2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 HOSTAP mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
63 #include <net80211/ieee80211_wds.h>
65 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
67 static void hostap_vattach(struct ieee80211vap *);
68 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
69 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
71 static void hostap_deliver_data(struct ieee80211vap *,
72 struct ieee80211_node *, struct mbuf *);
73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
74 int subtype, int rssi, int nf);
75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
76 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
79 ieee80211_hostap_attach(struct ieee80211com *ic)
81 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
85 ieee80211_hostap_detach(struct ieee80211com *ic)
90 hostap_vdetach(struct ieee80211vap *vap)
95 hostap_vattach(struct ieee80211vap *vap)
97 vap->iv_newstate = hostap_newstate;
98 vap->iv_input = hostap_input;
99 vap->iv_recv_mgmt = hostap_recv_mgmt;
100 vap->iv_recv_ctl = hostap_recv_ctl;
101 vap->iv_opdetach = hostap_vdetach;
102 vap->iv_deliver_data = hostap_deliver_data;
106 sta_disassoc(void *arg, struct ieee80211_node *ni)
108 struct ieee80211vap *vap = arg;
110 if (ni->ni_vap == vap && ni->ni_associd != 0) {
111 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
112 IEEE80211_REASON_ASSOC_LEAVE);
113 ieee80211_node_leave(ni);
118 * IEEE80211_M_HOSTAP vap state machine handler.
121 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
123 struct ieee80211com *ic = vap->iv_ic;
124 enum ieee80211_state ostate;
126 IEEE80211_LOCK_ASSERT(ic);
128 ostate = vap->iv_state;
129 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
130 __func__, ieee80211_state_name[ostate],
131 ieee80211_state_name[nstate], arg);
132 vap->iv_state = nstate; /* state transition */
133 if (ostate != IEEE80211_S_SCAN)
134 ieee80211_cancel_scan(vap); /* background scan */
136 case IEEE80211_S_INIT:
138 case IEEE80211_S_SCAN:
139 ieee80211_cancel_scan(vap);
141 case IEEE80211_S_CAC:
142 ieee80211_dfs_cac_stop(vap);
144 case IEEE80211_S_RUN:
145 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
150 if (ostate != IEEE80211_S_INIT) {
151 /* NB: optimize INIT -> INIT case */
152 ieee80211_reset_bss(vap);
154 if (vap->iv_auth->ia_detach != NULL)
155 vap->iv_auth->ia_detach(vap);
157 case IEEE80211_S_SCAN:
159 case IEEE80211_S_CSA:
160 case IEEE80211_S_RUN:
161 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
163 * Clear overlapping BSS state; the beacon frame
164 * will be reconstructed on transition to the RUN
165 * state and the timeout routines check if the flag
166 * is set before doing anything so this is sufficient.
168 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
169 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR;
171 case IEEE80211_S_CAC:
173 * NB: We may get here because of a manual channel
174 * change in which case we need to stop CAC
175 * XXX no need to stop if ostate RUN but it's ok
177 ieee80211_dfs_cac_stop(vap);
179 case IEEE80211_S_INIT:
180 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
181 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
183 * Already have a channel; bypass the
184 * scan and startup immediately.
185 * ieee80211_create_ibss will call back to
186 * move us to RUN state.
188 ieee80211_create_ibss(vap, vap->iv_des_chan);
192 * Initiate a scan. We can come here as a result
193 * of an IEEE80211_IOC_SCAN_REQ too in which case
194 * the vap will be marked with IEEE80211_FEXT_SCANREQ
195 * and the scan request parameters will be present
196 * in iv_scanreq. Otherwise we do the default.
198 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
199 ieee80211_check_scan(vap,
200 vap->iv_scanreq_flags,
201 vap->iv_scanreq_duration,
202 vap->iv_scanreq_mindwell,
203 vap->iv_scanreq_maxdwell,
204 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
205 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
207 ieee80211_check_scan_current(vap);
209 case IEEE80211_S_SCAN:
211 * A state change requires a reset; scan.
213 ieee80211_check_scan_current(vap);
219 case IEEE80211_S_CAC:
221 * Start CAC on a DFS channel. We come here when starting
222 * a bss on a DFS channel (see ieee80211_create_ibss).
224 ieee80211_dfs_cac_start(vap);
226 case IEEE80211_S_RUN:
227 if (vap->iv_flags & IEEE80211_F_WPA) {
228 /* XXX validate prerequisites */
231 case IEEE80211_S_INIT:
233 * Already have a channel; bypass the
234 * scan and startup immediately.
235 * Note that ieee80211_create_ibss will call
236 * back to do a RUN->RUN state change.
238 ieee80211_create_ibss(vap,
239 ieee80211_ht_adjust_channel(ic,
240 ic->ic_curchan, vap->iv_flags_ext));
241 /* NB: iv_bss is changed on return */
243 case IEEE80211_S_CAC:
245 * NB: This is the normal state change when CAC
246 * expires and no radar was detected; no need to
247 * clear the CAC timer as it's already expired.
250 case IEEE80211_S_CSA:
252 * Update bss node channel to reflect where
253 * we landed after CSA.
255 ieee80211_node_set_chan(vap->iv_bss,
256 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
257 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
258 /* XXX bypass debug msgs */
260 case IEEE80211_S_SCAN:
261 case IEEE80211_S_RUN:
262 #ifdef IEEE80211_DEBUG
263 if (ieee80211_msg_debug(vap)) {
264 struct ieee80211_node *ni = vap->iv_bss;
266 "synchronized with %s ssid ",
267 ether_sprintf(ni->ni_bssid));
268 ieee80211_print_essid(ni->ni_essid,
271 printf(" channel %d start %uMb\n",
272 ieee80211_chan2ieee(ic, ic->ic_curchan),
273 IEEE80211_RATE2MBS(ni->ni_txrate));
281 * Start/stop the authenticator. We delay until here
282 * to allow configuration to happen out of order.
284 if (vap->iv_auth->ia_attach != NULL) {
285 /* XXX check failure */
286 vap->iv_auth->ia_attach(vap);
287 } else if (vap->iv_auth->ia_detach != NULL) {
288 vap->iv_auth->ia_detach(vap);
290 ieee80211_node_authorize(vap->iv_bss);
299 hostap_deliver_data(struct ieee80211vap *vap,
300 struct ieee80211_node *ni, struct mbuf *m)
302 struct ether_header *eh = mtod(m, struct ether_header *);
303 struct ifnet *ifp = vap->iv_ifp;
305 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
306 ("gack, opmode %d", vap->iv_opmode));
311 IEEE80211_NODE_STAT(ni, rx_data);
312 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
313 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
314 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
315 IEEE80211_NODE_STAT(ni, rx_mcast);
317 IEEE80211_NODE_STAT(ni, rx_ucast);
319 /* clear driver/net80211 flags before passing up */
320 m->m_flags &= ~M_80211_RX;
322 /* perform as a bridge within the AP */
323 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
324 struct mbuf *mcopy = NULL;
326 if (m->m_flags & M_MCAST) {
327 mcopy = m_dup(m, M_DONTWAIT);
331 mcopy->m_flags |= M_MCAST;
334 * Check if the destination is associated with the
335 * same vap and authorized to receive traffic.
336 * Beware of traffic destined for the vap itself;
337 * sending it will not work; just let it be delivered
340 struct ieee80211_node *sta = ieee80211_find_vap_node(
341 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
343 if (ieee80211_node_is_authorized(sta)) {
345 * Beware of sending to ourself; this
346 * needs to happen via the normal
349 if (sta != vap->iv_bss) {
354 vap->iv_stats.is_rx_unauth++;
355 IEEE80211_NODE_STAT(sta, rx_unauth);
357 ieee80211_free_node(sta);
362 len = mcopy->m_pkthdr.len;
363 err = ifp->if_transmit(ifp, mcopy);
365 /* NB: IFQ_HANDOFF reclaims mcopy */
373 * Mark frame as coming from vap's interface.
375 m->m_pkthdr.rcvif = ifp;
376 if (m->m_flags & M_MCAST) {
378 * Spam DWDS vap's w/ multicast traffic.
380 /* XXX only if dwds in use? */
381 ieee80211_dwds_mcast(vap, m);
383 if (ni->ni_vlan != 0) {
384 /* attach vlan tag */
385 m->m_pkthdr.ether_vtag = ni->ni_vlan;
386 m->m_flags |= M_VLANTAG;
388 ifp->if_input(ifp, m);
393 * Decide if a received management frame should be
394 * printed when debugging is enabled. This filters some
395 * of the less interesting frames that come frequently
399 doprint(struct ieee80211vap *vap, int subtype)
402 case IEEE80211_FC0_SUBTYPE_BEACON:
403 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
404 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
411 * Process a received frame. The node associated with the sender
412 * should be supplied. If nothing was found in the node table then
413 * the caller is assumed to supply a reference to iv_bss instead.
414 * The RSSI and a timestamp are also supplied. The RSSI data is used
415 * during AP scanning to select a AP to associate with; it can have
416 * any units so long as values have consistent units and higher values
417 * mean ``better signal''. The receive timestamp is currently not used
418 * by the 802.11 layer.
421 hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
423 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
424 #define HAS_SEQ(type) ((type & 0x4) == 0)
425 struct ieee80211vap *vap = ni->ni_vap;
426 struct ieee80211com *ic = ni->ni_ic;
427 struct ifnet *ifp = vap->iv_ifp;
428 struct ieee80211_frame *wh;
429 struct ieee80211_key *key;
430 struct ether_header *eh;
431 int hdrspace, need_tap;
432 uint8_t dir, type, subtype, qos;
436 if (m->m_flags & M_AMPDU_MPDU) {
438 * Fastpath for A-MPDU reorder q resubmission. Frames
439 * w/ M_AMPDU_MPDU marked have already passed through
440 * here but were received out of order and been held on
441 * the reorder queue. When resubmitted they are marked
442 * with the M_AMPDU_MPDU flag and we can bypass most of
443 * the normal processing.
445 wh = mtod(m, struct ieee80211_frame *);
446 type = IEEE80211_FC0_TYPE_DATA;
447 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
448 subtype = IEEE80211_FC0_SUBTYPE_QOS;
449 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
453 KASSERT(ni != NULL, ("null node"));
454 ni->ni_inact = ni->ni_inact_reload;
456 need_tap = 1; /* mbuf need to be tapped. */
457 type = -1; /* undefined */
459 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
460 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
461 ni->ni_macaddr, NULL,
462 "too short (1): len %u", m->m_pkthdr.len);
463 vap->iv_stats.is_rx_tooshort++;
467 * Bit of a cheat here, we use a pointer for a 3-address
468 * frame format but don't reference fields past outside
469 * ieee80211_frame_min w/o first validating the data is
472 wh = mtod(m, struct ieee80211_frame *);
474 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
475 IEEE80211_FC0_VERSION_0) {
476 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
477 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
478 wh->i_fc[0], wh->i_fc[1]);
479 vap->iv_stats.is_rx_badversion++;
483 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
484 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
485 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
486 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
487 if (dir != IEEE80211_FC1_DIR_NODS)
489 else if (type == IEEE80211_FC0_TYPE_CTL)
492 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
493 IEEE80211_DISCARD_MAC(vap,
494 IEEE80211_MSG_ANY, ni->ni_macaddr,
495 NULL, "too short (2): len %u",
497 vap->iv_stats.is_rx_tooshort++;
503 * Validate the bssid.
505 if (!(type == IEEE80211_FC0_TYPE_MGT &&
506 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
507 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
508 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
509 /* not interested in */
510 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
511 bssid, NULL, "%s", "not to bss");
512 vap->iv_stats.is_rx_wrongbss++;
516 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
519 uint8_t tid = ieee80211_gettid(wh);
520 if (IEEE80211_QOS_HAS_SEQ(wh) &&
521 TID_TO_WME_AC(tid) >= WME_AC_VI)
522 ic->ic_wme.wme_hipri_traffic++;
523 rxseq = le16toh(*(uint16_t *)wh->i_seq);
524 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
525 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
526 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
527 /* duplicate, discard */
528 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
530 "seqno <%u,%u> fragno <%u,%u> tid %u",
531 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
532 ni->ni_rxseqs[tid] >>
533 IEEE80211_SEQ_SEQ_SHIFT,
534 rxseq & IEEE80211_SEQ_FRAG_MASK,
536 IEEE80211_SEQ_FRAG_MASK,
538 vap->iv_stats.is_rx_dup++;
539 IEEE80211_NODE_STAT(ni, rx_dup);
542 ni->ni_rxseqs[tid] = rxseq;
547 case IEEE80211_FC0_TYPE_DATA:
548 hdrspace = ieee80211_hdrspace(ic, wh);
549 if (m->m_len < hdrspace &&
550 (m = m_pullup(m, hdrspace)) == NULL) {
551 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
552 ni->ni_macaddr, NULL,
553 "data too short: expecting %u", hdrspace);
554 vap->iv_stats.is_rx_tooshort++;
557 if (!(dir == IEEE80211_FC1_DIR_TODS ||
558 (dir == IEEE80211_FC1_DIR_DSTODS &&
559 (vap->iv_flags & IEEE80211_F_DWDS)))) {
560 if (dir != IEEE80211_FC1_DIR_DSTODS) {
561 IEEE80211_DISCARD(vap,
562 IEEE80211_MSG_INPUT, wh, "data",
563 "incorrect dir 0x%x", dir);
565 IEEE80211_DISCARD(vap,
566 IEEE80211_MSG_INPUT |
567 IEEE80211_MSG_WDS, wh,
569 "%s", "DWDS not enabled");
571 vap->iv_stats.is_rx_wrongdir++;
574 /* check if source STA is associated */
575 if (ni == vap->iv_bss) {
576 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
577 wh, "data", "%s", "unknown src");
578 ieee80211_send_error(ni, wh->i_addr2,
579 IEEE80211_FC0_SUBTYPE_DEAUTH,
580 IEEE80211_REASON_NOT_AUTHED);
581 vap->iv_stats.is_rx_notassoc++;
584 if (ni->ni_associd == 0) {
585 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
586 wh, "data", "%s", "unassoc src");
587 IEEE80211_SEND_MGMT(ni,
588 IEEE80211_FC0_SUBTYPE_DISASSOC,
589 IEEE80211_REASON_NOT_ASSOCED);
590 vap->iv_stats.is_rx_notassoc++;
595 * Check for power save state change.
596 * XXX out-of-order A-MPDU frames?
598 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
599 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
600 ieee80211_node_pwrsave(ni,
601 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
603 * For 4-address packets handle WDS discovery
604 * notifications. Once a WDS link is setup frames
605 * are just delivered to the WDS vap (see below).
607 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
608 if (!ieee80211_node_is_authorized(ni)) {
609 IEEE80211_DISCARD(vap,
610 IEEE80211_MSG_INPUT |
611 IEEE80211_MSG_WDS, wh,
613 "%s", "unauthorized port");
614 vap->iv_stats.is_rx_unauth++;
615 IEEE80211_NODE_STAT(ni, rx_unauth);
618 ieee80211_dwds_discover(ni, m);
623 * Handle A-MPDU re-ordering. If the frame is to be
624 * processed directly then ieee80211_ampdu_reorder
625 * will return 0; otherwise it has consumed the mbuf
626 * and we should do nothing more with it.
628 if ((m->m_flags & M_AMPDU) &&
629 ieee80211_ampdu_reorder(ni, m) != 0) {
636 * Handle privacy requirements. Note that we
637 * must not be preempted from here until after
638 * we (potentially) call ieee80211_crypto_demic;
639 * otherwise we may violate assumptions in the
640 * crypto cipher modules used to do delayed update
641 * of replay sequence numbers.
643 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
644 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
646 * Discard encrypted frames when privacy is off.
648 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
649 wh, "WEP", "%s", "PRIVACY off");
650 vap->iv_stats.is_rx_noprivacy++;
651 IEEE80211_NODE_STAT(ni, rx_noprivacy);
654 key = ieee80211_crypto_decap(ni, m, hdrspace);
656 /* NB: stats+msgs handled in crypto_decap */
657 IEEE80211_NODE_STAT(ni, rx_wepfail);
660 wh = mtod(m, struct ieee80211_frame *);
661 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
663 /* XXX M_WEP and IEEE80211_F_PRIVACY */
668 * Save QoS bits for use below--before we strip the header.
670 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
671 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
672 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
673 ((struct ieee80211_qosframe *)wh)->i_qos[0];
678 * Next up, any fragmentation.
680 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
681 m = ieee80211_defrag(ni, m, hdrspace);
683 /* Fragment dropped or frame not complete yet */
687 wh = NULL; /* no longer valid, catch any uses */
690 * Next strip any MSDU crypto bits.
692 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
693 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
694 ni->ni_macaddr, "data", "%s", "demic error");
695 vap->iv_stats.is_rx_demicfail++;
696 IEEE80211_NODE_STAT(ni, rx_demicfail);
699 /* copy to listener after decrypt */
700 if (ieee80211_radiotap_active_vap(vap))
701 ieee80211_radiotap_rx(vap, m);
704 * Finally, strip the 802.11 header.
706 m = ieee80211_decap(vap, m, hdrspace);
708 /* XXX mask bit to check for both */
709 /* don't count Null data frames as errors */
710 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
711 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
713 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
714 ni->ni_macaddr, "data", "%s", "decap error");
715 vap->iv_stats.is_rx_decap++;
716 IEEE80211_NODE_STAT(ni, rx_decap);
719 eh = mtod(m, struct ether_header *);
720 if (!ieee80211_node_is_authorized(ni)) {
722 * Deny any non-PAE frames received prior to
723 * authorization. For open/shared-key
724 * authentication the port is mark authorized
725 * after authentication completes. For 802.1x
726 * the port is not marked authorized by the
727 * authenticator until the handshake has completed.
729 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
731 eh->ether_shost, "data",
732 "unauthorized port: ether type 0x%x len %u",
733 eh->ether_type, m->m_pkthdr.len);
734 vap->iv_stats.is_rx_unauth++;
735 IEEE80211_NODE_STAT(ni, rx_unauth);
740 * When denying unencrypted frames, discard
741 * any non-PAE frames received without encryption.
743 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
744 (key == NULL && (m->m_flags & M_WEP) == 0) &&
745 eh->ether_type != htons(ETHERTYPE_PAE)) {
747 * Drop unencrypted frames.
749 vap->iv_stats.is_rx_unencrypted++;
750 IEEE80211_NODE_STAT(ni, rx_unencrypted);
754 /* XXX require HT? */
755 if (qos & IEEE80211_QOS_AMSDU) {
756 m = ieee80211_decap_amsdu(ni, m);
758 return IEEE80211_FC0_TYPE_DATA;
760 #ifdef IEEE80211_SUPPORT_SUPERG
761 m = ieee80211_decap_fastframe(vap, ni, m);
763 return IEEE80211_FC0_TYPE_DATA;
766 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
767 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
769 hostap_deliver_data(vap, ni, m);
770 return IEEE80211_FC0_TYPE_DATA;
772 case IEEE80211_FC0_TYPE_MGT:
773 vap->iv_stats.is_rx_mgmt++;
774 IEEE80211_NODE_STAT(ni, rx_mgmt);
775 if (dir != IEEE80211_FC1_DIR_NODS) {
776 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
777 wh, "mgt", "incorrect dir 0x%x", dir);
778 vap->iv_stats.is_rx_wrongdir++;
781 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
782 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
783 ni->ni_macaddr, "mgt", "too short: len %u",
785 vap->iv_stats.is_rx_tooshort++;
788 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
789 /* ensure return frames are unicast */
790 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
791 wh, NULL, "source is multicast: %s",
792 ether_sprintf(wh->i_addr2));
793 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
796 #ifdef IEEE80211_DEBUG
797 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
798 ieee80211_msg_dumppkts(vap)) {
799 if_printf(ifp, "received %s from %s rssi %d\n",
800 ieee80211_mgt_subtype_name[subtype >>
801 IEEE80211_FC0_SUBTYPE_SHIFT],
802 ether_sprintf(wh->i_addr2), rssi);
805 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
806 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
808 * Only shared key auth frames with a challenge
809 * should be encrypted, discard all others.
811 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
813 "%s", "WEP set but not permitted");
814 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
817 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
819 * Discard encrypted frames when privacy is off.
821 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
822 wh, NULL, "%s", "WEP set but PRIVACY off");
823 vap->iv_stats.is_rx_noprivacy++;
826 hdrspace = ieee80211_hdrspace(ic, wh);
827 key = ieee80211_crypto_decap(ni, m, hdrspace);
829 /* NB: stats+msgs handled in crypto_decap */
832 wh = mtod(m, struct ieee80211_frame *);
833 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
835 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
838 case IEEE80211_FC0_TYPE_CTL:
839 vap->iv_stats.is_rx_ctl++;
840 IEEE80211_NODE_STAT(ni, rx_ctrl);
841 vap->iv_recv_ctl(ni, m, subtype);
844 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
845 wh, "bad", "frame type 0x%x", type);
846 /* should not come here */
853 if (need_tap && ieee80211_radiotap_active_vap(vap))
854 ieee80211_radiotap_rx(vap, m);
862 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
863 int rssi, int nf, uint16_t seq, uint16_t status)
865 struct ieee80211vap *vap = ni->ni_vap;
867 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
869 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
870 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
871 ni->ni_macaddr, "open auth",
872 "bad sta auth mode %u", ni->ni_authmode);
873 vap->iv_stats.is_rx_bad_auth++; /* XXX */
875 * Clear any challenge text that may be there if
876 * a previous shared key auth failed and then an
877 * open auth is attempted.
879 if (ni->ni_challenge != NULL) {
880 free(ni->ni_challenge, M_80211_NODE);
881 ni->ni_challenge = NULL;
883 /* XXX hack to workaround calling convention */
884 ieee80211_send_error(ni, wh->i_addr2,
885 IEEE80211_FC0_SUBTYPE_AUTH,
886 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
889 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
890 vap->iv_stats.is_rx_bad_auth++;
893 /* always accept open authentication requests */
894 if (ni == vap->iv_bss) {
895 ni = ieee80211_dup_bss(vap, wh->i_addr2);
898 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
899 (void) ieee80211_ref_node(ni);
901 * Mark the node as referenced to reflect that it's
902 * reference count has been bumped to insure it remains
903 * after the transaction completes.
905 ni->ni_flags |= IEEE80211_NODE_AREF;
907 * Mark the node as requiring a valid association id
908 * before outbound traffic is permitted.
910 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
912 if (vap->iv_acl != NULL &&
913 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
915 * When the ACL policy is set to RADIUS we defer the
916 * authorization to a user agent. Dispatch an event,
917 * a subsequent MLME call will decide the fate of the
918 * station. If the user agent is not present then the
919 * node will be reclaimed due to inactivity.
921 IEEE80211_NOTE_MAC(vap,
922 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
923 "%s", "station authentication defered (radius acl)");
924 ieee80211_notify_node_auth(ni);
926 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
927 IEEE80211_NOTE_MAC(vap,
928 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
929 "%s", "station authenticated (open)");
931 * When 802.1x is not in use mark the port
932 * authorized at this point so traffic can flow.
934 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
935 ieee80211_node_authorize(ni);
940 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
941 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
942 uint16_t seq, uint16_t status)
944 struct ieee80211vap *vap = ni->ni_vap;
946 int allocbs, estatus;
948 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
951 * NB: this can happen as we allow pre-shared key
952 * authentication to be enabled w/o wep being turned
953 * on so that configuration of these can be done
954 * in any order. It may be better to enforce the
955 * ordering in which case this check would just be
956 * for sanity/consistency.
958 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
959 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
960 ni->ni_macaddr, "shared key auth",
961 "%s", " PRIVACY is disabled");
962 estatus = IEEE80211_STATUS_ALG;
966 * Pre-shared key authentication is evil; accept
967 * it only if explicitly configured (it is supported
968 * mainly for compatibility with clients like Mac OS X).
970 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
971 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
972 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
973 ni->ni_macaddr, "shared key auth",
974 "bad sta auth mode %u", ni->ni_authmode);
975 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
976 estatus = IEEE80211_STATUS_ALG;
981 if (frm + 1 < efrm) {
982 if ((frm[1] + 2) > (efrm - frm)) {
983 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
984 ni->ni_macaddr, "shared key auth",
986 frm[0], (frm[1] + 2) - (efrm - frm));
987 vap->iv_stats.is_rx_bad_auth++;
988 estatus = IEEE80211_STATUS_CHALLENGE;
991 if (*frm == IEEE80211_ELEMID_CHALLENGE)
996 case IEEE80211_AUTH_SHARED_CHALLENGE:
997 case IEEE80211_AUTH_SHARED_RESPONSE:
998 if (challenge == NULL) {
999 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1000 ni->ni_macaddr, "shared key auth",
1001 "%s", "no challenge");
1002 vap->iv_stats.is_rx_bad_auth++;
1003 estatus = IEEE80211_STATUS_CHALLENGE;
1006 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1007 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1008 ni->ni_macaddr, "shared key auth",
1009 "bad challenge len %d", challenge[1]);
1010 vap->iv_stats.is_rx_bad_auth++;
1011 estatus = IEEE80211_STATUS_CHALLENGE;
1018 case IEEE80211_AUTH_SHARED_REQUEST:
1019 if (ni == vap->iv_bss) {
1020 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1022 /* NB: no way to return an error */
1027 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1028 (void) ieee80211_ref_node(ni);
1032 * Mark the node as referenced to reflect that it's
1033 * reference count has been bumped to insure it remains
1034 * after the transaction completes.
1036 ni->ni_flags |= IEEE80211_NODE_AREF;
1038 * Mark the node as requiring a valid associatio id
1039 * before outbound traffic is permitted.
1041 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1042 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1044 if (!ieee80211_alloc_challenge(ni)) {
1045 /* NB: don't return error so they rexmit */
1048 get_random_bytes(ni->ni_challenge,
1049 IEEE80211_CHALLENGE_LEN);
1050 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1051 ni, "shared key %sauth request", allocbs ? "" : "re");
1053 * When the ACL policy is set to RADIUS we defer the
1054 * authorization to a user agent. Dispatch an event,
1055 * a subsequent MLME call will decide the fate of the
1056 * station. If the user agent is not present then the
1057 * node will be reclaimed due to inactivity.
1059 if (vap->iv_acl != NULL &&
1060 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1061 IEEE80211_NOTE_MAC(vap,
1062 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1064 "%s", "station authentication defered (radius acl)");
1065 ieee80211_notify_node_auth(ni);
1069 case IEEE80211_AUTH_SHARED_RESPONSE:
1070 if (ni == vap->iv_bss) {
1071 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1072 ni->ni_macaddr, "shared key response",
1073 "%s", "unknown station");
1074 /* NB: don't send a response */
1077 if (ni->ni_challenge == NULL) {
1078 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1079 ni->ni_macaddr, "shared key response",
1080 "%s", "no challenge recorded");
1081 vap->iv_stats.is_rx_bad_auth++;
1082 estatus = IEEE80211_STATUS_CHALLENGE;
1085 if (memcmp(ni->ni_challenge, &challenge[2],
1086 challenge[1]) != 0) {
1087 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1088 ni->ni_macaddr, "shared key response",
1089 "%s", "challenge mismatch");
1090 vap->iv_stats.is_rx_auth_fail++;
1091 estatus = IEEE80211_STATUS_CHALLENGE;
1094 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1095 ni, "%s", "station authenticated (shared key)");
1096 ieee80211_node_authorize(ni);
1099 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1100 ni->ni_macaddr, "shared key auth",
1102 vap->iv_stats.is_rx_bad_auth++;
1103 estatus = IEEE80211_STATUS_SEQUENCE;
1106 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1110 * Send an error response; but only when operating as an AP.
1112 /* XXX hack to workaround calling convention */
1113 ieee80211_send_error(ni, wh->i_addr2,
1114 IEEE80211_FC0_SUBTYPE_AUTH,
1115 (seq + 1) | (estatus<<16));
1119 * Convert a WPA cipher selector OUI to an internal
1120 * cipher algorithm. Where appropriate we also
1121 * record any key length.
1124 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1126 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1127 uint32_t w = LE_READ_4(sel);
1130 case WPA_SEL(WPA_CSE_NULL):
1131 return IEEE80211_CIPHER_NONE;
1132 case WPA_SEL(WPA_CSE_WEP40):
1134 *keylen = 40 / NBBY;
1135 return IEEE80211_CIPHER_WEP;
1136 case WPA_SEL(WPA_CSE_WEP104):
1138 *keylen = 104 / NBBY;
1139 return IEEE80211_CIPHER_WEP;
1140 case WPA_SEL(WPA_CSE_TKIP):
1141 return IEEE80211_CIPHER_TKIP;
1142 case WPA_SEL(WPA_CSE_CCMP):
1143 return IEEE80211_CIPHER_AES_CCM;
1145 return 32; /* NB: so 1<< is discarded */
1150 * Convert a WPA key management/authentication algorithm
1151 * to an internal code.
1154 wpa_keymgmt(const uint8_t *sel)
1156 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1157 uint32_t w = LE_READ_4(sel);
1160 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1161 return WPA_ASE_8021X_UNSPEC;
1162 case WPA_SEL(WPA_ASE_8021X_PSK):
1163 return WPA_ASE_8021X_PSK;
1164 case WPA_SEL(WPA_ASE_NONE):
1165 return WPA_ASE_NONE;
1167 return 0; /* NB: so is discarded */
1172 * Parse a WPA information element to collect parameters.
1173 * Note that we do not validate security parameters; that
1174 * is handled by the authenticator; the parsing done here
1175 * is just for internal use in making operational decisions.
1178 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1179 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1181 uint8_t len = frm[1];
1186 * Check the length once for fixed parts: OUI, type,
1187 * version, mcast cipher, and 2 selector counts.
1188 * Other, variable-length data, must be checked separately.
1190 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1191 IEEE80211_DISCARD_IE(vap,
1192 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1193 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1194 return IEEE80211_REASON_IE_INVALID;
1197 IEEE80211_DISCARD_IE(vap,
1198 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1199 wh, "WPA", "too short, len %u", len);
1200 return IEEE80211_REASON_IE_INVALID;
1202 frm += 6, len -= 4; /* NB: len is payload only */
1203 /* NB: iswapoui already validated the OUI and type */
1205 if (w != WPA_VERSION) {
1206 IEEE80211_DISCARD_IE(vap,
1207 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1208 wh, "WPA", "bad version %u", w);
1209 return IEEE80211_REASON_IE_INVALID;
1213 memset(rsn, 0, sizeof(*rsn));
1215 /* multicast/group cipher */
1216 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1219 /* unicast ciphers */
1223 IEEE80211_DISCARD_IE(vap,
1224 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1225 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1227 return IEEE80211_REASON_IE_INVALID;
1230 for (; n > 0; n--) {
1231 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1234 if (w & (1<<IEEE80211_CIPHER_TKIP))
1235 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1237 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1239 /* key management algorithms */
1243 IEEE80211_DISCARD_IE(vap,
1244 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1245 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1247 return IEEE80211_REASON_IE_INVALID;
1250 for (; n > 0; n--) {
1251 w |= wpa_keymgmt(frm);
1254 if (w & WPA_ASE_8021X_UNSPEC)
1255 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1257 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1259 if (len > 2) /* optional capabilities */
1260 rsn->rsn_caps = LE_READ_2(frm);
1266 * Convert an RSN cipher selector OUI to an internal
1267 * cipher algorithm. Where appropriate we also
1268 * record any key length.
1271 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1273 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1274 uint32_t w = LE_READ_4(sel);
1277 case RSN_SEL(RSN_CSE_NULL):
1278 return IEEE80211_CIPHER_NONE;
1279 case RSN_SEL(RSN_CSE_WEP40):
1281 *keylen = 40 / NBBY;
1282 return IEEE80211_CIPHER_WEP;
1283 case RSN_SEL(RSN_CSE_WEP104):
1285 *keylen = 104 / NBBY;
1286 return IEEE80211_CIPHER_WEP;
1287 case RSN_SEL(RSN_CSE_TKIP):
1288 return IEEE80211_CIPHER_TKIP;
1289 case RSN_SEL(RSN_CSE_CCMP):
1290 return IEEE80211_CIPHER_AES_CCM;
1291 case RSN_SEL(RSN_CSE_WRAP):
1292 return IEEE80211_CIPHER_AES_OCB;
1294 return 32; /* NB: so 1<< is discarded */
1299 * Convert an RSN key management/authentication algorithm
1300 * to an internal code.
1303 rsn_keymgmt(const uint8_t *sel)
1305 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1306 uint32_t w = LE_READ_4(sel);
1309 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1310 return RSN_ASE_8021X_UNSPEC;
1311 case RSN_SEL(RSN_ASE_8021X_PSK):
1312 return RSN_ASE_8021X_PSK;
1313 case RSN_SEL(RSN_ASE_NONE):
1314 return RSN_ASE_NONE;
1316 return 0; /* NB: so is discarded */
1321 * Parse a WPA/RSN information element to collect parameters
1322 * and validate the parameters against what has been
1323 * configured for the system.
1326 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1327 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1329 uint8_t len = frm[1];
1334 * Check the length once for fixed parts:
1335 * version, mcast cipher, and 2 selector counts.
1336 * Other, variable-length data, must be checked separately.
1338 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1339 IEEE80211_DISCARD_IE(vap,
1340 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1341 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1342 return IEEE80211_REASON_IE_INVALID;
1345 IEEE80211_DISCARD_IE(vap,
1346 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1347 wh, "RSN", "too short, len %u", len);
1348 return IEEE80211_REASON_IE_INVALID;
1352 if (w != RSN_VERSION) {
1353 IEEE80211_DISCARD_IE(vap,
1354 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1355 wh, "RSN", "bad version %u", w);
1356 return IEEE80211_REASON_IE_INVALID;
1360 memset(rsn, 0, sizeof(*rsn));
1362 /* multicast/group cipher */
1363 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1366 /* unicast ciphers */
1370 IEEE80211_DISCARD_IE(vap,
1371 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1372 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1374 return IEEE80211_REASON_IE_INVALID;
1377 for (; n > 0; n--) {
1378 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1381 if (w & (1<<IEEE80211_CIPHER_TKIP))
1382 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1384 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1386 /* key management algorithms */
1390 IEEE80211_DISCARD_IE(vap,
1391 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1392 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1394 return IEEE80211_REASON_IE_INVALID;
1397 for (; n > 0; n--) {
1398 w |= rsn_keymgmt(frm);
1401 if (w & RSN_ASE_8021X_UNSPEC)
1402 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1404 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1406 /* optional RSN capabilities */
1408 rsn->rsn_caps = LE_READ_2(frm);
1415 * WPA/802.11i assocation request processing.
1418 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1419 const struct ieee80211_frame *wh, const uint8_t *wpa,
1420 const uint8_t *rsn, uint16_t capinfo)
1422 struct ieee80211vap *vap = ni->ni_vap;
1426 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1427 if (wpa == NULL && rsn == NULL) {
1428 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1430 * W-Fi Protected Setup (WPS) permits
1431 * clients to associate and pass EAPOL frames
1432 * to establish initial credentials.
1434 ni->ni_flags |= IEEE80211_NODE_WPS;
1437 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1438 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1440 * Transitional Security Network. Permits clients
1441 * to associate and use WEP while WPA is configured.
1443 ni->ni_flags |= IEEE80211_NODE_TSN;
1446 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1447 wh, NULL, "%s", "no WPA/RSN IE in association request");
1448 vap->iv_stats.is_rx_assoc_badwpaie++;
1449 reason = IEEE80211_REASON_IE_INVALID;
1452 /* assert right association security credentials */
1453 badwparsn = 0; /* NB: to silence compiler */
1454 switch (vap->iv_flags & IEEE80211_F_WPA) {
1455 case IEEE80211_F_WPA1:
1456 badwparsn = (wpa == NULL);
1458 case IEEE80211_F_WPA2:
1459 badwparsn = (rsn == NULL);
1461 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1462 badwparsn = (wpa == NULL && rsn == NULL);
1466 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1468 "%s", "missing WPA/RSN IE in association request");
1469 vap->iv_stats.is_rx_assoc_badwpaie++;
1470 reason = IEEE80211_REASON_IE_INVALID;
1474 * Parse WPA/RSN information element.
1477 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1479 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1481 /* XXX distinguish WPA/RSN? */
1482 vap->iv_stats.is_rx_assoc_badwpaie++;
1485 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1486 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1487 wpa != NULL ? "WPA" : "RSN",
1488 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1489 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1490 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1494 ieee80211_node_deauth(ni, reason);
1498 /* XXX find a better place for definition */
1499 struct l2_update_frame {
1500 struct ether_header eh;
1508 * Deliver a TGf L2UF frame on behalf of a station.
1509 * This primes any bridge when the station is roaming
1510 * between ap's on the same wired network.
1513 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1515 struct ieee80211vap *vap = ni->ni_vap;
1516 struct ifnet *ifp = vap->iv_ifp;
1518 struct l2_update_frame *l2uf;
1519 struct ether_header *eh;
1521 m = m_gethdr(M_NOWAIT, MT_DATA);
1523 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1524 "%s", "no mbuf for l2uf frame");
1525 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1528 l2uf = mtod(m, struct l2_update_frame *);
1530 /* dst: Broadcast address */
1531 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1532 /* src: associated STA */
1533 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1534 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1538 l2uf->control = 0xf5;
1539 l2uf->xid[0] = 0x81;
1540 l2uf->xid[1] = 0x80;
1541 l2uf->xid[2] = 0x00;
1543 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1544 hostap_deliver_data(vap, ni, m);
1548 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1549 int reassoc, int resp, const char *tag, int rate)
1551 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1552 "deny %s request, %s rate set mismatch, rate/MCS %d",
1553 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1554 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1555 ieee80211_node_leave(ni);
1559 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1560 int reassoc, int resp, const char *tag, int capinfo)
1562 struct ieee80211vap *vap = ni->ni_vap;
1564 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1565 "deny %s request, %s mismatch 0x%x",
1566 reassoc ? "reassoc" : "assoc", tag, capinfo);
1567 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1568 ieee80211_node_leave(ni);
1569 vap->iv_stats.is_rx_assoc_capmismatch++;
1573 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1574 int reassoc, int resp)
1576 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1577 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1578 /* XXX no better code */
1579 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER);
1580 ieee80211_node_leave(ni);
1584 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1585 int algo, int seq, int status)
1587 struct ieee80211vap *vap = ni->ni_vap;
1589 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1590 wh, NULL, "unsupported alg %d", algo);
1591 vap->iv_stats.is_rx_auth_unsupported++;
1592 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1593 seq | (status << 16));
1597 ishtmixed(const uint8_t *ie)
1599 const struct ieee80211_ie_htinfo *ht =
1600 (const struct ieee80211_ie_htinfo *) ie;
1601 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1602 IEEE80211_HTINFO_OPMODE_MIXED;
1606 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1608 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1611 /* NB: the 11b clients we care about will not have xrates */
1612 if (xrates != NULL || rates == NULL)
1614 for (i = 0; i < rates[1]; i++) {
1615 int r = rates[2+i] & IEEE80211_RATE_VAL;
1616 if (r > 2*11 || ((1<<r) & brates) == 0)
1623 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1624 int subtype, int rssi, int nf)
1626 struct ieee80211vap *vap = ni->ni_vap;
1627 struct ieee80211com *ic = ni->ni_ic;
1628 struct ieee80211_frame *wh;
1629 uint8_t *frm, *efrm, *sfrm;
1630 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1634 wh = mtod(m0, struct ieee80211_frame *);
1635 frm = (uint8_t *)&wh[1];
1636 efrm = mtod(m0, uint8_t *) + m0->m_len;
1638 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1639 case IEEE80211_FC0_SUBTYPE_BEACON: {
1640 struct ieee80211_scanparams scan;
1642 * We process beacon/probe response frames when scanning;
1643 * otherwise we check beacon frames for overlapping non-ERP
1644 * BSS in 11g and/or overlapping legacy BSS when in HT.
1646 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1647 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1648 vap->iv_stats.is_rx_mgtdiscard++;
1651 /* NB: accept off-channel frames */
1652 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1655 * Count frame now that we know it's to be processed.
1657 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1658 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1659 IEEE80211_NODE_STAT(ni, rx_beacons);
1661 IEEE80211_NODE_STAT(ni, rx_proberesp);
1663 * If scanning, just pass information to the scan module.
1665 if (ic->ic_flags & IEEE80211_F_SCAN) {
1666 if (scan.status == 0 && /* NB: on channel */
1667 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1669 * Actively scanning a channel marked passive;
1670 * send a probe request now that we know there
1671 * is 802.11 traffic present.
1673 * XXX check if the beacon we recv'd gives
1674 * us what we need and suppress the probe req
1676 ieee80211_probe_curchan(vap, 1);
1677 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1679 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1683 * Check beacon for overlapping bss w/ non ERP stations.
1684 * If we detect one and protection is configured but not
1685 * enabled, enable it and start a timer that'll bring us
1686 * out if we stop seeing the bss.
1688 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1689 scan.status == 0 && /* NB: on-channel */
1690 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1691 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1692 ic->ic_lastnonerp = ticks;
1693 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1694 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1695 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1696 IEEE80211_NOTE_FRAME(vap,
1697 IEEE80211_MSG_ASSOC, wh,
1698 "non-ERP present on channel %d "
1699 "(saw erp 0x%x from channel %d), "
1700 "enable use of protection",
1701 ic->ic_curchan->ic_ieee,
1702 scan.erp, scan.chan);
1703 ic->ic_flags |= IEEE80211_F_USEPROT;
1704 ieee80211_notify_erp(ic);
1708 * Check beacon for non-HT station on HT channel
1709 * and update HT BSS occupancy as appropriate.
1711 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1712 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1714 * Off control channel; only check frames
1715 * that come in the extension channel when
1716 * operating w/ HT40.
1718 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1720 if (scan.chan != ic->ic_curchan->ic_extieee)
1723 if (scan.htinfo == NULL) {
1724 ieee80211_htprot_update(ic,
1725 IEEE80211_HTINFO_OPMODE_PROTOPT |
1726 IEEE80211_HTINFO_NONHT_PRESENT);
1727 } else if (ishtmixed(scan.htinfo)) {
1728 /* XXX? take NONHT_PRESENT from beacon? */
1729 ieee80211_htprot_update(ic,
1730 IEEE80211_HTINFO_OPMODE_MIXED |
1731 IEEE80211_HTINFO_NONHT_PRESENT);
1737 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1738 if (vap->iv_state != IEEE80211_S_RUN) {
1739 vap->iv_stats.is_rx_mgtdiscard++;
1743 * prreq frame format
1745 * [tlv] supported rates
1746 * [tlv] extended supported rates
1748 ssid = rates = xrates = NULL;
1750 while (efrm - frm > 1) {
1751 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1753 case IEEE80211_ELEMID_SSID:
1756 case IEEE80211_ELEMID_RATES:
1759 case IEEE80211_ELEMID_XRATES:
1765 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1767 IEEE80211_VERIFY_ELEMENT(xrates,
1768 IEEE80211_RATE_MAXSIZE - rates[1], return);
1769 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1770 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1771 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1772 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1774 "%s", "no ssid with ssid suppression enabled");
1775 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1779 /* XXX find a better class or define it's own */
1780 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1781 "%s", "recv probe req");
1783 * Some legacy 11b clients cannot hack a complete
1784 * probe response frame. When the request includes
1785 * only a bare-bones rate set, communicate this to
1786 * the transmit side.
1788 ieee80211_send_proberesp(vap, wh->i_addr2,
1789 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1792 case IEEE80211_FC0_SUBTYPE_AUTH: {
1793 uint16_t algo, seq, status;
1795 if (vap->iv_state != IEEE80211_S_RUN) {
1796 vap->iv_stats.is_rx_mgtdiscard++;
1799 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1800 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1801 wh, NULL, "%s", "wrong bssid");
1802 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1812 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1813 algo = le16toh(*(uint16_t *)frm);
1814 seq = le16toh(*(uint16_t *)(frm + 2));
1815 status = le16toh(*(uint16_t *)(frm + 4));
1816 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1817 "recv auth frame with algorithm %d seq %d", algo, seq);
1819 * Consult the ACL policy module if setup.
1821 if (vap->iv_acl != NULL &&
1822 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1823 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1824 wh, NULL, "%s", "disallowed by ACL");
1825 vap->iv_stats.is_rx_acl++;
1826 ieee80211_send_error(ni, wh->i_addr2,
1827 IEEE80211_FC0_SUBTYPE_AUTH,
1828 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1831 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1832 IEEE80211_DISCARD(vap,
1833 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1834 wh, NULL, "%s", "TKIP countermeasures enabled");
1835 vap->iv_stats.is_rx_auth_countermeasures++;
1836 ieee80211_send_error(ni, wh->i_addr2,
1837 IEEE80211_FC0_SUBTYPE_AUTH,
1838 IEEE80211_REASON_MIC_FAILURE);
1841 if (algo == IEEE80211_AUTH_ALG_SHARED)
1842 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1844 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1845 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1846 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1847 authalgreject(ni, wh, algo,
1848 seq+1, IEEE80211_STATUS_ALG);
1852 * We assume that an unknown algorithm is the result
1853 * of a decryption failure on a shared key auth frame;
1854 * return a status code appropriate for that instead
1855 * of IEEE80211_STATUS_ALG.
1857 * NB: a seq# of 4 is intentional; the decrypted
1858 * frame likely has a bogus seq value.
1860 authalgreject(ni, wh, algo,
1861 4, IEEE80211_STATUS_CHALLENGE);
1867 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1868 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1869 uint16_t capinfo, lintval;
1870 struct ieee80211_rsnparms rsnparms;
1872 if (vap->iv_state != IEEE80211_S_RUN) {
1873 vap->iv_stats.is_rx_mgtdiscard++;
1876 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1877 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1878 wh, NULL, "%s", "wrong bssid");
1879 vap->iv_stats.is_rx_assoc_bss++;
1882 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1884 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1887 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1889 if (ni == vap->iv_bss) {
1890 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1891 "deny %s request, sta not authenticated",
1892 reassoc ? "reassoc" : "assoc");
1893 ieee80211_send_error(ni, wh->i_addr2,
1894 IEEE80211_FC0_SUBTYPE_DEAUTH,
1895 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1896 vap->iv_stats.is_rx_assoc_notauth++;
1901 * asreq frame format
1902 * [2] capability information
1903 * [2] listen interval
1904 * [6*] current AP address (reassoc only)
1906 * [tlv] supported rates
1907 * [tlv] extended supported rates
1909 * [tlv] HT capabilities
1910 * [tlv] Atheros capabilities
1912 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1913 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1914 lintval = le16toh(*(uint16_t *)frm); frm += 2;
1916 frm += 6; /* ignore current AP info */
1917 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1919 while (efrm - frm > 1) {
1920 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1922 case IEEE80211_ELEMID_SSID:
1925 case IEEE80211_ELEMID_RATES:
1928 case IEEE80211_ELEMID_XRATES:
1931 case IEEE80211_ELEMID_RSN:
1934 case IEEE80211_ELEMID_HTCAP:
1937 case IEEE80211_ELEMID_VENDOR:
1940 else if (iswmeinfo(frm))
1942 #ifdef IEEE80211_SUPPORT_SUPERG
1943 else if (isatherosoui(frm))
1946 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1947 if (ishtcapoui(frm) && htcap == NULL)
1954 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1956 IEEE80211_VERIFY_ELEMENT(xrates,
1957 IEEE80211_RATE_MAXSIZE - rates[1], return);
1958 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1959 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1960 if (htcap != NULL) {
1961 IEEE80211_VERIFY_LENGTH(htcap[1],
1962 htcap[0] == IEEE80211_ELEMID_VENDOR ?
1963 4 + sizeof(struct ieee80211_ie_htcap)-2 :
1964 sizeof(struct ieee80211_ie_htcap)-2,
1965 return); /* XXX just NULL out? */
1968 if ((vap->iv_flags & IEEE80211_F_WPA) &&
1969 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
1971 /* discard challenge after association */
1972 if (ni->ni_challenge != NULL) {
1973 free(ni->ni_challenge, M_80211_NODE);
1974 ni->ni_challenge = NULL;
1976 /* NB: 802.11 spec says to ignore station's privacy bit */
1977 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
1978 capinfomismatch(ni, wh, reassoc, resp,
1979 "capability", capinfo);
1983 * Disallow re-associate w/ invalid slot time setting.
1985 if (ni->ni_associd != 0 &&
1986 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
1987 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
1988 capinfomismatch(ni, wh, reassoc, resp,
1989 "slot time", capinfo);
1992 rate = ieee80211_setup_rates(ni, rates, xrates,
1993 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1994 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1995 if (rate & IEEE80211_RATE_BASIC) {
1996 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
1997 vap->iv_stats.is_rx_assoc_norate++;
2001 * If constrained to 11g-only stations reject an
2002 * 11b-only station. We cheat a bit here by looking
2003 * at the max negotiated xmit rate and assuming anyone
2004 * with a best rate <24Mb/s is an 11b station.
2006 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2007 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2008 vap->iv_stats.is_rx_assoc_norate++;
2012 * Do HT rate set handling and setup HT node state.
2014 ni->ni_chan = vap->iv_bss->ni_chan;
2015 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2016 rate = ieee80211_setup_htrates(ni, htcap,
2017 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2019 if (rate & IEEE80211_RATE_BASIC) {
2020 ratesetmismatch(ni, wh, reassoc, resp,
2022 vap->iv_stats.is_ht_assoc_norate++;
2025 ieee80211_ht_node_init(ni);
2026 ieee80211_ht_updatehtcap(ni, htcap);
2027 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2028 ieee80211_ht_node_cleanup(ni);
2029 #ifdef IEEE80211_SUPPORT_SUPERG
2030 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH)
2031 ieee80211_ff_node_cleanup(ni);
2034 * Allow AMPDU operation only with unencrypted traffic
2035 * or AES-CCM; the 11n spec only specifies these ciphers
2036 * so permitting any others is undefined and can lead
2037 * to interoperability problems.
2039 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2040 (((vap->iv_flags & IEEE80211_F_WPA) &&
2041 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2042 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2044 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2045 "disallow HT use because WEP or TKIP requested, "
2046 "capinfo 0x%x ucastcipher %d", capinfo,
2047 rsnparms.rsn_ucastcipher);
2048 ieee80211_ht_node_cleanup(ni);
2049 vap->iv_stats.is_ht_assoc_downgrade++;
2052 * If constrained to 11n-only stations reject legacy stations.
2054 if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) &&
2055 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2056 htcapmismatch(ni, wh, reassoc, resp);
2057 vap->iv_stats.is_ht_assoc_nohtcap++;
2060 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2062 ni->ni_intval = lintval;
2063 ni->ni_capinfo = capinfo;
2064 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2065 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2068 * XXX maybe better to just expand
2070 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2071 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2073 setie(wpa_ie, wpa - sfrm);
2075 setie(rsn_ie, rsn - sfrm);
2077 setie(htcap_ie, htcap - sfrm);
2079 setie(wme_ie, wme - sfrm);
2081 * Mark node as capable of QoS.
2083 ni->ni_flags |= IEEE80211_NODE_QOS;
2085 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2086 #ifdef IEEE80211_SUPPORT_SUPERG
2088 setie(ath_ie, ath - sfrm);
2090 * Parse ATH station parameters.
2092 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2095 ni->ni_ath_flags = 0;
2098 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2099 ni->ni_ath_flags = 0;
2101 ieee80211_node_join(ni, resp);
2102 ieee80211_deliver_l2uf(ni);
2106 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2107 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2110 if (vap->iv_state != IEEE80211_S_RUN ||
2111 /* NB: can happen when in promiscuous mode */
2112 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2113 vap->iv_stats.is_rx_mgtdiscard++;
2117 * deauth/disassoc frame format
2120 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2121 reason = le16toh(*(uint16_t *)frm);
2122 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2123 vap->iv_stats.is_rx_deauth++;
2124 IEEE80211_NODE_STAT(ni, rx_deauth);
2126 vap->iv_stats.is_rx_disassoc++;
2127 IEEE80211_NODE_STAT(ni, rx_disassoc);
2129 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2130 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2131 IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2132 if (ni != vap->iv_bss)
2133 ieee80211_node_leave(ni);
2137 case IEEE80211_FC0_SUBTYPE_ACTION:
2138 if (vap->iv_state == IEEE80211_S_RUN) {
2139 if (ieee80211_parse_action(ni, m0) == 0)
2140 ic->ic_recv_action(ni, frm, efrm);
2142 vap->iv_stats.is_rx_mgtdiscard++;
2145 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2146 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2148 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2149 wh, "mgt", "subtype 0x%x not handled", subtype);
2150 vap->iv_stats.is_rx_badsubtype++;
2156 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2159 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2160 hostap_recv_pspoll(ni, m);
2162 case IEEE80211_FC0_SUBTYPE_BAR:
2163 ieee80211_recv_bar(ni, m);
2169 * Process a received ps-poll frame.
2172 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2174 struct ieee80211vap *vap = ni->ni_vap;
2175 struct ieee80211_frame_min *wh;
2181 wh = mtod(m0, struct ieee80211_frame_min *);
2182 if (ni->ni_associd == 0) {
2183 IEEE80211_DISCARD(vap,
2184 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2185 (struct ieee80211_frame *) wh, NULL,
2186 "%s", "unassociated station");
2187 vap->iv_stats.is_ps_unassoc++;
2188 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2189 IEEE80211_REASON_NOT_ASSOCED);
2193 aid = le16toh(*(uint16_t *)wh->i_dur);
2194 if (aid != ni->ni_associd) {
2195 IEEE80211_DISCARD(vap,
2196 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2197 (struct ieee80211_frame *) wh, NULL,
2198 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2199 ni->ni_associd, aid);
2200 vap->iv_stats.is_ps_badaid++;
2202 * NB: We used to deauth the station but it turns out
2203 * the Blackberry Curve 8230 (and perhaps other devices)
2204 * sometimes send the wrong AID when WME is negotiated.
2205 * Being more lenient here seems ok as we already check
2206 * the station is associated and we only return frames
2207 * queued for the station (i.e. we don't use the AID).
2212 /* Okay, take the first queued packet and put it out... */
2213 m = ieee80211_node_psq_dequeue(ni, &qlen);
2215 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2216 "%s", "recv ps-poll, but queue empty");
2217 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2218 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2219 if (vap->iv_set_tim != NULL)
2220 vap->iv_set_tim(ni, 0); /* just in case */
2224 * If there are more packets, set the more packets bit
2225 * in the packet dispatched to the station; otherwise
2226 * turn off the TIM bit.
2229 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2230 "recv ps-poll, send packet, %u still queued", qlen);
2231 m->m_flags |= M_MORE_DATA;
2233 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2234 "%s", "recv ps-poll, send packet, queue empty");
2235 if (vap->iv_set_tim != NULL)
2236 vap->iv_set_tim(ni, 0);
2238 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2240 if (m->m_flags & M_ENCAP)
2241 ifp = vap->iv_ic->ic_ifp;
2244 IF_ENQUEUE(&ifp->if_snd, m);