krackattacks/src/fst/fst_session.c

/*
 * FST module - FST Session implementation
 * Copyright (c) 2014, Qualcomm Atheros, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "utils/includes.h"

#include "utils/common.h"
#include "utils/eloop.h"
#include "common/defs.h"
#include "fst/fst_internal.h"
#include "fst/fst_defs.h"
#include "fst/fst_ctrl_iface.h"
#ifdef CONFIG_FST_TEST
#include "fst/fst_ctrl_defs.h"
#endif /* CONFIG_FST_TEST */

#define US_80211_TU 1024

#define US_TO_TU(m) ((m) * / US_80211_TU)
#define TU_TO_US(m) ((m) * US_80211_TU)

#define FST_LLT_SWITCH_IMMEDIATELY 0

#define fst_printf_session(s, level, format, ...) \
	fst_printf((level), "%u (0x%08x): [" MACSTR "," MACSTR "] :" format, \
		   (s)->id, (s)->data.fsts_id, \
		   MAC2STR((s)->data.old_peer_addr), \
		   MAC2STR((s)->data.new_peer_addr), \
		   ##__VA_ARGS__)

#define fst_printf_siface(s, iface, level, format, ...) \
	fst_printf_session((s), (level), "%s: " format, \
			   fst_iface_get_name(iface), ##__VA_ARGS__)

#define fst_printf_sframe(s, is_old, level, format, ...) \
	fst_printf_siface((s), \
		(is_old) ? (s)->data.old_iface : (s)->data.new_iface, \
		(level), format, ##__VA_ARGS__)

#define FST_LLT_MS_DEFAULT 50
#define FST_ACTION_MAX_SUPPORTED   FST_ACTION_ON_CHANNEL_TUNNEL

const char * const fst_action_names[] = {
	[FST_ACTION_SETUP_REQUEST]     = "Setup Request",
	[FST_ACTION_SETUP_RESPONSE]    = "Setup Response",
	[FST_ACTION_TEAR_DOWN]         = "Tear Down",
	[FST_ACTION_ACK_REQUEST]       = "Ack Request",
	[FST_ACTION_ACK_RESPONSE]      = "Ack Response",
	[FST_ACTION_ON_CHANNEL_TUNNEL] = "On Channel Tunnel",
};

struct fst_session {
	struct {
		/* Session configuration that can be zeroed on reset */
		u8 old_peer_addr[ETH_ALEN];
		u8 new_peer_addr[ETH_ALEN];
		struct fst_iface *new_iface;
		struct fst_iface *old_iface;
		u32 llt_ms;
		u8 pending_setup_req_dlgt;
		u32 fsts_id; /* FSTS ID, see spec, 8.4.2.147
			      * Session Transition element */
	} data;
	/* Session object internal fields which won't be zeroed on reset */
	struct dl_list global_sessions_lentry;
	u32 id; /* Session object ID used to identify
		 * specific session object */
	struct fst_group *group;
	enum fst_session_state state;
	Boolean stt_armed;
};

static struct dl_list global_sessions_list;
static u32 global_session_id = 0;

#define foreach_fst_session(s) \
	dl_list_for_each((s), &global_sessions_list, \
			 struct fst_session, global_sessions_lentry)

#define foreach_fst_session_safe(s, temp) \
	dl_list_for_each_safe((s), (temp), &global_sessions_list, \
			      struct fst_session, global_sessions_lentry)


static void fst_session_global_inc_id(void)
{
	global_session_id++;
	if (global_session_id == FST_INVALID_SESSION_ID)
		global_session_id++;
}


int fst_session_global_init(void)
{
	dl_list_init(&global_sessions_list);
	return 0;
}


void fst_session_global_deinit(void)
{
	WPA_ASSERT(dl_list_empty(&global_sessions_list));
}


static inline void fst_session_notify_ctrl(struct fst_session *s,
					   enum fst_event_type event_type,
					   union fst_event_extra *extra)
{
	foreach_fst_ctrl_call(on_event, event_type, NULL, s, extra);
}


static void fst_session_set_state(struct fst_session *s,
				  enum fst_session_state state,
				  union fst_session_state_switch_extra *extra)
{
	if (s->state != state) {
		union fst_event_extra evext = {
			.session_state = {
				.old_state = s->state,
				.new_state = state,
			},
		};

		if (extra)
			evext.session_state.extra = *extra;
		fst_session_notify_ctrl(s, EVENT_FST_SESSION_STATE_CHANGED,
					&evext);
		fst_printf_session(s, MSG_INFO, "State: %s => %s",
				   fst_session_state_name(s->state),
				   fst_session_state_name(state));
		s->state = state;
	}
}


static u32 fst_find_free_session_id(void)
{
	u32 i, id = FST_INVALID_SESSION_ID;
	struct fst_session *s;

	for (i = 0; i < (u32) -1; i++) {
		Boolean in_use = FALSE;

		foreach_fst_session(s) {
			if (s->id == global_session_id) {
				fst_session_global_inc_id();
				in_use = TRUE;
				break;
			}
		}
		if (!in_use) {
			id = global_session_id;
			fst_session_global_inc_id();
			break;
		}
	}

	return id;
}


static void fst_session_timeout_handler(void *eloop_data, void *user_ctx)
{
	struct fst_session *s = user_ctx;
	union fst_session_state_switch_extra extra = {
		.to_initial = {
			.reason = REASON_STT,
		},
	};

	fst_printf_session(s, MSG_WARNING, "Session State Timeout");
	fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &extra);
}


static void fst_session_stt_arm(struct fst_session *s)
{
	/* Action frames sometimes get delayed. Use relaxed timeout (2*) */
	eloop_register_timeout(0, 2 * TU_TO_US(FST_DEFAULT_SESSION_TIMEOUT_TU),
			       fst_session_timeout_handler, NULL, s);
	s->stt_armed = TRUE;
}


static void fst_session_stt_disarm(struct fst_session *s)
{
	if (s->stt_armed) {
		eloop_cancel_timeout(fst_session_timeout_handler, NULL, s);
		s->stt_armed = FALSE;
	}
}


static Boolean fst_session_is_in_transition(struct fst_session *s)
{
	/* See spec, 10.32.2.2  Transitioning between states */
	return s->stt_armed;
}


static int fst_session_is_in_progress(struct fst_session *s)
{
	return s->state != FST_SESSION_STATE_INITIAL;
}


static int fst_session_is_ready_pending(struct fst_session *s)
{
	return s->state == FST_SESSION_STATE_SETUP_COMPLETION &&
		fst_session_is_in_transition(s);
}


static int fst_session_is_ready(struct fst_session *s)
{
	return s->state == FST_SESSION_STATE_SETUP_COMPLETION &&
		!fst_session_is_in_transition(s);
}


static int fst_session_is_switch_requested(struct fst_session *s)
{
	return s->state == FST_SESSION_STATE_TRANSITION_DONE &&
		fst_session_is_in_transition(s);
}


static struct fst_session *
fst_find_session_in_progress(const u8 *peer_addr, struct fst_group *g)
{
	struct fst_session *s;

	foreach_fst_session(s) {
		if (s->group == g &&
		    (os_memcmp(s->data.old_peer_addr, peer_addr,
			       ETH_ALEN) == 0 ||
		     os_memcmp(s->data.new_peer_addr, peer_addr,
			       ETH_ALEN) == 0) &&
		    fst_session_is_in_progress(s))
			return s;
	}

	return NULL;
}


static void fst_session_reset_ex(struct fst_session *s, enum fst_reason reason)
{
	union fst_session_state_switch_extra evext = {
		.to_initial = {
			.reason = reason,
		},
	};

	if (s->state == FST_SESSION_STATE_SETUP_COMPLETION ||
	    s->state == FST_SESSION_STATE_TRANSITION_DONE)
		fst_session_tear_down_setup(s);
	fst_session_stt_disarm(s);
	os_memset(&s->data, 0, sizeof(s->data));
	fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
}


static int fst_session_send_action(struct fst_session *s, Boolean old_iface,
				   const void *payload, size_t size,
				   const struct wpabuf *extra_buf)
{
	size_t len;
	int res;
	struct wpabuf *buf;
	u8 action;
	struct fst_iface *iface =
		old_iface ? s->data.old_iface : s->data.new_iface;

	WPA_ASSERT(payload != NULL);
	WPA_ASSERT(size != 0);

	action = *(const u8 *) payload;

	WPA_ASSERT(action <= FST_ACTION_MAX_SUPPORTED);

	if (!iface) {
		fst_printf_session(s, MSG_ERROR,
				   "no %s interface for FST Action '%s' sending",
				   old_iface ? "old" : "new",
				   fst_action_names[action]);
		return -1;
	}

	len = sizeof(u8) /* category */ + size;
	if (extra_buf)
		len += wpabuf_size(extra_buf);

	buf = wpabuf_alloc(len);
	if (!buf) {
		fst_printf_session(s, MSG_ERROR,
				   "cannot allocate buffer of %zu bytes for FST Action '%s' sending",
				   len, fst_action_names[action]);
		return -1;
	}

	wpabuf_put_u8(buf, WLAN_ACTION_FST);
	wpabuf_put_data(buf, payload, size);
	if (extra_buf)
		wpabuf_put_buf(buf, extra_buf);

	res = fst_iface_send_action(iface,
				    old_iface ? s->data.old_peer_addr :
				    s->data.new_peer_addr, buf);
	if (res < 0)
		fst_printf_siface(s, iface, MSG_ERROR,
				  "failed to send FST Action '%s'",
				  fst_action_names[action]);
	else
		fst_printf_siface(s, iface, MSG_DEBUG, "FST Action '%s' sent",
				  fst_action_names[action]);
	wpabuf_free(buf);

	return res;
}


static int fst_session_send_tear_down(struct fst_session *s)
{
	struct fst_tear_down td;
	int res;

	if (!fst_session_is_in_progress(s)) {
		fst_printf_session(s, MSG_ERROR, "No FST setup to tear down");
		return -1;
	}

	WPA_ASSERT(s->data.old_iface != NULL);
	WPA_ASSERT(s->data.new_iface != NULL);

	os_memset(&td, 0, sizeof(td));

	td.action = FST_ACTION_TEAR_DOWN;
	td.fsts_id = host_to_le32(s->data.fsts_id);

	res = fst_session_send_action(s, TRUE, &td, sizeof(td), NULL);
	if (!res)
		fst_printf_sframe(s, TRUE, MSG_INFO, "FST TearDown sent");
	else
		fst_printf_sframe(s, TRUE, MSG_ERROR,
				  "failed to send FST TearDown");

	return res;
}


static void fst_session_handle_setup_request(struct fst_iface *iface,
					     const struct ieee80211_mgmt *mgmt,
					     size_t frame_len)
{
	struct fst_session *s;
	const struct fst_setup_req *req;
	struct fst_iface *new_iface = NULL;
	struct fst_group *g;
	u8 new_iface_peer_addr[ETH_ALEN];
	const struct wpabuf *peer_mbies;
	size_t plen;

	if (frame_len < IEEE80211_HDRLEN + 1 + sizeof(*req))  {
		fst_printf_iface(iface, MSG_WARNING,
				 "FST Request dropped: too short (%zu < %zu)",
				 frame_len,
				 IEEE80211_HDRLEN + 1 + sizeof(*req));
		return;
	}
	plen = frame_len - IEEE80211_HDRLEN - 1;
	req = (const struct fst_setup_req *)
		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
	if (req->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
	    req->stie.length < 11) {
		fst_printf_iface(iface, MSG_WARNING,
				 "FST Request dropped: invalid STIE");
		return;
	}

	if (req->stie.new_band_id == req->stie.old_band_id) {
		fst_printf_iface(iface, MSG_WARNING,
				 "FST Request dropped: new and old band IDs are the same");
		return;
	}

	g = fst_iface_get_group(iface);

	if (plen > sizeof(*req)) {
		fst_iface_update_mb_ie(iface, mgmt->sa, (const u8 *) (req + 1),
				       plen - sizeof(*req));
		fst_printf_iface(iface, MSG_INFO,
				 "FST Request: MB IEs updated for " MACSTR,
				 MAC2STR(mgmt->sa));
	}

	peer_mbies = fst_iface_get_peer_mb_ie(iface, mgmt->sa);
	if (peer_mbies) {
		new_iface = fst_group_get_new_iface_by_stie_and_mbie(
			g, wpabuf_head(peer_mbies), wpabuf_len(peer_mbies),
			&req->stie, new_iface_peer_addr);
		if (new_iface)
			fst_printf_iface(iface, MSG_INFO,
					 "FST Request: new iface (%s:" MACSTR
					 ") found by MB IEs",
					 fst_iface_get_name(new_iface),
					 MAC2STR(new_iface_peer_addr));
	}

	if (!new_iface) {
		new_iface = fst_group_find_new_iface_by_stie(
			g, iface, mgmt->sa, &req->stie,
			new_iface_peer_addr);
		if (new_iface)
			fst_printf_iface(iface, MSG_INFO,
					 "FST Request: new iface (%s:" MACSTR
					 ") found by others",
					 fst_iface_get_name(new_iface),
					 MAC2STR(new_iface_peer_addr));
	}

	if (!new_iface) {
		fst_printf_iface(iface, MSG_WARNING,
				 "FST Request dropped: new iface not found");
		return;
	}

	s = fst_find_session_in_progress(mgmt->sa, g);
	if (s) {
		union fst_session_state_switch_extra evext = {
			.to_initial = {
				.reason = REASON_SETUP,
			},
		};

		/*
		 * 10.32.2.2  Transitioning between states:
		 * Upon receipt of an FST Setup Request frame, the responder
		 * shall respond with an FST Setup Response frame unless it has
		 * a pending FST Setup Request frame addressed to the initiator
		 * and the responder has a numerically larger MAC address than
		 * the initiator’s MAC address, in which case, the responder
		 * shall delete the received FST Setup Request.
		 */
		if (fst_session_is_ready_pending(s) &&
		    /* waiting for Setup Response */
		    os_memcmp(mgmt->da, mgmt->sa, ETH_ALEN) > 0) {
			fst_printf_session(s, MSG_WARNING,
					   "FST Request dropped due to MAC comparison (our MAC is "
					   MACSTR ")",
					   MAC2STR(mgmt->da));
			return;
		}

		/*
		 * State is SETUP_COMPLETION (either in transition or not) or
		 * TRANSITION_DONE (in transition).
		 * Setup Request arriving in this state could mean:
		 * 1. peer sent it before receiving our Setup Request (race
		 *    condition)
		 * 2. peer didn't receive our Setup Response. Peer is retrying
		 *    after STT timeout
		 * 3. peer's FST state machines are out of sync due to some
		 *    other reason
		 *
		 * We will reset our session and create a new one instead.
		 */

		fst_printf_session(s, MSG_WARNING,
			"resetting due to FST request");

		/*
		 * If FST Setup Request arrived with the same FSTS ID as one we
		 * initialized before, there's no need to tear down the session.
		 * Moreover, as FSTS ID is the same, the other side will
		 * associate this tear down with the session it initiated that
		 * will break the sync.
		 */
		if (le_to_host32(req->stie.fsts_id) != s->data.fsts_id)
			fst_session_send_tear_down(s);
		else
			fst_printf_session(s, MSG_WARNING,
					   "Skipping TearDown as the FST request has the same FSTS ID as initiated");
		fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
		fst_session_stt_disarm(s);
	}

	s = fst_session_create(g);
	if (!s) {
		fst_printf(MSG_WARNING,
			   "FST Request dropped: cannot create session for %s and %s",
			   fst_iface_get_name(iface),
			   fst_iface_get_name(new_iface));
		return;
	}

	fst_session_set_iface(s, iface, TRUE);
	fst_session_set_peer_addr(s, mgmt->sa, TRUE);
	fst_session_set_iface(s, new_iface, FALSE);
	fst_session_set_peer_addr(s, new_iface_peer_addr, FALSE);
	fst_session_set_llt(s, FST_LLT_VAL_TO_MS(le_to_host32(req->llt)));
	s->data.pending_setup_req_dlgt = req->dialog_token;
	s->data.fsts_id = le_to_host32(req->stie.fsts_id);

	fst_session_stt_arm(s);

	fst_session_notify_ctrl(s, EVENT_FST_SETUP, NULL);

	fst_session_set_state(s, FST_SESSION_STATE_SETUP_COMPLETION, NULL);
}


static void fst_session_handle_setup_response(struct fst_session *s,
					      struct fst_iface *iface,
					      const struct ieee80211_mgmt *mgmt,
					      size_t frame_len)
{
	const struct fst_setup_res *res;
	size_t plen = frame_len - IEEE80211_HDRLEN - 1;
	enum hostapd_hw_mode hw_mode;
	u8 channel;
	union fst_session_state_switch_extra evext = {
		.to_initial = {
			.reject_code = 0,
		},
	};

	if (iface != s->data.old_iface) {
		fst_printf_session(s, MSG_WARNING,
				   "FST Response dropped: %s is not the old iface",
				   fst_iface_get_name(iface));
		return;
	}

	if (!fst_session_is_ready_pending(s)) {
		fst_printf_session(s, MSG_WARNING,
				   "FST Response dropped due to wrong state: %s",
				   fst_session_state_name(s->state));
		return;
	}

	if (plen < sizeof(*res)) {
		fst_printf_session(s, MSG_WARNING,
				   "Too short FST Response dropped");
		return;
	}
	res = (const struct fst_setup_res *)
		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
	if (res->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
	    res->stie.length < 11) {
		fst_printf_iface(iface, MSG_WARNING,
				 "FST Response dropped: invalid STIE");
		return;
	}

	if (res->dialog_token != s->data.pending_setup_req_dlgt)  {
		fst_printf_session(s, MSG_WARNING,
				   "FST Response dropped due to wrong dialog token (%u != %u)",
				   s->data.pending_setup_req_dlgt,
				   res->dialog_token);
		return;
	}

	if (res->status_code == WLAN_STATUS_SUCCESS &&
	    le_to_host32(res->stie.fsts_id) != s->data.fsts_id) {
		fst_printf_session(s, MSG_WARNING,
				   "FST Response dropped due to wrong FST Session ID (%u)",
				   le_to_host32(res->stie.fsts_id));
		return;
	}

	fst_session_stt_disarm(s);

	if (res->status_code != WLAN_STATUS_SUCCESS) {
		/*
		 * 10.32.2.2  Transitioning between states
		 * The initiator shall set the STT to the value of the
		 * FSTSessionTimeOut field at ... and at each ACK frame sent in
		 * response to a received FST Setup Response with the Status
		 * Code field equal to PENDING_ADMITTING_FST_SESSION or
		 * PENDING_GAP_IN_BA_WINDOW.
		 */
		evext.to_initial.reason = REASON_REJECT;
		evext.to_initial.reject_code = res->status_code;
		evext.to_initial.initiator = FST_INITIATOR_REMOTE;
		fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
		fst_printf_session(s, MSG_WARNING,
				   "FST Setup rejected by remote side with status %u",
				   res->status_code);
		return;
	}

	fst_iface_get_channel_info(s->data.new_iface, &hw_mode, &channel);

	if (fst_hw_mode_to_band(hw_mode) != res->stie.new_band_id) {
		evext.to_initial.reason = REASON_ERROR_PARAMS;
		fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
		fst_printf_session(s, MSG_WARNING,
				   "invalid FST Setup parameters");
		fst_session_tear_down_setup(s);
		return;
	}

	fst_printf_session(s, MSG_INFO,
			   "%s: FST Setup established for %s (llt=%u)",
			   fst_iface_get_name(s->data.old_iface),
			   fst_iface_get_name(s->data.new_iface),
			   s->data.llt_ms);

	fst_session_notify_ctrl(s, EVENT_FST_ESTABLISHED, NULL);

	if (s->data.llt_ms == FST_LLT_SWITCH_IMMEDIATELY)
		fst_session_initiate_switch(s);
}


static void fst_session_handle_tear_down(struct fst_session *s,
					 struct fst_iface *iface,
					 const struct ieee80211_mgmt *mgmt,
					 size_t frame_len)
{
	const struct fst_tear_down *td;
	size_t plen = frame_len - IEEE80211_HDRLEN - 1;
	union fst_session_state_switch_extra evext = {
		.to_initial = {
			.reason = REASON_TEARDOWN,
			.initiator = FST_INITIATOR_REMOTE,
		},
	};

	if (plen < sizeof(*td)) {
		fst_printf_session(s, MSG_WARNING,
				   "Too short FST Tear Down dropped");
		return;
	}
	td = (const struct fst_tear_down *)
		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);

	if (le_to_host32(td->fsts_id) != s->data.fsts_id) {
		fst_printf_siface(s, iface, MSG_WARNING,
				  "tear down for wrong FST Setup ID (%u)",
				  le_to_host32(td->fsts_id));
		return;
	}

	fst_session_stt_disarm(s);

	fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
}


static void fst_session_handle_ack_request(struct fst_session *s,
					   struct fst_iface *iface,
					   const struct ieee80211_mgmt *mgmt,
					   size_t frame_len)
{
	const struct fst_ack_req *req;
	size_t plen = frame_len - IEEE80211_HDRLEN - 1;
	struct fst_ack_res res;
	union fst_session_state_switch_extra evext = {
		.to_initial = {
			.reason = REASON_SWITCH,
			.initiator = FST_INITIATOR_REMOTE,
		},
	};

	if (!fst_session_is_ready(s) && !fst_session_is_switch_requested(s)) {
		fst_printf_siface(s, iface, MSG_ERROR,
				  "cannot initiate switch due to wrong session state (%s)",
				  fst_session_state_name(s->state));
		return;
	}

	WPA_ASSERT(s->data.new_iface != NULL);

	if (iface != s->data.new_iface) {
		fst_printf_siface(s, iface, MSG_ERROR,
				  "Ack received on wrong interface");
		return;
	}

	if (plen < sizeof(*req)) {
		fst_printf_session(s, MSG_WARNING,
				   "Too short FST Ack Request dropped");
		return;
	}
	req = (const struct fst_ack_req *)
		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);

	if (le_to_host32(req->fsts_id) != s->data.fsts_id) {
		fst_printf_siface(s, iface, MSG_WARNING,
				  "Ack for wrong FST Setup ID (%u)",
				  le_to_host32(req->fsts_id));
		return;
	}

	os_memset(&res, 0, sizeof(res));

	res.action = FST_ACTION_ACK_RESPONSE;
	res.dialog_token = req->dialog_token;
	res.fsts_id = req->fsts_id;

	if (!fst_session_send_action(s, FALSE, &res, sizeof(res), NULL)) {
		fst_printf_sframe(s, FALSE, MSG_INFO, "FST Ack Response sent");
		fst_session_stt_disarm(s);
		fst_session_set_state(s, FST_SESSION_STATE_TRANSITION_DONE,
				      NULL);
		fst_session_set_state(s, FST_SESSION_STATE_TRANSITION_CONFIRMED,
				      NULL);
		fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
	}
}


static void
fst_session_handle_ack_response(struct fst_session *s,
				struct fst_iface *iface,
				const struct ieee80211_mgmt *mgmt,
				size_t frame_len)
{
	const struct fst_ack_res *res;
	size_t plen = frame_len - IEEE80211_HDRLEN - 1;
	union fst_session_state_switch_extra evext = {
		.to_initial = {
			.reason = REASON_SWITCH,
			.initiator = FST_INITIATOR_LOCAL,
		},
	};

	if (!fst_session_is_switch_requested(s)) {
		fst_printf_siface(s, iface, MSG_ERROR,
				  "Ack Response in inappropriate session state (%s)",
				  fst_session_state_name(s->state));
		return;
	}

	WPA_ASSERT(s->data.new_iface != NULL);

	if (iface != s->data.new_iface) {
		fst_printf_siface(s, iface, MSG_ERROR,
				  "Ack response received on wrong interface");
		return;
	}

	if (plen < sizeof(*res)) {
		fst_printf_session(s, MSG_WARNING,
				   "Too short FST Ack Response dropped");
		return;
	}
	res = (const struct fst_ack_res *)
		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);

	if (le_to_host32(res->fsts_id) != s->data.fsts_id) {
		fst_printf_siface(s, iface, MSG_ERROR,
				  "Ack response for wrong FST Setup ID (%u)",
				  le_to_host32(res->fsts_id));
		return;
	}

	fst_session_set_state(s, FST_SESSION_STATE_TRANSITION_CONFIRMED, NULL);
	fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);

	fst_session_stt_disarm(s);
}


struct fst_session * fst_session_create(struct fst_group *g)
{
	struct fst_session *s;
	u32 id;

	WPA_ASSERT(!is_zero_ether_addr(own_addr));

	id = fst_find_free_session_id();
	if (id == FST_INVALID_SESSION_ID) {
		fst_printf(MSG_ERROR, "Cannot assign new session ID");
		return NULL;
	}

	s = os_zalloc(sizeof(*s));
	if (!s) {
		fst_printf(MSG_ERROR, "Cannot allocate new session object");
		return NULL;
	}

	s->id = id;
	s->group = g;
	s->state = FST_SESSION_STATE_INITIAL;

	s->data.llt_ms = FST_LLT_MS_DEFAULT;

	fst_printf(MSG_INFO, "Session %u created", s->id);

	dl_list_add_tail(&global_sessions_list, &s->global_sessions_lentry);

	foreach_fst_ctrl_call(on_session_added, s);

	return s;
}


void fst_session_set_iface(struct fst_session *s, struct fst_iface *iface,
			   Boolean is_old)
{
	if (is_old)
		s->data.old_iface = iface;
	else
		s->data.new_iface = iface;

}


void fst_session_set_llt(struct fst_session *s, u32 llt)
{
	s->data.llt_ms = llt;
}


void fst_session_set_peer_addr(struct fst_session *s, const u8 *addr,
			       Boolean is_old)
{
	u8 *a = is_old ? s->data.old_peer_addr : s->data.new_peer_addr;

	os_memcpy(a, addr, ETH_ALEN);
}


int fst_session_initiate_setup(struct fst_session *s)
{
	struct fst_setup_req req;
	int res;
	u32 fsts_id;
	u8 dialog_token;
	struct fst_session *_s;

	if (fst_session_is_in_progress(s)) {
		fst_printf_session(s, MSG_ERROR, "Session in progress");
		return -EINVAL;
	}

	if (is_zero_ether_addr(s->data.old_peer_addr)) {
		fst_printf_session(s, MSG_ERROR, "No old peer MAC address");
		return -EINVAL;
	}

	if (is_zero_ether_addr(s->data.new_peer_addr)) {
		fst_printf_session(s, MSG_ERROR, "No new peer MAC address");
		return -EINVAL;
	}

	if (!s->data.old_iface) {
		fst_printf_session(s, MSG_ERROR, "No old interface defined");
		return -EINVAL;
	}

	if (!s->data.new_iface) {
		fst_printf_session(s, MSG_ERROR, "No new interface defined");
		return -EINVAL;
	}

	if (s->data.new_iface == s->data.old_iface) {
		fst_printf_session(s, MSG_ERROR,
				   "Same interface set as old and new");
		return -EINVAL;
	}

	if (!fst_iface_is_connected(s->data.old_iface, s->data.old_peer_addr,
				    FALSE)) {
		fst_printf_session(s, MSG_ERROR,
				   "The preset old peer address is not connected");
		return -EINVAL;
	}

	if (!fst_iface_is_connected(s->data.new_iface, s->data.new_peer_addr,
				    FALSE)) {
		fst_printf_session(s, MSG_ERROR,
				   "The preset new peer address is not connected");
		return -EINVAL;
	}

	_s = fst_find_session_in_progress(s->data.old_peer_addr, s->group);
	if (_s) {
		fst_printf_session(s, MSG_ERROR,
				   "There is another session in progress (old): %u",
				   _s->id);
		return -EINVAL;
	}

	_s = fst_find_session_in_progress(s->data.new_peer_addr, s->group);
	if (_s) {
		fst_printf_session(s, MSG_ERROR,
				   "There is another session in progress (new): %u",
				   _s->id);
		return -EINVAL;
	}

	dialog_token = fst_group_assign_dialog_token(s->group);
	fsts_id = fst_group_assign_fsts_id(s->group);

	os_memset(&req, 0, sizeof(req));

	fst_printf_siface(s, s->data.old_iface, MSG_INFO,
		"initiating FST setup for %s (llt=%u ms)",
		fst_iface_get_name(s->data.new_iface), s->data.llt_ms);

	req.action = FST_ACTION_SETUP_REQUEST;
	req.dialog_token = dialog_token;
	req.llt = host_to_le32(FST_LLT_MS_TO_VAL(s->data.llt_ms));
	/* 8.4.2.147 Session Transition element */
	req.stie.element_id = WLAN_EID_SESSION_TRANSITION;
	req.stie.length = sizeof(req.stie) - 2;
	req.stie.fsts_id = host_to_le32(fsts_id);
	req.stie.session_control = SESSION_CONTROL(SESSION_TYPE_BSS, 0);

	req.stie.new_band_id = fst_iface_get_band_id(s->data.new_iface);
	req.stie.new_band_op = 1;
	req.stie.new_band_setup = 0;

	req.stie.old_band_id = fst_iface_get_band_id(s->data.old_iface);
	req.stie.old_band_op = 1;
	req.stie.old_band_setup = 0;

	res = fst_session_send_action(s, TRUE, &req, sizeof(req),
				      fst_iface_get_mbie(s->data.old_iface));
	if (!res) {
		s->data.fsts_id = fsts_id;
		s->data.pending_setup_req_dlgt = dialog_token;
		fst_printf_sframe(s, TRUE, MSG_INFO, "FST Setup Request sent");
		fst_session_set_state(s, FST_SESSION_STATE_SETUP_COMPLETION,
				      NULL);

		fst_session_stt_arm(s);
	}

	return res;
}


int fst_session_respond(struct fst_session *s, u8 status_code)
{
	struct fst_setup_res res;
	enum hostapd_hw_mode hw_mode;
	u8 channel;

	if (!fst_session_is_ready_pending(s)) {
		fst_printf_session(s, MSG_ERROR, "incorrect state: %s",
				   fst_session_state_name(s->state));
		return -EINVAL;
	}

	if (is_zero_ether_addr(s->data.old_peer_addr)) {
		fst_printf_session(s, MSG_ERROR, "No peer MAC address");
		return -EINVAL;
	}

	if (!s->data.old_iface) {
		fst_printf_session(s, MSG_ERROR, "No old interface defined");
		return -EINVAL;
	}

	if (!s->data.new_iface) {
		fst_printf_session(s, MSG_ERROR, "No new interface defined");
		return -EINVAL;
	}

	if (s->data.new_iface == s->data.old_iface) {
		fst_printf_session(s, MSG_ERROR,
				   "Same interface set as old and new");
		return -EINVAL;
	}

	if (!fst_iface_is_connected(s->data.old_iface,
				    s->data.old_peer_addr, FALSE)) {
		fst_printf_session(s, MSG_ERROR,
				   "The preset peer address is not in the peer list");
		return -EINVAL;
	}

	fst_session_stt_disarm(s);

	os_memset(&res, 0, sizeof(res));

	res.action = FST_ACTION_SETUP_RESPONSE;
	res.dialog_token = s->data.pending_setup_req_dlgt;
	res.status_code = status_code;

	res.stie.element_id = WLAN_EID_SESSION_TRANSITION;
	res.stie.length = sizeof(res.stie) - 2;

	if (status_code == WLAN_STATUS_SUCCESS) {
		res.stie.fsts_id = host_to_le32(s->data.fsts_id);
		res.stie.session_control = SESSION_CONTROL(SESSION_TYPE_BSS, 0);

		fst_iface_get_channel_info(s->data.new_iface, &hw_mode,
					   &channel);
		res.stie.new_band_id = fst_hw_mode_to_band(hw_mode);
		res.stie.new_band_op = 1;
		res.stie.new_band_setup = 0;

		fst_iface_get_channel_info(s->data.old_iface, &hw_mode,
					   &channel);
		res.stie.old_band_id = fst_hw_mode_to_band(hw_mode);
		res.stie.old_band_op = 1;
		res.stie.old_band_setup = 0;

		fst_printf_session(s, MSG_INFO,
				   "%s: FST Setup Request accepted for %s (llt=%u)",
				   fst_iface_get_name(s->data.old_iface),
				   fst_iface_get_name(s->data.new_iface),
				   s->data.llt_ms);
	} else {
		fst_printf_session(s, MSG_WARNING,
				   "%s: FST Setup Request rejected with code %d",
				   fst_iface_get_name(s->data.old_iface),
				   status_code);
	}

	if (fst_session_send_action(s, TRUE, &res, sizeof(res),
				    fst_iface_get_mbie(s->data.old_iface))) {
		fst_printf_sframe(s, TRUE, MSG_ERROR,
				  "cannot send FST Setup Response with code %d",
				  status_code);
		return -EINVAL;
	}

	fst_printf_sframe(s, TRUE, MSG_INFO, "FST Setup Response sent");

	if (status_code != WLAN_STATUS_SUCCESS) {
		union fst_session_state_switch_extra evext = {
			.to_initial = {
				.reason = REASON_REJECT,
				.reject_code = status_code,
				.initiator = FST_INITIATOR_LOCAL,
			},
		};
		fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);
	}

	return 0;
}


int fst_session_initiate_switch(struct fst_session *s)
{
	struct fst_ack_req req;
	int res;
	u8 dialog_token;

	if (!fst_session_is_ready(s)) {
		fst_printf_session(s, MSG_ERROR,
				   "cannot initiate switch due to wrong setup state (%d)",
				   s->state);
		return -1;
	}

	dialog_token = fst_group_assign_dialog_token(s->group);

	WPA_ASSERT(s->data.new_iface != NULL);
	WPA_ASSERT(s->data.old_iface != NULL);

	fst_printf_session(s, MSG_INFO, "initiating FST switch: %s => %s",
			   fst_iface_get_name(s->data.old_iface),
			   fst_iface_get_name(s->data.new_iface));

	os_memset(&req, 0, sizeof(req));

	req.action = FST_ACTION_ACK_REQUEST;
	req.dialog_token = dialog_token;
	req.fsts_id = host_to_le32(s->data.fsts_id);

	res = fst_session_send_action(s, FALSE, &req, sizeof(req), NULL);
	if (!res) {
		fst_printf_sframe(s, FALSE, MSG_INFO, "FST Ack Request sent");
		fst_session_set_state(s, FST_SESSION_STATE_TRANSITION_DONE,
				      NULL);
		fst_session_stt_arm(s);
	} else {
		fst_printf_sframe(s, FALSE, MSG_ERROR,
				  "Cannot send FST Ack Request");
	}

	return res;
}


void fst_session_handle_action(struct fst_session *s,
			       struct fst_iface *iface,
			       const struct ieee80211_mgmt *mgmt,
			       size_t frame_len)
{
	switch (mgmt->u.action.u.fst_action.action) {
	case FST_ACTION_SETUP_REQUEST:
		WPA_ASSERT(0);
		break;
	case FST_ACTION_SETUP_RESPONSE:
		fst_session_handle_setup_response(s, iface, mgmt, frame_len);
		break;
	case FST_ACTION_TEAR_DOWN:
		fst_session_handle_tear_down(s, iface, mgmt, frame_len);
		break;
	case FST_ACTION_ACK_REQUEST:
		fst_session_handle_ack_request(s, iface, mgmt, frame_len);
		break;
	case FST_ACTION_ACK_RESPONSE:
		fst_session_handle_ack_response(s, iface, mgmt, frame_len);
		break;
	case FST_ACTION_ON_CHANNEL_TUNNEL:
	default:
		fst_printf_sframe(s, FALSE, MSG_ERROR,
				  "Unsupported FST Action frame");
		break;
	}
}


int fst_session_tear_down_setup(struct fst_session *s)
{
	int res;
	union fst_session_state_switch_extra evext = {
		.to_initial = {
			.reason = REASON_TEARDOWN,
			.initiator = FST_INITIATOR_LOCAL,
		},
	};

	res = fst_session_send_tear_down(s);

	fst_session_set_state(s, FST_SESSION_STATE_INITIAL, &evext);

	return res;
}


void fst_session_reset(struct fst_session *s)
{
	fst_session_reset_ex(s, REASON_RESET);
}


void fst_session_delete(struct fst_session *s)
{
	fst_printf(MSG_INFO, "Session %u deleted", s->id);
	dl_list_del(&s->global_sessions_lentry);
	foreach_fst_ctrl_call(on_session_removed, s);
	os_free(s);
}


struct fst_group * fst_session_get_group(struct fst_session *s)
{
	return s->group;
}


struct fst_iface * fst_session_get_iface(struct fst_session *s, Boolean is_old)
{
	return is_old ? s->data.old_iface : s->data.new_iface;
}


u32 fst_session_get_id(struct fst_session *s)
{
	return s->id;
}


const u8 * fst_session_get_peer_addr(struct fst_session *s, Boolean is_old)
{
	return is_old ? s->data.old_peer_addr : s->data.new_peer_addr;
}


u32 fst_session_get_llt(struct fst_session *s)
{
	return s->data.llt_ms;
}


enum fst_session_state fst_session_get_state(struct fst_session *s)
{
	return s->state;
}


struct fst_session * fst_session_get_by_id(u32 id)
{
	struct fst_session *s;

	foreach_fst_session(s) {
		if (id == s->id)
			return s;
	}

	return NULL;
}


void fst_session_enum(struct fst_group *g, fst_session_enum_clb clb, void *ctx)
{
	struct fst_session *s;

	foreach_fst_session(s) {
		if (!g || s->group == g)
			clb(s->group, s, ctx);
	}
}


void fst_session_on_action_rx(struct fst_iface *iface,
			      const struct ieee80211_mgmt *mgmt,
			      size_t len)
{
	struct fst_session *s;

	if (len < IEEE80211_HDRLEN + 2 ||
	    mgmt->u.action.category != WLAN_ACTION_FST) {
		fst_printf_iface(iface, MSG_ERROR,
				 "invalid Action frame received");
		return;
	}

	if (mgmt->u.action.u.fst_action.action <= FST_ACTION_MAX_SUPPORTED) {
		fst_printf_iface(iface, MSG_DEBUG,
				 "FST Action '%s' received!",
				 fst_action_names[mgmt->u.action.u.fst_action.action]);
	} else {
		fst_printf_iface(iface, MSG_WARNING,
				 "unknown FST Action (%u) received!",
				 mgmt->u.action.u.fst_action.action);
		return;
	}

	if (mgmt->u.action.u.fst_action.action == FST_ACTION_SETUP_REQUEST) {
		fst_session_handle_setup_request(iface, mgmt, len);
		return;
	}

	s = fst_find_session_in_progress(mgmt->sa, fst_iface_get_group(iface));
	if (s) {
		fst_session_handle_action(s, iface, mgmt, len);
	} else {
		fst_printf_iface(iface, MSG_WARNING,
				 "FST Action '%s' dropped: no session in progress found",
				 fst_action_names[mgmt->u.action.u.fst_action.action]);
	}
}


int fst_session_set_str_ifname(struct fst_session *s, const char *ifname,
			       Boolean is_old)
{
	struct fst_group *g = fst_session_get_group(s);
	struct fst_iface *i;

	i = fst_group_get_iface_by_name(g, ifname);
	if (!i) {
		fst_printf_session(s, MSG_WARNING,
				   "Cannot set iface %s: no such iface within group '%s'",
				   ifname, fst_group_get_id(g));
		return -1;
	}

	fst_session_set_iface(s, i, is_old);

	return 0;
}


int fst_session_set_str_peer_addr(struct fst_session *s, const char *mac,
				  Boolean is_old)
{
	u8 peer_addr[ETH_ALEN];
	int res = fst_read_peer_addr(mac, peer_addr);

	if (res)
		return res;

	fst_session_set_peer_addr(s, peer_addr, is_old);

	return 0;
}


int fst_session_set_str_llt(struct fst_session *s, const char *llt_str)
{
	char *endp;
	long int llt = strtol(llt_str, &endp, 0);

	if (*endp || llt < 0 || (unsigned long int) llt > FST_MAX_LLT_MS) {
		fst_printf_session(s, MSG_WARNING,
				   "Cannot set llt %s: Invalid llt value (1..%u expected)",
				   llt_str, FST_MAX_LLT_MS);
		return -1;
	}
	fst_session_set_llt(s, (u32) llt);

	return 0;
}


void fst_session_global_on_iface_detached(struct fst_iface *iface)
{
	struct fst_session *s;

	foreach_fst_session(s) {
		if (fst_session_is_in_progress(s) &&
		    (s->data.new_iface == iface ||
		     s->data.old_iface == iface))
			fst_session_reset_ex(s, REASON_DETACH_IFACE);
	}
}


struct fst_session * fst_session_global_get_first_by_group(struct fst_group *g)
{
	struct fst_session *s;

	foreach_fst_session(s) {
		if (s->group == g)
			return s;
	}

	return NULL;
}


#ifdef CONFIG_FST_TEST

static int get_group_fill_session(struct fst_group **g, struct fst_session *s)
{
	const u8 *old_addr, *new_addr;
	struct fst_get_peer_ctx *ctx;

	os_memset(s, 0, sizeof(*s));
	foreach_fst_group(*g) {
		s->data.new_iface = fst_group_first_iface(*g);
		if (s->data.new_iface)
			break;
	}
	if (!s->data.new_iface)
		return -EINVAL;

	s->data.old_iface = dl_list_entry(s->data.new_iface->group_lentry.next,
					  struct fst_iface, group_lentry);
	if (!s->data.old_iface)
		return -EINVAL;

	old_addr = fst_iface_get_peer_first(s->data.old_iface, &ctx, TRUE);
	if (!old_addr)
		return -EINVAL;

	new_addr = fst_iface_get_peer_first(s->data.new_iface, &ctx, TRUE);
	if (!new_addr)
		return -EINVAL;

	os_memcpy(s->data.old_peer_addr, old_addr, ETH_ALEN);
	os_memcpy(s->data.new_peer_addr, new_addr, ETH_ALEN);

	return 0;
}


#define FST_MAX_COMMAND_WORD_NAME_LENGTH 16

int fst_test_req_send_fst_request(const char *params)
{
	int fsts_id;
	Boolean is_valid;
	char *endp;
	struct fst_setup_req req;
	struct fst_session s;
	struct fst_group *g;
	enum hostapd_hw_mode hw_mode;
	u8 channel;
	char additional_param[FST_MAX_COMMAND_WORD_NAME_LENGTH];

	if (params[0] != ' ')
		return -EINVAL;
	params++;
	fsts_id = fst_read_next_int_param(params, &is_valid, &endp);
	if (!is_valid)
		return -EINVAL;

	if (get_group_fill_session(&g, &s))
		return -EINVAL;

	req.action = FST_ACTION_SETUP_REQUEST;
	req.dialog_token = g->dialog_token;
	req.llt = host_to_le32(FST_LLT_MS_DEFAULT);
	/* 8.4.2.147 Session Transition element */
	req.stie.element_id = WLAN_EID_SESSION_TRANSITION;
	req.stie.length = sizeof(req.stie) - 2;
	req.stie.fsts_id = host_to_le32(fsts_id);
	req.stie.session_control = SESSION_CONTROL(SESSION_TYPE_BSS, 0);

	fst_iface_get_channel_info(s.data.new_iface, &hw_mode, &channel);
	req.stie.new_band_id = fst_hw_mode_to_band(hw_mode);
	req.stie.new_band_op = 1;
	req.stie.new_band_setup = 0;

	fst_iface_get_channel_info(s.data.old_iface, &hw_mode, &channel);
	req.stie.old_band_id = fst_hw_mode_to_band(hw_mode);
	req.stie.old_band_op = 1;
	req.stie.old_band_setup = 0;

	if (!fst_read_next_text_param(endp, additional_param,
				       sizeof(additional_param), &endp)) {
		if (!os_strcasecmp(additional_param, FST_CTR_PVAL_BAD_NEW_BAND))
			req.stie.new_band_id = req.stie.old_band_id;
	}

	return fst_session_send_action(&s, TRUE, &req, sizeof(req),
				       s.data.old_iface->mb_ie);
}


int fst_test_req_send_fst_response(const char *params)
{
	int fsts_id;
	Boolean is_valid;
	char *endp;
	struct fst_setup_res res;
	struct fst_session s;
	struct fst_group *g;
	enum hostapd_hw_mode hw_mode;
	u8 status_code;
	u8 channel;
	char response[FST_MAX_COMMAND_WORD_NAME_LENGTH];
	struct fst_session *_s;

	if (params[0] != ' ')
		return -EINVAL;
	params++;
	fsts_id = fst_read_next_int_param(params, &is_valid, &endp);
	if (!is_valid)
		return -EINVAL;

	if (get_group_fill_session(&g, &s))
		return -EINVAL;

	status_code = WLAN_STATUS_SUCCESS;
	if (!fst_read_next_text_param(endp, response, sizeof(response),
				      &endp)) {
		if (!os_strcasecmp(response, FST_CS_PVAL_RESPONSE_REJECT))
			status_code = WLAN_STATUS_PENDING_ADMITTING_FST_SESSION;
	}

	os_memset(&res, 0, sizeof(res));

	res.action = FST_ACTION_SETUP_RESPONSE;
	/*
	 * If some session has just received an FST Setup Request, then
	 * use the correct dialog token copied from this request.
	 */
	_s = fst_find_session_in_progress(fst_session_get_peer_addr(&s, TRUE),
					  g);
	res.dialog_token = (_s && fst_session_is_ready_pending(_s)) ?
		_s->data.pending_setup_req_dlgt : g->dialog_token;
	res.status_code  = status_code;

	res.stie.element_id = WLAN_EID_SESSION_TRANSITION;
	res.stie.length = sizeof(res.stie) - 2;

	if (res.status_code == WLAN_STATUS_SUCCESS) {
		res.stie.fsts_id = host_to_le32(fsts_id);
		res.stie.session_control = SESSION_CONTROL(SESSION_TYPE_BSS, 0);

		fst_iface_get_channel_info(s.data.new_iface, &hw_mode,
					    &channel);
		res.stie.new_band_id = fst_hw_mode_to_band(hw_mode);
		res.stie.new_band_op = 1;
		res.stie.new_band_setup = 0;

		fst_iface_get_channel_info(s.data.old_iface, &hw_mode,
					   &channel);
		res.stie.old_band_id = fst_hw_mode_to_band(hw_mode);
		res.stie.old_band_op = 1;
		res.stie.old_band_setup = 0;
	}

	if (!fst_read_next_text_param(endp, response, sizeof(response),
				      &endp)) {
		if (!os_strcasecmp(response, FST_CTR_PVAL_BAD_NEW_BAND))
			res.stie.new_band_id = res.stie.old_band_id;
	}

	return fst_session_send_action(&s, TRUE, &res, sizeof(res),
				       s.data.old_iface->mb_ie);
}


int fst_test_req_send_ack_request(const char *params)
{
	int fsts_id;
	Boolean is_valid;
	char *endp;
	struct fst_ack_req req;
	struct fst_session s;
	struct fst_group *g;

	if (params[0] != ' ')
		return -EINVAL;
	params++;
	fsts_id = fst_read_next_int_param(params, &is_valid, &endp);
	if (!is_valid)
		return -EINVAL;

	if (get_group_fill_session(&g, &s))
		return -EINVAL;

	os_memset(&req, 0, sizeof(req));
	req.action = FST_ACTION_ACK_REQUEST;
	req.dialog_token = g->dialog_token;
	req.fsts_id = host_to_le32(fsts_id);

	return fst_session_send_action(&s, FALSE, &req, sizeof(req), NULL);
}


int fst_test_req_send_ack_response(const char *params)
{
	int fsts_id;
	Boolean is_valid;
	char *endp;
	struct fst_ack_res res;
	struct fst_session s;
	struct fst_group *g;

	if (params[0] != ' ')
		return -EINVAL;
	params++;
	fsts_id = fst_read_next_int_param(params, &is_valid, &endp);
	if (!is_valid)
		return -EINVAL;

	if (get_group_fill_session(&g, &s))
		return -EINVAL;

	os_memset(&res, 0, sizeof(res));
	res.action = FST_ACTION_ACK_RESPONSE;
	res.dialog_token = g->dialog_token;
	res.fsts_id = host_to_le32(fsts_id);

	return fst_session_send_action(&s, FALSE, &res, sizeof(res), NULL);
}


int fst_test_req_send_tear_down(const char *params)
{
	int fsts_id;
	Boolean is_valid;
	char *endp;
	struct fst_tear_down td;
	struct fst_session s;
	struct fst_group *g;

	if (params[0] != ' ')
		return -EINVAL;
	params++;
	fsts_id = fst_read_next_int_param(params, &is_valid, &endp);
	if (!is_valid)
		return -EINVAL;

	if (get_group_fill_session(&g, &s))
		return -EINVAL;

	os_memset(&td, 0, sizeof(td));
	td.action = FST_ACTION_TEAR_DOWN;
	td.fsts_id = host_to_le32(fsts_id);

	return fst_session_send_action(&s, TRUE, &td, sizeof(td), NULL);
}


u32 fst_test_req_get_fsts_id(const char *params)
{
	int sid;
	Boolean is_valid;
	char *endp;
	struct fst_session *s;

	if (params[0] != ' ')
		return FST_FSTS_ID_NOT_FOUND;
	params++;
	sid = fst_read_next_int_param(params, &is_valid, &endp);
	if (!is_valid)
		return FST_FSTS_ID_NOT_FOUND;

	s = fst_session_get_by_id(sid);
	if (!s)
		return FST_FSTS_ID_NOT_FOUND;

	return s->data.fsts_id;
}


int fst_test_req_get_local_mbies(const char *request, char *buf, size_t buflen)
{
	char *endp;
	char ifname[FST_MAX_COMMAND_WORD_NAME_LENGTH];
	struct fst_group *g;
	struct fst_iface *iface;

	if (request[0] != ' ')
		return -EINVAL;
	request++;
	if (fst_read_next_text_param(request, ifname, sizeof(ifname), &endp) ||
	    !*ifname)
		goto problem;
	g = dl_list_first(&fst_global_groups_list, struct fst_group,
			  global_groups_lentry);
	if (!g)
		goto problem;
	iface = fst_group_get_iface_by_name(g, ifname);
	if (!iface || !iface->mb_ie)
		goto problem;
	return wpa_snprintf_hex(buf, buflen, wpabuf_head(iface->mb_ie),
				wpabuf_len(iface->mb_ie));

problem:
	return os_snprintf(buf, buflen, "FAIL\n");
}

#endif /* CONFIG_FST_TEST */