2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 HOSTAP mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
63 #include <net80211/ieee80211_wds.h>
65 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
67 static void hostap_vattach(struct ieee80211vap *);
68 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
69 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
71 static void hostap_deliver_data(struct ieee80211vap *,
72 struct ieee80211_node *, struct mbuf *);
73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
74 int subtype, int rssi, int nf);
75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
76 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
79 ieee80211_hostap_attach(struct ieee80211com *ic)
81 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
85 ieee80211_hostap_detach(struct ieee80211com *ic)
90 hostap_vdetach(struct ieee80211vap *vap)
95 hostap_vattach(struct ieee80211vap *vap)
97 vap->iv_newstate = hostap_newstate;
98 vap->iv_input = hostap_input;
99 vap->iv_recv_mgmt = hostap_recv_mgmt;
100 vap->iv_recv_ctl = hostap_recv_ctl;
101 vap->iv_opdetach = hostap_vdetach;
102 vap->iv_deliver_data = hostap_deliver_data;
106 sta_disassoc(void *arg, struct ieee80211_node *ni)
108 struct ieee80211vap *vap = arg;
110 if (ni->ni_vap == vap && ni->ni_associd != 0) {
111 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
112 IEEE80211_REASON_ASSOC_LEAVE);
113 ieee80211_node_leave(ni);
118 sta_csa(void *arg, struct ieee80211_node *ni)
120 struct ieee80211vap *vap = arg;
122 if (ni->ni_vap == vap && ni->ni_associd != 0)
123 if (ni->ni_inact > vap->iv_inact_init) {
124 ni->ni_inact = vap->iv_inact_init;
125 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
126 "%s: inact %u", __func__, ni->ni_inact);
131 sta_drop(void *arg, struct ieee80211_node *ni)
133 struct ieee80211vap *vap = arg;
135 if (ni->ni_vap == vap && ni->ni_associd != 0)
136 ieee80211_node_leave(ni);
140 * Does a channel change require associated stations to re-associate
141 * so protocol state is correct. This is used when doing CSA across
142 * bands or similar (e.g. HT -> legacy).
145 isbandchange(struct ieee80211com *ic)
147 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
148 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
149 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
153 * IEEE80211_M_HOSTAP vap state machine handler.
156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
158 struct ieee80211com *ic = vap->iv_ic;
159 enum ieee80211_state ostate;
161 IEEE80211_LOCK_ASSERT(ic);
163 ostate = vap->iv_state;
164 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
165 __func__, ieee80211_state_name[ostate],
166 ieee80211_state_name[nstate], arg);
167 vap->iv_state = nstate; /* state transition */
168 if (ostate != IEEE80211_S_SCAN)
169 ieee80211_cancel_scan(vap); /* background scan */
171 case IEEE80211_S_INIT:
173 case IEEE80211_S_SCAN:
174 ieee80211_cancel_scan(vap);
176 case IEEE80211_S_CAC:
177 ieee80211_dfs_cac_stop(vap);
179 case IEEE80211_S_RUN:
180 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
185 if (ostate != IEEE80211_S_INIT) {
186 /* NB: optimize INIT -> INIT case */
187 ieee80211_reset_bss(vap);
189 if (vap->iv_auth->ia_detach != NULL)
190 vap->iv_auth->ia_detach(vap);
192 case IEEE80211_S_SCAN:
194 case IEEE80211_S_CSA:
195 case IEEE80211_S_RUN:
196 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
198 * Clear overlapping BSS state; the beacon frame
199 * will be reconstructed on transition to the RUN
200 * state and the timeout routines check if the flag
201 * is set before doing anything so this is sufficient.
203 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
204 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
206 case IEEE80211_S_CAC:
208 * NB: We may get here because of a manual channel
209 * change in which case we need to stop CAC
210 * XXX no need to stop if ostate RUN but it's ok
212 ieee80211_dfs_cac_stop(vap);
214 case IEEE80211_S_INIT:
215 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
216 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
218 * Already have a channel; bypass the
219 * scan and startup immediately.
220 * ieee80211_create_ibss will call back to
221 * move us to RUN state.
223 ieee80211_create_ibss(vap, vap->iv_des_chan);
227 * Initiate a scan. We can come here as a result
228 * of an IEEE80211_IOC_SCAN_REQ too in which case
229 * the vap will be marked with IEEE80211_FEXT_SCANREQ
230 * and the scan request parameters will be present
231 * in iv_scanreq. Otherwise we do the default.
233 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
234 ieee80211_check_scan(vap,
235 vap->iv_scanreq_flags,
236 vap->iv_scanreq_duration,
237 vap->iv_scanreq_mindwell,
238 vap->iv_scanreq_maxdwell,
239 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
240 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
242 ieee80211_check_scan_current(vap);
244 case IEEE80211_S_SCAN:
246 * A state change requires a reset; scan.
248 ieee80211_check_scan_current(vap);
254 case IEEE80211_S_CAC:
256 * Start CAC on a DFS channel. We come here when starting
257 * a bss on a DFS channel (see ieee80211_create_ibss).
259 ieee80211_dfs_cac_start(vap);
261 case IEEE80211_S_RUN:
262 if (vap->iv_flags & IEEE80211_F_WPA) {
263 /* XXX validate prerequisites */
266 case IEEE80211_S_INIT:
268 * Already have a channel; bypass the
269 * scan and startup immediately.
270 * Note that ieee80211_create_ibss will call
271 * back to do a RUN->RUN state change.
273 ieee80211_create_ibss(vap,
274 ieee80211_ht_adjust_channel(ic,
275 ic->ic_curchan, vap->iv_flags_ht));
276 /* NB: iv_bss is changed on return */
278 case IEEE80211_S_CAC:
280 * NB: This is the normal state change when CAC
281 * expires and no radar was detected; no need to
282 * clear the CAC timer as it's already expired.
285 case IEEE80211_S_CSA:
287 * Shorten inactivity timer of associated stations
288 * to weed out sta's that don't follow a CSA.
290 ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
292 * Update bss node channel to reflect where
293 * we landed after CSA.
295 ieee80211_node_set_chan(vap->iv_bss,
296 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
297 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
298 /* XXX bypass debug msgs */
300 case IEEE80211_S_SCAN:
301 case IEEE80211_S_RUN:
302 #ifdef IEEE80211_DEBUG
303 if (ieee80211_msg_debug(vap)) {
304 struct ieee80211_node *ni = vap->iv_bss;
306 "synchronized with %s ssid ",
307 ether_sprintf(ni->ni_bssid));
308 ieee80211_print_essid(ni->ni_essid,
311 printf(" channel %d start %uMb\n",
312 ieee80211_chan2ieee(ic, ic->ic_curchan),
313 IEEE80211_RATE2MBS(ni->ni_txrate));
321 * Start/stop the authenticator. We delay until here
322 * to allow configuration to happen out of order.
324 if (vap->iv_auth->ia_attach != NULL) {
325 /* XXX check failure */
326 vap->iv_auth->ia_attach(vap);
327 } else if (vap->iv_auth->ia_detach != NULL) {
328 vap->iv_auth->ia_detach(vap);
330 ieee80211_node_authorize(vap->iv_bss);
332 case IEEE80211_S_CSA:
333 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
335 * On a ``band change'' silently drop associated
336 * stations as they must re-associate before they
337 * can pass traffic (as otherwise protocol state
338 * such as capabilities and the negotiated rate
339 * set may/will be wrong).
341 ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
351 hostap_deliver_data(struct ieee80211vap *vap,
352 struct ieee80211_node *ni, struct mbuf *m)
354 struct ether_header *eh = mtod(m, struct ether_header *);
355 struct ifnet *ifp = vap->iv_ifp;
357 /* clear driver/net80211 flags before passing up */
358 m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST);
360 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
361 ("gack, opmode %d", vap->iv_opmode));
366 IEEE80211_NODE_STAT(ni, rx_data);
367 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
368 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
369 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
370 IEEE80211_NODE_STAT(ni, rx_mcast);
372 IEEE80211_NODE_STAT(ni, rx_ucast);
374 /* perform as a bridge within the AP */
375 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
376 struct mbuf *mcopy = NULL;
378 if (m->m_flags & M_MCAST) {
379 mcopy = m_dup(m, M_DONTWAIT);
383 mcopy->m_flags |= M_MCAST;
386 * Check if the destination is associated with the
387 * same vap and authorized to receive traffic.
388 * Beware of traffic destined for the vap itself;
389 * sending it will not work; just let it be delivered
392 struct ieee80211_node *sta = ieee80211_find_vap_node(
393 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
395 if (ieee80211_node_is_authorized(sta)) {
397 * Beware of sending to ourself; this
398 * needs to happen via the normal
401 if (sta != vap->iv_bss) {
406 vap->iv_stats.is_rx_unauth++;
407 IEEE80211_NODE_STAT(sta, rx_unauth);
409 ieee80211_free_node(sta);
414 len = mcopy->m_pkthdr.len;
415 err = ifp->if_transmit(ifp, mcopy);
417 /* NB: IFQ_HANDOFF reclaims mcopy */
425 * Mark frame as coming from vap's interface.
427 m->m_pkthdr.rcvif = ifp;
428 if (m->m_flags & M_MCAST) {
430 * Spam DWDS vap's w/ multicast traffic.
432 /* XXX only if dwds in use? */
433 ieee80211_dwds_mcast(vap, m);
435 if (ni->ni_vlan != 0) {
436 /* attach vlan tag */
437 m->m_pkthdr.ether_vtag = ni->ni_vlan;
438 m->m_flags |= M_VLANTAG;
440 ifp->if_input(ifp, m);
445 * Decide if a received management frame should be
446 * printed when debugging is enabled. This filters some
447 * of the less interesting frames that come frequently
451 doprint(struct ieee80211vap *vap, int subtype)
454 case IEEE80211_FC0_SUBTYPE_BEACON:
455 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
456 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
463 * Process a received frame. The node associated with the sender
464 * should be supplied. If nothing was found in the node table then
465 * the caller is assumed to supply a reference to iv_bss instead.
466 * The RSSI and a timestamp are also supplied. The RSSI data is used
467 * during AP scanning to select a AP to associate with; it can have
468 * any units so long as values have consistent units and higher values
469 * mean ``better signal''. The receive timestamp is currently not used
470 * by the 802.11 layer.
473 hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
475 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
476 #define HAS_SEQ(type) ((type & 0x4) == 0)
477 struct ieee80211vap *vap = ni->ni_vap;
478 struct ieee80211com *ic = ni->ni_ic;
479 struct ifnet *ifp = vap->iv_ifp;
480 struct ieee80211_frame *wh;
481 struct ieee80211_key *key;
482 struct ether_header *eh;
483 int hdrspace, need_tap;
484 uint8_t dir, type, subtype, qos;
488 if (m->m_flags & M_AMPDU_MPDU) {
490 * Fastpath for A-MPDU reorder q resubmission. Frames
491 * w/ M_AMPDU_MPDU marked have already passed through
492 * here but were received out of order and been held on
493 * the reorder queue. When resubmitted they are marked
494 * with the M_AMPDU_MPDU flag and we can bypass most of
495 * the normal processing.
497 wh = mtod(m, struct ieee80211_frame *);
498 type = IEEE80211_FC0_TYPE_DATA;
499 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
500 subtype = IEEE80211_FC0_SUBTYPE_QOS;
501 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
505 KASSERT(ni != NULL, ("null node"));
506 ni->ni_inact = ni->ni_inact_reload;
508 need_tap = 1; /* mbuf need to be tapped. */
509 type = -1; /* undefined */
511 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
512 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
513 ni->ni_macaddr, NULL,
514 "too short (1): len %u", m->m_pkthdr.len);
515 vap->iv_stats.is_rx_tooshort++;
519 * Bit of a cheat here, we use a pointer for a 3-address
520 * frame format but don't reference fields past outside
521 * ieee80211_frame_min w/o first validating the data is
524 wh = mtod(m, struct ieee80211_frame *);
526 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
527 IEEE80211_FC0_VERSION_0) {
528 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
529 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
530 wh->i_fc[0], wh->i_fc[1]);
531 vap->iv_stats.is_rx_badversion++;
535 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
536 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
537 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
538 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
539 if (dir != IEEE80211_FC1_DIR_NODS)
541 else if (type == IEEE80211_FC0_TYPE_CTL)
544 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
545 IEEE80211_DISCARD_MAC(vap,
546 IEEE80211_MSG_ANY, ni->ni_macaddr,
547 NULL, "too short (2): len %u",
549 vap->iv_stats.is_rx_tooshort++;
555 * Validate the bssid.
557 if (!(type == IEEE80211_FC0_TYPE_MGT &&
558 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
559 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
560 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
561 /* not interested in */
562 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
563 bssid, NULL, "%s", "not to bss");
564 vap->iv_stats.is_rx_wrongbss++;
568 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
571 uint8_t tid = ieee80211_gettid(wh);
572 if (IEEE80211_QOS_HAS_SEQ(wh) &&
573 TID_TO_WME_AC(tid) >= WME_AC_VI)
574 ic->ic_wme.wme_hipri_traffic++;
575 rxseq = le16toh(*(uint16_t *)wh->i_seq);
576 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
577 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
578 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
579 /* duplicate, discard */
580 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
582 "seqno <%u,%u> fragno <%u,%u> tid %u",
583 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
584 ni->ni_rxseqs[tid] >>
585 IEEE80211_SEQ_SEQ_SHIFT,
586 rxseq & IEEE80211_SEQ_FRAG_MASK,
588 IEEE80211_SEQ_FRAG_MASK,
590 vap->iv_stats.is_rx_dup++;
591 IEEE80211_NODE_STAT(ni, rx_dup);
594 ni->ni_rxseqs[tid] = rxseq;
599 case IEEE80211_FC0_TYPE_DATA:
600 hdrspace = ieee80211_hdrspace(ic, wh);
601 if (m->m_len < hdrspace &&
602 (m = m_pullup(m, hdrspace)) == NULL) {
603 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
604 ni->ni_macaddr, NULL,
605 "data too short: expecting %u", hdrspace);
606 vap->iv_stats.is_rx_tooshort++;
609 if (!(dir == IEEE80211_FC1_DIR_TODS ||
610 (dir == IEEE80211_FC1_DIR_DSTODS &&
611 (vap->iv_flags & IEEE80211_F_DWDS)))) {
612 if (dir != IEEE80211_FC1_DIR_DSTODS) {
613 IEEE80211_DISCARD(vap,
614 IEEE80211_MSG_INPUT, wh, "data",
615 "incorrect dir 0x%x", dir);
617 IEEE80211_DISCARD(vap,
618 IEEE80211_MSG_INPUT |
619 IEEE80211_MSG_WDS, wh,
621 "%s", "DWDS not enabled");
623 vap->iv_stats.is_rx_wrongdir++;
626 /* check if source STA is associated */
627 if (ni == vap->iv_bss) {
628 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
629 wh, "data", "%s", "unknown src");
630 ieee80211_send_error(ni, wh->i_addr2,
631 IEEE80211_FC0_SUBTYPE_DEAUTH,
632 IEEE80211_REASON_NOT_AUTHED);
633 vap->iv_stats.is_rx_notassoc++;
636 if (ni->ni_associd == 0) {
637 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
638 wh, "data", "%s", "unassoc src");
639 IEEE80211_SEND_MGMT(ni,
640 IEEE80211_FC0_SUBTYPE_DISASSOC,
641 IEEE80211_REASON_NOT_ASSOCED);
642 vap->iv_stats.is_rx_notassoc++;
647 * Check for power save state change.
648 * XXX out-of-order A-MPDU frames?
650 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
651 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
652 ieee80211_node_pwrsave(ni,
653 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
655 * For 4-address packets handle WDS discovery
656 * notifications. Once a WDS link is setup frames
657 * are just delivered to the WDS vap (see below).
659 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
660 if (!ieee80211_node_is_authorized(ni)) {
661 IEEE80211_DISCARD(vap,
662 IEEE80211_MSG_INPUT |
663 IEEE80211_MSG_WDS, wh,
665 "%s", "unauthorized port");
666 vap->iv_stats.is_rx_unauth++;
667 IEEE80211_NODE_STAT(ni, rx_unauth);
670 ieee80211_dwds_discover(ni, m);
675 * Handle A-MPDU re-ordering. If the frame is to be
676 * processed directly then ieee80211_ampdu_reorder
677 * will return 0; otherwise it has consumed the mbuf
678 * and we should do nothing more with it.
680 if ((m->m_flags & M_AMPDU) &&
681 ieee80211_ampdu_reorder(ni, m) != 0) {
688 * Handle privacy requirements. Note that we
689 * must not be preempted from here until after
690 * we (potentially) call ieee80211_crypto_demic;
691 * otherwise we may violate assumptions in the
692 * crypto cipher modules used to do delayed update
693 * of replay sequence numbers.
695 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
696 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
698 * Discard encrypted frames when privacy is off.
700 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
701 wh, "WEP", "%s", "PRIVACY off");
702 vap->iv_stats.is_rx_noprivacy++;
703 IEEE80211_NODE_STAT(ni, rx_noprivacy);
706 key = ieee80211_crypto_decap(ni, m, hdrspace);
708 /* NB: stats+msgs handled in crypto_decap */
709 IEEE80211_NODE_STAT(ni, rx_wepfail);
712 wh = mtod(m, struct ieee80211_frame *);
713 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
715 /* XXX M_WEP and IEEE80211_F_PRIVACY */
720 * Save QoS bits for use below--before we strip the header.
722 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
723 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
724 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
725 ((struct ieee80211_qosframe *)wh)->i_qos[0];
730 * Next up, any fragmentation.
732 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
733 m = ieee80211_defrag(ni, m, hdrspace);
735 /* Fragment dropped or frame not complete yet */
739 wh = NULL; /* no longer valid, catch any uses */
742 * Next strip any MSDU crypto bits.
744 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
745 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
746 ni->ni_macaddr, "data", "%s", "demic error");
747 vap->iv_stats.is_rx_demicfail++;
748 IEEE80211_NODE_STAT(ni, rx_demicfail);
751 /* copy to listener after decrypt */
752 if (ieee80211_radiotap_active_vap(vap))
753 ieee80211_radiotap_rx(vap, m);
756 * Finally, strip the 802.11 header.
758 m = ieee80211_decap(vap, m, hdrspace);
760 /* XXX mask bit to check for both */
761 /* don't count Null data frames as errors */
762 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
763 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
765 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
766 ni->ni_macaddr, "data", "%s", "decap error");
767 vap->iv_stats.is_rx_decap++;
768 IEEE80211_NODE_STAT(ni, rx_decap);
771 eh = mtod(m, struct ether_header *);
772 if (!ieee80211_node_is_authorized(ni)) {
774 * Deny any non-PAE frames received prior to
775 * authorization. For open/shared-key
776 * authentication the port is mark authorized
777 * after authentication completes. For 802.1x
778 * the port is not marked authorized by the
779 * authenticator until the handshake has completed.
781 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
782 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
783 eh->ether_shost, "data",
784 "unauthorized port: ether type 0x%x len %u",
785 eh->ether_type, m->m_pkthdr.len);
786 vap->iv_stats.is_rx_unauth++;
787 IEEE80211_NODE_STAT(ni, rx_unauth);
792 * When denying unencrypted frames, discard
793 * any non-PAE frames received without encryption.
795 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
796 (key == NULL && (m->m_flags & M_WEP) == 0) &&
797 eh->ether_type != htons(ETHERTYPE_PAE)) {
799 * Drop unencrypted frames.
801 vap->iv_stats.is_rx_unencrypted++;
802 IEEE80211_NODE_STAT(ni, rx_unencrypted);
806 /* XXX require HT? */
807 if (qos & IEEE80211_QOS_AMSDU) {
808 m = ieee80211_decap_amsdu(ni, m);
810 return IEEE80211_FC0_TYPE_DATA;
812 #ifdef IEEE80211_SUPPORT_SUPERG
813 m = ieee80211_decap_fastframe(vap, ni, m);
815 return IEEE80211_FC0_TYPE_DATA;
818 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
819 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
821 hostap_deliver_data(vap, ni, m);
822 return IEEE80211_FC0_TYPE_DATA;
824 case IEEE80211_FC0_TYPE_MGT:
825 vap->iv_stats.is_rx_mgmt++;
826 IEEE80211_NODE_STAT(ni, rx_mgmt);
827 if (dir != IEEE80211_FC1_DIR_NODS) {
828 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
829 wh, "mgt", "incorrect dir 0x%x", dir);
830 vap->iv_stats.is_rx_wrongdir++;
833 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
834 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
835 ni->ni_macaddr, "mgt", "too short: len %u",
837 vap->iv_stats.is_rx_tooshort++;
840 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
841 /* ensure return frames are unicast */
842 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
843 wh, NULL, "source is multicast: %s",
844 ether_sprintf(wh->i_addr2));
845 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
848 #ifdef IEEE80211_DEBUG
849 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
850 ieee80211_msg_dumppkts(vap)) {
851 if_printf(ifp, "received %s from %s rssi %d\n",
852 ieee80211_mgt_subtype_name[subtype >>
853 IEEE80211_FC0_SUBTYPE_SHIFT],
854 ether_sprintf(wh->i_addr2), rssi);
857 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
858 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
860 * Only shared key auth frames with a challenge
861 * should be encrypted, discard all others.
863 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
865 "%s", "WEP set but not permitted");
866 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
869 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
871 * Discard encrypted frames when privacy is off.
873 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
874 wh, NULL, "%s", "WEP set but PRIVACY off");
875 vap->iv_stats.is_rx_noprivacy++;
878 hdrspace = ieee80211_hdrspace(ic, wh);
879 key = ieee80211_crypto_decap(ni, m, hdrspace);
881 /* NB: stats+msgs handled in crypto_decap */
884 wh = mtod(m, struct ieee80211_frame *);
885 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
887 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
890 case IEEE80211_FC0_TYPE_CTL:
891 vap->iv_stats.is_rx_ctl++;
892 IEEE80211_NODE_STAT(ni, rx_ctrl);
893 vap->iv_recv_ctl(ni, m, subtype);
896 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
897 wh, "bad", "frame type 0x%x", type);
898 /* should not come here */
905 if (need_tap && ieee80211_radiotap_active_vap(vap))
906 ieee80211_radiotap_rx(vap, m);
914 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
915 int rssi, int nf, uint16_t seq, uint16_t status)
917 struct ieee80211vap *vap = ni->ni_vap;
919 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
921 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
922 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
923 ni->ni_macaddr, "open auth",
924 "bad sta auth mode %u", ni->ni_authmode);
925 vap->iv_stats.is_rx_bad_auth++; /* XXX */
927 * Clear any challenge text that may be there if
928 * a previous shared key auth failed and then an
929 * open auth is attempted.
931 if (ni->ni_challenge != NULL) {
932 free(ni->ni_challenge, M_80211_NODE);
933 ni->ni_challenge = NULL;
935 /* XXX hack to workaround calling convention */
936 ieee80211_send_error(ni, wh->i_addr2,
937 IEEE80211_FC0_SUBTYPE_AUTH,
938 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
941 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
942 vap->iv_stats.is_rx_bad_auth++;
945 /* always accept open authentication requests */
946 if (ni == vap->iv_bss) {
947 ni = ieee80211_dup_bss(vap, wh->i_addr2);
950 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
951 (void) ieee80211_ref_node(ni);
953 * Mark the node as referenced to reflect that it's
954 * reference count has been bumped to insure it remains
955 * after the transaction completes.
957 ni->ni_flags |= IEEE80211_NODE_AREF;
959 * Mark the node as requiring a valid association id
960 * before outbound traffic is permitted.
962 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
964 if (vap->iv_acl != NULL &&
965 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
967 * When the ACL policy is set to RADIUS we defer the
968 * authorization to a user agent. Dispatch an event,
969 * a subsequent MLME call will decide the fate of the
970 * station. If the user agent is not present then the
971 * node will be reclaimed due to inactivity.
973 IEEE80211_NOTE_MAC(vap,
974 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
975 "%s", "station authentication defered (radius acl)");
976 ieee80211_notify_node_auth(ni);
978 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
979 IEEE80211_NOTE_MAC(vap,
980 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
981 "%s", "station authenticated (open)");
983 * When 802.1x is not in use mark the port
984 * authorized at this point so traffic can flow.
986 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
987 ieee80211_node_authorize(ni);
992 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
993 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
994 uint16_t seq, uint16_t status)
996 struct ieee80211vap *vap = ni->ni_vap;
998 int allocbs, estatus;
1000 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1003 * NB: this can happen as we allow pre-shared key
1004 * authentication to be enabled w/o wep being turned
1005 * on so that configuration of these can be done
1006 * in any order. It may be better to enforce the
1007 * ordering in which case this check would just be
1008 * for sanity/consistency.
1010 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1011 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1012 ni->ni_macaddr, "shared key auth",
1013 "%s", " PRIVACY is disabled");
1014 estatus = IEEE80211_STATUS_ALG;
1018 * Pre-shared key authentication is evil; accept
1019 * it only if explicitly configured (it is supported
1020 * mainly for compatibility with clients like Mac OS X).
1022 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1023 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1024 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1025 ni->ni_macaddr, "shared key auth",
1026 "bad sta auth mode %u", ni->ni_authmode);
1027 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1028 estatus = IEEE80211_STATUS_ALG;
1033 if (frm + 1 < efrm) {
1034 if ((frm[1] + 2) > (efrm - frm)) {
1035 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1036 ni->ni_macaddr, "shared key auth",
1037 "ie %d/%d too long",
1038 frm[0], (frm[1] + 2) - (efrm - frm));
1039 vap->iv_stats.is_rx_bad_auth++;
1040 estatus = IEEE80211_STATUS_CHALLENGE;
1043 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1048 case IEEE80211_AUTH_SHARED_CHALLENGE:
1049 case IEEE80211_AUTH_SHARED_RESPONSE:
1050 if (challenge == NULL) {
1051 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1052 ni->ni_macaddr, "shared key auth",
1053 "%s", "no challenge");
1054 vap->iv_stats.is_rx_bad_auth++;
1055 estatus = IEEE80211_STATUS_CHALLENGE;
1058 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1059 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1060 ni->ni_macaddr, "shared key auth",
1061 "bad challenge len %d", challenge[1]);
1062 vap->iv_stats.is_rx_bad_auth++;
1063 estatus = IEEE80211_STATUS_CHALLENGE;
1070 case IEEE80211_AUTH_SHARED_REQUEST:
1071 if (ni == vap->iv_bss) {
1072 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1074 /* NB: no way to return an error */
1079 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1080 (void) ieee80211_ref_node(ni);
1084 * Mark the node as referenced to reflect that it's
1085 * reference count has been bumped to insure it remains
1086 * after the transaction completes.
1088 ni->ni_flags |= IEEE80211_NODE_AREF;
1090 * Mark the node as requiring a valid associatio id
1091 * before outbound traffic is permitted.
1093 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1094 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1096 if (!ieee80211_alloc_challenge(ni)) {
1097 /* NB: don't return error so they rexmit */
1100 get_random_bytes(ni->ni_challenge,
1101 IEEE80211_CHALLENGE_LEN);
1102 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1103 ni, "shared key %sauth request", allocbs ? "" : "re");
1105 * When the ACL policy is set to RADIUS we defer the
1106 * authorization to a user agent. Dispatch an event,
1107 * a subsequent MLME call will decide the fate of the
1108 * station. If the user agent is not present then the
1109 * node will be reclaimed due to inactivity.
1111 if (vap->iv_acl != NULL &&
1112 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1113 IEEE80211_NOTE_MAC(vap,
1114 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1116 "%s", "station authentication defered (radius acl)");
1117 ieee80211_notify_node_auth(ni);
1121 case IEEE80211_AUTH_SHARED_RESPONSE:
1122 if (ni == vap->iv_bss) {
1123 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1124 ni->ni_macaddr, "shared key response",
1125 "%s", "unknown station");
1126 /* NB: don't send a response */
1129 if (ni->ni_challenge == NULL) {
1130 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1131 ni->ni_macaddr, "shared key response",
1132 "%s", "no challenge recorded");
1133 vap->iv_stats.is_rx_bad_auth++;
1134 estatus = IEEE80211_STATUS_CHALLENGE;
1137 if (memcmp(ni->ni_challenge, &challenge[2],
1138 challenge[1]) != 0) {
1139 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1140 ni->ni_macaddr, "shared key response",
1141 "%s", "challenge mismatch");
1142 vap->iv_stats.is_rx_auth_fail++;
1143 estatus = IEEE80211_STATUS_CHALLENGE;
1146 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1147 ni, "%s", "station authenticated (shared key)");
1148 ieee80211_node_authorize(ni);
1151 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1152 ni->ni_macaddr, "shared key auth",
1154 vap->iv_stats.is_rx_bad_auth++;
1155 estatus = IEEE80211_STATUS_SEQUENCE;
1158 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1162 * Send an error response; but only when operating as an AP.
1164 /* XXX hack to workaround calling convention */
1165 ieee80211_send_error(ni, wh->i_addr2,
1166 IEEE80211_FC0_SUBTYPE_AUTH,
1167 (seq + 1) | (estatus<<16));
1171 * Convert a WPA cipher selector OUI to an internal
1172 * cipher algorithm. Where appropriate we also
1173 * record any key length.
1176 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1178 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1179 uint32_t w = LE_READ_4(sel);
1182 case WPA_SEL(WPA_CSE_NULL):
1183 return IEEE80211_CIPHER_NONE;
1184 case WPA_SEL(WPA_CSE_WEP40):
1186 *keylen = 40 / NBBY;
1187 return IEEE80211_CIPHER_WEP;
1188 case WPA_SEL(WPA_CSE_WEP104):
1190 *keylen = 104 / NBBY;
1191 return IEEE80211_CIPHER_WEP;
1192 case WPA_SEL(WPA_CSE_TKIP):
1193 return IEEE80211_CIPHER_TKIP;
1194 case WPA_SEL(WPA_CSE_CCMP):
1195 return IEEE80211_CIPHER_AES_CCM;
1197 return 32; /* NB: so 1<< is discarded */
1202 * Convert a WPA key management/authentication algorithm
1203 * to an internal code.
1206 wpa_keymgmt(const uint8_t *sel)
1208 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1209 uint32_t w = LE_READ_4(sel);
1212 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1213 return WPA_ASE_8021X_UNSPEC;
1214 case WPA_SEL(WPA_ASE_8021X_PSK):
1215 return WPA_ASE_8021X_PSK;
1216 case WPA_SEL(WPA_ASE_NONE):
1217 return WPA_ASE_NONE;
1219 return 0; /* NB: so is discarded */
1224 * Parse a WPA information element to collect parameters.
1225 * Note that we do not validate security parameters; that
1226 * is handled by the authenticator; the parsing done here
1227 * is just for internal use in making operational decisions.
1230 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1231 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1233 uint8_t len = frm[1];
1238 * Check the length once for fixed parts: OUI, type,
1239 * version, mcast cipher, and 2 selector counts.
1240 * Other, variable-length data, must be checked separately.
1242 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1243 IEEE80211_DISCARD_IE(vap,
1244 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1245 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1246 return IEEE80211_REASON_IE_INVALID;
1249 IEEE80211_DISCARD_IE(vap,
1250 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1251 wh, "WPA", "too short, len %u", len);
1252 return IEEE80211_REASON_IE_INVALID;
1254 frm += 6, len -= 4; /* NB: len is payload only */
1255 /* NB: iswapoui already validated the OUI and type */
1257 if (w != WPA_VERSION) {
1258 IEEE80211_DISCARD_IE(vap,
1259 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1260 wh, "WPA", "bad version %u", w);
1261 return IEEE80211_REASON_IE_INVALID;
1265 memset(rsn, 0, sizeof(*rsn));
1267 /* multicast/group cipher */
1268 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1271 /* unicast ciphers */
1275 IEEE80211_DISCARD_IE(vap,
1276 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1277 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1279 return IEEE80211_REASON_IE_INVALID;
1282 for (; n > 0; n--) {
1283 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1286 if (w & (1<<IEEE80211_CIPHER_TKIP))
1287 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1289 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1291 /* key management algorithms */
1295 IEEE80211_DISCARD_IE(vap,
1296 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1297 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1299 return IEEE80211_REASON_IE_INVALID;
1302 for (; n > 0; n--) {
1303 w |= wpa_keymgmt(frm);
1306 if (w & WPA_ASE_8021X_UNSPEC)
1307 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1309 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1311 if (len > 2) /* optional capabilities */
1312 rsn->rsn_caps = LE_READ_2(frm);
1318 * Convert an RSN cipher selector OUI to an internal
1319 * cipher algorithm. Where appropriate we also
1320 * record any key length.
1323 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1325 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1326 uint32_t w = LE_READ_4(sel);
1329 case RSN_SEL(RSN_CSE_NULL):
1330 return IEEE80211_CIPHER_NONE;
1331 case RSN_SEL(RSN_CSE_WEP40):
1333 *keylen = 40 / NBBY;
1334 return IEEE80211_CIPHER_WEP;
1335 case RSN_SEL(RSN_CSE_WEP104):
1337 *keylen = 104 / NBBY;
1338 return IEEE80211_CIPHER_WEP;
1339 case RSN_SEL(RSN_CSE_TKIP):
1340 return IEEE80211_CIPHER_TKIP;
1341 case RSN_SEL(RSN_CSE_CCMP):
1342 return IEEE80211_CIPHER_AES_CCM;
1343 case RSN_SEL(RSN_CSE_WRAP):
1344 return IEEE80211_CIPHER_AES_OCB;
1346 return 32; /* NB: so 1<< is discarded */
1351 * Convert an RSN key management/authentication algorithm
1352 * to an internal code.
1355 rsn_keymgmt(const uint8_t *sel)
1357 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1358 uint32_t w = LE_READ_4(sel);
1361 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1362 return RSN_ASE_8021X_UNSPEC;
1363 case RSN_SEL(RSN_ASE_8021X_PSK):
1364 return RSN_ASE_8021X_PSK;
1365 case RSN_SEL(RSN_ASE_NONE):
1366 return RSN_ASE_NONE;
1368 return 0; /* NB: so is discarded */
1373 * Parse a WPA/RSN information element to collect parameters
1374 * and validate the parameters against what has been
1375 * configured for the system.
1378 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1379 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1381 uint8_t len = frm[1];
1386 * Check the length once for fixed parts:
1387 * version, mcast cipher, and 2 selector counts.
1388 * Other, variable-length data, must be checked separately.
1390 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1391 IEEE80211_DISCARD_IE(vap,
1392 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1393 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1394 return IEEE80211_REASON_IE_INVALID;
1397 IEEE80211_DISCARD_IE(vap,
1398 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1399 wh, "RSN", "too short, len %u", len);
1400 return IEEE80211_REASON_IE_INVALID;
1404 if (w != RSN_VERSION) {
1405 IEEE80211_DISCARD_IE(vap,
1406 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1407 wh, "RSN", "bad version %u", w);
1408 return IEEE80211_REASON_IE_INVALID;
1412 memset(rsn, 0, sizeof(*rsn));
1414 /* multicast/group cipher */
1415 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1418 /* unicast ciphers */
1422 IEEE80211_DISCARD_IE(vap,
1423 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1424 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1426 return IEEE80211_REASON_IE_INVALID;
1429 for (; n > 0; n--) {
1430 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1433 if (w & (1<<IEEE80211_CIPHER_TKIP))
1434 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1436 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1438 /* key management algorithms */
1442 IEEE80211_DISCARD_IE(vap,
1443 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1444 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1446 return IEEE80211_REASON_IE_INVALID;
1449 for (; n > 0; n--) {
1450 w |= rsn_keymgmt(frm);
1453 if (w & RSN_ASE_8021X_UNSPEC)
1454 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1456 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1458 /* optional RSN capabilities */
1460 rsn->rsn_caps = LE_READ_2(frm);
1467 * WPA/802.11i assocation request processing.
1470 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1471 const struct ieee80211_frame *wh, const uint8_t *wpa,
1472 const uint8_t *rsn, uint16_t capinfo)
1474 struct ieee80211vap *vap = ni->ni_vap;
1478 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1479 if (wpa == NULL && rsn == NULL) {
1480 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1482 * W-Fi Protected Setup (WPS) permits
1483 * clients to associate and pass EAPOL frames
1484 * to establish initial credentials.
1486 ni->ni_flags |= IEEE80211_NODE_WPS;
1489 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1490 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1492 * Transitional Security Network. Permits clients
1493 * to associate and use WEP while WPA is configured.
1495 ni->ni_flags |= IEEE80211_NODE_TSN;
1498 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1499 wh, NULL, "%s", "no WPA/RSN IE in association request");
1500 vap->iv_stats.is_rx_assoc_badwpaie++;
1501 reason = IEEE80211_REASON_IE_INVALID;
1504 /* assert right association security credentials */
1505 badwparsn = 0; /* NB: to silence compiler */
1506 switch (vap->iv_flags & IEEE80211_F_WPA) {
1507 case IEEE80211_F_WPA1:
1508 badwparsn = (wpa == NULL);
1510 case IEEE80211_F_WPA2:
1511 badwparsn = (rsn == NULL);
1513 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1514 badwparsn = (wpa == NULL && rsn == NULL);
1518 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1520 "%s", "missing WPA/RSN IE in association request");
1521 vap->iv_stats.is_rx_assoc_badwpaie++;
1522 reason = IEEE80211_REASON_IE_INVALID;
1526 * Parse WPA/RSN information element.
1529 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1531 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1533 /* XXX distinguish WPA/RSN? */
1534 vap->iv_stats.is_rx_assoc_badwpaie++;
1537 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1538 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1539 wpa != NULL ? "WPA" : "RSN",
1540 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1541 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1542 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1546 ieee80211_node_deauth(ni, reason);
1550 /* XXX find a better place for definition */
1551 struct l2_update_frame {
1552 struct ether_header eh;
1560 * Deliver a TGf L2UF frame on behalf of a station.
1561 * This primes any bridge when the station is roaming
1562 * between ap's on the same wired network.
1565 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1567 struct ieee80211vap *vap = ni->ni_vap;
1568 struct ifnet *ifp = vap->iv_ifp;
1570 struct l2_update_frame *l2uf;
1571 struct ether_header *eh;
1573 m = m_gethdr(M_NOWAIT, MT_DATA);
1575 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1576 "%s", "no mbuf for l2uf frame");
1577 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1580 l2uf = mtod(m, struct l2_update_frame *);
1582 /* dst: Broadcast address */
1583 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1584 /* src: associated STA */
1585 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1586 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1590 l2uf->control = 0xf5;
1591 l2uf->xid[0] = 0x81;
1592 l2uf->xid[1] = 0x80;
1593 l2uf->xid[2] = 0x00;
1595 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1596 hostap_deliver_data(vap, ni, m);
1600 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1601 int reassoc, int resp, const char *tag, int rate)
1603 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1604 "deny %s request, %s rate set mismatch, rate/MCS %d",
1605 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1606 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1607 ieee80211_node_leave(ni);
1611 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1612 int reassoc, int resp, const char *tag, int capinfo)
1614 struct ieee80211vap *vap = ni->ni_vap;
1616 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1617 "deny %s request, %s mismatch 0x%x",
1618 reassoc ? "reassoc" : "assoc", tag, capinfo);
1619 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1620 ieee80211_node_leave(ni);
1621 vap->iv_stats.is_rx_assoc_capmismatch++;
1625 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1626 int reassoc, int resp)
1628 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1629 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1630 /* XXX no better code */
1631 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1632 ieee80211_node_leave(ni);
1636 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1637 int algo, int seq, int status)
1639 struct ieee80211vap *vap = ni->ni_vap;
1641 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1642 wh, NULL, "unsupported alg %d", algo);
1643 vap->iv_stats.is_rx_auth_unsupported++;
1644 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1645 seq | (status << 16));
1649 ishtmixed(const uint8_t *ie)
1651 const struct ieee80211_ie_htinfo *ht =
1652 (const struct ieee80211_ie_htinfo *) ie;
1653 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1654 IEEE80211_HTINFO_OPMODE_MIXED;
1658 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1660 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1663 /* NB: the 11b clients we care about will not have xrates */
1664 if (xrates != NULL || rates == NULL)
1666 for (i = 0; i < rates[1]; i++) {
1667 int r = rates[2+i] & IEEE80211_RATE_VAL;
1668 if (r > 2*11 || ((1<<r) & brates) == 0)
1675 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1676 int subtype, int rssi, int nf)
1678 struct ieee80211vap *vap = ni->ni_vap;
1679 struct ieee80211com *ic = ni->ni_ic;
1680 struct ieee80211_frame *wh;
1681 uint8_t *frm, *efrm, *sfrm;
1682 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1686 wh = mtod(m0, struct ieee80211_frame *);
1687 frm = (uint8_t *)&wh[1];
1688 efrm = mtod(m0, uint8_t *) + m0->m_len;
1690 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1691 case IEEE80211_FC0_SUBTYPE_BEACON: {
1692 struct ieee80211_scanparams scan;
1694 * We process beacon/probe response frames when scanning;
1695 * otherwise we check beacon frames for overlapping non-ERP
1696 * BSS in 11g and/or overlapping legacy BSS when in HT.
1698 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1699 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1700 vap->iv_stats.is_rx_mgtdiscard++;
1703 /* NB: accept off-channel frames */
1704 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1707 * Count frame now that we know it's to be processed.
1709 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1710 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1711 IEEE80211_NODE_STAT(ni, rx_beacons);
1713 IEEE80211_NODE_STAT(ni, rx_proberesp);
1715 * If scanning, just pass information to the scan module.
1717 if (ic->ic_flags & IEEE80211_F_SCAN) {
1718 if (scan.status == 0 && /* NB: on channel */
1719 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1721 * Actively scanning a channel marked passive;
1722 * send a probe request now that we know there
1723 * is 802.11 traffic present.
1725 * XXX check if the beacon we recv'd gives
1726 * us what we need and suppress the probe req
1728 ieee80211_probe_curchan(vap, 1);
1729 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1731 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1735 * Check beacon for overlapping bss w/ non ERP stations.
1736 * If we detect one and protection is configured but not
1737 * enabled, enable it and start a timer that'll bring us
1738 * out if we stop seeing the bss.
1740 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1741 scan.status == 0 && /* NB: on-channel */
1742 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1743 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1744 ic->ic_lastnonerp = ticks;
1745 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1746 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1747 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1748 IEEE80211_NOTE_FRAME(vap,
1749 IEEE80211_MSG_ASSOC, wh,
1750 "non-ERP present on channel %d "
1751 "(saw erp 0x%x from channel %d), "
1752 "enable use of protection",
1753 ic->ic_curchan->ic_ieee,
1754 scan.erp, scan.chan);
1755 ic->ic_flags |= IEEE80211_F_USEPROT;
1756 ieee80211_notify_erp(ic);
1760 * Check beacon for non-HT station on HT channel
1761 * and update HT BSS occupancy as appropriate.
1763 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1764 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1766 * Off control channel; only check frames
1767 * that come in the extension channel when
1768 * operating w/ HT40.
1770 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1772 if (scan.chan != ic->ic_curchan->ic_extieee)
1775 if (scan.htinfo == NULL) {
1776 ieee80211_htprot_update(ic,
1777 IEEE80211_HTINFO_OPMODE_PROTOPT |
1778 IEEE80211_HTINFO_NONHT_PRESENT);
1779 } else if (ishtmixed(scan.htinfo)) {
1780 /* XXX? take NONHT_PRESENT from beacon? */
1781 ieee80211_htprot_update(ic,
1782 IEEE80211_HTINFO_OPMODE_MIXED |
1783 IEEE80211_HTINFO_NONHT_PRESENT);
1789 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1790 if (vap->iv_state != IEEE80211_S_RUN) {
1791 vap->iv_stats.is_rx_mgtdiscard++;
1795 * prreq frame format
1797 * [tlv] supported rates
1798 * [tlv] extended supported rates
1800 ssid = rates = xrates = NULL;
1802 while (efrm - frm > 1) {
1803 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1805 case IEEE80211_ELEMID_SSID:
1808 case IEEE80211_ELEMID_RATES:
1811 case IEEE80211_ELEMID_XRATES:
1817 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1819 IEEE80211_VERIFY_ELEMENT(xrates,
1820 IEEE80211_RATE_MAXSIZE - rates[1], return);
1821 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1822 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1823 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1824 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1826 "%s", "no ssid with ssid suppression enabled");
1827 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1831 /* XXX find a better class or define it's own */
1832 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1833 "%s", "recv probe req");
1835 * Some legacy 11b clients cannot hack a complete
1836 * probe response frame. When the request includes
1837 * only a bare-bones rate set, communicate this to
1838 * the transmit side.
1840 ieee80211_send_proberesp(vap, wh->i_addr2,
1841 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1844 case IEEE80211_FC0_SUBTYPE_AUTH: {
1845 uint16_t algo, seq, status;
1847 if (vap->iv_state != IEEE80211_S_RUN) {
1848 vap->iv_stats.is_rx_mgtdiscard++;
1851 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1852 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1853 wh, NULL, "%s", "wrong bssid");
1854 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1864 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1865 algo = le16toh(*(uint16_t *)frm);
1866 seq = le16toh(*(uint16_t *)(frm + 2));
1867 status = le16toh(*(uint16_t *)(frm + 4));
1868 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1869 "recv auth frame with algorithm %d seq %d", algo, seq);
1871 * Consult the ACL policy module if setup.
1873 if (vap->iv_acl != NULL &&
1874 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1875 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1876 wh, NULL, "%s", "disallowed by ACL");
1877 vap->iv_stats.is_rx_acl++;
1878 ieee80211_send_error(ni, wh->i_addr2,
1879 IEEE80211_FC0_SUBTYPE_AUTH,
1880 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1883 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1884 IEEE80211_DISCARD(vap,
1885 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1886 wh, NULL, "%s", "TKIP countermeasures enabled");
1887 vap->iv_stats.is_rx_auth_countermeasures++;
1888 ieee80211_send_error(ni, wh->i_addr2,
1889 IEEE80211_FC0_SUBTYPE_AUTH,
1890 IEEE80211_REASON_MIC_FAILURE);
1893 if (algo == IEEE80211_AUTH_ALG_SHARED)
1894 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1896 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1897 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1898 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1899 authalgreject(ni, wh, algo,
1900 seq+1, IEEE80211_STATUS_ALG);
1904 * We assume that an unknown algorithm is the result
1905 * of a decryption failure on a shared key auth frame;
1906 * return a status code appropriate for that instead
1907 * of IEEE80211_STATUS_ALG.
1909 * NB: a seq# of 4 is intentional; the decrypted
1910 * frame likely has a bogus seq value.
1912 authalgreject(ni, wh, algo,
1913 4, IEEE80211_STATUS_CHALLENGE);
1919 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1920 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1921 uint16_t capinfo, lintval;
1922 struct ieee80211_rsnparms rsnparms;
1924 if (vap->iv_state != IEEE80211_S_RUN) {
1925 vap->iv_stats.is_rx_mgtdiscard++;
1928 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1929 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1930 wh, NULL, "%s", "wrong bssid");
1931 vap->iv_stats.is_rx_assoc_bss++;
1934 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1936 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1939 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1941 if (ni == vap->iv_bss) {
1942 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1943 "deny %s request, sta not authenticated",
1944 reassoc ? "reassoc" : "assoc");
1945 ieee80211_send_error(ni, wh->i_addr2,
1946 IEEE80211_FC0_SUBTYPE_DEAUTH,
1947 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1948 vap->iv_stats.is_rx_assoc_notauth++;
1953 * asreq frame format
1954 * [2] capability information
1955 * [2] listen interval
1956 * [6*] current AP address (reassoc only)
1958 * [tlv] supported rates
1959 * [tlv] extended supported rates
1961 * [tlv] HT capabilities
1962 * [tlv] Atheros capabilities
1964 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1965 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1966 lintval = le16toh(*(uint16_t *)frm); frm += 2;
1968 frm += 6; /* ignore current AP info */
1969 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1971 while (efrm - frm > 1) {
1972 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1974 case IEEE80211_ELEMID_SSID:
1977 case IEEE80211_ELEMID_RATES:
1980 case IEEE80211_ELEMID_XRATES:
1983 case IEEE80211_ELEMID_RSN:
1986 case IEEE80211_ELEMID_HTCAP:
1989 case IEEE80211_ELEMID_VENDOR:
1992 else if (iswmeinfo(frm))
1994 #ifdef IEEE80211_SUPPORT_SUPERG
1995 else if (isatherosoui(frm))
1998 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1999 if (ishtcapoui(frm) && htcap == NULL)
2006 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2008 IEEE80211_VERIFY_ELEMENT(xrates,
2009 IEEE80211_RATE_MAXSIZE - rates[1], return);
2010 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2011 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2012 if (htcap != NULL) {
2013 IEEE80211_VERIFY_LENGTH(htcap[1],
2014 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2015 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2016 sizeof(struct ieee80211_ie_htcap)-2,
2017 return); /* XXX just NULL out? */
2020 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2021 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2023 /* discard challenge after association */
2024 if (ni->ni_challenge != NULL) {
2025 free(ni->ni_challenge, M_80211_NODE);
2026 ni->ni_challenge = NULL;
2028 /* NB: 802.11 spec says to ignore station's privacy bit */
2029 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2030 capinfomismatch(ni, wh, reassoc, resp,
2031 "capability", capinfo);
2035 * Disallow re-associate w/ invalid slot time setting.
2037 if (ni->ni_associd != 0 &&
2038 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2039 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2040 capinfomismatch(ni, wh, reassoc, resp,
2041 "slot time", capinfo);
2044 rate = ieee80211_setup_rates(ni, rates, xrates,
2045 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2046 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2047 if (rate & IEEE80211_RATE_BASIC) {
2048 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2049 vap->iv_stats.is_rx_assoc_norate++;
2053 * If constrained to 11g-only stations reject an
2054 * 11b-only station. We cheat a bit here by looking
2055 * at the max negotiated xmit rate and assuming anyone
2056 * with a best rate <24Mb/s is an 11b station.
2058 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2059 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2060 vap->iv_stats.is_rx_assoc_norate++;
2064 * Do HT rate set handling and setup HT node state.
2066 ni->ni_chan = vap->iv_bss->ni_chan;
2067 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2068 rate = ieee80211_setup_htrates(ni, htcap,
2069 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2071 if (rate & IEEE80211_RATE_BASIC) {
2072 ratesetmismatch(ni, wh, reassoc, resp,
2074 vap->iv_stats.is_ht_assoc_norate++;
2077 ieee80211_ht_node_init(ni);
2078 ieee80211_ht_updatehtcap(ni, htcap);
2079 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2080 ieee80211_ht_node_cleanup(ni);
2081 #ifdef IEEE80211_SUPPORT_SUPERG
2082 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH)
2083 ieee80211_ff_node_cleanup(ni);
2086 * Allow AMPDU operation only with unencrypted traffic
2087 * or AES-CCM; the 11n spec only specifies these ciphers
2088 * so permitting any others is undefined and can lead
2089 * to interoperability problems.
2091 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2092 (((vap->iv_flags & IEEE80211_F_WPA) &&
2093 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2094 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2096 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2097 "disallow HT use because WEP or TKIP requested, "
2098 "capinfo 0x%x ucastcipher %d", capinfo,
2099 rsnparms.rsn_ucastcipher);
2100 ieee80211_ht_node_cleanup(ni);
2101 vap->iv_stats.is_ht_assoc_downgrade++;
2104 * If constrained to 11n-only stations reject legacy stations.
2106 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2107 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2108 htcapmismatch(ni, wh, reassoc, resp);
2109 vap->iv_stats.is_ht_assoc_nohtcap++;
2112 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2114 ni->ni_intval = lintval;
2115 ni->ni_capinfo = capinfo;
2116 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2117 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2120 * XXX maybe better to just expand
2122 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2123 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2125 setie(wpa_ie, wpa - sfrm);
2127 setie(rsn_ie, rsn - sfrm);
2129 setie(htcap_ie, htcap - sfrm);
2131 setie(wme_ie, wme - sfrm);
2133 * Mark node as capable of QoS.
2135 ni->ni_flags |= IEEE80211_NODE_QOS;
2137 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2138 #ifdef IEEE80211_SUPPORT_SUPERG
2140 setie(ath_ie, ath - sfrm);
2142 * Parse ATH station parameters.
2144 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2147 ni->ni_ath_flags = 0;
2150 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2151 ni->ni_ath_flags = 0;
2153 ieee80211_node_join(ni, resp);
2154 ieee80211_deliver_l2uf(ni);
2158 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2159 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2162 if (vap->iv_state != IEEE80211_S_RUN ||
2163 /* NB: can happen when in promiscuous mode */
2164 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2165 vap->iv_stats.is_rx_mgtdiscard++;
2169 * deauth/disassoc frame format
2172 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2173 reason = le16toh(*(uint16_t *)frm);
2174 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2175 vap->iv_stats.is_rx_deauth++;
2176 IEEE80211_NODE_STAT(ni, rx_deauth);
2178 vap->iv_stats.is_rx_disassoc++;
2179 IEEE80211_NODE_STAT(ni, rx_disassoc);
2181 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2182 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2183 IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2184 if (ni != vap->iv_bss)
2185 ieee80211_node_leave(ni);
2189 case IEEE80211_FC0_SUBTYPE_ACTION:
2190 if (vap->iv_state == IEEE80211_S_RUN) {
2191 if (ieee80211_parse_action(ni, m0) == 0)
2192 ic->ic_recv_action(ni, wh, frm, efrm);
2194 vap->iv_stats.is_rx_mgtdiscard++;
2197 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2198 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2200 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2201 wh, "mgt", "subtype 0x%x not handled", subtype);
2202 vap->iv_stats.is_rx_badsubtype++;
2208 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2211 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2212 hostap_recv_pspoll(ni, m);
2214 case IEEE80211_FC0_SUBTYPE_BAR:
2215 ieee80211_recv_bar(ni, m);
2221 * Process a received ps-poll frame.
2224 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2226 struct ieee80211vap *vap = ni->ni_vap;
2227 struct ieee80211_frame_min *wh;
2233 wh = mtod(m0, struct ieee80211_frame_min *);
2234 if (ni->ni_associd == 0) {
2235 IEEE80211_DISCARD(vap,
2236 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2237 (struct ieee80211_frame *) wh, NULL,
2238 "%s", "unassociated station");
2239 vap->iv_stats.is_ps_unassoc++;
2240 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2241 IEEE80211_REASON_NOT_ASSOCED);
2245 aid = le16toh(*(uint16_t *)wh->i_dur);
2246 if (aid != ni->ni_associd) {
2247 IEEE80211_DISCARD(vap,
2248 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2249 (struct ieee80211_frame *) wh, NULL,
2250 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2251 ni->ni_associd, aid);
2252 vap->iv_stats.is_ps_badaid++;
2254 * NB: We used to deauth the station but it turns out
2255 * the Blackberry Curve 8230 (and perhaps other devices)
2256 * sometimes send the wrong AID when WME is negotiated.
2257 * Being more lenient here seems ok as we already check
2258 * the station is associated and we only return frames
2259 * queued for the station (i.e. we don't use the AID).
2264 /* Okay, take the first queued packet and put it out... */
2265 m = ieee80211_node_psq_dequeue(ni, &qlen);
2267 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2268 "%s", "recv ps-poll, but queue empty");
2269 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2270 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2271 if (vap->iv_set_tim != NULL)
2272 vap->iv_set_tim(ni, 0); /* just in case */
2276 * If there are more packets, set the more packets bit
2277 * in the packet dispatched to the station; otherwise
2278 * turn off the TIM bit.
2281 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2282 "recv ps-poll, send packet, %u still queued", qlen);
2283 m->m_flags |= M_MORE_DATA;
2285 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2286 "%s", "recv ps-poll, send packet, queue empty");
2287 if (vap->iv_set_tim != NULL)
2288 vap->iv_set_tim(ni, 0);
2290 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2292 if (m->m_flags & M_ENCAP)
2293 ifp = vap->iv_ic->ic_ifp;
2296 IF_ENQUEUE(&ifp->if_snd, m);