2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 HOSTAP mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #include <net80211/ieee80211_wds.h>
62 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
64 static void hostap_vattach(struct ieee80211vap *);
65 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
66 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
67 int rssi, int noise, uint32_t rstamp);
68 static void hostap_deliver_data(struct ieee80211vap *,
69 struct ieee80211_node *, struct mbuf *);
70 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
71 int subtype, int rssi, int noise, uint32_t rstamp);
72 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
75 ieee80211_hostap_attach(struct ieee80211com *ic)
77 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
81 ieee80211_hostap_detach(struct ieee80211com *ic)
86 hostap_vdetach(struct ieee80211vap *vap)
91 hostap_vattach(struct ieee80211vap *vap)
93 vap->iv_newstate = hostap_newstate;
94 vap->iv_input = hostap_input;
95 vap->iv_recv_mgmt = hostap_recv_mgmt;
96 vap->iv_opdetach = hostap_vdetach;
97 vap->iv_deliver_data = hostap_deliver_data;
101 sta_disassoc(void *arg, struct ieee80211_node *ni)
103 struct ieee80211vap *vap = arg;
105 if (ni->ni_vap == vap && ni->ni_associd != 0) {
106 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
107 IEEE80211_REASON_ASSOC_LEAVE);
108 ieee80211_node_leave(ni);
113 * IEEE80211_M_HOSTAP vap state machine handler.
116 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
118 struct ieee80211com *ic = vap->iv_ic;
119 enum ieee80211_state ostate;
121 IEEE80211_LOCK_ASSERT(ic);
123 ostate = vap->iv_state;
124 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
125 __func__, ieee80211_state_name[ostate],
126 ieee80211_state_name[nstate], arg);
127 vap->iv_state = nstate; /* state transition */
128 if (ostate != IEEE80211_S_SCAN)
129 ieee80211_cancel_scan(vap); /* background scan */
131 case IEEE80211_S_INIT:
133 case IEEE80211_S_SCAN:
134 ieee80211_cancel_scan(vap);
136 case IEEE80211_S_CAC:
137 ieee80211_dfs_cac_stop(vap);
139 case IEEE80211_S_RUN:
140 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
145 if (ostate != IEEE80211_S_INIT) {
146 /* NB: optimize INIT -> INIT case */
147 ieee80211_reset_bss(vap);
149 if (vap->iv_auth->ia_detach != NULL)
150 vap->iv_auth->ia_detach(vap);
152 case IEEE80211_S_SCAN:
154 case IEEE80211_S_CSA:
155 case IEEE80211_S_RUN:
156 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
158 * Clear overlapping BSS state; the beacon frame
159 * will be reconstructed on transition to the RUN
160 * state and the timeout routines check if the flag
161 * is set before doing anything so this is sufficient.
163 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
164 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR;
166 case IEEE80211_S_CAC:
168 * NB: We may get here because of a manual channel
169 * change in which case we need to stop CAC
170 * XXX no need to stop if ostate RUN but it's ok
172 ieee80211_dfs_cac_stop(vap);
174 case IEEE80211_S_INIT:
175 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
176 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
178 * Already have a channel; bypass the
179 * scan and startup immediately.
180 * ieee80211_create_ibss will call back to
181 * move us to RUN state.
183 ieee80211_create_ibss(vap, vap->iv_des_chan);
187 * Initiate a scan. We can come here as a result
188 * of an IEEE80211_IOC_SCAN_REQ too in which case
189 * the vap will be marked with IEEE80211_FEXT_SCANREQ
190 * and the scan request parameters will be present
191 * in iv_scanreq. Otherwise we do the default.
193 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
194 ieee80211_check_scan(vap,
195 vap->iv_scanreq_flags,
196 vap->iv_scanreq_duration,
197 vap->iv_scanreq_mindwell,
198 vap->iv_scanreq_maxdwell,
199 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
200 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
202 ieee80211_check_scan_current(vap);
204 case IEEE80211_S_SCAN:
206 * A state change requires a reset; scan.
208 ieee80211_check_scan_current(vap);
214 case IEEE80211_S_CAC:
216 * Start CAC on a DFS channel. We come here when starting
217 * a bss on a DFS channel (see ieee80211_create_ibss).
219 ieee80211_dfs_cac_start(vap);
221 case IEEE80211_S_RUN:
222 if (vap->iv_flags & IEEE80211_F_WPA) {
223 /* XXX validate prerequisites */
226 case IEEE80211_S_INIT:
228 * Already have a channel; bypass the
229 * scan and startup immediately.
230 * Note that ieee80211_create_ibss will call
231 * back to do a RUN->RUN state change.
233 ieee80211_create_ibss(vap,
234 ieee80211_ht_adjust_channel(ic,
235 ic->ic_curchan, vap->iv_flags_ext));
236 /* NB: iv_bss is changed on return */
238 case IEEE80211_S_CAC:
240 * NB: This is the normal state change when CAC
241 * expires and no radar was detected; no need to
242 * clear the CAC timer as it's already expired.
245 case IEEE80211_S_CSA:
247 * Update bss node channel to reflect where
248 * we landed after CSA.
250 ieee80211_node_set_chan(vap->iv_bss,
251 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
252 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
253 /* XXX bypass debug msgs */
255 case IEEE80211_S_SCAN:
256 case IEEE80211_S_RUN:
257 #ifdef IEEE80211_DEBUG
258 if (ieee80211_msg_debug(vap)) {
259 struct ieee80211_node *ni = vap->iv_bss;
261 "synchronized with %s ssid ",
262 ether_sprintf(ni->ni_bssid));
263 ieee80211_print_essid(ni->ni_essid,
266 printf(" channel %d start %uMb\n",
267 ieee80211_chan2ieee(ic, ic->ic_curchan),
268 IEEE80211_RATE2MBS(ni->ni_txrate));
276 * Start/stop the authenticator. We delay until here
277 * to allow configuration to happen out of order.
279 if (vap->iv_auth->ia_attach != NULL) {
280 /* XXX check failure */
281 vap->iv_auth->ia_attach(vap);
282 } else if (vap->iv_auth->ia_detach != NULL) {
283 vap->iv_auth->ia_detach(vap);
285 ieee80211_node_authorize(vap->iv_bss);
294 hostap_deliver_data(struct ieee80211vap *vap,
295 struct ieee80211_node *ni, struct mbuf *m)
297 struct ether_header *eh = mtod(m, struct ether_header *);
298 struct ifnet *ifp = vap->iv_ifp;
300 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
301 ("gack, opmode %d", vap->iv_opmode));
306 IEEE80211_NODE_STAT(ni, rx_data);
307 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
308 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
309 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
310 IEEE80211_NODE_STAT(ni, rx_mcast);
312 IEEE80211_NODE_STAT(ni, rx_ucast);
314 /* clear driver/net80211 flags before passing up */
315 m->m_flags &= ~M_80211_RX;
317 /* perform as a bridge within the AP */
318 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
319 struct mbuf *mcopy = NULL;
321 if (m->m_flags & M_MCAST) {
322 mcopy = m_dup(m, M_DONTWAIT);
326 mcopy->m_flags |= M_MCAST;
329 * Check if the destination is associated with the
330 * same vap and authorized to receive traffic.
331 * Beware of traffic destined for the vap itself;
332 * sending it will not work; just let it be delivered
335 struct ieee80211_node *sta = ieee80211_find_vap_node(
336 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
338 if (ieee80211_node_is_authorized(sta)) {
340 * Beware of sending to ourself; this
341 * needs to happen via the normal
344 if (sta != vap->iv_bss) {
349 vap->iv_stats.is_rx_unauth++;
350 IEEE80211_NODE_STAT(sta, rx_unauth);
352 ieee80211_free_node(sta);
357 len = mcopy->m_pkthdr.len;
358 err = (ifp->if_transmit)(ifp, mcopy);
360 /* NB: IFQ_HANDOFF reclaims mcopy */
368 * Mark frame as coming from vap's interface.
370 m->m_pkthdr.rcvif = ifp;
371 if (m->m_flags & M_MCAST) {
373 * Spam DWDS vap's w/ multicast traffic.
375 /* XXX only if dwds in use? */
376 ieee80211_dwds_mcast(vap, m);
378 if (ni->ni_vlan != 0) {
379 /* attach vlan tag */
380 m->m_pkthdr.ether_vtag = ni->ni_vlan;
381 m->m_flags |= M_VLANTAG;
383 ifp->if_input(ifp, m);
388 * Decide if a received management frame should be
389 * printed when debugging is enabled. This filters some
390 * of the less interesting frames that come frequently
394 doprint(struct ieee80211vap *vap, int subtype)
397 case IEEE80211_FC0_SUBTYPE_BEACON:
398 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
399 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
406 * Process a received frame. The node associated with the sender
407 * should be supplied. If nothing was found in the node table then
408 * the caller is assumed to supply a reference to iv_bss instead.
409 * The RSSI and a timestamp are also supplied. The RSSI data is used
410 * during AP scanning to select a AP to associate with; it can have
411 * any units so long as values have consistent units and higher values
412 * mean ``better signal''. The receive timestamp is currently not used
413 * by the 802.11 layer.
416 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
417 int rssi, int noise, uint32_t rstamp)
419 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
420 #define HAS_SEQ(type) ((type & 0x4) == 0)
421 struct ieee80211vap *vap = ni->ni_vap;
422 struct ieee80211com *ic = ni->ni_ic;
423 struct ifnet *ifp = vap->iv_ifp;
424 struct ieee80211_frame *wh;
425 struct ieee80211_key *key;
426 struct ether_header *eh;
427 int hdrspace, need_tap;
428 uint8_t dir, type, subtype, qos;
432 if (m->m_flags & M_AMPDU_MPDU) {
434 * Fastpath for A-MPDU reorder q resubmission. Frames
435 * w/ M_AMPDU_MPDU marked have already passed through
436 * here but were received out of order and been held on
437 * the reorder queue. When resubmitted they are marked
438 * with the M_AMPDU_MPDU flag and we can bypass most of
439 * the normal processing.
441 wh = mtod(m, struct ieee80211_frame *);
442 type = IEEE80211_FC0_TYPE_DATA;
443 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
444 subtype = IEEE80211_FC0_SUBTYPE_QOS;
445 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
449 KASSERT(ni != NULL, ("null node"));
450 ni->ni_inact = ni->ni_inact_reload;
452 need_tap = 1; /* mbuf need to be tapped. */
453 type = -1; /* undefined */
455 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
456 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
457 ni->ni_macaddr, NULL,
458 "too short (1): len %u", m->m_pkthdr.len);
459 vap->iv_stats.is_rx_tooshort++;
463 * Bit of a cheat here, we use a pointer for a 3-address
464 * frame format but don't reference fields past outside
465 * ieee80211_frame_min w/o first validating the data is
468 wh = mtod(m, struct ieee80211_frame *);
470 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
471 IEEE80211_FC0_VERSION_0) {
472 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
473 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
474 vap->iv_stats.is_rx_badversion++;
478 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
479 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
480 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
481 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
482 if (dir != IEEE80211_FC1_DIR_NODS)
484 else if (type == IEEE80211_FC0_TYPE_CTL)
487 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
488 IEEE80211_DISCARD_MAC(vap,
489 IEEE80211_MSG_ANY, ni->ni_macaddr,
490 NULL, "too short (2): len %u",
492 vap->iv_stats.is_rx_tooshort++;
498 * Validate the bssid.
500 if (!(type == IEEE80211_FC0_TYPE_MGT &&
501 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
502 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
503 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
504 /* not interested in */
505 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
506 bssid, NULL, "%s", "not to bss");
507 vap->iv_stats.is_rx_wrongbss++;
511 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
512 ni->ni_noise = noise;
513 ni->ni_rstamp = rstamp;
515 uint8_t tid = ieee80211_gettid(wh);
516 if (IEEE80211_QOS_HAS_SEQ(wh) &&
517 TID_TO_WME_AC(tid) >= WME_AC_VI)
518 ic->ic_wme.wme_hipri_traffic++;
519 rxseq = le16toh(*(uint16_t *)wh->i_seq);
520 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
521 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
522 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
523 /* duplicate, discard */
524 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
526 "seqno <%u,%u> fragno <%u,%u> tid %u",
527 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
528 ni->ni_rxseqs[tid] >>
529 IEEE80211_SEQ_SEQ_SHIFT,
530 rxseq & IEEE80211_SEQ_FRAG_MASK,
532 IEEE80211_SEQ_FRAG_MASK,
534 vap->iv_stats.is_rx_dup++;
535 IEEE80211_NODE_STAT(ni, rx_dup);
538 ni->ni_rxseqs[tid] = rxseq;
543 case IEEE80211_FC0_TYPE_DATA:
544 hdrspace = ieee80211_hdrspace(ic, wh);
545 if (m->m_len < hdrspace &&
546 (m = m_pullup(m, hdrspace)) == NULL) {
547 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
548 ni->ni_macaddr, NULL,
549 "data too short: expecting %u", hdrspace);
550 vap->iv_stats.is_rx_tooshort++;
553 if (!(dir == IEEE80211_FC1_DIR_TODS ||
554 (dir == IEEE80211_FC1_DIR_DSTODS &&
555 (vap->iv_flags & IEEE80211_F_DWDS)))) {
556 if (dir != IEEE80211_FC1_DIR_DSTODS) {
557 IEEE80211_DISCARD(vap,
558 IEEE80211_MSG_INPUT, wh, "data",
559 "incorrect dir 0x%x", dir);
561 IEEE80211_DISCARD(vap,
562 IEEE80211_MSG_INPUT |
563 IEEE80211_MSG_WDS, wh,
565 "%s", "DWDS not enabled");
567 vap->iv_stats.is_rx_wrongdir++;
570 /* check if source STA is associated */
571 if (ni == vap->iv_bss) {
572 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
573 wh, "data", "%s", "unknown src");
574 ieee80211_send_error(ni, wh->i_addr2,
575 IEEE80211_FC0_SUBTYPE_DEAUTH,
576 IEEE80211_REASON_NOT_AUTHED);
577 vap->iv_stats.is_rx_notassoc++;
580 if (ni->ni_associd == 0) {
581 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
582 wh, "data", "%s", "unassoc src");
583 IEEE80211_SEND_MGMT(ni,
584 IEEE80211_FC0_SUBTYPE_DISASSOC,
585 IEEE80211_REASON_NOT_ASSOCED);
586 vap->iv_stats.is_rx_notassoc++;
591 * Check for power save state change.
592 * XXX out-of-order A-MPDU frames?
594 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
595 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
596 ieee80211_node_pwrsave(ni,
597 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
599 * For 4-address packets handle WDS discovery
600 * notifications. Once a WDS link is setup frames
601 * are just delivered to the WDS vap (see below).
603 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
604 if (!ieee80211_node_is_authorized(ni)) {
605 IEEE80211_DISCARD(vap,
606 IEEE80211_MSG_INPUT |
607 IEEE80211_MSG_WDS, wh,
609 "%s", "unauthorized port");
610 vap->iv_stats.is_rx_unauth++;
611 IEEE80211_NODE_STAT(ni, rx_unauth);
614 ieee80211_dwds_discover(ni, m);
619 * Handle A-MPDU re-ordering. If the frame is to be
620 * processed directly then ieee80211_ampdu_reorder
621 * will return 0; otherwise it has consumed the mbuf
622 * and we should do nothing more with it.
624 if ((m->m_flags & M_AMPDU) &&
625 ieee80211_ampdu_reorder(ni, m) != 0) {
632 * Handle privacy requirements. Note that we
633 * must not be preempted from here until after
634 * we (potentially) call ieee80211_crypto_demic;
635 * otherwise we may violate assumptions in the
636 * crypto cipher modules used to do delayed update
637 * of replay sequence numbers.
639 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
640 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
642 * Discard encrypted frames when privacy is off.
644 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
645 wh, "WEP", "%s", "PRIVACY off");
646 vap->iv_stats.is_rx_noprivacy++;
647 IEEE80211_NODE_STAT(ni, rx_noprivacy);
650 key = ieee80211_crypto_decap(ni, m, hdrspace);
652 /* NB: stats+msgs handled in crypto_decap */
653 IEEE80211_NODE_STAT(ni, rx_wepfail);
656 wh = mtod(m, struct ieee80211_frame *);
657 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
659 /* XXX M_WEP and IEEE80211_F_PRIVACY */
664 * Save QoS bits for use below--before we strip the header.
666 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
667 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
668 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
669 ((struct ieee80211_qosframe *)wh)->i_qos[0];
674 * Next up, any fragmentation.
676 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
677 m = ieee80211_defrag(ni, m, hdrspace);
679 /* Fragment dropped or frame not complete yet */
683 wh = NULL; /* no longer valid, catch any uses */
686 * Next strip any MSDU crypto bits.
688 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
689 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
690 ni->ni_macaddr, "data", "%s", "demic error");
691 vap->iv_stats.is_rx_demicfail++;
692 IEEE80211_NODE_STAT(ni, rx_demicfail);
695 /* copy to listener after decrypt */
696 if (bpf_peers_present(vap->iv_rawbpf))
697 bpf_mtap(vap->iv_rawbpf, m);
700 * Finally, strip the 802.11 header.
702 m = ieee80211_decap(vap, m, hdrspace);
704 /* XXX mask bit to check for both */
705 /* don't count Null data frames as errors */
706 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
707 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
709 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
710 ni->ni_macaddr, "data", "%s", "decap error");
711 vap->iv_stats.is_rx_decap++;
712 IEEE80211_NODE_STAT(ni, rx_decap);
715 eh = mtod(m, struct ether_header *);
716 if (!ieee80211_node_is_authorized(ni)) {
718 * Deny any non-PAE frames received prior to
719 * authorization. For open/shared-key
720 * authentication the port is mark authorized
721 * after authentication completes. For 802.1x
722 * the port is not marked authorized by the
723 * authenticator until the handshake has completed.
725 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
726 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
727 eh->ether_shost, "data",
728 "unauthorized port: ether type 0x%x len %u",
729 eh->ether_type, m->m_pkthdr.len);
730 vap->iv_stats.is_rx_unauth++;
731 IEEE80211_NODE_STAT(ni, rx_unauth);
736 * When denying unencrypted frames, discard
737 * any non-PAE frames received without encryption.
739 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
740 (key == NULL && (m->m_flags & M_WEP) == 0) &&
741 eh->ether_type != htons(ETHERTYPE_PAE)) {
743 * Drop unencrypted frames.
745 vap->iv_stats.is_rx_unencrypted++;
746 IEEE80211_NODE_STAT(ni, rx_unencrypted);
750 /* XXX require HT? */
751 if (qos & IEEE80211_QOS_AMSDU) {
752 m = ieee80211_decap_amsdu(ni, m);
754 return IEEE80211_FC0_TYPE_DATA;
755 } else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) &&
756 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
757 m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
761 * Check for fast-frame tunnel encapsulation.
763 if (m->m_len < FF_LLC_SIZE &&
764 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
765 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
766 ni->ni_macaddr, "fast-frame",
767 "%s", "m_pullup(llc) failed");
768 vap->iv_stats.is_rx_tooshort++;
769 return IEEE80211_FC0_TYPE_DATA;
771 llc = (struct llc *)(mtod(m, uint8_t *) +
772 sizeof(struct ether_header));
773 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
774 m_adj(m, FF_LLC_SIZE);
775 m = ieee80211_decap_fastframe(ni, m);
777 return IEEE80211_FC0_TYPE_DATA;
781 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
782 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
784 hostap_deliver_data(vap, ni, m);
785 return IEEE80211_FC0_TYPE_DATA;
787 case IEEE80211_FC0_TYPE_MGT:
788 vap->iv_stats.is_rx_mgmt++;
789 IEEE80211_NODE_STAT(ni, rx_mgmt);
790 if (dir != IEEE80211_FC1_DIR_NODS) {
791 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
792 wh, "mgt", "incorrect dir 0x%x", dir);
793 vap->iv_stats.is_rx_wrongdir++;
796 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
797 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
798 ni->ni_macaddr, "mgt", "too short: len %u",
800 vap->iv_stats.is_rx_tooshort++;
803 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
804 /* ensure return frames are unicast */
805 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
806 wh, NULL, "source is multicast: %s",
807 ether_sprintf(wh->i_addr2));
808 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
811 #ifdef IEEE80211_DEBUG
812 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
813 ieee80211_msg_dumppkts(vap)) {
814 if_printf(ifp, "received %s from %s rssi %d\n",
815 ieee80211_mgt_subtype_name[subtype >>
816 IEEE80211_FC0_SUBTYPE_SHIFT],
817 ether_sprintf(wh->i_addr2), rssi);
820 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
821 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
823 * Only shared key auth frames with a challenge
824 * should be encrypted, discard all others.
826 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
828 "%s", "WEP set but not permitted");
829 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
832 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
834 * Discard encrypted frames when privacy is off.
836 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
837 wh, NULL, "%s", "WEP set but PRIVACY off");
838 vap->iv_stats.is_rx_noprivacy++;
841 hdrspace = ieee80211_hdrspace(ic, wh);
842 key = ieee80211_crypto_decap(ni, m, hdrspace);
844 /* NB: stats+msgs handled in crypto_decap */
847 wh = mtod(m, struct ieee80211_frame *);
848 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
850 if (bpf_peers_present(vap->iv_rawbpf))
851 bpf_mtap(vap->iv_rawbpf, m);
852 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
854 return IEEE80211_FC0_TYPE_MGT;
856 case IEEE80211_FC0_TYPE_CTL:
857 vap->iv_stats.is_rx_ctl++;
858 IEEE80211_NODE_STAT(ni, rx_ctrl);
860 case IEEE80211_FC0_SUBTYPE_PS_POLL:
861 hostap_recv_pspoll(ni, m);
863 case IEEE80211_FC0_SUBTYPE_BAR:
864 ieee80211_recv_bar(ni, m);
869 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
870 wh, "bad", "frame type 0x%x", type);
871 /* should not come here */
878 if (bpf_peers_present(vap->iv_rawbpf) && need_tap)
879 bpf_mtap(vap->iv_rawbpf, m);
887 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
888 int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
890 struct ieee80211vap *vap = ni->ni_vap;
892 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
894 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
895 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
896 ni->ni_macaddr, "open auth",
897 "bad sta auth mode %u", ni->ni_authmode);
898 vap->iv_stats.is_rx_bad_auth++; /* XXX */
900 * Clear any challenge text that may be there if
901 * a previous shared key auth failed and then an
902 * open auth is attempted.
904 if (ni->ni_challenge != NULL) {
905 free(ni->ni_challenge, M_80211_NODE);
906 ni->ni_challenge = NULL;
908 /* XXX hack to workaround calling convention */
909 ieee80211_send_error(ni, wh->i_addr2,
910 IEEE80211_FC0_SUBTYPE_AUTH,
911 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
914 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
915 vap->iv_stats.is_rx_bad_auth++;
918 /* always accept open authentication requests */
919 if (ni == vap->iv_bss) {
920 ni = ieee80211_dup_bss(vap, wh->i_addr2);
923 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
924 (void) ieee80211_ref_node(ni);
926 * Mark the node as referenced to reflect that it's
927 * reference count has been bumped to insure it remains
928 * after the transaction completes.
930 ni->ni_flags |= IEEE80211_NODE_AREF;
932 * Mark the node as requiring a valid association id
933 * before outbound traffic is permitted.
935 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
937 if (vap->iv_acl != NULL &&
938 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
940 * When the ACL policy is set to RADIUS we defer the
941 * authorization to a user agent. Dispatch an event,
942 * a subsequent MLME call will decide the fate of the
943 * station. If the user agent is not present then the
944 * node will be reclaimed due to inactivity.
946 IEEE80211_NOTE_MAC(vap,
947 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
948 "%s", "station authentication defered (radius acl)");
949 ieee80211_notify_node_auth(ni);
951 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
952 IEEE80211_NOTE_MAC(vap,
953 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
954 "%s", "station authenticated (open)");
956 * When 802.1x is not in use mark the port
957 * authorized at this point so traffic can flow.
959 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
960 ieee80211_node_authorize(ni);
965 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
966 uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp,
967 uint16_t seq, uint16_t status)
969 struct ieee80211vap *vap = ni->ni_vap;
971 int allocbs, estatus;
973 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
976 * NB: this can happen as we allow pre-shared key
977 * authentication to be enabled w/o wep being turned
978 * on so that configuration of these can be done
979 * in any order. It may be better to enforce the
980 * ordering in which case this check would just be
981 * for sanity/consistency.
983 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
984 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
985 ni->ni_macaddr, "shared key auth",
986 "%s", " PRIVACY is disabled");
987 estatus = IEEE80211_STATUS_ALG;
991 * Pre-shared key authentication is evil; accept
992 * it only if explicitly configured (it is supported
993 * mainly for compatibility with clients like Mac OS X).
995 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
996 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
997 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
998 ni->ni_macaddr, "shared key auth",
999 "bad sta auth mode %u", ni->ni_authmode);
1000 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1001 estatus = IEEE80211_STATUS_ALG;
1006 if (frm + 1 < efrm) {
1007 if ((frm[1] + 2) > (efrm - frm)) {
1008 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009 ni->ni_macaddr, "shared key auth",
1010 "ie %d/%d too long",
1011 frm[0], (frm[1] + 2) - (efrm - frm));
1012 vap->iv_stats.is_rx_bad_auth++;
1013 estatus = IEEE80211_STATUS_CHALLENGE;
1016 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1021 case IEEE80211_AUTH_SHARED_CHALLENGE:
1022 case IEEE80211_AUTH_SHARED_RESPONSE:
1023 if (challenge == NULL) {
1024 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1025 ni->ni_macaddr, "shared key auth",
1026 "%s", "no challenge");
1027 vap->iv_stats.is_rx_bad_auth++;
1028 estatus = IEEE80211_STATUS_CHALLENGE;
1031 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1033 ni->ni_macaddr, "shared key auth",
1034 "bad challenge len %d", challenge[1]);
1035 vap->iv_stats.is_rx_bad_auth++;
1036 estatus = IEEE80211_STATUS_CHALLENGE;
1043 case IEEE80211_AUTH_SHARED_REQUEST:
1044 if (ni == vap->iv_bss) {
1045 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1047 /* NB: no way to return an error */
1052 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1053 (void) ieee80211_ref_node(ni);
1057 * Mark the node as referenced to reflect that it's
1058 * reference count has been bumped to insure it remains
1059 * after the transaction completes.
1061 ni->ni_flags |= IEEE80211_NODE_AREF;
1063 * Mark the node as requiring a valid associatio id
1064 * before outbound traffic is permitted.
1066 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1067 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1068 ni->ni_noise = noise;
1069 ni->ni_rstamp = rstamp;
1070 if (!ieee80211_alloc_challenge(ni)) {
1071 /* NB: don't return error so they rexmit */
1074 get_random_bytes(ni->ni_challenge,
1075 IEEE80211_CHALLENGE_LEN);
1076 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1077 ni, "shared key %sauth request", allocbs ? "" : "re");
1079 * When the ACL policy is set to RADIUS we defer the
1080 * authorization to a user agent. Dispatch an event,
1081 * a subsequent MLME call will decide the fate of the
1082 * station. If the user agent is not present then the
1083 * node will be reclaimed due to inactivity.
1085 if (vap->iv_acl != NULL &&
1086 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1087 IEEE80211_NOTE_MAC(vap,
1088 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1090 "%s", "station authentication defered (radius acl)");
1091 ieee80211_notify_node_auth(ni);
1095 case IEEE80211_AUTH_SHARED_RESPONSE:
1096 if (ni == vap->iv_bss) {
1097 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1098 ni->ni_macaddr, "shared key response",
1099 "%s", "unknown station");
1100 /* NB: don't send a response */
1103 if (ni->ni_challenge == NULL) {
1104 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1105 ni->ni_macaddr, "shared key response",
1106 "%s", "no challenge recorded");
1107 vap->iv_stats.is_rx_bad_auth++;
1108 estatus = IEEE80211_STATUS_CHALLENGE;
1111 if (memcmp(ni->ni_challenge, &challenge[2],
1112 challenge[1]) != 0) {
1113 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1114 ni->ni_macaddr, "shared key response",
1115 "%s", "challenge mismatch");
1116 vap->iv_stats.is_rx_auth_fail++;
1117 estatus = IEEE80211_STATUS_CHALLENGE;
1120 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1121 ni, "%s", "station authenticated (shared key)");
1122 ieee80211_node_authorize(ni);
1125 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1126 ni->ni_macaddr, "shared key auth",
1128 vap->iv_stats.is_rx_bad_auth++;
1129 estatus = IEEE80211_STATUS_SEQUENCE;
1132 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1136 * Send an error response; but only when operating as an AP.
1138 /* XXX hack to workaround calling convention */
1139 ieee80211_send_error(ni, wh->i_addr2,
1140 IEEE80211_FC0_SUBTYPE_AUTH,
1141 (seq + 1) | (estatus<<16));
1145 * Convert a WPA cipher selector OUI to an internal
1146 * cipher algorithm. Where appropriate we also
1147 * record any key length.
1150 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1152 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1153 uint32_t w = LE_READ_4(sel);
1156 case WPA_SEL(WPA_CSE_NULL):
1157 return IEEE80211_CIPHER_NONE;
1158 case WPA_SEL(WPA_CSE_WEP40):
1160 *keylen = 40 / NBBY;
1161 return IEEE80211_CIPHER_WEP;
1162 case WPA_SEL(WPA_CSE_WEP104):
1164 *keylen = 104 / NBBY;
1165 return IEEE80211_CIPHER_WEP;
1166 case WPA_SEL(WPA_CSE_TKIP):
1167 return IEEE80211_CIPHER_TKIP;
1168 case WPA_SEL(WPA_CSE_CCMP):
1169 return IEEE80211_CIPHER_AES_CCM;
1171 return 32; /* NB: so 1<< is discarded */
1176 * Convert a WPA key management/authentication algorithm
1177 * to an internal code.
1180 wpa_keymgmt(const uint8_t *sel)
1182 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1183 uint32_t w = LE_READ_4(sel);
1186 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1187 return WPA_ASE_8021X_UNSPEC;
1188 case WPA_SEL(WPA_ASE_8021X_PSK):
1189 return WPA_ASE_8021X_PSK;
1190 case WPA_SEL(WPA_ASE_NONE):
1191 return WPA_ASE_NONE;
1193 return 0; /* NB: so is discarded */
1198 * Parse a WPA information element to collect parameters.
1199 * Note that we do not validate security parameters; that
1200 * is handled by the authenticator; the parsing done here
1201 * is just for internal use in making operational decisions.
1204 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1205 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1207 uint8_t len = frm[1];
1212 * Check the length once for fixed parts: OUI, type,
1213 * version, mcast cipher, and 2 selector counts.
1214 * Other, variable-length data, must be checked separately.
1216 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1217 IEEE80211_DISCARD_IE(vap,
1218 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1219 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1220 return IEEE80211_REASON_IE_INVALID;
1223 IEEE80211_DISCARD_IE(vap,
1224 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1225 wh, "WPA", "too short, len %u", len);
1226 return IEEE80211_REASON_IE_INVALID;
1228 frm += 6, len -= 4; /* NB: len is payload only */
1229 /* NB: iswapoui already validated the OUI and type */
1231 if (w != WPA_VERSION) {
1232 IEEE80211_DISCARD_IE(vap,
1233 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1234 wh, "WPA", "bad version %u", w);
1235 return IEEE80211_REASON_IE_INVALID;
1239 memset(rsn, 0, sizeof(*rsn));
1241 /* multicast/group cipher */
1242 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1245 /* unicast ciphers */
1249 IEEE80211_DISCARD_IE(vap,
1250 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1251 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1253 return IEEE80211_REASON_IE_INVALID;
1256 for (; n > 0; n--) {
1257 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1260 if (w & (1<<IEEE80211_CIPHER_TKIP))
1261 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1263 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1265 /* key management algorithms */
1269 IEEE80211_DISCARD_IE(vap,
1270 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1271 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1273 return IEEE80211_REASON_IE_INVALID;
1276 for (; n > 0; n--) {
1277 w |= wpa_keymgmt(frm);
1280 if (w & WPA_ASE_8021X_UNSPEC)
1281 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1283 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1285 if (len > 2) /* optional capabilities */
1286 rsn->rsn_caps = LE_READ_2(frm);
1292 * Convert an RSN cipher selector OUI to an internal
1293 * cipher algorithm. Where appropriate we also
1294 * record any key length.
1297 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1299 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1300 uint32_t w = LE_READ_4(sel);
1303 case RSN_SEL(RSN_CSE_NULL):
1304 return IEEE80211_CIPHER_NONE;
1305 case RSN_SEL(RSN_CSE_WEP40):
1307 *keylen = 40 / NBBY;
1308 return IEEE80211_CIPHER_WEP;
1309 case RSN_SEL(RSN_CSE_WEP104):
1311 *keylen = 104 / NBBY;
1312 return IEEE80211_CIPHER_WEP;
1313 case RSN_SEL(RSN_CSE_TKIP):
1314 return IEEE80211_CIPHER_TKIP;
1315 case RSN_SEL(RSN_CSE_CCMP):
1316 return IEEE80211_CIPHER_AES_CCM;
1317 case RSN_SEL(RSN_CSE_WRAP):
1318 return IEEE80211_CIPHER_AES_OCB;
1320 return 32; /* NB: so 1<< is discarded */
1325 * Convert an RSN key management/authentication algorithm
1326 * to an internal code.
1329 rsn_keymgmt(const uint8_t *sel)
1331 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1332 uint32_t w = LE_READ_4(sel);
1335 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1336 return RSN_ASE_8021X_UNSPEC;
1337 case RSN_SEL(RSN_ASE_8021X_PSK):
1338 return RSN_ASE_8021X_PSK;
1339 case RSN_SEL(RSN_ASE_NONE):
1340 return RSN_ASE_NONE;
1342 return 0; /* NB: so is discarded */
1347 * Parse a WPA/RSN information element to collect parameters
1348 * and validate the parameters against what has been
1349 * configured for the system.
1352 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1353 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1355 uint8_t len = frm[1];
1360 * Check the length once for fixed parts:
1361 * version, mcast cipher, and 2 selector counts.
1362 * Other, variable-length data, must be checked separately.
1364 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1365 IEEE80211_DISCARD_IE(vap,
1366 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1367 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1368 return IEEE80211_REASON_IE_INVALID;
1371 IEEE80211_DISCARD_IE(vap,
1372 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1373 wh, "RSN", "too short, len %u", len);
1374 return IEEE80211_REASON_IE_INVALID;
1378 if (w != RSN_VERSION) {
1379 IEEE80211_DISCARD_IE(vap,
1380 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1381 wh, "RSN", "bad version %u", w);
1382 return IEEE80211_REASON_IE_INVALID;
1386 memset(rsn, 0, sizeof(*rsn));
1388 /* multicast/group cipher */
1389 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1392 /* unicast ciphers */
1396 IEEE80211_DISCARD_IE(vap,
1397 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1398 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1400 return IEEE80211_REASON_IE_INVALID;
1403 for (; n > 0; n--) {
1404 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1407 if (w & (1<<IEEE80211_CIPHER_TKIP))
1408 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1410 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1412 /* key management algorithms */
1416 IEEE80211_DISCARD_IE(vap,
1417 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1418 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1420 return IEEE80211_REASON_IE_INVALID;
1423 for (; n > 0; n--) {
1424 w |= rsn_keymgmt(frm);
1427 if (w & RSN_ASE_8021X_UNSPEC)
1428 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1430 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1432 /* optional RSN capabilities */
1434 rsn->rsn_caps = LE_READ_2(frm);
1441 * WPA/802.11i assocation request processing.
1444 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1445 const struct ieee80211_frame *wh, const uint8_t *wpa,
1446 const uint8_t *rsn, uint16_t capinfo)
1448 struct ieee80211vap *vap = ni->ni_vap;
1452 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1453 if (wpa == NULL && rsn == NULL) {
1454 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1456 * W-Fi Protected Setup (WPS) permits
1457 * clients to associate and pass EAPOL frames
1458 * to establish initial credentials.
1460 ni->ni_flags |= IEEE80211_NODE_WPS;
1463 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1464 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1466 * Transitional Security Network. Permits clients
1467 * to associate and use WEP while WPA is configured.
1469 ni->ni_flags |= IEEE80211_NODE_TSN;
1472 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1473 wh, NULL, "%s", "no WPA/RSN IE in association request");
1474 vap->iv_stats.is_rx_assoc_badwpaie++;
1475 reason = IEEE80211_REASON_IE_INVALID;
1478 /* assert right association security credentials */
1479 badwparsn = 0; /* NB: to silence compiler */
1480 switch (vap->iv_flags & IEEE80211_F_WPA) {
1481 case IEEE80211_F_WPA1:
1482 badwparsn = (wpa == NULL);
1484 case IEEE80211_F_WPA2:
1485 badwparsn = (rsn == NULL);
1487 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1488 badwparsn = (wpa == NULL && rsn == NULL);
1492 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1494 "%s", "missing WPA/RSN IE in association request");
1495 vap->iv_stats.is_rx_assoc_badwpaie++;
1496 reason = IEEE80211_REASON_IE_INVALID;
1500 * Parse WPA/RSN information element.
1503 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1505 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1507 /* XXX distinguish WPA/RSN? */
1508 vap->iv_stats.is_rx_assoc_badwpaie++;
1511 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1512 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1513 wpa != NULL ? "WPA" : "RSN",
1514 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1515 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1516 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1520 ieee80211_node_deauth(ni, reason);
1524 /* XXX find a better place for definition */
1525 struct l2_update_frame {
1526 struct ether_header eh;
1534 * Deliver a TGf L2UF frame on behalf of a station.
1535 * This primes any bridge when the station is roaming
1536 * between ap's on the same wired network.
1539 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1541 struct ieee80211vap *vap = ni->ni_vap;
1542 struct ifnet *ifp = vap->iv_ifp;
1544 struct l2_update_frame *l2uf;
1545 struct ether_header *eh;
1547 m = m_gethdr(M_NOWAIT, MT_DATA);
1549 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1550 "%s", "no mbuf for l2uf frame");
1551 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1554 l2uf = mtod(m, struct l2_update_frame *);
1556 /* dst: Broadcast address */
1557 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1558 /* src: associated STA */
1559 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1560 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1564 l2uf->control = 0xf5;
1565 l2uf->xid[0] = 0x81;
1566 l2uf->xid[1] = 0x80;
1567 l2uf->xid[2] = 0x00;
1569 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1570 hostap_deliver_data(vap, ni, m);
1574 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1575 int reassoc, int resp, const char *tag, int rate)
1577 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1578 "deny %s request, %s rate set mismatch, rate/MCS %d",
1579 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1580 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1581 ieee80211_node_leave(ni);
1585 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1586 int reassoc, int resp, const char *tag, int capinfo)
1588 struct ieee80211vap *vap = ni->ni_vap;
1590 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1591 "deny %s request, %s mismatch 0x%x",
1592 reassoc ? "reassoc" : "assoc", tag, capinfo);
1593 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1594 ieee80211_node_leave(ni);
1595 vap->iv_stats.is_rx_assoc_capmismatch++;
1599 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1600 int reassoc, int resp)
1602 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1603 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1604 /* XXX no better code */
1605 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER);
1606 ieee80211_node_leave(ni);
1610 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1611 int algo, int seq, int status)
1613 struct ieee80211vap *vap = ni->ni_vap;
1615 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1616 wh, NULL, "unsupported alg %d", algo);
1617 vap->iv_stats.is_rx_auth_unsupported++;
1618 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1619 seq | (status << 16));
1623 ishtmixed(const uint8_t *ie)
1625 const struct ieee80211_ie_htinfo *ht =
1626 (const struct ieee80211_ie_htinfo *) ie;
1627 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1628 IEEE80211_HTINFO_OPMODE_MIXED;
1632 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1634 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1637 /* NB: the 11b clients we care about will not have xrates */
1638 if (xrates != NULL || rates == NULL)
1640 for (i = 0; i < rates[1]; i++) {
1641 int r = rates[2+i] & IEEE80211_RATE_VAL;
1642 if (r > 2*11 || ((1<<r) & brates) == 0)
1649 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1650 int subtype, int rssi, int noise, uint32_t rstamp)
1652 struct ieee80211vap *vap = ni->ni_vap;
1653 struct ieee80211com *ic = ni->ni_ic;
1654 struct ieee80211_frame *wh;
1655 uint8_t *frm, *efrm, *sfrm;
1656 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1660 wh = mtod(m0, struct ieee80211_frame *);
1661 frm = (uint8_t *)&wh[1];
1662 efrm = mtod(m0, uint8_t *) + m0->m_len;
1664 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1665 case IEEE80211_FC0_SUBTYPE_BEACON: {
1666 struct ieee80211_scanparams scan;
1668 * We process beacon/probe response frames when scanning;
1669 * otherwise we check beacon frames for overlapping non-ERP
1670 * BSS in 11g and/or overlapping legacy BSS when in HT.
1672 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1673 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1674 vap->iv_stats.is_rx_mgtdiscard++;
1677 /* NB: accept off-channel frames */
1678 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1681 * Count frame now that we know it's to be processed.
1683 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1684 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1685 IEEE80211_NODE_STAT(ni, rx_beacons);
1687 IEEE80211_NODE_STAT(ni, rx_proberesp);
1689 * If scanning, just pass information to the scan module.
1691 if (ic->ic_flags & IEEE80211_F_SCAN) {
1692 if (scan.status == 0 && /* NB: on channel */
1693 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1695 * Actively scanning a channel marked passive;
1696 * send a probe request now that we know there
1697 * is 802.11 traffic present.
1699 * XXX check if the beacon we recv'd gives
1700 * us what we need and suppress the probe req
1702 ieee80211_probe_curchan(vap, 1);
1703 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1705 ieee80211_add_scan(vap, &scan, wh,
1706 subtype, rssi, noise, rstamp);
1710 * Check beacon for overlapping bss w/ non ERP stations.
1711 * If we detect one and protection is configured but not
1712 * enabled, enable it and start a timer that'll bring us
1713 * out if we stop seeing the bss.
1715 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1716 scan.status == 0 && /* NB: on-channel */
1717 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1718 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1719 ic->ic_lastnonerp = ticks;
1720 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1721 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1722 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1723 IEEE80211_NOTE_FRAME(vap,
1724 IEEE80211_MSG_ASSOC, wh,
1725 "non-ERP present on channel %d "
1726 "(saw erp 0x%x from channel %d), "
1727 "enable use of protection",
1728 ic->ic_curchan->ic_ieee,
1729 scan.erp, scan.chan);
1730 ic->ic_flags |= IEEE80211_F_USEPROT;
1731 ieee80211_notify_erp(ic);
1735 * Check beacon for non-HT station on HT channel
1736 * and update HT BSS occupancy as appropriate.
1738 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1739 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1741 * Off control channel; only check frames
1742 * that come in the extension channel when
1743 * operating w/ HT40.
1745 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1747 if (scan.chan != ic->ic_curchan->ic_extieee)
1750 if (scan.htinfo == NULL) {
1751 ieee80211_htprot_update(ic,
1752 IEEE80211_HTINFO_OPMODE_PROTOPT |
1753 IEEE80211_HTINFO_NONHT_PRESENT);
1754 } else if (ishtmixed(scan.htinfo)) {
1755 /* XXX? take NONHT_PRESENT from beacon? */
1756 ieee80211_htprot_update(ic,
1757 IEEE80211_HTINFO_OPMODE_MIXED |
1758 IEEE80211_HTINFO_NONHT_PRESENT);
1764 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1765 if (vap->iv_state != IEEE80211_S_RUN) {
1766 vap->iv_stats.is_rx_mgtdiscard++;
1770 * prreq frame format
1772 * [tlv] supported rates
1773 * [tlv] extended supported rates
1775 ssid = rates = xrates = NULL;
1777 while (efrm - frm > 1) {
1778 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1780 case IEEE80211_ELEMID_SSID:
1783 case IEEE80211_ELEMID_RATES:
1786 case IEEE80211_ELEMID_XRATES:
1792 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1794 IEEE80211_VERIFY_ELEMENT(xrates,
1795 IEEE80211_RATE_MAXSIZE - rates[1], return);
1796 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1797 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1798 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1799 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1801 "%s", "no ssid with ssid suppression enabled");
1802 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1806 /* XXX find a better class or define it's own */
1807 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1808 "%s", "recv probe req");
1810 * Some legacy 11b clients cannot hack a complete
1811 * probe response frame. When the request includes
1812 * only a bare-bones rate set, communicate this to
1813 * the transmit side.
1815 ieee80211_send_proberesp(vap, wh->i_addr2,
1816 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1819 case IEEE80211_FC0_SUBTYPE_AUTH: {
1820 uint16_t algo, seq, status;
1822 if (vap->iv_state != IEEE80211_S_RUN) {
1823 vap->iv_stats.is_rx_mgtdiscard++;
1826 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1827 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1828 wh, NULL, "%s", "wrong bssid");
1829 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1839 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1840 algo = le16toh(*(uint16_t *)frm);
1841 seq = le16toh(*(uint16_t *)(frm + 2));
1842 status = le16toh(*(uint16_t *)(frm + 4));
1843 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1844 "recv auth frame with algorithm %d seq %d", algo, seq);
1846 * Consult the ACL policy module if setup.
1848 if (vap->iv_acl != NULL &&
1849 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1850 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1851 wh, NULL, "%s", "disallowed by ACL");
1852 vap->iv_stats.is_rx_acl++;
1853 ieee80211_send_error(ni, wh->i_addr2,
1854 IEEE80211_FC0_SUBTYPE_AUTH,
1855 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1858 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1859 IEEE80211_DISCARD(vap,
1860 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1861 wh, NULL, "%s", "TKIP countermeasures enabled");
1862 vap->iv_stats.is_rx_auth_countermeasures++;
1863 ieee80211_send_error(ni, wh->i_addr2,
1864 IEEE80211_FC0_SUBTYPE_AUTH,
1865 IEEE80211_REASON_MIC_FAILURE);
1868 if (algo == IEEE80211_AUTH_ALG_SHARED)
1869 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi,
1870 noise, rstamp, seq, status);
1871 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1872 hostap_auth_open(ni, wh, rssi, noise, rstamp,
1874 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1875 authalgreject(ni, wh, algo,
1876 seq+1, IEEE80211_STATUS_ALG);
1880 * We assume that an unknown algorithm is the result
1881 * of a decryption failure on a shared key auth frame;
1882 * return a status code appropriate for that instead
1883 * of IEEE80211_STATUS_ALG.
1885 * NB: a seq# of 4 is intentional; the decrypted
1886 * frame likely has a bogus seq value.
1888 authalgreject(ni, wh, algo,
1889 4, IEEE80211_STATUS_CHALLENGE);
1895 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1896 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1897 uint16_t capinfo, lintval;
1898 struct ieee80211_rsnparms rsnparms;
1900 if (vap->iv_state != IEEE80211_S_RUN) {
1901 vap->iv_stats.is_rx_mgtdiscard++;
1904 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1905 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1906 wh, NULL, "%s", "wrong bssid");
1907 vap->iv_stats.is_rx_assoc_bss++;
1910 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1912 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1915 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1917 if (ni == vap->iv_bss) {
1918 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1919 "deny %s request, sta not authenticated",
1920 reassoc ? "reassoc" : "assoc");
1921 ieee80211_send_error(ni, wh->i_addr2,
1922 IEEE80211_FC0_SUBTYPE_DEAUTH,
1923 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1924 vap->iv_stats.is_rx_assoc_notauth++;
1929 * asreq frame format
1930 * [2] capability information
1931 * [2] listen interval
1932 * [6*] current AP address (reassoc only)
1934 * [tlv] supported rates
1935 * [tlv] extended supported rates
1937 * [tlv] HT capabilities
1938 * [tlv] Atheros capabilities
1940 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1941 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1942 lintval = le16toh(*(uint16_t *)frm); frm += 2;
1944 frm += 6; /* ignore current AP info */
1945 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1947 while (efrm - frm > 1) {
1948 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1950 case IEEE80211_ELEMID_SSID:
1953 case IEEE80211_ELEMID_RATES:
1956 case IEEE80211_ELEMID_XRATES:
1959 case IEEE80211_ELEMID_RSN:
1962 case IEEE80211_ELEMID_HTCAP:
1965 case IEEE80211_ELEMID_VENDOR:
1968 else if (iswmeinfo(frm))
1970 else if (isatherosoui(frm))
1972 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1973 if (ishtcapoui(frm) && htcap == NULL)
1980 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1982 IEEE80211_VERIFY_ELEMENT(xrates,
1983 IEEE80211_RATE_MAXSIZE - rates[1], return);
1984 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1985 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1986 if (htcap != NULL) {
1987 IEEE80211_VERIFY_LENGTH(htcap[1],
1988 htcap[0] == IEEE80211_ELEMID_VENDOR ?
1989 4 + sizeof(struct ieee80211_ie_htcap)-2 :
1990 sizeof(struct ieee80211_ie_htcap)-2,
1991 return); /* XXX just NULL out? */
1994 if ((vap->iv_flags & IEEE80211_F_WPA) &&
1995 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
1997 /* discard challenge after association */
1998 if (ni->ni_challenge != NULL) {
1999 free(ni->ni_challenge, M_80211_NODE);
2000 ni->ni_challenge = NULL;
2002 /* NB: 802.11 spec says to ignore station's privacy bit */
2003 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2004 capinfomismatch(ni, wh, reassoc, resp,
2005 "capability", capinfo);
2009 * Disallow re-associate w/ invalid slot time setting.
2011 if (ni->ni_associd != 0 &&
2012 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2013 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2014 capinfomismatch(ni, wh, reassoc, resp,
2015 "slot time", capinfo);
2018 rate = ieee80211_setup_rates(ni, rates, xrates,
2019 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2020 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2021 if (rate & IEEE80211_RATE_BASIC) {
2022 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2023 vap->iv_stats.is_rx_assoc_norate++;
2027 * If constrained to 11g-only stations reject an
2028 * 11b-only station. We cheat a bit here by looking
2029 * at the max negotiated xmit rate and assuming anyone
2030 * with a best rate <24Mb/s is an 11b station.
2032 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2033 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2034 vap->iv_stats.is_rx_assoc_norate++;
2038 * Do HT rate set handling and setup HT node state.
2040 ni->ni_chan = vap->iv_bss->ni_chan;
2041 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2042 rate = ieee80211_setup_htrates(ni, htcap,
2043 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2045 if (rate & IEEE80211_RATE_BASIC) {
2046 ratesetmismatch(ni, wh, reassoc, resp,
2048 vap->iv_stats.is_ht_assoc_norate++;
2051 ieee80211_ht_node_init(ni);
2052 ieee80211_ht_updatehtcap(ni, htcap);
2053 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2054 ieee80211_ht_node_cleanup(ni);
2056 * Allow AMPDU operation only with unencrypted traffic
2057 * or AES-CCM; the 11n spec only specifies these ciphers
2058 * so permitting any others is undefined and can lead
2059 * to interoperability problems.
2061 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2062 (((vap->iv_flags & IEEE80211_F_WPA) &&
2063 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2064 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2066 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2067 "disallow HT use because WEP or TKIP requested, "
2068 "capinfo 0x%x ucastcipher %d", capinfo,
2069 rsnparms.rsn_ucastcipher);
2070 ieee80211_ht_node_cleanup(ni);
2071 vap->iv_stats.is_ht_assoc_downgrade++;
2074 * If constrained to 11n-only stations reject legacy stations.
2076 if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) &&
2077 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2078 htcapmismatch(ni, wh, reassoc, resp);
2079 vap->iv_stats.is_ht_assoc_nohtcap++;
2082 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2083 ni->ni_noise = noise;
2084 ni->ni_rstamp = rstamp;
2085 ni->ni_intval = lintval;
2086 ni->ni_capinfo = capinfo;
2087 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2088 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2091 * XXX maybe better to just expand
2093 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2094 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2096 setie(wpa_ie, wpa - sfrm);
2098 setie(rsn_ie, rsn - sfrm);
2100 setie(htcap_ie, htcap - sfrm);
2102 setie(wme_ie, wme - sfrm);
2104 * Mark node as capable of QoS.
2106 ni->ni_flags |= IEEE80211_NODE_QOS;
2108 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2110 setie(ath_ie, ath - sfrm);
2112 * Parse ATH station parameters.
2114 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2116 ni->ni_ath_flags = 0;
2119 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2120 ni->ni_ath_flags = 0;
2122 ieee80211_node_join(ni, resp);
2123 ieee80211_deliver_l2uf(ni);
2127 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2128 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2131 if (vap->iv_state != IEEE80211_S_RUN ||
2132 /* NB: can happen when in promiscuous mode */
2133 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2134 vap->iv_stats.is_rx_mgtdiscard++;
2138 * deauth/disassoc frame format
2141 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2142 reason = le16toh(*(uint16_t *)frm);
2143 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2144 vap->iv_stats.is_rx_deauth++;
2145 IEEE80211_NODE_STAT(ni, rx_deauth);
2147 vap->iv_stats.is_rx_disassoc++;
2148 IEEE80211_NODE_STAT(ni, rx_disassoc);
2150 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2151 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2152 IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2153 if (ni != vap->iv_bss)
2154 ieee80211_node_leave(ni);
2158 case IEEE80211_FC0_SUBTYPE_ACTION:
2159 if (vap->iv_state == IEEE80211_S_RUN) {
2160 if (ieee80211_parse_action(ni, m0) == 0)
2161 ic->ic_recv_action(ni, frm, efrm);
2163 vap->iv_stats.is_rx_mgtdiscard++;
2166 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2167 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2169 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2170 wh, "mgt", "subtype 0x%x not handled", subtype);
2171 vap->iv_stats.is_rx_badsubtype++;
2177 * Process a received ps-poll frame.
2180 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2182 struct ieee80211vap *vap = ni->ni_vap;
2183 struct ieee80211_frame_min *wh;
2189 wh = mtod(m0, struct ieee80211_frame_min *);
2190 if (ni->ni_associd == 0) {
2191 IEEE80211_DISCARD(vap,
2192 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2193 (struct ieee80211_frame *) wh, NULL,
2194 "%s", "unassociated station");
2195 vap->iv_stats.is_ps_unassoc++;
2196 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2197 IEEE80211_REASON_NOT_ASSOCED);
2201 aid = le16toh(*(uint16_t *)wh->i_dur);
2202 if (aid != ni->ni_associd) {
2203 IEEE80211_DISCARD(vap,
2204 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2205 (struct ieee80211_frame *) wh, NULL,
2206 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2207 ni->ni_associd, aid);
2208 vap->iv_stats.is_ps_badaid++;
2210 * NB: We used to deauth the station but it turns out
2211 * the Blackberry Curve 8230 (and perhaps other devices)
2212 * sometimes send the wrong AID when WME is negotiated.
2213 * Being more lenient here seems ok as we already check
2214 * the station is associated and we only return frames
2215 * queued for the station (i.e. we don't use the AID).
2220 /* Okay, take the first queued packet and put it out... */
2221 m = ieee80211_node_psq_dequeue(ni, &qlen);
2223 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2224 "%s", "recv ps-poll, but queue empty");
2225 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2226 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2227 if (vap->iv_set_tim != NULL)
2228 vap->iv_set_tim(ni, 0); /* just in case */
2232 * If there are more packets, set the more packets bit
2233 * in the packet dispatched to the station; otherwise
2234 * turn off the TIM bit.
2237 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2238 "recv ps-poll, send packet, %u still queued", qlen);
2239 m->m_flags |= M_MORE_DATA;
2241 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2242 "%s", "recv ps-poll, send packet, queue empty");
2243 if (vap->iv_set_tim != NULL)
2244 vap->iv_set_tim(ni, 0);
2246 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2248 if (m->m_flags & M_ENCAP)
2249 ifp = vap->iv_ic->ic_ifp;
2252 IF_ENQUEUE(&ifp->if_snd, m);