdef CONFIG_TDLS_TESTING
1223 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1224 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1226 ftie->ie_len += 170;
1227 *pos++ = 255; /* FTIE subelem */
1228 *pos++ = 168; /* FTIE subelem length */
1231 #endif /* CONFIG_TDLS_TESTING */
1234 lifetime = peer->lifetime;
1235 #ifdef CONFIG_TDLS_TESTING
1236 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1237 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1238 "lifetime in confirm");
1241 #endif /* CONFIG_TDLS_TESTING */
1242 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1243 sizeof(timeoutie), lifetime);
1244 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1247 /* compute MIC before sending */
1248 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1249 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1252 wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 0,
1260 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1261 struct wpa_tdls_peer *peer,
1264 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1265 "(peer " MACSTR ")", MAC2STR(peer->addr));
1267 return wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1268 dialog_token, 0, NULL, 0);
1273 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1274 const u8 *buf, size_t len)
1276 struct wpa_eapol_ie_parse kde;
1277 const struct wpa_tdls_lnkid *lnkid;
1278 struct wpa_tdls_peer *peer;
1279 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1280 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1283 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1286 if (len < min_req_len) {
1287 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1292 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1294 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1295 len - (sizeof(struct wpa_tdls_frame) + 1),
1300 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1305 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1307 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1308 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1309 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1313 peer = wpa_tdls_add_peer(sm, addr, NULL);
1317 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1321 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1323 if (sm->tdls_disabled || !sm->tdls_supported)
1326 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1327 MACSTR, MAC2STR(addr));
1328 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1333 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1334 struct wpa_tdls_peer *peer)
1336 if (!kde->supp_rates) {
1337 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1340 peer->supp_rates_len = merge_byte_arrays(
1341 peer->supp_rates, sizeof(peer->supp_rates),
1342 kde->supp_rates + 2, kde->supp_rates_len - 2,
1343 kde->ext_supp_rates + 2, kde->ext_supp_rates_len - 2);
1348 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1349 struct wpa_tdls_peer *peer)
1351 if (!kde->ht_capabilities ||
1352 kde->ht_capabilities_len <
1353 sizeof(struct ieee80211_ht_capabilities) ) {
1354 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1359 if (!peer->ht_capabilities) {
1360 peer->ht_capabilities =
1361 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1362 if (peer->ht_capabilities == NULL)
1366 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1367 sizeof(struct ieee80211_ht_capabilities));
1368 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1369 (u8 *) peer->ht_capabilities,
1370 sizeof(struct ieee80211_ht_capabilities));
1376 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1377 struct wpa_tdls_peer *peer)
1379 if (!kde->vht_capabilities ||
1380 kde->vht_capabilities_len <
1381 sizeof(struct ieee80211_vht_capabilities) ) {
1382 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1387 if (!peer->vht_capabilities) {
1388 peer->vht_capabilities =
1389 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1390 if (peer->vht_capabilities == NULL)
1394 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1395 sizeof(struct ieee80211_vht_capabilities));
1396 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1397 (u8 *) peer->vht_capabilities,
1398 sizeof(struct ieee80211_vht_capabilities));
1404 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1405 struct wpa_tdls_peer *peer)
1407 if (!kde->ext_capab) {
1408 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1413 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1414 /* Need to allocate buffer to fit the new information */
1415 os_free(peer->ext_capab);
1416 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1417 if (peer->ext_capab == NULL)
1421 peer->ext_capab_len = kde->ext_capab_len - 2;
1422 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1428 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1429 const u8 *buf, size_t len)
1431 struct wpa_tdls_peer *peer;
1432 struct wpa_eapol_ie_parse kde;
1433 struct wpa_ie_data ie;
1436 struct wpa_tdls_ftie *ftie = NULL;
1437 struct wpa_tdls_timeoutie *timeoutie;
1438 struct wpa_tdls_lnkid *lnkid;
1441 struct rsn_ie_hdr *hdr;
1448 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1449 int tdls_prohibited = sm->tdls_prohibited;
1450 int existing_peer = 0;
1456 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1458 /* driver had already verified the frame format */
1459 dtoken = *cpos++; /* dialog token */
1461 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1463 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1467 /* If found, use existing entry instead of adding a new one;
1468 * how to handle the case where both ends initiate at the
1470 if (existing_peer) {
1471 if (peer->tpk_success) {
1472 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1473 "direct link is enabled - tear down the "
1476 /* TODO: Disabling the link would be more proper
1477 * operation here, but it seems to trigger a race with
1478 * some drivers handling the new request frame. */
1479 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
1481 if (sm->tdls_external_setup)
1482 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1485 wpa_tdls_del_key(sm, peer);
1487 wpa_tdls_peer_free(sm, peer);
1491 * An entry is already present, so check if we already sent a
1492 * TDLS Setup Request. If so, compare MAC addresses and let the
1493 * STA with the lower MAC address continue as the initiator.
1494 * The other negotiation is terminated.
1496 if (peer->initiator) {
1497 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1498 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1499 "from peer with higher address "
1500 MACSTR, MAC2STR(src_addr));
1503 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1504 "from peer with lower address "
1505 MACSTR " (terminate previously "
1506 "initiated negotiation",
1508 wpa_tdls_disable_link(sm, peer->addr);
1513 /* capability information */
1514 peer->capability = WPA_GET_LE16(cpos);
1517 ielen = len - (cpos - buf); /* start of IE in buf */
1518 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) {
1519 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1");
1523 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1524 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1528 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1529 kde.lnkid, kde.lnkid_len);
1530 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1531 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1532 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1533 status = WLAN_STATUS_NOT_IN_SAME_BSS;
1537 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1540 if (copy_supp_rates(&kde, peer) < 0)
1543 if (copy_peer_ht_capab(&kde, peer) < 0)
1546 if (copy_peer_vht_capab(&kde, peer) < 0)
1549 if (copy_peer_ext_capab(&kde, peer) < 0)
1552 peer->qos_info = kde.qosinfo;
1554 #ifdef CONFIG_TDLS_TESTING
1555 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1556 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1559 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1560 "TDLS setup - send own request");
1561 peer->initiator = 1;
1562 wpa_tdls_send_tpk_m1(sm, peer);
1565 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1567 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1569 tdls_prohibited = 0;
1571 #endif /* CONFIG_TDLS_TESTING */
1573 if (tdls_prohibited) {
1574 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1575 status = WLAN_STATUS_REQUEST_DECLINED;
1579 if (!wpa_tdls_get_privacy(sm)) {
1581 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1582 "security is disabled");
1583 status = WLAN_STATUS_SECURITY_DISABLED;
1589 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1590 kde.rsn_ie == NULL) {
1591 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1592 status = WLAN_STATUS_INVALID_PARAMETERS;
1596 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
1597 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
1599 status = WLAN_STATUS_INVALID_RSNIE;
1603 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1604 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
1605 status = WLAN_STATUS_INVALID_RSNIE;
1609 cipher = ie.pairwise_cipher;
1610 if (cipher & WPA_CIPHER_CCMP) {
1611 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1612 cipher = WPA_CIPHER_CCMP;
1614 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
1615 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1619 if ((ie.capabilities &
1620 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
1621 WPA_CAPABILITY_PEERKEY_ENABLED) {
1622 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
1624 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
1629 if (kde.key_lifetime == NULL) {
1630 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
1631 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1634 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
1635 lifetime = WPA_GET_LE32(timeoutie->value);
1636 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
1637 if (lifetime < 300) {
1638 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
1639 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1644 #ifdef CONFIG_TDLS_TESTING
1645 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1646 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
1648 * The request frame from us is going to win, so do not
1649 * replace information based on this request frame from
1652 goto skip_rsn_check;
1655 #endif /* CONFIG_TDLS_TESTING */
1657 peer->initiator = 0; /* Need to check */
1658 peer->dtoken = dtoken;
1660 if (!wpa_tdls_get_privacy(sm)) {
1661 peer->rsnie_i_len = 0;
1662 peer->rsnie_p_len = 0;
1663 peer->cipher = WPA_CIPHER_NONE;
1664 goto skip_rsn_check;
1667 ftie = (struct wpa_tdls_ftie *) kde.ftie;
1668 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
1669 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
1670 peer->rsnie_i_len = kde.rsn_ie_len;
1671 peer->cipher = cipher;
1673 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
1674 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1675 "TDLS: Failed to get random data for responder nonce");
1676 wpa_tdls_peer_free(sm, peer);
1681 /* get version info from RSNIE received from Peer */
1682 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
1683 rsn_ver = WPA_GET_LE16(hdr->version);
1685 /* use min(peer's version, out version) */
1686 if (rsn_ver > RSN_VERSION)
1687 rsn_ver = RSN_VERSION;
1689 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
1691 hdr->elem_id = WLAN_EID_RSN;
1692 WPA_PUT_LE16(hdr->version, rsn_ver);
1693 pos = (u8 *) (hdr + 1);
1695 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1696 pos += RSN_SELECTOR_LEN;
1697 /* Include only the selected cipher in pairwise cipher suite */
1698 WPA_PUT_LE16(pos, 1);
1700 if (cipher == WPA_CIPHER_CCMP)
1701 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1702 pos += RSN_SELECTOR_LEN;
1704 WPA_PUT_LE16(pos, 1);
1706 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1707 pos += RSN_SELECTOR_LEN;
1709 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1710 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1711 WPA_PUT_LE16(pos, rsn_capab);
1714 hdr->len = (pos - peer->rsnie_p) - 2;
1715 peer->rsnie_p_len = pos - peer->rsnie_p;
1718 /* temp fix: validation of RSNIE later */
1719 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
1720 peer->rsnie_p_len = peer->rsnie_i_len;
1722 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1723 peer->rsnie_p, peer->rsnie_p_len);
1725 peer->lifetime = lifetime;
1727 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
1730 /* add the peer to the driver as a "setup in progress" peer */
1731 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, NULL, 0, NULL, NULL, 0,
1734 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
1735 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
1736 wpa_tdls_disable_link(sm, peer->addr);
1743 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken,
1749 static void wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
1751 peer->tpk_success = 1;
1752 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
1753 if (wpa_tdls_get_privacy(sm)) {
1754 u32 lifetime = peer->lifetime;
1756 * Start the initiator process a bit earlier to avoid race
1757 * condition with the responder sending teardown request.
1759 if (lifetime > 3 && peer->initiator)
1761 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
1763 #ifdef CONFIG_TDLS_TESTING
1764 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
1765 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
1767 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
1769 #endif /* CONFIG_TDLS_TESTING */
1772 /* add supported rates, capabilities, and qos_info to the TDLS peer */
1773 wpa_sm_tdls_peer_addset(sm, peer->addr, 0, peer->capability,
1774 peer->supp_rates, peer->supp_rates_len,
1775 peer->ht_capabilities, peer->vht_capabilities,
1776 peer->qos_info, peer->ext_capab,
1777 peer->ext_capab_len);
1779 wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
1783 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
1784 const u8 *buf, size_t len)
1786 struct wpa_tdls_peer *peer;
1787 struct wpa_eapol_ie_parse kde;
1788 struct wpa_ie_data ie;
1790 struct wpa_tdls_ftie *ftie;
1791 struct wpa_tdls_timeoutie *timeoutie;
1792 struct wpa_tdls_lnkid *lnkid;
1799 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
1800 "(Peer " MACSTR ")", MAC2STR(src_addr));
1801 for (peer = sm->tdls; peer; peer = peer->next) {
1802 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
1806 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
1807 "TPK M2: " MACSTR, MAC2STR(src_addr));
1810 if (!peer->initiator) {
1812 * This may happen if both devices try to initiate TDLS at the
1813 * same time and we accept the TPK M1 from the peer in
1814 * wpa_tdls_process_tpk_m1() and clear our previous state.
1816 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
1817 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
1820 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
1822 if (len < 3 + 2 + 1)
1825 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1826 status = WPA_GET_LE16(pos);
1827 pos += 2 /* status code */;
1829 if (status != WLAN_STATUS_SUCCESS) {
1830 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
1832 if (sm->tdls_external_setup)
1833 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
1837 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1839 /* TODO: need to verify dialog token matches here or in kernel */
1840 dtoken = *pos++; /* dialog token */
1842 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
1844 if (len < 3 + 2 + 1 + 2)
1847 /* capability information */
1848 peer->capability = WPA_GET_LE16(pos);
1851 ielen = len - (pos - buf); /* start of IE in buf */
1852 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) {
1853 wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2");
1857 #ifdef CONFIG_TDLS_TESTING
1858 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
1859 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
1860 status = WLAN_STATUS_REQUEST_DECLINED;
1863 #endif /* CONFIG_TDLS_TESTING */
1865 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1866 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1870 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
1871 kde.lnkid, kde.lnkid_len);
1872 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1874 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1875 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
1876 status = WLAN_STATUS_NOT_IN_SAME_BSS;
1880 if (copy_supp_rates(&kde, peer) < 0)
1883 if (copy_peer_ht_capab(&kde, peer) < 0)
1886 if (copy_peer_vht_capab(&kde, peer) < 0)
1889 if (copy_peer_ext_capab(&kde, peer) < 0)
1892 peer->qos_info = kde.qosinfo;
1894 if (!wpa_tdls_get_privacy(sm)) {
1895 peer->rsnie_p_len = 0;
1896 peer->cipher = WPA_CIPHER_NONE;
1900 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1901 kde.rsn_ie == NULL) {
1902 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
1903 status = WLAN_STATUS_INVALID_PARAMETERS;
1906 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
1907 kde.rsn_ie, kde.rsn_ie_len);
1910 * FIX: bitwise comparison of RSN IE is not the correct way of
1911 * validation this. It can be different, but certain fields must
1912 * match. Since we list only a single pairwise cipher in TPK M1, the
1913 * memcmp is likely to work in most cases, though.
1915 if (kde.rsn_ie_len != peer->rsnie_i_len ||
1916 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
1917 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
1918 "not match with RSN IE used in TPK M1");
1919 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
1920 peer->rsnie_i, peer->rsnie_i_len);
1921 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
1922 kde.rsn_ie, kde.rsn_ie_len);
1923 status = WLAN_STATUS_INVALID_RSNIE;
1927 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1928 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
1929 status = WLAN_STATUS_INVALID_RSNIE;
1933 cipher = ie.pairwise_cipher;
1934 if (cipher == WPA_CIPHER_CCMP) {
1935 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1936 cipher = WPA_CIPHER_CCMP;
1938 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
1939 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1943 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
1944 kde.ftie, sizeof(*ftie));
1945 ftie = (struct wpa_tdls_ftie *) kde.ftie;
1947 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
1948 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
1949 "not match with FTIE SNonce used in TPK M1");
1950 /* Silently discard the frame */
1954 /* Responder Nonce and RSN IE */
1955 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
1956 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
1957 peer->rsnie_p_len = kde.rsn_ie_len;
1958 peer->cipher = cipher;
1961 if (kde.key_lifetime == NULL) {
1962 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
1963 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1966 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
1967 lifetime = WPA_GET_LE32(timeoutie->value);
1968 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
1970 if (lifetime != peer->lifetime) {
1971 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
1972 "TPK M2 (expected %u)", lifetime, peer->lifetime);
1973 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1977 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
1979 /* Process MIC check to see if TPK M2 is right */
1980 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
1981 (u8 *) timeoutie, ftie) < 0) {
1982 /* Discard the frame */
1983 wpa_tdls_del_key(sm, peer);
1984 wpa_tdls_peer_free(sm, peer);
1985 if (sm->tdls_external_setup)
1986 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
1990 wpa_tdls_set_key(sm, peer);
1993 peer->dtoken = dtoken;
1995 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
1996 "TPK Handshake Message 3");
1997 wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer);
1999 wpa_tdls_enable_link(sm, peer);
2004 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken,
2006 if (sm->tdls_external_setup)
2007 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
2012 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2013 const u8 *buf, size_t len)
2015 struct wpa_tdls_peer *peer;
2016 struct wpa_eapol_ie_parse kde;
2017 struct wpa_tdls_ftie *ftie;
2018 struct wpa_tdls_timeoutie *timeoutie;
2019 struct wpa_tdls_lnkid *lnkid;
2025 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2026 "(Peer " MACSTR ")", MAC2STR(src_addr));
2027 for (peer = sm->tdls; peer; peer = peer->next) {
2028 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2032 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2033 "TPK M3: " MACSTR, MAC2STR(src_addr));
2036 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2041 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2043 status = WPA_GET_LE16(pos);
2046 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2048 if (sm->tdls_external_setup)
2049 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
2052 pos += 2 /* status code */ + 1 /* dialog token */;
2054 ielen = len - (pos - buf); /* start of IE in buf */
2055 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2056 wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3");
2060 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2061 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2064 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2065 (u8 *) kde.lnkid, kde.lnkid_len);
2066 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2068 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2069 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2073 if (!wpa_tdls_get_privacy(sm))
2076 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2077 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2080 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2081 kde.ftie, sizeof(*ftie));
2082 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2084 if (kde.rsn_ie == NULL) {
2085 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2088 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2089 kde.rsn_ie, kde.rsn_ie_len);
2090 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2091 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2092 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2093 "with the one sent in TPK M2");
2097 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) {
2098 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2099 "not match with FTIE ANonce used in TPK M2");
2103 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2104 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2105 "match with FTIE SNonce used in TPK M1");
2109 if (kde.key_lifetime == NULL) {
2110 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2113 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2114 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2115 (u8 *) timeoutie, sizeof(*timeoutie));
2116 lifetime = WPA_GET_LE32(timeoutie->value);
2117 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2119 if (lifetime != peer->lifetime) {
2120 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2121 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2122 if (sm->tdls_external_setup)
2123 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
2127 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2128 (u8 *) timeoutie, ftie) < 0) {
2129 wpa_tdls_del_key(sm, peer);
2130 wpa_tdls_peer_free(sm, peer);
2134 if (wpa_tdls_set_key(sm, peer) < 0)
2138 wpa_tdls_enable_link(sm, peer);
2144 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2146 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2148 os_memset(lifetime, 0, ie_len);
2149 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2150 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2151 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2152 WPA_PUT_LE32(lifetime->value, tsecs);
2153 os_memcpy(pos, ie, ie_len);
2154 return pos + ie_len;
2159 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2160 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2161 * @peer: MAC address of the peer STA
2162 * Returns: 0 on success, or -1 on failure
2164 * Send TPK Handshake Message 1 info to driver to start TDLS
2165 * handshake with the peer.
2167 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2169 struct wpa_tdls_peer *peer;
2170 int tdls_prohibited = sm->tdls_prohibited;
2172 if (sm->tdls_disabled || !sm->tdls_supported)
2175 #ifdef CONFIG_TDLS_TESTING
2176 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2178 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2180 tdls_prohibited = 0;
2182 #endif /* CONFIG_TDLS_TESTING */
2184 if (tdls_prohibited) {
2185 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2186 "reject request to start setup");
2190 peer = wpa_tdls_add_peer(sm, addr, NULL);
2194 peer->initiator = 1;
2196 /* add the peer to the driver as a "setup in progress" peer */
2197 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, NULL, 0, NULL, NULL, 0,
2200 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
2201 wpa_tdls_disable_link(sm, peer->addr);
2209 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2211 struct wpa_tdls_peer *peer;
2213 if (sm->tdls_disabled || !sm->tdls_supported)
2216 for (peer = sm->tdls; peer; peer = peer->next) {
2217 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2221 if (peer == NULL || !peer->tpk_success)
2224 if (sm->tdls_external_setup) {
2226 * Disable previous link to allow renegotiation to be completed
2229 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2235 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2237 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2239 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2240 const u8 *buf, size_t len)
2242 struct wpa_sm *sm = ctx;
2243 struct wpa_tdls_frame *tf;
2245 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2248 if (sm->tdls_disabled || !sm->tdls_supported) {
2249 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2250 "or unsupported by driver");
2254 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2255 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2259 if (len < sizeof(*tf)) {
2260 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2264 /* Check to make sure its a valid encapsulated TDLS frame */
2265 tf = (struct wpa_tdls_frame *) buf;
2266 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2267 tf->category != WLAN_ACTION_TDLS) {
2268 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2269 "category=%u action=%u",
2270 tf->payloadtype, tf->category, tf->action);
2274 switch (tf->action) {
2275 case WLAN_TDLS_SETUP_REQUEST:
2276 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2278 case WLAN_TDLS_SETUP_RESPONSE:
2279 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2281 case WLAN_TDLS_SETUP_CONFIRM:
2282 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2284 case WLAN_TDLS_TEARDOWN:
2285 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2287 case WLAN_TDLS_DISCOVERY_REQUEST:
2288 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2291 /* Kernel code will process remaining frames */
2292 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2300 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2301 * @wpa_s: Pointer to wpa_supplicant data
2302 * Returns: 0 on success, -1 on failure
2304 * This function is called to initialize driver interface parameters for TDLS.
2305 * wpa_drv_init() must have been called before this function to initialize the
2308 int wpa_tdls_init(struct wpa_sm *sm)
2313 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2316 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2318 if (sm->l2_tdls == NULL) {
2319 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2325 * Drivers that support TDLS but don't implement the get_capa callback
2326 * are assumed to perform everything internally
2328 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2329 &sm->tdls_external_setup) < 0) {
2330 sm->tdls_supported = 1;
2331 sm->tdls_external_setup = 0;
2334 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2335 "driver", sm->tdls_supported ? "" : " not");
2336 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2337 sm->tdls_external_setup ? "external" : "internal");
2343 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2345 struct wpa_tdls_peer *peer;
2349 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2352 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2353 MAC2STR(peer->addr));
2354 if (sm->tdls_external_setup)
2355 wpa_tdls_send_teardown(sm, peer->addr,
2356 WLAN_REASON_DEAUTH_LEAVING);
2358 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2365 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2367 struct wpa_tdls_peer *peer, *tmp;
2375 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2376 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2377 MAC2STR(peer->addr), res);
2378 wpa_tdls_peer_free(sm, peer);
2386 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2388 * This function is called to recover driver interface parameters for TDLS
2389 * and frees resources allocated for it.
2391 void wpa_tdls_deinit(struct wpa_sm *sm)
2397 l2_packet_deinit(sm->l2_tdls);
2400 wpa_tdls_remove_peers(sm);
2404 void wpa_tdls_assoc(struct wpa_sm *sm)
2406 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2407 wpa_tdls_remove_peers(sm);
2411 void wpa_tdls_disassoc(struct wpa_sm *sm)
2413 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2414 wpa_tdls_remove_peers(sm);
2418 static int wpa_tdls_prohibited(const u8 *ies, size_t len)
2420 struct wpa_eapol_ie_parse elems;
2425 if (wpa_supplicant_parse_ies(ies, len, &elems) < 0)
2428 if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2431 /* bit 38 - TDLS Prohibited */
2432 return !!(elems.ext_capab[2 + 4] & 0x40);
2436 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2438 sm->tdls_prohibited = wpa_tdls_prohibited(ies, len);
2439 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2440 sm->tdls_prohibited ? "prohibited" : "allowed");
2444 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2446 if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) {
2447 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
2448 "(Re)Association Response IEs");
2449 sm->tdls_prohibited = 1;
2454 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
2456 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
2457 sm->tdls_disabled = !enabled;
2461 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
2463 return sm->tdls_external_setup;