xref: /freebsd/contrib/wpa/src/rsn_supp/tdls.c (revision 6ba2210ee039f2f12878c217bcf058e9c8b26b29)
1 /*
2  * wpa_supplicant - TDLS
3  * Copyright (c) 2010-2011, Atheros Communications
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/os.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "crypto/sha256.h"
17 #include "crypto/crypto.h"
18 #include "crypto/aes_wrap.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/wpa_ie.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "drivers/driver.h"
23 #include "l2_packet/l2_packet.h"
24 
25 #ifdef CONFIG_TDLS_TESTING
26 #define TDLS_TESTING_LONG_FRAME BIT(0)
27 #define TDLS_TESTING_ALT_RSN_IE BIT(1)
28 #define TDLS_TESTING_DIFF_BSSID BIT(2)
29 #define TDLS_TESTING_SHORT_LIFETIME BIT(3)
30 #define TDLS_TESTING_WRONG_LIFETIME_RESP BIT(4)
31 #define TDLS_TESTING_WRONG_LIFETIME_CONF BIT(5)
32 #define TDLS_TESTING_LONG_LIFETIME BIT(6)
33 #define TDLS_TESTING_CONCURRENT_INIT BIT(7)
34 #define TDLS_TESTING_NO_TPK_EXPIRATION BIT(8)
35 #define TDLS_TESTING_DECLINE_RESP BIT(9)
36 #define TDLS_TESTING_IGNORE_AP_PROHIBIT BIT(10)
37 #define TDLS_TESTING_WRONG_MIC BIT(11)
38 #define TDLS_TESTING_DOUBLE_TPK_M2 BIT(12)
39 unsigned int tdls_testing = 0;
40 #endif /* CONFIG_TDLS_TESTING */
41 
42 #define TPK_LIFETIME 43200 /* 12 hours */
43 #define TPK_M1_RETRY_COUNT 3
44 #define TPK_M1_TIMEOUT 5000 /* in milliseconds */
45 #define TPK_M2_RETRY_COUNT 10
46 #define TPK_M2_TIMEOUT 500 /* in milliseconds */
47 
48 #define TDLS_MIC_LEN		16
49 
50 #define TDLS_TIMEOUT_LEN	4
51 
52 struct wpa_tdls_ftie {
53 	u8 ie_type; /* FTIE */
54 	u8 ie_len;
55 	u8 mic_ctrl[2];
56 	u8 mic[TDLS_MIC_LEN];
57 	u8 Anonce[WPA_NONCE_LEN]; /* Responder Nonce in TDLS */
58 	u8 Snonce[WPA_NONCE_LEN]; /* Initiator Nonce in TDLS */
59 	/* followed by optional elements */
60 } STRUCT_PACKED;
61 
62 struct wpa_tdls_timeoutie {
63 	u8 ie_type; /* Timeout IE */
64 	u8 ie_len;
65 	u8 interval_type;
66 	u8 value[TDLS_TIMEOUT_LEN];
67 } STRUCT_PACKED;
68 
69 struct wpa_tdls_lnkid {
70 	u8 ie_type; /* Link Identifier IE */
71 	u8 ie_len;
72 	u8 bssid[ETH_ALEN];
73 	u8 init_sta[ETH_ALEN];
74 	u8 resp_sta[ETH_ALEN];
75 } STRUCT_PACKED;
76 
77 /* TDLS frame headers as per IEEE Std 802.11z-2010 */
78 struct wpa_tdls_frame {
79 	u8 payloadtype; /* IEEE80211_TDLS_RFTYPE */
80 	u8 category; /* Category */
81 	u8 action; /* Action (enum tdls_frame_type) */
82 } STRUCT_PACKED;
83 
84 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs);
85 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx);
86 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer);
87 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
88 				       struct wpa_tdls_peer *peer);
89 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
90 				  u16 reason_code);
91 
92 
93 #define TDLS_MAX_IE_LEN 80
94 #define IEEE80211_MAX_SUPP_RATES 32
95 
96 struct wpa_tdls_peer {
97 	struct wpa_tdls_peer *next;
98 	unsigned int reconfig_key:1;
99 	int initiator; /* whether this end was initiator for TDLS setup */
100 	u8 addr[ETH_ALEN]; /* other end MAC address */
101 	u8 inonce[WPA_NONCE_LEN]; /* Initiator Nonce */
102 	u8 rnonce[WPA_NONCE_LEN]; /* Responder Nonce */
103 	u8 rsnie_i[TDLS_MAX_IE_LEN]; /* Initiator RSN IE */
104 	size_t rsnie_i_len;
105 	u8 rsnie_p[TDLS_MAX_IE_LEN]; /* Peer RSN IE */
106 	size_t rsnie_p_len;
107 	u32 lifetime;
108 	int cipher; /* Selected cipher (WPA_CIPHER_*) */
109 	u8 dtoken;
110 
111 	struct tpk {
112 		u8 kck[16]; /* TPK-KCK */
113 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
114 	} tpk;
115 	int tpk_set;
116 	int tk_set; /* TPK-TK configured to the driver */
117 	int tpk_success;
118 	int tpk_in_progress;
119 
120 	struct tpk_timer {
121 		u8 dest[ETH_ALEN];
122 		int count;      /* Retry Count */
123 		int timer;      /* Timeout in milliseconds */
124 		u8 action_code; /* TDLS frame type */
125 		u8 dialog_token;
126 		u16 status_code;
127 		u32 peer_capab;
128 		int buf_len;    /* length of TPK message for retransmission */
129 		u8 *buf;        /* buffer for TPK message */
130 	} sm_tmr;
131 
132 	u16 capability;
133 
134 	u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
135 	size_t supp_rates_len;
136 
137 	struct ieee80211_ht_capabilities *ht_capabilities;
138 	struct ieee80211_vht_capabilities *vht_capabilities;
139 	struct ieee80211_he_capabilities *he_capabilities;
140 	size_t he_capab_len;
141 
142 	u8 qos_info;
143 
144 	u16 aid;
145 
146 	u8 *ext_capab;
147 	size_t ext_capab_len;
148 
149 	u8 *supp_channels;
150 	size_t supp_channels_len;
151 
152 	u8 *supp_oper_classes;
153 	size_t supp_oper_classes_len;
154 
155 	u8 wmm_capable;
156 
157 	/* channel switch currently enabled */
158 	int chan_switch_enabled;
159 };
160 
161 
162 static int wpa_tdls_get_privacy(struct wpa_sm *sm)
163 {
164 	/*
165 	 * Get info needed from supplicant to check if the current BSS supports
166 	 * security. Other than OPEN mode, rest are considered secured
167 	 * WEP/WPA/WPA2 hence TDLS frames are processed for TPK handshake.
168 	 */
169 	return sm->pairwise_cipher != WPA_CIPHER_NONE;
170 }
171 
172 
173 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
174 {
175 	os_memcpy(pos, ie, ie_len);
176 	return pos + ie_len;
177 }
178 
179 
180 static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
181 {
182 	if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr,
183 			   0, 0, NULL, 0, NULL, 0, KEY_FLAG_PAIRWISE) < 0) {
184 		wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from "
185 			   "the driver");
186 		return -1;
187 	}
188 
189 	return 0;
190 }
191 
192 
193 static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
194 {
195 	u8 key_len;
196 	u8 rsc[6];
197 	enum wpa_alg alg;
198 
199 	if (peer->tk_set) {
200 		/*
201 		 * This same TPK-TK has already been configured to the driver
202 		 * and this new configuration attempt (likely due to an
203 		 * unexpected retransmitted frame) would result in clearing
204 		 * the TX/RX sequence number which can break security, so must
205 		 * not allow that to happen.
206 		 */
207 		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
208 			   " has already been configured to the driver - do not reconfigure",
209 			   MAC2STR(peer->addr));
210 		return -1;
211 	}
212 
213 	os_memset(rsc, 0, 6);
214 
215 	switch (peer->cipher) {
216 	case WPA_CIPHER_CCMP:
217 		alg = WPA_ALG_CCMP;
218 		key_len = 16;
219 		break;
220 	case WPA_CIPHER_NONE:
221 		wpa_printf(MSG_DEBUG, "TDLS: Pairwise Cipher Suite: "
222 			   "NONE - do not use pairwise keys");
223 		return -1;
224 	default:
225 		wpa_printf(MSG_WARNING, "TDLS: Unsupported pairwise cipher %d",
226 			   sm->pairwise_cipher);
227 		return -1;
228 	}
229 
230 	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
231 		   MAC2STR(peer->addr));
232 	if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc),
233 			   peer->tpk.tk, key_len,
234 			   KEY_FLAG_PAIRWISE_RX_TX) < 0) {
235 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
236 			   "driver");
237 		return -1;
238 	}
239 	peer->tk_set = 1;
240 	return 0;
241 }
242 
243 
244 static int wpa_tdls_send_tpk_msg(struct wpa_sm *sm, const u8 *dst,
245 				 u8 action_code, u8 dialog_token,
246 				 u16 status_code, u32 peer_capab,
247 				 int initiator, const u8 *buf, size_t len)
248 {
249 	return wpa_sm_send_tdls_mgmt(sm, dst, action_code, dialog_token,
250 				     status_code, peer_capab, initiator, buf,
251 				     len);
252 }
253 
254 
255 static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
256 			     u8 dialog_token, u16 status_code, u32 peer_capab,
257 			     int initiator, const u8 *msg, size_t msg_len)
258 {
259 	struct wpa_tdls_peer *peer;
260 
261 	wpa_printf(MSG_DEBUG, "TDLS: TPK send dest=" MACSTR " action_code=%u "
262 		   "dialog_token=%u status_code=%u peer_capab=%u initiator=%d "
263 		   "msg_len=%u",
264 		   MAC2STR(dest), action_code, dialog_token, status_code,
265 		   peer_capab, initiator, (unsigned int) msg_len);
266 
267 	if (wpa_tdls_send_tpk_msg(sm, dest, action_code, dialog_token,
268 				  status_code, peer_capab, initiator, msg,
269 				  msg_len)) {
270 		wpa_printf(MSG_INFO, "TDLS: Failed to send message "
271 			   "(action_code=%u)", action_code);
272 		return -1;
273 	}
274 
275 	if (action_code == WLAN_TDLS_SETUP_CONFIRM ||
276 	    action_code == WLAN_TDLS_TEARDOWN ||
277 	    action_code == WLAN_TDLS_DISCOVERY_REQUEST ||
278 	    action_code == WLAN_TDLS_DISCOVERY_RESPONSE)
279 		return 0; /* No retries */
280 
281 	for (peer = sm->tdls; peer; peer = peer->next) {
282 		if (os_memcmp(peer->addr, dest, ETH_ALEN) == 0)
283 			break;
284 	}
285 
286 	if (peer == NULL) {
287 		wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
288 			   "retry " MACSTR, MAC2STR(dest));
289 		return 0;
290 	}
291 
292 	eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
293 
294 	if (action_code == WLAN_TDLS_SETUP_RESPONSE) {
295 		peer->sm_tmr.count = TPK_M2_RETRY_COUNT;
296 		peer->sm_tmr.timer = TPK_M2_TIMEOUT;
297 	} else {
298 		peer->sm_tmr.count = TPK_M1_RETRY_COUNT;
299 		peer->sm_tmr.timer = TPK_M1_TIMEOUT;
300 	}
301 
302 	/* Copy message to resend on timeout */
303 	os_memcpy(peer->sm_tmr.dest, dest, ETH_ALEN);
304 	peer->sm_tmr.action_code = action_code;
305 	peer->sm_tmr.dialog_token = dialog_token;
306 	peer->sm_tmr.status_code = status_code;
307 	peer->sm_tmr.peer_capab = peer_capab;
308 	peer->sm_tmr.buf_len = msg_len;
309 	os_free(peer->sm_tmr.buf);
310 	peer->sm_tmr.buf = os_memdup(msg, msg_len);
311 	if (peer->sm_tmr.buf == NULL)
312 		return -1;
313 
314 	wpa_printf(MSG_DEBUG, "TDLS: Retry timeout registered "
315 		   "(action_code=%u)", action_code);
316 	eloop_register_timeout(peer->sm_tmr.timer / 1000,
317 			       (peer->sm_tmr.timer % 1000) * 1000,
318 			       wpa_tdls_tpk_retry_timeout, sm, peer);
319 	return 0;
320 }
321 
322 
323 static int wpa_tdls_do_teardown(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
324 				u16 reason_code)
325 {
326 	int ret;
327 
328 	ret = wpa_tdls_send_teardown(sm, peer->addr, reason_code);
329 	/* disable the link after teardown was sent */
330 	wpa_tdls_disable_peer_link(sm, peer);
331 
332 	return ret;
333 }
334 
335 
336 static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
337 {
338 
339 	struct wpa_sm *sm = eloop_ctx;
340 	struct wpa_tdls_peer *peer = timeout_ctx;
341 
342 	if (peer->sm_tmr.count) {
343 		peer->sm_tmr.count--;
344 
345 		wpa_printf(MSG_INFO, "TDLS: Retrying sending of message "
346 			   "(action_code=%u)",
347 			   peer->sm_tmr.action_code);
348 
349 		if (peer->sm_tmr.buf == NULL) {
350 			wpa_printf(MSG_INFO, "TDLS: No retry buffer available "
351 				   "for action_code=%u",
352 				   peer->sm_tmr.action_code);
353 			eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm,
354 					     peer);
355 			return;
356 		}
357 
358 		/* resend TPK Handshake Message to Peer */
359 		if (wpa_tdls_send_tpk_msg(sm, peer->sm_tmr.dest,
360 					  peer->sm_tmr.action_code,
361 					  peer->sm_tmr.dialog_token,
362 					  peer->sm_tmr.status_code,
363 					  peer->sm_tmr.peer_capab,
364 					  peer->initiator,
365 					  peer->sm_tmr.buf,
366 					  peer->sm_tmr.buf_len)) {
367 			wpa_printf(MSG_INFO, "TDLS: Failed to retry "
368 				   "transmission");
369 		}
370 
371 		eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
372 		eloop_register_timeout(peer->sm_tmr.timer / 1000,
373 				       (peer->sm_tmr.timer % 1000) * 1000,
374 				       wpa_tdls_tpk_retry_timeout, sm, peer);
375 	} else {
376 		eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
377 
378 		wpa_printf(MSG_DEBUG, "TDLS: Sending Teardown Request");
379 		wpa_tdls_do_teardown(sm, peer,
380 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
381 	}
382 }
383 
384 
385 static void wpa_tdls_tpk_retry_timeout_cancel(struct wpa_sm *sm,
386 					      struct wpa_tdls_peer *peer,
387 					      u8 action_code)
388 {
389 	if (action_code == peer->sm_tmr.action_code) {
390 		wpa_printf(MSG_DEBUG, "TDLS: Retry timeout cancelled for "
391 			   "action_code=%u", action_code);
392 
393 		/* Cancel Timeout registered */
394 		eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
395 
396 		/* free all resources meant for retry */
397 		os_free(peer->sm_tmr.buf);
398 		peer->sm_tmr.buf = NULL;
399 
400 		peer->sm_tmr.count = 0;
401 		peer->sm_tmr.timer = 0;
402 		peer->sm_tmr.buf_len = 0;
403 		peer->sm_tmr.action_code = 0xff;
404 	} else {
405 		wpa_printf(MSG_INFO, "TDLS: Error in cancelling retry timeout "
406 			   "(Unknown action_code=%u)", action_code);
407 	}
408 }
409 
410 
411 static void wpa_tdls_generate_tpk(struct wpa_tdls_peer *peer,
412 				  const u8 *own_addr, const u8 *bssid)
413 {
414 	u8 key_input[SHA256_MAC_LEN];
415 	const u8 *nonce[2];
416 	size_t len[2];
417 	u8 data[3 * ETH_ALEN];
418 
419 	/* IEEE Std 802.11-2016 12.7.9.2:
420 	 * TPK-Key-Input = Hash(min(SNonce, ANonce) || max(SNonce, ANonce))
421 	 * Hash = SHA-256 for TDLS
422 	 */
423 	len[0] = WPA_NONCE_LEN;
424 	len[1] = WPA_NONCE_LEN;
425 	if (os_memcmp(peer->inonce, peer->rnonce, WPA_NONCE_LEN) < 0) {
426 		nonce[0] = peer->inonce;
427 		nonce[1] = peer->rnonce;
428 	} else {
429 		nonce[0] = peer->rnonce;
430 		nonce[1] = peer->inonce;
431 	}
432 	wpa_hexdump(MSG_DEBUG, "TDLS: min(Nonce)", nonce[0], WPA_NONCE_LEN);
433 	wpa_hexdump(MSG_DEBUG, "TDLS: max(Nonce)", nonce[1], WPA_NONCE_LEN);
434 	sha256_vector(2, nonce, len, key_input);
435 	wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
436 			key_input, SHA256_MAC_LEN);
437 
438 	/*
439 	 * TPK = KDF-Hash-Length(TPK-Key-Input, "TDLS PMK",
440 	 *	min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID)
441 	 */
442 
443 	if (os_memcmp(own_addr, peer->addr, ETH_ALEN) < 0) {
444 		os_memcpy(data, own_addr, ETH_ALEN);
445 		os_memcpy(data + ETH_ALEN, peer->addr, ETH_ALEN);
446 	} else {
447 		os_memcpy(data, peer->addr, ETH_ALEN);
448 		os_memcpy(data + ETH_ALEN, own_addr, ETH_ALEN);
449 	}
450 	os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
451 	wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
452 
453 	sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
454 		   (u8 *) &peer->tpk, sizeof(peer->tpk));
455 	wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
456 			peer->tpk.kck, sizeof(peer->tpk.kck));
457 	wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
458 			peer->tpk.tk, sizeof(peer->tpk.tk));
459 	peer->tpk_set = 1;
460 }
461 
462 
463 /**
464  * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
465  * @kck: TPK-KCK
466  * @lnkid: Pointer to the beginning of Link Identifier IE
467  * @rsnie: Pointer to the beginning of RSN IE used for handshake
468  * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
469  * @ftie: Pointer to the beginning of FT IE
470  * @mic: Pointer for writing MIC
471  *
472  * Calculate MIC for TDLS frame.
473  */
474 static int wpa_tdls_ftie_mic(const u8 *kck, u8 trans_seq, const u8 *lnkid,
475 			     const u8 *rsnie, const u8 *timeoutie,
476 			     const u8 *ftie, u8 *mic)
477 {
478 	u8 *buf, *pos;
479 	struct wpa_tdls_ftie *_ftie;
480 	const struct wpa_tdls_lnkid *_lnkid;
481 	int ret;
482 	int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
483 		2 + timeoutie[1] + 2 + ftie[1];
484 	buf = os_zalloc(len);
485 	if (!buf) {
486 		wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
487 		return -1;
488 	}
489 
490 	pos = buf;
491 	_lnkid = (const struct wpa_tdls_lnkid *) lnkid;
492 	/* 1) TDLS initiator STA MAC address */
493 	os_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
494 	pos += ETH_ALEN;
495 	/* 2) TDLS responder STA MAC address */
496 	os_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
497 	pos += ETH_ALEN;
498 	/* 3) Transaction Sequence number */
499 	*pos++ = trans_seq;
500 	/* 4) Link Identifier IE */
501 	os_memcpy(pos, lnkid, 2 + lnkid[1]);
502 	pos += 2 + lnkid[1];
503 	/* 5) RSN IE */
504 	os_memcpy(pos, rsnie, 2 + rsnie[1]);
505 	pos += 2 + rsnie[1];
506 	/* 6) Timeout Interval IE */
507 	os_memcpy(pos, timeoutie, 2 + timeoutie[1]);
508 	pos += 2 + timeoutie[1];
509 	/* 7) FTIE, with the MIC field of the FTIE set to 0 */
510 	os_memcpy(pos, ftie, 2 + ftie[1]);
511 	_ftie = (struct wpa_tdls_ftie *) pos;
512 	os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
513 	pos += 2 + ftie[1];
514 
515 	wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
516 	wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
517 	ret = omac1_aes_128(kck, buf, pos - buf, mic);
518 	os_free(buf);
519 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
520 	return ret;
521 }
522 
523 
524 /**
525  * wpa_tdls_key_mic_teardown - Calculate TDLS FTIE MIC for Teardown frame
526  * @kck: TPK-KCK
527  * @trans_seq: Transaction Sequence Number (4 - Teardown)
528  * @rcode: Reason code for Teardown
529  * @dtoken: Dialog Token used for that particular link
530  * @lnkid: Pointer to the beginning of Link Identifier IE
531  * @ftie: Pointer to the beginning of FT IE
532  * @mic: Pointer for writing MIC
533  *
534  * Calculate MIC for TDLS frame.
535  */
536 static int wpa_tdls_key_mic_teardown(const u8 *kck, u8 trans_seq, u16 rcode,
537 				     u8 dtoken, const u8 *lnkid,
538 				     const u8 *ftie, u8 *mic)
539 {
540 	u8 *buf, *pos;
541 	struct wpa_tdls_ftie *_ftie;
542 	int ret;
543 	int len;
544 
545 	if (lnkid == NULL)
546 		return -1;
547 
548 	len = 2 + lnkid[1] + sizeof(rcode) + sizeof(dtoken) +
549 		sizeof(trans_seq) + 2 + ftie[1];
550 
551 	buf = os_zalloc(len);
552 	if (!buf) {
553 		wpa_printf(MSG_WARNING, "TDLS: No memory for MIC calculation");
554 		return -1;
555 	}
556 
557 	pos = buf;
558 	/* 1) Link Identifier IE */
559 	os_memcpy(pos, lnkid, 2 + lnkid[1]);
560 	pos += 2 + lnkid[1];
561 	/* 2) Reason Code */
562 	WPA_PUT_LE16(pos, rcode);
563 	pos += sizeof(rcode);
564 	/* 3) Dialog token */
565 	*pos++ = dtoken;
566 	/* 4) Transaction Sequence number */
567 	*pos++ = trans_seq;
568 	/* 7) FTIE, with the MIC field of the FTIE set to 0 */
569 	os_memcpy(pos, ftie, 2 + ftie[1]);
570 	_ftie = (struct wpa_tdls_ftie *) pos;
571 	os_memset(_ftie->mic, 0, TDLS_MIC_LEN);
572 	pos += 2 + ftie[1];
573 
574 	wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
575 	wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", kck, 16);
576 	ret = omac1_aes_128(kck, buf, pos - buf, mic);
577 	os_free(buf);
578 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
579 	return ret;
580 }
581 
582 
583 static int wpa_supplicant_verify_tdls_mic(u8 trans_seq,
584 					  struct wpa_tdls_peer *peer,
585 					  const u8 *lnkid, const u8 *timeoutie,
586 					  const struct wpa_tdls_ftie *ftie)
587 {
588 	u8 mic[16];
589 
590 	if (peer->tpk_set) {
591 		wpa_tdls_ftie_mic(peer->tpk.kck, trans_seq, lnkid,
592 				  peer->rsnie_p, timeoutie, (u8 *) ftie,
593 				  mic);
594 		if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
595 			wpa_printf(MSG_INFO, "TDLS: Invalid MIC in FTIE - "
596 				   "dropping packet");
597 			wpa_hexdump(MSG_DEBUG, "TDLS: Received MIC",
598 				    ftie->mic, 16);
599 			wpa_hexdump(MSG_DEBUG, "TDLS: Calculated MIC",
600 				    mic, 16);
601 			return -1;
602 		}
603 	} else {
604 		wpa_printf(MSG_WARNING, "TDLS: Could not verify TDLS MIC, "
605 			   "TPK not set - dropping packet");
606 		return -1;
607 	}
608 	return 0;
609 }
610 
611 
612 static int wpa_supplicant_verify_tdls_mic_teardown(
613 	u8 trans_seq, u16 rcode, u8 dtoken, struct wpa_tdls_peer *peer,
614 	const u8 *lnkid, const struct wpa_tdls_ftie *ftie)
615 {
616 	u8 mic[16];
617 
618 	if (peer->tpk_set) {
619 		wpa_tdls_key_mic_teardown(peer->tpk.kck, trans_seq, rcode,
620 					  dtoken, lnkid, (u8 *) ftie, mic);
621 		if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
622 			wpa_printf(MSG_INFO, "TDLS: Invalid MIC in Teardown - "
623 				   "dropping packet");
624 			return -1;
625 		}
626 	} else {
627 		wpa_printf(MSG_INFO, "TDLS: Could not verify TDLS Teardown "
628 			   "MIC, TPK not set - dropping packet");
629 		return -1;
630 	}
631 	return 0;
632 }
633 
634 
635 static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
636 {
637 	struct wpa_sm *sm = eloop_ctx;
638 	struct wpa_tdls_peer *peer = timeout_ctx;
639 
640 	/*
641 	 * On TPK lifetime expiration, we have an option of either tearing down
642 	 * the direct link or trying to re-initiate it. The selection of what
643 	 * to do is not strictly speaking controlled by our role in the expired
644 	 * link, but for now, use that to select whether to renew or tear down
645 	 * the link.
646 	 */
647 
648 	if (peer->initiator) {
649 		u8 addr[ETH_ALEN];
650 
651 		wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
652 			   " - try to renew", MAC2STR(peer->addr));
653 		/* cache the peer address before do_teardown */
654 		os_memcpy(addr, peer->addr, ETH_ALEN);
655 		wpa_tdls_do_teardown(sm, peer,
656 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
657 		wpa_tdls_start(sm, addr);
658 	} else {
659 		wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime expired for " MACSTR
660 			   " - tear down", MAC2STR(peer->addr));
661 		wpa_tdls_do_teardown(sm, peer,
662 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
663 	}
664 }
665 
666 
667 static void wpa_tdls_peer_remove_from_list(struct wpa_sm *sm,
668 					   struct wpa_tdls_peer *peer)
669 {
670 	struct wpa_tdls_peer *cur, *prev;
671 
672 	cur = sm->tdls;
673 	prev = NULL;
674 	while (cur && cur != peer) {
675 		prev = cur;
676 		cur = cur->next;
677 	}
678 
679 	if (cur != peer) {
680 		wpa_printf(MSG_ERROR, "TDLS: Could not find peer " MACSTR
681 			   " to remove it from the list",
682 			   MAC2STR(peer->addr));
683 		return;
684 	}
685 
686 	if (prev)
687 		prev->next = peer->next;
688 	else
689 		sm->tdls = peer->next;
690 }
691 
692 
693 static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
694 {
695 	wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
696 		   MAC2STR(peer->addr));
697 	eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
698 	eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
699 	peer->reconfig_key = 0;
700 	peer->initiator = 0;
701 	peer->tpk_in_progress = 0;
702 	os_free(peer->sm_tmr.buf);
703 	peer->sm_tmr.buf = NULL;
704 	os_free(peer->ht_capabilities);
705 	peer->ht_capabilities = NULL;
706 	os_free(peer->vht_capabilities);
707 	peer->vht_capabilities = NULL;
708 	os_free(peer->he_capabilities);
709 	peer->he_capabilities = NULL;
710 	os_free(peer->ext_capab);
711 	peer->ext_capab = NULL;
712 	os_free(peer->supp_channels);
713 	peer->supp_channels = NULL;
714 	os_free(peer->supp_oper_classes);
715 	peer->supp_oper_classes = NULL;
716 	peer->rsnie_i_len = peer->rsnie_p_len = 0;
717 	peer->cipher = 0;
718 	peer->qos_info = 0;
719 	peer->wmm_capable = 0;
720 	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
721 	peer->chan_switch_enabled = 0;
722 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
723 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
724 	os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
725 }
726 
727 
728 static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
729 {
730 	wpa_tdls_peer_clear(sm, peer);
731 	wpa_tdls_peer_remove_from_list(sm, peer);
732 	os_free(peer);
733 }
734 
735 
736 static void wpa_tdls_linkid(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
737 			    struct wpa_tdls_lnkid *lnkid)
738 {
739 	lnkid->ie_type = WLAN_EID_LINK_ID;
740 	lnkid->ie_len = 3 * ETH_ALEN;
741 	os_memcpy(lnkid->bssid, sm->bssid, ETH_ALEN);
742 	if (peer->initiator) {
743 		os_memcpy(lnkid->init_sta, sm->own_addr, ETH_ALEN);
744 		os_memcpy(lnkid->resp_sta, peer->addr, ETH_ALEN);
745 	} else {
746 		os_memcpy(lnkid->init_sta, peer->addr, ETH_ALEN);
747 		os_memcpy(lnkid->resp_sta, sm->own_addr, ETH_ALEN);
748 	}
749 }
750 
751 
752 static int wpa_tdls_send_teardown(struct wpa_sm *sm, const u8 *addr,
753 				  u16 reason_code)
754 {
755 	struct wpa_tdls_peer *peer;
756 	struct wpa_tdls_ftie *ftie;
757 	struct wpa_tdls_lnkid lnkid;
758 	u8 dialog_token;
759 	u8 *rbuf, *pos;
760 	int ielen;
761 
762 	if (sm->tdls_disabled || !sm->tdls_supported)
763 		return -1;
764 
765 	/* Find the node and free from the list */
766 	for (peer = sm->tdls; peer; peer = peer->next) {
767 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
768 			break;
769 	}
770 
771 	if (peer == NULL) {
772 		wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
773 			   "Teardown " MACSTR, MAC2STR(addr));
774 		return 0;
775 	}
776 
777 	/* Cancel active channel switch before teardown */
778 	if (peer->chan_switch_enabled) {
779 		wpa_printf(MSG_DEBUG, "TDLS: First returning link with " MACSTR
780 			   " to base channel", MAC2STR(addr));
781 		wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
782 	}
783 
784 	dialog_token = peer->dtoken;
785 
786 	wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown for " MACSTR,
787 		   MAC2STR(addr));
788 
789 	ielen = 0;
790 	if (wpa_tdls_get_privacy(sm) && peer->tpk_set && peer->tpk_success) {
791 		/* To add FTIE for Teardown request and compute MIC */
792 		ielen += sizeof(*ftie);
793 #ifdef CONFIG_TDLS_TESTING
794 		if (tdls_testing & TDLS_TESTING_LONG_FRAME)
795 			ielen += 170;
796 #endif /* CONFIG_TDLS_TESTING */
797 	}
798 
799 	rbuf = os_zalloc(ielen + 1);
800 	if (rbuf == NULL)
801 		return -1;
802 	pos = rbuf;
803 
804 	if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
805 		goto skip_ies;
806 
807 	ftie = (struct wpa_tdls_ftie *) pos;
808 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
809 	/* Using the recent nonce which should be for CONFIRM frame */
810 	os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
811 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
812 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
813 	pos = (u8 *) (ftie + 1);
814 #ifdef CONFIG_TDLS_TESTING
815 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
816 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
817 			   "FTIE");
818 		ftie->ie_len += 170;
819 		*pos++ = 255; /* FTIE subelem */
820 		*pos++ = 168; /* FTIE subelem length */
821 		pos += 168;
822 	}
823 #endif /* CONFIG_TDLS_TESTING */
824 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TDLS Teardown handshake",
825 		    (u8 *) ftie, pos - (u8 *) ftie);
826 
827 	/* compute MIC before sending */
828 	wpa_tdls_linkid(sm, peer, &lnkid);
829 	wpa_tdls_key_mic_teardown(peer->tpk.kck, 4, reason_code,
830 				  dialog_token, (u8 *) &lnkid, (u8 *) ftie,
831 				  ftie->mic);
832 
833 skip_ies:
834 	/* TODO: register for a Timeout handler, if Teardown is not received at
835 	 * the other end, then try again another time */
836 
837 	/* request driver to send Teardown using this FTIE */
838 	wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_TEARDOWN, 0,
839 			  reason_code, 0, peer->initiator, rbuf, pos - rbuf);
840 	os_free(rbuf);
841 
842 	return 0;
843 }
844 
845 
846 int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code)
847 {
848 	struct wpa_tdls_peer *peer;
849 
850 	if (sm->tdls_disabled || !sm->tdls_supported)
851 		return -1;
852 
853 	for (peer = sm->tdls; peer; peer = peer->next) {
854 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
855 			break;
856 	}
857 
858 	if (peer == NULL) {
859 		wpa_printf(MSG_DEBUG, "TDLS: Could not find peer " MACSTR
860 		   " for link Teardown", MAC2STR(addr));
861 		return -1;
862 	}
863 
864 	if (!peer->tpk_success) {
865 		wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
866 		   " not connected - cannot Teardown link", MAC2STR(addr));
867 		return -1;
868 	}
869 
870 	return wpa_tdls_do_teardown(sm, peer, reason_code);
871 }
872 
873 
874 static void wpa_tdls_disable_peer_link(struct wpa_sm *sm,
875 				       struct wpa_tdls_peer *peer)
876 {
877 	wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
878 	wpa_tdls_peer_free(sm, peer);
879 }
880 
881 
882 void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr)
883 {
884 	struct wpa_tdls_peer *peer;
885 
886 	for (peer = sm->tdls; peer; peer = peer->next) {
887 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
888 			break;
889 	}
890 
891 	if (!peer || !peer->tpk_success) {
892 		wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
893 			   " not connected - cannot teardown unreachable link",
894 			   MAC2STR(addr));
895 		return;
896 	}
897 
898 	if (wpa_tdls_is_external_setup(sm)) {
899 		/*
900 		 * Get us on the base channel, disable the link, send a
901 		 * teardown packet through the AP, and then reset link data.
902 		 */
903 		if (peer->chan_switch_enabled)
904 			wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
905 		wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, addr);
906 		wpa_tdls_send_teardown(sm, addr,
907 				       WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE);
908 		wpa_tdls_peer_free(sm, peer);
909 	} else {
910 		wpa_tdls_disable_peer_link(sm, peer);
911 	}
912 }
913 
914 
915 const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr)
916 {
917 	struct wpa_tdls_peer *peer;
918 
919 	if (sm->tdls_disabled || !sm->tdls_supported)
920 		return "disabled";
921 
922 	for (peer = sm->tdls; peer; peer = peer->next) {
923 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
924 			break;
925 	}
926 
927 	if (peer == NULL)
928 		return "peer does not exist";
929 
930 	if (!peer->tpk_success)
931 		return "peer not connected";
932 
933 	return "connected";
934 }
935 
936 
937 static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
938 				  const u8 *buf, size_t len)
939 {
940 	struct wpa_tdls_peer *peer = NULL;
941 	struct wpa_tdls_ftie *ftie;
942 	struct wpa_tdls_lnkid *lnkid;
943 	struct wpa_eapol_ie_parse kde;
944 	u16 reason_code;
945 	const u8 *pos;
946 	int ielen;
947 
948 	/* Find the node and free from the list */
949 	for (peer = sm->tdls; peer; peer = peer->next) {
950 		if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
951 			break;
952 	}
953 
954 	if (peer == NULL) {
955 		wpa_printf(MSG_INFO, "TDLS: No matching entry found for "
956 			   "Teardown " MACSTR, MAC2STR(src_addr));
957 		return 0;
958 	}
959 
960 	pos = buf;
961 	pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
962 
963 	reason_code = WPA_GET_LE16(pos);
964 	pos += 2;
965 
966 	wpa_printf(MSG_DEBUG, "TDLS: TDLS Teardown Request from " MACSTR
967 		   " (reason code %u)", MAC2STR(src_addr), reason_code);
968 
969 	ielen = len - (pos - buf); /* start of IE in buf */
970 
971 	/*
972 	 * Don't reject the message if failing to parse IEs. The IEs we need are
973 	 * explicitly checked below. Some APs may add arbitrary padding to the
974 	 * end of short TDLS frames and that would look like invalid IEs.
975 	 */
976 	if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0)
977 		wpa_printf(MSG_DEBUG,
978 			   "TDLS: Failed to parse IEs in Teardown - ignore as an interop workaround");
979 
980 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
981 		wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TDLS "
982 			   "Teardown");
983 		return -1;
984 	}
985 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
986 
987 	if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
988 		goto skip_ftie;
989 
990 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
991 		wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
992 		return -1;
993 	}
994 
995 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
996 
997 	/* Process MIC check to see if TDLS Teardown is right */
998 	if (wpa_supplicant_verify_tdls_mic_teardown(4, reason_code,
999 						    peer->dtoken, peer,
1000 						    (u8 *) lnkid, ftie) < 0) {
1001 		wpa_printf(MSG_DEBUG, "TDLS: MIC failure for TDLS "
1002 			   "Teardown Request from " MACSTR, MAC2STR(src_addr));
1003 		return -1;
1004 	}
1005 
1006 skip_ftie:
1007 	/*
1008 	 * Request the driver to disable the direct link and clear associated
1009 	 * keys.
1010 	 */
1011 	wpa_tdls_disable_peer_link(sm, peer);
1012 	return 0;
1013 }
1014 
1015 
1016 /**
1017  * wpa_tdls_send_error - To send suitable TDLS status response with
1018  *	appropriate status code mentioning reason for error/failure.
1019  * @dst 	- MAC addr of Peer station
1020  * @tdls_action - TDLS frame type for which error code is sent
1021  * @initiator   - was this end the initiator of the connection
1022  * @status 	- status code mentioning reason
1023  */
1024 
1025 static int wpa_tdls_send_error(struct wpa_sm *sm, const u8 *dst,
1026 			       u8 tdls_action, u8 dialog_token, int initiator,
1027 			       u16 status)
1028 {
1029 	wpa_printf(MSG_DEBUG, "TDLS: Sending error to " MACSTR
1030 		   " (action=%u status=%u)",
1031 		   MAC2STR(dst), tdls_action, status);
1032 	return wpa_tdls_tpk_send(sm, dst, tdls_action, dialog_token, status,
1033 				 0, initiator, NULL, 0);
1034 }
1035 
1036 
1037 static struct wpa_tdls_peer *
1038 wpa_tdls_add_peer(struct wpa_sm *sm, const u8 *addr, int *existing)
1039 {
1040 	struct wpa_tdls_peer *peer;
1041 
1042 	if (existing)
1043 		*existing = 0;
1044 	for (peer = sm->tdls; peer; peer = peer->next) {
1045 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0) {
1046 			if (existing)
1047 				*existing = 1;
1048 			return peer; /* re-use existing entry */
1049 		}
1050 	}
1051 
1052 	wpa_printf(MSG_INFO, "TDLS: Creating peer entry for " MACSTR,
1053 		   MAC2STR(addr));
1054 
1055 	peer = os_zalloc(sizeof(*peer));
1056 	if (peer == NULL)
1057 		return NULL;
1058 
1059 	os_memcpy(peer->addr, addr, ETH_ALEN);
1060 	peer->next = sm->tdls;
1061 	sm->tdls = peer;
1062 
1063 	return peer;
1064 }
1065 
1066 
1067 static int wpa_tdls_send_tpk_m1(struct wpa_sm *sm,
1068 				struct wpa_tdls_peer *peer)
1069 {
1070 	size_t buf_len;
1071 	struct wpa_tdls_timeoutie timeoutie;
1072 	u16 rsn_capab;
1073 	struct wpa_tdls_ftie *ftie;
1074 	u8 *rbuf, *pos, *count_pos;
1075 	u16 count;
1076 	struct rsn_ie_hdr *hdr;
1077 	int status;
1078 
1079 	if (!wpa_tdls_get_privacy(sm)) {
1080 		wpa_printf(MSG_DEBUG, "TDLS: No security used on the link");
1081 		peer->rsnie_i_len = 0;
1082 		goto skip_rsnie;
1083 	}
1084 
1085 	/*
1086 	 * TPK Handshake Message 1:
1087 	 * FTIE: ANonce=0, SNonce=initiator nonce MIC=0, DataKDs=(RSNIE_I,
1088 	 * Timeout Interval IE))
1089 	 */
1090 
1091 	/* Filling RSN IE */
1092 	hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1093 	hdr->elem_id = WLAN_EID_RSN;
1094 	WPA_PUT_LE16(hdr->version, RSN_VERSION);
1095 
1096 	pos = (u8 *) (hdr + 1);
1097 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1098 	pos += RSN_SELECTOR_LEN;
1099 	count_pos = pos;
1100 	pos += 2;
1101 
1102 	count = 0;
1103 
1104 	/*
1105 	 * AES-CCMP is the default Encryption preferred for TDLS, so
1106 	 * RSN IE is filled only with CCMP CIPHER
1107 	 * Note: TKIP is not used to encrypt TDLS link.
1108 	 *
1109 	 * Regardless of the cipher used on the AP connection, select CCMP
1110 	 * here.
1111 	 */
1112 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1113 	pos += RSN_SELECTOR_LEN;
1114 	count++;
1115 
1116 	WPA_PUT_LE16(count_pos, count);
1117 
1118 	WPA_PUT_LE16(pos, 1);
1119 	pos += 2;
1120 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1121 	pos += RSN_SELECTOR_LEN;
1122 
1123 	rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1124 	rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1125 #ifdef CONFIG_TDLS_TESTING
1126 	if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1127 		wpa_printf(MSG_DEBUG, "TDLS: Use alternative RSN IE for "
1128 			   "testing");
1129 		rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1130 	}
1131 #endif /* CONFIG_TDLS_TESTING */
1132 	WPA_PUT_LE16(pos, rsn_capab);
1133 	pos += 2;
1134 #ifdef CONFIG_TDLS_TESTING
1135 	if (tdls_testing & TDLS_TESTING_ALT_RSN_IE) {
1136 		/* Number of PMKIDs */
1137 		*pos++ = 0x00;
1138 		*pos++ = 0x00;
1139 	}
1140 #endif /* CONFIG_TDLS_TESTING */
1141 
1142 	hdr->len = (pos - peer->rsnie_i) - 2;
1143 	peer->rsnie_i_len = pos - peer->rsnie_i;
1144 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
1145 		    peer->rsnie_i, peer->rsnie_i_len);
1146 
1147 skip_rsnie:
1148 	buf_len = 0;
1149 	if (wpa_tdls_get_privacy(sm))
1150 		buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1151 			sizeof(struct wpa_tdls_timeoutie);
1152 #ifdef CONFIG_TDLS_TESTING
1153 	if (wpa_tdls_get_privacy(sm) &&
1154 	    (tdls_testing & TDLS_TESTING_LONG_FRAME))
1155 		buf_len += 170;
1156 	if (tdls_testing & TDLS_TESTING_DIFF_BSSID)
1157 		buf_len += sizeof(struct wpa_tdls_lnkid);
1158 #endif /* CONFIG_TDLS_TESTING */
1159 	rbuf = os_zalloc(buf_len + 1);
1160 	if (rbuf == NULL) {
1161 		wpa_tdls_peer_free(sm, peer);
1162 		return -2;
1163 	}
1164 	pos = rbuf;
1165 
1166 	if (!wpa_tdls_get_privacy(sm))
1167 		goto skip_ies;
1168 
1169 	/* Initiator RSN IE */
1170 	pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1171 
1172 	ftie = (struct wpa_tdls_ftie *) pos;
1173 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1174 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1175 
1176 	if (os_get_random(peer->inonce, WPA_NONCE_LEN)) {
1177 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1178 			"TDLS: Failed to get random data for initiator Nonce");
1179 		os_free(rbuf);
1180 		wpa_tdls_peer_free(sm, peer);
1181 		return -2;
1182 	}
1183 	peer->tk_set = 0; /* A new nonce results in a new TK */
1184 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
1185 		    peer->inonce, WPA_NONCE_LEN);
1186 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1187 
1188 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK Handshake M1",
1189 		    (u8 *) ftie, sizeof(struct wpa_tdls_ftie));
1190 
1191 	pos = (u8 *) (ftie + 1);
1192 
1193 #ifdef CONFIG_TDLS_TESTING
1194 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1195 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1196 			   "FTIE");
1197 		ftie->ie_len += 170;
1198 		*pos++ = 255; /* FTIE subelem */
1199 		*pos++ = 168; /* FTIE subelem length */
1200 		pos += 168;
1201 	}
1202 #endif /* CONFIG_TDLS_TESTING */
1203 
1204 	/* Lifetime */
1205 	peer->lifetime = TPK_LIFETIME;
1206 #ifdef CONFIG_TDLS_TESTING
1207 	if (tdls_testing & TDLS_TESTING_SHORT_LIFETIME) {
1208 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use short TPK "
1209 			   "lifetime");
1210 		peer->lifetime = 301;
1211 	}
1212 	if (tdls_testing & TDLS_TESTING_LONG_LIFETIME) {
1213 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use long TPK "
1214 			   "lifetime");
1215 		peer->lifetime = 0xffffffff;
1216 	}
1217 #endif /* CONFIG_TDLS_TESTING */
1218 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1219 				     sizeof(timeoutie), peer->lifetime);
1220 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1221 
1222 skip_ies:
1223 
1224 #ifdef CONFIG_TDLS_TESTING
1225 	if (tdls_testing & TDLS_TESTING_DIFF_BSSID) {
1226 		struct wpa_tdls_lnkid *l = (struct wpa_tdls_lnkid *) pos;
1227 
1228 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use incorrect BSSID in "
1229 			   "Link Identifier");
1230 		wpa_tdls_linkid(sm, peer, l);
1231 		l->bssid[5] ^= 0x01;
1232 		pos += sizeof(*l);
1233 	}
1234 #endif /* CONFIG_TDLS_TESTING */
1235 
1236 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Request / TPK "
1237 		   "Handshake Message 1 (peer " MACSTR ")",
1238 		   MAC2STR(peer->addr));
1239 
1240 	status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_SETUP_REQUEST,
1241 				   1, 0, 0, peer->initiator, rbuf, pos - rbuf);
1242 	os_free(rbuf);
1243 
1244 	return status;
1245 }
1246 
1247 
1248 static int wpa_tdls_send_tpk_m2(struct wpa_sm *sm,
1249 				const unsigned char *src_addr, u8 dtoken,
1250 				struct wpa_tdls_lnkid *lnkid,
1251 				const struct wpa_tdls_peer *peer)
1252 {
1253 	u8 *rbuf, *pos;
1254 	size_t buf_len;
1255 	u32 lifetime;
1256 	struct wpa_tdls_timeoutie timeoutie;
1257 	struct wpa_tdls_ftie *ftie;
1258 	int status;
1259 
1260 	buf_len = 0;
1261 	if (wpa_tdls_get_privacy(sm)) {
1262 		/* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1263 		 * Lifetime */
1264 		buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1265 			sizeof(struct wpa_tdls_timeoutie);
1266 #ifdef CONFIG_TDLS_TESTING
1267 		if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1268 			buf_len += 170;
1269 #endif /* CONFIG_TDLS_TESTING */
1270 	}
1271 
1272 	rbuf = os_zalloc(buf_len + 1);
1273 	if (rbuf == NULL)
1274 		return -1;
1275 	pos = rbuf;
1276 
1277 	if (!wpa_tdls_get_privacy(sm))
1278 		goto skip_ies;
1279 
1280 	/* Peer RSN IE */
1281 	pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1282 
1283 	ftie = (struct wpa_tdls_ftie *) pos;
1284 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1285 	/* TODO: ftie->mic_control to set 2-RESPONSE */
1286 	os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1287 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1288 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1289 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE for TPK M2",
1290 		    (u8 *) ftie, sizeof(*ftie));
1291 
1292 	pos = (u8 *) (ftie + 1);
1293 
1294 #ifdef CONFIG_TDLS_TESTING
1295 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1296 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1297 			   "FTIE");
1298 		ftie->ie_len += 170;
1299 		*pos++ = 255; /* FTIE subelem */
1300 		*pos++ = 168; /* FTIE subelem length */
1301 		pos += 168;
1302 	}
1303 #endif /* CONFIG_TDLS_TESTING */
1304 
1305 	/* Lifetime */
1306 	lifetime = peer->lifetime;
1307 #ifdef CONFIG_TDLS_TESTING
1308 	if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_RESP) {
1309 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1310 			   "lifetime in response");
1311 		lifetime++;
1312 	}
1313 #endif /* CONFIG_TDLS_TESTING */
1314 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1315 				     sizeof(timeoutie), lifetime);
1316 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds from initiator",
1317 		   lifetime);
1318 
1319 	/* compute MIC before sending */
1320 	wpa_tdls_ftie_mic(peer->tpk.kck, 2, (u8 *) lnkid, peer->rsnie_p,
1321 			  (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1322 #ifdef CONFIG_TDLS_TESTING
1323 	if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1324 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1325 		ftie->mic[0] ^= 0x01;
1326 	}
1327 #endif /* CONFIG_TDLS_TESTING */
1328 
1329 skip_ies:
1330 	status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE,
1331 				   dtoken, 0, 0, peer->initiator, rbuf,
1332 				   pos - rbuf);
1333 	os_free(rbuf);
1334 
1335 	return status;
1336 }
1337 
1338 
1339 static int wpa_tdls_send_tpk_m3(struct wpa_sm *sm,
1340 				const unsigned char *src_addr, u8 dtoken,
1341 				struct wpa_tdls_lnkid *lnkid,
1342 				const struct wpa_tdls_peer *peer)
1343 {
1344 	u8 *rbuf, *pos;
1345 	size_t buf_len;
1346 	struct wpa_tdls_ftie *ftie;
1347 	struct wpa_tdls_timeoutie timeoutie;
1348 	u32 lifetime;
1349 	int status;
1350 	u32 peer_capab = 0;
1351 
1352 	buf_len = 0;
1353 	if (wpa_tdls_get_privacy(sm)) {
1354 		/* Peer RSN IE, FTIE(Initiator Nonce, Responder Nonce),
1355 		 * Lifetime */
1356 		buf_len += peer->rsnie_i_len + sizeof(struct wpa_tdls_ftie) +
1357 			sizeof(struct wpa_tdls_timeoutie);
1358 #ifdef CONFIG_TDLS_TESTING
1359 		if (tdls_testing & TDLS_TESTING_LONG_FRAME)
1360 			buf_len += 170;
1361 #endif /* CONFIG_TDLS_TESTING */
1362 	}
1363 
1364 	rbuf = os_zalloc(buf_len + 1);
1365 	if (rbuf == NULL)
1366 		return -1;
1367 	pos = rbuf;
1368 
1369 	if (!wpa_tdls_get_privacy(sm))
1370 		goto skip_ies;
1371 
1372 	/* Peer RSN IE */
1373 	pos = wpa_add_ie(pos, peer->rsnie_p, peer->rsnie_p_len);
1374 
1375 	ftie = (struct wpa_tdls_ftie *) pos;
1376 	ftie->ie_type = WLAN_EID_FAST_BSS_TRANSITION;
1377 	/*TODO: ftie->mic_control to set 3-CONFIRM */
1378 	os_memcpy(ftie->Anonce, peer->rnonce, WPA_NONCE_LEN);
1379 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
1380 	ftie->ie_len = sizeof(struct wpa_tdls_ftie) - 2;
1381 
1382 	pos = (u8 *) (ftie + 1);
1383 
1384 #ifdef CONFIG_TDLS_TESTING
1385 	if (tdls_testing & TDLS_TESTING_LONG_FRAME) {
1386 		wpa_printf(MSG_DEBUG, "TDLS: Testing - add extra subelem to "
1387 			   "FTIE");
1388 		ftie->ie_len += 170;
1389 		*pos++ = 255; /* FTIE subelem */
1390 		*pos++ = 168; /* FTIE subelem length */
1391 		pos += 168;
1392 	}
1393 #endif /* CONFIG_TDLS_TESTING */
1394 
1395 	/* Lifetime */
1396 	lifetime = peer->lifetime;
1397 #ifdef CONFIG_TDLS_TESTING
1398 	if (tdls_testing & TDLS_TESTING_WRONG_LIFETIME_CONF) {
1399 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong TPK "
1400 			   "lifetime in confirm");
1401 		lifetime++;
1402 	}
1403 #endif /* CONFIG_TDLS_TESTING */
1404 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1405 				     sizeof(timeoutie), lifetime);
1406 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds",
1407 		   lifetime);
1408 
1409 	/* compute MIC before sending */
1410 	wpa_tdls_ftie_mic(peer->tpk.kck, 3, (u8 *) lnkid, peer->rsnie_p,
1411 			  (u8 *) &timeoutie, (u8 *) ftie, ftie->mic);
1412 #ifdef CONFIG_TDLS_TESTING
1413 	if (tdls_testing & TDLS_TESTING_WRONG_MIC) {
1414 		wpa_printf(MSG_DEBUG, "TDLS: Testing - use wrong MIC");
1415 		ftie->mic[0] ^= 0x01;
1416 	}
1417 #endif /* CONFIG_TDLS_TESTING */
1418 
1419 skip_ies:
1420 
1421 	if (peer->he_capabilities)
1422 		peer_capab |= TDLS_PEER_HE;
1423 	if (peer->vht_capabilities)
1424 		peer_capab |= TDLS_PEER_VHT;
1425 	if (peer->ht_capabilities)
1426 		peer_capab |= TDLS_PEER_HT;
1427 	if (peer->wmm_capable)
1428 		peer_capab |= TDLS_PEER_WMM;
1429 
1430 	status = wpa_tdls_tpk_send(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM,
1431 				   dtoken, 0, peer_capab, peer->initiator,
1432 				   rbuf, pos - rbuf);
1433 	os_free(rbuf);
1434 
1435 	return status;
1436 }
1437 
1438 
1439 static int wpa_tdls_send_discovery_response(struct wpa_sm *sm,
1440 					    struct wpa_tdls_peer *peer,
1441 					    u8 dialog_token)
1442 {
1443 	size_t buf_len = 0;
1444 	struct wpa_tdls_timeoutie timeoutie;
1445 	u16 rsn_capab;
1446 	u8 *rbuf, *pos, *count_pos;
1447 	u16 count;
1448 	struct rsn_ie_hdr *hdr;
1449 	int status;
1450 
1451 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Discovery Response "
1452 		   "(peer " MACSTR ")", MAC2STR(peer->addr));
1453 	if (!wpa_tdls_get_privacy(sm))
1454 		goto skip_rsn_ies;
1455 
1456 	/* Filling RSN IE */
1457 	hdr = (struct rsn_ie_hdr *) peer->rsnie_i;
1458 	hdr->elem_id = WLAN_EID_RSN;
1459 	WPA_PUT_LE16(hdr->version, RSN_VERSION);
1460 	pos = (u8 *) (hdr + 1);
1461 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
1462 	pos += RSN_SELECTOR_LEN;
1463 	count_pos = pos;
1464 	pos += 2;
1465 	count = 0;
1466 
1467 	/*
1468 	* AES-CCMP is the default encryption preferred for TDLS, so
1469 	* RSN IE is filled only with CCMP cipher suite.
1470 	* Note: TKIP is not used to encrypt TDLS link.
1471 	*
1472 	* Regardless of the cipher used on the AP connection, select CCMP
1473 	* here.
1474 	*/
1475 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1476 	pos += RSN_SELECTOR_LEN;
1477 	count++;
1478 	WPA_PUT_LE16(count_pos, count);
1479 	WPA_PUT_LE16(pos, 1);
1480 	pos += 2;
1481 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
1482 	pos += RSN_SELECTOR_LEN;
1483 
1484 	rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
1485 	rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
1486 	WPA_PUT_LE16(pos, rsn_capab);
1487 	pos += 2;
1488 	hdr->len = (pos - (u8 *) hdr) - 2;
1489 	peer->rsnie_i_len = pos - peer->rsnie_i;
1490 
1491 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for Discovery Response",
1492 		    (u8 *) hdr, hdr->len + 2);
1493 skip_rsn_ies:
1494 	buf_len = 0;
1495 	if (wpa_tdls_get_privacy(sm)) {
1496 		/* Peer RSN IE, Lifetime */
1497 		buf_len += peer->rsnie_i_len +
1498 			sizeof(struct wpa_tdls_timeoutie);
1499 	}
1500 	rbuf = os_zalloc(buf_len + 1);
1501 	if (rbuf == NULL) {
1502 		wpa_tdls_peer_free(sm, peer);
1503 		return -1;
1504 	}
1505 	pos = rbuf;
1506 
1507 	if (!wpa_tdls_get_privacy(sm))
1508 		goto skip_ies;
1509 	/* Initiator RSN IE */
1510 	pos = wpa_add_ie(pos, peer->rsnie_i, peer->rsnie_i_len);
1511 	/* Lifetime */
1512 	peer->lifetime = TPK_LIFETIME;
1513 	pos = wpa_add_tdls_timeoutie(pos, (u8 *) &timeoutie,
1514 				     sizeof(timeoutie), peer->lifetime);
1515 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", peer->lifetime);
1516 skip_ies:
1517 	status = wpa_tdls_tpk_send(sm, peer->addr, WLAN_TDLS_DISCOVERY_RESPONSE,
1518 				   dialog_token, 0, 0, 0, rbuf, pos - rbuf);
1519 	os_free(rbuf);
1520 
1521 	return status;
1522 }
1523 
1524 
1525 static int
1526 wpa_tdls_process_discovery_request(struct wpa_sm *sm, const u8 *addr,
1527 				   const u8 *buf, size_t len)
1528 {
1529 	struct wpa_eapol_ie_parse kde;
1530 	const struct wpa_tdls_lnkid *lnkid;
1531 	struct wpa_tdls_peer *peer;
1532 	size_t min_req_len = sizeof(struct wpa_tdls_frame) +
1533 		1 /* dialog token */ + sizeof(struct wpa_tdls_lnkid);
1534 	u8 dialog_token;
1535 
1536 	wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from " MACSTR,
1537 		   MAC2STR(addr));
1538 
1539 	if (len < min_req_len) {
1540 		wpa_printf(MSG_DEBUG, "TDLS Discovery Request is too short: "
1541 			   "%d", (int) len);
1542 		return -1;
1543 	}
1544 
1545 	dialog_token = buf[sizeof(struct wpa_tdls_frame)];
1546 
1547 	/*
1548 	 * Some APs will tack on a weird IE to the end of a TDLS
1549 	 * discovery request packet. This needn't fail the response,
1550 	 * since the required IE are verified separately.
1551 	 */
1552 	if (wpa_supplicant_parse_ies(buf + sizeof(struct wpa_tdls_frame) + 1,
1553 				     len - (sizeof(struct wpa_tdls_frame) + 1),
1554 				     &kde) < 0) {
1555 		wpa_printf(MSG_DEBUG,
1556 			   "TDLS: Failed to parse IEs in Discovery Request - ignore as an interop workaround");
1557 	}
1558 
1559 	if (!kde.lnkid) {
1560 		wpa_printf(MSG_DEBUG, "TDLS: Link ID not found in Discovery "
1561 			   "Request");
1562 		return -1;
1563 	}
1564 
1565 	lnkid = (const struct wpa_tdls_lnkid *) kde.lnkid;
1566 
1567 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1568 		wpa_printf(MSG_DEBUG, "TDLS: Discovery Request from different "
1569 			   " BSS " MACSTR, MAC2STR(lnkid->bssid));
1570 		return -1;
1571 	}
1572 
1573 	peer = wpa_tdls_add_peer(sm, addr, NULL);
1574 	if (peer == NULL)
1575 		return -1;
1576 
1577 	return wpa_tdls_send_discovery_response(sm, peer, dialog_token);
1578 }
1579 
1580 
1581 int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr)
1582 {
1583 	if (sm->tdls_disabled || !sm->tdls_supported)
1584 		return -1;
1585 
1586 	wpa_printf(MSG_DEBUG, "TDLS: Sending Discovery Request to peer "
1587 		   MACSTR, MAC2STR(addr));
1588 	return wpa_tdls_tpk_send(sm, addr, WLAN_TDLS_DISCOVERY_REQUEST,
1589 				 1, 0, 0, 1, NULL, 0);
1590 }
1591 
1592 
1593 static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
1594 			   struct wpa_tdls_peer *peer)
1595 {
1596 	if (!kde->supp_rates) {
1597 		wpa_printf(MSG_DEBUG, "TDLS: No supported rates received");
1598 		return -1;
1599 	}
1600 	peer->supp_rates_len = merge_byte_arrays(
1601 		peer->supp_rates, sizeof(peer->supp_rates),
1602 		kde->supp_rates + 2, kde->supp_rates_len - 2,
1603 		kde->ext_supp_rates ? kde->ext_supp_rates + 2 : NULL,
1604 		kde->ext_supp_rates ? kde->ext_supp_rates_len - 2 : 0);
1605 	return 0;
1606 }
1607 
1608 
1609 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
1610 			      struct wpa_tdls_peer *peer)
1611 {
1612 	if (!kde->ht_capabilities) {
1613 		wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
1614 			   "received");
1615 		return 0;
1616 	}
1617 
1618 	if (!peer->ht_capabilities) {
1619 		peer->ht_capabilities =
1620                         os_zalloc(sizeof(struct ieee80211_ht_capabilities));
1621 		if (peer->ht_capabilities == NULL)
1622                         return -1;
1623 	}
1624 
1625 	os_memcpy(peer->ht_capabilities, kde->ht_capabilities,
1626                   sizeof(struct ieee80211_ht_capabilities));
1627 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer HT capabilities",
1628 		    (u8 *) peer->ht_capabilities,
1629 		    sizeof(struct ieee80211_ht_capabilities));
1630 
1631 	return 0;
1632 }
1633 
1634 
1635 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
1636 			      struct wpa_tdls_peer *peer)
1637 {
1638 	if (!kde->vht_capabilities) {
1639 		wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
1640 			   "received");
1641 		return 0;
1642 	}
1643 
1644 	if (!peer->vht_capabilities) {
1645 		peer->vht_capabilities =
1646                         os_zalloc(sizeof(struct ieee80211_vht_capabilities));
1647 		if (peer->vht_capabilities == NULL)
1648                         return -1;
1649 	}
1650 
1651 	os_memcpy(peer->vht_capabilities, kde->vht_capabilities,
1652                   sizeof(struct ieee80211_vht_capabilities));
1653 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer VHT capabilities",
1654 		    (u8 *) peer->vht_capabilities,
1655 		    sizeof(struct ieee80211_vht_capabilities));
1656 
1657 	return 0;
1658 }
1659 
1660 
1661 static int copy_peer_he_capab(const struct wpa_eapol_ie_parse *kde,
1662 			      struct wpa_tdls_peer *peer)
1663 {
1664 	if (!kde->he_capabilities) {
1665 		wpa_printf(MSG_DEBUG, "TDLS: No HE capabilities received");
1666 		return 0;
1667 	}
1668 
1669 	os_free(peer->he_capabilities);
1670 	peer->he_capab_len = 0;
1671 	peer->he_capabilities = os_memdup(kde->he_capabilities,
1672 					  kde->he_capab_len);
1673 	if (!peer->he_capabilities)
1674 		return -1;
1675 
1676 	peer->he_capab_len = kde->he_capab_len;
1677 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer HE capabilities",
1678 		    peer->he_capabilities, peer->he_capab_len);
1679 
1680 	return 0;
1681 }
1682 
1683 
1684 static int copy_peer_ext_capab(const struct wpa_eapol_ie_parse *kde,
1685 			       struct wpa_tdls_peer *peer)
1686 {
1687 	if (!kde->ext_capab) {
1688 		wpa_printf(MSG_DEBUG, "TDLS: No extended capabilities "
1689 			   "received");
1690 		return 0;
1691 	}
1692 
1693 	if (!peer->ext_capab || peer->ext_capab_len < kde->ext_capab_len - 2) {
1694 		/* Need to allocate buffer to fit the new information */
1695 		os_free(peer->ext_capab);
1696 		peer->ext_capab = os_zalloc(kde->ext_capab_len - 2);
1697 		if (peer->ext_capab == NULL)
1698 			return -1;
1699 	}
1700 
1701 	peer->ext_capab_len = kde->ext_capab_len - 2;
1702 	os_memcpy(peer->ext_capab, kde->ext_capab + 2, peer->ext_capab_len);
1703 
1704 	return 0;
1705 }
1706 
1707 
1708 static int copy_peer_wmm_capab(const struct wpa_eapol_ie_parse *kde,
1709 			       struct wpa_tdls_peer *peer)
1710 {
1711 	struct wmm_information_element *wmm;
1712 
1713 	if (!kde->wmm) {
1714 		wpa_printf(MSG_DEBUG, "TDLS: No supported WMM capabilities received");
1715 		return 0;
1716 	}
1717 
1718 	if (kde->wmm_len < sizeof(struct wmm_information_element)) {
1719 		wpa_printf(MSG_DEBUG, "TDLS: Invalid supported WMM capabilities received");
1720 		return -1;
1721 	}
1722 
1723 	wmm = (struct wmm_information_element *) kde->wmm;
1724 	peer->qos_info = wmm->qos_info;
1725 
1726 	peer->wmm_capable = 1;
1727 
1728 	wpa_printf(MSG_DEBUG, "TDLS: Peer WMM QOS Info 0x%x", peer->qos_info);
1729 	return 0;
1730 }
1731 
1732 
1733 static int copy_peer_supp_channels(const struct wpa_eapol_ie_parse *kde,
1734 				   struct wpa_tdls_peer *peer)
1735 {
1736 	if (!kde->supp_channels) {
1737 		wpa_printf(MSG_DEBUG, "TDLS: No supported channels received");
1738 		return 0;
1739 	}
1740 
1741 	if (!peer->supp_channels ||
1742 	    peer->supp_channels_len < kde->supp_channels_len) {
1743 		os_free(peer->supp_channels);
1744 		peer->supp_channels = os_zalloc(kde->supp_channels_len);
1745 		if (peer->supp_channels == NULL)
1746 			return -1;
1747 	}
1748 
1749 	peer->supp_channels_len = kde->supp_channels_len;
1750 
1751 	os_memcpy(peer->supp_channels, kde->supp_channels,
1752 		  peer->supp_channels_len);
1753 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Channels",
1754 		    (u8 *) peer->supp_channels, peer->supp_channels_len);
1755 	return 0;
1756 }
1757 
1758 
1759 static int copy_peer_supp_oper_classes(const struct wpa_eapol_ie_parse *kde,
1760 				       struct wpa_tdls_peer *peer)
1761 {
1762 	if (!kde->supp_oper_classes) {
1763 		wpa_printf(MSG_DEBUG, "TDLS: No supported operating classes received");
1764 		return 0;
1765 	}
1766 
1767 	if (!peer->supp_oper_classes ||
1768 	    peer->supp_oper_classes_len < kde->supp_oper_classes_len) {
1769 		os_free(peer->supp_oper_classes);
1770 		peer->supp_oper_classes = os_zalloc(kde->supp_oper_classes_len);
1771 		if (peer->supp_oper_classes == NULL)
1772 			return -1;
1773 	}
1774 
1775 	peer->supp_oper_classes_len = kde->supp_oper_classes_len;
1776 	os_memcpy(peer->supp_oper_classes, kde->supp_oper_classes,
1777 		  peer->supp_oper_classes_len);
1778 	wpa_hexdump(MSG_DEBUG, "TDLS: Peer Supported Operating Classes",
1779 		    (u8 *) peer->supp_oper_classes,
1780 		    peer->supp_oper_classes_len);
1781 	return 0;
1782 }
1783 
1784 
1785 static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
1786 				int add)
1787 {
1788 	return wpa_sm_tdls_peer_addset(sm, peer->addr, add, peer->aid,
1789 				       peer->capability,
1790 				       peer->supp_rates, peer->supp_rates_len,
1791 				       peer->ht_capabilities,
1792 				       peer->vht_capabilities,
1793 				       peer->he_capabilities,
1794 				       peer->he_capab_len,
1795 				       peer->qos_info, peer->wmm_capable,
1796 				       peer->ext_capab, peer->ext_capab_len,
1797 				       peer->supp_channels,
1798 				       peer->supp_channels_len,
1799 				       peer->supp_oper_classes,
1800 				       peer->supp_oper_classes_len);
1801 }
1802 
1803 
1804 static int tdls_nonce_set(const u8 *nonce)
1805 {
1806 	int i;
1807 
1808 	for (i = 0; i < WPA_NONCE_LEN; i++) {
1809 		if (nonce[i])
1810 			return 1;
1811 	}
1812 
1813 	return 0;
1814 }
1815 
1816 
1817 static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
1818 				   const u8 *buf, size_t len)
1819 {
1820 	struct wpa_tdls_peer *peer;
1821 	struct wpa_eapol_ie_parse kde;
1822 	struct wpa_ie_data ie;
1823 	int cipher;
1824 	const u8 *cpos;
1825 	struct wpa_tdls_ftie *ftie = NULL;
1826 	struct wpa_tdls_timeoutie *timeoutie;
1827 	struct wpa_tdls_lnkid *lnkid;
1828 	u32 lifetime = 0;
1829 #if 0
1830 	struct rsn_ie_hdr *hdr;
1831 	u8 *pos;
1832 	u16 rsn_capab;
1833 	u16 rsn_ver;
1834 #endif
1835 	u8 dtoken;
1836 	u16 ielen;
1837 	u16 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1838 	int tdls_prohibited = sm->tdls_prohibited;
1839 	int existing_peer = 0;
1840 
1841 	if (len < 3 + 3)
1842 		return -1;
1843 
1844 	cpos = buf;
1845 	cpos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
1846 
1847 	/* driver had already verified the frame format */
1848 	dtoken = *cpos++; /* dialog token */
1849 
1850 	wpa_printf(MSG_INFO, "TDLS: Dialog Token in TPK M1 %d", dtoken);
1851 
1852 	peer = wpa_tdls_add_peer(sm, src_addr, &existing_peer);
1853 	if (peer == NULL)
1854 		goto error;
1855 
1856 	/* If found, use existing entry instead of adding a new one;
1857 	 * how to handle the case where both ends initiate at the
1858 	 * same time? */
1859 	if (existing_peer) {
1860 		if (peer->tpk_success) {
1861 			wpa_printf(MSG_DEBUG, "TDLS: TDLS Setup Request while "
1862 				   "direct link is enabled - tear down the "
1863 				   "old link first");
1864 			wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
1865 			wpa_tdls_peer_clear(sm, peer);
1866 		} else if (peer->initiator) {
1867 			/*
1868 			 * An entry is already present, so check if we already
1869 			 * sent a TDLS Setup Request. If so, compare MAC
1870 			 * addresses and let the STA with the lower MAC address
1871 			 * continue as the initiator. The other negotiation is
1872 			 * terminated.
1873 			 */
1874 			if (os_memcmp(sm->own_addr, src_addr, ETH_ALEN) < 0) {
1875 				wpa_printf(MSG_DEBUG, "TDLS: Discard request "
1876 					   "from peer with higher address "
1877 					   MACSTR, MAC2STR(src_addr));
1878 				return -1;
1879 			} else {
1880 				wpa_printf(MSG_DEBUG, "TDLS: Accept request "
1881 					   "from peer with lower address "
1882 					   MACSTR " (terminate previously "
1883 					   "initiated negotiation",
1884 					   MAC2STR(src_addr));
1885 				wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK,
1886 						 peer->addr);
1887 				wpa_tdls_peer_clear(sm, peer);
1888 			}
1889 		}
1890 	}
1891 
1892 	/* capability information */
1893 	peer->capability = WPA_GET_LE16(cpos);
1894 	cpos += 2;
1895 
1896 	ielen = len - (cpos - buf); /* start of IE in buf */
1897 
1898 	/*
1899 	 * Don't reject the message if failing to parse IEs. The IEs we need are
1900 	 * explicitly checked below. Some APs may add arbitrary padding to the
1901 	 * end of short TDLS frames and that would look like invalid IEs.
1902 	 */
1903 	if (wpa_supplicant_parse_ies(cpos, ielen, &kde) < 0)
1904 		wpa_printf(MSG_DEBUG,
1905 			   "TDLS: Failed to parse IEs in TPK M1 - ignore as an interop workaround");
1906 
1907 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
1908 		wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
1909 			   "TPK M1");
1910 		goto error;
1911 	}
1912 	wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M1",
1913 		    kde.lnkid, kde.lnkid_len);
1914 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
1915 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
1916 		wpa_printf(MSG_INFO, "TDLS: TPK M1 from diff BSS");
1917 		status = WLAN_STATUS_REQUEST_DECLINED;
1918 		goto error;
1919 	}
1920 
1921 	wpa_printf(MSG_DEBUG, "TDLS: TPK M1 - TPK initiator " MACSTR,
1922 		   MAC2STR(src_addr));
1923 
1924 	if (copy_supp_rates(&kde, peer) < 0)
1925 		goto error;
1926 
1927 	if (copy_peer_ht_capab(&kde, peer) < 0)
1928 		goto error;
1929 
1930 	if (copy_peer_vht_capab(&kde, peer) < 0 ||
1931 	    copy_peer_he_capab(&kde, peer) < 0)
1932 		goto error;
1933 
1934 	if (copy_peer_ext_capab(&kde, peer) < 0)
1935 		goto error;
1936 
1937 	if (copy_peer_supp_channels(&kde, peer) < 0)
1938 		goto error;
1939 
1940 	if (copy_peer_supp_oper_classes(&kde, peer) < 0)
1941 		goto error;
1942 
1943 	peer->qos_info = kde.qosinfo;
1944 
1945 	/* Overwrite with the qos_info obtained in WMM IE */
1946 	if (copy_peer_wmm_capab(&kde, peer) < 0)
1947 		goto error;
1948 
1949 	peer->aid = kde.aid;
1950 
1951 #ifdef CONFIG_TDLS_TESTING
1952 	if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
1953 		peer = wpa_tdls_add_peer(sm, src_addr, NULL);
1954 		if (peer == NULL)
1955 			goto error;
1956 		wpa_printf(MSG_DEBUG, "TDLS: Testing concurrent initiation of "
1957 			   "TDLS setup - send own request");
1958 		peer->initiator = 1;
1959 		wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
1960 					NULL, NULL, 0, 0, 0, NULL, 0, NULL, 0,
1961 					NULL, 0);
1962 		if (wpa_tdls_send_tpk_m1(sm, peer) == -2) {
1963 			peer = NULL;
1964 			goto error;
1965 		}
1966 	}
1967 
1968 	if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
1969 	    tdls_prohibited) {
1970 		wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
1971 			   "on TDLS");
1972 		tdls_prohibited = 0;
1973 	}
1974 #endif /* CONFIG_TDLS_TESTING */
1975 
1976 	if (tdls_prohibited) {
1977 		wpa_printf(MSG_INFO, "TDLS: TDLS prohibited in this BSS");
1978 		status = WLAN_STATUS_REQUEST_DECLINED;
1979 		goto error;
1980 	}
1981 
1982 	if (!wpa_tdls_get_privacy(sm)) {
1983 		if (kde.rsn_ie) {
1984 			wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M1 while "
1985 				   "security is disabled");
1986 			status = WLAN_STATUS_SECURITY_DISABLED;
1987 			goto error;
1988 		}
1989 		goto skip_rsn;
1990 	}
1991 
1992 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
1993 	    kde.rsn_ie == NULL) {
1994 		wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
1995 		status = WLAN_STATUS_INVALID_PARAMETERS;
1996 		goto error;
1997 	}
1998 
1999 	if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2000 		wpa_printf(MSG_INFO, "TDLS: Too long Initiator RSN IE in "
2001 			   "TPK M1");
2002 		status = WLAN_STATUS_INVALID_RSNIE;
2003 		goto error;
2004 	}
2005 
2006 	if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2007 		wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M1");
2008 		status = WLAN_STATUS_INVALID_RSNIE;
2009 		goto error;
2010 	}
2011 
2012 	cipher = ie.pairwise_cipher;
2013 	if (cipher & WPA_CIPHER_CCMP) {
2014 		wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2015 		cipher = WPA_CIPHER_CCMP;
2016 	} else {
2017 		wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M1");
2018 		status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2019 		goto error;
2020 	}
2021 
2022 	if ((ie.capabilities &
2023 	     (WPA_CAPABILITY_NO_PAIRWISE | WPA_CAPABILITY_PEERKEY_ENABLED)) !=
2024 	    WPA_CAPABILITY_PEERKEY_ENABLED) {
2025 		wpa_printf(MSG_INFO, "TDLS: Invalid RSN Capabilities in "
2026 			   "TPK M1");
2027 		status = WLAN_STATUS_INVALID_RSN_IE_CAPAB;
2028 		goto error;
2029 	}
2030 
2031 	/* Lifetime */
2032 	if (kde.key_lifetime == NULL) {
2033 		wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M1");
2034 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2035 		goto error;
2036 	}
2037 	timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2038 	lifetime = WPA_GET_LE32(timeoutie->value);
2039 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds", lifetime);
2040 	if (lifetime < 300) {
2041 		wpa_printf(MSG_INFO, "TDLS: Too short TPK lifetime");
2042 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2043 		goto error;
2044 	}
2045 
2046 skip_rsn:
2047 #ifdef CONFIG_TDLS_TESTING
2048 	if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT) {
2049 		if (os_memcmp(sm->own_addr, peer->addr, ETH_ALEN) < 0) {
2050 			/*
2051 			 * The request frame from us is going to win, so do not
2052 			 * replace information based on this request frame from
2053 			 * the peer.
2054 			 */
2055 			goto skip_rsn_check;
2056 		}
2057 	}
2058 #endif /* CONFIG_TDLS_TESTING */
2059 
2060 	peer->initiator = 0; /* Need to check */
2061 	peer->dtoken = dtoken;
2062 
2063 	if (!wpa_tdls_get_privacy(sm)) {
2064 		peer->rsnie_i_len = 0;
2065 		peer->rsnie_p_len = 0;
2066 		peer->cipher = WPA_CIPHER_NONE;
2067 		goto skip_rsn_check;
2068 	}
2069 
2070 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
2071 	os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2072 	peer->rsnie_i_len = kde.rsn_ie_len;
2073 	peer->cipher = cipher;
2074 
2075 	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
2076 	    !tdls_nonce_set(peer->inonce)) {
2077 		/*
2078 		 * There is no point in updating the RNonce for every obtained
2079 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
2080 		 * same INonce (SNonce in FTIE). However, if the TPK M1 is
2081 		 * retransmitted with a different INonce, update the RNonce
2082 		 * since this is for a new TDLS session.
2083 		 */
2084 		wpa_printf(MSG_DEBUG,
2085 			   "TDLS: New TPK M1 INonce - generate new RNonce");
2086 		os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
2087 		if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
2088 			wpa_msg(sm->ctx->ctx, MSG_WARNING,
2089 				"TDLS: Failed to get random data for responder nonce");
2090 			goto error;
2091 		}
2092 		peer->tk_set = 0; /* A new nonce results in a new TK */
2093 	}
2094 
2095 #if 0
2096 	/* get version info from RSNIE received from Peer */
2097 	hdr = (struct rsn_ie_hdr *) kde.rsn_ie;
2098 	rsn_ver = WPA_GET_LE16(hdr->version);
2099 
2100 	/* use min(peer's version, out version) */
2101 	if (rsn_ver > RSN_VERSION)
2102 		rsn_ver = RSN_VERSION;
2103 
2104 	hdr = (struct rsn_ie_hdr *) peer->rsnie_p;
2105 
2106 	hdr->elem_id = WLAN_EID_RSN;
2107 	WPA_PUT_LE16(hdr->version, rsn_ver);
2108 	pos = (u8 *) (hdr + 1);
2109 
2110 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
2111 	pos += RSN_SELECTOR_LEN;
2112 	/* Include only the selected cipher in pairwise cipher suite */
2113 	WPA_PUT_LE16(pos, 1);
2114 	pos += 2;
2115 	if (cipher == WPA_CIPHER_CCMP)
2116 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2117 	pos += RSN_SELECTOR_LEN;
2118 
2119 	WPA_PUT_LE16(pos, 1);
2120 	pos += 2;
2121 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_TPK_HANDSHAKE);
2122 	pos += RSN_SELECTOR_LEN;
2123 
2124 	rsn_capab = WPA_CAPABILITY_PEERKEY_ENABLED;
2125 	rsn_capab |= RSN_NUM_REPLAY_COUNTERS_16 << 2;
2126 	WPA_PUT_LE16(pos, rsn_capab);
2127 	pos += 2;
2128 
2129 	hdr->len = (pos - peer->rsnie_p) - 2;
2130 	peer->rsnie_p_len = pos - peer->rsnie_p;
2131 #endif
2132 
2133 	/* temp fix: validation of RSNIE later */
2134 	os_memcpy(peer->rsnie_p, peer->rsnie_i, peer->rsnie_i_len);
2135 	peer->rsnie_p_len = peer->rsnie_i_len;
2136 
2137 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE for TPK handshake",
2138 		    peer->rsnie_p, peer->rsnie_p_len);
2139 
2140 	peer->lifetime = lifetime;
2141 
2142 	wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2143 
2144 skip_rsn_check:
2145 #ifdef CONFIG_TDLS_TESTING
2146 	if (tdls_testing & TDLS_TESTING_CONCURRENT_INIT)
2147 		goto skip_add_peer;
2148 #endif /* CONFIG_TDLS_TESTING */
2149 
2150 	/* add supported rates, capabilities, and qos_info to the TDLS peer */
2151 	if (wpa_tdls_addset_peer(sm, peer, 1) < 0)
2152 		goto error;
2153 
2154 #ifdef CONFIG_TDLS_TESTING
2155 skip_add_peer:
2156 #endif /* CONFIG_TDLS_TESTING */
2157 	peer->tpk_in_progress = 1;
2158 
2159 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Response / TPK M2");
2160 	if (wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer) < 0) {
2161 		wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2162 		goto error;
2163 	}
2164 
2165 #ifdef CONFIG_TDLS_TESTING
2166 	if (tdls_testing & TDLS_TESTING_DOUBLE_TPK_M2) {
2167 		wpa_printf(MSG_INFO, "TDLS: Testing - Send another TPK M2");
2168 		wpa_tdls_send_tpk_m2(sm, src_addr, dtoken, lnkid, peer);
2169 	}
2170 #endif /* CONFIG_TDLS_TESTING */
2171 
2172 	return 0;
2173 
2174 error:
2175 	wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, 0,
2176 			    status);
2177 	if (peer)
2178 		wpa_tdls_peer_free(sm, peer);
2179 	return -1;
2180 }
2181 
2182 
2183 static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
2184 {
2185 	peer->tpk_success = 1;
2186 	peer->tpk_in_progress = 0;
2187 	eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2188 	if (wpa_tdls_get_privacy(sm)) {
2189 		u32 lifetime = peer->lifetime;
2190 		/*
2191 		 * Start the initiator process a bit earlier to avoid race
2192 		 * condition with the responder sending teardown request.
2193 		 */
2194 		if (lifetime > 3 && peer->initiator)
2195 			lifetime -= 3;
2196 		eloop_register_timeout(lifetime, 0, wpa_tdls_tpk_timeout,
2197 				       sm, peer);
2198 #ifdef CONFIG_TDLS_TESTING
2199 		if (tdls_testing & TDLS_TESTING_NO_TPK_EXPIRATION) {
2200 			wpa_printf(MSG_DEBUG,
2201 				   "TDLS: Testing - disable TPK expiration");
2202 			eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
2203 		}
2204 #endif /* CONFIG_TDLS_TESTING */
2205 	}
2206 
2207 	if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {
2208 		wpa_printf(MSG_INFO, "TDLS: Could not configure key to the "
2209 			   "driver");
2210 		return -1;
2211 	}
2212 	peer->reconfig_key = 0;
2213 
2214 	return wpa_sm_tdls_oper(sm, TDLS_ENABLE_LINK, peer->addr);
2215 }
2216 
2217 
2218 static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
2219 				   const u8 *buf, size_t len)
2220 {
2221 	struct wpa_tdls_peer *peer;
2222 	struct wpa_eapol_ie_parse kde;
2223 	struct wpa_ie_data ie;
2224 	int cipher;
2225 	struct wpa_tdls_ftie *ftie;
2226 	struct wpa_tdls_timeoutie *timeoutie;
2227 	struct wpa_tdls_lnkid *lnkid;
2228 	u32 lifetime;
2229 	u8 dtoken;
2230 	int ielen;
2231 	u16 status;
2232 	const u8 *pos;
2233 	int ret = 0;
2234 
2235 	wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Response / TPK M2 "
2236 		   "(Peer " MACSTR ")", MAC2STR(src_addr));
2237 	for (peer = sm->tdls; peer; peer = peer->next) {
2238 		if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2239 			break;
2240 	}
2241 	if (peer == NULL) {
2242 		wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2243 			   "TPK M2: " MACSTR, MAC2STR(src_addr));
2244 		return -1;
2245 	}
2246 	if (!peer->initiator) {
2247 		/*
2248 		 * This may happen if both devices try to initiate TDLS at the
2249 		 * same time and we accept the TPK M1 from the peer in
2250 		 * wpa_tdls_process_tpk_m1() and clear our previous state.
2251 		 */
2252 		wpa_printf(MSG_INFO, "TDLS: We were not the initiator, so "
2253 			   "ignore TPK M2 from " MACSTR, MAC2STR(src_addr));
2254 		return -1;
2255 	}
2256 
2257 	if (peer->tpk_success) {
2258 		wpa_printf(MSG_INFO, "TDLS: Ignore incoming TPK M2 retry, from "
2259 			   MACSTR " as TPK M3 was already sent",
2260 			   MAC2STR(src_addr));
2261 		return 0;
2262 	}
2263 
2264 	wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_REQUEST);
2265 
2266 	if (len < 3 + 2 + 1) {
2267 		wpa_tdls_disable_peer_link(sm, peer);
2268 		return -1;
2269 	}
2270 
2271 	pos = buf;
2272 	pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2273 	status = WPA_GET_LE16(pos);
2274 	pos += 2 /* status code */;
2275 
2276 	if (status != WLAN_STATUS_SUCCESS) {
2277 		wpa_printf(MSG_INFO, "TDLS: Status code in TPK M2: %u",
2278 			   status);
2279 		wpa_tdls_disable_peer_link(sm, peer);
2280 		return -1;
2281 	}
2282 
2283 	status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2284 
2285 	/* TODO: need to verify dialog token matches here or in kernel */
2286 	dtoken = *pos++; /* dialog token */
2287 
2288 	wpa_printf(MSG_DEBUG, "TDLS: Dialog Token in TPK M2 %d", dtoken);
2289 
2290 	if (len < 3 + 2 + 1 + 2) {
2291 		wpa_tdls_disable_peer_link(sm, peer);
2292 		return -1;
2293 	}
2294 
2295 	/* capability information */
2296 	peer->capability = WPA_GET_LE16(pos);
2297 	pos += 2;
2298 
2299 	ielen = len - (pos - buf); /* start of IE in buf */
2300 
2301 	/*
2302 	 * Don't reject the message if failing to parse IEs. The IEs we need are
2303 	 * explicitly checked below. Some APs may add arbitrary padding to the
2304 	 * end of short TDLS frames and that would look like invalid IEs.
2305 	 */
2306 	if (wpa_supplicant_parse_ies(pos, ielen, &kde) < 0)
2307 		wpa_printf(MSG_DEBUG,
2308 			   "TDLS: Failed to parse IEs in TPK M2 - ignore as an interop workaround");
2309 
2310 #ifdef CONFIG_TDLS_TESTING
2311 	if (tdls_testing & TDLS_TESTING_DECLINE_RESP) {
2312 		wpa_printf(MSG_DEBUG, "TDLS: Testing - decline response");
2313 		status = WLAN_STATUS_REQUEST_DECLINED;
2314 		goto error;
2315 	}
2316 #endif /* CONFIG_TDLS_TESTING */
2317 
2318 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2319 		wpa_printf(MSG_INFO, "TDLS: No valid Link Identifier IE in "
2320 			   "TPK M2");
2321 		goto error;
2322 	}
2323 	wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M2",
2324 		    kde.lnkid, kde.lnkid_len);
2325 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2326 
2327 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2328 		wpa_printf(MSG_INFO, "TDLS: TPK M2 from different BSS");
2329 		status = WLAN_STATUS_NOT_IN_SAME_BSS;
2330 		goto error;
2331 	}
2332 
2333 	if (copy_supp_rates(&kde, peer) < 0)
2334 		goto error;
2335 
2336 	if (copy_peer_ht_capab(&kde, peer) < 0)
2337 		goto error;
2338 
2339 	if (copy_peer_vht_capab(&kde, peer) < 0 ||
2340 	    copy_peer_he_capab(&kde, peer) < 0)
2341 		goto error;
2342 
2343 	if (copy_peer_ext_capab(&kde, peer) < 0)
2344 		goto error;
2345 
2346 	if (copy_peer_supp_channels(&kde, peer) < 0)
2347 		goto error;
2348 
2349 	if (copy_peer_supp_oper_classes(&kde, peer) < 0)
2350 		goto error;
2351 
2352 	peer->qos_info = kde.qosinfo;
2353 
2354 	/* Overwrite with the qos_info obtained in WMM IE */
2355 	if (copy_peer_wmm_capab(&kde, peer) < 0)
2356 		goto error;
2357 
2358 	peer->aid = kde.aid;
2359 
2360 	if (!wpa_tdls_get_privacy(sm)) {
2361 		peer->rsnie_p_len = 0;
2362 		peer->cipher = WPA_CIPHER_NONE;
2363 		goto skip_rsn;
2364 	}
2365 
2366 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
2367 	    kde.rsn_ie == NULL) {
2368 		wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
2369 		status = WLAN_STATUS_INVALID_PARAMETERS;
2370 		goto error;
2371 	}
2372 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2373 		    kde.rsn_ie, kde.rsn_ie_len);
2374 
2375 	if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
2376 		wpa_printf(MSG_INFO,
2377 			   "TDLS: Too long Responder RSN IE in TPK M2");
2378 		status = WLAN_STATUS_INVALID_RSNIE;
2379 		goto error;
2380 	}
2381 
2382 	/*
2383 	 * FIX: bitwise comparison of RSN IE is not the correct way of
2384 	 * validation this. It can be different, but certain fields must
2385 	 * match. Since we list only a single pairwise cipher in TPK M1, the
2386 	 * memcmp is likely to work in most cases, though.
2387 	 */
2388 	if (kde.rsn_ie_len != peer->rsnie_i_len ||
2389 	    os_memcmp(peer->rsnie_i, kde.rsn_ie, peer->rsnie_i_len) != 0) {
2390 		wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M2 does "
2391 			   "not match with RSN IE used in TPK M1");
2392 		wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Sent in TPK M1",
2393 			    peer->rsnie_i, peer->rsnie_i_len);
2394 		wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
2395 			    kde.rsn_ie, kde.rsn_ie_len);
2396 		status = WLAN_STATUS_INVALID_RSNIE;
2397 		goto error;
2398 	}
2399 
2400 	if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2401 		wpa_printf(MSG_INFO, "TDLS: Failed to parse RSN IE in TPK M2");
2402 		status = WLAN_STATUS_INVALID_RSNIE;
2403 		goto error;
2404 	}
2405 
2406 	cipher = ie.pairwise_cipher;
2407 	if (cipher == WPA_CIPHER_CCMP) {
2408 		wpa_printf(MSG_DEBUG, "TDLS: Using CCMP for direct link");
2409 		cipher = WPA_CIPHER_CCMP;
2410 	} else {
2411 		wpa_printf(MSG_INFO, "TDLS: No acceptable cipher in TPK M2");
2412 		status = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
2413 		goto error;
2414 	}
2415 
2416 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M2",
2417 		    kde.ftie, sizeof(*ftie));
2418 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
2419 
2420 	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2421 		wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M2 does "
2422 			   "not match with FTIE SNonce used in TPK M1");
2423 		/* Silently discard the frame */
2424 		return -1;
2425 	}
2426 
2427 	/* Responder Nonce and RSN IE */
2428 	os_memcpy(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN);
2429 	os_memcpy(peer->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2430 	peer->rsnie_p_len = kde.rsn_ie_len;
2431 	peer->cipher = cipher;
2432 
2433 	/* Lifetime */
2434 	if (kde.key_lifetime == NULL) {
2435 		wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M2");
2436 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2437 		goto error;
2438 	}
2439 	timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2440 	lifetime = WPA_GET_LE32(timeoutie->value);
2441 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M2",
2442 		   lifetime);
2443 	if (lifetime != peer->lifetime) {
2444 		wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2445 			   "TPK M2 (expected %u)", lifetime, peer->lifetime);
2446 		status = WLAN_STATUS_UNACCEPTABLE_LIFETIME;
2447 		goto error;
2448 	}
2449 
2450 	wpa_tdls_generate_tpk(peer, sm->own_addr, sm->bssid);
2451 
2452 	/* Process MIC check to see if TPK M2 is right */
2453 	if (wpa_supplicant_verify_tdls_mic(2, peer, (u8 *) lnkid,
2454 					   (u8 *) timeoutie, ftie) < 0) {
2455 		/* Discard the frame */
2456 		wpa_tdls_del_key(sm, peer);
2457 		wpa_tdls_disable_peer_link(sm, peer);
2458 		return -1;
2459 	}
2460 
2461 	if (wpa_tdls_set_key(sm, peer) < 0) {
2462 		/*
2463 		 * Some drivers may not be able to config the key prior to full
2464 		 * STA entry having been configured.
2465 		 */
2466 		wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2467 			   "STA entry is complete");
2468 		peer->reconfig_key = 1;
2469 	}
2470 
2471 skip_rsn:
2472 	peer->dtoken = dtoken;
2473 
2474 	/* add supported rates, capabilities, and qos_info to the TDLS peer */
2475 	if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2476 		goto error;
2477 
2478 	wpa_printf(MSG_DEBUG, "TDLS: Sending TDLS Setup Confirm / "
2479 		   "TPK Handshake Message 3");
2480 	if (wpa_tdls_send_tpk_m3(sm, src_addr, dtoken, lnkid, peer) < 0)
2481 		goto error_no_msg;
2482 
2483 	if (!peer->tpk_success) {
2484 		/*
2485 		 * Enable Link only when tpk_success is 0, signifying that this
2486 		 * processing of TPK M2 frame is not because of a retransmission
2487 		 * during TDLS setup handshake.
2488 		 */
2489 		ret = wpa_tdls_enable_link(sm, peer);
2490 		if (ret < 0) {
2491 			wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2492 			wpa_tdls_do_teardown(
2493 				sm, peer,
2494 				WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2495 		}
2496 	}
2497 	return ret;
2498 
2499 error:
2500 	wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_CONFIRM, dtoken, 1,
2501 			    status);
2502 error_no_msg:
2503 	wpa_tdls_disable_peer_link(sm, peer);
2504 	return -1;
2505 }
2506 
2507 
2508 static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
2509 				   const u8 *buf, size_t len)
2510 {
2511 	struct wpa_tdls_peer *peer;
2512 	struct wpa_eapol_ie_parse kde;
2513 	struct wpa_tdls_ftie *ftie;
2514 	struct wpa_tdls_timeoutie *timeoutie;
2515 	struct wpa_tdls_lnkid *lnkid;
2516 	int ielen;
2517 	u16 status;
2518 	const u8 *pos;
2519 	u32 lifetime;
2520 	int ret = 0;
2521 
2522 	wpa_printf(MSG_DEBUG, "TDLS: Received TDLS Setup Confirm / TPK M3 "
2523 		   "(Peer " MACSTR ")", MAC2STR(src_addr));
2524 	for (peer = sm->tdls; peer; peer = peer->next) {
2525 		if (os_memcmp(peer->addr, src_addr, ETH_ALEN) == 0)
2526 			break;
2527 	}
2528 	if (peer == NULL) {
2529 		wpa_printf(MSG_INFO, "TDLS: No matching peer found for "
2530 			   "TPK M3: " MACSTR, MAC2STR(src_addr));
2531 		return -1;
2532 	}
2533 	wpa_tdls_tpk_retry_timeout_cancel(sm, peer, WLAN_TDLS_SETUP_RESPONSE);
2534 
2535 	if (len < 3 + 3)
2536 		goto error;
2537 	pos = buf;
2538 	pos += 1 /* pkt_type */ + 1 /* Category */ + 1 /* Action */;
2539 
2540 	status = WPA_GET_LE16(pos);
2541 
2542 	if (status != 0) {
2543 		wpa_printf(MSG_INFO, "TDLS: Status code in TPK M3: %u",
2544 			   status);
2545 		goto error;
2546 	}
2547 	pos += 2 /* status code */ + 1 /* dialog token */;
2548 
2549 	ielen = len - (pos - buf); /* start of IE in buf */
2550 
2551 	/*
2552 	 * Don't reject the message if failing to parse IEs. The IEs we need are
2553 	 * explicitly checked below. Some APs piggy-back broken IEs to the end
2554 	 * of a TDLS Confirm packet, which will fail the link if we don't ignore
2555 	 * this error.
2556 	 */
2557 	if (wpa_supplicant_parse_ies((const u8 *) pos, ielen, &kde) < 0) {
2558 		wpa_printf(MSG_DEBUG,
2559 			   "TDLS: Failed to parse KDEs in TPK M3 - ignore as an interop workaround");
2560 	}
2561 
2562 	if (kde.lnkid == NULL || kde.lnkid_len < 3 * ETH_ALEN) {
2563 		wpa_printf(MSG_INFO, "TDLS: No Link Identifier IE in TPK M3");
2564 		goto error;
2565 	}
2566 	wpa_hexdump(MSG_DEBUG, "TDLS: Link ID Received from TPK M3",
2567 		    (u8 *) kde.lnkid, kde.lnkid_len);
2568 	lnkid = (struct wpa_tdls_lnkid *) kde.lnkid;
2569 
2570 	if (os_memcmp(sm->bssid, lnkid->bssid, ETH_ALEN) != 0) {
2571 		wpa_printf(MSG_INFO, "TDLS: TPK M3 from diff BSS");
2572 		goto error;
2573 	}
2574 
2575 	if (!wpa_tdls_get_privacy(sm))
2576 		goto skip_rsn;
2577 
2578 	if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
2579 		wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
2580 		goto error;
2581 	}
2582 	wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
2583 		    kde.ftie, sizeof(*ftie));
2584 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
2585 
2586 	if (kde.rsn_ie == NULL) {
2587 		wpa_printf(MSG_INFO, "TDLS: No RSN IE in TPK M3");
2588 		goto error;
2589 	}
2590 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M3",
2591 		    kde.rsn_ie, kde.rsn_ie_len);
2592 	if (kde.rsn_ie_len != peer->rsnie_p_len ||
2593 	    os_memcmp(kde.rsn_ie, peer->rsnie_p, peer->rsnie_p_len) != 0) {
2594 		wpa_printf(MSG_INFO, "TDLS: RSN IE in TPK M3 does not match "
2595 			   "with the one sent in TPK M2");
2596 		goto error;
2597 	}
2598 
2599 	if (os_memcmp(peer->rnonce, ftie->Anonce, WPA_NONCE_LEN) != 0) {
2600 		wpa_printf(MSG_INFO, "TDLS: FTIE ANonce in TPK M3 does "
2601 			   "not match with FTIE ANonce used in TPK M2");
2602 		goto error;
2603 	}
2604 
2605 	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
2606 		wpa_printf(MSG_INFO, "TDLS: FTIE SNonce in TPK M3 does not "
2607 			   "match with FTIE SNonce used in TPK M1");
2608 		goto error;
2609 	}
2610 
2611 	if (kde.key_lifetime == NULL) {
2612 		wpa_printf(MSG_INFO, "TDLS: No Key Lifetime IE in TPK M3");
2613 		goto error;
2614 	}
2615 	timeoutie = (struct wpa_tdls_timeoutie *) kde.key_lifetime;
2616 	wpa_hexdump(MSG_DEBUG, "TDLS: Timeout IE Received from TPK M3",
2617 		    (u8 *) timeoutie, sizeof(*timeoutie));
2618 	lifetime = WPA_GET_LE32(timeoutie->value);
2619 	wpa_printf(MSG_DEBUG, "TDLS: TPK lifetime %u seconds in TPK M3",
2620 		   lifetime);
2621 	if (lifetime != peer->lifetime) {
2622 		wpa_printf(MSG_INFO, "TDLS: Unexpected TPK lifetime %u in "
2623 			   "TPK M3 (expected %u)", lifetime, peer->lifetime);
2624 		goto error;
2625 	}
2626 
2627 	if (wpa_supplicant_verify_tdls_mic(3, peer, (u8 *) lnkid,
2628 					   (u8 *) timeoutie, ftie) < 0) {
2629 		wpa_tdls_del_key(sm, peer);
2630 		goto error;
2631 	}
2632 
2633 	if (wpa_tdls_set_key(sm, peer) < 0) {
2634 		/*
2635 		 * Some drivers may not be able to config the key prior to full
2636 		 * STA entry having been configured.
2637 		 */
2638 		wpa_printf(MSG_DEBUG, "TDLS: Try to configure TPK again after "
2639 			   "STA entry is complete");
2640 		peer->reconfig_key = 1;
2641 	}
2642 
2643 skip_rsn:
2644 	/* add supported rates, capabilities, and qos_info to the TDLS peer */
2645 	if (wpa_tdls_addset_peer(sm, peer, 0) < 0)
2646 		goto error;
2647 
2648 	if (!peer->tpk_success) {
2649 		/*
2650 		 * Enable Link only when tpk_success is 0, signifying that this
2651 		 * processing of TPK M3 frame is not because of a retransmission
2652 		 * during TDLS setup handshake.
2653 		 */
2654 		ret = wpa_tdls_enable_link(sm, peer);
2655 		if (ret < 0) {
2656 			wpa_printf(MSG_DEBUG, "TDLS: Could not enable link");
2657 			goto error;
2658 		}
2659 	}
2660 	return ret;
2661 error:
2662 	wpa_tdls_do_teardown(sm, peer, WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2663 	return -1;
2664 }
2665 
2666 
2667 static u8 * wpa_add_tdls_timeoutie(u8 *pos, u8 *ie, size_t ie_len, u32 tsecs)
2668 {
2669 	struct wpa_tdls_timeoutie *lifetime = (struct wpa_tdls_timeoutie *) ie;
2670 
2671 	os_memset(lifetime, 0, ie_len);
2672 	lifetime->ie_type = WLAN_EID_TIMEOUT_INTERVAL;
2673 	lifetime->ie_len = sizeof(struct wpa_tdls_timeoutie) - 2;
2674 	lifetime->interval_type = WLAN_TIMEOUT_KEY_LIFETIME;
2675 	WPA_PUT_LE32(lifetime->value, tsecs);
2676 	os_memcpy(pos, ie, ie_len);
2677 	return pos + ie_len;
2678 }
2679 
2680 
2681 /**
2682  * wpa_tdls_start - Initiate TDLS handshake (send TPK Handshake Message 1)
2683  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2684  * @peer: MAC address of the peer STA
2685  * Returns: 0 on success, or -1 on failure
2686  *
2687  * Send TPK Handshake Message 1 info to driver to start TDLS
2688  * handshake with the peer.
2689  */
2690 int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
2691 {
2692 	struct wpa_tdls_peer *peer;
2693 	int tdls_prohibited = sm->tdls_prohibited;
2694 	int res;
2695 
2696 	if (sm->tdls_disabled || !sm->tdls_supported)
2697 		return -1;
2698 
2699 #ifdef CONFIG_TDLS_TESTING
2700 	if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
2701 	    tdls_prohibited) {
2702 		wpa_printf(MSG_DEBUG, "TDLS: Testing - ignore AP prohibition "
2703 			   "on TDLS");
2704 		tdls_prohibited = 0;
2705 	}
2706 #endif /* CONFIG_TDLS_TESTING */
2707 
2708 	if (tdls_prohibited) {
2709 		wpa_printf(MSG_DEBUG, "TDLS: TDLS is prohibited in this BSS - "
2710 			   "reject request to start setup");
2711 		return -1;
2712 	}
2713 
2714 	peer = wpa_tdls_add_peer(sm, addr, NULL);
2715 	if (peer == NULL)
2716 		return -1;
2717 
2718 	if (peer->tpk_in_progress) {
2719 		wpa_printf(MSG_DEBUG, "TDLS: Setup is already in progress with the peer");
2720 		return 0;
2721 	}
2722 
2723 	peer->initiator = 1;
2724 
2725 	/* add the peer to the driver as a "setup in progress" peer */
2726 	if (wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
2727 				    NULL, NULL, 0, 0, 0, NULL, 0, NULL, 0,
2728 				    NULL, 0)) {
2729 		wpa_tdls_disable_peer_link(sm, peer);
2730 		return -1;
2731 	}
2732 
2733 	peer->tpk_in_progress = 1;
2734 
2735 	res = wpa_tdls_send_tpk_m1(sm, peer);
2736 	if (res < 0) {
2737 		if (res != -2)
2738 			wpa_tdls_disable_peer_link(sm, peer);
2739 		return -1;
2740 	}
2741 
2742 	return 0;
2743 }
2744 
2745 
2746 void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr)
2747 {
2748 	struct wpa_tdls_peer *peer;
2749 
2750 	if (sm->tdls_disabled || !sm->tdls_supported)
2751 		return;
2752 
2753 	for (peer = sm->tdls; peer; peer = peer->next) {
2754 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
2755 			break;
2756 	}
2757 
2758 	if (peer == NULL || !peer->tpk_success)
2759 		return;
2760 
2761 	if (sm->tdls_external_setup) {
2762 		/*
2763 		 * Disable previous link to allow renegotiation to be completed
2764 		 * on AP path.
2765 		 */
2766 		wpa_tdls_do_teardown(sm, peer,
2767 				     WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED);
2768 	}
2769 }
2770 
2771 
2772 /**
2773  * wpa_supplicant_rx_tdls - Receive TDLS data frame
2774  *
2775  * This function is called to receive TDLS (ethertype = 0x890d) data frames.
2776  */
2777 static void wpa_supplicant_rx_tdls(void *ctx, const u8 *src_addr,
2778 				   const u8 *buf, size_t len)
2779 {
2780 	struct wpa_sm *sm = ctx;
2781 	struct wpa_tdls_frame *tf;
2782 
2783 	wpa_hexdump(MSG_DEBUG, "TDLS: Received Data frame encapsulation",
2784 		    buf, len);
2785 
2786 	if (sm->tdls_disabled || !sm->tdls_supported) {
2787 		wpa_printf(MSG_DEBUG, "TDLS: Discard message - TDLS disabled "
2788 			   "or unsupported by driver");
2789 		return;
2790 	}
2791 
2792 	if (os_memcmp(src_addr, sm->own_addr, ETH_ALEN) == 0) {
2793 		wpa_printf(MSG_DEBUG, "TDLS: Discard copy of own message");
2794 		return;
2795 	}
2796 
2797 	if (len < sizeof(*tf)) {
2798 		wpa_printf(MSG_INFO, "TDLS: Drop too short frame");
2799 		return;
2800 	}
2801 
2802 	/* Check to make sure its a valid encapsulated TDLS frame */
2803 	tf = (struct wpa_tdls_frame *) buf;
2804 	if (tf->payloadtype != 2 /* TDLS_RFTYPE */ ||
2805 	    tf->category != WLAN_ACTION_TDLS) {
2806 		wpa_printf(MSG_INFO, "TDLS: Invalid frame - payloadtype=%u "
2807 			   "category=%u action=%u",
2808 			   tf->payloadtype, tf->category, tf->action);
2809 		return;
2810 	}
2811 
2812 	switch (tf->action) {
2813 	case WLAN_TDLS_SETUP_REQUEST:
2814 		wpa_tdls_process_tpk_m1(sm, src_addr, buf, len);
2815 		break;
2816 	case WLAN_TDLS_SETUP_RESPONSE:
2817 		wpa_tdls_process_tpk_m2(sm, src_addr, buf, len);
2818 		break;
2819 	case WLAN_TDLS_SETUP_CONFIRM:
2820 		wpa_tdls_process_tpk_m3(sm, src_addr, buf, len);
2821 		break;
2822 	case WLAN_TDLS_TEARDOWN:
2823 		wpa_tdls_recv_teardown(sm, src_addr, buf, len);
2824 		break;
2825 	case WLAN_TDLS_DISCOVERY_REQUEST:
2826 		wpa_tdls_process_discovery_request(sm, src_addr, buf, len);
2827 		break;
2828 	default:
2829 		/* Kernel code will process remaining frames */
2830 		wpa_printf(MSG_DEBUG, "TDLS: Ignore TDLS frame action code %u",
2831 			   tf->action);
2832 		break;
2833 	}
2834 }
2835 
2836 
2837 /**
2838  * wpa_tdls_init - Initialize driver interface parameters for TDLS
2839  * @wpa_s: Pointer to wpa_supplicant data
2840  * Returns: 0 on success, -1 on failure
2841  *
2842  * This function is called to initialize driver interface parameters for TDLS.
2843  * wpa_drv_init() must have been called before this function to initialize the
2844  * driver interface.
2845  */
2846 int wpa_tdls_init(struct wpa_sm *sm)
2847 {
2848 	if (sm == NULL)
2849 		return -1;
2850 
2851 	if (sm->l2_tdls) {
2852 		l2_packet_deinit(sm->l2_tdls);
2853 		sm->l2_tdls = NULL;
2854 	}
2855 
2856 	sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname :
2857 				     sm->ifname,
2858 				     sm->own_addr,
2859 				     ETH_P_80211_ENCAP, wpa_supplicant_rx_tdls,
2860 				     sm, 0);
2861 	if (sm->l2_tdls == NULL) {
2862 		wpa_printf(MSG_ERROR, "TDLS: Failed to open l2_packet "
2863 			   "connection");
2864 		return -1;
2865 	}
2866 
2867 	/*
2868 	 * Drivers that support TDLS but don't implement the get_capa callback
2869 	 * are assumed to perform everything internally
2870 	 */
2871 	if (wpa_sm_tdls_get_capa(sm, &sm->tdls_supported,
2872 				 &sm->tdls_external_setup,
2873 				 &sm->tdls_chan_switch) < 0) {
2874 		sm->tdls_supported = 1;
2875 		sm->tdls_external_setup = 0;
2876 	}
2877 
2878 	wpa_printf(MSG_DEBUG, "TDLS: TDLS operation%s supported by "
2879 		   "driver", sm->tdls_supported ? "" : " not");
2880 	wpa_printf(MSG_DEBUG, "TDLS: Driver uses %s link setup",
2881 		   sm->tdls_external_setup ? "external" : "internal");
2882 	wpa_printf(MSG_DEBUG, "TDLS: Driver %s TDLS channel switching",
2883 		   sm->tdls_chan_switch ? "supports" : "does not support");
2884 
2885 	return 0;
2886 }
2887 
2888 
2889 void wpa_tdls_teardown_peers(struct wpa_sm *sm)
2890 {
2891 	struct wpa_tdls_peer *peer, *tmp;
2892 
2893 	if (!sm)
2894 		return;
2895 	peer = sm->tdls;
2896 
2897 	wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
2898 
2899 	while (peer) {
2900 		tmp = peer->next;
2901 		wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
2902 			   MAC2STR(peer->addr));
2903 		if (sm->tdls_external_setup)
2904 			wpa_tdls_do_teardown(sm, peer,
2905 					     WLAN_REASON_DEAUTH_LEAVING);
2906 		else
2907 			wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
2908 
2909 		peer = tmp;
2910 	}
2911 }
2912 
2913 
2914 static void wpa_tdls_remove_peers(struct wpa_sm *sm)
2915 {
2916 	struct wpa_tdls_peer *peer, *tmp;
2917 
2918 	peer = sm->tdls;
2919 
2920 	while (peer) {
2921 		int res;
2922 		tmp = peer->next;
2923 		res = wpa_sm_tdls_oper(sm, TDLS_DISABLE_LINK, peer->addr);
2924 		wpa_printf(MSG_DEBUG, "TDLS: Remove peer " MACSTR " (res=%d)",
2925 			   MAC2STR(peer->addr), res);
2926 		wpa_tdls_peer_free(sm, peer);
2927 		peer = tmp;
2928 	}
2929 }
2930 
2931 
2932 /**
2933  * wpa_tdls_deinit - Deinitialize driver interface parameters for TDLS
2934  *
2935  * This function is called to recover driver interface parameters for TDLS
2936  * and frees resources allocated for it.
2937  */
2938 void wpa_tdls_deinit(struct wpa_sm *sm)
2939 {
2940 	if (sm == NULL)
2941 		return;
2942 
2943 	if (sm->l2_tdls)
2944 		l2_packet_deinit(sm->l2_tdls);
2945 	sm->l2_tdls = NULL;
2946 
2947 	wpa_tdls_remove_peers(sm);
2948 }
2949 
2950 
2951 void wpa_tdls_assoc(struct wpa_sm *sm)
2952 {
2953 	wpa_printf(MSG_DEBUG, "TDLS: Remove peers on association");
2954 	wpa_tdls_remove_peers(sm);
2955 }
2956 
2957 
2958 void wpa_tdls_disassoc(struct wpa_sm *sm)
2959 {
2960 	wpa_printf(MSG_DEBUG, "TDLS: Remove peers on disassociation");
2961 	wpa_tdls_remove_peers(sm);
2962 }
2963 
2964 
2965 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
2966 {
2967 	/* bit 38 - TDLS Prohibited */
2968 	return !!(elems->ext_capab[4] & 0x40);
2969 }
2970 
2971 
2972 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
2973 {
2974 	/* bit 39 - TDLS Channel Switch Prohibited */
2975 	return !!(elems->ext_capab[4] & 0x80);
2976 }
2977 
2978 
2979 void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
2980 {
2981 	struct ieee802_11_elems elems;
2982 
2983 	sm->tdls_prohibited = 0;
2984 	sm->tdls_chan_switch_prohibited = 0;
2985 
2986 	if (ies == NULL ||
2987 	    ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
2988 	    elems.ext_capab == NULL || elems.ext_capab_len < 5)
2989 		return;
2990 
2991 	sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
2992 	wpa_printf(MSG_DEBUG, "TDLS: TDLS is %s in the target BSS",
2993 		   sm->tdls_prohibited ? "prohibited" : "allowed");
2994 	sm->tdls_chan_switch_prohibited =
2995 		wpa_tdls_chan_switch_prohibited(&elems);
2996 	wpa_printf(MSG_DEBUG, "TDLS: TDLS channel switch %s in the target BSS",
2997 		   sm->tdls_chan_switch_prohibited ? "prohibited" : "allowed");
2998 }
2999 
3000 
3001 void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
3002 {
3003 	struct ieee802_11_elems elems;
3004 
3005 	if (ies == NULL ||
3006 	    ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
3007 	    elems.ext_capab == NULL || elems.ext_capab_len < 5)
3008 		return;
3009 
3010 	if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {
3011 		wpa_printf(MSG_DEBUG, "TDLS: TDLS prohibited based on "
3012 			   "(Re)Association Response IEs");
3013 		sm->tdls_prohibited = 1;
3014 	}
3015 
3016 	if (!sm->tdls_chan_switch_prohibited &&
3017 	    wpa_tdls_chan_switch_prohibited(&elems)) {
3018 		wpa_printf(MSG_DEBUG,
3019 			   "TDLS: TDLS channel switch prohibited based on (Re)Association Response IEs");
3020 		sm->tdls_chan_switch_prohibited = 1;
3021 	}
3022 }
3023 
3024 
3025 void wpa_tdls_enable(struct wpa_sm *sm, int enabled)
3026 {
3027 	wpa_printf(MSG_DEBUG, "TDLS: %s", enabled ? "enabled" : "disabled");
3028 	sm->tdls_disabled = !enabled;
3029 }
3030 
3031 
3032 int wpa_tdls_is_external_setup(struct wpa_sm *sm)
3033 {
3034 	return sm->tdls_external_setup;
3035 }
3036 
3037 
3038 int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
3039 				u8 oper_class,
3040 				struct hostapd_freq_params *freq_params)
3041 {
3042 	struct wpa_tdls_peer *peer;
3043 	int ret;
3044 
3045 	if (sm->tdls_disabled || !sm->tdls_supported)
3046 		return -1;
3047 
3048 	if (!sm->tdls_chan_switch) {
3049 		wpa_printf(MSG_DEBUG,
3050 			   "TDLS: Channel switching not supported by the driver");
3051 		return -1;
3052 	}
3053 
3054 	if (sm->tdls_chan_switch_prohibited) {
3055 		wpa_printf(MSG_DEBUG,
3056 			   "TDLS: Channel switching is prohibited in this BSS - reject request to switch channel");
3057 		return -1;
3058 	}
3059 
3060 	for (peer = sm->tdls; peer; peer = peer->next) {
3061 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3062 			break;
3063 	}
3064 
3065 	if (peer == NULL || !peer->tpk_success) {
3066 		wpa_printf(MSG_ERROR, "TDLS: Peer " MACSTR
3067 			   " not found for channel switching", MAC2STR(addr));
3068 		return -1;
3069 	}
3070 
3071 	if (peer->chan_switch_enabled) {
3072 		wpa_printf(MSG_DEBUG, "TDLS: Peer " MACSTR
3073 			   " already has channel switching enabled",
3074 			   MAC2STR(addr));
3075 		return 0;
3076 	}
3077 
3078 	ret = wpa_sm_tdls_enable_channel_switch(sm, peer->addr,
3079 						oper_class, freq_params);
3080 	if (!ret)
3081 		peer->chan_switch_enabled = 1;
3082 
3083 	return ret;
3084 }
3085 
3086 
3087 int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr)
3088 {
3089 	struct wpa_tdls_peer *peer;
3090 
3091 	if (sm->tdls_disabled || !sm->tdls_supported)
3092 		return -1;
3093 
3094 	for (peer = sm->tdls; peer; peer = peer->next) {
3095 		if (os_memcmp(peer->addr, addr, ETH_ALEN) == 0)
3096 			break;
3097 	}
3098 
3099 	if (!peer || !peer->chan_switch_enabled) {
3100 		wpa_printf(MSG_ERROR, "TDLS: Channel switching not enabled for "
3101 			   MACSTR, MAC2STR(addr));
3102 		return -1;
3103 	}
3104 
3105 	/* ignore the return value */
3106 	wpa_sm_tdls_disable_channel_switch(sm, peer->addr);
3107 
3108 	peer->chan_switch_enabled = 0;
3109 	return 0;
3110 }
3111