2 * wpa_supplicant - TDLS
3 * Copyright (c) 2010-2011, Atheros Communications
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 unsigned int tdls_testing = 0;
39 #endif /* CONFIG_TDLS_TESTING */
41 #define TPK_LIFETIME 43200 /* 12 hours */
42 #define TPK_M1_RETRY_COUNT 3
43 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
44 #define TPK_M2_RETRY_COUNT 10
45 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47 #define TDLS_MIC_LEN 16
49 #define TDLS_TIMEOUT_LEN 4
51 struct wpa_tdls_ftie {
52 u8 ie_type; /* FTIE */
56 u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
57 u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
58 /* followed by optional elements */
61 struct wpa_tdls_timeoutie {
62 u8 ie_type; /* Timeout IE */
65 u8 value[TDLS_TIMEOUT_LEN];
68 struct wpa_tdls_lnkid {
69 u8 ie_type; /* Link Identifier IE */
72 u8 init_sta[ETH_ALEN];
73 u8 resp_sta[ETH_ALEN];
76 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
77 struct wpa_tdls_frame {
78 u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
79 u8 category; /* Category */
80 u8 action; /* Action (enum tdls_frame_type) */
83 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
84 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
85 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
86 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
87 struct wpa_tdls_peer *peer);
88 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
92 #define TDLS_MAX_IE_LEN 80
93 #define IEEE80211_MAX_SUPP_RATES 32
95 struct wpa_tdls_peer {
96 struct wpa_tdls_peer *next;
97 unsigned int reconfig_key:1;
98 int initiator; /* whether this end was initiator for TDLS setup */
99 u8 addr[ETH_ALEN]; /* other end MAC address */
100 u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
101 u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
102 u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
107 int cipher; /* Selected cipher (WPA_CIPHER_*) */
111 u8 kck[16]; /* TPK-KCK */
112 u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
115 int tk_set; /* TPK-TK configured to the driver */
121 int count; /* Retry Count */
122 int timer; /* Timeout in milliseconds */
123 u8 action_code; /* TDLS frame type */
127 int buf_len; /* length of TPK message for retransmission */
128 u8 *buf; /* buffer for TPK message */
133 u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
134 size_t supp_rates_len;
136 struct ieee80211_ht_capabilities *ht_capabilities;
137 struct ieee80211_vht_capabilities *vht_capabilities;
144 size_t ext_capab_len;
147 size_t supp_channels_len;
149 u8 *supp_oper_classes;
150 size_t supp_oper_classes_len;
154 /* channel switch currently enabled */
155 int chan_switch_enabled;
159 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
162 * Get info needed from supplicant to check if the current BSS supports
163 * security. Other than OPEN mode, rest are considered secured
164 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
166 return sm->pairwise_cipher != WPA_CIPHER_NONE;
170 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
172 os_memcpy(pos, ie, ie_len);
177 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
179 if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
180 0, 0, NULL, 0, NULL, 0) < 0) {
181 wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
190 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
198 * This same TPK-TK has already been configured to the driver
199 * and this new configuration attempt (likely due to an
200 * unexpected retransmitted frame) would result in clearing
201 * the TX/RX sequence number which can break security, so must
202 * not allow that to happen.
204 wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
205 " has already been configured to the driver - do not reconfigure",
206 MAC2STR(peer->addr));
210 os_memset(rsc, 0, 6);
212 switch (peer->cipher) {
213 case WPA_CIPHER_CCMP:
217 case WPA_CIPHER_NONE:
218 wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
219 "NONE - do not use pairwise keys");
222 wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
223 sm->pairwise_cipher);
227 wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
228 MAC2STR(peer->addr));
229 if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
230 rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
231 wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
240 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
241 u8 action_code, u8 dialog_token,
242 u16 status_code, u32 peer_capab,
243 int initiator, const u8 *buf, size_t len)
245 return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
246 status_code, peer_capab, initiator, buf,
251 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
252 u8 dialog_token, u16 status_code, u32 peer_capab,
253 int initiator, const u8 *msg, size_t msg_len)
255 struct wpa_tdls_peer *peer;
257 wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
258 "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
260 MAC2STR(dest), action_code, dialog_token, status_code,
261 peer_capab, initiator, (unsigned int) msg_len);
263 if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
264 status_code, peer_capab, initiator, msg,
266 wpa_printf(MSG_INFO, "TDLS: Failed to send message "
267 "(action_code=%u)", action_code);
271 if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
272 action_code == WLAN_TDLS_TEARDOWN ||
273 action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
274 action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
275 return 0; /* No retries */
277 for (peer = sm->tdls; peer; peer = peer->next) {
278 if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
283 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
284 "retry " MACSTR, MAC2STR(dest));
288 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
290 if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
291 peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
292 peer->sm_tmr.timer = TPK_M2_TIMEOUT;
294 peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
295 peer->sm_tmr.timer = TPK_M1_TIMEOUT;
298 /* Copy message to resend on timeout */
299 os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
300 peer->sm_tmr.action_code = action_code;
301 peer->sm_tmr.dialog_token = dialog_token;
302 peer->sm_tmr.status_code = status_code;
303 peer->sm_tmr.peer_capab = peer_capab;
304 peer->sm_tmr.buf_len = msg_len;
305 os_free(peer->sm_tmr.buf);
306 peer->sm_tmr.buf = os_malloc(msg_len);
307 if (peer->sm_tmr.buf == NULL)
309 os_memcpy(peer->sm_tmr.buf, msg, msg_len);
311 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
312 "(action_code=%u)", action_code);
313 eloop_register_timeout(peer->sm_tmr.timer / 1000,
314 (peer->sm_tmr.timer % 1000) * 1000,
315 wpa_tdls_tpk_retry_timeout, sm, peer);
320 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
325 ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
326 /* disable the link after teardown was sent */
327 wpa_tdls_disable_peer_link(sm, peer);
333 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
336 struct wpa_sm *sm = eloop_ctx;
337 struct wpa_tdls_peer *peer = timeout_ctx;
339 if (peer->sm_tmr.count) {
340 peer->sm_tmr.count--;
342 wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
344 peer->sm_tmr.action_code);
346 if (peer->sm_tmr.buf == NULL) {
347 wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
348 "for action_code=%u",
349 peer->sm_tmr.action_code);
350 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
355 /* resend TPK Handshake Message to Peer */
356 if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
357 peer->sm_tmr.action_code,
358 peer->sm_tmr.dialog_token,
359 peer->sm_tmr.status_code,
360 peer->sm_tmr.peer_capab,
363 peer->sm_tmr.buf_len)) {
364 wpa_printf(MSG_INFO, "TDLS: Failed to retry "
368 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
369 eloop_register_timeout(peer->sm_tmr.timer / 1000,
370 (peer->sm_tmr.timer % 1000) * 1000,
371 wpa_tdls_tpk_retry_timeout, sm, peer);
373 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
375 wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
376 wpa_tdls_do_teardown(sm, peer,
377 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
382 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
383 struct wpa_tdls_peer *peer,
386 if (action_code == peer->sm_tmr.action_code) {
387 wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
388 "action_code=%u", action_code);
390 /* Cancel Timeout registered */
391 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
393 /* free all resources meant for retry */
394 os_free(peer->sm_tmr.buf);
395 peer->sm_tmr.buf = NULL;
397 peer->sm_tmr.count = 0;
398 peer->sm_tmr.timer = 0;
399 peer->sm_tmr.buf_len = 0;
400 peer->sm_tmr.action_code = 0xff;
402 wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
403 "(Unknown action_code=%u)", action_code);
408 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
409 const u8 *own_addr, const u8 *bssid)
411 u8 key_input[SHA256_MAC_LEN];
414 u8 data[3 * ETH_ALEN];
416 /* IEEE Std 802.11z-2010 8.5.9.1:
417 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
419 len[0] = WPA_NONCE_LEN;
420 len[1] = WPA_NONCE_LEN;
421 if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
422 nonce[0] = peer->inonce;
423 nonce[1] = peer->rnonce;
425 nonce[0] = peer->rnonce;
426 nonce[1] = peer->inonce;
428 wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
429 wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
430 sha256_vector(2, nonce, len, key_input);
431 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
432 key_input, SHA256_MAC_LEN);
435 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
436 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
437 * TODO: is N_KEY really included in KDF Context and if so, in which
438 * presentation format (little endian 16-bit?) is it used? It gets
439 * added by the KDF anyway..
442 if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
443 os_memcpy(data, own_addr, ETH_ALEN);
444 os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
446 os_memcpy(data, peer->addr, ETH_ALEN);
447 os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
449 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
450 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
452 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
453 (u8 *) &peer->tpk, sizeof(peer->tpk));
454 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
455 peer->tpk.kck, sizeof(peer->tpk.kck));
456 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
457 peer->tpk.tk, sizeof(peer->tpk.tk));
463 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
465 * @lnkid: Pointer to the beginning of Link Identifier IE
466 * @rsnie: Pointer to the beginning of RSN IE used for handshake
467 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
468 * @ftie: Pointer to the beginning of FT IE
469 * @mic: Pointer for writing MIC
471 * Calculate MIC for TDLS frame.
473 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
474 const u8 *rsnie, const u8 *timeoutie,
475 const u8 *ftie, u8 *mic)
478 struct wpa_tdls_ftie *_ftie;
479 const struct wpa_tdls_lnkid *_lnkid;
481 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
482 2 + timeoutie[1] + 2 + ftie[1];
483 buf = os_zalloc(len);
485 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
490 _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
491 /* 1) TDLS initiator STA MAC address */
492 os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
494 /* 2) TDLS responder STA MAC address */
495 os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
497 /* 3) Transaction Sequence number */
499 /* 4) Link Identifier IE */
500 os_memcpy(pos, lnkid, 2 + lnkid[1]);
503 os_memcpy(pos, rsnie, 2 + rsnie[1]);
505 /* 6) Timeout Interval IE */
506 os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
507 pos += 2 + timeoutie[1];
508 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
509 os_memcpy(pos, ftie, 2 + ftie[1]);
510 _ftie = (struct wpa_tdls_ftie *) pos;
511 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
514 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
515 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
516 ret = omac1_aes_128(kck, buf, pos - buf, mic);
518 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
524 * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
526 * @trans_seq: Transaction Sequence Number (4 - Teardown)
527 * @rcode: Reason code for Teardown
528 * @dtoken: Dialog Token used for that particular link
529 * @lnkid: Pointer to the beginning of Link Identifier IE
530 * @ftie: Pointer to the beginning of FT IE
531 * @mic: Pointer for writing MIC
533 * Calculate MIC for TDLS frame.
535 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
536 u8 dtoken, const u8 *lnkid,
537 const u8 *ftie, u8 *mic)
540 struct wpa_tdls_ftie *_ftie;
547 len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
548 sizeof(trans_seq) + 2 + ftie[1];
550 buf = os_zalloc(len);
552 wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
557 /* 1) Link Identifier IE */
558 os_memcpy(pos, lnkid, 2 + lnkid[1]);
561 WPA_PUT_LE16(pos, rcode);
562 pos += sizeof(rcode);
563 /* 3) Dialog token */
565 /* 4) Transaction Sequence number */
567 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
568 os_memcpy(pos, ftie, 2 + ftie[1]);
569 _ftie = (struct wpa_tdls_ftie *) pos;
570 os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
573 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
574 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
575 ret = omac1_aes_128(kck, buf, pos - buf, mic);
577 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
582 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
583 struct wpa_tdls_peer *peer,
584 const u8 *lnkid, const u8 *timeoutie,
585 const struct wpa_tdls_ftie *ftie)
590 wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
591 peer->rsnie_p, timeoutie, (u8 *) ftie,
593 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
594 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
596 wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
598 wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
603 wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
604 "TPK not set - dropping packet");
611 static int wpa_supplicant_verify_tdls_mic_teardown(
612 u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
613 const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
618 wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
619 dtoken, lnkid, (u8 *) ftie, mic);
620 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
621 wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
626 wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
627 "MIC, TPK not set - dropping packet");
634 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
636 struct wpa_sm *sm = eloop_ctx;
637 struct wpa_tdls_peer *peer = timeout_ctx;
640 * On TPK lifetime expiration, we have an option of either tearing down
641 * the direct link or trying to re-initiate it. The selection of what
642 * to do is not strictly speaking controlled by our role in the expired
643 * link, but for now, use that to select whether to renew or tear down
647 if (peer->initiator) {
648 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
649 " - try to renew", MAC2STR(peer->addr));
650 wpa_tdls_start(sm, peer->addr);
652 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
653 " - tear down", MAC2STR(peer->addr));
654 wpa_tdls_do_teardown(sm, peer,
655 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
660 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
661 struct wpa_tdls_peer *peer)
663 struct wpa_tdls_peer *cur, *prev;
667 while (cur && cur != peer) {
673 wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
674 " to remove it from the list",
675 MAC2STR(peer->addr));
680 prev->next = peer->next;
682 sm->tdls = peer->next;
686 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
688 wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
689 MAC2STR(peer->addr));
690 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
691 eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
692 peer->reconfig_key = 0;
694 peer->tpk_in_progress = 0;
695 os_free(peer->sm_tmr.buf);
696 peer->sm_tmr.buf = NULL;
697 os_free(peer->ht_capabilities);
698 peer->ht_capabilities = NULL;
699 os_free(peer->vht_capabilities);
700 peer->vht_capabilities = NULL;
701 os_free(peer->ext_capab);
702 peer->ext_capab = NULL;
703 os_free(peer->supp_channels);
704 peer->supp_channels = NULL;
705 os_free(peer->supp_oper_classes);
706 peer->supp_oper_classes = NULL;
707 peer->rsnie_i_len = peer->rsnie_p_len = 0;
710 peer->wmm_capable = 0;
711 peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
712 peer->chan_switch_enabled = 0;
713 os_memset(&peer->tpk, 0, sizeof(peer->tpk));
714 os_memset(peer->inonce, 0, WPA_NONCE_LEN);
715 os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
719 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
721 wpa_tdls_peer_clear(sm, peer);
722 wpa_tdls_peer_remove_from_list(sm, peer);
727 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
728 struct wpa_tdls_lnkid *lnkid)
730 lnkid->ie_type = WLAN_EID_LINK_ID;
731 lnkid->ie_len = 3 * ETH_ALEN;
732 os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
733 if (peer->initiator) {
734 os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
735 os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
737 os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
738 os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
743 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
746 struct wpa_tdls_peer *peer;
747 struct wpa_tdls_ftie *ftie;
748 struct wpa_tdls_lnkid lnkid;
753 if (sm->tdls_disabled || !sm->tdls_supported)
756 /* Find the node and free from the list */
757 for (peer = sm->tdls; peer; peer = peer->next) {
758 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
763 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
764 "Teardown " MACSTR, MAC2STR(addr));
768 /* Cancel active channel switch before teardown */
769 if (peer->chan_switch_enabled) {
770 wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
771 " to base channel", MAC2STR(addr));
772 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
775 dialog_token = peer->dtoken;
777 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
781 if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
782 /* To add FTIE for Teardown request and compute MIC */
783 ielen += sizeof(*ftie);
784 #ifdef CONFIG_TDLS_TESTING
785 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
787 #endif /* CONFIG_TDLS_TESTING */
790 rbuf = os_zalloc(ielen + 1);
795 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
798 ftie = (struct wpa_tdls_ftie *) pos;
799 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
800 /* Using the recent nonce which should be for CONFIRM frame */
801 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
802 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
803 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
804 pos = (u8 *) (ftie + 1);
805 #ifdef CONFIG_TDLS_TESTING
806 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
807 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
810 *pos++ = 255; /* FTIE subelem */
811 *pos++ = 168; /* FTIE subelem length */
814 #endif /* CONFIG_TDLS_TESTING */
815 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
816 (u8 *) ftie, pos - (u8 *) ftie);
818 /* compute MIC before sending */
819 wpa_tdls_linkid(sm, peer, &lnkid);
820 wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
821 dialog_token, (u8 *) &lnkid, (u8 *) ftie,
825 /* TODO: register for a Timeout handler, if Teardown is not received at
826 * the other end, then try again another time */
828 /* request driver to send Teardown using this FTIE */
829 wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
830 reason_code, 0, peer->initiator, rbuf, pos - rbuf);
837 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
839 struct wpa_tdls_peer *peer;
841 if (sm->tdls_disabled || !sm->tdls_supported)
844 for (peer = sm->tdls; peer; peer = peer->next) {
845 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
850 wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
851 " for link Teardown", MAC2STR(addr));
855 if (!peer->tpk_success) {
856 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
857 " not connected - cannot Teardown link", MAC2STR(addr));
861 return wpa_tdls_do_teardown(sm, peer, reason_code);
865 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
866 struct wpa_tdls_peer *peer)
868 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
869 wpa_tdls_peer_free(sm, peer);
873 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
875 struct wpa_tdls_peer *peer;
877 for (peer = sm->tdls; peer; peer = peer->next) {
878 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
882 if (!peer || !peer->tpk_success) {
883 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
884 " not connected - cannot teardown unreachable link",
889 if (wpa_tdls_is_external_setup(sm)) {
891 * Get us on the base channel, disable the link, send a
892 * teardown packet through the AP, and then reset link data.
894 if (peer->chan_switch_enabled)
895 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
896 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
897 wpa_tdls_send_teardown(sm, addr,
898 WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
899 wpa_tdls_peer_free(sm, peer);
901 wpa_tdls_disable_peer_link(sm, peer);
906 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
908 struct wpa_tdls_peer *peer;
910 if (sm->tdls_disabled || !sm->tdls_supported)
913 for (peer = sm->tdls; peer; peer = peer->next) {
914 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
919 return "peer does not exist";
921 if (!peer->tpk_success)
922 return "peer not connected";
928 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
929 const u8 *buf, size_t len)
931 struct wpa_tdls_peer *peer = NULL;
932 struct wpa_tdls_ftie *ftie;
933 struct wpa_tdls_lnkid *lnkid;
934 struct wpa_eapol_ie_parse kde;
939 /* Find the node and free from the list */
940 for (peer = sm->tdls; peer; peer = peer->next) {
941 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
946 wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
947 "Teardown " MACSTR, MAC2STR(src_addr));
952 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
954 reason_code = WPA_GET_LE16(pos);
957 wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
958 " (reason code %u)", MAC2STR(src_addr), reason_code);
960 ielen = len - (pos - buf); /* start of IE in buf */
963 * Don't reject the message if failing to parse IEs. The IEs we need are
964 * explicitly checked below. Some APs may add arbitrary padding to the
965 * end of short TDLS frames and that would look like invalid IEs.
967 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
968 wpa_printf(MSG_DEBUG,
969 "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
971 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
972 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
976 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
978 if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
981 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
982 wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
986 ftie = (struct wpa_tdls_ftie *) kde.ftie;
988 /* Process MIC check to see if TDLS Teardown is right */
989 if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
991 (u8 *) lnkid, ftie) < 0) {
992 wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
993 "Teardown Request from " MACSTR, MAC2STR(src_addr));
999 * Request the driver to disable the direct link and clear associated
1002 wpa_tdls_disable_peer_link(sm, peer);
1008 * wpa_tdls_send_error - To send suitable TDLS status response with
1009 * appropriate status code mentioning reason for error/failure.
1010 * @dst - MAC addr of Peer station
1011 * @tdls_action - TDLS frame type for which error code is sent
1012 * @initiator - was this end the initiator of the connection
1013 * @status - status code mentioning reason
1016 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1017 u8 tdls_action, u8 dialog_token, int initiator,
1020 wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1021 " (action=%u status=%u)",
1022 MAC2STR(dst), tdls_action, status);
1023 return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1024 0, initiator, NULL, 0);
1028 static struct wpa_tdls_peer *
1029 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1031 struct wpa_tdls_peer *peer;
1035 for (peer = sm->tdls; peer; peer = peer->next) {
1036 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1039 return peer; /* re-use existing entry */
1043 wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1046 peer = os_zalloc(sizeof(*peer));
1050 os_memcpy(peer->addr, addr, ETH_ALEN);
1051 peer->next = sm->tdls;
1058 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1059 struct wpa_tdls_peer *peer)
1062 struct wpa_tdls_timeoutie timeoutie;
1064 struct wpa_tdls_ftie *ftie;
1065 u8 *rbuf, *pos, *count_pos;
1067 struct rsn_ie_hdr *hdr;
1070 if (!wpa_tdls_get_privacy(sm)) {
1071 wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1072 peer->rsnie_i_len = 0;
1077 * TPK Handshake Message 1:
1078 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1079 * Timeout Interval IE))
1082 /* Filling RSN IE */
1083 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1084 hdr->elem_id = WLAN_EID_RSN;
1085 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1087 pos = (u8 *) (hdr + 1);
1088 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1089 pos += RSN_SELECTOR_LEN;
1096 * AES-CCMP is the default Encryption preferred for TDLS, so
1097 * RSN IE is filled only with CCMP CIPHER
1098 * Note: TKIP is not used to encrypt TDLS link.
1100 * Regardless of the cipher used on the AP connection, select CCMP
1103 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1104 pos += RSN_SELECTOR_LEN;
1107 WPA_PUT_LE16(count_pos, count);
1109 WPA_PUT_LE16(pos, 1);
1111 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1112 pos += RSN_SELECTOR_LEN;
1114 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1115 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1116 #ifdef CONFIG_TDLS_TESTING
1117 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1118 wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1120 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1122 #endif /* CONFIG_TDLS_TESTING */
1123 WPA_PUT_LE16(pos, rsn_capab);
1125 #ifdef CONFIG_TDLS_TESTING
1126 if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1127 /* Number of PMKIDs */
1131 #endif /* CONFIG_TDLS_TESTING */
1133 hdr->len = (pos - peer->rsnie_i) - 2;
1134 peer->rsnie_i_len = pos - peer->rsnie_i;
1135 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1136 peer->rsnie_i, peer->rsnie_i_len);
1140 if (wpa_tdls_get_privacy(sm))
1141 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1142 sizeof(struct wpa_tdls_timeoutie);
1143 #ifdef CONFIG_TDLS_TESTING
1144 if (wpa_tdls_get_privacy(sm) &&
1145 (tdls_testing & TDLS_TESTING_LONG_FRAME))
1147 if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1148 buf_len += sizeof(struct wpa_tdls_lnkid);
1149 #endif /* CONFIG_TDLS_TESTING */
1150 rbuf = os_zalloc(buf_len + 1);
1152 wpa_tdls_peer_free(sm, peer);
1157 if (!wpa_tdls_get_privacy(sm))
1160 /* Initiator RSN IE */
1161 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1163 ftie = (struct wpa_tdls_ftie *) pos;
1164 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1165 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1167 if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1168 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1169 "TDLS: Failed to get random data for initiator Nonce");
1171 wpa_tdls_peer_free(sm, peer);
1174 peer->tk_set = 0; /* A new nonce results in a new TK */
1175 wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1176 peer->inonce, WPA_NONCE_LEN);
1177 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1179 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1180 (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1182 pos = (u8 *) (ftie + 1);
1184 #ifdef CONFIG_TDLS_TESTING
1185 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1186 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1188 ftie->ie_len += 170;
1189 *pos++ = 255; /* FTIE subelem */
1190 *pos++ = 168; /* FTIE subelem length */
1193 #endif /* CONFIG_TDLS_TESTING */
1196 peer->lifetime = TPK_LIFETIME;
1197 #ifdef CONFIG_TDLS_TESTING
1198 if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1199 wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1201 peer->lifetime = 301;
1203 if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1204 wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1206 peer->lifetime = 0xffffffff;
1208 #endif /* CONFIG_TDLS_TESTING */
1209 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1210 sizeof(timeoutie), peer->lifetime);
1211 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1215 #ifdef CONFIG_TDLS_TESTING
1216 if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1217 wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1219 struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1220 wpa_tdls_linkid(sm, peer, l);
1221 l->bssid[5] ^= 0x01;
1224 #endif /* CONFIG_TDLS_TESTING */
1226 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1227 "Handshake Message 1 (peer " MACSTR ")",
1228 MAC2STR(peer->addr));
1230 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1231 1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1238 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1239 const unsigned char *src_addr, u8 dtoken,
1240 struct wpa_tdls_lnkid *lnkid,
1241 const struct wpa_tdls_peer *peer)
1246 struct wpa_tdls_timeoutie timeoutie;
1247 struct wpa_tdls_ftie *ftie;
1251 if (wpa_tdls_get_privacy(sm)) {
1252 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1254 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1255 sizeof(struct wpa_tdls_timeoutie);
1256 #ifdef CONFIG_TDLS_TESTING
1257 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1259 #endif /* CONFIG_TDLS_TESTING */
1262 rbuf = os_zalloc(buf_len + 1);
1267 if (!wpa_tdls_get_privacy(sm))
1271 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1273 ftie = (struct wpa_tdls_ftie *) pos;
1274 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1275 /* TODO: ftie->mic_control to set 2-RESPONSE */
1276 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1277 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1278 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1279 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1280 (u8 *) ftie, sizeof(*ftie));
1282 pos = (u8 *) (ftie + 1);
1284 #ifdef CONFIG_TDLS_TESTING
1285 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1286 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1288 ftie->ie_len += 170;
1289 *pos++ = 255; /* FTIE subelem */
1290 *pos++ = 168; /* FTIE subelem length */
1293 #endif /* CONFIG_TDLS_TESTING */
1296 lifetime = peer->lifetime;
1297 #ifdef CONFIG_TDLS_TESTING
1298 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1299 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1300 "lifetime in response");
1303 #endif /* CONFIG_TDLS_TESTING */
1304 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1305 sizeof(timeoutie), lifetime);
1306 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1309 /* compute MIC before sending */
1310 wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1311 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1312 #ifdef CONFIG_TDLS_TESTING
1313 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1314 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1315 ftie->mic[0] ^= 0x01;
1317 #endif /* CONFIG_TDLS_TESTING */
1320 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1321 dtoken, 0, 0, peer->initiator, rbuf,
1329 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1330 const unsigned char *src_addr, u8 dtoken,
1331 struct wpa_tdls_lnkid *lnkid,
1332 const struct wpa_tdls_peer *peer)
1336 struct wpa_tdls_ftie *ftie;
1337 struct wpa_tdls_timeoutie timeoutie;
1343 if (wpa_tdls_get_privacy(sm)) {
1344 /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1346 buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1347 sizeof(struct wpa_tdls_timeoutie);
1348 #ifdef CONFIG_TDLS_TESTING
1349 if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1351 #endif /* CONFIG_TDLS_TESTING */
1354 rbuf = os_zalloc(buf_len + 1);
1359 if (!wpa_tdls_get_privacy(sm))
1363 pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1365 ftie = (struct wpa_tdls_ftie *) pos;
1366 ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1367 /*TODO: ftie->mic_control to set 3-CONFIRM */
1368 os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1369 os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1370 ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1372 pos = (u8 *) (ftie + 1);
1374 #ifdef CONFIG_TDLS_TESTING
1375 if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1376 wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1378 ftie->ie_len += 170;
1379 *pos++ = 255; /* FTIE subelem */
1380 *pos++ = 168; /* FTIE subelem length */
1383 #endif /* CONFIG_TDLS_TESTING */
1386 lifetime = peer->lifetime;
1387 #ifdef CONFIG_TDLS_TESTING
1388 if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1389 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1390 "lifetime in confirm");
1393 #endif /* CONFIG_TDLS_TESTING */
1394 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1395 sizeof(timeoutie), lifetime);
1396 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1399 /* compute MIC before sending */
1400 wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1401 (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1402 #ifdef CONFIG_TDLS_TESTING
1403 if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1404 wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1405 ftie->mic[0] ^= 0x01;
1407 #endif /* CONFIG_TDLS_TESTING */
1411 if (peer->vht_capabilities)
1412 peer_capab |= TDLS_PEER_VHT;
1413 if (peer->ht_capabilities)
1414 peer_capab |= TDLS_PEER_HT;
1415 if (peer->wmm_capable)
1416 peer_capab |= TDLS_PEER_WMM;
1418 status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1419 dtoken, 0, peer_capab, peer->initiator,
1427 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1428 struct wpa_tdls_peer *peer,
1432 struct wpa_tdls_timeoutie timeoutie;
1434 u8 *rbuf, *pos, *count_pos;
1436 struct rsn_ie_hdr *hdr;
1439 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1440 "(peer " MACSTR ")", MAC2STR(peer->addr));
1441 if (!wpa_tdls_get_privacy(sm))
1444 /* Filling RSN IE */
1445 hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1446 hdr->elem_id = WLAN_EID_RSN;
1447 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1448 pos = (u8 *) (hdr + 1);
1449 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1450 pos += RSN_SELECTOR_LEN;
1456 * AES-CCMP is the default encryption preferred for TDLS, so
1457 * RSN IE is filled only with CCMP cipher suite.
1458 * Note: TKIP is not used to encrypt TDLS link.
1460 * Regardless of the cipher used on the AP connection, select CCMP
1463 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1464 pos += RSN_SELECTOR_LEN;
1466 WPA_PUT_LE16(count_pos, count);
1467 WPA_PUT_LE16(pos, 1);
1469 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1470 pos += RSN_SELECTOR_LEN;
1472 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1473 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1474 WPA_PUT_LE16(pos, rsn_capab);
1476 hdr->len = (pos - (u8 *) hdr) - 2;
1477 peer->rsnie_i_len = pos - peer->rsnie_i;
1479 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1480 (u8 *) hdr, hdr->len + 2);
1483 if (wpa_tdls_get_privacy(sm)) {
1484 /* Peer RSN IE, Lifetime */
1485 buf_len += peer->rsnie_i_len +
1486 sizeof(struct wpa_tdls_timeoutie);
1488 rbuf = os_zalloc(buf_len + 1);
1490 wpa_tdls_peer_free(sm, peer);
1495 if (!wpa_tdls_get_privacy(sm))
1497 /* Initiator RSN IE */
1498 pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1500 peer->lifetime = TPK_LIFETIME;
1501 pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1502 sizeof(timeoutie), peer->lifetime);
1503 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1505 status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1506 dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1514 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1515 const u8 *buf, size_t len)
1517 struct wpa_eapol_ie_parse kde;
1518 const struct wpa_tdls_lnkid *lnkid;
1519 struct wpa_tdls_peer *peer;
1520 size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1521 1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1524 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1527 if (len < min_req_len) {
1528 wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1533 dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1536 * Some APs will tack on a weird IE to the end of a TDLS
1537 * discovery request packet. This needn't fail the response,
1538 * since the required IE are verified separately.
1540 if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1541 len - (sizeof(struct wpa_tdls_frame) + 1),
1543 wpa_printf(MSG_DEBUG,
1544 "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1548 wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1553 lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1555 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1556 wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1557 " BSS " MACSTR, MAC2STR(lnkid->bssid));
1561 peer = wpa_tdls_add_peer(sm, addr, NULL);
1565 return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1569 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1571 if (sm->tdls_disabled || !sm->tdls_supported)
1574 wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1575 MACSTR, MAC2STR(addr));
1576 return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1577 1, 0, 0, 1, NULL, 0);
1581 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1582 struct wpa_tdls_peer *peer)
1584 if (!kde->supp_rates) {
1585 wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1588 peer->supp_rates_len = merge_byte_arrays(
1589 peer->supp_rates, sizeof(peer->supp_rates),
1590 kde->supp_rates + 2, kde->supp_rates_len - 2,
1591 kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1592 kde->ext_supp_rates_len - 2);
1597 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1598 struct wpa_tdls_peer *peer)
1600 if (!kde->ht_capabilities) {
1601 wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1606 if (!peer->ht_capabilities) {
1607 peer->ht_capabilities =
1608 os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1609 if (peer->ht_capabilities == NULL)
1613 os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1614 sizeof(struct ieee80211_ht_capabilities));
1615 wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1616 (u8 *) peer->ht_capabilities,
1617 sizeof(struct ieee80211_ht_capabilities));
1623 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1624 struct wpa_tdls_peer *peer)
1626 if (!kde->vht_capabilities) {
1627 wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1632 if (!peer->vht_capabilities) {
1633 peer->vht_capabilities =
1634 os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1635 if (peer->vht_capabilities == NULL)
1639 os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1640 sizeof(struct ieee80211_vht_capabilities));
1641 wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1642 (u8 *) peer->vht_capabilities,
1643 sizeof(struct ieee80211_vht_capabilities));
1649 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1650 struct wpa_tdls_peer *peer)
1652 if (!kde->ext_capab) {
1653 wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1658 if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1659 /* Need to allocate buffer to fit the new information */
1660 os_free(peer->ext_capab);
1661 peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1662 if (peer->ext_capab == NULL)
1666 peer->ext_capab_len = kde->ext_capab_len - 2;
1667 os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1673 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1674 struct wpa_tdls_peer *peer)
1676 struct wmm_information_element *wmm;
1679 wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1683 if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1684 wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1688 wmm = (struct wmm_information_element *) kde->wmm;
1689 peer->qos_info = wmm->qos_info;
1691 peer->wmm_capable = 1;
1693 wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1698 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1699 struct wpa_tdls_peer *peer)
1701 if (!kde->supp_channels) {
1702 wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1706 if (!peer->supp_channels ||
1707 peer->supp_channels_len < kde->supp_channels_len) {
1708 os_free(peer->supp_channels);
1709 peer->supp_channels = os_zalloc(kde->supp_channels_len);
1710 if (peer->supp_channels == NULL)
1714 peer->supp_channels_len = kde->supp_channels_len;
1716 os_memcpy(peer->supp_channels, kde->supp_channels,
1717 peer->supp_channels_len);
1718 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1719 (u8 *) peer->supp_channels, peer->supp_channels_len);
1724 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1725 struct wpa_tdls_peer *peer)
1727 if (!kde->supp_oper_classes) {
1728 wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1732 if (!peer->supp_oper_classes ||
1733 peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1734 os_free(peer->supp_oper_classes);
1735 peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1736 if (peer->supp_oper_classes == NULL)
1740 peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1741 os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1742 peer->supp_oper_classes_len);
1743 wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1744 (u8 *) peer->supp_oper_classes,
1745 peer->supp_oper_classes_len);
1750 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1753 return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1755 peer->supp_rates, peer->supp_rates_len,
1756 peer->ht_capabilities,
1757 peer->vht_capabilities,
1758 peer->qos_info, peer->wmm_capable,
1759 peer->ext_capab, peer->ext_capab_len,
1760 peer->supp_channels,
1761 peer->supp_channels_len,
1762 peer->supp_oper_classes,
1763 peer->supp_oper_classes_len);
1767 static int tdls_nonce_set(const u8 *nonce)
1771 for (i = 0; i < WPA_NONCE_LEN; i++) {
1780 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1781 const u8 *buf, size_t len)
1783 struct wpa_tdls_peer *peer;
1784 struct wpa_eapol_ie_parse kde;
1785 struct wpa_ie_data ie;
1788 struct wpa_tdls_ftie *ftie = NULL;
1789 struct wpa_tdls_timeoutie *timeoutie;
1790 struct wpa_tdls_lnkid *lnkid;
1793 struct rsn_ie_hdr *hdr;
1800 u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1801 int tdls_prohibited = sm->tdls_prohibited;
1802 int existing_peer = 0;
1808 cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1810 /* driver had already verified the frame format */
1811 dtoken = *cpos++; /* dialog token */
1813 wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1815 peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1819 /* If found, use existing entry instead of adding a new one;
1820 * how to handle the case where both ends initiate at the
1822 if (existing_peer) {
1823 if (peer->tpk_success) {
1824 wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1825 "direct link is enabled - tear down the "
1827 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1828 wpa_tdls_peer_clear(sm, peer);
1829 } else if (peer->initiator) {
1831 * An entry is already present, so check if we already
1832 * sent a TDLS Setup Request. If so, compare MAC
1833 * addresses and let the STA with the lower MAC address
1834 * continue as the initiator. The other negotiation is
1837 if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1838 wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1839 "from peer with higher address "
1840 MACSTR, MAC2STR(src_addr));
1843 wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1844 "from peer with lower address "
1845 MACSTR " (terminate previously "
1846 "initiated negotiation",
1848 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1850 wpa_tdls_peer_clear(sm, peer);
1855 /* capability information */
1856 peer->capability = WPA_GET_LE16(cpos);
1859 ielen = len - (cpos - buf); /* start of IE in buf */
1862 * Don't reject the message if failing to parse IEs. The IEs we need are
1863 * explicitly checked below. Some APs may add arbitrary padding to the
1864 * end of short TDLS frames and that would look like invalid IEs.
1866 if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1867 wpa_printf(MSG_DEBUG,
1868 "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1870 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1871 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1875 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1876 kde.lnkid, kde.lnkid_len);
1877 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1878 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1879 wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1880 status = WLAN_STATUS_REQUEST_DECLINED;
1884 wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1887 if (copy_supp_rates(&kde, peer) < 0)
1890 if (copy_peer_ht_capab(&kde, peer) < 0)
1893 if (copy_peer_vht_capab(&kde, peer) < 0)
1896 if (copy_peer_ext_capab(&kde, peer) < 0)
1899 if (copy_peer_supp_channels(&kde, peer) < 0)
1902 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1905 peer->qos_info = kde.qosinfo;
1907 /* Overwrite with the qos_info obtained in WMM IE */
1908 if (copy_peer_wmm_capab(&kde, peer) < 0)
1911 peer->aid = kde.aid;
1913 #ifdef CONFIG_TDLS_TESTING
1914 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1915 peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1918 wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1919 "TDLS setup - send own request");
1920 peer->initiator = 1;
1921 wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1922 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
1923 wpa_tdls_send_tpk_m1(sm, peer);
1926 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1928 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1930 tdls_prohibited = 0;
1932 #endif /* CONFIG_TDLS_TESTING */
1934 if (tdls_prohibited) {
1935 wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1936 status = WLAN_STATUS_REQUEST_DECLINED;
1940 if (!wpa_tdls_get_privacy(sm)) {
1942 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1943 "security is disabled");
1944 status = WLAN_STATUS_SECURITY_DISABLED;
1950 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1951 kde.rsn_ie == NULL) {
1952 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1953 status = WLAN_STATUS_INVALID_PARAMETERS;
1957 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
1958 wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
1960 status = WLAN_STATUS_INVALID_RSNIE;
1964 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
1965 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
1966 status = WLAN_STATUS_INVALID_RSNIE;
1970 cipher = ie.pairwise_cipher;
1971 if (cipher & WPA_CIPHER_CCMP) {
1972 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
1973 cipher = WPA_CIPHER_CCMP;
1975 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
1976 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1980 if ((ie.capabilities &
1981 (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
1982 WPA_CAPABILITY_PEERKEY_ENABLED) {
1983 wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
1985 status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
1990 if (kde.key_lifetime == NULL) {
1991 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
1992 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
1995 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
1996 lifetime = WPA_GET_LE32(timeoutie->value);
1997 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
1998 if (lifetime < 300) {
1999 wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2000 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2005 #ifdef CONFIG_TDLS_TESTING
2006 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2007 if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2009 * The request frame from us is going to win, so do not
2010 * replace information based on this request frame from
2013 goto skip_rsn_check;
2016 #endif /* CONFIG_TDLS_TESTING */
2018 peer->initiator = 0; /* Need to check */
2019 peer->dtoken = dtoken;
2021 if (!wpa_tdls_get_privacy(sm)) {
2022 peer->rsnie_i_len = 0;
2023 peer->rsnie_p_len = 0;
2024 peer->cipher = WPA_CIPHER_NONE;
2025 goto skip_rsn_check;
2028 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2029 os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2030 peer->rsnie_i_len = kde.rsn_ie_len;
2031 peer->cipher = cipher;
2033 if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2034 !tdls_nonce_set(peer->inonce)) {
2036 * There is no point in updating the RNonce for every obtained
2037 * TPK M1 frame (e.g., retransmission due to timeout) with the
2038 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2039 * retransmitted with a different INonce, update the RNonce
2040 * since this is for a new TDLS session.
2042 wpa_printf(MSG_DEBUG,
2043 "TDLS: New TPK M1 INonce - generate new RNonce");
2044 os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2045 if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2046 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2047 "TDLS: Failed to get random data for responder nonce");
2050 peer->tk_set = 0; /* A new nonce results in a new TK */
2054 /* get version info from RSNIE received from Peer */
2055 hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2056 rsn_ver = WPA_GET_LE16(hdr->version);
2058 /* use min(peer's version, out version) */
2059 if (rsn_ver > RSN_VERSION)
2060 rsn_ver = RSN_VERSION;
2062 hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2064 hdr->elem_id = WLAN_EID_RSN;
2065 WPA_PUT_LE16(hdr->version, rsn_ver);
2066 pos = (u8 *) (hdr + 1);
2068 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2069 pos += RSN_SELECTOR_LEN;
2070 /* Include only the selected cipher in pairwise cipher suite */
2071 WPA_PUT_LE16(pos, 1);
2073 if (cipher == WPA_CIPHER_CCMP)
2074 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2075 pos += RSN_SELECTOR_LEN;
2077 WPA_PUT_LE16(pos, 1);
2079 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2080 pos += RSN_SELECTOR_LEN;
2082 rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2083 rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2084 WPA_PUT_LE16(pos, rsn_capab);
2087 hdr->len = (pos - peer->rsnie_p) - 2;
2088 peer->rsnie_p_len = pos - peer->rsnie_p;
2091 /* temp fix: validation of RSNIE later */
2092 os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2093 peer->rsnie_p_len = peer->rsnie_i_len;
2095 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2096 peer->rsnie_p, peer->rsnie_p_len);
2098 peer->lifetime = lifetime;
2100 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2103 #ifdef CONFIG_TDLS_TESTING
2104 if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2106 #endif /* CONFIG_TDLS_TESTING */
2108 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2109 if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2112 #ifdef CONFIG_TDLS_TESTING
2114 #endif /* CONFIG_TDLS_TESTING */
2115 peer->tpk_in_progress = 1;
2117 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2118 if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2119 wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2126 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2129 wpa_tdls_peer_free(sm, peer);
2134 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2136 peer->tpk_success = 1;
2137 peer->tpk_in_progress = 0;
2138 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2139 if (wpa_tdls_get_privacy(sm)) {
2140 u32 lifetime = peer->lifetime;
2142 * Start the initiator process a bit earlier to avoid race
2143 * condition with the responder sending teardown request.
2145 if (lifetime > 3 && peer->initiator)
2147 eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2149 #ifdef CONFIG_TDLS_TESTING
2150 if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2151 wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
2153 eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2155 #endif /* CONFIG_TDLS_TESTING */
2158 if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2159 wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2163 peer->reconfig_key = 0;
2165 return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2169 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2170 const u8 *buf, size_t len)
2172 struct wpa_tdls_peer *peer;
2173 struct wpa_eapol_ie_parse kde;
2174 struct wpa_ie_data ie;
2176 struct wpa_tdls_ftie *ftie;
2177 struct wpa_tdls_timeoutie *timeoutie;
2178 struct wpa_tdls_lnkid *lnkid;
2186 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2187 "(Peer " MACSTR ")", MAC2STR(src_addr));
2188 for (peer = sm->tdls; peer; peer = peer->next) {
2189 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2193 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2194 "TPK M2: " MACSTR, MAC2STR(src_addr));
2197 if (!peer->initiator) {
2199 * This may happen if both devices try to initiate TDLS at the
2200 * same time and we accept the TPK M1 from the peer in
2201 * wpa_tdls_process_tpk_m1() and clear our previous state.
2203 wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2204 "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2208 if (peer->tpk_success) {
2209 wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2210 MACSTR " as TPK M3 was already sent",
2215 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2217 if (len < 3 + 2 + 1) {
2218 wpa_tdls_disable_peer_link(sm, peer);
2223 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2224 status = WPA_GET_LE16(pos);
2225 pos += 2 /* status code */;
2227 if (status != WLAN_STATUS_SUCCESS) {
2228 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2230 wpa_tdls_disable_peer_link(sm, peer);
2234 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2236 /* TODO: need to verify dialog token matches here or in kernel */
2237 dtoken = *pos++; /* dialog token */
2239 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2241 if (len < 3 + 2 + 1 + 2) {
2242 wpa_tdls_disable_peer_link(sm, peer);
2246 /* capability information */
2247 peer->capability = WPA_GET_LE16(pos);
2250 ielen = len - (pos - buf); /* start of IE in buf */
2253 * Don't reject the message if failing to parse IEs. The IEs we need are
2254 * explicitly checked below. Some APs may add arbitrary padding to the
2255 * end of short TDLS frames and that would look like invalid IEs.
2257 if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2258 wpa_printf(MSG_DEBUG,
2259 "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2261 #ifdef CONFIG_TDLS_TESTING
2262 if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2263 wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2264 status = WLAN_STATUS_REQUEST_DECLINED;
2267 #endif /* CONFIG_TDLS_TESTING */
2269 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2270 wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2274 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2275 kde.lnkid, kde.lnkid_len);
2276 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2278 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2279 wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2280 status = WLAN_STATUS_NOT_IN_SAME_BSS;
2284 if (copy_supp_rates(&kde, peer) < 0)
2287 if (copy_peer_ht_capab(&kde, peer) < 0)
2290 if (copy_peer_vht_capab(&kde, peer) < 0)
2293 if (copy_peer_ext_capab(&kde, peer) < 0)
2296 if (copy_peer_supp_channels(&kde, peer) < 0)
2299 if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2302 peer->qos_info = kde.qosinfo;
2304 /* Overwrite with the qos_info obtained in WMM IE */
2305 if (copy_peer_wmm_capab(&kde, peer) < 0)
2308 peer->aid = kde.aid;
2310 if (!wpa_tdls_get_privacy(sm)) {
2311 peer->rsnie_p_len = 0;
2312 peer->cipher = WPA_CIPHER_NONE;
2316 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2317 kde.rsn_ie == NULL) {
2318 wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2319 status = WLAN_STATUS_INVALID_PARAMETERS;
2322 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2323 kde.rsn_ie, kde.rsn_ie_len);
2325 if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2326 wpa_printf(MSG_INFO,
2327 "TDLS: Too long Responder RSN IE in TPK M2");
2328 status = WLAN_STATUS_INVALID_RSNIE;
2333 * FIX: bitwise comparison of RSN IE is not the correct way of
2334 * validation this. It can be different, but certain fields must
2335 * match. Since we list only a single pairwise cipher in TPK M1, the
2336 * memcmp is likely to work in most cases, though.
2338 if (kde.rsn_ie_len != peer->rsnie_i_len ||
2339 os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2340 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2341 "not match with RSN IE used in TPK M1");
2342 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2343 peer->rsnie_i, peer->rsnie_i_len);
2344 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2345 kde.rsn_ie, kde.rsn_ie_len);
2346 status = WLAN_STATUS_INVALID_RSNIE;
2350 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2351 wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2352 status = WLAN_STATUS_INVALID_RSNIE;
2356 cipher = ie.pairwise_cipher;
2357 if (cipher == WPA_CIPHER_CCMP) {
2358 wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2359 cipher = WPA_CIPHER_CCMP;
2361 wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2362 status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2366 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2367 kde.ftie, sizeof(*ftie));
2368 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2370 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2371 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2372 "not match with FTIE SNonce used in TPK M1");
2373 /* Silently discard the frame */
2377 /* Responder Nonce and RSN IE */
2378 os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2379 os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2380 peer->rsnie_p_len = kde.rsn_ie_len;
2381 peer->cipher = cipher;
2384 if (kde.key_lifetime == NULL) {
2385 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2386 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2389 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2390 lifetime = WPA_GET_LE32(timeoutie->value);
2391 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2393 if (lifetime != peer->lifetime) {
2394 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2395 "TPK M2 (expected %u)", lifetime, peer->lifetime);
2396 status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2400 wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2402 /* Process MIC check to see if TPK M2 is right */
2403 if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2404 (u8 *) timeoutie, ftie) < 0) {
2405 /* Discard the frame */
2406 wpa_tdls_del_key(sm, peer);
2407 wpa_tdls_disable_peer_link(sm, peer);
2411 if (wpa_tdls_set_key(sm, peer) < 0) {
2413 * Some drivers may not be able to config the key prior to full
2414 * STA entry having been configured.
2416 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2417 "STA entry is complete");
2418 peer->reconfig_key = 1;
2422 peer->dtoken = dtoken;
2424 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2425 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2428 wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2429 "TPK Handshake Message 3");
2430 if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2433 if (!peer->tpk_success) {
2435 * Enable Link only when tpk_success is 0, signifying that this
2436 * processing of TPK M2 frame is not because of a retransmission
2437 * during TDLS setup handshake.
2439 ret = wpa_tdls_enable_link(sm, peer);
2441 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2442 wpa_tdls_do_teardown(
2444 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2450 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2452 wpa_tdls_disable_peer_link(sm, peer);
2457 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2458 const u8 *buf, size_t len)
2460 struct wpa_tdls_peer *peer;
2461 struct wpa_eapol_ie_parse kde;
2462 struct wpa_tdls_ftie *ftie;
2463 struct wpa_tdls_timeoutie *timeoutie;
2464 struct wpa_tdls_lnkid *lnkid;
2471 wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2472 "(Peer " MACSTR ")", MAC2STR(src_addr));
2473 for (peer = sm->tdls; peer; peer = peer->next) {
2474 if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2478 wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2479 "TPK M3: " MACSTR, MAC2STR(src_addr));
2482 wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2487 pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2489 status = WPA_GET_LE16(pos);
2492 wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2496 pos += 2 /* status code */ + 1 /* dialog token */;
2498 ielen = len - (pos - buf); /* start of IE in buf */
2501 * Don't reject the message if failing to parse IEs. The IEs we need are
2502 * explicitly checked below. Some APs piggy-back broken IEs to the end
2503 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2506 if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2507 wpa_printf(MSG_DEBUG,
2508 "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2511 if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2512 wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2515 wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2516 (u8 *) kde.lnkid, kde.lnkid_len);
2517 lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2519 if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2520 wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2524 if (!wpa_tdls_get_privacy(sm))
2527 if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2528 wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2531 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2532 kde.ftie, sizeof(*ftie));
2533 ftie = (struct wpa_tdls_ftie *) kde.ftie;
2535 if (kde.rsn_ie == NULL) {
2536 wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2539 wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2540 kde.rsn_ie, kde.rsn_ie_len);
2541 if (kde.rsn_ie_len != peer->rsnie_p_len ||
2542 os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2543 wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2544 "with the one sent in TPK M2");
2548 if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) {
2549 wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2550 "not match with FTIE ANonce used in TPK M2");
2554 if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
2555 wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2556 "match with FTIE SNonce used in TPK M1");
2560 if (kde.key_lifetime == NULL) {
2561 wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2564 timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2565 wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2566 (u8 *) timeoutie, sizeof(*timeoutie));
2567 lifetime = WPA_GET_LE32(timeoutie->value);
2568 wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2570 if (lifetime != peer->lifetime) {
2571 wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2572 "TPK M3 (expected %u)", lifetime, peer->lifetime);
2576 if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2577 (u8 *) timeoutie, ftie) < 0) {
2578 wpa_tdls_del_key(sm, peer);
2582 if (wpa_tdls_set_key(sm, peer) < 0) {
2584 * Some drivers may not be able to config the key prior to full
2585 * STA entry having been configured.
2587 wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2588 "STA entry is complete");
2589 peer->reconfig_key = 1;
2593 /* add supported rates, capabilities, and qos_info to the TDLS peer */
2594 if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2597 if (!peer->tpk_success) {
2599 * Enable Link only when tpk_success is 0, signifying that this
2600 * processing of TPK M3 frame is not because of a retransmission
2601 * during TDLS setup handshake.
2603 ret = wpa_tdls_enable_link(sm, peer);
2605 wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2611 wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2616 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2618 struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2620 os_memset(lifetime, 0, ie_len);
2621 lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2622 lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2623 lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2624 WPA_PUT_LE32(lifetime->value, tsecs);
2625 os_memcpy(pos, ie, ie_len);
2626 return pos + ie_len;
2631 * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2632 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2633 * @peer: MAC address of the peer STA
2634 * Returns: 0 on success, or -1 on failure
2636 * Send TPK Handshake Message 1 info to driver to start TDLS
2637 * handshake with the peer.
2639 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2641 struct wpa_tdls_peer *peer;
2642 int tdls_prohibited = sm->tdls_prohibited;
2644 if (sm->tdls_disabled || !sm->tdls_supported)
2647 #ifdef CONFIG_TDLS_TESTING
2648 if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2650 wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2652 tdls_prohibited = 0;
2654 #endif /* CONFIG_TDLS_TESTING */
2656 if (tdls_prohibited) {
2657 wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2658 "reject request to start setup");
2662 peer = wpa_tdls_add_peer(sm, addr, NULL);
2666 if (peer->tpk_in_progress) {
2667 wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2671 peer->initiator = 1;
2673 /* add the peer to the driver as a "setup in progress" peer */
2674 if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2675 NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0)) {
2676 wpa_tdls_disable_peer_link(sm, peer);
2680 peer->tpk_in_progress = 1;
2682 if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
2683 wpa_tdls_disable_peer_link(sm, peer);
2691 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2693 struct wpa_tdls_peer *peer;
2695 if (sm->tdls_disabled || !sm->tdls_supported)
2698 for (peer = sm->tdls; peer; peer = peer->next) {
2699 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2703 if (peer == NULL || !peer->tpk_success)
2706 if (sm->tdls_external_setup) {
2708 * Disable previous link to allow renegotiation to be completed
2711 wpa_tdls_do_teardown(sm, peer,
2712 WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2718 * wpa_supplicant_rx_tdls - Receive TDLS data frame
2720 * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2722 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2723 const u8 *buf, size_t len)
2725 struct wpa_sm *sm = ctx;
2726 struct wpa_tdls_frame *tf;
2728 wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2731 if (sm->tdls_disabled || !sm->tdls_supported) {
2732 wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2733 "or unsupported by driver");
2737 if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2738 wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2742 if (len < sizeof(*tf)) {
2743 wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2747 /* Check to make sure its a valid encapsulated TDLS frame */
2748 tf = (struct wpa_tdls_frame *) buf;
2749 if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2750 tf->category != WLAN_ACTION_TDLS) {
2751 wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2752 "category=%u action=%u",
2753 tf->payloadtype, tf->category, tf->action);
2757 switch (tf->action) {
2758 case WLAN_TDLS_SETUP_REQUEST:
2759 wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2761 case WLAN_TDLS_SETUP_RESPONSE:
2762 wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2764 case WLAN_TDLS_SETUP_CONFIRM:
2765 wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2767 case WLAN_TDLS_TEARDOWN:
2768 wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2770 case WLAN_TDLS_DISCOVERY_REQUEST:
2771 wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2774 /* Kernel code will process remaining frames */
2775 wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2783 * wpa_tdls_init - Initialize driver interface parameters for TDLS
2784 * @wpa_s: Pointer to wpa_supplicant data
2785 * Returns: 0 on success, -1 on failure
2787 * This function is called to initialize driver interface parameters for TDLS.
2788 * wpa_drv_init() must have been called before this function to initialize the
2791 int wpa_tdls_init(struct wpa_sm *sm)
2796 sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2799 ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2801 if (sm->l2_tdls == NULL) {
2802 wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2808 * Drivers that support TDLS but don't implement the get_capa callback
2809 * are assumed to perform everything internally
2811 if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2812 &sm->tdls_external_setup,
2813 &sm->tdls_chan_switch) < 0) {
2814 sm->tdls_supported = 1;
2815 sm->tdls_external_setup = 0;
2818 wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2819 "driver", sm->tdls_supported ? "" : " not");
2820 wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2821 sm->tdls_external_setup ? "external" : "internal");
2822 wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
2823 sm->tdls_chan_switch ? "supports" : "does not support");
2829 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2831 struct wpa_tdls_peer *peer, *tmp;
2837 wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2841 wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2842 MAC2STR(peer->addr));
2843 if (sm->tdls_external_setup)
2844 wpa_tdls_do_teardown(sm, peer,
2845 WLAN_REASON_DEAUTH_LEAVING);
2847 wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2854 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2856 struct wpa_tdls_peer *peer, *tmp;
2863 res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2864 wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2865 MAC2STR(peer->addr), res);
2866 wpa_tdls_peer_free(sm, peer);
2873 * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2875 * This function is called to recover driver interface parameters for TDLS
2876 * and frees resources allocated for it.
2878 void wpa_tdls_deinit(struct wpa_sm *sm)
2884 l2_packet_deinit(sm->l2_tdls);
2887 wpa_tdls_remove_peers(sm);
2891 void wpa_tdls_assoc(struct wpa_sm *sm)
2893 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2894 wpa_tdls_remove_peers(sm);
2898 void wpa_tdls_disassoc(struct wpa_sm *sm)
2900 wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2901 wpa_tdls_remove_peers(sm);
2905 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
2907 /* bit 38 - TDLS Prohibited */
2908 return !!(elems->ext_capab[2 + 4] & 0x40);
2912 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
2914 /* bit 39 - TDLS Channel Switch Prohibited */
2915 return !!(elems->ext_capab[2 + 4] & 0x80);
2919 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2921 struct ieee802_11_elems elems;
2923 sm->tdls_prohibited = 0;
2924 sm->tdls_chan_switch_prohibited = 0;
2927 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2928 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2931 sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
2932 wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2933 sm->tdls_prohibited ? "prohibited" : "allowed");
2934 sm->tdls_chan_switch_prohibited =
2935 wpa_tdls_chan_switch_prohibited(&elems);
2936 wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
2937 sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
2941 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2943 struct ieee802_11_elems elems;
2946 ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2947 elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
2950 if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
2951 wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
2952 "(Re)Association Response IEs");
2953 sm->tdls_prohibited = 1;
2956 if (!sm->tdls_chan_switch_prohibited &&
2957 wpa_tdls_chan_switch_prohibited(&elems)) {
2958 wpa_printf(MSG_DEBUG,
2959 "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
2960 sm->tdls_chan_switch_prohibited = 1;
2965 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
2967 wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
2968 sm->tdls_disabled = !enabled;
2972 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
2974 return sm->tdls_external_setup;
2978 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
2980 struct hostapd_freq_params *freq_params)
2982 struct wpa_tdls_peer *peer;
2985 if (sm->tdls_disabled || !sm->tdls_supported)
2988 if (!sm->tdls_chan_switch) {
2989 wpa_printf(MSG_DEBUG,
2990 "TDLS: Channel switching not supported by the driver");
2994 if (sm->tdls_chan_switch_prohibited) {
2995 wpa_printf(MSG_DEBUG,
2996 "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3000 for (peer = sm->tdls; peer; peer = peer->next) {
3001 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3005 if (peer == NULL || !peer->tpk_success) {
3006 wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
3007 " not found for channel switching", MAC2STR(addr));
3011 if (peer->chan_switch_enabled) {
3012 wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
3013 " already has channel switching enabled",
3018 ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3019 oper_class, freq_params);
3021 peer->chan_switch_enabled = 1;
3027 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3029 struct wpa_tdls_peer *peer;
3031 if (sm->tdls_disabled || !sm->tdls_supported)
3034 for (peer = sm->tdls; peer; peer = peer->next) {
3035 if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3039 if (!peer || !peer->chan_switch_enabled) {
3040 wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3041 MACSTR, MAC2STR(addr));
3045 /* ignore the return value */
3046 wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3048 peer->chan_switch_enabled = 0;