2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
34 * IEEE 802.11 HOSTAP mode support.
39 #include <sys/param.h>
40 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/kernel.h>
45 #include <sys/socket.h>
46 #include <sys/sockio.h>
47 #include <sys/endian.h>
48 #include <sys/errno.h>
50 #include <sys/sysctl.h>
53 #include <net/if_var.h>
54 #include <net/if_media.h>
55 #include <net/if_llc.h>
56 #include <net/ethernet.h>
60 #include <net80211/ieee80211_var.h>
61 #include <net80211/ieee80211_hostap.h>
62 #include <net80211/ieee80211_input.h>
63 #ifdef IEEE80211_SUPPORT_SUPERG
64 #include <net80211/ieee80211_superg.h>
66 #include <net80211/ieee80211_wds.h>
67 #include <net80211/ieee80211_vht.h>
68 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */
70 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
72 static void hostap_vattach(struct ieee80211vap *);
73 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
74 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
75 const struct ieee80211_rx_stats *,
77 static void hostap_deliver_data(struct ieee80211vap *,
78 struct ieee80211_node *, struct mbuf *);
79 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
80 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
81 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
84 ieee80211_hostap_attach(struct ieee80211com *ic)
86 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
90 ieee80211_hostap_detach(struct ieee80211com *ic)
95 hostap_vdetach(struct ieee80211vap *vap)
100 hostap_vattach(struct ieee80211vap *vap)
102 vap->iv_newstate = hostap_newstate;
103 vap->iv_input = hostap_input;
104 vap->iv_recv_mgmt = hostap_recv_mgmt;
105 vap->iv_recv_ctl = hostap_recv_ctl;
106 vap->iv_opdetach = hostap_vdetach;
107 vap->iv_deliver_data = hostap_deliver_data;
108 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
112 sta_disassoc(void *arg, struct ieee80211_node *ni)
115 if (ni->ni_associd != 0) {
116 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
117 IEEE80211_REASON_ASSOC_LEAVE);
118 ieee80211_node_leave(ni);
123 sta_csa(void *arg, struct ieee80211_node *ni)
125 struct ieee80211vap *vap = ni->ni_vap;
127 if (ni->ni_associd != 0)
128 if (ni->ni_inact > vap->iv_inact_init) {
129 ni->ni_inact = vap->iv_inact_init;
130 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
131 "%s: inact %u", __func__, ni->ni_inact);
136 sta_drop(void *arg, struct ieee80211_node *ni)
139 if (ni->ni_associd != 0)
140 ieee80211_node_leave(ni);
144 * Does a channel change require associated stations to re-associate
145 * so protocol state is correct. This is used when doing CSA across
146 * bands or similar (e.g. HT -> legacy).
149 isbandchange(struct ieee80211com *ic)
151 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
152 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
153 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
157 * IEEE80211_M_HOSTAP vap state machine handler.
160 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
162 struct ieee80211com *ic = vap->iv_ic;
163 enum ieee80211_state ostate;
165 IEEE80211_LOCK_ASSERT(ic);
167 ostate = vap->iv_state;
168 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
169 __func__, ieee80211_state_name[ostate],
170 ieee80211_state_name[nstate], arg);
171 vap->iv_state = nstate; /* state transition */
172 if (ostate != IEEE80211_S_SCAN)
173 ieee80211_cancel_scan(vap); /* background scan */
175 case IEEE80211_S_INIT:
177 case IEEE80211_S_SCAN:
178 ieee80211_cancel_scan(vap);
180 case IEEE80211_S_CAC:
181 ieee80211_dfs_cac_stop(vap);
183 case IEEE80211_S_RUN:
184 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
190 if (ostate != IEEE80211_S_INIT) {
191 /* NB: optimize INIT -> INIT case */
192 ieee80211_reset_bss(vap);
194 if (vap->iv_auth->ia_detach != NULL)
195 vap->iv_auth->ia_detach(vap);
197 case IEEE80211_S_SCAN:
199 case IEEE80211_S_CSA:
200 case IEEE80211_S_RUN:
201 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
204 * Clear overlapping BSS state; the beacon frame
205 * will be reconstructed on transition to the RUN
206 * state and the timeout routines check if the flag
207 * is set before doing anything so this is sufficient.
209 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
210 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
212 case IEEE80211_S_CAC:
214 * NB: We may get here because of a manual channel
215 * change in which case we need to stop CAC
216 * XXX no need to stop if ostate RUN but it's ok
218 ieee80211_dfs_cac_stop(vap);
220 case IEEE80211_S_INIT:
221 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
222 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
224 * Already have a channel; bypass the
225 * scan and startup immediately.
226 * ieee80211_create_ibss will call back to
227 * move us to RUN state.
229 ieee80211_create_ibss(vap, vap->iv_des_chan);
233 * Initiate a scan. We can come here as a result
234 * of an IEEE80211_IOC_SCAN_REQ too in which case
235 * the vap will be marked with IEEE80211_FEXT_SCANREQ
236 * and the scan request parameters will be present
237 * in iv_scanreq. Otherwise we do the default.
239 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
240 ieee80211_check_scan(vap,
241 vap->iv_scanreq_flags,
242 vap->iv_scanreq_duration,
243 vap->iv_scanreq_mindwell,
244 vap->iv_scanreq_maxdwell,
245 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
246 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
248 ieee80211_check_scan_current(vap);
250 case IEEE80211_S_SCAN:
252 * A state change requires a reset; scan.
254 ieee80211_check_scan_current(vap);
260 case IEEE80211_S_CAC:
262 * Start CAC on a DFS channel. We come here when starting
263 * a bss on a DFS channel (see ieee80211_create_ibss).
265 ieee80211_dfs_cac_start(vap);
267 case IEEE80211_S_RUN:
268 if (vap->iv_flags & IEEE80211_F_WPA) {
269 /* XXX validate prerequisites */
272 case IEEE80211_S_INIT:
274 * Already have a channel; bypass the
275 * scan and startup immediately.
276 * Note that ieee80211_create_ibss will call
277 * back to do a RUN->RUN state change.
279 ieee80211_create_ibss(vap,
280 ieee80211_ht_adjust_channel(ic,
281 ic->ic_curchan, vap->iv_flags_ht));
282 /* NB: iv_bss is changed on return */
284 case IEEE80211_S_CAC:
286 * NB: This is the normal state change when CAC
287 * expires and no radar was detected; no need to
288 * clear the CAC timer as it's already expired.
291 case IEEE80211_S_CSA:
293 * Shorten inactivity timer of associated stations
294 * to weed out sta's that don't follow a CSA.
296 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
299 * Update bss node channel to reflect where
300 * we landed after CSA.
302 ieee80211_node_set_chan(vap->iv_bss,
303 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
304 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
305 /* XXX bypass debug msgs */
307 case IEEE80211_S_SCAN:
308 case IEEE80211_S_RUN:
309 #ifdef IEEE80211_DEBUG
310 if (ieee80211_msg_debug(vap)) {
311 struct ieee80211_node *ni = vap->iv_bss;
313 "synchronized with %s ssid ",
314 ether_sprintf(ni->ni_bssid));
315 ieee80211_print_essid(ni->ni_essid,
318 printf(" channel %d start %uMb\n",
319 ieee80211_chan2ieee(ic, ic->ic_curchan),
320 IEEE80211_RATE2MBS(ni->ni_txrate));
328 * Start/stop the authenticator. We delay until here
329 * to allow configuration to happen out of order.
331 if (vap->iv_auth->ia_attach != NULL) {
332 /* XXX check failure */
333 vap->iv_auth->ia_attach(vap);
334 } else if (vap->iv_auth->ia_detach != NULL) {
335 vap->iv_auth->ia_detach(vap);
337 ieee80211_node_authorize(vap->iv_bss);
339 case IEEE80211_S_CSA:
340 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
342 * On a ``band change'' silently drop associated
343 * stations as they must re-associate before they
344 * can pass traffic (as otherwise protocol state
345 * such as capabilities and the negotiated rate
346 * set may/will be wrong).
348 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
359 hostap_deliver_data(struct ieee80211vap *vap,
360 struct ieee80211_node *ni, struct mbuf *m)
362 struct ether_header *eh = mtod(m, struct ether_header *);
363 struct ifnet *ifp = vap->iv_ifp;
365 /* clear driver/net80211 flags before passing up */
366 m->m_flags &= ~(M_MCAST | M_BCAST);
369 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
370 ("gack, opmode %d", vap->iv_opmode));
374 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
375 IEEE80211_NODE_STAT(ni, rx_data);
376 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
377 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
378 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
379 IEEE80211_NODE_STAT(ni, rx_mcast);
381 IEEE80211_NODE_STAT(ni, rx_ucast);
383 /* perform as a bridge within the AP */
384 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
385 struct mbuf *mcopy = NULL;
387 if (m->m_flags & M_MCAST) {
388 mcopy = m_dup(m, M_NOWAIT);
390 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
392 mcopy->m_flags |= M_MCAST;
395 * Check if the destination is associated with the
396 * same vap and authorized to receive traffic.
397 * Beware of traffic destined for the vap itself;
398 * sending it will not work; just let it be delivered
401 struct ieee80211_node *sta = ieee80211_find_vap_node(
402 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
404 if (ieee80211_node_is_authorized(sta)) {
406 * Beware of sending to ourself; this
407 * needs to happen via the normal
410 if (sta != vap->iv_bss) {
415 vap->iv_stats.is_rx_unauth++;
416 IEEE80211_NODE_STAT(sta, rx_unauth);
418 ieee80211_free_node(sta);
422 (void) ieee80211_vap_xmitpkt(vap, mcopy);
426 * Mark frame as coming from vap's interface.
428 m->m_pkthdr.rcvif = ifp;
429 if (m->m_flags & M_MCAST) {
431 * Spam DWDS vap's w/ multicast traffic.
433 /* XXX only if dwds in use? */
434 ieee80211_dwds_mcast(vap, m);
436 if (ni->ni_vlan != 0) {
437 /* attach vlan tag */
438 m->m_pkthdr.ether_vtag = ni->ni_vlan;
439 m->m_flags |= M_VLANTAG;
441 ifp->if_input(ifp, m);
446 * Decide if a received management frame should be
447 * printed when debugging is enabled. This filters some
448 * of the less interesting frames that come frequently
452 doprint(struct ieee80211vap *vap, int subtype)
455 case IEEE80211_FC0_SUBTYPE_BEACON:
456 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
457 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
464 * Process a received frame. The node associated with the sender
465 * should be supplied. If nothing was found in the node table then
466 * the caller is assumed to supply a reference to iv_bss instead.
467 * The RSSI and a timestamp are also supplied. The RSSI data is used
468 * during AP scanning to select a AP to associate with; it can have
469 * any units so long as values have consistent units and higher values
470 * mean ``better signal''. The receive timestamp is currently not used
471 * by the 802.11 layer.
474 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
475 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
477 struct ieee80211vap *vap = ni->ni_vap;
478 struct ieee80211com *ic = ni->ni_ic;
479 struct ifnet *ifp = vap->iv_ifp;
480 struct ieee80211_frame *wh;
481 struct ieee80211_key *key;
482 struct ether_header *eh;
483 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
484 uint8_t dir, type, subtype, qos;
486 int is_hw_decrypted = 0;
487 int has_decrypted = 0;
490 * Some devices do hardware decryption all the way through
491 * to pretending the frame wasn't encrypted in the first place.
492 * So, tag it appropriately so it isn't discarded inappropriately.
494 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
497 if (m->m_flags & M_AMPDU_MPDU) {
499 * Fastpath for A-MPDU reorder q resubmission. Frames
500 * w/ M_AMPDU_MPDU marked have already passed through
501 * here but were received out of order and been held on
502 * the reorder queue. When resubmitted they are marked
503 * with the M_AMPDU_MPDU flag and we can bypass most of
504 * the normal processing.
506 wh = mtod(m, struct ieee80211_frame *);
507 type = IEEE80211_FC0_TYPE_DATA;
508 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
509 subtype = IEEE80211_FC0_SUBTYPE_QOS;
510 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
514 KASSERT(ni != NULL, ("null node"));
515 ni->ni_inact = ni->ni_inact_reload;
517 type = -1; /* undefined */
519 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
520 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
521 ni->ni_macaddr, NULL,
522 "too short (1): len %u", m->m_pkthdr.len);
523 vap->iv_stats.is_rx_tooshort++;
527 * Bit of a cheat here, we use a pointer for a 3-address
528 * frame format but don't reference fields past outside
529 * ieee80211_frame_min w/o first validating the data is
532 wh = mtod(m, struct ieee80211_frame *);
534 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
535 IEEE80211_FC0_VERSION_0) {
536 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
537 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
538 wh->i_fc[0], wh->i_fc[1]);
539 vap->iv_stats.is_rx_badversion++;
543 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
544 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
545 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
546 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
547 if (dir != IEEE80211_FC1_DIR_NODS)
549 else if (type == IEEE80211_FC0_TYPE_CTL)
552 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
553 IEEE80211_DISCARD_MAC(vap,
554 IEEE80211_MSG_ANY, ni->ni_macaddr,
555 NULL, "too short (2): len %u",
557 vap->iv_stats.is_rx_tooshort++;
563 * Validate the bssid.
565 if (!(type == IEEE80211_FC0_TYPE_MGT &&
566 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
567 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
568 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
569 /* not interested in */
570 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
571 bssid, NULL, "%s", "not to bss");
572 vap->iv_stats.is_rx_wrongbss++;
576 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
578 if (IEEE80211_HAS_SEQ(type, subtype)) {
579 uint8_t tid = ieee80211_gettid(wh);
580 if (IEEE80211_QOS_HAS_SEQ(wh) &&
581 TID_TO_WME_AC(tid) >= WME_AC_VI)
582 ic->ic_wme.wme_hipri_traffic++;
583 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
589 case IEEE80211_FC0_TYPE_DATA:
590 hdrspace = ieee80211_hdrspace(ic, wh);
591 if (m->m_len < hdrspace &&
592 (m = m_pullup(m, hdrspace)) == NULL) {
593 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
594 ni->ni_macaddr, NULL,
595 "data too short: expecting %u", hdrspace);
596 vap->iv_stats.is_rx_tooshort++;
599 if (!(dir == IEEE80211_FC1_DIR_TODS ||
600 (dir == IEEE80211_FC1_DIR_DSTODS &&
601 (vap->iv_flags & IEEE80211_F_DWDS)))) {
602 if (dir != IEEE80211_FC1_DIR_DSTODS) {
603 IEEE80211_DISCARD(vap,
604 IEEE80211_MSG_INPUT, wh, "data",
605 "incorrect dir 0x%x", dir);
607 IEEE80211_DISCARD(vap,
608 IEEE80211_MSG_INPUT |
609 IEEE80211_MSG_WDS, wh,
611 "%s", "DWDS not enabled");
613 vap->iv_stats.is_rx_wrongdir++;
616 /* check if source STA is associated */
617 if (ni == vap->iv_bss) {
618 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
619 wh, "data", "%s", "unknown src");
620 ieee80211_send_error(ni, wh->i_addr2,
621 IEEE80211_FC0_SUBTYPE_DEAUTH,
622 IEEE80211_REASON_NOT_AUTHED);
623 vap->iv_stats.is_rx_notassoc++;
626 if (ni->ni_associd == 0) {
627 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
628 wh, "data", "%s", "unassoc src");
629 IEEE80211_SEND_MGMT(ni,
630 IEEE80211_FC0_SUBTYPE_DISASSOC,
631 IEEE80211_REASON_NOT_ASSOCED);
632 vap->iv_stats.is_rx_notassoc++;
637 * Check for power save state change.
638 * XXX out-of-order A-MPDU frames?
640 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
641 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
643 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
645 * For 4-address packets handle WDS discovery
646 * notifications. Once a WDS link is setup frames
647 * are just delivered to the WDS vap (see below).
649 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
650 if (!ieee80211_node_is_authorized(ni)) {
651 IEEE80211_DISCARD(vap,
652 IEEE80211_MSG_INPUT |
653 IEEE80211_MSG_WDS, wh,
655 "%s", "unauthorized port");
656 vap->iv_stats.is_rx_unauth++;
657 IEEE80211_NODE_STAT(ni, rx_unauth);
660 ieee80211_dwds_discover(ni, m);
665 * Handle A-MPDU re-ordering. If the frame is to be
666 * processed directly then ieee80211_ampdu_reorder
667 * will return 0; otherwise it has consumed the mbuf
668 * and we should do nothing more with it.
670 if ((m->m_flags & M_AMPDU) &&
671 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
678 * Handle privacy requirements. Note that we
679 * must not be preempted from here until after
680 * we (potentially) call ieee80211_crypto_demic;
681 * otherwise we may violate assumptions in the
682 * crypto cipher modules used to do delayed update
683 * of replay sequence numbers.
685 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
686 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
688 * Discard encrypted frames when privacy is off.
690 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
691 wh, "WEP", "%s", "PRIVACY off");
692 vap->iv_stats.is_rx_noprivacy++;
693 IEEE80211_NODE_STAT(ni, rx_noprivacy);
696 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
697 /* NB: stats+msgs handled in crypto_decap */
698 IEEE80211_NODE_STAT(ni, rx_wepfail);
701 wh = mtod(m, struct ieee80211_frame *);
702 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
705 /* XXX M_WEP and IEEE80211_F_PRIVACY */
710 * Save QoS bits for use below--before we strip the header.
712 if (subtype == IEEE80211_FC0_SUBTYPE_QOS)
713 qos = ieee80211_getqos(wh)[0];
718 * Next up, any fragmentation.
720 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
721 m = ieee80211_defrag(ni, m, hdrspace);
723 /* Fragment dropped or frame not complete yet */
727 wh = NULL; /* no longer valid, catch any uses */
730 * Next strip any MSDU crypto bits.
732 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
733 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
734 ni->ni_macaddr, "data", "%s", "demic error");
735 vap->iv_stats.is_rx_demicfail++;
736 IEEE80211_NODE_STAT(ni, rx_demicfail);
739 /* copy to listener after decrypt */
740 if (ieee80211_radiotap_active_vap(vap))
741 ieee80211_radiotap_rx(vap, m);
744 * Finally, strip the 802.11 header.
746 m = ieee80211_decap(vap, m, hdrspace);
748 /* XXX mask bit to check for both */
749 /* don't count Null data frames as errors */
750 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
751 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
753 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
754 ni->ni_macaddr, "data", "%s", "decap error");
755 vap->iv_stats.is_rx_decap++;
756 IEEE80211_NODE_STAT(ni, rx_decap);
759 eh = mtod(m, struct ether_header *);
760 if (!ieee80211_node_is_authorized(ni)) {
762 * Deny any non-PAE frames received prior to
763 * authorization. For open/shared-key
764 * authentication the port is mark authorized
765 * after authentication completes. For 802.1x
766 * the port is not marked authorized by the
767 * authenticator until the handshake has completed.
769 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
770 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
771 eh->ether_shost, "data",
772 "unauthorized port: ether type 0x%x len %u",
773 eh->ether_type, m->m_pkthdr.len);
774 vap->iv_stats.is_rx_unauth++;
775 IEEE80211_NODE_STAT(ni, rx_unauth);
780 * When denying unencrypted frames, discard
781 * any non-PAE frames received without encryption.
783 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
784 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
785 (is_hw_decrypted == 0) &&
786 eh->ether_type != htons(ETHERTYPE_PAE)) {
788 * Drop unencrypted frames.
790 vap->iv_stats.is_rx_unencrypted++;
791 IEEE80211_NODE_STAT(ni, rx_unencrypted);
795 /* XXX require HT? */
796 if (qos & IEEE80211_QOS_AMSDU) {
797 m = ieee80211_decap_amsdu(ni, m);
799 return IEEE80211_FC0_TYPE_DATA;
801 #ifdef IEEE80211_SUPPORT_SUPERG
802 m = ieee80211_decap_fastframe(vap, ni, m);
804 return IEEE80211_FC0_TYPE_DATA;
807 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
808 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
810 hostap_deliver_data(vap, ni, m);
811 return IEEE80211_FC0_TYPE_DATA;
813 case IEEE80211_FC0_TYPE_MGT:
814 vap->iv_stats.is_rx_mgmt++;
815 IEEE80211_NODE_STAT(ni, rx_mgmt);
816 if (dir != IEEE80211_FC1_DIR_NODS) {
817 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
818 wh, "mgt", "incorrect dir 0x%x", dir);
819 vap->iv_stats.is_rx_wrongdir++;
822 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
823 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
824 ni->ni_macaddr, "mgt", "too short: len %u",
826 vap->iv_stats.is_rx_tooshort++;
829 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
830 /* ensure return frames are unicast */
831 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
832 wh, NULL, "source is multicast: %s",
833 ether_sprintf(wh->i_addr2));
834 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
837 #ifdef IEEE80211_DEBUG
838 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
839 ieee80211_msg_dumppkts(vap)) {
840 if_printf(ifp, "received %s from %s rssi %d\n",
841 ieee80211_mgt_subtype_name(subtype),
842 ether_sprintf(wh->i_addr2), rssi);
845 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
846 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
848 * Only shared key auth frames with a challenge
849 * should be encrypted, discard all others.
851 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
853 "%s", "WEP set but not permitted");
854 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
857 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
859 * Discard encrypted frames when privacy is off.
861 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
862 wh, NULL, "%s", "WEP set but PRIVACY off");
863 vap->iv_stats.is_rx_noprivacy++;
866 hdrspace = ieee80211_hdrspace(ic, wh);
867 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
868 /* NB: stats+msgs handled in crypto_decap */
871 wh = mtod(m, struct ieee80211_frame *);
872 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
876 * Pass the packet to radiotap before calling iv_recv_mgmt().
877 * Otherwise iv_recv_mgmt() might pass another packet to
878 * radiotap, resulting in out of order packet captures.
880 if (ieee80211_radiotap_active_vap(vap))
881 ieee80211_radiotap_rx(vap, m);
883 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
886 case IEEE80211_FC0_TYPE_CTL:
887 vap->iv_stats.is_rx_ctl++;
888 IEEE80211_NODE_STAT(ni, rx_ctrl);
889 vap->iv_recv_ctl(ni, m, subtype);
892 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
893 wh, "bad", "frame type 0x%x", type);
894 /* should not come here */
898 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
901 if (need_tap && ieee80211_radiotap_active_vap(vap))
902 ieee80211_radiotap_rx(vap, m);
909 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
910 int rssi, int nf, uint16_t seq, uint16_t status)
912 struct ieee80211vap *vap = ni->ni_vap;
914 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
916 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
917 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
918 ni->ni_macaddr, "open auth",
919 "bad sta auth mode %u", ni->ni_authmode);
920 vap->iv_stats.is_rx_bad_auth++; /* XXX */
922 * Clear any challenge text that may be there if
923 * a previous shared key auth failed and then an
924 * open auth is attempted.
926 if (ni->ni_challenge != NULL) {
927 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
928 ni->ni_challenge = NULL;
930 /* XXX hack to workaround calling convention */
931 ieee80211_send_error(ni, wh->i_addr2,
932 IEEE80211_FC0_SUBTYPE_AUTH,
933 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
936 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
937 vap->iv_stats.is_rx_bad_auth++;
940 /* always accept open authentication requests */
941 if (ni == vap->iv_bss) {
942 ni = ieee80211_dup_bss(vap, wh->i_addr2);
945 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
946 (void) ieee80211_ref_node(ni);
948 * Mark the node as referenced to reflect that it's
949 * reference count has been bumped to insure it remains
950 * after the transaction completes.
952 ni->ni_flags |= IEEE80211_NODE_AREF;
954 * Mark the node as requiring a valid association id
955 * before outbound traffic is permitted.
957 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
959 if (vap->iv_acl != NULL &&
960 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
962 * When the ACL policy is set to RADIUS we defer the
963 * authorization to a user agent. Dispatch an event,
964 * a subsequent MLME call will decide the fate of the
965 * station. If the user agent is not present then the
966 * node will be reclaimed due to inactivity.
968 IEEE80211_NOTE_MAC(vap,
969 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
970 "%s", "station authentication defered (radius acl)");
971 ieee80211_notify_node_auth(ni);
973 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
974 IEEE80211_NOTE_MAC(vap,
975 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
976 "%s", "station authenticated (open)");
978 * When 802.1x is not in use mark the port
979 * authorized at this point so traffic can flow.
981 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
982 ieee80211_node_authorize(ni);
987 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
988 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
989 uint16_t seq, uint16_t status)
991 struct ieee80211vap *vap = ni->ni_vap;
993 int allocbs, estatus;
995 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
998 * NB: this can happen as we allow pre-shared key
999 * authentication to be enabled w/o wep being turned
1000 * on so that configuration of these can be done
1001 * in any order. It may be better to enforce the
1002 * ordering in which case this check would just be
1003 * for sanity/consistency.
1005 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1006 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1007 ni->ni_macaddr, "shared key auth",
1008 "%s", " PRIVACY is disabled");
1009 estatus = IEEE80211_STATUS_ALG;
1013 * Pre-shared key authentication is evil; accept
1014 * it only if explicitly configured (it is supported
1015 * mainly for compatibility with clients like Mac OS X).
1017 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1018 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1019 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1020 ni->ni_macaddr, "shared key auth",
1021 "bad sta auth mode %u", ni->ni_authmode);
1022 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1023 estatus = IEEE80211_STATUS_ALG;
1028 if (frm + 1 < efrm) {
1029 if ((frm[1] + 2) > (efrm - frm)) {
1030 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1031 ni->ni_macaddr, "shared key auth",
1032 "ie %d/%d too long",
1033 frm[0], (frm[1] + 2) - (efrm - frm));
1034 vap->iv_stats.is_rx_bad_auth++;
1035 estatus = IEEE80211_STATUS_CHALLENGE;
1038 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1043 case IEEE80211_AUTH_SHARED_CHALLENGE:
1044 case IEEE80211_AUTH_SHARED_RESPONSE:
1045 if (challenge == NULL) {
1046 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1047 ni->ni_macaddr, "shared key auth",
1048 "%s", "no challenge");
1049 vap->iv_stats.is_rx_bad_auth++;
1050 estatus = IEEE80211_STATUS_CHALLENGE;
1053 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1054 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1055 ni->ni_macaddr, "shared key auth",
1056 "bad challenge len %d", challenge[1]);
1057 vap->iv_stats.is_rx_bad_auth++;
1058 estatus = IEEE80211_STATUS_CHALLENGE;
1065 case IEEE80211_AUTH_SHARED_REQUEST:
1066 if (ni == vap->iv_bss) {
1067 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1069 /* NB: no way to return an error */
1074 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1075 (void) ieee80211_ref_node(ni);
1079 * Mark the node as referenced to reflect that it's
1080 * reference count has been bumped to insure it remains
1081 * after the transaction completes.
1083 ni->ni_flags |= IEEE80211_NODE_AREF;
1085 * Mark the node as requiring a valid association id
1086 * before outbound traffic is permitted.
1088 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1089 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1091 if (!ieee80211_alloc_challenge(ni)) {
1092 /* NB: don't return error so they rexmit */
1095 get_random_bytes(ni->ni_challenge,
1096 IEEE80211_CHALLENGE_LEN);
1097 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1098 ni, "shared key %sauth request", allocbs ? "" : "re");
1100 * When the ACL policy is set to RADIUS we defer the
1101 * authorization to a user agent. Dispatch an event,
1102 * a subsequent MLME call will decide the fate of the
1103 * station. If the user agent is not present then the
1104 * node will be reclaimed due to inactivity.
1106 if (vap->iv_acl != NULL &&
1107 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1108 IEEE80211_NOTE_MAC(vap,
1109 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1111 "%s", "station authentication defered (radius acl)");
1112 ieee80211_notify_node_auth(ni);
1116 case IEEE80211_AUTH_SHARED_RESPONSE:
1117 if (ni == vap->iv_bss) {
1118 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1119 ni->ni_macaddr, "shared key response",
1120 "%s", "unknown station");
1121 /* NB: don't send a response */
1124 if (ni->ni_challenge == NULL) {
1125 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1126 ni->ni_macaddr, "shared key response",
1127 "%s", "no challenge recorded");
1128 vap->iv_stats.is_rx_bad_auth++;
1129 estatus = IEEE80211_STATUS_CHALLENGE;
1132 if (memcmp(ni->ni_challenge, &challenge[2],
1133 challenge[1]) != 0) {
1134 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1135 ni->ni_macaddr, "shared key response",
1136 "%s", "challenge mismatch");
1137 vap->iv_stats.is_rx_auth_fail++;
1138 estatus = IEEE80211_STATUS_CHALLENGE;
1141 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1142 ni, "%s", "station authenticated (shared key)");
1143 ieee80211_node_authorize(ni);
1146 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1147 ni->ni_macaddr, "shared key auth",
1149 vap->iv_stats.is_rx_bad_auth++;
1150 estatus = IEEE80211_STATUS_SEQUENCE;
1153 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1157 * Send an error response; but only when operating as an AP.
1159 /* XXX hack to workaround calling convention */
1160 ieee80211_send_error(ni, wh->i_addr2,
1161 IEEE80211_FC0_SUBTYPE_AUTH,
1162 (seq + 1) | (estatus<<16));
1166 * Convert a WPA cipher selector OUI to an internal
1167 * cipher algorithm. Where appropriate we also
1168 * record any key length.
1171 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1173 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1174 uint32_t w = le32dec(sel);
1177 case WPA_SEL(WPA_CSE_NULL):
1178 *cipher = IEEE80211_CIPHER_NONE;
1180 case WPA_SEL(WPA_CSE_WEP40):
1182 *keylen = 40 / NBBY;
1183 *cipher = IEEE80211_CIPHER_WEP;
1185 case WPA_SEL(WPA_CSE_WEP104):
1187 *keylen = 104 / NBBY;
1188 *cipher = IEEE80211_CIPHER_WEP;
1190 case WPA_SEL(WPA_CSE_TKIP):
1191 *cipher = IEEE80211_CIPHER_TKIP;
1193 case WPA_SEL(WPA_CSE_CCMP):
1194 *cipher = IEEE80211_CIPHER_AES_CCM;
1205 * Convert a WPA key management/authentication algorithm
1206 * to an internal code.
1209 wpa_keymgmt(const uint8_t *sel)
1211 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1212 uint32_t w = le32dec(sel);
1215 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1216 return WPA_ASE_8021X_UNSPEC;
1217 case WPA_SEL(WPA_ASE_8021X_PSK):
1218 return WPA_ASE_8021X_PSK;
1219 case WPA_SEL(WPA_ASE_NONE):
1220 return WPA_ASE_NONE;
1222 return 0; /* NB: so is discarded */
1227 * Parse a WPA information element to collect parameters.
1228 * Note that we do not validate security parameters; that
1229 * is handled by the authenticator; the parsing done here
1230 * is just for internal use in making operational decisions.
1233 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1234 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1236 uint8_t len = frm[1];
1241 * Check the length once for fixed parts: OUI, type,
1242 * version, mcast cipher, and 2 selector counts.
1243 * Other, variable-length data, must be checked separately.
1245 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1246 IEEE80211_DISCARD_IE(vap,
1247 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1248 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1249 return IEEE80211_REASON_IE_INVALID;
1252 IEEE80211_DISCARD_IE(vap,
1253 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1254 wh, "WPA", "too short, len %u", len);
1255 return IEEE80211_REASON_IE_INVALID;
1257 frm += 6, len -= 4; /* NB: len is payload only */
1258 /* NB: iswpaoui already validated the OUI and type */
1260 if (w != WPA_VERSION) {
1261 IEEE80211_DISCARD_IE(vap,
1262 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1263 wh, "WPA", "bad version %u", w);
1264 return IEEE80211_REASON_IE_INVALID;
1268 memset(rsn, 0, sizeof(*rsn));
1270 /* multicast/group cipher */
1271 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1273 IEEE80211_DISCARD_IE(vap,
1274 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1275 wh, "WPA", "unknown mcast cipher suite %08X",
1277 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1281 /* unicast ciphers */
1285 IEEE80211_DISCARD_IE(vap,
1286 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1287 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1289 return IEEE80211_REASON_IE_INVALID;
1292 for (; n > 0; n--) {
1295 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1302 IEEE80211_DISCARD_IE(vap,
1303 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1304 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1306 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1309 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1310 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1312 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1314 /* key management algorithms */
1318 IEEE80211_DISCARD_IE(vap,
1319 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1320 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1322 return IEEE80211_REASON_IE_INVALID;
1325 for (; n > 0; n--) {
1326 w |= wpa_keymgmt(frm);
1329 if (w & WPA_ASE_8021X_UNSPEC)
1330 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1332 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1334 if (len > 2) /* optional capabilities */
1335 rsn->rsn_caps = le16dec(frm);
1341 * Convert an RSN cipher selector OUI to an internal
1342 * cipher algorithm. Where appropriate we also
1343 * record any key length.
1346 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1348 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1349 uint32_t w = le32dec(sel);
1352 case RSN_SEL(RSN_CSE_NULL):
1353 *cipher = IEEE80211_CIPHER_NONE;
1355 case RSN_SEL(RSN_CSE_WEP40):
1357 *keylen = 40 / NBBY;
1358 *cipher = IEEE80211_CIPHER_WEP;
1360 case RSN_SEL(RSN_CSE_WEP104):
1362 *keylen = 104 / NBBY;
1363 *cipher = IEEE80211_CIPHER_WEP;
1365 case RSN_SEL(RSN_CSE_TKIP):
1366 *cipher = IEEE80211_CIPHER_TKIP;
1368 case RSN_SEL(RSN_CSE_CCMP):
1369 *cipher = IEEE80211_CIPHER_AES_CCM;
1371 case RSN_SEL(RSN_CSE_WRAP):
1372 *cipher = IEEE80211_CIPHER_AES_OCB;
1383 * Convert an RSN key management/authentication algorithm
1384 * to an internal code.
1387 rsn_keymgmt(const uint8_t *sel)
1389 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1390 uint32_t w = le32dec(sel);
1393 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1394 return RSN_ASE_8021X_UNSPEC;
1395 case RSN_SEL(RSN_ASE_8021X_PSK):
1396 return RSN_ASE_8021X_PSK;
1397 case RSN_SEL(RSN_ASE_NONE):
1398 return RSN_ASE_NONE;
1400 return 0; /* NB: so is discarded */
1405 * Parse a WPA/RSN information element to collect parameters
1406 * and validate the parameters against what has been
1407 * configured for the system.
1410 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1411 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1413 uint8_t len = frm[1];
1418 * Check the length once for fixed parts:
1419 * version, mcast cipher, and 2 selector counts.
1420 * Other, variable-length data, must be checked separately.
1422 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1423 IEEE80211_DISCARD_IE(vap,
1424 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1425 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1426 return IEEE80211_REASON_IE_INVALID;
1428 /* XXX may be shorter */
1430 IEEE80211_DISCARD_IE(vap,
1431 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1432 wh, "RSN", "too short, len %u", len);
1433 return IEEE80211_REASON_IE_INVALID;
1437 if (w != RSN_VERSION) {
1438 IEEE80211_DISCARD_IE(vap,
1439 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1440 wh, "RSN", "bad version %u", w);
1441 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1445 memset(rsn, 0, sizeof(*rsn));
1447 /* multicast/group cipher */
1448 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1450 IEEE80211_DISCARD_IE(vap,
1451 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1452 wh, "RSN", "unknown mcast cipher suite %08X",
1454 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1456 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1457 IEEE80211_DISCARD_IE(vap,
1458 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1459 wh, "RSN", "invalid mcast cipher suite %d",
1460 rsn->rsn_mcastcipher);
1461 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1465 /* unicast ciphers */
1469 IEEE80211_DISCARD_IE(vap,
1470 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1471 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1473 return IEEE80211_REASON_IE_INVALID;
1477 for (; n > 0; n--) {
1480 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1486 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1487 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1488 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1489 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1490 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1491 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1492 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1493 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1494 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1495 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1497 IEEE80211_DISCARD_IE(vap,
1498 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1499 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1501 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1504 /* key management algorithms */
1508 IEEE80211_DISCARD_IE(vap,
1509 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1510 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1512 return IEEE80211_REASON_IE_INVALID;
1515 for (; n > 0; n--) {
1516 w |= rsn_keymgmt(frm);
1519 if (w & RSN_ASE_8021X_UNSPEC)
1520 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1522 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1524 /* optional RSN capabilities */
1526 rsn->rsn_caps = le16dec(frm);
1533 * WPA/802.11i association request processing.
1536 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1537 const struct ieee80211_frame *wh, const uint8_t *wpa,
1538 const uint8_t *rsn, uint16_t capinfo)
1540 struct ieee80211vap *vap = ni->ni_vap;
1544 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1545 if (wpa == NULL && rsn == NULL) {
1546 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1548 * W-Fi Protected Setup (WPS) permits
1549 * clients to associate and pass EAPOL frames
1550 * to establish initial credentials.
1552 ni->ni_flags |= IEEE80211_NODE_WPS;
1555 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1556 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1558 * Transitional Security Network. Permits clients
1559 * to associate and use WEP while WPA is configured.
1561 ni->ni_flags |= IEEE80211_NODE_TSN;
1564 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1565 wh, NULL, "%s", "no WPA/RSN IE in association request");
1566 vap->iv_stats.is_rx_assoc_badwpaie++;
1567 reason = IEEE80211_REASON_IE_INVALID;
1570 /* assert right association security credentials */
1571 badwparsn = 0; /* NB: to silence compiler */
1572 switch (vap->iv_flags & IEEE80211_F_WPA) {
1573 case IEEE80211_F_WPA1:
1574 badwparsn = (wpa == NULL);
1576 case IEEE80211_F_WPA2:
1577 badwparsn = (rsn == NULL);
1579 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1580 badwparsn = (wpa == NULL && rsn == NULL);
1584 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1586 "%s", "missing WPA/RSN IE in association request");
1587 vap->iv_stats.is_rx_assoc_badwpaie++;
1588 reason = IEEE80211_REASON_IE_INVALID;
1592 * Parse WPA/RSN information element.
1595 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1597 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1599 /* XXX wpa->rsn fallback? */
1600 /* XXX distinguish WPA/RSN? */
1601 vap->iv_stats.is_rx_assoc_badwpaie++;
1604 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1605 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1606 wpa != NULL ? "WPA" : "RSN",
1607 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1608 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1609 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1613 ieee80211_node_deauth(ni, reason);
1617 /* XXX find a better place for definition */
1618 struct l2_update_frame {
1619 struct ether_header eh;
1627 * Deliver a TGf L2UF frame on behalf of a station.
1628 * This primes any bridge when the station is roaming
1629 * between ap's on the same wired network.
1632 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1634 struct ieee80211vap *vap = ni->ni_vap;
1635 struct ifnet *ifp = vap->iv_ifp;
1637 struct l2_update_frame *l2uf;
1638 struct ether_header *eh;
1640 m = m_gethdr(M_NOWAIT, MT_DATA);
1642 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1643 "%s", "no mbuf for l2uf frame");
1644 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1647 l2uf = mtod(m, struct l2_update_frame *);
1649 /* dst: Broadcast address */
1650 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1651 /* src: associated STA */
1652 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1653 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1657 l2uf->control = 0xf5;
1658 l2uf->xid[0] = 0x81;
1659 l2uf->xid[1] = 0x80;
1660 l2uf->xid[2] = 0x00;
1662 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1663 hostap_deliver_data(vap, ni, m);
1667 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1668 int reassoc, int resp, const char *tag, int rate)
1670 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1671 "deny %s request, %s rate set mismatch, rate/MCS %d",
1672 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1673 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1674 ieee80211_node_leave(ni);
1678 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1679 int reassoc, int resp, const char *tag, int capinfo)
1681 struct ieee80211vap *vap = ni->ni_vap;
1683 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1684 "deny %s request, %s mismatch 0x%x",
1685 reassoc ? "reassoc" : "assoc", tag, capinfo);
1686 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1687 ieee80211_node_leave(ni);
1688 vap->iv_stats.is_rx_assoc_capmismatch++;
1692 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1693 int reassoc, int resp)
1695 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1696 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1697 /* XXX no better code */
1698 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1699 ieee80211_node_leave(ni);
1703 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1704 int algo, int seq, int status)
1706 struct ieee80211vap *vap = ni->ni_vap;
1708 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1709 wh, NULL, "unsupported alg %d", algo);
1710 vap->iv_stats.is_rx_auth_unsupported++;
1711 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1712 seq | (status << 16));
1716 ishtmixed(const uint8_t *ie)
1718 const struct ieee80211_ie_htinfo *ht =
1719 (const struct ieee80211_ie_htinfo *) ie;
1720 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1721 IEEE80211_HTINFO_OPMODE_MIXED;
1725 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1727 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1730 /* NB: the 11b clients we care about will not have xrates */
1731 if (xrates != NULL || rates == NULL)
1733 for (i = 0; i < rates[1]; i++) {
1734 int r = rates[2+i] & IEEE80211_RATE_VAL;
1735 if (r > 2*11 || ((1<<r) & brates) == 0)
1742 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1743 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1745 struct ieee80211vap *vap = ni->ni_vap;
1746 struct ieee80211com *ic = ni->ni_ic;
1747 struct ieee80211_frame *wh;
1748 uint8_t *frm, *efrm, *sfrm;
1749 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1750 uint8_t *vhtcap, *vhtinfo;
1754 wh = mtod(m0, struct ieee80211_frame *);
1755 frm = (uint8_t *)&wh[1];
1756 efrm = mtod(m0, uint8_t *) + m0->m_len;
1758 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1760 * We process beacon/probe response frames when scanning;
1761 * otherwise we check beacon frames for overlapping non-ERP
1762 * BSS in 11g and/or overlapping legacy BSS when in HT.
1764 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1765 vap->iv_stats.is_rx_mgtdiscard++;
1769 case IEEE80211_FC0_SUBTYPE_BEACON: {
1770 struct ieee80211_scanparams scan;
1772 /* NB: accept off-channel frames */
1773 /* XXX TODO: use rxstatus to determine off-channel details */
1774 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1777 * Count frame now that we know it's to be processed.
1779 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1780 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1781 IEEE80211_NODE_STAT(ni, rx_beacons);
1783 IEEE80211_NODE_STAT(ni, rx_proberesp);
1785 * If scanning, just pass information to the scan module.
1787 if (ic->ic_flags & IEEE80211_F_SCAN) {
1788 if (scan.status == 0 && /* NB: on channel */
1789 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1791 * Actively scanning a channel marked passive;
1792 * send a probe request now that we know there
1793 * is 802.11 traffic present.
1795 * XXX check if the beacon we recv'd gives
1796 * us what we need and suppress the probe req
1798 ieee80211_probe_curchan(vap, 1);
1799 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1801 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1806 * Check beacon for overlapping bss w/ non ERP stations.
1807 * If we detect one and protection is configured but not
1808 * enabled, enable it and start a timer that'll bring us
1809 * out if we stop seeing the bss.
1811 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1812 scan.status == 0 && /* NB: on-channel */
1813 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1814 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1815 ic->ic_lastnonerp = ticks;
1816 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1817 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1818 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1819 IEEE80211_NOTE_FRAME(vap,
1820 IEEE80211_MSG_ASSOC, wh,
1821 "non-ERP present on channel %d "
1822 "(saw erp 0x%x from channel %d), "
1823 "enable use of protection",
1824 ic->ic_curchan->ic_ieee,
1825 scan.erp, scan.chan);
1826 ic->ic_flags |= IEEE80211_F_USEPROT;
1827 ieee80211_notify_erp(ic);
1831 * Check beacon for non-HT station on HT channel
1832 * and update HT BSS occupancy as appropriate.
1834 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1835 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1837 * Off control channel; only check frames
1838 * that come in the extension channel when
1839 * operating w/ HT40.
1841 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1843 if (scan.chan != ic->ic_curchan->ic_extieee)
1846 if (scan.htinfo == NULL) {
1847 ieee80211_htprot_update(ic,
1848 IEEE80211_HTINFO_OPMODE_PROTOPT |
1849 IEEE80211_HTINFO_NONHT_PRESENT);
1850 } else if (ishtmixed(scan.htinfo)) {
1851 /* XXX? take NONHT_PRESENT from beacon? */
1852 ieee80211_htprot_update(ic,
1853 IEEE80211_HTINFO_OPMODE_MIXED |
1854 IEEE80211_HTINFO_NONHT_PRESENT);
1860 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1861 if (vap->iv_state != IEEE80211_S_RUN) {
1862 vap->iv_stats.is_rx_mgtdiscard++;
1866 * Consult the ACL policy module if setup.
1868 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1869 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1870 wh, NULL, "%s", "disallowed by ACL");
1871 vap->iv_stats.is_rx_acl++;
1875 * prreq frame format
1877 * [tlv] supported rates
1878 * [tlv] extended supported rates
1880 ssid = rates = xrates = NULL;
1881 while (efrm - frm > 1) {
1882 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1884 case IEEE80211_ELEMID_SSID:
1887 case IEEE80211_ELEMID_RATES:
1890 case IEEE80211_ELEMID_XRATES:
1896 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1898 IEEE80211_VERIFY_ELEMENT(xrates,
1899 IEEE80211_RATE_MAXSIZE - rates[1], return);
1900 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1901 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1902 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1903 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1905 "%s", "no ssid with ssid suppression enabled");
1906 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1910 /* XXX find a better class or define it's own */
1911 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1912 "%s", "recv probe req");
1914 * Some legacy 11b clients cannot hack a complete
1915 * probe response frame. When the request includes
1916 * only a bare-bones rate set, communicate this to
1917 * the transmit side.
1919 ieee80211_send_proberesp(vap, wh->i_addr2,
1920 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1923 case IEEE80211_FC0_SUBTYPE_AUTH: {
1924 uint16_t algo, seq, status;
1926 if (vap->iv_state != IEEE80211_S_RUN) {
1927 vap->iv_stats.is_rx_mgtdiscard++;
1930 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1931 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1932 wh, NULL, "%s", "wrong bssid");
1933 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1943 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1944 algo = le16toh(*(uint16_t *)frm);
1945 seq = le16toh(*(uint16_t *)(frm + 2));
1946 status = le16toh(*(uint16_t *)(frm + 4));
1947 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1948 "recv auth frame with algorithm %d seq %d", algo, seq);
1950 * Consult the ACL policy module if setup.
1952 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1953 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1954 wh, NULL, "%s", "disallowed by ACL");
1955 vap->iv_stats.is_rx_acl++;
1956 ieee80211_send_error(ni, wh->i_addr2,
1957 IEEE80211_FC0_SUBTYPE_AUTH,
1958 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1961 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1962 IEEE80211_DISCARD(vap,
1963 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1964 wh, NULL, "%s", "TKIP countermeasures enabled");
1965 vap->iv_stats.is_rx_auth_countermeasures++;
1966 ieee80211_send_error(ni, wh->i_addr2,
1967 IEEE80211_FC0_SUBTYPE_AUTH,
1968 IEEE80211_REASON_MIC_FAILURE);
1971 if (algo == IEEE80211_AUTH_ALG_SHARED)
1972 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1974 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1975 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1976 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1977 authalgreject(ni, wh, algo,
1978 seq+1, IEEE80211_STATUS_ALG);
1982 * We assume that an unknown algorithm is the result
1983 * of a decryption failure on a shared key auth frame;
1984 * return a status code appropriate for that instead
1985 * of IEEE80211_STATUS_ALG.
1987 * NB: a seq# of 4 is intentional; the decrypted
1988 * frame likely has a bogus seq value.
1990 authalgreject(ni, wh, algo,
1991 4, IEEE80211_STATUS_CHALLENGE);
1997 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1998 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1999 uint16_t capinfo, lintval;
2000 struct ieee80211_rsnparms rsnparms;
2002 if (vap->iv_state != IEEE80211_S_RUN) {
2003 vap->iv_stats.is_rx_mgtdiscard++;
2006 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2007 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2008 wh, NULL, "%s", "wrong bssid");
2009 vap->iv_stats.is_rx_assoc_bss++;
2012 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2014 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2017 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2019 if (ni == vap->iv_bss) {
2020 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2021 "deny %s request, sta not authenticated",
2022 reassoc ? "reassoc" : "assoc");
2023 ieee80211_send_error(ni, wh->i_addr2,
2024 IEEE80211_FC0_SUBTYPE_DEAUTH,
2025 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2026 vap->iv_stats.is_rx_assoc_notauth++;
2031 * asreq frame format
2032 * [2] capability information
2033 * [2] listen interval
2034 * [6*] current AP address (reassoc only)
2036 * [tlv] supported rates
2037 * [tlv] extended supported rates
2039 * [tlv] HT capabilities
2040 * [tlv] Atheros capabilities
2042 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2043 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2044 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2046 frm += 6; /* ignore current AP info */
2047 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2048 vhtcap = vhtinfo = NULL;
2050 while (efrm - frm > 1) {
2051 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2053 case IEEE80211_ELEMID_SSID:
2056 case IEEE80211_ELEMID_RATES:
2059 case IEEE80211_ELEMID_XRATES:
2062 case IEEE80211_ELEMID_RSN:
2065 case IEEE80211_ELEMID_HTCAP:
2068 case IEEE80211_ELEMID_VHT_CAP:
2071 case IEEE80211_ELEMID_VHT_OPMODE:
2074 case IEEE80211_ELEMID_VENDOR:
2077 else if (iswmeinfo(frm))
2079 #ifdef IEEE80211_SUPPORT_SUPERG
2080 else if (isatherosoui(frm))
2083 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2084 if (ishtcapoui(frm) && htcap == NULL)
2091 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2093 IEEE80211_VERIFY_ELEMENT(xrates,
2094 IEEE80211_RATE_MAXSIZE - rates[1], return);
2095 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2096 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2097 if (htcap != NULL) {
2098 IEEE80211_VERIFY_LENGTH(htcap[1],
2099 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2100 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2101 sizeof(struct ieee80211_ie_htcap)-2,
2102 return); /* XXX just NULL out? */
2105 /* Validate VHT IEs */
2106 if (vhtcap != NULL) {
2107 IEEE80211_VERIFY_LENGTH(vhtcap[1],
2108 sizeof(struct ieee80211_ie_vhtcap) - 2,
2111 if (vhtinfo != NULL) {
2112 IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2113 sizeof(struct ieee80211_ie_vht_operation) - 2,
2117 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2118 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2120 /* discard challenge after association */
2121 if (ni->ni_challenge != NULL) {
2122 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2123 ni->ni_challenge = NULL;
2125 /* NB: 802.11 spec says to ignore station's privacy bit */
2126 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2127 capinfomismatch(ni, wh, reassoc, resp,
2128 "capability", capinfo);
2132 * Disallow re-associate w/ invalid slot time setting.
2134 if (ni->ni_associd != 0 &&
2135 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2136 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2137 capinfomismatch(ni, wh, reassoc, resp,
2138 "slot time", capinfo);
2141 rate = ieee80211_setup_rates(ni, rates, xrates,
2142 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2143 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2144 if (rate & IEEE80211_RATE_BASIC) {
2145 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2146 vap->iv_stats.is_rx_assoc_norate++;
2150 * If constrained to 11g-only stations reject an
2151 * 11b-only station. We cheat a bit here by looking
2152 * at the max negotiated xmit rate and assuming anyone
2153 * with a best rate <24Mb/s is an 11b station.
2155 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2156 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2157 vap->iv_stats.is_rx_assoc_norate++;
2162 * Do HT rate set handling and setup HT node state.
2164 ni->ni_chan = vap->iv_bss->ni_chan;
2167 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2170 /* XXX TODO; see below */
2171 printf("%s: VHT TODO!\n", __func__);
2172 ieee80211_vht_node_init(ni);
2173 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2174 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2175 ieee80211_vht_node_cleanup(ni);
2178 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2179 rate = ieee80211_setup_htrates(ni, htcap,
2180 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2182 if (rate & IEEE80211_RATE_BASIC) {
2183 ratesetmismatch(ni, wh, reassoc, resp,
2185 vap->iv_stats.is_ht_assoc_norate++;
2188 ieee80211_ht_node_init(ni);
2189 ieee80211_ht_updatehtcap(ni, htcap);
2190 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2191 ieee80211_ht_node_cleanup(ni);
2193 /* Finally - this will use HT/VHT info to change node channel */
2194 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2195 ieee80211_ht_updatehtcap_final(ni);
2198 #ifdef IEEE80211_SUPPORT_SUPERG
2199 /* Always do ff node cleanup; for A-MSDU */
2200 ieee80211_ff_node_cleanup(ni);
2203 * Allow AMPDU operation only with unencrypted traffic
2204 * or AES-CCM; the 11n spec only specifies these ciphers
2205 * so permitting any others is undefined and can lead
2206 * to interoperability problems.
2208 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2209 (((vap->iv_flags & IEEE80211_F_WPA) &&
2210 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2211 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2213 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2214 "disallow HT use because WEP or TKIP requested, "
2215 "capinfo 0x%x ucastcipher %d", capinfo,
2216 rsnparms.rsn_ucastcipher);
2217 ieee80211_ht_node_cleanup(ni);
2218 #ifdef IEEE80211_SUPPORT_SUPERG
2219 /* Always do ff node cleanup; for A-MSDU */
2220 ieee80211_ff_node_cleanup(ni);
2222 vap->iv_stats.is_ht_assoc_downgrade++;
2225 * If constrained to 11n-only stations reject legacy stations.
2227 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2228 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2229 htcapmismatch(ni, wh, reassoc, resp);
2230 vap->iv_stats.is_ht_assoc_nohtcap++;
2233 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2235 ni->ni_intval = lintval;
2236 ni->ni_capinfo = capinfo;
2237 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2238 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2241 * XXX maybe better to just expand
2243 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2244 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2246 setie(wpa_ie, wpa - sfrm);
2248 setie(rsn_ie, rsn - sfrm);
2250 setie(htcap_ie, htcap - sfrm);
2252 setie(wme_ie, wme - sfrm);
2254 * Mark node as capable of QoS.
2256 ni->ni_flags |= IEEE80211_NODE_QOS;
2257 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
2258 if (ni->ni_uapsd != 0)
2260 IEEE80211_NODE_UAPSD;
2263 ~IEEE80211_NODE_UAPSD;
2267 ~(IEEE80211_NODE_QOS |
2268 IEEE80211_NODE_UAPSD);
2269 #ifdef IEEE80211_SUPPORT_SUPERG
2271 setie(ath_ie, ath - sfrm);
2273 * Parse ATH station parameters.
2275 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2278 ni->ni_ath_flags = 0;
2281 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2282 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
2283 ni->ni_ath_flags = 0;
2285 ieee80211_node_join(ni, resp);
2286 ieee80211_deliver_l2uf(ni);
2290 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2291 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2294 if (vap->iv_state != IEEE80211_S_RUN ||
2295 /* NB: can happen when in promiscuous mode */
2296 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2297 vap->iv_stats.is_rx_mgtdiscard++;
2301 * deauth/disassoc frame format
2304 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2305 reason = le16toh(*(uint16_t *)frm);
2306 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2307 vap->iv_stats.is_rx_deauth++;
2308 IEEE80211_NODE_STAT(ni, rx_deauth);
2310 vap->iv_stats.is_rx_disassoc++;
2311 IEEE80211_NODE_STAT(ni, rx_disassoc);
2313 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2314 "recv %s (reason: %d (%s))",
2315 ieee80211_mgt_subtype_name(subtype),
2316 reason, ieee80211_reason_to_string(reason));
2317 if (ni != vap->iv_bss)
2318 ieee80211_node_leave(ni);
2322 case IEEE80211_FC0_SUBTYPE_ACTION:
2323 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2324 if (ni == vap->iv_bss) {
2325 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2326 wh, NULL, "%s", "unknown node");
2327 vap->iv_stats.is_rx_mgtdiscard++;
2328 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2329 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2330 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2331 wh, NULL, "%s", "not for us");
2332 vap->iv_stats.is_rx_mgtdiscard++;
2333 } else if (vap->iv_state != IEEE80211_S_RUN) {
2334 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2335 wh, NULL, "wrong state %s",
2336 ieee80211_state_name[vap->iv_state]);
2337 vap->iv_stats.is_rx_mgtdiscard++;
2339 if (ieee80211_parse_action(ni, m0) == 0)
2340 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2344 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2345 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2346 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2347 case IEEE80211_FC0_SUBTYPE_ATIM:
2348 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2349 wh, NULL, "%s", "not handled");
2350 vap->iv_stats.is_rx_mgtdiscard++;
2354 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2355 wh, "mgt", "subtype 0x%x not handled", subtype);
2356 vap->iv_stats.is_rx_badsubtype++;
2362 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2365 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2366 ni->ni_vap->iv_recv_pspoll(ni, m);
2368 case IEEE80211_FC0_SUBTYPE_BAR:
2369 ieee80211_recv_bar(ni, m);
2375 * Process a received ps-poll frame.
2378 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2380 struct ieee80211vap *vap = ni->ni_vap;
2381 struct ieee80211com *ic = vap->iv_ic;
2382 struct ieee80211_frame_min *wh;
2387 wh = mtod(m0, struct ieee80211_frame_min *);
2388 if (ni->ni_associd == 0) {
2389 IEEE80211_DISCARD(vap,
2390 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2391 (struct ieee80211_frame *) wh, NULL,
2392 "%s", "unassociated station");
2393 vap->iv_stats.is_ps_unassoc++;
2394 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2395 IEEE80211_REASON_NOT_ASSOCED);
2399 aid = le16toh(*(uint16_t *)wh->i_dur);
2400 if (aid != ni->ni_associd) {
2401 IEEE80211_DISCARD(vap,
2402 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2403 (struct ieee80211_frame *) wh, NULL,
2404 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2405 ni->ni_associd, aid);
2406 vap->iv_stats.is_ps_badaid++;
2408 * NB: We used to deauth the station but it turns out
2409 * the Blackberry Curve 8230 (and perhaps other devices)
2410 * sometimes send the wrong AID when WME is negotiated.
2411 * Being more lenient here seems ok as we already check
2412 * the station is associated and we only return frames
2413 * queued for the station (i.e. we don't use the AID).
2418 /* Okay, take the first queued packet and put it out... */
2419 m = ieee80211_node_psq_dequeue(ni, &qlen);
2421 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2422 "%s", "recv ps-poll, but queue empty");
2423 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2424 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2425 if (vap->iv_set_tim != NULL)
2426 vap->iv_set_tim(ni, 0); /* just in case */
2430 * If there are more packets, set the more packets bit
2431 * in the packet dispatched to the station; otherwise
2432 * turn off the TIM bit.
2435 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2436 "recv ps-poll, send packet, %u still queued", qlen);
2437 m->m_flags |= M_MORE_DATA;
2439 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2440 "%s", "recv ps-poll, send packet, queue empty");
2441 if (vap->iv_set_tim != NULL)
2442 vap->iv_set_tim(ni, 0);
2444 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2447 * Do the right thing; if it's an encap'ed frame then
2448 * call ieee80211_parent_xmitpkt() else
2449 * call ieee80211_vap_xmitpkt().
2451 if (m->m_flags & M_ENCAP) {
2452 (void) ieee80211_parent_xmitpkt(ic, m);
2454 (void) ieee80211_vap_xmitpkt(vap, m);