Context Navigation

source: rtems-libbsd/freebsd/sys/net80211/ieee80211_hostap.c @ a241ea8

55-freebsd-126-freebsd-12

Last change on this file since a241ea8 was a241ea8, checked in by Christian Mauderer <Christian.Mauderer@…>, on 11/14/16 at 12:46:13
Import IEEE 802.11 from FreeBSD.
Property mode set to `100644`
File size: 68.8 KB

Line
1	#include <machine/rtems-bsd-kernel-space.h>
2
3	/*-
4	* Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5	* All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	*
16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26	*/
27
28	#include <sys/cdefs.h>
29	#ifdef __FreeBSD__
30	__FBSDID("$FreeBSD$");
31	#endif
32
33	/*
34	* IEEE 802.11 HOSTAP mode support.
35	*/
36	#include <rtems/bsd/local/opt_inet.h>
37	#include <rtems/bsd/local/opt_wlan.h>
38
39	#include <rtems/bsd/sys/param.h>
40	#include <sys/systm.h>
41	#include <sys/mbuf.h>
42	#include <sys/malloc.h>
43	#include <sys/kernel.h>
44
45	#include <sys/socket.h>
46	#include <sys/sockio.h>
47	#include <sys/endian.h>
48	#include <rtems/bsd/sys/errno.h>
49	#include <sys/proc.h>
50	#include <sys/sysctl.h>
51
52	#include <net/if.h>
53	#include <net/if_var.h>
54	#include <net/if_media.h>
55	#include <net/if_llc.h>
56	#include <net/ethernet.h>
57
58	#include <net/bpf.h>
59
60	#include <net80211/ieee80211_var.h>
61	#include <net80211/ieee80211_hostap.h>
62	#include <net80211/ieee80211_input.h>
63	#ifdef IEEE80211_SUPPORT_SUPERG
64	#include <net80211/ieee80211_superg.h>
65	#endif
66	#include <net80211/ieee80211_wds.h>
67
68	#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
69
70	static void hostap_vattach(struct ieee80211vap *);
71	static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
72	static int hostap_input(struct ieee80211_node ni, struct mbuf m,
73	const struct ieee80211_rx_stats *,
74	int rssi, int nf);
75	static void hostap_deliver_data(struct ieee80211vap *,
76	struct ieee80211_node , struct mbuf );
77	static void hostap_recv_mgmt(struct ieee80211_node , struct mbuf ,
78	int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
79	static void hostap_recv_ctl(struct ieee80211_node , struct mbuf , int);
80
81	void
82	ieee80211_hostap_attach(struct ieee80211com *ic)
83	{
84	ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
85	}
86
87	void
88	ieee80211_hostap_detach(struct ieee80211com *ic)
89	{
90	}
91
92	static void
93	hostap_vdetach(struct ieee80211vap *vap)
94	{
95	}
96
97	static void
98	hostap_vattach(struct ieee80211vap *vap)
99	{
100	vap->iv_newstate = hostap_newstate;
101	vap->iv_input = hostap_input;
102	vap->iv_recv_mgmt = hostap_recv_mgmt;
103	vap->iv_recv_ctl = hostap_recv_ctl;
104	vap->iv_opdetach = hostap_vdetach;
105	vap->iv_deliver_data = hostap_deliver_data;
106	vap->iv_recv_pspoll = ieee80211_recv_pspoll;
107	}
108
109	static void
110	sta_disassoc(void arg, struct ieee80211_node ni)
111	{
112
113	if (ni->ni_associd != 0) {
114	IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
115	IEEE80211_REASON_ASSOC_LEAVE);
116	ieee80211_node_leave(ni);
117	}
118	}
119
120	static void
121	sta_csa(void arg, struct ieee80211_node ni)
122	{
123	struct ieee80211vap *vap = ni->ni_vap;
124
125	if (ni->ni_associd != 0)
126	if (ni->ni_inact > vap->iv_inact_init) {
127	ni->ni_inact = vap->iv_inact_init;
128	IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
129	"%s: inact %u", __func__, ni->ni_inact);
130	}
131	}
132
133	static void
134	sta_drop(void arg, struct ieee80211_node ni)
135	{
136
137	if (ni->ni_associd != 0)
138	ieee80211_node_leave(ni);
139	}
140
141	/*
142	* Does a channel change require associated stations to re-associate
143	* so protocol state is correct. This is used when doing CSA across
144	* bands or similar (e.g. HT -> legacy).
145	*/
146	static int
147	isbandchange(struct ieee80211com *ic)
148	{
149	return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
150	(IEEE80211_CHAN_2GHZ \| IEEE80211_CHAN_5GHZ \| IEEE80211_CHAN_HALF \|
151	IEEE80211_CHAN_QUARTER \| IEEE80211_CHAN_HT)) != 0;
152	}
153
154	/*
155	* IEEE80211_M_HOSTAP vap state machine handler.
156	*/
157	static int
158	hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
159	{
160	struct ieee80211com *ic = vap->iv_ic;
161	enum ieee80211_state ostate;
162
163	IEEE80211_LOCK_ASSERT(ic);
164
165	ostate = vap->iv_state;
166	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
167	__func__, ieee80211_state_name[ostate],
168	ieee80211_state_name[nstate], arg);
169	vap->iv_state = nstate; /* state transition */
170	if (ostate != IEEE80211_S_SCAN)
171	ieee80211_cancel_scan(vap); /* background scan */
172	switch (nstate) {
173	case IEEE80211_S_INIT:
174	switch (ostate) {
175	case IEEE80211_S_SCAN:
176	ieee80211_cancel_scan(vap);
177	break;
178	case IEEE80211_S_CAC:
179	ieee80211_dfs_cac_stop(vap);
180	break;
181	case IEEE80211_S_RUN:
182	ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
183	sta_disassoc, NULL);
184	break;
185	default:
186	break;
187	}
188	if (ostate != IEEE80211_S_INIT) {
189	/* NB: optimize INIT -> INIT case */
190	ieee80211_reset_bss(vap);
191	}
192	if (vap->iv_auth->ia_detach != NULL)
193	vap->iv_auth->ia_detach(vap);
194	break;
195	case IEEE80211_S_SCAN:
196	switch (ostate) {
197	case IEEE80211_S_CSA:
198	case IEEE80211_S_RUN:
199	ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
200	sta_disassoc, NULL);
201	/*
202	* Clear overlapping BSS state; the beacon frame
203	* will be reconstructed on transition to the RUN
204	* state and the timeout routines check if the flag
205	* is set before doing anything so this is sufficient.
206	*/
207	ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
208	ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
209	/* fall thru... */
210	case IEEE80211_S_CAC:
211	/*
212	* NB: We may get here because of a manual channel
213	* change in which case we need to stop CAC
214	* XXX no need to stop if ostate RUN but it's ok
215	*/
216	ieee80211_dfs_cac_stop(vap);
217	/* fall thru... */
218	case IEEE80211_S_INIT:
219	if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
220	!IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
221	/*
222	* Already have a channel; bypass the
223	* scan and startup immediately.
224	* ieee80211_create_ibss will call back to
225	* move us to RUN state.
226	*/
227	ieee80211_create_ibss(vap, vap->iv_des_chan);
228	break;
229	}
230	/*
231	* Initiate a scan. We can come here as a result
232	* of an IEEE80211_IOC_SCAN_REQ too in which case
233	* the vap will be marked with IEEE80211_FEXT_SCANREQ
234	* and the scan request parameters will be present
235	* in iv_scanreq. Otherwise we do the default.
236	*/
237	if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
238	ieee80211_check_scan(vap,
239	vap->iv_scanreq_flags,
240	vap->iv_scanreq_duration,
241	vap->iv_scanreq_mindwell,
242	vap->iv_scanreq_maxdwell,
243	vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
244	vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
245	} else
246	ieee80211_check_scan_current(vap);
247	break;
248	case IEEE80211_S_SCAN:
249	/*
250	* A state change requires a reset; scan.
251	*/
252	ieee80211_check_scan_current(vap);
253	break;
254	default:
255	break;
256	}
257	break;
258	case IEEE80211_S_CAC:
259	/*
260	* Start CAC on a DFS channel. We come here when starting
261	* a bss on a DFS channel (see ieee80211_create_ibss).
262	*/
263	ieee80211_dfs_cac_start(vap);
264	break;
265	case IEEE80211_S_RUN:
266	if (vap->iv_flags & IEEE80211_F_WPA) {
267	/* XXX validate prerequisites */
268	}
269	switch (ostate) {
270	case IEEE80211_S_INIT:
271	/*
272	* Already have a channel; bypass the
273	* scan and startup immediately.
274	* Note that ieee80211_create_ibss will call
275	* back to do a RUN->RUN state change.
276	*/
277	ieee80211_create_ibss(vap,
278	ieee80211_ht_adjust_channel(ic,
279	ic->ic_curchan, vap->iv_flags_ht));
280	/* NB: iv_bss is changed on return */
281	break;
282	case IEEE80211_S_CAC:
283	/*
284	* NB: This is the normal state change when CAC
285	* expires and no radar was detected; no need to
286	* clear the CAC timer as it's already expired.
287	*/
288	/* fall thru... */
289	case IEEE80211_S_CSA:
290	/*
291	* Shorten inactivity timer of associated stations
292	* to weed out sta's that don't follow a CSA.
293	*/
294	ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
295	sta_csa, NULL);
296	/*
297	* Update bss node channel to reflect where
298	* we landed after CSA.
299	*/
300	ieee80211_node_set_chan(vap->iv_bss,
301	ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
302	ieee80211_htchanflags(vap->iv_bss->ni_chan)));
303	/* XXX bypass debug msgs */
304	break;
305	case IEEE80211_S_SCAN:
306	case IEEE80211_S_RUN:
307	#ifdef IEEE80211_DEBUG
308	if (ieee80211_msg_debug(vap)) {
309	struct ieee80211_node *ni = vap->iv_bss;
310	ieee80211_note(vap,
311	"synchronized with %s ssid ",
312	ether_sprintf(ni->ni_bssid));
313	ieee80211_print_essid(ni->ni_essid,
314	ni->ni_esslen);
315	/* XXX MCS/HT */
316	printf(" channel %d start %uMb\n",
317	ieee80211_chan2ieee(ic, ic->ic_curchan),
318	IEEE80211_RATE2MBS(ni->ni_txrate));
319	}
320	#endif
321	break;
322	default:
323	break;
324	}
325	/*
326	* Start/stop the authenticator. We delay until here
327	* to allow configuration to happen out of order.
328	*/
329	if (vap->iv_auth->ia_attach != NULL) {
330	/* XXX check failure */
331	vap->iv_auth->ia_attach(vap);
332	} else if (vap->iv_auth->ia_detach != NULL) {
333	vap->iv_auth->ia_detach(vap);
334	}
335	ieee80211_node_authorize(vap->iv_bss);
336	break;
337	case IEEE80211_S_CSA:
338	if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
339	/*
340	* On a ``band change'' silently drop associated
341	* stations as they must re-associate before they
342	* can pass traffic (as otherwise protocol state
343	* such as capabilities and the negotiated rate
344	* set may/will be wrong).
345	*/
346	ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
347	sta_drop, NULL);
348	}
349	break;
350	default:
351	break;
352	}
353	return 0;
354	}
355
356	static void
357	hostap_deliver_data(struct ieee80211vap *vap,
358	struct ieee80211_node ni, struct mbuf m)
359	{
360	struct ether_header eh = mtod(m, struct ether_header );
361	struct ifnet *ifp = vap->iv_ifp;
362
363	/* clear driver/net80211 flags before passing up */
364	m->m_flags &= ~(M_MCAST \| M_BCAST);
365	m_clrprotoflags(m);
366
367	KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
368	("gack, opmode %d", vap->iv_opmode));
369	/*
370	* Do accounting.
371	*/
372	if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
373	IEEE80211_NODE_STAT(ni, rx_data);
374	IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
375	if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
376	m->m_flags \|= M_MCAST; /* XXX M_BCAST? */
377	IEEE80211_NODE_STAT(ni, rx_mcast);
378	} else
379	IEEE80211_NODE_STAT(ni, rx_ucast);
380
381	/* perform as a bridge within the AP */
382	if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
383	struct mbuf *mcopy = NULL;
384
385	if (m->m_flags & M_MCAST) {
386	mcopy = m_dup(m, M_NOWAIT);
387	if (mcopy == NULL)
388	if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
389	else
390	mcopy->m_flags \|= M_MCAST;
391	} else {
392	/*
393	* Check if the destination is associated with the
394	* same vap and authorized to receive traffic.
395	* Beware of traffic destined for the vap itself;
396	* sending it will not work; just let it be delivered
397	* normally.
398	*/
399	struct ieee80211_node *sta = ieee80211_find_vap_node(
400	&vap->iv_ic->ic_sta, vap, eh->ether_dhost);
401	if (sta != NULL) {
402	if (ieee80211_node_is_authorized(sta)) {
403	/*
404	* Beware of sending to ourself; this
405	* needs to happen via the normal
406	* input path.
407	*/
408	if (sta != vap->iv_bss) {
409	mcopy = m;
410	m = NULL;
411	}
412	} else {
413	vap->iv_stats.is_rx_unauth++;
414	IEEE80211_NODE_STAT(sta, rx_unauth);
415	}
416	ieee80211_free_node(sta);
417	}
418	}
419	if (mcopy != NULL)
420	(void) ieee80211_vap_xmitpkt(vap, mcopy);
421	}
422	if (m != NULL) {
423	/*
424	* Mark frame as coming from vap's interface.
425	*/
426	m->m_pkthdr.rcvif = ifp;
427	if (m->m_flags & M_MCAST) {
428	/*
429	* Spam DWDS vap's w/ multicast traffic.
430	*/
431	/* XXX only if dwds in use? */
432	ieee80211_dwds_mcast(vap, m);
433	}
434	if (ni->ni_vlan != 0) {
435	/* attach vlan tag */
436	m->m_pkthdr.ether_vtag = ni->ni_vlan;
437	m->m_flags \|= M_VLANTAG;
438	}
439	ifp->if_input(ifp, m);
440	}
441	}
442
443	/*
444	* Decide if a received management frame should be
445	* printed when debugging is enabled. This filters some
446	* of the less interesting frames that come frequently
447	* (e.g. beacons).
448	*/
449	static __inline int
450	doprint(struct ieee80211vap *vap, int subtype)
451	{
452	switch (subtype) {
453	case IEEE80211_FC0_SUBTYPE_BEACON:
454	return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
455	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
456	return 0;
457	}
458	return 1;
459	}
460
461	/*
462	* Process a received frame. The node associated with the sender
463	* should be supplied. If nothing was found in the node table then
464	* the caller is assumed to supply a reference to iv_bss instead.
465	* The RSSI and a timestamp are also supplied. The RSSI data is used
466	* during AP scanning to select a AP to associate with; it can have
467	* any units so long as values have consistent units and higher values
468	* mean ``better signal''. The receive timestamp is currently not used
469	* by the 802.11 layer.
470	*/
471	static int
472	hostap_input(struct ieee80211_node ni, struct mbuf m,
473	const struct ieee80211_rx_stats *rxs, int rssi, int nf)
474	{
475	struct ieee80211vap *vap = ni->ni_vap;
476	struct ieee80211com *ic = ni->ni_ic;
477	struct ifnet *ifp = vap->iv_ifp;
478	struct ieee80211_frame *wh;
479	struct ieee80211_key *key;
480	struct ether_header *eh;
481	int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
482	uint8_t dir, type, subtype, qos;
483	uint8_t *bssid;
484	int is_hw_decrypted = 0;
485	int has_decrypted = 0;
486
487	/*
488	* Some devices do hardware decryption all the way through
489	* to pretending the frame wasn't encrypted in the first place.
490	* So, tag it appropriately so it isn't discarded inappropriately.
491	*/
492	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
493	is_hw_decrypted = 1;
494
495	if (m->m_flags & M_AMPDU_MPDU) {
496	/*
497	* Fastpath for A-MPDU reorder q resubmission. Frames
498	* w/ M_AMPDU_MPDU marked have already passed through
499	* here but were received out of order and been held on
500	* the reorder queue. When resubmitted they are marked
501	* with the M_AMPDU_MPDU flag and we can bypass most of
502	* the normal processing.
503	*/
504	wh = mtod(m, struct ieee80211_frame *);
505	type = IEEE80211_FC0_TYPE_DATA;
506	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
507	subtype = IEEE80211_FC0_SUBTYPE_QOS;
508	hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
509	goto resubmit_ampdu;
510	}
511
512	KASSERT(ni != NULL, ("null node"));
513	ni->ni_inact = ni->ni_inact_reload;
514
515	type = -1; /* undefined */
516
517	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
518	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
519	ni->ni_macaddr, NULL,
520	"too short (1): len %u", m->m_pkthdr.len);
521	vap->iv_stats.is_rx_tooshort++;
522	goto out;
523	}
524	/*
525	* Bit of a cheat here, we use a pointer for a 3-address
526	* frame format but don't reference fields past outside
527	* ieee80211_frame_min w/o first validating the data is
528	* present.
529	*/
530	wh = mtod(m, struct ieee80211_frame *);
531
532	if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
533	IEEE80211_FC0_VERSION_0) {
534	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
535	ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
536	wh->i_fc[0], wh->i_fc[1]);
537	vap->iv_stats.is_rx_badversion++;
538	goto err;
539	}
540
541	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
542	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
543	subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
544	if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
545	if (dir != IEEE80211_FC1_DIR_NODS)
546	bssid = wh->i_addr1;
547	else if (type == IEEE80211_FC0_TYPE_CTL)
548	bssid = wh->i_addr1;
549	else {
550	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
551	IEEE80211_DISCARD_MAC(vap,
552	IEEE80211_MSG_ANY, ni->ni_macaddr,
553	NULL, "too short (2): len %u",
554	m->m_pkthdr.len);
555	vap->iv_stats.is_rx_tooshort++;
556	goto out;
557	}
558	bssid = wh->i_addr3;
559	}
560	/*
561	* Validate the bssid.
562	*/
563	if (!(type == IEEE80211_FC0_TYPE_MGT &&
564	subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
565	!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
566	!IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
567	/* not interested in */
568	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
569	bssid, NULL, "%s", "not to bss");
570	vap->iv_stats.is_rx_wrongbss++;
571	goto out;
572	}
573
574	IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
575	ni->ni_noise = nf;
576	if (IEEE80211_HAS_SEQ(type, subtype)) {
577	uint8_t tid = ieee80211_gettid(wh);
578	if (IEEE80211_QOS_HAS_SEQ(wh) &&
579	TID_TO_WME_AC(tid) >= WME_AC_VI)
580	ic->ic_wme.wme_hipri_traffic++;
581	if (! ieee80211_check_rxseq(ni, wh, bssid))
582	goto out;
583	}
584	}
585
586	switch (type) {
587	case IEEE80211_FC0_TYPE_DATA:
588	hdrspace = ieee80211_hdrspace(ic, wh);
589	if (m->m_len < hdrspace &&
590	(m = m_pullup(m, hdrspace)) == NULL) {
591	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
592	ni->ni_macaddr, NULL,
593	"data too short: expecting %u", hdrspace);
594	vap->iv_stats.is_rx_tooshort++;
595	goto out; /* XXX */
596	}
597	if (!(dir == IEEE80211_FC1_DIR_TODS \|\|
598	(dir == IEEE80211_FC1_DIR_DSTODS &&
599	(vap->iv_flags & IEEE80211_F_DWDS)))) {
600	if (dir != IEEE80211_FC1_DIR_DSTODS) {
601	IEEE80211_DISCARD(vap,
602	IEEE80211_MSG_INPUT, wh, "data",
603	"incorrect dir 0x%x", dir);
604	} else {
605	IEEE80211_DISCARD(vap,
606	IEEE80211_MSG_INPUT \|
607	IEEE80211_MSG_WDS, wh,
608	"4-address data",
609	"%s", "DWDS not enabled");
610	}
611	vap->iv_stats.is_rx_wrongdir++;
612	goto out;
613	}
614	/* check if source STA is associated */
615	if (ni == vap->iv_bss) {
616	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
617	wh, "data", "%s", "unknown src");
618	ieee80211_send_error(ni, wh->i_addr2,
619	IEEE80211_FC0_SUBTYPE_DEAUTH,
620	IEEE80211_REASON_NOT_AUTHED);
621	vap->iv_stats.is_rx_notassoc++;
622	goto err;
623	}
624	if (ni->ni_associd == 0) {
625	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
626	wh, "data", "%s", "unassoc src");
627	IEEE80211_SEND_MGMT(ni,
628	IEEE80211_FC0_SUBTYPE_DISASSOC,
629	IEEE80211_REASON_NOT_ASSOCED);
630	vap->iv_stats.is_rx_notassoc++;
631	goto err;
632	}
633
634	/*
635	* Check for power save state change.
636	* XXX out-of-order A-MPDU frames?
637	*/
638	if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
639	(ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
640	vap->iv_node_ps(ni,
641	wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
642	/*
643	* For 4-address packets handle WDS discovery
644	* notifications. Once a WDS link is setup frames
645	* are just delivered to the WDS vap (see below).
646	*/
647	if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
648	if (!ieee80211_node_is_authorized(ni)) {
649	IEEE80211_DISCARD(vap,
650	IEEE80211_MSG_INPUT \|
651	IEEE80211_MSG_WDS, wh,
652	"4-address data",
653	"%s", "unauthorized port");
654	vap->iv_stats.is_rx_unauth++;
655	IEEE80211_NODE_STAT(ni, rx_unauth);
656	goto err;
657	}
658	ieee80211_dwds_discover(ni, m);
659	return type;
660	}
661
662	/*
663	* Handle A-MPDU re-ordering. If the frame is to be
664	* processed directly then ieee80211_ampdu_reorder
665	* will return 0; otherwise it has consumed the mbuf
666	* and we should do nothing more with it.
667	*/
668	if ((m->m_flags & M_AMPDU) &&
669	ieee80211_ampdu_reorder(ni, m) != 0) {
670	m = NULL;
671	goto out;
672	}
673	resubmit_ampdu:
674
675	/*
676	* Handle privacy requirements. Note that we
677	* must not be preempted from here until after
678	* we (potentially) call ieee80211_crypto_demic;
679	* otherwise we may violate assumptions in the
680	* crypto cipher modules used to do delayed update
681	* of replay sequence numbers.
682	*/
683	if (is_hw_decrypted \|\| wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
684	if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
685	/*
686	* Discard encrypted frames when privacy is off.
687	*/
688	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
689	wh, "WEP", "%s", "PRIVACY off");
690	vap->iv_stats.is_rx_noprivacy++;
691	IEEE80211_NODE_STAT(ni, rx_noprivacy);
692	goto out;
693	}
694	if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
695	/* NB: stats+msgs handled in crypto_decap */
696	IEEE80211_NODE_STAT(ni, rx_wepfail);
697	goto out;
698	}
699	wh = mtod(m, struct ieee80211_frame *);
700	wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
701	has_decrypted = 1;
702	} else {
703	/* XXX M_WEP and IEEE80211_F_PRIVACY */
704	key = NULL;
705	}
706
707	/*
708	* Save QoS bits for use below--before we strip the header.
709	*/
710	if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
711	qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
712	((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
713	((struct ieee80211_qosframe *)wh)->i_qos[0];
714	} else
715	qos = 0;
716
717	/*
718	* Next up, any fragmentation.
719	*/
720	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
721	m = ieee80211_defrag(ni, m, hdrspace);
722	if (m == NULL) {
723	/* Fragment dropped or frame not complete yet */
724	goto out;
725	}
726	}
727	wh = NULL; /* no longer valid, catch any uses */
728
729	/*
730	* Next strip any MSDU crypto bits.
731	*/
732	if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
733	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
734	ni->ni_macaddr, "data", "%s", "demic error");
735	vap->iv_stats.is_rx_demicfail++;
736	IEEE80211_NODE_STAT(ni, rx_demicfail);
737	goto out;
738	}
739	/* copy to listener after decrypt */
740	if (ieee80211_radiotap_active_vap(vap))
741	ieee80211_radiotap_rx(vap, m);
742	need_tap = 0;
743	/*
744	* Finally, strip the 802.11 header.
745	*/
746	m = ieee80211_decap(vap, m, hdrspace);
747	if (m == NULL) {
748	/* XXX mask bit to check for both */
749	/* don't count Null data frames as errors */
750	if (subtype == IEEE80211_FC0_SUBTYPE_NODATA \|\|
751	subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
752	goto out;
753	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
754	ni->ni_macaddr, "data", "%s", "decap error");
755	vap->iv_stats.is_rx_decap++;
756	IEEE80211_NODE_STAT(ni, rx_decap);
757	goto err;
758	}
759	eh = mtod(m, struct ether_header *);
760	if (!ieee80211_node_is_authorized(ni)) {
761	/*
762	* Deny any non-PAE frames received prior to
763	* authorization. For open/shared-key
764	* authentication the port is mark authorized
765	* after authentication completes. For 802.1x
766	* the port is not marked authorized by the
767	* authenticator until the handshake has completed.
768	*/
769	if (eh->ether_type != htons(ETHERTYPE_PAE)) {
770	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
771	eh->ether_shost, "data",
772	"unauthorized port: ether type 0x%x len %u",
773	eh->ether_type, m->m_pkthdr.len);
774	vap->iv_stats.is_rx_unauth++;
775	IEEE80211_NODE_STAT(ni, rx_unauth);
776	goto err;
777	}
778	} else {
779	/*
780	* When denying unencrypted frames, discard
781	* any non-PAE frames received without encryption.
782	*/
783	if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
784	((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
785	(is_hw_decrypted == 0) &&
786	eh->ether_type != htons(ETHERTYPE_PAE)) {
787	/*
788	* Drop unencrypted frames.
789	*/
790	vap->iv_stats.is_rx_unencrypted++;
791	IEEE80211_NODE_STAT(ni, rx_unencrypted);
792	goto out;
793	}
794	}
795	/* XXX require HT? */
796	if (qos & IEEE80211_QOS_AMSDU) {
797	m = ieee80211_decap_amsdu(ni, m);
798	if (m == NULL)
799	return IEEE80211_FC0_TYPE_DATA;
800	} else {
801	#ifdef IEEE80211_SUPPORT_SUPERG
802	m = ieee80211_decap_fastframe(vap, ni, m);
803	if (m == NULL)
804	return IEEE80211_FC0_TYPE_DATA;
805	#endif
806	}
807	if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
808	ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
809	else
810	hostap_deliver_data(vap, ni, m);
811	return IEEE80211_FC0_TYPE_DATA;
812
813	case IEEE80211_FC0_TYPE_MGT:
814	vap->iv_stats.is_rx_mgmt++;
815	IEEE80211_NODE_STAT(ni, rx_mgmt);
816	if (dir != IEEE80211_FC1_DIR_NODS) {
817	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
818	wh, "mgt", "incorrect dir 0x%x", dir);
819	vap->iv_stats.is_rx_wrongdir++;
820	goto err;
821	}
822	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
823	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
824	ni->ni_macaddr, "mgt", "too short: len %u",
825	m->m_pkthdr.len);
826	vap->iv_stats.is_rx_tooshort++;
827	goto out;
828	}
829	if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
830	/* ensure return frames are unicast */
831	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
832	wh, NULL, "source is multicast: %s",
833	ether_sprintf(wh->i_addr2));
834	vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
835	goto out;
836	}
837	#ifdef IEEE80211_DEBUG
838	if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) \|\|
839	ieee80211_msg_dumppkts(vap)) {
840	if_printf(ifp, "received %s from %s rssi %d\n",
841	ieee80211_mgt_subtype_name(subtype),
842	ether_sprintf(wh->i_addr2), rssi);
843	}
844	#endif
845	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
846	if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
847	/*
848	* Only shared key auth frames with a challenge
849	* should be encrypted, discard all others.
850	*/
851	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
852	wh, NULL,
853	"%s", "WEP set but not permitted");
854	vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
855	goto out;
856	}
857	if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
858	/*
859	* Discard encrypted frames when privacy is off.
860	*/
861	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
862	wh, NULL, "%s", "WEP set but PRIVACY off");
863	vap->iv_stats.is_rx_noprivacy++;
864	goto out;
865	}
866	hdrspace = ieee80211_hdrspace(ic, wh);
867	if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
868	/* NB: stats+msgs handled in crypto_decap */
869	goto out;
870	}
871	wh = mtod(m, struct ieee80211_frame *);
872	wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
873	has_decrypted = 1;
874	}
875	/*
876	* Pass the packet to radiotap before calling iv_recv_mgmt().
877	* Otherwise iv_recv_mgmt() might pass another packet to
878	* radiotap, resulting in out of order packet captures.
879	*/
880	if (ieee80211_radiotap_active_vap(vap))
881	ieee80211_radiotap_rx(vap, m);
882	need_tap = 0;
883	vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
884	goto out;
885
886	case IEEE80211_FC0_TYPE_CTL:
887	vap->iv_stats.is_rx_ctl++;
888	IEEE80211_NODE_STAT(ni, rx_ctrl);
889	vap->iv_recv_ctl(ni, m, subtype);
890	goto out;
891	default:
892	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
893	wh, "bad", "frame type 0x%x", type);
894	/* should not come here */
895	break;
896	}
897	err:
898	if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
899	out:
900	if (m != NULL) {
901	if (need_tap && ieee80211_radiotap_active_vap(vap))
902	ieee80211_radiotap_rx(vap, m);
903	m_freem(m);
904	}
905	return type;
906	}
907
908	static void
909	hostap_auth_open(struct ieee80211_node ni, struct ieee80211_frame wh,
910	int rssi, int nf, uint16_t seq, uint16_t status)
911	{
912	struct ieee80211vap *vap = ni->ni_vap;
913
914	KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
915
916	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
917	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
918	ni->ni_macaddr, "open auth",
919	"bad sta auth mode %u", ni->ni_authmode);
920	vap->iv_stats.is_rx_bad_auth++; /* XXX */
921	/*
922	* Clear any challenge text that may be there if
923	* a previous shared key auth failed and then an
924	* open auth is attempted.
925	*/
926	if (ni->ni_challenge != NULL) {
927	IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
928	ni->ni_challenge = NULL;
929	}
930	/* XXX hack to workaround calling convention */
931	ieee80211_send_error(ni, wh->i_addr2,
932	IEEE80211_FC0_SUBTYPE_AUTH,
933	(seq + 1) \| (IEEE80211_STATUS_ALG<<16));
934	return;
935	}
936	if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
937	vap->iv_stats.is_rx_bad_auth++;
938	return;
939	}
940	/* always accept open authentication requests */
941	if (ni == vap->iv_bss) {
942	ni = ieee80211_dup_bss(vap, wh->i_addr2);
943	if (ni == NULL)
944	return;
945	} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
946	(void) ieee80211_ref_node(ni);
947	/*
948	* Mark the node as referenced to reflect that it's
949	* reference count has been bumped to insure it remains
950	* after the transaction completes.
951	*/
952	ni->ni_flags \|= IEEE80211_NODE_AREF;
953	/*
954	* Mark the node as requiring a valid association id
955	* before outbound traffic is permitted.
956	*/
957	ni->ni_flags \|= IEEE80211_NODE_ASSOCID;
958
959	if (vap->iv_acl != NULL &&
960	vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
961	/*
962	* When the ACL policy is set to RADIUS we defer the
963	* authorization to a user agent. Dispatch an event,
964	* a subsequent MLME call will decide the fate of the
965	* station. If the user agent is not present then the
966	* node will be reclaimed due to inactivity.
967	*/
968	IEEE80211_NOTE_MAC(vap,
969	IEEE80211_MSG_AUTH \| IEEE80211_MSG_ACL, ni->ni_macaddr,
970	"%s", "station authentication defered (radius acl)");
971	ieee80211_notify_node_auth(ni);
972	} else {
973	IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
974	IEEE80211_NOTE_MAC(vap,
975	IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, ni->ni_macaddr,
976	"%s", "station authenticated (open)");
977	/*
978	* When 802.1x is not in use mark the port
979	* authorized at this point so traffic can flow.
980	*/
981	if (ni->ni_authmode != IEEE80211_AUTH_8021X)
982	ieee80211_node_authorize(ni);
983	}
984	}
985
986	static void
987	hostap_auth_shared(struct ieee80211_node ni, struct ieee80211_frame wh,
988	uint8_t frm, uint8_t efrm, int rssi, int nf,
989	uint16_t seq, uint16_t status)
990	{
991	struct ieee80211vap *vap = ni->ni_vap;
992	uint8_t *challenge;
993	int allocbs, estatus;
994
995	KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
996
997	/*
998	* NB: this can happen as we allow pre-shared key
999	* authentication to be enabled w/o wep being turned
1000	* on so that configuration of these can be done
1001	* in any order. It may be better to enforce the
1002	* ordering in which case this check would just be
1003	* for sanity/consistency.
1004	*/
1005	if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1006	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1007	ni->ni_macaddr, "shared key auth",
1008	"%s", " PRIVACY is disabled");
1009	estatus = IEEE80211_STATUS_ALG;
1010	goto bad;
1011	}
1012	/*
1013	* Pre-shared key authentication is evil; accept
1014	* it only if explicitly configured (it is supported
1015	* mainly for compatibility with clients like Mac OS X).
1016	*/
1017	if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1018	ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1019	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1020	ni->ni_macaddr, "shared key auth",
1021	"bad sta auth mode %u", ni->ni_authmode);
1022	vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1023	estatus = IEEE80211_STATUS_ALG;
1024	goto bad;
1025	}
1026
1027	challenge = NULL;
1028	if (frm + 1 < efrm) {
1029	if ((frm[1] + 2) > (efrm - frm)) {
1030	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1031	ni->ni_macaddr, "shared key auth",
1032	"ie %d/%d too long",
1033	frm[0], (frm[1] + 2) - (efrm - frm));
1034	vap->iv_stats.is_rx_bad_auth++;
1035	estatus = IEEE80211_STATUS_CHALLENGE;
1036	goto bad;
1037	}
1038	if (*frm == IEEE80211_ELEMID_CHALLENGE)
1039	challenge = frm;
1040	frm += frm[1] + 2;
1041	}
1042	switch (seq) {
1043	case IEEE80211_AUTH_SHARED_CHALLENGE:
1044	case IEEE80211_AUTH_SHARED_RESPONSE:
1045	if (challenge == NULL) {
1046	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1047	ni->ni_macaddr, "shared key auth",
1048	"%s", "no challenge");
1049	vap->iv_stats.is_rx_bad_auth++;
1050	estatus = IEEE80211_STATUS_CHALLENGE;
1051	goto bad;
1052	}
1053	if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1054	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1055	ni->ni_macaddr, "shared key auth",
1056	"bad challenge len %d", challenge[1]);
1057	vap->iv_stats.is_rx_bad_auth++;
1058	estatus = IEEE80211_STATUS_CHALLENGE;
1059	goto bad;
1060	}
1061	default:
1062	break;
1063	}
1064	switch (seq) {
1065	case IEEE80211_AUTH_SHARED_REQUEST:
1066	if (ni == vap->iv_bss) {
1067	ni = ieee80211_dup_bss(vap, wh->i_addr2);
1068	if (ni == NULL) {
1069	/* NB: no way to return an error */
1070	return;
1071	}
1072	allocbs = 1;
1073	} else {
1074	if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1075	(void) ieee80211_ref_node(ni);
1076	allocbs = 0;
1077	}
1078	/*
1079	* Mark the node as referenced to reflect that it's
1080	* reference count has been bumped to insure it remains
1081	* after the transaction completes.
1082	*/
1083	ni->ni_flags \|= IEEE80211_NODE_AREF;
1084	/*
1085	* Mark the node as requiring a valid association id
1086	* before outbound traffic is permitted.
1087	*/
1088	ni->ni_flags \|= IEEE80211_NODE_ASSOCID;
1089	IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1090	ni->ni_noise = nf;
1091	if (!ieee80211_alloc_challenge(ni)) {
1092	/* NB: don't return error so they rexmit */
1093	return;
1094	}
1095	get_random_bytes(ni->ni_challenge,
1096	IEEE80211_CHALLENGE_LEN);
1097	IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1098	ni, "shared key %sauth request", allocbs ? "" : "re");
1099	/*
1100	* When the ACL policy is set to RADIUS we defer the
1101	* authorization to a user agent. Dispatch an event,
1102	* a subsequent MLME call will decide the fate of the
1103	* station. If the user agent is not present then the
1104	* node will be reclaimed due to inactivity.
1105	*/
1106	if (vap->iv_acl != NULL &&
1107	vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1108	IEEE80211_NOTE_MAC(vap,
1109	IEEE80211_MSG_AUTH \| IEEE80211_MSG_ACL,
1110	ni->ni_macaddr,
1111	"%s", "station authentication defered (radius acl)");
1112	ieee80211_notify_node_auth(ni);
1113	return;
1114	}
1115	break;
1116	case IEEE80211_AUTH_SHARED_RESPONSE:
1117	if (ni == vap->iv_bss) {
1118	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1119	ni->ni_macaddr, "shared key response",
1120	"%s", "unknown station");
1121	/* NB: don't send a response */
1122	return;
1123	}
1124	if (ni->ni_challenge == NULL) {
1125	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1126	ni->ni_macaddr, "shared key response",
1127	"%s", "no challenge recorded");
1128	vap->iv_stats.is_rx_bad_auth++;
1129	estatus = IEEE80211_STATUS_CHALLENGE;
1130	goto bad;
1131	}
1132	if (memcmp(ni->ni_challenge, &challenge[2],
1133	challenge[1]) != 0) {
1134	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1135	ni->ni_macaddr, "shared key response",
1136	"%s", "challenge mismatch");
1137	vap->iv_stats.is_rx_auth_fail++;
1138	estatus = IEEE80211_STATUS_CHALLENGE;
1139	goto bad;
1140	}
1141	IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1142	ni, "%s", "station authenticated (shared key)");
1143	ieee80211_node_authorize(ni);
1144	break;
1145	default:
1146	IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1147	ni->ni_macaddr, "shared key auth",
1148	"bad seq %d", seq);
1149	vap->iv_stats.is_rx_bad_auth++;
1150	estatus = IEEE80211_STATUS_SEQUENCE;
1151	goto bad;
1152	}
1153	IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1154	return;
1155	bad:
1156	/*
1157	* Send an error response; but only when operating as an AP.
1158	*/
1159	/* XXX hack to workaround calling convention */
1160	ieee80211_send_error(ni, wh->i_addr2,
1161	IEEE80211_FC0_SUBTYPE_AUTH,
1162	(seq + 1) \| (estatus<<16));
1163	}
1164
1165	/*
1166	* Convert a WPA cipher selector OUI to an internal
1167	* cipher algorithm. Where appropriate we also
1168	* record any key length.
1169	*/
1170	static int
1171	wpa_cipher(const uint8_t sel, uint8_t keylen, uint8_t *cipher)
1172	{
1173	#define WPA_SEL(x) (((x)<<24)\|WPA_OUI)
1174	uint32_t w = le32dec(sel);
1175
1176	switch (w) {
1177	case WPA_SEL(WPA_CSE_NULL):
1178	*cipher = IEEE80211_CIPHER_NONE;
1179	break;
1180	case WPA_SEL(WPA_CSE_WEP40):
1181	if (keylen)
1182	*keylen = 40 / NBBY;
1183	*cipher = IEEE80211_CIPHER_WEP;
1184	break;
1185	case WPA_SEL(WPA_CSE_WEP104):
1186	if (keylen)
1187	*keylen = 104 / NBBY;
1188	*cipher = IEEE80211_CIPHER_WEP;
1189	break;
1190	case WPA_SEL(WPA_CSE_TKIP):
1191	*cipher = IEEE80211_CIPHER_TKIP;
1192	break;
1193	case WPA_SEL(WPA_CSE_CCMP):
1194	*cipher = IEEE80211_CIPHER_AES_CCM;
1195	break;
1196	default:
1197	return (EINVAL);
1198	}
1199
1200	return (0);
1201	#undef WPA_SEL
1202	}
1203
1204	/*
1205	* Convert a WPA key management/authentication algorithm
1206	* to an internal code.
1207	*/
1208	static int
1209	wpa_keymgmt(const uint8_t *sel)
1210	{
1211	#define WPA_SEL(x) (((x)<<24)\|WPA_OUI)
1212	uint32_t w = le32dec(sel);
1213
1214	switch (w) {
1215	case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1216	return WPA_ASE_8021X_UNSPEC;
1217	case WPA_SEL(WPA_ASE_8021X_PSK):
1218	return WPA_ASE_8021X_PSK;
1219	case WPA_SEL(WPA_ASE_NONE):
1220	return WPA_ASE_NONE;
1221	}
1222	return 0; /* NB: so is discarded */
1223	#undef WPA_SEL
1224	}
1225
1226	/*
1227	* Parse a WPA information element to collect parameters.
1228	* Note that we do not validate security parameters; that
1229	* is handled by the authenticator; the parsing done here
1230	* is just for internal use in making operational decisions.
1231	*/
1232	static int
1233	ieee80211_parse_wpa(struct ieee80211vap vap, const uint8_t frm,
1234	struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh)
1235	{
1236	uint8_t len = frm[1];
1237	uint32_t w;
1238	int error, n;
1239
1240	/*
1241	* Check the length once for fixed parts: OUI, type,
1242	* version, mcast cipher, and 2 selector counts.
1243	* Other, variable-length data, must be checked separately.
1244	*/
1245	if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1246	IEEE80211_DISCARD_IE(vap,
1247	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1248	wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1249	return IEEE80211_REASON_IE_INVALID;
1250	}
1251	if (len < 14) {
1252	IEEE80211_DISCARD_IE(vap,
1253	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1254	wh, "WPA", "too short, len %u", len);
1255	return IEEE80211_REASON_IE_INVALID;
1256	}
1257	frm += 6, len -= 4; /* NB: len is payload only */
1258	/* NB: iswpaoui already validated the OUI and type */
1259	w = le16dec(frm);
1260	if (w != WPA_VERSION) {
1261	IEEE80211_DISCARD_IE(vap,
1262	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1263	wh, "WPA", "bad version %u", w);
1264	return IEEE80211_REASON_IE_INVALID;
1265	}
1266	frm += 2, len -= 2;
1267
1268	memset(rsn, 0, sizeof(*rsn));
1269
1270	/* multicast/group cipher */
1271	error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1272	if (error != 0) {
1273	IEEE80211_DISCARD_IE(vap,
1274	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1275	wh, "WPA", "unknown mcast cipher suite %08X",
1276	le32dec(frm));
1277	return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1278	}
1279	frm += 4, len -= 4;
1280
1281	/* unicast ciphers */
1282	n = le16dec(frm);
1283	frm += 2, len -= 2;
1284	if (len < n*4+2) {
1285	IEEE80211_DISCARD_IE(vap,
1286	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1287	wh, "WPA", "ucast cipher data too short; len %u, n %u",
1288	len, n);
1289	return IEEE80211_REASON_IE_INVALID;
1290	}
1291	w = 0;
1292	for (; n > 0; n--) {
1293	uint8_t cipher;
1294
1295	error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1296	if (error == 0)
1297	w \|= 1 << cipher;
1298
1299	frm += 4, len -= 4;
1300	}
1301	if (w == 0) {
1302	IEEE80211_DISCARD_IE(vap,
1303	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1304	wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1305	w);
1306	return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1307	}
1308	/* XXX other? */
1309	if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1310	rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1311	else
1312	rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1313
1314	/* key management algorithms */
1315	n = le16dec(frm);
1316	frm += 2, len -= 2;
1317	if (len < n*4) {
1318	IEEE80211_DISCARD_IE(vap,
1319	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1320	wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1321	len, n);
1322	return IEEE80211_REASON_IE_INVALID;
1323	}
1324	w = 0;
1325	for (; n > 0; n--) {
1326	w \|= wpa_keymgmt(frm);
1327	frm += 4, len -= 4;
1328	}
1329	if (w & WPA_ASE_8021X_UNSPEC)
1330	rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1331	else
1332	rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1333
1334	if (len > 2) /* optional capabilities */
1335	rsn->rsn_caps = le16dec(frm);
1336
1337	return 0;
1338	}
1339
1340	/*
1341	* Convert an RSN cipher selector OUI to an internal
1342	* cipher algorithm. Where appropriate we also
1343	* record any key length.
1344	*/
1345	static int
1346	rsn_cipher(const uint8_t sel, uint8_t keylen, uint8_t *cipher)
1347	{
1348	#define RSN_SEL(x) (((x)<<24)\|RSN_OUI)
1349	uint32_t w = le32dec(sel);
1350
1351	switch (w) {
1352	case RSN_SEL(RSN_CSE_NULL):
1353	*cipher = IEEE80211_CIPHER_NONE;
1354	break;
1355	case RSN_SEL(RSN_CSE_WEP40):
1356	if (keylen)
1357	*keylen = 40 / NBBY;
1358	*cipher = IEEE80211_CIPHER_WEP;
1359	break;
1360	case RSN_SEL(RSN_CSE_WEP104):
1361	if (keylen)
1362	*keylen = 104 / NBBY;
1363	*cipher = IEEE80211_CIPHER_WEP;
1364	break;
1365	case RSN_SEL(RSN_CSE_TKIP):
1366	*cipher = IEEE80211_CIPHER_TKIP;
1367	break;
1368	case RSN_SEL(RSN_CSE_CCMP):
1369	*cipher = IEEE80211_CIPHER_AES_CCM;
1370	break;
1371	case RSN_SEL(RSN_CSE_WRAP):
1372	*cipher = IEEE80211_CIPHER_AES_OCB;
1373	break;
1374	default:
1375	return (EINVAL);
1376	}
1377
1378	return (0);
1379	#undef WPA_SEL
1380	}
1381
1382	/*
1383	* Convert an RSN key management/authentication algorithm
1384	* to an internal code.
1385	*/
1386	static int
1387	rsn_keymgmt(const uint8_t *sel)
1388	{
1389	#define RSN_SEL(x) (((x)<<24)\|RSN_OUI)
1390	uint32_t w = le32dec(sel);
1391
1392	switch (w) {
1393	case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1394	return RSN_ASE_8021X_UNSPEC;
1395	case RSN_SEL(RSN_ASE_8021X_PSK):
1396	return RSN_ASE_8021X_PSK;
1397	case RSN_SEL(RSN_ASE_NONE):
1398	return RSN_ASE_NONE;
1399	}
1400	return 0; /* NB: so is discarded */
1401	#undef RSN_SEL
1402	}
1403
1404	/*
1405	* Parse a WPA/RSN information element to collect parameters
1406	* and validate the parameters against what has been
1407	* configured for the system.
1408	*/
1409	static int
1410	ieee80211_parse_rsn(struct ieee80211vap vap, const uint8_t frm,
1411	struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh)
1412	{
1413	uint8_t len = frm[1];
1414	uint32_t w;
1415	int error, n;
1416
1417	/*
1418	* Check the length once for fixed parts:
1419	* version, mcast cipher, and 2 selector counts.
1420	* Other, variable-length data, must be checked separately.
1421	*/
1422	if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1423	IEEE80211_DISCARD_IE(vap,
1424	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1425	wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1426	return IEEE80211_REASON_IE_INVALID;
1427	}
1428	/* XXX may be shorter */
1429	if (len < 10) {
1430	IEEE80211_DISCARD_IE(vap,
1431	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1432	wh, "RSN", "too short, len %u", len);
1433	return IEEE80211_REASON_IE_INVALID;
1434	}
1435	frm += 2;
1436	w = le16dec(frm);
1437	if (w != RSN_VERSION) {
1438	IEEE80211_DISCARD_IE(vap,
1439	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1440	wh, "RSN", "bad version %u", w);
1441	return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1442	}
1443	frm += 2, len -= 2;
1444
1445	memset(rsn, 0, sizeof(*rsn));
1446
1447	/* multicast/group cipher */
1448	error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1449	if (error != 0) {
1450	IEEE80211_DISCARD_IE(vap,
1451	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1452	wh, "RSN", "unknown mcast cipher suite %08X",
1453	le32dec(frm));
1454	return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1455	}
1456	if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1457	IEEE80211_DISCARD_IE(vap,
1458	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1459	wh, "RSN", "invalid mcast cipher suite %d",
1460	rsn->rsn_mcastcipher);
1461	return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1462	}
1463	frm += 4, len -= 4;
1464
1465	/* unicast ciphers */
1466	n = le16dec(frm);
1467	frm += 2, len -= 2;
1468	if (len < n*4+2) {
1469	IEEE80211_DISCARD_IE(vap,
1470	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1471	wh, "RSN", "ucast cipher data too short; len %u, n %u",
1472	len, n);
1473	return IEEE80211_REASON_IE_INVALID;
1474	}
1475	w = 0;
1476
1477	for (; n > 0; n--) {
1478	uint8_t cipher;
1479
1480	error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1481	if (error == 0)
1482	w \|= 1 << cipher;
1483
1484	frm += 4, len -= 4;
1485	}
1486	if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1487	rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1488	else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1489	rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1490	else if (w & (1 << IEEE80211_CIPHER_TKIP))
1491	rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1492	else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1493	(rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP \|\|
1494	rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1495	rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1496	else {
1497	IEEE80211_DISCARD_IE(vap,
1498	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1499	wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1500	w);
1501	return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1502	}
1503
1504	/* key management algorithms */
1505	n = le16dec(frm);
1506	frm += 2, len -= 2;
1507	if (len < n*4) {
1508	IEEE80211_DISCARD_IE(vap,
1509	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1510	wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1511	len, n);
1512	return IEEE80211_REASON_IE_INVALID;
1513	}
1514	w = 0;
1515	for (; n > 0; n--) {
1516	w \|= rsn_keymgmt(frm);
1517	frm += 4, len -= 4;
1518	}
1519	if (w & RSN_ASE_8021X_UNSPEC)
1520	rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1521	else
1522	rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1523
1524	/* optional RSN capabilities */
1525	if (len > 2)
1526	rsn->rsn_caps = le16dec(frm);
1527	/* XXXPMKID */
1528
1529	return 0;
1530	}
1531
1532	/*
1533	* WPA/802.11i association request processing.
1534	*/
1535	static int
1536	wpa_assocreq(struct ieee80211_node ni, struct ieee80211_rsnparms rsnparms,
1537	const struct ieee80211_frame wh, const uint8_t wpa,
1538	const uint8_t *rsn, uint16_t capinfo)
1539	{
1540	struct ieee80211vap *vap = ni->ni_vap;
1541	uint8_t reason;
1542	int badwparsn;
1543
1544	ni->ni_flags &= ~(IEEE80211_NODE_WPS\|IEEE80211_NODE_TSN);
1545	if (wpa == NULL && rsn == NULL) {
1546	if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1547	/*
1548	* W-Fi Protected Setup (WPS) permits
1549	* clients to associate and pass EAPOL frames
1550	* to establish initial credentials.
1551	*/
1552	ni->ni_flags \|= IEEE80211_NODE_WPS;
1553	return 1;
1554	}
1555	if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1556	(capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1557	/*
1558	* Transitional Security Network. Permits clients
1559	* to associate and use WEP while WPA is configured.
1560	*/
1561	ni->ni_flags \|= IEEE80211_NODE_TSN;
1562	return 1;
1563	}
1564	IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA,
1565	wh, NULL, "%s", "no WPA/RSN IE in association request");
1566	vap->iv_stats.is_rx_assoc_badwpaie++;
1567	reason = IEEE80211_REASON_IE_INVALID;
1568	goto bad;
1569	}
1570	/* assert right association security credentials */
1571	badwparsn = 0; /* NB: to silence compiler */
1572	switch (vap->iv_flags & IEEE80211_F_WPA) {
1573	case IEEE80211_F_WPA1:
1574	badwparsn = (wpa == NULL);
1575	break;
1576	case IEEE80211_F_WPA2:
1577	badwparsn = (rsn == NULL);
1578	break;
1579	case IEEE80211_F_WPA1\|IEEE80211_F_WPA2:
1580	badwparsn = (wpa == NULL && rsn == NULL);
1581	break;
1582	}
1583	if (badwparsn) {
1584	IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA,
1585	wh, NULL,
1586	"%s", "missing WPA/RSN IE in association request");
1587	vap->iv_stats.is_rx_assoc_badwpaie++;
1588	reason = IEEE80211_REASON_IE_INVALID;
1589	goto bad;
1590	}
1591	/*
1592	* Parse WPA/RSN information element.
1593	*/
1594	if (wpa != NULL)
1595	reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1596	else
1597	reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1598	if (reason != 0) {
1599	/* XXX wpa->rsn fallback? */
1600	/* XXX distinguish WPA/RSN? */
1601	vap->iv_stats.is_rx_assoc_badwpaie++;
1602	goto bad;
1603	}
1604	IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, ni,
1605	"%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1606	wpa != NULL ? "WPA" : "RSN",
1607	rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1608	rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1609	rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1610
1611	return 1;
1612	bad:
1613	ieee80211_node_deauth(ni, reason);
1614	return 0;
1615	}
1616
1617	/* XXX find a better place for definition */
1618	struct l2_update_frame {
1619	struct ether_header eh;
1620	uint8_t dsap;
1621	uint8_t ssap;
1622	uint8_t control;
1623	uint8_t xid[3];
1624	} __packed;
1625
1626	/*
1627	* Deliver a TGf L2UF frame on behalf of a station.
1628	* This primes any bridge when the station is roaming
1629	* between ap's on the same wired network.
1630	*/
1631	static void
1632	ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1633	{
1634	struct ieee80211vap *vap = ni->ni_vap;
1635	struct ifnet *ifp = vap->iv_ifp;
1636	struct mbuf *m;
1637	struct l2_update_frame *l2uf;
1638	struct ether_header *eh;
1639
1640	m = m_gethdr(M_NOWAIT, MT_DATA);
1641	if (m == NULL) {
1642	IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1643	"%s", "no mbuf for l2uf frame");
1644	vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1645	return;
1646	}
1647	l2uf = mtod(m, struct l2_update_frame *);
1648	eh = &l2uf->eh;
1649	/* dst: Broadcast address */
1650	IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1651	/* src: associated STA */
1652	IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1653	eh->ether_type = htons(sizeof(l2uf) - sizeof(eh));
1654
1655	l2uf->dsap = 0;
1656	l2uf->ssap = 0;
1657	l2uf->control = 0xf5;
1658	l2uf->xid[0] = 0x81;
1659	l2uf->xid[1] = 0x80;
1660	l2uf->xid[2] = 0x00;
1661
1662	m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1663	hostap_deliver_data(vap, ni, m);
1664	}
1665
1666	static void
1667	ratesetmismatch(struct ieee80211_node ni, const struct ieee80211_frame wh,
1668	int reassoc, int resp, const char *tag, int rate)
1669	{
1670	IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1671	"deny %s request, %s rate set mismatch, rate/MCS %d",
1672	reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1673	IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1674	ieee80211_node_leave(ni);
1675	}
1676
1677	static void
1678	capinfomismatch(struct ieee80211_node ni, const struct ieee80211_frame wh,
1679	int reassoc, int resp, const char *tag, int capinfo)
1680	{
1681	struct ieee80211vap *vap = ni->ni_vap;
1682
1683	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1684	"deny %s request, %s mismatch 0x%x",
1685	reassoc ? "reassoc" : "assoc", tag, capinfo);
1686	IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1687	ieee80211_node_leave(ni);
1688	vap->iv_stats.is_rx_assoc_capmismatch++;
1689	}
1690
1691	static void
1692	htcapmismatch(struct ieee80211_node ni, const struct ieee80211_frame wh,
1693	int reassoc, int resp)
1694	{
1695	IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1696	"deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1697	/* XXX no better code */
1698	IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1699	ieee80211_node_leave(ni);
1700	}
1701
1702	static void
1703	authalgreject(struct ieee80211_node ni, const struct ieee80211_frame wh,
1704	int algo, int seq, int status)
1705	{
1706	struct ieee80211vap *vap = ni->ni_vap;
1707
1708	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1709	wh, NULL, "unsupported alg %d", algo);
1710	vap->iv_stats.is_rx_auth_unsupported++;
1711	ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1712	seq \| (status << 16));
1713	}
1714
1715	static __inline int
1716	ishtmixed(const uint8_t *ie)
1717	{
1718	const struct ieee80211_ie_htinfo *ht =
1719	(const struct ieee80211_ie_htinfo *) ie;
1720	return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1721	IEEE80211_HTINFO_OPMODE_MIXED;
1722	}
1723
1724	static int
1725	is11bclient(const uint8_t rates, const uint8_t xrates)
1726	{
1727	static const uint32_t brates = (1<<21)\|(1<<22)\|(1<<11)\|(1<<2*11);
1728	int i;
1729
1730	/* NB: the 11b clients we care about will not have xrates */
1731	if (xrates != NULL \|\| rates == NULL)
1732	return 0;
1733	for (i = 0; i < rates[1]; i++) {
1734	int r = rates[2+i] & IEEE80211_RATE_VAL;
1735	if (r > 2*11 \|\| ((1<<r) & brates) == 0)
1736	return 0;
1737	}
1738	return 1;
1739	}
1740
1741	static void
1742	hostap_recv_mgmt(struct ieee80211_node ni, struct mbuf m0,
1743	int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1744	{
1745	struct ieee80211vap *vap = ni->ni_vap;
1746	struct ieee80211com *ic = ni->ni_ic;
1747	struct ieee80211_frame *wh;
1748	uint8_t frm, efrm, *sfrm;
1749	uint8_t ssid, rates, xrates, wpa, rsn, wme, ath, htcap;
1750	int reassoc, resp;
1751	uint8_t rate;
1752
1753	wh = mtod(m0, struct ieee80211_frame *);
1754	frm = (uint8_t *)&wh[1];
1755	efrm = mtod(m0, uint8_t *) + m0->m_len;
1756	switch (subtype) {
1757	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1758	/*
1759	* We process beacon/probe response frames when scanning;
1760	* otherwise we check beacon frames for overlapping non-ERP
1761	* BSS in 11g and/or overlapping legacy BSS when in HT.
1762	*/
1763	if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1764	vap->iv_stats.is_rx_mgtdiscard++;
1765	return;
1766	}
1767	/* FALLTHROUGH */
1768	case IEEE80211_FC0_SUBTYPE_BEACON: {
1769	struct ieee80211_scanparams scan;
1770
1771	/* NB: accept off-channel frames */
1772	/* XXX TODO: use rxstatus to determine off-channel details */
1773	if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1774	return;
1775	/*
1776	* Count frame now that we know it's to be processed.
1777	*/
1778	if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1779	vap->iv_stats.is_rx_beacon++; /* XXX remove */
1780	IEEE80211_NODE_STAT(ni, rx_beacons);
1781	} else
1782	IEEE80211_NODE_STAT(ni, rx_proberesp);
1783	/*
1784	* If scanning, just pass information to the scan module.
1785	*/
1786	if (ic->ic_flags & IEEE80211_F_SCAN) {
1787	if (scan.status == 0 && /* NB: on channel */
1788	(ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1789	/*
1790	* Actively scanning a channel marked passive;
1791	* send a probe request now that we know there
1792	* is 802.11 traffic present.
1793	*
1794	* XXX check if the beacon we recv'd gives
1795	* us what we need and suppress the probe req
1796	*/
1797	ieee80211_probe_curchan(vap, 1);
1798	ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1799	}
1800	ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1801	subtype, rssi, nf);
1802	return;
1803	}
1804	/*
1805	* Check beacon for overlapping bss w/ non ERP stations.
1806	* If we detect one and protection is configured but not
1807	* enabled, enable it and start a timer that'll bring us
1808	* out if we stop seeing the bss.
1809	*/
1810	if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1811	scan.status == 0 && /* NB: on-channel */
1812	((scan.erp & 0x100) == 0 \|\| /* NB: no ERP, 11b sta*/
1813	(scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1814	ic->ic_lastnonerp = ticks;
1815	ic->ic_flags_ext \|= IEEE80211_FEXT_NONERP_PR;
1816	if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1817	(ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1818	IEEE80211_NOTE_FRAME(vap,
1819	IEEE80211_MSG_ASSOC, wh,
1820	"non-ERP present on channel %d "
1821	"(saw erp 0x%x from channel %d), "
1822	"enable use of protection",
1823	ic->ic_curchan->ic_ieee,
1824	scan.erp, scan.chan);
1825	ic->ic_flags \|= IEEE80211_F_USEPROT;
1826	ieee80211_notify_erp(ic);
1827	}
1828	}
1829	/*
1830	* Check beacon for non-HT station on HT channel
1831	* and update HT BSS occupancy as appropriate.
1832	*/
1833	if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1834	if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1835	/*
1836	* Off control channel; only check frames
1837	* that come in the extension channel when
1838	* operating w/ HT40.
1839	*/
1840	if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1841	break;
1842	if (scan.chan != ic->ic_curchan->ic_extieee)
1843	break;
1844	}
1845	if (scan.htinfo == NULL) {
1846	ieee80211_htprot_update(ic,
1847	IEEE80211_HTINFO_OPMODE_PROTOPT \|
1848	IEEE80211_HTINFO_NONHT_PRESENT);
1849	} else if (ishtmixed(scan.htinfo)) {
1850	/* XXX? take NONHT_PRESENT from beacon? */
1851	ieee80211_htprot_update(ic,
1852	IEEE80211_HTINFO_OPMODE_MIXED \|
1853	IEEE80211_HTINFO_NONHT_PRESENT);
1854	}
1855	}
1856	break;
1857	}
1858
1859	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1860	if (vap->iv_state != IEEE80211_S_RUN) {
1861	vap->iv_stats.is_rx_mgtdiscard++;
1862	return;
1863	}
1864	/*
1865	* Consult the ACL policy module if setup.
1866	*/
1867	if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1868	IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1869	wh, NULL, "%s", "disallowed by ACL");
1870	vap->iv_stats.is_rx_acl++;
1871	return;
1872	}
1873	/*
1874	* prreq frame format
1875	* [tlv] ssid
1876	* [tlv] supported rates
1877	* [tlv] extended supported rates
1878	*/
1879	ssid = rates = xrates = NULL;
1880	while (efrm - frm > 1) {
1881	IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1882	switch (*frm) {
1883	case IEEE80211_ELEMID_SSID:
1884	ssid = frm;
1885	break;
1886	case IEEE80211_ELEMID_RATES:
1887	rates = frm;
1888	break;
1889	case IEEE80211_ELEMID_XRATES:
1890	xrates = frm;
1891	break;
1892	}
1893	frm += frm[1] + 2;
1894	}
1895	IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1896	if (xrates != NULL)
1897	IEEE80211_VERIFY_ELEMENT(xrates,
1898	IEEE80211_RATE_MAXSIZE - rates[1], return);
1899	IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1900	IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1901	if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1902	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1903	wh, NULL,
1904	"%s", "no ssid with ssid suppression enabled");
1905	vap->iv_stats.is_rx_ssidmismatch++; /XXX/
1906	return;
1907	}
1908
1909	/* XXX find a better class or define it's own */
1910	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1911	"%s", "recv probe req");
1912	/*
1913	* Some legacy 11b clients cannot hack a complete
1914	* probe response frame. When the request includes
1915	* only a bare-bones rate set, communicate this to
1916	* the transmit side.
1917	*/
1918	ieee80211_send_proberesp(vap, wh->i_addr2,
1919	is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1920	break;
1921
1922	case IEEE80211_FC0_SUBTYPE_AUTH: {
1923	uint16_t algo, seq, status;
1924
1925	if (vap->iv_state != IEEE80211_S_RUN) {
1926	vap->iv_stats.is_rx_mgtdiscard++;
1927	return;
1928	}
1929	if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1930	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1931	wh, NULL, "%s", "wrong bssid");
1932	vap->iv_stats.is_rx_wrongbss++; /XXX unique stat?/
1933	return;
1934	}
1935	/*
1936	* auth frame format
1937	* [2] algorithm
1938	* [2] sequence
1939	* [2] status
1940	* [tlv*] challenge
1941	*/
1942	IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1943	algo = le16toh((uint16_t )frm);
1944	seq = le16toh((uint16_t )(frm + 2));
1945	status = le16toh((uint16_t )(frm + 4));
1946	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1947	"recv auth frame with algorithm %d seq %d", algo, seq);
1948	/*
1949	* Consult the ACL policy module if setup.
1950	*/
1951	if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1952	IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1953	wh, NULL, "%s", "disallowed by ACL");
1954	vap->iv_stats.is_rx_acl++;
1955	ieee80211_send_error(ni, wh->i_addr2,
1956	IEEE80211_FC0_SUBTYPE_AUTH,
1957	(seq+1) \| (IEEE80211_STATUS_UNSPECIFIED<<16));
1958	return;
1959	}
1960	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1961	IEEE80211_DISCARD(vap,
1962	IEEE80211_MSG_AUTH \| IEEE80211_MSG_CRYPTO,
1963	wh, NULL, "%s", "TKIP countermeasures enabled");
1964	vap->iv_stats.is_rx_auth_countermeasures++;
1965	ieee80211_send_error(ni, wh->i_addr2,
1966	IEEE80211_FC0_SUBTYPE_AUTH,
1967	IEEE80211_REASON_MIC_FAILURE);
1968	return;
1969	}
1970	if (algo == IEEE80211_AUTH_ALG_SHARED)
1971	hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1972	seq, status);
1973	else if (algo == IEEE80211_AUTH_ALG_OPEN)
1974	hostap_auth_open(ni, wh, rssi, nf, seq, status);
1975	else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1976	authalgreject(ni, wh, algo,
1977	seq+1, IEEE80211_STATUS_ALG);
1978	return;
1979	} else {
1980	/*
1981	* We assume that an unknown algorithm is the result
1982	* of a decryption failure on a shared key auth frame;
1983	* return a status code appropriate for that instead
1984	* of IEEE80211_STATUS_ALG.
1985	*
1986	* NB: a seq# of 4 is intentional; the decrypted
1987	* frame likely has a bogus seq value.
1988	*/
1989	authalgreject(ni, wh, algo,
1990	4, IEEE80211_STATUS_CHALLENGE);
1991	return;
1992	}
1993	break;
1994	}
1995
1996	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1997	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1998	uint16_t capinfo, lintval;
1999	struct ieee80211_rsnparms rsnparms;
2000
2001	if (vap->iv_state != IEEE80211_S_RUN) {
2002	vap->iv_stats.is_rx_mgtdiscard++;
2003	return;
2004	}
2005	if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2006	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2007	wh, NULL, "%s", "wrong bssid");
2008	vap->iv_stats.is_rx_assoc_bss++;
2009	return;
2010	}
2011	if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2012	reassoc = 1;
2013	resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2014	} else {
2015	reassoc = 0;
2016	resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2017	}
2018	if (ni == vap->iv_bss) {
2019	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2020	"deny %s request, sta not authenticated",
2021	reassoc ? "reassoc" : "assoc");
2022	ieee80211_send_error(ni, wh->i_addr2,
2023	IEEE80211_FC0_SUBTYPE_DEAUTH,
2024	IEEE80211_REASON_ASSOC_NOT_AUTHED);
2025	vap->iv_stats.is_rx_assoc_notauth++;
2026	return;
2027	}
2028
2029	/*
2030	* asreq frame format
2031	* [2] capability information
2032	* [2] listen interval
2033	* [6*] current AP address (reassoc only)
2034	* [tlv] ssid
2035	* [tlv] supported rates
2036	* [tlv] extended supported rates
2037	* [tlv] WPA or RSN
2038	* [tlv] HT capabilities
2039	* [tlv] Atheros capabilities
2040	*/
2041	IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2042	capinfo = le16toh((uint16_t )frm); frm += 2;
2043	lintval = le16toh((uint16_t )frm); frm += 2;
2044	if (reassoc)
2045	frm += 6; /* ignore current AP info */
2046	ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2047	sfrm = frm;
2048	while (efrm - frm > 1) {
2049	IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2050	switch (*frm) {
2051	case IEEE80211_ELEMID_SSID:
2052	ssid = frm;
2053	break;
2054	case IEEE80211_ELEMID_RATES:
2055	rates = frm;
2056	break;
2057	case IEEE80211_ELEMID_XRATES:
2058	xrates = frm;
2059	break;
2060	case IEEE80211_ELEMID_RSN:
2061	rsn = frm;
2062	break;
2063	case IEEE80211_ELEMID_HTCAP:
2064	htcap = frm;
2065	break;
2066	case IEEE80211_ELEMID_VENDOR:
2067	if (iswpaoui(frm))
2068	wpa = frm;
2069	else if (iswmeinfo(frm))
2070	wme = frm;
2071	#ifdef IEEE80211_SUPPORT_SUPERG
2072	else if (isatherosoui(frm))
2073	ath = frm;
2074	#endif
2075	else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2076	if (ishtcapoui(frm) && htcap == NULL)
2077	htcap = frm;
2078	}
2079	break;
2080	}
2081	frm += frm[1] + 2;
2082	}
2083	IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2084	if (xrates != NULL)
2085	IEEE80211_VERIFY_ELEMENT(xrates,
2086	IEEE80211_RATE_MAXSIZE - rates[1], return);
2087	IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2088	IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2089	if (htcap != NULL) {
2090	IEEE80211_VERIFY_LENGTH(htcap[1],
2091	htcap[0] == IEEE80211_ELEMID_VENDOR ?
2092	4 + sizeof(struct ieee80211_ie_htcap)-2 :
2093	sizeof(struct ieee80211_ie_htcap)-2,
2094	return); /* XXX just NULL out? */
2095	}
2096
2097	if ((vap->iv_flags & IEEE80211_F_WPA) &&
2098	!wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2099	return;
2100	/* discard challenge after association */
2101	if (ni->ni_challenge != NULL) {
2102	IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2103	ni->ni_challenge = NULL;
2104	}
2105	/* NB: 802.11 spec says to ignore station's privacy bit */
2106	if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2107	capinfomismatch(ni, wh, reassoc, resp,
2108	"capability", capinfo);
2109	return;
2110	}
2111	/*
2112	* Disallow re-associate w/ invalid slot time setting.
2113	*/
2114	if (ni->ni_associd != 0 &&
2115	IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2116	((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2117	capinfomismatch(ni, wh, reassoc, resp,
2118	"slot time", capinfo);
2119	return;
2120	}
2121	rate = ieee80211_setup_rates(ni, rates, xrates,
2122	IEEE80211_F_DOSORT \| IEEE80211_F_DOFRATE \|
2123	IEEE80211_F_DONEGO \| IEEE80211_F_DODEL);
2124	if (rate & IEEE80211_RATE_BASIC) {
2125	ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2126	vap->iv_stats.is_rx_assoc_norate++;
2127	return;
2128	}
2129	/*
2130	* If constrained to 11g-only stations reject an
2131	* 11b-only station. We cheat a bit here by looking
2132	* at the max negotiated xmit rate and assuming anyone
2133	* with a best rate <24Mb/s is an 11b station.
2134	*/
2135	if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2136	ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2137	vap->iv_stats.is_rx_assoc_norate++;
2138	return;
2139	}
2140	/*
2141	* Do HT rate set handling and setup HT node state.
2142	*/
2143	ni->ni_chan = vap->iv_bss->ni_chan;
2144	if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2145	rate = ieee80211_setup_htrates(ni, htcap,
2146	IEEE80211_F_DOFMCS \| IEEE80211_F_DONEGO \|
2147	IEEE80211_F_DOBRS);
2148	if (rate & IEEE80211_RATE_BASIC) {
2149	ratesetmismatch(ni, wh, reassoc, resp,
2150	"HT", rate);
2151	vap->iv_stats.is_ht_assoc_norate++;
2152	return;
2153	}
2154	ieee80211_ht_node_init(ni);
2155	ieee80211_ht_updatehtcap(ni, htcap);
2156	} else if (ni->ni_flags & IEEE80211_NODE_HT)
2157	ieee80211_ht_node_cleanup(ni);
2158	#ifdef IEEE80211_SUPPORT_SUPERG
2159	/* Always do ff node cleanup; for A-MSDU */
2160	ieee80211_ff_node_cleanup(ni);
2161	#endif
2162	/*
2163	* Allow AMPDU operation only with unencrypted traffic
2164	* or AES-CCM; the 11n spec only specifies these ciphers
2165	* so permitting any others is undefined and can lead
2166	* to interoperability problems.
2167	*/
2168	if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2169	(((vap->iv_flags & IEEE80211_F_WPA) &&
2170	rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) \|\|
2171	(vap->iv_flags & (IEEE80211_F_WPA\|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2172	IEEE80211_NOTE(vap,
2173	IEEE80211_MSG_ASSOC \| IEEE80211_MSG_11N, ni,
2174	"disallow HT use because WEP or TKIP requested, "
2175	"capinfo 0x%x ucastcipher %d", capinfo,
2176	rsnparms.rsn_ucastcipher);
2177	ieee80211_ht_node_cleanup(ni);
2178	#ifdef IEEE80211_SUPPORT_SUPERG
2179	/* Always do ff node cleanup; for A-MSDU */
2180	ieee80211_ff_node_cleanup(ni);
2181	#endif
2182	vap->iv_stats.is_ht_assoc_downgrade++;
2183	}
2184	/*
2185	* If constrained to 11n-only stations reject legacy stations.
2186	*/
2187	if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2188	(ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2189	htcapmismatch(ni, wh, reassoc, resp);
2190	vap->iv_stats.is_ht_assoc_nohtcap++;
2191	return;
2192	}
2193	IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2194	ni->ni_noise = nf;
2195	ni->ni_intval = lintval;
2196	ni->ni_capinfo = capinfo;
2197	ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2198	ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2199	/*
2200	* Store the IEs.
2201	* XXX maybe better to just expand
2202	*/
2203	if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2204	#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2205	if (wpa != NULL)
2206	setie(wpa_ie, wpa - sfrm);
2207	if (rsn != NULL)
2208	setie(rsn_ie, rsn - sfrm);
2209	if (htcap != NULL)
2210	setie(htcap_ie, htcap - sfrm);
2211	if (wme != NULL) {
2212	setie(wme_ie, wme - sfrm);
2213	/*
2214	* Mark node as capable of QoS.
2215	*/
2216	ni->ni_flags \|= IEEE80211_NODE_QOS;
2217	} else
2218	ni->ni_flags &= ~IEEE80211_NODE_QOS;
2219	#ifdef IEEE80211_SUPPORT_SUPERG
2220	if (ath != NULL) {
2221	setie(ath_ie, ath - sfrm);
2222	/*
2223	* Parse ATH station parameters.
2224	*/
2225	ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2226	} else
2227	#endif
2228	ni->ni_ath_flags = 0;
2229	#undef setie
2230	} else {
2231	ni->ni_flags &= ~IEEE80211_NODE_QOS;
2232	ni->ni_ath_flags = 0;
2233	}
2234	ieee80211_node_join(ni, resp);
2235	ieee80211_deliver_l2uf(ni);
2236	break;
2237	}
2238
2239	case IEEE80211_FC0_SUBTYPE_DEAUTH:
2240	case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2241	uint16_t reason;
2242
2243	if (vap->iv_state != IEEE80211_S_RUN \|\|
2244	/* NB: can happen when in promiscuous mode */
2245	!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2246	vap->iv_stats.is_rx_mgtdiscard++;
2247	break;
2248	}
2249	/*
2250	* deauth/disassoc frame format
2251	* [2] reason
2252	*/
2253	IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2254	reason = le16toh((uint16_t )frm);
2255	if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2256	vap->iv_stats.is_rx_deauth++;
2257	IEEE80211_NODE_STAT(ni, rx_deauth);
2258	} else {
2259	vap->iv_stats.is_rx_disassoc++;
2260	IEEE80211_NODE_STAT(ni, rx_disassoc);
2261	}
2262	IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2263	"recv %s (reason: %d (%s))",
2264	ieee80211_mgt_subtype_name(subtype),
2265	reason, ieee80211_reason_to_string(reason));
2266	if (ni != vap->iv_bss)
2267	ieee80211_node_leave(ni);
2268	break;
2269	}
2270
2271	case IEEE80211_FC0_SUBTYPE_ACTION:
2272	case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2273	if (ni == vap->iv_bss) {
2274	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2275	wh, NULL, "%s", "unknown node");
2276	vap->iv_stats.is_rx_mgtdiscard++;
2277	} else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2278	!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2279	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2280	wh, NULL, "%s", "not for us");
2281	vap->iv_stats.is_rx_mgtdiscard++;
2282	} else if (vap->iv_state != IEEE80211_S_RUN) {
2283	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2284	wh, NULL, "wrong state %s",
2285	ieee80211_state_name[vap->iv_state]);
2286	vap->iv_stats.is_rx_mgtdiscard++;
2287	} else {
2288	if (ieee80211_parse_action(ni, m0) == 0)
2289	(void)ic->ic_recv_action(ni, wh, frm, efrm);
2290	}
2291	break;
2292
2293	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2294	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2295	case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2296	case IEEE80211_FC0_SUBTYPE_ATIM:
2297	IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2298	wh, NULL, "%s", "not handled");
2299	vap->iv_stats.is_rx_mgtdiscard++;
2300	break;
2301
2302	default:
2303	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2304	wh, "mgt", "subtype 0x%x not handled", subtype);
2305	vap->iv_stats.is_rx_badsubtype++;
2306	break;
2307	}
2308	}
2309
2310	static void
2311	hostap_recv_ctl(struct ieee80211_node ni, struct mbuf m, int subtype)
2312	{
2313	switch (subtype) {
2314	case IEEE80211_FC0_SUBTYPE_PS_POLL:
2315	ni->ni_vap->iv_recv_pspoll(ni, m);
2316	break;
2317	case IEEE80211_FC0_SUBTYPE_BAR:
2318	ieee80211_recv_bar(ni, m);
2319	break;
2320	}
2321	}
2322
2323	/*
2324	* Process a received ps-poll frame.
2325	*/
2326	void
2327	ieee80211_recv_pspoll(struct ieee80211_node ni, struct mbuf m0)
2328	{
2329	struct ieee80211vap *vap = ni->ni_vap;
2330	struct ieee80211com *ic = vap->iv_ic;
2331	struct ieee80211_frame_min *wh;
2332	struct mbuf *m;
2333	uint16_t aid;
2334	int qlen;
2335
2336	wh = mtod(m0, struct ieee80211_frame_min *);
2337	if (ni->ni_associd == 0) {
2338	IEEE80211_DISCARD(vap,
2339	IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG,
2340	(struct ieee80211_frame *) wh, NULL,
2341	"%s", "unassociated station");
2342	vap->iv_stats.is_ps_unassoc++;
2343	IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2344	IEEE80211_REASON_NOT_ASSOCED);
2345	return;
2346	}
2347
2348	aid = le16toh((uint16_t )wh->i_dur);
2349	if (aid != ni->ni_associd) {
2350	IEEE80211_DISCARD(vap,
2351	IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG,
2352	(struct ieee80211_frame *) wh, NULL,
2353	"aid mismatch: sta aid 0x%x poll aid 0x%x",
2354	ni->ni_associd, aid);
2355	vap->iv_stats.is_ps_badaid++;
2356	/*
2357	* NB: We used to deauth the station but it turns out
2358	* the Blackberry Curve 8230 (and perhaps other devices)
2359	* sometimes send the wrong AID when WME is negotiated.
2360	* Being more lenient here seems ok as we already check
2361	* the station is associated and we only return frames
2362	* queued for the station (i.e. we don't use the AID).
2363	*/
2364	return;
2365	}
2366
2367	/* Okay, take the first queued packet and put it out... */
2368	m = ieee80211_node_psq_dequeue(ni, &qlen);
2369	if (m == NULL) {
2370	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2371	"%s", "recv ps-poll, but queue empty");
2372	ieee80211_send_nulldata(ieee80211_ref_node(ni));
2373	vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2374	if (vap->iv_set_tim != NULL)
2375	vap->iv_set_tim(ni, 0); /* just in case */
2376	return;
2377	}
2378	/*
2379	* If there are more packets, set the more packets bit
2380	* in the packet dispatched to the station; otherwise
2381	* turn off the TIM bit.
2382	*/
2383	if (qlen != 0) {
2384	IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2385	"recv ps-poll, send packet, %u still queued", qlen);
2386	m->m_flags \|= M_MORE_DATA;
2387	} else {
2388	IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2389	"%s", "recv ps-poll, send packet, queue empty");
2390	if (vap->iv_set_tim != NULL)
2391	vap->iv_set_tim(ni, 0);
2392	}
2393	m->m_flags \|= M_PWR_SAV; /* bypass PS handling */
2394
2395	/*
2396	* Do the right thing; if it's an encap'ed frame then
2397	* call ieee80211_parent_xmitpkt() else
2398	* call ieee80211_vap_xmitpkt().
2399	*/
2400	if (m->m_flags & M_ENCAP) {
2401	(void) ieee80211_parent_xmitpkt(ic, m);
2402	} else {
2403	(void) ieee80211_vap_xmitpkt(vap, m);
2404	}
2405	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: