The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/net80211/ieee80211_hostap.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
    3  *
    4  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
    5  * All rights reserved.
    6  *
    7  * Redistribution and use in source and binary forms, with or without
    8  * modification, are permitted provided that the following conditions
    9  * are met:
   10  * 1. Redistributions of source code must retain the above copyright
   11  *    notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  *    notice, this list of conditions and the following disclaimer in the
   14  *    documentation and/or other materials provided with the distribution.
   15  *
   16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   21  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   22  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   23  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   24  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   25  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   26  */
   27 
   28 #include <sys/cdefs.h>
   29 #ifdef __FreeBSD__
   30 __FBSDID("$FreeBSD$");
   31 #endif
   32 
   33 /*
   34  * IEEE 802.11 HOSTAP mode support.
   35  */
   36 #include "opt_inet.h"
   37 #include "opt_wlan.h"
   38 
   39 #include <sys/param.h>
   40 #include <sys/systm.h> 
   41 #include <sys/mbuf.h>   
   42 #include <sys/malloc.h>
   43 #include <sys/kernel.h>
   44 
   45 #include <sys/socket.h>
   46 #include <sys/sockio.h>
   47 #include <sys/endian.h>
   48 #include <sys/errno.h>
   49 #include <sys/proc.h>
   50 #include <sys/sysctl.h>
   51 
   52 #include <net/if.h>
   53 #include <net/if_var.h>
   54 #include <net/if_media.h>
   55 #include <net/if_llc.h>
   56 #include <net/ethernet.h>
   57 
   58 #include <net/bpf.h>
   59 
   60 #include <net80211/ieee80211_var.h>
   61 #include <net80211/ieee80211_hostap.h>
   62 #include <net80211/ieee80211_input.h>
   63 #ifdef IEEE80211_SUPPORT_SUPERG
   64 #include <net80211/ieee80211_superg.h>
   65 #endif
   66 #include <net80211/ieee80211_wds.h>
   67 #include <net80211/ieee80211_vht.h>
   68 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */
   69 
   70 #define IEEE80211_RATE2MBS(r)   (((r) & IEEE80211_RATE_VAL) / 2)
   71 
   72 static  void hostap_vattach(struct ieee80211vap *);
   73 static  int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
   74 static  int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
   75             const struct ieee80211_rx_stats *,
   76             int rssi, int nf);
   77 static void hostap_deliver_data(struct ieee80211vap *,
   78             struct ieee80211_node *, struct mbuf *);
   79 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
   80             int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
   81 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
   82 
   83 void
   84 ieee80211_hostap_attach(struct ieee80211com *ic)
   85 {
   86         ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
   87 }
   88 
   89 void
   90 ieee80211_hostap_detach(struct ieee80211com *ic)
   91 {
   92 }
   93 
   94 static void
   95 hostap_vdetach(struct ieee80211vap *vap)
   96 {
   97 }
   98 
   99 static void
  100 hostap_vattach(struct ieee80211vap *vap)
  101 {
  102         vap->iv_newstate = hostap_newstate;
  103         vap->iv_input = hostap_input;
  104         vap->iv_recv_mgmt = hostap_recv_mgmt;
  105         vap->iv_recv_ctl = hostap_recv_ctl;
  106         vap->iv_opdetach = hostap_vdetach;
  107         vap->iv_deliver_data = hostap_deliver_data;
  108         vap->iv_recv_pspoll = ieee80211_recv_pspoll;
  109 }
  110 
  111 static void
  112 sta_disassoc(void *arg, struct ieee80211_node *ni)
  113 {
  114 
  115         if (ni->ni_associd != 0) {
  116                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
  117                         IEEE80211_REASON_ASSOC_LEAVE);
  118                 ieee80211_node_leave(ni);
  119         }
  120 }
  121 
  122 static void
  123 sta_csa(void *arg, struct ieee80211_node *ni)
  124 {
  125         struct ieee80211vap *vap = ni->ni_vap;
  126 
  127         if (ni->ni_associd != 0)
  128                 if (ni->ni_inact > vap->iv_inact_init) {
  129                         ni->ni_inact = vap->iv_inact_init;
  130                         IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
  131                             "%s: inact %u", __func__, ni->ni_inact);
  132                 }
  133 }
  134 
  135 static void
  136 sta_drop(void *arg, struct ieee80211_node *ni)
  137 {
  138 
  139         if (ni->ni_associd != 0)
  140                 ieee80211_node_leave(ni);
  141 }
  142 
  143 /*
  144  * Does a channel change require associated stations to re-associate
  145  * so protocol state is correct.  This is used when doing CSA across
  146  * bands or similar (e.g. HT -> legacy).
  147  */
  148 static int
  149 isbandchange(struct ieee80211com *ic)
  150 {
  151         return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
  152             (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
  153              IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
  154 }
  155 
  156 /*
  157  * IEEE80211_M_HOSTAP vap state machine handler.
  158  */
  159 static int
  160 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
  161 {
  162         struct ieee80211com *ic = vap->iv_ic;
  163         enum ieee80211_state ostate;
  164 
  165         IEEE80211_LOCK_ASSERT(ic);
  166 
  167         ostate = vap->iv_state;
  168         IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
  169             __func__, ieee80211_state_name[ostate],
  170             ieee80211_state_name[nstate], arg);
  171         vap->iv_state = nstate;                 /* state transition */
  172         if (ostate != IEEE80211_S_SCAN)
  173                 ieee80211_cancel_scan(vap);     /* background scan */
  174         switch (nstate) {
  175         case IEEE80211_S_INIT:
  176                 switch (ostate) {
  177                 case IEEE80211_S_SCAN:
  178                         ieee80211_cancel_scan(vap);
  179                         break;
  180                 case IEEE80211_S_CAC:
  181                         ieee80211_dfs_cac_stop(vap);
  182                         break;
  183                 case IEEE80211_S_RUN:
  184                         ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
  185                             sta_disassoc, NULL);
  186                         break;
  187                 default:
  188                         break;
  189                 }
  190                 if (ostate != IEEE80211_S_INIT) {
  191                         /* NB: optimize INIT -> INIT case */
  192                         ieee80211_reset_bss(vap);
  193                 }
  194                 if (vap->iv_auth->ia_detach != NULL)
  195                         vap->iv_auth->ia_detach(vap);
  196                 break;
  197         case IEEE80211_S_SCAN:
  198                 switch (ostate) {
  199                 case IEEE80211_S_CSA:
  200                 case IEEE80211_S_RUN:
  201                         ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
  202                             sta_disassoc, NULL);
  203                         /*
  204                          * Clear overlapping BSS state; the beacon frame
  205                          * will be reconstructed on transition to the RUN
  206                          * state and the timeout routines check if the flag
  207                          * is set before doing anything so this is sufficient.
  208                          */
  209                         vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
  210                         vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
  211                         /* XXX TODO: schedule deferred update? */
  212                         /* fall thru... */
  213                 case IEEE80211_S_CAC:
  214                         /*
  215                          * NB: We may get here because of a manual channel
  216                          *     change in which case we need to stop CAC
  217                          * XXX no need to stop if ostate RUN but it's ok
  218                          */
  219                         ieee80211_dfs_cac_stop(vap);
  220                         /* fall thru... */
  221                 case IEEE80211_S_INIT:
  222                         if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
  223                             !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
  224                                 /*
  225                                  * Already have a channel; bypass the
  226                                  * scan and startup immediately.  
  227                                  * ieee80211_create_ibss will call back to
  228                                  * move us to RUN state.
  229                                  */
  230                                 ieee80211_create_ibss(vap, vap->iv_des_chan);
  231                                 break;
  232                         }
  233                         /*
  234                          * Initiate a scan.  We can come here as a result
  235                          * of an IEEE80211_IOC_SCAN_REQ too in which case
  236                          * the vap will be marked with IEEE80211_FEXT_SCANREQ
  237                          * and the scan request parameters will be present
  238                          * in iv_scanreq.  Otherwise we do the default.
  239                          */
  240                         if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
  241                                 ieee80211_check_scan(vap,
  242                                     vap->iv_scanreq_flags,
  243                                     vap->iv_scanreq_duration,
  244                                     vap->iv_scanreq_mindwell,
  245                                     vap->iv_scanreq_maxdwell,
  246                                     vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
  247                                 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
  248                         } else
  249                                 ieee80211_check_scan_current(vap);
  250                         break;
  251                 case IEEE80211_S_SCAN:
  252                         /*
  253                          * A state change requires a reset; scan.
  254                          */
  255                         ieee80211_check_scan_current(vap);
  256                         break;
  257                 default:
  258                         break;
  259                 }
  260                 break;
  261         case IEEE80211_S_CAC:
  262                 /*
  263                  * Start CAC on a DFS channel.  We come here when starting
  264                  * a bss on a DFS channel (see ieee80211_create_ibss).
  265                  */
  266                 ieee80211_dfs_cac_start(vap);
  267                 break;
  268         case IEEE80211_S_RUN:
  269                 if (vap->iv_flags & IEEE80211_F_WPA) {
  270                         /* XXX validate prerequisites */
  271                 }
  272                 switch (ostate) {
  273                 case IEEE80211_S_INIT:
  274                         /*
  275                          * Already have a channel; bypass the
  276                          * scan and startup immediately.
  277                          * Note that ieee80211_create_ibss will call
  278                          * back to do a RUN->RUN state change.
  279                          */
  280                         ieee80211_create_ibss(vap,
  281                             ieee80211_ht_adjust_channel(ic,
  282                                 ic->ic_curchan, vap->iv_flags_ht));
  283                         /* NB: iv_bss is changed on return */
  284                         break;
  285                 case IEEE80211_S_CAC:
  286                         /*
  287                          * NB: This is the normal state change when CAC
  288                          * expires and no radar was detected; no need to
  289                          * clear the CAC timer as it's already expired.
  290                          */
  291                         /* fall thru... */
  292                 case IEEE80211_S_CSA:
  293                         /*
  294                          * Shorten inactivity timer of associated stations
  295                          * to weed out sta's that don't follow a CSA.
  296                          */
  297                         ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
  298                             sta_csa, NULL);
  299                         /*
  300                          * Update bss node channel to reflect where
  301                          * we landed after CSA.
  302                          */
  303                         ieee80211_node_set_chan(vap->iv_bss,
  304                             ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
  305                                 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
  306                         /* XXX bypass debug msgs */
  307                         break;
  308                 case IEEE80211_S_SCAN:
  309                 case IEEE80211_S_RUN:
  310 #ifdef IEEE80211_DEBUG
  311                         if (ieee80211_msg_debug(vap)) {
  312                                 struct ieee80211_node *ni = vap->iv_bss;
  313                                 ieee80211_note(vap,
  314                                     "synchronized with %s ssid ",
  315                                     ether_sprintf(ni->ni_bssid));
  316                                 ieee80211_print_essid(ni->ni_essid,
  317                                     ni->ni_esslen);
  318                                 /* XXX MCS/HT */
  319                                 printf(" channel %d start %uMb\n",
  320                                     ieee80211_chan2ieee(ic, ic->ic_curchan),
  321                                     IEEE80211_RATE2MBS(ni->ni_txrate));
  322                         }
  323 #endif
  324                         break;
  325                 default:
  326                         break;
  327                 }
  328                 /*
  329                  * Start/stop the authenticator.  We delay until here
  330                  * to allow configuration to happen out of order.
  331                  */
  332                 if (vap->iv_auth->ia_attach != NULL) {
  333                         /* XXX check failure */
  334                         vap->iv_auth->ia_attach(vap);
  335                 } else if (vap->iv_auth->ia_detach != NULL) {
  336                         vap->iv_auth->ia_detach(vap);
  337                 }
  338                 ieee80211_node_authorize(vap->iv_bss);
  339                 break;
  340         case IEEE80211_S_CSA:
  341                 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
  342                         /*
  343                          * On a ``band change'' silently drop associated
  344                          * stations as they must re-associate before they
  345                          * can pass traffic (as otherwise protocol state
  346                          * such as capabilities and the negotiated rate
  347                          * set may/will be wrong).
  348                          */
  349                         ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
  350                             sta_drop, NULL);
  351                 }
  352                 break;
  353         default:
  354                 break;
  355         }
  356         return 0;
  357 }
  358 
  359 static void
  360 hostap_deliver_data(struct ieee80211vap *vap,
  361         struct ieee80211_node *ni, struct mbuf *m)
  362 {
  363         struct ether_header *eh = mtod(m, struct ether_header *);
  364         struct ifnet *ifp = vap->iv_ifp;
  365 
  366         /* clear driver/net80211 flags before passing up */
  367         m->m_flags &= ~(M_MCAST | M_BCAST);
  368         m_clrprotoflags(m);
  369 
  370         KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
  371             ("gack, opmode %d", vap->iv_opmode));
  372         /*
  373          * Do accounting.
  374          */
  375         if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
  376         IEEE80211_NODE_STAT(ni, rx_data);
  377         IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
  378         if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
  379                 m->m_flags |= M_MCAST;          /* XXX M_BCAST? */
  380                 IEEE80211_NODE_STAT(ni, rx_mcast);
  381         } else
  382                 IEEE80211_NODE_STAT(ni, rx_ucast);
  383 
  384         /* perform as a bridge within the AP */
  385         if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
  386                 struct mbuf *mcopy = NULL;
  387 
  388                 if (m->m_flags & M_MCAST) {
  389                         mcopy = m_dup(m, IEEE80211_M_NOWAIT);
  390                         if (mcopy == NULL)
  391                                 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
  392                         else
  393                                 mcopy->m_flags |= M_MCAST;
  394                 } else {
  395                         /*
  396                          * Check if the destination is associated with the
  397                          * same vap and authorized to receive traffic.
  398                          * Beware of traffic destined for the vap itself;
  399                          * sending it will not work; just let it be delivered
  400                          * normally.
  401                          */
  402                         struct ieee80211_node *sta = ieee80211_find_vap_node(
  403                              &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
  404                         if (sta != NULL) {
  405                                 if (ieee80211_node_is_authorized(sta)) {
  406                                         /*
  407                                          * Beware of sending to ourself; this
  408                                          * needs to happen via the normal
  409                                          * input path.
  410                                          */
  411                                         if (sta != vap->iv_bss) {
  412                                                 mcopy = m;
  413                                                 m = NULL;
  414                                         }
  415                                 } else {
  416                                         vap->iv_stats.is_rx_unauth++;
  417                                         IEEE80211_NODE_STAT(sta, rx_unauth);
  418                                 }
  419                                 ieee80211_free_node(sta);
  420                         }
  421                 }
  422                 if (mcopy != NULL)
  423                         (void) ieee80211_vap_xmitpkt(vap, mcopy);
  424         }
  425         if (m != NULL) {
  426                 /*
  427                  * Mark frame as coming from vap's interface.
  428                  */
  429                 m->m_pkthdr.rcvif = ifp;
  430                 if (m->m_flags & M_MCAST) {
  431                         /*
  432                          * Spam DWDS vap's w/ multicast traffic.
  433                          */
  434                         /* XXX only if dwds in use? */
  435                         ieee80211_dwds_mcast(vap, m);
  436                 }
  437                 if (ni->ni_vlan != 0) {
  438                         /* attach vlan tag */
  439                         m->m_pkthdr.ether_vtag = ni->ni_vlan;
  440                         m->m_flags |= M_VLANTAG;
  441                 }
  442                 ifp->if_input(ifp, m);
  443         }
  444 }
  445 
  446 /*
  447  * Decide if a received management frame should be
  448  * printed when debugging is enabled.  This filters some
  449  * of the less interesting frames that come frequently
  450  * (e.g. beacons).
  451  */
  452 static __inline int
  453 doprint(struct ieee80211vap *vap, int subtype)
  454 {
  455         switch (subtype) {
  456         case IEEE80211_FC0_SUBTYPE_BEACON:
  457                 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
  458         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
  459                 return 0;
  460         }
  461         return 1;
  462 }
  463 
  464 /*
  465  * Process a received frame.  The node associated with the sender
  466  * should be supplied.  If nothing was found in the node table then
  467  * the caller is assumed to supply a reference to iv_bss instead.
  468  * The RSSI and a timestamp are also supplied.  The RSSI data is used
  469  * during AP scanning to select a AP to associate with; it can have
  470  * any units so long as values have consistent units and higher values
  471  * mean ``better signal''.  The receive timestamp is currently not used
  472  * by the 802.11 layer.
  473  */
  474 static int
  475 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
  476     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
  477 {
  478         struct ieee80211vap *vap = ni->ni_vap;
  479         struct ieee80211com *ic = ni->ni_ic;
  480         struct ifnet *ifp = vap->iv_ifp;
  481         struct ieee80211_frame *wh;
  482         struct ieee80211_key *key;
  483         struct ether_header *eh;
  484         int hdrspace, need_tap = 1;     /* mbuf need to be tapped. */
  485         uint8_t dir, type, subtype, qos;
  486         uint8_t *bssid;
  487         int is_hw_decrypted = 0;
  488         int has_decrypted = 0;
  489 
  490         /*
  491          * Some devices do hardware decryption all the way through
  492          * to pretending the frame wasn't encrypted in the first place.
  493          * So, tag it appropriately so it isn't discarded inappropriately.
  494          */
  495         if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
  496                 is_hw_decrypted = 1;
  497 
  498         if (m->m_flags & M_AMPDU_MPDU) {
  499                 /*
  500                  * Fastpath for A-MPDU reorder q resubmission.  Frames
  501                  * w/ M_AMPDU_MPDU marked have already passed through
  502                  * here but were received out of order and been held on
  503                  * the reorder queue.  When resubmitted they are marked
  504                  * with the M_AMPDU_MPDU flag and we can bypass most of
  505                  * the normal processing.
  506                  */
  507                 wh = mtod(m, struct ieee80211_frame *);
  508                 type = IEEE80211_FC0_TYPE_DATA;
  509                 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
  510                 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
  511                 hdrspace = ieee80211_hdrspace(ic, wh);  /* XXX optimize? */
  512                 goto resubmit_ampdu;
  513         }
  514 
  515         KASSERT(ni != NULL, ("null node"));
  516         ni->ni_inact = ni->ni_inact_reload;
  517 
  518         type = -1;                      /* undefined */
  519 
  520         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
  521                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
  522                     ni->ni_macaddr, NULL,
  523                     "too short (1): len %u", m->m_pkthdr.len);
  524                 vap->iv_stats.is_rx_tooshort++;
  525                 goto out;
  526         }
  527         /*
  528          * Bit of a cheat here, we use a pointer for a 3-address
  529          * frame format but don't reference fields past outside
  530          * ieee80211_frame_min w/o first validating the data is
  531          * present.
  532          */
  533         wh = mtod(m, struct ieee80211_frame *);
  534 
  535         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
  536             IEEE80211_FC0_VERSION_0) {
  537                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
  538                     ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
  539                     wh->i_fc[0], wh->i_fc[1]);
  540                 vap->iv_stats.is_rx_badversion++;
  541                 goto err;
  542         }
  543 
  544         dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
  545         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
  546         subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
  547         if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
  548                 if (dir != IEEE80211_FC1_DIR_NODS)
  549                         bssid = wh->i_addr1;
  550                 else if (type == IEEE80211_FC0_TYPE_CTL)
  551                         bssid = wh->i_addr1;
  552                 else {
  553                         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
  554                                 IEEE80211_DISCARD_MAC(vap,
  555                                     IEEE80211_MSG_ANY, ni->ni_macaddr,
  556                                     NULL, "too short (2): len %u",
  557                                     m->m_pkthdr.len);
  558                                 vap->iv_stats.is_rx_tooshort++;
  559                                 goto out;
  560                         }
  561                         bssid = wh->i_addr3;
  562                 }
  563                 /*
  564                  * Validate the bssid.
  565                  */
  566                 if (!(type == IEEE80211_FC0_TYPE_MGT &&
  567                       subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
  568                     !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
  569                     !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
  570                         /* not interested in */
  571                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
  572                             bssid, NULL, "%s", "not to bss");
  573                         vap->iv_stats.is_rx_wrongbss++;
  574                         goto out;
  575                 }
  576 
  577                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
  578                 ni->ni_noise = nf;
  579                 if (IEEE80211_HAS_SEQ(type, subtype)) {
  580                         uint8_t tid = ieee80211_gettid(wh);
  581                         if (IEEE80211_QOS_HAS_SEQ(wh) &&
  582                             TID_TO_WME_AC(tid) >= WME_AC_VI)
  583                                 ic->ic_wme.wme_hipri_traffic++;
  584                         if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
  585                                 goto out;
  586                 }
  587         }
  588 
  589         switch (type) {
  590         case IEEE80211_FC0_TYPE_DATA:
  591                 hdrspace = ieee80211_hdrspace(ic, wh);
  592                 if (m->m_len < hdrspace &&
  593                     (m = m_pullup(m, hdrspace)) == NULL) {
  594                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
  595                             ni->ni_macaddr, NULL,
  596                             "data too short: expecting %u", hdrspace);
  597                         vap->iv_stats.is_rx_tooshort++;
  598                         goto out;               /* XXX */
  599                 }
  600                 if (!(dir == IEEE80211_FC1_DIR_TODS ||
  601                      (dir == IEEE80211_FC1_DIR_DSTODS &&
  602                       (vap->iv_flags & IEEE80211_F_DWDS)))) {
  603                         if (dir != IEEE80211_FC1_DIR_DSTODS) {
  604                                 IEEE80211_DISCARD(vap,
  605                                     IEEE80211_MSG_INPUT, wh, "data",
  606                                     "incorrect dir 0x%x", dir);
  607                         } else {
  608                                 IEEE80211_DISCARD(vap,
  609                                     IEEE80211_MSG_INPUT |
  610                                     IEEE80211_MSG_WDS, wh,
  611                                     "4-address data",
  612                                     "%s", "DWDS not enabled");
  613                         }
  614                         vap->iv_stats.is_rx_wrongdir++;
  615                         goto out;
  616                 }
  617                 /* check if source STA is associated */
  618                 if (ni == vap->iv_bss) {
  619                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
  620                             wh, "data", "%s", "unknown src");
  621                         ieee80211_send_error(ni, wh->i_addr2,
  622                             IEEE80211_FC0_SUBTYPE_DEAUTH,
  623                             IEEE80211_REASON_NOT_AUTHED);
  624                         vap->iv_stats.is_rx_notassoc++;
  625                         goto err;
  626                 }
  627                 if (ni->ni_associd == 0) {
  628                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
  629                             wh, "data", "%s", "unassoc src");
  630                         IEEE80211_SEND_MGMT(ni,
  631                             IEEE80211_FC0_SUBTYPE_DISASSOC,
  632                             IEEE80211_REASON_NOT_ASSOCED);
  633                         vap->iv_stats.is_rx_notassoc++;
  634                         goto err;
  635                 }
  636 
  637                 /*
  638                  * Check for power save state change.
  639                  * XXX out-of-order A-MPDU frames?
  640                  */
  641                 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
  642                     (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
  643                         vap->iv_node_ps(ni,
  644                                 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
  645                 /*
  646                  * For 4-address packets handle WDS discovery
  647                  * notifications.  Once a WDS link is setup frames
  648                  * are just delivered to the WDS vap (see below).
  649                  */
  650                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
  651                         if (!ieee80211_node_is_authorized(ni)) {
  652                                 IEEE80211_DISCARD(vap,
  653                                     IEEE80211_MSG_INPUT |
  654                                     IEEE80211_MSG_WDS, wh,
  655                                     "4-address data",
  656                                     "%s", "unauthorized port");
  657                                 vap->iv_stats.is_rx_unauth++;
  658                                 IEEE80211_NODE_STAT(ni, rx_unauth);
  659                                 goto err;
  660                         }
  661                         ieee80211_dwds_discover(ni, m);
  662                         return type;
  663                 }
  664 
  665                 /*
  666                  * Handle A-MPDU re-ordering.  If the frame is to be
  667                  * processed directly then ieee80211_ampdu_reorder
  668                  * will return 0; otherwise it has consumed the mbuf
  669                  * and we should do nothing more with it.
  670                  */
  671                 if ((m->m_flags & M_AMPDU) &&
  672                     ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
  673                         m = NULL;
  674                         goto out;
  675                 }
  676         resubmit_ampdu:
  677 
  678                 /*
  679                  * Handle privacy requirements.  Note that we
  680                  * must not be preempted from here until after
  681                  * we (potentially) call ieee80211_crypto_demic;
  682                  * otherwise we may violate assumptions in the
  683                  * crypto cipher modules used to do delayed update
  684                  * of replay sequence numbers.
  685                  */
  686                 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
  687                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
  688                                 /*
  689                                  * Discard encrypted frames when privacy is off.
  690                                  */
  691                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
  692                                     wh, "WEP", "%s", "PRIVACY off");
  693                                 vap->iv_stats.is_rx_noprivacy++;
  694                                 IEEE80211_NODE_STAT(ni, rx_noprivacy);
  695                                 goto out;
  696                         }
  697                         if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
  698                                 /* NB: stats+msgs handled in crypto_decap */
  699                                 IEEE80211_NODE_STAT(ni, rx_wepfail);
  700                                 goto out;
  701                         }
  702                         wh = mtod(m, struct ieee80211_frame *);
  703                         wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
  704                         has_decrypted = 1;
  705                 } else {
  706                         /* XXX M_WEP and IEEE80211_F_PRIVACY */
  707                         key = NULL;
  708                 }
  709 
  710                 /*
  711                  * Save QoS bits for use below--before we strip the header.
  712                  */
  713                 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
  714                         qos = ieee80211_getqos(wh)[0];
  715                 else
  716                         qos = 0;
  717 
  718                 /*
  719                  * Next up, any fragmentation.
  720                  */
  721                 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
  722                         m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
  723                         if (m == NULL) {
  724                                 /* Fragment dropped or frame not complete yet */
  725                                 goto out;
  726                         }
  727                 }
  728                 wh = NULL;              /* no longer valid, catch any uses */
  729 
  730                 /*
  731                  * Next strip any MSDU crypto bits.
  732                  */
  733                 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
  734                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
  735                             ni->ni_macaddr, "data", "%s", "demic error");
  736                         vap->iv_stats.is_rx_demicfail++;
  737                         IEEE80211_NODE_STAT(ni, rx_demicfail);
  738                         goto out;
  739                 }
  740                 /* copy to listener after decrypt */
  741                 if (ieee80211_radiotap_active_vap(vap))
  742                         ieee80211_radiotap_rx(vap, m);
  743                 need_tap = 0;
  744                 /*
  745                  * Finally, strip the 802.11 header.
  746                  */
  747                 m = ieee80211_decap(vap, m, hdrspace, qos);
  748                 if (m == NULL) {
  749                         /* XXX mask bit to check for both */
  750                         /* don't count Null data frames as errors */
  751                         if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
  752                             subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
  753                                 goto out;
  754                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
  755                             ni->ni_macaddr, "data", "%s", "decap error");
  756                         vap->iv_stats.is_rx_decap++;
  757                         IEEE80211_NODE_STAT(ni, rx_decap);
  758                         goto err;
  759                 }
  760                 if (!(qos & IEEE80211_QOS_AMSDU))
  761                         eh = mtod(m, struct ether_header *);
  762                 else
  763                         eh = NULL;
  764                 if (!ieee80211_node_is_authorized(ni)) {
  765                         /*
  766                          * Deny any non-PAE frames received prior to
  767                          * authorization.  For open/shared-key
  768                          * authentication the port is mark authorized
  769                          * after authentication completes.  For 802.1x
  770                          * the port is not marked authorized by the
  771                          * authenticator until the handshake has completed.
  772                          */
  773                         if (eh == NULL ||
  774                             eh->ether_type != htons(ETHERTYPE_PAE)) {
  775                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
  776                                     ni->ni_macaddr, "data", "unauthorized or "
  777                                     "unknown port: ether type 0x%x len %u",
  778                                     eh == NULL ? -1 : eh->ether_type,
  779                                     m->m_pkthdr.len);
  780                                 vap->iv_stats.is_rx_unauth++;
  781                                 IEEE80211_NODE_STAT(ni, rx_unauth);
  782                                 goto err;
  783                         }
  784                 } else {
  785                         /*
  786                          * When denying unencrypted frames, discard
  787                          * any non-PAE frames received without encryption.
  788                          */
  789                         if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
  790                             ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
  791                             (is_hw_decrypted == 0) &&
  792                             (eh == NULL ||
  793                              eh->ether_type != htons(ETHERTYPE_PAE))) {
  794                                 /*
  795                                  * Drop unencrypted frames.
  796                                  */
  797                                 vap->iv_stats.is_rx_unencrypted++;
  798                                 IEEE80211_NODE_STAT(ni, rx_unencrypted);
  799                                 goto out;
  800                         }
  801                 }
  802                 /* XXX require HT? */
  803                 if (qos & IEEE80211_QOS_AMSDU) {
  804                         m = ieee80211_decap_amsdu(ni, m);
  805                         if (m == NULL)
  806                                 return IEEE80211_FC0_TYPE_DATA;
  807                 } else {
  808 #ifdef IEEE80211_SUPPORT_SUPERG
  809                         m = ieee80211_decap_fastframe(vap, ni, m);
  810                         if (m == NULL)
  811                                 return IEEE80211_FC0_TYPE_DATA;
  812 #endif
  813                 }
  814                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
  815                         ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
  816                 else
  817                         hostap_deliver_data(vap, ni, m);
  818                 return IEEE80211_FC0_TYPE_DATA;
  819 
  820         case IEEE80211_FC0_TYPE_MGT:
  821                 vap->iv_stats.is_rx_mgmt++;
  822                 IEEE80211_NODE_STAT(ni, rx_mgmt);
  823                 if (dir != IEEE80211_FC1_DIR_NODS) {
  824                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
  825                             wh, "mgt", "incorrect dir 0x%x", dir);
  826                         vap->iv_stats.is_rx_wrongdir++;
  827                         goto err;
  828                 }
  829                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
  830                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
  831                             ni->ni_macaddr, "mgt", "too short: len %u",
  832                             m->m_pkthdr.len);
  833                         vap->iv_stats.is_rx_tooshort++;
  834                         goto out;
  835                 }
  836                 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
  837                         /* ensure return frames are unicast */
  838                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
  839                             wh, NULL, "source is multicast: %s",
  840                             ether_sprintf(wh->i_addr2));
  841                         vap->iv_stats.is_rx_mgtdiscard++;       /* XXX stat */
  842                         goto out;
  843                 }
  844 #ifdef IEEE80211_DEBUG
  845                 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
  846                     ieee80211_msg_dumppkts(vap)) {
  847                         if_printf(ifp, "received %s from %s rssi %d\n",
  848                             ieee80211_mgt_subtype_name(subtype),
  849                             ether_sprintf(wh->i_addr2), rssi);
  850                 }
  851 #endif
  852                 if (IEEE80211_IS_PROTECTED(wh)) {
  853                         if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
  854                                 /*
  855                                  * Only shared key auth frames with a challenge
  856                                  * should be encrypted, discard all others.
  857                                  */
  858                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
  859                                     wh, NULL,
  860                                     "%s", "WEP set but not permitted");
  861                                 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
  862                                 goto out;
  863                         }
  864                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
  865                                 /*
  866                                  * Discard encrypted frames when privacy is off.
  867                                  */
  868                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
  869                                     wh, NULL, "%s", "WEP set but PRIVACY off");
  870                                 vap->iv_stats.is_rx_noprivacy++;
  871                                 goto out;
  872                         }
  873                         hdrspace = ieee80211_hdrspace(ic, wh);
  874                         if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
  875                                 /* NB: stats+msgs handled in crypto_decap */
  876                                 goto out;
  877                         }
  878                         wh = mtod(m, struct ieee80211_frame *);
  879                         wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
  880                         has_decrypted = 1;
  881                 }
  882                 /*
  883                  * Pass the packet to radiotap before calling iv_recv_mgmt().
  884                  * Otherwise iv_recv_mgmt() might pass another packet to
  885                  * radiotap, resulting in out of order packet captures.
  886                  */
  887                 if (ieee80211_radiotap_active_vap(vap))
  888                         ieee80211_radiotap_rx(vap, m);
  889                 need_tap = 0;
  890                 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
  891                 goto out;
  892 
  893         case IEEE80211_FC0_TYPE_CTL:
  894                 vap->iv_stats.is_rx_ctl++;
  895                 IEEE80211_NODE_STAT(ni, rx_ctrl);
  896                 vap->iv_recv_ctl(ni, m, subtype);
  897                 goto out;
  898         default:
  899                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
  900                     wh, "bad", "frame type 0x%x", type);
  901                 /* should not come here */
  902                 break;
  903         }
  904 err:
  905         if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
  906 out:
  907         if (m != NULL) {
  908                 if (need_tap && ieee80211_radiotap_active_vap(vap))
  909                         ieee80211_radiotap_rx(vap, m);
  910                 m_freem(m);
  911         }
  912         return type;
  913 }
  914 
  915 static void
  916 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
  917     int rssi, int nf, uint16_t seq, uint16_t status)
  918 {
  919         struct ieee80211vap *vap = ni->ni_vap;
  920 
  921         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
  922 
  923         if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
  924                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
  925                     ni->ni_macaddr, "open auth",
  926                     "bad sta auth mode %u", ni->ni_authmode);
  927                 vap->iv_stats.is_rx_bad_auth++; /* XXX */
  928                 /*
  929                  * Clear any challenge text that may be there if
  930                  * a previous shared key auth failed and then an
  931                  * open auth is attempted.
  932                  */
  933                 if (ni->ni_challenge != NULL) {
  934                         IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
  935                         ni->ni_challenge = NULL;
  936                 }
  937                 /* XXX hack to workaround calling convention */
  938                 ieee80211_send_error(ni, wh->i_addr2, 
  939                     IEEE80211_FC0_SUBTYPE_AUTH,
  940                     (seq + 1) | (IEEE80211_STATUS_ALG<<16));
  941                 return;
  942         }
  943         if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
  944                 vap->iv_stats.is_rx_bad_auth++;
  945                 return;
  946         }
  947         /* always accept open authentication requests */
  948         if (ni == vap->iv_bss) {
  949                 ni = ieee80211_dup_bss(vap, wh->i_addr2);
  950                 if (ni == NULL)
  951                         return;
  952         } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
  953                 (void) ieee80211_ref_node(ni);
  954         /*
  955          * Mark the node as referenced to reflect that it's
  956          * reference count has been bumped to insure it remains
  957          * after the transaction completes.
  958          */
  959         ni->ni_flags |= IEEE80211_NODE_AREF;
  960         /*
  961          * Mark the node as requiring a valid association id
  962          * before outbound traffic is permitted.
  963          */
  964         ni->ni_flags |= IEEE80211_NODE_ASSOCID;
  965 
  966         if (vap->iv_acl != NULL &&
  967             vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
  968                 /*
  969                  * When the ACL policy is set to RADIUS we defer the
  970                  * authorization to a user agent.  Dispatch an event,
  971                  * a subsequent MLME call will decide the fate of the
  972                  * station.  If the user agent is not present then the
  973                  * node will be reclaimed due to inactivity.
  974                  */
  975                 IEEE80211_NOTE_MAC(vap,
  976                     IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
  977                     "%s", "station authentication defered (radius acl)");
  978                 ieee80211_notify_node_auth(ni);
  979         } else {
  980                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
  981                 IEEE80211_NOTE_MAC(vap,
  982                     IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
  983                     "%s", "station authenticated (open)");
  984                 /*
  985                  * When 802.1x is not in use mark the port
  986                  * authorized at this point so traffic can flow.
  987                  */
  988                 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
  989                         ieee80211_node_authorize(ni);
  990         }
  991 }
  992 
  993 static void
  994 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
  995     uint8_t *frm, uint8_t *efrm, int rssi, int nf,
  996     uint16_t seq, uint16_t status)
  997 {
  998         struct ieee80211vap *vap = ni->ni_vap;
  999         uint8_t *challenge;
 1000         int estatus;
 1001 
 1002         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
 1003 
 1004         /*
 1005          * NB: this can happen as we allow pre-shared key
 1006          * authentication to be enabled w/o wep being turned
 1007          * on so that configuration of these can be done
 1008          * in any order.  It may be better to enforce the
 1009          * ordering in which case this check would just be
 1010          * for sanity/consistency.
 1011          */
 1012         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 1013                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1014                     ni->ni_macaddr, "shared key auth",
 1015                     "%s", " PRIVACY is disabled");
 1016                 estatus = IEEE80211_STATUS_ALG;
 1017                 goto bad;
 1018         }
 1019         /*
 1020          * Pre-shared key authentication is evil; accept
 1021          * it only if explicitly configured (it is supported
 1022          * mainly for compatibility with clients like Mac OS X).
 1023          */
 1024         if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
 1025             ni->ni_authmode != IEEE80211_AUTH_SHARED) {
 1026                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1027                     ni->ni_macaddr, "shared key auth",
 1028                     "bad sta auth mode %u", ni->ni_authmode);
 1029                 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
 1030                 estatus = IEEE80211_STATUS_ALG;
 1031                 goto bad;
 1032         }
 1033 
 1034         challenge = NULL;
 1035         if (frm + 1 < efrm) {
 1036                 if ((frm[1] + 2) > (efrm - frm)) {
 1037                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1038                             ni->ni_macaddr, "shared key auth",
 1039                             "ie %d/%d too long",
 1040                             frm[0], (frm[1] + 2) - (efrm - frm));
 1041                         vap->iv_stats.is_rx_bad_auth++;
 1042                         estatus = IEEE80211_STATUS_CHALLENGE;
 1043                         goto bad;
 1044                 }
 1045                 if (*frm == IEEE80211_ELEMID_CHALLENGE)
 1046                         challenge = frm;
 1047                 frm += frm[1] + 2;
 1048         }
 1049         switch (seq) {
 1050         case IEEE80211_AUTH_SHARED_CHALLENGE:
 1051         case IEEE80211_AUTH_SHARED_RESPONSE:
 1052                 if (challenge == NULL) {
 1053                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1054                             ni->ni_macaddr, "shared key auth",
 1055                             "%s", "no challenge");
 1056                         vap->iv_stats.is_rx_bad_auth++;
 1057                         estatus = IEEE80211_STATUS_CHALLENGE;
 1058                         goto bad;
 1059                 }
 1060                 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
 1061                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1062                             ni->ni_macaddr, "shared key auth",
 1063                             "bad challenge len %d", challenge[1]);
 1064                         vap->iv_stats.is_rx_bad_auth++;
 1065                         estatus = IEEE80211_STATUS_CHALLENGE;
 1066                         goto bad;
 1067                 }
 1068         default:
 1069                 break;
 1070         }
 1071         switch (seq) {
 1072         case IEEE80211_AUTH_SHARED_REQUEST:
 1073         {
 1074 #ifdef IEEE80211_DEBUG
 1075                 bool allocbs;
 1076 #endif
 1077 
 1078                 if (ni == vap->iv_bss) {
 1079                         ni = ieee80211_dup_bss(vap, wh->i_addr2);
 1080                         if (ni == NULL) {
 1081                                 /* NB: no way to return an error */
 1082                                 return;
 1083                         }
 1084 #ifdef IEEE80211_DEBUG
 1085                         allocbs = 1;
 1086 #endif
 1087                 } else {
 1088                         if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
 1089                                 (void) ieee80211_ref_node(ni);
 1090 #ifdef IEEE80211_DEBUG
 1091                         allocbs = 0;
 1092 #endif
 1093                 }
 1094                 /*
 1095                  * Mark the node as referenced to reflect that it's
 1096                  * reference count has been bumped to insure it remains
 1097                  * after the transaction completes.
 1098                  */
 1099                 ni->ni_flags |= IEEE80211_NODE_AREF;
 1100                 /*
 1101                  * Mark the node as requiring a valid association id
 1102                  * before outbound traffic is permitted.
 1103                  */
 1104                 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
 1105                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
 1106                 ni->ni_noise = nf;
 1107                 if (!ieee80211_alloc_challenge(ni)) {
 1108                         /* NB: don't return error so they rexmit */
 1109                         return;
 1110                 }
 1111                 net80211_get_random_bytes(ni->ni_challenge,
 1112                         IEEE80211_CHALLENGE_LEN);
 1113                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
 1114                     ni, "shared key %sauth request", allocbs ? "" : "re");
 1115                 /*
 1116                  * When the ACL policy is set to RADIUS we defer the
 1117                  * authorization to a user agent.  Dispatch an event,
 1118                  * a subsequent MLME call will decide the fate of the
 1119                  * station.  If the user agent is not present then the
 1120                  * node will be reclaimed due to inactivity.
 1121                  */
 1122                 if (vap->iv_acl != NULL &&
 1123                     vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
 1124                         IEEE80211_NOTE_MAC(vap,
 1125                             IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
 1126                             ni->ni_macaddr,
 1127                             "%s", "station authentication defered (radius acl)");
 1128                         ieee80211_notify_node_auth(ni);
 1129                         return;
 1130                 }
 1131                 break;
 1132         }
 1133         case IEEE80211_AUTH_SHARED_RESPONSE:
 1134                 if (ni == vap->iv_bss) {
 1135                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1136                             ni->ni_macaddr, "shared key response",
 1137                             "%s", "unknown station");
 1138                         /* NB: don't send a response */
 1139                         return;
 1140                 }
 1141                 if (ni->ni_challenge == NULL) {
 1142                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1143                             ni->ni_macaddr, "shared key response",
 1144                             "%s", "no challenge recorded");
 1145                         vap->iv_stats.is_rx_bad_auth++;
 1146                         estatus = IEEE80211_STATUS_CHALLENGE;
 1147                         goto bad;
 1148                 }
 1149                 if (memcmp(ni->ni_challenge, &challenge[2],
 1150                            challenge[1]) != 0) {
 1151                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1152                             ni->ni_macaddr, "shared key response",
 1153                             "%s", "challenge mismatch");
 1154                         vap->iv_stats.is_rx_auth_fail++;
 1155                         estatus = IEEE80211_STATUS_CHALLENGE;
 1156                         goto bad;
 1157                 }
 1158                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
 1159                     ni, "%s", "station authenticated (shared key)");
 1160                 ieee80211_node_authorize(ni);
 1161                 break;
 1162         default:
 1163                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 1164                     ni->ni_macaddr, "shared key auth",
 1165                     "bad seq %d", seq);
 1166                 vap->iv_stats.is_rx_bad_auth++;
 1167                 estatus = IEEE80211_STATUS_SEQUENCE;
 1168                 goto bad;
 1169         }
 1170         IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
 1171         return;
 1172 bad:
 1173         /*
 1174          * Send an error response; but only when operating as an AP.
 1175          */
 1176         /* XXX hack to workaround calling convention */
 1177         ieee80211_send_error(ni, wh->i_addr2,
 1178             IEEE80211_FC0_SUBTYPE_AUTH,
 1179             (seq + 1) | (estatus<<16));
 1180 }
 1181 
 1182 /*
 1183  * Convert a WPA cipher selector OUI to an internal
 1184  * cipher algorithm.  Where appropriate we also
 1185  * record any key length.
 1186  */
 1187 static int
 1188 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
 1189 {
 1190 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
 1191         uint32_t w = le32dec(sel);
 1192 
 1193         switch (w) {
 1194         case WPA_SEL(WPA_CSE_NULL):
 1195                 *cipher = IEEE80211_CIPHER_NONE;
 1196                 break;
 1197         case WPA_SEL(WPA_CSE_WEP40):
 1198                 if (keylen)
 1199                         *keylen = 40 / NBBY;
 1200                 *cipher = IEEE80211_CIPHER_WEP;
 1201                 break;
 1202         case WPA_SEL(WPA_CSE_WEP104):
 1203                 if (keylen)
 1204                         *keylen = 104 / NBBY;
 1205                 *cipher = IEEE80211_CIPHER_WEP;
 1206                 break;
 1207         case WPA_SEL(WPA_CSE_TKIP):
 1208                 *cipher = IEEE80211_CIPHER_TKIP;
 1209                 break;
 1210         case WPA_SEL(WPA_CSE_CCMP):
 1211                 *cipher = IEEE80211_CIPHER_AES_CCM;
 1212                 break;
 1213         default:
 1214                 return (EINVAL);
 1215         }
 1216 
 1217         return (0);
 1218 #undef WPA_SEL
 1219 }
 1220 
 1221 /*
 1222  * Convert a WPA key management/authentication algorithm
 1223  * to an internal code.
 1224  */
 1225 static int
 1226 wpa_keymgmt(const uint8_t *sel)
 1227 {
 1228 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
 1229         uint32_t w = le32dec(sel);
 1230 
 1231         switch (w) {
 1232         case WPA_SEL(WPA_ASE_8021X_UNSPEC):
 1233                 return WPA_ASE_8021X_UNSPEC;
 1234         case WPA_SEL(WPA_ASE_8021X_PSK):
 1235                 return WPA_ASE_8021X_PSK;
 1236         case WPA_SEL(WPA_ASE_NONE):
 1237                 return WPA_ASE_NONE;
 1238         }
 1239         return 0;               /* NB: so is discarded */
 1240 #undef WPA_SEL
 1241 }
 1242 
 1243 /*
 1244  * Parse a WPA information element to collect parameters.
 1245  * Note that we do not validate security parameters; that
 1246  * is handled by the authenticator; the parsing done here
 1247  * is just for internal use in making operational decisions.
 1248  */
 1249 static int
 1250 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
 1251         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
 1252 {
 1253         uint8_t len = frm[1];
 1254         uint32_t w;
 1255         int error, n;
 1256 
 1257         /*
 1258          * Check the length once for fixed parts: OUI, type,
 1259          * version, mcast cipher, and 2 selector counts.
 1260          * Other, variable-length data, must be checked separately.
 1261          */
 1262         if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
 1263                 IEEE80211_DISCARD_IE(vap,
 1264                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1265                     wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
 1266                 return IEEE80211_REASON_IE_INVALID;
 1267         }
 1268         if (len < 14) {
 1269                 IEEE80211_DISCARD_IE(vap,
 1270                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1271                     wh, "WPA", "too short, len %u", len);
 1272                 return IEEE80211_REASON_IE_INVALID;
 1273         }
 1274         frm += 6, len -= 4;             /* NB: len is payload only */
 1275         /* NB: iswpaoui already validated the OUI and type */
 1276         w = le16dec(frm);
 1277         if (w != WPA_VERSION) {
 1278                 IEEE80211_DISCARD_IE(vap,
 1279                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1280                     wh, "WPA", "bad version %u", w);
 1281                 return IEEE80211_REASON_IE_INVALID;
 1282         }
 1283         frm += 2, len -= 2;
 1284 
 1285         memset(rsn, 0, sizeof(*rsn));
 1286 
 1287         /* multicast/group cipher */
 1288         error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
 1289         if (error != 0) {
 1290                 IEEE80211_DISCARD_IE(vap,
 1291                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1292                     wh, "WPA", "unknown mcast cipher suite %08X",
 1293                     le32dec(frm));
 1294                 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
 1295         }
 1296         frm += 4, len -= 4;
 1297 
 1298         /* unicast ciphers */
 1299         n = le16dec(frm);
 1300         frm += 2, len -= 2;
 1301         if (len < n*4+2) {
 1302                 IEEE80211_DISCARD_IE(vap,
 1303                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1304                     wh, "WPA", "ucast cipher data too short; len %u, n %u",
 1305                     len, n);
 1306                 return IEEE80211_REASON_IE_INVALID;
 1307         }
 1308         w = 0;
 1309         for (; n > 0; n--) {
 1310                 uint8_t cipher;
 1311 
 1312                 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
 1313                 if (error == 0)
 1314                         w |= 1 << cipher;
 1315 
 1316                 frm += 4, len -= 4;
 1317         }
 1318         if (w == 0) {
 1319                 IEEE80211_DISCARD_IE(vap,
 1320                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1321                     wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
 1322                     w);
 1323                 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
 1324         }
 1325         /* XXX other? */
 1326         if (w & (1 << IEEE80211_CIPHER_AES_CCM))
 1327                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
 1328         else
 1329                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
 1330 
 1331         /* key management algorithms */
 1332         n = le16dec(frm);
 1333         frm += 2, len -= 2;
 1334         if (len < n*4) {
 1335                 IEEE80211_DISCARD_IE(vap,
 1336                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1337                     wh, "WPA", "key mgmt alg data too short; len %u, n %u",
 1338                     len, n);
 1339                 return IEEE80211_REASON_IE_INVALID;
 1340         }
 1341         w = 0;
 1342         for (; n > 0; n--) {
 1343                 w |= wpa_keymgmt(frm);
 1344                 frm += 4, len -= 4;
 1345         }
 1346         if (w & WPA_ASE_8021X_UNSPEC)
 1347                 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
 1348         else
 1349                 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
 1350 
 1351         if (len > 2)            /* optional capabilities */
 1352                 rsn->rsn_caps = le16dec(frm);
 1353 
 1354         return 0;
 1355 }
 1356 
 1357 /*
 1358  * Convert an RSN cipher selector OUI to an internal
 1359  * cipher algorithm.  Where appropriate we also
 1360  * record any key length.
 1361  */
 1362 static int
 1363 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
 1364 {
 1365 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
 1366         uint32_t w = le32dec(sel);
 1367 
 1368         switch (w) {
 1369         case RSN_SEL(RSN_CSE_NULL):
 1370                 *cipher = IEEE80211_CIPHER_NONE;
 1371                 break;
 1372         case RSN_SEL(RSN_CSE_WEP40):
 1373                 if (keylen)
 1374                         *keylen = 40 / NBBY;
 1375                 *cipher = IEEE80211_CIPHER_WEP;
 1376                 break;
 1377         case RSN_SEL(RSN_CSE_WEP104):
 1378                 if (keylen)
 1379                         *keylen = 104 / NBBY;
 1380                 *cipher = IEEE80211_CIPHER_WEP;
 1381                 break;
 1382         case RSN_SEL(RSN_CSE_TKIP):
 1383                 *cipher = IEEE80211_CIPHER_TKIP;
 1384                 break;
 1385         case RSN_SEL(RSN_CSE_CCMP):
 1386                 *cipher = IEEE80211_CIPHER_AES_CCM;
 1387                 break;
 1388         case RSN_SEL(RSN_CSE_WRAP):
 1389                 *cipher = IEEE80211_CIPHER_AES_OCB;
 1390                 break;
 1391         default:
 1392                 return (EINVAL);
 1393         }
 1394 
 1395         return (0);
 1396 #undef WPA_SEL
 1397 }
 1398 
 1399 /*
 1400  * Convert an RSN key management/authentication algorithm
 1401  * to an internal code.
 1402  */
 1403 static int
 1404 rsn_keymgmt(const uint8_t *sel)
 1405 {
 1406 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
 1407         uint32_t w = le32dec(sel);
 1408 
 1409         switch (w) {
 1410         case RSN_SEL(RSN_ASE_8021X_UNSPEC):
 1411                 return RSN_ASE_8021X_UNSPEC;
 1412         case RSN_SEL(RSN_ASE_8021X_PSK):
 1413                 return RSN_ASE_8021X_PSK;
 1414         case RSN_SEL(RSN_ASE_NONE):
 1415                 return RSN_ASE_NONE;
 1416         }
 1417         return 0;               /* NB: so is discarded */
 1418 #undef RSN_SEL
 1419 }
 1420 
 1421 /*
 1422  * Parse a WPA/RSN information element to collect parameters
 1423  * and validate the parameters against what has been
 1424  * configured for the system.
 1425  */
 1426 static int
 1427 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
 1428         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
 1429 {
 1430         uint8_t len = frm[1];
 1431         uint32_t w;
 1432         int error, n;
 1433 
 1434         /*
 1435          * Check the length once for fixed parts: 
 1436          * version, mcast cipher, and 2 selector counts.
 1437          * Other, variable-length data, must be checked separately.
 1438          */
 1439         if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
 1440                 IEEE80211_DISCARD_IE(vap,
 1441                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1442                     wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
 1443                 return IEEE80211_REASON_IE_INVALID;
 1444         }
 1445         /* XXX may be shorter */
 1446         if (len < 10) {
 1447                 IEEE80211_DISCARD_IE(vap,
 1448                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1449                     wh, "RSN", "too short, len %u", len);
 1450                 return IEEE80211_REASON_IE_INVALID;
 1451         }
 1452         frm += 2;
 1453         w = le16dec(frm);
 1454         if (w != RSN_VERSION) {
 1455                 IEEE80211_DISCARD_IE(vap,
 1456                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1457                     wh, "RSN", "bad version %u", w);
 1458                 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
 1459         }
 1460         frm += 2, len -= 2;
 1461 
 1462         memset(rsn, 0, sizeof(*rsn));
 1463 
 1464         /* multicast/group cipher */
 1465         error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
 1466         if (error != 0) {
 1467                 IEEE80211_DISCARD_IE(vap,
 1468                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1469                     wh, "RSN", "unknown mcast cipher suite %08X",
 1470                     le32dec(frm));
 1471                 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
 1472         }
 1473         if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
 1474                 IEEE80211_DISCARD_IE(vap,
 1475                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1476                     wh, "RSN", "invalid mcast cipher suite %d",
 1477                     rsn->rsn_mcastcipher);
 1478                 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
 1479         }
 1480         frm += 4, len -= 4;
 1481 
 1482         /* unicast ciphers */
 1483         n = le16dec(frm);
 1484         frm += 2, len -= 2;
 1485         if (len < n*4+2) {
 1486                 IEEE80211_DISCARD_IE(vap,
 1487                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1488                     wh, "RSN", "ucast cipher data too short; len %u, n %u",
 1489                     len, n);
 1490                 return IEEE80211_REASON_IE_INVALID;
 1491         }
 1492         w = 0;
 1493 
 1494         for (; n > 0; n--) {
 1495                 uint8_t cipher;
 1496 
 1497                 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
 1498                 if (error == 0)
 1499                         w |= 1 << cipher;
 1500 
 1501                 frm += 4, len -= 4;
 1502         }
 1503         if (w & (1 << IEEE80211_CIPHER_AES_CCM))
 1504                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
 1505         else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
 1506                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
 1507         else if (w & (1 << IEEE80211_CIPHER_TKIP))
 1508                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
 1509         else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
 1510             (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
 1511              rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
 1512                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
 1513         else {
 1514                 IEEE80211_DISCARD_IE(vap,
 1515                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1516                     wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
 1517                     w);
 1518                 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
 1519         }
 1520 
 1521         /* key management algorithms */
 1522         n = le16dec(frm);
 1523         frm += 2, len -= 2;
 1524         if (len < n*4) {
 1525                 IEEE80211_DISCARD_IE(vap,
 1526                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
 1527                     wh, "RSN", "key mgmt alg data too short; len %u, n %u",
 1528                     len, n);
 1529                 return IEEE80211_REASON_IE_INVALID;
 1530         }
 1531         w = 0;
 1532         for (; n > 0; n--) {
 1533                 w |= rsn_keymgmt(frm);
 1534                 frm += 4, len -= 4;
 1535         }
 1536         if (w & RSN_ASE_8021X_UNSPEC)
 1537                 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
 1538         else
 1539                 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
 1540 
 1541         /* optional RSN capabilities */
 1542         if (len > 2)
 1543                 rsn->rsn_caps = le16dec(frm);
 1544         /* XXXPMKID */
 1545 
 1546         return 0;
 1547 }
 1548 
 1549 /*
 1550  * WPA/802.11i association request processing.
 1551  */
 1552 static int
 1553 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
 1554         const struct ieee80211_frame *wh, const uint8_t *wpa,
 1555         const uint8_t *rsn, uint16_t capinfo)
 1556 {
 1557         struct ieee80211vap *vap = ni->ni_vap;
 1558         uint8_t reason;
 1559         int badwparsn;
 1560 
 1561         ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
 1562         if (wpa == NULL && rsn == NULL) {
 1563                 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
 1564                         /*
 1565                          * W-Fi Protected Setup (WPS) permits
 1566                          * clients to associate and pass EAPOL frames
 1567                          * to establish initial credentials.
 1568                          */
 1569                         ni->ni_flags |= IEEE80211_NODE_WPS;
 1570                         return 1;
 1571                 }
 1572                 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
 1573                     (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
 1574                         /* 
 1575                          * Transitional Security Network.  Permits clients
 1576                          * to associate and use WEP while WPA is configured.
 1577                          */
 1578                         ni->ni_flags |= IEEE80211_NODE_TSN;
 1579                         return 1;
 1580                 }
 1581                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
 1582                     wh, NULL, "%s", "no WPA/RSN IE in association request");
 1583                 vap->iv_stats.is_rx_assoc_badwpaie++;
 1584                 reason = IEEE80211_REASON_IE_INVALID;
 1585                 goto bad;
 1586         }
 1587         /* assert right association security credentials */
 1588         badwparsn = 0;                  /* NB: to silence compiler */
 1589         switch (vap->iv_flags & IEEE80211_F_WPA) {
 1590         case IEEE80211_F_WPA1:
 1591                 badwparsn = (wpa == NULL);
 1592                 break;
 1593         case IEEE80211_F_WPA2:
 1594                 badwparsn = (rsn == NULL);
 1595                 break;
 1596         case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
 1597                 badwparsn = (wpa == NULL && rsn == NULL);
 1598                 break;
 1599         }
 1600         if (badwparsn) {
 1601                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
 1602                     wh, NULL,
 1603                     "%s", "missing WPA/RSN IE in association request");
 1604                 vap->iv_stats.is_rx_assoc_badwpaie++;
 1605                 reason = IEEE80211_REASON_IE_INVALID;
 1606                 goto bad;
 1607         }
 1608         /*
 1609          * Parse WPA/RSN information element.
 1610          */
 1611         if (wpa != NULL)
 1612                 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
 1613         else
 1614                 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
 1615         if (reason != 0) {
 1616                 /* XXX wpa->rsn fallback? */
 1617                 /* XXX distinguish WPA/RSN? */
 1618                 vap->iv_stats.is_rx_assoc_badwpaie++;
 1619                 goto bad;
 1620         }
 1621         IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
 1622             "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
 1623             wpa != NULL ? "WPA" : "RSN",
 1624             rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
 1625             rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
 1626             rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
 1627 
 1628         return 1;
 1629 bad:
 1630         ieee80211_node_deauth(ni, reason);
 1631         return 0;
 1632 }
 1633 
 1634 /* XXX find a better place for definition */
 1635 struct l2_update_frame {
 1636         struct ether_header eh;
 1637         uint8_t dsap;
 1638         uint8_t ssap;
 1639         uint8_t control;
 1640         uint8_t xid[3];
 1641 }  __packed;
 1642 
 1643 /*
 1644  * Deliver a TGf L2UF frame on behalf of a station.
 1645  * This primes any bridge when the station is roaming
 1646  * between ap's on the same wired network.
 1647  */
 1648 static void
 1649 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
 1650 {
 1651         struct ieee80211vap *vap = ni->ni_vap;
 1652         struct ifnet *ifp = vap->iv_ifp;
 1653         struct mbuf *m;
 1654         struct l2_update_frame *l2uf;
 1655         struct ether_header *eh;
 1656 
 1657         m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA);
 1658         if (m == NULL) {
 1659                 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
 1660                     "%s", "no mbuf for l2uf frame");
 1661                 vap->iv_stats.is_rx_nobuf++;    /* XXX not right */
 1662                 return;
 1663         }
 1664         l2uf = mtod(m, struct l2_update_frame *);
 1665         eh = &l2uf->eh;
 1666         /* dst: Broadcast address */
 1667         IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
 1668         /* src: associated STA */
 1669         IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
 1670         eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
 1671 
 1672         l2uf->dsap = 0;
 1673         l2uf->ssap = 0;
 1674         l2uf->control = 0xf5;
 1675         l2uf->xid[0] = 0x81;
 1676         l2uf->xid[1] = 0x80;
 1677         l2uf->xid[2] = 0x00;
 1678 
 1679         m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
 1680         hostap_deliver_data(vap, ni, m);
 1681 }
 1682 
 1683 static void
 1684 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
 1685         int reassoc, int resp, const char *tag, int rate)
 1686 {
 1687         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
 1688             "deny %s request, %s rate set mismatch, rate/MCS %d",
 1689             reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
 1690         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
 1691         ieee80211_node_leave(ni);
 1692 }
 1693 
 1694 static void
 1695 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
 1696         int reassoc, int resp, const char *tag, int capinfo)
 1697 {
 1698         struct ieee80211vap *vap = ni->ni_vap;
 1699 
 1700         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
 1701             "deny %s request, %s mismatch 0x%x",
 1702             reassoc ? "reassoc" : "assoc", tag, capinfo);
 1703         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
 1704         ieee80211_node_leave(ni);
 1705         vap->iv_stats.is_rx_assoc_capmismatch++;
 1706 }
 1707 
 1708 static void
 1709 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
 1710         int reassoc, int resp)
 1711 {
 1712         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
 1713             "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
 1714         /* XXX no better code */
 1715         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
 1716         ieee80211_node_leave(ni);
 1717 }
 1718 
 1719 static void
 1720 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
 1721         int algo, int seq, int status)
 1722 {
 1723         struct ieee80211vap *vap = ni->ni_vap;
 1724 
 1725         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 1726             wh, NULL, "unsupported alg %d", algo);
 1727         vap->iv_stats.is_rx_auth_unsupported++;
 1728         ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
 1729             seq | (status << 16));
 1730 }
 1731 
 1732 static __inline int
 1733 ishtmixed(const uint8_t *ie)
 1734 {
 1735         const struct ieee80211_ie_htinfo *ht =
 1736             (const struct ieee80211_ie_htinfo *) ie;
 1737         return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
 1738             IEEE80211_HTINFO_OPMODE_MIXED;
 1739 }
 1740 
 1741 static int
 1742 is11bclient(const uint8_t *rates, const uint8_t *xrates)
 1743 {
 1744         static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
 1745         int i;
 1746 
 1747         /* NB: the 11b clients we care about will not have xrates */
 1748         if (xrates != NULL || rates == NULL)
 1749                 return 0;
 1750         for (i = 0; i < rates[1]; i++) {
 1751                 int r = rates[2+i] & IEEE80211_RATE_VAL;
 1752                 if (r > 2*11 || ((1<<r) & brates) == 0)
 1753                         return 0;
 1754         }
 1755         return 1;
 1756 }
 1757 
 1758 static void
 1759 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
 1760         int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
 1761 {
 1762         struct ieee80211vap *vap = ni->ni_vap;
 1763         struct ieee80211com *ic = ni->ni_ic;
 1764         struct ieee80211_frame *wh;
 1765         uint8_t *frm, *efrm, *sfrm;
 1766         uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
 1767         uint8_t *vhtcap, *vhtinfo;
 1768         int reassoc, resp;
 1769         uint8_t rate;
 1770 
 1771         wh = mtod(m0, struct ieee80211_frame *);
 1772         frm = (uint8_t *)&wh[1];
 1773         efrm = mtod(m0, uint8_t *) + m0->m_len;
 1774         switch (subtype) {
 1775         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
 1776                 /*
 1777                  * We process beacon/probe response frames when scanning;
 1778                  * otherwise we check beacon frames for overlapping non-ERP
 1779                  * BSS in 11g and/or overlapping legacy BSS when in HT.
 1780                  */
 1781                 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 1782                         vap->iv_stats.is_rx_mgtdiscard++;
 1783                         return;
 1784                 }
 1785                 /* FALLTHROUGH */
 1786         case IEEE80211_FC0_SUBTYPE_BEACON: {
 1787                 struct ieee80211_scanparams scan;
 1788 
 1789                 /* NB: accept off-channel frames */
 1790                 /* XXX TODO: use rxstatus to determine off-channel details */
 1791                 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
 1792                         return;
 1793                 /*
 1794                  * Count frame now that we know it's to be processed.
 1795                  */
 1796                 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
 1797                         vap->iv_stats.is_rx_beacon++;           /* XXX remove */
 1798                         IEEE80211_NODE_STAT(ni, rx_beacons);
 1799                 } else
 1800                         IEEE80211_NODE_STAT(ni, rx_proberesp);
 1801                 /*
 1802                  * If scanning, just pass information to the scan module.
 1803                  */
 1804                 if (ic->ic_flags & IEEE80211_F_SCAN) {
 1805                         if (scan.status == 0 &&         /* NB: on channel */
 1806                             (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
 1807                                 /*
 1808                                  * Actively scanning a channel marked passive;
 1809                                  * send a probe request now that we know there
 1810                                  * is 802.11 traffic present.
 1811                                  *
 1812                                  * XXX check if the beacon we recv'd gives
 1813                                  * us what we need and suppress the probe req
 1814                                  */
 1815                                 ieee80211_probe_curchan(vap, 1);
 1816                                 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
 1817                         }
 1818                         ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
 1819                             subtype, rssi, nf);
 1820                         return;
 1821                 }
 1822                 /*
 1823                  * Check beacon for overlapping bss w/ non ERP stations.
 1824                  * If we detect one and protection is configured but not
 1825                  * enabled, enable it and start a timer that'll bring us
 1826                  * out if we stop seeing the bss.
 1827                  */
 1828                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
 1829                     scan.status == 0 &&                 /* NB: on-channel */
 1830                     ((scan.erp & 0x100) == 0 ||         /* NB: no ERP, 11b sta*/
 1831                      (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
 1832                         vap->iv_lastnonerp = ticks;
 1833                         vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR;
 1834                         /*
 1835                          * XXX TODO: this may need to check all VAPs?
 1836                          */
 1837                         if (vap->iv_protmode != IEEE80211_PROT_NONE &&
 1838                             (vap->iv_flags & IEEE80211_F_USEPROT) == 0) {
 1839                                 IEEE80211_NOTE_FRAME(vap,
 1840                                     IEEE80211_MSG_ASSOC, wh,
 1841                                     "non-ERP present on channel %d "
 1842                                     "(saw erp 0x%x from channel %d), "
 1843                                     "enable use of protection",
 1844                                     ic->ic_curchan->ic_ieee,
 1845                                     scan.erp, scan.chan);
 1846                                 vap->iv_flags |= IEEE80211_F_USEPROT;
 1847                                 ieee80211_vap_update_erp_protmode(vap);
 1848                         }
 1849                 }
 1850                 /* 
 1851                  * Check beacon for non-HT station on HT channel
 1852                  * and update HT BSS occupancy as appropriate.
 1853                  */
 1854                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
 1855                         if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
 1856                                 /*
 1857                                  * Off control channel; only check frames
 1858                                  * that come in the extension channel when
 1859                                  * operating w/ HT40.
 1860                                  */
 1861                                 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
 1862                                         break;
 1863                                 if (scan.chan != ic->ic_curchan->ic_extieee)
 1864                                         break;
 1865                         }
 1866                         if (scan.htinfo == NULL) {
 1867                                 ieee80211_htprot_update(vap,
 1868                                     IEEE80211_HTINFO_OPMODE_PROTOPT |
 1869                                     IEEE80211_HTINFO_NONHT_PRESENT);
 1870                         } else if (ishtmixed(scan.htinfo)) {
 1871                                 /* XXX? take NONHT_PRESENT from beacon? */
 1872                                 ieee80211_htprot_update(vap,
 1873                                     IEEE80211_HTINFO_OPMODE_MIXED |
 1874                                     IEEE80211_HTINFO_NONHT_PRESENT);
 1875                         }
 1876                 }
 1877                 break;
 1878         }
 1879 
 1880         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
 1881                 if (vap->iv_state != IEEE80211_S_RUN) {
 1882                         vap->iv_stats.is_rx_mgtdiscard++;
 1883                         return;
 1884                 }
 1885                 /*
 1886                  * Consult the ACL policy module if setup.
 1887                  */
 1888                 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
 1889                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
 1890                             wh, NULL, "%s", "disallowed by ACL");
 1891                         vap->iv_stats.is_rx_acl++;
 1892                         return;
 1893                 }
 1894                 /*
 1895                  * prreq frame format
 1896                  *      [tlv] ssid
 1897                  *      [tlv] supported rates
 1898                  *      [tlv] extended supported rates
 1899                  */
 1900                 ssid = rates = xrates = NULL;
 1901                 while (efrm - frm > 1) {
 1902                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
 1903                         switch (*frm) {
 1904                         case IEEE80211_ELEMID_SSID:
 1905                                 ssid = frm;
 1906                                 break;
 1907                         case IEEE80211_ELEMID_RATES:
 1908                                 rates = frm;
 1909                                 break;
 1910                         case IEEE80211_ELEMID_XRATES:
 1911                                 xrates = frm;
 1912                                 break;
 1913                         }
 1914                         frm += frm[1] + 2;
 1915                 }
 1916                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
 1917                 if (xrates != NULL)
 1918                         IEEE80211_VERIFY_ELEMENT(xrates,
 1919                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
 1920                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
 1921                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
 1922                 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
 1923                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 1924                             wh, NULL,
 1925                             "%s", "no ssid with ssid suppression enabled");
 1926                         vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
 1927                         return;
 1928                 }
 1929 
 1930                 /* XXX find a better class or define it's own */
 1931                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
 1932                     "%s", "recv probe req");
 1933                 /*
 1934                  * Some legacy 11b clients cannot hack a complete
 1935                  * probe response frame.  When the request includes
 1936                  * only a bare-bones rate set, communicate this to
 1937                  * the transmit side.
 1938                  */
 1939                 ieee80211_send_proberesp(vap, wh->i_addr2,
 1940                     is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
 1941                 break;
 1942 
 1943         case IEEE80211_FC0_SUBTYPE_AUTH: {
 1944                 uint16_t algo, seq, status;
 1945 
 1946                 if (vap->iv_state != IEEE80211_S_RUN) {
 1947                         vap->iv_stats.is_rx_mgtdiscard++;
 1948                         return;
 1949                 }
 1950                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
 1951                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 1952                             wh, NULL, "%s", "wrong bssid");
 1953                         vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
 1954                         return;
 1955                 }
 1956                 /*
 1957                  * auth frame format
 1958                  *      [2] algorithm
 1959                  *      [2] sequence
 1960                  *      [2] status
 1961                  *      [tlv*] challenge
 1962                  */
 1963                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
 1964                 algo   = le16toh(*(uint16_t *)frm);
 1965                 seq    = le16toh(*(uint16_t *)(frm + 2));
 1966                 status = le16toh(*(uint16_t *)(frm + 4));
 1967                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
 1968                     "recv auth frame with algorithm %d seq %d", algo, seq);
 1969                 /*
 1970                  * Consult the ACL policy module if setup.
 1971                  */
 1972                 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
 1973                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
 1974                             wh, NULL, "%s", "disallowed by ACL");
 1975                         vap->iv_stats.is_rx_acl++;
 1976                         ieee80211_send_error(ni, wh->i_addr2,
 1977                             IEEE80211_FC0_SUBTYPE_AUTH,
 1978                             (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
 1979                         return;
 1980                 }
 1981                 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
 1982                         IEEE80211_DISCARD(vap,
 1983                             IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
 1984                             wh, NULL, "%s", "TKIP countermeasures enabled");
 1985                         vap->iv_stats.is_rx_auth_countermeasures++;
 1986                         ieee80211_send_error(ni, wh->i_addr2,
 1987                                 IEEE80211_FC0_SUBTYPE_AUTH,
 1988                                 IEEE80211_REASON_MIC_FAILURE);
 1989                         return;
 1990                 }
 1991                 if (algo == IEEE80211_AUTH_ALG_SHARED)
 1992                         hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
 1993                             seq, status);
 1994                 else if (algo == IEEE80211_AUTH_ALG_OPEN)
 1995                         hostap_auth_open(ni, wh, rssi, nf, seq, status);
 1996                 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
 1997                         authalgreject(ni, wh, algo,
 1998                             seq+1, IEEE80211_STATUS_ALG);
 1999                         return;
 2000                 } else {
 2001                         /*
 2002                          * We assume that an unknown algorithm is the result
 2003                          * of a decryption failure on a shared key auth frame;
 2004                          * return a status code appropriate for that instead
 2005                          * of IEEE80211_STATUS_ALG.
 2006                          *
 2007                          * NB: a seq# of 4 is intentional; the decrypted
 2008                          *     frame likely has a bogus seq value.
 2009                          */
 2010                         authalgreject(ni, wh, algo,
 2011                             4, IEEE80211_STATUS_CHALLENGE);
 2012                         return;
 2013                 } 
 2014                 break;
 2015         }
 2016 
 2017         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
 2018         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
 2019                 uint16_t capinfo, lintval;
 2020                 struct ieee80211_rsnparms rsnparms;
 2021 
 2022                 if (vap->iv_state != IEEE80211_S_RUN) {
 2023                         vap->iv_stats.is_rx_mgtdiscard++;
 2024                         return;
 2025                 }
 2026                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
 2027                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 2028                             wh, NULL, "%s", "wrong bssid");
 2029                         vap->iv_stats.is_rx_assoc_bss++;
 2030                         return;
 2031                 }
 2032                 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
 2033                         reassoc = 1;
 2034                         resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
 2035                 } else {
 2036                         reassoc = 0;
 2037                         resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
 2038                 }
 2039                 if (ni == vap->iv_bss) {
 2040                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
 2041                             "deny %s request, sta not authenticated",
 2042                             reassoc ? "reassoc" : "assoc");
 2043                         ieee80211_send_error(ni, wh->i_addr2,
 2044                             IEEE80211_FC0_SUBTYPE_DEAUTH,
 2045                             IEEE80211_REASON_ASSOC_NOT_AUTHED);
 2046                         vap->iv_stats.is_rx_assoc_notauth++;
 2047                         return;
 2048                 }
 2049 
 2050                 /*
 2051                  * asreq frame format
 2052                  *      [2] capability information
 2053                  *      [2] listen interval
 2054                  *      [6*] current AP address (reassoc only)
 2055                  *      [tlv] ssid
 2056                  *      [tlv] supported rates
 2057                  *      [tlv] extended supported rates
 2058                  *      [tlv] WPA or RSN
 2059                  *      [tlv] HT capabilities
 2060                  *      [tlv] Atheros capabilities
 2061                  */
 2062                 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
 2063                 capinfo = le16toh(*(uint16_t *)frm);    frm += 2;
 2064                 lintval = le16toh(*(uint16_t *)frm);    frm += 2;
 2065                 if (reassoc)
 2066                         frm += 6;       /* ignore current AP info */
 2067                 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
 2068                 vhtcap = vhtinfo = NULL;
 2069                 sfrm = frm;
 2070                 while (efrm - frm > 1) {
 2071                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
 2072                         switch (*frm) {
 2073                         case IEEE80211_ELEMID_SSID:
 2074                                 ssid = frm;
 2075                                 break;
 2076                         case IEEE80211_ELEMID_RATES:
 2077                                 rates = frm;
 2078                                 break;
 2079                         case IEEE80211_ELEMID_XRATES:
 2080                                 xrates = frm;
 2081                                 break;
 2082                         case IEEE80211_ELEMID_RSN:
 2083                                 rsn = frm;
 2084                                 break;
 2085                         case IEEE80211_ELEMID_HTCAP:
 2086                                 htcap = frm;
 2087                                 break;
 2088                         case IEEE80211_ELEMID_VHT_CAP:
 2089                                 vhtcap = frm;
 2090                                 break;
 2091                         case IEEE80211_ELEMID_VHT_OPMODE:
 2092                                 vhtinfo = frm;
 2093                                 break;
 2094                         case IEEE80211_ELEMID_VENDOR:
 2095                                 if (iswpaoui(frm))
 2096                                         wpa = frm;
 2097                                 else if (iswmeinfo(frm))
 2098                                         wme = frm;
 2099 #ifdef IEEE80211_SUPPORT_SUPERG
 2100                                 else if (isatherosoui(frm))
 2101                                         ath = frm;
 2102 #endif
 2103                                 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
 2104                                         if (ishtcapoui(frm) && htcap == NULL)
 2105                                                 htcap = frm;
 2106                                 }
 2107                                 break;
 2108                         }
 2109                         frm += frm[1] + 2;
 2110                 }
 2111                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
 2112                 if (xrates != NULL)
 2113                         IEEE80211_VERIFY_ELEMENT(xrates,
 2114                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
 2115                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
 2116                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
 2117                 if (htcap != NULL) {
 2118                         IEEE80211_VERIFY_LENGTH(htcap[1],
 2119                              htcap[0] == IEEE80211_ELEMID_VENDOR ?
 2120                                  4 + sizeof(struct ieee80211_ie_htcap)-2 :
 2121                                  sizeof(struct ieee80211_ie_htcap)-2,
 2122                              return);           /* XXX just NULL out? */
 2123                 }
 2124 
 2125                 /* Validate VHT IEs */
 2126                 if (vhtcap != NULL) {
 2127                         IEEE80211_VERIFY_LENGTH(vhtcap[1],
 2128                             sizeof(struct ieee80211_ie_vhtcap) - 2,
 2129                             return);
 2130                 }
 2131                 if (vhtinfo != NULL) {
 2132                         IEEE80211_VERIFY_LENGTH(vhtinfo[1],
 2133                             sizeof(struct ieee80211_ie_vht_operation) - 2,
 2134                             return);
 2135                 }
 2136 
 2137                 if ((vap->iv_flags & IEEE80211_F_WPA) &&
 2138                     !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
 2139                         return;
 2140                 /* discard challenge after association */
 2141                 if (ni->ni_challenge != NULL) {
 2142                         IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
 2143                         ni->ni_challenge = NULL;
 2144                 }
 2145                 /* NB: 802.11 spec says to ignore station's privacy bit */
 2146                 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
 2147                         capinfomismatch(ni, wh, reassoc, resp,
 2148                             "capability", capinfo);
 2149                         return;
 2150                 }
 2151                 /*
 2152                  * Disallow re-associate w/ invalid slot time setting.
 2153                  */
 2154                 if (ni->ni_associd != 0 &&
 2155                     IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
 2156                     ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
 2157                         capinfomismatch(ni, wh, reassoc, resp,
 2158                             "slot time", capinfo);
 2159                         return;
 2160                 }
 2161                 rate = ieee80211_setup_rates(ni, rates, xrates,
 2162                                 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
 2163                                 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
 2164                 if (rate & IEEE80211_RATE_BASIC) {
 2165                         ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
 2166                         vap->iv_stats.is_rx_assoc_norate++;
 2167                         return;
 2168                 }
 2169                 /*
 2170                  * If constrained to 11g-only stations reject an
 2171                  * 11b-only station.  We cheat a bit here by looking
 2172                  * at the max negotiated xmit rate and assuming anyone
 2173                  * with a best rate <24Mb/s is an 11b station.
 2174                  */
 2175                 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
 2176                         ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
 2177                         vap->iv_stats.is_rx_assoc_norate++;
 2178                         return;
 2179                 }
 2180 
 2181                 /*
 2182                  * Do HT rate set handling and setup HT node state.
 2183                  */
 2184                 ni->ni_chan = vap->iv_bss->ni_chan;
 2185 
 2186                 /* VHT */
 2187                 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
 2188                     vhtcap != NULL &&
 2189                     vhtinfo != NULL) {
 2190                         /* XXX TODO; see below */
 2191                         printf("%s: VHT TODO!\n", __func__);
 2192                         ieee80211_vht_node_init(ni);
 2193                         ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
 2194                 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
 2195                         ieee80211_vht_node_cleanup(ni);
 2196 
 2197                 /* HT */
 2198                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
 2199                         rate = ieee80211_setup_htrates(ni, htcap,
 2200                                 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
 2201                                 IEEE80211_F_DOBRS);
 2202                         if (rate & IEEE80211_RATE_BASIC) {
 2203                                 ratesetmismatch(ni, wh, reassoc, resp,
 2204                                     "HT", rate);
 2205                                 vap->iv_stats.is_ht_assoc_norate++;
 2206                                 return;
 2207                         }
 2208                         ieee80211_ht_node_init(ni);
 2209                         ieee80211_ht_updatehtcap(ni, htcap);
 2210                 } else if (ni->ni_flags & IEEE80211_NODE_HT)
 2211                         ieee80211_ht_node_cleanup(ni);
 2212 
 2213                 /* Finally - this will use HT/VHT info to change node channel */
 2214                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
 2215                         ieee80211_ht_updatehtcap_final(ni);
 2216                 }
 2217 
 2218 #ifdef IEEE80211_SUPPORT_SUPERG
 2219                 /* Always do ff node cleanup; for A-MSDU */
 2220                 ieee80211_ff_node_cleanup(ni);
 2221 #endif
 2222                 /*
 2223                  * Allow AMPDU operation only with unencrypted traffic
 2224                  * or AES-CCM; the 11n spec only specifies these ciphers
 2225                  * so permitting any others is undefined and can lead
 2226                  * to interoperability problems.
 2227                  */
 2228                 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
 2229                     (((vap->iv_flags & IEEE80211_F_WPA) &&
 2230                       rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
 2231                      (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
 2232                         IEEE80211_NOTE(vap,
 2233                             IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
 2234                             "disallow HT use because WEP or TKIP requested, "
 2235                             "capinfo 0x%x ucastcipher %d", capinfo,
 2236                             rsnparms.rsn_ucastcipher);
 2237                         ieee80211_ht_node_cleanup(ni);
 2238 #ifdef IEEE80211_SUPPORT_SUPERG
 2239                         /* Always do ff node cleanup; for A-MSDU */
 2240                         ieee80211_ff_node_cleanup(ni);
 2241 #endif
 2242                         vap->iv_stats.is_ht_assoc_downgrade++;
 2243                 }
 2244                 /*
 2245                  * If constrained to 11n-only stations reject legacy stations.
 2246                  */
 2247                 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
 2248                     (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
 2249                         htcapmismatch(ni, wh, reassoc, resp);
 2250                         vap->iv_stats.is_ht_assoc_nohtcap++;
 2251                         return;
 2252                 }
 2253                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
 2254                 ni->ni_noise = nf;
 2255                 ni->ni_intval = lintval;
 2256                 ni->ni_capinfo = capinfo;
 2257                 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
 2258                 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
 2259                 /*
 2260                  * Store the IEs.
 2261                  * XXX maybe better to just expand
 2262                  */
 2263                 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
 2264 #define setie(_ie, _off)        ieee80211_ies_setie(ni->ni_ies, _ie, _off)
 2265                         if (wpa != NULL)
 2266                                 setie(wpa_ie, wpa - sfrm);
 2267                         if (rsn != NULL)
 2268                                 setie(rsn_ie, rsn - sfrm);
 2269                         if (htcap != NULL)
 2270                                 setie(htcap_ie, htcap - sfrm);
 2271                         if (wme != NULL) {
 2272                                 setie(wme_ie, wme - sfrm);
 2273                                 /*
 2274                                  * Mark node as capable of QoS.
 2275                                  */
 2276                                 ni->ni_flags |= IEEE80211_NODE_QOS;
 2277                                 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
 2278                                         if (ni->ni_uapsd != 0)
 2279                                                 ni->ni_flags |=
 2280                                                     IEEE80211_NODE_UAPSD;
 2281                                         else
 2282                                                 ni->ni_flags &=
 2283                                                     ~IEEE80211_NODE_UAPSD;
 2284                                 }
 2285                         } else
 2286                                 ni->ni_flags &=
 2287                                     ~(IEEE80211_NODE_QOS |
 2288                                       IEEE80211_NODE_UAPSD);
 2289 #ifdef IEEE80211_SUPPORT_SUPERG
 2290                         if (ath != NULL) {
 2291                                 setie(ath_ie, ath - sfrm);
 2292                                 /* 
 2293                                  * Parse ATH station parameters.
 2294                                  */
 2295                                 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
 2296                         } else
 2297 #endif
 2298                                 ni->ni_ath_flags = 0;
 2299 #undef setie
 2300                 } else {
 2301                         ni->ni_flags &= ~IEEE80211_NODE_QOS;
 2302                         ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
 2303                         ni->ni_ath_flags = 0;
 2304                 }
 2305                 ieee80211_node_join(ni, resp);
 2306                 ieee80211_deliver_l2uf(ni);
 2307                 break;
 2308         }
 2309 
 2310         case IEEE80211_FC0_SUBTYPE_DEAUTH:
 2311         case IEEE80211_FC0_SUBTYPE_DISASSOC: {
 2312 #ifdef IEEE80211_DEBUG
 2313                 uint16_t reason;
 2314 #endif
 2315 
 2316                 if (vap->iv_state != IEEE80211_S_RUN ||
 2317                     /* NB: can happen when in promiscuous mode */
 2318                     !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
 2319                         vap->iv_stats.is_rx_mgtdiscard++;
 2320                         break;
 2321                 }
 2322                 /*
 2323                  * deauth/disassoc frame format
 2324                  *      [2] reason
 2325                  */
 2326                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
 2327 #ifdef IEEE80211_DEBUG
 2328                 reason = le16toh(*(uint16_t *)frm);
 2329 #endif
 2330                 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
 2331                         vap->iv_stats.is_rx_deauth++;
 2332                         IEEE80211_NODE_STAT(ni, rx_deauth);
 2333                 } else {
 2334                         vap->iv_stats.is_rx_disassoc++;
 2335                         IEEE80211_NODE_STAT(ni, rx_disassoc);
 2336                 }
 2337                 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
 2338                     "recv %s (reason: %d (%s))",
 2339                     ieee80211_mgt_subtype_name(subtype),
 2340                     reason, ieee80211_reason_to_string(reason));
 2341                 if (ni != vap->iv_bss)
 2342                         ieee80211_node_leave(ni);
 2343                 break;
 2344         }
 2345 
 2346         case IEEE80211_FC0_SUBTYPE_ACTION:
 2347         case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
 2348                 if (ni == vap->iv_bss) {
 2349                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 2350                             wh, NULL, "%s", "unknown node");
 2351                         vap->iv_stats.is_rx_mgtdiscard++;
 2352                 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
 2353                     !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 2354                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 2355                             wh, NULL, "%s", "not for us");
 2356                         vap->iv_stats.is_rx_mgtdiscard++;
 2357                 } else if (vap->iv_state != IEEE80211_S_RUN) {
 2358                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 2359                             wh, NULL, "wrong state %s",
 2360                             ieee80211_state_name[vap->iv_state]);
 2361                         vap->iv_stats.is_rx_mgtdiscard++;
 2362                 } else {
 2363                         if (ieee80211_parse_action(ni, m0) == 0)
 2364                                 (void)ic->ic_recv_action(ni, wh, frm, efrm);
 2365                 }
 2366                 break;
 2367 
 2368         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
 2369         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
 2370         case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
 2371         case IEEE80211_FC0_SUBTYPE_ATIM:
 2372                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 2373                     wh, NULL, "%s", "not handled");
 2374                 vap->iv_stats.is_rx_mgtdiscard++;
 2375                 break;
 2376 
 2377         default:
 2378                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 2379                     wh, "mgt", "subtype 0x%x not handled", subtype);
 2380                 vap->iv_stats.is_rx_badsubtype++;
 2381                 break;
 2382         }
 2383 }
 2384 
 2385 static void
 2386 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
 2387 {
 2388         switch (subtype) {
 2389         case IEEE80211_FC0_SUBTYPE_PS_POLL:
 2390                 ni->ni_vap->iv_recv_pspoll(ni, m);
 2391                 break;
 2392         case IEEE80211_FC0_SUBTYPE_BAR:
 2393                 ieee80211_recv_bar(ni, m);
 2394                 break;
 2395         }
 2396 }
 2397 
 2398 /*
 2399  * Process a received ps-poll frame.
 2400  */
 2401 void
 2402 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
 2403 {
 2404         struct ieee80211vap *vap = ni->ni_vap;
 2405         struct ieee80211com *ic = vap->iv_ic;
 2406         struct ieee80211_frame_min *wh;
 2407         struct mbuf *m;
 2408         uint16_t aid;
 2409         int qlen;
 2410 
 2411         wh = mtod(m0, struct ieee80211_frame_min *);
 2412         if (ni->ni_associd == 0) {
 2413                 IEEE80211_DISCARD(vap,
 2414                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
 2415                     (struct ieee80211_frame *) wh, NULL,
 2416                     "%s", "unassociated station");
 2417                 vap->iv_stats.is_ps_unassoc++;
 2418                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
 2419                         IEEE80211_REASON_NOT_ASSOCED);
 2420                 return;
 2421         }
 2422 
 2423         aid = le16toh(*(uint16_t *)wh->i_dur);
 2424         if (aid != ni->ni_associd) {
 2425                 IEEE80211_DISCARD(vap,
 2426                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
 2427                     (struct ieee80211_frame *) wh, NULL,
 2428                     "aid mismatch: sta aid 0x%x poll aid 0x%x",
 2429                     ni->ni_associd, aid);
 2430                 vap->iv_stats.is_ps_badaid++;
 2431                 /*
 2432                  * NB: We used to deauth the station but it turns out
 2433                  * the Blackberry Curve 8230 (and perhaps other devices) 
 2434                  * sometimes send the wrong AID when WME is negotiated.
 2435                  * Being more lenient here seems ok as we already check
 2436                  * the station is associated and we only return frames
 2437                  * queued for the station (i.e. we don't use the AID).
 2438                  */
 2439                 return;
 2440         }
 2441 
 2442         /* Okay, take the first queued packet and put it out... */
 2443         m = ieee80211_node_psq_dequeue(ni, &qlen);
 2444         if (m == NULL) {
 2445                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
 2446                     "%s", "recv ps-poll, but queue empty");
 2447                 ieee80211_send_nulldata(ieee80211_ref_node(ni));
 2448                 vap->iv_stats.is_ps_qempty++;   /* XXX node stat */
 2449                 if (vap->iv_set_tim != NULL)
 2450                         vap->iv_set_tim(ni, 0); /* just in case */
 2451                 return;
 2452         }
 2453         /* 
 2454          * If there are more packets, set the more packets bit
 2455          * in the packet dispatched to the station; otherwise
 2456          * turn off the TIM bit.
 2457          */
 2458         if (qlen != 0) {
 2459                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
 2460                     "recv ps-poll, send packet, %u still queued", qlen);
 2461                 m->m_flags |= M_MORE_DATA;
 2462         } else {
 2463                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
 2464                     "%s", "recv ps-poll, send packet, queue empty");
 2465                 if (vap->iv_set_tim != NULL)
 2466                         vap->iv_set_tim(ni, 0);
 2467         }
 2468         m->m_flags |= M_PWR_SAV;                /* bypass PS handling */
 2469 
 2470         /*
 2471          * Do the right thing; if it's an encap'ed frame then
 2472          * call ieee80211_parent_xmitpkt() else
 2473          * call ieee80211_vap_xmitpkt().
 2474          */
 2475         if (m->m_flags & M_ENCAP) {
 2476                 (void) ieee80211_parent_xmitpkt(ic, m);
 2477         } else {
 2478                 (void) ieee80211_vap_xmitpkt(vap, m);
 2479         }
 2480 }

Cache object: ced4012a14ffd4f49a009086d6d61c2a


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.