xref: /freebsd/contrib/wpa/src/rsn_supp/tdls.c (revision 257e70f1d5ee61037c8c59b116538d3b6b1427a2)
1 /*
2  * wpa_supplicant - TDLS
3  * Copyright (c) 2010-2011, Atheros Communications
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
24 
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12)
39 unsigned int tdls_testing = 0;
40 #endif /* CONFIG_TDLS_TESTING */
41 
42 #define TPK_LIFETIME 43200 /* 12 hours */
43 #define TPK_M1_RETRY_COUNT 3
44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
45 #define TPK_M2_RETRY_COUNT 10
46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47 
48 #define TDLS_MIC_LEN		16
49 
50 #define TDLS_TIMEOUT_LEN	4
51 
52 struct wpa_tdls_ftie {
53 	u8 ie_type; /* FTIE */
54 	u8 ie_len;
55 	u8 mic_ctrl[2];
56 	u8 mic[TDLS_MIC_LEN];
57 	u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
58 	u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
59 	/* followed by optional elements */
60 } STRUCT_PACKED;
61 
62 struct wpa_tdls_timeoutie {
63 	u8 ie_type; /* Timeout IE */
64 	u8 ie_len;
65 	u8 interval_type;
66 	u8 value[TDLS_TIMEOUT_LEN];
67 } STRUCT_PACKED;
68 
69 struct wpa_tdls_lnkid {
70 	u8 ie_type; /* Link Identifier IE */
71 	u8 ie_len;
72 	u8 bssid[ETH_ALEN];
73 	u8 init_sta[ETH_ALEN];
74 	u8 resp_sta[ETH_ALEN];
75 } STRUCT_PACKED;
76 
77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
78 struct wpa_tdls_frame {
79 	u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
80 	u8 category; /* Category */
81 	u8 action; /* Action (enum tdls_frame_type) */
82 } STRUCT_PACKED;
83 
84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
88 				       struct wpa_tdls_peer *peer);
89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
90 				  u16 reason_code);
91 
92 
93 #define TDLS_MAX_IE_LEN 80
94 #define IEEE80211_MAX_SUPP_RATES 32
95 
96 struct wpa_tdls_peer {
97 	struct wpa_tdls_peer *next;
98 	unsigned int reconfig_key:1;
99 	int initiator; /* whether this end was initiator for TDLS setup */
100 	u8 addr[ETH_ALEN]; /* other end MAC address */
101 	u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
102 	u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
103 	u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 	size_t rsnie_i_len;
105 	u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
106 	size_t rsnie_p_len;
107 	u32 lifetime;
108 	int cipher; /* Selected cipher (WPA_CIPHER_*) */
109 	u8 dtoken;
110 
111 	struct tpk {
112 		u8 kck[16]; /* TPK-KCK */
113 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
114 	} tpk;
115 	int tpk_set;
116 	int tk_set; /* TPK-TK configured to the driver */
117 	int tpk_success;
118 	int tpk_in_progress;
119 
120 	struct tpk_timer {
121 		u8 dest[ETH_ALEN];
122 		int count;      /* Retry Count */
123 		int timer;      /* Timeout in milliseconds */
124 		u8 action_code; /* TDLS frame type */
125 		u8 dialog_token;
126 		u16 status_code;
127 		u32 peer_capab;
128 		int buf_len;    /* length of TPK message for retransmission */
129 		u8 *buf;        /* buffer for TPK message */
130 	} sm_tmr;
131 
132 	u16 capability;
133 
134 	u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
135 	size_t supp_rates_len;
136 
137 	struct ieee80211_ht_capabilities *ht_capabilities;
138 	struct ieee80211_vht_capabilities *vht_capabilities;
139 	struct ieee80211_he_capabilities *he_capabilities;
140 	size_t he_capab_len;
141 	struct ieee80211_he_6ghz_band_cap *he_6ghz_band_capabilities;
142 
143 	u8 qos_info;
144 
145 	u16 aid;
146 
147 	u8 *ext_capab;
148 	size_t ext_capab_len;
149 
150 	u8 *supp_channels;
151 	size_t supp_channels_len;
152 
153 	u8 *supp_oper_classes;
154 	size_t supp_oper_classes_len;
155 
156 	u8 wmm_capable;
157 
158 	/* channel switch currently enabled */
159 	int chan_switch_enabled;
160 };
161 
162 
163 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
164 {
165 	/*
166 	 * Get info needed from supplicant to check if the current BSS supports
167 	 * security. Other than OPEN mode, rest are considered secured
168 	 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
169 	 */
170 	return sm->pairwise_cipher != WPA_CIPHER_NONE;
171 }
172 
173 
174 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
175 {
176 	os_memcpy(pos, ie, ie_len);
177 	return pos + ie_len;
178 }
179 
180 
181 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
182 {
183 	if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
184 			   0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) {
185 		wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
186 			   "the driver");
187 		return -1;
188 	}
189 
190 	return 0;
191 }
192 
193 
194 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
195 {
196 	u8 key_len;
197 	u8 rsc[6];
198 	enum wpa_alg alg;
199 
200 	if (peer->tk_set) {
201 		/*
202 		 * This same TPK-TK has already been configured to the driver
203 		 * and this new configuration attempt (likely due to an
204 		 * unexpected retransmitted frame) would result in clearing
205 		 * the TX/RX sequence number which can break security, so must
206 		 * not allow that to happen.
207 		 */
208 		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
209 			   " has already been configured to the driver - do not reconfigure",
210 			   MAC2STR(peer->addr));
211 		return -1;
212 	}
213 
214 	os_memset(rsc, 0, 6);
215 
216 	switch (peer->cipher) {
217 	case WPA_CIPHER_CCMP:
218 		alg = WPA_ALG_CCMP;
219 		key_len = 16;
220 		break;
221 	case WPA_CIPHER_NONE:
222 		wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
223 			   "NONE - do not use pairwise keys");
224 		return -1;
225 	default:
226 		wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
227 			   sm->pairwise_cipher);
228 		return -1;
229 	}
230 
231 	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
232 		   MAC2STR(peer->addr));
233 	if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc),
234 			   peer->tpk.tk, key_len,
235 			   KEY_FLAG_PAIRWISE_RX_TX) < 0) {
236 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
237 			   "driver");
238 		return -1;
239 	}
240 	peer->tk_set = 1;
241 	return 0;
242 }
243 
244 
245 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
246 				 u8 action_code, u8 dialog_token,
247 				 u16 status_code, u32 peer_capab,
248 				 int initiator, const u8 *buf, size_t len)
249 {
250 	return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
251 				     status_code, peer_capab, initiator, buf,
252 				     len);
253 }
254 
255 
256 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
257 			     u8 dialog_token, u16 status_code, u32 peer_capab,
258 			     int initiator, const u8 *msg, size_t msg_len)
259 {
260 	struct wpa_tdls_peer *peer;
261 
262 	wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
263 		   "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
264 		   "msg_len=%u",
265 		   MAC2STR(dest), action_code, dialog_token, status_code,
266 		   peer_capab, initiator, (unsigned int) msg_len);
267 
268 	if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
269 				  status_code, peer_capab, initiator, msg,
270 				  msg_len)) {
271 		wpa_printf(MSG_INFO, "TDLS: Failed to send message "
272 			   "(action_code=%u)", action_code);
273 		return -1;
274 	}
275 
276 	if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
277 	    action_code == WLAN_TDLS_TEARDOWN ||
278 	    action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
279 	    action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
280 		return 0; /* No retries */
281 
282 	for (peer = sm->tdls; peer; peer = peer->next) {
283 		if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
284 			break;
285 	}
286 
287 	if (peer == NULL) {
288 		wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
289 			   "retry " MACSTR, MAC2STR(dest));
290 		return 0;
291 	}
292 
293 	eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
294 
295 	if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
296 		peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
297 		peer->sm_tmr.timer = TPK_M2_TIMEOUT;
298 	} else {
299 		peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
300 		peer->sm_tmr.timer = TPK_M1_TIMEOUT;
301 	}
302 
303 	/* Copy message to resend on timeout */
304 	os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
305 	peer->sm_tmr.action_code = action_code;
306 	peer->sm_tmr.dialog_token = dialog_token;
307 	peer->sm_tmr.status_code = status_code;
308 	peer->sm_tmr.peer_capab = peer_capab;
309 	peer->sm_tmr.buf_len = msg_len;
310 	os_free(peer->sm_tmr.buf);
311 	peer->sm_tmr.buf = os_memdup(msg, msg_len);
312 	if (peer->sm_tmr.buf == NULL)
313 		return -1;
314 
315 	wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
316 		   "(action_code=%u)", action_code);
317 	eloop_register_timeout(peer->sm_tmr.timer / 1000,
318 			       (peer->sm_tmr.timer % 1000) * 1000,
319 			       wpa_tdls_tpk_retry_timeout, sm, peer);
320 	return 0;
321 }
322 
323 
324 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
325 				u16 reason_code)
326 {
327 	int ret;
328 
329 	ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
330 	/* disable the link after teardown was sent */
331 	wpa_tdls_disable_peer_link(sm, peer);
332 
333 	return ret;
334 }
335 
336 
337 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
338 {
339 
340 	struct wpa_sm *sm = eloop_ctx;
341 	struct wpa_tdls_peer *peer = timeout_ctx;
342 
343 	if (peer->sm_tmr.count) {
344 		peer->sm_tmr.count--;
345 
346 		wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
347 			   "(action_code=%u)",
348 			   peer->sm_tmr.action_code);
349 
350 		if (peer->sm_tmr.buf == NULL) {
351 			wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
352 				   "for action_code=%u",
353 				   peer->sm_tmr.action_code);
354 			eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
355 					     peer);
356 			return;
357 		}
358 
359 		/* resend TPK Handshake Message to Peer */
360 		if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
361 					  peer->sm_tmr.action_code,
362 					  peer->sm_tmr.dialog_token,
363 					  peer->sm_tmr.status_code,
364 					  peer->sm_tmr.peer_capab,
365 					  peer->initiator,
366 					  peer->sm_tmr.buf,
367 					  peer->sm_tmr.buf_len)) {
368 			wpa_printf(MSG_INFO, "TDLS: Failed to retry "
369 				   "transmission");
370 		}
371 
372 		eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
373 		eloop_register_timeout(peer->sm_tmr.timer / 1000,
374 				       (peer->sm_tmr.timer % 1000) * 1000,
375 				       wpa_tdls_tpk_retry_timeout, sm, peer);
376 	} else {
377 		eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
378 
379 		wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
380 		wpa_tdls_do_teardown(sm, peer,
381 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
382 	}
383 }
384 
385 
386 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
387 					      struct wpa_tdls_peer *peer,
388 					      u8 action_code)
389 {
390 	if (action_code == peer->sm_tmr.action_code) {
391 		wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
392 			   "action_code=%u", action_code);
393 
394 		/* Cancel Timeout registered */
395 		eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
396 
397 		/* free all resources meant for retry */
398 		os_free(peer->sm_tmr.buf);
399 		peer->sm_tmr.buf = NULL;
400 
401 		peer->sm_tmr.count = 0;
402 		peer->sm_tmr.timer = 0;
403 		peer->sm_tmr.buf_len = 0;
404 		peer->sm_tmr.action_code = 0xff;
405 	} else {
406 		wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
407 			   "(Unknown action_code=%u)", action_code);
408 	}
409 }
410 
411 
412 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
413 				  const u8 *own_addr, const u8 *bssid)
414 {
415 	u8 key_input[SHA256_MAC_LEN];
416 	const u8 *nonce[2];
417 	size_t len[2];
418 	u8 data[3 * ETH_ALEN];
419 
420 	/* IEEE Std 802.11-2016 12.7.9.2:
421 	 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce))
422 	 * Hash = SHA-256 for TDLS
423 	 */
424 	len[0] = WPA_NONCE_LEN;
425 	len[1] = WPA_NONCE_LEN;
426 	if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
427 		nonce[0] = peer->inonce;
428 		nonce[1] = peer->rnonce;
429 	} else {
430 		nonce[0] = peer->rnonce;
431 		nonce[1] = peer->inonce;
432 	}
433 	wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
434 	wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
435 	sha256_vector(2, nonce, len, key_input);
436 	wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
437 			key_input, SHA256_MAC_LEN);
438 
439 	/*
440 	 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK",
441 	 *	min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID)
442 	 */
443 
444 	if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
445 		os_memcpy(data, own_addr, ETH_ALEN);
446 		os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
447 	} else {
448 		os_memcpy(data, peer->addr, ETH_ALEN);
449 		os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
450 	}
451 	os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
452 	wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
453 
454 	sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
455 		   (u8 *) &peer->tpk, sizeof(peer->tpk));
456 	wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
457 			peer->tpk.kck, sizeof(peer->tpk.kck));
458 	wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
459 			peer->tpk.tk, sizeof(peer->tpk.tk));
460 	peer->tpk_set = 1;
461 }
462 
463 
464 /**
465  * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
466  * @kck: TPK-KCK
467  * @lnkid: Pointer to the beginning of Link Identifier IE
468  * @rsnie: Pointer to the beginning of RSN IE used for handshake
469  * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
470  * @ftie: Pointer to the beginning of FT IE
471  * @mic: Pointer for writing MIC
472  *
473  * Calculate MIC for TDLS frame.
474  */
475 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
476 			     const u8 *rsnie, const u8 *timeoutie,
477 			     const u8 *ftie, u8 *mic)
478 {
479 	u8 *buf, *pos;
480 	struct wpa_tdls_ftie *_ftie;
481 	const struct wpa_tdls_lnkid *_lnkid;
482 	int ret;
483 	int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
484 		2 + timeoutie[1] + 2 + ftie[1];
485 	buf = os_zalloc(len);
486 	if (!buf) {
487 		wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
488 		return -1;
489 	}
490 
491 	pos = buf;
492 	_lnkid = (const struct wpa_tdls_lnkid *) lnkid;
493 	/* 1) TDLS initiator STA MAC address */
494 	os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
495 	pos += ETH_ALEN;
496 	/* 2) TDLS responder STA MAC address */
497 	os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
498 	pos += ETH_ALEN;
499 	/* 3) Transaction Sequence number */
500 	*pos++ = trans_seq;
501 	/* 4) Link Identifier IE */
502 	os_memcpy(pos, lnkid, 2 + lnkid[1]);
503 	pos += 2 + lnkid[1];
504 	/* 5) RSN IE */
505 	os_memcpy(pos, rsnie, 2 + rsnie[1]);
506 	pos += 2 + rsnie[1];
507 	/* 6) Timeout Interval IE */
508 	os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
509 	pos += 2 + timeoutie[1];
510 	/* 7) FTIE, with the MIC field of the FTIE set to 0 */
511 	os_memcpy(pos, ftie, 2 + ftie[1]);
512 	_ftie = (struct wpa_tdls_ftie *) pos;
513 	os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
514 	pos += 2 + ftie[1];
515 
516 	wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
517 	wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
518 	ret = omac1_aes_128(kck, buf, pos - buf, mic);
519 	os_free(buf);
520 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
521 	return ret;
522 }
523 
524 
525 /**
526  * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
527  * @kck: TPK-KCK
528  * @trans_seq: Transaction Sequence Number (4 - Teardown)
529  * @rcode: Reason code for Teardown
530  * @dtoken: Dialog Token used for that particular link
531  * @lnkid: Pointer to the beginning of Link Identifier IE
532  * @ftie: Pointer to the beginning of FT IE
533  * @mic: Pointer for writing MIC
534  *
535  * Calculate MIC for TDLS frame.
536  */
537 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
538 				     u8 dtoken, const u8 *lnkid,
539 				     const u8 *ftie, u8 *mic)
540 {
541 	u8 *buf, *pos;
542 	struct wpa_tdls_ftie *_ftie;
543 	int ret;
544 	int len;
545 
546 	if (lnkid == NULL)
547 		return -1;
548 
549 	len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
550 		sizeof(trans_seq) + 2 + ftie[1];
551 
552 	buf = os_zalloc(len);
553 	if (!buf) {
554 		wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
555 		return -1;
556 	}
557 
558 	pos = buf;
559 	/* 1) Link Identifier IE */
560 	os_memcpy(pos, lnkid, 2 + lnkid[1]);
561 	pos += 2 + lnkid[1];
562 	/* 2) Reason Code */
563 	WPA_PUT_LE16(pos, rcode);
564 	pos += sizeof(rcode);
565 	/* 3) Dialog token */
566 	*pos++ = dtoken;
567 	/* 4) Transaction Sequence number */
568 	*pos++ = trans_seq;
569 	/* 7) FTIE, with the MIC field of the FTIE set to 0 */
570 	os_memcpy(pos, ftie, 2 + ftie[1]);
571 	_ftie = (struct wpa_tdls_ftie *) pos;
572 	os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
573 	pos += 2 + ftie[1];
574 
575 	wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
576 	wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
577 	ret = omac1_aes_128(kck, buf, pos - buf, mic);
578 	os_free(buf);
579 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
580 	return ret;
581 }
582 
583 
584 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
585 					  struct wpa_tdls_peer *peer,
586 					  const u8 *lnkid, const u8 *timeoutie,
587 					  const struct wpa_tdls_ftie *ftie)
588 {
589 	u8 mic[16];
590 
591 	if (peer->tpk_set) {
592 		wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
593 				  peer->rsnie_p, timeoutie, (u8 *) ftie,
594 				  mic);
595 		if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
596 			wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
597 				   "dropping packet");
598 			wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
599 				    ftie->mic, 16);
600 			wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
601 				    mic, 16);
602 			return -1;
603 		}
604 	} else {
605 		wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
606 			   "TPK not set - dropping packet");
607 		return -1;
608 	}
609 	return 0;
610 }
611 
612 
613 static int wpa_supplicant_verify_tdls_mic_teardown(
614 	u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
615 	const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
616 {
617 	u8 mic[16];
618 
619 	if (peer->tpk_set) {
620 		wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
621 					  dtoken, lnkid, (u8 *) ftie, mic);
622 		if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
623 			wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
624 				   "dropping packet");
625 			return -1;
626 		}
627 	} else {
628 		wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
629 			   "MIC, TPK not set - dropping packet");
630 		return -1;
631 	}
632 	return 0;
633 }
634 
635 
636 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
637 {
638 	struct wpa_sm *sm = eloop_ctx;
639 	struct wpa_tdls_peer *peer = timeout_ctx;
640 
641 	/*
642 	 * On TPK lifetime expiration, we have an option of either tearing down
643 	 * the direct link or trying to re-initiate it. The selection of what
644 	 * to do is not strictly speaking controlled by our role in the expired
645 	 * link, but for now, use that to select whether to renew or tear down
646 	 * the link.
647 	 */
648 
649 	if (peer->initiator) {
650 		u8 addr[ETH_ALEN];
651 
652 		wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
653 			   " - try to renew", MAC2STR(peer->addr));
654 		/* cache the peer address before do_teardown */
655 		os_memcpy(addr, peer->addr, ETH_ALEN);
656 		wpa_tdls_do_teardown(sm, peer,
657 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
658 		wpa_tdls_start(sm, addr);
659 	} else {
660 		wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
661 			   " - tear down", MAC2STR(peer->addr));
662 		wpa_tdls_do_teardown(sm, peer,
663 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
664 	}
665 }
666 
667 
668 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
669 					   struct wpa_tdls_peer *peer)
670 {
671 	struct wpa_tdls_peer *cur, *prev;
672 
673 	cur = sm->tdls;
674 	prev = NULL;
675 	while (cur && cur != peer) {
676 		prev = cur;
677 		cur = cur->next;
678 	}
679 
680 	if (cur != peer) {
681 		wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
682 			   " to remove it from the list",
683 			   MAC2STR(peer->addr));
684 		return;
685 	}
686 
687 	if (prev)
688 		prev->next = peer->next;
689 	else
690 		sm->tdls = peer->next;
691 }
692 
693 
694 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
695 {
696 	wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
697 		   MAC2STR(peer->addr));
698 	eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
699 	eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
700 	peer->reconfig_key = 0;
701 	peer->initiator = 0;
702 	peer->tpk_in_progress = 0;
703 	os_free(peer->sm_tmr.buf);
704 	peer->sm_tmr.buf = NULL;
705 	os_free(peer->ht_capabilities);
706 	peer->ht_capabilities = NULL;
707 	os_free(peer->vht_capabilities);
708 	peer->vht_capabilities = NULL;
709 	os_free(peer->he_capabilities);
710 	peer->he_capabilities = NULL;
711 	os_free(peer->he_6ghz_band_capabilities);
712 	peer->he_6ghz_band_capabilities = NULL;
713 	os_free(peer->ext_capab);
714 	peer->ext_capab = NULL;
715 	os_free(peer->supp_channels);
716 	peer->supp_channels = NULL;
717 	os_free(peer->supp_oper_classes);
718 	peer->supp_oper_classes = NULL;
719 	peer->rsnie_i_len = peer->rsnie_p_len = 0;
720 	peer->cipher = 0;
721 	peer->qos_info = 0;
722 	peer->wmm_capable = 0;
723 	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
724 	peer->chan_switch_enabled = 0;
725 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
726 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
727 	os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
728 }
729 
730 
731 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
732 {
733 	wpa_tdls_peer_clear(sm, peer);
734 	wpa_tdls_peer_remove_from_list(sm, peer);
735 	os_free(peer);
736 }
737 
738 
739 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
740 			    struct wpa_tdls_lnkid *lnkid)
741 {
742 	lnkid->ie_type = WLAN_EID_LINK_ID;
743 	lnkid->ie_len = 3 * ETH_ALEN;
744 	os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
745 	if (peer->initiator) {
746 		os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
747 		os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
748 	} else {
749 		os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
750 		os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
751 	}
752 }
753 
754 
755 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
756 				  u16 reason_code)
757 {
758 	struct wpa_tdls_peer *peer;
759 	struct wpa_tdls_ftie *ftie;
760 	struct wpa_tdls_lnkid lnkid;
761 	u8 dialog_token;
762 	u8 *rbuf, *pos;
763 	int ielen;
764 
765 	if (sm->tdls_disabled || !sm->tdls_supported)
766 		return -1;
767 
768 	/* Find the node and free from the list */
769 	for (peer = sm->tdls; peer; peer = peer->next) {
770 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
771 			break;
772 	}
773 
774 	if (peer == NULL) {
775 		wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
776 			   "Teardown " MACSTR, MAC2STR(addr));
777 		return 0;
778 	}
779 
780 	/* Cancel active channel switch before teardown */
781 	if (peer->chan_switch_enabled) {
782 		wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
783 			   " to base channel", MAC2STR(addr));
784 		wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
785 	}
786 
787 	dialog_token = peer->dtoken;
788 
789 	wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
790 		   MAC2STR(addr));
791 
792 	ielen = 0;
793 	if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
794 		/* To add FTIE for Teardown request and compute MIC */
795 		ielen += sizeof(*ftie);
796 #ifdef CONFIG_TDLS_TESTING
797 		if (tdls_testing & TDLS_TESTING_LONG_FRAME)
798 			ielen += 170;
799 #endif /* CONFIG_TDLS_TESTING */
800 	}
801 
802 	rbuf = os_zalloc(ielen + 1);
803 	if (rbuf == NULL)
804 		return -1;
805 	pos = rbuf;
806 
807 	if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
808 		goto skip_ies;
809 
810 	ftie = (struct wpa_tdls_ftie *) pos;
811 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
812 	/* Using the recent nonce which should be for CONFIRM frame */
813 	os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
814 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
815 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
816 	pos = (u8 *) (ftie + 1);
817 #ifdef CONFIG_TDLS_TESTING
818 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
819 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
820 			   "FTIE");
821 		ftie->ie_len += 170;
822 		*pos++ = 255; /* FTIE subelem */
823 		*pos++ = 168; /* FTIE subelem length */
824 		pos += 168;
825 	}
826 #endif /* CONFIG_TDLS_TESTING */
827 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
828 		    (u8 *) ftie, pos - (u8 *) ftie);
829 
830 	/* compute MIC before sending */
831 	wpa_tdls_linkid(sm, peer, &lnkid);
832 	wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
833 				  dialog_token, (u8 *) &lnkid, (u8 *) ftie,
834 				  ftie->mic);
835 
836 skip_ies:
837 	/* TODO: register for a Timeout handler, if Teardown is not received at
838 	 * the other end, then try again another time */
839 
840 	/* request driver to send Teardown using this FTIE */
841 	wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
842 			  reason_code, 0, peer->initiator, rbuf, pos - rbuf);
843 	os_free(rbuf);
844 
845 	return 0;
846 }
847 
848 
849 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
850 {
851 	struct wpa_tdls_peer *peer;
852 
853 	if (sm->tdls_disabled || !sm->tdls_supported)
854 		return -1;
855 
856 	for (peer = sm->tdls; peer; peer = peer->next) {
857 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
858 			break;
859 	}
860 
861 	if (peer == NULL) {
862 		wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
863 		   " for link Teardown", MAC2STR(addr));
864 		return -1;
865 	}
866 
867 	if (!peer->tpk_success) {
868 		wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
869 		   " not connected - cannot Teardown link", MAC2STR(addr));
870 		return -1;
871 	}
872 
873 	return wpa_tdls_do_teardown(sm, peer, reason_code);
874 }
875 
876 
877 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
878 				       struct wpa_tdls_peer *peer)
879 {
880 	wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
881 	wpa_tdls_peer_free(sm, peer);
882 }
883 
884 
885 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
886 {
887 	struct wpa_tdls_peer *peer;
888 
889 	for (peer = sm->tdls; peer; peer = peer->next) {
890 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
891 			break;
892 	}
893 
894 	if (!peer || !peer->tpk_success) {
895 		wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
896 			   " not connected - cannot teardown unreachable link",
897 			   MAC2STR(addr));
898 		return;
899 	}
900 
901 	if (wpa_tdls_is_external_setup(sm)) {
902 		/*
903 		 * Get us on the base channel, disable the link, send a
904 		 * teardown packet through the AP, and then reset link data.
905 		 */
906 		if (peer->chan_switch_enabled)
907 			wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
908 		wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
909 		wpa_tdls_send_teardown(sm, addr,
910 				       WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
911 		wpa_tdls_peer_free(sm, peer);
912 	} else {
913 		wpa_tdls_disable_peer_link(sm, peer);
914 	}
915 }
916 
917 
918 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
919 {
920 	struct wpa_tdls_peer *peer;
921 
922 	if (sm->tdls_disabled || !sm->tdls_supported)
923 		return "disabled";
924 
925 	for (peer = sm->tdls; peer; peer = peer->next) {
926 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
927 			break;
928 	}
929 
930 	if (peer == NULL)
931 		return "peer does not exist";
932 
933 	if (!peer->tpk_success)
934 		return "peer not connected";
935 
936 	return "connected";
937 }
938 
939 
940 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
941 				  const u8 *buf, size_t len)
942 {
943 	struct wpa_tdls_peer *peer = NULL;
944 	struct wpa_tdls_ftie *ftie;
945 	struct wpa_tdls_lnkid *lnkid;
946 	struct wpa_eapol_ie_parse kde;
947 	u16 reason_code;
948 	const u8 *pos;
949 	int ielen;
950 
951 	/* Find the node and free from the list */
952 	for (peer = sm->tdls; peer; peer = peer->next) {
953 		if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
954 			break;
955 	}
956 
957 	if (peer == NULL) {
958 		wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
959 			   "Teardown " MACSTR, MAC2STR(src_addr));
960 		return 0;
961 	}
962 
963 	pos = buf;
964 	pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
965 
966 	reason_code = WPA_GET_LE16(pos);
967 	pos += 2;
968 
969 	wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
970 		   " (reason code %u)", MAC2STR(src_addr), reason_code);
971 
972 	ielen = len - (pos - buf); /* start of IE in buf */
973 
974 	/*
975 	 * Don't reject the message if failing to parse IEs. The IEs we need are
976 	 * explicitly checked below. Some APs may add arbitrary padding to the
977 	 * end of short TDLS frames and that would look like invalid IEs.
978 	 */
979 	if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
980 		wpa_printf(MSG_DEBUG,
981 			   "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
982 
983 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
984 		wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
985 			   "Teardown");
986 		return -1;
987 	}
988 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
989 
990 	if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
991 		goto skip_ftie;
992 
993 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
994 		wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
995 		return -1;
996 	}
997 
998 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
999 
1000 	/* Process MIC check to see if TDLS Teardown is right */
1001 	if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
1002 						    peer->dtoken, peer,
1003 						    (u8 *) lnkid, ftie) < 0) {
1004 		wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
1005 			   "Teardown Request from " MACSTR, MAC2STR(src_addr));
1006 		return -1;
1007 	}
1008 
1009 skip_ftie:
1010 	/*
1011 	 * Request the driver to disable the direct link and clear associated
1012 	 * keys.
1013 	 */
1014 	wpa_tdls_disable_peer_link(sm, peer);
1015 	return 0;
1016 }
1017 
1018 
1019 /**
1020  * wpa_tdls_send_error - To send suitable TDLS status response with
1021  *	appropriate status code mentioning reason for error/failure.
1022  * @dst 	- MAC addr of Peer station
1023  * @tdls_action - TDLS frame type for which error code is sent
1024  * @initiator   - was this end the initiator of the connection
1025  * @status 	- status code mentioning reason
1026  */
1027 
1028 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1029 			       u8 tdls_action, u8 dialog_token, int initiator,
1030 			       u16 status)
1031 {
1032 	wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1033 		   " (action=%u status=%u)",
1034 		   MAC2STR(dst), tdls_action, status);
1035 	return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1036 				 0, initiator, NULL, 0);
1037 }
1038 
1039 
1040 static struct wpa_tdls_peer *
1041 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1042 {
1043 	struct wpa_tdls_peer *peer;
1044 
1045 	if (existing)
1046 		*existing = 0;
1047 	for (peer = sm->tdls; peer; peer = peer->next) {
1048 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1049 			if (existing)
1050 				*existing = 1;
1051 			return peer; /* re-use existing entry */
1052 		}
1053 	}
1054 
1055 	wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1056 		   MAC2STR(addr));
1057 
1058 	peer = os_zalloc(sizeof(*peer));
1059 	if (peer == NULL)
1060 		return NULL;
1061 
1062 	os_memcpy(peer->addr, addr, ETH_ALEN);
1063 	peer->next = sm->tdls;
1064 	sm->tdls = peer;
1065 
1066 	return peer;
1067 }
1068 
1069 
1070 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1071 				struct wpa_tdls_peer *peer)
1072 {
1073 	size_t buf_len;
1074 	struct wpa_tdls_timeoutie timeoutie;
1075 	u16 rsn_capab;
1076 	struct wpa_tdls_ftie *ftie;
1077 	u8 *rbuf, *pos, *count_pos;
1078 	u16 count;
1079 	struct rsn_ie_hdr *hdr;
1080 	int status;
1081 
1082 	if (!wpa_tdls_get_privacy(sm)) {
1083 		wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1084 		peer->rsnie_i_len = 0;
1085 		goto skip_rsnie;
1086 	}
1087 
1088 	/*
1089 	 * TPK Handshake Message 1:
1090 	 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1091 	 * Timeout Interval IE))
1092 	 */
1093 
1094 	/* Filling RSN IE */
1095 	hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1096 	hdr->elem_id = WLAN_EID_RSN;
1097 	WPA_PUT_LE16(hdr->version, RSN_VERSION);
1098 
1099 	pos = (u8 *) (hdr + 1);
1100 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1101 	pos += RSN_SELECTOR_LEN;
1102 	count_pos = pos;
1103 	pos += 2;
1104 
1105 	count = 0;
1106 
1107 	/*
1108 	 * AES-CCMP is the default Encryption preferred for TDLS, so
1109 	 * RSN IE is filled only with CCMP CIPHER
1110 	 * Note: TKIP is not used to encrypt TDLS link.
1111 	 *
1112 	 * Regardless of the cipher used on the AP connection, select CCMP
1113 	 * here.
1114 	 */
1115 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1116 	pos += RSN_SELECTOR_LEN;
1117 	count++;
1118 
1119 	WPA_PUT_LE16(count_pos, count);
1120 
1121 	WPA_PUT_LE16(pos, 1);
1122 	pos += 2;
1123 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1124 	pos += RSN_SELECTOR_LEN;
1125 
1126 	rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1127 	rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1128 #ifdef CONFIG_TDLS_TESTING
1129 	if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1130 		wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1131 			   "testing");
1132 		rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1133 	}
1134 #endif /* CONFIG_TDLS_TESTING */
1135 	WPA_PUT_LE16(pos, rsn_capab);
1136 	pos += 2;
1137 #ifdef CONFIG_TDLS_TESTING
1138 	if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1139 		/* Number of PMKIDs */
1140 		*pos++ = 0x00;
1141 		*pos++ = 0x00;
1142 	}
1143 #endif /* CONFIG_TDLS_TESTING */
1144 
1145 	hdr->len = (pos - peer->rsnie_i) - 2;
1146 	peer->rsnie_i_len = pos - peer->rsnie_i;
1147 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1148 		    peer->rsnie_i, peer->rsnie_i_len);
1149 
1150 skip_rsnie:
1151 	buf_len = 0;
1152 	if (wpa_tdls_get_privacy(sm))
1153 		buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1154 			sizeof(struct wpa_tdls_timeoutie);
1155 #ifdef CONFIG_TDLS_TESTING
1156 	if (wpa_tdls_get_privacy(sm) &&
1157 	    (tdls_testing & TDLS_TESTING_LONG_FRAME))
1158 		buf_len += 170;
1159 	if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1160 		buf_len += sizeof(struct wpa_tdls_lnkid);
1161 #endif /* CONFIG_TDLS_TESTING */
1162 	rbuf = os_zalloc(buf_len + 1);
1163 	if (rbuf == NULL) {
1164 		wpa_tdls_peer_free(sm, peer);
1165 		return -2;
1166 	}
1167 	pos = rbuf;
1168 
1169 	if (!wpa_tdls_get_privacy(sm))
1170 		goto skip_ies;
1171 
1172 	/* Initiator RSN IE */
1173 	pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1174 
1175 	ftie = (struct wpa_tdls_ftie *) pos;
1176 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1177 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1178 
1179 	if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1180 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1181 			"TDLS: Failed to get random data for initiator Nonce");
1182 		os_free(rbuf);
1183 		wpa_tdls_peer_free(sm, peer);
1184 		return -2;
1185 	}
1186 	peer->tk_set = 0; /* A new nonce results in a new TK */
1187 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1188 		    peer->inonce, WPA_NONCE_LEN);
1189 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1190 
1191 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1192 		    (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1193 
1194 	pos = (u8 *) (ftie + 1);
1195 
1196 #ifdef CONFIG_TDLS_TESTING
1197 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1198 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1199 			   "FTIE");
1200 		ftie->ie_len += 170;
1201 		*pos++ = 255; /* FTIE subelem */
1202 		*pos++ = 168; /* FTIE subelem length */
1203 		pos += 168;
1204 	}
1205 #endif /* CONFIG_TDLS_TESTING */
1206 
1207 	/* Lifetime */
1208 	peer->lifetime = TPK_LIFETIME;
1209 #ifdef CONFIG_TDLS_TESTING
1210 	if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1211 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1212 			   "lifetime");
1213 		peer->lifetime = 301;
1214 	}
1215 	if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1216 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1217 			   "lifetime");
1218 		peer->lifetime = 0xffffffff;
1219 	}
1220 #endif /* CONFIG_TDLS_TESTING */
1221 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1222 				     sizeof(timeoutie), peer->lifetime);
1223 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1224 
1225 skip_ies:
1226 
1227 #ifdef CONFIG_TDLS_TESTING
1228 	if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1229 		struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1230 
1231 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1232 			   "Link Identifier");
1233 		wpa_tdls_linkid(sm, peer, l);
1234 		l->bssid[5] ^= 0x01;
1235 		pos += sizeof(*l);
1236 	}
1237 #endif /* CONFIG_TDLS_TESTING */
1238 
1239 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1240 		   "Handshake Message 1 (peer " MACSTR ")",
1241 		   MAC2STR(peer->addr));
1242 
1243 	status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1244 				   1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1245 	os_free(rbuf);
1246 
1247 	return status;
1248 }
1249 
1250 
1251 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1252 				const unsigned char *src_addr, u8 dtoken,
1253 				struct wpa_tdls_lnkid *lnkid,
1254 				const struct wpa_tdls_peer *peer)
1255 {
1256 	u8 *rbuf, *pos;
1257 	size_t buf_len;
1258 	u32 lifetime;
1259 	struct wpa_tdls_timeoutie timeoutie;
1260 	struct wpa_tdls_ftie *ftie;
1261 	int status;
1262 
1263 	buf_len = 0;
1264 	if (wpa_tdls_get_privacy(sm)) {
1265 		/* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1266 		 * Lifetime */
1267 		buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1268 			sizeof(struct wpa_tdls_timeoutie);
1269 #ifdef CONFIG_TDLS_TESTING
1270 		if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1271 			buf_len += 170;
1272 #endif /* CONFIG_TDLS_TESTING */
1273 	}
1274 
1275 	rbuf = os_zalloc(buf_len + 1);
1276 	if (rbuf == NULL)
1277 		return -1;
1278 	pos = rbuf;
1279 
1280 	if (!wpa_tdls_get_privacy(sm))
1281 		goto skip_ies;
1282 
1283 	/* Peer RSN IE */
1284 	pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1285 
1286 	ftie = (struct wpa_tdls_ftie *) pos;
1287 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1288 	/* TODO: ftie->mic_control to set 2-RESPONSE */
1289 	os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1290 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1291 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1292 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1293 		    (u8 *) ftie, sizeof(*ftie));
1294 
1295 	pos = (u8 *) (ftie + 1);
1296 
1297 #ifdef CONFIG_TDLS_TESTING
1298 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1299 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1300 			   "FTIE");
1301 		ftie->ie_len += 170;
1302 		*pos++ = 255; /* FTIE subelem */
1303 		*pos++ = 168; /* FTIE subelem length */
1304 		pos += 168;
1305 	}
1306 #endif /* CONFIG_TDLS_TESTING */
1307 
1308 	/* Lifetime */
1309 	lifetime = peer->lifetime;
1310 #ifdef CONFIG_TDLS_TESTING
1311 	if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1312 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1313 			   "lifetime in response");
1314 		lifetime++;
1315 	}
1316 #endif /* CONFIG_TDLS_TESTING */
1317 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1318 				     sizeof(timeoutie), lifetime);
1319 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1320 		   lifetime);
1321 
1322 	/* compute MIC before sending */
1323 	wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1324 			  (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1325 #ifdef CONFIG_TDLS_TESTING
1326 	if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1327 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1328 		ftie->mic[0] ^= 0x01;
1329 	}
1330 #endif /* CONFIG_TDLS_TESTING */
1331 
1332 skip_ies:
1333 	status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1334 				   dtoken, 0, 0, peer->initiator, rbuf,
1335 				   pos - rbuf);
1336 	os_free(rbuf);
1337 
1338 	return status;
1339 }
1340 
1341 
1342 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1343 				const unsigned char *src_addr, u8 dtoken,
1344 				struct wpa_tdls_lnkid *lnkid,
1345 				const struct wpa_tdls_peer *peer)
1346 {
1347 	u8 *rbuf, *pos;
1348 	size_t buf_len;
1349 	struct wpa_tdls_ftie *ftie;
1350 	struct wpa_tdls_timeoutie timeoutie;
1351 	u32 lifetime;
1352 	int status;
1353 	u32 peer_capab = 0;
1354 
1355 	buf_len = 0;
1356 	if (wpa_tdls_get_privacy(sm)) {
1357 		/* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1358 		 * Lifetime */
1359 		buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1360 			sizeof(struct wpa_tdls_timeoutie);
1361 #ifdef CONFIG_TDLS_TESTING
1362 		if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1363 			buf_len += 170;
1364 #endif /* CONFIG_TDLS_TESTING */
1365 	}
1366 
1367 	rbuf = os_zalloc(buf_len + 1);
1368 	if (rbuf == NULL)
1369 		return -1;
1370 	pos = rbuf;
1371 
1372 	if (!wpa_tdls_get_privacy(sm))
1373 		goto skip_ies;
1374 
1375 	/* Peer RSN IE */
1376 	pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1377 
1378 	ftie = (struct wpa_tdls_ftie *) pos;
1379 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1380 	/*TODO: ftie->mic_control to set 3-CONFIRM */
1381 	os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1382 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1383 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1384 
1385 	pos = (u8 *) (ftie + 1);
1386 
1387 #ifdef CONFIG_TDLS_TESTING
1388 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1389 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1390 			   "FTIE");
1391 		ftie->ie_len += 170;
1392 		*pos++ = 255; /* FTIE subelem */
1393 		*pos++ = 168; /* FTIE subelem length */
1394 		pos += 168;
1395 	}
1396 #endif /* CONFIG_TDLS_TESTING */
1397 
1398 	/* Lifetime */
1399 	lifetime = peer->lifetime;
1400 #ifdef CONFIG_TDLS_TESTING
1401 	if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1402 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1403 			   "lifetime in confirm");
1404 		lifetime++;
1405 	}
1406 #endif /* CONFIG_TDLS_TESTING */
1407 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1408 				     sizeof(timeoutie), lifetime);
1409 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1410 		   lifetime);
1411 
1412 	/* compute MIC before sending */
1413 	wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1414 			  (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1415 #ifdef CONFIG_TDLS_TESTING
1416 	if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1417 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1418 		ftie->mic[0] ^= 0x01;
1419 	}
1420 #endif /* CONFIG_TDLS_TESTING */
1421 
1422 skip_ies:
1423 
1424 	if (peer->he_capabilities)
1425 		peer_capab |= TDLS_PEER_HE;
1426 	if (peer->vht_capabilities)
1427 		peer_capab |= TDLS_PEER_VHT;
1428 	if (peer->ht_capabilities)
1429 		peer_capab |= TDLS_PEER_HT;
1430 	if (peer->wmm_capable)
1431 		peer_capab |= TDLS_PEER_WMM;
1432 
1433 	status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1434 				   dtoken, 0, peer_capab, peer->initiator,
1435 				   rbuf, pos - rbuf);
1436 	os_free(rbuf);
1437 
1438 	return status;
1439 }
1440 
1441 
1442 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1443 					    struct wpa_tdls_peer *peer,
1444 					    u8 dialog_token)
1445 {
1446 	size_t buf_len = 0;
1447 	struct wpa_tdls_timeoutie timeoutie;
1448 	u16 rsn_capab;
1449 	u8 *rbuf, *pos, *count_pos;
1450 	u16 count;
1451 	struct rsn_ie_hdr *hdr;
1452 	int status;
1453 
1454 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1455 		   "(peer " MACSTR ")", MAC2STR(peer->addr));
1456 	if (!wpa_tdls_get_privacy(sm))
1457 		goto skip_rsn_ies;
1458 
1459 	/* Filling RSN IE */
1460 	hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1461 	hdr->elem_id = WLAN_EID_RSN;
1462 	WPA_PUT_LE16(hdr->version, RSN_VERSION);
1463 	pos = (u8 *) (hdr + 1);
1464 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1465 	pos += RSN_SELECTOR_LEN;
1466 	count_pos = pos;
1467 	pos += 2;
1468 	count = 0;
1469 
1470 	/*
1471 	* AES-CCMP is the default encryption preferred for TDLS, so
1472 	* RSN IE is filled only with CCMP cipher suite.
1473 	* Note: TKIP is not used to encrypt TDLS link.
1474 	*
1475 	* Regardless of the cipher used on the AP connection, select CCMP
1476 	* here.
1477 	*/
1478 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1479 	pos += RSN_SELECTOR_LEN;
1480 	count++;
1481 	WPA_PUT_LE16(count_pos, count);
1482 	WPA_PUT_LE16(pos, 1);
1483 	pos += 2;
1484 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1485 	pos += RSN_SELECTOR_LEN;
1486 
1487 	rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1488 	rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1489 	WPA_PUT_LE16(pos, rsn_capab);
1490 	pos += 2;
1491 	hdr->len = (pos - (u8 *) hdr) - 2;
1492 	peer->rsnie_i_len = pos - peer->rsnie_i;
1493 
1494 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1495 		    (u8 *) hdr, hdr->len + 2);
1496 skip_rsn_ies:
1497 	buf_len = 0;
1498 	if (wpa_tdls_get_privacy(sm)) {
1499 		/* Peer RSN IE, Lifetime */
1500 		buf_len += peer->rsnie_i_len +
1501 			sizeof(struct wpa_tdls_timeoutie);
1502 	}
1503 	rbuf = os_zalloc(buf_len + 1);
1504 	if (rbuf == NULL) {
1505 		wpa_tdls_peer_free(sm, peer);
1506 		return -1;
1507 	}
1508 	pos = rbuf;
1509 
1510 	if (!wpa_tdls_get_privacy(sm))
1511 		goto skip_ies;
1512 	/* Initiator RSN IE */
1513 	pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1514 	/* Lifetime */
1515 	peer->lifetime = TPK_LIFETIME;
1516 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1517 				     sizeof(timeoutie), peer->lifetime);
1518 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1519 skip_ies:
1520 	status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1521 				   dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1522 	os_free(rbuf);
1523 
1524 	return status;
1525 }
1526 
1527 
1528 static int
1529 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1530 				   const u8 *buf, size_t len)
1531 {
1532 	struct wpa_eapol_ie_parse kde;
1533 	const struct wpa_tdls_lnkid *lnkid;
1534 	struct wpa_tdls_peer *peer;
1535 	size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1536 		1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1537 	u8 dialog_token;
1538 
1539 	wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1540 		   MAC2STR(addr));
1541 
1542 	if (len < min_req_len) {
1543 		wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1544 			   "%d", (int) len);
1545 		return -1;
1546 	}
1547 
1548 	dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1549 
1550 	/*
1551 	 * Some APs will tack on a weird IE to the end of a TDLS
1552 	 * discovery request packet. This needn't fail the response,
1553 	 * since the required IE are verified separately.
1554 	 */
1555 	if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1556 				     len - (sizeof(struct wpa_tdls_frame) + 1),
1557 				     &kde) < 0) {
1558 		wpa_printf(MSG_DEBUG,
1559 			   "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1560 	}
1561 
1562 	if (!kde.lnkid) {
1563 		wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1564 			   "Request");
1565 		return -1;
1566 	}
1567 
1568 	lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1569 
1570 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1571 		wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1572 			   " BSS " MACSTR, MAC2STR(lnkid->bssid));
1573 		return -1;
1574 	}
1575 
1576 	peer = wpa_tdls_add_peer(sm, addr, NULL);
1577 	if (peer == NULL)
1578 		return -1;
1579 
1580 	return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1581 }
1582 
1583 
1584 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1585 {
1586 	if (sm->tdls_disabled || !sm->tdls_supported)
1587 		return -1;
1588 
1589 	wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1590 		   MACSTR, MAC2STR(addr));
1591 	return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1592 				 1, 0, 0, 1, NULL, 0);
1593 }
1594 
1595 
1596 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1597 			   struct wpa_tdls_peer *peer)
1598 {
1599 	if (!kde->supp_rates) {
1600 		wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1601 		return -1;
1602 	}
1603 	peer->supp_rates_len = merge_byte_arrays(
1604 		peer->supp_rates, sizeof(peer->supp_rates),
1605 		kde->supp_rates + 2, kde->supp_rates_len - 2,
1606 		kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1607 		kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0);
1608 	return 0;
1609 }
1610 
1611 
1612 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1613 			      struct wpa_tdls_peer *peer)
1614 {
1615 	if (!kde->ht_capabilities) {
1616 		wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1617 			   "received");
1618 		return 0;
1619 	}
1620 
1621 	if (!peer->ht_capabilities) {
1622 		peer->ht_capabilities =
1623                         os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1624 		if (peer->ht_capabilities == NULL)
1625                         return -1;
1626 	}
1627 
1628 	os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1629                   sizeof(struct ieee80211_ht_capabilities));
1630 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1631 		    (u8 *) peer->ht_capabilities,
1632 		    sizeof(struct ieee80211_ht_capabilities));
1633 
1634 	return 0;
1635 }
1636 
1637 
1638 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1639 			      struct wpa_tdls_peer *peer)
1640 {
1641 	if (!kde->vht_capabilities) {
1642 		wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1643 			   "received");
1644 		return 0;
1645 	}
1646 
1647 	if (!peer->vht_capabilities) {
1648 		peer->vht_capabilities =
1649                         os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1650 		if (peer->vht_capabilities == NULL)
1651                         return -1;
1652 	}
1653 
1654 	os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1655                   sizeof(struct ieee80211_vht_capabilities));
1656 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1657 		    (u8 *) peer->vht_capabilities,
1658 		    sizeof(struct ieee80211_vht_capabilities));
1659 
1660 	return 0;
1661 }
1662 
1663 
1664 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde,
1665 			      struct wpa_tdls_peer *peer)
1666 {
1667 	if (!kde->he_capabilities) {
1668 		wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received");
1669 		return 0;
1670 	}
1671 
1672 	os_free(peer->he_capabilities);
1673 	peer->he_capab_len = 0;
1674 	peer->he_capabilities = os_memdup(kde->he_capabilities,
1675 					  kde->he_capab_len);
1676 	if (!peer->he_capabilities)
1677 		return -1;
1678 
1679 	peer->he_capab_len = kde->he_capab_len;
1680 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities",
1681 		    peer->he_capabilities, peer->he_capab_len);
1682 
1683 	return 0;
1684 }
1685 
1686 
1687 static int copy_peer_he_6ghz_band_capab(const struct wpa_eapol_ie_parse *kde,
1688 					struct wpa_tdls_peer *peer)
1689 {
1690 	if (!kde->he_6ghz_capabilities) {
1691 		wpa_printf(MSG_DEBUG,
1692 			   "TDLS: No HE 6 GHz band capabilities received");
1693 		return 0;
1694 	}
1695 
1696 	if (!peer->he_6ghz_band_capabilities) {
1697 		peer->he_6ghz_band_capabilities =
1698 			os_zalloc(sizeof(struct ieee80211_he_6ghz_band_cap));
1699 		if (peer->he_6ghz_band_capabilities == NULL)
1700 			return -1;
1701 	}
1702 
1703 	os_memcpy(peer->he_6ghz_band_capabilities, kde->he_6ghz_capabilities,
1704 		  sizeof(struct ieee80211_he_6ghz_band_cap));
1705 
1706 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer 6 GHz band HE capabilities",
1707 		    peer->he_6ghz_band_capabilities,
1708 		    sizeof(struct ieee80211_he_6ghz_band_cap));
1709 
1710 	return 0;
1711 }
1712 
1713 
1714 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1715 			       struct wpa_tdls_peer *peer)
1716 {
1717 	if (!kde->ext_capab) {
1718 		wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1719 			   "received");
1720 		return 0;
1721 	}
1722 
1723 	if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1724 		/* Need to allocate buffer to fit the new information */
1725 		os_free(peer->ext_capab);
1726 		peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1727 		if (peer->ext_capab == NULL)
1728 			return -1;
1729 	}
1730 
1731 	peer->ext_capab_len = kde->ext_capab_len - 2;
1732 	os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1733 
1734 	return 0;
1735 }
1736 
1737 
1738 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1739 			       struct wpa_tdls_peer *peer)
1740 {
1741 	struct wmm_information_element *wmm;
1742 
1743 	if (!kde->wmm) {
1744 		wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1745 		return 0;
1746 	}
1747 
1748 	if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1749 		wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1750 		return -1;
1751 	}
1752 
1753 	wmm = (struct wmm_information_element *) kde->wmm;
1754 	peer->qos_info = wmm->qos_info;
1755 
1756 	peer->wmm_capable = 1;
1757 
1758 	wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1759 	return 0;
1760 }
1761 
1762 
1763 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1764 				   struct wpa_tdls_peer *peer)
1765 {
1766 	if (!kde->supp_channels) {
1767 		wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1768 		return 0;
1769 	}
1770 
1771 	if (!peer->supp_channels ||
1772 	    peer->supp_channels_len < kde->supp_channels_len) {
1773 		os_free(peer->supp_channels);
1774 		peer->supp_channels = os_zalloc(kde->supp_channels_len);
1775 		if (peer->supp_channels == NULL)
1776 			return -1;
1777 	}
1778 
1779 	peer->supp_channels_len = kde->supp_channels_len;
1780 
1781 	os_memcpy(peer->supp_channels, kde->supp_channels,
1782 		  peer->supp_channels_len);
1783 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1784 		    (u8 *) peer->supp_channels, peer->supp_channels_len);
1785 	return 0;
1786 }
1787 
1788 
1789 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1790 				       struct wpa_tdls_peer *peer)
1791 {
1792 	if (!kde->supp_oper_classes) {
1793 		wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1794 		return 0;
1795 	}
1796 
1797 	if (!peer->supp_oper_classes ||
1798 	    peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1799 		os_free(peer->supp_oper_classes);
1800 		peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1801 		if (peer->supp_oper_classes == NULL)
1802 			return -1;
1803 	}
1804 
1805 	peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1806 	os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1807 		  peer->supp_oper_classes_len);
1808 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1809 		    (u8 *) peer->supp_oper_classes,
1810 		    peer->supp_oper_classes_len);
1811 	return 0;
1812 }
1813 
1814 
1815 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1816 				int add)
1817 {
1818 	return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1819 				       peer->capability,
1820 				       peer->supp_rates, peer->supp_rates_len,
1821 				       peer->ht_capabilities,
1822 				       peer->vht_capabilities,
1823 				       peer->he_capabilities,
1824 				       peer->he_capab_len,
1825 				       peer->he_6ghz_band_capabilities,
1826 				       peer->qos_info, peer->wmm_capable,
1827 				       peer->ext_capab, peer->ext_capab_len,
1828 				       peer->supp_channels,
1829 				       peer->supp_channels_len,
1830 				       peer->supp_oper_classes,
1831 				       peer->supp_oper_classes_len);
1832 }
1833 
1834 
1835 static int tdls_nonce_set(const u8 *nonce)
1836 {
1837 	int i;
1838 
1839 	for (i = 0; i < WPA_NONCE_LEN; i++) {
1840 		if (nonce[i])
1841 			return 1;
1842 	}
1843 
1844 	return 0;
1845 }
1846 
1847 
1848 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1849 				   const u8 *buf, size_t len)
1850 {
1851 	struct wpa_tdls_peer *peer;
1852 	struct wpa_eapol_ie_parse kde;
1853 	struct wpa_ie_data ie;
1854 	int cipher;
1855 	const u8 *cpos;
1856 	struct wpa_tdls_ftie *ftie = NULL;
1857 	struct wpa_tdls_timeoutie *timeoutie;
1858 	struct wpa_tdls_lnkid *lnkid;
1859 	u32 lifetime = 0;
1860 #if 0
1861 	struct rsn_ie_hdr *hdr;
1862 	u8 *pos;
1863 	u16 rsn_capab;
1864 	u16 rsn_ver;
1865 #endif
1866 	u8 dtoken;
1867 	u16 ielen;
1868 	u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1869 	int tdls_prohibited = sm->tdls_prohibited;
1870 	int existing_peer = 0;
1871 
1872 	if (len < 3 + 3)
1873 		return -1;
1874 
1875 	cpos = buf;
1876 	cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1877 
1878 	/* driver had already verified the frame format */
1879 	dtoken = *cpos++; /* dialog token */
1880 
1881 	wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1882 
1883 	peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1884 	if (peer == NULL)
1885 		goto error;
1886 
1887 	/* If found, use existing entry instead of adding a new one;
1888 	 * how to handle the case where both ends initiate at the
1889 	 * same time? */
1890 	if (existing_peer) {
1891 		if (peer->tpk_success) {
1892 			wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1893 				   "direct link is enabled - tear down the "
1894 				   "old link first");
1895 			wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1896 			wpa_tdls_peer_clear(sm, peer);
1897 		} else if (peer->initiator) {
1898 			/*
1899 			 * An entry is already present, so check if we already
1900 			 * sent a TDLS Setup Request. If so, compare MAC
1901 			 * addresses and let the STA with the lower MAC address
1902 			 * continue as the initiator. The other negotiation is
1903 			 * terminated.
1904 			 */
1905 			if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1906 				wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1907 					   "from peer with higher address "
1908 					   MACSTR, MAC2STR(src_addr));
1909 				return -1;
1910 			} else {
1911 				wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1912 					   "from peer with lower address "
1913 					   MACSTR " (terminate previously "
1914 					   "initiated negotiation",
1915 					   MAC2STR(src_addr));
1916 				wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1917 						 peer->addr);
1918 				wpa_tdls_peer_clear(sm, peer);
1919 			}
1920 		}
1921 	}
1922 
1923 	/* capability information */
1924 	peer->capability = WPA_GET_LE16(cpos);
1925 	cpos += 2;
1926 
1927 	ielen = len - (cpos - buf); /* start of IE in buf */
1928 
1929 	/*
1930 	 * Don't reject the message if failing to parse IEs. The IEs we need are
1931 	 * explicitly checked below. Some APs may add arbitrary padding to the
1932 	 * end of short TDLS frames and that would look like invalid IEs.
1933 	 */
1934 	if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1935 		wpa_printf(MSG_DEBUG,
1936 			   "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1937 
1938 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1939 		wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1940 			   "TPK M1");
1941 		goto error;
1942 	}
1943 	wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1944 		    kde.lnkid, kde.lnkid_len);
1945 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1946 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1947 		wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1948 		status = WLAN_STATUS_REQUEST_DECLINED;
1949 		goto error;
1950 	}
1951 
1952 	wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1953 		   MAC2STR(src_addr));
1954 
1955 	if (copy_supp_rates(&kde, peer) < 0)
1956 		goto error;
1957 
1958 	if (copy_peer_ht_capab(&kde, peer) < 0)
1959 		goto error;
1960 
1961 	if (copy_peer_vht_capab(&kde, peer) < 0 ||
1962 	    copy_peer_he_capab(&kde, peer) < 0 ||
1963 	    copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
1964 		goto error;
1965 
1966 	if (copy_peer_ext_capab(&kde, peer) < 0)
1967 		goto error;
1968 
1969 	if (copy_peer_supp_channels(&kde, peer) < 0)
1970 		goto error;
1971 
1972 	if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1973 		goto error;
1974 
1975 	peer->qos_info = kde.qosinfo;
1976 
1977 	/* Overwrite with the qos_info obtained in WMM IE */
1978 	if (copy_peer_wmm_capab(&kde, peer) < 0)
1979 		goto error;
1980 
1981 	peer->aid = kde.aid;
1982 
1983 #ifdef CONFIG_TDLS_TESTING
1984 	if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1985 		peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1986 		if (peer == NULL)
1987 			goto error;
1988 		wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1989 			   "TDLS setup - send own request");
1990 		peer->initiator = 1;
1991 		wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1992 					NULL, NULL, 0, NULL, 0, 0, NULL, 0,
1993 					NULL, 0, NULL, 0);
1994 		if (wpa_tdls_send_tpk_m1(sm, peer) == -2) {
1995 			peer = NULL;
1996 			goto error;
1997 		}
1998 	}
1999 
2000 	if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2001 	    tdls_prohibited) {
2002 		wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2003 			   "on TDLS");
2004 		tdls_prohibited = 0;
2005 	}
2006 #endif /* CONFIG_TDLS_TESTING */
2007 
2008 	if (tdls_prohibited) {
2009 		wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
2010 		status = WLAN_STATUS_REQUEST_DECLINED;
2011 		goto error;
2012 	}
2013 
2014 	if (!wpa_tdls_get_privacy(sm)) {
2015 		if (kde.rsn_ie) {
2016 			wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
2017 				   "security is disabled");
2018 			status = WLAN_STATUS_SECURITY_DISABLED;
2019 			goto error;
2020 		}
2021 		goto skip_rsn;
2022 	}
2023 
2024 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2025 	    kde.rsn_ie == NULL) {
2026 		wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
2027 		status = WLAN_STATUS_INVALID_PARAMETERS;
2028 		goto error;
2029 	}
2030 
2031 	if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2032 		wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
2033 			   "TPK M1");
2034 		status = WLAN_STATUS_INVALID_RSNIE;
2035 		goto error;
2036 	}
2037 
2038 	if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2039 		wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
2040 		status = WLAN_STATUS_INVALID_RSNIE;
2041 		goto error;
2042 	}
2043 
2044 	cipher = ie.pairwise_cipher;
2045 	if (cipher & WPA_CIPHER_CCMP) {
2046 		wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2047 		cipher = WPA_CIPHER_CCMP;
2048 	} else {
2049 		wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
2050 		status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2051 		goto error;
2052 	}
2053 
2054 	if ((ie.capabilities &
2055 	     (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
2056 	    WPA_CAPABILITY_PEERKEY_ENABLED) {
2057 		wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
2058 			   "TPK M1");
2059 		status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
2060 		goto error;
2061 	}
2062 
2063 	/* Lifetime */
2064 	if (kde.key_lifetime == NULL) {
2065 		wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
2066 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2067 		goto error;
2068 	}
2069 	timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2070 	lifetime = WPA_GET_LE32(timeoutie->value);
2071 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
2072 	if (lifetime < 300) {
2073 		wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2074 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2075 		goto error;
2076 	}
2077 
2078 skip_rsn:
2079 #ifdef CONFIG_TDLS_TESTING
2080 	if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2081 		if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2082 			/*
2083 			 * The request frame from us is going to win, so do not
2084 			 * replace information based on this request frame from
2085 			 * the peer.
2086 			 */
2087 			goto skip_rsn_check;
2088 		}
2089 	}
2090 #endif /* CONFIG_TDLS_TESTING */
2091 
2092 	peer->initiator = 0; /* Need to check */
2093 	peer->dtoken = dtoken;
2094 
2095 	if (!wpa_tdls_get_privacy(sm)) {
2096 		peer->rsnie_i_len = 0;
2097 		peer->rsnie_p_len = 0;
2098 		peer->cipher = WPA_CIPHER_NONE;
2099 		goto skip_rsn_check;
2100 	}
2101 
2102 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
2103 	os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2104 	peer->rsnie_i_len = kde.rsn_ie_len;
2105 	peer->cipher = cipher;
2106 
2107 	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2108 	    !tdls_nonce_set(peer->inonce)) {
2109 		/*
2110 		 * There is no point in updating the RNonce for every obtained
2111 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
2112 		 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2113 		 * retransmitted with a different INonce, update the RNonce
2114 		 * since this is for a new TDLS session.
2115 		 */
2116 		wpa_printf(MSG_DEBUG,
2117 			   "TDLS: New TPK M1 INonce - generate new RNonce");
2118 		os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2119 		if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2120 			wpa_msg(sm->ctx->ctx, MSG_WARNING,
2121 				"TDLS: Failed to get random data for responder nonce");
2122 			goto error;
2123 		}
2124 		peer->tk_set = 0; /* A new nonce results in a new TK */
2125 	}
2126 
2127 #if 0
2128 	/* get version info from RSNIE received from Peer */
2129 	hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2130 	rsn_ver = WPA_GET_LE16(hdr->version);
2131 
2132 	/* use min(peer's version, out version) */
2133 	if (rsn_ver > RSN_VERSION)
2134 		rsn_ver = RSN_VERSION;
2135 
2136 	hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2137 
2138 	hdr->elem_id = WLAN_EID_RSN;
2139 	WPA_PUT_LE16(hdr->version, rsn_ver);
2140 	pos = (u8 *) (hdr + 1);
2141 
2142 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2143 	pos += RSN_SELECTOR_LEN;
2144 	/* Include only the selected cipher in pairwise cipher suite */
2145 	WPA_PUT_LE16(pos, 1);
2146 	pos += 2;
2147 	if (cipher == WPA_CIPHER_CCMP)
2148 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2149 	pos += RSN_SELECTOR_LEN;
2150 
2151 	WPA_PUT_LE16(pos, 1);
2152 	pos += 2;
2153 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2154 	pos += RSN_SELECTOR_LEN;
2155 
2156 	rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2157 	rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2158 	WPA_PUT_LE16(pos, rsn_capab);
2159 	pos += 2;
2160 
2161 	hdr->len = (pos - peer->rsnie_p) - 2;
2162 	peer->rsnie_p_len = pos - peer->rsnie_p;
2163 #endif
2164 
2165 	/* temp fix: validation of RSNIE later */
2166 	os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2167 	peer->rsnie_p_len = peer->rsnie_i_len;
2168 
2169 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2170 		    peer->rsnie_p, peer->rsnie_p_len);
2171 
2172 	peer->lifetime = lifetime;
2173 
2174 	wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2175 
2176 skip_rsn_check:
2177 #ifdef CONFIG_TDLS_TESTING
2178 	if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2179 		goto skip_add_peer;
2180 #endif /* CONFIG_TDLS_TESTING */
2181 
2182 	/* add supported rates, capabilities, and qos_info to the TDLS peer */
2183 	if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2184 		goto error;
2185 
2186 #ifdef CONFIG_TDLS_TESTING
2187 skip_add_peer:
2188 #endif /* CONFIG_TDLS_TESTING */
2189 	peer->tpk_in_progress = 1;
2190 
2191 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2192 	if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2193 		wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2194 		goto error;
2195 	}
2196 
2197 #ifdef CONFIG_TDLS_TESTING
2198 	if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) {
2199 		wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2");
2200 		wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer);
2201 	}
2202 #endif /* CONFIG_TDLS_TESTING */
2203 
2204 	return 0;
2205 
2206 error:
2207 	wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2208 			    status);
2209 	if (peer)
2210 		wpa_tdls_peer_free(sm, peer);
2211 	return -1;
2212 }
2213 
2214 
2215 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2216 {
2217 	peer->tpk_success = 1;
2218 	peer->tpk_in_progress = 0;
2219 	eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2220 	if (wpa_tdls_get_privacy(sm)) {
2221 		u32 lifetime = peer->lifetime;
2222 		/*
2223 		 * Start the initiator process a bit earlier to avoid race
2224 		 * condition with the responder sending teardown request.
2225 		 */
2226 		if (lifetime > 3 && peer->initiator)
2227 			lifetime -= 3;
2228 		eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2229 				       sm, peer);
2230 #ifdef CONFIG_TDLS_TESTING
2231 		if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2232 			wpa_printf(MSG_DEBUG,
2233 				   "TDLS: Testing - disable TPK expiration");
2234 			eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2235 		}
2236 #endif /* CONFIG_TDLS_TESTING */
2237 	}
2238 
2239 	if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2240 		wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2241 			   "driver");
2242 		return -1;
2243 	}
2244 	peer->reconfig_key = 0;
2245 
2246 	return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2247 }
2248 
2249 
2250 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2251 				   const u8 *buf, size_t len)
2252 {
2253 	struct wpa_tdls_peer *peer;
2254 	struct wpa_eapol_ie_parse kde;
2255 	struct wpa_ie_data ie;
2256 	int cipher;
2257 	struct wpa_tdls_ftie *ftie;
2258 	struct wpa_tdls_timeoutie *timeoutie;
2259 	struct wpa_tdls_lnkid *lnkid;
2260 	u32 lifetime;
2261 	u8 dtoken;
2262 	int ielen;
2263 	u16 status;
2264 	const u8 *pos;
2265 	int ret = 0;
2266 
2267 	wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2268 		   "(Peer " MACSTR ")", MAC2STR(src_addr));
2269 	for (peer = sm->tdls; peer; peer = peer->next) {
2270 		if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2271 			break;
2272 	}
2273 	if (peer == NULL) {
2274 		wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2275 			   "TPK M2: " MACSTR, MAC2STR(src_addr));
2276 		return -1;
2277 	}
2278 	if (!peer->initiator) {
2279 		/*
2280 		 * This may happen if both devices try to initiate TDLS at the
2281 		 * same time and we accept the TPK M1 from the peer in
2282 		 * wpa_tdls_process_tpk_m1() and clear our previous state.
2283 		 */
2284 		wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2285 			   "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2286 		return -1;
2287 	}
2288 
2289 	if (peer->tpk_success) {
2290 		wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2291 			   MACSTR " as TPK M3 was already sent",
2292 			   MAC2STR(src_addr));
2293 		return 0;
2294 	}
2295 
2296 	wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2297 
2298 	if (len < 3 + 2 + 1) {
2299 		wpa_tdls_disable_peer_link(sm, peer);
2300 		return -1;
2301 	}
2302 
2303 	pos = buf;
2304 	pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2305 	status = WPA_GET_LE16(pos);
2306 	pos += 2 /* status code */;
2307 
2308 	if (status != WLAN_STATUS_SUCCESS) {
2309 		wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2310 			   status);
2311 		wpa_tdls_disable_peer_link(sm, peer);
2312 		return -1;
2313 	}
2314 
2315 	status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2316 
2317 	/* TODO: need to verify dialog token matches here or in kernel */
2318 	dtoken = *pos++; /* dialog token */
2319 
2320 	wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2321 
2322 	if (len < 3 + 2 + 1 + 2) {
2323 		wpa_tdls_disable_peer_link(sm, peer);
2324 		return -1;
2325 	}
2326 
2327 	/* capability information */
2328 	peer->capability = WPA_GET_LE16(pos);
2329 	pos += 2;
2330 
2331 	ielen = len - (pos - buf); /* start of IE in buf */
2332 
2333 	/*
2334 	 * Don't reject the message if failing to parse IEs. The IEs we need are
2335 	 * explicitly checked below. Some APs may add arbitrary padding to the
2336 	 * end of short TDLS frames and that would look like invalid IEs.
2337 	 */
2338 	if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2339 		wpa_printf(MSG_DEBUG,
2340 			   "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2341 
2342 #ifdef CONFIG_TDLS_TESTING
2343 	if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2344 		wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2345 		status = WLAN_STATUS_REQUEST_DECLINED;
2346 		goto error;
2347 	}
2348 #endif /* CONFIG_TDLS_TESTING */
2349 
2350 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2351 		wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2352 			   "TPK M2");
2353 		goto error;
2354 	}
2355 	wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2356 		    kde.lnkid, kde.lnkid_len);
2357 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2358 
2359 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2360 		wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2361 		status = WLAN_STATUS_NOT_IN_SAME_BSS;
2362 		goto error;
2363 	}
2364 
2365 	if (copy_supp_rates(&kde, peer) < 0)
2366 		goto error;
2367 
2368 	if (copy_peer_ht_capab(&kde, peer) < 0)
2369 		goto error;
2370 
2371 	if (copy_peer_vht_capab(&kde, peer) < 0 ||
2372 	    copy_peer_he_capab(&kde, peer) < 0 ||
2373 	    copy_peer_he_6ghz_band_capab(&kde, peer) < 0)
2374 		goto error;
2375 
2376 	if (copy_peer_ext_capab(&kde, peer) < 0)
2377 		goto error;
2378 
2379 	if (copy_peer_supp_channels(&kde, peer) < 0)
2380 		goto error;
2381 
2382 	if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2383 		goto error;
2384 
2385 	peer->qos_info = kde.qosinfo;
2386 
2387 	/* Overwrite with the qos_info obtained in WMM IE */
2388 	if (copy_peer_wmm_capab(&kde, peer) < 0)
2389 		goto error;
2390 
2391 	peer->aid = kde.aid;
2392 
2393 	if (!wpa_tdls_get_privacy(sm)) {
2394 		peer->rsnie_p_len = 0;
2395 		peer->cipher = WPA_CIPHER_NONE;
2396 		goto skip_rsn;
2397 	}
2398 
2399 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2400 	    kde.rsn_ie == NULL) {
2401 		wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2402 		status = WLAN_STATUS_INVALID_PARAMETERS;
2403 		goto error;
2404 	}
2405 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2406 		    kde.rsn_ie, kde.rsn_ie_len);
2407 
2408 	if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2409 		wpa_printf(MSG_INFO,
2410 			   "TDLS: Too long Responder RSN IE in TPK M2");
2411 		status = WLAN_STATUS_INVALID_RSNIE;
2412 		goto error;
2413 	}
2414 
2415 	/*
2416 	 * FIX: bitwise comparison of RSN IE is not the correct way of
2417 	 * validation this. It can be different, but certain fields must
2418 	 * match. Since we list only a single pairwise cipher in TPK M1, the
2419 	 * memcmp is likely to work in most cases, though.
2420 	 */
2421 	if (kde.rsn_ie_len != peer->rsnie_i_len ||
2422 	    os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2423 		wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2424 			   "not match with RSN IE used in TPK M1");
2425 		wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2426 			    peer->rsnie_i, peer->rsnie_i_len);
2427 		wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2428 			    kde.rsn_ie, kde.rsn_ie_len);
2429 		status = WLAN_STATUS_INVALID_RSNIE;
2430 		goto error;
2431 	}
2432 
2433 	if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2434 		wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2435 		status = WLAN_STATUS_INVALID_RSNIE;
2436 		goto error;
2437 	}
2438 
2439 	cipher = ie.pairwise_cipher;
2440 	if (cipher == WPA_CIPHER_CCMP) {
2441 		wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2442 		cipher = WPA_CIPHER_CCMP;
2443 	} else {
2444 		wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2445 		status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2446 		goto error;
2447 	}
2448 
2449 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2450 		    kde.ftie, sizeof(*ftie));
2451 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
2452 
2453 	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2454 		wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2455 			   "not match with FTIE SNonce used in TPK M1");
2456 		/* Silently discard the frame */
2457 		return -1;
2458 	}
2459 
2460 	/* Responder Nonce and RSN IE */
2461 	os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2462 	os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2463 	peer->rsnie_p_len = kde.rsn_ie_len;
2464 	peer->cipher = cipher;
2465 
2466 	/* Lifetime */
2467 	if (kde.key_lifetime == NULL) {
2468 		wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2469 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2470 		goto error;
2471 	}
2472 	timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2473 	lifetime = WPA_GET_LE32(timeoutie->value);
2474 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2475 		   lifetime);
2476 	if (lifetime != peer->lifetime) {
2477 		wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2478 			   "TPK M2 (expected %u)", lifetime, peer->lifetime);
2479 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2480 		goto error;
2481 	}
2482 
2483 	wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2484 
2485 	/* Process MIC check to see if TPK M2 is right */
2486 	if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2487 					   (u8 *) timeoutie, ftie) < 0) {
2488 		/* Discard the frame */
2489 		wpa_tdls_del_key(sm, peer);
2490 		wpa_tdls_disable_peer_link(sm, peer);
2491 		return -1;
2492 	}
2493 
2494 	if (wpa_tdls_set_key(sm, peer) < 0) {
2495 		/*
2496 		 * Some drivers may not be able to config the key prior to full
2497 		 * STA entry having been configured.
2498 		 */
2499 		wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2500 			   "STA entry is complete");
2501 		peer->reconfig_key = 1;
2502 	}
2503 
2504 skip_rsn:
2505 	peer->dtoken = dtoken;
2506 
2507 	/* add supported rates, capabilities, and qos_info to the TDLS peer */
2508 	if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2509 		goto error;
2510 
2511 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2512 		   "TPK Handshake Message 3");
2513 	if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2514 		goto error_no_msg;
2515 
2516 	if (!peer->tpk_success) {
2517 		/*
2518 		 * Enable Link only when tpk_success is 0, signifying that this
2519 		 * processing of TPK M2 frame is not because of a retransmission
2520 		 * during TDLS setup handshake.
2521 		 */
2522 		ret = wpa_tdls_enable_link(sm, peer);
2523 		if (ret < 0) {
2524 			wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2525 			wpa_tdls_do_teardown(
2526 				sm, peer,
2527 				WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2528 		}
2529 	}
2530 	return ret;
2531 
2532 error:
2533 	wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2534 			    status);
2535 error_no_msg:
2536 	wpa_tdls_disable_peer_link(sm, peer);
2537 	return -1;
2538 }
2539 
2540 
2541 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2542 				   const u8 *buf, size_t len)
2543 {
2544 	struct wpa_tdls_peer *peer;
2545 	struct wpa_eapol_ie_parse kde;
2546 	struct wpa_tdls_ftie *ftie;
2547 	struct wpa_tdls_timeoutie *timeoutie;
2548 	struct wpa_tdls_lnkid *lnkid;
2549 	int ielen;
2550 	u16 status;
2551 	const u8 *pos;
2552 	u32 lifetime;
2553 	int ret = 0;
2554 
2555 	wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2556 		   "(Peer " MACSTR ")", MAC2STR(src_addr));
2557 	for (peer = sm->tdls; peer; peer = peer->next) {
2558 		if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2559 			break;
2560 	}
2561 	if (peer == NULL) {
2562 		wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2563 			   "TPK M3: " MACSTR, MAC2STR(src_addr));
2564 		return -1;
2565 	}
2566 	wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2567 
2568 	if (len < 3 + 3)
2569 		goto error;
2570 	pos = buf;
2571 	pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2572 
2573 	status = WPA_GET_LE16(pos);
2574 
2575 	if (status != 0) {
2576 		wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2577 			   status);
2578 		goto error;
2579 	}
2580 	pos += 2 /* status code */ + 1 /* dialog token */;
2581 
2582 	ielen = len - (pos - buf); /* start of IE in buf */
2583 
2584 	/*
2585 	 * Don't reject the message if failing to parse IEs. The IEs we need are
2586 	 * explicitly checked below. Some APs piggy-back broken IEs to the end
2587 	 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2588 	 * this error.
2589 	 */
2590 	if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2591 		wpa_printf(MSG_DEBUG,
2592 			   "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2593 	}
2594 
2595 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2596 		wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2597 		goto error;
2598 	}
2599 	wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2600 		    (u8 *) kde.lnkid, kde.lnkid_len);
2601 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2602 
2603 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2604 		wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2605 		goto error;
2606 	}
2607 
2608 	if (!wpa_tdls_get_privacy(sm))
2609 		goto skip_rsn;
2610 
2611 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2612 		wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2613 		goto error;
2614 	}
2615 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2616 		    kde.ftie, sizeof(*ftie));
2617 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
2618 
2619 	if (kde.rsn_ie == NULL) {
2620 		wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2621 		goto error;
2622 	}
2623 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2624 		    kde.rsn_ie, kde.rsn_ie_len);
2625 	if (kde.rsn_ie_len != peer->rsnie_p_len ||
2626 	    os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2627 		wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2628 			   "with the one sent in TPK M2");
2629 		goto error;
2630 	}
2631 
2632 	if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2633 		wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2634 			   "not match with FTIE ANonce used in TPK M2");
2635 		goto error;
2636 	}
2637 
2638 	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2639 		wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2640 			   "match with FTIE SNonce used in TPK M1");
2641 		goto error;
2642 	}
2643 
2644 	if (kde.key_lifetime == NULL) {
2645 		wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2646 		goto error;
2647 	}
2648 	timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2649 	wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2650 		    (u8 *) timeoutie, sizeof(*timeoutie));
2651 	lifetime = WPA_GET_LE32(timeoutie->value);
2652 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2653 		   lifetime);
2654 	if (lifetime != peer->lifetime) {
2655 		wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2656 			   "TPK M3 (expected %u)", lifetime, peer->lifetime);
2657 		goto error;
2658 	}
2659 
2660 	if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2661 					   (u8 *) timeoutie, ftie) < 0) {
2662 		wpa_tdls_del_key(sm, peer);
2663 		goto error;
2664 	}
2665 
2666 	if (wpa_tdls_set_key(sm, peer) < 0) {
2667 		/*
2668 		 * Some drivers may not be able to config the key prior to full
2669 		 * STA entry having been configured.
2670 		 */
2671 		wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2672 			   "STA entry is complete");
2673 		peer->reconfig_key = 1;
2674 	}
2675 
2676 skip_rsn:
2677 	/* add supported rates, capabilities, and qos_info to the TDLS peer */
2678 	if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2679 		goto error;
2680 
2681 	if (!peer->tpk_success) {
2682 		/*
2683 		 * Enable Link only when tpk_success is 0, signifying that this
2684 		 * processing of TPK M3 frame is not because of a retransmission
2685 		 * during TDLS setup handshake.
2686 		 */
2687 		ret = wpa_tdls_enable_link(sm, peer);
2688 		if (ret < 0) {
2689 			wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2690 			goto error;
2691 		}
2692 	}
2693 	return ret;
2694 error:
2695 	wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2696 	return -1;
2697 }
2698 
2699 
2700 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2701 {
2702 	struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2703 
2704 	os_memset(lifetime, 0, ie_len);
2705 	lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2706 	lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2707 	lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2708 	WPA_PUT_LE32(lifetime->value, tsecs);
2709 	os_memcpy(pos, ie, ie_len);
2710 	return pos + ie_len;
2711 }
2712 
2713 
2714 /**
2715  * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2716  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2717  * @peer: MAC address of the peer STA
2718  * Returns: 0 on success, or -1 on failure
2719  *
2720  * Send TPK Handshake Message 1 info to driver to start TDLS
2721  * handshake with the peer.
2722  */
2723 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2724 {
2725 	struct wpa_tdls_peer *peer;
2726 	int tdls_prohibited = sm->tdls_prohibited;
2727 	int res;
2728 
2729 	if (sm->tdls_disabled || !sm->tdls_supported)
2730 		return -1;
2731 
2732 #ifdef CONFIG_TDLS_TESTING
2733 	if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2734 	    tdls_prohibited) {
2735 		wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2736 			   "on TDLS");
2737 		tdls_prohibited = 0;
2738 	}
2739 #endif /* CONFIG_TDLS_TESTING */
2740 
2741 	if (tdls_prohibited) {
2742 		wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2743 			   "reject request to start setup");
2744 		return -1;
2745 	}
2746 
2747 	peer = wpa_tdls_add_peer(sm, addr, NULL);
2748 	if (peer == NULL)
2749 		return -1;
2750 
2751 	if (peer->tpk_in_progress) {
2752 		wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2753 		return 0;
2754 	}
2755 
2756 	peer->initiator = 1;
2757 
2758 	/* add the peer to the driver as a "setup in progress" peer */
2759 	if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2760 				    NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0,
2761 				    NULL, 0)) {
2762 		wpa_tdls_disable_peer_link(sm, peer);
2763 		return -1;
2764 	}
2765 
2766 	peer->tpk_in_progress = 1;
2767 
2768 	res = wpa_tdls_send_tpk_m1(sm, peer);
2769 	if (res < 0) {
2770 		if (res != -2)
2771 			wpa_tdls_disable_peer_link(sm, peer);
2772 		return -1;
2773 	}
2774 
2775 	return 0;
2776 }
2777 
2778 
2779 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2780 {
2781 	struct wpa_tdls_peer *peer;
2782 
2783 	if (sm->tdls_disabled || !sm->tdls_supported)
2784 		return;
2785 
2786 	for (peer = sm->tdls; peer; peer = peer->next) {
2787 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2788 			break;
2789 	}
2790 
2791 	if (peer == NULL || !peer->tpk_success)
2792 		return;
2793 
2794 	if (sm->tdls_external_setup) {
2795 		/*
2796 		 * Disable previous link to allow renegotiation to be completed
2797 		 * on AP path.
2798 		 */
2799 		wpa_tdls_do_teardown(sm, peer,
2800 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2801 	}
2802 }
2803 
2804 
2805 /**
2806  * wpa_supplicant_rx_tdls - Receive TDLS data frame
2807  *
2808  * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2809  */
2810 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2811 				   const u8 *buf, size_t len)
2812 {
2813 	struct wpa_sm *sm = ctx;
2814 	struct wpa_tdls_frame *tf;
2815 
2816 	wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2817 		    buf, len);
2818 
2819 	if (sm->tdls_disabled || !sm->tdls_supported) {
2820 		wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2821 			   "or unsupported by driver");
2822 		return;
2823 	}
2824 
2825 	if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2826 		wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2827 		return;
2828 	}
2829 
2830 	if (len < sizeof(*tf)) {
2831 		wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2832 		return;
2833 	}
2834 
2835 	/* Check to make sure its a valid encapsulated TDLS frame */
2836 	tf = (struct wpa_tdls_frame *) buf;
2837 	if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2838 	    tf->category != WLAN_ACTION_TDLS) {
2839 		wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2840 			   "category=%u action=%u",
2841 			   tf->payloadtype, tf->category, tf->action);
2842 		return;
2843 	}
2844 
2845 	switch (tf->action) {
2846 	case WLAN_TDLS_SETUP_REQUEST:
2847 		wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2848 		break;
2849 	case WLAN_TDLS_SETUP_RESPONSE:
2850 		wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2851 		break;
2852 	case WLAN_TDLS_SETUP_CONFIRM:
2853 		wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2854 		break;
2855 	case WLAN_TDLS_TEARDOWN:
2856 		wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2857 		break;
2858 	case WLAN_TDLS_DISCOVERY_REQUEST:
2859 		wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2860 		break;
2861 	default:
2862 		/* Kernel code will process remaining frames */
2863 		wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2864 			   tf->action);
2865 		break;
2866 	}
2867 }
2868 
2869 
2870 /**
2871  * wpa_tdls_init - Initialize driver interface parameters for TDLS
2872  * @wpa_s: Pointer to wpa_supplicant data
2873  * Returns: 0 on success, -1 on failure
2874  *
2875  * This function is called to initialize driver interface parameters for TDLS.
2876  * wpa_drv_init() must have been called before this function to initialize the
2877  * driver interface.
2878  */
2879 int wpa_tdls_init(struct wpa_sm *sm)
2880 {
2881 	if (sm == NULL)
2882 		return -1;
2883 
2884 	if (sm->l2_tdls) {
2885 		l2_packet_deinit(sm->l2_tdls);
2886 		sm->l2_tdls = NULL;
2887 	}
2888 
2889 	sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2890 				     sm->ifname,
2891 				     sm->own_addr,
2892 				     ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2893 				     sm, 0);
2894 	if (sm->l2_tdls == NULL) {
2895 		wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2896 			   "connection");
2897 		return -1;
2898 	}
2899 
2900 	/*
2901 	 * Drivers that support TDLS but don't implement the get_capa callback
2902 	 * are assumed to perform everything internally
2903 	 */
2904 	if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2905 				 &sm->tdls_external_setup,
2906 				 &sm->tdls_chan_switch) < 0) {
2907 		sm->tdls_supported = 1;
2908 		sm->tdls_external_setup = 0;
2909 	}
2910 
2911 	wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2912 		   "driver", sm->tdls_supported ? "" : " not");
2913 	wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2914 		   sm->tdls_external_setup ? "external" : "internal");
2915 	wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
2916 		   sm->tdls_chan_switch ? "supports" : "does not support");
2917 
2918 	return 0;
2919 }
2920 
2921 
2922 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2923 {
2924 	struct wpa_tdls_peer *peer, *tmp;
2925 
2926 	if (!sm)
2927 		return;
2928 	peer = sm->tdls;
2929 
2930 	wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2931 
2932 	while (peer) {
2933 		tmp = peer->next;
2934 		wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2935 			   MAC2STR(peer->addr));
2936 		if (sm->tdls_external_setup)
2937 			wpa_tdls_do_teardown(sm, peer,
2938 					     WLAN_REASON_DEAUTH_LEAVING);
2939 		else
2940 			wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2941 
2942 		peer = tmp;
2943 	}
2944 }
2945 
2946 
2947 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2948 {
2949 	struct wpa_tdls_peer *peer, *tmp;
2950 
2951 	peer = sm->tdls;
2952 
2953 	while (peer) {
2954 		int res;
2955 		tmp = peer->next;
2956 		res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2957 		wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2958 			   MAC2STR(peer->addr), res);
2959 		wpa_tdls_peer_free(sm, peer);
2960 		peer = tmp;
2961 	}
2962 }
2963 
2964 
2965 /**
2966  * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2967  *
2968  * This function is called to recover driver interface parameters for TDLS
2969  * and frees resources allocated for it.
2970  */
2971 void wpa_tdls_deinit(struct wpa_sm *sm)
2972 {
2973 	if (sm == NULL)
2974 		return;
2975 
2976 	if (sm->l2_tdls)
2977 		l2_packet_deinit(sm->l2_tdls);
2978 	sm->l2_tdls = NULL;
2979 
2980 	wpa_tdls_remove_peers(sm);
2981 }
2982 
2983 
2984 void wpa_tdls_assoc(struct wpa_sm *sm)
2985 {
2986 	wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2987 	wpa_tdls_remove_peers(sm);
2988 }
2989 
2990 
2991 void wpa_tdls_disassoc(struct wpa_sm *sm)
2992 {
2993 	wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2994 	wpa_tdls_remove_peers(sm);
2995 }
2996 
2997 
2998 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
2999 {
3000 	/* bit 38 - TDLS Prohibited */
3001 	return !!(elems->ext_capab[4] & 0x40);
3002 }
3003 
3004 
3005 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
3006 {
3007 	/* bit 39 - TDLS Channel Switch Prohibited */
3008 	return !!(elems->ext_capab[4] & 0x80);
3009 }
3010 
3011 
3012 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3013 {
3014 	struct ieee802_11_elems elems;
3015 
3016 	sm->tdls_prohibited = 0;
3017 	sm->tdls_chan_switch_prohibited = 0;
3018 
3019 	if (ies == NULL ||
3020 	    ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3021 	    elems.ext_capab == NULL || elems.ext_capab_len < 5)
3022 		return;
3023 
3024 	sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
3025 	wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
3026 		   sm->tdls_prohibited ? "prohibited" : "allowed");
3027 	sm->tdls_chan_switch_prohibited =
3028 		wpa_tdls_chan_switch_prohibited(&elems);
3029 	wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
3030 		   sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
3031 }
3032 
3033 
3034 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3035 {
3036 	struct ieee802_11_elems elems;
3037 
3038 	if (ies == NULL ||
3039 	    ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3040 	    elems.ext_capab == NULL || elems.ext_capab_len < 5)
3041 		return;
3042 
3043 	if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
3044 		wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
3045 			   "(Re)Association Response IEs");
3046 		sm->tdls_prohibited = 1;
3047 	}
3048 
3049 	if (!sm->tdls_chan_switch_prohibited &&
3050 	    wpa_tdls_chan_switch_prohibited(&elems)) {
3051 		wpa_printf(MSG_DEBUG,
3052 			   "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
3053 		sm->tdls_chan_switch_prohibited = 1;
3054 	}
3055 }
3056 
3057 
3058 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
3059 {
3060 	wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
3061 	sm->tdls_disabled = !enabled;
3062 }
3063 
3064 
3065 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
3066 {
3067 	return sm->tdls_external_setup;
3068 }
3069 
3070 
3071 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
3072 				u8 oper_class,
3073 				struct hostapd_freq_params *freq_params)
3074 {
3075 	struct wpa_tdls_peer *peer;
3076 	int ret;
3077 
3078 	if (sm->tdls_disabled || !sm->tdls_supported)
3079 		return -1;
3080 
3081 	if (!sm->tdls_chan_switch) {
3082 		wpa_printf(MSG_DEBUG,
3083 			   "TDLS: Channel switching not supported by the driver");
3084 		return -1;
3085 	}
3086 
3087 	if (sm->tdls_chan_switch_prohibited) {
3088 		wpa_printf(MSG_DEBUG,
3089 			   "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3090 		return -1;
3091 	}
3092 
3093 	for (peer = sm->tdls; peer; peer = peer->next) {
3094 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3095 			break;
3096 	}
3097 
3098 	if (peer == NULL || !peer->tpk_success) {
3099 		wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
3100 			   " not found for channel switching", MAC2STR(addr));
3101 		return -1;
3102 	}
3103 
3104 	if (peer->chan_switch_enabled) {
3105 		wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
3106 			   " already has channel switching enabled",
3107 			   MAC2STR(addr));
3108 		return 0;
3109 	}
3110 
3111 	ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3112 						oper_class, freq_params);
3113 	if (!ret)
3114 		peer->chan_switch_enabled = 1;
3115 
3116 	return ret;
3117 }
3118 
3119 
3120 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3121 {
3122 	struct wpa_tdls_peer *peer;
3123 
3124 	if (sm->tdls_disabled || !sm->tdls_supported)
3125 		return -1;
3126 
3127 	for (peer = sm->tdls; peer; peer = peer->next) {
3128 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3129 			break;
3130 	}
3131 
3132 	if (!peer || !peer->chan_switch_enabled) {
3133 		wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3134 			   MACSTR, MAC2STR(addr));
3135 		return -1;
3136 	}
3137 
3138 	/* ignore the return value */
3139 	wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3140 
3141 	peer->chan_switch_enabled = 0;
3142 	return 0;
3143 }
3144