2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 HOSTAP mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_var.h>
52 #include <net/if_media.h>
53 #include <net/if_llc.h>
54 #include <net/ethernet.h>
58 #include <net80211/ieee80211_var.h>
59 #include <net80211/ieee80211_hostap.h>
60 #include <net80211/ieee80211_input.h>
61 #ifdef IEEE80211_SUPPORT_SUPERG
62 #include <net80211/ieee80211_superg.h>
64 #include <net80211/ieee80211_wds.h>
66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
68 static void hostap_vattach(struct ieee80211vap *);
69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
71 const struct ieee80211_rx_stats *,
73 static void hostap_deliver_data(struct ieee80211vap *,
74 struct ieee80211_node *, struct mbuf *);
75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
80 ieee80211_hostap_attach(struct ieee80211com *ic)
82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
86 ieee80211_hostap_detach(struct ieee80211com *ic)
91 hostap_vdetach(struct ieee80211vap *vap)
96 hostap_vattach(struct ieee80211vap *vap)
98 vap->iv_newstate = hostap_newstate;
99 vap->iv_input = hostap_input;
100 vap->iv_recv_mgmt = hostap_recv_mgmt;
101 vap->iv_recv_ctl = hostap_recv_ctl;
102 vap->iv_opdetach = hostap_vdetach;
103 vap->iv_deliver_data = hostap_deliver_data;
104 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
108 sta_disassoc(void *arg, struct ieee80211_node *ni)
110 struct ieee80211vap *vap = arg;
112 if (ni->ni_vap == vap && ni->ni_associd != 0) {
113 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
114 IEEE80211_REASON_ASSOC_LEAVE);
115 ieee80211_node_leave(ni);
120 sta_csa(void *arg, struct ieee80211_node *ni)
122 struct ieee80211vap *vap = arg;
124 if (ni->ni_vap == vap && ni->ni_associd != 0)
125 if (ni->ni_inact > vap->iv_inact_init) {
126 ni->ni_inact = vap->iv_inact_init;
127 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
128 "%s: inact %u", __func__, ni->ni_inact);
133 sta_drop(void *arg, struct ieee80211_node *ni)
135 struct ieee80211vap *vap = arg;
137 if (ni->ni_vap == vap && ni->ni_associd != 0)
138 ieee80211_node_leave(ni);
142 * Does a channel change require associated stations to re-associate
143 * so protocol state is correct. This is used when doing CSA across
144 * bands or similar (e.g. HT -> legacy).
147 isbandchange(struct ieee80211com *ic)
149 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
150 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
151 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
155 * IEEE80211_M_HOSTAP vap state machine handler.
158 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
160 struct ieee80211com *ic = vap->iv_ic;
161 enum ieee80211_state ostate;
163 IEEE80211_LOCK_ASSERT(ic);
165 ostate = vap->iv_state;
166 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
167 __func__, ieee80211_state_name[ostate],
168 ieee80211_state_name[nstate], arg);
169 vap->iv_state = nstate; /* state transition */
170 if (ostate != IEEE80211_S_SCAN)
171 ieee80211_cancel_scan(vap); /* background scan */
173 case IEEE80211_S_INIT:
175 case IEEE80211_S_SCAN:
176 ieee80211_cancel_scan(vap);
178 case IEEE80211_S_CAC:
179 ieee80211_dfs_cac_stop(vap);
181 case IEEE80211_S_RUN:
182 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
187 if (ostate != IEEE80211_S_INIT) {
188 /* NB: optimize INIT -> INIT case */
189 ieee80211_reset_bss(vap);
191 if (vap->iv_auth->ia_detach != NULL)
192 vap->iv_auth->ia_detach(vap);
194 case IEEE80211_S_SCAN:
196 case IEEE80211_S_CSA:
197 case IEEE80211_S_RUN:
198 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
200 * Clear overlapping BSS state; the beacon frame
201 * will be reconstructed on transition to the RUN
202 * state and the timeout routines check if the flag
203 * is set before doing anything so this is sufficient.
205 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
206 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
208 case IEEE80211_S_CAC:
210 * NB: We may get here because of a manual channel
211 * change in which case we need to stop CAC
212 * XXX no need to stop if ostate RUN but it's ok
214 ieee80211_dfs_cac_stop(vap);
216 case IEEE80211_S_INIT:
217 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
218 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
220 * Already have a channel; bypass the
221 * scan and startup immediately.
222 * ieee80211_create_ibss will call back to
223 * move us to RUN state.
225 ieee80211_create_ibss(vap, vap->iv_des_chan);
229 * Initiate a scan. We can come here as a result
230 * of an IEEE80211_IOC_SCAN_REQ too in which case
231 * the vap will be marked with IEEE80211_FEXT_SCANREQ
232 * and the scan request parameters will be present
233 * in iv_scanreq. Otherwise we do the default.
235 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
236 ieee80211_check_scan(vap,
237 vap->iv_scanreq_flags,
238 vap->iv_scanreq_duration,
239 vap->iv_scanreq_mindwell,
240 vap->iv_scanreq_maxdwell,
241 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
242 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
244 ieee80211_check_scan_current(vap);
246 case IEEE80211_S_SCAN:
248 * A state change requires a reset; scan.
250 ieee80211_check_scan_current(vap);
256 case IEEE80211_S_CAC:
258 * Start CAC on a DFS channel. We come here when starting
259 * a bss on a DFS channel (see ieee80211_create_ibss).
261 ieee80211_dfs_cac_start(vap);
263 case IEEE80211_S_RUN:
264 if (vap->iv_flags & IEEE80211_F_WPA) {
265 /* XXX validate prerequisites */
268 case IEEE80211_S_INIT:
270 * Already have a channel; bypass the
271 * scan and startup immediately.
272 * Note that ieee80211_create_ibss will call
273 * back to do a RUN->RUN state change.
275 ieee80211_create_ibss(vap,
276 ieee80211_ht_adjust_channel(ic,
277 ic->ic_curchan, vap->iv_flags_ht));
278 /* NB: iv_bss is changed on return */
280 case IEEE80211_S_CAC:
282 * NB: This is the normal state change when CAC
283 * expires and no radar was detected; no need to
284 * clear the CAC timer as it's already expired.
287 case IEEE80211_S_CSA:
289 * Shorten inactivity timer of associated stations
290 * to weed out sta's that don't follow a CSA.
292 ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
294 * Update bss node channel to reflect where
295 * we landed after CSA.
297 ieee80211_node_set_chan(vap->iv_bss,
298 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
299 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
300 /* XXX bypass debug msgs */
302 case IEEE80211_S_SCAN:
303 case IEEE80211_S_RUN:
304 #ifdef IEEE80211_DEBUG
305 if (ieee80211_msg_debug(vap)) {
306 struct ieee80211_node *ni = vap->iv_bss;
308 "synchronized with %s ssid ",
309 ether_sprintf(ni->ni_bssid));
310 ieee80211_print_essid(ni->ni_essid,
313 printf(" channel %d start %uMb\n",
314 ieee80211_chan2ieee(ic, ic->ic_curchan),
315 IEEE80211_RATE2MBS(ni->ni_txrate));
323 * Start/stop the authenticator. We delay until here
324 * to allow configuration to happen out of order.
326 if (vap->iv_auth->ia_attach != NULL) {
327 /* XXX check failure */
328 vap->iv_auth->ia_attach(vap);
329 } else if (vap->iv_auth->ia_detach != NULL) {
330 vap->iv_auth->ia_detach(vap);
332 ieee80211_node_authorize(vap->iv_bss);
334 case IEEE80211_S_CSA:
335 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
337 * On a ``band change'' silently drop associated
338 * stations as they must re-associate before they
339 * can pass traffic (as otherwise protocol state
340 * such as capabilities and the negotiated rate
341 * set may/will be wrong).
343 ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
353 hostap_deliver_data(struct ieee80211vap *vap,
354 struct ieee80211_node *ni, struct mbuf *m)
356 struct ether_header *eh = mtod(m, struct ether_header *);
357 struct ifnet *ifp = vap->iv_ifp;
359 /* clear driver/net80211 flags before passing up */
360 m->m_flags &= ~(M_MCAST | M_BCAST);
363 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
364 ("gack, opmode %d", vap->iv_opmode));
368 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
369 IEEE80211_NODE_STAT(ni, rx_data);
370 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
371 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
372 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
373 IEEE80211_NODE_STAT(ni, rx_mcast);
375 IEEE80211_NODE_STAT(ni, rx_ucast);
377 /* perform as a bridge within the AP */
378 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
379 struct mbuf *mcopy = NULL;
381 if (m->m_flags & M_MCAST) {
382 mcopy = m_dup(m, M_NOWAIT);
384 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
386 mcopy->m_flags |= M_MCAST;
389 * Check if the destination is associated with the
390 * same vap and authorized to receive traffic.
391 * Beware of traffic destined for the vap itself;
392 * sending it will not work; just let it be delivered
395 struct ieee80211_node *sta = ieee80211_find_vap_node(
396 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
398 if (ieee80211_node_is_authorized(sta)) {
400 * Beware of sending to ourself; this
401 * needs to happen via the normal
404 if (sta != vap->iv_bss) {
409 vap->iv_stats.is_rx_unauth++;
410 IEEE80211_NODE_STAT(sta, rx_unauth);
412 ieee80211_free_node(sta);
416 (void) ieee80211_vap_xmitpkt(vap, mcopy);
420 * Mark frame as coming from vap's interface.
422 m->m_pkthdr.rcvif = ifp;
423 if (m->m_flags & M_MCAST) {
425 * Spam DWDS vap's w/ multicast traffic.
427 /* XXX only if dwds in use? */
428 ieee80211_dwds_mcast(vap, m);
430 if (ni->ni_vlan != 0) {
431 /* attach vlan tag */
432 m->m_pkthdr.ether_vtag = ni->ni_vlan;
433 m->m_flags |= M_VLANTAG;
435 ifp->if_input(ifp, m);
440 * Decide if a received management frame should be
441 * printed when debugging is enabled. This filters some
442 * of the less interesting frames that come frequently
446 doprint(struct ieee80211vap *vap, int subtype)
449 case IEEE80211_FC0_SUBTYPE_BEACON:
450 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
451 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
458 * Process a received frame. The node associated with the sender
459 * should be supplied. If nothing was found in the node table then
460 * the caller is assumed to supply a reference to iv_bss instead.
461 * The RSSI and a timestamp are also supplied. The RSSI data is used
462 * during AP scanning to select a AP to associate with; it can have
463 * any units so long as values have consistent units and higher values
464 * mean ``better signal''. The receive timestamp is currently not used
465 * by the 802.11 layer.
468 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
469 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
471 struct ieee80211vap *vap = ni->ni_vap;
472 struct ieee80211com *ic = ni->ni_ic;
473 struct ifnet *ifp = vap->iv_ifp;
474 struct ieee80211_frame *wh;
475 struct ieee80211_key *key;
476 struct ether_header *eh;
477 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
478 uint8_t dir, type, subtype, qos;
481 if (m->m_flags & M_AMPDU_MPDU) {
483 * Fastpath for A-MPDU reorder q resubmission. Frames
484 * w/ M_AMPDU_MPDU marked have already passed through
485 * here but were received out of order and been held on
486 * the reorder queue. When resubmitted they are marked
487 * with the M_AMPDU_MPDU flag and we can bypass most of
488 * the normal processing.
490 wh = mtod(m, struct ieee80211_frame *);
491 type = IEEE80211_FC0_TYPE_DATA;
492 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
493 subtype = IEEE80211_FC0_SUBTYPE_QOS;
494 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
498 KASSERT(ni != NULL, ("null node"));
499 ni->ni_inact = ni->ni_inact_reload;
501 type = -1; /* undefined */
503 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
504 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
505 ni->ni_macaddr, NULL,
506 "too short (1): len %u", m->m_pkthdr.len);
507 vap->iv_stats.is_rx_tooshort++;
511 * Bit of a cheat here, we use a pointer for a 3-address
512 * frame format but don't reference fields past outside
513 * ieee80211_frame_min w/o first validating the data is
516 wh = mtod(m, struct ieee80211_frame *);
518 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
519 IEEE80211_FC0_VERSION_0) {
520 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
521 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
522 wh->i_fc[0], wh->i_fc[1]);
523 vap->iv_stats.is_rx_badversion++;
527 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
528 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
529 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
530 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
531 if (dir != IEEE80211_FC1_DIR_NODS)
533 else if (type == IEEE80211_FC0_TYPE_CTL)
536 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
537 IEEE80211_DISCARD_MAC(vap,
538 IEEE80211_MSG_ANY, ni->ni_macaddr,
539 NULL, "too short (2): len %u",
541 vap->iv_stats.is_rx_tooshort++;
547 * Validate the bssid.
549 if (!(type == IEEE80211_FC0_TYPE_MGT &&
550 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
551 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
552 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
553 /* not interested in */
554 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
555 bssid, NULL, "%s", "not to bss");
556 vap->iv_stats.is_rx_wrongbss++;
560 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
562 if (IEEE80211_HAS_SEQ(type, subtype)) {
563 uint8_t tid = ieee80211_gettid(wh);
564 if (IEEE80211_QOS_HAS_SEQ(wh) &&
565 TID_TO_WME_AC(tid) >= WME_AC_VI)
566 ic->ic_wme.wme_hipri_traffic++;
567 if (! ieee80211_check_rxseq(ni, wh, bssid))
573 case IEEE80211_FC0_TYPE_DATA:
574 hdrspace = ieee80211_hdrspace(ic, wh);
575 if (m->m_len < hdrspace &&
576 (m = m_pullup(m, hdrspace)) == NULL) {
577 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
578 ni->ni_macaddr, NULL,
579 "data too short: expecting %u", hdrspace);
580 vap->iv_stats.is_rx_tooshort++;
583 if (!(dir == IEEE80211_FC1_DIR_TODS ||
584 (dir == IEEE80211_FC1_DIR_DSTODS &&
585 (vap->iv_flags & IEEE80211_F_DWDS)))) {
586 if (dir != IEEE80211_FC1_DIR_DSTODS) {
587 IEEE80211_DISCARD(vap,
588 IEEE80211_MSG_INPUT, wh, "data",
589 "incorrect dir 0x%x", dir);
591 IEEE80211_DISCARD(vap,
592 IEEE80211_MSG_INPUT |
593 IEEE80211_MSG_WDS, wh,
595 "%s", "DWDS not enabled");
597 vap->iv_stats.is_rx_wrongdir++;
600 /* check if source STA is associated */
601 if (ni == vap->iv_bss) {
602 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
603 wh, "data", "%s", "unknown src");
604 ieee80211_send_error(ni, wh->i_addr2,
605 IEEE80211_FC0_SUBTYPE_DEAUTH,
606 IEEE80211_REASON_NOT_AUTHED);
607 vap->iv_stats.is_rx_notassoc++;
610 if (ni->ni_associd == 0) {
611 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
612 wh, "data", "%s", "unassoc src");
613 IEEE80211_SEND_MGMT(ni,
614 IEEE80211_FC0_SUBTYPE_DISASSOC,
615 IEEE80211_REASON_NOT_ASSOCED);
616 vap->iv_stats.is_rx_notassoc++;
621 * Check for power save state change.
622 * XXX out-of-order A-MPDU frames?
624 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
625 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
627 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
629 * For 4-address packets handle WDS discovery
630 * notifications. Once a WDS link is setup frames
631 * are just delivered to the WDS vap (see below).
633 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
634 if (!ieee80211_node_is_authorized(ni)) {
635 IEEE80211_DISCARD(vap,
636 IEEE80211_MSG_INPUT |
637 IEEE80211_MSG_WDS, wh,
639 "%s", "unauthorized port");
640 vap->iv_stats.is_rx_unauth++;
641 IEEE80211_NODE_STAT(ni, rx_unauth);
644 ieee80211_dwds_discover(ni, m);
649 * Handle A-MPDU re-ordering. If the frame is to be
650 * processed directly then ieee80211_ampdu_reorder
651 * will return 0; otherwise it has consumed the mbuf
652 * and we should do nothing more with it.
654 if ((m->m_flags & M_AMPDU) &&
655 ieee80211_ampdu_reorder(ni, m) != 0) {
662 * Handle privacy requirements. Note that we
663 * must not be preempted from here until after
664 * we (potentially) call ieee80211_crypto_demic;
665 * otherwise we may violate assumptions in the
666 * crypto cipher modules used to do delayed update
667 * of replay sequence numbers.
669 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
670 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
672 * Discard encrypted frames when privacy is off.
674 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
675 wh, "WEP", "%s", "PRIVACY off");
676 vap->iv_stats.is_rx_noprivacy++;
677 IEEE80211_NODE_STAT(ni, rx_noprivacy);
680 key = ieee80211_crypto_decap(ni, m, hdrspace);
682 /* NB: stats+msgs handled in crypto_decap */
683 IEEE80211_NODE_STAT(ni, rx_wepfail);
686 wh = mtod(m, struct ieee80211_frame *);
687 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
689 /* XXX M_WEP and IEEE80211_F_PRIVACY */
694 * Save QoS bits for use below--before we strip the header.
696 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
697 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
698 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
699 ((struct ieee80211_qosframe *)wh)->i_qos[0];
704 * Next up, any fragmentation.
706 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
707 m = ieee80211_defrag(ni, m, hdrspace);
709 /* Fragment dropped or frame not complete yet */
713 wh = NULL; /* no longer valid, catch any uses */
716 * Next strip any MSDU crypto bits.
718 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
719 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
720 ni->ni_macaddr, "data", "%s", "demic error");
721 vap->iv_stats.is_rx_demicfail++;
722 IEEE80211_NODE_STAT(ni, rx_demicfail);
725 /* copy to listener after decrypt */
726 if (ieee80211_radiotap_active_vap(vap))
727 ieee80211_radiotap_rx(vap, m);
730 * Finally, strip the 802.11 header.
732 m = ieee80211_decap(vap, m, hdrspace);
734 /* XXX mask bit to check for both */
735 /* don't count Null data frames as errors */
736 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
737 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
739 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
740 ni->ni_macaddr, "data", "%s", "decap error");
741 vap->iv_stats.is_rx_decap++;
742 IEEE80211_NODE_STAT(ni, rx_decap);
745 eh = mtod(m, struct ether_header *);
746 if (!ieee80211_node_is_authorized(ni)) {
748 * Deny any non-PAE frames received prior to
749 * authorization. For open/shared-key
750 * authentication the port is mark authorized
751 * after authentication completes. For 802.1x
752 * the port is not marked authorized by the
753 * authenticator until the handshake has completed.
755 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
756 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
757 eh->ether_shost, "data",
758 "unauthorized port: ether type 0x%x len %u",
759 eh->ether_type, m->m_pkthdr.len);
760 vap->iv_stats.is_rx_unauth++;
761 IEEE80211_NODE_STAT(ni, rx_unauth);
766 * When denying unencrypted frames, discard
767 * any non-PAE frames received without encryption.
769 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
770 (key == NULL && (m->m_flags & M_WEP) == 0) &&
771 eh->ether_type != htons(ETHERTYPE_PAE)) {
773 * Drop unencrypted frames.
775 vap->iv_stats.is_rx_unencrypted++;
776 IEEE80211_NODE_STAT(ni, rx_unencrypted);
780 /* XXX require HT? */
781 if (qos & IEEE80211_QOS_AMSDU) {
782 m = ieee80211_decap_amsdu(ni, m);
784 return IEEE80211_FC0_TYPE_DATA;
786 #ifdef IEEE80211_SUPPORT_SUPERG
787 m = ieee80211_decap_fastframe(vap, ni, m);
789 return IEEE80211_FC0_TYPE_DATA;
792 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
793 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
795 hostap_deliver_data(vap, ni, m);
796 return IEEE80211_FC0_TYPE_DATA;
798 case IEEE80211_FC0_TYPE_MGT:
799 vap->iv_stats.is_rx_mgmt++;
800 IEEE80211_NODE_STAT(ni, rx_mgmt);
801 if (dir != IEEE80211_FC1_DIR_NODS) {
802 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
803 wh, "mgt", "incorrect dir 0x%x", dir);
804 vap->iv_stats.is_rx_wrongdir++;
807 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
808 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
809 ni->ni_macaddr, "mgt", "too short: len %u",
811 vap->iv_stats.is_rx_tooshort++;
814 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
815 /* ensure return frames are unicast */
816 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
817 wh, NULL, "source is multicast: %s",
818 ether_sprintf(wh->i_addr2));
819 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
822 #ifdef IEEE80211_DEBUG
823 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
824 ieee80211_msg_dumppkts(vap)) {
825 if_printf(ifp, "received %s from %s rssi %d\n",
826 ieee80211_mgt_subtype_name(subtype),
827 ether_sprintf(wh->i_addr2), rssi);
830 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
831 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
833 * Only shared key auth frames with a challenge
834 * should be encrypted, discard all others.
836 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
838 "%s", "WEP set but not permitted");
839 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
842 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
844 * Discard encrypted frames when privacy is off.
846 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
847 wh, NULL, "%s", "WEP set but PRIVACY off");
848 vap->iv_stats.is_rx_noprivacy++;
851 hdrspace = ieee80211_hdrspace(ic, wh);
852 key = ieee80211_crypto_decap(ni, m, hdrspace);
854 /* NB: stats+msgs handled in crypto_decap */
857 wh = mtod(m, struct ieee80211_frame *);
858 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
861 * Pass the packet to radiotap before calling iv_recv_mgmt().
862 * Otherwise iv_recv_mgmt() might pass another packet to
863 * radiotap, resulting in out of order packet captures.
865 if (ieee80211_radiotap_active_vap(vap))
866 ieee80211_radiotap_rx(vap, m);
868 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
871 case IEEE80211_FC0_TYPE_CTL:
872 vap->iv_stats.is_rx_ctl++;
873 IEEE80211_NODE_STAT(ni, rx_ctrl);
874 vap->iv_recv_ctl(ni, m, subtype);
877 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
878 wh, "bad", "frame type 0x%x", type);
879 /* should not come here */
883 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
886 if (need_tap && ieee80211_radiotap_active_vap(vap))
887 ieee80211_radiotap_rx(vap, m);
894 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
895 int rssi, int nf, uint16_t seq, uint16_t status)
897 struct ieee80211vap *vap = ni->ni_vap;
899 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
901 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
902 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
903 ni->ni_macaddr, "open auth",
904 "bad sta auth mode %u", ni->ni_authmode);
905 vap->iv_stats.is_rx_bad_auth++; /* XXX */
907 * Clear any challenge text that may be there if
908 * a previous shared key auth failed and then an
909 * open auth is attempted.
911 if (ni->ni_challenge != NULL) {
912 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
913 ni->ni_challenge = NULL;
915 /* XXX hack to workaround calling convention */
916 ieee80211_send_error(ni, wh->i_addr2,
917 IEEE80211_FC0_SUBTYPE_AUTH,
918 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
921 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
922 vap->iv_stats.is_rx_bad_auth++;
925 /* always accept open authentication requests */
926 if (ni == vap->iv_bss) {
927 ni = ieee80211_dup_bss(vap, wh->i_addr2);
930 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
931 (void) ieee80211_ref_node(ni);
933 * Mark the node as referenced to reflect that it's
934 * reference count has been bumped to insure it remains
935 * after the transaction completes.
937 ni->ni_flags |= IEEE80211_NODE_AREF;
939 * Mark the node as requiring a valid association id
940 * before outbound traffic is permitted.
942 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
944 if (vap->iv_acl != NULL &&
945 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
947 * When the ACL policy is set to RADIUS we defer the
948 * authorization to a user agent. Dispatch an event,
949 * a subsequent MLME call will decide the fate of the
950 * station. If the user agent is not present then the
951 * node will be reclaimed due to inactivity.
953 IEEE80211_NOTE_MAC(vap,
954 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
955 "%s", "station authentication defered (radius acl)");
956 ieee80211_notify_node_auth(ni);
958 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
959 IEEE80211_NOTE_MAC(vap,
960 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
961 "%s", "station authenticated (open)");
963 * When 802.1x is not in use mark the port
964 * authorized at this point so traffic can flow.
966 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
967 ieee80211_node_authorize(ni);
972 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
973 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
974 uint16_t seq, uint16_t status)
976 struct ieee80211vap *vap = ni->ni_vap;
978 int allocbs, estatus;
980 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
983 * NB: this can happen as we allow pre-shared key
984 * authentication to be enabled w/o wep being turned
985 * on so that configuration of these can be done
986 * in any order. It may be better to enforce the
987 * ordering in which case this check would just be
988 * for sanity/consistency.
990 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
991 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
992 ni->ni_macaddr, "shared key auth",
993 "%s", " PRIVACY is disabled");
994 estatus = IEEE80211_STATUS_ALG;
998 * Pre-shared key authentication is evil; accept
999 * it only if explicitly configured (it is supported
1000 * mainly for compatibility with clients like Mac OS X).
1002 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1003 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1004 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1005 ni->ni_macaddr, "shared key auth",
1006 "bad sta auth mode %u", ni->ni_authmode);
1007 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1008 estatus = IEEE80211_STATUS_ALG;
1013 if (frm + 1 < efrm) {
1014 if ((frm[1] + 2) > (efrm - frm)) {
1015 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1016 ni->ni_macaddr, "shared key auth",
1017 "ie %d/%d too long",
1018 frm[0], (frm[1] + 2) - (efrm - frm));
1019 vap->iv_stats.is_rx_bad_auth++;
1020 estatus = IEEE80211_STATUS_CHALLENGE;
1023 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1028 case IEEE80211_AUTH_SHARED_CHALLENGE:
1029 case IEEE80211_AUTH_SHARED_RESPONSE:
1030 if (challenge == NULL) {
1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1032 ni->ni_macaddr, "shared key auth",
1033 "%s", "no challenge");
1034 vap->iv_stats.is_rx_bad_auth++;
1035 estatus = IEEE80211_STATUS_CHALLENGE;
1038 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1039 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1040 ni->ni_macaddr, "shared key auth",
1041 "bad challenge len %d", challenge[1]);
1042 vap->iv_stats.is_rx_bad_auth++;
1043 estatus = IEEE80211_STATUS_CHALLENGE;
1050 case IEEE80211_AUTH_SHARED_REQUEST:
1051 if (ni == vap->iv_bss) {
1052 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1054 /* NB: no way to return an error */
1059 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1060 (void) ieee80211_ref_node(ni);
1064 * Mark the node as referenced to reflect that it's
1065 * reference count has been bumped to insure it remains
1066 * after the transaction completes.
1068 ni->ni_flags |= IEEE80211_NODE_AREF;
1070 * Mark the node as requiring a valid association id
1071 * before outbound traffic is permitted.
1073 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1074 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1076 if (!ieee80211_alloc_challenge(ni)) {
1077 /* NB: don't return error so they rexmit */
1080 get_random_bytes(ni->ni_challenge,
1081 IEEE80211_CHALLENGE_LEN);
1082 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1083 ni, "shared key %sauth request", allocbs ? "" : "re");
1085 * When the ACL policy is set to RADIUS we defer the
1086 * authorization to a user agent. Dispatch an event,
1087 * a subsequent MLME call will decide the fate of the
1088 * station. If the user agent is not present then the
1089 * node will be reclaimed due to inactivity.
1091 if (vap->iv_acl != NULL &&
1092 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1093 IEEE80211_NOTE_MAC(vap,
1094 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1096 "%s", "station authentication defered (radius acl)");
1097 ieee80211_notify_node_auth(ni);
1101 case IEEE80211_AUTH_SHARED_RESPONSE:
1102 if (ni == vap->iv_bss) {
1103 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1104 ni->ni_macaddr, "shared key response",
1105 "%s", "unknown station");
1106 /* NB: don't send a response */
1109 if (ni->ni_challenge == NULL) {
1110 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1111 ni->ni_macaddr, "shared key response",
1112 "%s", "no challenge recorded");
1113 vap->iv_stats.is_rx_bad_auth++;
1114 estatus = IEEE80211_STATUS_CHALLENGE;
1117 if (memcmp(ni->ni_challenge, &challenge[2],
1118 challenge[1]) != 0) {
1119 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1120 ni->ni_macaddr, "shared key response",
1121 "%s", "challenge mismatch");
1122 vap->iv_stats.is_rx_auth_fail++;
1123 estatus = IEEE80211_STATUS_CHALLENGE;
1126 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1127 ni, "%s", "station authenticated (shared key)");
1128 ieee80211_node_authorize(ni);
1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1132 ni->ni_macaddr, "shared key auth",
1134 vap->iv_stats.is_rx_bad_auth++;
1135 estatus = IEEE80211_STATUS_SEQUENCE;
1138 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1142 * Send an error response; but only when operating as an AP.
1144 /* XXX hack to workaround calling convention */
1145 ieee80211_send_error(ni, wh->i_addr2,
1146 IEEE80211_FC0_SUBTYPE_AUTH,
1147 (seq + 1) | (estatus<<16));
1151 * Convert a WPA cipher selector OUI to an internal
1152 * cipher algorithm. Where appropriate we also
1153 * record any key length.
1156 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1158 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1159 uint32_t w = le32dec(sel);
1162 case WPA_SEL(WPA_CSE_NULL):
1163 *cipher = IEEE80211_CIPHER_NONE;
1165 case WPA_SEL(WPA_CSE_WEP40):
1167 *keylen = 40 / NBBY;
1168 *cipher = IEEE80211_CIPHER_WEP;
1170 case WPA_SEL(WPA_CSE_WEP104):
1172 *keylen = 104 / NBBY;
1173 *cipher = IEEE80211_CIPHER_WEP;
1175 case WPA_SEL(WPA_CSE_TKIP):
1176 *cipher = IEEE80211_CIPHER_TKIP;
1178 case WPA_SEL(WPA_CSE_CCMP):
1179 *cipher = IEEE80211_CIPHER_AES_CCM;
1190 * Convert a WPA key management/authentication algorithm
1191 * to an internal code.
1194 wpa_keymgmt(const uint8_t *sel)
1196 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1197 uint32_t w = le32dec(sel);
1200 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1201 return WPA_ASE_8021X_UNSPEC;
1202 case WPA_SEL(WPA_ASE_8021X_PSK):
1203 return WPA_ASE_8021X_PSK;
1204 case WPA_SEL(WPA_ASE_NONE):
1205 return WPA_ASE_NONE;
1207 return 0; /* NB: so is discarded */
1212 * Parse a WPA information element to collect parameters.
1213 * Note that we do not validate security parameters; that
1214 * is handled by the authenticator; the parsing done here
1215 * is just for internal use in making operational decisions.
1218 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1219 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1221 uint8_t len = frm[1];
1226 * Check the length once for fixed parts: OUI, type,
1227 * version, mcast cipher, and 2 selector counts.
1228 * Other, variable-length data, must be checked separately.
1230 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1231 IEEE80211_DISCARD_IE(vap,
1232 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1233 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1234 return IEEE80211_REASON_IE_INVALID;
1237 IEEE80211_DISCARD_IE(vap,
1238 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1239 wh, "WPA", "too short, len %u", len);
1240 return IEEE80211_REASON_IE_INVALID;
1242 frm += 6, len -= 4; /* NB: len is payload only */
1243 /* NB: iswpaoui already validated the OUI and type */
1245 if (w != WPA_VERSION) {
1246 IEEE80211_DISCARD_IE(vap,
1247 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1248 wh, "WPA", "bad version %u", w);
1249 return IEEE80211_REASON_IE_INVALID;
1253 memset(rsn, 0, sizeof(*rsn));
1255 /* multicast/group cipher */
1256 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1258 IEEE80211_DISCARD_IE(vap,
1259 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1260 wh, "WPA", "unknown mcast cipher suite %08X",
1262 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1266 /* unicast ciphers */
1270 IEEE80211_DISCARD_IE(vap,
1271 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1272 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1274 return IEEE80211_REASON_IE_INVALID;
1277 for (; n > 0; n--) {
1280 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1287 IEEE80211_DISCARD_IE(vap,
1288 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1289 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1291 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1294 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1295 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1297 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1299 /* key management algorithms */
1303 IEEE80211_DISCARD_IE(vap,
1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1305 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1307 return IEEE80211_REASON_IE_INVALID;
1310 for (; n > 0; n--) {
1311 w |= wpa_keymgmt(frm);
1314 if (w & WPA_ASE_8021X_UNSPEC)
1315 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1317 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1319 if (len > 2) /* optional capabilities */
1320 rsn->rsn_caps = le16dec(frm);
1326 * Convert an RSN cipher selector OUI to an internal
1327 * cipher algorithm. Where appropriate we also
1328 * record any key length.
1331 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1333 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1334 uint32_t w = le32dec(sel);
1337 case RSN_SEL(RSN_CSE_NULL):
1338 *cipher = IEEE80211_CIPHER_NONE;
1340 case RSN_SEL(RSN_CSE_WEP40):
1342 *keylen = 40 / NBBY;
1343 *cipher = IEEE80211_CIPHER_WEP;
1345 case RSN_SEL(RSN_CSE_WEP104):
1347 *keylen = 104 / NBBY;
1348 *cipher = IEEE80211_CIPHER_WEP;
1350 case RSN_SEL(RSN_CSE_TKIP):
1351 *cipher = IEEE80211_CIPHER_TKIP;
1353 case RSN_SEL(RSN_CSE_CCMP):
1354 *cipher = IEEE80211_CIPHER_AES_CCM;
1356 case RSN_SEL(RSN_CSE_WRAP):
1357 *cipher = IEEE80211_CIPHER_AES_OCB;
1368 * Convert an RSN key management/authentication algorithm
1369 * to an internal code.
1372 rsn_keymgmt(const uint8_t *sel)
1374 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1375 uint32_t w = le32dec(sel);
1378 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1379 return RSN_ASE_8021X_UNSPEC;
1380 case RSN_SEL(RSN_ASE_8021X_PSK):
1381 return RSN_ASE_8021X_PSK;
1382 case RSN_SEL(RSN_ASE_NONE):
1383 return RSN_ASE_NONE;
1385 return 0; /* NB: so is discarded */
1390 * Parse a WPA/RSN information element to collect parameters
1391 * and validate the parameters against what has been
1392 * configured for the system.
1395 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1396 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1398 uint8_t len = frm[1];
1403 * Check the length once for fixed parts:
1404 * version, mcast cipher, and 2 selector counts.
1405 * Other, variable-length data, must be checked separately.
1407 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1408 IEEE80211_DISCARD_IE(vap,
1409 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1410 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1411 return IEEE80211_REASON_IE_INVALID;
1413 /* XXX may be shorter */
1415 IEEE80211_DISCARD_IE(vap,
1416 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1417 wh, "RSN", "too short, len %u", len);
1418 return IEEE80211_REASON_IE_INVALID;
1422 if (w != RSN_VERSION) {
1423 IEEE80211_DISCARD_IE(vap,
1424 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1425 wh, "RSN", "bad version %u", w);
1426 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1430 memset(rsn, 0, sizeof(*rsn));
1432 /* multicast/group cipher */
1433 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1435 IEEE80211_DISCARD_IE(vap,
1436 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1437 wh, "RSN", "unknown mcast cipher suite %08X",
1439 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1441 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1442 IEEE80211_DISCARD_IE(vap,
1443 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1444 wh, "RSN", "invalid mcast cipher suite %d",
1445 rsn->rsn_mcastcipher);
1446 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1450 /* unicast ciphers */
1454 IEEE80211_DISCARD_IE(vap,
1455 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1456 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1458 return IEEE80211_REASON_IE_INVALID;
1462 for (; n > 0; n--) {
1465 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1471 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1472 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1473 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1474 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1475 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1476 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1477 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1478 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1479 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1480 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1482 IEEE80211_DISCARD_IE(vap,
1483 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1484 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1486 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1489 /* key management algorithms */
1493 IEEE80211_DISCARD_IE(vap,
1494 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1495 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1497 return IEEE80211_REASON_IE_INVALID;
1500 for (; n > 0; n--) {
1501 w |= rsn_keymgmt(frm);
1504 if (w & RSN_ASE_8021X_UNSPEC)
1505 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1507 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1509 /* optional RSN capabilities */
1511 rsn->rsn_caps = le16dec(frm);
1518 * WPA/802.11i association request processing.
1521 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1522 const struct ieee80211_frame *wh, const uint8_t *wpa,
1523 const uint8_t *rsn, uint16_t capinfo)
1525 struct ieee80211vap *vap = ni->ni_vap;
1529 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1530 if (wpa == NULL && rsn == NULL) {
1531 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1533 * W-Fi Protected Setup (WPS) permits
1534 * clients to associate and pass EAPOL frames
1535 * to establish initial credentials.
1537 ni->ni_flags |= IEEE80211_NODE_WPS;
1540 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1541 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1543 * Transitional Security Network. Permits clients
1544 * to associate and use WEP while WPA is configured.
1546 ni->ni_flags |= IEEE80211_NODE_TSN;
1549 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1550 wh, NULL, "%s", "no WPA/RSN IE in association request");
1551 vap->iv_stats.is_rx_assoc_badwpaie++;
1552 reason = IEEE80211_REASON_IE_INVALID;
1555 /* assert right association security credentials */
1556 badwparsn = 0; /* NB: to silence compiler */
1557 switch (vap->iv_flags & IEEE80211_F_WPA) {
1558 case IEEE80211_F_WPA1:
1559 badwparsn = (wpa == NULL);
1561 case IEEE80211_F_WPA2:
1562 badwparsn = (rsn == NULL);
1564 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1565 badwparsn = (wpa == NULL && rsn == NULL);
1569 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1571 "%s", "missing WPA/RSN IE in association request");
1572 vap->iv_stats.is_rx_assoc_badwpaie++;
1573 reason = IEEE80211_REASON_IE_INVALID;
1577 * Parse WPA/RSN information element.
1580 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1582 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1584 /* XXX wpa->rsn fallback? */
1585 /* XXX distinguish WPA/RSN? */
1586 vap->iv_stats.is_rx_assoc_badwpaie++;
1589 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1590 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1591 wpa != NULL ? "WPA" : "RSN",
1592 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1593 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1594 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1598 ieee80211_node_deauth(ni, reason);
1602 /* XXX find a better place for definition */
1603 struct l2_update_frame {
1604 struct ether_header eh;
1612 * Deliver a TGf L2UF frame on behalf of a station.
1613 * This primes any bridge when the station is roaming
1614 * between ap's on the same wired network.
1617 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1619 struct ieee80211vap *vap = ni->ni_vap;
1620 struct ifnet *ifp = vap->iv_ifp;
1622 struct l2_update_frame *l2uf;
1623 struct ether_header *eh;
1625 m = m_gethdr(M_NOWAIT, MT_DATA);
1627 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1628 "%s", "no mbuf for l2uf frame");
1629 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1632 l2uf = mtod(m, struct l2_update_frame *);
1634 /* dst: Broadcast address */
1635 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1636 /* src: associated STA */
1637 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1638 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1642 l2uf->control = 0xf5;
1643 l2uf->xid[0] = 0x81;
1644 l2uf->xid[1] = 0x80;
1645 l2uf->xid[2] = 0x00;
1647 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1648 hostap_deliver_data(vap, ni, m);
1652 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1653 int reassoc, int resp, const char *tag, int rate)
1655 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1656 "deny %s request, %s rate set mismatch, rate/MCS %d",
1657 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1658 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1659 ieee80211_node_leave(ni);
1663 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1664 int reassoc, int resp, const char *tag, int capinfo)
1666 struct ieee80211vap *vap = ni->ni_vap;
1668 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1669 "deny %s request, %s mismatch 0x%x",
1670 reassoc ? "reassoc" : "assoc", tag, capinfo);
1671 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1672 ieee80211_node_leave(ni);
1673 vap->iv_stats.is_rx_assoc_capmismatch++;
1677 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1678 int reassoc, int resp)
1680 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1681 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1682 /* XXX no better code */
1683 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1684 ieee80211_node_leave(ni);
1688 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1689 int algo, int seq, int status)
1691 struct ieee80211vap *vap = ni->ni_vap;
1693 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1694 wh, NULL, "unsupported alg %d", algo);
1695 vap->iv_stats.is_rx_auth_unsupported++;
1696 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1697 seq | (status << 16));
1701 ishtmixed(const uint8_t *ie)
1703 const struct ieee80211_ie_htinfo *ht =
1704 (const struct ieee80211_ie_htinfo *) ie;
1705 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1706 IEEE80211_HTINFO_OPMODE_MIXED;
1710 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1712 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1715 /* NB: the 11b clients we care about will not have xrates */
1716 if (xrates != NULL || rates == NULL)
1718 for (i = 0; i < rates[1]; i++) {
1719 int r = rates[2+i] & IEEE80211_RATE_VAL;
1720 if (r > 2*11 || ((1<<r) & brates) == 0)
1727 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1728 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1730 struct ieee80211vap *vap = ni->ni_vap;
1731 struct ieee80211com *ic = ni->ni_ic;
1732 struct ieee80211_frame *wh;
1733 uint8_t *frm, *efrm, *sfrm;
1734 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1738 wh = mtod(m0, struct ieee80211_frame *);
1739 frm = (uint8_t *)&wh[1];
1740 efrm = mtod(m0, uint8_t *) + m0->m_len;
1742 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1744 * We process beacon/probe response frames when scanning;
1745 * otherwise we check beacon frames for overlapping non-ERP
1746 * BSS in 11g and/or overlapping legacy BSS when in HT.
1748 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1749 vap->iv_stats.is_rx_mgtdiscard++;
1753 case IEEE80211_FC0_SUBTYPE_BEACON: {
1754 struct ieee80211_scanparams scan;
1756 /* NB: accept off-channel frames */
1757 /* XXX TODO: use rxstatus to determine off-channel details */
1758 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1761 * Count frame now that we know it's to be processed.
1763 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1764 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1765 IEEE80211_NODE_STAT(ni, rx_beacons);
1767 IEEE80211_NODE_STAT(ni, rx_proberesp);
1769 * If scanning, just pass information to the scan module.
1771 if (ic->ic_flags & IEEE80211_F_SCAN) {
1772 if (scan.status == 0 && /* NB: on channel */
1773 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1775 * Actively scanning a channel marked passive;
1776 * send a probe request now that we know there
1777 * is 802.11 traffic present.
1779 * XXX check if the beacon we recv'd gives
1780 * us what we need and suppress the probe req
1782 ieee80211_probe_curchan(vap, 1);
1783 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1785 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1790 * Check beacon for overlapping bss w/ non ERP stations.
1791 * If we detect one and protection is configured but not
1792 * enabled, enable it and start a timer that'll bring us
1793 * out if we stop seeing the bss.
1795 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1796 scan.status == 0 && /* NB: on-channel */
1797 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1798 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1799 ic->ic_lastnonerp = ticks;
1800 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1801 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1802 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1803 IEEE80211_NOTE_FRAME(vap,
1804 IEEE80211_MSG_ASSOC, wh,
1805 "non-ERP present on channel %d "
1806 "(saw erp 0x%x from channel %d), "
1807 "enable use of protection",
1808 ic->ic_curchan->ic_ieee,
1809 scan.erp, scan.chan);
1810 ic->ic_flags |= IEEE80211_F_USEPROT;
1811 ieee80211_notify_erp(ic);
1815 * Check beacon for non-HT station on HT channel
1816 * and update HT BSS occupancy as appropriate.
1818 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1819 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1821 * Off control channel; only check frames
1822 * that come in the extension channel when
1823 * operating w/ HT40.
1825 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1827 if (scan.chan != ic->ic_curchan->ic_extieee)
1830 if (scan.htinfo == NULL) {
1831 ieee80211_htprot_update(ic,
1832 IEEE80211_HTINFO_OPMODE_PROTOPT |
1833 IEEE80211_HTINFO_NONHT_PRESENT);
1834 } else if (ishtmixed(scan.htinfo)) {
1835 /* XXX? take NONHT_PRESENT from beacon? */
1836 ieee80211_htprot_update(ic,
1837 IEEE80211_HTINFO_OPMODE_MIXED |
1838 IEEE80211_HTINFO_NONHT_PRESENT);
1844 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1845 if (vap->iv_state != IEEE80211_S_RUN) {
1846 vap->iv_stats.is_rx_mgtdiscard++;
1850 * Consult the ACL policy module if setup.
1852 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1853 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1854 wh, NULL, "%s", "disallowed by ACL");
1855 vap->iv_stats.is_rx_acl++;
1859 * prreq frame format
1861 * [tlv] supported rates
1862 * [tlv] extended supported rates
1864 ssid = rates = xrates = NULL;
1865 while (efrm - frm > 1) {
1866 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1868 case IEEE80211_ELEMID_SSID:
1871 case IEEE80211_ELEMID_RATES:
1874 case IEEE80211_ELEMID_XRATES:
1880 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1882 IEEE80211_VERIFY_ELEMENT(xrates,
1883 IEEE80211_RATE_MAXSIZE - rates[1], return);
1884 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1885 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1886 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1887 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1889 "%s", "no ssid with ssid suppression enabled");
1890 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1894 /* XXX find a better class or define it's own */
1895 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1896 "%s", "recv probe req");
1898 * Some legacy 11b clients cannot hack a complete
1899 * probe response frame. When the request includes
1900 * only a bare-bones rate set, communicate this to
1901 * the transmit side.
1903 ieee80211_send_proberesp(vap, wh->i_addr2,
1904 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1907 case IEEE80211_FC0_SUBTYPE_AUTH: {
1908 uint16_t algo, seq, status;
1910 if (vap->iv_state != IEEE80211_S_RUN) {
1911 vap->iv_stats.is_rx_mgtdiscard++;
1914 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1915 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1916 wh, NULL, "%s", "wrong bssid");
1917 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1927 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1928 algo = le16toh(*(uint16_t *)frm);
1929 seq = le16toh(*(uint16_t *)(frm + 2));
1930 status = le16toh(*(uint16_t *)(frm + 4));
1931 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1932 "recv auth frame with algorithm %d seq %d", algo, seq);
1934 * Consult the ACL policy module if setup.
1936 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1937 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1938 wh, NULL, "%s", "disallowed by ACL");
1939 vap->iv_stats.is_rx_acl++;
1940 ieee80211_send_error(ni, wh->i_addr2,
1941 IEEE80211_FC0_SUBTYPE_AUTH,
1942 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1945 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1946 IEEE80211_DISCARD(vap,
1947 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1948 wh, NULL, "%s", "TKIP countermeasures enabled");
1949 vap->iv_stats.is_rx_auth_countermeasures++;
1950 ieee80211_send_error(ni, wh->i_addr2,
1951 IEEE80211_FC0_SUBTYPE_AUTH,
1952 IEEE80211_REASON_MIC_FAILURE);
1955 if (algo == IEEE80211_AUTH_ALG_SHARED)
1956 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1958 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1959 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1960 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1961 authalgreject(ni, wh, algo,
1962 seq+1, IEEE80211_STATUS_ALG);
1966 * We assume that an unknown algorithm is the result
1967 * of a decryption failure on a shared key auth frame;
1968 * return a status code appropriate for that instead
1969 * of IEEE80211_STATUS_ALG.
1971 * NB: a seq# of 4 is intentional; the decrypted
1972 * frame likely has a bogus seq value.
1974 authalgreject(ni, wh, algo,
1975 4, IEEE80211_STATUS_CHALLENGE);
1981 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1982 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1983 uint16_t capinfo, lintval;
1984 struct ieee80211_rsnparms rsnparms;
1986 if (vap->iv_state != IEEE80211_S_RUN) {
1987 vap->iv_stats.is_rx_mgtdiscard++;
1990 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1991 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1992 wh, NULL, "%s", "wrong bssid");
1993 vap->iv_stats.is_rx_assoc_bss++;
1996 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1998 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2001 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2003 if (ni == vap->iv_bss) {
2004 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2005 "deny %s request, sta not authenticated",
2006 reassoc ? "reassoc" : "assoc");
2007 ieee80211_send_error(ni, wh->i_addr2,
2008 IEEE80211_FC0_SUBTYPE_DEAUTH,
2009 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2010 vap->iv_stats.is_rx_assoc_notauth++;
2015 * asreq frame format
2016 * [2] capability information
2017 * [2] listen interval
2018 * [6*] current AP address (reassoc only)
2020 * [tlv] supported rates
2021 * [tlv] extended supported rates
2023 * [tlv] HT capabilities
2024 * [tlv] Atheros capabilities
2026 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2027 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2028 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2030 frm += 6; /* ignore current AP info */
2031 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2033 while (efrm - frm > 1) {
2034 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2036 case IEEE80211_ELEMID_SSID:
2039 case IEEE80211_ELEMID_RATES:
2042 case IEEE80211_ELEMID_XRATES:
2045 case IEEE80211_ELEMID_RSN:
2048 case IEEE80211_ELEMID_HTCAP:
2051 case IEEE80211_ELEMID_VENDOR:
2054 else if (iswmeinfo(frm))
2056 #ifdef IEEE80211_SUPPORT_SUPERG
2057 else if (isatherosoui(frm))
2060 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2061 if (ishtcapoui(frm) && htcap == NULL)
2068 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2070 IEEE80211_VERIFY_ELEMENT(xrates,
2071 IEEE80211_RATE_MAXSIZE - rates[1], return);
2072 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2073 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2074 if (htcap != NULL) {
2075 IEEE80211_VERIFY_LENGTH(htcap[1],
2076 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2077 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2078 sizeof(struct ieee80211_ie_htcap)-2,
2079 return); /* XXX just NULL out? */
2082 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2083 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2085 /* discard challenge after association */
2086 if (ni->ni_challenge != NULL) {
2087 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2088 ni->ni_challenge = NULL;
2090 /* NB: 802.11 spec says to ignore station's privacy bit */
2091 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2092 capinfomismatch(ni, wh, reassoc, resp,
2093 "capability", capinfo);
2097 * Disallow re-associate w/ invalid slot time setting.
2099 if (ni->ni_associd != 0 &&
2100 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2101 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2102 capinfomismatch(ni, wh, reassoc, resp,
2103 "slot time", capinfo);
2106 rate = ieee80211_setup_rates(ni, rates, xrates,
2107 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2108 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2109 if (rate & IEEE80211_RATE_BASIC) {
2110 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2111 vap->iv_stats.is_rx_assoc_norate++;
2115 * If constrained to 11g-only stations reject an
2116 * 11b-only station. We cheat a bit here by looking
2117 * at the max negotiated xmit rate and assuming anyone
2118 * with a best rate <24Mb/s is an 11b station.
2120 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2121 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2122 vap->iv_stats.is_rx_assoc_norate++;
2126 * Do HT rate set handling and setup HT node state.
2128 ni->ni_chan = vap->iv_bss->ni_chan;
2129 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2130 rate = ieee80211_setup_htrates(ni, htcap,
2131 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2133 if (rate & IEEE80211_RATE_BASIC) {
2134 ratesetmismatch(ni, wh, reassoc, resp,
2136 vap->iv_stats.is_ht_assoc_norate++;
2139 ieee80211_ht_node_init(ni);
2140 ieee80211_ht_updatehtcap(ni, htcap);
2141 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2142 ieee80211_ht_node_cleanup(ni);
2143 #ifdef IEEE80211_SUPPORT_SUPERG
2144 /* Always do ff node cleanup; for A-MSDU */
2145 ieee80211_ff_node_cleanup(ni);
2148 * Allow AMPDU operation only with unencrypted traffic
2149 * or AES-CCM; the 11n spec only specifies these ciphers
2150 * so permitting any others is undefined and can lead
2151 * to interoperability problems.
2153 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2154 (((vap->iv_flags & IEEE80211_F_WPA) &&
2155 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2156 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2158 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2159 "disallow HT use because WEP or TKIP requested, "
2160 "capinfo 0x%x ucastcipher %d", capinfo,
2161 rsnparms.rsn_ucastcipher);
2162 ieee80211_ht_node_cleanup(ni);
2163 #ifdef IEEE80211_SUPPORT_SUPERG
2164 /* Always do ff node cleanup; for A-MSDU */
2165 ieee80211_ff_node_cleanup(ni);
2167 vap->iv_stats.is_ht_assoc_downgrade++;
2170 * If constrained to 11n-only stations reject legacy stations.
2172 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2173 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2174 htcapmismatch(ni, wh, reassoc, resp);
2175 vap->iv_stats.is_ht_assoc_nohtcap++;
2178 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2180 ni->ni_intval = lintval;
2181 ni->ni_capinfo = capinfo;
2182 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2183 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2186 * XXX maybe better to just expand
2188 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2189 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2191 setie(wpa_ie, wpa - sfrm);
2193 setie(rsn_ie, rsn - sfrm);
2195 setie(htcap_ie, htcap - sfrm);
2197 setie(wme_ie, wme - sfrm);
2199 * Mark node as capable of QoS.
2201 ni->ni_flags |= IEEE80211_NODE_QOS;
2203 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2204 #ifdef IEEE80211_SUPPORT_SUPERG
2206 setie(ath_ie, ath - sfrm);
2208 * Parse ATH station parameters.
2210 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2213 ni->ni_ath_flags = 0;
2216 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2217 ni->ni_ath_flags = 0;
2219 ieee80211_node_join(ni, resp);
2220 ieee80211_deliver_l2uf(ni);
2224 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2225 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2228 if (vap->iv_state != IEEE80211_S_RUN ||
2229 /* NB: can happen when in promiscuous mode */
2230 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2231 vap->iv_stats.is_rx_mgtdiscard++;
2235 * deauth/disassoc frame format
2238 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2239 reason = le16toh(*(uint16_t *)frm);
2240 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2241 vap->iv_stats.is_rx_deauth++;
2242 IEEE80211_NODE_STAT(ni, rx_deauth);
2244 vap->iv_stats.is_rx_disassoc++;
2245 IEEE80211_NODE_STAT(ni, rx_disassoc);
2247 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2248 "recv %s (reason: %d (%s))",
2249 ieee80211_mgt_subtype_name(subtype),
2250 reason, ieee80211_reason_to_string(reason));
2251 if (ni != vap->iv_bss)
2252 ieee80211_node_leave(ni);
2256 case IEEE80211_FC0_SUBTYPE_ACTION:
2257 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2258 if (ni == vap->iv_bss) {
2259 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2260 wh, NULL, "%s", "unknown node");
2261 vap->iv_stats.is_rx_mgtdiscard++;
2262 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2263 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2264 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2265 wh, NULL, "%s", "not for us");
2266 vap->iv_stats.is_rx_mgtdiscard++;
2267 } else if (vap->iv_state != IEEE80211_S_RUN) {
2268 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2269 wh, NULL, "wrong state %s",
2270 ieee80211_state_name[vap->iv_state]);
2271 vap->iv_stats.is_rx_mgtdiscard++;
2273 if (ieee80211_parse_action(ni, m0) == 0)
2274 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2278 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2279 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2280 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2281 case IEEE80211_FC0_SUBTYPE_ATIM:
2282 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2283 wh, NULL, "%s", "not handled");
2284 vap->iv_stats.is_rx_mgtdiscard++;
2288 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2289 wh, "mgt", "subtype 0x%x not handled", subtype);
2290 vap->iv_stats.is_rx_badsubtype++;
2296 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2299 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2300 ni->ni_vap->iv_recv_pspoll(ni, m);
2302 case IEEE80211_FC0_SUBTYPE_BAR:
2303 ieee80211_recv_bar(ni, m);
2309 * Process a received ps-poll frame.
2312 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2314 struct ieee80211vap *vap = ni->ni_vap;
2315 struct ieee80211com *ic = vap->iv_ic;
2316 struct ieee80211_frame_min *wh;
2321 wh = mtod(m0, struct ieee80211_frame_min *);
2322 if (ni->ni_associd == 0) {
2323 IEEE80211_DISCARD(vap,
2324 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2325 (struct ieee80211_frame *) wh, NULL,
2326 "%s", "unassociated station");
2327 vap->iv_stats.is_ps_unassoc++;
2328 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2329 IEEE80211_REASON_NOT_ASSOCED);
2333 aid = le16toh(*(uint16_t *)wh->i_dur);
2334 if (aid != ni->ni_associd) {
2335 IEEE80211_DISCARD(vap,
2336 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2337 (struct ieee80211_frame *) wh, NULL,
2338 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2339 ni->ni_associd, aid);
2340 vap->iv_stats.is_ps_badaid++;
2342 * NB: We used to deauth the station but it turns out
2343 * the Blackberry Curve 8230 (and perhaps other devices)
2344 * sometimes send the wrong AID when WME is negotiated.
2345 * Being more lenient here seems ok as we already check
2346 * the station is associated and we only return frames
2347 * queued for the station (i.e. we don't use the AID).
2352 /* Okay, take the first queued packet and put it out... */
2353 m = ieee80211_node_psq_dequeue(ni, &qlen);
2355 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2356 "%s", "recv ps-poll, but queue empty");
2357 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2358 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2359 if (vap->iv_set_tim != NULL)
2360 vap->iv_set_tim(ni, 0); /* just in case */
2364 * If there are more packets, set the more packets bit
2365 * in the packet dispatched to the station; otherwise
2366 * turn off the TIM bit.
2369 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2370 "recv ps-poll, send packet, %u still queued", qlen);
2371 m->m_flags |= M_MORE_DATA;
2373 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2374 "%s", "recv ps-poll, send packet, queue empty");
2375 if (vap->iv_set_tim != NULL)
2376 vap->iv_set_tim(ni, 0);
2378 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2381 * Do the right thing; if it's an encap'ed frame then
2382 * call ieee80211_parent_xmitpkt() else
2383 * call ieee80211_vap_xmitpkt().
2385 if (m->m_flags & M_ENCAP) {
2386 (void) ieee80211_parent_xmitpkt(ic, m);
2388 (void) ieee80211_vap_xmitpkt(vap, m);