2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 * $FreeBSD: head/sys/net80211/ieee80211_hostap.c 203422 2010-02-03 10:07:43Z rpaulo $
29 * IEEE 802.11 HOSTAP mode support.
34 #include <sys/param.h>
35 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
45 #include <sys/sysctl.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/ifq_var.h>
51 #include <net/ethernet.h>
52 #include <net/route.h>
56 #include <netproto/802_11/ieee80211_var.h>
57 #include <netproto/802_11/ieee80211_hostap.h>
58 #include <netproto/802_11/ieee80211_input.h>
59 #ifdef IEEE80211_SUPPORT_SUPERG
60 #include <netproto/802_11/ieee80211_superg.h>
62 #include <netproto/802_11/ieee80211_wds.h>
64 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
66 static void hostap_vattach(struct ieee80211vap *);
67 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
68 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
70 static void hostap_deliver_data(struct ieee80211vap *,
71 struct ieee80211_node *, struct mbuf *);
72 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
73 int subtype, int rssi, int nf);
74 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
75 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
78 ieee80211_hostap_attach(struct ieee80211com *ic)
80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
84 ieee80211_hostap_detach(struct ieee80211com *ic)
89 hostap_vdetach(struct ieee80211vap *vap)
94 hostap_vattach(struct ieee80211vap *vap)
96 vap->iv_newstate = hostap_newstate;
97 vap->iv_input = hostap_input;
98 vap->iv_recv_mgmt = hostap_recv_mgmt;
99 vap->iv_recv_ctl = hostap_recv_ctl;
100 vap->iv_opdetach = hostap_vdetach;
101 vap->iv_deliver_data = hostap_deliver_data;
105 sta_disassoc(void *arg, struct ieee80211_node *ni)
107 struct ieee80211vap *vap = arg;
109 if (ni->ni_vap == vap && ni->ni_associd != 0) {
110 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
111 IEEE80211_REASON_ASSOC_LEAVE);
112 ieee80211_node_leave(ni);
117 sta_csa(void *arg, struct ieee80211_node *ni)
119 struct ieee80211vap *vap = arg;
121 if (ni->ni_vap == vap && ni->ni_associd != 0)
122 if (ni->ni_inact > vap->iv_inact_init) {
123 ni->ni_inact = vap->iv_inact_init;
124 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
125 "%s: inact %u", __func__, ni->ni_inact);
130 sta_drop(void *arg, struct ieee80211_node *ni)
132 struct ieee80211vap *vap = arg;
134 if (ni->ni_vap == vap && ni->ni_associd != 0)
135 ieee80211_node_leave(ni);
139 * Does a channel change require associated stations to re-associate
140 * so protocol state is correct. This is used when doing CSA across
141 * bands or similar (e.g. HT -> legacy).
144 isbandchange(struct ieee80211com *ic)
146 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
147 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
148 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
152 * IEEE80211_M_HOSTAP vap state machine handler.
155 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
157 struct ieee80211com *ic = vap->iv_ic;
158 enum ieee80211_state ostate;
159 char ethstr[ETHER_ADDRSTRLEN + 1];
161 ostate = vap->iv_state;
162 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
163 __func__, ieee80211_state_name[ostate],
164 ieee80211_state_name[nstate], arg);
165 vap->iv_state = nstate; /* state transition */
166 if (ostate != IEEE80211_S_SCAN)
167 ieee80211_cancel_scan(vap); /* background scan */
169 case IEEE80211_S_INIT:
171 case IEEE80211_S_SCAN:
172 ieee80211_cancel_scan(vap);
174 case IEEE80211_S_CAC:
175 ieee80211_dfs_cac_stop(vap);
177 case IEEE80211_S_RUN:
178 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
183 if (ostate != IEEE80211_S_INIT) {
184 /* NB: optimize INIT -> INIT case */
185 ieee80211_reset_bss(vap);
187 if (vap->iv_auth->ia_detach != NULL)
188 vap->iv_auth->ia_detach(vap);
190 case IEEE80211_S_SCAN:
192 case IEEE80211_S_CSA:
193 case IEEE80211_S_RUN:
194 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
196 * Clear overlapping BSS state; the beacon frame
197 * will be reconstructed on transition to the RUN
198 * state and the timeout routines check if the flag
199 * is set before doing anything so this is sufficient.
201 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
202 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
204 case IEEE80211_S_CAC:
206 * NB: We may get here because of a manual channel
207 * change in which case we need to stop CAC
208 * XXX no need to stop if ostate RUN but it's ok
210 ieee80211_dfs_cac_stop(vap);
212 case IEEE80211_S_INIT:
213 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
214 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
216 * Already have a channel; bypass the
217 * scan and startup immediately.
218 * ieee80211_create_ibss will call back to
219 * move us to RUN state.
221 ieee80211_create_ibss(vap, vap->iv_des_chan);
225 * Initiate a scan. We can come here as a result
226 * of an IEEE80211_IOC_SCAN_REQ too in which case
227 * the vap will be marked with IEEE80211_FEXT_SCANREQ
228 * and the scan request parameters will be present
229 * in iv_scanreq. Otherwise we do the default.
231 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
232 ieee80211_check_scan(vap,
233 vap->iv_scanreq_flags,
234 vap->iv_scanreq_duration,
235 vap->iv_scanreq_mindwell,
236 vap->iv_scanreq_maxdwell,
237 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
238 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
240 ieee80211_check_scan_current(vap);
242 case IEEE80211_S_SCAN:
244 * A state change requires a reset; scan.
246 ieee80211_check_scan_current(vap);
252 case IEEE80211_S_CAC:
254 * Start CAC on a DFS channel. We come here when starting
255 * a bss on a DFS channel (see ieee80211_create_ibss).
257 ieee80211_dfs_cac_start(vap);
259 case IEEE80211_S_RUN:
260 if (vap->iv_flags & IEEE80211_F_WPA) {
261 /* XXX validate prerequisites */
264 case IEEE80211_S_INIT:
266 * Already have a channel; bypass the
267 * scan and startup immediately.
268 * Note that ieee80211_create_ibss will call
269 * back to do a RUN->RUN state change.
271 ieee80211_create_ibss(vap,
272 ieee80211_ht_adjust_channel(ic,
273 ic->ic_curchan, vap->iv_flags_ht));
274 /* NB: iv_bss is changed on return */
276 case IEEE80211_S_CAC:
278 * NB: This is the normal state change when CAC
279 * expires and no radar was detected; no need to
280 * clear the CAC timer as it's already expired.
283 case IEEE80211_S_CSA:
285 * Shorten inactivity timer of associated stations
286 * to weed out sta's that don't follow a CSA.
288 ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
290 * Update bss node channel to reflect where
291 * we landed after CSA.
293 ieee80211_node_set_chan(vap->iv_bss,
294 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
295 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
296 /* XXX bypass debug msgs */
298 case IEEE80211_S_SCAN:
299 case IEEE80211_S_RUN:
300 #ifdef IEEE80211_DEBUG
301 if (ieee80211_msg_debug(vap)) {
302 struct ieee80211_node *ni = vap->iv_bss;
304 "synchronized with %s ssid ",
305 kether_ntoa(ni->ni_bssid, ethstr));
306 ieee80211_print_essid(ni->ni_essid,
309 kprintf(" channel %d start %uMb\n",
310 ieee80211_chan2ieee(ic, ic->ic_curchan),
311 IEEE80211_RATE2MBS(ni->ni_txrate));
319 * Start/stop the authenticator. We delay until here
320 * to allow configuration to happen out of order.
322 if (vap->iv_auth->ia_attach != NULL) {
323 /* XXX check failure */
324 vap->iv_auth->ia_attach(vap);
325 } else if (vap->iv_auth->ia_detach != NULL) {
326 vap->iv_auth->ia_detach(vap);
328 ieee80211_node_authorize(vap->iv_bss);
330 case IEEE80211_S_CSA:
331 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
333 * On a ``band change'' silently drop associated
334 * stations as they must re-associate before they
335 * can pass traffic (as otherwise protocol state
336 * such as capabilities and the negotiated rate
337 * set may/will be wrong).
339 ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
349 hostap_deliver_data(struct ieee80211vap *vap,
350 struct ieee80211_node *ni, struct mbuf *m)
352 struct ether_header *eh = mtod(m, struct ether_header *);
353 struct ifnet *ifp = vap->iv_ifp;
355 /* clear driver/net80211 flags before passing up */
356 m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST);
358 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
359 ("gack, opmode %d", vap->iv_opmode));
364 IEEE80211_NODE_STAT(ni, rx_data);
365 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
366 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
367 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
368 IEEE80211_NODE_STAT(ni, rx_mcast);
370 IEEE80211_NODE_STAT(ni, rx_ucast);
372 /* perform as a bridge within the AP */
373 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
374 struct mbuf *mcopy = NULL;
376 if (m->m_flags & M_MCAST) {
377 mcopy = m_dup(m, MB_DONTWAIT);
381 mcopy->m_flags |= M_MCAST;
384 * Check if the destination is associated with the
385 * same vap and authorized to receive traffic.
386 * Beware of traffic destined for the vap itself;
387 * sending it will not work; just let it be delivered
390 struct ieee80211_node *sta = ieee80211_find_vap_node(
391 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
393 if (ieee80211_node_is_authorized(sta)) {
395 * Beware of sending to ourself; this
396 * needs to happen via the normal
399 if (sta != vap->iv_bss) {
404 vap->iv_stats.is_rx_unauth++;
405 IEEE80211_NODE_STAT(sta, rx_unauth);
407 ieee80211_free_node(sta);
412 err = ieee80211_handoff(ifp, mcopy);
414 /* NB: IFQ_HANDOFF reclaims mcopy */
422 * Mark frame as coming from vap's interface.
424 m->m_pkthdr.rcvif = ifp;
425 if (m->m_flags & M_MCAST) {
427 * Spam DWDS vap's w/ multicast traffic.
429 /* XXX only if dwds in use? */
430 ieee80211_dwds_mcast(vap, m);
432 if (ni->ni_vlan != 0) {
433 /* attach vlan tag */
434 m->m_pkthdr.ether_vlantag = ni->ni_vlan;
435 m->m_flags |= M_VLANTAG;
437 ifp->if_input(ifp, m);
442 * Decide if a received management frame should be
443 * printed when debugging is enabled. This filters some
444 * of the less interesting frames that come frequently
448 doprint(struct ieee80211vap *vap, int subtype)
451 case IEEE80211_FC0_SUBTYPE_BEACON:
452 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
453 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
460 * Process a received frame. The node associated with the sender
461 * should be supplied. If nothing was found in the node table then
462 * the caller is assumed to supply a reference to iv_bss instead.
463 * The RSSI and a timestamp are also supplied. The RSSI data is used
464 * during AP scanning to select a AP to associate with; it can have
465 * any units so long as values have consistent units and higher values
466 * mean ``better signal''. The receive timestamp is currently not used
467 * by the 802.11 layer.
470 hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
472 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
473 #define HAS_SEQ(type) ((type & 0x4) == 0)
474 struct ieee80211vap *vap = ni->ni_vap;
475 struct ieee80211com *ic = ni->ni_ic;
476 struct ifnet *ifp = vap->iv_ifp;
477 struct ieee80211_frame *wh;
478 struct ieee80211_key *key;
479 struct ether_header *eh;
480 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
481 uint8_t dir, type, subtype, qos;
484 char ethstr[ETHER_ADDRSTRLEN + 1];
486 if (m->m_flags & M_AMPDU_MPDU) {
488 * Fastpath for A-MPDU reorder q resubmission. Frames
489 * w/ M_AMPDU_MPDU marked have already passed through
490 * here but were received out of order and been held on
491 * the reorder queue. When resubmitted they are marked
492 * with the M_AMPDU_MPDU flag and we can bypass most of
493 * the normal processing.
495 wh = mtod(m, struct ieee80211_frame *);
496 type = IEEE80211_FC0_TYPE_DATA;
497 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
498 subtype = IEEE80211_FC0_SUBTYPE_QOS;
499 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
503 KASSERT(ni != NULL, ("null node"));
504 ni->ni_inact = ni->ni_inact_reload;
506 type = -1; /* undefined */
508 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
509 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
510 ni->ni_macaddr, NULL,
511 "too short (1): len %u", m->m_pkthdr.len);
512 vap->iv_stats.is_rx_tooshort++;
516 * Bit of a cheat here, we use a pointer for a 3-address
517 * frame format but don't reference fields past outside
518 * ieee80211_frame_min w/o first validating the data is
521 wh = mtod(m, struct ieee80211_frame *);
523 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
524 IEEE80211_FC0_VERSION_0) {
525 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
526 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
527 wh->i_fc[0], wh->i_fc[1]);
528 vap->iv_stats.is_rx_badversion++;
532 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
533 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
534 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
535 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
536 if (dir != IEEE80211_FC1_DIR_NODS)
538 else if (type == IEEE80211_FC0_TYPE_CTL)
541 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
542 IEEE80211_DISCARD_MAC(vap,
543 IEEE80211_MSG_ANY, ni->ni_macaddr,
544 NULL, "too short (2): len %u",
546 vap->iv_stats.is_rx_tooshort++;
552 * Validate the bssid.
554 if (!(type == IEEE80211_FC0_TYPE_MGT &&
555 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
556 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
557 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
558 /* not interested in */
559 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
560 bssid, NULL, "%s", "not to bss");
561 vap->iv_stats.is_rx_wrongbss++;
565 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
568 uint8_t tid = ieee80211_gettid(wh);
569 if (IEEE80211_QOS_HAS_SEQ(wh) &&
570 TID_TO_WME_AC(tid) >= WME_AC_VI)
571 ic->ic_wme.wme_hipri_traffic++;
572 rxseq = le16toh(*(uint16_t *)wh->i_seq);
573 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
574 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
575 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
576 /* duplicate, discard */
577 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
579 "seqno <%u,%u> fragno <%u,%u> tid %u",
580 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
581 ni->ni_rxseqs[tid] >>
582 IEEE80211_SEQ_SEQ_SHIFT,
583 rxseq & IEEE80211_SEQ_FRAG_MASK,
585 IEEE80211_SEQ_FRAG_MASK,
587 vap->iv_stats.is_rx_dup++;
588 IEEE80211_NODE_STAT(ni, rx_dup);
591 ni->ni_rxseqs[tid] = rxseq;
596 case IEEE80211_FC0_TYPE_DATA:
597 hdrspace = ieee80211_hdrspace(ic, wh);
598 if (m->m_len < hdrspace &&
599 (m = m_pullup(m, hdrspace)) == NULL) {
600 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
601 ni->ni_macaddr, NULL,
602 "data too short: expecting %u", hdrspace);
603 vap->iv_stats.is_rx_tooshort++;
606 if (!(dir == IEEE80211_FC1_DIR_TODS ||
607 (dir == IEEE80211_FC1_DIR_DSTODS &&
608 (vap->iv_flags & IEEE80211_F_DWDS)))) {
609 if (dir != IEEE80211_FC1_DIR_DSTODS) {
610 IEEE80211_DISCARD(vap,
611 IEEE80211_MSG_INPUT, wh, "data",
612 "incorrect dir 0x%x", dir);
614 IEEE80211_DISCARD(vap,
615 IEEE80211_MSG_INPUT |
616 IEEE80211_MSG_WDS, wh,
618 "%s", "DWDS not enabled");
620 vap->iv_stats.is_rx_wrongdir++;
623 /* check if source STA is associated */
624 if (ni == vap->iv_bss) {
625 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
626 wh, "data", "%s", "unknown src");
627 ieee80211_send_error(ni, wh->i_addr2,
628 IEEE80211_FC0_SUBTYPE_DEAUTH,
629 IEEE80211_REASON_NOT_AUTHED);
630 vap->iv_stats.is_rx_notassoc++;
633 if (ni->ni_associd == 0) {
634 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
635 wh, "data", "%s", "unassoc src");
636 IEEE80211_SEND_MGMT(ni,
637 IEEE80211_FC0_SUBTYPE_DISASSOC,
638 IEEE80211_REASON_NOT_ASSOCED);
639 vap->iv_stats.is_rx_notassoc++;
644 * Check for power save state change.
645 * XXX out-of-order A-MPDU frames?
647 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
648 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
649 ieee80211_node_pwrsave(ni,
650 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
652 * For 4-address packets handle WDS discovery
653 * notifications. Once a WDS link is setup frames
654 * are just delivered to the WDS vap (see below).
656 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
657 if (!ieee80211_node_is_authorized(ni)) {
658 IEEE80211_DISCARD(vap,
659 IEEE80211_MSG_INPUT |
660 IEEE80211_MSG_WDS, wh,
662 "%s", "unauthorized port");
663 vap->iv_stats.is_rx_unauth++;
664 IEEE80211_NODE_STAT(ni, rx_unauth);
667 ieee80211_dwds_discover(ni, m);
672 * Handle A-MPDU re-ordering. If the frame is to be
673 * processed directly then ieee80211_ampdu_reorder
674 * will return 0; otherwise it has consumed the mbuf
675 * and we should do nothing more with it.
677 if ((m->m_flags & M_AMPDU) &&
678 ieee80211_ampdu_reorder(ni, m) != 0) {
685 * Handle privacy requirements. Note that we
686 * must not be preempted from here until after
687 * we (potentially) call ieee80211_crypto_demic;
688 * otherwise we may violate assumptions in the
689 * crypto cipher modules used to do delayed update
690 * of replay sequence numbers.
692 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
693 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
695 * Discard encrypted frames when privacy is off.
697 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
698 wh, "WEP", "%s", "PRIVACY off");
699 vap->iv_stats.is_rx_noprivacy++;
700 IEEE80211_NODE_STAT(ni, rx_noprivacy);
703 key = ieee80211_crypto_decap(ni, m, hdrspace);
705 /* NB: stats+msgs handled in crypto_decap */
706 IEEE80211_NODE_STAT(ni, rx_wepfail);
709 wh = mtod(m, struct ieee80211_frame *);
710 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
712 /* XXX M_WEP and IEEE80211_F_PRIVACY */
717 * Save QoS bits for use below--before we strip the header.
719 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
720 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
721 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
722 ((struct ieee80211_qosframe *)wh)->i_qos[0];
727 * Next up, any fragmentation.
729 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
730 m = ieee80211_defrag(ni, m, hdrspace);
732 /* Fragment dropped or frame not complete yet */
736 wh = NULL; /* no longer valid, catch any uses */
739 * Next strip any MSDU crypto bits.
741 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
742 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
743 ni->ni_macaddr, "data", "%s", "demic error");
744 vap->iv_stats.is_rx_demicfail++;
745 IEEE80211_NODE_STAT(ni, rx_demicfail);
748 /* copy to listener after decrypt */
749 if (ieee80211_radiotap_active_vap(vap))
750 ieee80211_radiotap_rx(vap, m);
753 * Finally, strip the 802.11 header.
755 m = ieee80211_decap(vap, m, hdrspace);
757 /* XXX mask bit to check for both */
758 /* don't count Null data frames as errors */
759 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
760 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
762 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
763 ni->ni_macaddr, "data", "%s", "decap error");
764 vap->iv_stats.is_rx_decap++;
765 IEEE80211_NODE_STAT(ni, rx_decap);
768 eh = mtod(m, struct ether_header *);
769 if (!ieee80211_node_is_authorized(ni)) {
771 * Deny any non-PAE frames received prior to
772 * authorization. For open/shared-key
773 * authentication the port is mark authorized
774 * after authentication completes. For 802.1x
775 * the port is not marked authorized by the
776 * authenticator until the handshake has completed.
778 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
779 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
780 eh->ether_shost, "data",
781 "unauthorized port: ether type 0x%x len %u",
782 eh->ether_type, m->m_pkthdr.len);
783 vap->iv_stats.is_rx_unauth++;
784 IEEE80211_NODE_STAT(ni, rx_unauth);
789 * When denying unencrypted frames, discard
790 * any non-PAE frames received without encryption.
792 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
793 (key == NULL && (m->m_flags & M_WEP) == 0) &&
794 eh->ether_type != htons(ETHERTYPE_PAE)) {
796 * Drop unencrypted frames.
798 vap->iv_stats.is_rx_unencrypted++;
799 IEEE80211_NODE_STAT(ni, rx_unencrypted);
803 /* XXX require HT? */
804 if (qos & IEEE80211_QOS_AMSDU) {
805 m = ieee80211_decap_amsdu(ni, m);
807 return IEEE80211_FC0_TYPE_DATA;
809 #ifdef IEEE80211_SUPPORT_SUPERG
810 m = ieee80211_decap_fastframe(vap, ni, m);
812 return IEEE80211_FC0_TYPE_DATA;
815 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
816 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
818 hostap_deliver_data(vap, ni, m);
819 return IEEE80211_FC0_TYPE_DATA;
821 case IEEE80211_FC0_TYPE_MGT:
822 vap->iv_stats.is_rx_mgmt++;
823 IEEE80211_NODE_STAT(ni, rx_mgmt);
824 if (dir != IEEE80211_FC1_DIR_NODS) {
825 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
826 wh, "mgt", "incorrect dir 0x%x", dir);
827 vap->iv_stats.is_rx_wrongdir++;
830 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
831 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
832 ni->ni_macaddr, "mgt", "too short: len %u",
834 vap->iv_stats.is_rx_tooshort++;
837 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
838 /* ensure return frames are unicast */
839 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
840 wh, NULL, "source is multicast: %s",
841 kether_ntoa(wh->i_addr2, ethstr));
842 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
845 #ifdef IEEE80211_DEBUG
846 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
847 ieee80211_msg_dumppkts(vap)) {
848 if_printf(ifp, "received %s from %s rssi %d\n",
849 ieee80211_mgt_subtype_name[subtype >>
850 IEEE80211_FC0_SUBTYPE_SHIFT],
851 kether_ntoa(wh->i_addr2, ethstr), rssi);
854 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
855 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
857 * Only shared key auth frames with a challenge
858 * should be encrypted, discard all others.
860 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
862 "%s", "WEP set but not permitted");
863 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
866 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
868 * Discard encrypted frames when privacy is off.
870 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
871 wh, NULL, "%s", "WEP set but PRIVACY off");
872 vap->iv_stats.is_rx_noprivacy++;
875 hdrspace = ieee80211_hdrspace(ic, wh);
876 key = ieee80211_crypto_decap(ni, m, hdrspace);
878 /* NB: stats+msgs handled in crypto_decap */
881 wh = mtod(m, struct ieee80211_frame *);
882 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
884 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
887 case IEEE80211_FC0_TYPE_CTL:
888 vap->iv_stats.is_rx_ctl++;
889 IEEE80211_NODE_STAT(ni, rx_ctrl);
890 vap->iv_recv_ctl(ni, m, subtype);
893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
894 wh, "bad", "frame type 0x%x", type);
895 /* should not come here */
902 if (need_tap && ieee80211_radiotap_active_vap(vap))
903 ieee80211_radiotap_rx(vap, m);
911 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
912 int rssi, int nf, uint16_t seq, uint16_t status)
914 struct ieee80211vap *vap = ni->ni_vap;
916 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
918 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
919 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
920 ni->ni_macaddr, "open auth",
921 "bad sta auth mode %u", ni->ni_authmode);
922 vap->iv_stats.is_rx_bad_auth++; /* XXX */
924 * Clear any challenge text that may be there if
925 * a previous shared key auth failed and then an
926 * open auth is attempted.
928 if (ni->ni_challenge != NULL) {
929 kfree(ni->ni_challenge, M_80211_NODE);
930 ni->ni_challenge = NULL;
932 /* XXX hack to workaround calling convention */
933 ieee80211_send_error(ni, wh->i_addr2,
934 IEEE80211_FC0_SUBTYPE_AUTH,
935 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
938 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
939 vap->iv_stats.is_rx_bad_auth++;
942 /* always accept open authentication requests */
943 if (ni == vap->iv_bss) {
944 ni = ieee80211_dup_bss(vap, wh->i_addr2);
947 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
948 (void) ieee80211_ref_node(ni);
950 * Mark the node as referenced to reflect that it's
951 * reference count has been bumped to insure it remains
952 * after the transaction completes.
954 ni->ni_flags |= IEEE80211_NODE_AREF;
956 * Mark the node as requiring a valid association id
957 * before outbound traffic is permitted.
959 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
961 if (vap->iv_acl != NULL &&
962 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
964 * When the ACL policy is set to RADIUS we defer the
965 * authorization to a user agent. Dispatch an event,
966 * a subsequent MLME call will decide the fate of the
967 * station. If the user agent is not present then the
968 * node will be reclaimed due to inactivity.
970 IEEE80211_NOTE_MAC(vap,
971 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
972 "%s", "station authentication defered (radius acl)");
973 ieee80211_notify_node_auth(ni);
975 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
976 IEEE80211_NOTE_MAC(vap,
977 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
978 "%s", "station authenticated (open)");
980 * When 802.1x is not in use mark the port
981 * authorized at this point so traffic can flow.
983 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
984 ieee80211_node_authorize(ni);
989 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
990 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
991 uint16_t seq, uint16_t status)
993 struct ieee80211vap *vap = ni->ni_vap;
995 int allocbs, estatus;
997 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1000 * NB: this can happen as we allow pre-shared key
1001 * authentication to be enabled w/o wep being turned
1002 * on so that configuration of these can be done
1003 * in any order. It may be better to enforce the
1004 * ordering in which case this check would just be
1005 * for sanity/consistency.
1007 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1008 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009 ni->ni_macaddr, "shared key auth",
1010 "%s", " PRIVACY is disabled");
1011 estatus = IEEE80211_STATUS_ALG;
1015 * Pre-shared key authentication is evil; accept
1016 * it only if explicitly configured (it is supported
1017 * mainly for compatibility with clients like Mac OS X).
1019 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1020 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1021 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1022 ni->ni_macaddr, "shared key auth",
1023 "bad sta auth mode %u", ni->ni_authmode);
1024 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1025 estatus = IEEE80211_STATUS_ALG;
1030 if (frm + 1 < efrm) {
1031 if ((frm[1] + 2) > (efrm - frm)) {
1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1033 ni->ni_macaddr, "shared key auth",
1034 "ie %d/%d too long",
1035 frm[0], (int)((frm[1] + 2) - (efrm - frm)));
1036 vap->iv_stats.is_rx_bad_auth++;
1037 estatus = IEEE80211_STATUS_CHALLENGE;
1040 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1045 case IEEE80211_AUTH_SHARED_CHALLENGE:
1046 case IEEE80211_AUTH_SHARED_RESPONSE:
1047 if (challenge == NULL) {
1048 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1049 ni->ni_macaddr, "shared key auth",
1050 "%s", "no challenge");
1051 vap->iv_stats.is_rx_bad_auth++;
1052 estatus = IEEE80211_STATUS_CHALLENGE;
1055 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1056 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1057 ni->ni_macaddr, "shared key auth",
1058 "bad challenge len %d", challenge[1]);
1059 vap->iv_stats.is_rx_bad_auth++;
1060 estatus = IEEE80211_STATUS_CHALLENGE;
1067 case IEEE80211_AUTH_SHARED_REQUEST:
1068 if (ni == vap->iv_bss) {
1069 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1071 /* NB: no way to return an error */
1076 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1077 (void) ieee80211_ref_node(ni);
1081 * Mark the node as referenced to reflect that it's
1082 * reference count has been bumped to insure it remains
1083 * after the transaction completes.
1085 ni->ni_flags |= IEEE80211_NODE_AREF;
1087 * Mark the node as requiring a valid associatio id
1088 * before outbound traffic is permitted.
1090 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1091 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1093 if (!ieee80211_alloc_challenge(ni)) {
1094 /* NB: don't return error so they rexmit */
1097 get_random_bytes(ni->ni_challenge,
1098 IEEE80211_CHALLENGE_LEN);
1099 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1100 ni, "shared key %sauth request", allocbs ? "" : "re");
1102 * When the ACL policy is set to RADIUS we defer the
1103 * authorization to a user agent. Dispatch an event,
1104 * a subsequent MLME call will decide the fate of the
1105 * station. If the user agent is not present then the
1106 * node will be reclaimed due to inactivity.
1108 if (vap->iv_acl != NULL &&
1109 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1110 IEEE80211_NOTE_MAC(vap,
1111 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1113 "%s", "station authentication defered (radius acl)");
1114 ieee80211_notify_node_auth(ni);
1118 case IEEE80211_AUTH_SHARED_RESPONSE:
1119 if (ni == vap->iv_bss) {
1120 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1121 ni->ni_macaddr, "shared key response",
1122 "%s", "unknown station");
1123 /* NB: don't send a response */
1126 if (ni->ni_challenge == NULL) {
1127 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1128 ni->ni_macaddr, "shared key response",
1129 "%s", "no challenge recorded");
1130 vap->iv_stats.is_rx_bad_auth++;
1131 estatus = IEEE80211_STATUS_CHALLENGE;
1134 if (memcmp(ni->ni_challenge, &challenge[2],
1135 challenge[1]) != 0) {
1136 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1137 ni->ni_macaddr, "shared key response",
1138 "%s", "challenge mismatch");
1139 vap->iv_stats.is_rx_auth_fail++;
1140 estatus = IEEE80211_STATUS_CHALLENGE;
1143 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1144 ni, "%s", "station authenticated (shared key)");
1145 ieee80211_node_authorize(ni);
1148 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1149 ni->ni_macaddr, "shared key auth",
1151 vap->iv_stats.is_rx_bad_auth++;
1152 estatus = IEEE80211_STATUS_SEQUENCE;
1155 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1159 * Send an error response; but only when operating as an AP.
1161 /* XXX hack to workaround calling convention */
1162 ieee80211_send_error(ni, wh->i_addr2,
1163 IEEE80211_FC0_SUBTYPE_AUTH,
1164 (seq + 1) | (estatus<<16));
1168 * Convert a WPA cipher selector OUI to an internal
1169 * cipher algorithm. Where appropriate we also
1170 * record any key length.
1173 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1175 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1176 uint32_t w = LE_READ_4(sel);
1179 case WPA_SEL(WPA_CSE_NULL):
1180 return IEEE80211_CIPHER_NONE;
1181 case WPA_SEL(WPA_CSE_WEP40):
1183 *keylen = 40 / NBBY;
1184 return IEEE80211_CIPHER_WEP;
1185 case WPA_SEL(WPA_CSE_WEP104):
1187 *keylen = 104 / NBBY;
1188 return IEEE80211_CIPHER_WEP;
1189 case WPA_SEL(WPA_CSE_TKIP):
1190 return IEEE80211_CIPHER_TKIP;
1191 case WPA_SEL(WPA_CSE_CCMP):
1192 return IEEE80211_CIPHER_AES_CCM;
1194 return 32; /* NB: so 1<< is discarded */
1199 * Convert a WPA key management/authentication algorithm
1200 * to an internal code.
1203 wpa_keymgmt(const uint8_t *sel)
1205 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1206 uint32_t w = LE_READ_4(sel);
1209 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1210 return WPA_ASE_8021X_UNSPEC;
1211 case WPA_SEL(WPA_ASE_8021X_PSK):
1212 return WPA_ASE_8021X_PSK;
1213 case WPA_SEL(WPA_ASE_NONE):
1214 return WPA_ASE_NONE;
1216 return 0; /* NB: so is discarded */
1221 * Parse a WPA information element to collect parameters.
1222 * Note that we do not validate security parameters; that
1223 * is handled by the authenticator; the parsing done here
1224 * is just for internal use in making operational decisions.
1227 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1228 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1230 uint8_t len = frm[1];
1235 * Check the length once for fixed parts: OUI, type,
1236 * version, mcast cipher, and 2 selector counts.
1237 * Other, variable-length data, must be checked separately.
1239 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1240 IEEE80211_DISCARD_IE(vap,
1241 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1242 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1243 return IEEE80211_REASON_IE_INVALID;
1246 IEEE80211_DISCARD_IE(vap,
1247 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1248 wh, "WPA", "too short, len %u", len);
1249 return IEEE80211_REASON_IE_INVALID;
1251 frm += 6, len -= 4; /* NB: len is payload only */
1252 /* NB: iswpaoui already validated the OUI and type */
1254 if (w != WPA_VERSION) {
1255 IEEE80211_DISCARD_IE(vap,
1256 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1257 wh, "WPA", "bad version %u", w);
1258 return IEEE80211_REASON_IE_INVALID;
1262 memset(rsn, 0, sizeof(*rsn));
1264 /* multicast/group cipher */
1265 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1268 /* unicast ciphers */
1272 IEEE80211_DISCARD_IE(vap,
1273 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1274 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1276 return IEEE80211_REASON_IE_INVALID;
1279 for (; n > 0; n--) {
1280 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1283 if (w & (1<<IEEE80211_CIPHER_TKIP))
1284 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1286 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1288 /* key management algorithms */
1292 IEEE80211_DISCARD_IE(vap,
1293 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1294 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1296 return IEEE80211_REASON_IE_INVALID;
1299 for (; n > 0; n--) {
1300 w |= wpa_keymgmt(frm);
1303 if (w & WPA_ASE_8021X_UNSPEC)
1304 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1306 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1308 if (len > 2) /* optional capabilities */
1309 rsn->rsn_caps = LE_READ_2(frm);
1315 * Convert an RSN cipher selector OUI to an internal
1316 * cipher algorithm. Where appropriate we also
1317 * record any key length.
1320 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1322 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1323 uint32_t w = LE_READ_4(sel);
1326 case RSN_SEL(RSN_CSE_NULL):
1327 return IEEE80211_CIPHER_NONE;
1328 case RSN_SEL(RSN_CSE_WEP40):
1330 *keylen = 40 / NBBY;
1331 return IEEE80211_CIPHER_WEP;
1332 case RSN_SEL(RSN_CSE_WEP104):
1334 *keylen = 104 / NBBY;
1335 return IEEE80211_CIPHER_WEP;
1336 case RSN_SEL(RSN_CSE_TKIP):
1337 return IEEE80211_CIPHER_TKIP;
1338 case RSN_SEL(RSN_CSE_CCMP):
1339 return IEEE80211_CIPHER_AES_CCM;
1340 case RSN_SEL(RSN_CSE_WRAP):
1341 return IEEE80211_CIPHER_AES_OCB;
1343 return 32; /* NB: so 1<< is discarded */
1348 * Convert an RSN key management/authentication algorithm
1349 * to an internal code.
1352 rsn_keymgmt(const uint8_t *sel)
1354 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1355 uint32_t w = LE_READ_4(sel);
1358 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1359 return RSN_ASE_8021X_UNSPEC;
1360 case RSN_SEL(RSN_ASE_8021X_PSK):
1361 return RSN_ASE_8021X_PSK;
1362 case RSN_SEL(RSN_ASE_NONE):
1363 return RSN_ASE_NONE;
1365 return 0; /* NB: so is discarded */
1370 * Parse a WPA/RSN information element to collect parameters
1371 * and validate the parameters against what has been
1372 * configured for the system.
1375 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1376 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1378 uint8_t len = frm[1];
1383 * Check the length once for fixed parts:
1384 * version, mcast cipher, and 2 selector counts.
1385 * Other, variable-length data, must be checked separately.
1387 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1388 IEEE80211_DISCARD_IE(vap,
1389 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1390 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1391 return IEEE80211_REASON_IE_INVALID;
1394 IEEE80211_DISCARD_IE(vap,
1395 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1396 wh, "RSN", "too short, len %u", len);
1397 return IEEE80211_REASON_IE_INVALID;
1401 if (w != RSN_VERSION) {
1402 IEEE80211_DISCARD_IE(vap,
1403 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1404 wh, "RSN", "bad version %u", w);
1405 return IEEE80211_REASON_IE_INVALID;
1409 memset(rsn, 0, sizeof(*rsn));
1411 /* multicast/group cipher */
1412 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1415 /* unicast ciphers */
1419 IEEE80211_DISCARD_IE(vap,
1420 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1421 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1423 return IEEE80211_REASON_IE_INVALID;
1426 for (; n > 0; n--) {
1427 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1430 if (w & (1<<IEEE80211_CIPHER_TKIP))
1431 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1433 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1435 /* key management algorithms */
1439 IEEE80211_DISCARD_IE(vap,
1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1441 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1443 return IEEE80211_REASON_IE_INVALID;
1446 for (; n > 0; n--) {
1447 w |= rsn_keymgmt(frm);
1450 if (w & RSN_ASE_8021X_UNSPEC)
1451 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1453 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1455 /* optional RSN capabilities */
1457 rsn->rsn_caps = LE_READ_2(frm);
1464 * WPA/802.11i assocation request processing.
1467 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1468 const struct ieee80211_frame *wh, const uint8_t *wpa,
1469 const uint8_t *rsn, uint16_t capinfo)
1471 struct ieee80211vap *vap = ni->ni_vap;
1475 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1476 if (wpa == NULL && rsn == NULL) {
1477 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1479 * W-Fi Protected Setup (WPS) permits
1480 * clients to associate and pass EAPOL frames
1481 * to establish initial credentials.
1483 ni->ni_flags |= IEEE80211_NODE_WPS;
1486 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1487 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1489 * Transitional Security Network. Permits clients
1490 * to associate and use WEP while WPA is configured.
1492 ni->ni_flags |= IEEE80211_NODE_TSN;
1495 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1496 wh, NULL, "%s", "no WPA/RSN IE in association request");
1497 vap->iv_stats.is_rx_assoc_badwpaie++;
1498 reason = IEEE80211_REASON_IE_INVALID;
1501 /* assert right association security credentials */
1502 badwparsn = 0; /* NB: to silence compiler */
1503 switch (vap->iv_flags & IEEE80211_F_WPA) {
1504 case IEEE80211_F_WPA1:
1505 badwparsn = (wpa == NULL);
1507 case IEEE80211_F_WPA2:
1508 badwparsn = (rsn == NULL);
1510 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1511 badwparsn = (wpa == NULL && rsn == NULL);
1515 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1517 "%s", "missing WPA/RSN IE in association request");
1518 vap->iv_stats.is_rx_assoc_badwpaie++;
1519 reason = IEEE80211_REASON_IE_INVALID;
1523 * Parse WPA/RSN information element.
1526 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1528 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1530 /* XXX distinguish WPA/RSN? */
1531 vap->iv_stats.is_rx_assoc_badwpaie++;
1534 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1535 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1536 wpa != NULL ? "WPA" : "RSN",
1537 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1538 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1539 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1543 ieee80211_node_deauth(ni, reason);
1547 /* XXX find a better place for definition */
1548 struct l2_update_frame {
1549 struct ether_header eh;
1557 * Deliver a TGf L2UF frame on behalf of a station.
1558 * This primes any bridge when the station is roaming
1559 * between ap's on the same wired network.
1562 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1564 struct ieee80211vap *vap = ni->ni_vap;
1565 struct ifnet *ifp = vap->iv_ifp;
1567 struct l2_update_frame *l2uf;
1568 struct ether_header *eh;
1570 m = m_gethdr(MB_DONTWAIT, MT_DATA);
1572 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1573 "%s", "no mbuf for l2uf frame");
1574 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1577 l2uf = mtod(m, struct l2_update_frame *);
1579 /* dst: Broadcast address */
1580 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1581 /* src: associated STA */
1582 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1583 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1587 l2uf->control = 0xf5;
1588 l2uf->xid[0] = 0x81;
1589 l2uf->xid[1] = 0x80;
1590 l2uf->xid[2] = 0x00;
1592 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1593 hostap_deliver_data(vap, ni, m);
1597 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1598 int reassoc, int resp, const char *tag, int rate)
1600 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1601 "deny %s request, %s rate set mismatch, rate/MCS %d",
1602 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1603 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1604 ieee80211_node_leave(ni);
1608 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1609 int reassoc, int resp, const char *tag, int capinfo)
1611 struct ieee80211vap *vap = ni->ni_vap;
1613 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1614 "deny %s request, %s mismatch 0x%x",
1615 reassoc ? "reassoc" : "assoc", tag, capinfo);
1616 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1617 ieee80211_node_leave(ni);
1618 vap->iv_stats.is_rx_assoc_capmismatch++;
1622 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1623 int reassoc, int resp)
1625 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1626 "deny %s request, missing HT ie", reassoc ? "reassoc" : "assoc");
1627 /* XXX no better code */
1628 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1629 ieee80211_node_leave(ni);
1633 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1634 int algo, int seq, int status)
1636 struct ieee80211vap *vap = ni->ni_vap;
1638 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1639 wh, NULL, "unsupported alg %d", algo);
1640 vap->iv_stats.is_rx_auth_unsupported++;
1641 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1642 seq | (status << 16));
1646 ishtmixed(const uint8_t *ie)
1648 const struct ieee80211_ie_htinfo *ht =
1649 (const struct ieee80211_ie_htinfo *) ie;
1650 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1651 IEEE80211_HTINFO_OPMODE_MIXED;
1655 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1657 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1660 /* NB: the 11b clients we care about will not have xrates */
1661 if (xrates != NULL || rates == NULL)
1663 for (i = 0; i < rates[1]; i++) {
1664 int r = rates[2+i] & IEEE80211_RATE_VAL;
1665 if (r > 2*11 || ((1<<r) & brates) == 0)
1672 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1673 int subtype, int rssi, int nf)
1675 struct ieee80211vap *vap = ni->ni_vap;
1676 struct ieee80211com *ic = ni->ni_ic;
1677 struct ieee80211_frame *wh;
1678 uint8_t *frm, *efrm, *sfrm;
1679 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1683 wh = mtod(m0, struct ieee80211_frame *);
1684 frm = (uint8_t *)&wh[1];
1685 efrm = mtod(m0, uint8_t *) + m0->m_len;
1687 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1688 case IEEE80211_FC0_SUBTYPE_BEACON: {
1689 struct ieee80211_scanparams scan;
1691 * We process beacon/probe response frames when scanning;
1692 * otherwise we check beacon frames for overlapping non-ERP
1693 * BSS in 11g and/or overlapping legacy BSS when in HT.
1695 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1696 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1697 vap->iv_stats.is_rx_mgtdiscard++;
1700 /* NB: accept off-channel frames */
1701 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1704 * Count frame now that we know it's to be processed.
1706 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1707 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1708 IEEE80211_NODE_STAT(ni, rx_beacons);
1710 IEEE80211_NODE_STAT(ni, rx_proberesp);
1712 * If scanning, just pass information to the scan module.
1714 if (ic->ic_flags & IEEE80211_F_SCAN) {
1715 if (scan.status == 0 && /* NB: on channel */
1716 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1718 * Actively scanning a channel marked passive;
1719 * send a probe request now that we know there
1720 * is 802.11 traffic present.
1722 * XXX check if the beacon we recv'd gives
1723 * us what we need and suppress the probe req
1725 ieee80211_probe_curchan(vap, 1);
1726 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1728 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1732 * Check beacon for overlapping bss w/ non ERP stations.
1733 * If we detect one and protection is configured but not
1734 * enabled, enable it and start a timer that'll bring us
1735 * out if we stop seeing the bss.
1737 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1738 scan.status == 0 && /* NB: on-channel */
1739 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1740 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1741 ic->ic_lastnonerp = ticks;
1742 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1743 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1744 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1745 IEEE80211_NOTE_FRAME(vap,
1746 IEEE80211_MSG_ASSOC, wh,
1747 "non-ERP present on channel %d "
1748 "(saw erp 0x%x from channel %d), "
1749 "enable use of protection",
1750 ic->ic_curchan->ic_ieee,
1751 scan.erp, scan.chan);
1752 ic->ic_flags |= IEEE80211_F_USEPROT;
1753 ieee80211_notify_erp(ic);
1757 * Check beacon for non-HT station on HT channel
1758 * and update HT BSS occupancy as appropriate.
1760 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1761 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1763 * Off control channel; only check frames
1764 * that come in the extension channel when
1765 * operating w/ HT40.
1767 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1769 if (scan.chan != ic->ic_curchan->ic_extieee)
1772 if (scan.htinfo == NULL) {
1773 ieee80211_htprot_update(ic,
1774 IEEE80211_HTINFO_OPMODE_PROTOPT |
1775 IEEE80211_HTINFO_NONHT_PRESENT);
1776 } else if (ishtmixed(scan.htinfo)) {
1777 /* XXX? take NONHT_PRESENT from beacon? */
1778 ieee80211_htprot_update(ic,
1779 IEEE80211_HTINFO_OPMODE_MIXED |
1780 IEEE80211_HTINFO_NONHT_PRESENT);
1786 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1787 if (vap->iv_state != IEEE80211_S_RUN) {
1788 vap->iv_stats.is_rx_mgtdiscard++;
1792 * prreq frame format
1794 * [tlv] supported rates
1795 * [tlv] extended supported rates
1797 ssid = rates = xrates = NULL;
1799 while (efrm - frm > 1) {
1800 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1802 case IEEE80211_ELEMID_SSID:
1805 case IEEE80211_ELEMID_RATES:
1808 case IEEE80211_ELEMID_XRATES:
1814 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1816 IEEE80211_VERIFY_ELEMENT(xrates,
1817 IEEE80211_RATE_MAXSIZE - rates[1], return);
1818 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1819 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1820 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1821 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1823 "%s", "no ssid with ssid suppression enabled");
1824 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1828 /* XXX find a better class or define it's own */
1829 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1830 "%s", "recv probe req");
1832 * Some legacy 11b clients cannot hack a complete
1833 * probe response frame. When the request includes
1834 * only a bare-bones rate set, communicate this to
1835 * the transmit side.
1837 ieee80211_send_proberesp(vap, wh->i_addr2,
1838 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1841 case IEEE80211_FC0_SUBTYPE_AUTH: {
1842 uint16_t algo, seq, status;
1844 if (vap->iv_state != IEEE80211_S_RUN) {
1845 vap->iv_stats.is_rx_mgtdiscard++;
1848 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1849 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1850 wh, NULL, "%s", "wrong bssid");
1851 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1861 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1862 algo = le16toh(*(uint16_t *)frm);
1863 seq = le16toh(*(uint16_t *)(frm + 2));
1864 status = le16toh(*(uint16_t *)(frm + 4));
1865 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1866 "recv auth frame with algorithm %d seq %d", algo, seq);
1868 * Consult the ACL policy module if setup.
1870 if (vap->iv_acl != NULL &&
1871 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1872 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1873 wh, NULL, "%s", "disallowed by ACL");
1874 vap->iv_stats.is_rx_acl++;
1875 ieee80211_send_error(ni, wh->i_addr2,
1876 IEEE80211_FC0_SUBTYPE_AUTH,
1877 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1880 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1881 IEEE80211_DISCARD(vap,
1882 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1883 wh, NULL, "%s", "TKIP countermeasures enabled");
1884 vap->iv_stats.is_rx_auth_countermeasures++;
1885 ieee80211_send_error(ni, wh->i_addr2,
1886 IEEE80211_FC0_SUBTYPE_AUTH,
1887 IEEE80211_REASON_MIC_FAILURE);
1890 if (algo == IEEE80211_AUTH_ALG_SHARED)
1891 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1893 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1894 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1895 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1896 authalgreject(ni, wh, algo,
1897 seq+1, IEEE80211_STATUS_ALG);
1901 * We assume that an unknown algorithm is the result
1902 * of a decryption failure on a shared key auth frame;
1903 * return a status code appropriate for that instead
1904 * of IEEE80211_STATUS_ALG.
1906 * NB: a seq# of 4 is intentional; the decrypted
1907 * frame likely has a bogus seq value.
1909 authalgreject(ni, wh, algo,
1910 4, IEEE80211_STATUS_CHALLENGE);
1916 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1917 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1918 uint16_t capinfo, lintval;
1919 struct ieee80211_rsnparms rsnparms;
1921 if (vap->iv_state != IEEE80211_S_RUN) {
1922 vap->iv_stats.is_rx_mgtdiscard++;
1925 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1926 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1927 wh, NULL, "%s", "wrong bssid");
1928 vap->iv_stats.is_rx_assoc_bss++;
1931 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1933 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1936 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1938 if (ni == vap->iv_bss) {
1939 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1940 "deny %s request, sta not authenticated",
1941 reassoc ? "reassoc" : "assoc");
1942 ieee80211_send_error(ni, wh->i_addr2,
1943 IEEE80211_FC0_SUBTYPE_DEAUTH,
1944 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1945 vap->iv_stats.is_rx_assoc_notauth++;
1950 * asreq frame format
1951 * [2] capability information
1952 * [2] listen interval
1953 * [6*] current AP address (reassoc only)
1955 * [tlv] supported rates
1956 * [tlv] extended supported rates
1958 * [tlv] HT capabilities
1959 * [tlv] Atheros capabilities
1961 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1962 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1963 lintval = le16toh(*(uint16_t *)frm); frm += 2;
1965 frm += 6; /* ignore current AP info */
1966 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1968 while (efrm - frm > 1) {
1969 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1971 case IEEE80211_ELEMID_SSID:
1974 case IEEE80211_ELEMID_RATES:
1977 case IEEE80211_ELEMID_XRATES:
1980 case IEEE80211_ELEMID_RSN:
1983 case IEEE80211_ELEMID_HTCAP:
1986 case IEEE80211_ELEMID_VENDOR:
1989 else if (iswmeinfo(frm))
1991 #ifdef IEEE80211_SUPPORT_SUPERG
1992 else if (isatherosoui(frm))
1995 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1996 if (ishtcapoui(frm) && htcap == NULL)
2003 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2005 IEEE80211_VERIFY_ELEMENT(xrates,
2006 IEEE80211_RATE_MAXSIZE - rates[1], return);
2007 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2008 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2009 if (htcap != NULL) {
2010 IEEE80211_VERIFY_LENGTH(htcap[1],
2011 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2012 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2013 sizeof(struct ieee80211_ie_htcap)-2,
2014 return); /* XXX just NULL out? */
2017 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2018 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2020 /* discard challenge after association */
2021 if (ni->ni_challenge != NULL) {
2022 kfree(ni->ni_challenge, M_80211_NODE);
2023 ni->ni_challenge = NULL;
2025 /* NB: 802.11 spec says to ignore station's privacy bit */
2026 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2027 capinfomismatch(ni, wh, reassoc, resp,
2028 "capability", capinfo);
2032 * Disallow re-associate w/ invalid slot time setting.
2034 if (ni->ni_associd != 0 &&
2035 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2036 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2037 capinfomismatch(ni, wh, reassoc, resp,
2038 "slot time", capinfo);
2041 rate = ieee80211_setup_rates(ni, rates, xrates,
2042 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2043 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2044 if (rate & IEEE80211_RATE_BASIC) {
2045 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2046 vap->iv_stats.is_rx_assoc_norate++;
2050 * If constrained to 11g-only stations reject an
2051 * 11b-only station. We cheat a bit here by looking
2052 * at the max negotiated xmit rate and assuming anyone
2053 * with a best rate <24Mb/s is an 11b station.
2055 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2056 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2057 vap->iv_stats.is_rx_assoc_norate++;
2061 * Do HT rate set handling and setup HT node state.
2063 ni->ni_chan = vap->iv_bss->ni_chan;
2064 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2065 rate = ieee80211_setup_htrates(ni, htcap,
2066 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2068 if (rate & IEEE80211_RATE_BASIC) {
2069 ratesetmismatch(ni, wh, reassoc, resp,
2071 vap->iv_stats.is_ht_assoc_norate++;
2074 ieee80211_ht_node_init(ni);
2075 ieee80211_ht_updatehtcap(ni, htcap);
2076 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2077 ieee80211_ht_node_cleanup(ni);
2078 #ifdef IEEE80211_SUPPORT_SUPERG
2079 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH)
2080 ieee80211_ff_node_cleanup(ni);
2083 * Allow AMPDU operation only with unencrypted traffic
2084 * or AES-CCM; the 11n spec only specifies these ciphers
2085 * so permitting any others is undefined and can lead
2086 * to interoperability problems.
2088 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2089 (((vap->iv_flags & IEEE80211_F_WPA) &&
2090 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2091 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2093 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2094 "disallow HT use because WEP or TKIP requested, "
2095 "capinfo 0x%x ucastcipher %d", capinfo,
2096 rsnparms.rsn_ucastcipher);
2097 ieee80211_ht_node_cleanup(ni);
2098 vap->iv_stats.is_ht_assoc_downgrade++;
2101 * If constrained to 11n-only stations reject legacy stations.
2103 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2104 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2105 htcapmismatch(ni, wh, reassoc, resp);
2106 vap->iv_stats.is_ht_assoc_nohtcap++;
2109 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2111 ni->ni_intval = lintval;
2112 ni->ni_capinfo = capinfo;
2113 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2114 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2117 * XXX maybe better to just expand
2119 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2120 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2122 setie(wpa_ie, wpa - sfrm);
2124 setie(rsn_ie, rsn - sfrm);
2126 setie(htcap_ie, htcap - sfrm);
2128 setie(wme_ie, wme - sfrm);
2130 * Mark node as capable of QoS.
2132 ni->ni_flags |= IEEE80211_NODE_QOS;
2134 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2135 #ifdef IEEE80211_SUPPORT_SUPERG
2137 setie(ath_ie, ath - sfrm);
2139 * Parse ATH station parameters.
2141 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2144 ni->ni_ath_flags = 0;
2147 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2148 ni->ni_ath_flags = 0;
2150 ieee80211_node_join(ni, resp);
2151 ieee80211_deliver_l2uf(ni);
2155 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2156 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2159 if (vap->iv_state != IEEE80211_S_RUN ||
2160 /* NB: can happen when in promiscuous mode */
2161 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2162 vap->iv_stats.is_rx_mgtdiscard++;
2166 * deauth/disassoc frame format
2169 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2170 reason = le16toh(*(uint16_t *)frm);
2171 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2172 vap->iv_stats.is_rx_deauth++;
2173 IEEE80211_NODE_STAT(ni, rx_deauth);
2175 vap->iv_stats.is_rx_disassoc++;
2176 IEEE80211_NODE_STAT(ni, rx_disassoc);
2178 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2179 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2180 IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2181 if (ni != vap->iv_bss)
2182 ieee80211_node_leave(ni);
2186 case IEEE80211_FC0_SUBTYPE_ACTION:
2187 if (vap->iv_state == IEEE80211_S_RUN) {
2188 if (ieee80211_parse_action(ni, m0) == 0)
2189 ic->ic_recv_action(ni, wh, frm, efrm);
2191 vap->iv_stats.is_rx_mgtdiscard++;
2194 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2195 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2197 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2198 wh, "mgt", "subtype 0x%x not handled", subtype);
2199 vap->iv_stats.is_rx_badsubtype++;
2205 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2208 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2209 hostap_recv_pspoll(ni, m);
2211 case IEEE80211_FC0_SUBTYPE_BAR:
2212 ieee80211_recv_bar(ni, m);
2218 * Process a received ps-poll frame.
2221 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2223 struct ieee80211vap *vap = ni->ni_vap;
2224 struct ieee80211_frame_min *wh;
2226 struct ifaltq_subque *ifsq;
2231 wh = mtod(m0, struct ieee80211_frame_min *);
2232 if (ni->ni_associd == 0) {
2233 IEEE80211_DISCARD(vap,
2234 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2235 (struct ieee80211_frame *) wh, NULL,
2236 "%s", "unassociated station");
2237 vap->iv_stats.is_ps_unassoc++;
2238 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2239 IEEE80211_REASON_NOT_ASSOCED);
2243 aid = le16toh(*(uint16_t *)wh->i_dur);
2244 if (aid != ni->ni_associd) {
2245 IEEE80211_DISCARD(vap,
2246 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2247 (struct ieee80211_frame *) wh, NULL,
2248 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2249 ni->ni_associd, aid);
2250 vap->iv_stats.is_ps_badaid++;
2252 * NB: We used to deauth the station but it turns out
2253 * the Blackberry Curve 8230 (and perhaps other devices)
2254 * sometimes send the wrong AID when WME is negotiated.
2255 * Being more lenient here seems ok as we already check
2256 * the station is associated and we only return frames
2257 * queued for the station (i.e. we don't use the AID).
2262 /* Okay, take the first queued packet and put it out... */
2263 m = ieee80211_node_psq_dequeue(ni, &qlen);
2265 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2266 "%s", "recv ps-poll, but queue empty");
2267 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2268 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2269 if (vap->iv_set_tim != NULL)
2270 vap->iv_set_tim(ni, 0); /* just in case */
2274 * If there are more packets, set the more packets bit
2275 * in the packet dispatched to the station; otherwise
2276 * turn off the TIM bit.
2279 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2280 "recv ps-poll, send packet, %u still queued", qlen);
2281 m->m_flags |= M_MORE_DATA;
2283 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2284 "%s", "recv ps-poll, send packet, queue empty");
2285 if (vap->iv_set_tim != NULL)
2286 vap->iv_set_tim(ni, 0);
2288 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2290 if (m->m_flags & M_ENCAP)
2291 ifp = vap->iv_ic->ic_ifp;
2295 ifsq = ifq_get_subq_default(&ifp->if_snd);
2296 ifsq_enqueue(ifsq, m, NULL);
2297 ifp->if_start(ifp, ifsq);