2 * Received Data frame processing for TDLS packets
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "crypto/sha256.h"
13 #include "crypto/crypto.h"
14 #include "crypto/aes_wrap.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ieee802_11_common.h"
20 static struct wlantest_tdls
* get_tdls(struct wlantest
*wt
, const u8
*linkid
,
21 int create_new
, const u8
*bssid
)
23 struct wlantest_bss
*bss
;
24 struct wlantest_sta
*init
, *resp
;
25 struct wlantest_tdls
*tdls
;
27 bss
= bss_find(wt
, linkid
);
28 if (bss
== NULL
&& bssid
) {
29 bss
= bss_find(wt
, bssid
);
31 add_note(wt
, MSG_INFO
, "TDLS: Incorrect BSSID " MACSTR
32 " in LinkId?! (init=" MACSTR
" resp="
34 MAC2STR(linkid
), MAC2STR(linkid
+ ETH_ALEN
),
35 MAC2STR(linkid
+ 2 * ETH_ALEN
));
40 init
= sta_find(bss
, linkid
+ ETH_ALEN
);
44 resp
= sta_find(bss
, linkid
+ 2 * ETH_ALEN
);
48 dl_list_for_each(tdls
, &bss
->tdls
, struct wlantest_tdls
, list
) {
49 if (tdls
->init
== init
&& tdls
->resp
== resp
)
56 add_note(wt
, MSG_DEBUG
, "Add new TDLS link context: initiator " MACSTR
57 " responder " MACSTR
" BSSID " MACSTR
,
58 MAC2STR(linkid
+ ETH_ALEN
),
59 MAC2STR(linkid
+ 2 * ETH_ALEN
),
62 tdls
= os_zalloc(sizeof(*tdls
));
67 dl_list_add(&bss
->tdls
, &tdls
->list
);
72 static int tdls_derive_tpk(struct wlantest_tdls
*tdls
, const u8
*bssid
,
73 const u8
*ftie
, u8 ftie_len
)
75 const struct rsn_ftie
*f
;
76 u8 key_input
[SHA256_MAC_LEN
];
79 u8 data
[3 * ETH_ALEN
];
81 if (ftie
== NULL
|| ftie_len
< sizeof(struct rsn_ftie
))
84 f
= (const struct rsn_ftie
*) ftie
;
85 wpa_hexdump(MSG_DEBUG
, "TDLS ANonce", f
->anonce
, WPA_NONCE_LEN
);
86 wpa_hexdump(MSG_DEBUG
, "TDLS SNonce", f
->snonce
, WPA_NONCE_LEN
);
89 * IEEE Std 802.11z-2010 8.5.9.1:
90 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
92 len
[0] = WPA_NONCE_LEN
;
93 len
[1] = WPA_NONCE_LEN
;
94 if (os_memcmp(f
->anonce
, f
->snonce
, WPA_NONCE_LEN
) < 0) {
101 sha256_vector(2, nonce
, len
, key_input
);
102 wpa_hexdump_key(MSG_DEBUG
, "TDLS: TPK-Key-Input",
103 key_input
, SHA256_MAC_LEN
);
106 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
107 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
108 * TODO: is N_KEY really included in KDF Context and if so, in which
109 * presentation format (little endian 16-bit?) is it used? It gets
110 * added by the KDF anyway..
113 if (os_memcmp(tdls
->init
->addr
, tdls
->resp
->addr
, ETH_ALEN
) < 0) {
114 os_memcpy(data
, tdls
->init
->addr
, ETH_ALEN
);
115 os_memcpy(data
+ ETH_ALEN
, tdls
->resp
->addr
, ETH_ALEN
);
117 os_memcpy(data
, tdls
->resp
->addr
, ETH_ALEN
);
118 os_memcpy(data
+ ETH_ALEN
, tdls
->init
->addr
, ETH_ALEN
);
120 os_memcpy(data
+ 2 * ETH_ALEN
, bssid
, ETH_ALEN
);
121 wpa_hexdump(MSG_DEBUG
, "TDLS: KDF Context", data
, sizeof(data
));
123 sha256_prf(key_input
, SHA256_MAC_LEN
, "TDLS PMK", data
, sizeof(data
),
124 (u8
*) &tdls
->tpk
, sizeof(tdls
->tpk
));
125 wpa_hexdump_key(MSG_DEBUG
, "TDLS: TPK-KCK",
126 tdls
->tpk
.kck
, sizeof(tdls
->tpk
.kck
));
127 wpa_hexdump_key(MSG_DEBUG
, "TDLS: TPK-TK",
128 tdls
->tpk
.tk
, sizeof(tdls
->tpk
.tk
));
134 static int tdls_verify_mic(struct wlantest
*wt
, struct wlantest_tdls
*tdls
,
135 u8 trans_seq
, struct ieee802_11_elems
*elems
)
141 const struct rsn_ftie
*rx_ftie
;
142 struct rsn_ftie
*tmp_ftie
;
144 if (elems
->link_id
== NULL
|| elems
->rsn_ie
== NULL
||
145 elems
->timeout_int
== NULL
|| elems
->ftie
== NULL
||
146 elems
->ftie_len
< sizeof(struct rsn_ftie
))
149 len
= 2 * ETH_ALEN
+ 1 + 2 + 18 + 2 + elems
->rsn_ie_len
+
150 2 + 5 + 2 + elems
->ftie_len
;
152 buf
= os_zalloc(len
);
157 /* 1) TDLS initiator STA MAC address */
158 os_memcpy(pos
, elems
->link_id
+ ETH_ALEN
, ETH_ALEN
);
160 /* 2) TDLS responder STA MAC address */
161 os_memcpy(pos
, elems
->link_id
+ 2 * ETH_ALEN
, ETH_ALEN
);
163 /* 3) Transaction Sequence number */
165 /* 4) Link Identifier IE */
166 os_memcpy(pos
, elems
->link_id
- 2, 2 + 18);
169 os_memcpy(pos
, elems
->rsn_ie
- 2, 2 + elems
->rsn_ie_len
);
170 pos
+= 2 + elems
->rsn_ie_len
;
171 /* 6) Timeout Interval IE */
172 os_memcpy(pos
, elems
->timeout_int
- 2, 2 + 5);
174 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
175 os_memcpy(pos
, elems
->ftie
- 2, 2 + elems
->ftie_len
);
177 tmp_ftie
= (struct rsn_ftie
*) pos
;
178 os_memset(tmp_ftie
->mic
, 0, 16);
179 pos
+= elems
->ftie_len
;
181 wpa_hexdump(MSG_DEBUG
, "TDLS: Data for FTIE MIC", buf
, pos
- buf
);
182 wpa_hexdump_key(MSG_DEBUG
, "TDLS: KCK", tdls
->tpk
.kck
, 16);
183 ret
= omac1_aes_128(tdls
->tpk
.kck
, buf
, pos
- buf
, mic
);
187 wpa_hexdump(MSG_DEBUG
, "TDLS: FTIE MIC", mic
, 16);
188 rx_ftie
= (const struct rsn_ftie
*) elems
->ftie
;
190 if (os_memcmp(mic
, rx_ftie
->mic
, 16) == 0) {
191 add_note(wt
, MSG_DEBUG
, "TDLS: Valid MIC");
194 add_note(wt
, MSG_DEBUG
, "TDLS: Invalid MIC");
199 static void rx_data_tdls_setup_request(struct wlantest
*wt
, const u8
*bssid
,
200 const u8
*sta_addr
, const u8
*dst
,
202 const u8
*data
, size_t len
)
204 struct ieee802_11_elems elems
;
205 struct wlantest_tdls
*tdls
;
206 u8 linkid
[3 * ETH_ALEN
];
209 add_note(wt
, MSG_INFO
, "Too short TDLS Setup Request " MACSTR
210 " -> " MACSTR
, MAC2STR(src
), MAC2STR(dst
));
213 wpa_printf(MSG_DEBUG
, "TDLS Setup Request " MACSTR
" -> "
214 MACSTR
, MAC2STR(src
), MAC2STR(dst
));
216 if (ieee802_11_parse_elems(data
+ 3, len
- 3, &elems
, 1) ==
217 ParseFailed
|| elems
.link_id
== NULL
)
219 wpa_printf(MSG_DEBUG
, "TDLS Link Identifier: BSSID " MACSTR
220 " initiator STA " MACSTR
" responder STA " MACSTR
,
221 MAC2STR(elems
.link_id
), MAC2STR(elems
.link_id
+ ETH_ALEN
),
222 MAC2STR(elems
.link_id
+ 2 * ETH_ALEN
));
223 tdls
= get_tdls(wt
, elems
.link_id
, 1, bssid
);
225 tdls
->counters
[WLANTEST_TDLS_COUNTER_SETUP_REQ
]++;
226 tdls
->dialog_token
= data
[0];
227 if (elems
.ftie
&& elems
.ftie_len
>= sizeof(struct rsn_ftie
)) {
228 const struct rsn_ftie
*f
;
229 f
= (const struct rsn_ftie
*) elems
.ftie
;
230 os_memcpy(tdls
->inonce
, f
->snonce
, WPA_NONCE_LEN
);
234 /* Check whether reverse direction context exists already */
235 os_memcpy(linkid
, bssid
, ETH_ALEN
);
236 os_memcpy(linkid
+ ETH_ALEN
, dst
, ETH_ALEN
);
237 os_memcpy(linkid
+ 2 * ETH_ALEN
, src
, ETH_ALEN
);
238 tdls
= get_tdls(wt
, linkid
, 0, bssid
);
240 add_note(wt
, MSG_INFO
, "Reverse direction TDLS context exists");
244 static void rx_data_tdls_setup_response_failure(struct wlantest
*wt
,
247 u8 dialog_token
, u16 status
)
249 struct wlantest_bss
*bss
;
250 struct wlantest_tdls
*tdls
;
251 struct wlantest_sta
*sta
;
253 if (status
== WLAN_STATUS_SUCCESS
) {
254 add_note(wt
, MSG_INFO
, "TDLS: Invalid TDLS Setup Response from "
255 MACSTR
, MAC2STR(sta_addr
));
259 bss
= bss_find(wt
, bssid
);
262 sta
= sta_find(bss
, sta_addr
);
266 dl_list_for_each(tdls
, &bss
->tdls
, struct wlantest_tdls
, list
) {
267 if (tdls
->resp
== sta
) {
268 if (dialog_token
!= tdls
->dialog_token
) {
269 add_note(wt
, MSG_DEBUG
, "TDLS: Dialog token "
270 "mismatch in TDLS Setup Response "
274 add_note(wt
, MSG_DEBUG
, "TDLS: Found matching TDLS "
275 "setup session based on dialog token");
277 WLANTEST_TDLS_COUNTER_SETUP_RESP_FAIL
]++;
284 static void rx_data_tdls_setup_response(struct wlantest
*wt
, const u8
*bssid
,
285 const u8
*sta_addr
, const u8
*dst
,
287 const u8
*data
, size_t len
)
290 struct ieee802_11_elems elems
;
291 struct wlantest_tdls
*tdls
;
294 add_note(wt
, MSG_INFO
, "Too short TDLS Setup Response " MACSTR
295 " -> " MACSTR
, MAC2STR(src
), MAC2STR(dst
));
298 status
= WPA_GET_LE16(data
);
299 wpa_printf(MSG_DEBUG
, "TDLS Setup Response " MACSTR
" -> "
300 MACSTR
" (status %d)",
301 MAC2STR(src
), MAC2STR(dst
), status
);
302 if (len
< 5 && status
== 0) {
303 add_note(wt
, MSG_INFO
, "Too short TDLS Setup Response " MACSTR
304 " -> " MACSTR
, MAC2STR(src
), MAC2STR(dst
));
309 ieee802_11_parse_elems(data
+ 5, len
- 5, &elems
, 1) ==
310 ParseFailed
|| elems
.link_id
== NULL
) {
311 /* Need to match TDLS link based on Dialog Token */
312 rx_data_tdls_setup_response_failure(wt
, bssid
, sta_addr
,
316 wpa_printf(MSG_DEBUG
, "TDLS Link Identifier: BSSID " MACSTR
317 " initiator STA " MACSTR
" responder STA " MACSTR
,
318 MAC2STR(elems
.link_id
), MAC2STR(elems
.link_id
+ ETH_ALEN
),
319 MAC2STR(elems
.link_id
+ 2 * ETH_ALEN
));
321 tdls
= get_tdls(wt
, elems
.link_id
, 1, bssid
);
323 add_note(wt
, MSG_INFO
, "No match TDLS context found");
327 tdls
->counters
[WLANTEST_TDLS_COUNTER_SETUP_RESP_FAIL
]++;
329 tdls
->counters
[WLANTEST_TDLS_COUNTER_SETUP_RESP_OK
]++;
331 if (status
!= WLAN_STATUS_SUCCESS
)
334 if (elems
.ftie
&& elems
.ftie_len
>= sizeof(struct rsn_ftie
)) {
335 const struct rsn_ftie
*f
;
336 f
= (const struct rsn_ftie
*) elems
.ftie
;
337 if (os_memcmp(tdls
->inonce
, f
->snonce
, WPA_NONCE_LEN
) != 0) {
338 add_note(wt
, MSG_INFO
, "Mismatch in TDLS initiator "
341 os_memcpy(tdls
->rnonce
, f
->anonce
, WPA_NONCE_LEN
);
344 if (tdls_derive_tpk(tdls
, bssid
, elems
.ftie
, elems
.ftie_len
) < 1)
346 if (tdls_verify_mic(wt
, tdls
, 2, &elems
) == 0) {
347 tdls
->dialog_token
= data
[2];
348 add_note(wt
, MSG_DEBUG
, "TDLS: Dialog Token for the link: %u",
354 static void rx_data_tdls_setup_confirm_failure(struct wlantest
*wt
,
357 u8 dialog_token
, u16 status
)
359 struct wlantest_bss
*bss
;
360 struct wlantest_tdls
*tdls
;
361 struct wlantest_sta
*sta
;
363 if (status
== WLAN_STATUS_SUCCESS
) {
364 add_note(wt
, MSG_INFO
, "TDLS: Invalid TDLS Setup Confirm from "
365 MACSTR
, MAC2STR(src
));
369 bss
= bss_find(wt
, bssid
);
372 sta
= sta_find(bss
, src
);
376 dl_list_for_each(tdls
, &bss
->tdls
, struct wlantest_tdls
, list
) {
377 if (tdls
->init
== sta
) {
378 if (dialog_token
!= tdls
->dialog_token
) {
379 add_note(wt
, MSG_DEBUG
, "TDLS: Dialog token "
380 "mismatch in TDLS Setup Confirm "
384 add_note(wt
, MSG_DEBUG
, "TDLS: Found matching TDLS "
385 "setup session based on dialog token");
387 WLANTEST_TDLS_COUNTER_SETUP_CONF_FAIL
]++;
394 static void rx_data_tdls_setup_confirm(struct wlantest
*wt
, const u8
*bssid
,
395 const u8
*sta_addr
, const u8
*dst
,
397 const u8
*data
, size_t len
)
400 struct ieee802_11_elems elems
;
401 struct wlantest_tdls
*tdls
;
402 u8 link_id
[3 * ETH_ALEN
];
405 add_note(wt
, MSG_INFO
, "Too short TDLS Setup Confirm " MACSTR
406 " -> " MACSTR
, MAC2STR(src
), MAC2STR(dst
));
409 status
= WPA_GET_LE16(data
);
410 wpa_printf(MSG_DEBUG
, "TDLS Setup Confirm " MACSTR
" -> "
411 MACSTR
" (status %d)",
412 MAC2STR(src
), MAC2STR(dst
), status
);
414 if (ieee802_11_parse_elems(data
+ 3, len
- 3, &elems
, 1) ==
415 ParseFailed
|| elems
.link_id
== NULL
) {
416 /* Need to match TDLS link based on Dialog Token */
417 rx_data_tdls_setup_confirm_failure(wt
, bssid
, src
,
421 wpa_printf(MSG_DEBUG
, "TDLS Link Identifier: BSSID " MACSTR
422 " initiator STA " MACSTR
" responder STA " MACSTR
,
423 MAC2STR(elems
.link_id
), MAC2STR(elems
.link_id
+ ETH_ALEN
),
424 MAC2STR(elems
.link_id
+ 2 * ETH_ALEN
));
426 tdls
= get_tdls(wt
, elems
.link_id
, 1, bssid
);
430 tdls
->counters
[WLANTEST_TDLS_COUNTER_SETUP_CONF_FAIL
]++;
432 tdls
->counters
[WLANTEST_TDLS_COUNTER_SETUP_CONF_OK
]++;
434 if (status
!= WLAN_STATUS_SUCCESS
)
437 if (elems
.ftie
&& elems
.ftie_len
>= sizeof(struct rsn_ftie
)) {
438 const struct rsn_ftie
*f
;
439 f
= (const struct rsn_ftie
*) elems
.ftie
;
440 if (os_memcmp(tdls
->inonce
, f
->snonce
, WPA_NONCE_LEN
) != 0) {
441 add_note(wt
, MSG_INFO
, "Mismatch in TDLS initiator "
444 if (os_memcmp(tdls
->rnonce
, f
->anonce
, WPA_NONCE_LEN
) != 0) {
445 add_note(wt
, MSG_INFO
, "Mismatch in TDLS responder "
451 if (tdls_derive_tpk(tdls
, bssid
, elems
.ftie
, elems
.ftie_len
) < 1) {
452 if (elems
.ftie
== NULL
)
456 if (tdls_verify_mic(wt
, tdls
, 3, &elems
) == 0) {
457 tdls
->dialog_token
= data
[2];
458 add_note(wt
, MSG_DEBUG
, "TDLS: Link up - Dialog Token: %u",
464 * The TDLS link itself is bidirectional, but there are explicit
465 * initiator/responder roles. Remove the other direction of the link
466 * (if it exists) to make sure that the link counters are stored for
467 * the current TDLS entry.
469 os_memcpy(link_id
, elems
.link_id
, ETH_ALEN
);
470 os_memcpy(link_id
+ ETH_ALEN
, elems
.link_id
+ 2 * ETH_ALEN
, ETH_ALEN
);
471 os_memcpy(link_id
+ 2 * ETH_ALEN
, elems
.link_id
+ ETH_ALEN
, ETH_ALEN
);
472 tdls
= get_tdls(wt
, link_id
, 0, bssid
);
474 add_note(wt
, MSG_DEBUG
, "TDLS: Remove reverse link entry");
480 static int tdls_verify_mic_teardown(struct wlantest
*wt
,
481 struct wlantest_tdls
*tdls
, u8 trans_seq
,
482 const u8
*reason_code
,
483 struct ieee802_11_elems
*elems
)
489 const struct rsn_ftie
*rx_ftie
;
490 struct rsn_ftie
*tmp_ftie
;
492 if (elems
->link_id
== NULL
|| elems
->ftie
== NULL
||
493 elems
->ftie_len
< sizeof(struct rsn_ftie
))
496 len
= 2 + 18 + 2 + 1 + 1 + 2 + elems
->ftie_len
;
498 buf
= os_zalloc(len
);
503 /* 1) Link Identifier IE */
504 os_memcpy(pos
, elems
->link_id
- 2, 2 + 18);
507 os_memcpy(pos
, reason_code
, 2);
509 /* 3) Dialog token */
510 *pos
++ = tdls
->dialog_token
;
511 /* 4) Transaction Sequence number */
513 /* 5) FTIE, with the MIC field of the FTIE set to 0 */
514 os_memcpy(pos
, elems
->ftie
- 2, 2 + elems
->ftie_len
);
516 tmp_ftie
= (struct rsn_ftie
*) pos
;
517 os_memset(tmp_ftie
->mic
, 0, 16);
518 pos
+= elems
->ftie_len
;
520 wpa_hexdump(MSG_DEBUG
, "TDLS: Data for FTIE MIC", buf
, pos
- buf
);
521 wpa_hexdump_key(MSG_DEBUG
, "TDLS: KCK", tdls
->tpk
.kck
, 16);
522 ret
= omac1_aes_128(tdls
->tpk
.kck
, buf
, pos
- buf
, mic
);
526 wpa_hexdump(MSG_DEBUG
, "TDLS: FTIE MIC", mic
, 16);
527 rx_ftie
= (const struct rsn_ftie
*) elems
->ftie
;
529 if (os_memcmp(mic
, rx_ftie
->mic
, 16) == 0) {
530 add_note(wt
, MSG_DEBUG
, "TDLS: Valid MIC");
533 add_note(wt
, MSG_DEBUG
, "TDLS: Invalid MIC");
538 static void rx_data_tdls_teardown(struct wlantest
*wt
, const u8
*bssid
,
539 const u8
*sta_addr
, const u8
*dst
,
541 const u8
*data
, size_t len
)
544 struct ieee802_11_elems elems
;
545 struct wlantest_tdls
*tdls
;
549 reason
= WPA_GET_LE16(data
);
550 wpa_printf(MSG_DEBUG
, "TDLS Teardown " MACSTR
" -> "
551 MACSTR
" (reason %d)",
552 MAC2STR(src
), MAC2STR(dst
), reason
);
554 if (ieee802_11_parse_elems(data
+ 2, len
- 2, &elems
, 1) ==
555 ParseFailed
|| elems
.link_id
== NULL
)
557 wpa_printf(MSG_DEBUG
, "TDLS Link Identifier: BSSID " MACSTR
558 " initiator STA " MACSTR
" responder STA " MACSTR
,
559 MAC2STR(elems
.link_id
), MAC2STR(elems
.link_id
+ ETH_ALEN
),
560 MAC2STR(elems
.link_id
+ 2 * ETH_ALEN
));
562 tdls
= get_tdls(wt
, elems
.link_id
, 1, bssid
);
565 add_note(wt
, MSG_DEBUG
, "TDLS: Link down");
567 tdls
->counters
[WLANTEST_TDLS_COUNTER_TEARDOWN
]++;
568 tdls_verify_mic_teardown(wt
, tdls
, 4, data
, &elems
);
573 static void rx_data_tdls(struct wlantest
*wt
, const u8
*bssid
,
574 const u8
*sta_addr
, const u8
*dst
, const u8
*src
,
575 const u8
*data
, size_t len
)
577 /* data contains the payload of a TDLS Action frame */
578 if (len
< 2 || data
[0] != WLAN_ACTION_TDLS
) {
579 wpa_hexdump(MSG_DEBUG
, "Unrecognized encapsulated TDLS frame",
585 case WLAN_TDLS_SETUP_REQUEST
:
586 rx_data_tdls_setup_request(wt
, bssid
, sta_addr
, dst
, src
,
589 case WLAN_TDLS_SETUP_RESPONSE
:
590 rx_data_tdls_setup_response(wt
, bssid
, sta_addr
, dst
, src
,
593 case WLAN_TDLS_SETUP_CONFIRM
:
594 rx_data_tdls_setup_confirm(wt
, bssid
, sta_addr
, dst
, src
,
597 case WLAN_TDLS_TEARDOWN
:
598 rx_data_tdls_teardown(wt
, bssid
, sta_addr
, dst
, src
, data
+ 2,
601 case WLAN_TDLS_DISCOVERY_REQUEST
:
602 wpa_printf(MSG_DEBUG
, "TDLS Discovery Request " MACSTR
" -> "
603 MACSTR
, MAC2STR(src
), MAC2STR(dst
));
609 void rx_data_80211_encap(struct wlantest
*wt
, const u8
*bssid
,
610 const u8
*sta_addr
, const u8
*dst
, const u8
*src
,
611 const u8
*data
, size_t len
)
613 wpa_hexdump(MSG_EXCESSIVE
, "802.11 data encap frame", data
, len
);
617 rx_data_tdls(wt
, bssid
, sta_addr
, dst
, src
, data
+ 1, len
- 1);