2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
34 * IEEE 802.11 HOSTAP mode support.
39 #include <sys/param.h>
40 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/kernel.h>
45 #include <sys/socket.h>
46 #include <sys/sockio.h>
47 #include <sys/endian.h>
48 #include <sys/errno.h>
50 #include <sys/sysctl.h>
53 #include <net/if_var.h>
54 #include <net/if_media.h>
55 #include <net/if_llc.h>
56 #include <net/ethernet.h>
60 #include <net80211/ieee80211_var.h>
61 #include <net80211/ieee80211_hostap.h>
62 #include <net80211/ieee80211_input.h>
63 #ifdef IEEE80211_SUPPORT_SUPERG
64 #include <net80211/ieee80211_superg.h>
66 #include <net80211/ieee80211_wds.h>
67 #include <net80211/ieee80211_vht.h>
69 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
71 static void hostap_vattach(struct ieee80211vap *);
72 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
73 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
74 const struct ieee80211_rx_stats *,
76 static void hostap_deliver_data(struct ieee80211vap *,
77 struct ieee80211_node *, struct mbuf *);
78 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
79 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
80 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
83 ieee80211_hostap_attach(struct ieee80211com *ic)
85 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
89 ieee80211_hostap_detach(struct ieee80211com *ic)
94 hostap_vdetach(struct ieee80211vap *vap)
99 hostap_vattach(struct ieee80211vap *vap)
101 vap->iv_newstate = hostap_newstate;
102 vap->iv_input = hostap_input;
103 vap->iv_recv_mgmt = hostap_recv_mgmt;
104 vap->iv_recv_ctl = hostap_recv_ctl;
105 vap->iv_opdetach = hostap_vdetach;
106 vap->iv_deliver_data = hostap_deliver_data;
107 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
111 sta_disassoc(void *arg, struct ieee80211_node *ni)
114 if (ni->ni_associd != 0) {
115 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
116 IEEE80211_REASON_ASSOC_LEAVE);
117 ieee80211_node_leave(ni);
122 sta_csa(void *arg, struct ieee80211_node *ni)
124 struct ieee80211vap *vap = ni->ni_vap;
126 if (ni->ni_associd != 0)
127 if (ni->ni_inact > vap->iv_inact_init) {
128 ni->ni_inact = vap->iv_inact_init;
129 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
130 "%s: inact %u", __func__, ni->ni_inact);
135 sta_drop(void *arg, struct ieee80211_node *ni)
138 if (ni->ni_associd != 0)
139 ieee80211_node_leave(ni);
143 * Does a channel change require associated stations to re-associate
144 * so protocol state is correct. This is used when doing CSA across
145 * bands or similar (e.g. HT -> legacy).
148 isbandchange(struct ieee80211com *ic)
150 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
151 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
152 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
156 * IEEE80211_M_HOSTAP vap state machine handler.
159 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
161 struct ieee80211com *ic = vap->iv_ic;
162 enum ieee80211_state ostate;
164 IEEE80211_LOCK_ASSERT(ic);
166 ostate = vap->iv_state;
167 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
168 __func__, ieee80211_state_name[ostate],
169 ieee80211_state_name[nstate], arg);
170 vap->iv_state = nstate; /* state transition */
171 if (ostate != IEEE80211_S_SCAN)
172 ieee80211_cancel_scan(vap); /* background scan */
174 case IEEE80211_S_INIT:
176 case IEEE80211_S_SCAN:
177 ieee80211_cancel_scan(vap);
179 case IEEE80211_S_CAC:
180 ieee80211_dfs_cac_stop(vap);
182 case IEEE80211_S_RUN:
183 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
189 if (ostate != IEEE80211_S_INIT) {
190 /* NB: optimize INIT -> INIT case */
191 ieee80211_reset_bss(vap);
193 if (vap->iv_auth->ia_detach != NULL)
194 vap->iv_auth->ia_detach(vap);
196 case IEEE80211_S_SCAN:
198 case IEEE80211_S_CSA:
199 case IEEE80211_S_RUN:
200 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
203 * Clear overlapping BSS state; the beacon frame
204 * will be reconstructed on transition to the RUN
205 * state and the timeout routines check if the flag
206 * is set before doing anything so this is sufficient.
208 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
209 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
211 case IEEE80211_S_CAC:
213 * NB: We may get here because of a manual channel
214 * change in which case we need to stop CAC
215 * XXX no need to stop if ostate RUN but it's ok
217 ieee80211_dfs_cac_stop(vap);
219 case IEEE80211_S_INIT:
220 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
221 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
223 * Already have a channel; bypass the
224 * scan and startup immediately.
225 * ieee80211_create_ibss will call back to
226 * move us to RUN state.
228 ieee80211_create_ibss(vap, vap->iv_des_chan);
232 * Initiate a scan. We can come here as a result
233 * of an IEEE80211_IOC_SCAN_REQ too in which case
234 * the vap will be marked with IEEE80211_FEXT_SCANREQ
235 * and the scan request parameters will be present
236 * in iv_scanreq. Otherwise we do the default.
238 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
239 ieee80211_check_scan(vap,
240 vap->iv_scanreq_flags,
241 vap->iv_scanreq_duration,
242 vap->iv_scanreq_mindwell,
243 vap->iv_scanreq_maxdwell,
244 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
245 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
247 ieee80211_check_scan_current(vap);
249 case IEEE80211_S_SCAN:
251 * A state change requires a reset; scan.
253 ieee80211_check_scan_current(vap);
259 case IEEE80211_S_CAC:
261 * Start CAC on a DFS channel. We come here when starting
262 * a bss on a DFS channel (see ieee80211_create_ibss).
264 ieee80211_dfs_cac_start(vap);
266 case IEEE80211_S_RUN:
267 if (vap->iv_flags & IEEE80211_F_WPA) {
268 /* XXX validate prerequisites */
271 case IEEE80211_S_INIT:
273 * Already have a channel; bypass the
274 * scan and startup immediately.
275 * Note that ieee80211_create_ibss will call
276 * back to do a RUN->RUN state change.
278 ieee80211_create_ibss(vap,
279 ieee80211_ht_adjust_channel(ic,
280 ic->ic_curchan, vap->iv_flags_ht));
281 /* NB: iv_bss is changed on return */
283 case IEEE80211_S_CAC:
285 * NB: This is the normal state change when CAC
286 * expires and no radar was detected; no need to
287 * clear the CAC timer as it's already expired.
290 case IEEE80211_S_CSA:
292 * Shorten inactivity timer of associated stations
293 * to weed out sta's that don't follow a CSA.
295 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
298 * Update bss node channel to reflect where
299 * we landed after CSA.
301 ieee80211_node_set_chan(vap->iv_bss,
302 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
303 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
304 /* XXX bypass debug msgs */
306 case IEEE80211_S_SCAN:
307 case IEEE80211_S_RUN:
308 #ifdef IEEE80211_DEBUG
309 if (ieee80211_msg_debug(vap)) {
310 struct ieee80211_node *ni = vap->iv_bss;
312 "synchronized with %s ssid ",
313 ether_sprintf(ni->ni_bssid));
314 ieee80211_print_essid(ni->ni_essid,
317 printf(" channel %d start %uMb\n",
318 ieee80211_chan2ieee(ic, ic->ic_curchan),
319 IEEE80211_RATE2MBS(ni->ni_txrate));
327 * Start/stop the authenticator. We delay until here
328 * to allow configuration to happen out of order.
330 if (vap->iv_auth->ia_attach != NULL) {
331 /* XXX check failure */
332 vap->iv_auth->ia_attach(vap);
333 } else if (vap->iv_auth->ia_detach != NULL) {
334 vap->iv_auth->ia_detach(vap);
336 ieee80211_node_authorize(vap->iv_bss);
338 case IEEE80211_S_CSA:
339 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
341 * On a ``band change'' silently drop associated
342 * stations as they must re-associate before they
343 * can pass traffic (as otherwise protocol state
344 * such as capabilities and the negotiated rate
345 * set may/will be wrong).
347 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
358 hostap_deliver_data(struct ieee80211vap *vap,
359 struct ieee80211_node *ni, struct mbuf *m)
361 struct ether_header *eh = mtod(m, struct ether_header *);
362 struct ifnet *ifp = vap->iv_ifp;
364 /* clear driver/net80211 flags before passing up */
365 m->m_flags &= ~(M_MCAST | M_BCAST);
368 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
369 ("gack, opmode %d", vap->iv_opmode));
373 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
374 IEEE80211_NODE_STAT(ni, rx_data);
375 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
376 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
377 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
378 IEEE80211_NODE_STAT(ni, rx_mcast);
380 IEEE80211_NODE_STAT(ni, rx_ucast);
382 /* perform as a bridge within the AP */
383 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
384 struct mbuf *mcopy = NULL;
386 if (m->m_flags & M_MCAST) {
387 mcopy = m_dup(m, M_NOWAIT);
389 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
391 mcopy->m_flags |= M_MCAST;
394 * Check if the destination is associated with the
395 * same vap and authorized to receive traffic.
396 * Beware of traffic destined for the vap itself;
397 * sending it will not work; just let it be delivered
400 struct ieee80211_node *sta = ieee80211_find_vap_node(
401 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
403 if (ieee80211_node_is_authorized(sta)) {
405 * Beware of sending to ourself; this
406 * needs to happen via the normal
409 if (sta != vap->iv_bss) {
414 vap->iv_stats.is_rx_unauth++;
415 IEEE80211_NODE_STAT(sta, rx_unauth);
417 ieee80211_free_node(sta);
421 (void) ieee80211_vap_xmitpkt(vap, mcopy);
425 * Mark frame as coming from vap's interface.
427 m->m_pkthdr.rcvif = ifp;
428 if (m->m_flags & M_MCAST) {
430 * Spam DWDS vap's w/ multicast traffic.
432 /* XXX only if dwds in use? */
433 ieee80211_dwds_mcast(vap, m);
435 if (ni->ni_vlan != 0) {
436 /* attach vlan tag */
437 m->m_pkthdr.ether_vtag = ni->ni_vlan;
438 m->m_flags |= M_VLANTAG;
440 ifp->if_input(ifp, m);
445 * Decide if a received management frame should be
446 * printed when debugging is enabled. This filters some
447 * of the less interesting frames that come frequently
451 doprint(struct ieee80211vap *vap, int subtype)
454 case IEEE80211_FC0_SUBTYPE_BEACON:
455 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
456 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
463 * Process a received frame. The node associated with the sender
464 * should be supplied. If nothing was found in the node table then
465 * the caller is assumed to supply a reference to iv_bss instead.
466 * The RSSI and a timestamp are also supplied. The RSSI data is used
467 * during AP scanning to select a AP to associate with; it can have
468 * any units so long as values have consistent units and higher values
469 * mean ``better signal''. The receive timestamp is currently not used
470 * by the 802.11 layer.
473 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
474 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
476 struct ieee80211vap *vap = ni->ni_vap;
477 struct ieee80211com *ic = ni->ni_ic;
478 struct ifnet *ifp = vap->iv_ifp;
479 struct ieee80211_frame *wh;
480 struct ieee80211_key *key;
481 struct ether_header *eh;
482 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
483 uint8_t dir, type, subtype, qos;
485 int is_hw_decrypted = 0;
486 int has_decrypted = 0;
489 * Some devices do hardware decryption all the way through
490 * to pretending the frame wasn't encrypted in the first place.
491 * So, tag it appropriately so it isn't discarded inappropriately.
493 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
496 if (m->m_flags & M_AMPDU_MPDU) {
498 * Fastpath for A-MPDU reorder q resubmission. Frames
499 * w/ M_AMPDU_MPDU marked have already passed through
500 * here but were received out of order and been held on
501 * the reorder queue. When resubmitted they are marked
502 * with the M_AMPDU_MPDU flag and we can bypass most of
503 * the normal processing.
505 wh = mtod(m, struct ieee80211_frame *);
506 type = IEEE80211_FC0_TYPE_DATA;
507 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
508 subtype = IEEE80211_FC0_SUBTYPE_QOS;
509 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
513 KASSERT(ni != NULL, ("null node"));
514 ni->ni_inact = ni->ni_inact_reload;
516 type = -1; /* undefined */
518 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
519 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
520 ni->ni_macaddr, NULL,
521 "too short (1): len %u", m->m_pkthdr.len);
522 vap->iv_stats.is_rx_tooshort++;
526 * Bit of a cheat here, we use a pointer for a 3-address
527 * frame format but don't reference fields past outside
528 * ieee80211_frame_min w/o first validating the data is
531 wh = mtod(m, struct ieee80211_frame *);
533 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
534 IEEE80211_FC0_VERSION_0) {
535 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
536 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
537 wh->i_fc[0], wh->i_fc[1]);
538 vap->iv_stats.is_rx_badversion++;
542 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
543 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
544 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
545 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
546 if (dir != IEEE80211_FC1_DIR_NODS)
548 else if (type == IEEE80211_FC0_TYPE_CTL)
551 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
552 IEEE80211_DISCARD_MAC(vap,
553 IEEE80211_MSG_ANY, ni->ni_macaddr,
554 NULL, "too short (2): len %u",
556 vap->iv_stats.is_rx_tooshort++;
562 * Validate the bssid.
564 if (!(type == IEEE80211_FC0_TYPE_MGT &&
565 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
566 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
567 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
568 /* not interested in */
569 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
570 bssid, NULL, "%s", "not to bss");
571 vap->iv_stats.is_rx_wrongbss++;
575 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
577 if (IEEE80211_HAS_SEQ(type, subtype)) {
578 uint8_t tid = ieee80211_gettid(wh);
579 if (IEEE80211_QOS_HAS_SEQ(wh) &&
580 TID_TO_WME_AC(tid) >= WME_AC_VI)
581 ic->ic_wme.wme_hipri_traffic++;
582 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
588 case IEEE80211_FC0_TYPE_DATA:
589 hdrspace = ieee80211_hdrspace(ic, wh);
590 if (m->m_len < hdrspace &&
591 (m = m_pullup(m, hdrspace)) == NULL) {
592 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
593 ni->ni_macaddr, NULL,
594 "data too short: expecting %u", hdrspace);
595 vap->iv_stats.is_rx_tooshort++;
598 if (!(dir == IEEE80211_FC1_DIR_TODS ||
599 (dir == IEEE80211_FC1_DIR_DSTODS &&
600 (vap->iv_flags & IEEE80211_F_DWDS)))) {
601 if (dir != IEEE80211_FC1_DIR_DSTODS) {
602 IEEE80211_DISCARD(vap,
603 IEEE80211_MSG_INPUT, wh, "data",
604 "incorrect dir 0x%x", dir);
606 IEEE80211_DISCARD(vap,
607 IEEE80211_MSG_INPUT |
608 IEEE80211_MSG_WDS, wh,
610 "%s", "DWDS not enabled");
612 vap->iv_stats.is_rx_wrongdir++;
615 /* check if source STA is associated */
616 if (ni == vap->iv_bss) {
617 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
618 wh, "data", "%s", "unknown src");
619 ieee80211_send_error(ni, wh->i_addr2,
620 IEEE80211_FC0_SUBTYPE_DEAUTH,
621 IEEE80211_REASON_NOT_AUTHED);
622 vap->iv_stats.is_rx_notassoc++;
625 if (ni->ni_associd == 0) {
626 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
627 wh, "data", "%s", "unassoc src");
628 IEEE80211_SEND_MGMT(ni,
629 IEEE80211_FC0_SUBTYPE_DISASSOC,
630 IEEE80211_REASON_NOT_ASSOCED);
631 vap->iv_stats.is_rx_notassoc++;
636 * Check for power save state change.
637 * XXX out-of-order A-MPDU frames?
639 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
640 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
642 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
644 * For 4-address packets handle WDS discovery
645 * notifications. Once a WDS link is setup frames
646 * are just delivered to the WDS vap (see below).
648 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
649 if (!ieee80211_node_is_authorized(ni)) {
650 IEEE80211_DISCARD(vap,
651 IEEE80211_MSG_INPUT |
652 IEEE80211_MSG_WDS, wh,
654 "%s", "unauthorized port");
655 vap->iv_stats.is_rx_unauth++;
656 IEEE80211_NODE_STAT(ni, rx_unauth);
659 ieee80211_dwds_discover(ni, m);
664 * Handle A-MPDU re-ordering. If the frame is to be
665 * processed directly then ieee80211_ampdu_reorder
666 * will return 0; otherwise it has consumed the mbuf
667 * and we should do nothing more with it.
669 if ((m->m_flags & M_AMPDU) &&
670 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
677 * Handle privacy requirements. Note that we
678 * must not be preempted from here until after
679 * we (potentially) call ieee80211_crypto_demic;
680 * otherwise we may violate assumptions in the
681 * crypto cipher modules used to do delayed update
682 * of replay sequence numbers.
684 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
685 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
687 * Discard encrypted frames when privacy is off.
689 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
690 wh, "WEP", "%s", "PRIVACY off");
691 vap->iv_stats.is_rx_noprivacy++;
692 IEEE80211_NODE_STAT(ni, rx_noprivacy);
695 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
696 /* NB: stats+msgs handled in crypto_decap */
697 IEEE80211_NODE_STAT(ni, rx_wepfail);
700 wh = mtod(m, struct ieee80211_frame *);
701 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
704 /* XXX M_WEP and IEEE80211_F_PRIVACY */
709 * Save QoS bits for use below--before we strip the header.
711 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
712 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
713 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
714 ((struct ieee80211_qosframe *)wh)->i_qos[0];
719 * Next up, any fragmentation.
721 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
722 m = ieee80211_defrag(ni, m, hdrspace);
724 /* Fragment dropped or frame not complete yet */
728 wh = NULL; /* no longer valid, catch any uses */
731 * Next strip any MSDU crypto bits.
733 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
734 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
735 ni->ni_macaddr, "data", "%s", "demic error");
736 vap->iv_stats.is_rx_demicfail++;
737 IEEE80211_NODE_STAT(ni, rx_demicfail);
740 /* copy to listener after decrypt */
741 if (ieee80211_radiotap_active_vap(vap))
742 ieee80211_radiotap_rx(vap, m);
745 * Finally, strip the 802.11 header.
747 m = ieee80211_decap(vap, m, hdrspace);
749 /* XXX mask bit to check for both */
750 /* don't count Null data frames as errors */
751 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
752 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
754 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
755 ni->ni_macaddr, "data", "%s", "decap error");
756 vap->iv_stats.is_rx_decap++;
757 IEEE80211_NODE_STAT(ni, rx_decap);
760 eh = mtod(m, struct ether_header *);
761 if (!ieee80211_node_is_authorized(ni)) {
763 * Deny any non-PAE frames received prior to
764 * authorization. For open/shared-key
765 * authentication the port is mark authorized
766 * after authentication completes. For 802.1x
767 * the port is not marked authorized by the
768 * authenticator until the handshake has completed.
770 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
772 eh->ether_shost, "data",
773 "unauthorized port: ether type 0x%x len %u",
774 eh->ether_type, m->m_pkthdr.len);
775 vap->iv_stats.is_rx_unauth++;
776 IEEE80211_NODE_STAT(ni, rx_unauth);
781 * When denying unencrypted frames, discard
782 * any non-PAE frames received without encryption.
784 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
785 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
786 (is_hw_decrypted == 0) &&
787 eh->ether_type != htons(ETHERTYPE_PAE)) {
789 * Drop unencrypted frames.
791 vap->iv_stats.is_rx_unencrypted++;
792 IEEE80211_NODE_STAT(ni, rx_unencrypted);
796 /* XXX require HT? */
797 if (qos & IEEE80211_QOS_AMSDU) {
798 m = ieee80211_decap_amsdu(ni, m);
800 return IEEE80211_FC0_TYPE_DATA;
802 #ifdef IEEE80211_SUPPORT_SUPERG
803 m = ieee80211_decap_fastframe(vap, ni, m);
805 return IEEE80211_FC0_TYPE_DATA;
808 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
809 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
811 hostap_deliver_data(vap, ni, m);
812 return IEEE80211_FC0_TYPE_DATA;
814 case IEEE80211_FC0_TYPE_MGT:
815 vap->iv_stats.is_rx_mgmt++;
816 IEEE80211_NODE_STAT(ni, rx_mgmt);
817 if (dir != IEEE80211_FC1_DIR_NODS) {
818 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
819 wh, "mgt", "incorrect dir 0x%x", dir);
820 vap->iv_stats.is_rx_wrongdir++;
823 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
824 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
825 ni->ni_macaddr, "mgt", "too short: len %u",
827 vap->iv_stats.is_rx_tooshort++;
830 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
831 /* ensure return frames are unicast */
832 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
833 wh, NULL, "source is multicast: %s",
834 ether_sprintf(wh->i_addr2));
835 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
838 #ifdef IEEE80211_DEBUG
839 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
840 ieee80211_msg_dumppkts(vap)) {
841 if_printf(ifp, "received %s from %s rssi %d\n",
842 ieee80211_mgt_subtype_name(subtype),
843 ether_sprintf(wh->i_addr2), rssi);
846 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
847 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
849 * Only shared key auth frames with a challenge
850 * should be encrypted, discard all others.
852 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
854 "%s", "WEP set but not permitted");
855 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
858 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
860 * Discard encrypted frames when privacy is off.
862 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
863 wh, NULL, "%s", "WEP set but PRIVACY off");
864 vap->iv_stats.is_rx_noprivacy++;
867 hdrspace = ieee80211_hdrspace(ic, wh);
868 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
869 /* NB: stats+msgs handled in crypto_decap */
872 wh = mtod(m, struct ieee80211_frame *);
873 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
877 * Pass the packet to radiotap before calling iv_recv_mgmt().
878 * Otherwise iv_recv_mgmt() might pass another packet to
879 * radiotap, resulting in out of order packet captures.
881 if (ieee80211_radiotap_active_vap(vap))
882 ieee80211_radiotap_rx(vap, m);
884 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
887 case IEEE80211_FC0_TYPE_CTL:
888 vap->iv_stats.is_rx_ctl++;
889 IEEE80211_NODE_STAT(ni, rx_ctrl);
890 vap->iv_recv_ctl(ni, m, subtype);
893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
894 wh, "bad", "frame type 0x%x", type);
895 /* should not come here */
899 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
902 if (need_tap && ieee80211_radiotap_active_vap(vap))
903 ieee80211_radiotap_rx(vap, m);
910 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
911 int rssi, int nf, uint16_t seq, uint16_t status)
913 struct ieee80211vap *vap = ni->ni_vap;
915 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
917 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
918 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
919 ni->ni_macaddr, "open auth",
920 "bad sta auth mode %u", ni->ni_authmode);
921 vap->iv_stats.is_rx_bad_auth++; /* XXX */
923 * Clear any challenge text that may be there if
924 * a previous shared key auth failed and then an
925 * open auth is attempted.
927 if (ni->ni_challenge != NULL) {
928 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
929 ni->ni_challenge = NULL;
931 /* XXX hack to workaround calling convention */
932 ieee80211_send_error(ni, wh->i_addr2,
933 IEEE80211_FC0_SUBTYPE_AUTH,
934 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
937 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
938 vap->iv_stats.is_rx_bad_auth++;
941 /* always accept open authentication requests */
942 if (ni == vap->iv_bss) {
943 ni = ieee80211_dup_bss(vap, wh->i_addr2);
946 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
947 (void) ieee80211_ref_node(ni);
949 * Mark the node as referenced to reflect that it's
950 * reference count has been bumped to insure it remains
951 * after the transaction completes.
953 ni->ni_flags |= IEEE80211_NODE_AREF;
955 * Mark the node as requiring a valid association id
956 * before outbound traffic is permitted.
958 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
960 if (vap->iv_acl != NULL &&
961 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
963 * When the ACL policy is set to RADIUS we defer the
964 * authorization to a user agent. Dispatch an event,
965 * a subsequent MLME call will decide the fate of the
966 * station. If the user agent is not present then the
967 * node will be reclaimed due to inactivity.
969 IEEE80211_NOTE_MAC(vap,
970 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
971 "%s", "station authentication defered (radius acl)");
972 ieee80211_notify_node_auth(ni);
974 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
975 IEEE80211_NOTE_MAC(vap,
976 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
977 "%s", "station authenticated (open)");
979 * When 802.1x is not in use mark the port
980 * authorized at this point so traffic can flow.
982 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
983 ieee80211_node_authorize(ni);
988 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
989 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
990 uint16_t seq, uint16_t status)
992 struct ieee80211vap *vap = ni->ni_vap;
994 int allocbs, estatus;
996 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
999 * NB: this can happen as we allow pre-shared key
1000 * authentication to be enabled w/o wep being turned
1001 * on so that configuration of these can be done
1002 * in any order. It may be better to enforce the
1003 * ordering in which case this check would just be
1004 * for sanity/consistency.
1006 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1007 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1008 ni->ni_macaddr, "shared key auth",
1009 "%s", " PRIVACY is disabled");
1010 estatus = IEEE80211_STATUS_ALG;
1014 * Pre-shared key authentication is evil; accept
1015 * it only if explicitly configured (it is supported
1016 * mainly for compatibility with clients like Mac OS X).
1018 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1019 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1020 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1021 ni->ni_macaddr, "shared key auth",
1022 "bad sta auth mode %u", ni->ni_authmode);
1023 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1024 estatus = IEEE80211_STATUS_ALG;
1029 if (frm + 1 < efrm) {
1030 if ((frm[1] + 2) > (efrm - frm)) {
1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1032 ni->ni_macaddr, "shared key auth",
1033 "ie %d/%d too long",
1034 frm[0], (frm[1] + 2) - (efrm - frm));
1035 vap->iv_stats.is_rx_bad_auth++;
1036 estatus = IEEE80211_STATUS_CHALLENGE;
1039 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1044 case IEEE80211_AUTH_SHARED_CHALLENGE:
1045 case IEEE80211_AUTH_SHARED_RESPONSE:
1046 if (challenge == NULL) {
1047 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1048 ni->ni_macaddr, "shared key auth",
1049 "%s", "no challenge");
1050 vap->iv_stats.is_rx_bad_auth++;
1051 estatus = IEEE80211_STATUS_CHALLENGE;
1054 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1055 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1056 ni->ni_macaddr, "shared key auth",
1057 "bad challenge len %d", challenge[1]);
1058 vap->iv_stats.is_rx_bad_auth++;
1059 estatus = IEEE80211_STATUS_CHALLENGE;
1066 case IEEE80211_AUTH_SHARED_REQUEST:
1067 if (ni == vap->iv_bss) {
1068 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1070 /* NB: no way to return an error */
1075 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1076 (void) ieee80211_ref_node(ni);
1080 * Mark the node as referenced to reflect that it's
1081 * reference count has been bumped to insure it remains
1082 * after the transaction completes.
1084 ni->ni_flags |= IEEE80211_NODE_AREF;
1086 * Mark the node as requiring a valid association id
1087 * before outbound traffic is permitted.
1089 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1090 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1092 if (!ieee80211_alloc_challenge(ni)) {
1093 /* NB: don't return error so they rexmit */
1096 get_random_bytes(ni->ni_challenge,
1097 IEEE80211_CHALLENGE_LEN);
1098 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1099 ni, "shared key %sauth request", allocbs ? "" : "re");
1101 * When the ACL policy is set to RADIUS we defer the
1102 * authorization to a user agent. Dispatch an event,
1103 * a subsequent MLME call will decide the fate of the
1104 * station. If the user agent is not present then the
1105 * node will be reclaimed due to inactivity.
1107 if (vap->iv_acl != NULL &&
1108 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1109 IEEE80211_NOTE_MAC(vap,
1110 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1112 "%s", "station authentication defered (radius acl)");
1113 ieee80211_notify_node_auth(ni);
1117 case IEEE80211_AUTH_SHARED_RESPONSE:
1118 if (ni == vap->iv_bss) {
1119 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1120 ni->ni_macaddr, "shared key response",
1121 "%s", "unknown station");
1122 /* NB: don't send a response */
1125 if (ni->ni_challenge == NULL) {
1126 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1127 ni->ni_macaddr, "shared key response",
1128 "%s", "no challenge recorded");
1129 vap->iv_stats.is_rx_bad_auth++;
1130 estatus = IEEE80211_STATUS_CHALLENGE;
1133 if (memcmp(ni->ni_challenge, &challenge[2],
1134 challenge[1]) != 0) {
1135 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1136 ni->ni_macaddr, "shared key response",
1137 "%s", "challenge mismatch");
1138 vap->iv_stats.is_rx_auth_fail++;
1139 estatus = IEEE80211_STATUS_CHALLENGE;
1142 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1143 ni, "%s", "station authenticated (shared key)");
1144 ieee80211_node_authorize(ni);
1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1148 ni->ni_macaddr, "shared key auth",
1150 vap->iv_stats.is_rx_bad_auth++;
1151 estatus = IEEE80211_STATUS_SEQUENCE;
1154 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1158 * Send an error response; but only when operating as an AP.
1160 /* XXX hack to workaround calling convention */
1161 ieee80211_send_error(ni, wh->i_addr2,
1162 IEEE80211_FC0_SUBTYPE_AUTH,
1163 (seq + 1) | (estatus<<16));
1167 * Convert a WPA cipher selector OUI to an internal
1168 * cipher algorithm. Where appropriate we also
1169 * record any key length.
1172 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1174 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1175 uint32_t w = le32dec(sel);
1178 case WPA_SEL(WPA_CSE_NULL):
1179 *cipher = IEEE80211_CIPHER_NONE;
1181 case WPA_SEL(WPA_CSE_WEP40):
1183 *keylen = 40 / NBBY;
1184 *cipher = IEEE80211_CIPHER_WEP;
1186 case WPA_SEL(WPA_CSE_WEP104):
1188 *keylen = 104 / NBBY;
1189 *cipher = IEEE80211_CIPHER_WEP;
1191 case WPA_SEL(WPA_CSE_TKIP):
1192 *cipher = IEEE80211_CIPHER_TKIP;
1194 case WPA_SEL(WPA_CSE_CCMP):
1195 *cipher = IEEE80211_CIPHER_AES_CCM;
1206 * Convert a WPA key management/authentication algorithm
1207 * to an internal code.
1210 wpa_keymgmt(const uint8_t *sel)
1212 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1213 uint32_t w = le32dec(sel);
1216 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1217 return WPA_ASE_8021X_UNSPEC;
1218 case WPA_SEL(WPA_ASE_8021X_PSK):
1219 return WPA_ASE_8021X_PSK;
1220 case WPA_SEL(WPA_ASE_NONE):
1221 return WPA_ASE_NONE;
1223 return 0; /* NB: so is discarded */
1228 * Parse a WPA information element to collect parameters.
1229 * Note that we do not validate security parameters; that
1230 * is handled by the authenticator; the parsing done here
1231 * is just for internal use in making operational decisions.
1234 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1235 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1237 uint8_t len = frm[1];
1242 * Check the length once for fixed parts: OUI, type,
1243 * version, mcast cipher, and 2 selector counts.
1244 * Other, variable-length data, must be checked separately.
1246 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1247 IEEE80211_DISCARD_IE(vap,
1248 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1249 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1250 return IEEE80211_REASON_IE_INVALID;
1253 IEEE80211_DISCARD_IE(vap,
1254 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1255 wh, "WPA", "too short, len %u", len);
1256 return IEEE80211_REASON_IE_INVALID;
1258 frm += 6, len -= 4; /* NB: len is payload only */
1259 /* NB: iswpaoui already validated the OUI and type */
1261 if (w != WPA_VERSION) {
1262 IEEE80211_DISCARD_IE(vap,
1263 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1264 wh, "WPA", "bad version %u", w);
1265 return IEEE80211_REASON_IE_INVALID;
1269 memset(rsn, 0, sizeof(*rsn));
1271 /* multicast/group cipher */
1272 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1274 IEEE80211_DISCARD_IE(vap,
1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1276 wh, "WPA", "unknown mcast cipher suite %08X",
1278 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1282 /* unicast ciphers */
1286 IEEE80211_DISCARD_IE(vap,
1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1288 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1290 return IEEE80211_REASON_IE_INVALID;
1293 for (; n > 0; n--) {
1296 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1303 IEEE80211_DISCARD_IE(vap,
1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1305 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1307 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1310 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1311 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1313 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1315 /* key management algorithms */
1319 IEEE80211_DISCARD_IE(vap,
1320 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1321 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1323 return IEEE80211_REASON_IE_INVALID;
1326 for (; n > 0; n--) {
1327 w |= wpa_keymgmt(frm);
1330 if (w & WPA_ASE_8021X_UNSPEC)
1331 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1333 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1335 if (len > 2) /* optional capabilities */
1336 rsn->rsn_caps = le16dec(frm);
1342 * Convert an RSN cipher selector OUI to an internal
1343 * cipher algorithm. Where appropriate we also
1344 * record any key length.
1347 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1349 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1350 uint32_t w = le32dec(sel);
1353 case RSN_SEL(RSN_CSE_NULL):
1354 *cipher = IEEE80211_CIPHER_NONE;
1356 case RSN_SEL(RSN_CSE_WEP40):
1358 *keylen = 40 / NBBY;
1359 *cipher = IEEE80211_CIPHER_WEP;
1361 case RSN_SEL(RSN_CSE_WEP104):
1363 *keylen = 104 / NBBY;
1364 *cipher = IEEE80211_CIPHER_WEP;
1366 case RSN_SEL(RSN_CSE_TKIP):
1367 *cipher = IEEE80211_CIPHER_TKIP;
1369 case RSN_SEL(RSN_CSE_CCMP):
1370 *cipher = IEEE80211_CIPHER_AES_CCM;
1372 case RSN_SEL(RSN_CSE_WRAP):
1373 *cipher = IEEE80211_CIPHER_AES_OCB;
1384 * Convert an RSN key management/authentication algorithm
1385 * to an internal code.
1388 rsn_keymgmt(const uint8_t *sel)
1390 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1391 uint32_t w = le32dec(sel);
1394 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1395 return RSN_ASE_8021X_UNSPEC;
1396 case RSN_SEL(RSN_ASE_8021X_PSK):
1397 return RSN_ASE_8021X_PSK;
1398 case RSN_SEL(RSN_ASE_NONE):
1399 return RSN_ASE_NONE;
1401 return 0; /* NB: so is discarded */
1406 * Parse a WPA/RSN information element to collect parameters
1407 * and validate the parameters against what has been
1408 * configured for the system.
1411 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1412 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1414 uint8_t len = frm[1];
1419 * Check the length once for fixed parts:
1420 * version, mcast cipher, and 2 selector counts.
1421 * Other, variable-length data, must be checked separately.
1423 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1424 IEEE80211_DISCARD_IE(vap,
1425 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1426 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1427 return IEEE80211_REASON_IE_INVALID;
1429 /* XXX may be shorter */
1431 IEEE80211_DISCARD_IE(vap,
1432 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1433 wh, "RSN", "too short, len %u", len);
1434 return IEEE80211_REASON_IE_INVALID;
1438 if (w != RSN_VERSION) {
1439 IEEE80211_DISCARD_IE(vap,
1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1441 wh, "RSN", "bad version %u", w);
1442 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1446 memset(rsn, 0, sizeof(*rsn));
1448 /* multicast/group cipher */
1449 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1451 IEEE80211_DISCARD_IE(vap,
1452 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1453 wh, "RSN", "unknown mcast cipher suite %08X",
1455 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1457 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1458 IEEE80211_DISCARD_IE(vap,
1459 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1460 wh, "RSN", "invalid mcast cipher suite %d",
1461 rsn->rsn_mcastcipher);
1462 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1466 /* unicast ciphers */
1470 IEEE80211_DISCARD_IE(vap,
1471 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1472 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1474 return IEEE80211_REASON_IE_INVALID;
1478 for (; n > 0; n--) {
1481 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1487 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1488 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1489 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1490 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1491 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1492 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1493 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1494 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1495 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1496 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1498 IEEE80211_DISCARD_IE(vap,
1499 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1500 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1502 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1505 /* key management algorithms */
1509 IEEE80211_DISCARD_IE(vap,
1510 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1511 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1513 return IEEE80211_REASON_IE_INVALID;
1516 for (; n > 0; n--) {
1517 w |= rsn_keymgmt(frm);
1520 if (w & RSN_ASE_8021X_UNSPEC)
1521 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1523 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1525 /* optional RSN capabilities */
1527 rsn->rsn_caps = le16dec(frm);
1534 * WPA/802.11i association request processing.
1537 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1538 const struct ieee80211_frame *wh, const uint8_t *wpa,
1539 const uint8_t *rsn, uint16_t capinfo)
1541 struct ieee80211vap *vap = ni->ni_vap;
1545 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1546 if (wpa == NULL && rsn == NULL) {
1547 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1549 * W-Fi Protected Setup (WPS) permits
1550 * clients to associate and pass EAPOL frames
1551 * to establish initial credentials.
1553 ni->ni_flags |= IEEE80211_NODE_WPS;
1556 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1557 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1559 * Transitional Security Network. Permits clients
1560 * to associate and use WEP while WPA is configured.
1562 ni->ni_flags |= IEEE80211_NODE_TSN;
1565 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1566 wh, NULL, "%s", "no WPA/RSN IE in association request");
1567 vap->iv_stats.is_rx_assoc_badwpaie++;
1568 reason = IEEE80211_REASON_IE_INVALID;
1571 /* assert right association security credentials */
1572 badwparsn = 0; /* NB: to silence compiler */
1573 switch (vap->iv_flags & IEEE80211_F_WPA) {
1574 case IEEE80211_F_WPA1:
1575 badwparsn = (wpa == NULL);
1577 case IEEE80211_F_WPA2:
1578 badwparsn = (rsn == NULL);
1580 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1581 badwparsn = (wpa == NULL && rsn == NULL);
1585 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1587 "%s", "missing WPA/RSN IE in association request");
1588 vap->iv_stats.is_rx_assoc_badwpaie++;
1589 reason = IEEE80211_REASON_IE_INVALID;
1593 * Parse WPA/RSN information element.
1596 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1598 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1600 /* XXX wpa->rsn fallback? */
1601 /* XXX distinguish WPA/RSN? */
1602 vap->iv_stats.is_rx_assoc_badwpaie++;
1605 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1606 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1607 wpa != NULL ? "WPA" : "RSN",
1608 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1609 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1610 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1614 ieee80211_node_deauth(ni, reason);
1618 /* XXX find a better place for definition */
1619 struct l2_update_frame {
1620 struct ether_header eh;
1628 * Deliver a TGf L2UF frame on behalf of a station.
1629 * This primes any bridge when the station is roaming
1630 * between ap's on the same wired network.
1633 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1635 struct ieee80211vap *vap = ni->ni_vap;
1636 struct ifnet *ifp = vap->iv_ifp;
1638 struct l2_update_frame *l2uf;
1639 struct ether_header *eh;
1641 m = m_gethdr(M_NOWAIT, MT_DATA);
1643 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1644 "%s", "no mbuf for l2uf frame");
1645 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1648 l2uf = mtod(m, struct l2_update_frame *);
1650 /* dst: Broadcast address */
1651 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1652 /* src: associated STA */
1653 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1654 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1658 l2uf->control = 0xf5;
1659 l2uf->xid[0] = 0x81;
1660 l2uf->xid[1] = 0x80;
1661 l2uf->xid[2] = 0x00;
1663 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1664 hostap_deliver_data(vap, ni, m);
1668 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1669 int reassoc, int resp, const char *tag, int rate)
1671 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1672 "deny %s request, %s rate set mismatch, rate/MCS %d",
1673 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1674 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1675 ieee80211_node_leave(ni);
1679 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1680 int reassoc, int resp, const char *tag, int capinfo)
1682 struct ieee80211vap *vap = ni->ni_vap;
1684 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1685 "deny %s request, %s mismatch 0x%x",
1686 reassoc ? "reassoc" : "assoc", tag, capinfo);
1687 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1688 ieee80211_node_leave(ni);
1689 vap->iv_stats.is_rx_assoc_capmismatch++;
1693 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1694 int reassoc, int resp)
1696 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1697 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1698 /* XXX no better code */
1699 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1700 ieee80211_node_leave(ni);
1704 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1705 int algo, int seq, int status)
1707 struct ieee80211vap *vap = ni->ni_vap;
1709 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1710 wh, NULL, "unsupported alg %d", algo);
1711 vap->iv_stats.is_rx_auth_unsupported++;
1712 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1713 seq | (status << 16));
1717 ishtmixed(const uint8_t *ie)
1719 const struct ieee80211_ie_htinfo *ht =
1720 (const struct ieee80211_ie_htinfo *) ie;
1721 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1722 IEEE80211_HTINFO_OPMODE_MIXED;
1726 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1728 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1731 /* NB: the 11b clients we care about will not have xrates */
1732 if (xrates != NULL || rates == NULL)
1734 for (i = 0; i < rates[1]; i++) {
1735 int r = rates[2+i] & IEEE80211_RATE_VAL;
1736 if (r > 2*11 || ((1<<r) & brates) == 0)
1743 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1744 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1746 struct ieee80211vap *vap = ni->ni_vap;
1747 struct ieee80211com *ic = ni->ni_ic;
1748 struct ieee80211_frame *wh;
1749 uint8_t *frm, *efrm, *sfrm;
1750 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1751 uint8_t *vhtcap, *vhtinfo;
1755 wh = mtod(m0, struct ieee80211_frame *);
1756 frm = (uint8_t *)&wh[1];
1757 efrm = mtod(m0, uint8_t *) + m0->m_len;
1759 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1761 * We process beacon/probe response frames when scanning;
1762 * otherwise we check beacon frames for overlapping non-ERP
1763 * BSS in 11g and/or overlapping legacy BSS when in HT.
1765 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1766 vap->iv_stats.is_rx_mgtdiscard++;
1770 case IEEE80211_FC0_SUBTYPE_BEACON: {
1771 struct ieee80211_scanparams scan;
1773 /* NB: accept off-channel frames */
1774 /* XXX TODO: use rxstatus to determine off-channel details */
1775 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1778 * Count frame now that we know it's to be processed.
1780 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1781 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1782 IEEE80211_NODE_STAT(ni, rx_beacons);
1784 IEEE80211_NODE_STAT(ni, rx_proberesp);
1786 * If scanning, just pass information to the scan module.
1788 if (ic->ic_flags & IEEE80211_F_SCAN) {
1789 if (scan.status == 0 && /* NB: on channel */
1790 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1792 * Actively scanning a channel marked passive;
1793 * send a probe request now that we know there
1794 * is 802.11 traffic present.
1796 * XXX check if the beacon we recv'd gives
1797 * us what we need and suppress the probe req
1799 ieee80211_probe_curchan(vap, 1);
1800 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1802 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1807 * Check beacon for overlapping bss w/ non ERP stations.
1808 * If we detect one and protection is configured but not
1809 * enabled, enable it and start a timer that'll bring us
1810 * out if we stop seeing the bss.
1812 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1813 scan.status == 0 && /* NB: on-channel */
1814 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1815 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1816 ic->ic_lastnonerp = ticks;
1817 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1818 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1819 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1820 IEEE80211_NOTE_FRAME(vap,
1821 IEEE80211_MSG_ASSOC, wh,
1822 "non-ERP present on channel %d "
1823 "(saw erp 0x%x from channel %d), "
1824 "enable use of protection",
1825 ic->ic_curchan->ic_ieee,
1826 scan.erp, scan.chan);
1827 ic->ic_flags |= IEEE80211_F_USEPROT;
1828 ieee80211_notify_erp(ic);
1832 * Check beacon for non-HT station on HT channel
1833 * and update HT BSS occupancy as appropriate.
1835 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1836 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1838 * Off control channel; only check frames
1839 * that come in the extension channel when
1840 * operating w/ HT40.
1842 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1844 if (scan.chan != ic->ic_curchan->ic_extieee)
1847 if (scan.htinfo == NULL) {
1848 ieee80211_htprot_update(ic,
1849 IEEE80211_HTINFO_OPMODE_PROTOPT |
1850 IEEE80211_HTINFO_NONHT_PRESENT);
1851 } else if (ishtmixed(scan.htinfo)) {
1852 /* XXX? take NONHT_PRESENT from beacon? */
1853 ieee80211_htprot_update(ic,
1854 IEEE80211_HTINFO_OPMODE_MIXED |
1855 IEEE80211_HTINFO_NONHT_PRESENT);
1861 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1862 if (vap->iv_state != IEEE80211_S_RUN) {
1863 vap->iv_stats.is_rx_mgtdiscard++;
1867 * Consult the ACL policy module if setup.
1869 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1870 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1871 wh, NULL, "%s", "disallowed by ACL");
1872 vap->iv_stats.is_rx_acl++;
1876 * prreq frame format
1878 * [tlv] supported rates
1879 * [tlv] extended supported rates
1881 ssid = rates = xrates = NULL;
1882 while (efrm - frm > 1) {
1883 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1885 case IEEE80211_ELEMID_SSID:
1888 case IEEE80211_ELEMID_RATES:
1891 case IEEE80211_ELEMID_XRATES:
1897 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1899 IEEE80211_VERIFY_ELEMENT(xrates,
1900 IEEE80211_RATE_MAXSIZE - rates[1], return);
1901 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1902 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1903 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1904 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1906 "%s", "no ssid with ssid suppression enabled");
1907 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1911 /* XXX find a better class or define it's own */
1912 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1913 "%s", "recv probe req");
1915 * Some legacy 11b clients cannot hack a complete
1916 * probe response frame. When the request includes
1917 * only a bare-bones rate set, communicate this to
1918 * the transmit side.
1920 ieee80211_send_proberesp(vap, wh->i_addr2,
1921 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1924 case IEEE80211_FC0_SUBTYPE_AUTH: {
1925 uint16_t algo, seq, status;
1927 if (vap->iv_state != IEEE80211_S_RUN) {
1928 vap->iv_stats.is_rx_mgtdiscard++;
1931 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1932 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1933 wh, NULL, "%s", "wrong bssid");
1934 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1944 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1945 algo = le16toh(*(uint16_t *)frm);
1946 seq = le16toh(*(uint16_t *)(frm + 2));
1947 status = le16toh(*(uint16_t *)(frm + 4));
1948 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1949 "recv auth frame with algorithm %d seq %d", algo, seq);
1951 * Consult the ACL policy module if setup.
1953 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1954 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1955 wh, NULL, "%s", "disallowed by ACL");
1956 vap->iv_stats.is_rx_acl++;
1957 ieee80211_send_error(ni, wh->i_addr2,
1958 IEEE80211_FC0_SUBTYPE_AUTH,
1959 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1962 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1963 IEEE80211_DISCARD(vap,
1964 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1965 wh, NULL, "%s", "TKIP countermeasures enabled");
1966 vap->iv_stats.is_rx_auth_countermeasures++;
1967 ieee80211_send_error(ni, wh->i_addr2,
1968 IEEE80211_FC0_SUBTYPE_AUTH,
1969 IEEE80211_REASON_MIC_FAILURE);
1972 if (algo == IEEE80211_AUTH_ALG_SHARED)
1973 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1975 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1976 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1977 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1978 authalgreject(ni, wh, algo,
1979 seq+1, IEEE80211_STATUS_ALG);
1983 * We assume that an unknown algorithm is the result
1984 * of a decryption failure on a shared key auth frame;
1985 * return a status code appropriate for that instead
1986 * of IEEE80211_STATUS_ALG.
1988 * NB: a seq# of 4 is intentional; the decrypted
1989 * frame likely has a bogus seq value.
1991 authalgreject(ni, wh, algo,
1992 4, IEEE80211_STATUS_CHALLENGE);
1998 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1999 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2000 uint16_t capinfo, lintval;
2001 struct ieee80211_rsnparms rsnparms;
2003 if (vap->iv_state != IEEE80211_S_RUN) {
2004 vap->iv_stats.is_rx_mgtdiscard++;
2007 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2008 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2009 wh, NULL, "%s", "wrong bssid");
2010 vap->iv_stats.is_rx_assoc_bss++;
2013 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2015 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2018 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2020 if (ni == vap->iv_bss) {
2021 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2022 "deny %s request, sta not authenticated",
2023 reassoc ? "reassoc" : "assoc");
2024 ieee80211_send_error(ni, wh->i_addr2,
2025 IEEE80211_FC0_SUBTYPE_DEAUTH,
2026 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2027 vap->iv_stats.is_rx_assoc_notauth++;
2032 * asreq frame format
2033 * [2] capability information
2034 * [2] listen interval
2035 * [6*] current AP address (reassoc only)
2037 * [tlv] supported rates
2038 * [tlv] extended supported rates
2040 * [tlv] HT capabilities
2041 * [tlv] Atheros capabilities
2043 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2044 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2045 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2047 frm += 6; /* ignore current AP info */
2048 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2049 vhtcap = vhtinfo = NULL;
2051 while (efrm - frm > 1) {
2052 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2054 case IEEE80211_ELEMID_SSID:
2057 case IEEE80211_ELEMID_RATES:
2060 case IEEE80211_ELEMID_XRATES:
2063 case IEEE80211_ELEMID_RSN:
2066 case IEEE80211_ELEMID_HTCAP:
2069 case IEEE80211_ELEMID_VHT_CAP:
2072 case IEEE80211_ELEMID_VHT_OPMODE:
2075 case IEEE80211_ELEMID_VENDOR:
2078 else if (iswmeinfo(frm))
2080 #ifdef IEEE80211_SUPPORT_SUPERG
2081 else if (isatherosoui(frm))
2084 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2085 if (ishtcapoui(frm) && htcap == NULL)
2092 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2094 IEEE80211_VERIFY_ELEMENT(xrates,
2095 IEEE80211_RATE_MAXSIZE - rates[1], return);
2096 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2097 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2098 if (htcap != NULL) {
2099 IEEE80211_VERIFY_LENGTH(htcap[1],
2100 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2101 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2102 sizeof(struct ieee80211_ie_htcap)-2,
2103 return); /* XXX just NULL out? */
2106 /* Validate VHT IEs */
2107 if (vhtcap != NULL) {
2108 IEEE80211_VERIFY_LENGTH(vhtcap[1],
2109 sizeof(struct ieee80211_ie_vhtcap) - 2,
2112 if (vhtinfo != NULL) {
2113 IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2114 sizeof(struct ieee80211_ie_vht_operation) - 2,
2118 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2119 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2121 /* discard challenge after association */
2122 if (ni->ni_challenge != NULL) {
2123 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2124 ni->ni_challenge = NULL;
2126 /* NB: 802.11 spec says to ignore station's privacy bit */
2127 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2128 capinfomismatch(ni, wh, reassoc, resp,
2129 "capability", capinfo);
2133 * Disallow re-associate w/ invalid slot time setting.
2135 if (ni->ni_associd != 0 &&
2136 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2137 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2138 capinfomismatch(ni, wh, reassoc, resp,
2139 "slot time", capinfo);
2142 rate = ieee80211_setup_rates(ni, rates, xrates,
2143 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2144 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2145 if (rate & IEEE80211_RATE_BASIC) {
2146 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2147 vap->iv_stats.is_rx_assoc_norate++;
2151 * If constrained to 11g-only stations reject an
2152 * 11b-only station. We cheat a bit here by looking
2153 * at the max negotiated xmit rate and assuming anyone
2154 * with a best rate <24Mb/s is an 11b station.
2156 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2157 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2158 vap->iv_stats.is_rx_assoc_norate++;
2163 * Do HT rate set handling and setup HT node state.
2165 ni->ni_chan = vap->iv_bss->ni_chan;
2168 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2171 /* XXX TODO; see below */
2172 printf("%s: VHT TODO!\n", __func__);
2173 ieee80211_vht_node_init(ni);
2174 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2175 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2176 ieee80211_vht_node_cleanup(ni);
2179 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2180 rate = ieee80211_setup_htrates(ni, htcap,
2181 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2183 if (rate & IEEE80211_RATE_BASIC) {
2184 ratesetmismatch(ni, wh, reassoc, resp,
2186 vap->iv_stats.is_ht_assoc_norate++;
2189 ieee80211_ht_node_init(ni);
2190 ieee80211_ht_updatehtcap(ni, htcap);
2191 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2192 ieee80211_ht_node_cleanup(ni);
2194 /* Finally - this will use HT/VHT info to change node channel */
2195 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2196 ieee80211_ht_updatehtcap_final(ni);
2199 #ifdef IEEE80211_SUPPORT_SUPERG
2200 /* Always do ff node cleanup; for A-MSDU */
2201 ieee80211_ff_node_cleanup(ni);
2204 * Allow AMPDU operation only with unencrypted traffic
2205 * or AES-CCM; the 11n spec only specifies these ciphers
2206 * so permitting any others is undefined and can lead
2207 * to interoperability problems.
2209 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2210 (((vap->iv_flags & IEEE80211_F_WPA) &&
2211 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2212 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2214 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2215 "disallow HT use because WEP or TKIP requested, "
2216 "capinfo 0x%x ucastcipher %d", capinfo,
2217 rsnparms.rsn_ucastcipher);
2218 ieee80211_ht_node_cleanup(ni);
2219 #ifdef IEEE80211_SUPPORT_SUPERG
2220 /* Always do ff node cleanup; for A-MSDU */
2221 ieee80211_ff_node_cleanup(ni);
2223 vap->iv_stats.is_ht_assoc_downgrade++;
2226 * If constrained to 11n-only stations reject legacy stations.
2228 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2229 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2230 htcapmismatch(ni, wh, reassoc, resp);
2231 vap->iv_stats.is_ht_assoc_nohtcap++;
2234 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2236 ni->ni_intval = lintval;
2237 ni->ni_capinfo = capinfo;
2238 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2239 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2242 * XXX maybe better to just expand
2244 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2245 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2247 setie(wpa_ie, wpa - sfrm);
2249 setie(rsn_ie, rsn - sfrm);
2251 setie(htcap_ie, htcap - sfrm);
2253 setie(wme_ie, wme - sfrm);
2255 * Mark node as capable of QoS.
2257 ni->ni_flags |= IEEE80211_NODE_QOS;
2259 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2260 #ifdef IEEE80211_SUPPORT_SUPERG
2262 setie(ath_ie, ath - sfrm);
2264 * Parse ATH station parameters.
2266 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2269 ni->ni_ath_flags = 0;
2272 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2273 ni->ni_ath_flags = 0;
2275 ieee80211_node_join(ni, resp);
2276 ieee80211_deliver_l2uf(ni);
2280 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2281 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2284 if (vap->iv_state != IEEE80211_S_RUN ||
2285 /* NB: can happen when in promiscuous mode */
2286 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2287 vap->iv_stats.is_rx_mgtdiscard++;
2291 * deauth/disassoc frame format
2294 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2295 reason = le16toh(*(uint16_t *)frm);
2296 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2297 vap->iv_stats.is_rx_deauth++;
2298 IEEE80211_NODE_STAT(ni, rx_deauth);
2300 vap->iv_stats.is_rx_disassoc++;
2301 IEEE80211_NODE_STAT(ni, rx_disassoc);
2303 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2304 "recv %s (reason: %d (%s))",
2305 ieee80211_mgt_subtype_name(subtype),
2306 reason, ieee80211_reason_to_string(reason));
2307 if (ni != vap->iv_bss)
2308 ieee80211_node_leave(ni);
2312 case IEEE80211_FC0_SUBTYPE_ACTION:
2313 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2314 if (ni == vap->iv_bss) {
2315 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2316 wh, NULL, "%s", "unknown node");
2317 vap->iv_stats.is_rx_mgtdiscard++;
2318 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2319 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2320 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2321 wh, NULL, "%s", "not for us");
2322 vap->iv_stats.is_rx_mgtdiscard++;
2323 } else if (vap->iv_state != IEEE80211_S_RUN) {
2324 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2325 wh, NULL, "wrong state %s",
2326 ieee80211_state_name[vap->iv_state]);
2327 vap->iv_stats.is_rx_mgtdiscard++;
2329 if (ieee80211_parse_action(ni, m0) == 0)
2330 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2334 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2335 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2336 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2337 case IEEE80211_FC0_SUBTYPE_ATIM:
2338 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2339 wh, NULL, "%s", "not handled");
2340 vap->iv_stats.is_rx_mgtdiscard++;
2344 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2345 wh, "mgt", "subtype 0x%x not handled", subtype);
2346 vap->iv_stats.is_rx_badsubtype++;
2352 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2355 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2356 ni->ni_vap->iv_recv_pspoll(ni, m);
2358 case IEEE80211_FC0_SUBTYPE_BAR:
2359 ieee80211_recv_bar(ni, m);
2365 * Process a received ps-poll frame.
2368 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2370 struct ieee80211vap *vap = ni->ni_vap;
2371 struct ieee80211com *ic = vap->iv_ic;
2372 struct ieee80211_frame_min *wh;
2377 wh = mtod(m0, struct ieee80211_frame_min *);
2378 if (ni->ni_associd == 0) {
2379 IEEE80211_DISCARD(vap,
2380 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2381 (struct ieee80211_frame *) wh, NULL,
2382 "%s", "unassociated station");
2383 vap->iv_stats.is_ps_unassoc++;
2384 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2385 IEEE80211_REASON_NOT_ASSOCED);
2389 aid = le16toh(*(uint16_t *)wh->i_dur);
2390 if (aid != ni->ni_associd) {
2391 IEEE80211_DISCARD(vap,
2392 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2393 (struct ieee80211_frame *) wh, NULL,
2394 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2395 ni->ni_associd, aid);
2396 vap->iv_stats.is_ps_badaid++;
2398 * NB: We used to deauth the station but it turns out
2399 * the Blackberry Curve 8230 (and perhaps other devices)
2400 * sometimes send the wrong AID when WME is negotiated.
2401 * Being more lenient here seems ok as we already check
2402 * the station is associated and we only return frames
2403 * queued for the station (i.e. we don't use the AID).
2408 /* Okay, take the first queued packet and put it out... */
2409 m = ieee80211_node_psq_dequeue(ni, &qlen);
2411 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2412 "%s", "recv ps-poll, but queue empty");
2413 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2414 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2415 if (vap->iv_set_tim != NULL)
2416 vap->iv_set_tim(ni, 0); /* just in case */
2420 * If there are more packets, set the more packets bit
2421 * in the packet dispatched to the station; otherwise
2422 * turn off the TIM bit.
2425 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2426 "recv ps-poll, send packet, %u still queued", qlen);
2427 m->m_flags |= M_MORE_DATA;
2429 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2430 "%s", "recv ps-poll, send packet, queue empty");
2431 if (vap->iv_set_tim != NULL)
2432 vap->iv_set_tim(ni, 0);
2434 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2437 * Do the right thing; if it's an encap'ed frame then
2438 * call ieee80211_parent_xmitpkt() else
2439 * call ieee80211_vap_xmitpkt().
2441 if (m->m_flags & M_ENCAP) {
2442 (void) ieee80211_parent_xmitpkt(ic, m);
2444 (void) ieee80211_vap_xmitpkt(vap, m);