2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 HOSTAP mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
63 #include <net80211/ieee80211_wds.h>
65 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
67 static void hostap_vattach(struct ieee80211vap *);
68 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
69 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
70 int rssi, int noise, uint32_t rstamp);
71 static void hostap_deliver_data(struct ieee80211vap *,
72 struct ieee80211_node *, struct mbuf *);
73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
74 int subtype, int rssi, int noise, uint32_t rstamp);
75 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
78 ieee80211_hostap_attach(struct ieee80211com *ic)
80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
84 ieee80211_hostap_detach(struct ieee80211com *ic)
89 hostap_vdetach(struct ieee80211vap *vap)
94 hostap_vattach(struct ieee80211vap *vap)
96 vap->iv_newstate = hostap_newstate;
97 vap->iv_input = hostap_input;
98 vap->iv_recv_mgmt = hostap_recv_mgmt;
99 vap->iv_opdetach = hostap_vdetach;
100 vap->iv_deliver_data = hostap_deliver_data;
104 sta_disassoc(void *arg, struct ieee80211_node *ni)
106 struct ieee80211vap *vap = arg;
108 if (ni->ni_vap == vap && ni->ni_associd != 0) {
109 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
110 IEEE80211_REASON_ASSOC_LEAVE);
111 ieee80211_node_leave(ni);
116 * IEEE80211_M_HOSTAP vap state machine handler.
119 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
121 struct ieee80211com *ic = vap->iv_ic;
122 enum ieee80211_state ostate;
124 IEEE80211_LOCK_ASSERT(ic);
126 ostate = vap->iv_state;
127 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
128 __func__, ieee80211_state_name[ostate],
129 ieee80211_state_name[nstate], arg);
130 vap->iv_state = nstate; /* state transition */
131 if (ostate != IEEE80211_S_SCAN)
132 ieee80211_cancel_scan(vap); /* background scan */
134 case IEEE80211_S_INIT:
136 case IEEE80211_S_SCAN:
137 ieee80211_cancel_scan(vap);
139 case IEEE80211_S_CAC:
140 ieee80211_dfs_cac_stop(vap);
142 case IEEE80211_S_RUN:
143 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
148 if (ostate != IEEE80211_S_INIT) {
149 /* NB: optimize INIT -> INIT case */
150 ieee80211_reset_bss(vap);
152 if (vap->iv_auth->ia_detach != NULL)
153 vap->iv_auth->ia_detach(vap);
155 case IEEE80211_S_SCAN:
157 case IEEE80211_S_CSA:
158 case IEEE80211_S_RUN:
159 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
161 * Clear overlapping BSS state; the beacon frame
162 * will be reconstructed on transition to the RUN
163 * state and the timeout routines check if the flag
164 * is set before doing anything so this is sufficient.
166 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
167 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR;
169 case IEEE80211_S_CAC:
171 * NB: We may get here because of a manual channel
172 * change in which case we need to stop CAC
173 * XXX no need to stop if ostate RUN but it's ok
175 ieee80211_dfs_cac_stop(vap);
177 case IEEE80211_S_INIT:
178 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
179 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
181 * Already have a channel; bypass the
182 * scan and startup immediately.
183 * ieee80211_create_ibss will call back to
184 * move us to RUN state.
186 ieee80211_create_ibss(vap, vap->iv_des_chan);
190 * Initiate a scan. We can come here as a result
191 * of an IEEE80211_IOC_SCAN_REQ too in which case
192 * the vap will be marked with IEEE80211_FEXT_SCANREQ
193 * and the scan request parameters will be present
194 * in iv_scanreq. Otherwise we do the default.
196 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
197 ieee80211_check_scan(vap,
198 vap->iv_scanreq_flags,
199 vap->iv_scanreq_duration,
200 vap->iv_scanreq_mindwell,
201 vap->iv_scanreq_maxdwell,
202 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
203 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
205 ieee80211_check_scan_current(vap);
207 case IEEE80211_S_SCAN:
209 * A state change requires a reset; scan.
211 ieee80211_check_scan_current(vap);
217 case IEEE80211_S_CAC:
219 * Start CAC on a DFS channel. We come here when starting
220 * a bss on a DFS channel (see ieee80211_create_ibss).
222 ieee80211_dfs_cac_start(vap);
224 case IEEE80211_S_RUN:
225 if (vap->iv_flags & IEEE80211_F_WPA) {
226 /* XXX validate prerequisites */
229 case IEEE80211_S_INIT:
231 * Already have a channel; bypass the
232 * scan and startup immediately.
233 * Note that ieee80211_create_ibss will call
234 * back to do a RUN->RUN state change.
236 ieee80211_create_ibss(vap,
237 ieee80211_ht_adjust_channel(ic,
238 ic->ic_curchan, vap->iv_flags_ext));
239 /* NB: iv_bss is changed on return */
241 case IEEE80211_S_CAC:
243 * NB: This is the normal state change when CAC
244 * expires and no radar was detected; no need to
245 * clear the CAC timer as it's already expired.
248 case IEEE80211_S_CSA:
250 * Update bss node channel to reflect where
251 * we landed after CSA.
253 ieee80211_node_set_chan(vap->iv_bss,
254 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
255 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
256 /* XXX bypass debug msgs */
258 case IEEE80211_S_SCAN:
259 case IEEE80211_S_RUN:
260 #ifdef IEEE80211_DEBUG
261 if (ieee80211_msg_debug(vap)) {
262 struct ieee80211_node *ni = vap->iv_bss;
264 "synchronized with %s ssid ",
265 ether_sprintf(ni->ni_bssid));
266 ieee80211_print_essid(ni->ni_essid,
269 printf(" channel %d start %uMb\n",
270 ieee80211_chan2ieee(ic, ic->ic_curchan),
271 IEEE80211_RATE2MBS(ni->ni_txrate));
279 * Start/stop the authenticator. We delay until here
280 * to allow configuration to happen out of order.
282 if (vap->iv_auth->ia_attach != NULL) {
283 /* XXX check failure */
284 vap->iv_auth->ia_attach(vap);
285 } else if (vap->iv_auth->ia_detach != NULL) {
286 vap->iv_auth->ia_detach(vap);
288 ieee80211_node_authorize(vap->iv_bss);
297 hostap_deliver_data(struct ieee80211vap *vap,
298 struct ieee80211_node *ni, struct mbuf *m)
300 struct ether_header *eh = mtod(m, struct ether_header *);
301 struct ifnet *ifp = vap->iv_ifp;
303 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
304 ("gack, opmode %d", vap->iv_opmode));
309 IEEE80211_NODE_STAT(ni, rx_data);
310 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
311 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
312 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
313 IEEE80211_NODE_STAT(ni, rx_mcast);
315 IEEE80211_NODE_STAT(ni, rx_ucast);
317 /* clear driver/net80211 flags before passing up */
318 m->m_flags &= ~M_80211_RX;
320 /* perform as a bridge within the AP */
321 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
322 struct mbuf *mcopy = NULL;
324 if (m->m_flags & M_MCAST) {
325 mcopy = m_dup(m, M_DONTWAIT);
329 mcopy->m_flags |= M_MCAST;
332 * Check if the destination is associated with the
333 * same vap and authorized to receive traffic.
334 * Beware of traffic destined for the vap itself;
335 * sending it will not work; just let it be delivered
338 struct ieee80211_node *sta = ieee80211_find_vap_node(
339 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
341 if (ieee80211_node_is_authorized(sta)) {
343 * Beware of sending to ourself; this
344 * needs to happen via the normal
347 if (sta != vap->iv_bss) {
352 vap->iv_stats.is_rx_unauth++;
353 IEEE80211_NODE_STAT(sta, rx_unauth);
355 ieee80211_free_node(sta);
360 len = mcopy->m_pkthdr.len;
361 err = ifp->if_transmit(ifp, mcopy);
363 /* NB: IFQ_HANDOFF reclaims mcopy */
371 * Mark frame as coming from vap's interface.
373 m->m_pkthdr.rcvif = ifp;
374 if (m->m_flags & M_MCAST) {
376 * Spam DWDS vap's w/ multicast traffic.
378 /* XXX only if dwds in use? */
379 ieee80211_dwds_mcast(vap, m);
381 if (ni->ni_vlan != 0) {
382 /* attach vlan tag */
383 m->m_pkthdr.ether_vtag = ni->ni_vlan;
384 m->m_flags |= M_VLANTAG;
386 ifp->if_input(ifp, m);
391 * Decide if a received management frame should be
392 * printed when debugging is enabled. This filters some
393 * of the less interesting frames that come frequently
397 doprint(struct ieee80211vap *vap, int subtype)
400 case IEEE80211_FC0_SUBTYPE_BEACON:
401 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
402 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
409 * Process a received frame. The node associated with the sender
410 * should be supplied. If nothing was found in the node table then
411 * the caller is assumed to supply a reference to iv_bss instead.
412 * The RSSI and a timestamp are also supplied. The RSSI data is used
413 * during AP scanning to select a AP to associate with; it can have
414 * any units so long as values have consistent units and higher values
415 * mean ``better signal''. The receive timestamp is currently not used
416 * by the 802.11 layer.
419 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
420 int rssi, int noise, uint32_t rstamp)
422 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
423 #define HAS_SEQ(type) ((type & 0x4) == 0)
424 struct ieee80211vap *vap = ni->ni_vap;
425 struct ieee80211com *ic = ni->ni_ic;
426 struct ifnet *ifp = vap->iv_ifp;
427 struct ieee80211_frame *wh;
428 struct ieee80211_key *key;
429 struct ether_header *eh;
430 int hdrspace, need_tap;
431 uint8_t dir, type, subtype, qos;
435 if (m->m_flags & M_AMPDU_MPDU) {
437 * Fastpath for A-MPDU reorder q resubmission. Frames
438 * w/ M_AMPDU_MPDU marked have already passed through
439 * here but were received out of order and been held on
440 * the reorder queue. When resubmitted they are marked
441 * with the M_AMPDU_MPDU flag and we can bypass most of
442 * the normal processing.
444 wh = mtod(m, struct ieee80211_frame *);
445 type = IEEE80211_FC0_TYPE_DATA;
446 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
447 subtype = IEEE80211_FC0_SUBTYPE_QOS;
448 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
452 KASSERT(ni != NULL, ("null node"));
453 ni->ni_inact = ni->ni_inact_reload;
455 need_tap = 1; /* mbuf need to be tapped. */
456 type = -1; /* undefined */
458 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
459 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
460 ni->ni_macaddr, NULL,
461 "too short (1): len %u", m->m_pkthdr.len);
462 vap->iv_stats.is_rx_tooshort++;
466 * Bit of a cheat here, we use a pointer for a 3-address
467 * frame format but don't reference fields past outside
468 * ieee80211_frame_min w/o first validating the data is
471 wh = mtod(m, struct ieee80211_frame *);
473 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
474 IEEE80211_FC0_VERSION_0) {
475 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
476 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
477 vap->iv_stats.is_rx_badversion++;
481 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
482 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
483 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
484 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
485 if (dir != IEEE80211_FC1_DIR_NODS)
487 else if (type == IEEE80211_FC0_TYPE_CTL)
490 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
491 IEEE80211_DISCARD_MAC(vap,
492 IEEE80211_MSG_ANY, ni->ni_macaddr,
493 NULL, "too short (2): len %u",
495 vap->iv_stats.is_rx_tooshort++;
501 * Validate the bssid.
503 if (!(type == IEEE80211_FC0_TYPE_MGT &&
504 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
505 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
506 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
507 /* not interested in */
508 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
509 bssid, NULL, "%s", "not to bss");
510 vap->iv_stats.is_rx_wrongbss++;
514 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
515 ni->ni_noise = noise;
516 ni->ni_rstamp = rstamp;
518 uint8_t tid = ieee80211_gettid(wh);
519 if (IEEE80211_QOS_HAS_SEQ(wh) &&
520 TID_TO_WME_AC(tid) >= WME_AC_VI)
521 ic->ic_wme.wme_hipri_traffic++;
522 rxseq = le16toh(*(uint16_t *)wh->i_seq);
523 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
524 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
525 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
526 /* duplicate, discard */
527 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
529 "seqno <%u,%u> fragno <%u,%u> tid %u",
530 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
531 ni->ni_rxseqs[tid] >>
532 IEEE80211_SEQ_SEQ_SHIFT,
533 rxseq & IEEE80211_SEQ_FRAG_MASK,
535 IEEE80211_SEQ_FRAG_MASK,
537 vap->iv_stats.is_rx_dup++;
538 IEEE80211_NODE_STAT(ni, rx_dup);
541 ni->ni_rxseqs[tid] = rxseq;
546 case IEEE80211_FC0_TYPE_DATA:
547 hdrspace = ieee80211_hdrspace(ic, wh);
548 if (m->m_len < hdrspace &&
549 (m = m_pullup(m, hdrspace)) == NULL) {
550 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
551 ni->ni_macaddr, NULL,
552 "data too short: expecting %u", hdrspace);
553 vap->iv_stats.is_rx_tooshort++;
556 if (!(dir == IEEE80211_FC1_DIR_TODS ||
557 (dir == IEEE80211_FC1_DIR_DSTODS &&
558 (vap->iv_flags & IEEE80211_F_DWDS)))) {
559 if (dir != IEEE80211_FC1_DIR_DSTODS) {
560 IEEE80211_DISCARD(vap,
561 IEEE80211_MSG_INPUT, wh, "data",
562 "incorrect dir 0x%x", dir);
564 IEEE80211_DISCARD(vap,
565 IEEE80211_MSG_INPUT |
566 IEEE80211_MSG_WDS, wh,
568 "%s", "DWDS not enabled");
570 vap->iv_stats.is_rx_wrongdir++;
573 /* check if source STA is associated */
574 if (ni == vap->iv_bss) {
575 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
576 wh, "data", "%s", "unknown src");
577 ieee80211_send_error(ni, wh->i_addr2,
578 IEEE80211_FC0_SUBTYPE_DEAUTH,
579 IEEE80211_REASON_NOT_AUTHED);
580 vap->iv_stats.is_rx_notassoc++;
583 if (ni->ni_associd == 0) {
584 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
585 wh, "data", "%s", "unassoc src");
586 IEEE80211_SEND_MGMT(ni,
587 IEEE80211_FC0_SUBTYPE_DISASSOC,
588 IEEE80211_REASON_NOT_ASSOCED);
589 vap->iv_stats.is_rx_notassoc++;
594 * Check for power save state change.
595 * XXX out-of-order A-MPDU frames?
597 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
598 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
599 ieee80211_node_pwrsave(ni,
600 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
602 * For 4-address packets handle WDS discovery
603 * notifications. Once a WDS link is setup frames
604 * are just delivered to the WDS vap (see below).
606 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
607 if (!ieee80211_node_is_authorized(ni)) {
608 IEEE80211_DISCARD(vap,
609 IEEE80211_MSG_INPUT |
610 IEEE80211_MSG_WDS, wh,
612 "%s", "unauthorized port");
613 vap->iv_stats.is_rx_unauth++;
614 IEEE80211_NODE_STAT(ni, rx_unauth);
617 ieee80211_dwds_discover(ni, m);
622 * Handle A-MPDU re-ordering. If the frame is to be
623 * processed directly then ieee80211_ampdu_reorder
624 * will return 0; otherwise it has consumed the mbuf
625 * and we should do nothing more with it.
627 if ((m->m_flags & M_AMPDU) &&
628 ieee80211_ampdu_reorder(ni, m) != 0) {
635 * Handle privacy requirements. Note that we
636 * must not be preempted from here until after
637 * we (potentially) call ieee80211_crypto_demic;
638 * otherwise we may violate assumptions in the
639 * crypto cipher modules used to do delayed update
640 * of replay sequence numbers.
642 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
643 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
645 * Discard encrypted frames when privacy is off.
647 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
648 wh, "WEP", "%s", "PRIVACY off");
649 vap->iv_stats.is_rx_noprivacy++;
650 IEEE80211_NODE_STAT(ni, rx_noprivacy);
653 key = ieee80211_crypto_decap(ni, m, hdrspace);
655 /* NB: stats+msgs handled in crypto_decap */
656 IEEE80211_NODE_STAT(ni, rx_wepfail);
659 wh = mtod(m, struct ieee80211_frame *);
660 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
662 /* XXX M_WEP and IEEE80211_F_PRIVACY */
667 * Save QoS bits for use below--before we strip the header.
669 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
670 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
671 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
672 ((struct ieee80211_qosframe *)wh)->i_qos[0];
677 * Next up, any fragmentation.
679 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
680 m = ieee80211_defrag(ni, m, hdrspace);
682 /* Fragment dropped or frame not complete yet */
686 wh = NULL; /* no longer valid, catch any uses */
689 * Next strip any MSDU crypto bits.
691 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
692 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
693 ni->ni_macaddr, "data", "%s", "demic error");
694 vap->iv_stats.is_rx_demicfail++;
695 IEEE80211_NODE_STAT(ni, rx_demicfail);
698 /* copy to listener after decrypt */
699 if (bpf_peers_present(vap->iv_rawbpf))
700 bpf_mtap(vap->iv_rawbpf, m);
703 * Finally, strip the 802.11 header.
705 m = ieee80211_decap(vap, m, hdrspace);
707 /* XXX mask bit to check for both */
708 /* don't count Null data frames as errors */
709 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
710 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
712 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
713 ni->ni_macaddr, "data", "%s", "decap error");
714 vap->iv_stats.is_rx_decap++;
715 IEEE80211_NODE_STAT(ni, rx_decap);
718 eh = mtod(m, struct ether_header *);
719 if (!ieee80211_node_is_authorized(ni)) {
721 * Deny any non-PAE frames received prior to
722 * authorization. For open/shared-key
723 * authentication the port is mark authorized
724 * after authentication completes. For 802.1x
725 * the port is not marked authorized by the
726 * authenticator until the handshake has completed.
728 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
729 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
730 eh->ether_shost, "data",
731 "unauthorized port: ether type 0x%x len %u",
732 eh->ether_type, m->m_pkthdr.len);
733 vap->iv_stats.is_rx_unauth++;
734 IEEE80211_NODE_STAT(ni, rx_unauth);
739 * When denying unencrypted frames, discard
740 * any non-PAE frames received without encryption.
742 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
743 (key == NULL && (m->m_flags & M_WEP) == 0) &&
744 eh->ether_type != htons(ETHERTYPE_PAE)) {
746 * Drop unencrypted frames.
748 vap->iv_stats.is_rx_unencrypted++;
749 IEEE80211_NODE_STAT(ni, rx_unencrypted);
753 /* XXX require HT? */
754 if (qos & IEEE80211_QOS_AMSDU) {
755 m = ieee80211_decap_amsdu(ni, m);
757 return IEEE80211_FC0_TYPE_DATA;
759 #ifdef IEEE80211_SUPPORT_SUPERG
760 m = ieee80211_decap_fastframe(vap, ni, m);
762 return IEEE80211_FC0_TYPE_DATA;
765 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
766 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
768 hostap_deliver_data(vap, ni, m);
769 return IEEE80211_FC0_TYPE_DATA;
771 case IEEE80211_FC0_TYPE_MGT:
772 vap->iv_stats.is_rx_mgmt++;
773 IEEE80211_NODE_STAT(ni, rx_mgmt);
774 if (dir != IEEE80211_FC1_DIR_NODS) {
775 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
776 wh, "mgt", "incorrect dir 0x%x", dir);
777 vap->iv_stats.is_rx_wrongdir++;
780 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
781 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
782 ni->ni_macaddr, "mgt", "too short: len %u",
784 vap->iv_stats.is_rx_tooshort++;
787 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
788 /* ensure return frames are unicast */
789 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
790 wh, NULL, "source is multicast: %s",
791 ether_sprintf(wh->i_addr2));
792 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
795 #ifdef IEEE80211_DEBUG
796 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
797 ieee80211_msg_dumppkts(vap)) {
798 if_printf(ifp, "received %s from %s rssi %d\n",
799 ieee80211_mgt_subtype_name[subtype >>
800 IEEE80211_FC0_SUBTYPE_SHIFT],
801 ether_sprintf(wh->i_addr2), rssi);
804 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
805 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
807 * Only shared key auth frames with a challenge
808 * should be encrypted, discard all others.
810 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
812 "%s", "WEP set but not permitted");
813 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
816 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
818 * Discard encrypted frames when privacy is off.
820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
821 wh, NULL, "%s", "WEP set but PRIVACY off");
822 vap->iv_stats.is_rx_noprivacy++;
825 hdrspace = ieee80211_hdrspace(ic, wh);
826 key = ieee80211_crypto_decap(ni, m, hdrspace);
828 /* NB: stats+msgs handled in crypto_decap */
831 wh = mtod(m, struct ieee80211_frame *);
832 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
834 if (bpf_peers_present(vap->iv_rawbpf))
835 bpf_mtap(vap->iv_rawbpf, m);
836 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
838 return IEEE80211_FC0_TYPE_MGT;
840 case IEEE80211_FC0_TYPE_CTL:
841 vap->iv_stats.is_rx_ctl++;
842 IEEE80211_NODE_STAT(ni, rx_ctrl);
844 case IEEE80211_FC0_SUBTYPE_PS_POLL:
845 hostap_recv_pspoll(ni, m);
847 case IEEE80211_FC0_SUBTYPE_BAR:
848 ieee80211_recv_bar(ni, m);
853 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
854 wh, "bad", "frame type 0x%x", type);
855 /* should not come here */
862 if (bpf_peers_present(vap->iv_rawbpf) && need_tap)
863 bpf_mtap(vap->iv_rawbpf, m);
871 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
872 int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
874 struct ieee80211vap *vap = ni->ni_vap;
876 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
878 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
879 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
880 ni->ni_macaddr, "open auth",
881 "bad sta auth mode %u", ni->ni_authmode);
882 vap->iv_stats.is_rx_bad_auth++; /* XXX */
884 * Clear any challenge text that may be there if
885 * a previous shared key auth failed and then an
886 * open auth is attempted.
888 if (ni->ni_challenge != NULL) {
889 free(ni->ni_challenge, M_80211_NODE);
890 ni->ni_challenge = NULL;
892 /* XXX hack to workaround calling convention */
893 ieee80211_send_error(ni, wh->i_addr2,
894 IEEE80211_FC0_SUBTYPE_AUTH,
895 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
898 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
899 vap->iv_stats.is_rx_bad_auth++;
902 /* always accept open authentication requests */
903 if (ni == vap->iv_bss) {
904 ni = ieee80211_dup_bss(vap, wh->i_addr2);
907 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
908 (void) ieee80211_ref_node(ni);
910 * Mark the node as referenced to reflect that it's
911 * reference count has been bumped to insure it remains
912 * after the transaction completes.
914 ni->ni_flags |= IEEE80211_NODE_AREF;
916 * Mark the node as requiring a valid association id
917 * before outbound traffic is permitted.
919 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
921 if (vap->iv_acl != NULL &&
922 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
924 * When the ACL policy is set to RADIUS we defer the
925 * authorization to a user agent. Dispatch an event,
926 * a subsequent MLME call will decide the fate of the
927 * station. If the user agent is not present then the
928 * node will be reclaimed due to inactivity.
930 IEEE80211_NOTE_MAC(vap,
931 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
932 "%s", "station authentication defered (radius acl)");
933 ieee80211_notify_node_auth(ni);
935 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
936 IEEE80211_NOTE_MAC(vap,
937 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
938 "%s", "station authenticated (open)");
940 * When 802.1x is not in use mark the port
941 * authorized at this point so traffic can flow.
943 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
944 ieee80211_node_authorize(ni);
949 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
950 uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp,
951 uint16_t seq, uint16_t status)
953 struct ieee80211vap *vap = ni->ni_vap;
955 int allocbs, estatus;
957 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
960 * NB: this can happen as we allow pre-shared key
961 * authentication to be enabled w/o wep being turned
962 * on so that configuration of these can be done
963 * in any order. It may be better to enforce the
964 * ordering in which case this check would just be
965 * for sanity/consistency.
967 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
968 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
969 ni->ni_macaddr, "shared key auth",
970 "%s", " PRIVACY is disabled");
971 estatus = IEEE80211_STATUS_ALG;
975 * Pre-shared key authentication is evil; accept
976 * it only if explicitly configured (it is supported
977 * mainly for compatibility with clients like Mac OS X).
979 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
980 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
981 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
982 ni->ni_macaddr, "shared key auth",
983 "bad sta auth mode %u", ni->ni_authmode);
984 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
985 estatus = IEEE80211_STATUS_ALG;
990 if (frm + 1 < efrm) {
991 if ((frm[1] + 2) > (efrm - frm)) {
992 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
993 ni->ni_macaddr, "shared key auth",
995 frm[0], (frm[1] + 2) - (efrm - frm));
996 vap->iv_stats.is_rx_bad_auth++;
997 estatus = IEEE80211_STATUS_CHALLENGE;
1000 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1005 case IEEE80211_AUTH_SHARED_CHALLENGE:
1006 case IEEE80211_AUTH_SHARED_RESPONSE:
1007 if (challenge == NULL) {
1008 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009 ni->ni_macaddr, "shared key auth",
1010 "%s", "no challenge");
1011 vap->iv_stats.is_rx_bad_auth++;
1012 estatus = IEEE80211_STATUS_CHALLENGE;
1015 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1016 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1017 ni->ni_macaddr, "shared key auth",
1018 "bad challenge len %d", challenge[1]);
1019 vap->iv_stats.is_rx_bad_auth++;
1020 estatus = IEEE80211_STATUS_CHALLENGE;
1027 case IEEE80211_AUTH_SHARED_REQUEST:
1028 if (ni == vap->iv_bss) {
1029 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1031 /* NB: no way to return an error */
1036 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1037 (void) ieee80211_ref_node(ni);
1041 * Mark the node as referenced to reflect that it's
1042 * reference count has been bumped to insure it remains
1043 * after the transaction completes.
1045 ni->ni_flags |= IEEE80211_NODE_AREF;
1047 * Mark the node as requiring a valid associatio id
1048 * before outbound traffic is permitted.
1050 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1051 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1052 ni->ni_noise = noise;
1053 ni->ni_rstamp = rstamp;
1054 if (!ieee80211_alloc_challenge(ni)) {
1055 /* NB: don't return error so they rexmit */
1058 get_random_bytes(ni->ni_challenge,
1059 IEEE80211_CHALLENGE_LEN);
1060 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1061 ni, "shared key %sauth request", allocbs ? "" : "re");
1063 * When the ACL policy is set to RADIUS we defer the
1064 * authorization to a user agent. Dispatch an event,
1065 * a subsequent MLME call will decide the fate of the
1066 * station. If the user agent is not present then the
1067 * node will be reclaimed due to inactivity.
1069 if (vap->iv_acl != NULL &&
1070 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1071 IEEE80211_NOTE_MAC(vap,
1072 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1074 "%s", "station authentication defered (radius acl)");
1075 ieee80211_notify_node_auth(ni);
1079 case IEEE80211_AUTH_SHARED_RESPONSE:
1080 if (ni == vap->iv_bss) {
1081 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1082 ni->ni_macaddr, "shared key response",
1083 "%s", "unknown station");
1084 /* NB: don't send a response */
1087 if (ni->ni_challenge == NULL) {
1088 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1089 ni->ni_macaddr, "shared key response",
1090 "%s", "no challenge recorded");
1091 vap->iv_stats.is_rx_bad_auth++;
1092 estatus = IEEE80211_STATUS_CHALLENGE;
1095 if (memcmp(ni->ni_challenge, &challenge[2],
1096 challenge[1]) != 0) {
1097 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1098 ni->ni_macaddr, "shared key response",
1099 "%s", "challenge mismatch");
1100 vap->iv_stats.is_rx_auth_fail++;
1101 estatus = IEEE80211_STATUS_CHALLENGE;
1104 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1105 ni, "%s", "station authenticated (shared key)");
1106 ieee80211_node_authorize(ni);
1109 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1110 ni->ni_macaddr, "shared key auth",
1112 vap->iv_stats.is_rx_bad_auth++;
1113 estatus = IEEE80211_STATUS_SEQUENCE;
1116 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1120 * Send an error response; but only when operating as an AP.
1122 /* XXX hack to workaround calling convention */
1123 ieee80211_send_error(ni, wh->i_addr2,
1124 IEEE80211_FC0_SUBTYPE_AUTH,
1125 (seq + 1) | (estatus<<16));
1129 * Convert a WPA cipher selector OUI to an internal
1130 * cipher algorithm. Where appropriate we also
1131 * record any key length.
1134 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1136 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1137 uint32_t w = LE_READ_4(sel);
1140 case WPA_SEL(WPA_CSE_NULL):
1141 return IEEE80211_CIPHER_NONE;
1142 case WPA_SEL(WPA_CSE_WEP40):
1144 *keylen = 40 / NBBY;
1145 return IEEE80211_CIPHER_WEP;
1146 case WPA_SEL(WPA_CSE_WEP104):
1148 *keylen = 104 / NBBY;
1149 return IEEE80211_CIPHER_WEP;
1150 case WPA_SEL(WPA_CSE_TKIP):
1151 return IEEE80211_CIPHER_TKIP;
1152 case WPA_SEL(WPA_CSE_CCMP):
1153 return IEEE80211_CIPHER_AES_CCM;
1155 return 32; /* NB: so 1<< is discarded */
1160 * Convert a WPA key management/authentication algorithm
1161 * to an internal code.
1164 wpa_keymgmt(const uint8_t *sel)
1166 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1167 uint32_t w = LE_READ_4(sel);
1170 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1171 return WPA_ASE_8021X_UNSPEC;
1172 case WPA_SEL(WPA_ASE_8021X_PSK):
1173 return WPA_ASE_8021X_PSK;
1174 case WPA_SEL(WPA_ASE_NONE):
1175 return WPA_ASE_NONE;
1177 return 0; /* NB: so is discarded */
1182 * Parse a WPA information element to collect parameters.
1183 * Note that we do not validate security parameters; that
1184 * is handled by the authenticator; the parsing done here
1185 * is just for internal use in making operational decisions.
1188 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1189 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1191 uint8_t len = frm[1];
1196 * Check the length once for fixed parts: OUI, type,
1197 * version, mcast cipher, and 2 selector counts.
1198 * Other, variable-length data, must be checked separately.
1200 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1201 IEEE80211_DISCARD_IE(vap,
1202 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1203 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1204 return IEEE80211_REASON_IE_INVALID;
1207 IEEE80211_DISCARD_IE(vap,
1208 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1209 wh, "WPA", "too short, len %u", len);
1210 return IEEE80211_REASON_IE_INVALID;
1212 frm += 6, len -= 4; /* NB: len is payload only */
1213 /* NB: iswapoui already validated the OUI and type */
1215 if (w != WPA_VERSION) {
1216 IEEE80211_DISCARD_IE(vap,
1217 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1218 wh, "WPA", "bad version %u", w);
1219 return IEEE80211_REASON_IE_INVALID;
1223 memset(rsn, 0, sizeof(*rsn));
1225 /* multicast/group cipher */
1226 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1229 /* unicast ciphers */
1233 IEEE80211_DISCARD_IE(vap,
1234 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1235 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1237 return IEEE80211_REASON_IE_INVALID;
1240 for (; n > 0; n--) {
1241 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1244 if (w & (1<<IEEE80211_CIPHER_TKIP))
1245 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1247 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1249 /* key management algorithms */
1253 IEEE80211_DISCARD_IE(vap,
1254 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1255 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1257 return IEEE80211_REASON_IE_INVALID;
1260 for (; n > 0; n--) {
1261 w |= wpa_keymgmt(frm);
1264 if (w & WPA_ASE_8021X_UNSPEC)
1265 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1267 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1269 if (len > 2) /* optional capabilities */
1270 rsn->rsn_caps = LE_READ_2(frm);
1276 * Convert an RSN cipher selector OUI to an internal
1277 * cipher algorithm. Where appropriate we also
1278 * record any key length.
1281 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1283 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1284 uint32_t w = LE_READ_4(sel);
1287 case RSN_SEL(RSN_CSE_NULL):
1288 return IEEE80211_CIPHER_NONE;
1289 case RSN_SEL(RSN_CSE_WEP40):
1291 *keylen = 40 / NBBY;
1292 return IEEE80211_CIPHER_WEP;
1293 case RSN_SEL(RSN_CSE_WEP104):
1295 *keylen = 104 / NBBY;
1296 return IEEE80211_CIPHER_WEP;
1297 case RSN_SEL(RSN_CSE_TKIP):
1298 return IEEE80211_CIPHER_TKIP;
1299 case RSN_SEL(RSN_CSE_CCMP):
1300 return IEEE80211_CIPHER_AES_CCM;
1301 case RSN_SEL(RSN_CSE_WRAP):
1302 return IEEE80211_CIPHER_AES_OCB;
1304 return 32; /* NB: so 1<< is discarded */
1309 * Convert an RSN key management/authentication algorithm
1310 * to an internal code.
1313 rsn_keymgmt(const uint8_t *sel)
1315 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1316 uint32_t w = LE_READ_4(sel);
1319 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1320 return RSN_ASE_8021X_UNSPEC;
1321 case RSN_SEL(RSN_ASE_8021X_PSK):
1322 return RSN_ASE_8021X_PSK;
1323 case RSN_SEL(RSN_ASE_NONE):
1324 return RSN_ASE_NONE;
1326 return 0; /* NB: so is discarded */
1331 * Parse a WPA/RSN information element to collect parameters
1332 * and validate the parameters against what has been
1333 * configured for the system.
1336 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1337 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1339 uint8_t len = frm[1];
1344 * Check the length once for fixed parts:
1345 * version, mcast cipher, and 2 selector counts.
1346 * Other, variable-length data, must be checked separately.
1348 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1349 IEEE80211_DISCARD_IE(vap,
1350 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1351 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1352 return IEEE80211_REASON_IE_INVALID;
1355 IEEE80211_DISCARD_IE(vap,
1356 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1357 wh, "RSN", "too short, len %u", len);
1358 return IEEE80211_REASON_IE_INVALID;
1362 if (w != RSN_VERSION) {
1363 IEEE80211_DISCARD_IE(vap,
1364 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1365 wh, "RSN", "bad version %u", w);
1366 return IEEE80211_REASON_IE_INVALID;
1370 memset(rsn, 0, sizeof(*rsn));
1372 /* multicast/group cipher */
1373 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1376 /* unicast ciphers */
1380 IEEE80211_DISCARD_IE(vap,
1381 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1382 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1384 return IEEE80211_REASON_IE_INVALID;
1387 for (; n > 0; n--) {
1388 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1391 if (w & (1<<IEEE80211_CIPHER_TKIP))
1392 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1394 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1396 /* key management algorithms */
1400 IEEE80211_DISCARD_IE(vap,
1401 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1402 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1404 return IEEE80211_REASON_IE_INVALID;
1407 for (; n > 0; n--) {
1408 w |= rsn_keymgmt(frm);
1411 if (w & RSN_ASE_8021X_UNSPEC)
1412 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1414 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1416 /* optional RSN capabilities */
1418 rsn->rsn_caps = LE_READ_2(frm);
1425 * WPA/802.11i assocation request processing.
1428 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1429 const struct ieee80211_frame *wh, const uint8_t *wpa,
1430 const uint8_t *rsn, uint16_t capinfo)
1432 struct ieee80211vap *vap = ni->ni_vap;
1436 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1437 if (wpa == NULL && rsn == NULL) {
1438 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1440 * W-Fi Protected Setup (WPS) permits
1441 * clients to associate and pass EAPOL frames
1442 * to establish initial credentials.
1444 ni->ni_flags |= IEEE80211_NODE_WPS;
1447 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1448 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1450 * Transitional Security Network. Permits clients
1451 * to associate and use WEP while WPA is configured.
1453 ni->ni_flags |= IEEE80211_NODE_TSN;
1456 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1457 wh, NULL, "%s", "no WPA/RSN IE in association request");
1458 vap->iv_stats.is_rx_assoc_badwpaie++;
1459 reason = IEEE80211_REASON_IE_INVALID;
1462 /* assert right association security credentials */
1463 badwparsn = 0; /* NB: to silence compiler */
1464 switch (vap->iv_flags & IEEE80211_F_WPA) {
1465 case IEEE80211_F_WPA1:
1466 badwparsn = (wpa == NULL);
1468 case IEEE80211_F_WPA2:
1469 badwparsn = (rsn == NULL);
1471 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1472 badwparsn = (wpa == NULL && rsn == NULL);
1476 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1478 "%s", "missing WPA/RSN IE in association request");
1479 vap->iv_stats.is_rx_assoc_badwpaie++;
1480 reason = IEEE80211_REASON_IE_INVALID;
1484 * Parse WPA/RSN information element.
1487 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1489 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1491 /* XXX distinguish WPA/RSN? */
1492 vap->iv_stats.is_rx_assoc_badwpaie++;
1495 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1496 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1497 wpa != NULL ? "WPA" : "RSN",
1498 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1499 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1500 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1504 ieee80211_node_deauth(ni, reason);
1508 /* XXX find a better place for definition */
1509 struct l2_update_frame {
1510 struct ether_header eh;
1518 * Deliver a TGf L2UF frame on behalf of a station.
1519 * This primes any bridge when the station is roaming
1520 * between ap's on the same wired network.
1523 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1525 struct ieee80211vap *vap = ni->ni_vap;
1526 struct ifnet *ifp = vap->iv_ifp;
1528 struct l2_update_frame *l2uf;
1529 struct ether_header *eh;
1531 m = m_gethdr(M_NOWAIT, MT_DATA);
1533 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1534 "%s", "no mbuf for l2uf frame");
1535 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1538 l2uf = mtod(m, struct l2_update_frame *);
1540 /* dst: Broadcast address */
1541 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1542 /* src: associated STA */
1543 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1544 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1548 l2uf->control = 0xf5;
1549 l2uf->xid[0] = 0x81;
1550 l2uf->xid[1] = 0x80;
1551 l2uf->xid[2] = 0x00;
1553 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1554 hostap_deliver_data(vap, ni, m);
1558 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1559 int reassoc, int resp, const char *tag, int rate)
1561 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1562 "deny %s request, %s rate set mismatch, rate/MCS %d",
1563 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1564 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1565 ieee80211_node_leave(ni);
1569 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1570 int reassoc, int resp, const char *tag, int capinfo)
1572 struct ieee80211vap *vap = ni->ni_vap;
1574 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1575 "deny %s request, %s mismatch 0x%x",
1576 reassoc ? "reassoc" : "assoc", tag, capinfo);
1577 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1578 ieee80211_node_leave(ni);
1579 vap->iv_stats.is_rx_assoc_capmismatch++;
1583 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1584 int reassoc, int resp)
1586 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1587 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1588 /* XXX no better code */
1589 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER);
1590 ieee80211_node_leave(ni);
1594 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1595 int algo, int seq, int status)
1597 struct ieee80211vap *vap = ni->ni_vap;
1599 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1600 wh, NULL, "unsupported alg %d", algo);
1601 vap->iv_stats.is_rx_auth_unsupported++;
1602 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1603 seq | (status << 16));
1607 ishtmixed(const uint8_t *ie)
1609 const struct ieee80211_ie_htinfo *ht =
1610 (const struct ieee80211_ie_htinfo *) ie;
1611 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1612 IEEE80211_HTINFO_OPMODE_MIXED;
1616 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1618 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1621 /* NB: the 11b clients we care about will not have xrates */
1622 if (xrates != NULL || rates == NULL)
1624 for (i = 0; i < rates[1]; i++) {
1625 int r = rates[2+i] & IEEE80211_RATE_VAL;
1626 if (r > 2*11 || ((1<<r) & brates) == 0)
1633 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1634 int subtype, int rssi, int noise, uint32_t rstamp)
1636 struct ieee80211vap *vap = ni->ni_vap;
1637 struct ieee80211com *ic = ni->ni_ic;
1638 struct ieee80211_frame *wh;
1639 uint8_t *frm, *efrm, *sfrm;
1640 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1644 wh = mtod(m0, struct ieee80211_frame *);
1645 frm = (uint8_t *)&wh[1];
1646 efrm = mtod(m0, uint8_t *) + m0->m_len;
1648 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1649 case IEEE80211_FC0_SUBTYPE_BEACON: {
1650 struct ieee80211_scanparams scan;
1652 * We process beacon/probe response frames when scanning;
1653 * otherwise we check beacon frames for overlapping non-ERP
1654 * BSS in 11g and/or overlapping legacy BSS when in HT.
1656 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1657 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1658 vap->iv_stats.is_rx_mgtdiscard++;
1661 /* NB: accept off-channel frames */
1662 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1665 * Count frame now that we know it's to be processed.
1667 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1668 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1669 IEEE80211_NODE_STAT(ni, rx_beacons);
1671 IEEE80211_NODE_STAT(ni, rx_proberesp);
1673 * If scanning, just pass information to the scan module.
1675 if (ic->ic_flags & IEEE80211_F_SCAN) {
1676 if (scan.status == 0 && /* NB: on channel */
1677 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1679 * Actively scanning a channel marked passive;
1680 * send a probe request now that we know there
1681 * is 802.11 traffic present.
1683 * XXX check if the beacon we recv'd gives
1684 * us what we need and suppress the probe req
1686 ieee80211_probe_curchan(vap, 1);
1687 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1689 ieee80211_add_scan(vap, &scan, wh,
1690 subtype, rssi, noise, rstamp);
1694 * Check beacon for overlapping bss w/ non ERP stations.
1695 * If we detect one and protection is configured but not
1696 * enabled, enable it and start a timer that'll bring us
1697 * out if we stop seeing the bss.
1699 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1700 scan.status == 0 && /* NB: on-channel */
1701 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1702 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1703 ic->ic_lastnonerp = ticks;
1704 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1705 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1706 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1707 IEEE80211_NOTE_FRAME(vap,
1708 IEEE80211_MSG_ASSOC, wh,
1709 "non-ERP present on channel %d "
1710 "(saw erp 0x%x from channel %d), "
1711 "enable use of protection",
1712 ic->ic_curchan->ic_ieee,
1713 scan.erp, scan.chan);
1714 ic->ic_flags |= IEEE80211_F_USEPROT;
1715 ieee80211_notify_erp(ic);
1719 * Check beacon for non-HT station on HT channel
1720 * and update HT BSS occupancy as appropriate.
1722 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1723 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1725 * Off control channel; only check frames
1726 * that come in the extension channel when
1727 * operating w/ HT40.
1729 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1731 if (scan.chan != ic->ic_curchan->ic_extieee)
1734 if (scan.htinfo == NULL) {
1735 ieee80211_htprot_update(ic,
1736 IEEE80211_HTINFO_OPMODE_PROTOPT |
1737 IEEE80211_HTINFO_NONHT_PRESENT);
1738 } else if (ishtmixed(scan.htinfo)) {
1739 /* XXX? take NONHT_PRESENT from beacon? */
1740 ieee80211_htprot_update(ic,
1741 IEEE80211_HTINFO_OPMODE_MIXED |
1742 IEEE80211_HTINFO_NONHT_PRESENT);
1748 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1749 if (vap->iv_state != IEEE80211_S_RUN) {
1750 vap->iv_stats.is_rx_mgtdiscard++;
1754 * prreq frame format
1756 * [tlv] supported rates
1757 * [tlv] extended supported rates
1759 ssid = rates = xrates = NULL;
1761 while (efrm - frm > 1) {
1762 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1764 case IEEE80211_ELEMID_SSID:
1767 case IEEE80211_ELEMID_RATES:
1770 case IEEE80211_ELEMID_XRATES:
1776 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1778 IEEE80211_VERIFY_ELEMENT(xrates,
1779 IEEE80211_RATE_MAXSIZE - rates[1], return);
1780 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1781 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1782 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1783 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1785 "%s", "no ssid with ssid suppression enabled");
1786 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1790 /* XXX find a better class or define it's own */
1791 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1792 "%s", "recv probe req");
1794 * Some legacy 11b clients cannot hack a complete
1795 * probe response frame. When the request includes
1796 * only a bare-bones rate set, communicate this to
1797 * the transmit side.
1799 ieee80211_send_proberesp(vap, wh->i_addr2,
1800 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1803 case IEEE80211_FC0_SUBTYPE_AUTH: {
1804 uint16_t algo, seq, status;
1806 if (vap->iv_state != IEEE80211_S_RUN) {
1807 vap->iv_stats.is_rx_mgtdiscard++;
1810 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1811 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1812 wh, NULL, "%s", "wrong bssid");
1813 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1823 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1824 algo = le16toh(*(uint16_t *)frm);
1825 seq = le16toh(*(uint16_t *)(frm + 2));
1826 status = le16toh(*(uint16_t *)(frm + 4));
1827 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1828 "recv auth frame with algorithm %d seq %d", algo, seq);
1830 * Consult the ACL policy module if setup.
1832 if (vap->iv_acl != NULL &&
1833 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1834 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1835 wh, NULL, "%s", "disallowed by ACL");
1836 vap->iv_stats.is_rx_acl++;
1837 ieee80211_send_error(ni, wh->i_addr2,
1838 IEEE80211_FC0_SUBTYPE_AUTH,
1839 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1842 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1843 IEEE80211_DISCARD(vap,
1844 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1845 wh, NULL, "%s", "TKIP countermeasures enabled");
1846 vap->iv_stats.is_rx_auth_countermeasures++;
1847 ieee80211_send_error(ni, wh->i_addr2,
1848 IEEE80211_FC0_SUBTYPE_AUTH,
1849 IEEE80211_REASON_MIC_FAILURE);
1852 if (algo == IEEE80211_AUTH_ALG_SHARED)
1853 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi,
1854 noise, rstamp, seq, status);
1855 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1856 hostap_auth_open(ni, wh, rssi, noise, rstamp,
1858 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1859 authalgreject(ni, wh, algo,
1860 seq+1, IEEE80211_STATUS_ALG);
1864 * We assume that an unknown algorithm is the result
1865 * of a decryption failure on a shared key auth frame;
1866 * return a status code appropriate for that instead
1867 * of IEEE80211_STATUS_ALG.
1869 * NB: a seq# of 4 is intentional; the decrypted
1870 * frame likely has a bogus seq value.
1872 authalgreject(ni, wh, algo,
1873 4, IEEE80211_STATUS_CHALLENGE);
1879 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1880 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1881 uint16_t capinfo, lintval;
1882 struct ieee80211_rsnparms rsnparms;
1884 if (vap->iv_state != IEEE80211_S_RUN) {
1885 vap->iv_stats.is_rx_mgtdiscard++;
1888 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1889 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1890 wh, NULL, "%s", "wrong bssid");
1891 vap->iv_stats.is_rx_assoc_bss++;
1894 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1896 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1899 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1901 if (ni == vap->iv_bss) {
1902 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1903 "deny %s request, sta not authenticated",
1904 reassoc ? "reassoc" : "assoc");
1905 ieee80211_send_error(ni, wh->i_addr2,
1906 IEEE80211_FC0_SUBTYPE_DEAUTH,
1907 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1908 vap->iv_stats.is_rx_assoc_notauth++;
1913 * asreq frame format
1914 * [2] capability information
1915 * [2] listen interval
1916 * [6*] current AP address (reassoc only)
1918 * [tlv] supported rates
1919 * [tlv] extended supported rates
1921 * [tlv] HT capabilities
1922 * [tlv] Atheros capabilities
1924 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1925 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1926 lintval = le16toh(*(uint16_t *)frm); frm += 2;
1928 frm += 6; /* ignore current AP info */
1929 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1931 while (efrm - frm > 1) {
1932 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1934 case IEEE80211_ELEMID_SSID:
1937 case IEEE80211_ELEMID_RATES:
1940 case IEEE80211_ELEMID_XRATES:
1943 case IEEE80211_ELEMID_RSN:
1946 case IEEE80211_ELEMID_HTCAP:
1949 case IEEE80211_ELEMID_VENDOR:
1952 else if (iswmeinfo(frm))
1954 #ifdef IEEE80211_SUPPORT_SUPERG
1955 else if (isatherosoui(frm))
1958 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1959 if (ishtcapoui(frm) && htcap == NULL)
1966 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1968 IEEE80211_VERIFY_ELEMENT(xrates,
1969 IEEE80211_RATE_MAXSIZE - rates[1], return);
1970 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1971 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1972 if (htcap != NULL) {
1973 IEEE80211_VERIFY_LENGTH(htcap[1],
1974 htcap[0] == IEEE80211_ELEMID_VENDOR ?
1975 4 + sizeof(struct ieee80211_ie_htcap)-2 :
1976 sizeof(struct ieee80211_ie_htcap)-2,
1977 return); /* XXX just NULL out? */
1980 if ((vap->iv_flags & IEEE80211_F_WPA) &&
1981 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
1983 /* discard challenge after association */
1984 if (ni->ni_challenge != NULL) {
1985 free(ni->ni_challenge, M_80211_NODE);
1986 ni->ni_challenge = NULL;
1988 /* NB: 802.11 spec says to ignore station's privacy bit */
1989 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
1990 capinfomismatch(ni, wh, reassoc, resp,
1991 "capability", capinfo);
1995 * Disallow re-associate w/ invalid slot time setting.
1997 if (ni->ni_associd != 0 &&
1998 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
1999 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2000 capinfomismatch(ni, wh, reassoc, resp,
2001 "slot time", capinfo);
2004 rate = ieee80211_setup_rates(ni, rates, xrates,
2005 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2006 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2007 if (rate & IEEE80211_RATE_BASIC) {
2008 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2009 vap->iv_stats.is_rx_assoc_norate++;
2013 * If constrained to 11g-only stations reject an
2014 * 11b-only station. We cheat a bit here by looking
2015 * at the max negotiated xmit rate and assuming anyone
2016 * with a best rate <24Mb/s is an 11b station.
2018 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2019 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2020 vap->iv_stats.is_rx_assoc_norate++;
2024 * Do HT rate set handling and setup HT node state.
2026 ni->ni_chan = vap->iv_bss->ni_chan;
2027 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2028 rate = ieee80211_setup_htrates(ni, htcap,
2029 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2031 if (rate & IEEE80211_RATE_BASIC) {
2032 ratesetmismatch(ni, wh, reassoc, resp,
2034 vap->iv_stats.is_ht_assoc_norate++;
2037 ieee80211_ht_node_init(ni);
2038 ieee80211_ht_updatehtcap(ni, htcap);
2039 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2040 ieee80211_ht_node_cleanup(ni);
2042 * Allow AMPDU operation only with unencrypted traffic
2043 * or AES-CCM; the 11n spec only specifies these ciphers
2044 * so permitting any others is undefined and can lead
2045 * to interoperability problems.
2047 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2048 (((vap->iv_flags & IEEE80211_F_WPA) &&
2049 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2050 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2052 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2053 "disallow HT use because WEP or TKIP requested, "
2054 "capinfo 0x%x ucastcipher %d", capinfo,
2055 rsnparms.rsn_ucastcipher);
2056 ieee80211_ht_node_cleanup(ni);
2057 vap->iv_stats.is_ht_assoc_downgrade++;
2060 * If constrained to 11n-only stations reject legacy stations.
2062 if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) &&
2063 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2064 htcapmismatch(ni, wh, reassoc, resp);
2065 vap->iv_stats.is_ht_assoc_nohtcap++;
2068 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2069 ni->ni_noise = noise;
2070 ni->ni_rstamp = rstamp;
2071 ni->ni_intval = lintval;
2072 ni->ni_capinfo = capinfo;
2073 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2074 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2077 * XXX maybe better to just expand
2079 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2080 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2082 setie(wpa_ie, wpa - sfrm);
2084 setie(rsn_ie, rsn - sfrm);
2086 setie(htcap_ie, htcap - sfrm);
2088 setie(wme_ie, wme - sfrm);
2090 * Mark node as capable of QoS.
2092 ni->ni_flags |= IEEE80211_NODE_QOS;
2094 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2095 #ifdef IEEE80211_SUPPORT_SUPERG
2097 setie(ath_ie, ath - sfrm);
2099 * Parse ATH station parameters.
2101 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2104 ni->ni_ath_flags = 0;
2107 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2108 ni->ni_ath_flags = 0;
2110 ieee80211_node_join(ni, resp);
2111 ieee80211_deliver_l2uf(ni);
2115 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2116 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2119 if (vap->iv_state != IEEE80211_S_RUN ||
2120 /* NB: can happen when in promiscuous mode */
2121 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2122 vap->iv_stats.is_rx_mgtdiscard++;
2126 * deauth/disassoc frame format
2129 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2130 reason = le16toh(*(uint16_t *)frm);
2131 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2132 vap->iv_stats.is_rx_deauth++;
2133 IEEE80211_NODE_STAT(ni, rx_deauth);
2135 vap->iv_stats.is_rx_disassoc++;
2136 IEEE80211_NODE_STAT(ni, rx_disassoc);
2138 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2139 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2140 IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2141 if (ni != vap->iv_bss)
2142 ieee80211_node_leave(ni);
2146 case IEEE80211_FC0_SUBTYPE_ACTION:
2147 if (vap->iv_state == IEEE80211_S_RUN) {
2148 if (ieee80211_parse_action(ni, m0) == 0)
2149 ic->ic_recv_action(ni, frm, efrm);
2151 vap->iv_stats.is_rx_mgtdiscard++;
2154 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2155 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2157 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2158 wh, "mgt", "subtype 0x%x not handled", subtype);
2159 vap->iv_stats.is_rx_badsubtype++;
2165 * Process a received ps-poll frame.
2168 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2170 struct ieee80211vap *vap = ni->ni_vap;
2171 struct ieee80211_frame_min *wh;
2177 wh = mtod(m0, struct ieee80211_frame_min *);
2178 if (ni->ni_associd == 0) {
2179 IEEE80211_DISCARD(vap,
2180 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2181 (struct ieee80211_frame *) wh, NULL,
2182 "%s", "unassociated station");
2183 vap->iv_stats.is_ps_unassoc++;
2184 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2185 IEEE80211_REASON_NOT_ASSOCED);
2189 aid = le16toh(*(uint16_t *)wh->i_dur);
2190 if (aid != ni->ni_associd) {
2191 IEEE80211_DISCARD(vap,
2192 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2193 (struct ieee80211_frame *) wh, NULL,
2194 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2195 ni->ni_associd, aid);
2196 vap->iv_stats.is_ps_badaid++;
2198 * NB: We used to deauth the station but it turns out
2199 * the Blackberry Curve 8230 (and perhaps other devices)
2200 * sometimes send the wrong AID when WME is negotiated.
2201 * Being more lenient here seems ok as we already check
2202 * the station is associated and we only return frames
2203 * queued for the station (i.e. we don't use the AID).
2208 /* Okay, take the first queued packet and put it out... */
2209 m = ieee80211_node_psq_dequeue(ni, &qlen);
2211 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2212 "%s", "recv ps-poll, but queue empty");
2213 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2214 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2215 if (vap->iv_set_tim != NULL)
2216 vap->iv_set_tim(ni, 0); /* just in case */
2220 * If there are more packets, set the more packets bit
2221 * in the packet dispatched to the station; otherwise
2222 * turn off the TIM bit.
2225 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2226 "recv ps-poll, send packet, %u still queued", qlen);
2227 m->m_flags |= M_MORE_DATA;
2229 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2230 "%s", "recv ps-poll, send packet, queue empty");
2231 if (vap->iv_set_tim != NULL)
2232 vap->iv_set_tim(ni, 0);
2234 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2236 if (m->m_flags & M_ENCAP)
2237 ifp = vap->iv_ic->ic_ifp;
2240 IF_ENQUEUE(&ifp->if_snd, m);