2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 unsigned int tdls_testing = 0;
39 #endif /* CONFIG_TDLS_TESTING */
41 #define TPK_LIFETIME 43200 /* 12 hours */
42 #define TPK_M1_RETRY_COUNT 3
43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
44 #define TPK_M2_RETRY_COUNT 10
45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47 #define TDLS_MIC_LEN 16
49 #define TDLS_TIMEOUT_LEN 4
51 struct wpa_tdls_ftie {
52 u8 ie_type; /* FTIE */
56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
58 /* followed by optional elements */
61 struct wpa_tdls_timeoutie {
62 u8 ie_type; /* Timeout IE */
65 u8 value[TDLS_TIMEOUT_LEN];
68 struct wpa_tdls_lnkid {
69 u8 ie_type; /* Link Identifier IE */
72 u8 init_sta[ETH_ALEN];
73 u8 resp_sta[ETH_ALEN];
76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
77 struct wpa_tdls_frame {
78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
79 u8 category; /* Category */
80 u8 action; /* Action (enum tdls_frame_type) */
83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
87 struct wpa_tdls_peer *peer);
88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
92 #define TDLS_MAX_IE_LEN 80
93 #define IEEE80211_MAX_SUPP_RATES 32
95 struct wpa_tdls_peer {
96 struct wpa_tdls_peer *next;
97 unsigned int reconfig_key:1;
98 int initiator; /* whether this end was initiator for TDLS setup */
99 u8 addr[ETH_ALEN]; /* other end MAC address */
100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
107 int cipher; /* Selected cipher (WPA_CIPHER_*) */
111 u8 kck[16]; /* TPK-KCK */
112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
115 int tk_set; /* TPK-TK configured to the driver */
121 int count; /* Retry Count */
122 int timer; /* Timeout in milliseconds */
123 u8 action_code; /* TDLS frame type */
127 int buf_len; /* length of TPK message for retransmission */
128 u8 *buf; /* buffer for TPK message */
133 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
134 size_t supp_rates_len;
136 struct ieee80211_ht_capabilities *ht_capabilities;
137 struct ieee80211_vht_capabilities *vht_capabilities;
144 size_t ext_capab_len;
147 size_t supp_channels_len;
149 u8 *supp_oper_classes;
150 size_t supp_oper_classes_len;
154 /* channel switch currently enabled */
155 int chan_switch_enabled;
159 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
162 * Get info needed from supplicant to check if the current BSS supports
163 * security. Other than OPEN mode, rest are considered secured
164 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
166 return sm->pairwise_cipher != WPA_CIPHER_NONE;
170 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
172 os_memcpy(pos, ie, ie_len);
177 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
179 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
180 0, 0, NULL, 0, NULL, 0) < 0) {
181 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
190 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
198 * This same TPK-TK has already been configured to the driver
199 * and this new configuration attempt (likely due to an
200 * unexpected retransmitted frame) would result in clearing
201 * the TX/RX sequence number which can break security, so must
202 * not allow that to happen.
204 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
205 " has already been configured to the driver - do not reconfigure",
206 MAC2STR(peer->addr));
210 os_memset(rsc, 0, 6);
212 switch (peer->cipher) {
213 case WPA_CIPHER_CCMP:
217 case WPA_CIPHER_NONE:
218 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
219 "NONE - do not use pairwise keys");
222 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
223 sm->pairwise_cipher);
227 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
228 MAC2STR(peer->addr));
229 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
230 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
231 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
240 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
241 u8 action_code, u8 dialog_token,
242 u16 status_code, u32 peer_capab,
243 int initiator, const u8 *buf, size_t len)
245 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
246 status_code, peer_capab, initiator, buf,
251 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
252 u8 dialog_token, u16 status_code, u32 peer_capab,
253 int initiator, const u8 *msg, size_t msg_len)
255 struct wpa_tdls_peer *peer;
257 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
258 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
260 MAC2STR(dest), action_code, dialog_token, status_code,
261 peer_capab, initiator, (unsigned int) msg_len);
263 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
264 status_code, peer_capab, initiator, msg,
266 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
267 "(action_code=%u)", action_code);
271 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
272 action_code == WLAN_TDLS_TEARDOWN ||
273 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
274 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
275 return 0; /* No retries */
277 for (peer = sm->tdls; peer; peer = peer->next) {
278 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
283 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
284 "retry " MACSTR, MAC2STR(dest));
288 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
290 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
291 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
292 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
294 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
295 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
298 /* Copy message to resend on timeout */
299 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
300 peer->sm_tmr.action_code = action_code;
301 peer->sm_tmr.dialog_token = dialog_token;
302 peer->sm_tmr.status_code = status_code;
303 peer->sm_tmr.peer_capab = peer_capab;
304 peer->sm_tmr.buf_len = msg_len;
305 os_free(peer->sm_tmr.buf);
306 peer->sm_tmr.buf = os_malloc(msg_len);
307 if (peer->sm_tmr.buf == NULL)
309 os_memcpy(peer->sm_tmr.buf, msg, msg_len);
311 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
312 "(action_code=%u)", action_code);
313 eloop_register_timeout(peer->sm_tmr.timer / 1000,
314 (peer->sm_tmr.timer % 1000) * 1000,
315 wpa_tdls_tpk_retry_timeout, sm, peer);
320 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
325 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
326 /* disable the link after teardown was sent */
327 wpa_tdls_disable_peer_link(sm, peer);
333 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
336 struct wpa_sm *sm = eloop_ctx;
337 struct wpa_tdls_peer *peer = timeout_ctx;
339 if (peer->sm_tmr.count) {
340 peer->sm_tmr.count--;
342 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
344 peer->sm_tmr.action_code);
346 if (peer->sm_tmr.buf == NULL) {
347 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
348 "for action_code=%u",
349 peer->sm_tmr.action_code);
350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
355 /* resend TPK Handshake Message to Peer */
356 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
357 peer->sm_tmr.action_code,
358 peer->sm_tmr.dialog_token,
359 peer->sm_tmr.status_code,
360 peer->sm_tmr.peer_capab,
363 peer->sm_tmr.buf_len)) {
364 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
369 eloop_register_timeout(peer->sm_tmr.timer / 1000,
370 (peer->sm_tmr.timer % 1000) * 1000,
371 wpa_tdls_tpk_retry_timeout, sm, peer);
373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
375 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
376 wpa_tdls_do_teardown(sm, peer,
377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
382 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
383 struct wpa_tdls_peer *peer,
386 if (action_code == peer->sm_tmr.action_code) {
387 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
388 "action_code=%u", action_code);
390 /* Cancel Timeout registered */
391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
393 /* free all resources meant for retry */
394 os_free(peer->sm_tmr.buf);
395 peer->sm_tmr.buf = NULL;
397 peer->sm_tmr.count = 0;
398 peer->sm_tmr.timer = 0;
399 peer->sm_tmr.buf_len = 0;
400 peer->sm_tmr.action_code = 0xff;
402 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
403 "(Unknown action_code=%u)", action_code);
408 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
409 const u8 *own_addr, const u8 *bssid)
411 u8 key_input[SHA256_MAC_LEN];
414 u8 data[3 * ETH_ALEN];
416 /* IEEE Std 802.11z-2010 8.5.9.1:
417 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
419 len[0] = WPA_NONCE_LEN;
420 len[1] = WPA_NONCE_LEN;
421 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
422 nonce[0] = peer->inonce;
423 nonce[1] = peer->rnonce;
425 nonce[0] = peer->rnonce;
426 nonce[1] = peer->inonce;
428 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
429 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
430 sha256_vector(2, nonce, len, key_input);
431 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
432 key_input, SHA256_MAC_LEN);
435 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
436 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
437 * TODO: is N_KEY really included in KDF Context and if so, in which
438 * presentation format (little endian 16-bit?) is it used? It gets
439 * added by the KDF anyway..
442 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
443 os_memcpy(data, own_addr, ETH_ALEN);
444 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
446 os_memcpy(data, peer->addr, ETH_ALEN);
447 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
449 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
450 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
452 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
453 (u8 *) &peer->tpk, sizeof(peer->tpk));
454 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
455 peer->tpk.kck, sizeof(peer->tpk.kck));
456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
457 peer->tpk.tk, sizeof(peer->tpk.tk));
463 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
465 * @lnkid: Pointer to the beginning of Link Identifier IE
466 * @rsnie: Pointer to the beginning of RSN IE used for handshake
467 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
468 * @ftie: Pointer to the beginning of FT IE
469 * @mic: Pointer for writing MIC
471 * Calculate MIC for TDLS frame.
473 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
474 const u8 *rsnie, const u8 *timeoutie,
475 const u8 *ftie, u8 *mic)
478 struct wpa_tdls_ftie *_ftie;
479 const struct wpa_tdls_lnkid *_lnkid;
481 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
482 2 + timeoutie[1] + 2 + ftie[1];
483 buf = os_zalloc(len);
485 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
490 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
491 /* 1) TDLS initiator STA MAC address */
492 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
494 /* 2) TDLS responder STA MAC address */
495 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
497 /* 3) Transaction Sequence number */
499 /* 4) Link Identifier IE */
500 os_memcpy(pos, lnkid, 2 + lnkid[1]);
503 os_memcpy(pos, rsnie, 2 + rsnie[1]);
505 /* 6) Timeout Interval IE */
506 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
507 pos += 2 + timeoutie[1];
508 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
509 os_memcpy(pos, ftie, 2 + ftie[1]);
510 _ftie = (struct wpa_tdls_ftie *) pos;
511 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
514 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
515 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
516 ret = omac1_aes_128(kck, buf, pos - buf, mic);
518 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
524 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
526 * @trans_seq: Transaction Sequence Number (4 - Teardown)
527 * @rcode: Reason code for Teardown
528 * @dtoken: Dialog Token used for that particular link
529 * @lnkid: Pointer to the beginning of Link Identifier IE
530 * @ftie: Pointer to the beginning of FT IE
531 * @mic: Pointer for writing MIC
533 * Calculate MIC for TDLS frame.
535 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
536 u8 dtoken, const u8 *lnkid,
537 const u8 *ftie, u8 *mic)
540 struct wpa_tdls_ftie *_ftie;
547 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
548 sizeof(trans_seq) + 2 + ftie[1];
550 buf = os_zalloc(len);
552 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
557 /* 1) Link Identifier IE */
558 os_memcpy(pos, lnkid, 2 + lnkid[1]);
561 WPA_PUT_LE16(pos, rcode);
562 pos += sizeof(rcode);
563 /* 3) Dialog token */
565 /* 4) Transaction Sequence number */
567 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
568 os_memcpy(pos, ftie, 2 + ftie[1]);
569 _ftie = (struct wpa_tdls_ftie *) pos;
570 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
573 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
574 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
575 ret = omac1_aes_128(kck, buf, pos - buf, mic);
577 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
582 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
583 struct wpa_tdls_peer *peer,
584 const u8 *lnkid, const u8 *timeoutie,
585 const struct wpa_tdls_ftie *ftie)
590 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
591 peer->rsnie_p, timeoutie, (u8 *) ftie,
593 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
594 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
596 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
598 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
603 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
604 "TPK not set - dropping packet");
611 static int wpa_supplicant_verify_tdls_mic_teardown(
612 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
613 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
618 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
619 dtoken, lnkid, (u8 *) ftie, mic);
620 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
621 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
626 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
627 "MIC, TPK not set - dropping packet");
634 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
636 struct wpa_sm *sm = eloop_ctx;
637 struct wpa_tdls_peer *peer = timeout_ctx;
640 * On TPK lifetime expiration, we have an option of either tearing down
641 * the direct link or trying to re-initiate it. The selection of what
642 * to do is not strictly speaking controlled by our role in the expired
643 * link, but for now, use that to select whether to renew or tear down
647 if (peer->initiator) {
650 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
651 " - try to renew", MAC2STR(peer->addr));
652 /* cache the peer address before do_teardown */
653 os_memcpy(addr, peer->addr, ETH_ALEN);
654 wpa_tdls_do_teardown(sm, peer,
655 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
656 wpa_tdls_start(sm, addr);
658 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
659 " - tear down", MAC2STR(peer->addr));
660 wpa_tdls_do_teardown(sm, peer,
661 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
666 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
667 struct wpa_tdls_peer *peer)
669 struct wpa_tdls_peer *cur, *prev;
673 while (cur && cur != peer) {
679 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
680 " to remove it from the list",
681 MAC2STR(peer->addr));
686 prev->next = peer->next;
688 sm->tdls = peer->next;
692 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
694 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
695 MAC2STR(peer->addr));
696 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
697 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
698 peer->reconfig_key = 0;
700 peer->tpk_in_progress = 0;
701 os_free(peer->sm_tmr.buf);
702 peer->sm_tmr.buf = NULL;
703 os_free(peer->ht_capabilities);
704 peer->ht_capabilities = NULL;
705 os_free(peer->vht_capabilities);
706 peer->vht_capabilities = NULL;
707 os_free(peer->ext_capab);
708 peer->ext_capab = NULL;
709 os_free(peer->supp_channels);
710 peer->supp_channels = NULL;
711 os_free(peer->supp_oper_classes);
712 peer->supp_oper_classes = NULL;
713 peer->rsnie_i_len = peer->rsnie_p_len = 0;
716 peer->wmm_capable = 0;
717 peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
718 peer->chan_switch_enabled = 0;
719 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
720 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
721 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
725 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
727 wpa_tdls_peer_clear(sm, peer);
728 wpa_tdls_peer_remove_from_list(sm, peer);
733 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
734 struct wpa_tdls_lnkid *lnkid)
736 lnkid->ie_type = WLAN_EID_LINK_ID;
737 lnkid->ie_len = 3 * ETH_ALEN;
738 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
739 if (peer->initiator) {
740 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
741 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
743 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
744 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
749 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
752 struct wpa_tdls_peer *peer;
753 struct wpa_tdls_ftie *ftie;
754 struct wpa_tdls_lnkid lnkid;
759 if (sm->tdls_disabled || !sm->tdls_supported)
762 /* Find the node and free from the list */
763 for (peer = sm->tdls; peer; peer = peer->next) {
764 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
769 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
770 "Teardown " MACSTR, MAC2STR(addr));
774 /* Cancel active channel switch before teardown */
775 if (peer->chan_switch_enabled) {
776 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
777 " to base channel", MAC2STR(addr));
778 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
781 dialog_token = peer->dtoken;
783 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
787 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
788 /* To add FTIE for Teardown request and compute MIC */
789 ielen += sizeof(*ftie);
790 #ifdef CONFIG_TDLS_TESTING
791 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
793 #endif /* CONFIG_TDLS_TESTING */
796 rbuf = os_zalloc(ielen + 1);
801 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
804 ftie = (struct wpa_tdls_ftie *) pos;
805 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
806 /* Using the recent nonce which should be for CONFIRM frame */
807 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
808 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
809 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
810 pos = (u8 *) (ftie + 1);
811 #ifdef CONFIG_TDLS_TESTING
812 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
813 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
816 *pos++ = 255; /* FTIE subelem */
817 *pos++ = 168; /* FTIE subelem length */
820 #endif /* CONFIG_TDLS_TESTING */
821 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
822 (u8 *) ftie, pos - (u8 *) ftie);
824 /* compute MIC before sending */
825 wpa_tdls_linkid(sm, peer, &lnkid);
826 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
827 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
831 /* TODO: register for a Timeout handler, if Teardown is not received at
832 * the other end, then try again another time */
834 /* request driver to send Teardown using this FTIE */
835 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
836 reason_code, 0, peer->initiator, rbuf, pos - rbuf);
843 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
845 struct wpa_tdls_peer *peer;
847 if (sm->tdls_disabled || !sm->tdls_supported)
850 for (peer = sm->tdls; peer; peer = peer->next) {
851 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
856 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
857 " for link Teardown", MAC2STR(addr));
861 if (!peer->tpk_success) {
862 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
863 " not connected - cannot Teardown link", MAC2STR(addr));
867 return wpa_tdls_do_teardown(sm, peer, reason_code);
871 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
872 struct wpa_tdls_peer *peer)
874 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
875 wpa_tdls_peer_free(sm, peer);
879 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
881 struct wpa_tdls_peer *peer;
883 for (peer = sm->tdls; peer; peer = peer->next) {
884 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
888 if (!peer || !peer->tpk_success) {
889 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
890 " not connected - cannot teardown unreachable link",
895 if (wpa_tdls_is_external_setup(sm)) {
897 * Get us on the base channel, disable the link, send a
898 * teardown packet through the AP, and then reset link data.
900 if (peer->chan_switch_enabled)
901 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
902 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
903 wpa_tdls_send_teardown(sm, addr,
904 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
905 wpa_tdls_peer_free(sm, peer);
907 wpa_tdls_disable_peer_link(sm, peer);
912 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
914 struct wpa_tdls_peer *peer;
916 if (sm->tdls_disabled || !sm->tdls_supported)
919 for (peer = sm->tdls; peer; peer = peer->next) {
920 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
925 return "peer does not exist";
927 if (!peer->tpk_success)
928 return "peer not connected";
934 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
935 const u8 *buf, size_t len)
937 struct wpa_tdls_peer *peer = NULL;
938 struct wpa_tdls_ftie *ftie;
939 struct wpa_tdls_lnkid *lnkid;
940 struct wpa_eapol_ie_parse kde;
945 /* Find the node and free from the list */
946 for (peer = sm->tdls; peer; peer = peer->next) {
947 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
952 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
953 "Teardown " MACSTR, MAC2STR(src_addr));
958 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
960 reason_code = WPA_GET_LE16(pos);
963 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
964 " (reason code %u)", MAC2STR(src_addr), reason_code);
966 ielen = len - (pos - buf); /* start of IE in buf */
969 * Don't reject the message if failing to parse IEs. The IEs we need are
970 * explicitly checked below. Some APs may add arbitrary padding to the
971 * end of short TDLS frames and that would look like invalid IEs.
973 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
974 wpa_printf(MSG_DEBUG,
975 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
977 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
978 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
982 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
984 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
987 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
988 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
992 ftie = (struct wpa_tdls_ftie *) kde.ftie;
994 /* Process MIC check to see if TDLS Teardown is right */
995 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
997 (u8 *) lnkid, ftie) < 0) {
998 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
999 "Teardown Request from " MACSTR, MAC2STR(src_addr));
1005 * Request the driver to disable the direct link and clear associated
1008 wpa_tdls_disable_peer_link(sm, peer);
1014 * wpa_tdls_send_error - To send suitable TDLS status response with
1015 * appropriate status code mentioning reason for error/failure.
1016 * @dst - MAC addr of Peer station
1017 * @tdls_action - TDLS frame type for which error code is sent
1018 * @initiator - was this end the initiator of the connection
1019 * @status - status code mentioning reason
1022 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1023 u8 tdls_action, u8 dialog_token, int initiator,
1026 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1027 " (action=%u status=%u)",
1028 MAC2STR(dst), tdls_action, status);
1029 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1030 0, initiator, NULL, 0);
1034 static struct wpa_tdls_peer *
1035 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1037 struct wpa_tdls_peer *peer;
1041 for (peer = sm->tdls; peer; peer = peer->next) {
1042 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1045 return peer; /* re-use existing entry */
1049 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1052 peer = os_zalloc(sizeof(*peer));
1056 os_memcpy(peer->addr, addr, ETH_ALEN);
1057 peer->next = sm->tdls;
1064 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1065 struct wpa_tdls_peer *peer)
1068 struct wpa_tdls_timeoutie timeoutie;
1070 struct wpa_tdls_ftie *ftie;
1071 u8 *rbuf, *pos, *count_pos;
1073 struct rsn_ie_hdr *hdr;
1076 if (!wpa_tdls_get_privacy(sm)) {
1077 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1078 peer->rsnie_i_len = 0;
1083 * TPK Handshake Message 1:
1084 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1085 * Timeout Interval IE))
1088 /* Filling RSN IE */
1089 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1090 hdr->elem_id = WLAN_EID_RSN;
1091 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1093 pos = (u8 *) (hdr + 1);
1094 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1095 pos += RSN_SELECTOR_LEN;
1102 * AES-CCMP is the default Encryption preferred for TDLS, so
1103 * RSN IE is filled only with CCMP CIPHER
1104 * Note: TKIP is not used to encrypt TDLS link.
1106 * Regardless of the cipher used on the AP connection, select CCMP
1109 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1110 pos += RSN_SELECTOR_LEN;
1113 WPA_PUT_LE16(count_pos, count);
1115 WPA_PUT_LE16(pos, 1);
1117 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1118 pos += RSN_SELECTOR_LEN;
1120 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1121 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1122 #ifdef CONFIG_TDLS_TESTING
1123 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1124 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1126 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1128 #endif /* CONFIG_TDLS_TESTING */
1129 WPA_PUT_LE16(pos, rsn_capab);
1131 #ifdef CONFIG_TDLS_TESTING
1132 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1133 /* Number of PMKIDs */
1137 #endif /* CONFIG_TDLS_TESTING */
1139 hdr->len = (pos - peer->rsnie_i) - 2;
1140 peer->rsnie_i_len = pos - peer->rsnie_i;
1141 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1142 peer->rsnie_i, peer->rsnie_i_len);
1146 if (wpa_tdls_get_privacy(sm))
1147 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1148 sizeof(struct wpa_tdls_timeoutie);
1149 #ifdef CONFIG_TDLS_TESTING
1150 if (wpa_tdls_get_privacy(sm) &&
1151 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1153 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1154 buf_len += sizeof(struct wpa_tdls_lnkid);
1155 #endif /* CONFIG_TDLS_TESTING */
1156 rbuf = os_zalloc(buf_len + 1);
1158 wpa_tdls_peer_free(sm, peer);
1163 if (!wpa_tdls_get_privacy(sm))
1166 /* Initiator RSN IE */
1167 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1169 ftie = (struct wpa_tdls_ftie *) pos;
1170 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1171 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1173 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1174 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1175 "TDLS: Failed to get random data for initiator Nonce");
1177 wpa_tdls_peer_free(sm, peer);
1180 peer->tk_set = 0; /* A new nonce results in a new TK */
1181 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1182 peer->inonce, WPA_NONCE_LEN);
1183 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1185 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1186 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1188 pos = (u8 *) (ftie + 1);
1190 #ifdef CONFIG_TDLS_TESTING
1191 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1192 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1194 ftie->ie_len += 170;
1195 *pos++ = 255; /* FTIE subelem */
1196 *pos++ = 168; /* FTIE subelem length */
1199 #endif /* CONFIG_TDLS_TESTING */
1202 peer->lifetime = TPK_LIFETIME;
1203 #ifdef CONFIG_TDLS_TESTING
1204 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1205 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1207 peer->lifetime = 301;
1209 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1210 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1212 peer->lifetime = 0xffffffff;
1214 #endif /* CONFIG_TDLS_TESTING */
1215 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1216 sizeof(timeoutie), peer->lifetime);
1217 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1221 #ifdef CONFIG_TDLS_TESTING
1222 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1223 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1225 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1226 wpa_tdls_linkid(sm, peer, l);
1227 l->bssid[5] ^= 0x01;
1230 #endif /* CONFIG_TDLS_TESTING */
1232 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1233 "Handshake Message 1 (peer " MACSTR ")",
1234 MAC2STR(peer->addr));
1236 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1237 1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1244 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1245 const unsigned char *src_addr, u8 dtoken,
1246 struct wpa_tdls_lnkid *lnkid,
1247 const struct wpa_tdls_peer *peer)
1252 struct wpa_tdls_timeoutie timeoutie;
1253 struct wpa_tdls_ftie *ftie;
1257 if (wpa_tdls_get_privacy(sm)) {
1258 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1260 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1261 sizeof(struct wpa_tdls_timeoutie);
1262 #ifdef CONFIG_TDLS_TESTING
1263 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1265 #endif /* CONFIG_TDLS_TESTING */
1268 rbuf = os_zalloc(buf_len + 1);
1273 if (!wpa_tdls_get_privacy(sm))
1277 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1279 ftie = (struct wpa_tdls_ftie *) pos;
1280 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1281 /* TODO: ftie->mic_control to set 2-RESPONSE */
1282 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1283 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1284 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1285 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1286 (u8 *) ftie, sizeof(*ftie));
1288 pos = (u8 *) (ftie + 1);
1290 #ifdef CONFIG_TDLS_TESTING
1291 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1292 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1294 ftie->ie_len += 170;
1295 *pos++ = 255; /* FTIE subelem */
1296 *pos++ = 168; /* FTIE subelem length */
1299 #endif /* CONFIG_TDLS_TESTING */
1302 lifetime = peer->lifetime;
1303 #ifdef CONFIG_TDLS_TESTING
1304 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1305 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1306 "lifetime in response");
1309 #endif /* CONFIG_TDLS_TESTING */
1310 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1311 sizeof(timeoutie), lifetime);
1312 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1315 /* compute MIC before sending */
1316 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1317 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1318 #ifdef CONFIG_TDLS_TESTING
1319 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1320 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1321 ftie->mic[0] ^= 0x01;
1323 #endif /* CONFIG_TDLS_TESTING */
1326 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1327 dtoken, 0, 0, peer->initiator, rbuf,
1335 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1336 const unsigned char *src_addr, u8 dtoken,
1337 struct wpa_tdls_lnkid *lnkid,
1338 const struct wpa_tdls_peer *peer)
1342 struct wpa_tdls_ftie *ftie;
1343 struct wpa_tdls_timeoutie timeoutie;
1349 if (wpa_tdls_get_privacy(sm)) {
1350 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1352 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1353 sizeof(struct wpa_tdls_timeoutie);
1354 #ifdef CONFIG_TDLS_TESTING
1355 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1357 #endif /* CONFIG_TDLS_TESTING */
1360 rbuf = os_zalloc(buf_len + 1);
1365 if (!wpa_tdls_get_privacy(sm))
1369 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1371 ftie = (struct wpa_tdls_ftie *) pos;
1372 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1373 /*TODO: ftie->mic_control to set 3-CONFIRM */
1374 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1375 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1376 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1378 pos = (u8 *) (ftie + 1);
1380 #ifdef CONFIG_TDLS_TESTING
1381 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1382 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1384 ftie->ie_len += 170;
1385 *pos++ = 255; /* FTIE subelem */
1386 *pos++ = 168; /* FTIE subelem length */
1389 #endif /* CONFIG_TDLS_TESTING */
1392 lifetime = peer->lifetime;
1393 #ifdef CONFIG_TDLS_TESTING
1394 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1395 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1396 "lifetime in confirm");
1399 #endif /* CONFIG_TDLS_TESTING */
1400 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1401 sizeof(timeoutie), lifetime);
1402 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1405 /* compute MIC before sending */
1406 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1407 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1408 #ifdef CONFIG_TDLS_TESTING
1409 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1410 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1411 ftie->mic[0] ^= 0x01;
1413 #endif /* CONFIG_TDLS_TESTING */
1417 if (peer->vht_capabilities)
1418 peer_capab |= TDLS_PEER_VHT;
1419 if (peer->ht_capabilities)
1420 peer_capab |= TDLS_PEER_HT;
1421 if (peer->wmm_capable)
1422 peer_capab |= TDLS_PEER_WMM;
1424 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1425 dtoken, 0, peer_capab, peer->initiator,
1433 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1434 struct wpa_tdls_peer *peer,
1438 struct wpa_tdls_timeoutie timeoutie;
1440 u8 *rbuf, *pos, *count_pos;
1442 struct rsn_ie_hdr *hdr;
1445 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1446 "(peer " MACSTR ")", MAC2STR(peer->addr));
1447 if (!wpa_tdls_get_privacy(sm))
1450 /* Filling RSN IE */
1451 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1452 hdr->elem_id = WLAN_EID_RSN;
1453 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1454 pos = (u8 *) (hdr + 1);
1455 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1456 pos += RSN_SELECTOR_LEN;
1462 * AES-CCMP is the default encryption preferred for TDLS, so
1463 * RSN IE is filled only with CCMP cipher suite.
1464 * Note: TKIP is not used to encrypt TDLS link.
1466 * Regardless of the cipher used on the AP connection, select CCMP
1469 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1470 pos += RSN_SELECTOR_LEN;
1472 WPA_PUT_LE16(count_pos, count);
1473 WPA_PUT_LE16(pos, 1);
1475 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1476 pos += RSN_SELECTOR_LEN;
1478 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1479 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1480 WPA_PUT_LE16(pos, rsn_capab);
1482 hdr->len = (pos - (u8 *) hdr) - 2;
1483 peer->rsnie_i_len = pos - peer->rsnie_i;
1485 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1486 (u8 *) hdr, hdr->len + 2);
1489 if (wpa_tdls_get_privacy(sm)) {
1490 /* Peer RSN IE, Lifetime */
1491 buf_len += peer->rsnie_i_len +
1492 sizeof(struct wpa_tdls_timeoutie);
1494 rbuf = os_zalloc(buf_len + 1);
1496 wpa_tdls_peer_free(sm, peer);
1501 if (!wpa_tdls_get_privacy(sm))
1503 /* Initiator RSN IE */
1504 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1506 peer->lifetime = TPK_LIFETIME;
1507 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1508 sizeof(timeoutie), peer->lifetime);
1509 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1511 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1512 dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1520 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1521 const u8 *buf, size_t len)
1523 struct wpa_eapol_ie_parse kde;
1524 const struct wpa_tdls_lnkid *lnkid;
1525 struct wpa_tdls_peer *peer;
1526 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1527 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1530 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1533 if (len < min_req_len) {
1534 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1539 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1542 * Some APs will tack on a weird IE to the end of a TDLS
1543 * discovery request packet. This needn't fail the response,
1544 * since the required IE are verified separately.
1546 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1547 len - (sizeof(struct wpa_tdls_frame) + 1),
1549 wpa_printf(MSG_DEBUG,
1550 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1554 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1559 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1561 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1562 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1563 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1567 peer = wpa_tdls_add_peer(sm, addr, NULL);
1571 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1575 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1577 if (sm->tdls_disabled || !sm->tdls_supported)
1580 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1581 MACSTR, MAC2STR(addr));
1582 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1583 1, 0, 0, 1, NULL, 0);
1587 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1588 struct wpa_tdls_peer *peer)
1590 if (!kde->supp_rates) {
1591 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1594 peer->supp_rates_len = merge_byte_arrays(
1595 peer->supp_rates, sizeof(peer->supp_rates),
1596 kde->supp_rates + 2, kde->supp_rates_len - 2,
1597 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1598 kde->ext_supp_rates_len - 2);
1603 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1604 struct wpa_tdls_peer *peer)
1606 if (!kde->ht_capabilities) {
1607 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1612 if (!peer->ht_capabilities) {
1613 peer->ht_capabilities =
1614 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1615 if (peer->ht_capabilities == NULL)
1619 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1620 sizeof(struct ieee80211_ht_capabilities));
1621 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1622 (u8 *) peer->ht_capabilities,
1623 sizeof(struct ieee80211_ht_capabilities));
1629 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1630 struct wpa_tdls_peer *peer)
1632 if (!kde->vht_capabilities) {
1633 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1638 if (!peer->vht_capabilities) {
1639 peer->vht_capabilities =
1640 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1641 if (peer->vht_capabilities == NULL)
1645 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1646 sizeof(struct ieee80211_vht_capabilities));
1647 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1648 (u8 *) peer->vht_capabilities,
1649 sizeof(struct ieee80211_vht_capabilities));
1655 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1656 struct wpa_tdls_peer *peer)
1658 if (!kde->ext_capab) {
1659 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1664 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1665 /* Need to allocate buffer to fit the new information */
1666 os_free(peer->ext_capab);
1667 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1668 if (peer->ext_capab == NULL)
1672 peer->ext_capab_len = kde->ext_capab_len - 2;
1673 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1679 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1680 struct wpa_tdls_peer *peer)
1682 struct wmm_information_element *wmm;
1685 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1689 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1690 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1694 wmm = (struct wmm_information_element *) kde->wmm;
1695 peer->qos_info = wmm->qos_info;
1697 peer->wmm_capable = 1;
1699 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1704 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1705 struct wpa_tdls_peer *peer)
1707 if (!kde->supp_channels) {
1708 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1712 if (!peer->supp_channels ||
1713 peer->supp_channels_len < kde->supp_channels_len) {
1714 os_free(peer->supp_channels);
1715 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1716 if (peer->supp_channels == NULL)
1720 peer->supp_channels_len = kde->supp_channels_len;
1722 os_memcpy(peer->supp_channels, kde->supp_channels,
1723 peer->supp_channels_len);
1724 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1725 (u8 *) peer->supp_channels, peer->supp_channels_len);
1730 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1731 struct wpa_tdls_peer *peer)
1733 if (!kde->supp_oper_classes) {
1734 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1738 if (!peer->supp_oper_classes ||
1739 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1740 os_free(peer->supp_oper_classes);
1741 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1742 if (peer->supp_oper_classes == NULL)
1746 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1747 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1748 peer->supp_oper_classes_len);
1749 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1750 (u8 *) peer->supp_oper_classes,
1751 peer->supp_oper_classes_len);
1756 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1759 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1761 peer->supp_rates, peer->supp_rates_len,
1762 peer->ht_capabilities,
1763 peer->vht_capabilities,
1764 peer->qos_info, peer->wmm_capable,
1765 peer->ext_capab, peer->ext_capab_len,
1766 peer->supp_channels,
1767 peer->supp_channels_len,
1768 peer->supp_oper_classes,
1769 peer->supp_oper_classes_len);
1773 static int tdls_nonce_set(const u8 *nonce)
1777 for (i = 0; i < WPA_NONCE_LEN; i++) {
1786 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1787 const u8 *buf, size_t len)
1789 struct wpa_tdls_peer *peer;
1790 struct wpa_eapol_ie_parse kde;
1791 struct wpa_ie_data ie;
1794 struct wpa_tdls_ftie *ftie = NULL;
1795 struct wpa_tdls_timeoutie *timeoutie;
1796 struct wpa_tdls_lnkid *lnkid;
1799 struct rsn_ie_hdr *hdr;
1806 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1807 int tdls_prohibited = sm->tdls_prohibited;
1808 int existing_peer = 0;
1814 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1816 /* driver had already verified the frame format */
1817 dtoken = *cpos++; /* dialog token */
1819 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1821 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1825 /* If found, use existing entry instead of adding a new one;
1826 * how to handle the case where both ends initiate at the
1828 if (existing_peer) {
1829 if (peer->tpk_success) {
1830 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1831 "direct link is enabled - tear down the "
1833 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1834 wpa_tdls_peer_clear(sm, peer);
1835 } else if (peer->initiator) {
1837 * An entry is already present, so check if we already
1838 * sent a TDLS Setup Request. If so, compare MAC
1839 * addresses and let the STA with the lower MAC address
1840 * continue as the initiator. The other negotiation is
1843 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1844 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1845 "from peer with higher address "
1846 MACSTR, MAC2STR(src_addr));
1849 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1850 "from peer with lower address "
1851 MACSTR " (terminate previously "
1852 "initiated negotiation",
1854 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1856 wpa_tdls_peer_clear(sm, peer);
1861 /* capability information */
1862 peer->capability = WPA_GET_LE16(cpos);
1865 ielen = len - (cpos - buf); /* start of IE in buf */
1868 * Don't reject the message if failing to parse IEs. The IEs we need are
1869 * explicitly checked below. Some APs may add arbitrary padding to the
1870 * end of short TDLS frames and that would look like invalid IEs.
1872 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1873 wpa_printf(MSG_DEBUG,
1874 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1876 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1877 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1881 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1882 kde.lnkid, kde.lnkid_len);
1883 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1884 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1885 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1886 status = WLAN_STATUS_REQUEST_DECLINED;
1890 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1893 if (copy_supp_rates(&kde, peer) < 0)
1896 if (copy_peer_ht_capab(&kde, peer) < 0)
1899 if (copy_peer_vht_capab(&kde, peer) < 0)
1902 if (copy_peer_ext_capab(&kde, peer) < 0)
1905 if (copy_peer_supp_channels(&kde, peer) < 0)
1908 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1911 peer->qos_info = kde.qosinfo;
1913 /* Overwrite with the qos_info obtained in WMM IE */
1914 if (copy_peer_wmm_capab(&kde, peer) < 0)
1917 peer->aid = kde.aid;
1919 #ifdef CONFIG_TDLS_TESTING
1920 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1921 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1924 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1925 "TDLS setup - send own request");
1926 peer->initiator = 1;
1927 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1928 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
1929 wpa_tdls_send_tpk_m1(sm, peer);
1932 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1934 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1936 tdls_prohibited = 0;
1938 #endif /* CONFIG_TDLS_TESTING */
1940 if (tdls_prohibited) {
1941 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1942 status = WLAN_STATUS_REQUEST_DECLINED;
1946 if (!wpa_tdls_get_privacy(sm)) {
1948 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1949 "security is disabled");
1950 status = WLAN_STATUS_SECURITY_DISABLED;
1956 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1957 kde.rsn_ie == NULL) {
1958 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1959 status = WLAN_STATUS_INVALID_PARAMETERS;
1963 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
1964 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
1966 status = WLAN_STATUS_INVALID_RSNIE;
1970 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1971 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
1972 status = WLAN_STATUS_INVALID_RSNIE;
1976 cipher = ie.pairwise_cipher;
1977 if (cipher & WPA_CIPHER_CCMP) {
1978 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1979 cipher = WPA_CIPHER_CCMP;
1981 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
1982 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1986 if ((ie.capabilities &
1987 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
1988 WPA_CAPABILITY_PEERKEY_ENABLED) {
1989 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
1991 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
1996 if (kde.key_lifetime == NULL) {
1997 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
1998 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2001 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2002 lifetime = WPA_GET_LE32(timeoutie->value);
2003 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
2004 if (lifetime < 300) {
2005 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2006 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2011 #ifdef CONFIG_TDLS_TESTING
2012 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2013 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2015 * The request frame from us is going to win, so do not
2016 * replace information based on this request frame from
2019 goto skip_rsn_check;
2022 #endif /* CONFIG_TDLS_TESTING */
2024 peer->initiator = 0; /* Need to check */
2025 peer->dtoken = dtoken;
2027 if (!wpa_tdls_get_privacy(sm)) {
2028 peer->rsnie_i_len = 0;
2029 peer->rsnie_p_len = 0;
2030 peer->cipher = WPA_CIPHER_NONE;
2031 goto skip_rsn_check;
2034 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2035 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2036 peer->rsnie_i_len = kde.rsn_ie_len;
2037 peer->cipher = cipher;
2039 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2040 !tdls_nonce_set(peer->inonce)) {
2042 * There is no point in updating the RNonce for every obtained
2043 * TPK M1 frame (e.g., retransmission due to timeout) with the
2044 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2045 * retransmitted with a different INonce, update the RNonce
2046 * since this is for a new TDLS session.
2048 wpa_printf(MSG_DEBUG,
2049 "TDLS: New TPK M1 INonce - generate new RNonce");
2050 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2051 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2052 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2053 "TDLS: Failed to get random data for responder nonce");
2056 peer->tk_set = 0; /* A new nonce results in a new TK */
2060 /* get version info from RSNIE received from Peer */
2061 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2062 rsn_ver = WPA_GET_LE16(hdr->version);
2064 /* use min(peer's version, out version) */
2065 if (rsn_ver > RSN_VERSION)
2066 rsn_ver = RSN_VERSION;
2068 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2070 hdr->elem_id = WLAN_EID_RSN;
2071 WPA_PUT_LE16(hdr->version, rsn_ver);
2072 pos = (u8 *) (hdr + 1);
2074 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2075 pos += RSN_SELECTOR_LEN;
2076 /* Include only the selected cipher in pairwise cipher suite */
2077 WPA_PUT_LE16(pos, 1);
2079 if (cipher == WPA_CIPHER_CCMP)
2080 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2081 pos += RSN_SELECTOR_LEN;
2083 WPA_PUT_LE16(pos, 1);
2085 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2086 pos += RSN_SELECTOR_LEN;
2088 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2089 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2090 WPA_PUT_LE16(pos, rsn_capab);
2093 hdr->len = (pos - peer->rsnie_p) - 2;
2094 peer->rsnie_p_len = pos - peer->rsnie_p;
2097 /* temp fix: validation of RSNIE later */
2098 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2099 peer->rsnie_p_len = peer->rsnie_i_len;
2101 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2102 peer->rsnie_p, peer->rsnie_p_len);
2104 peer->lifetime = lifetime;
2106 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2109 #ifdef CONFIG_TDLS_TESTING
2110 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2112 #endif /* CONFIG_TDLS_TESTING */
2114 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2115 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2118 #ifdef CONFIG_TDLS_TESTING
2120 #endif /* CONFIG_TDLS_TESTING */
2121 peer->tpk_in_progress = 1;
2123 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2124 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2125 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2132 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2135 wpa_tdls_peer_free(sm, peer);
2140 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2142 peer->tpk_success = 1;
2143 peer->tpk_in_progress = 0;
2144 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2145 if (wpa_tdls_get_privacy(sm)) {
2146 u32 lifetime = peer->lifetime;
2148 * Start the initiator process a bit earlier to avoid race
2149 * condition with the responder sending teardown request.
2151 if (lifetime > 3 && peer->initiator)
2153 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2155 #ifdef CONFIG_TDLS_TESTING
2156 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2157 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
2159 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2161 #endif /* CONFIG_TDLS_TESTING */
2164 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2165 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2169 peer->reconfig_key = 0;
2171 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2175 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2176 const u8 *buf, size_t len)
2178 struct wpa_tdls_peer *peer;
2179 struct wpa_eapol_ie_parse kde;
2180 struct wpa_ie_data ie;
2182 struct wpa_tdls_ftie *ftie;
2183 struct wpa_tdls_timeoutie *timeoutie;
2184 struct wpa_tdls_lnkid *lnkid;
2192 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2193 "(Peer " MACSTR ")", MAC2STR(src_addr));
2194 for (peer = sm->tdls; peer; peer = peer->next) {
2195 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2199 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2200 "TPK M2: " MACSTR, MAC2STR(src_addr));
2203 if (!peer->initiator) {
2205 * This may happen if both devices try to initiate TDLS at the
2206 * same time and we accept the TPK M1 from the peer in
2207 * wpa_tdls_process_tpk_m1() and clear our previous state.
2209 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2210 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2214 if (peer->tpk_success) {
2215 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2216 MACSTR " as TPK M3 was already sent",
2221 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2223 if (len < 3 + 2 + 1) {
2224 wpa_tdls_disable_peer_link(sm, peer);
2229 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2230 status = WPA_GET_LE16(pos);
2231 pos += 2 /* status code */;
2233 if (status != WLAN_STATUS_SUCCESS) {
2234 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2236 wpa_tdls_disable_peer_link(sm, peer);
2240 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2242 /* TODO: need to verify dialog token matches here or in kernel */
2243 dtoken = *pos++; /* dialog token */
2245 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2247 if (len < 3 + 2 + 1 + 2) {
2248 wpa_tdls_disable_peer_link(sm, peer);
2252 /* capability information */
2253 peer->capability = WPA_GET_LE16(pos);
2256 ielen = len - (pos - buf); /* start of IE in buf */
2259 * Don't reject the message if failing to parse IEs. The IEs we need are
2260 * explicitly checked below. Some APs may add arbitrary padding to the
2261 * end of short TDLS frames and that would look like invalid IEs.
2263 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2264 wpa_printf(MSG_DEBUG,
2265 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2267 #ifdef CONFIG_TDLS_TESTING
2268 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2269 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2270 status = WLAN_STATUS_REQUEST_DECLINED;
2273 #endif /* CONFIG_TDLS_TESTING */
2275 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2276 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2280 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2281 kde.lnkid, kde.lnkid_len);
2282 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2284 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2285 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2286 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2290 if (copy_supp_rates(&kde, peer) < 0)
2293 if (copy_peer_ht_capab(&kde, peer) < 0)
2296 if (copy_peer_vht_capab(&kde, peer) < 0)
2299 if (copy_peer_ext_capab(&kde, peer) < 0)
2302 if (copy_peer_supp_channels(&kde, peer) < 0)
2305 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2308 peer->qos_info = kde.qosinfo;
2310 /* Overwrite with the qos_info obtained in WMM IE */
2311 if (copy_peer_wmm_capab(&kde, peer) < 0)
2314 peer->aid = kde.aid;
2316 if (!wpa_tdls_get_privacy(sm)) {
2317 peer->rsnie_p_len = 0;
2318 peer->cipher = WPA_CIPHER_NONE;
2322 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2323 kde.rsn_ie == NULL) {
2324 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2325 status = WLAN_STATUS_INVALID_PARAMETERS;
2328 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2329 kde.rsn_ie, kde.rsn_ie_len);
2331 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2332 wpa_printf(MSG_INFO,
2333 "TDLS: Too long Responder RSN IE in TPK M2");
2334 status = WLAN_STATUS_INVALID_RSNIE;
2339 * FIX: bitwise comparison of RSN IE is not the correct way of
2340 * validation this. It can be different, but certain fields must
2341 * match. Since we list only a single pairwise cipher in TPK M1, the
2342 * memcmp is likely to work in most cases, though.
2344 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2345 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2346 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2347 "not match with RSN IE used in TPK M1");
2348 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2349 peer->rsnie_i, peer->rsnie_i_len);
2350 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2351 kde.rsn_ie, kde.rsn_ie_len);
2352 status = WLAN_STATUS_INVALID_RSNIE;
2356 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2357 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2358 status = WLAN_STATUS_INVALID_RSNIE;
2362 cipher = ie.pairwise_cipher;
2363 if (cipher == WPA_CIPHER_CCMP) {
2364 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2365 cipher = WPA_CIPHER_CCMP;
2367 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2368 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2372 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2373 kde.ftie, sizeof(*ftie));
2374 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2376 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2377 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2378 "not match with FTIE SNonce used in TPK M1");
2379 /* Silently discard the frame */
2383 /* Responder Nonce and RSN IE */
2384 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2385 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2386 peer->rsnie_p_len = kde.rsn_ie_len;
2387 peer->cipher = cipher;
2390 if (kde.key_lifetime == NULL) {
2391 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2392 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2395 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2396 lifetime = WPA_GET_LE32(timeoutie->value);
2397 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2399 if (lifetime != peer->lifetime) {
2400 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2401 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2402 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2406 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2408 /* Process MIC check to see if TPK M2 is right */
2409 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2410 (u8 *) timeoutie, ftie) < 0) {
2411 /* Discard the frame */
2412 wpa_tdls_del_key(sm, peer);
2413 wpa_tdls_disable_peer_link(sm, peer);
2417 if (wpa_tdls_set_key(sm, peer) < 0) {
2419 * Some drivers may not be able to config the key prior to full
2420 * STA entry having been configured.
2422 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2423 "STA entry is complete");
2424 peer->reconfig_key = 1;
2428 peer->dtoken = dtoken;
2430 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2431 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2434 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2435 "TPK Handshake Message 3");
2436 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2439 if (!peer->tpk_success) {
2441 * Enable Link only when tpk_success is 0, signifying that this
2442 * processing of TPK M2 frame is not because of a retransmission
2443 * during TDLS setup handshake.
2445 ret = wpa_tdls_enable_link(sm, peer);
2447 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2448 wpa_tdls_do_teardown(
2450 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2456 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2459 wpa_tdls_disable_peer_link(sm, peer);
2464 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2465 const u8 *buf, size_t len)
2467 struct wpa_tdls_peer *peer;
2468 struct wpa_eapol_ie_parse kde;
2469 struct wpa_tdls_ftie *ftie;
2470 struct wpa_tdls_timeoutie *timeoutie;
2471 struct wpa_tdls_lnkid *lnkid;
2478 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2479 "(Peer " MACSTR ")", MAC2STR(src_addr));
2480 for (peer = sm->tdls; peer; peer = peer->next) {
2481 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2485 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2486 "TPK M3: " MACSTR, MAC2STR(src_addr));
2489 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2494 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2496 status = WPA_GET_LE16(pos);
2499 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2503 pos += 2 /* status code */ + 1 /* dialog token */;
2505 ielen = len - (pos - buf); /* start of IE in buf */
2508 * Don't reject the message if failing to parse IEs. The IEs we need are
2509 * explicitly checked below. Some APs piggy-back broken IEs to the end
2510 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2513 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2514 wpa_printf(MSG_DEBUG,
2515 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2518 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2519 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2522 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2523 (u8 *) kde.lnkid, kde.lnkid_len);
2524 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2526 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2527 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2531 if (!wpa_tdls_get_privacy(sm))
2534 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2535 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2538 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2539 kde.ftie, sizeof(*ftie));
2540 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2542 if (kde.rsn_ie == NULL) {
2543 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2546 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2547 kde.rsn_ie, kde.rsn_ie_len);
2548 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2549 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2550 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2551 "with the one sent in TPK M2");
2555 if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2556 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2557 "not match with FTIE ANonce used in TPK M2");
2561 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2562 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2563 "match with FTIE SNonce used in TPK M1");
2567 if (kde.key_lifetime == NULL) {
2568 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2571 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2572 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2573 (u8 *) timeoutie, sizeof(*timeoutie));
2574 lifetime = WPA_GET_LE32(timeoutie->value);
2575 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2577 if (lifetime != peer->lifetime) {
2578 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2579 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2583 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2584 (u8 *) timeoutie, ftie) < 0) {
2585 wpa_tdls_del_key(sm, peer);
2589 if (wpa_tdls_set_key(sm, peer) < 0) {
2591 * Some drivers may not be able to config the key prior to full
2592 * STA entry having been configured.
2594 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2595 "STA entry is complete");
2596 peer->reconfig_key = 1;
2600 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2601 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2604 if (!peer->tpk_success) {
2606 * Enable Link only when tpk_success is 0, signifying that this
2607 * processing of TPK M3 frame is not because of a retransmission
2608 * during TDLS setup handshake.
2610 ret = wpa_tdls_enable_link(sm, peer);
2612 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2618 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2623 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2625 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2627 os_memset(lifetime, 0, ie_len);
2628 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2629 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2630 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2631 WPA_PUT_LE32(lifetime->value, tsecs);
2632 os_memcpy(pos, ie, ie_len);
2633 return pos + ie_len;
2638 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2639 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2640 * @peer: MAC address of the peer STA
2641 * Returns: 0 on success, or -1 on failure
2643 * Send TPK Handshake Message 1 info to driver to start TDLS
2644 * handshake with the peer.
2646 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2648 struct wpa_tdls_peer *peer;
2649 int tdls_prohibited = sm->tdls_prohibited;
2651 if (sm->tdls_disabled || !sm->tdls_supported)
2654 #ifdef CONFIG_TDLS_TESTING
2655 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2657 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2659 tdls_prohibited = 0;
2661 #endif /* CONFIG_TDLS_TESTING */
2663 if (tdls_prohibited) {
2664 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2665 "reject request to start setup");
2669 peer = wpa_tdls_add_peer(sm, addr, NULL);
2673 if (peer->tpk_in_progress) {
2674 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2678 peer->initiator = 1;
2680 /* add the peer to the driver as a "setup in progress" peer */
2681 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2682 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) {
2683 wpa_tdls_disable_peer_link(sm, peer);
2687 peer->tpk_in_progress = 1;
2689 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
2690 wpa_tdls_disable_peer_link(sm, peer);
2698 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2700 struct wpa_tdls_peer *peer;
2702 if (sm->tdls_disabled || !sm->tdls_supported)
2705 for (peer = sm->tdls; peer; peer = peer->next) {
2706 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2710 if (peer == NULL || !peer->tpk_success)
2713 if (sm->tdls_external_setup) {
2715 * Disable previous link to allow renegotiation to be completed
2718 wpa_tdls_do_teardown(sm, peer,
2719 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2725 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2727 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2729 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2730 const u8 *buf, size_t len)
2732 struct wpa_sm *sm = ctx;
2733 struct wpa_tdls_frame *tf;
2735 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2738 if (sm->tdls_disabled || !sm->tdls_supported) {
2739 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2740 "or unsupported by driver");
2744 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2745 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2749 if (len < sizeof(*tf)) {
2750 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2754 /* Check to make sure its a valid encapsulated TDLS frame */
2755 tf = (struct wpa_tdls_frame *) buf;
2756 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2757 tf->category != WLAN_ACTION_TDLS) {
2758 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2759 "category=%u action=%u",
2760 tf->payloadtype, tf->category, tf->action);
2764 switch (tf->action) {
2765 case WLAN_TDLS_SETUP_REQUEST:
2766 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2768 case WLAN_TDLS_SETUP_RESPONSE:
2769 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2771 case WLAN_TDLS_SETUP_CONFIRM:
2772 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2774 case WLAN_TDLS_TEARDOWN:
2775 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2777 case WLAN_TDLS_DISCOVERY_REQUEST:
2778 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2781 /* Kernel code will process remaining frames */
2782 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2790 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2791 * @wpa_s: Pointer to wpa_supplicant data
2792 * Returns: 0 on success, -1 on failure
2794 * This function is called to initialize driver interface parameters for TDLS.
2795 * wpa_drv_init() must have been called before this function to initialize the
2798 int wpa_tdls_init(struct wpa_sm *sm)
2803 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2806 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2808 if (sm->l2_tdls == NULL) {
2809 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2815 * Drivers that support TDLS but don't implement the get_capa callback
2816 * are assumed to perform everything internally
2818 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2819 &sm->tdls_external_setup,
2820 &sm->tdls_chan_switch) < 0) {
2821 sm->tdls_supported = 1;
2822 sm->tdls_external_setup = 0;
2825 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2826 "driver", sm->tdls_supported ? "" : " not");
2827 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2828 sm->tdls_external_setup ? "external" : "internal");
2829 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
2830 sm->tdls_chan_switch ? "supports" : "does not support");
2836 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2838 struct wpa_tdls_peer *peer, *tmp;
2844 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2848 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2849 MAC2STR(peer->addr));
2850 if (sm->tdls_external_setup)
2851 wpa_tdls_do_teardown(sm, peer,
2852 WLAN_REASON_DEAUTH_LEAVING);
2854 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2861 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2863 struct wpa_tdls_peer *peer, *tmp;
2870 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2871 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2872 MAC2STR(peer->addr), res);
2873 wpa_tdls_peer_free(sm, peer);
2880 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2882 * This function is called to recover driver interface parameters for TDLS
2883 * and frees resources allocated for it.
2885 void wpa_tdls_deinit(struct wpa_sm *sm)
2891 l2_packet_deinit(sm->l2_tdls);
2894 wpa_tdls_remove_peers(sm);
2898 void wpa_tdls_assoc(struct wpa_sm *sm)
2900 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2901 wpa_tdls_remove_peers(sm);
2905 void wpa_tdls_disassoc(struct wpa_sm *sm)
2907 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2908 wpa_tdls_remove_peers(sm);
2912 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
2914 /* bit 38 - TDLS Prohibited */
2915 return !!(elems->ext_capab[2 + 4] & 0x40);
2919 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
2921 /* bit 39 - TDLS Channel Switch Prohibited */
2922 return !!(elems->ext_capab[2 + 4] & 0x80);
2926 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2928 struct ieee802_11_elems elems;
2930 sm->tdls_prohibited = 0;
2931 sm->tdls_chan_switch_prohibited = 0;
2934 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2935 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2938 sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
2939 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2940 sm->tdls_prohibited ? "prohibited" : "allowed");
2941 sm->tdls_chan_switch_prohibited =
2942 wpa_tdls_chan_switch_prohibited(&elems);
2943 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
2944 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
2948 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2950 struct ieee802_11_elems elems;
2953 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2954 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2957 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
2958 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
2959 "(Re)Association Response IEs");
2960 sm->tdls_prohibited = 1;
2963 if (!sm->tdls_chan_switch_prohibited &&
2964 wpa_tdls_chan_switch_prohibited(&elems)) {
2965 wpa_printf(MSG_DEBUG,
2966 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
2967 sm->tdls_chan_switch_prohibited = 1;
2972 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
2974 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
2975 sm->tdls_disabled = !enabled;
2979 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
2981 return sm->tdls_external_setup;
2985 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
2987 struct hostapd_freq_params *freq_params)
2989 struct wpa_tdls_peer *peer;
2992 if (sm->tdls_disabled || !sm->tdls_supported)
2995 if (!sm->tdls_chan_switch) {
2996 wpa_printf(MSG_DEBUG,
2997 "TDLS: Channel switching not supported by the driver");
3001 if (sm->tdls_chan_switch_prohibited) {
3002 wpa_printf(MSG_DEBUG,
3003 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3007 for (peer = sm->tdls; peer; peer = peer->next) {
3008 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3012 if (peer == NULL || !peer->tpk_success) {
3013 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
3014 " not found for channel switching", MAC2STR(addr));
3018 if (peer->chan_switch_enabled) {
3019 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
3020 " already has channel switching enabled",
3025 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3026 oper_class, freq_params);
3028 peer->chan_switch_enabled = 1;
3034 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3036 struct wpa_tdls_peer *peer;
3038 if (sm->tdls_disabled || !sm->tdls_supported)
3041 for (peer = sm->tdls; peer; peer = peer->next) {
3042 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3046 if (!peer || !peer->chan_switch_enabled) {
3047 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3048 MACSTR, MAC2STR(addr));
3052 /* ignore the return value */
3053 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3055 peer->chan_switch_enabled = 0;