xref: /freebsd/contrib/wpa/wpa_supplicant/mesh_mpm.c (revision 13ea0450a9c8742119d36f3bf8f47accdce46e54)
1 /*
2  * WPA Supplicant - Basic mesh peer management
3  * Copyright (c) 2013-2014, cozybit, Inc.  All rights reserved.
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "common/hw_features_common.h"
15 #include "ap/hostapd.h"
16 #include "ap/sta_info.h"
17 #include "ap/ieee802_11.h"
18 #include "ap/wpa_auth.h"
19 #include "wpa_supplicant_i.h"
20 #include "driver_i.h"
21 #include "mesh_mpm.h"
22 #include "mesh_rsn.h"
23 #include "notify.h"
24 
25 struct mesh_peer_mgmt_ie {
26 	const u8 *proto_id; /* Mesh Peering Protocol Identifier (2 octets) */
27 	const u8 *llid; /* Local Link ID (2 octets) */
28 	const u8 *plid; /* Peer Link ID (conditional, 2 octets) */
29 	const u8 *reason; /* Reason Code (conditional, 2 octets) */
30 	const u8 *chosen_pmk; /* Chosen PMK (optional, 16 octets) */
31 };
32 
33 static void plink_timer(void *eloop_ctx, void *user_data);
34 
35 
36 enum plink_event {
37 	PLINK_UNDEFINED,
38 	OPN_ACPT,
39 	OPN_RJCT,
40 	CNF_ACPT,
41 	CNF_RJCT,
42 	CLS_ACPT,
43 	REQ_RJCT
44 };
45 
46 static const char * const mplstate[] = {
47 	[0] = "UNINITIALIZED",
48 	[PLINK_IDLE] = "IDLE",
49 	[PLINK_OPN_SNT] = "OPN_SNT",
50 	[PLINK_OPN_RCVD] = "OPN_RCVD",
51 	[PLINK_CNF_RCVD] = "CNF_RCVD",
52 	[PLINK_ESTAB] = "ESTAB",
53 	[PLINK_HOLDING] = "HOLDING",
54 	[PLINK_BLOCKED] = "BLOCKED"
55 };
56 
57 static const char * const mplevent[] = {
58 	[PLINK_UNDEFINED] = "UNDEFINED",
59 	[OPN_ACPT] = "OPN_ACPT",
60 	[OPN_RJCT] = "OPN_RJCT",
61 	[CNF_ACPT] = "CNF_ACPT",
62 	[CNF_RJCT] = "CNF_RJCT",
63 	[CLS_ACPT] = "CLS_ACPT",
64 	[REQ_RJCT] = "REQ_RJCT",
65 };
66 
67 
68 static int mesh_mpm_parse_peer_mgmt(struct wpa_supplicant *wpa_s,
69 				    u8 action_field,
70 				    const u8 *ie, size_t len,
71 				    struct mesh_peer_mgmt_ie *mpm_ie)
72 {
73 	os_memset(mpm_ie, 0, sizeof(*mpm_ie));
74 
75 	/* Remove optional Chosen PMK field at end */
76 	if (len >= SAE_PMKID_LEN) {
77 		mpm_ie->chosen_pmk = ie + len - SAE_PMKID_LEN;
78 		len -= SAE_PMKID_LEN;
79 	}
80 
81 	if ((action_field == PLINK_OPEN && len != 4) ||
82 	    (action_field == PLINK_CONFIRM && len != 6) ||
83 	    (action_field == PLINK_CLOSE && len != 6 && len != 8)) {
84 		wpa_msg(wpa_s, MSG_DEBUG, "MPM: Invalid peer mgmt ie");
85 		return -1;
86 	}
87 
88 	/* required fields */
89 	if (len < 4)
90 		return -1;
91 	mpm_ie->proto_id = ie;
92 	mpm_ie->llid = ie + 2;
93 	ie += 4;
94 	len -= 4;
95 
96 	/* close reason is always present at end for close */
97 	if (action_field == PLINK_CLOSE) {
98 		if (len < 2)
99 			return -1;
100 		mpm_ie->reason = ie + len - 2;
101 		len -= 2;
102 	}
103 
104 	/* Peer Link ID, present for confirm, and possibly close */
105 	if (len >= 2)
106 		mpm_ie->plid = ie;
107 
108 	return 0;
109 }
110 
111 
112 static int plink_free_count(struct hostapd_data *hapd)
113 {
114 	if (hapd->max_plinks > hapd->num_plinks)
115 		return hapd->max_plinks - hapd->num_plinks;
116 	return 0;
117 }
118 
119 
120 static u16 copy_supp_rates(struct wpa_supplicant *wpa_s,
121 			   struct sta_info *sta,
122 			   struct ieee802_11_elems *elems)
123 {
124 	if (!elems->supp_rates) {
125 		wpa_msg(wpa_s, MSG_ERROR, "no supported rates from " MACSTR,
126 			MAC2STR(sta->addr));
127 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
128 	}
129 
130 	if (elems->supp_rates_len + elems->ext_supp_rates_len >
131 	    sizeof(sta->supported_rates)) {
132 		wpa_msg(wpa_s, MSG_ERROR,
133 			"Invalid supported rates element length " MACSTR
134 			" %d+%d", MAC2STR(sta->addr), elems->supp_rates_len,
135 			elems->ext_supp_rates_len);
136 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
137 	}
138 
139 	sta->supported_rates_len = merge_byte_arrays(
140 		sta->supported_rates, sizeof(sta->supported_rates),
141 		elems->supp_rates, elems->supp_rates_len,
142 		elems->ext_supp_rates, elems->ext_supp_rates_len);
143 
144 	return WLAN_STATUS_SUCCESS;
145 }
146 
147 
148 /* return true if elems from a neighbor match this MBSS */
149 static Boolean matches_local(struct wpa_supplicant *wpa_s,
150 			     struct ieee802_11_elems *elems)
151 {
152 	struct mesh_conf *mconf = wpa_s->ifmsh->mconf;
153 
154 	if (elems->mesh_config_len < 5)
155 		return FALSE;
156 
157 	return (mconf->meshid_len == elems->mesh_id_len &&
158 		os_memcmp(mconf->meshid, elems->mesh_id,
159 			  elems->mesh_id_len) == 0 &&
160 		mconf->mesh_pp_id == elems->mesh_config[0] &&
161 		mconf->mesh_pm_id == elems->mesh_config[1] &&
162 		mconf->mesh_cc_id == elems->mesh_config[2] &&
163 		mconf->mesh_sp_id == elems->mesh_config[3] &&
164 		mconf->mesh_auth_id == elems->mesh_config[4]);
165 }
166 
167 
168 /* check if local link id is already used with another peer */
169 static Boolean llid_in_use(struct wpa_supplicant *wpa_s, u16 llid)
170 {
171 	struct sta_info *sta;
172 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
173 
174 	for (sta = hapd->sta_list; sta; sta = sta->next) {
175 		if (sta->my_lid == llid)
176 			return TRUE;
177 	}
178 
179 	return FALSE;
180 }
181 
182 
183 /* generate an llid for a link and set to initial state */
184 static void mesh_mpm_init_link(struct wpa_supplicant *wpa_s,
185 			       struct sta_info *sta)
186 {
187 	u16 llid;
188 
189 	do {
190 		if (os_get_random((u8 *) &llid, sizeof(llid)) < 0)
191 			continue;
192 	} while (!llid || llid_in_use(wpa_s, llid));
193 
194 	sta->my_lid = llid;
195 	sta->peer_lid = 0;
196 	sta->peer_aid = 0;
197 
198 	/*
199 	 * We do not use wpa_mesh_set_plink_state() here because there is no
200 	 * entry in kernel yet.
201 	 */
202 	sta->plink_state = PLINK_IDLE;
203 }
204 
205 
206 static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
207 				       struct sta_info *sta,
208 				       enum plink_action_field type,
209 				       u16 close_reason)
210 {
211 	struct wpabuf *buf;
212 	struct hostapd_iface *ifmsh = wpa_s->ifmsh;
213 	struct hostapd_data *bss = ifmsh->bss[0];
214 	struct mesh_conf *conf = ifmsh->mconf;
215 	u8 supp_rates[2 + 2 + 32];
216 	u8 *pos, *cat;
217 	u8 ie_len, add_plid = 0;
218 	int ret;
219 	int ampe = conf->security & MESH_CONF_SEC_AMPE;
220 	size_t buf_len;
221 
222 	if (!sta)
223 		return;
224 
225 	buf_len = 2 +      /* Category and Action */
226 		  2 +      /* capability info */
227 		  2 +      /* AID */
228 		  2 + 8 +  /* supported rates */
229 		  2 + (32 - 8) +
230 		  2 + 32 + /* mesh ID */
231 		  2 + 7 +  /* mesh config */
232 		  2 + 24 + /* peering management */
233 		  2 + 96 + /* AMPE */
234 		  2 + 16;  /* MIC */
235 #ifdef CONFIG_IEEE80211N
236 	if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) {
237 		buf_len += 2 + 26 + /* HT capabilities */
238 			   2 + 22;  /* HT operation */
239 	}
240 #endif /* CONFIG_IEEE80211N */
241 #ifdef CONFIG_IEEE80211AC
242 	if (type != PLINK_CLOSE && wpa_s->mesh_vht_enabled) {
243 		buf_len += 2 + 12 + /* VHT Capabilities */
244 			   2 + 5;  /* VHT Operation */
245 	}
246 #endif /* CONFIG_IEEE80211AC */
247 	if (type != PLINK_CLOSE)
248 		buf_len += conf->rsn_ie_len; /* RSN IE */
249 
250 	buf = wpabuf_alloc(buf_len);
251 	if (!buf)
252 		return;
253 
254 	cat = wpabuf_mhead_u8(buf);
255 	wpabuf_put_u8(buf, WLAN_ACTION_SELF_PROTECTED);
256 	wpabuf_put_u8(buf, type);
257 
258 	if (type != PLINK_CLOSE) {
259 		u8 info;
260 
261 		/* capability info */
262 		wpabuf_put_le16(buf, ampe ? IEEE80211_CAP_PRIVACY : 0);
263 
264 		/* aid */
265 		if (type == PLINK_CONFIRM)
266 			wpabuf_put_le16(buf, sta->aid);
267 
268 		/* IE: supp + ext. supp rates */
269 		pos = hostapd_eid_supp_rates(bss, supp_rates);
270 		pos = hostapd_eid_ext_supp_rates(bss, pos);
271 		wpabuf_put_data(buf, supp_rates, pos - supp_rates);
272 
273 		/* IE: RSN IE */
274 		wpabuf_put_data(buf, conf->rsn_ie, conf->rsn_ie_len);
275 
276 		/* IE: Mesh ID */
277 		wpabuf_put_u8(buf, WLAN_EID_MESH_ID);
278 		wpabuf_put_u8(buf, conf->meshid_len);
279 		wpabuf_put_data(buf, conf->meshid, conf->meshid_len);
280 
281 		/* IE: mesh conf */
282 		wpabuf_put_u8(buf, WLAN_EID_MESH_CONFIG);
283 		wpabuf_put_u8(buf, 7);
284 		wpabuf_put_u8(buf, conf->mesh_pp_id);
285 		wpabuf_put_u8(buf, conf->mesh_pm_id);
286 		wpabuf_put_u8(buf, conf->mesh_cc_id);
287 		wpabuf_put_u8(buf, conf->mesh_sp_id);
288 		wpabuf_put_u8(buf, conf->mesh_auth_id);
289 		info = (bss->num_plinks > 63 ? 63 : bss->num_plinks) << 1;
290 		/* TODO: Add Connected to Mesh Gate/AS subfields */
291 		wpabuf_put_u8(buf, info);
292 		/* always forwarding & accepting plinks for now */
293 		wpabuf_put_u8(buf, MESH_CAP_ACCEPT_ADDITIONAL_PEER |
294 			      MESH_CAP_FORWARDING);
295 	} else {	/* Peer closing frame */
296 		/* IE: Mesh ID */
297 		wpabuf_put_u8(buf, WLAN_EID_MESH_ID);
298 		wpabuf_put_u8(buf, conf->meshid_len);
299 		wpabuf_put_data(buf, conf->meshid, conf->meshid_len);
300 	}
301 
302 	/* IE: Mesh Peering Management element */
303 	ie_len = 4;
304 	if (ampe)
305 		ie_len += PMKID_LEN;
306 	switch (type) {
307 	case PLINK_OPEN:
308 		break;
309 	case PLINK_CONFIRM:
310 		ie_len += 2;
311 		add_plid = 1;
312 		break;
313 	case PLINK_CLOSE:
314 		ie_len += 2;
315 		add_plid = 1;
316 		ie_len += 2; /* reason code */
317 		break;
318 	}
319 
320 	wpabuf_put_u8(buf, WLAN_EID_PEER_MGMT);
321 	wpabuf_put_u8(buf, ie_len);
322 	/* peering protocol */
323 	if (ampe)
324 		wpabuf_put_le16(buf, 1);
325 	else
326 		wpabuf_put_le16(buf, 0);
327 	wpabuf_put_le16(buf, sta->my_lid);
328 	if (add_plid)
329 		wpabuf_put_le16(buf, sta->peer_lid);
330 	if (type == PLINK_CLOSE)
331 		wpabuf_put_le16(buf, close_reason);
332 	if (ampe) {
333 		if (sta->sae == NULL) {
334 			wpa_msg(wpa_s, MSG_INFO, "Mesh MPM: no SAE session");
335 			goto fail;
336 		}
337 		mesh_rsn_get_pmkid(wpa_s->mesh_rsn, sta,
338 				   wpabuf_put(buf, PMKID_LEN));
339 	}
340 
341 #ifdef CONFIG_IEEE80211N
342 	if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) {
343 		u8 ht_capa_oper[2 + 26 + 2 + 22];
344 
345 		pos = hostapd_eid_ht_capabilities(bss, ht_capa_oper);
346 		pos = hostapd_eid_ht_operation(bss, pos);
347 		wpabuf_put_data(buf, ht_capa_oper, pos - ht_capa_oper);
348 	}
349 #endif /* CONFIG_IEEE80211N */
350 #ifdef CONFIG_IEEE80211AC
351 	if (type != PLINK_CLOSE && wpa_s->mesh_vht_enabled) {
352 		u8 vht_capa_oper[2 + 12 + 2 + 5];
353 
354 		pos = hostapd_eid_vht_capabilities(bss, vht_capa_oper, 0);
355 		pos = hostapd_eid_vht_operation(bss, pos);
356 		wpabuf_put_data(buf, vht_capa_oper, pos - vht_capa_oper);
357 	}
358 #endif /* CONFIG_IEEE80211AC */
359 
360 	if (ampe && mesh_rsn_protect_frame(wpa_s->mesh_rsn, sta, cat, buf)) {
361 		wpa_msg(wpa_s, MSG_INFO,
362 			"Mesh MPM: failed to add AMPE and MIC IE");
363 		goto fail;
364 	}
365 
366 	wpa_msg(wpa_s, MSG_DEBUG, "Mesh MPM: Sending peering frame type %d to "
367 		MACSTR " (my_lid=0x%x peer_lid=0x%x)",
368 		type, MAC2STR(sta->addr), sta->my_lid, sta->peer_lid);
369 	ret = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0,
370 				  sta->addr, wpa_s->own_addr, wpa_s->own_addr,
371 				  wpabuf_head(buf), wpabuf_len(buf), 0);
372 	if (ret < 0)
373 		wpa_msg(wpa_s, MSG_INFO,
374 			"Mesh MPM: failed to send peering frame");
375 
376 fail:
377 	wpabuf_free(buf);
378 }
379 
380 
381 /* configure peering state in ours and driver's station entry */
382 void wpa_mesh_set_plink_state(struct wpa_supplicant *wpa_s,
383 			      struct sta_info *sta,
384 			      enum mesh_plink_state state)
385 {
386 	struct hostapd_sta_add_params params;
387 	int ret;
388 
389 	wpa_msg(wpa_s, MSG_DEBUG, "MPM set " MACSTR " from %s into %s",
390 		MAC2STR(sta->addr), mplstate[sta->plink_state],
391 		mplstate[state]);
392 	sta->plink_state = state;
393 
394 	os_memset(&params, 0, sizeof(params));
395 	params.addr = sta->addr;
396 	params.plink_state = state;
397 	params.peer_aid = sta->peer_aid;
398 	params.set = 1;
399 
400 	ret = wpa_drv_sta_add(wpa_s, &params);
401 	if (ret) {
402 		wpa_msg(wpa_s, MSG_ERROR, "Driver failed to set " MACSTR
403 			": %d", MAC2STR(sta->addr), ret);
404 	}
405 }
406 
407 
408 static void mesh_mpm_fsm_restart(struct wpa_supplicant *wpa_s,
409 				 struct sta_info *sta)
410 {
411 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
412 
413 	eloop_cancel_timeout(plink_timer, wpa_s, sta);
414 
415 	ap_free_sta(hapd, sta);
416 }
417 
418 
419 static void plink_timer(void *eloop_ctx, void *user_data)
420 {
421 	struct wpa_supplicant *wpa_s = eloop_ctx;
422 	struct sta_info *sta = user_data;
423 	u16 reason = 0;
424 	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
425 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
426 
427 	switch (sta->plink_state) {
428 	case PLINK_OPN_RCVD:
429 	case PLINK_OPN_SNT:
430 		/* retry timer */
431 		if (sta->mpm_retries < conf->dot11MeshMaxRetries) {
432 			eloop_register_timeout(
433 				conf->dot11MeshRetryTimeout / 1000,
434 				(conf->dot11MeshRetryTimeout % 1000) * 1000,
435 				plink_timer, wpa_s, sta);
436 			mesh_mpm_send_plink_action(wpa_s, sta, PLINK_OPEN, 0);
437 			sta->mpm_retries++;
438 			break;
439 		}
440 		reason = WLAN_REASON_MESH_MAX_RETRIES;
441 		/* fall through */
442 
443 	case PLINK_CNF_RCVD:
444 		/* confirm timer */
445 		if (!reason)
446 			reason = WLAN_REASON_MESH_CONFIRM_TIMEOUT;
447 		wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
448 		eloop_register_timeout(conf->dot11MeshHoldingTimeout / 1000,
449 			(conf->dot11MeshHoldingTimeout % 1000) * 1000,
450 			plink_timer, wpa_s, sta);
451 		mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CLOSE, reason);
452 		break;
453 	case PLINK_HOLDING:
454 		/* holding timer */
455 
456 		if (sta->mesh_sae_pmksa_caching) {
457 			wpa_printf(MSG_DEBUG, "MPM: Peer " MACSTR
458 				   " looks like it does not support mesh SAE PMKSA caching, so remove the cached entry for it",
459 				   MAC2STR(sta->addr));
460 			wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
461 		}
462 		mesh_mpm_fsm_restart(wpa_s, sta);
463 		break;
464 	default:
465 		break;
466 	}
467 }
468 
469 
470 /* initiate peering with station */
471 static void
472 mesh_mpm_plink_open(struct wpa_supplicant *wpa_s, struct sta_info *sta,
473 		    enum mesh_plink_state next_state)
474 {
475 	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
476 
477 	eloop_cancel_timeout(plink_timer, wpa_s, sta);
478 	eloop_register_timeout(conf->dot11MeshRetryTimeout / 1000,
479 			       (conf->dot11MeshRetryTimeout % 1000) * 1000,
480 			       plink_timer, wpa_s, sta);
481 	mesh_mpm_send_plink_action(wpa_s, sta, PLINK_OPEN, 0);
482 	wpa_mesh_set_plink_state(wpa_s, sta, next_state);
483 }
484 
485 
486 static int mesh_mpm_plink_close(struct hostapd_data *hapd, struct sta_info *sta,
487 				void *ctx)
488 {
489 	struct wpa_supplicant *wpa_s = ctx;
490 	int reason = WLAN_REASON_MESH_PEERING_CANCELLED;
491 
492 	if (sta) {
493 		wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
494 		mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CLOSE, reason);
495 		wpa_printf(MSG_DEBUG, "MPM closing plink sta=" MACSTR,
496 			   MAC2STR(sta->addr));
497 		eloop_cancel_timeout(plink_timer, wpa_s, sta);
498 		return 0;
499 	}
500 
501 	return 1;
502 }
503 
504 
505 int mesh_mpm_close_peer(struct wpa_supplicant *wpa_s, const u8 *addr)
506 {
507 	struct hostapd_data *hapd;
508 	struct sta_info *sta;
509 
510 	if (!wpa_s->ifmsh) {
511 		wpa_msg(wpa_s, MSG_INFO, "Mesh is not prepared yet");
512 		return -1;
513 	}
514 
515 	hapd = wpa_s->ifmsh->bss[0];
516 	sta = ap_get_sta(hapd, addr);
517 	if (!sta) {
518 		wpa_msg(wpa_s, MSG_INFO, "No such mesh peer");
519 		return -1;
520 	}
521 
522 	return mesh_mpm_plink_close(hapd, sta, wpa_s) == 0 ? 0 : -1;
523 }
524 
525 
526 static void peer_add_timer(void *eloop_ctx, void *user_data)
527 {
528 	struct wpa_supplicant *wpa_s = eloop_ctx;
529 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
530 
531 	os_memset(hapd->mesh_required_peer, 0, ETH_ALEN);
532 }
533 
534 
535 int mesh_mpm_connect_peer(struct wpa_supplicant *wpa_s, const u8 *addr,
536 			  int duration)
537 {
538 	struct wpa_ssid *ssid = wpa_s->current_ssid;
539 	struct hostapd_data *hapd;
540 	struct sta_info *sta;
541 	struct mesh_conf *conf;
542 
543 	if (!wpa_s->ifmsh) {
544 		wpa_msg(wpa_s, MSG_INFO, "Mesh is not prepared yet");
545 		return -1;
546 	}
547 
548 	if (!ssid || !ssid->no_auto_peer) {
549 		wpa_msg(wpa_s, MSG_INFO,
550 			"This command is available only with no_auto_peer mesh network");
551 		return -1;
552 	}
553 
554 	hapd = wpa_s->ifmsh->bss[0];
555 	conf = wpa_s->ifmsh->mconf;
556 
557 	sta = ap_get_sta(hapd, addr);
558 	if (!sta) {
559 		wpa_msg(wpa_s, MSG_INFO, "No such mesh peer");
560 		return -1;
561 	}
562 
563 	if ((PLINK_OPN_SNT <= sta->plink_state &&
564 	    sta->plink_state <= PLINK_ESTAB) ||
565 	    (sta->sae && sta->sae->state > SAE_NOTHING)) {
566 		wpa_msg(wpa_s, MSG_INFO,
567 			"Specified peer is connecting/connected");
568 		return -1;
569 	}
570 
571 	if (conf->security == MESH_CONF_SEC_NONE) {
572 		mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_SNT);
573 	} else {
574 		mesh_rsn_auth_sae_sta(wpa_s, sta);
575 		os_memcpy(hapd->mesh_required_peer, addr, ETH_ALEN);
576 		eloop_register_timeout(duration == -1 ? 10 : duration, 0,
577 				       peer_add_timer, wpa_s, NULL);
578 	}
579 
580 	return 0;
581 }
582 
583 
584 void mesh_mpm_deinit(struct wpa_supplicant *wpa_s, struct hostapd_iface *ifmsh)
585 {
586 	struct hostapd_data *hapd = ifmsh->bss[0];
587 
588 	/* notify peers we're leaving */
589 	ap_for_each_sta(hapd, mesh_mpm_plink_close, wpa_s);
590 
591 	hapd->num_plinks = 0;
592 	hostapd_free_stas(hapd);
593 	eloop_cancel_timeout(peer_add_timer, wpa_s, NULL);
594 }
595 
596 
597 /* for mesh_rsn to indicate this peer has completed authentication, and we're
598  * ready to start AMPE */
599 void mesh_mpm_auth_peer(struct wpa_supplicant *wpa_s, const u8 *addr)
600 {
601 	struct hostapd_data *data = wpa_s->ifmsh->bss[0];
602 	struct hostapd_sta_add_params params;
603 	struct sta_info *sta;
604 	int ret;
605 
606 	sta = ap_get_sta(data, addr);
607 	if (!sta) {
608 		wpa_msg(wpa_s, MSG_DEBUG, "no such mesh peer");
609 		return;
610 	}
611 
612 	/* TODO: Should do nothing if this STA is already authenticated, but
613 	 * the AP code already sets this flag. */
614 	sta->flags |= WLAN_STA_AUTH;
615 
616 	mesh_rsn_init_ampe_sta(wpa_s, sta);
617 
618 	os_memset(&params, 0, sizeof(params));
619 	params.addr = sta->addr;
620 	params.flags = WPA_STA_AUTHENTICATED | WPA_STA_AUTHORIZED;
621 	params.set = 1;
622 
623 	wpa_msg(wpa_s, MSG_DEBUG, "MPM authenticating " MACSTR,
624 		MAC2STR(sta->addr));
625 	ret = wpa_drv_sta_add(wpa_s, &params);
626 	if (ret) {
627 		wpa_msg(wpa_s, MSG_ERROR,
628 			"Driver failed to set " MACSTR ": %d",
629 			MAC2STR(sta->addr), ret);
630 	}
631 
632 	if (!sta->my_lid)
633 		mesh_mpm_init_link(wpa_s, sta);
634 
635 	mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_SNT);
636 }
637 
638 /*
639  * Initialize a sta_info structure for a peer and upload it into the driver
640  * in preparation for beginning authentication or peering. This is done when a
641  * Beacon (secure or open mesh) or a peering open frame (for open mesh) is
642  * received from the peer for the first time.
643  */
644 static struct sta_info * mesh_mpm_add_peer(struct wpa_supplicant *wpa_s,
645 					   const u8 *addr,
646 					   struct ieee802_11_elems *elems)
647 {
648 	struct hostapd_sta_add_params params;
649 	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
650 	struct hostapd_data *data = wpa_s->ifmsh->bss[0];
651 	struct sta_info *sta;
652 #ifdef CONFIG_IEEE80211N
653 	struct ieee80211_ht_operation *oper;
654 #endif /* CONFIG_IEEE80211N */
655 	int ret;
656 
657 	if (elems->mesh_config_len >= 7 &&
658 	    !(elems->mesh_config[6] & MESH_CAP_ACCEPT_ADDITIONAL_PEER)) {
659 		wpa_msg(wpa_s, MSG_DEBUG,
660 			"mesh: Ignore a crowded peer " MACSTR,
661 			MAC2STR(addr));
662 		return NULL;
663 	}
664 
665 	sta = ap_get_sta(data, addr);
666 	if (!sta) {
667 		sta = ap_sta_add(data, addr);
668 		if (!sta)
669 			return NULL;
670 	}
671 
672 	/* Set WMM by default since Mesh STAs are QoS STAs */
673 	sta->flags |= WLAN_STA_WMM;
674 
675 	/* initialize sta */
676 	if (copy_supp_rates(wpa_s, sta, elems)) {
677 		ap_free_sta(data, sta);
678 		return NULL;
679 	}
680 
681 	if (!sta->my_lid)
682 		mesh_mpm_init_link(wpa_s, sta);
683 
684 #ifdef CONFIG_IEEE80211N
685 	copy_sta_ht_capab(data, sta, elems->ht_capabilities);
686 
687 	oper = (struct ieee80211_ht_operation *) elems->ht_operation;
688 	if (oper &&
689 	    !(oper->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) &&
690 	    sta->ht_capabilities) {
691 		wpa_msg(wpa_s, MSG_DEBUG, MACSTR
692 			" does not support 40 MHz bandwidth",
693 			MAC2STR(sta->addr));
694 		set_disable_ht40(sta->ht_capabilities, 1);
695 	}
696 
697 	update_ht_state(data, sta);
698 #endif /* CONFIG_IEEE80211N */
699 
700 #ifdef CONFIG_IEEE80211AC
701 	copy_sta_vht_capab(data, sta, elems->vht_capabilities);
702 	set_sta_vht_opmode(data, sta, elems->vht_opmode_notif);
703 #endif /* CONFIG_IEEE80211AC */
704 
705 	if (hostapd_get_aid(data, sta) < 0) {
706 		wpa_msg(wpa_s, MSG_ERROR, "No AIDs available");
707 		ap_free_sta(data, sta);
708 		return NULL;
709 	}
710 
711 	/* insert into driver */
712 	os_memset(&params, 0, sizeof(params));
713 	params.supp_rates = sta->supported_rates;
714 	params.supp_rates_len = sta->supported_rates_len;
715 	params.addr = addr;
716 	params.plink_state = sta->plink_state;
717 	params.aid = sta->aid;
718 	params.peer_aid = sta->peer_aid;
719 	params.listen_interval = 100;
720 	params.ht_capabilities = sta->ht_capabilities;
721 	params.vht_capabilities = sta->vht_capabilities;
722 	params.flags |= WPA_STA_WMM;
723 	params.flags_mask |= WPA_STA_AUTHENTICATED;
724 	if (conf->security == MESH_CONF_SEC_NONE) {
725 		params.flags |= WPA_STA_AUTHORIZED;
726 		params.flags |= WPA_STA_AUTHENTICATED;
727 	} else {
728 		sta->flags |= WLAN_STA_MFP;
729 		params.flags |= WPA_STA_MFP;
730 	}
731 
732 	ret = wpa_drv_sta_add(wpa_s, &params);
733 	if (ret) {
734 		wpa_msg(wpa_s, MSG_ERROR,
735 			"Driver failed to insert " MACSTR ": %d",
736 			MAC2STR(addr), ret);
737 		ap_free_sta(data, sta);
738 		return NULL;
739 	}
740 
741 	return sta;
742 }
743 
744 
745 void wpa_mesh_new_mesh_peer(struct wpa_supplicant *wpa_s, const u8 *addr,
746 			    struct ieee802_11_elems *elems)
747 {
748 	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
749 	struct hostapd_data *data = wpa_s->ifmsh->bss[0];
750 	struct sta_info *sta;
751 	struct wpa_ssid *ssid = wpa_s->current_ssid;
752 
753 	sta = mesh_mpm_add_peer(wpa_s, addr, elems);
754 	if (!sta)
755 		return;
756 
757 	if (ssid && ssid->no_auto_peer &&
758 	    (is_zero_ether_addr(data->mesh_required_peer) ||
759 	     os_memcmp(data->mesh_required_peer, addr, ETH_ALEN) != 0)) {
760 		wpa_msg(wpa_s, MSG_INFO, "will not initiate new peer link with "
761 			MACSTR " because of no_auto_peer", MAC2STR(addr));
762 		if (data->mesh_pending_auth) {
763 			struct os_reltime age;
764 			const struct ieee80211_mgmt *mgmt;
765 			struct hostapd_frame_info fi;
766 
767 			mgmt = wpabuf_head(data->mesh_pending_auth);
768 			os_reltime_age(&data->mesh_pending_auth_time, &age);
769 			if (age.sec < 2 &&
770 			    os_memcmp(mgmt->sa, addr, ETH_ALEN) == 0) {
771 				wpa_printf(MSG_DEBUG,
772 					   "mesh: Process pending Authentication frame from %u.%06u seconds ago",
773 					   (unsigned int) age.sec,
774 					   (unsigned int) age.usec);
775 				os_memset(&fi, 0, sizeof(fi));
776 				ieee802_11_mgmt(
777 					data,
778 					wpabuf_head(data->mesh_pending_auth),
779 					wpabuf_len(data->mesh_pending_auth),
780 					&fi);
781 			}
782 			wpabuf_free(data->mesh_pending_auth);
783 			data->mesh_pending_auth = NULL;
784 		}
785 		return;
786 	}
787 
788 	if (conf->security == MESH_CONF_SEC_NONE) {
789 		if (sta->plink_state < PLINK_OPN_SNT ||
790 		    sta->plink_state > PLINK_ESTAB)
791 			mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_SNT);
792 	} else {
793 		mesh_rsn_auth_sae_sta(wpa_s, sta);
794 	}
795 }
796 
797 
798 void mesh_mpm_mgmt_rx(struct wpa_supplicant *wpa_s, struct rx_mgmt *rx_mgmt)
799 {
800 	struct hostapd_frame_info fi;
801 
802 	os_memset(&fi, 0, sizeof(fi));
803 	fi.datarate = rx_mgmt->datarate;
804 	fi.ssi_signal = rx_mgmt->ssi_signal;
805 	ieee802_11_mgmt(wpa_s->ifmsh->bss[0], rx_mgmt->frame,
806 			rx_mgmt->frame_len, &fi);
807 }
808 
809 
810 static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s,
811 				 struct sta_info *sta)
812 {
813 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
814 	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
815 	u8 seq[6] = {};
816 
817 	wpa_msg(wpa_s, MSG_INFO, "mesh plink with " MACSTR " established",
818 		MAC2STR(sta->addr));
819 
820 	if (conf->security & MESH_CONF_SEC_AMPE) {
821 		wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len);
822 		wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher),
823 				sta->addr, 0, 0, seq, sizeof(seq),
824 				sta->mtk, sta->mtk_len);
825 
826 		wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC",
827 				sta->mgtk_rsc, sizeof(sta->mgtk_rsc));
828 		wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK",
829 				sta->mgtk, sta->mgtk_len);
830 		wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher),
831 				sta->addr, sta->mgtk_key_id, 0,
832 				sta->mgtk_rsc, sizeof(sta->mgtk_rsc),
833 				sta->mgtk, sta->mgtk_len);
834 
835 		if (sta->igtk_len) {
836 			wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK Key RSC",
837 					sta->igtk_rsc, sizeof(sta->igtk_rsc));
838 			wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK",
839 					sta->igtk, sta->igtk_len);
840 			wpa_drv_set_key(
841 				wpa_s,
842 				wpa_cipher_to_alg(conf->mgmt_group_cipher),
843 				sta->addr, sta->igtk_key_id, 0,
844 				sta->igtk_rsc, sizeof(sta->igtk_rsc),
845 				sta->igtk, sta->igtk_len);
846 		}
847 	}
848 
849 	wpa_mesh_set_plink_state(wpa_s, sta, PLINK_ESTAB);
850 	hapd->num_plinks++;
851 
852 	sta->flags |= WLAN_STA_ASSOC;
853 	sta->mesh_sae_pmksa_caching = 0;
854 
855 	eloop_cancel_timeout(peer_add_timer, wpa_s, NULL);
856 	peer_add_timer(wpa_s, NULL);
857 	eloop_cancel_timeout(plink_timer, wpa_s, sta);
858 
859 	/* Send ctrl event */
860 	wpa_msg(wpa_s, MSG_INFO, MESH_PEER_CONNECTED MACSTR,
861 		MAC2STR(sta->addr));
862 
863 	/* Send D-Bus event */
864 	wpas_notify_mesh_peer_connected(wpa_s, sta->addr);
865 }
866 
867 
868 static void mesh_mpm_fsm(struct wpa_supplicant *wpa_s, struct sta_info *sta,
869 			 enum plink_event event, u16 reason)
870 {
871 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
872 	struct mesh_conf *conf = wpa_s->ifmsh->mconf;
873 
874 	wpa_msg(wpa_s, MSG_DEBUG, "MPM " MACSTR " state %s event %s",
875 		MAC2STR(sta->addr), mplstate[sta->plink_state],
876 		mplevent[event]);
877 
878 	switch (sta->plink_state) {
879 	case PLINK_IDLE:
880 		switch (event) {
881 		case CLS_ACPT:
882 			mesh_mpm_fsm_restart(wpa_s, sta);
883 			break;
884 		case OPN_ACPT:
885 			mesh_mpm_plink_open(wpa_s, sta, PLINK_OPN_RCVD);
886 			mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CONFIRM,
887 						   0);
888 			break;
889 		case REQ_RJCT:
890 			mesh_mpm_send_plink_action(wpa_s, sta,
891 						   PLINK_CLOSE, reason);
892 			break;
893 		default:
894 			break;
895 		}
896 		break;
897 	case PLINK_OPN_SNT:
898 		switch (event) {
899 		case OPN_RJCT:
900 		case CNF_RJCT:
901 			if (!reason)
902 				reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION;
903 			/* fall-through */
904 		case CLS_ACPT:
905 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
906 			if (!reason)
907 				reason = WLAN_REASON_MESH_CLOSE_RCVD;
908 			eloop_register_timeout(
909 				conf->dot11MeshHoldingTimeout / 1000,
910 				(conf->dot11MeshHoldingTimeout % 1000) * 1000,
911 				plink_timer, wpa_s, sta);
912 			mesh_mpm_send_plink_action(wpa_s, sta,
913 						   PLINK_CLOSE, reason);
914 			break;
915 		case OPN_ACPT:
916 			/* retry timer is left untouched */
917 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_OPN_RCVD);
918 			mesh_mpm_send_plink_action(wpa_s, sta,
919 						   PLINK_CONFIRM, 0);
920 			break;
921 		case CNF_ACPT:
922 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_CNF_RCVD);
923 			eloop_cancel_timeout(plink_timer, wpa_s, sta);
924 			eloop_register_timeout(
925 				conf->dot11MeshConfirmTimeout / 1000,
926 				(conf->dot11MeshConfirmTimeout % 1000) * 1000,
927 				plink_timer, wpa_s, sta);
928 			break;
929 		default:
930 			break;
931 		}
932 		break;
933 	case PLINK_OPN_RCVD:
934 		switch (event) {
935 		case OPN_RJCT:
936 		case CNF_RJCT:
937 			if (!reason)
938 				reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION;
939 			/* fall-through */
940 		case CLS_ACPT:
941 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
942 			if (!reason)
943 				reason = WLAN_REASON_MESH_CLOSE_RCVD;
944 			eloop_register_timeout(
945 				conf->dot11MeshHoldingTimeout / 1000,
946 				(conf->dot11MeshHoldingTimeout % 1000) * 1000,
947 				plink_timer, wpa_s, sta);
948 			sta->mpm_close_reason = reason;
949 			mesh_mpm_send_plink_action(wpa_s, sta,
950 						   PLINK_CLOSE, reason);
951 			break;
952 		case OPN_ACPT:
953 			mesh_mpm_send_plink_action(wpa_s, sta,
954 						   PLINK_CONFIRM, 0);
955 			break;
956 		case CNF_ACPT:
957 			if (conf->security & MESH_CONF_SEC_AMPE)
958 				mesh_rsn_derive_mtk(wpa_s, sta);
959 			mesh_mpm_plink_estab(wpa_s, sta);
960 			break;
961 		default:
962 			break;
963 		}
964 		break;
965 	case PLINK_CNF_RCVD:
966 		switch (event) {
967 		case OPN_RJCT:
968 		case CNF_RJCT:
969 			if (!reason)
970 				reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION;
971 			/* fall-through */
972 		case CLS_ACPT:
973 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
974 			if (!reason)
975 				reason = WLAN_REASON_MESH_CLOSE_RCVD;
976 			eloop_register_timeout(
977 				conf->dot11MeshHoldingTimeout / 1000,
978 				(conf->dot11MeshHoldingTimeout % 1000) * 1000,
979 				plink_timer, wpa_s, sta);
980 			sta->mpm_close_reason = reason;
981 			mesh_mpm_send_plink_action(wpa_s, sta,
982 						   PLINK_CLOSE, reason);
983 			break;
984 		case OPN_ACPT:
985 			if (conf->security & MESH_CONF_SEC_AMPE)
986 				mesh_rsn_derive_mtk(wpa_s, sta);
987 			mesh_mpm_plink_estab(wpa_s, sta);
988 			mesh_mpm_send_plink_action(wpa_s, sta,
989 						   PLINK_CONFIRM, 0);
990 			break;
991 		default:
992 			break;
993 		}
994 		break;
995 	case PLINK_ESTAB:
996 		switch (event) {
997 		case OPN_RJCT:
998 		case CNF_RJCT:
999 		case CLS_ACPT:
1000 			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING);
1001 			if (!reason)
1002 				reason = WLAN_REASON_MESH_CLOSE_RCVD;
1003 
1004 			eloop_register_timeout(
1005 				conf->dot11MeshHoldingTimeout / 1000,
1006 				(conf->dot11MeshHoldingTimeout % 1000) * 1000,
1007 				plink_timer, wpa_s, sta);
1008 			sta->mpm_close_reason = reason;
1009 
1010 			wpa_msg(wpa_s, MSG_INFO, "mesh plink with " MACSTR
1011 				" closed with reason %d",
1012 				MAC2STR(sta->addr), reason);
1013 
1014 			wpa_msg(wpa_s, MSG_INFO, MESH_PEER_DISCONNECTED MACSTR,
1015 				MAC2STR(sta->addr));
1016 
1017 			/* Send D-Bus event */
1018 			wpas_notify_mesh_peer_disconnected(wpa_s, sta->addr,
1019 							   reason);
1020 
1021 			hapd->num_plinks--;
1022 
1023 			mesh_mpm_send_plink_action(wpa_s, sta,
1024 						   PLINK_CLOSE, reason);
1025 			break;
1026 		case OPN_ACPT:
1027 			mesh_mpm_send_plink_action(wpa_s, sta,
1028 						   PLINK_CONFIRM, 0);
1029 			break;
1030 		default:
1031 			break;
1032 		}
1033 		break;
1034 	case PLINK_HOLDING:
1035 		switch (event) {
1036 		case CLS_ACPT:
1037 			mesh_mpm_fsm_restart(wpa_s, sta);
1038 			break;
1039 		case OPN_ACPT:
1040 		case CNF_ACPT:
1041 		case OPN_RJCT:
1042 		case CNF_RJCT:
1043 			reason = sta->mpm_close_reason;
1044 			mesh_mpm_send_plink_action(wpa_s, sta,
1045 						   PLINK_CLOSE, reason);
1046 			break;
1047 		default:
1048 			break;
1049 		}
1050 		break;
1051 	default:
1052 		wpa_msg(wpa_s, MSG_DEBUG,
1053 			"Unsupported MPM event %s for state %s",
1054 			mplevent[event], mplstate[sta->plink_state]);
1055 		break;
1056 	}
1057 }
1058 
1059 
1060 void mesh_mpm_action_rx(struct wpa_supplicant *wpa_s,
1061 			const struct ieee80211_mgmt *mgmt, size_t len)
1062 {
1063 	u8 action_field;
1064 	struct hostapd_data *hapd = wpa_s->ifmsh->bss[0];
1065 	struct mesh_conf *mconf = wpa_s->ifmsh->mconf;
1066 	struct sta_info *sta;
1067 	u16 plid = 0, llid = 0, aid = 0;
1068 	enum plink_event event;
1069 	struct ieee802_11_elems elems;
1070 	struct mesh_peer_mgmt_ie peer_mgmt_ie;
1071 	const u8 *ies;
1072 	size_t ie_len;
1073 	int ret;
1074 	u16 reason = 0;
1075 
1076 	if (mgmt->u.action.category != WLAN_ACTION_SELF_PROTECTED)
1077 		return;
1078 
1079 	action_field = mgmt->u.action.u.slf_prot_action.action;
1080 	if (action_field != PLINK_OPEN &&
1081 	    action_field != PLINK_CONFIRM &&
1082 	    action_field != PLINK_CLOSE)
1083 		return;
1084 
1085 	ies = mgmt->u.action.u.slf_prot_action.variable;
1086 	ie_len = (const u8 *) mgmt + len -
1087 		mgmt->u.action.u.slf_prot_action.variable;
1088 
1089 	/* at least expect mesh id and peering mgmt */
1090 	if (ie_len < 2 + 2) {
1091 		wpa_printf(MSG_DEBUG,
1092 			   "MPM: Ignore too short action frame %u ie_len %u",
1093 			   action_field, (unsigned int) ie_len);
1094 		return;
1095 	}
1096 	wpa_printf(MSG_DEBUG, "MPM: Received PLINK action %u", action_field);
1097 
1098 	if (action_field == PLINK_OPEN || action_field == PLINK_CONFIRM) {
1099 		wpa_printf(MSG_DEBUG, "MPM: Capability 0x%x",
1100 			   WPA_GET_LE16(ies));
1101 		ies += 2;	/* capability */
1102 		ie_len -= 2;
1103 	}
1104 	if (action_field == PLINK_CONFIRM) {
1105 		aid = WPA_GET_LE16(ies);
1106 		wpa_printf(MSG_DEBUG, "MPM: AID 0x%x", aid);
1107 		ies += 2;	/* aid */
1108 		ie_len -= 2;
1109 	}
1110 
1111 	/* check for mesh peering, mesh id and mesh config IEs */
1112 	if (ieee802_11_parse_elems(ies, ie_len, &elems, 0) == ParseFailed) {
1113 		wpa_printf(MSG_DEBUG, "MPM: Failed to parse PLINK IEs");
1114 		return;
1115 	}
1116 	if (!elems.peer_mgmt) {
1117 		wpa_printf(MSG_DEBUG,
1118 			   "MPM: No Mesh Peering Management element");
1119 		return;
1120 	}
1121 	if (action_field != PLINK_CLOSE) {
1122 		if (!elems.mesh_id || !elems.mesh_config) {
1123 			wpa_printf(MSG_DEBUG,
1124 				   "MPM: No Mesh ID or Mesh Configuration element");
1125 			return;
1126 		}
1127 
1128 		if (!matches_local(wpa_s, &elems)) {
1129 			wpa_printf(MSG_DEBUG,
1130 				   "MPM: Mesh ID or Mesh Configuration element do not match local MBSS");
1131 			return;
1132 		}
1133 	}
1134 
1135 	ret = mesh_mpm_parse_peer_mgmt(wpa_s, action_field,
1136 				       elems.peer_mgmt,
1137 				       elems.peer_mgmt_len,
1138 				       &peer_mgmt_ie);
1139 	if (ret) {
1140 		wpa_printf(MSG_DEBUG, "MPM: Mesh parsing rejected frame");
1141 		return;
1142 	}
1143 
1144 	/* the sender's llid is our plid and vice-versa */
1145 	plid = WPA_GET_LE16(peer_mgmt_ie.llid);
1146 	if (peer_mgmt_ie.plid)
1147 		llid = WPA_GET_LE16(peer_mgmt_ie.plid);
1148 	wpa_printf(MSG_DEBUG, "MPM: plid=0x%x llid=0x%x", plid, llid);
1149 
1150 	if (action_field == PLINK_CLOSE)
1151 		wpa_printf(MSG_DEBUG, "MPM: close reason=%u",
1152 			   WPA_GET_LE16(peer_mgmt_ie.reason));
1153 
1154 	sta = ap_get_sta(hapd, mgmt->sa);
1155 
1156 	/*
1157 	 * If this is an open frame from an unknown STA, and this is an
1158 	 * open mesh, then go ahead and add the peer before proceeding.
1159 	 */
1160 	if (!sta && action_field == PLINK_OPEN &&
1161 	    (!(mconf->security & MESH_CONF_SEC_AMPE) ||
1162 	     wpa_auth_pmksa_get(hapd->wpa_auth, mgmt->sa, NULL)))
1163 		sta = mesh_mpm_add_peer(wpa_s, mgmt->sa, &elems);
1164 
1165 	if (!sta) {
1166 		wpa_printf(MSG_DEBUG, "MPM: No STA entry for peer");
1167 		return;
1168 	}
1169 
1170 #ifdef CONFIG_SAE
1171 	/* peer is in sae_accepted? */
1172 	if (sta->sae && sta->sae->state != SAE_ACCEPTED) {
1173 		wpa_printf(MSG_DEBUG, "MPM: SAE not yet accepted for peer");
1174 		return;
1175 	}
1176 #endif /* CONFIG_SAE */
1177 
1178 	if (!sta->my_lid)
1179 		mesh_mpm_init_link(wpa_s, sta);
1180 
1181 	if (mconf->security & MESH_CONF_SEC_AMPE) {
1182 		int res;
1183 
1184 		res = mesh_rsn_process_ampe(wpa_s, sta, &elems,
1185 					    &mgmt->u.action.category,
1186 					    peer_mgmt_ie.chosen_pmk,
1187 					    ies, ie_len);
1188 		if (res) {
1189 			wpa_printf(MSG_DEBUG,
1190 				   "MPM: RSN process rejected frame (res=%d)",
1191 				   res);
1192 			if (action_field == PLINK_OPEN && res == -2) {
1193 				/* AES-SIV decryption failed */
1194 				mesh_mpm_fsm(wpa_s, sta, OPN_RJCT,
1195 					     WLAN_REASON_MESH_INVALID_GTK);
1196 			}
1197 			return;
1198 		}
1199 	}
1200 
1201 	if (sta->plink_state == PLINK_BLOCKED) {
1202 		wpa_printf(MSG_DEBUG, "MPM: PLINK_BLOCKED");
1203 		return;
1204 	}
1205 
1206 	/* Now we will figure out the appropriate event... */
1207 	switch (action_field) {
1208 	case PLINK_OPEN:
1209 		if (plink_free_count(hapd) == 0) {
1210 			event = REQ_RJCT;
1211 			reason = WLAN_REASON_MESH_MAX_PEERS;
1212 			wpa_printf(MSG_INFO,
1213 				   "MPM: Peer link num over quota(%d)",
1214 				   hapd->max_plinks);
1215 		} else if (sta->peer_lid && sta->peer_lid != plid) {
1216 			wpa_printf(MSG_DEBUG,
1217 				   "MPM: peer_lid mismatch: 0x%x != 0x%x",
1218 				   sta->peer_lid, plid);
1219 			return; /* no FSM event */
1220 		} else {
1221 			sta->peer_lid = plid;
1222 			event = OPN_ACPT;
1223 		}
1224 		break;
1225 	case PLINK_CONFIRM:
1226 		if (plink_free_count(hapd) == 0) {
1227 			event = REQ_RJCT;
1228 			reason = WLAN_REASON_MESH_MAX_PEERS;
1229 			wpa_printf(MSG_INFO,
1230 				   "MPM: Peer link num over quota(%d)",
1231 				   hapd->max_plinks);
1232 		} else if (sta->my_lid != llid ||
1233 			   (sta->peer_lid && sta->peer_lid != plid)) {
1234 			wpa_printf(MSG_DEBUG,
1235 				   "MPM: lid mismatch: my_lid: 0x%x != 0x%x or peer_lid: 0x%x != 0x%x",
1236 				   sta->my_lid, llid, sta->peer_lid, plid);
1237 			return; /* no FSM event */
1238 		} else {
1239 			if (!sta->peer_lid)
1240 				sta->peer_lid = plid;
1241 			sta->peer_aid = aid;
1242 			event = CNF_ACPT;
1243 		}
1244 		break;
1245 	case PLINK_CLOSE:
1246 		if (sta->plink_state == PLINK_ESTAB)
1247 			/* Do not check for llid or plid. This does not
1248 			 * follow the standard but since multiple plinks
1249 			 * per cand are not supported, it is necessary in
1250 			 * order to avoid a livelock when MP A sees an
1251 			 * establish peer link to MP B but MP B does not
1252 			 * see it. This can be caused by a timeout in
1253 			 * B's peer link establishment or B being
1254 			 * restarted.
1255 			 */
1256 			event = CLS_ACPT;
1257 		else if (sta->peer_lid != plid) {
1258 			wpa_printf(MSG_DEBUG,
1259 				   "MPM: peer_lid mismatch: 0x%x != 0x%x",
1260 				   sta->peer_lid, plid);
1261 			return; /* no FSM event */
1262 		} else if (peer_mgmt_ie.plid && sta->my_lid != llid) {
1263 			wpa_printf(MSG_DEBUG,
1264 				   "MPM: my_lid mismatch: 0x%x != 0x%x",
1265 				   sta->my_lid, llid);
1266 			return; /* no FSM event */
1267 		} else {
1268 			event = CLS_ACPT;
1269 		}
1270 		break;
1271 	default:
1272 		/*
1273 		 * This cannot be hit due to the action_field check above, but
1274 		 * compilers may not be able to figure that out and can warn
1275 		 * about uninitialized event below.
1276 		 */
1277 		return;
1278 	}
1279 	mesh_mpm_fsm(wpa_s, sta, event, reason);
1280 }
1281 
1282 
1283 /* called by ap_free_sta */
1284 void mesh_mpm_free_sta(struct hostapd_data *hapd, struct sta_info *sta)
1285 {
1286 	if (sta->plink_state == PLINK_ESTAB)
1287 		hapd->num_plinks--;
1288 	eloop_cancel_timeout(plink_timer, ELOOP_ALL_CTX, sta);
1289 	eloop_cancel_timeout(mesh_auth_timer, ELOOP_ALL_CTX, sta);
1290 }
1291