2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
34 * IEEE 802.11 HOSTAP mode support.
39 #include <sys/param.h>
40 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/kernel.h>
45 #include <sys/socket.h>
46 #include <sys/sockio.h>
47 #include <sys/endian.h>
48 #include <sys/errno.h>
50 #include <sys/sysctl.h>
53 #include <net/if_var.h>
54 #include <net/if_media.h>
55 #include <net/if_llc.h>
56 #include <net/if_private.h>
57 #include <net/ethernet.h>
61 #include <net80211/ieee80211_var.h>
62 #include <net80211/ieee80211_hostap.h>
63 #include <net80211/ieee80211_input.h>
64 #ifdef IEEE80211_SUPPORT_SUPERG
65 #include <net80211/ieee80211_superg.h>
67 #include <net80211/ieee80211_wds.h>
68 #include <net80211/ieee80211_vht.h>
69 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */
71 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
73 static void hostap_vattach(struct ieee80211vap *);
74 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
75 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
76 const struct ieee80211_rx_stats *,
78 static void hostap_deliver_data(struct ieee80211vap *,
79 struct ieee80211_node *, struct mbuf *);
80 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
81 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
82 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
85 ieee80211_hostap_attach(struct ieee80211com *ic)
87 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
91 ieee80211_hostap_detach(struct ieee80211com *ic)
96 hostap_vdetach(struct ieee80211vap *vap)
101 hostap_vattach(struct ieee80211vap *vap)
103 vap->iv_newstate = hostap_newstate;
104 vap->iv_input = hostap_input;
105 vap->iv_recv_mgmt = hostap_recv_mgmt;
106 vap->iv_recv_ctl = hostap_recv_ctl;
107 vap->iv_opdetach = hostap_vdetach;
108 vap->iv_deliver_data = hostap_deliver_data;
109 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
113 sta_disassoc(void *arg, struct ieee80211_node *ni)
116 if (ni->ni_associd != 0) {
117 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
118 IEEE80211_REASON_ASSOC_LEAVE);
119 ieee80211_node_leave(ni);
124 sta_csa(void *arg, struct ieee80211_node *ni)
126 struct ieee80211vap *vap = ni->ni_vap;
128 if (ni->ni_associd != 0)
129 if (ni->ni_inact > vap->iv_inact_init) {
130 ni->ni_inact = vap->iv_inact_init;
131 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
132 "%s: inact %u", __func__, ni->ni_inact);
137 sta_drop(void *arg, struct ieee80211_node *ni)
140 if (ni->ni_associd != 0)
141 ieee80211_node_leave(ni);
145 * Does a channel change require associated stations to re-associate
146 * so protocol state is correct. This is used when doing CSA across
147 * bands or similar (e.g. HT -> legacy).
150 isbandchange(struct ieee80211com *ic)
152 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
153 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
154 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
158 * IEEE80211_M_HOSTAP vap state machine handler.
161 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
163 struct ieee80211com *ic = vap->iv_ic;
164 enum ieee80211_state ostate;
166 IEEE80211_LOCK_ASSERT(ic);
168 ostate = vap->iv_state;
169 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
170 __func__, ieee80211_state_name[ostate],
171 ieee80211_state_name[nstate], arg);
172 vap->iv_state = nstate; /* state transition */
173 if (ostate != IEEE80211_S_SCAN)
174 ieee80211_cancel_scan(vap); /* background scan */
176 case IEEE80211_S_INIT:
178 case IEEE80211_S_SCAN:
179 ieee80211_cancel_scan(vap);
181 case IEEE80211_S_CAC:
182 ieee80211_dfs_cac_stop(vap);
184 case IEEE80211_S_RUN:
185 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
191 if (ostate != IEEE80211_S_INIT) {
192 /* NB: optimize INIT -> INIT case */
193 ieee80211_reset_bss(vap);
195 if (vap->iv_auth->ia_detach != NULL)
196 vap->iv_auth->ia_detach(vap);
198 case IEEE80211_S_SCAN:
200 case IEEE80211_S_CSA:
201 case IEEE80211_S_RUN:
202 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
205 * Clear overlapping BSS state; the beacon frame
206 * will be reconstructed on transition to the RUN
207 * state and the timeout routines check if the flag
208 * is set before doing anything so this is sufficient.
210 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
211 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
212 /* XXX TODO: schedule deferred update? */
214 case IEEE80211_S_CAC:
216 * NB: We may get here because of a manual channel
217 * change in which case we need to stop CAC
218 * XXX no need to stop if ostate RUN but it's ok
220 ieee80211_dfs_cac_stop(vap);
222 case IEEE80211_S_INIT:
223 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
224 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
226 * Already have a channel; bypass the
227 * scan and startup immediately.
228 * ieee80211_create_ibss will call back to
229 * move us to RUN state.
231 ieee80211_create_ibss(vap, vap->iv_des_chan);
235 * Initiate a scan. We can come here as a result
236 * of an IEEE80211_IOC_SCAN_REQ too in which case
237 * the vap will be marked with IEEE80211_FEXT_SCANREQ
238 * and the scan request parameters will be present
239 * in iv_scanreq. Otherwise we do the default.
241 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
242 ieee80211_check_scan(vap,
243 vap->iv_scanreq_flags,
244 vap->iv_scanreq_duration,
245 vap->iv_scanreq_mindwell,
246 vap->iv_scanreq_maxdwell,
247 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
248 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
250 ieee80211_check_scan_current(vap);
252 case IEEE80211_S_SCAN:
254 * A state change requires a reset; scan.
256 ieee80211_check_scan_current(vap);
262 case IEEE80211_S_CAC:
264 * Start CAC on a DFS channel. We come here when starting
265 * a bss on a DFS channel (see ieee80211_create_ibss).
267 ieee80211_dfs_cac_start(vap);
269 case IEEE80211_S_RUN:
270 if (vap->iv_flags & IEEE80211_F_WPA) {
271 /* XXX validate prerequisites */
274 case IEEE80211_S_INIT:
276 * Already have a channel; bypass the
277 * scan and startup immediately.
278 * Note that ieee80211_create_ibss will call
279 * back to do a RUN->RUN state change.
281 ieee80211_create_ibss(vap,
282 ieee80211_ht_adjust_channel(ic,
283 ic->ic_curchan, vap->iv_flags_ht));
284 /* NB: iv_bss is changed on return */
286 case IEEE80211_S_CAC:
288 * NB: This is the normal state change when CAC
289 * expires and no radar was detected; no need to
290 * clear the CAC timer as it's already expired.
293 case IEEE80211_S_CSA:
295 * Shorten inactivity timer of associated stations
296 * to weed out sta's that don't follow a CSA.
298 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
301 * Update bss node channel to reflect where
302 * we landed after CSA.
304 ieee80211_node_set_chan(vap->iv_bss,
305 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
306 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
307 /* XXX bypass debug msgs */
309 case IEEE80211_S_SCAN:
310 case IEEE80211_S_RUN:
311 #ifdef IEEE80211_DEBUG
312 if (ieee80211_msg_debug(vap)) {
313 struct ieee80211_node *ni = vap->iv_bss;
315 "synchronized with %s ssid ",
316 ether_sprintf(ni->ni_bssid));
317 ieee80211_print_essid(ni->ni_essid,
320 printf(" channel %d start %uMb\n",
321 ieee80211_chan2ieee(ic, ic->ic_curchan),
322 IEEE80211_RATE2MBS(ni->ni_txrate));
330 * Start/stop the authenticator. We delay until here
331 * to allow configuration to happen out of order.
333 if (vap->iv_auth->ia_attach != NULL) {
334 /* XXX check failure */
335 vap->iv_auth->ia_attach(vap);
336 } else if (vap->iv_auth->ia_detach != NULL) {
337 vap->iv_auth->ia_detach(vap);
339 ieee80211_node_authorize(vap->iv_bss);
341 case IEEE80211_S_CSA:
342 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
344 * On a ``band change'' silently drop associated
345 * stations as they must re-associate before they
346 * can pass traffic (as otherwise protocol state
347 * such as capabilities and the negotiated rate
348 * set may/will be wrong).
350 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
361 hostap_deliver_data(struct ieee80211vap *vap,
362 struct ieee80211_node *ni, struct mbuf *m)
364 struct ether_header *eh = mtod(m, struct ether_header *);
365 struct ifnet *ifp = vap->iv_ifp;
367 /* clear driver/net80211 flags before passing up */
368 m->m_flags &= ~(M_MCAST | M_BCAST);
371 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
372 ("gack, opmode %d", vap->iv_opmode));
376 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
377 IEEE80211_NODE_STAT(ni, rx_data);
378 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
379 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
380 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
381 IEEE80211_NODE_STAT(ni, rx_mcast);
383 IEEE80211_NODE_STAT(ni, rx_ucast);
385 /* perform as a bridge within the AP */
386 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
387 struct mbuf *mcopy = NULL;
389 if (m->m_flags & M_MCAST) {
390 mcopy = m_dup(m, IEEE80211_M_NOWAIT);
392 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
394 mcopy->m_flags |= M_MCAST;
397 * Check if the destination is associated with the
398 * same vap and authorized to receive traffic.
399 * Beware of traffic destined for the vap itself;
400 * sending it will not work; just let it be delivered
403 struct ieee80211_node *sta = ieee80211_find_vap_node(
404 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
406 if (ieee80211_node_is_authorized(sta)) {
408 * Beware of sending to ourself; this
409 * needs to happen via the normal
412 if (sta != vap->iv_bss) {
417 vap->iv_stats.is_rx_unauth++;
418 IEEE80211_NODE_STAT(sta, rx_unauth);
420 ieee80211_free_node(sta);
424 (void) ieee80211_vap_xmitpkt(vap, mcopy);
428 * Mark frame as coming from vap's interface.
430 m->m_pkthdr.rcvif = ifp;
431 if (m->m_flags & M_MCAST) {
433 * Spam DWDS vap's w/ multicast traffic.
435 /* XXX only if dwds in use? */
436 ieee80211_dwds_mcast(vap, m);
438 if (ni->ni_vlan != 0) {
439 /* attach vlan tag */
440 m->m_pkthdr.ether_vtag = ni->ni_vlan;
441 m->m_flags |= M_VLANTAG;
443 ifp->if_input(ifp, m);
448 * Decide if a received management frame should be
449 * printed when debugging is enabled. This filters some
450 * of the less interesting frames that come frequently
454 doprint(struct ieee80211vap *vap, int subtype)
457 case IEEE80211_FC0_SUBTYPE_BEACON:
458 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
459 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
466 * Process a received frame. The node associated with the sender
467 * should be supplied. If nothing was found in the node table then
468 * the caller is assumed to supply a reference to iv_bss instead.
469 * The RSSI and a timestamp are also supplied. The RSSI data is used
470 * during AP scanning to select a AP to associate with; it can have
471 * any units so long as values have consistent units and higher values
472 * mean ``better signal''. The receive timestamp is currently not used
473 * by the 802.11 layer.
476 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
477 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
479 struct ieee80211vap *vap = ni->ni_vap;
480 struct ieee80211com *ic = ni->ni_ic;
481 struct ifnet *ifp = vap->iv_ifp;
482 struct ieee80211_frame *wh;
483 struct ieee80211_key *key;
484 struct ether_header *eh;
485 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
486 uint8_t dir, type, subtype, qos;
488 int is_hw_decrypted = 0;
489 int has_decrypted = 0;
492 * Some devices do hardware decryption all the way through
493 * to pretending the frame wasn't encrypted in the first place.
494 * So, tag it appropriately so it isn't discarded inappropriately.
496 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
499 if (m->m_flags & M_AMPDU_MPDU) {
501 * Fastpath for A-MPDU reorder q resubmission. Frames
502 * w/ M_AMPDU_MPDU marked have already passed through
503 * here but were received out of order and been held on
504 * the reorder queue. When resubmitted they are marked
505 * with the M_AMPDU_MPDU flag and we can bypass most of
506 * the normal processing.
508 wh = mtod(m, struct ieee80211_frame *);
509 type = IEEE80211_FC0_TYPE_DATA;
510 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
511 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
512 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
516 KASSERT(ni != NULL, ("null node"));
517 ni->ni_inact = ni->ni_inact_reload;
519 type = -1; /* undefined */
521 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
522 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
523 ni->ni_macaddr, NULL,
524 "too short (1): len %u", m->m_pkthdr.len);
525 vap->iv_stats.is_rx_tooshort++;
529 * Bit of a cheat here, we use a pointer for a 3-address
530 * frame format but don't reference fields past outside
531 * ieee80211_frame_min w/o first validating the data is
534 wh = mtod(m, struct ieee80211_frame *);
536 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
537 IEEE80211_FC0_VERSION_0) {
538 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
539 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
540 wh->i_fc[0], wh->i_fc[1]);
541 vap->iv_stats.is_rx_badversion++;
545 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
546 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
547 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
548 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
549 if (dir != IEEE80211_FC1_DIR_NODS)
551 else if (type == IEEE80211_FC0_TYPE_CTL)
554 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
555 IEEE80211_DISCARD_MAC(vap,
556 IEEE80211_MSG_ANY, ni->ni_macaddr,
557 NULL, "too short (2): len %u",
559 vap->iv_stats.is_rx_tooshort++;
565 * Validate the bssid.
567 if (!(type == IEEE80211_FC0_TYPE_MGT &&
568 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
569 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
570 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
571 /* not interested in */
572 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
573 bssid, NULL, "%s", "not to bss");
574 vap->iv_stats.is_rx_wrongbss++;
578 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
580 if (IEEE80211_HAS_SEQ(type, subtype)) {
581 uint8_t tid = ieee80211_gettid(wh);
582 if (IEEE80211_QOS_HAS_SEQ(wh) &&
583 TID_TO_WME_AC(tid) >= WME_AC_VI)
584 ic->ic_wme.wme_hipri_traffic++;
585 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
591 case IEEE80211_FC0_TYPE_DATA:
592 hdrspace = ieee80211_hdrspace(ic, wh);
593 if (m->m_len < hdrspace &&
594 (m = m_pullup(m, hdrspace)) == NULL) {
595 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
596 ni->ni_macaddr, NULL,
597 "data too short: expecting %u", hdrspace);
598 vap->iv_stats.is_rx_tooshort++;
601 if (!(dir == IEEE80211_FC1_DIR_TODS ||
602 (dir == IEEE80211_FC1_DIR_DSTODS &&
603 (vap->iv_flags & IEEE80211_F_DWDS)))) {
604 if (dir != IEEE80211_FC1_DIR_DSTODS) {
605 IEEE80211_DISCARD(vap,
606 IEEE80211_MSG_INPUT, wh, "data",
607 "incorrect dir 0x%x", dir);
609 IEEE80211_DISCARD(vap,
610 IEEE80211_MSG_INPUT |
611 IEEE80211_MSG_WDS, wh,
613 "%s", "DWDS not enabled");
615 vap->iv_stats.is_rx_wrongdir++;
618 /* check if source STA is associated */
619 if (ni == vap->iv_bss) {
620 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
621 wh, "data", "%s", "unknown src");
622 ieee80211_send_error(ni, wh->i_addr2,
623 IEEE80211_FC0_SUBTYPE_DEAUTH,
624 IEEE80211_REASON_NOT_AUTHED);
625 vap->iv_stats.is_rx_notassoc++;
628 if (ni->ni_associd == 0) {
629 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
630 wh, "data", "%s", "unassoc src");
631 IEEE80211_SEND_MGMT(ni,
632 IEEE80211_FC0_SUBTYPE_DISASSOC,
633 IEEE80211_REASON_NOT_ASSOCED);
634 vap->iv_stats.is_rx_notassoc++;
639 * Check for power save state change.
640 * XXX out-of-order A-MPDU frames?
642 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
643 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
645 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
647 * For 4-address packets handle WDS discovery
648 * notifications. Once a WDS link is setup frames
649 * are just delivered to the WDS vap (see below).
651 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
652 if (!ieee80211_node_is_authorized(ni)) {
653 IEEE80211_DISCARD(vap,
654 IEEE80211_MSG_INPUT |
655 IEEE80211_MSG_WDS, wh,
657 "%s", "unauthorized port");
658 vap->iv_stats.is_rx_unauth++;
659 IEEE80211_NODE_STAT(ni, rx_unauth);
662 ieee80211_dwds_discover(ni, m);
667 * Handle A-MPDU re-ordering. If the frame is to be
668 * processed directly then ieee80211_ampdu_reorder
669 * will return 0; otherwise it has consumed the mbuf
670 * and we should do nothing more with it.
672 if ((m->m_flags & M_AMPDU) &&
673 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
680 * Handle privacy requirements. Note that we
681 * must not be preempted from here until after
682 * we (potentially) call ieee80211_crypto_demic;
683 * otherwise we may violate assumptions in the
684 * crypto cipher modules used to do delayed update
685 * of replay sequence numbers.
687 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
688 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
690 * Discard encrypted frames when privacy is off.
692 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
693 wh, "WEP", "%s", "PRIVACY off");
694 vap->iv_stats.is_rx_noprivacy++;
695 IEEE80211_NODE_STAT(ni, rx_noprivacy);
698 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
699 /* NB: stats+msgs handled in crypto_decap */
700 IEEE80211_NODE_STAT(ni, rx_wepfail);
703 wh = mtod(m, struct ieee80211_frame *);
704 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
707 /* XXX M_WEP and IEEE80211_F_PRIVACY */
712 * Save QoS bits for use below--before we strip the header.
714 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
715 qos = ieee80211_getqos(wh)[0];
720 * Next up, any fragmentation.
722 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
723 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
725 /* Fragment dropped or frame not complete yet */
729 wh = NULL; /* no longer valid, catch any uses */
732 * Next strip any MSDU crypto bits.
734 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
735 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
736 ni->ni_macaddr, "data", "%s", "demic error");
737 vap->iv_stats.is_rx_demicfail++;
738 IEEE80211_NODE_STAT(ni, rx_demicfail);
741 /* copy to listener after decrypt */
742 if (ieee80211_radiotap_active_vap(vap))
743 ieee80211_radiotap_rx(vap, m);
746 * Finally, strip the 802.11 header.
748 m = ieee80211_decap(vap, m, hdrspace, qos);
750 /* XXX mask bit to check for both */
751 /* don't count Null data frames as errors */
752 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
753 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
755 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
756 ni->ni_macaddr, "data", "%s", "decap error");
757 vap->iv_stats.is_rx_decap++;
758 IEEE80211_NODE_STAT(ni, rx_decap);
761 if (!(qos & IEEE80211_QOS_AMSDU))
762 eh = mtod(m, struct ether_header *);
765 if (!ieee80211_node_is_authorized(ni)) {
767 * Deny any non-PAE frames received prior to
768 * authorization. For open/shared-key
769 * authentication the port is mark authorized
770 * after authentication completes. For 802.1x
771 * the port is not marked authorized by the
772 * authenticator until the handshake has completed.
775 eh->ether_type != htons(ETHERTYPE_PAE)) {
776 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
777 ni->ni_macaddr, "data", "unauthorized or "
778 "unknown port: ether type 0x%x len %u",
779 eh == NULL ? -1 : eh->ether_type,
781 vap->iv_stats.is_rx_unauth++;
782 IEEE80211_NODE_STAT(ni, rx_unauth);
787 * When denying unencrypted frames, discard
788 * any non-PAE frames received without encryption.
790 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
791 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
792 (is_hw_decrypted == 0) &&
794 eh->ether_type != htons(ETHERTYPE_PAE))) {
796 * Drop unencrypted frames.
798 vap->iv_stats.is_rx_unencrypted++;
799 IEEE80211_NODE_STAT(ni, rx_unencrypted);
803 /* XXX require HT? */
804 if (qos & IEEE80211_QOS_AMSDU) {
805 m = ieee80211_decap_amsdu(ni, m);
807 return IEEE80211_FC0_TYPE_DATA;
809 #ifdef IEEE80211_SUPPORT_SUPERG
810 m = ieee80211_decap_fastframe(vap, ni, m);
812 return IEEE80211_FC0_TYPE_DATA;
815 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
816 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
818 hostap_deliver_data(vap, ni, m);
819 return IEEE80211_FC0_TYPE_DATA;
821 case IEEE80211_FC0_TYPE_MGT:
822 vap->iv_stats.is_rx_mgmt++;
823 IEEE80211_NODE_STAT(ni, rx_mgmt);
824 if (dir != IEEE80211_FC1_DIR_NODS) {
825 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
826 wh, "mgt", "incorrect dir 0x%x", dir);
827 vap->iv_stats.is_rx_wrongdir++;
830 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
831 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
832 ni->ni_macaddr, "mgt", "too short: len %u",
834 vap->iv_stats.is_rx_tooshort++;
837 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
838 /* ensure return frames are unicast */
839 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
840 wh, NULL, "source is multicast: %s",
841 ether_sprintf(wh->i_addr2));
842 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
845 #ifdef IEEE80211_DEBUG
846 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
847 ieee80211_msg_dumppkts(vap)) {
848 if_printf(ifp, "received %s from %s rssi %d\n",
849 ieee80211_mgt_subtype_name(subtype),
850 ether_sprintf(wh->i_addr2), rssi);
853 if (IEEE80211_IS_PROTECTED(wh)) {
854 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
856 * Only shared key auth frames with a challenge
857 * should be encrypted, discard all others.
859 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
861 "%s", "WEP set but not permitted");
862 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
865 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
867 * Discard encrypted frames when privacy is off.
869 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
870 wh, NULL, "%s", "WEP set but PRIVACY off");
871 vap->iv_stats.is_rx_noprivacy++;
874 hdrspace = ieee80211_hdrspace(ic, wh);
875 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
876 /* NB: stats+msgs handled in crypto_decap */
879 wh = mtod(m, struct ieee80211_frame *);
880 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
884 * Pass the packet to radiotap before calling iv_recv_mgmt().
885 * Otherwise iv_recv_mgmt() might pass another packet to
886 * radiotap, resulting in out of order packet captures.
888 if (ieee80211_radiotap_active_vap(vap))
889 ieee80211_radiotap_rx(vap, m);
891 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
894 case IEEE80211_FC0_TYPE_CTL:
895 vap->iv_stats.is_rx_ctl++;
896 IEEE80211_NODE_STAT(ni, rx_ctrl);
897 vap->iv_recv_ctl(ni, m, subtype);
900 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
901 wh, "bad", "frame type 0x%x", type);
902 /* should not come here */
906 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
909 if (need_tap && ieee80211_radiotap_active_vap(vap))
910 ieee80211_radiotap_rx(vap, m);
917 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
918 int rssi, int nf, uint16_t seq, uint16_t status)
920 struct ieee80211vap *vap = ni->ni_vap;
922 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
924 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
925 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
926 ni->ni_macaddr, "open auth",
927 "bad sta auth mode %u", ni->ni_authmode);
928 vap->iv_stats.is_rx_bad_auth++; /* XXX */
930 * Clear any challenge text that may be there if
931 * a previous shared key auth failed and then an
932 * open auth is attempted.
934 if (ni->ni_challenge != NULL) {
935 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
936 ni->ni_challenge = NULL;
938 /* XXX hack to workaround calling convention */
939 ieee80211_send_error(ni, wh->i_addr2,
940 IEEE80211_FC0_SUBTYPE_AUTH,
941 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
944 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
945 vap->iv_stats.is_rx_bad_auth++;
948 /* always accept open authentication requests */
949 if (ni == vap->iv_bss) {
950 ni = ieee80211_dup_bss(vap, wh->i_addr2);
953 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
954 (void) ieee80211_ref_node(ni);
956 * Mark the node as referenced to reflect that it's
957 * reference count has been bumped to insure it remains
958 * after the transaction completes.
960 ni->ni_flags |= IEEE80211_NODE_AREF;
962 * Mark the node as requiring a valid association id
963 * before outbound traffic is permitted.
965 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
967 if (vap->iv_acl != NULL &&
968 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
970 * When the ACL policy is set to RADIUS we defer the
971 * authorization to a user agent. Dispatch an event,
972 * a subsequent MLME call will decide the fate of the
973 * station. If the user agent is not present then the
974 * node will be reclaimed due to inactivity.
976 IEEE80211_NOTE_MAC(vap,
977 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
978 "%s", "station authentication defered (radius acl)");
979 ieee80211_notify_node_auth(ni);
981 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
982 IEEE80211_NOTE_MAC(vap,
983 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
984 "%s", "station authenticated (open)");
986 * When 802.1x is not in use mark the port
987 * authorized at this point so traffic can flow.
989 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
990 ieee80211_node_authorize(ni);
995 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
996 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
997 uint16_t seq, uint16_t status)
999 struct ieee80211vap *vap = ni->ni_vap;
1003 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1006 * NB: this can happen as we allow pre-shared key
1007 * authentication to be enabled w/o wep being turned
1008 * on so that configuration of these can be done
1009 * in any order. It may be better to enforce the
1010 * ordering in which case this check would just be
1011 * for sanity/consistency.
1013 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1014 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1015 ni->ni_macaddr, "shared key auth",
1016 "%s", " PRIVACY is disabled");
1017 estatus = IEEE80211_STATUS_ALG;
1021 * Pre-shared key authentication is evil; accept
1022 * it only if explicitly configured (it is supported
1023 * mainly for compatibility with clients like Mac OS X).
1025 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1026 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1027 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1028 ni->ni_macaddr, "shared key auth",
1029 "bad sta auth mode %u", ni->ni_authmode);
1030 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1031 estatus = IEEE80211_STATUS_ALG;
1036 if (frm + 1 < efrm) {
1037 if ((frm[1] + 2) > (efrm - frm)) {
1038 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1039 ni->ni_macaddr, "shared key auth",
1040 "ie %d/%d too long",
1041 frm[0], (frm[1] + 2) - (efrm - frm));
1042 vap->iv_stats.is_rx_bad_auth++;
1043 estatus = IEEE80211_STATUS_CHALLENGE;
1046 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1051 case IEEE80211_AUTH_SHARED_CHALLENGE:
1052 case IEEE80211_AUTH_SHARED_RESPONSE:
1053 if (challenge == NULL) {
1054 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1055 ni->ni_macaddr, "shared key auth",
1056 "%s", "no challenge");
1057 vap->iv_stats.is_rx_bad_auth++;
1058 estatus = IEEE80211_STATUS_CHALLENGE;
1061 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1062 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1063 ni->ni_macaddr, "shared key auth",
1064 "bad challenge len %d", challenge[1]);
1065 vap->iv_stats.is_rx_bad_auth++;
1066 estatus = IEEE80211_STATUS_CHALLENGE;
1073 case IEEE80211_AUTH_SHARED_REQUEST:
1075 #ifdef IEEE80211_DEBUG
1079 if (ni == vap->iv_bss) {
1080 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1082 /* NB: no way to return an error */
1085 #ifdef IEEE80211_DEBUG
1089 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1090 (void) ieee80211_ref_node(ni);
1091 #ifdef IEEE80211_DEBUG
1096 * Mark the node as referenced to reflect that it's
1097 * reference count has been bumped to insure it remains
1098 * after the transaction completes.
1100 ni->ni_flags |= IEEE80211_NODE_AREF;
1102 * Mark the node as requiring a valid association id
1103 * before outbound traffic is permitted.
1105 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1106 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1108 if (!ieee80211_alloc_challenge(ni)) {
1109 /* NB: don't return error so they rexmit */
1112 net80211_get_random_bytes(ni->ni_challenge,
1113 IEEE80211_CHALLENGE_LEN);
1114 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1115 ni, "shared key %sauth request", allocbs ? "" : "re");
1117 * When the ACL policy is set to RADIUS we defer the
1118 * authorization to a user agent. Dispatch an event,
1119 * a subsequent MLME call will decide the fate of the
1120 * station. If the user agent is not present then the
1121 * node will be reclaimed due to inactivity.
1123 if (vap->iv_acl != NULL &&
1124 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1125 IEEE80211_NOTE_MAC(vap,
1126 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1128 "%s", "station authentication defered (radius acl)");
1129 ieee80211_notify_node_auth(ni);
1134 case IEEE80211_AUTH_SHARED_RESPONSE:
1135 if (ni == vap->iv_bss) {
1136 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1137 ni->ni_macaddr, "shared key response",
1138 "%s", "unknown station");
1139 /* NB: don't send a response */
1142 if (ni->ni_challenge == NULL) {
1143 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1144 ni->ni_macaddr, "shared key response",
1145 "%s", "no challenge recorded");
1146 vap->iv_stats.is_rx_bad_auth++;
1147 estatus = IEEE80211_STATUS_CHALLENGE;
1150 if (memcmp(ni->ni_challenge, &challenge[2],
1151 challenge[1]) != 0) {
1152 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1153 ni->ni_macaddr, "shared key response",
1154 "%s", "challenge mismatch");
1155 vap->iv_stats.is_rx_auth_fail++;
1156 estatus = IEEE80211_STATUS_CHALLENGE;
1159 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1160 ni, "%s", "station authenticated (shared key)");
1161 ieee80211_node_authorize(ni);
1164 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1165 ni->ni_macaddr, "shared key auth",
1167 vap->iv_stats.is_rx_bad_auth++;
1168 estatus = IEEE80211_STATUS_SEQUENCE;
1171 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1175 * Send an error response; but only when operating as an AP.
1177 /* XXX hack to workaround calling convention */
1178 ieee80211_send_error(ni, wh->i_addr2,
1179 IEEE80211_FC0_SUBTYPE_AUTH,
1180 (seq + 1) | (estatus<<16));
1184 * Convert a WPA cipher selector OUI to an internal
1185 * cipher algorithm. Where appropriate we also
1186 * record any key length.
1189 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1191 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1192 uint32_t w = le32dec(sel);
1195 case WPA_SEL(WPA_CSE_NULL):
1196 *cipher = IEEE80211_CIPHER_NONE;
1198 case WPA_SEL(WPA_CSE_WEP40):
1200 *keylen = 40 / NBBY;
1201 *cipher = IEEE80211_CIPHER_WEP;
1203 case WPA_SEL(WPA_CSE_WEP104):
1205 *keylen = 104 / NBBY;
1206 *cipher = IEEE80211_CIPHER_WEP;
1208 case WPA_SEL(WPA_CSE_TKIP):
1209 *cipher = IEEE80211_CIPHER_TKIP;
1211 case WPA_SEL(WPA_CSE_CCMP):
1212 *cipher = IEEE80211_CIPHER_AES_CCM;
1223 * Convert a WPA key management/authentication algorithm
1224 * to an internal code.
1227 wpa_keymgmt(const uint8_t *sel)
1229 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1230 uint32_t w = le32dec(sel);
1233 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1234 return WPA_ASE_8021X_UNSPEC;
1235 case WPA_SEL(WPA_ASE_8021X_PSK):
1236 return WPA_ASE_8021X_PSK;
1237 case WPA_SEL(WPA_ASE_NONE):
1238 return WPA_ASE_NONE;
1240 return 0; /* NB: so is discarded */
1245 * Parse a WPA information element to collect parameters.
1246 * Note that we do not validate security parameters; that
1247 * is handled by the authenticator; the parsing done here
1248 * is just for internal use in making operational decisions.
1251 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1252 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1254 uint8_t len = frm[1];
1259 * Check the length once for fixed parts: OUI, type,
1260 * version, mcast cipher, and 2 selector counts.
1261 * Other, variable-length data, must be checked separately.
1263 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1264 IEEE80211_DISCARD_IE(vap,
1265 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1266 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1267 return IEEE80211_REASON_IE_INVALID;
1270 IEEE80211_DISCARD_IE(vap,
1271 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1272 wh, "WPA", "too short, len %u", len);
1273 return IEEE80211_REASON_IE_INVALID;
1275 frm += 6, len -= 4; /* NB: len is payload only */
1276 /* NB: iswpaoui already validated the OUI and type */
1278 if (w != WPA_VERSION) {
1279 IEEE80211_DISCARD_IE(vap,
1280 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1281 wh, "WPA", "bad version %u", w);
1282 return IEEE80211_REASON_IE_INVALID;
1286 memset(rsn, 0, sizeof(*rsn));
1288 /* multicast/group cipher */
1289 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1291 IEEE80211_DISCARD_IE(vap,
1292 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1293 wh, "WPA", "unknown mcast cipher suite %08X",
1295 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1299 /* unicast ciphers */
1303 IEEE80211_DISCARD_IE(vap,
1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1305 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1307 return IEEE80211_REASON_IE_INVALID;
1310 for (; n > 0; n--) {
1313 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1320 IEEE80211_DISCARD_IE(vap,
1321 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1322 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1324 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1327 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1328 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1330 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1332 /* key management algorithms */
1336 IEEE80211_DISCARD_IE(vap,
1337 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1338 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1340 return IEEE80211_REASON_IE_INVALID;
1343 for (; n > 0; n--) {
1344 w |= wpa_keymgmt(frm);
1347 if (w & WPA_ASE_8021X_UNSPEC)
1348 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1350 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1352 if (len > 2) /* optional capabilities */
1353 rsn->rsn_caps = le16dec(frm);
1359 * Convert an RSN cipher selector OUI to an internal
1360 * cipher algorithm. Where appropriate we also
1361 * record any key length.
1364 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1366 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1367 uint32_t w = le32dec(sel);
1370 case RSN_SEL(RSN_CSE_NULL):
1371 *cipher = IEEE80211_CIPHER_NONE;
1373 case RSN_SEL(RSN_CSE_WEP40):
1375 *keylen = 40 / NBBY;
1376 *cipher = IEEE80211_CIPHER_WEP;
1378 case RSN_SEL(RSN_CSE_WEP104):
1380 *keylen = 104 / NBBY;
1381 *cipher = IEEE80211_CIPHER_WEP;
1383 case RSN_SEL(RSN_CSE_TKIP):
1384 *cipher = IEEE80211_CIPHER_TKIP;
1386 case RSN_SEL(RSN_CSE_CCMP):
1387 *cipher = IEEE80211_CIPHER_AES_CCM;
1389 case RSN_SEL(RSN_CSE_WRAP):
1390 *cipher = IEEE80211_CIPHER_AES_OCB;
1401 * Convert an RSN key management/authentication algorithm
1402 * to an internal code.
1405 rsn_keymgmt(const uint8_t *sel)
1407 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1408 uint32_t w = le32dec(sel);
1411 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1412 return RSN_ASE_8021X_UNSPEC;
1413 case RSN_SEL(RSN_ASE_8021X_PSK):
1414 return RSN_ASE_8021X_PSK;
1415 case RSN_SEL(RSN_ASE_NONE):
1416 return RSN_ASE_NONE;
1418 return 0; /* NB: so is discarded */
1423 * Parse a WPA/RSN information element to collect parameters
1424 * and validate the parameters against what has been
1425 * configured for the system.
1428 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1429 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1431 uint8_t len = frm[1];
1436 * Check the length once for fixed parts:
1437 * version, mcast cipher, and 2 selector counts.
1438 * Other, variable-length data, must be checked separately.
1440 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1441 IEEE80211_DISCARD_IE(vap,
1442 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1443 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1444 return IEEE80211_REASON_IE_INVALID;
1446 /* XXX may be shorter */
1448 IEEE80211_DISCARD_IE(vap,
1449 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1450 wh, "RSN", "too short, len %u", len);
1451 return IEEE80211_REASON_IE_INVALID;
1455 if (w != RSN_VERSION) {
1456 IEEE80211_DISCARD_IE(vap,
1457 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1458 wh, "RSN", "bad version %u", w);
1459 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1463 memset(rsn, 0, sizeof(*rsn));
1465 /* multicast/group cipher */
1466 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1468 IEEE80211_DISCARD_IE(vap,
1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1470 wh, "RSN", "unknown mcast cipher suite %08X",
1472 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1474 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1475 IEEE80211_DISCARD_IE(vap,
1476 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1477 wh, "RSN", "invalid mcast cipher suite %d",
1478 rsn->rsn_mcastcipher);
1479 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1483 /* unicast ciphers */
1487 IEEE80211_DISCARD_IE(vap,
1488 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1489 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1491 return IEEE80211_REASON_IE_INVALID;
1495 for (; n > 0; n--) {
1498 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1504 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1506 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1508 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1510 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1511 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1512 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1513 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1515 IEEE80211_DISCARD_IE(vap,
1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1517 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1519 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1522 /* key management algorithms */
1526 IEEE80211_DISCARD_IE(vap,
1527 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1528 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1530 return IEEE80211_REASON_IE_INVALID;
1533 for (; n > 0; n--) {
1534 w |= rsn_keymgmt(frm);
1537 if (w & RSN_ASE_8021X_UNSPEC)
1538 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1540 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1542 /* optional RSN capabilities */
1544 rsn->rsn_caps = le16dec(frm);
1551 * WPA/802.11i association request processing.
1554 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1555 const struct ieee80211_frame *wh, const uint8_t *wpa,
1556 const uint8_t *rsn, uint16_t capinfo)
1558 struct ieee80211vap *vap = ni->ni_vap;
1562 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1563 if (wpa == NULL && rsn == NULL) {
1564 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1566 * W-Fi Protected Setup (WPS) permits
1567 * clients to associate and pass EAPOL frames
1568 * to establish initial credentials.
1570 ni->ni_flags |= IEEE80211_NODE_WPS;
1573 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1574 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1576 * Transitional Security Network. Permits clients
1577 * to associate and use WEP while WPA is configured.
1579 ni->ni_flags |= IEEE80211_NODE_TSN;
1582 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1583 wh, NULL, "%s", "no WPA/RSN IE in association request");
1584 vap->iv_stats.is_rx_assoc_badwpaie++;
1585 reason = IEEE80211_REASON_IE_INVALID;
1588 /* assert right association security credentials */
1589 badwparsn = 0; /* NB: to silence compiler */
1590 switch (vap->iv_flags & IEEE80211_F_WPA) {
1591 case IEEE80211_F_WPA1:
1592 badwparsn = (wpa == NULL);
1594 case IEEE80211_F_WPA2:
1595 badwparsn = (rsn == NULL);
1597 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1598 badwparsn = (wpa == NULL && rsn == NULL);
1602 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1604 "%s", "missing WPA/RSN IE in association request");
1605 vap->iv_stats.is_rx_assoc_badwpaie++;
1606 reason = IEEE80211_REASON_IE_INVALID;
1610 * Parse WPA/RSN information element.
1613 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1615 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1617 /* XXX wpa->rsn fallback? */
1618 /* XXX distinguish WPA/RSN? */
1619 vap->iv_stats.is_rx_assoc_badwpaie++;
1622 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1623 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1624 wpa != NULL ? "WPA" : "RSN",
1625 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1626 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1627 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1631 ieee80211_node_deauth(ni, reason);
1635 /* XXX find a better place for definition */
1636 struct l2_update_frame {
1637 struct ether_header eh;
1645 * Deliver a TGf L2UF frame on behalf of a station.
1646 * This primes any bridge when the station is roaming
1647 * between ap's on the same wired network.
1650 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1652 struct ieee80211vap *vap = ni->ni_vap;
1653 struct ifnet *ifp = vap->iv_ifp;
1655 struct l2_update_frame *l2uf;
1656 struct ether_header *eh;
1658 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA);
1660 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1661 "%s", "no mbuf for l2uf frame");
1662 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1665 l2uf = mtod(m, struct l2_update_frame *);
1667 /* dst: Broadcast address */
1668 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1669 /* src: associated STA */
1670 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1671 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1675 l2uf->control = 0xf5;
1676 l2uf->xid[0] = 0x81;
1677 l2uf->xid[1] = 0x80;
1678 l2uf->xid[2] = 0x00;
1680 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1681 hostap_deliver_data(vap, ni, m);
1685 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1686 int reassoc, int resp, const char *tag, int rate)
1688 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1689 "deny %s request, %s rate set mismatch, rate/MCS %d",
1690 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1691 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1692 ieee80211_node_leave(ni);
1696 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1697 int reassoc, int resp, const char *tag, int capinfo)
1699 struct ieee80211vap *vap = ni->ni_vap;
1701 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1702 "deny %s request, %s mismatch 0x%x",
1703 reassoc ? "reassoc" : "assoc", tag, capinfo);
1704 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1705 ieee80211_node_leave(ni);
1706 vap->iv_stats.is_rx_assoc_capmismatch++;
1710 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1711 int reassoc, int resp)
1713 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1714 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1715 /* XXX no better code */
1716 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1717 ieee80211_node_leave(ni);
1721 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1722 int algo, int seq, int status)
1724 struct ieee80211vap *vap = ni->ni_vap;
1726 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1727 wh, NULL, "unsupported alg %d", algo);
1728 vap->iv_stats.is_rx_auth_unsupported++;
1729 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1730 seq | (status << 16));
1734 ishtmixed(const uint8_t *ie)
1736 const struct ieee80211_ie_htinfo *ht =
1737 (const struct ieee80211_ie_htinfo *) ie;
1738 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1739 IEEE80211_HTINFO_OPMODE_MIXED;
1743 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1745 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1748 /* NB: the 11b clients we care about will not have xrates */
1749 if (xrates != NULL || rates == NULL)
1751 for (i = 0; i < rates[1]; i++) {
1752 int r = rates[2+i] & IEEE80211_RATE_VAL;
1753 if (r > 2*11 || ((1<<r) & brates) == 0)
1760 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1761 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1763 struct ieee80211vap *vap = ni->ni_vap;
1764 struct ieee80211com *ic = ni->ni_ic;
1765 struct ieee80211_frame *wh;
1766 uint8_t *frm, *efrm, *sfrm;
1767 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1768 uint8_t *vhtcap, *vhtinfo;
1772 wh = mtod(m0, struct ieee80211_frame *);
1773 frm = (uint8_t *)&wh[1];
1774 efrm = mtod(m0, uint8_t *) + m0->m_len;
1776 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1778 * We process beacon/probe response frames when scanning;
1779 * otherwise we check beacon frames for overlapping non-ERP
1780 * BSS in 11g and/or overlapping legacy BSS when in HT.
1782 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1783 vap->iv_stats.is_rx_mgtdiscard++;
1787 case IEEE80211_FC0_SUBTYPE_BEACON: {
1788 struct ieee80211_scanparams scan;
1790 /* NB: accept off-channel frames */
1791 /* XXX TODO: use rxstatus to determine off-channel details */
1792 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1795 * Count frame now that we know it's to be processed.
1797 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1798 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1799 IEEE80211_NODE_STAT(ni, rx_beacons);
1801 IEEE80211_NODE_STAT(ni, rx_proberesp);
1803 * If scanning, just pass information to the scan module.
1805 if (ic->ic_flags & IEEE80211_F_SCAN) {
1806 if (scan.status == 0 && /* NB: on channel */
1807 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1809 * Actively scanning a channel marked passive;
1810 * send a probe request now that we know there
1811 * is 802.11 traffic present.
1813 * XXX check if the beacon we recv'd gives
1814 * us what we need and suppress the probe req
1816 ieee80211_probe_curchan(vap, 1);
1817 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1819 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1824 * Check beacon for overlapping bss w/ non ERP stations.
1825 * If we detect one and protection is configured but not
1826 * enabled, enable it and start a timer that'll bring us
1827 * out if we stop seeing the bss.
1829 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1830 scan.status == 0 && /* NB: on-channel */
1831 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1832 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1833 vap->iv_lastnonerp = ticks;
1834 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1836 * XXX TODO: this may need to check all VAPs?
1838 if (vap->iv_protmode != IEEE80211_PROT_NONE &&
1839 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) {
1840 IEEE80211_NOTE_FRAME(vap,
1841 IEEE80211_MSG_ASSOC, wh,
1842 "non-ERP present on channel %d "
1843 "(saw erp 0x%x from channel %d), "
1844 "enable use of protection",
1845 ic->ic_curchan->ic_ieee,
1846 scan.erp, scan.chan);
1847 vap->iv_flags |= IEEE80211_F_USEPROT;
1848 ieee80211_vap_update_erp_protmode(vap);
1852 * Check beacon for non-HT station on HT channel
1853 * and update HT BSS occupancy as appropriate.
1855 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1856 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1858 * Off control channel; only check frames
1859 * that come in the extension channel when
1860 * operating w/ HT40.
1862 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1864 if (scan.chan != ic->ic_curchan->ic_extieee)
1867 if (scan.htinfo == NULL) {
1868 ieee80211_htprot_update(vap,
1869 IEEE80211_HTINFO_OPMODE_PROTOPT |
1870 IEEE80211_HTINFO_NONHT_PRESENT);
1871 } else if (ishtmixed(scan.htinfo)) {
1872 /* XXX? take NONHT_PRESENT from beacon? */
1873 ieee80211_htprot_update(vap,
1874 IEEE80211_HTINFO_OPMODE_MIXED |
1875 IEEE80211_HTINFO_NONHT_PRESENT);
1881 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1882 if (vap->iv_state != IEEE80211_S_RUN) {
1883 vap->iv_stats.is_rx_mgtdiscard++;
1887 * Consult the ACL policy module if setup.
1889 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1890 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1891 wh, NULL, "%s", "disallowed by ACL");
1892 vap->iv_stats.is_rx_acl++;
1896 * prreq frame format
1898 * [tlv] supported rates
1899 * [tlv] extended supported rates
1901 ssid = rates = xrates = NULL;
1902 while (efrm - frm > 1) {
1903 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1905 case IEEE80211_ELEMID_SSID:
1908 case IEEE80211_ELEMID_RATES:
1911 case IEEE80211_ELEMID_XRATES:
1917 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1919 IEEE80211_VERIFY_ELEMENT(xrates,
1920 IEEE80211_RATE_MAXSIZE - rates[1], return);
1921 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1922 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1923 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1924 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1926 "%s", "no ssid with ssid suppression enabled");
1927 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1931 /* XXX find a better class or define it's own */
1932 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1933 "%s", "recv probe req");
1935 * Some legacy 11b clients cannot hack a complete
1936 * probe response frame. When the request includes
1937 * only a bare-bones rate set, communicate this to
1938 * the transmit side.
1940 ieee80211_send_proberesp(vap, wh->i_addr2,
1941 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1944 case IEEE80211_FC0_SUBTYPE_AUTH: {
1945 uint16_t algo, seq, status;
1947 if (vap->iv_state != IEEE80211_S_RUN) {
1948 vap->iv_stats.is_rx_mgtdiscard++;
1951 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1952 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1953 wh, NULL, "%s", "wrong bssid");
1954 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1964 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1965 algo = le16toh(*(uint16_t *)frm);
1966 seq = le16toh(*(uint16_t *)(frm + 2));
1967 status = le16toh(*(uint16_t *)(frm + 4));
1968 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1969 "recv auth frame with algorithm %d seq %d", algo, seq);
1971 * Consult the ACL policy module if setup.
1973 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1974 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1975 wh, NULL, "%s", "disallowed by ACL");
1976 vap->iv_stats.is_rx_acl++;
1977 ieee80211_send_error(ni, wh->i_addr2,
1978 IEEE80211_FC0_SUBTYPE_AUTH,
1979 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1982 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1983 IEEE80211_DISCARD(vap,
1984 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1985 wh, NULL, "%s", "TKIP countermeasures enabled");
1986 vap->iv_stats.is_rx_auth_countermeasures++;
1987 ieee80211_send_error(ni, wh->i_addr2,
1988 IEEE80211_FC0_SUBTYPE_AUTH,
1989 IEEE80211_REASON_MIC_FAILURE);
1992 if (algo == IEEE80211_AUTH_ALG_SHARED)
1993 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1995 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1996 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1997 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1998 authalgreject(ni, wh, algo,
1999 seq+1, IEEE80211_STATUS_ALG);
2003 * We assume that an unknown algorithm is the result
2004 * of a decryption failure on a shared key auth frame;
2005 * return a status code appropriate for that instead
2006 * of IEEE80211_STATUS_ALG.
2008 * NB: a seq# of 4 is intentional; the decrypted
2009 * frame likely has a bogus seq value.
2011 authalgreject(ni, wh, algo,
2012 4, IEEE80211_STATUS_CHALLENGE);
2018 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2019 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2020 uint16_t capinfo, lintval;
2021 struct ieee80211_rsnparms rsnparms;
2023 if (vap->iv_state != IEEE80211_S_RUN) {
2024 vap->iv_stats.is_rx_mgtdiscard++;
2027 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2028 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2029 wh, NULL, "%s", "wrong bssid");
2030 vap->iv_stats.is_rx_assoc_bss++;
2033 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2035 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2038 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2040 if (ni == vap->iv_bss) {
2041 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2042 "deny %s request, sta not authenticated",
2043 reassoc ? "reassoc" : "assoc");
2044 ieee80211_send_error(ni, wh->i_addr2,
2045 IEEE80211_FC0_SUBTYPE_DEAUTH,
2046 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2047 vap->iv_stats.is_rx_assoc_notauth++;
2052 * asreq frame format
2053 * [2] capability information
2054 * [2] listen interval
2055 * [6*] current AP address (reassoc only)
2057 * [tlv] supported rates
2058 * [tlv] extended supported rates
2060 * [tlv] HT capabilities
2061 * [tlv] Atheros capabilities
2063 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2064 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2065 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2067 frm += 6; /* ignore current AP info */
2068 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2069 vhtcap = vhtinfo = NULL;
2071 while (efrm - frm > 1) {
2072 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2074 case IEEE80211_ELEMID_SSID:
2077 case IEEE80211_ELEMID_RATES:
2080 case IEEE80211_ELEMID_XRATES:
2083 case IEEE80211_ELEMID_RSN:
2086 case IEEE80211_ELEMID_HTCAP:
2089 case IEEE80211_ELEMID_VHT_CAP:
2092 case IEEE80211_ELEMID_VHT_OPMODE:
2095 case IEEE80211_ELEMID_VENDOR:
2098 else if (iswmeinfo(frm))
2100 #ifdef IEEE80211_SUPPORT_SUPERG
2101 else if (isatherosoui(frm))
2104 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2105 if (ishtcapoui(frm) && htcap == NULL)
2112 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2114 IEEE80211_VERIFY_ELEMENT(xrates,
2115 IEEE80211_RATE_MAXSIZE - rates[1], return);
2116 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2117 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2118 if (htcap != NULL) {
2119 IEEE80211_VERIFY_LENGTH(htcap[1],
2120 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2121 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2122 sizeof(struct ieee80211_ie_htcap)-2,
2123 return); /* XXX just NULL out? */
2126 /* Validate VHT IEs */
2127 if (vhtcap != NULL) {
2128 IEEE80211_VERIFY_LENGTH(vhtcap[1],
2129 sizeof(struct ieee80211_ie_vhtcap) - 2,
2132 if (vhtinfo != NULL) {
2133 IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2134 sizeof(struct ieee80211_ie_vht_operation) - 2,
2138 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2139 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2141 /* discard challenge after association */
2142 if (ni->ni_challenge != NULL) {
2143 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2144 ni->ni_challenge = NULL;
2146 /* NB: 802.11 spec says to ignore station's privacy bit */
2147 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2148 capinfomismatch(ni, wh, reassoc, resp,
2149 "capability", capinfo);
2153 * Disallow re-associate w/ invalid slot time setting.
2155 if (ni->ni_associd != 0 &&
2156 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2157 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2158 capinfomismatch(ni, wh, reassoc, resp,
2159 "slot time", capinfo);
2162 rate = ieee80211_setup_rates(ni, rates, xrates,
2163 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2164 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2165 if (rate & IEEE80211_RATE_BASIC) {
2166 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2167 vap->iv_stats.is_rx_assoc_norate++;
2171 * If constrained to 11g-only stations reject an
2172 * 11b-only station. We cheat a bit here by looking
2173 * at the max negotiated xmit rate and assuming anyone
2174 * with a best rate <24Mb/s is an 11b station.
2176 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2177 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2178 vap->iv_stats.is_rx_assoc_norate++;
2183 * Do HT rate set handling and setup HT node state.
2185 ni->ni_chan = vap->iv_bss->ni_chan;
2188 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2191 /* XXX TODO; see below */
2192 printf("%s: VHT TODO!\n", __func__);
2193 ieee80211_vht_node_init(ni);
2194 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2195 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2196 ieee80211_vht_node_cleanup(ni);
2199 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2200 rate = ieee80211_setup_htrates(ni, htcap,
2201 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2203 if (rate & IEEE80211_RATE_BASIC) {
2204 ratesetmismatch(ni, wh, reassoc, resp,
2206 vap->iv_stats.is_ht_assoc_norate++;
2209 ieee80211_ht_node_init(ni);
2210 ieee80211_ht_updatehtcap(ni, htcap);
2211 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2212 ieee80211_ht_node_cleanup(ni);
2214 /* Finally - this will use HT/VHT info to change node channel */
2215 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2216 ieee80211_ht_updatehtcap_final(ni);
2219 #ifdef IEEE80211_SUPPORT_SUPERG
2220 /* Always do ff node cleanup; for A-MSDU */
2221 ieee80211_ff_node_cleanup(ni);
2224 * Allow AMPDU operation only with unencrypted traffic
2225 * or AES-CCM; the 11n spec only specifies these ciphers
2226 * so permitting any others is undefined and can lead
2227 * to interoperability problems.
2229 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2230 (((vap->iv_flags & IEEE80211_F_WPA) &&
2231 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2232 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2234 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2235 "disallow HT use because WEP or TKIP requested, "
2236 "capinfo 0x%x ucastcipher %d", capinfo,
2237 rsnparms.rsn_ucastcipher);
2238 ieee80211_ht_node_cleanup(ni);
2239 #ifdef IEEE80211_SUPPORT_SUPERG
2240 /* Always do ff node cleanup; for A-MSDU */
2241 ieee80211_ff_node_cleanup(ni);
2243 vap->iv_stats.is_ht_assoc_downgrade++;
2246 * If constrained to 11n-only stations reject legacy stations.
2248 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2249 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2250 htcapmismatch(ni, wh, reassoc, resp);
2251 vap->iv_stats.is_ht_assoc_nohtcap++;
2254 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2256 ni->ni_intval = lintval;
2257 ni->ni_capinfo = capinfo;
2258 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2259 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2262 * XXX maybe better to just expand
2264 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2265 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2267 setie(wpa_ie, wpa - sfrm);
2269 setie(rsn_ie, rsn - sfrm);
2271 setie(htcap_ie, htcap - sfrm);
2273 setie(wme_ie, wme - sfrm);
2275 * Mark node as capable of QoS.
2277 ni->ni_flags |= IEEE80211_NODE_QOS;
2278 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
2279 if (ni->ni_uapsd != 0)
2281 IEEE80211_NODE_UAPSD;
2284 ~IEEE80211_NODE_UAPSD;
2288 ~(IEEE80211_NODE_QOS |
2289 IEEE80211_NODE_UAPSD);
2290 #ifdef IEEE80211_SUPPORT_SUPERG
2292 setie(ath_ie, ath - sfrm);
2294 * Parse ATH station parameters.
2296 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2299 ni->ni_ath_flags = 0;
2302 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2303 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
2304 ni->ni_ath_flags = 0;
2306 ieee80211_node_join(ni, resp);
2307 ieee80211_deliver_l2uf(ni);
2311 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2312 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2313 #ifdef IEEE80211_DEBUG
2317 if (vap->iv_state != IEEE80211_S_RUN ||
2318 /* NB: can happen when in promiscuous mode */
2319 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2320 vap->iv_stats.is_rx_mgtdiscard++;
2324 * deauth/disassoc frame format
2327 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2328 #ifdef IEEE80211_DEBUG
2329 reason = le16toh(*(uint16_t *)frm);
2331 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2332 vap->iv_stats.is_rx_deauth++;
2333 IEEE80211_NODE_STAT(ni, rx_deauth);
2335 vap->iv_stats.is_rx_disassoc++;
2336 IEEE80211_NODE_STAT(ni, rx_disassoc);
2338 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2339 "recv %s (reason: %d (%s))",
2340 ieee80211_mgt_subtype_name(subtype),
2341 reason, ieee80211_reason_to_string(reason));
2342 if (ni != vap->iv_bss)
2343 ieee80211_node_leave(ni);
2347 case IEEE80211_FC0_SUBTYPE_ACTION:
2348 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2349 if (ni == vap->iv_bss) {
2350 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2351 wh, NULL, "%s", "unknown node");
2352 vap->iv_stats.is_rx_mgtdiscard++;
2353 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2354 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2355 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2356 wh, NULL, "%s", "not for us");
2357 vap->iv_stats.is_rx_mgtdiscard++;
2358 } else if (vap->iv_state != IEEE80211_S_RUN) {
2359 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2360 wh, NULL, "wrong state %s",
2361 ieee80211_state_name[vap->iv_state]);
2362 vap->iv_stats.is_rx_mgtdiscard++;
2364 if (ieee80211_parse_action(ni, m0) == 0)
2365 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2369 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2370 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2371 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2372 case IEEE80211_FC0_SUBTYPE_ATIM:
2373 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2374 wh, NULL, "%s", "not handled");
2375 vap->iv_stats.is_rx_mgtdiscard++;
2379 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2380 wh, "mgt", "subtype 0x%x not handled", subtype);
2381 vap->iv_stats.is_rx_badsubtype++;
2387 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2390 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2391 ni->ni_vap->iv_recv_pspoll(ni, m);
2393 case IEEE80211_FC0_SUBTYPE_BAR:
2394 ieee80211_recv_bar(ni, m);
2400 * Process a received ps-poll frame.
2403 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2405 struct ieee80211vap *vap = ni->ni_vap;
2406 struct ieee80211com *ic = vap->iv_ic;
2407 struct ieee80211_frame_min *wh;
2412 wh = mtod(m0, struct ieee80211_frame_min *);
2413 if (ni->ni_associd == 0) {
2414 IEEE80211_DISCARD(vap,
2415 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2416 (struct ieee80211_frame *) wh, NULL,
2417 "%s", "unassociated station");
2418 vap->iv_stats.is_ps_unassoc++;
2419 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2420 IEEE80211_REASON_NOT_ASSOCED);
2424 aid = le16toh(*(uint16_t *)wh->i_dur);
2425 if (aid != ni->ni_associd) {
2426 IEEE80211_DISCARD(vap,
2427 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2428 (struct ieee80211_frame *) wh, NULL,
2429 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2430 ni->ni_associd, aid);
2431 vap->iv_stats.is_ps_badaid++;
2433 * NB: We used to deauth the station but it turns out
2434 * the Blackberry Curve 8230 (and perhaps other devices)
2435 * sometimes send the wrong AID when WME is negotiated.
2436 * Being more lenient here seems ok as we already check
2437 * the station is associated and we only return frames
2438 * queued for the station (i.e. we don't use the AID).
2443 /* Okay, take the first queued packet and put it out... */
2444 m = ieee80211_node_psq_dequeue(ni, &qlen);
2446 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2447 "%s", "recv ps-poll, but queue empty");
2448 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2449 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2450 if (vap->iv_set_tim != NULL)
2451 vap->iv_set_tim(ni, 0); /* just in case */
2455 * If there are more packets, set the more packets bit
2456 * in the packet dispatched to the station; otherwise
2457 * turn off the TIM bit.
2460 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2461 "recv ps-poll, send packet, %u still queued", qlen);
2462 m->m_flags |= M_MORE_DATA;
2464 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2465 "%s", "recv ps-poll, send packet, queue empty");
2466 if (vap->iv_set_tim != NULL)
2467 vap->iv_set_tim(ni, 0);
2469 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2472 * Do the right thing; if it's an encap'ed frame then
2473 * call ieee80211_parent_xmitpkt() else
2474 * call ieee80211_vap_xmitpkt().
2476 if (m->m_flags & M_ENCAP) {
2477 (void) ieee80211_parent_xmitpkt(ic, m);
2479 (void) ieee80211_vap_xmitpkt(vap, m);