wpa_supplicant: Initial Revision 0.8.X
Based on:
commit 0725cc7b7efc434910e89865c42eda7ce61bbf08
Author: Jouni Malinen <j@w1.fi>
Date: Thu Apr 21 20:41:01 2011 +0300
Enable CONFIG_DRIVER_NL80211=y in the default configuration
nl80211 should be preferred over WEXT with any recent Linux
kernel version.
Change-Id: I26aec5afbbd4f4a1f5fd900912545b6f5050de64
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
new file mode 100644
index 0000000..e751867
--- /dev/null
+++ b/src/rsn_supp/tdls.c
@@ -0,0 +1,2069 @@
+/*
+ * wpa_supplicant - TDLS
+ * Copyright (c) 2010-2011, Atheros Communications
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Alternatively, this software may be distributed under the terms of BSD
+ * license.
+ *
+ * See README and COPYING for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "utils/os.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha256.h"
+#include "crypto/crypto.h"
+#include "crypto/aes_wrap.h"
+#include "rsn_supp/wpa.h"
+#include "rsn_supp/wpa_ie.h"
+#include "rsn_supp/wpa_i.h"
+#include "drivers/driver.h"
+#include "l2_packet/l2_packet.h"
+
+#ifdef CONFIG_TDLS_TESTING
+#define TDLS_TESTING_LONG_FRAME BIT(0)
+#define TDLS_TESTING_ALT_RSN_IE BIT(1)
+#define TDLS_TESTING_DIFF_BSSID BIT(2)
+#define TDLS_TESTING_SHORT_LIFETIME BIT(3)
+#define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
+#define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
+#define TDLS_TESTING_LONG_LIFETIME BIT(6)
+#define TDLS_TESTING_CONCURRENT_INIT BIT(7)
+#define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
+#define TDLS_TESTING_DECLINE_RESP BIT(9)
+#define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
+unsigned int tdls_testing = 0;
+#endif /* CONFIG_TDLS_TESTING */
+
+#define TPK_LIFETIME 43200 /* 12 hours */
+#define TPK_RETRY_COUNT 3
+#define TPK_TIMEOUT 5000 /* in milliseconds */
+
+#define TDLS_MIC_LEN 16
+
+#define TDLS_TIMEOUT_LEN 4
+
+struct wpa_tdls_ftie {
+ u8 ie_type; /* FTIE */
+ u8 ie_len;
+ u8 mic_ctrl[2];
+ u8 mic[TDLS_MIC_LEN];
+ u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
+ u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
+ /* followed by optional elements */
+} STRUCT_PACKED;
+
+struct wpa_tdls_timeoutie {
+ u8 ie_type; /* Timeout IE */
+ u8 ie_len;
+ u8 interval_type;
+ u8 value[TDLS_TIMEOUT_LEN];
+} STRUCT_PACKED;
+
+struct wpa_tdls_lnkid {
+ u8 ie_type; /* Link Identifier IE */
+ u8 ie_len;
+ u8 bssid[ETH_ALEN];
+ u8 init_sta[ETH_ALEN];
+ u8 resp_sta[ETH_ALEN];
+} STRUCT_PACKED;
+
+/* TDLS frame headers as per IEEE Std 802.11z-2010 */
+struct wpa_tdls_frame {
+ u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
+ u8 category; /* Category */
+ u8 action; /* Action (enum tdls_frame_type) */
+} STRUCT_PACKED;
+
+static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
+static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
+static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
+
+
+#define TDLS_MAX_IE_LEN 80
+struct wpa_tdls_peer {
+ struct wpa_tdls_peer *next;
+ int initiator; /* whether this end was initiator for TDLS setup */
+ u8 addr[ETH_ALEN]; /* other end MAC address */
+ u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
+ u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
+ u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
+ size_t rsnie_i_len;
+ u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
+ size_t rsnie_p_len;
+ u32 lifetime;
+ int cipher; /* Selected cipher (WPA_CIPHER_*) */
+ u8 dtoken;
+
+ struct tpk {
+ u8 kck[16]; /* TPK-KCK */
+ u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ } tpk;
+ int tpk_set;
+ int tpk_success;
+
+ struct tpk_timer {
+ u8 dest[ETH_ALEN];
+ int count; /* Retry Count */
+ int timer; /* Timeout in milliseconds */
+ u8 action_code; /* TDLS frame type */
+ u8 dialog_token;
+ u16 status_code;
+ int buf_len; /* length of TPK message for retransmission */
+ u8 *buf; /* buffer for TPK message */
+ } sm_tmr;
+};
+
+
+static int wpa_tdls_get_privacy(struct wpa_sm *sm)
+{
+ /*
+ * Get info needed from supplicant to check if the current BSS supports
+ * security. Other than OPEN mode, rest are considered secured
+ * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
+ */
+ return sm->pairwise_cipher != WPA_CIPHER_NONE;
+}
+
+
+static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
+{
+ os_memcpy(pos, ie, ie_len);
+ return pos + ie_len;
+}
+
+
+static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+{
+ if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
+ 0, 0, NULL, 0, NULL, 0) < 0) {
+ wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
+ "the driver");
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+{
+ u8 key_len;
+ u8 rsc[6];
+ enum wpa_alg alg;
+
+ os_memset(rsc, 0, 6);
+
+ switch (peer->cipher) {
+ case WPA_CIPHER_CCMP:
+ alg = WPA_ALG_CCMP;
+ key_len = 16;
+ break;
+ case WPA_CIPHER_NONE:
+ wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
+ "NONE - do not use pairwise keys");
+ return -1;
+ default:
+ wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
+ sm->pairwise_cipher);
+ return -1;
+ }
+
+ if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ "driver");
+ return -1;
+ }
+ return 0;
+}
+
+
+static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
+ u8 action_code, u8 dialog_token,
+ u16 status_code, const u8 *buf, size_t len)
+{
+ return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
+ status_code, buf, len);
+}
+
+
+static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
+ u8 dialog_token, u16 status_code,
+ const u8 *msg, size_t msg_len)
+{
+ struct wpa_tdls_peer *peer;
+
+ wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
+ "dialog_token=%u status_code=%u msg_len=%u",
+ MAC2STR(dest), action_code, dialog_token, status_code,
+ (unsigned int) msg_len);
+
+ if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
+ status_code, msg, msg_len)) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to send message "
+ "(action_code=%u)", action_code);
+ return -1;
+ }
+
+ if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
+ action_code == WLAN_TDLS_TEARDOWN)
+ return 0; /* No retries */
+
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
+ break;
+ }
+
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
+ "retry " MACSTR, MAC2STR(dest));
+ return 0;
+ }
+
+ eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
+
+ peer->sm_tmr.count = TPK_RETRY_COUNT;
+ peer->sm_tmr.timer = TPK_TIMEOUT;
+
+ /* Copy message to resend on timeout */
+ os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
+ peer->sm_tmr.action_code = action_code;
+ peer->sm_tmr.dialog_token = dialog_token;
+ peer->sm_tmr.status_code = status_code;
+ peer->sm_tmr.buf_len = msg_len;
+ os_free(peer->sm_tmr.buf);
+ peer->sm_tmr.buf = os_malloc(msg_len);
+ if (peer->sm_tmr.buf == NULL)
+ return -1;
+ os_memcpy(peer->sm_tmr.buf, msg, msg_len);
+
+ wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
+ "(action_code=%u)", action_code);
+ eloop_register_timeout(peer->sm_tmr.timer / 1000, 0,
+ wpa_tdls_tpk_retry_timeout, sm, peer);
+ return 0;
+}
+
+
+static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
+{
+
+ struct wpa_sm *sm = eloop_ctx;
+ struct wpa_tdls_peer *peer = timeout_ctx;
+
+ if (peer->sm_tmr.count) {
+ peer->sm_tmr.count--;
+ peer->sm_tmr.timer = TPK_TIMEOUT;
+
+ wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
+ "(action_code=%u)",
+ peer->sm_tmr.action_code);
+
+ if (peer->sm_tmr.buf == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
+ "for action_code=%u",
+ peer->sm_tmr.action_code);
+ eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
+ peer);
+ return;
+ }
+
+ /* resend TPK Handshake Message to Peer */
+ if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
+ peer->sm_tmr.action_code,
+ peer->sm_tmr.dialog_token,
+ peer->sm_tmr.status_code,
+ peer->sm_tmr.buf,
+ peer->sm_tmr.buf_len)) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to retry "
+ "transmission");
+ }
+
+ eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
+ eloop_register_timeout(peer->sm_tmr.timer / 1000, 0,
+ wpa_tdls_tpk_retry_timeout, sm, peer);
+ } else {
+ wpa_printf(MSG_INFO, "Sending Tear_Down Request");
+ wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
+
+ wpa_printf(MSG_INFO, "Clearing SM: Peerkey(" MACSTR ")",
+ MAC2STR(peer->addr));
+ eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
+
+ /* clear the Peerkey statemachine */
+ wpa_tdls_peer_free(sm, peer);
+ }
+}
+
+
+static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
+ struct wpa_tdls_peer *peer,
+ u8 action_code)
+{
+ if (action_code == peer->sm_tmr.action_code) {
+ wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
+ "action_code=%u", action_code);
+
+ /* Cancel Timeout registered */
+ eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
+
+ /* free all resources meant for retry */
+ os_free(peer->sm_tmr.buf);
+ peer->sm_tmr.buf = NULL;
+
+ peer->sm_tmr.count = 0;
+ peer->sm_tmr.timer = 0;
+ peer->sm_tmr.buf_len = 0;
+ peer->sm_tmr.action_code = 0xff;
+ } else {
+ wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
+ "(Unknown action_code=%u)", action_code);
+ }
+}
+
+
+static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
+ const u8 *own_addr, const u8 *bssid)
+{
+ u8 key_input[SHA256_MAC_LEN];
+ const u8 *nonce[2];
+ size_t len[2];
+ u8 data[3 * ETH_ALEN];
+
+ /* IEEE Std 802.11z-2010 8.5.9.1:
+ * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
+ */
+ len[0] = WPA_NONCE_LEN;
+ len[1] = WPA_NONCE_LEN;
+ if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
+ nonce[0] = peer->inonce;
+ nonce[1] = peer->rnonce;
+ } else {
+ nonce[0] = peer->rnonce;
+ nonce[1] = peer->inonce;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
+ wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
+ sha256_vector(2, nonce, len, key_input);
+ wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
+ key_input, SHA256_MAC_LEN);
+
+ /*
+ * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
+ * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
+ * TODO: is N_KEY really included in KDF Context and if so, in which
+ * presentation format (little endian 16-bit?) is it used? It gets
+ * added by the KDF anyway..
+ */
+
+ if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
+ os_memcpy(data, own_addr, ETH_ALEN);
+ os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
+ } else {
+ os_memcpy(data, peer->addr, ETH_ALEN);
+ os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
+ }
+ os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
+ wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
+
+ sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
+ (u8 *) &peer->tpk, sizeof(peer->tpk));
+ wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
+ peer->tpk.kck, sizeof(peer->tpk.kck));
+ wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
+ peer->tpk.tk, sizeof(peer->tpk.tk));
+ peer->tpk_set = 1;
+}
+
+
+/**
+ * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
+ * @kck: TPK-KCK
+ * @lnkid: Pointer to the beginning of Link Identifier IE
+ * @rsnie: Pointer to the beginning of RSN IE used for handshake
+ * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
+ * @ftie: Pointer to the beginning of FT IE
+ * @mic: Pointer for writing MIC
+ *
+ * Calculate MIC for TDLS frame.
+ */
+static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
+ const u8 *rsnie, const u8 *timeoutie,
+ const u8 *ftie, u8 *mic)
+{
+ u8 *buf, *pos;
+ struct wpa_tdls_ftie *_ftie;
+ const struct wpa_tdls_lnkid *_lnkid;
+ int ret;
+ int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
+ 2 + timeoutie[1] + 2 + ftie[1];
+ buf = os_zalloc(len);
+ if (!buf) {
+ wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
+ return -1;
+ }
+
+ pos = buf;
+ _lnkid = (const struct wpa_tdls_lnkid *) lnkid;
+ /* 1) TDLS initiator STA MAC address */
+ os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
+ pos += ETH_ALEN;
+ /* 2) TDLS responder STA MAC address */
+ os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
+ pos += ETH_ALEN;
+ /* 3) Transaction Sequence number */
+ *pos++ = trans_seq;
+ /* 4) Link Identifier IE */
+ os_memcpy(pos, lnkid, 2 + lnkid[1]);
+ pos += 2 + lnkid[1];
+ /* 5) RSN IE */
+ os_memcpy(pos, rsnie, 2 + rsnie[1]);
+ pos += 2 + rsnie[1];
+ /* 6) Timeout Interval IE */
+ os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
+ pos += 2 + timeoutie[1];
+ /* 7) FTIE, with the MIC field of the FTIE set to 0 */
+ os_memcpy(pos, ftie, 2 + ftie[1]);
+ _ftie = (struct wpa_tdls_ftie *) pos;
+ os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
+ pos += 2 + ftie[1];
+
+ wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
+ wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
+ ret = omac1_aes_128(kck, buf, pos - buf, mic);
+ os_free(buf);
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
+ return ret;
+}
+
+
+/**
+ * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
+ * @kck: TPK-KCK
+ * @trans_seq: Transaction Sequence Number (4 - Teardown)
+ * @rcode: Reason code for Teardown
+ * @dtoken: Dialog Token used for that particular link
+ * @lnkid: Pointer to the beginning of Link Identifier IE
+ * @ftie: Pointer to the beginning of FT IE
+ * @mic: Pointer for writing MIC
+ *
+ * Calculate MIC for TDLS frame.
+ */
+static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
+ u8 dtoken, const u8 *lnkid,
+ const u8 *ftie, u8 *mic)
+{
+ u8 *buf, *pos;
+ struct wpa_tdls_ftie *_ftie;
+ int ret;
+ int len;
+
+ if (lnkid == NULL)
+ return -1;
+
+ len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
+ sizeof(trans_seq) + 2 + ftie[1];
+
+ buf = os_zalloc(len);
+ if (!buf) {
+ wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
+ return -1;
+ }
+
+ pos = buf;
+ /* 1) Link Identifier IE */
+ os_memcpy(pos, lnkid, 2 + lnkid[1]);
+ pos += 2 + lnkid[1];
+ /* 2) Reason Code */
+ WPA_PUT_LE16(pos, rcode);
+ pos += sizeof(rcode);
+ /* 3) Dialog token */
+ *pos++ = dtoken;
+ /* 4) Transaction Sequence number */
+ *pos++ = trans_seq;
+ /* 7) FTIE, with the MIC field of the FTIE set to 0 */
+ os_memcpy(pos, ftie, 2 + ftie[1]);
+ _ftie = (struct wpa_tdls_ftie *) pos;
+ os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
+ pos += 2 + ftie[1];
+
+ wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
+ wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
+ ret = omac1_aes_128(kck, buf, pos - buf, mic);
+ os_free(buf);
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
+ return ret;
+}
+
+
+static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
+ struct wpa_tdls_peer *peer,
+ const u8 *lnkid, const u8 *timeoutie,
+ const struct wpa_tdls_ftie *ftie)
+{
+ u8 mic[16];
+
+ if (peer->tpk_set) {
+ wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
+ peer->rsnie_p, timeoutie, (u8 *) ftie,
+ mic);
+ if (os_memcmp(mic, ftie->mic, 16) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
+ "dropping packet");
+ wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
+ ftie->mic, 16);
+ wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
+ mic, 16);
+ return -1;
+ }
+ } else {
+ wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
+ "TPK not set - dropping packet");
+ return -1;
+ }
+ return 0;
+}
+
+
+static int wpa_supplicant_verify_tdls_mic_teardown(
+ u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
+ const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
+{
+ u8 mic[16];
+
+ if (peer->tpk_set) {
+ wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
+ dtoken, lnkid, (u8 *) ftie, mic);
+ if (os_memcmp(mic, ftie->mic, 16) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
+ "dropping packet");
+ return -1;
+ }
+ } else {
+ wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
+ "MIC, TPK not set - dropping packet");
+ return -1;
+ }
+ return 0;
+}
+
+
+static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
+{
+ struct wpa_sm *sm = eloop_ctx;
+ struct wpa_tdls_peer *peer = timeout_ctx;
+
+ /*
+ * On TPK lifetime expiration, we have an option of either tearing down
+ * the direct link or trying to re-initiate it. The selection of what
+ * to do is not strictly speaking controlled by our role in the expired
+ * link, but for now, use that to select whether to renew or tear down
+ * the link.
+ */
+
+ if (peer->initiator) {
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
+ " - try to renew", MAC2STR(peer->addr));
+ wpa_tdls_start(sm, peer->addr);
+ } else {
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
+ " - tear down", MAC2STR(peer->addr));
+ wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
+ }
+}
+
+
+static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+{
+ wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
+ MAC2STR(peer->addr));
+ eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
+ eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
+ peer->initiator = 0;
+ os_free(peer->sm_tmr.buf);
+ peer->sm_tmr.buf = NULL;
+ peer->rsnie_i_len = peer->rsnie_p_len = 0;
+ peer->cipher = 0;
+ peer->tpk_set = peer->tpk_success = 0;
+ os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+ os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
+}
+
+
+static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ struct wpa_tdls_lnkid *lnkid)
+{
+ lnkid->ie_type = WLAN_EID_LINK_ID;
+ lnkid->ie_len = 3 * ETH_ALEN;
+ os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
+ if (peer->initiator) {
+ os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
+ os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
+ } else {
+ os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
+ os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
+ }
+}
+
+
+int wpa_tdls_recv_teardown_notify(struct wpa_sm *sm, const u8 *addr,
+ u16 reason_code)
+{
+ struct wpa_tdls_peer *peer;
+ struct wpa_tdls_ftie *ftie;
+ struct wpa_tdls_lnkid lnkid;
+ u8 dialog_token;
+ u8 *rbuf, *pos;
+ int ielen;
+
+ if (sm->tdls_disabled)
+ return -1;
+
+ /* Find the node and free from the list */
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
+ break;
+ }
+
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
+ "Teardown " MACSTR, MAC2STR(addr));
+ return 0;
+ }
+
+ dialog_token = peer->dtoken;
+
+ wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
+ MAC2STR(addr));
+
+ ielen = 0;
+ if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
+ /* To add FTIE for Teardown request and compute MIC */
+ ielen += sizeof(*ftie);
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME)
+ ielen += 170;
+#endif /* CONFIG_TDLS_TESTING */
+ }
+
+ rbuf = os_zalloc(ielen + 1);
+ if (rbuf == NULL)
+ return -1;
+ pos = rbuf;
+
+ if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
+ goto skip_ies;
+
+ ftie = (struct wpa_tdls_ftie *) pos;
+ ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
+ /* Using the recent nonce which should be for CONFIRM frame */
+ os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
+ os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+ ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
+ pos = (u8 *) (ftie + 1);
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
+ "FTIE");
+ ftie->ie_len += 170;
+ *pos++ = 255; /* FTIE subelem */
+ *pos++ = 168; /* FTIE subelem length */
+ }
+#endif /* CONFIG_TDLS_TESTING */
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
+ (u8 *) ftie, sizeof(*ftie));
+
+ /* compute MIC before sending */
+ wpa_tdls_linkid(sm, peer, &lnkid);
+ wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
+ dialog_token, (u8 *) &lnkid, (u8 *) ftie,
+ ftie->mic);
+
+skip_ies:
+ /* TODO: register for a Timeout handler, if Teardown is not received at
+ * the other end, then try again another time */
+
+ /* request driver to send Teardown using this FTIE */
+ wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
+ WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED, rbuf,
+ pos - rbuf);
+ os_free(rbuf);
+
+ /* clear the Peerkey statemachine */
+ wpa_tdls_peer_free(sm, peer);
+
+ return 0;
+}
+
+
+static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
+ const u8 *buf, size_t len)
+{
+ struct wpa_tdls_peer *peer = NULL;
+ struct wpa_tdls_ftie *ftie;
+ struct wpa_tdls_lnkid *lnkid;
+ struct wpa_eapol_ie_parse kde;
+ u16 reason_code;
+ const u8 *pos;
+ int ielen;
+
+ /* Find the node and free from the list */
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
+ break;
+ }
+
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
+ "Teardown " MACSTR, MAC2STR(src_addr));
+ return 0;
+ }
+
+ pos = buf;
+ pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
+
+ reason_code = WPA_GET_LE16(pos);
+ pos += 2;
+
+ wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
+ " (reason code %u)", MAC2STR(src_addr), reason_code);
+
+ ielen = len - (pos - buf); /* start of IE in buf */
+ if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in Teardown");
+ return -1;
+ }
+
+ if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
+ wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
+ "Teardown");
+ return -1;
+ }
+ lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
+
+ if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
+ goto skip_ftie;
+
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
+ wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
+ return -1;
+ }
+
+ ftie = (struct wpa_tdls_ftie *) kde.ftie;
+
+ /* Process MIC check to see if TDLS Teardown is right */
+ if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
+ peer->dtoken, peer,
+ (u8 *) lnkid, ftie) < 0) {
+ wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
+ "Teardown Request from " MACSTR, MAC2STR(src_addr));
+ return -1;
+ }
+
+skip_ftie:
+ /*
+ * Request the driver to disable the direct link and clear associated
+ * keys.
+ */
+ wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
+
+ /* clear the Peerkey statemachine */
+ wpa_tdls_peer_free(sm, peer);
+
+ return 0;
+}
+
+
+/**
+ * wpa_tdls_send_error - To send suitable TDLS status response with
+ * appropriate status code mentioning reason for error/failure.
+ * @dst - MAC addr of Peer station
+ * @tdls_action - TDLS frame type for which error code is sent
+ * @status - status code mentioning reason
+ */
+
+static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
+ u8 tdls_action, u8 dialog_token, u16 status)
+{
+ wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
+ " (action=%u status=%u)",
+ MAC2STR(dst), tdls_action, status);
+ return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
+ NULL, 0);
+}
+
+
+static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
+ struct wpa_tdls_peer *peer)
+{
+ size_t buf_len;
+ struct wpa_tdls_timeoutie timeoutie;
+ u16 rsn_capab;
+ struct wpa_tdls_ftie *ftie;
+ u8 *rbuf, *pos, *count_pos;
+ u16 count;
+ struct rsn_ie_hdr *hdr;
+
+ if (!wpa_tdls_get_privacy(sm)) {
+ wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
+ peer->rsnie_i_len = 0;
+ goto skip_rsnie;
+ }
+
+ /*
+ * TPK Handshake Message 1:
+ * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
+ * Timeout Interval IE))
+ */
+
+ /* Filling RSN IE */
+ hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
+ hdr->elem_id = WLAN_EID_RSN;
+ WPA_PUT_LE16(hdr->version, RSN_VERSION);
+
+ pos = (u8 *) (hdr + 1);
+ RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
+ pos += RSN_SELECTOR_LEN;
+ count_pos = pos;
+ pos += 2;
+
+ count = 0;
+
+ /*
+ * AES-CCMP is the default Encryption preferred for TDLS, so
+ * RSN IE is filled only with CCMP CIPHER
+ * Note: TKIP is not used to encrypt TDLS link.
+ *
+ * Regardless of the cipher used on the AP connection, select CCMP
+ * here.
+ */
+ RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
+ pos += RSN_SELECTOR_LEN;
+ count++;
+
+ WPA_PUT_LE16(count_pos, count);
+
+ WPA_PUT_LE16(pos, 1);
+ pos += 2;
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
+ pos += RSN_SELECTOR_LEN;
+
+ rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
+ rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
+ wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
+ "testing");
+ rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+ WPA_PUT_LE16(pos, rsn_capab);
+ pos += 2;
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
+ /* Number of PMKIDs */
+ *pos++ = 0x00;
+ *pos++ = 0x00;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ hdr->len = (pos - peer->rsnie_i) - 2;
+ peer->rsnie_i_len = pos - peer->rsnie_i;
+ wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
+ peer->rsnie_i, peer->rsnie_i_len);
+
+skip_rsnie:
+ buf_len = 0;
+ if (wpa_tdls_get_privacy(sm))
+ buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
+ sizeof(struct wpa_tdls_timeoutie);
+#ifdef CONFIG_TDLS_TESTING
+ if (wpa_tdls_get_privacy(sm) &&
+ (tdls_testing & TDLS_TESTING_LONG_FRAME))
+ buf_len += 170;
+ if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
+ buf_len += sizeof(struct wpa_tdls_lnkid);
+#endif /* CONFIG_TDLS_TESTING */
+ rbuf = os_zalloc(buf_len + 1);
+ if (rbuf == NULL) {
+ wpa_tdls_peer_free(sm, peer);
+ return -1;
+ }
+ pos = rbuf;
+
+ if (!wpa_tdls_get_privacy(sm))
+ goto skip_ies;
+
+ /* Initiator RSN IE */
+ pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
+
+ ftie = (struct wpa_tdls_ftie *) pos;
+ ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
+ ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
+
+ if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ "TDLS: Failed to get random data for initiator Nonce");
+ os_free(rbuf);
+ wpa_tdls_peer_free(sm, peer);
+ return -1;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ peer->inonce, WPA_NONCE_LEN);
+ os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
+ (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
+
+ pos = (u8 *) (ftie + 1);
+
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
+ "FTIE");
+ ftie->ie_len += 170;
+ *pos++ = 255; /* FTIE subelem */
+ *pos++ = 168; /* FTIE subelem length */
+ pos += 168;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ /* Lifetime */
+ peer->lifetime = TPK_LIFETIME;
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
+ "lifetime");
+ peer->lifetime = 301;
+ }
+ if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
+ "lifetime");
+ peer->lifetime = 0xffffffff;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+ pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
+ sizeof(timeoutie), peer->lifetime);
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
+
+skip_ies:
+
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
+ "Link Identifier");
+ struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
+ wpa_tdls_linkid(sm, peer, l);
+ l->bssid[5] ^= 0x01;
+ pos += sizeof(*l);
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
+ "Handshake Message 1 (peer " MACSTR ")",
+ MAC2STR(peer->addr));
+
+ wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST, 0, 0,
+ rbuf, pos - rbuf);
+ os_free(rbuf);
+
+ return 0;
+}
+
+
+static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
+ const unsigned char *src_addr, u8 dtoken,
+ struct wpa_tdls_lnkid *lnkid,
+ const struct wpa_tdls_peer *peer)
+{
+ u8 *rbuf, *pos;
+ size_t buf_len;
+ u32 lifetime;
+ struct wpa_tdls_timeoutie timeoutie;
+ struct wpa_tdls_ftie *ftie;
+
+ buf_len = 0;
+ if (wpa_tdls_get_privacy(sm)) {
+ /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
+ * Lifetime */
+ buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
+ sizeof(struct wpa_tdls_timeoutie);
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME)
+ buf_len += 170;
+#endif /* CONFIG_TDLS_TESTING */
+ }
+
+ rbuf = os_zalloc(buf_len + 1);
+ if (rbuf == NULL)
+ return -1;
+ pos = rbuf;
+
+ if (!wpa_tdls_get_privacy(sm))
+ goto skip_ies;
+
+ /* Peer RSN IE */
+ pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
+
+ ftie = (struct wpa_tdls_ftie *) pos;
+ ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
+ /* TODO: ftie->mic_control to set 2-RESPONSE */
+ os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
+ os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+ ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
+ (u8 *) ftie, sizeof(*ftie));
+
+ pos = (u8 *) (ftie + 1);
+
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
+ "FTIE");
+ ftie->ie_len += 170;
+ *pos++ = 255; /* FTIE subelem */
+ *pos++ = 168; /* FTIE subelem length */
+ pos += 168;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ /* Lifetime */
+ lifetime = peer->lifetime;
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
+ "lifetime in response");
+ lifetime++;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+ pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
+ sizeof(timeoutie), lifetime);
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
+ lifetime);
+
+ /* compute MIC before sending */
+ wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
+ (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
+
+skip_ies:
+ wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
+ rbuf, pos - rbuf);
+ os_free(rbuf);
+
+ return 0;
+}
+
+
+static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
+ const unsigned char *src_addr, u8 dtoken,
+ struct wpa_tdls_lnkid *lnkid,
+ const struct wpa_tdls_peer *peer)
+{
+ u8 *rbuf, *pos;
+ size_t buf_len;
+ struct wpa_tdls_ftie *ftie;
+ struct wpa_tdls_timeoutie timeoutie;
+ u32 lifetime;
+
+ buf_len = 0;
+ if (wpa_tdls_get_privacy(sm)) {
+ /* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
+ * Lifetime */
+ buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
+ sizeof(struct wpa_tdls_timeoutie);
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME)
+ buf_len += 170;
+#endif /* CONFIG_TDLS_TESTING */
+ }
+
+ rbuf = os_zalloc(buf_len + 1);
+ if (rbuf == NULL)
+ return -1;
+ pos = rbuf;
+
+ if (!wpa_tdls_get_privacy(sm))
+ goto skip_ies;
+
+ /* Peer RSN IE */
+ pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
+
+ ftie = (struct wpa_tdls_ftie *) pos;
+ ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
+ /*TODO: ftie->mic_control to set 3-CONFIRM */
+ os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
+ os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+ ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
+
+ pos = (u8 *) (ftie + 1);
+
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
+ "FTIE");
+ ftie->ie_len += 170;
+ *pos++ = 255; /* FTIE subelem */
+ *pos++ = 168; /* FTIE subelem length */
+ pos += 168;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ /* Lifetime */
+ lifetime = peer->lifetime;
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
+ "lifetime in confirm");
+ lifetime++;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+ pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
+ sizeof(timeoutie), lifetime);
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
+ lifetime);
+
+ /* compute MIC before sending */
+ wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
+ (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
+
+skip_ies:
+ wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 0,
+ rbuf, pos - rbuf);
+ os_free(rbuf);
+
+ return 0;
+}
+
+
+static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ const u8 *buf, size_t len)
+{
+ struct wpa_tdls_peer *peer;
+ struct wpa_eapol_ie_parse kde;
+ struct wpa_ie_data ie;
+ int cipher;
+ const u8 *cpos;
+ struct wpa_tdls_ftie *ftie = NULL;
+ struct wpa_tdls_timeoutie *timeoutie;
+ struct wpa_tdls_lnkid *lnkid;
+ u32 lifetime = 0;
+#if 0
+ struct rsn_ie_hdr *hdr;
+ u8 *pos;
+ u16 rsn_capab;
+ u16 rsn_ver;
+#endif
+ u8 dtoken;
+ u16 ielen;
+ u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ int tdls_prohibited = sm->tdls_prohibited;
+
+ if (len < 3 + 3)
+ return -1;
+
+ cpos = buf;
+ cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
+
+ /* driver had already verified the frame format */
+ dtoken = *cpos++; /* dialog token */
+
+ wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
+
+ cpos += 2; /* capability information */
+
+ ielen = len - (cpos - buf); /* start of IE in buf */
+ if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M1");
+ goto error;
+ }
+
+ if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
+ wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
+ "TPK M1");
+ goto error;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
+ kde.lnkid, kde.lnkid_len);
+ lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
+ if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
+ status = WLAN_STATUS_NOT_IN_SAME_BSS;
+ goto error;
+ }
+
+ wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
+ MAC2STR(src_addr));
+
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
+ break;
+ }
+ if (peer == NULL) {
+ peer = os_zalloc(sizeof(*peer));
+ if (peer == NULL)
+ goto error;
+ os_memcpy(peer->addr, src_addr, ETH_ALEN);
+ peer->next = sm->tdls;
+ sm->tdls = peer;
+ }
+ wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
+ "TDLS setup - send own request");
+ peer->initiator = 1;
+ wpa_tdls_send_tpk_m1(sm, peer);
+ }
+
+ if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
+ tdls_prohibited) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
+ "on TDLS");
+ tdls_prohibited = 0;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ if (tdls_prohibited) {
+ wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
+ status = WLAN_STATUS_REQUEST_DECLINED;
+ goto error;
+ }
+
+ if (!wpa_tdls_get_privacy(sm)) {
+ if (kde.rsn_ie) {
+ wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
+ "security is disabled");
+ status = WLAN_STATUS_SECURITY_DISABLED;
+ goto error;
+ }
+ goto skip_rsn;
+ }
+
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
+ kde.rsn_ie == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
+ status = WLAN_STATUS_INVALID_PARAMETERS;
+ goto error;
+ }
+
+ if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
+ wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
+ "TPK M1");
+ status = WLAN_STATUS_INVALID_RSNIE;
+ goto error;
+ }
+
+ if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
+ status = WLAN_STATUS_INVALID_RSNIE;
+ goto error;
+ }
+
+ cipher = ie.pairwise_cipher;
+ if (cipher & WPA_CIPHER_CCMP) {
+ wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
+ cipher = WPA_CIPHER_CCMP;
+ } else {
+ wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
+ status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
+ goto error;
+ }
+
+ if ((ie.capabilities &
+ (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
+ WPA_CAPABILITY_PEERKEY_ENABLED) {
+ wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
+ "TPK M1");
+ status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
+ goto error;
+ }
+
+ /* Lifetime */
+ if (kde.key_lifetime == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
+ status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
+ goto error;
+ }
+ timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
+ lifetime = WPA_GET_LE32(timeoutie->value);
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
+ if (lifetime < 300) {
+ wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
+ status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
+ goto error;
+ }
+
+skip_rsn:
+ /* Find existing entry and if found, use that instead of adding
+ * a new one; how to handle the case where both ends initiate at the
+ * same time? */
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
+ break;
+ }
+
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
+ "peer, creating one for " MACSTR,
+ MAC2STR(src_addr));
+ peer = os_malloc(sizeof(*peer));
+ if (peer == NULL)
+ goto error;
+ os_memset(peer, 0, sizeof(*peer));
+ os_memcpy(peer->addr, src_addr, ETH_ALEN);
+ peer->next = sm->tdls;
+ sm->tdls = peer;
+ } else {
+ if (peer->tpk_success) {
+ wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
+ "direct link is enabled - tear down the "
+ "old link first");
+#if 0
+ /* TODO: Disabling the link would be more proper
+ * operation here, but it seems to trigger a race with
+ * some drivers handling the new request frame. */
+ wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, src_addr);
+#else
+ wpa_tdls_del_key(sm, peer);
+#endif
+ wpa_tdls_peer_free(sm, peer);
+ }
+
+ /*
+ * An entry is already present, so check if we already sent a
+ * TDLS Setup Request. If so, compare MAC addresses and let the
+ * STA with the lower MAC address continue as the initiator.
+ * The other negotiation is terminated.
+ */
+ if (peer->initiator) {
+ if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
+ wpa_printf(MSG_DEBUG, "TDLS: Discard request "
+ "from peer with higher address "
+ MACSTR, MAC2STR(src_addr));
+ return -1;
+ } else {
+ wpa_printf(MSG_DEBUG, "TDLS: Accept request "
+ "from peer with lower address "
+ MACSTR " (terminate previously "
+ "initiated negotiation",
+ MAC2STR(src_addr));
+ wpa_tdls_peer_free(sm, peer);
+ }
+ }
+ }
+
+ peer->initiator = 0; /* Need to check */
+ peer->dtoken = dtoken;
+
+ if (!wpa_tdls_get_privacy(sm)) {
+ peer->rsnie_i_len = 0;
+ peer->rsnie_p_len = 0;
+ peer->cipher = WPA_CIPHER_NONE;
+ goto skip_rsn_check;
+ }
+
+ ftie = (struct wpa_tdls_ftie *) kde.ftie;
+ os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
+ os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
+ peer->rsnie_i_len = kde.rsn_ie_len;
+ peer->cipher = cipher;
+
+ if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
+ wpa_msg(sm->ctx->ctx, MSG_WARNING,
+ "TDLS: Failed to get random data for responder nonce");
+ wpa_tdls_peer_free(sm, peer);
+ goto error;
+ }
+
+#if 0
+ /* get version info from RSNIE received from Peer */
+ hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
+ rsn_ver = WPA_GET_LE16(hdr->version);
+
+ /* use min(peer's version, out version) */
+ if (rsn_ver > RSN_VERSION)
+ rsn_ver = RSN_VERSION;
+
+ hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
+
+ hdr->elem_id = WLAN_EID_RSN;
+ WPA_PUT_LE16(hdr->version, rsn_ver);
+ pos = (u8 *) (hdr + 1);
+
+ RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
+ pos += RSN_SELECTOR_LEN;
+ /* Include only the selected cipher in pairwise cipher suite */
+ WPA_PUT_LE16(pos, 1);
+ pos += 2;
+ if (cipher == WPA_CIPHER_CCMP)
+ RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
+ pos += RSN_SELECTOR_LEN;
+
+ WPA_PUT_LE16(pos, 1);
+ pos += 2;
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
+ pos += RSN_SELECTOR_LEN;
+
+ rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
+ rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
+ WPA_PUT_LE16(pos, rsn_capab);
+ pos += 2;
+
+ hdr->len = (pos - peer->rsnie_p) - 2;
+ peer->rsnie_p_len = pos - peer->rsnie_p;
+#endif
+
+ /* temp fix: validation of RSNIE later */
+ os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
+ peer->rsnie_p_len = peer->rsnie_i_len;
+
+ wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
+ peer->rsnie_p, peer->rsnie_p_len);
+
+ peer->lifetime = lifetime;
+
+ wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
+
+skip_rsn_check:
+ wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
+ wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer);
+
+ return 0;
+
+error:
+ wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken,
+ status);
+ return -1;
+}
+
+
+static void wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+{
+ peer->tpk_success = 1;
+ eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
+ if (wpa_tdls_get_privacy(sm)) {
+ u32 lifetime = peer->lifetime;
+ /*
+ * Start the initiator process a bit earlier to avoid race
+ * condition with the responder sending teardown request.
+ */
+ if (lifetime > 3 && peer->initiator)
+ lifetime -= 3;
+ eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
+ sm, peer);
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - disable TPK "
+ "expiration");
+ eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
+ }
+#endif /* CONFIG_TDLS_TESTING */
+ }
+ wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
+}
+
+
+static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
+ const u8 *buf, size_t len)
+{
+ struct wpa_tdls_peer *peer;
+ struct wpa_eapol_ie_parse kde;
+ struct wpa_ie_data ie;
+ int cipher;
+ struct wpa_tdls_ftie *ftie;
+ struct wpa_tdls_timeoutie *timeoutie;
+ struct wpa_tdls_lnkid *lnkid;
+ u32 lifetime;
+ u8 dtoken;
+ int ielen;
+ u16 status;
+ const u8 *pos;
+
+ wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
+ "(Peer " MACSTR ")", MAC2STR(src_addr));
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
+ break;
+ }
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
+ "TPK M2: " MACSTR, MAC2STR(src_addr));
+ return -1;
+ }
+ wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
+
+ if (len < 3 + 2 + 1)
+ return -1;
+ pos = buf;
+ pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
+ status = WPA_GET_LE16(pos);
+ pos += 2 /* status code */;
+
+ if (status != WLAN_STATUS_SUCCESS) {
+ wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
+ status);
+ return -1;
+ }
+
+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+
+ /* TODO: need to verify dialog token matches here or in kernel */
+ dtoken = *pos++; /* dialog token */
+
+ wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
+
+ if (len < 3 + 2 + 1 + 2)
+ return -1;
+ pos += 2; /* capability information */
+
+ ielen = len - (pos - buf); /* start of IE in buf */
+ if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to parse IEs in TPK M2");
+ goto error;
+ }
+
+#ifdef CONFIG_TDLS_TESTING
+ if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
+ status = WLAN_STATUS_REQUEST_DECLINED;
+ goto error;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
+ wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
+ "TPK M2");
+ goto error;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
+ kde.lnkid, kde.lnkid_len);
+ lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
+
+ if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
+ status = WLAN_STATUS_NOT_IN_SAME_BSS;
+ goto error;
+ }
+
+ if (!wpa_tdls_get_privacy(sm)) {
+ peer->rsnie_p_len = 0;
+ peer->cipher = WPA_CIPHER_NONE;
+ goto skip_rsn;
+ }
+
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
+ kde.rsn_ie == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
+ status = WLAN_STATUS_INVALID_PARAMETERS;
+ goto error;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
+ kde.rsn_ie, kde.rsn_ie_len);
+
+ /*
+ * FIX: bitwise comparison of RSN IE is not the correct way of
+ * validation this. It can be different, but certain fields must
+ * match. Since we list only a single pairwise cipher in TPK M1, the
+ * memcmp is likely to work in most cases, though.
+ */
+ if (kde.rsn_ie_len != peer->rsnie_i_len ||
+ os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
+ "not match with RSN IE used in TPK M1");
+ wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
+ peer->rsnie_i, peer->rsnie_i_len);
+ wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
+ kde.rsn_ie, kde.rsn_ie_len);
+ status = WLAN_STATUS_INVALID_RSNIE;
+ goto error;
+ }
+
+ if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
+ status = WLAN_STATUS_INVALID_RSNIE;
+ goto error;
+ }
+
+ cipher = ie.pairwise_cipher;
+ if (cipher == WPA_CIPHER_CCMP) {
+ wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
+ cipher = WPA_CIPHER_CCMP;
+ } else {
+ wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
+ status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
+ goto error;
+ }
+
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
+ kde.ftie, sizeof(*ftie));
+ ftie = (struct wpa_tdls_ftie *) kde.ftie;
+
+ if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
+ wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
+ "not match with FTIE SNonce used in TPK M1");
+ /* Silently discard the frame */
+ return -1;
+ }
+
+ /* Responder Nonce and RSN IE */
+ os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
+ os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
+ peer->rsnie_p_len = kde.rsn_ie_len;
+ peer->cipher = cipher;
+
+ /* Lifetime */
+ if (kde.key_lifetime == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
+ status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
+ goto error;
+ }
+ timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
+ lifetime = WPA_GET_LE32(timeoutie->value);
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
+ lifetime);
+ if (lifetime != peer->lifetime) {
+ wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
+ "TPK M2 (expected %u)", lifetime, peer->lifetime);
+ status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
+ goto error;
+ }
+
+ wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
+
+ /* Process MIC check to see if TPK M2 is right */
+ if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
+ (u8 *) timeoutie, ftie) < 0) {
+ /* Discard the frame */
+ wpa_tdls_del_key(sm, peer);
+ wpa_tdls_peer_free(sm, peer);
+ return -1;
+ }
+
+ wpa_tdls_set_key(sm, peer);
+
+skip_rsn:
+ peer->dtoken = dtoken;
+
+ wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
+ "TPK Handshake Message 3");
+ wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer);
+
+ wpa_tdls_enable_link(sm, peer);
+
+ return 0;
+
+error:
+ wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken,
+ status);
+ return -1;
+}
+
+
+static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
+ const u8 *buf, size_t len)
+{
+ struct wpa_tdls_peer *peer;
+ struct wpa_eapol_ie_parse kde;
+ struct wpa_tdls_ftie *ftie;
+ struct wpa_tdls_timeoutie *timeoutie;
+ struct wpa_tdls_lnkid *lnkid;
+ int ielen;
+ u16 status;
+ const u8 *pos;
+ u32 lifetime;
+
+ wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
+ "(Peer " MACSTR ")", MAC2STR(src_addr));
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
+ break;
+ }
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
+ "TPK M3: " MACSTR, MAC2STR(src_addr));
+ return -1;
+ }
+ wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
+
+ if (len < 3 + 3)
+ return -1;
+ pos = buf;
+ pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
+
+ status = WPA_GET_LE16(pos);
+
+ if (status != 0) {
+ wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
+ status);
+ return -1;
+ }
+ pos += 2 /* status code */ + 1 /* dialog token */;
+
+ ielen = len - (pos - buf); /* start of IE in buf */
+ if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
+ wpa_printf(MSG_INFO, "TDLS: Failed to parse KDEs in TPK M3");
+ return -1;
+ }
+
+ if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
+ wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
+ return -1;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
+ (u8 *) kde.lnkid, kde.lnkid_len);
+ lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
+
+ if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
+ return -1;
+ }
+
+ if (!wpa_tdls_get_privacy(sm))
+ goto skip_rsn;
+
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
+ wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
+ return -1;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
+ kde.ftie, sizeof(*ftie));
+ ftie = (struct wpa_tdls_ftie *) kde.ftie;
+
+ if (kde.rsn_ie == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
+ return -1;
+ }
+ wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
+ kde.rsn_ie, kde.rsn_ie_len);
+ if (kde.rsn_ie_len != peer->rsnie_p_len ||
+ os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
+ wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
+ "with the one sent in TPK M2");
+ return -1;
+ }
+
+ if (!os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) == 0) {
+ wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
+ "not match with FTIE ANonce used in TPK M2");
+ return -1;
+ }
+
+ if (!os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) == 0) {
+ wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
+ "match with FTIE SNonce used in TPK M1");
+ return -1;
+ }
+
+ if (kde.key_lifetime == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
+ return -1;
+ }
+ timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
+ wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
+ (u8 *) timeoutie, sizeof(*timeoutie));
+ lifetime = WPA_GET_LE32(timeoutie->value);
+ wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
+ lifetime);
+ if (lifetime != peer->lifetime) {
+ wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
+ "TPK M3 (expected %u)", lifetime, peer->lifetime);
+ return -1;
+ }
+
+ if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
+ (u8 *) timeoutie, ftie) < 0) {
+ wpa_tdls_del_key(sm, peer);
+ wpa_tdls_peer_free(sm, peer);
+ return -1;
+ }
+
+ if (wpa_tdls_set_key(sm, peer) < 0)
+ return -1;
+
+skip_rsn:
+ wpa_tdls_enable_link(sm, peer);
+
+ return 0;
+}
+
+
+static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
+{
+ struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
+
+ os_memset(lifetime, 0, ie_len);
+ lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
+ lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
+ lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
+ WPA_PUT_LE32(lifetime->value, tsecs);
+ os_memcpy(pos, ie, ie_len);
+ return pos + ie_len;
+}
+
+
+/**
+ * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
+ * @sm: Pointer to WPA state machine data from wpa_sm_init()
+ * @peer: MAC address of the peer STA
+ * Returns: 0 on success, or -1 on failure
+ *
+ * Send TPK Handshake Message 1 info to driver to start TDLS
+ * handshake with the peer.
+ */
+int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
+{
+ struct wpa_tdls_peer *peer;
+ int tdls_prohibited = sm->tdls_prohibited;
+
+ if (sm->tdls_disabled)
+ return -1;
+
+#ifdef CONFIG_TDLS_TESTING
+ if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
+ tdls_prohibited) {
+ wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
+ "on TDLS");
+ tdls_prohibited = 0;
+ }
+#endif /* CONFIG_TDLS_TESTING */
+
+ if (tdls_prohibited) {
+ wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
+ "reject request to start setup");
+ return -1;
+ }
+
+ /* Find existing entry and if found, use that instead of adding
+ * a new one */
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
+ break;
+ }
+
+ if (peer == NULL) {
+ wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
+ "peer, creating one for " MACSTR, MAC2STR(addr));
+ peer = os_malloc(sizeof(*peer));
+ if (peer == NULL)
+ return -1;
+ os_memset(peer, 0, sizeof(*peer));
+ os_memcpy(peer->addr, addr, ETH_ALEN);
+ peer->next = sm->tdls;
+ sm->tdls = peer;
+ }
+
+ peer->initiator = 1;
+
+ return wpa_tdls_send_tpk_m1(sm, peer);
+}
+
+
+int wpa_tdls_reneg(struct wpa_sm *sm, const u8 *addr)
+{
+ struct wpa_tdls_peer *peer;
+
+ if (sm->tdls_disabled)
+ return -1;
+
+ for (peer = sm->tdls; peer; peer = peer->next) {
+ if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
+ break;
+ }
+
+ if (peer == NULL || !peer->tpk_success)
+ return -1;
+
+ return wpa_tdls_start(sm, addr);
+}
+
+
+/**
+ * wpa_supplicant_rx_tdls - Receive TDLS data frame
+ *
+ * This function is called to receive TDLS (ethertype = 0x890d) data frames.
+ */
+static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
+ const u8 *buf, size_t len)
+{
+ struct wpa_sm *sm = ctx;
+ struct wpa_tdls_frame *tf;
+
+ wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
+ buf, len);
+
+ if (sm->tdls_disabled) {
+ wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled");
+ return;
+ }
+
+ if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
+ wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
+ return;
+ }
+
+ if (len < sizeof(*tf)) {
+ wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
+ return;
+ }
+
+ /* Check to make sure its a valid encapsulated TDLS frame */
+ tf = (struct wpa_tdls_frame *) buf;
+ if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
+ tf->category != WLAN_ACTION_TDLS) {
+ wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
+ "category=%u action=%u",
+ tf->payloadtype, tf->category, tf->action);
+ return;
+ }
+
+ switch (tf->action) {
+ case WLAN_TDLS_SETUP_REQUEST:
+ wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
+ break;
+ case WLAN_TDLS_SETUP_RESPONSE:
+ wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
+ break;
+ case WLAN_TDLS_SETUP_CONFIRM:
+ wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
+ break;
+ case WLAN_TDLS_TEARDOWN:
+ wpa_tdls_recv_teardown(sm, src_addr, buf, len);
+ break;
+ default:
+ /* Kernel code will process remaining frames */
+ wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
+ tf->action);
+ break;
+ }
+}
+
+
+/**
+ * wpa_tdls_init - Initialize driver interface parameters for TDLS
+ * @wpa_s: Pointer to wpa_supplicant data
+ * Returns: 0 on success, -1 on failure
+ *
+ * This function is called to initialize driver interface parameters for TDLS.
+ * wpa_drv_init() must have been called before this function to initialize the
+ * driver interface.
+ */
+int wpa_tdls_init(struct wpa_sm *sm)
+{
+ if (sm == NULL)
+ return -1;
+
+ sm->l2_tdls = l2_packet_init(sm->ifname, sm->own_addr,
+ ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
+ sm, 0);
+ if (sm->l2_tdls == NULL) {
+ wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
+ "connection");
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static void wpa_tdls_remove_peers(struct wpa_sm *sm)
+{
+ struct wpa_tdls_peer *peer, *tmp;
+
+ peer = sm->tdls;
+ sm->tdls = NULL;
+
+ while (peer) {
+ int res;
+ tmp = peer->next;
+ res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
+ wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
+ MAC2STR(peer->addr), res);
+ wpa_tdls_peer_free(sm, peer);
+ os_free(peer);
+ peer = tmp;
+ }
+}
+
+
+/**
+ * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
+ *
+ * This function is called to recover driver interface parameters for TDLS
+ * and frees resources allocated for it.
+ */
+void wpa_tdls_deinit(struct wpa_sm *sm)
+{
+ if (sm == NULL)
+ return;
+
+ if (sm->l2_tdls)
+ l2_packet_deinit(sm->l2_tdls);
+ sm->l2_tdls = NULL;
+
+ wpa_tdls_remove_peers(sm);
+}
+
+
+void wpa_tdls_assoc(struct wpa_sm *sm)
+{
+ wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
+ wpa_tdls_remove_peers(sm);
+}
+
+
+void wpa_tdls_disassoc(struct wpa_sm *sm)
+{
+ wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
+ wpa_tdls_remove_peers(sm);
+}
+
+
+static int wpa_tdls_prohibited(const u8 *ies, size_t len)
+{
+ struct wpa_eapol_ie_parse elems;
+
+ if (ies == NULL)
+ return 0;
+
+ if (wpa_supplicant_parse_ies(ies, len, &elems) < 0)
+ return 0;
+
+ if (elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
+ return 0;
+
+ /* bit 38 - TDLS Prohibited */
+ return !!(elems.ext_capab[2 + 4] & 0x40);
+}
+
+
+void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
+{
+ sm->tdls_prohibited = wpa_tdls_prohibited(ies, len);
+ wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
+ sm->tdls_prohibited ? "prohibited" : "allowed");
+}
+
+
+void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
+{
+ if (!sm->tdls_prohibited && wpa_tdls_prohibited(ies, len)) {
+ wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
+ "(Re)Association Response IEs");
+ sm->tdls_prohibited = 1;
+ }
+}
+
+
+void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
+{
+ wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
+ sm->tdls_disabled = !enabled;
+}