1
/*-
2
 * SPDX-License-Identifier: BSD-2-Clause
3
 *
4
 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26
 */
27

28
/*
29
 * IEEE 802.11 HOSTAP mode support.
30
 */
31
#include "opt_inet.h"
32
#include "opt_wlan.h"
33

34
#include <sys/param.h>
35
#include <sys/systm.h> 
36
#include <sys/mbuf.h>   
37
#include <sys/malloc.h>
38
#include <sys/kernel.h>
39

40
#include <sys/socket.h>
41
#include <sys/sockio.h>
42
#include <sys/endian.h>
43
#include <sys/errno.h>
44
#include <sys/proc.h>
45
#include <sys/sysctl.h>
46

47
#include <net/if.h>
48
#include <net/if_var.h>
49
#include <net/if_media.h>
50
#include <net/if_llc.h>
51
#include <net/ethernet.h>
52

53
#include <net/bpf.h>
54

55
#include <net80211/ieee80211_var.h>
56
#include <net80211/ieee80211_hostap.h>
57
#include <net80211/ieee80211_input.h>
58
#ifdef IEEE80211_SUPPORT_SUPERG
59
#include <net80211/ieee80211_superg.h>
60
#endif
61
#include <net80211/ieee80211_wds.h>
62
#include <net80211/ieee80211_vht.h>
63
#include <net80211/ieee80211_sta.h> /* for parse_wmeie */
64

65
static	void hostap_vattach(struct ieee80211vap *);
66
static	int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
67
static	int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
68
	    const struct ieee80211_rx_stats *,
69
	    int rssi, int nf);
70
static void hostap_deliver_data(struct ieee80211vap *,
71
	    struct ieee80211_node *, struct mbuf *);
72
static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
73
	    int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
74
static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
75

76
void
77
ieee80211_hostap_attach(struct ieee80211com *ic)
78
{
79
	ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
80
}
81

82
void
83
ieee80211_hostap_detach(struct ieee80211com *ic)
84
{
85
}
86

87
static void
88
hostap_vdetach(struct ieee80211vap *vap)
89
{
90
}
91

92
static void
93
hostap_vattach(struct ieee80211vap *vap)
94
{
95
	vap->iv_newstate = hostap_newstate;
96
	vap->iv_input = hostap_input;
97
	vap->iv_recv_mgmt = hostap_recv_mgmt;
98
	vap->iv_recv_ctl = hostap_recv_ctl;
99
	vap->iv_opdetach = hostap_vdetach;
100
	vap->iv_deliver_data = hostap_deliver_data;
101
	vap->iv_recv_pspoll = ieee80211_recv_pspoll;
102
}
103

104
static void
105
sta_disassoc(void *arg, struct ieee80211_node *ni)
106
{
107

108
	if (ni->ni_associd != 0) {
109
		IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
110
			IEEE80211_REASON_ASSOC_LEAVE);
111
		ieee80211_node_leave(ni);
112
	}
113
}
114

115
static void
116
sta_csa(void *arg, struct ieee80211_node *ni)
117
{
118
	struct ieee80211vap *vap = ni->ni_vap;
119

120
	if (ni->ni_associd != 0)
121
		if (ni->ni_inact > vap->iv_inact_init) {
122
			ni->ni_inact = vap->iv_inact_init;
123
			IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
124
			    "%s: inact %u", __func__, ni->ni_inact);
125
		}
126
}
127

128
static void
129
sta_drop(void *arg, struct ieee80211_node *ni)
130
{
131

132
	if (ni->ni_associd != 0)
133
		ieee80211_node_leave(ni);
134
}
135

136
/*
137
 * Does a channel change require associated stations to re-associate
138
 * so protocol state is correct.  This is used when doing CSA across
139
 * bands or similar (e.g. HT -> legacy).
140
 */
141
static int
142
isbandchange(struct ieee80211com *ic)
143
{
144
	return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
145
	    (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
146
	     IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
147
}
148

149
/*
150
 * IEEE80211_M_HOSTAP vap state machine handler.
151
 */
152
static int
153
hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
154
{
155
	struct ieee80211com *ic = vap->iv_ic;
156
	enum ieee80211_state ostate;
157

158
	IEEE80211_LOCK_ASSERT(ic);
159

160
	ostate = vap->iv_state;
161
	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
162
	    __func__, ieee80211_state_name[ostate],
163
	    ieee80211_state_name[nstate], arg);
164
	vap->iv_state = nstate;			/* state transition */
165
	if (ostate != IEEE80211_S_SCAN)
166
		ieee80211_cancel_scan(vap);	/* background scan */
167
	switch (nstate) {
168
	case IEEE80211_S_INIT:
169
		switch (ostate) {
170
		case IEEE80211_S_SCAN:
171
			ieee80211_cancel_scan(vap);
172
			break;
173
		case IEEE80211_S_CAC:
174
			ieee80211_dfs_cac_stop(vap);
175
			break;
176
		case IEEE80211_S_RUN:
177
			ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
178
			    sta_disassoc, NULL);
179
			break;
180
		default:
181
			break;
182
		}
183
		if (ostate != IEEE80211_S_INIT) {
184
			/* NB: optimize INIT -> INIT case */
185
			ieee80211_reset_bss(vap);
186
		}
187
		if (vap->iv_auth->ia_detach != NULL)
188
			vap->iv_auth->ia_detach(vap);
189
		break;
190
	case IEEE80211_S_SCAN:
191
		switch (ostate) {
192
		case IEEE80211_S_CSA:
193
		case IEEE80211_S_RUN:
194
			ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
195
			    sta_disassoc, NULL);
196
			/*
197
			 * Clear overlapping BSS state; the beacon frame
198
			 * will be reconstructed on transition to the RUN
199
			 * state and the timeout routines check if the flag
200
			 * is set before doing anything so this is sufficient.
201
			 */
202
			vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
203
			vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
204
			/* XXX TODO: schedule deferred update? */
205
			/* fall thru... */
206
		case IEEE80211_S_CAC:
207
			/*
208
			 * NB: We may get here because of a manual channel
209
			 *     change in which case we need to stop CAC
210
			 * XXX no need to stop if ostate RUN but it's ok
211
			 */
212
			ieee80211_dfs_cac_stop(vap);
213
			/* fall thru... */
214
		case IEEE80211_S_INIT:
215
			if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
216
			    !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
217
				/*
218
				 * Already have a channel; bypass the
219
				 * scan and startup immediately.  
220
				 * ieee80211_create_ibss will call back to
221
				 * move us to RUN state.
222
				 */
223
				ieee80211_create_ibss(vap, vap->iv_des_chan);
224
				break;
225
			}
226
			/*
227
			 * Initiate a scan.  We can come here as a result
228
			 * of an IEEE80211_IOC_SCAN_REQ too in which case
229
			 * the vap will be marked with IEEE80211_FEXT_SCANREQ
230
			 * and the scan request parameters will be present
231
			 * in iv_scanreq.  Otherwise we do the default.
232
			 */
233
			if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
234
				ieee80211_check_scan(vap,
235
				    vap->iv_scanreq_flags,
236
				    vap->iv_scanreq_duration,
237
				    vap->iv_scanreq_mindwell,
238
				    vap->iv_scanreq_maxdwell,
239
				    vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
240
				vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
241
			} else
242
				ieee80211_check_scan_current(vap);
243
			break;
244
		case IEEE80211_S_SCAN:
245
			/*
246
			 * A state change requires a reset; scan.
247
			 */
248
			ieee80211_check_scan_current(vap);
249
			break;
250
		default:
251
			break;
252
		}
253
		break;
254
	case IEEE80211_S_CAC:
255
		/*
256
		 * Start CAC on a DFS channel.  We come here when starting
257
		 * a bss on a DFS channel (see ieee80211_create_ibss).
258
		 */
259
		ieee80211_dfs_cac_start(vap);
260
		break;
261
	case IEEE80211_S_RUN:
262
		if (vap->iv_flags & IEEE80211_F_WPA) {
263
			/* XXX validate prerequisites */
264
		}
265
		switch (ostate) {
266
		case IEEE80211_S_INIT:
267
			/*
268
			 * Already have a channel; bypass the
269
			 * scan and startup immediately.
270
			 * Note that ieee80211_create_ibss will call
271
			 * back to do a RUN->RUN state change.
272
			 */
273
			ieee80211_create_ibss(vap,
274
			    ieee80211_ht_adjust_channel(ic,
275
				ic->ic_curchan, vap->iv_flags_ht));
276
			/* NB: iv_bss is changed on return */
277
			break;
278
		case IEEE80211_S_CAC:
279
			/*
280
			 * NB: This is the normal state change when CAC
281
			 * expires and no radar was detected; no need to
282
			 * clear the CAC timer as it's already expired.
283
			 */
284
			/* fall thru... */
285
		case IEEE80211_S_CSA:
286
			/*
287
			 * Shorten inactivity timer of associated stations
288
			 * to weed out sta's that don't follow a CSA.
289
			 */
290
			ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
291
			    sta_csa, NULL);
292
			/*
293
			 * Update bss node channel to reflect where
294
			 * we landed after CSA.
295
			 */
296
			ieee80211_node_set_chan(vap->iv_bss,
297
			    ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
298
				ieee80211_htchanflags(vap->iv_bss->ni_chan)));
299
			/* XXX bypass debug msgs */
300
			break;
301
		case IEEE80211_S_SCAN:
302
		case IEEE80211_S_RUN:
303
#ifdef IEEE80211_DEBUG
304
			if (ieee80211_msg_debug(vap)) {
305
				struct ieee80211_node *ni = vap->iv_bss;
306
				ieee80211_note(vap,
307
				    "synchronized with %s ssid ",
308
				    ether_sprintf(ni->ni_bssid));
309
				ieee80211_print_essid(ni->ni_essid,
310
				    ni->ni_esslen);
311
				net80211_printf(" channel %d start %uMbit/s\n",
312
				    ieee80211_chan2ieee(ic, ic->ic_curchan),
313
				    ieee80211_node_get_txrate_kbit(ni) / 1000);
314
			}
315
#endif
316
			break;
317
		default:
318
			break;
319
		}
320
		/*
321
		 * Start/stop the authenticator.  We delay until here
322
		 * to allow configuration to happen out of order.
323
		 */
324
		if (vap->iv_auth->ia_attach != NULL) {
325
			/* XXX check failure */
326
			vap->iv_auth->ia_attach(vap);
327
		} else if (vap->iv_auth->ia_detach != NULL) {
328
			vap->iv_auth->ia_detach(vap);
329
		}
330
		ieee80211_node_authorize(vap->iv_bss);
331
		break;
332
	case IEEE80211_S_CSA:
333
		if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
334
			/*
335
			 * On a ``band change'' silently drop associated
336
			 * stations as they must re-associate before they
337
			 * can pass traffic (as otherwise protocol state
338
			 * such as capabilities and the negotiated rate
339
			 * set may/will be wrong).
340
			 */
341
			ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
342
			    sta_drop, NULL);
343
		}
344
		break;
345
	default:
346
		break;
347
	}
348
	return 0;
349
}
350

351
static void
352
hostap_deliver_data(struct ieee80211vap *vap,
353
	struct ieee80211_node *ni, struct mbuf *m)
354
{
355
	struct ether_header *eh = mtod(m, struct ether_header *);
356
	struct ifnet *ifp = vap->iv_ifp;
357

358
	/* clear driver/net80211 flags before passing up */
359
	m->m_flags &= ~(M_MCAST | M_BCAST);
360
	m_clrprotoflags(m);
361

362
	KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
363
	    ("gack, opmode %d", vap->iv_opmode));
364
	/*
365
	 * Do accounting.
366
	 */
367
	if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
368
	IEEE80211_NODE_STAT(ni, rx_data);
369
	IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
370
	if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
371
		m->m_flags |= M_MCAST;		/* XXX M_BCAST? */
372
		IEEE80211_NODE_STAT(ni, rx_mcast);
373
	} else
374
		IEEE80211_NODE_STAT(ni, rx_ucast);
375

376
	/* perform as a bridge within the AP */
377
	if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
378
		struct mbuf *mcopy = NULL;
379

380
		if (m->m_flags & M_MCAST) {
381
			mcopy = m_dup(m, IEEE80211_M_NOWAIT);
382
			if (mcopy == NULL)
383
				if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
384
			else
385
				mcopy->m_flags |= M_MCAST;
386
		} else {
387
			/*
388
			 * Check if the destination is associated with the
389
			 * same vap and authorized to receive traffic.
390
			 * Beware of traffic destined for the vap itself;
391
			 * sending it will not work; just let it be delivered
392
			 * normally.
393
			 */
394
			struct ieee80211_node *sta = ieee80211_find_vap_node(
395
			     &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
396
			if (sta != NULL) {
397
				if (ieee80211_node_is_authorized(sta)) {
398
					/*
399
					 * Beware of sending to ourself; this
400
					 * needs to happen via the normal
401
					 * input path.
402
					 */
403
					if (sta != vap->iv_bss) {
404
						mcopy = m;
405
						m = NULL;
406
					}
407
				} else {
408
					vap->iv_stats.is_rx_unauth++;
409
					IEEE80211_NODE_STAT(sta, rx_unauth);
410
				}
411
				ieee80211_free_node(sta);
412
			}
413
		}
414
		if (mcopy != NULL)
415
			(void) ieee80211_vap_xmitpkt(vap, mcopy);
416
	}
417
	if (m != NULL) {
418
		/*
419
		 * Mark frame as coming from vap's interface.
420
		 */
421
		m->m_pkthdr.rcvif = ifp;
422
		if (m->m_flags & M_MCAST) {
423
			/*
424
			 * Spam DWDS vap's w/ multicast traffic.
425
			 */
426
			/* XXX only if dwds in use? */
427
			ieee80211_dwds_mcast(vap, m);
428
		}
429
		if (ni->ni_vlan != 0) {
430
			/* attach vlan tag */
431
			m->m_pkthdr.ether_vtag = ni->ni_vlan;
432
			m->m_flags |= M_VLANTAG;
433
		}
434

435
		ieee80211_vap_deliver_data(vap, m);
436
	}
437
}
438

439
/*
440
 * Decide if a received management frame should be
441
 * printed when debugging is enabled.  This filters some
442
 * of the less interesting frames that come frequently
443
 * (e.g. beacons).
444
 */
445
static __inline int
446
doprint(struct ieee80211vap *vap, int subtype)
447
{
448
	switch (subtype) {
449
	case IEEE80211_FC0_SUBTYPE_BEACON:
450
		return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
451
	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
452
		return 0;
453
	}
454
	return 1;
455
}
456

457
/*
458
 * Process a received frame.  The node associated with the sender
459
 * should be supplied.  If nothing was found in the node table then
460
 * the caller is assumed to supply a reference to iv_bss instead.
461
 * The RSSI and a timestamp are also supplied.  The RSSI data is used
462
 * during AP scanning to select a AP to associate with; it can have
463
 * any units so long as values have consistent units and higher values
464
 * mean ``better signal''.  The receive timestamp is currently not used
465
 * by the 802.11 layer.
466
 */
467
static int
468
hostap_input(struct ieee80211_node *ni, struct mbuf *m,
469
    const struct ieee80211_rx_stats *rxs, int rssi, int nf)
470
{
471
	struct ieee80211vap *vap = ni->ni_vap;
472
	struct ieee80211com *ic = ni->ni_ic;
473
	struct ifnet *ifp = vap->iv_ifp;
474
	struct ieee80211_frame *wh;
475
	struct ieee80211_key *key;
476
	struct ether_header *eh;
477
	int hdrspace, need_tap = 1;	/* mbuf need to be tapped. */
478
	uint8_t dir, type, subtype, qos;
479
	uint8_t *bssid;
480
	int is_hw_decrypted = 0;
481
	int has_decrypted = 0;
482

483
	/*
484
	 * Some devices do hardware decryption all the way through
485
	 * to pretending the frame wasn't encrypted in the first place.
486
	 * So, tag it appropriately so it isn't discarded inappropriately.
487
	 */
488
	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
489
		is_hw_decrypted = 1;
490

491
	if (m->m_flags & M_AMPDU_MPDU) {
492
		/*
493
		 * Fastpath for A-MPDU reorder q resubmission.  Frames
494
		 * w/ M_AMPDU_MPDU marked have already passed through
495
		 * here but were received out of order and been held on
496
		 * the reorder queue.  When resubmitted they are marked
497
		 * with the M_AMPDU_MPDU flag and we can bypass most of
498
		 * the normal processing.
499
		 */
500
		wh = mtod(m, struct ieee80211_frame *);
501
		type = IEEE80211_FC0_TYPE_DATA;
502
		dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
503
		subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
504
		hdrspace = ieee80211_hdrspace(ic, wh);	/* XXX optimize? */
505
		goto resubmit_ampdu;
506
	}
507

508
	KASSERT(ni != NULL, ("null node"));
509
	ni->ni_inact = ni->ni_inact_reload;
510

511
	type = -1;			/* undefined */
512

513
	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
514
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
515
		    ni->ni_macaddr, NULL,
516
		    "too short (1): len %u", m->m_pkthdr.len);
517
		vap->iv_stats.is_rx_tooshort++;
518
		goto out;
519
	}
520
	/*
521
	 * Bit of a cheat here, we use a pointer for a 3-address
522
	 * frame format but don't reference fields past outside
523
	 * ieee80211_frame_min w/o first validating the data is
524
	 * present.
525
	 */
526
	wh = mtod(m, struct ieee80211_frame *);
527

528
	if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) {
529
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
530
		    ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
531
		    wh->i_fc[0], wh->i_fc[1]);
532
		vap->iv_stats.is_rx_badversion++;
533
		goto err;
534
	}
535

536
	dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
537
	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
538
	subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
539
	if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
540
		if (dir != IEEE80211_FC1_DIR_NODS)
541
			bssid = wh->i_addr1;
542
		else if (type == IEEE80211_FC0_TYPE_CTL)
543
			bssid = wh->i_addr1;
544
		else {
545
			if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
546
				IEEE80211_DISCARD_MAC(vap,
547
				    IEEE80211_MSG_ANY, ni->ni_macaddr,
548
				    NULL, "too short (2): len %u",
549
				    m->m_pkthdr.len);
550
				vap->iv_stats.is_rx_tooshort++;
551
				goto out;
552
			}
553
			bssid = wh->i_addr3;
554
		}
555
		/*
556
		 * Validate the bssid.
557
		 */
558
		if (!(type == IEEE80211_FC0_TYPE_MGT &&
559
		    subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
560
		    !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
561
		    !IEEE80211_ADDR_EQ(bssid,
562
		    ieee80211_vap_get_broadcast_address(vap))) {
563
			/* not interested in */
564
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
565
			    bssid, NULL, "%s", "not to bss");
566
			vap->iv_stats.is_rx_wrongbss++;
567
			goto out;
568
		}
569

570
		IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
571
		ni->ni_noise = nf;
572
		if (IEEE80211_HAS_SEQ(type, subtype)) {
573
			uint8_t tid = ieee80211_gettid(wh);
574
			if (IEEE80211_QOS_HAS_SEQ(wh) &&
575
			    TID_TO_WME_AC(tid) >= WME_AC_VI)
576
				ic->ic_wme.wme_hipri_traffic++;
577
			if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
578
				goto out;
579
		}
580
	}
581

582
	switch (type) {
583
	case IEEE80211_FC0_TYPE_DATA:
584
		hdrspace = ieee80211_hdrspace(ic, wh);
585
		if (m->m_len < hdrspace &&
586
		    (m = m_pullup(m, hdrspace)) == NULL) {
587
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
588
			    ni->ni_macaddr, NULL,
589
			    "data too short: expecting %u", hdrspace);
590
			vap->iv_stats.is_rx_tooshort++;
591
			goto out;		/* XXX */
592
		}
593
		if (!(dir == IEEE80211_FC1_DIR_TODS ||
594
		     (dir == IEEE80211_FC1_DIR_DSTODS &&
595
		      (vap->iv_flags & IEEE80211_F_DWDS)))) {
596
			if (dir != IEEE80211_FC1_DIR_DSTODS) {
597
				IEEE80211_DISCARD(vap,
598
				    IEEE80211_MSG_INPUT, wh, "data",
599
				    "incorrect dir 0x%x", dir);
600
			} else {
601
				IEEE80211_DISCARD(vap,
602
				    IEEE80211_MSG_INPUT |
603
				    IEEE80211_MSG_WDS, wh,
604
				    "4-address data",
605
				    "%s", "DWDS not enabled");
606
			}
607
			vap->iv_stats.is_rx_wrongdir++;
608
			goto out;
609
		}
610
		/* check if source STA is associated */
611
		if (ni == vap->iv_bss) {
612
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
613
			    wh, "data", "%s", "unknown src");
614
			ieee80211_send_error(ni, wh->i_addr2,
615
			    IEEE80211_FC0_SUBTYPE_DEAUTH,
616
			    IEEE80211_REASON_NOT_AUTHED);
617
			vap->iv_stats.is_rx_notassoc++;
618
			goto err;
619
		}
620
		if (ni->ni_associd == 0) {
621
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
622
			    wh, "data", "%s", "unassoc src");
623
			IEEE80211_SEND_MGMT(ni,
624
			    IEEE80211_FC0_SUBTYPE_DISASSOC,
625
			    IEEE80211_REASON_NOT_ASSOCED);
626
			vap->iv_stats.is_rx_notassoc++;
627
			goto err;
628
		}
629

630
		/*
631
		 * Check for power save state change.
632
		 * XXX out-of-order A-MPDU frames?
633
		 */
634
		if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
635
		    (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
636
			vap->iv_node_ps(ni,
637
				wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
638
		/*
639
		 * For 4-address packets handle WDS discovery
640
		 * notifications.  Once a WDS link is setup frames
641
		 * are just delivered to the WDS vap (see below).
642
		 */
643
		if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
644
			if (!ieee80211_node_is_authorized(ni)) {
645
				IEEE80211_DISCARD(vap,
646
				    IEEE80211_MSG_INPUT |
647
				    IEEE80211_MSG_WDS, wh,
648
				    "4-address data",
649
				    "%s", "unauthorized port");
650
				vap->iv_stats.is_rx_unauth++;
651
				IEEE80211_NODE_STAT(ni, rx_unauth);
652
				goto err;
653
			}
654
			ieee80211_dwds_discover(ni, m);
655
			return type;
656
		}
657

658
		/*
659
		 * Handle A-MPDU re-ordering.  If the frame is to be
660
		 * processed directly then ieee80211_ampdu_reorder
661
		 * will return 0; otherwise it has consumed the mbuf
662
		 * and we should do nothing more with it.
663
		 */
664
		if ((m->m_flags & M_AMPDU) &&
665
		    ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
666
			m = NULL;
667
			goto out;
668
		}
669
	resubmit_ampdu:
670

671
		/*
672
		 * Handle privacy requirements.  Note that we
673
		 * must not be preempted from here until after
674
		 * we (potentially) call ieee80211_crypto_demic;
675
		 * otherwise we may violate assumptions in the
676
		 * crypto cipher modules used to do delayed update
677
		 * of replay sequence numbers.
678
		 */
679
		if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
680
			if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
681
				/*
682
				 * Discard encrypted frames when privacy is off.
683
				 */
684
				IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
685
				    wh, "WEP", "%s", "PRIVACY off");
686
				vap->iv_stats.is_rx_noprivacy++;
687
				IEEE80211_NODE_STAT(ni, rx_noprivacy);
688
				goto out;
689
			}
690
			if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
691
				/* NB: stats+msgs handled in crypto_decap */
692
				IEEE80211_NODE_STAT(ni, rx_wepfail);
693
				goto out;
694
			}
695
			wh = mtod(m, struct ieee80211_frame *);
696
			wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
697
			has_decrypted = 1;
698
		} else {
699
			/* XXX M_WEP and IEEE80211_F_PRIVACY */
700
			key = NULL;
701
		}
702

703
		/*
704
		 * Save QoS bits for use below--before we strip the header.
705
		 */
706
		if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
707
			qos = ieee80211_getqos(wh)[0];
708
		else
709
			qos = 0;
710

711
		/*
712
		 * Next up, any fragmentation.
713
		 */
714
		if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
715
			m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
716
			if (m == NULL) {
717
				/* Fragment dropped or frame not complete yet */
718
				goto out;
719
			}
720
		}
721
		wh = NULL;		/* no longer valid, catch any uses */
722

723
		/*
724
		 * Next strip any MSDU crypto bits.
725
		 */
726
		if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
727
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
728
			    ni->ni_macaddr, "data", "%s", "demic error");
729
			vap->iv_stats.is_rx_demicfail++;
730
			IEEE80211_NODE_STAT(ni, rx_demicfail);
731
			goto out;
732
		}
733
		/* copy to listener after decrypt */
734
		if (ieee80211_radiotap_active_vap(vap))
735
			ieee80211_radiotap_rx(vap, m);
736
		need_tap = 0;
737
		/*
738
		 * Finally, strip the 802.11 header.
739
		 */
740
		m = ieee80211_decap(vap, m, hdrspace, qos);
741
		if (m == NULL) {
742
			/* XXX mask bit to check for both */
743
			/* don't count Null data frames as errors */
744
			if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
745
			    subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
746
				goto out;
747
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
748
			    ni->ni_macaddr, "data", "%s", "decap error");
749
			vap->iv_stats.is_rx_decap++;
750
			IEEE80211_NODE_STAT(ni, rx_decap);
751
			goto err;
752
		}
753
		if (!(qos & IEEE80211_QOS_AMSDU))
754
			eh = mtod(m, struct ether_header *);
755
		else
756
			eh = NULL;
757
		if (!ieee80211_node_is_authorized(ni)) {
758
			/*
759
			 * Deny any non-PAE frames received prior to
760
			 * authorization.  For open/shared-key
761
			 * authentication the port is mark authorized
762
			 * after authentication completes.  For 802.1x
763
			 * the port is not marked authorized by the
764
			 * authenticator until the handshake has completed.
765
			 */
766
			if (eh == NULL ||
767
			    eh->ether_type != htons(ETHERTYPE_PAE)) {
768
				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
769
				    ni->ni_macaddr, "data", "unauthorized or "
770
				    "unknown port: ether type 0x%x len %u",
771
				    eh == NULL ? -1 : eh->ether_type,
772
				    m->m_pkthdr.len);
773
				vap->iv_stats.is_rx_unauth++;
774
				IEEE80211_NODE_STAT(ni, rx_unauth);
775
				goto err;
776
			}
777
		} else {
778
			/*
779
			 * When denying unencrypted frames, discard
780
			 * any non-PAE frames received without encryption.
781
			 */
782
			if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
783
			    ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
784
			    (is_hw_decrypted == 0) &&
785
			    (eh == NULL ||
786
			     eh->ether_type != htons(ETHERTYPE_PAE))) {
787
				/*
788
				 * Drop unencrypted frames.
789
				 */
790
				vap->iv_stats.is_rx_unencrypted++;
791
				IEEE80211_NODE_STAT(ni, rx_unencrypted);
792
				goto out;
793
			}
794
		}
795
		/* XXX require HT? */
796
		if (qos & IEEE80211_QOS_AMSDU) {
797
			m = ieee80211_decap_amsdu(ni, m);
798
			if (m == NULL)
799
				return IEEE80211_FC0_TYPE_DATA;
800
		} else {
801
#ifdef IEEE80211_SUPPORT_SUPERG
802
			m = ieee80211_decap_fastframe(vap, ni, m);
803
			if (m == NULL)
804
				return IEEE80211_FC0_TYPE_DATA;
805
#endif
806
		}
807
		if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
808
			ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
809
		else
810
			hostap_deliver_data(vap, ni, m);
811
		return IEEE80211_FC0_TYPE_DATA;
812

813
	case IEEE80211_FC0_TYPE_MGT:
814
		vap->iv_stats.is_rx_mgmt++;
815
		IEEE80211_NODE_STAT(ni, rx_mgmt);
816
		if (dir != IEEE80211_FC1_DIR_NODS) {
817
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
818
			    wh, "mgt", "incorrect dir 0x%x", dir);
819
			vap->iv_stats.is_rx_wrongdir++;
820
			goto err;
821
		}
822
		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
823
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
824
			    ni->ni_macaddr, "mgt", "too short: len %u",
825
			    m->m_pkthdr.len);
826
			vap->iv_stats.is_rx_tooshort++;
827
			goto out;
828
		}
829
		if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
830
			/* ensure return frames are unicast */
831
			IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
832
			    wh, NULL, "source is multicast: %s",
833
			    ether_sprintf(wh->i_addr2));
834
			vap->iv_stats.is_rx_mgtdiscard++;	/* XXX stat */
835
			goto out;
836
		}
837
#ifdef IEEE80211_DEBUG
838
		if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
839
		    ieee80211_msg_dumppkts(vap)) {
840
			net80211_vap_printf(vap,
841
			    "received %s from %s rssi %d\n",
842
			    ieee80211_mgt_subtype_name(subtype),
843
			    ether_sprintf(wh->i_addr2), rssi);
844
		}
845
#endif
846
		if (IEEE80211_IS_PROTECTED(wh)) {
847
			if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
848
				/*
849
				 * Only shared key auth frames with a challenge
850
				 * should be encrypted, discard all others.
851
				 */
852
				IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
853
				    wh, NULL,
854
				    "%s", "WEP set but not permitted");
855
				vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
856
				goto out;
857
			}
858
			if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
859
				/*
860
				 * Discard encrypted frames when privacy is off.
861
				 */
862
				IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
863
				    wh, NULL, "%s", "WEP set but PRIVACY off");
864
				vap->iv_stats.is_rx_noprivacy++;
865
				goto out;
866
			}
867
			hdrspace = ieee80211_hdrspace(ic, wh);
868
			if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
869
				/* NB: stats+msgs handled in crypto_decap */
870
				goto out;
871
			}
872
			wh = mtod(m, struct ieee80211_frame *);
873
			wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
874
			has_decrypted = 1;
875
		}
876
		/*
877
		 * Pass the packet to radiotap before calling iv_recv_mgmt().
878
		 * Otherwise iv_recv_mgmt() might pass another packet to
879
		 * radiotap, resulting in out of order packet captures.
880
		 */
881
		if (ieee80211_radiotap_active_vap(vap))
882
			ieee80211_radiotap_rx(vap, m);
883
		need_tap = 0;
884
		vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
885
		goto out;
886

887
	case IEEE80211_FC0_TYPE_CTL:
888
		vap->iv_stats.is_rx_ctl++;
889
		IEEE80211_NODE_STAT(ni, rx_ctrl);
890
		if (ieee80211_is_ctl_frame_for_vap(ni, m))
891
			vap->iv_recv_ctl(ni, m, subtype);
892
		goto out;
893
	default:
894
		IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
895
		    wh, "bad", "frame type 0x%x", type);
896
		/* should not come here */
897
		break;
898
	}
899
err:
900
	if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
901
out:
902
	if (m != NULL) {
903
		if (need_tap && ieee80211_radiotap_active_vap(vap))
904
			ieee80211_radiotap_rx(vap, m);
905
		m_freem(m);
906
	}
907
	return type;
908
}
909

910
static void
911
hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
912
    int rssi, int nf, uint16_t seq, uint16_t status)
913
{
914
	struct ieee80211vap *vap = ni->ni_vap;
915

916
	KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
917

918
	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
919
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
920
		    ni->ni_macaddr, "open auth",
921
		    "bad sta auth mode %u", ni->ni_authmode);
922
		vap->iv_stats.is_rx_bad_auth++;	/* XXX */
923
		/*
924
		 * Clear any challenge text that may be there if
925
		 * a previous shared key auth failed and then an
926
		 * open auth is attempted.
927
		 */
928
		if (ni->ni_challenge != NULL) {
929
			IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
930
			ni->ni_challenge = NULL;
931
		}
932
		/* XXX hack to workaround calling convention */
933
		ieee80211_send_error(ni, wh->i_addr2, 
934
		    IEEE80211_FC0_SUBTYPE_AUTH,
935
		    (seq + 1) | (IEEE80211_STATUS_ALG<<16));
936
		return;
937
	}
938
	if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
939
		vap->iv_stats.is_rx_bad_auth++;
940
		return;
941
	}
942
	/* always accept open authentication requests */
943
	if (ni == vap->iv_bss) {
944
		ni = ieee80211_dup_bss(vap, wh->i_addr2);
945
		if (ni == NULL)
946
			return;
947
	} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
948
		(void) ieee80211_ref_node(ni);
949
	/*
950
	 * Mark the node as referenced to reflect that it's
951
	 * reference count has been bumped to insure it remains
952
	 * after the transaction completes.
953
	 */
954
	ni->ni_flags |= IEEE80211_NODE_AREF;
955
	/*
956
	 * Mark the node as requiring a valid association id
957
	 * before outbound traffic is permitted.
958
	 */
959
	ni->ni_flags |= IEEE80211_NODE_ASSOCID;
960

961
	if (vap->iv_acl != NULL &&
962
	    vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
963
		/*
964
		 * When the ACL policy is set to RADIUS we defer the
965
		 * authorization to a user agent.  Dispatch an event,
966
		 * a subsequent MLME call will decide the fate of the
967
		 * station.  If the user agent is not present then the
968
		 * node will be reclaimed due to inactivity.
969
		 */
970
		IEEE80211_NOTE_MAC(vap,
971
		    IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
972
		    "%s", "station authentication deferred (radius acl)");
973
		ieee80211_notify_node_auth(ni);
974
	} else {
975
		IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
976
		IEEE80211_NOTE_MAC(vap,
977
		    IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
978
		    "%s", "station authenticated (open)");
979
		/*
980
		 * When 802.1x is not in use mark the port
981
		 * authorized at this point so traffic can flow.
982
		 */
983
		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
984
			ieee80211_node_authorize(ni);
985
	}
986
}
987

988
static void
989
hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
990
    uint8_t *frm, uint8_t *efrm, int rssi, int nf,
991
    uint16_t seq, uint16_t status)
992
{
993
	struct ieee80211vap *vap = ni->ni_vap;
994
	uint8_t *challenge;
995
	int estatus;
996

997
	KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
998

999
	/*
1000
	 * NB: this can happen as we allow pre-shared key
1001
	 * authentication to be enabled w/o wep being turned
1002
	 * on so that configuration of these can be done
1003
	 * in any order.  It may be better to enforce the
1004
	 * ordering in which case this check would just be
1005
	 * for sanity/consistency.
1006
	 */
1007
	if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1008
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009
		    ni->ni_macaddr, "shared key auth",
1010
		    "%s", " PRIVACY is disabled");
1011
		estatus = IEEE80211_STATUS_ALG;
1012
		goto bad;
1013
	}
1014
	/*
1015
	 * Pre-shared key authentication is evil; accept
1016
	 * it only if explicitly configured (it is supported
1017
	 * mainly for compatibility with clients like Mac OS X).
1018
	 */
1019
	if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1020
	    ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1021
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1022
		    ni->ni_macaddr, "shared key auth",
1023
		    "bad sta auth mode %u", ni->ni_authmode);
1024
		vap->iv_stats.is_rx_bad_auth++;	/* XXX maybe a unique error? */
1025
		estatus = IEEE80211_STATUS_ALG;
1026
		goto bad;
1027
	}
1028

1029
	challenge = NULL;
1030
	if (frm + 1 < efrm) {
1031
		if ((frm[1] + 2) > (efrm - frm)) {
1032
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1033
			    ni->ni_macaddr, "shared key auth",
1034
			    "ie %d/%d too long",
1035
			    frm[0], (frm[1] + 2) - (efrm - frm));
1036
			vap->iv_stats.is_rx_bad_auth++;
1037
			estatus = IEEE80211_STATUS_CHALLENGE;
1038
			goto bad;
1039
		}
1040
		if (*frm == IEEE80211_ELEMID_CHALLENGE)
1041
			challenge = frm;
1042
		frm += frm[1] + 2;
1043
	}
1044
	switch (seq) {
1045
	case IEEE80211_AUTH_SHARED_CHALLENGE:
1046
	case IEEE80211_AUTH_SHARED_RESPONSE:
1047
		if (challenge == NULL) {
1048
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1049
			    ni->ni_macaddr, "shared key auth",
1050
			    "%s", "no challenge");
1051
			vap->iv_stats.is_rx_bad_auth++;
1052
			estatus = IEEE80211_STATUS_CHALLENGE;
1053
			goto bad;
1054
		}
1055
		if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1056
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1057
			    ni->ni_macaddr, "shared key auth",
1058
			    "bad challenge len %d", challenge[1]);
1059
			vap->iv_stats.is_rx_bad_auth++;
1060
			estatus = IEEE80211_STATUS_CHALLENGE;
1061
			goto bad;
1062
		}
1063
	default:
1064
		break;
1065
	}
1066
	switch (seq) {
1067
	case IEEE80211_AUTH_SHARED_REQUEST:
1068
	{
1069
#ifdef IEEE80211_DEBUG
1070
		bool allocbs;
1071
#endif
1072

1073
		if (ni == vap->iv_bss) {
1074
			ni = ieee80211_dup_bss(vap, wh->i_addr2);
1075
			if (ni == NULL) {
1076
				/* NB: no way to return an error */
1077
				return;
1078
			}
1079
#ifdef IEEE80211_DEBUG
1080
			allocbs = 1;
1081
#endif
1082
		} else {
1083
			if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1084
				(void) ieee80211_ref_node(ni);
1085
#ifdef IEEE80211_DEBUG
1086
			allocbs = 0;
1087
#endif
1088
		}
1089
		/*
1090
		 * Mark the node as referenced to reflect that it's
1091
		 * reference count has been bumped to insure it remains
1092
		 * after the transaction completes.
1093
		 */
1094
		ni->ni_flags |= IEEE80211_NODE_AREF;
1095
		/*
1096
		 * Mark the node as requiring a valid association id
1097
		 * before outbound traffic is permitted.
1098
		 */
1099
		ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1100
		IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1101
		ni->ni_noise = nf;
1102
		if (!ieee80211_alloc_challenge(ni)) {
1103
			/* NB: don't return error so they rexmit */
1104
			return;
1105
		}
1106
		net80211_get_random_bytes(ni->ni_challenge,
1107
			IEEE80211_CHALLENGE_LEN);
1108
		IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1109
		    ni, "shared key %sauth request", allocbs ? "" : "re");
1110
		/*
1111
		 * When the ACL policy is set to RADIUS we defer the
1112
		 * authorization to a user agent.  Dispatch an event,
1113
		 * a subsequent MLME call will decide the fate of the
1114
		 * station.  If the user agent is not present then the
1115
		 * node will be reclaimed due to inactivity.
1116
		 */
1117
		if (vap->iv_acl != NULL &&
1118
		    vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1119
			IEEE80211_NOTE_MAC(vap,
1120
			    IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1121
			    ni->ni_macaddr,
1122
			    "%s", "station authentication deferred (radius acl)");
1123
			ieee80211_notify_node_auth(ni);
1124
			return;
1125
		}
1126
		break;
1127
	}
1128
	case IEEE80211_AUTH_SHARED_RESPONSE:
1129
		if (ni == vap->iv_bss) {
1130
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1131
			    ni->ni_macaddr, "shared key response",
1132
			    "%s", "unknown station");
1133
			/* NB: don't send a response */
1134
			return;
1135
		}
1136
		if (ni->ni_challenge == NULL) {
1137
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1138
			    ni->ni_macaddr, "shared key response",
1139
			    "%s", "no challenge recorded");
1140
			vap->iv_stats.is_rx_bad_auth++;
1141
			estatus = IEEE80211_STATUS_CHALLENGE;
1142
			goto bad;
1143
		}
1144
		if (memcmp(ni->ni_challenge, &challenge[2],
1145
			   challenge[1]) != 0) {
1146
			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1147
			    ni->ni_macaddr, "shared key response",
1148
			    "%s", "challenge mismatch");
1149
			vap->iv_stats.is_rx_auth_fail++;
1150
			estatus = IEEE80211_STATUS_CHALLENGE;
1151
			goto bad;
1152
		}
1153
		IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1154
		    ni, "%s", "station authenticated (shared key)");
1155
		ieee80211_node_authorize(ni);
1156
		break;
1157
	default:
1158
		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1159
		    ni->ni_macaddr, "shared key auth",
1160
		    "bad seq %d", seq);
1161
		vap->iv_stats.is_rx_bad_auth++;
1162
		estatus = IEEE80211_STATUS_SEQUENCE;
1163
		goto bad;
1164
	}
1165
	IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1166
	return;
1167
bad:
1168
	/*
1169
	 * Send an error response; but only when operating as an AP.
1170
	 */
1171
	/* XXX hack to workaround calling convention */
1172
	ieee80211_send_error(ni, wh->i_addr2,
1173
	    IEEE80211_FC0_SUBTYPE_AUTH,
1174
	    (seq + 1) | (estatus<<16));
1175
}
1176

1177
/*
1178
 * Convert a WPA cipher selector OUI to an internal
1179
 * cipher algorithm.  Where appropriate we also
1180
 * record any key length.
1181
 */
1182
static int
1183
wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1184
{
1185
#define	WPA_SEL(x)	(((x)<<24)|WPA_OUI)
1186
	uint32_t w = le32dec(sel);
1187

1188
	switch (w) {
1189
	case WPA_SEL(WPA_CSE_NULL):
1190
		*cipher = IEEE80211_CIPHER_NONE;
1191
		break;
1192
	case WPA_SEL(WPA_CSE_WEP40):
1193
		if (keylen)
1194
			*keylen = 40 / NBBY;
1195
		*cipher = IEEE80211_CIPHER_WEP;
1196
		break;
1197
	case WPA_SEL(WPA_CSE_WEP104):
1198
		if (keylen)
1199
			*keylen = 104 / NBBY;
1200
		*cipher = IEEE80211_CIPHER_WEP;
1201
		break;
1202
	case WPA_SEL(WPA_CSE_TKIP):
1203
		*cipher = IEEE80211_CIPHER_TKIP;
1204
		break;
1205
	case WPA_SEL(WPA_CSE_CCMP):
1206
		*cipher = IEEE80211_CIPHER_AES_CCM;
1207
		break;
1208
	/* Note: no GCM cipher in the legacy WPA1 OUI */
1209
	default:
1210
		return (EINVAL);
1211
	}
1212

1213
	return (0);
1214
#undef WPA_SEL
1215
}
1216

1217
/*
1218
 * Convert a WPA key management/authentication algorithm
1219
 * to an internal code.
1220
 */
1221
static int
1222
wpa_keymgmt(const uint8_t *sel)
1223
{
1224
#define	WPA_SEL(x)	(((x)<<24)|WPA_OUI)
1225
	uint32_t w = le32dec(sel);
1226

1227
	switch (w) {
1228
	case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1229
		return WPA_ASE_8021X_UNSPEC;
1230
	case WPA_SEL(WPA_ASE_8021X_PSK):
1231
		return WPA_ASE_8021X_PSK;
1232
	case WPA_SEL(WPA_ASE_NONE):
1233
		return WPA_ASE_NONE;
1234
	}
1235
	return 0;		/* NB: so is discarded */
1236
#undef WPA_SEL
1237
}
1238

1239
/*
1240
 * Parse a WPA information element to collect parameters.
1241
 * Note that we do not validate security parameters; that
1242
 * is handled by the authenticator; the parsing done here
1243
 * is just for internal use in making operational decisions.
1244
 */
1245
static int
1246
ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1247
	struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1248
{
1249
	uint8_t len = frm[1];
1250
	uint32_t w;
1251
	int error, n;
1252

1253
	/*
1254
	 * Check the length once for fixed parts: OUI, type,
1255
	 * version, mcast cipher, and 2 selector counts.
1256
	 * Other, variable-length data, must be checked separately.
1257
	 */
1258
	if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1259
		IEEE80211_DISCARD_IE(vap,
1260
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1261
		    wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1262
		return IEEE80211_REASON_IE_INVALID;
1263
	}
1264
	if (len < 14) {
1265
		IEEE80211_DISCARD_IE(vap,
1266
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1267
		    wh, "WPA", "too short, len %u", len);
1268
		return IEEE80211_REASON_IE_INVALID;
1269
	}
1270
	frm += 6, len -= 4;		/* NB: len is payload only */
1271
	/* NB: iswpaoui already validated the OUI and type */
1272
	w = le16dec(frm);
1273
	if (w != WPA_VERSION) {
1274
		IEEE80211_DISCARD_IE(vap,
1275
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1276
		    wh, "WPA", "bad version %u", w);
1277
		return IEEE80211_REASON_IE_INVALID;
1278
	}
1279
	frm += 2, len -= 2;
1280

1281
	memset(rsn, 0, sizeof(*rsn));
1282

1283
	/* multicast/group cipher */
1284
	error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1285
	if (error != 0) {
1286
		IEEE80211_DISCARD_IE(vap,
1287
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1288
		    wh, "WPA", "unknown mcast cipher suite %08X",
1289
		    le32dec(frm));
1290
		return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1291
	}
1292
	frm += 4, len -= 4;
1293

1294
	/* unicast ciphers */
1295
	n = le16dec(frm);
1296
	frm += 2, len -= 2;
1297
	if (len < n*4+2) {
1298
		IEEE80211_DISCARD_IE(vap,
1299
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1300
		    wh, "WPA", "ucast cipher data too short; len %u, n %u",
1301
		    len, n);
1302
		return IEEE80211_REASON_IE_INVALID;
1303
	}
1304
	w = 0;
1305
	for (; n > 0; n--) {
1306
		uint8_t cipher;
1307

1308
		error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1309
		if (error == 0)
1310
			w |= 1 << cipher;
1311

1312
		frm += 4, len -= 4;
1313
	}
1314
	if (w == 0) {
1315
		IEEE80211_DISCARD_IE(vap,
1316
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1317
		    wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1318
		    w);
1319
		return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1320
	}
1321
	/* XXX other? */
1322
	if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1323
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1324
	else
1325
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1326

1327
	/* key management algorithms */
1328
	n = le16dec(frm);
1329
	frm += 2, len -= 2;
1330
	if (len < n*4) {
1331
		IEEE80211_DISCARD_IE(vap,
1332
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1333
		    wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1334
		    len, n);
1335
		return IEEE80211_REASON_IE_INVALID;
1336
	}
1337
	w = 0;
1338
	for (; n > 0; n--) {
1339
		w |= wpa_keymgmt(frm);
1340
		frm += 4, len -= 4;
1341
	}
1342
	if (w & WPA_ASE_8021X_UNSPEC)
1343
		rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1344
	else
1345
		rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1346

1347
	if (len > 2)		/* optional capabilities */
1348
		rsn->rsn_caps = le16dec(frm);
1349

1350
	return 0;
1351
}
1352

1353
/*
1354
 * Convert an RSN cipher selector OUI to an internal
1355
 * cipher algorithm.  Where appropriate we also
1356
 * record any key length.
1357
 */
1358
static int
1359
rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1360
{
1361
#define	RSN_SEL(x)	(((x)<<24)|RSN_OUI)
1362
	uint32_t w = le32dec(sel);
1363

1364
	switch (w) {
1365
	case RSN_SEL(RSN_CSE_NULL):
1366
		*cipher = IEEE80211_CIPHER_NONE;
1367
		break;
1368
	case RSN_SEL(RSN_CSE_WEP40):
1369
		if (keylen)
1370
			*keylen = 40 / NBBY;
1371
		*cipher = IEEE80211_CIPHER_WEP;
1372
		break;
1373
	case RSN_SEL(RSN_CSE_WEP104):
1374
		if (keylen)
1375
			*keylen = 104 / NBBY;
1376
		*cipher = IEEE80211_CIPHER_WEP;
1377
		break;
1378
	case RSN_SEL(RSN_CSE_TKIP):
1379
		*cipher = IEEE80211_CIPHER_TKIP;
1380
		break;
1381
	case RSN_SEL(RSN_CSE_CCMP):
1382
		*cipher = IEEE80211_CIPHER_AES_CCM;
1383
		break;
1384
	case RSN_SEL(RSN_CSE_WRAP):
1385
		*cipher = IEEE80211_CIPHER_AES_OCB;
1386
		break;
1387
	case RSN_SEL(RSN_CSE_GCMP_128):
1388
		*cipher = IEEE80211_CIPHER_AES_GCM_128;
1389
		break;
1390
	default:
1391
		return (EINVAL);
1392
	}
1393

1394
	return (0);
1395
#undef WPA_SEL
1396
}
1397

1398
/*
1399
 * Convert an RSN key management/authentication algorithm
1400
 * to an internal code.
1401
 */
1402
static int
1403
rsn_keymgmt(const uint8_t *sel)
1404
{
1405
#define	RSN_SEL(x)	(((x)<<24)|RSN_OUI)
1406
	uint32_t w = le32dec(sel);
1407

1408
	switch (w) {
1409
	case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1410
		return RSN_ASE_8021X_UNSPEC;
1411
	case RSN_SEL(RSN_ASE_8021X_PSK):
1412
		return RSN_ASE_8021X_PSK;
1413
	case RSN_SEL(RSN_ASE_NONE):
1414
		return RSN_ASE_NONE;
1415
	}
1416
	return 0;		/* NB: so is discarded */
1417
#undef RSN_SEL
1418
}
1419

1420
/*
1421
 * Parse a WPA/RSN information element to collect parameters
1422
 * and validate the parameters against what has been
1423
 * configured for the system.
1424
 */
1425
static int
1426
ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1427
	struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1428
{
1429
	uint8_t len = frm[1];
1430
	uint32_t w;
1431
	int error, n;
1432

1433
	/*
1434
	 * Check the length once for fixed parts: 
1435
	 * version, mcast cipher, and 2 selector counts.
1436
	 * Other, variable-length data, must be checked separately.
1437
	 */
1438
	if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1439
		IEEE80211_DISCARD_IE(vap,
1440
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1441
		    wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1442
		return IEEE80211_REASON_IE_INVALID;
1443
	}
1444
	/* XXX may be shorter */
1445
	if (len < 10) {
1446
		IEEE80211_DISCARD_IE(vap,
1447
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1448
		    wh, "RSN", "too short, len %u", len);
1449
		return IEEE80211_REASON_IE_INVALID;
1450
	}
1451
	frm += 2;
1452
	w = le16dec(frm);
1453
	if (w != RSN_VERSION) {
1454
		IEEE80211_DISCARD_IE(vap,
1455
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1456
		    wh, "RSN", "bad version %u", w);
1457
		return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1458
	}
1459
	frm += 2, len -= 2;
1460

1461
	memset(rsn, 0, sizeof(*rsn));
1462

1463
	/* multicast/group cipher */
1464
	error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1465
	if (error != 0) {
1466
		IEEE80211_DISCARD_IE(vap,
1467
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1468
		    wh, "RSN", "unknown mcast cipher suite %08X",
1469
		    le32dec(frm));
1470
		return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1471
	}
1472
	if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1473
		IEEE80211_DISCARD_IE(vap,
1474
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1475
		    wh, "RSN", "invalid mcast cipher suite %d",
1476
		    rsn->rsn_mcastcipher);
1477
		return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1478
	}
1479
	frm += 4, len -= 4;
1480

1481
	/* unicast ciphers */
1482
	n = le16dec(frm);
1483
	frm += 2, len -= 2;
1484
	if (len < n*4+2) {
1485
		IEEE80211_DISCARD_IE(vap,
1486
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1487
		    wh, "RSN", "ucast cipher data too short; len %u, n %u",
1488
		    len, n);
1489
		return IEEE80211_REASON_IE_INVALID;
1490
	}
1491
	w = 0;
1492

1493
	for (; n > 0; n--) {
1494
		uint8_t cipher;
1495

1496
		error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1497
		if (error == 0)
1498
			w |= 1 << cipher;
1499

1500
		frm += 4, len -= 4;
1501
	}
1502
	if (w & (1 << IEEE80211_CIPHER_AES_GCM_128))
1503
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_GCM_128;
1504
	else if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1505
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1506
	else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1507
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1508
	else if (w & (1 << IEEE80211_CIPHER_TKIP))
1509
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1510
	else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1511
	    (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1512
	     rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1513
		rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1514
	else {
1515
		IEEE80211_DISCARD_IE(vap,
1516
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1517
		    wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1518
		    w);
1519
		return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1520
	}
1521

1522
	/* key management algorithms */
1523
	n = le16dec(frm);
1524
	frm += 2, len -= 2;
1525
	if (len < n*4) {
1526
		IEEE80211_DISCARD_IE(vap,
1527
		    IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1528
		    wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1529
		    len, n);
1530
		return IEEE80211_REASON_IE_INVALID;
1531
	}
1532
	w = 0;
1533
	for (; n > 0; n--) {
1534
		w |= rsn_keymgmt(frm);
1535
		frm += 4, len -= 4;
1536
	}
1537
	if (w & RSN_ASE_8021X_UNSPEC)
1538
		rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1539
	else
1540
		rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1541

1542
	/* optional RSN capabilities */
1543
	if (len >= 2) {
1544
		rsn->rsn_caps = le16dec(frm);
1545
		frm += 2, len -= 2;
1546
	}
1547

1548
	/* XXX PMK Count / PMKID */
1549

1550
	/* XXX Group Cipher Management Suite */
1551

1552
	return 0;
1553
}
1554

1555
/*
1556
 * WPA/802.11i association request processing.
1557
 */
1558
static int
1559
wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1560
	const struct ieee80211_frame *wh, const uint8_t *wpa,
1561
	const uint8_t *rsn, uint16_t capinfo)
1562
{
1563
	struct ieee80211vap *vap = ni->ni_vap;
1564
	uint8_t reason;
1565
	int badwparsn;
1566

1567
	ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1568
	if (wpa == NULL && rsn == NULL) {
1569
		if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1570
			/*
1571
			 * W-Fi Protected Setup (WPS) permits
1572
			 * clients to associate and pass EAPOL frames
1573
			 * to establish initial credentials.
1574
			 */
1575
			ni->ni_flags |= IEEE80211_NODE_WPS;
1576
			return 1;
1577
		}
1578
		if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1579
		    (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1580
			/* 
1581
			 * Transitional Security Network.  Permits clients
1582
			 * to associate and use WEP while WPA is configured.
1583
			 */
1584
			ni->ni_flags |= IEEE80211_NODE_TSN;
1585
			return 1;
1586
		}
1587
		IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1588
		    wh, NULL, "%s", "no WPA/RSN IE in association request");
1589
		vap->iv_stats.is_rx_assoc_badwpaie++;
1590
		reason = IEEE80211_REASON_IE_INVALID;
1591
		goto bad;
1592
	}
1593
	/* assert right association security credentials */
1594
	badwparsn = 0;			/* NB: to silence compiler */
1595
	switch (vap->iv_flags & IEEE80211_F_WPA) {
1596
	case IEEE80211_F_WPA1:
1597
		badwparsn = (wpa == NULL);
1598
		break;
1599
	case IEEE80211_F_WPA2:
1600
		badwparsn = (rsn == NULL);
1601
		break;
1602
	case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1603
		badwparsn = (wpa == NULL && rsn == NULL);
1604
		break;
1605
	}
1606
	if (badwparsn) {
1607
		IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1608
		    wh, NULL,
1609
		    "%s", "missing WPA/RSN IE in association request");
1610
		vap->iv_stats.is_rx_assoc_badwpaie++;
1611
		reason = IEEE80211_REASON_IE_INVALID;
1612
		goto bad;
1613
	}
1614
	/*
1615
	 * Parse WPA/RSN information element.
1616
	 */
1617
	if (wpa != NULL)
1618
		reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1619
	else
1620
		reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1621
	if (reason != 0) {
1622
		/* XXX wpa->rsn fallback? */
1623
		/* XXX distinguish WPA/RSN? */
1624
		vap->iv_stats.is_rx_assoc_badwpaie++;
1625
		goto bad;
1626
	}
1627
	IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1628
	    "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1629
	    wpa != NULL ? "WPA" : "RSN",
1630
	    rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1631
	    rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1632
	    rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1633

1634
	return 1;
1635
bad:
1636
	ieee80211_node_deauth(ni, reason);
1637
	return 0;
1638
}
1639

1640
/* XXX find a better place for definition */
1641
struct l2_update_frame {
1642
	struct ether_header eh;
1643
	uint8_t dsap;
1644
	uint8_t ssap;
1645
	uint8_t control;
1646
	uint8_t xid[3];
1647
}  __packed;
1648

1649
/*
1650
 * Deliver a TGf L2UF frame on behalf of a station.
1651
 * This primes any bridge when the station is roaming
1652
 * between ap's on the same wired network.
1653
 */
1654
static void
1655
ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1656
{
1657
	struct ieee80211vap *vap = ni->ni_vap;
1658
	struct mbuf *m;
1659
	struct l2_update_frame *l2uf;
1660
	struct ether_header *eh;
1661

1662
	m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA);
1663
	if (m == NULL) {
1664
		IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1665
		    "%s", "no mbuf for l2uf frame");
1666
		vap->iv_stats.is_rx_nobuf++;	/* XXX not right */
1667
		return;
1668
	}
1669
	l2uf = mtod(m, struct l2_update_frame *);
1670
	eh = &l2uf->eh;
1671
	/* dst: Broadcast address */
1672
	IEEE80211_ADDR_COPY(eh->ether_dhost,
1673
	    ieee80211_vap_get_broadcast_address(vap));
1674
	/* src: associated STA */
1675
	IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1676
	eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1677

1678
	l2uf->dsap = 0;
1679
	l2uf->ssap = 0;
1680
	l2uf->control = 0xf5;
1681
	l2uf->xid[0] = 0x81;
1682
	l2uf->xid[1] = 0x80;
1683
	l2uf->xid[2] = 0x00;
1684

1685
	m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1686
	hostap_deliver_data(vap, ni, m);
1687
}
1688

1689
static void
1690
ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1691
	int reassoc, int resp, const char *tag, int rate)
1692
{
1693
	IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1694
	    "deny %s request, %s rate set mismatch, rate/MCS %d",
1695
	    reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1696
	IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1697
	ieee80211_node_leave(ni);
1698
}
1699

1700
static void
1701
capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1702
	int reassoc, int resp, const char *tag, int capinfo)
1703
{
1704
	struct ieee80211vap *vap = ni->ni_vap;
1705

1706
	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1707
	    "deny %s request, %s mismatch 0x%x",
1708
	    reassoc ? "reassoc" : "assoc", tag, capinfo);
1709
	IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1710
	ieee80211_node_leave(ni);
1711
	vap->iv_stats.is_rx_assoc_capmismatch++;
1712
}
1713

1714
static void
1715
htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1716
	int reassoc, int resp)
1717
{
1718
	IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1719
	    "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1720
	/* XXX no better code */
1721
	IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1722
	ieee80211_node_leave(ni);
1723
}
1724

1725
static void
1726
authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1727
	int algo, int seq, int status)
1728
{
1729
	struct ieee80211vap *vap = ni->ni_vap;
1730

1731
	IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1732
	    wh, NULL, "unsupported alg %d", algo);
1733
	vap->iv_stats.is_rx_auth_unsupported++;
1734
	ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1735
	    seq | (status << 16));
1736
}
1737

1738
static __inline int
1739
ishtmixed(const uint8_t *ie)
1740
{
1741
	const struct ieee80211_ie_htinfo *ht =
1742
	    (const struct ieee80211_ie_htinfo *) ie;
1743
	return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1744
	    IEEE80211_HTINFO_OPMODE_MIXED;
1745
}
1746

1747
static int
1748
is11bclient(const uint8_t *rates, const uint8_t *xrates)
1749
{
1750
	static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1751
	int i;
1752

1753
	/* NB: the 11b clients we care about will not have xrates */
1754
	if (xrates != NULL || rates == NULL)
1755
		return 0;
1756
	for (i = 0; i < rates[1]; i++) {
1757
		int r = rates[2+i] & IEEE80211_RATE_VAL;
1758
		if (r > 2*11 || ((1<<r) & brates) == 0)
1759
			return 0;
1760
	}
1761
	return 1;
1762
}
1763

1764
/**
1765
 * Check if the given cipher is valid for 802.11 HT operation.
1766
 *
1767
 * The 802.11 specification only allows HT A-MPDU to be performed
1768
 * on CCMP / GCMP encrypted frames.  The WEP/TKIP hardware crypto
1769
 * implementations may not meet the timing required for A-MPDU
1770
 * operation.
1771
 *
1772
 * @param cipher	the IEEE80211_CIPHER_ value to check
1773
 * @returns	true if the cipher is valid for HT A-MPDU, false otherwise
1774
 */
1775
static bool
1776
hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher)
1777
{
1778
	switch (cipher) {
1779
	case IEEE80211_CIPHER_AES_CCM:
1780
	case IEEE80211_CIPHER_AES_GCM_128:
1781
		return true;
1782
	default:
1783
		return false;
1784
	}
1785
}
1786

1787
static void
1788
hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1789
	int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1790
{
1791
	struct ieee80211vap *vap = ni->ni_vap;
1792
	struct ieee80211com *ic = ni->ni_ic;
1793
	struct ieee80211_frame *wh;
1794
	uint8_t *frm, *efrm, *sfrm;
1795
	uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1796
	uint8_t *vhtcap, *vhtinfo;
1797
	int reassoc, resp;
1798
	uint8_t rate;
1799

1800
	wh = mtod(m0, struct ieee80211_frame *);
1801
	frm = (uint8_t *)&wh[1];
1802
	efrm = mtod(m0, uint8_t *) + m0->m_len;
1803
	switch (subtype) {
1804
	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1805
		/*
1806
		 * We process beacon/probe response frames when scanning;
1807
		 * otherwise we check beacon frames for overlapping non-ERP
1808
		 * BSS in 11g and/or overlapping legacy BSS when in HT.
1809
		 */
1810
		if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1811
			vap->iv_stats.is_rx_mgtdiscard++;
1812
			return;
1813
		}
1814
		/* FALLTHROUGH */
1815
	case IEEE80211_FC0_SUBTYPE_BEACON: {
1816
		struct ieee80211_scanparams scan;
1817

1818
		/* NB: accept off-channel frames */
1819
		/* XXX TODO: use rxstatus to determine off-channel details */
1820
		if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1821
			return;
1822
		/*
1823
		 * Count frame now that we know it's to be processed.
1824
		 */
1825
		if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1826
			vap->iv_stats.is_rx_beacon++;		/* XXX remove */
1827
			IEEE80211_NODE_STAT(ni, rx_beacons);
1828
		} else
1829
			IEEE80211_NODE_STAT(ni, rx_proberesp);
1830
		/*
1831
		 * If scanning, just pass information to the scan module.
1832
		 */
1833
		if (ic->ic_flags & IEEE80211_F_SCAN) {
1834
			if (scan.status == 0 &&		/* NB: on channel */
1835
			    (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1836
				/*
1837
				 * Actively scanning a channel marked passive;
1838
				 * send a probe request now that we know there
1839
				 * is 802.11 traffic present.
1840
				 *
1841
				 * XXX check if the beacon we recv'd gives
1842
				 * us what we need and suppress the probe req
1843
				 */
1844
				ieee80211_probe_curchan(vap, true);
1845
				ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1846
			}
1847
			ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1848
			    subtype, rssi, nf);
1849
			return;
1850
		}
1851
		/*
1852
		 * Check beacon for overlapping bss w/ non ERP stations.
1853
		 * If we detect one and protection is configured but not
1854
		 * enabled, enable it and start a timer that'll bring us
1855
		 * out if we stop seeing the bss.
1856
		 */
1857
		if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1858
		    scan.status == 0 &&			/* NB: on-channel */
1859
		    ((scan.erp & 0x100) == 0 ||		/* NB: no ERP, 11b sta*/
1860
		     (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1861
			vap->iv_lastnonerp = ticks;
1862
			vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1863
			/*
1864
			 * XXX TODO: this may need to check all VAPs?
1865
			 */
1866
			if (vap->iv_protmode != IEEE80211_PROT_NONE &&
1867
			    (vap->iv_flags & IEEE80211_F_USEPROT) == 0) {
1868
				IEEE80211_NOTE_FRAME(vap,
1869
				    IEEE80211_MSG_ASSOC, wh,
1870
				    "non-ERP present on channel %d "
1871
				    "(saw erp 0x%x from channel %d), "
1872
				    "enable use of protection",
1873
				    ic->ic_curchan->ic_ieee,
1874
				    scan.erp, scan.chan);
1875
				vap->iv_flags |= IEEE80211_F_USEPROT;
1876
				ieee80211_vap_update_erp_protmode(vap);
1877
			}
1878
		}
1879
		/* 
1880
		 * Check beacon for non-HT station on HT channel
1881
		 * and update HT BSS occupancy as appropriate.
1882
		 */
1883
		if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1884
			if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1885
				/*
1886
				 * Off control channel; only check frames
1887
				 * that come in the extension channel when
1888
				 * operating w/ HT40.
1889
				 */
1890
				if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1891
					break;
1892
				if (scan.chan != ic->ic_curchan->ic_extieee)
1893
					break;
1894
			}
1895
			if (scan.htinfo == NULL) {
1896
				ieee80211_htprot_update(vap,
1897
				    IEEE80211_HTINFO_OPMODE_PROTOPT |
1898
				    IEEE80211_HTINFO_NONHT_PRESENT);
1899
			} else if (ishtmixed(scan.htinfo)) {
1900
				/* XXX? take NONHT_PRESENT from beacon? */
1901
				ieee80211_htprot_update(vap,
1902
				    IEEE80211_HTINFO_OPMODE_MIXED |
1903
				    IEEE80211_HTINFO_NONHT_PRESENT);
1904
			}
1905
		}
1906
		break;
1907
	}
1908

1909
	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1910
		if (vap->iv_state != IEEE80211_S_RUN) {
1911
			vap->iv_stats.is_rx_mgtdiscard++;
1912
			return;
1913
		}
1914
		/*
1915
		 * Consult the ACL policy module if setup.
1916
		 */
1917
		if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1918
			IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1919
			    wh, NULL, "%s", "disallowed by ACL");
1920
			vap->iv_stats.is_rx_acl++;
1921
			return;
1922
		}
1923
		/*
1924
		 * prreq frame format
1925
		 *	[tlv] ssid
1926
		 *	[tlv] supported rates
1927
		 *	[tlv] extended supported rates
1928
		 */
1929
		ssid = rates = xrates = NULL;
1930
		while (efrm - frm > 1) {
1931
			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1932
			switch (*frm) {
1933
			case IEEE80211_ELEMID_SSID:
1934
				ssid = frm;
1935
				break;
1936
			case IEEE80211_ELEMID_RATES:
1937
				rates = frm;
1938
				break;
1939
			case IEEE80211_ELEMID_XRATES:
1940
				xrates = frm;
1941
				break;
1942
			}
1943
			frm += frm[1] + 2;
1944
		}
1945
		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1946
		if (xrates != NULL)
1947
			IEEE80211_VERIFY_ELEMENT(xrates,
1948
				IEEE80211_RATE_MAXSIZE - rates[1], return);
1949
		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1950
		IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1951
		if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1952
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1953
			    wh, NULL,
1954
			    "%s", "no ssid with ssid suppression enabled");
1955
			vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1956
			return;
1957
		}
1958

1959
		/* XXX find a better class or define it's own */
1960
		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1961
		    "%s", "recv probe req");
1962
		/*
1963
		 * Some legacy 11b clients cannot hack a complete
1964
		 * probe response frame.  When the request includes
1965
		 * only a bare-bones rate set, communicate this to
1966
		 * the transmit side.
1967
		 */
1968
		ieee80211_send_proberesp(vap, wh->i_addr2,
1969
		    is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1970
		break;
1971

1972
	case IEEE80211_FC0_SUBTYPE_AUTH: {
1973
		uint16_t algo, seq, status;
1974

1975
		if (vap->iv_state != IEEE80211_S_RUN) {
1976
			vap->iv_stats.is_rx_mgtdiscard++;
1977
			return;
1978
		}
1979
		if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1980
			IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1981
			    wh, NULL, "%s", "wrong bssid");
1982
			vap->iv_stats.is_rx_wrongbss++;	/*XXX unique stat?*/
1983
			return;
1984
		}
1985
		/*
1986
		 * auth frame format
1987
		 *	[2] algorithm
1988
		 *	[2] sequence
1989
		 *	[2] status
1990
		 *	[tlv*] challenge
1991
		 */
1992
		IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1993
		algo   = le16toh(*(uint16_t *)frm);
1994
		seq    = le16toh(*(uint16_t *)(frm + 2));
1995
		status = le16toh(*(uint16_t *)(frm + 4));
1996
		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1997
		    "recv auth frame with algorithm %d seq %d", algo, seq);
1998
		/*
1999
		 * Consult the ACL policy module if setup.
2000
		 */
2001
		if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
2002
			IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
2003
			    wh, NULL, "%s", "disallowed by ACL");
2004
			vap->iv_stats.is_rx_acl++;
2005
			ieee80211_send_error(ni, wh->i_addr2,
2006
			    IEEE80211_FC0_SUBTYPE_AUTH,
2007
			    (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2008
			return;
2009
		}
2010
		if (vap->iv_flags & IEEE80211_F_COUNTERM) {
2011
			IEEE80211_DISCARD(vap,
2012
			    IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2013
			    wh, NULL, "%s", "TKIP countermeasures enabled");
2014
			vap->iv_stats.is_rx_auth_countermeasures++;
2015
			ieee80211_send_error(ni, wh->i_addr2,
2016
				IEEE80211_FC0_SUBTYPE_AUTH,
2017
				IEEE80211_REASON_MIC_FAILURE);
2018
			return;
2019
		}
2020
		if (algo == IEEE80211_AUTH_ALG_SHARED)
2021
			hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
2022
			    seq, status);
2023
		else if (algo == IEEE80211_AUTH_ALG_OPEN)
2024
			hostap_auth_open(ni, wh, rssi, nf, seq, status);
2025
		else if (algo == IEEE80211_AUTH_ALG_LEAP) {
2026
			authalgreject(ni, wh, algo,
2027
			    seq+1, IEEE80211_STATUS_ALG);
2028
			return;
2029
		} else {
2030
			/*
2031
			 * We assume that an unknown algorithm is the result
2032
			 * of a decryption failure on a shared key auth frame;
2033
			 * return a status code appropriate for that instead
2034
			 * of IEEE80211_STATUS_ALG.
2035
			 *
2036
			 * NB: a seq# of 4 is intentional; the decrypted
2037
			 *     frame likely has a bogus seq value.
2038
			 */
2039
			authalgreject(ni, wh, algo,
2040
			    4, IEEE80211_STATUS_CHALLENGE);
2041
			return;
2042
		} 
2043
		break;
2044
	}
2045

2046
	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2047
	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2048
		uint16_t capinfo, lintval;
2049
		struct ieee80211_rsnparms rsnparms;
2050

2051
		if (vap->iv_state != IEEE80211_S_RUN) {
2052
			vap->iv_stats.is_rx_mgtdiscard++;
2053
			return;
2054
		}
2055
		if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2056
			IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2057
			    wh, NULL, "%s", "wrong bssid");
2058
			vap->iv_stats.is_rx_assoc_bss++;
2059
			return;
2060
		}
2061
		if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2062
			reassoc = 1;
2063
			resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2064
		} else {
2065
			reassoc = 0;
2066
			resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2067
		}
2068
		if (ni == vap->iv_bss) {
2069
			IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2070
			    "deny %s request, sta not authenticated",
2071
			    reassoc ? "reassoc" : "assoc");
2072
			ieee80211_send_error(ni, wh->i_addr2,
2073
			    IEEE80211_FC0_SUBTYPE_DEAUTH,
2074
			    IEEE80211_REASON_ASSOC_NOT_AUTHED);
2075
			vap->iv_stats.is_rx_assoc_notauth++;
2076
			return;
2077
		}
2078

2079
		/*
2080
		 * asreq frame format
2081
		 *	[2] capability information
2082
		 *	[2] listen interval
2083
		 *	[6*] current AP address (reassoc only)
2084
		 *	[tlv] ssid
2085
		 *	[tlv] supported rates
2086
		 *	[tlv] extended supported rates
2087
		 *	[tlv] WPA or RSN
2088
		 *	[tlv] HT capabilities
2089
		 *	[tlv] Atheros capabilities
2090
		 */
2091
		IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2092
		capinfo = le16toh(*(uint16_t *)frm);	frm += 2;
2093
		lintval = le16toh(*(uint16_t *)frm);	frm += 2;
2094
		if (reassoc)
2095
			frm += 6;	/* ignore current AP info */
2096
		ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2097
		vhtcap = vhtinfo = NULL;
2098
		sfrm = frm;
2099
		while (efrm - frm > 1) {
2100
			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2101
			switch (*frm) {
2102
			case IEEE80211_ELEMID_SSID:
2103
				ssid = frm;
2104
				break;
2105
			case IEEE80211_ELEMID_RATES:
2106
				rates = frm;
2107
				break;
2108
			case IEEE80211_ELEMID_XRATES:
2109
				xrates = frm;
2110
				break;
2111
			case IEEE80211_ELEMID_RSN:
2112
				rsn = frm;
2113
				break;
2114
			case IEEE80211_ELEMID_HTCAP:
2115
				htcap = frm;
2116
				break;
2117
			case IEEE80211_ELEMID_VHT_CAP:
2118
				vhtcap = frm;
2119
				break;
2120
			case IEEE80211_ELEMID_VHT_OPMODE:
2121
				vhtinfo = frm;
2122
				break;
2123
			case IEEE80211_ELEMID_VENDOR:
2124
				if (iswpaoui(frm))
2125
					wpa = frm;
2126
				else if (iswmeinfo(frm))
2127
					wme = frm;
2128
#ifdef IEEE80211_SUPPORT_SUPERG
2129
				else if (isatherosoui(frm))
2130
					ath = frm;
2131
#endif
2132
				else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2133
					if (ishtcapoui(frm) && htcap == NULL)
2134
						htcap = frm;
2135
				}
2136
				break;
2137
			}
2138
			frm += frm[1] + 2;
2139
		}
2140
		IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2141
		if (xrates != NULL)
2142
			IEEE80211_VERIFY_ELEMENT(xrates,
2143
				IEEE80211_RATE_MAXSIZE - rates[1], return);
2144
		IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2145
		IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2146
		if (htcap != NULL) {
2147
			IEEE80211_VERIFY_LENGTH(htcap[1],
2148
			     htcap[0] == IEEE80211_ELEMID_VENDOR ?
2149
			         4 + sizeof(struct ieee80211_ie_htcap)-2 :
2150
			         sizeof(struct ieee80211_ie_htcap)-2,
2151
			     return);		/* XXX just NULL out? */
2152
		}
2153

2154
		/* Validate VHT IEs */
2155
		if (vhtcap != NULL) {
2156
			IEEE80211_VERIFY_LENGTH(vhtcap[1],
2157
			    sizeof(struct ieee80211_vht_cap),
2158
			    return);
2159
		}
2160
		if (vhtinfo != NULL) {
2161
			IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2162
			    sizeof(struct ieee80211_vht_operation),
2163
			    return);
2164
		}
2165

2166
		if ((vap->iv_flags & IEEE80211_F_WPA) &&
2167
		    !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2168
			return;
2169
		/* discard challenge after association */
2170
		if (ni->ni_challenge != NULL) {
2171
			IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2172
			ni->ni_challenge = NULL;
2173
		}
2174
		/* NB: 802.11 spec says to ignore station's privacy bit */
2175
		if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2176
			capinfomismatch(ni, wh, reassoc, resp,
2177
			    "capability", capinfo);
2178
			return;
2179
		}
2180
		/*
2181
		 * Disallow re-associate w/ invalid slot time setting.
2182
		 */
2183
		if (ni->ni_associd != 0 &&
2184
		    IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2185
		    ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2186
			capinfomismatch(ni, wh, reassoc, resp,
2187
			    "slot time", capinfo);
2188
			return;
2189
		}
2190
		rate = ieee80211_setup_rates(ni, rates, xrates,
2191
				IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2192
				IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2193
		if (rate & IEEE80211_RATE_BASIC) {
2194
			ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2195
			vap->iv_stats.is_rx_assoc_norate++;
2196
			return;
2197
		}
2198
		/*
2199
		 * If constrained to 11g-only stations reject an
2200
		 * 11b-only station.  We cheat a bit here by looking
2201
		 * at the max negotiated xmit rate and assuming anyone
2202
		 * with a best rate <24Mb/s is an 11b station.
2203
		 */
2204
		if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2205
			ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2206
			vap->iv_stats.is_rx_assoc_norate++;
2207
			return;
2208
		}
2209

2210
		/*
2211
		 * Do HT rate set handling and setup HT node state.
2212
		 */
2213
		ni->ni_chan = vap->iv_bss->ni_chan;
2214

2215
		/* VHT */
2216
		if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2217
		    vhtcap != NULL) {
2218
			ieee80211_vht_node_init(ni);
2219
			ieee80211_vht_update_cap(ni, vhtcap);
2220
		} else if (ni->ni_flags & IEEE80211_NODE_VHT)
2221
			ieee80211_vht_node_cleanup(ni);
2222

2223
		/* HT */
2224
		if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2225
			rate = ieee80211_setup_htrates(ni, htcap,
2226
				IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2227
				IEEE80211_F_DOBRS);
2228
			if (rate & IEEE80211_RATE_BASIC) {
2229
				ratesetmismatch(ni, wh, reassoc, resp,
2230
				    "HT", rate);
2231
				vap->iv_stats.is_ht_assoc_norate++;
2232
				return;
2233
			}
2234
			ieee80211_ht_node_init(ni);
2235
			ieee80211_ht_updatehtcap(ni, htcap);
2236
		} else if (ni->ni_flags & IEEE80211_NODE_HT)
2237
			ieee80211_ht_node_cleanup(ni);
2238

2239
		/* Finally - this will use HT/VHT info to change node channel */
2240
		if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2241
			ieee80211_ht_updatehtcap_final(ni);
2242
		}
2243

2244
#ifdef IEEE80211_SUPPORT_SUPERG
2245
		/* Always do ff node cleanup; for A-MSDU */
2246
		ieee80211_ff_node_cleanup(ni);
2247
#endif
2248
		/*
2249
		 * Allow AMPDU operation only with unencrypted traffic
2250
		 * or AES-CCM / AES-GCM; the 802.11n spec only specifies these
2251
		 * ciphers so permitting any others is undefined and can lead
2252
		 * to interoperability problems.
2253
		 *
2254
		 * TODO: before landing, find exactly where in 802.11-2020 this
2255
		 * is called out!
2256
		 */
2257
		if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2258
		    (((vap->iv_flags & IEEE80211_F_WPA) &&
2259
		    !hostapd_validate_cipher_for_ht_ampdu(rsnparms.rsn_ucastcipher)) ||
2260
		     (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2261
			IEEE80211_NOTE(vap,
2262
			    IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2263
			    "disallow HT use because WEP or TKIP requested, "
2264
			    "capinfo 0x%x ucastcipher %d", capinfo,
2265
			    rsnparms.rsn_ucastcipher);
2266
			ieee80211_ht_node_cleanup(ni);
2267
#ifdef IEEE80211_SUPPORT_SUPERG
2268
			/* Always do ff node cleanup; for A-MSDU */
2269
			ieee80211_ff_node_cleanup(ni);
2270
#endif
2271
			vap->iv_stats.is_ht_assoc_downgrade++;
2272
		}
2273
		/*
2274
		 * If constrained to 11n-only stations reject legacy stations.
2275
		 */
2276
		if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2277
		    (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2278
			htcapmismatch(ni, wh, reassoc, resp);
2279
			vap->iv_stats.is_ht_assoc_nohtcap++;
2280
			return;
2281
		}
2282
		IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2283
		ni->ni_noise = nf;
2284
		ni->ni_intval = lintval;
2285
		ni->ni_capinfo = capinfo;
2286
		ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2287
		ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2288
		/*
2289
		 * Store the IEs.
2290
		 * XXX maybe better to just expand
2291
		 */
2292
		if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2293
#define	setie(_ie, _off)	ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2294
			if (wpa != NULL)
2295
				setie(wpa_ie, wpa - sfrm);
2296
			if (rsn != NULL)
2297
				setie(rsn_ie, rsn - sfrm);
2298
			if (htcap != NULL)
2299
				setie(htcap_ie, htcap - sfrm);
2300
			if (wme != NULL) {
2301
				setie(wme_ie, wme - sfrm);
2302
				/*
2303
				 * Mark node as capable of QoS.
2304
				 */
2305
				ni->ni_flags |= IEEE80211_NODE_QOS;
2306
				if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
2307
					if (ni->ni_uapsd != 0)
2308
						ni->ni_flags |=
2309
						    IEEE80211_NODE_UAPSD;
2310
					else
2311
						ni->ni_flags &=
2312
						    ~IEEE80211_NODE_UAPSD;
2313
				}
2314
			} else
2315
				ni->ni_flags &=
2316
				    ~(IEEE80211_NODE_QOS |
2317
				      IEEE80211_NODE_UAPSD);
2318
#ifdef IEEE80211_SUPPORT_SUPERG
2319
			if (ath != NULL) {
2320
				setie(ath_ie, ath - sfrm);
2321
				/* 
2322
				 * Parse ATH station parameters.
2323
				 */
2324
				ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2325
			} else
2326
#endif
2327
				ni->ni_ath_flags = 0;
2328
#undef setie
2329
		} else {
2330
			ni->ni_flags &= ~IEEE80211_NODE_QOS;
2331
			ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
2332
			ni->ni_ath_flags = 0;
2333
		}
2334
		ieee80211_node_join(ni, resp);
2335
		ieee80211_deliver_l2uf(ni);
2336
		break;
2337
	}
2338

2339
	case IEEE80211_FC0_SUBTYPE_DEAUTH:
2340
	case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2341
#ifdef IEEE80211_DEBUG
2342
		uint16_t reason;
2343
#endif
2344

2345
		if (vap->iv_state != IEEE80211_S_RUN ||
2346
		    /* NB: can happen when in promiscuous mode */
2347
		    !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2348
			vap->iv_stats.is_rx_mgtdiscard++;
2349
			break;
2350
		}
2351
		/*
2352
		 * deauth/disassoc frame format
2353
		 *	[2] reason
2354
		 */
2355
		IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2356
#ifdef IEEE80211_DEBUG
2357
		reason = le16toh(*(uint16_t *)frm);
2358
#endif
2359
		if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2360
			vap->iv_stats.is_rx_deauth++;
2361
			IEEE80211_NODE_STAT(ni, rx_deauth);
2362
		} else {
2363
			vap->iv_stats.is_rx_disassoc++;
2364
			IEEE80211_NODE_STAT(ni, rx_disassoc);
2365
		}
2366
		IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2367
		    "recv %s (reason: %d (%s))",
2368
		    ieee80211_mgt_subtype_name(subtype),
2369
		    reason, ieee80211_reason_to_string(reason));
2370
		if (ni != vap->iv_bss)
2371
			ieee80211_node_leave(ni);
2372
		break;
2373
	}
2374

2375
	case IEEE80211_FC0_SUBTYPE_ACTION:
2376
	case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2377
		if (ni == vap->iv_bss) {
2378
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2379
			    wh, NULL, "%s", "unknown node");
2380
			vap->iv_stats.is_rx_mgtdiscard++;
2381
		} else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2382
		    !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2383
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2384
			    wh, NULL, "%s", "not for us");
2385
			vap->iv_stats.is_rx_mgtdiscard++;
2386
		} else if (vap->iv_state != IEEE80211_S_RUN) {
2387
			IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2388
			    wh, NULL, "wrong state %s",
2389
			    ieee80211_state_name[vap->iv_state]);
2390
			vap->iv_stats.is_rx_mgtdiscard++;
2391
		} else {
2392
			if (ieee80211_parse_action(ni, m0) == 0)
2393
				(void)ic->ic_recv_action(ni, wh, frm, efrm);
2394
		}
2395
		break;
2396

2397
	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2398
	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2399
	case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2400
	case IEEE80211_FC0_SUBTYPE_ATIM:
2401
		IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2402
		    wh, NULL, "%s", "not handled");
2403
		vap->iv_stats.is_rx_mgtdiscard++;
2404
		break;
2405

2406
	default:
2407
		IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2408
		    wh, "mgt", "subtype 0x%x not handled", subtype);
2409
		vap->iv_stats.is_rx_badsubtype++;
2410
		break;
2411
	}
2412
}
2413

2414
static void
2415
hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2416
{
2417
	switch (subtype) {
2418
	case IEEE80211_FC0_SUBTYPE_PS_POLL:
2419
		ni->ni_vap->iv_recv_pspoll(ni, m);
2420
		break;
2421
	case IEEE80211_FC0_SUBTYPE_BAR:
2422
		ieee80211_recv_bar(ni, m);
2423
		break;
2424
	}
2425
}
2426

2427
/*
2428
 * Process a received ps-poll frame.
2429
 */
2430
void
2431
ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2432
{
2433
	struct ieee80211vap *vap = ni->ni_vap;
2434
	struct ieee80211com *ic = vap->iv_ic;
2435
	struct ieee80211_frame_min *wh;
2436
	struct mbuf *m;
2437
	uint16_t aid;
2438
	int qlen;
2439

2440
	wh = mtod(m0, struct ieee80211_frame_min *);
2441
	if (ni->ni_associd == 0) {
2442
		IEEE80211_DISCARD(vap,
2443
		    IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2444
		    (struct ieee80211_frame *) wh, NULL,
2445
		    "%s", "unassociated station");
2446
		vap->iv_stats.is_ps_unassoc++;
2447
		IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2448
			IEEE80211_REASON_NOT_ASSOCED);
2449
		return;
2450
	}
2451

2452
	aid = le16toh(*(uint16_t *)wh->i_dur);
2453
	if (aid != ni->ni_associd) {
2454
		IEEE80211_DISCARD(vap,
2455
		    IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2456
		    (struct ieee80211_frame *) wh, NULL,
2457
		    "aid mismatch: sta aid 0x%x poll aid 0x%x",
2458
		    ni->ni_associd, aid);
2459
		vap->iv_stats.is_ps_badaid++;
2460
		/*
2461
		 * NB: We used to deauth the station but it turns out
2462
		 * the Blackberry Curve 8230 (and perhaps other devices) 
2463
		 * sometimes send the wrong AID when WME is negotiated.
2464
		 * Being more lenient here seems ok as we already check
2465
		 * the station is associated and we only return frames
2466
		 * queued for the station (i.e. we don't use the AID).
2467
		 */
2468
		return;
2469
	}
2470

2471
	/* Okay, take the first queued packet and put it out... */
2472
	m = ieee80211_node_psq_dequeue(ni, &qlen);
2473
	if (m == NULL) {
2474
		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2475
		    "%s", "recv ps-poll, but queue empty");
2476
		ieee80211_send_nulldata(ieee80211_ref_node(ni));
2477
		vap->iv_stats.is_ps_qempty++;	/* XXX node stat */
2478
		if (vap->iv_set_tim != NULL)
2479
			vap->iv_set_tim(ni, 0);	/* just in case */
2480
		return;
2481
	}
2482
	/* 
2483
	 * If there are more packets, set the more packets bit
2484
	 * in the packet dispatched to the station; otherwise
2485
	 * turn off the TIM bit.
2486
	 */
2487
	if (qlen != 0) {
2488
		IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2489
		    "recv ps-poll, send packet, %u still queued", qlen);
2490
		m->m_flags |= M_MORE_DATA;
2491
	} else {
2492
		IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2493
		    "%s", "recv ps-poll, send packet, queue empty");
2494
		if (vap->iv_set_tim != NULL)
2495
			vap->iv_set_tim(ni, 0);
2496
	}
2497
	m->m_flags |= M_PWR_SAV;		/* bypass PS handling */
2498

2499
	/*
2500
	 * Do the right thing; if it's an encap'ed frame then
2501
	 * call ieee80211_parent_xmitpkt() else
2502
	 * call ieee80211_vap_xmitpkt().
2503
	 */
2504
	if (m->m_flags & M_ENCAP) {
2505
		(void) ieee80211_parent_xmitpkt(ic, m);
2506
	} else {
2507
		(void) ieee80211_vap_xmitpkt(vap, m);
2508
	}
2509
}
2510

2511