2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 HOSTAP mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_var.h>
52 #include <net/if_media.h>
53 #include <net/if_llc.h>
54 #include <net/ethernet.h>
58 #include <net80211/ieee80211_var.h>
59 #include <net80211/ieee80211_hostap.h>
60 #include <net80211/ieee80211_input.h>
61 #ifdef IEEE80211_SUPPORT_SUPERG
62 #include <net80211/ieee80211_superg.h>
64 #include <net80211/ieee80211_wds.h>
65 #include <net80211/ieee80211_vht.h>
67 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
69 static void hostap_vattach(struct ieee80211vap *);
70 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
71 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
72 const struct ieee80211_rx_stats *,
74 static void hostap_deliver_data(struct ieee80211vap *,
75 struct ieee80211_node *, struct mbuf *);
76 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
77 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
78 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
81 ieee80211_hostap_attach(struct ieee80211com *ic)
83 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
87 ieee80211_hostap_detach(struct ieee80211com *ic)
92 hostap_vdetach(struct ieee80211vap *vap)
97 hostap_vattach(struct ieee80211vap *vap)
99 vap->iv_newstate = hostap_newstate;
100 vap->iv_input = hostap_input;
101 vap->iv_recv_mgmt = hostap_recv_mgmt;
102 vap->iv_recv_ctl = hostap_recv_ctl;
103 vap->iv_opdetach = hostap_vdetach;
104 vap->iv_deliver_data = hostap_deliver_data;
105 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
109 sta_disassoc(void *arg, struct ieee80211_node *ni)
112 if (ni->ni_associd != 0) {
113 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
114 IEEE80211_REASON_ASSOC_LEAVE);
115 ieee80211_node_leave(ni);
120 sta_csa(void *arg, struct ieee80211_node *ni)
122 struct ieee80211vap *vap = ni->ni_vap;
124 if (ni->ni_associd != 0)
125 if (ni->ni_inact > vap->iv_inact_init) {
126 ni->ni_inact = vap->iv_inact_init;
127 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
128 "%s: inact %u", __func__, ni->ni_inact);
133 sta_drop(void *arg, struct ieee80211_node *ni)
136 if (ni->ni_associd != 0)
137 ieee80211_node_leave(ni);
141 * Does a channel change require associated stations to re-associate
142 * so protocol state is correct. This is used when doing CSA across
143 * bands or similar (e.g. HT -> legacy).
146 isbandchange(struct ieee80211com *ic)
148 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
149 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
150 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
154 * IEEE80211_M_HOSTAP vap state machine handler.
157 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
159 struct ieee80211com *ic = vap->iv_ic;
160 enum ieee80211_state ostate;
162 IEEE80211_LOCK_ASSERT(ic);
164 ostate = vap->iv_state;
165 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
166 __func__, ieee80211_state_name[ostate],
167 ieee80211_state_name[nstate], arg);
168 vap->iv_state = nstate; /* state transition */
169 if (ostate != IEEE80211_S_SCAN)
170 ieee80211_cancel_scan(vap); /* background scan */
172 case IEEE80211_S_INIT:
174 case IEEE80211_S_SCAN:
175 ieee80211_cancel_scan(vap);
177 case IEEE80211_S_CAC:
178 ieee80211_dfs_cac_stop(vap);
180 case IEEE80211_S_RUN:
181 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
187 if (ostate != IEEE80211_S_INIT) {
188 /* NB: optimize INIT -> INIT case */
189 ieee80211_reset_bss(vap);
191 if (vap->iv_auth->ia_detach != NULL)
192 vap->iv_auth->ia_detach(vap);
194 case IEEE80211_S_SCAN:
196 case IEEE80211_S_CSA:
197 case IEEE80211_S_RUN:
198 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
201 * Clear overlapping BSS state; the beacon frame
202 * will be reconstructed on transition to the RUN
203 * state and the timeout routines check if the flag
204 * is set before doing anything so this is sufficient.
206 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
207 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
209 case IEEE80211_S_CAC:
211 * NB: We may get here because of a manual channel
212 * change in which case we need to stop CAC
213 * XXX no need to stop if ostate RUN but it's ok
215 ieee80211_dfs_cac_stop(vap);
217 case IEEE80211_S_INIT:
218 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
219 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
221 * Already have a channel; bypass the
222 * scan and startup immediately.
223 * ieee80211_create_ibss will call back to
224 * move us to RUN state.
226 ieee80211_create_ibss(vap, vap->iv_des_chan);
230 * Initiate a scan. We can come here as a result
231 * of an IEEE80211_IOC_SCAN_REQ too in which case
232 * the vap will be marked with IEEE80211_FEXT_SCANREQ
233 * and the scan request parameters will be present
234 * in iv_scanreq. Otherwise we do the default.
236 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
237 ieee80211_check_scan(vap,
238 vap->iv_scanreq_flags,
239 vap->iv_scanreq_duration,
240 vap->iv_scanreq_mindwell,
241 vap->iv_scanreq_maxdwell,
242 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
243 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
245 ieee80211_check_scan_current(vap);
247 case IEEE80211_S_SCAN:
249 * A state change requires a reset; scan.
251 ieee80211_check_scan_current(vap);
257 case IEEE80211_S_CAC:
259 * Start CAC on a DFS channel. We come here when starting
260 * a bss on a DFS channel (see ieee80211_create_ibss).
262 ieee80211_dfs_cac_start(vap);
264 case IEEE80211_S_RUN:
265 if (vap->iv_flags & IEEE80211_F_WPA) {
266 /* XXX validate prerequisites */
269 case IEEE80211_S_INIT:
271 * Already have a channel; bypass the
272 * scan and startup immediately.
273 * Note that ieee80211_create_ibss will call
274 * back to do a RUN->RUN state change.
276 ieee80211_create_ibss(vap,
277 ieee80211_ht_adjust_channel(ic,
278 ic->ic_curchan, vap->iv_flags_ht));
279 /* NB: iv_bss is changed on return */
281 case IEEE80211_S_CAC:
283 * NB: This is the normal state change when CAC
284 * expires and no radar was detected; no need to
285 * clear the CAC timer as it's already expired.
288 case IEEE80211_S_CSA:
290 * Shorten inactivity timer of associated stations
291 * to weed out sta's that don't follow a CSA.
293 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
296 * Update bss node channel to reflect where
297 * we landed after CSA.
299 ieee80211_node_set_chan(vap->iv_bss,
300 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
301 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
302 /* XXX bypass debug msgs */
304 case IEEE80211_S_SCAN:
305 case IEEE80211_S_RUN:
306 #ifdef IEEE80211_DEBUG
307 if (ieee80211_msg_debug(vap)) {
308 struct ieee80211_node *ni = vap->iv_bss;
310 "synchronized with %s ssid ",
311 ether_sprintf(ni->ni_bssid));
312 ieee80211_print_essid(ni->ni_essid,
315 printf(" channel %d start %uMb\n",
316 ieee80211_chan2ieee(ic, ic->ic_curchan),
317 IEEE80211_RATE2MBS(ni->ni_txrate));
325 * Start/stop the authenticator. We delay until here
326 * to allow configuration to happen out of order.
328 if (vap->iv_auth->ia_attach != NULL) {
329 /* XXX check failure */
330 vap->iv_auth->ia_attach(vap);
331 } else if (vap->iv_auth->ia_detach != NULL) {
332 vap->iv_auth->ia_detach(vap);
334 ieee80211_node_authorize(vap->iv_bss);
336 case IEEE80211_S_CSA:
337 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
339 * On a ``band change'' silently drop associated
340 * stations as they must re-associate before they
341 * can pass traffic (as otherwise protocol state
342 * such as capabilities and the negotiated rate
343 * set may/will be wrong).
345 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
356 hostap_deliver_data(struct ieee80211vap *vap,
357 struct ieee80211_node *ni, struct mbuf *m)
359 struct ether_header *eh = mtod(m, struct ether_header *);
360 struct ifnet *ifp = vap->iv_ifp;
362 /* clear driver/net80211 flags before passing up */
363 m->m_flags &= ~(M_MCAST | M_BCAST);
366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
367 ("gack, opmode %d", vap->iv_opmode));
371 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
372 IEEE80211_NODE_STAT(ni, rx_data);
373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
375 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
376 IEEE80211_NODE_STAT(ni, rx_mcast);
378 IEEE80211_NODE_STAT(ni, rx_ucast);
380 /* perform as a bridge within the AP */
381 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
382 struct mbuf *mcopy = NULL;
384 if (m->m_flags & M_MCAST) {
385 mcopy = m_dup(m, M_NOWAIT);
387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
389 mcopy->m_flags |= M_MCAST;
392 * Check if the destination is associated with the
393 * same vap and authorized to receive traffic.
394 * Beware of traffic destined for the vap itself;
395 * sending it will not work; just let it be delivered
398 struct ieee80211_node *sta = ieee80211_find_vap_node(
399 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
401 if (ieee80211_node_is_authorized(sta)) {
403 * Beware of sending to ourself; this
404 * needs to happen via the normal
407 if (sta != vap->iv_bss) {
412 vap->iv_stats.is_rx_unauth++;
413 IEEE80211_NODE_STAT(sta, rx_unauth);
415 ieee80211_free_node(sta);
419 (void) ieee80211_vap_xmitpkt(vap, mcopy);
423 * Mark frame as coming from vap's interface.
425 m->m_pkthdr.rcvif = ifp;
426 if (m->m_flags & M_MCAST) {
428 * Spam DWDS vap's w/ multicast traffic.
430 /* XXX only if dwds in use? */
431 ieee80211_dwds_mcast(vap, m);
433 if (ni->ni_vlan != 0) {
434 /* attach vlan tag */
435 m->m_pkthdr.ether_vtag = ni->ni_vlan;
436 m->m_flags |= M_VLANTAG;
438 ifp->if_input(ifp, m);
443 * Decide if a received management frame should be
444 * printed when debugging is enabled. This filters some
445 * of the less interesting frames that come frequently
449 doprint(struct ieee80211vap *vap, int subtype)
452 case IEEE80211_FC0_SUBTYPE_BEACON:
453 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
454 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
461 * Process a received frame. The node associated with the sender
462 * should be supplied. If nothing was found in the node table then
463 * the caller is assumed to supply a reference to iv_bss instead.
464 * The RSSI and a timestamp are also supplied. The RSSI data is used
465 * during AP scanning to select a AP to associate with; it can have
466 * any units so long as values have consistent units and higher values
467 * mean ``better signal''. The receive timestamp is currently not used
468 * by the 802.11 layer.
471 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
472 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
474 struct ieee80211vap *vap = ni->ni_vap;
475 struct ieee80211com *ic = ni->ni_ic;
476 struct ifnet *ifp = vap->iv_ifp;
477 struct ieee80211_frame *wh;
478 struct ieee80211_key *key;
479 struct ether_header *eh;
480 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
481 uint8_t dir, type, subtype, qos;
483 int is_hw_decrypted = 0;
484 int has_decrypted = 0;
487 * Some devices do hardware decryption all the way through
488 * to pretending the frame wasn't encrypted in the first place.
489 * So, tag it appropriately so it isn't discarded inappropriately.
491 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
494 if (m->m_flags & M_AMPDU_MPDU) {
496 * Fastpath for A-MPDU reorder q resubmission. Frames
497 * w/ M_AMPDU_MPDU marked have already passed through
498 * here but were received out of order and been held on
499 * the reorder queue. When resubmitted they are marked
500 * with the M_AMPDU_MPDU flag and we can bypass most of
501 * the normal processing.
503 wh = mtod(m, struct ieee80211_frame *);
504 type = IEEE80211_FC0_TYPE_DATA;
505 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
506 subtype = IEEE80211_FC0_SUBTYPE_QOS;
507 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
511 KASSERT(ni != NULL, ("null node"));
512 ni->ni_inact = ni->ni_inact_reload;
514 type = -1; /* undefined */
516 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
517 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
518 ni->ni_macaddr, NULL,
519 "too short (1): len %u", m->m_pkthdr.len);
520 vap->iv_stats.is_rx_tooshort++;
524 * Bit of a cheat here, we use a pointer for a 3-address
525 * frame format but don't reference fields past outside
526 * ieee80211_frame_min w/o first validating the data is
529 wh = mtod(m, struct ieee80211_frame *);
531 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
532 IEEE80211_FC0_VERSION_0) {
533 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
534 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
535 wh->i_fc[0], wh->i_fc[1]);
536 vap->iv_stats.is_rx_badversion++;
540 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
541 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
542 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
543 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
544 if (dir != IEEE80211_FC1_DIR_NODS)
546 else if (type == IEEE80211_FC0_TYPE_CTL)
549 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
550 IEEE80211_DISCARD_MAC(vap,
551 IEEE80211_MSG_ANY, ni->ni_macaddr,
552 NULL, "too short (2): len %u",
554 vap->iv_stats.is_rx_tooshort++;
560 * Validate the bssid.
562 if (!(type == IEEE80211_FC0_TYPE_MGT &&
563 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
564 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
565 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
566 /* not interested in */
567 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
568 bssid, NULL, "%s", "not to bss");
569 vap->iv_stats.is_rx_wrongbss++;
573 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
575 if (IEEE80211_HAS_SEQ(type, subtype)) {
576 uint8_t tid = ieee80211_gettid(wh);
577 if (IEEE80211_QOS_HAS_SEQ(wh) &&
578 TID_TO_WME_AC(tid) >= WME_AC_VI)
579 ic->ic_wme.wme_hipri_traffic++;
580 if (! ieee80211_check_rxseq(ni, wh, bssid))
586 case IEEE80211_FC0_TYPE_DATA:
587 hdrspace = ieee80211_hdrspace(ic, wh);
588 if (m->m_len < hdrspace &&
589 (m = m_pullup(m, hdrspace)) == NULL) {
590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
591 ni->ni_macaddr, NULL,
592 "data too short: expecting %u", hdrspace);
593 vap->iv_stats.is_rx_tooshort++;
596 if (!(dir == IEEE80211_FC1_DIR_TODS ||
597 (dir == IEEE80211_FC1_DIR_DSTODS &&
598 (vap->iv_flags & IEEE80211_F_DWDS)))) {
599 if (dir != IEEE80211_FC1_DIR_DSTODS) {
600 IEEE80211_DISCARD(vap,
601 IEEE80211_MSG_INPUT, wh, "data",
602 "incorrect dir 0x%x", dir);
604 IEEE80211_DISCARD(vap,
605 IEEE80211_MSG_INPUT |
606 IEEE80211_MSG_WDS, wh,
608 "%s", "DWDS not enabled");
610 vap->iv_stats.is_rx_wrongdir++;
613 /* check if source STA is associated */
614 if (ni == vap->iv_bss) {
615 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
616 wh, "data", "%s", "unknown src");
617 ieee80211_send_error(ni, wh->i_addr2,
618 IEEE80211_FC0_SUBTYPE_DEAUTH,
619 IEEE80211_REASON_NOT_AUTHED);
620 vap->iv_stats.is_rx_notassoc++;
623 if (ni->ni_associd == 0) {
624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
625 wh, "data", "%s", "unassoc src");
626 IEEE80211_SEND_MGMT(ni,
627 IEEE80211_FC0_SUBTYPE_DISASSOC,
628 IEEE80211_REASON_NOT_ASSOCED);
629 vap->iv_stats.is_rx_notassoc++;
634 * Check for power save state change.
635 * XXX out-of-order A-MPDU frames?
637 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
638 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
640 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
642 * For 4-address packets handle WDS discovery
643 * notifications. Once a WDS link is setup frames
644 * are just delivered to the WDS vap (see below).
646 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
647 if (!ieee80211_node_is_authorized(ni)) {
648 IEEE80211_DISCARD(vap,
649 IEEE80211_MSG_INPUT |
650 IEEE80211_MSG_WDS, wh,
652 "%s", "unauthorized port");
653 vap->iv_stats.is_rx_unauth++;
654 IEEE80211_NODE_STAT(ni, rx_unauth);
657 ieee80211_dwds_discover(ni, m);
662 * Handle A-MPDU re-ordering. If the frame is to be
663 * processed directly then ieee80211_ampdu_reorder
664 * will return 0; otherwise it has consumed the mbuf
665 * and we should do nothing more with it.
667 if ((m->m_flags & M_AMPDU) &&
668 ieee80211_ampdu_reorder(ni, m) != 0) {
675 * Handle privacy requirements. Note that we
676 * must not be preempted from here until after
677 * we (potentially) call ieee80211_crypto_demic;
678 * otherwise we may violate assumptions in the
679 * crypto cipher modules used to do delayed update
680 * of replay sequence numbers.
682 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
683 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
685 * Discard encrypted frames when privacy is off.
687 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
688 wh, "WEP", "%s", "PRIVACY off");
689 vap->iv_stats.is_rx_noprivacy++;
690 IEEE80211_NODE_STAT(ni, rx_noprivacy);
693 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
694 /* NB: stats+msgs handled in crypto_decap */
695 IEEE80211_NODE_STAT(ni, rx_wepfail);
698 wh = mtod(m, struct ieee80211_frame *);
699 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
702 /* XXX M_WEP and IEEE80211_F_PRIVACY */
707 * Save QoS bits for use below--before we strip the header.
709 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
710 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
711 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
712 ((struct ieee80211_qosframe *)wh)->i_qos[0];
717 * Next up, any fragmentation.
719 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
720 m = ieee80211_defrag(ni, m, hdrspace);
722 /* Fragment dropped or frame not complete yet */
726 wh = NULL; /* no longer valid, catch any uses */
729 * Next strip any MSDU crypto bits.
731 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
732 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
733 ni->ni_macaddr, "data", "%s", "demic error");
734 vap->iv_stats.is_rx_demicfail++;
735 IEEE80211_NODE_STAT(ni, rx_demicfail);
738 /* copy to listener after decrypt */
739 if (ieee80211_radiotap_active_vap(vap))
740 ieee80211_radiotap_rx(vap, m);
743 * Finally, strip the 802.11 header.
745 m = ieee80211_decap(vap, m, hdrspace);
747 /* XXX mask bit to check for both */
748 /* don't count Null data frames as errors */
749 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
750 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
752 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
753 ni->ni_macaddr, "data", "%s", "decap error");
754 vap->iv_stats.is_rx_decap++;
755 IEEE80211_NODE_STAT(ni, rx_decap);
758 eh = mtod(m, struct ether_header *);
759 if (!ieee80211_node_is_authorized(ni)) {
761 * Deny any non-PAE frames received prior to
762 * authorization. For open/shared-key
763 * authentication the port is mark authorized
764 * after authentication completes. For 802.1x
765 * the port is not marked authorized by the
766 * authenticator until the handshake has completed.
768 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
769 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
770 eh->ether_shost, "data",
771 "unauthorized port: ether type 0x%x len %u",
772 eh->ether_type, m->m_pkthdr.len);
773 vap->iv_stats.is_rx_unauth++;
774 IEEE80211_NODE_STAT(ni, rx_unauth);
779 * When denying unencrypted frames, discard
780 * any non-PAE frames received without encryption.
782 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
783 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
784 (is_hw_decrypted == 0) &&
785 eh->ether_type != htons(ETHERTYPE_PAE)) {
787 * Drop unencrypted frames.
789 vap->iv_stats.is_rx_unencrypted++;
790 IEEE80211_NODE_STAT(ni, rx_unencrypted);
794 /* XXX require HT? */
795 if (qos & IEEE80211_QOS_AMSDU) {
796 m = ieee80211_decap_amsdu(ni, m);
798 return IEEE80211_FC0_TYPE_DATA;
800 #ifdef IEEE80211_SUPPORT_SUPERG
801 m = ieee80211_decap_fastframe(vap, ni, m);
803 return IEEE80211_FC0_TYPE_DATA;
806 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
807 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
809 hostap_deliver_data(vap, ni, m);
810 return IEEE80211_FC0_TYPE_DATA;
812 case IEEE80211_FC0_TYPE_MGT:
813 vap->iv_stats.is_rx_mgmt++;
814 IEEE80211_NODE_STAT(ni, rx_mgmt);
815 if (dir != IEEE80211_FC1_DIR_NODS) {
816 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
817 wh, "mgt", "incorrect dir 0x%x", dir);
818 vap->iv_stats.is_rx_wrongdir++;
821 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
822 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
823 ni->ni_macaddr, "mgt", "too short: len %u",
825 vap->iv_stats.is_rx_tooshort++;
828 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
829 /* ensure return frames are unicast */
830 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
831 wh, NULL, "source is multicast: %s",
832 ether_sprintf(wh->i_addr2));
833 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
836 #ifdef IEEE80211_DEBUG
837 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
838 ieee80211_msg_dumppkts(vap)) {
839 if_printf(ifp, "received %s from %s rssi %d\n",
840 ieee80211_mgt_subtype_name(subtype),
841 ether_sprintf(wh->i_addr2), rssi);
844 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
845 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
847 * Only shared key auth frames with a challenge
848 * should be encrypted, discard all others.
850 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
852 "%s", "WEP set but not permitted");
853 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
856 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
858 * Discard encrypted frames when privacy is off.
860 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
861 wh, NULL, "%s", "WEP set but PRIVACY off");
862 vap->iv_stats.is_rx_noprivacy++;
865 hdrspace = ieee80211_hdrspace(ic, wh);
866 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
867 /* NB: stats+msgs handled in crypto_decap */
870 wh = mtod(m, struct ieee80211_frame *);
871 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
875 * Pass the packet to radiotap before calling iv_recv_mgmt().
876 * Otherwise iv_recv_mgmt() might pass another packet to
877 * radiotap, resulting in out of order packet captures.
879 if (ieee80211_radiotap_active_vap(vap))
880 ieee80211_radiotap_rx(vap, m);
882 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
885 case IEEE80211_FC0_TYPE_CTL:
886 vap->iv_stats.is_rx_ctl++;
887 IEEE80211_NODE_STAT(ni, rx_ctrl);
888 vap->iv_recv_ctl(ni, m, subtype);
891 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
892 wh, "bad", "frame type 0x%x", type);
893 /* should not come here */
897 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
900 if (need_tap && ieee80211_radiotap_active_vap(vap))
901 ieee80211_radiotap_rx(vap, m);
908 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
909 int rssi, int nf, uint16_t seq, uint16_t status)
911 struct ieee80211vap *vap = ni->ni_vap;
913 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
915 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
916 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
917 ni->ni_macaddr, "open auth",
918 "bad sta auth mode %u", ni->ni_authmode);
919 vap->iv_stats.is_rx_bad_auth++; /* XXX */
921 * Clear any challenge text that may be there if
922 * a previous shared key auth failed and then an
923 * open auth is attempted.
925 if (ni->ni_challenge != NULL) {
926 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
927 ni->ni_challenge = NULL;
929 /* XXX hack to workaround calling convention */
930 ieee80211_send_error(ni, wh->i_addr2,
931 IEEE80211_FC0_SUBTYPE_AUTH,
932 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
935 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
936 vap->iv_stats.is_rx_bad_auth++;
939 /* always accept open authentication requests */
940 if (ni == vap->iv_bss) {
941 ni = ieee80211_dup_bss(vap, wh->i_addr2);
944 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
945 (void) ieee80211_ref_node(ni);
947 * Mark the node as referenced to reflect that it's
948 * reference count has been bumped to insure it remains
949 * after the transaction completes.
951 ni->ni_flags |= IEEE80211_NODE_AREF;
953 * Mark the node as requiring a valid association id
954 * before outbound traffic is permitted.
956 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
958 if (vap->iv_acl != NULL &&
959 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
961 * When the ACL policy is set to RADIUS we defer the
962 * authorization to a user agent. Dispatch an event,
963 * a subsequent MLME call will decide the fate of the
964 * station. If the user agent is not present then the
965 * node will be reclaimed due to inactivity.
967 IEEE80211_NOTE_MAC(vap,
968 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
969 "%s", "station authentication defered (radius acl)");
970 ieee80211_notify_node_auth(ni);
972 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
973 IEEE80211_NOTE_MAC(vap,
974 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
975 "%s", "station authenticated (open)");
977 * When 802.1x is not in use mark the port
978 * authorized at this point so traffic can flow.
980 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
981 ieee80211_node_authorize(ni);
986 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
987 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
988 uint16_t seq, uint16_t status)
990 struct ieee80211vap *vap = ni->ni_vap;
992 int allocbs, estatus;
994 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
997 * NB: this can happen as we allow pre-shared key
998 * authentication to be enabled w/o wep being turned
999 * on so that configuration of these can be done
1000 * in any order. It may be better to enforce the
1001 * ordering in which case this check would just be
1002 * for sanity/consistency.
1004 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1005 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1006 ni->ni_macaddr, "shared key auth",
1007 "%s", " PRIVACY is disabled");
1008 estatus = IEEE80211_STATUS_ALG;
1012 * Pre-shared key authentication is evil; accept
1013 * it only if explicitly configured (it is supported
1014 * mainly for compatibility with clients like Mac OS X).
1016 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1017 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1018 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1019 ni->ni_macaddr, "shared key auth",
1020 "bad sta auth mode %u", ni->ni_authmode);
1021 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1022 estatus = IEEE80211_STATUS_ALG;
1027 if (frm + 1 < efrm) {
1028 if ((frm[1] + 2) > (efrm - frm)) {
1029 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1030 ni->ni_macaddr, "shared key auth",
1031 "ie %d/%d too long",
1032 frm[0], (frm[1] + 2) - (efrm - frm));
1033 vap->iv_stats.is_rx_bad_auth++;
1034 estatus = IEEE80211_STATUS_CHALLENGE;
1037 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1042 case IEEE80211_AUTH_SHARED_CHALLENGE:
1043 case IEEE80211_AUTH_SHARED_RESPONSE:
1044 if (challenge == NULL) {
1045 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1046 ni->ni_macaddr, "shared key auth",
1047 "%s", "no challenge");
1048 vap->iv_stats.is_rx_bad_auth++;
1049 estatus = IEEE80211_STATUS_CHALLENGE;
1052 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1053 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1054 ni->ni_macaddr, "shared key auth",
1055 "bad challenge len %d", challenge[1]);
1056 vap->iv_stats.is_rx_bad_auth++;
1057 estatus = IEEE80211_STATUS_CHALLENGE;
1064 case IEEE80211_AUTH_SHARED_REQUEST:
1065 if (ni == vap->iv_bss) {
1066 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1068 /* NB: no way to return an error */
1073 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1074 (void) ieee80211_ref_node(ni);
1078 * Mark the node as referenced to reflect that it's
1079 * reference count has been bumped to insure it remains
1080 * after the transaction completes.
1082 ni->ni_flags |= IEEE80211_NODE_AREF;
1084 * Mark the node as requiring a valid association id
1085 * before outbound traffic is permitted.
1087 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1088 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1090 if (!ieee80211_alloc_challenge(ni)) {
1091 /* NB: don't return error so they rexmit */
1094 get_random_bytes(ni->ni_challenge,
1095 IEEE80211_CHALLENGE_LEN);
1096 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1097 ni, "shared key %sauth request", allocbs ? "" : "re");
1099 * When the ACL policy is set to RADIUS we defer the
1100 * authorization to a user agent. Dispatch an event,
1101 * a subsequent MLME call will decide the fate of the
1102 * station. If the user agent is not present then the
1103 * node will be reclaimed due to inactivity.
1105 if (vap->iv_acl != NULL &&
1106 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1107 IEEE80211_NOTE_MAC(vap,
1108 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1110 "%s", "station authentication defered (radius acl)");
1111 ieee80211_notify_node_auth(ni);
1115 case IEEE80211_AUTH_SHARED_RESPONSE:
1116 if (ni == vap->iv_bss) {
1117 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1118 ni->ni_macaddr, "shared key response",
1119 "%s", "unknown station");
1120 /* NB: don't send a response */
1123 if (ni->ni_challenge == NULL) {
1124 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1125 ni->ni_macaddr, "shared key response",
1126 "%s", "no challenge recorded");
1127 vap->iv_stats.is_rx_bad_auth++;
1128 estatus = IEEE80211_STATUS_CHALLENGE;
1131 if (memcmp(ni->ni_challenge, &challenge[2],
1132 challenge[1]) != 0) {
1133 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1134 ni->ni_macaddr, "shared key response",
1135 "%s", "challenge mismatch");
1136 vap->iv_stats.is_rx_auth_fail++;
1137 estatus = IEEE80211_STATUS_CHALLENGE;
1140 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1141 ni, "%s", "station authenticated (shared key)");
1142 ieee80211_node_authorize(ni);
1145 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1146 ni->ni_macaddr, "shared key auth",
1148 vap->iv_stats.is_rx_bad_auth++;
1149 estatus = IEEE80211_STATUS_SEQUENCE;
1152 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1156 * Send an error response; but only when operating as an AP.
1158 /* XXX hack to workaround calling convention */
1159 ieee80211_send_error(ni, wh->i_addr2,
1160 IEEE80211_FC0_SUBTYPE_AUTH,
1161 (seq + 1) | (estatus<<16));
1165 * Convert a WPA cipher selector OUI to an internal
1166 * cipher algorithm. Where appropriate we also
1167 * record any key length.
1170 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1172 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1173 uint32_t w = le32dec(sel);
1176 case WPA_SEL(WPA_CSE_NULL):
1177 *cipher = IEEE80211_CIPHER_NONE;
1179 case WPA_SEL(WPA_CSE_WEP40):
1181 *keylen = 40 / NBBY;
1182 *cipher = IEEE80211_CIPHER_WEP;
1184 case WPA_SEL(WPA_CSE_WEP104):
1186 *keylen = 104 / NBBY;
1187 *cipher = IEEE80211_CIPHER_WEP;
1189 case WPA_SEL(WPA_CSE_TKIP):
1190 *cipher = IEEE80211_CIPHER_TKIP;
1192 case WPA_SEL(WPA_CSE_CCMP):
1193 *cipher = IEEE80211_CIPHER_AES_CCM;
1204 * Convert a WPA key management/authentication algorithm
1205 * to an internal code.
1208 wpa_keymgmt(const uint8_t *sel)
1210 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1211 uint32_t w = le32dec(sel);
1214 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1215 return WPA_ASE_8021X_UNSPEC;
1216 case WPA_SEL(WPA_ASE_8021X_PSK):
1217 return WPA_ASE_8021X_PSK;
1218 case WPA_SEL(WPA_ASE_NONE):
1219 return WPA_ASE_NONE;
1221 return 0; /* NB: so is discarded */
1226 * Parse a WPA information element to collect parameters.
1227 * Note that we do not validate security parameters; that
1228 * is handled by the authenticator; the parsing done here
1229 * is just for internal use in making operational decisions.
1232 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1233 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1235 uint8_t len = frm[1];
1240 * Check the length once for fixed parts: OUI, type,
1241 * version, mcast cipher, and 2 selector counts.
1242 * Other, variable-length data, must be checked separately.
1244 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1245 IEEE80211_DISCARD_IE(vap,
1246 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1247 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1248 return IEEE80211_REASON_IE_INVALID;
1251 IEEE80211_DISCARD_IE(vap,
1252 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1253 wh, "WPA", "too short, len %u", len);
1254 return IEEE80211_REASON_IE_INVALID;
1256 frm += 6, len -= 4; /* NB: len is payload only */
1257 /* NB: iswpaoui already validated the OUI and type */
1259 if (w != WPA_VERSION) {
1260 IEEE80211_DISCARD_IE(vap,
1261 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1262 wh, "WPA", "bad version %u", w);
1263 return IEEE80211_REASON_IE_INVALID;
1267 memset(rsn, 0, sizeof(*rsn));
1269 /* multicast/group cipher */
1270 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1272 IEEE80211_DISCARD_IE(vap,
1273 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1274 wh, "WPA", "unknown mcast cipher suite %08X",
1276 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1280 /* unicast ciphers */
1284 IEEE80211_DISCARD_IE(vap,
1285 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1286 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1288 return IEEE80211_REASON_IE_INVALID;
1291 for (; n > 0; n--) {
1294 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1301 IEEE80211_DISCARD_IE(vap,
1302 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1303 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1305 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1308 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1309 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1311 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1313 /* key management algorithms */
1317 IEEE80211_DISCARD_IE(vap,
1318 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1319 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1321 return IEEE80211_REASON_IE_INVALID;
1324 for (; n > 0; n--) {
1325 w |= wpa_keymgmt(frm);
1328 if (w & WPA_ASE_8021X_UNSPEC)
1329 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1331 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1333 if (len > 2) /* optional capabilities */
1334 rsn->rsn_caps = le16dec(frm);
1340 * Convert an RSN cipher selector OUI to an internal
1341 * cipher algorithm. Where appropriate we also
1342 * record any key length.
1345 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1347 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1348 uint32_t w = le32dec(sel);
1351 case RSN_SEL(RSN_CSE_NULL):
1352 *cipher = IEEE80211_CIPHER_NONE;
1354 case RSN_SEL(RSN_CSE_WEP40):
1356 *keylen = 40 / NBBY;
1357 *cipher = IEEE80211_CIPHER_WEP;
1359 case RSN_SEL(RSN_CSE_WEP104):
1361 *keylen = 104 / NBBY;
1362 *cipher = IEEE80211_CIPHER_WEP;
1364 case RSN_SEL(RSN_CSE_TKIP):
1365 *cipher = IEEE80211_CIPHER_TKIP;
1367 case RSN_SEL(RSN_CSE_CCMP):
1368 *cipher = IEEE80211_CIPHER_AES_CCM;
1370 case RSN_SEL(RSN_CSE_WRAP):
1371 *cipher = IEEE80211_CIPHER_AES_OCB;
1382 * Convert an RSN key management/authentication algorithm
1383 * to an internal code.
1386 rsn_keymgmt(const uint8_t *sel)
1388 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1389 uint32_t w = le32dec(sel);
1392 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1393 return RSN_ASE_8021X_UNSPEC;
1394 case RSN_SEL(RSN_ASE_8021X_PSK):
1395 return RSN_ASE_8021X_PSK;
1396 case RSN_SEL(RSN_ASE_NONE):
1397 return RSN_ASE_NONE;
1399 return 0; /* NB: so is discarded */
1404 * Parse a WPA/RSN information element to collect parameters
1405 * and validate the parameters against what has been
1406 * configured for the system.
1409 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1410 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1412 uint8_t len = frm[1];
1417 * Check the length once for fixed parts:
1418 * version, mcast cipher, and 2 selector counts.
1419 * Other, variable-length data, must be checked separately.
1421 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1422 IEEE80211_DISCARD_IE(vap,
1423 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1424 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1425 return IEEE80211_REASON_IE_INVALID;
1427 /* XXX may be shorter */
1429 IEEE80211_DISCARD_IE(vap,
1430 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1431 wh, "RSN", "too short, len %u", len);
1432 return IEEE80211_REASON_IE_INVALID;
1436 if (w != RSN_VERSION) {
1437 IEEE80211_DISCARD_IE(vap,
1438 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1439 wh, "RSN", "bad version %u", w);
1440 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1444 memset(rsn, 0, sizeof(*rsn));
1446 /* multicast/group cipher */
1447 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1449 IEEE80211_DISCARD_IE(vap,
1450 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1451 wh, "RSN", "unknown mcast cipher suite %08X",
1453 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1455 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1456 IEEE80211_DISCARD_IE(vap,
1457 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1458 wh, "RSN", "invalid mcast cipher suite %d",
1459 rsn->rsn_mcastcipher);
1460 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1464 /* unicast ciphers */
1468 IEEE80211_DISCARD_IE(vap,
1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1470 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1472 return IEEE80211_REASON_IE_INVALID;
1476 for (; n > 0; n--) {
1479 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1485 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1486 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1487 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1488 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1489 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1490 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1491 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1492 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1493 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1494 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1496 IEEE80211_DISCARD_IE(vap,
1497 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1498 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1500 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1503 /* key management algorithms */
1507 IEEE80211_DISCARD_IE(vap,
1508 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1509 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1511 return IEEE80211_REASON_IE_INVALID;
1514 for (; n > 0; n--) {
1515 w |= rsn_keymgmt(frm);
1518 if (w & RSN_ASE_8021X_UNSPEC)
1519 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1521 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1523 /* optional RSN capabilities */
1525 rsn->rsn_caps = le16dec(frm);
1532 * WPA/802.11i association request processing.
1535 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1536 const struct ieee80211_frame *wh, const uint8_t *wpa,
1537 const uint8_t *rsn, uint16_t capinfo)
1539 struct ieee80211vap *vap = ni->ni_vap;
1543 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1544 if (wpa == NULL && rsn == NULL) {
1545 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1547 * W-Fi Protected Setup (WPS) permits
1548 * clients to associate and pass EAPOL frames
1549 * to establish initial credentials.
1551 ni->ni_flags |= IEEE80211_NODE_WPS;
1554 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1555 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1557 * Transitional Security Network. Permits clients
1558 * to associate and use WEP while WPA is configured.
1560 ni->ni_flags |= IEEE80211_NODE_TSN;
1563 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1564 wh, NULL, "%s", "no WPA/RSN IE in association request");
1565 vap->iv_stats.is_rx_assoc_badwpaie++;
1566 reason = IEEE80211_REASON_IE_INVALID;
1569 /* assert right association security credentials */
1570 badwparsn = 0; /* NB: to silence compiler */
1571 switch (vap->iv_flags & IEEE80211_F_WPA) {
1572 case IEEE80211_F_WPA1:
1573 badwparsn = (wpa == NULL);
1575 case IEEE80211_F_WPA2:
1576 badwparsn = (rsn == NULL);
1578 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1579 badwparsn = (wpa == NULL && rsn == NULL);
1583 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1585 "%s", "missing WPA/RSN IE in association request");
1586 vap->iv_stats.is_rx_assoc_badwpaie++;
1587 reason = IEEE80211_REASON_IE_INVALID;
1591 * Parse WPA/RSN information element.
1594 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1596 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1598 /* XXX wpa->rsn fallback? */
1599 /* XXX distinguish WPA/RSN? */
1600 vap->iv_stats.is_rx_assoc_badwpaie++;
1603 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1604 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1605 wpa != NULL ? "WPA" : "RSN",
1606 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1607 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1608 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1612 ieee80211_node_deauth(ni, reason);
1616 /* XXX find a better place for definition */
1617 struct l2_update_frame {
1618 struct ether_header eh;
1626 * Deliver a TGf L2UF frame on behalf of a station.
1627 * This primes any bridge when the station is roaming
1628 * between ap's on the same wired network.
1631 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1633 struct ieee80211vap *vap = ni->ni_vap;
1634 struct ifnet *ifp = vap->iv_ifp;
1636 struct l2_update_frame *l2uf;
1637 struct ether_header *eh;
1639 m = m_gethdr(M_NOWAIT, MT_DATA);
1641 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1642 "%s", "no mbuf for l2uf frame");
1643 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1646 l2uf = mtod(m, struct l2_update_frame *);
1648 /* dst: Broadcast address */
1649 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1650 /* src: associated STA */
1651 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1652 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1656 l2uf->control = 0xf5;
1657 l2uf->xid[0] = 0x81;
1658 l2uf->xid[1] = 0x80;
1659 l2uf->xid[2] = 0x00;
1661 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1662 hostap_deliver_data(vap, ni, m);
1666 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1667 int reassoc, int resp, const char *tag, int rate)
1669 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1670 "deny %s request, %s rate set mismatch, rate/MCS %d",
1671 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1672 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1673 ieee80211_node_leave(ni);
1677 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1678 int reassoc, int resp, const char *tag, int capinfo)
1680 struct ieee80211vap *vap = ni->ni_vap;
1682 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1683 "deny %s request, %s mismatch 0x%x",
1684 reassoc ? "reassoc" : "assoc", tag, capinfo);
1685 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1686 ieee80211_node_leave(ni);
1687 vap->iv_stats.is_rx_assoc_capmismatch++;
1691 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1692 int reassoc, int resp)
1694 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1695 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1696 /* XXX no better code */
1697 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1698 ieee80211_node_leave(ni);
1702 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1703 int algo, int seq, int status)
1705 struct ieee80211vap *vap = ni->ni_vap;
1707 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1708 wh, NULL, "unsupported alg %d", algo);
1709 vap->iv_stats.is_rx_auth_unsupported++;
1710 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1711 seq | (status << 16));
1715 ishtmixed(const uint8_t *ie)
1717 const struct ieee80211_ie_htinfo *ht =
1718 (const struct ieee80211_ie_htinfo *) ie;
1719 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1720 IEEE80211_HTINFO_OPMODE_MIXED;
1724 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1726 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1729 /* NB: the 11b clients we care about will not have xrates */
1730 if (xrates != NULL || rates == NULL)
1732 for (i = 0; i < rates[1]; i++) {
1733 int r = rates[2+i] & IEEE80211_RATE_VAL;
1734 if (r > 2*11 || ((1<<r) & brates) == 0)
1741 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1742 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1744 struct ieee80211vap *vap = ni->ni_vap;
1745 struct ieee80211com *ic = ni->ni_ic;
1746 struct ieee80211_frame *wh;
1747 uint8_t *frm, *efrm, *sfrm;
1748 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1749 uint8_t *vhtcap, *vhtinfo;
1753 wh = mtod(m0, struct ieee80211_frame *);
1754 frm = (uint8_t *)&wh[1];
1755 efrm = mtod(m0, uint8_t *) + m0->m_len;
1757 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1759 * We process beacon/probe response frames when scanning;
1760 * otherwise we check beacon frames for overlapping non-ERP
1761 * BSS in 11g and/or overlapping legacy BSS when in HT.
1763 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1764 vap->iv_stats.is_rx_mgtdiscard++;
1768 case IEEE80211_FC0_SUBTYPE_BEACON: {
1769 struct ieee80211_scanparams scan;
1771 /* NB: accept off-channel frames */
1772 /* XXX TODO: use rxstatus to determine off-channel details */
1773 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1776 * Count frame now that we know it's to be processed.
1778 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1779 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1780 IEEE80211_NODE_STAT(ni, rx_beacons);
1782 IEEE80211_NODE_STAT(ni, rx_proberesp);
1784 * If scanning, just pass information to the scan module.
1786 if (ic->ic_flags & IEEE80211_F_SCAN) {
1787 if (scan.status == 0 && /* NB: on channel */
1788 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1790 * Actively scanning a channel marked passive;
1791 * send a probe request now that we know there
1792 * is 802.11 traffic present.
1794 * XXX check if the beacon we recv'd gives
1795 * us what we need and suppress the probe req
1797 ieee80211_probe_curchan(vap, 1);
1798 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1800 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1805 * Check beacon for overlapping bss w/ non ERP stations.
1806 * If we detect one and protection is configured but not
1807 * enabled, enable it and start a timer that'll bring us
1808 * out if we stop seeing the bss.
1810 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1811 scan.status == 0 && /* NB: on-channel */
1812 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1813 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1814 ic->ic_lastnonerp = ticks;
1815 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1816 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1817 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1818 IEEE80211_NOTE_FRAME(vap,
1819 IEEE80211_MSG_ASSOC, wh,
1820 "non-ERP present on channel %d "
1821 "(saw erp 0x%x from channel %d), "
1822 "enable use of protection",
1823 ic->ic_curchan->ic_ieee,
1824 scan.erp, scan.chan);
1825 ic->ic_flags |= IEEE80211_F_USEPROT;
1826 ieee80211_notify_erp(ic);
1830 * Check beacon for non-HT station on HT channel
1831 * and update HT BSS occupancy as appropriate.
1833 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1834 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1836 * Off control channel; only check frames
1837 * that come in the extension channel when
1838 * operating w/ HT40.
1840 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1842 if (scan.chan != ic->ic_curchan->ic_extieee)
1845 if (scan.htinfo == NULL) {
1846 ieee80211_htprot_update(ic,
1847 IEEE80211_HTINFO_OPMODE_PROTOPT |
1848 IEEE80211_HTINFO_NONHT_PRESENT);
1849 } else if (ishtmixed(scan.htinfo)) {
1850 /* XXX? take NONHT_PRESENT from beacon? */
1851 ieee80211_htprot_update(ic,
1852 IEEE80211_HTINFO_OPMODE_MIXED |
1853 IEEE80211_HTINFO_NONHT_PRESENT);
1859 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1860 if (vap->iv_state != IEEE80211_S_RUN) {
1861 vap->iv_stats.is_rx_mgtdiscard++;
1865 * Consult the ACL policy module if setup.
1867 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1868 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1869 wh, NULL, "%s", "disallowed by ACL");
1870 vap->iv_stats.is_rx_acl++;
1874 * prreq frame format
1876 * [tlv] supported rates
1877 * [tlv] extended supported rates
1879 ssid = rates = xrates = NULL;
1880 while (efrm - frm > 1) {
1881 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1883 case IEEE80211_ELEMID_SSID:
1886 case IEEE80211_ELEMID_RATES:
1889 case IEEE80211_ELEMID_XRATES:
1895 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1897 IEEE80211_VERIFY_ELEMENT(xrates,
1898 IEEE80211_RATE_MAXSIZE - rates[1], return);
1899 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1900 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1901 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1902 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1904 "%s", "no ssid with ssid suppression enabled");
1905 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1909 /* XXX find a better class or define it's own */
1910 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1911 "%s", "recv probe req");
1913 * Some legacy 11b clients cannot hack a complete
1914 * probe response frame. When the request includes
1915 * only a bare-bones rate set, communicate this to
1916 * the transmit side.
1918 ieee80211_send_proberesp(vap, wh->i_addr2,
1919 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1922 case IEEE80211_FC0_SUBTYPE_AUTH: {
1923 uint16_t algo, seq, status;
1925 if (vap->iv_state != IEEE80211_S_RUN) {
1926 vap->iv_stats.is_rx_mgtdiscard++;
1929 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1930 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1931 wh, NULL, "%s", "wrong bssid");
1932 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1942 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1943 algo = le16toh(*(uint16_t *)frm);
1944 seq = le16toh(*(uint16_t *)(frm + 2));
1945 status = le16toh(*(uint16_t *)(frm + 4));
1946 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1947 "recv auth frame with algorithm %d seq %d", algo, seq);
1949 * Consult the ACL policy module if setup.
1951 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1952 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1953 wh, NULL, "%s", "disallowed by ACL");
1954 vap->iv_stats.is_rx_acl++;
1955 ieee80211_send_error(ni, wh->i_addr2,
1956 IEEE80211_FC0_SUBTYPE_AUTH,
1957 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1960 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1961 IEEE80211_DISCARD(vap,
1962 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1963 wh, NULL, "%s", "TKIP countermeasures enabled");
1964 vap->iv_stats.is_rx_auth_countermeasures++;
1965 ieee80211_send_error(ni, wh->i_addr2,
1966 IEEE80211_FC0_SUBTYPE_AUTH,
1967 IEEE80211_REASON_MIC_FAILURE);
1970 if (algo == IEEE80211_AUTH_ALG_SHARED)
1971 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1973 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1974 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1975 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1976 authalgreject(ni, wh, algo,
1977 seq+1, IEEE80211_STATUS_ALG);
1981 * We assume that an unknown algorithm is the result
1982 * of a decryption failure on a shared key auth frame;
1983 * return a status code appropriate for that instead
1984 * of IEEE80211_STATUS_ALG.
1986 * NB: a seq# of 4 is intentional; the decrypted
1987 * frame likely has a bogus seq value.
1989 authalgreject(ni, wh, algo,
1990 4, IEEE80211_STATUS_CHALLENGE);
1996 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1997 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1998 uint16_t capinfo, lintval;
1999 struct ieee80211_rsnparms rsnparms;
2001 if (vap->iv_state != IEEE80211_S_RUN) {
2002 vap->iv_stats.is_rx_mgtdiscard++;
2005 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2006 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2007 wh, NULL, "%s", "wrong bssid");
2008 vap->iv_stats.is_rx_assoc_bss++;
2011 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2013 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2016 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2018 if (ni == vap->iv_bss) {
2019 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2020 "deny %s request, sta not authenticated",
2021 reassoc ? "reassoc" : "assoc");
2022 ieee80211_send_error(ni, wh->i_addr2,
2023 IEEE80211_FC0_SUBTYPE_DEAUTH,
2024 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2025 vap->iv_stats.is_rx_assoc_notauth++;
2030 * asreq frame format
2031 * [2] capability information
2032 * [2] listen interval
2033 * [6*] current AP address (reassoc only)
2035 * [tlv] supported rates
2036 * [tlv] extended supported rates
2038 * [tlv] HT capabilities
2039 * [tlv] Atheros capabilities
2041 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2042 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2043 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2045 frm += 6; /* ignore current AP info */
2046 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2047 vhtcap = vhtinfo = NULL;
2049 while (efrm - frm > 1) {
2050 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2052 case IEEE80211_ELEMID_SSID:
2055 case IEEE80211_ELEMID_RATES:
2058 case IEEE80211_ELEMID_XRATES:
2061 case IEEE80211_ELEMID_RSN:
2064 case IEEE80211_ELEMID_HTCAP:
2067 case IEEE80211_ELEMID_VHT_CAP:
2070 case IEEE80211_ELEMID_VHT_OPMODE:
2073 case IEEE80211_ELEMID_VENDOR:
2076 else if (iswmeinfo(frm))
2078 #ifdef IEEE80211_SUPPORT_SUPERG
2079 else if (isatherosoui(frm))
2082 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2083 if (ishtcapoui(frm) && htcap == NULL)
2090 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2092 IEEE80211_VERIFY_ELEMENT(xrates,
2093 IEEE80211_RATE_MAXSIZE - rates[1], return);
2094 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2095 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2096 if (htcap != NULL) {
2097 IEEE80211_VERIFY_LENGTH(htcap[1],
2098 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2099 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2100 sizeof(struct ieee80211_ie_htcap)-2,
2101 return); /* XXX just NULL out? */
2104 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2105 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2107 /* discard challenge after association */
2108 if (ni->ni_challenge != NULL) {
2109 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2110 ni->ni_challenge = NULL;
2112 /* NB: 802.11 spec says to ignore station's privacy bit */
2113 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2114 capinfomismatch(ni, wh, reassoc, resp,
2115 "capability", capinfo);
2119 * Disallow re-associate w/ invalid slot time setting.
2121 if (ni->ni_associd != 0 &&
2122 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2123 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2124 capinfomismatch(ni, wh, reassoc, resp,
2125 "slot time", capinfo);
2128 rate = ieee80211_setup_rates(ni, rates, xrates,
2129 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2130 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2131 if (rate & IEEE80211_RATE_BASIC) {
2132 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2133 vap->iv_stats.is_rx_assoc_norate++;
2137 * If constrained to 11g-only stations reject an
2138 * 11b-only station. We cheat a bit here by looking
2139 * at the max negotiated xmit rate and assuming anyone
2140 * with a best rate <24Mb/s is an 11b station.
2142 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2143 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2144 vap->iv_stats.is_rx_assoc_norate++;
2149 * Do HT rate set handling and setup HT node state.
2151 ni->ni_chan = vap->iv_bss->ni_chan;
2154 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan)) {
2155 /* XXX TODO; see below */
2156 printf("%s: VHT TODO!\n", __func__);
2157 ieee80211_vht_node_init(ni);
2158 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2159 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2160 ieee80211_vht_node_cleanup(ni);
2163 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2164 rate = ieee80211_setup_htrates(ni, htcap,
2165 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2167 if (rate & IEEE80211_RATE_BASIC) {
2168 ratesetmismatch(ni, wh, reassoc, resp,
2170 vap->iv_stats.is_ht_assoc_norate++;
2173 ieee80211_ht_node_init(ni);
2174 ieee80211_ht_updatehtcap(ni, htcap);
2175 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2176 ieee80211_ht_node_cleanup(ni);
2178 /* Finally - this will use HT/VHT info to change node channel */
2179 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2180 ieee80211_ht_updatehtcap_final(ni);
2183 #ifdef IEEE80211_SUPPORT_SUPERG
2184 /* Always do ff node cleanup; for A-MSDU */
2185 ieee80211_ff_node_cleanup(ni);
2188 * Allow AMPDU operation only with unencrypted traffic
2189 * or AES-CCM; the 11n spec only specifies these ciphers
2190 * so permitting any others is undefined and can lead
2191 * to interoperability problems.
2193 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2194 (((vap->iv_flags & IEEE80211_F_WPA) &&
2195 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2196 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2198 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2199 "disallow HT use because WEP or TKIP requested, "
2200 "capinfo 0x%x ucastcipher %d", capinfo,
2201 rsnparms.rsn_ucastcipher);
2202 ieee80211_ht_node_cleanup(ni);
2203 #ifdef IEEE80211_SUPPORT_SUPERG
2204 /* Always do ff node cleanup; for A-MSDU */
2205 ieee80211_ff_node_cleanup(ni);
2207 vap->iv_stats.is_ht_assoc_downgrade++;
2210 * If constrained to 11n-only stations reject legacy stations.
2212 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2213 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2214 htcapmismatch(ni, wh, reassoc, resp);
2215 vap->iv_stats.is_ht_assoc_nohtcap++;
2218 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2220 ni->ni_intval = lintval;
2221 ni->ni_capinfo = capinfo;
2222 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2223 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2226 * XXX maybe better to just expand
2228 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2229 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2231 setie(wpa_ie, wpa - sfrm);
2233 setie(rsn_ie, rsn - sfrm);
2235 setie(htcap_ie, htcap - sfrm);
2237 setie(wme_ie, wme - sfrm);
2239 * Mark node as capable of QoS.
2241 ni->ni_flags |= IEEE80211_NODE_QOS;
2243 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2244 #ifdef IEEE80211_SUPPORT_SUPERG
2246 setie(ath_ie, ath - sfrm);
2248 * Parse ATH station parameters.
2250 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2253 ni->ni_ath_flags = 0;
2256 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2257 ni->ni_ath_flags = 0;
2259 ieee80211_node_join(ni, resp);
2260 ieee80211_deliver_l2uf(ni);
2264 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2265 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2268 if (vap->iv_state != IEEE80211_S_RUN ||
2269 /* NB: can happen when in promiscuous mode */
2270 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2271 vap->iv_stats.is_rx_mgtdiscard++;
2275 * deauth/disassoc frame format
2278 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2279 reason = le16toh(*(uint16_t *)frm);
2280 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2281 vap->iv_stats.is_rx_deauth++;
2282 IEEE80211_NODE_STAT(ni, rx_deauth);
2284 vap->iv_stats.is_rx_disassoc++;
2285 IEEE80211_NODE_STAT(ni, rx_disassoc);
2287 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2288 "recv %s (reason: %d (%s))",
2289 ieee80211_mgt_subtype_name(subtype),
2290 reason, ieee80211_reason_to_string(reason));
2291 if (ni != vap->iv_bss)
2292 ieee80211_node_leave(ni);
2296 case IEEE80211_FC0_SUBTYPE_ACTION:
2297 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2298 if (ni == vap->iv_bss) {
2299 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2300 wh, NULL, "%s", "unknown node");
2301 vap->iv_stats.is_rx_mgtdiscard++;
2302 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2303 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2304 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2305 wh, NULL, "%s", "not for us");
2306 vap->iv_stats.is_rx_mgtdiscard++;
2307 } else if (vap->iv_state != IEEE80211_S_RUN) {
2308 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2309 wh, NULL, "wrong state %s",
2310 ieee80211_state_name[vap->iv_state]);
2311 vap->iv_stats.is_rx_mgtdiscard++;
2313 if (ieee80211_parse_action(ni, m0) == 0)
2314 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2318 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2319 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2320 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2321 case IEEE80211_FC0_SUBTYPE_ATIM:
2322 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2323 wh, NULL, "%s", "not handled");
2324 vap->iv_stats.is_rx_mgtdiscard++;
2328 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2329 wh, "mgt", "subtype 0x%x not handled", subtype);
2330 vap->iv_stats.is_rx_badsubtype++;
2336 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2339 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2340 ni->ni_vap->iv_recv_pspoll(ni, m);
2342 case IEEE80211_FC0_SUBTYPE_BAR:
2343 ieee80211_recv_bar(ni, m);
2349 * Process a received ps-poll frame.
2352 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2354 struct ieee80211vap *vap = ni->ni_vap;
2355 struct ieee80211com *ic = vap->iv_ic;
2356 struct ieee80211_frame_min *wh;
2361 wh = mtod(m0, struct ieee80211_frame_min *);
2362 if (ni->ni_associd == 0) {
2363 IEEE80211_DISCARD(vap,
2364 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2365 (struct ieee80211_frame *) wh, NULL,
2366 "%s", "unassociated station");
2367 vap->iv_stats.is_ps_unassoc++;
2368 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2369 IEEE80211_REASON_NOT_ASSOCED);
2373 aid = le16toh(*(uint16_t *)wh->i_dur);
2374 if (aid != ni->ni_associd) {
2375 IEEE80211_DISCARD(vap,
2376 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2377 (struct ieee80211_frame *) wh, NULL,
2378 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2379 ni->ni_associd, aid);
2380 vap->iv_stats.is_ps_badaid++;
2382 * NB: We used to deauth the station but it turns out
2383 * the Blackberry Curve 8230 (and perhaps other devices)
2384 * sometimes send the wrong AID when WME is negotiated.
2385 * Being more lenient here seems ok as we already check
2386 * the station is associated and we only return frames
2387 * queued for the station (i.e. we don't use the AID).
2392 /* Okay, take the first queued packet and put it out... */
2393 m = ieee80211_node_psq_dequeue(ni, &qlen);
2395 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2396 "%s", "recv ps-poll, but queue empty");
2397 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2398 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2399 if (vap->iv_set_tim != NULL)
2400 vap->iv_set_tim(ni, 0); /* just in case */
2404 * If there are more packets, set the more packets bit
2405 * in the packet dispatched to the station; otherwise
2406 * turn off the TIM bit.
2409 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2410 "recv ps-poll, send packet, %u still queued", qlen);
2411 m->m_flags |= M_MORE_DATA;
2413 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2414 "%s", "recv ps-poll, send packet, queue empty");
2415 if (vap->iv_set_tim != NULL)
2416 vap->iv_set_tim(ni, 0);
2418 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2421 * Do the right thing; if it's an encap'ed frame then
2422 * call ieee80211_parent_xmitpkt() else
2423 * call ieee80211_vap_xmitpkt().
2425 if (m->m_flags & M_ENCAP) {
2426 (void) ieee80211_parent_xmitpkt(ic, m);
2428 (void) ieee80211_vap_xmitpkt(vap, m);