1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 /*
29 * IEEE 802.11 HOSTAP mode support.
30 */
31 #include "opt_inet.h"
32 #include "opt_wlan.h"
33
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/mbuf.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
39
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/proc.h>
45 #include <sys/sysctl.h>
46
47 #include <net/if.h>
48 #include <net/if_var.h>
49 #include <net/if_media.h>
50 #include <net/if_llc.h>
51 #include <net/ethernet.h>
52
53 #include <net/bpf.h>
54
55 #include <net80211/ieee80211_var.h>
56 #include <net80211/ieee80211_hostap.h>
57 #include <net80211/ieee80211_input.h>
58 #ifdef IEEE80211_SUPPORT_SUPERG
59 #include <net80211/ieee80211_superg.h>
60 #endif
61 #include <net80211/ieee80211_wds.h>
62 #include <net80211/ieee80211_vht.h>
63 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */
64
65 static void hostap_vattach(struct ieee80211vap *);
66 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
67 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
68 const struct ieee80211_rx_stats *,
69 int rssi, int nf);
70 static void hostap_deliver_data(struct ieee80211vap *,
71 struct ieee80211_node *, struct mbuf *);
72 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
73 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
74 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
75
76 void
ieee80211_hostap_attach(struct ieee80211com * ic)77 ieee80211_hostap_attach(struct ieee80211com *ic)
78 {
79 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
80 }
81
82 void
ieee80211_hostap_detach(struct ieee80211com * ic)83 ieee80211_hostap_detach(struct ieee80211com *ic)
84 {
85 }
86
87 static void
hostap_vdetach(struct ieee80211vap * vap)88 hostap_vdetach(struct ieee80211vap *vap)
89 {
90 }
91
92 static void
hostap_vattach(struct ieee80211vap * vap)93 hostap_vattach(struct ieee80211vap *vap)
94 {
95 vap->iv_newstate = hostap_newstate;
96 vap->iv_input = hostap_input;
97 vap->iv_recv_mgmt = hostap_recv_mgmt;
98 vap->iv_recv_ctl = hostap_recv_ctl;
99 vap->iv_opdetach = hostap_vdetach;
100 vap->iv_deliver_data = hostap_deliver_data;
101 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
102 }
103
104 static void
sta_disassoc(void * arg,struct ieee80211_node * ni)105 sta_disassoc(void *arg, struct ieee80211_node *ni)
106 {
107
108 if (ni->ni_associd != 0) {
109 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
110 IEEE80211_REASON_ASSOC_LEAVE);
111 ieee80211_node_leave(ni);
112 }
113 }
114
115 static void
sta_csa(void * arg,struct ieee80211_node * ni)116 sta_csa(void *arg, struct ieee80211_node *ni)
117 {
118 struct ieee80211vap *vap = ni->ni_vap;
119
120 if (ni->ni_associd != 0)
121 if (ni->ni_inact > vap->iv_inact_init) {
122 ni->ni_inact = vap->iv_inact_init;
123 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
124 "%s: inact %u", __func__, ni->ni_inact);
125 }
126 }
127
128 static void
sta_drop(void * arg,struct ieee80211_node * ni)129 sta_drop(void *arg, struct ieee80211_node *ni)
130 {
131
132 if (ni->ni_associd != 0)
133 ieee80211_node_leave(ni);
134 }
135
136 /*
137 * Does a channel change require associated stations to re-associate
138 * so protocol state is correct. This is used when doing CSA across
139 * bands or similar (e.g. HT -> legacy).
140 */
141 static int
isbandchange(struct ieee80211com * ic)142 isbandchange(struct ieee80211com *ic)
143 {
144 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
145 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
146 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
147 }
148
149 /*
150 * IEEE80211_M_HOSTAP vap state machine handler.
151 */
152 static int
hostap_newstate(struct ieee80211vap * vap,enum ieee80211_state nstate,int arg)153 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
154 {
155 struct ieee80211com *ic = vap->iv_ic;
156 enum ieee80211_state ostate;
157
158 IEEE80211_LOCK_ASSERT(ic);
159
160 ostate = vap->iv_state;
161 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
162 __func__, ieee80211_state_name[ostate],
163 ieee80211_state_name[nstate], arg);
164 vap->iv_state = nstate; /* state transition */
165 if (ostate != IEEE80211_S_SCAN)
166 ieee80211_cancel_scan(vap); /* background scan */
167 switch (nstate) {
168 case IEEE80211_S_INIT:
169 switch (ostate) {
170 case IEEE80211_S_SCAN:
171 ieee80211_cancel_scan(vap);
172 break;
173 case IEEE80211_S_CAC:
174 ieee80211_dfs_cac_stop(vap);
175 break;
176 case IEEE80211_S_RUN:
177 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
178 sta_disassoc, NULL);
179 break;
180 default:
181 break;
182 }
183 if (ostate != IEEE80211_S_INIT) {
184 /* NB: optimize INIT -> INIT case */
185 ieee80211_reset_bss(vap);
186 }
187 if (vap->iv_auth->ia_detach != NULL)
188 vap->iv_auth->ia_detach(vap);
189 break;
190 case IEEE80211_S_SCAN:
191 switch (ostate) {
192 case IEEE80211_S_CSA:
193 case IEEE80211_S_RUN:
194 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
195 sta_disassoc, NULL);
196 /*
197 * Clear overlapping BSS state; the beacon frame
198 * will be reconstructed on transition to the RUN
199 * state and the timeout routines check if the flag
200 * is set before doing anything so this is sufficient.
201 */
202 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
203 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
204 /* XXX TODO: schedule deferred update? */
205 /* fall thru... */
206 case IEEE80211_S_CAC:
207 /*
208 * NB: We may get here because of a manual channel
209 * change in which case we need to stop CAC
210 * XXX no need to stop if ostate RUN but it's ok
211 */
212 ieee80211_dfs_cac_stop(vap);
213 /* fall thru... */
214 case IEEE80211_S_INIT:
215 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
216 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
217 /*
218 * Already have a channel; bypass the
219 * scan and startup immediately.
220 * ieee80211_create_ibss will call back to
221 * move us to RUN state.
222 */
223 ieee80211_create_ibss(vap, vap->iv_des_chan);
224 break;
225 }
226 /*
227 * Initiate a scan. We can come here as a result
228 * of an IEEE80211_IOC_SCAN_REQ too in which case
229 * the vap will be marked with IEEE80211_FEXT_SCANREQ
230 * and the scan request parameters will be present
231 * in iv_scanreq. Otherwise we do the default.
232 */
233 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
234 ieee80211_check_scan(vap,
235 vap->iv_scanreq_flags,
236 vap->iv_scanreq_duration,
237 vap->iv_scanreq_mindwell,
238 vap->iv_scanreq_maxdwell,
239 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
240 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
241 } else
242 ieee80211_check_scan_current(vap);
243 break;
244 case IEEE80211_S_SCAN:
245 /*
246 * A state change requires a reset; scan.
247 */
248 ieee80211_check_scan_current(vap);
249 break;
250 default:
251 break;
252 }
253 break;
254 case IEEE80211_S_CAC:
255 /*
256 * Start CAC on a DFS channel. We come here when starting
257 * a bss on a DFS channel (see ieee80211_create_ibss).
258 */
259 ieee80211_dfs_cac_start(vap);
260 break;
261 case IEEE80211_S_RUN:
262 if (vap->iv_flags & IEEE80211_F_WPA) {
263 /* XXX validate prerequisites */
264 }
265 switch (ostate) {
266 case IEEE80211_S_INIT:
267 /*
268 * Already have a channel; bypass the
269 * scan and startup immediately.
270 * Note that ieee80211_create_ibss will call
271 * back to do a RUN->RUN state change.
272 */
273 ieee80211_create_ibss(vap,
274 ieee80211_ht_adjust_channel(ic,
275 ic->ic_curchan, vap->iv_flags_ht));
276 /* NB: iv_bss is changed on return */
277 break;
278 case IEEE80211_S_CAC:
279 /*
280 * NB: This is the normal state change when CAC
281 * expires and no radar was detected; no need to
282 * clear the CAC timer as it's already expired.
283 */
284 /* fall thru... */
285 case IEEE80211_S_CSA:
286 /*
287 * Shorten inactivity timer of associated stations
288 * to weed out sta's that don't follow a CSA.
289 */
290 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
291 sta_csa, NULL);
292 /*
293 * Update bss node channel to reflect where
294 * we landed after CSA.
295 */
296 ieee80211_node_set_chan(vap->iv_bss,
297 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
298 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
299 /* XXX bypass debug msgs */
300 break;
301 case IEEE80211_S_SCAN:
302 case IEEE80211_S_RUN:
303 #ifdef IEEE80211_DEBUG
304 if (ieee80211_msg_debug(vap)) {
305 struct ieee80211_node *ni = vap->iv_bss;
306 ieee80211_note(vap,
307 "synchronized with %s ssid ",
308 ether_sprintf(ni->ni_bssid));
309 ieee80211_print_essid(ni->ni_essid,
310 ni->ni_esslen);
311 net80211_printf(" channel %d start %uMbit/s\n",
312 ieee80211_chan2ieee(ic, ic->ic_curchan),
313 ieee80211_node_get_txrate_kbit(ni) / 1000);
314 }
315 #endif
316 break;
317 default:
318 break;
319 }
320 /*
321 * Start/stop the authenticator. We delay until here
322 * to allow configuration to happen out of order.
323 */
324 if (vap->iv_auth->ia_attach != NULL) {
325 /* XXX check failure */
326 vap->iv_auth->ia_attach(vap);
327 } else if (vap->iv_auth->ia_detach != NULL) {
328 vap->iv_auth->ia_detach(vap);
329 }
330 ieee80211_node_authorize(vap->iv_bss);
331 break;
332 case IEEE80211_S_CSA:
333 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
334 /*
335 * On a ``band change'' silently drop associated
336 * stations as they must re-associate before they
337 * can pass traffic (as otherwise protocol state
338 * such as capabilities and the negotiated rate
339 * set may/will be wrong).
340 */
341 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
342 sta_drop, NULL);
343 }
344 break;
345 default:
346 break;
347 }
348 return 0;
349 }
350
351 static void
hostap_deliver_data(struct ieee80211vap * vap,struct ieee80211_node * ni,struct mbuf * m)352 hostap_deliver_data(struct ieee80211vap *vap,
353 struct ieee80211_node *ni, struct mbuf *m)
354 {
355 struct ether_header *eh = mtod(m, struct ether_header *);
356 struct ifnet *ifp = vap->iv_ifp;
357
358 /* clear driver/net80211 flags before passing up */
359 m->m_flags &= ~(M_MCAST | M_BCAST);
360 m_clrprotoflags(m);
361
362 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
363 ("gack, opmode %d", vap->iv_opmode));
364 /*
365 * Do accounting.
366 */
367 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
368 IEEE80211_NODE_STAT(ni, rx_data);
369 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
370 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
371 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
372 IEEE80211_NODE_STAT(ni, rx_mcast);
373 } else
374 IEEE80211_NODE_STAT(ni, rx_ucast);
375
376 /* perform as a bridge within the AP */
377 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
378 struct mbuf *mcopy = NULL;
379
380 if (m->m_flags & M_MCAST) {
381 mcopy = m_dup(m, IEEE80211_M_NOWAIT);
382 if (mcopy == NULL)
383 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
384 else
385 mcopy->m_flags |= M_MCAST;
386 } else {
387 /*
388 * Check if the destination is associated with the
389 * same vap and authorized to receive traffic.
390 * Beware of traffic destined for the vap itself;
391 * sending it will not work; just let it be delivered
392 * normally.
393 */
394 struct ieee80211_node *sta = ieee80211_find_vap_node(
395 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
396 if (sta != NULL) {
397 if (ieee80211_node_is_authorized(sta)) {
398 /*
399 * Beware of sending to ourself; this
400 * needs to happen via the normal
401 * input path.
402 */
403 if (sta != vap->iv_bss) {
404 mcopy = m;
405 m = NULL;
406 }
407 } else {
408 vap->iv_stats.is_rx_unauth++;
409 IEEE80211_NODE_STAT(sta, rx_unauth);
410 }
411 ieee80211_free_node(sta);
412 }
413 }
414 if (mcopy != NULL)
415 (void) ieee80211_vap_xmitpkt(vap, mcopy);
416 }
417 if (m != NULL) {
418 /*
419 * Mark frame as coming from vap's interface.
420 */
421 m->m_pkthdr.rcvif = ifp;
422 if (m->m_flags & M_MCAST) {
423 /*
424 * Spam DWDS vap's w/ multicast traffic.
425 */
426 /* XXX only if dwds in use? */
427 ieee80211_dwds_mcast(vap, m);
428 }
429 if (ni->ni_vlan != 0) {
430 /* attach vlan tag */
431 m->m_pkthdr.ether_vtag = ni->ni_vlan;
432 m->m_flags |= M_VLANTAG;
433 }
434
435 ieee80211_vap_deliver_data(vap, m);
436 }
437 }
438
439 /*
440 * Decide if a received management frame should be
441 * printed when debugging is enabled. This filters some
442 * of the less interesting frames that come frequently
443 * (e.g. beacons).
444 */
445 static __inline int
doprint(struct ieee80211vap * vap,int subtype)446 doprint(struct ieee80211vap *vap, int subtype)
447 {
448 switch (subtype) {
449 case IEEE80211_FC0_SUBTYPE_BEACON:
450 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
451 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
452 return 0;
453 }
454 return 1;
455 }
456
457 /*
458 * Process a received frame. The node associated with the sender
459 * should be supplied. If nothing was found in the node table then
460 * the caller is assumed to supply a reference to iv_bss instead.
461 * The RSSI and a timestamp are also supplied. The RSSI data is used
462 * during AP scanning to select a AP to associate with; it can have
463 * any units so long as values have consistent units and higher values
464 * mean ``better signal''. The receive timestamp is currently not used
465 * by the 802.11 layer.
466 */
467 static int
hostap_input(struct ieee80211_node * ni,struct mbuf * m,const struct ieee80211_rx_stats * rxs,int rssi,int nf)468 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
469 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
470 {
471 struct ieee80211vap *vap = ni->ni_vap;
472 struct ieee80211com *ic = ni->ni_ic;
473 struct ifnet *ifp = vap->iv_ifp;
474 struct ieee80211_frame *wh;
475 struct ieee80211_key *key;
476 struct ether_header *eh;
477 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
478 uint8_t dir, type, subtype, qos;
479 uint8_t *bssid;
480 int is_hw_decrypted = 0;
481 int has_decrypted = 0;
482
483 /*
484 * Some devices do hardware decryption all the way through
485 * to pretending the frame wasn't encrypted in the first place.
486 * So, tag it appropriately so it isn't discarded inappropriately.
487 */
488 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
489 is_hw_decrypted = 1;
490
491 if (m->m_flags & M_AMPDU_MPDU) {
492 /*
493 * Fastpath for A-MPDU reorder q resubmission. Frames
494 * w/ M_AMPDU_MPDU marked have already passed through
495 * here but were received out of order and been held on
496 * the reorder queue. When resubmitted they are marked
497 * with the M_AMPDU_MPDU flag and we can bypass most of
498 * the normal processing.
499 */
500 wh = mtod(m, struct ieee80211_frame *);
501 type = IEEE80211_FC0_TYPE_DATA;
502 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
503 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
504 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
505 goto resubmit_ampdu;
506 }
507
508 KASSERT(ni != NULL, ("null node"));
509 ni->ni_inact = ni->ni_inact_reload;
510
511 type = -1; /* undefined */
512
513 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
514 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
515 ni->ni_macaddr, NULL,
516 "too short (1): len %u", m->m_pkthdr.len);
517 vap->iv_stats.is_rx_tooshort++;
518 goto out;
519 }
520 /*
521 * Bit of a cheat here, we use a pointer for a 3-address
522 * frame format but don't reference fields past outside
523 * ieee80211_frame_min w/o first validating the data is
524 * present.
525 */
526 wh = mtod(m, struct ieee80211_frame *);
527
528 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) {
529 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
530 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
531 wh->i_fc[0], wh->i_fc[1]);
532 vap->iv_stats.is_rx_badversion++;
533 goto err;
534 }
535
536 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
537 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
538 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
539 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
540 if (dir != IEEE80211_FC1_DIR_NODS)
541 bssid = wh->i_addr1;
542 else if (type == IEEE80211_FC0_TYPE_CTL)
543 bssid = wh->i_addr1;
544 else {
545 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
546 IEEE80211_DISCARD_MAC(vap,
547 IEEE80211_MSG_ANY, ni->ni_macaddr,
548 NULL, "too short (2): len %u",
549 m->m_pkthdr.len);
550 vap->iv_stats.is_rx_tooshort++;
551 goto out;
552 }
553 bssid = wh->i_addr3;
554 }
555 /*
556 * Validate the bssid.
557 */
558 if (!(type == IEEE80211_FC0_TYPE_MGT &&
559 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
560 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
561 !IEEE80211_ADDR_EQ(bssid,
562 ieee80211_vap_get_broadcast_address(vap))) {
563 /* not interested in */
564 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
565 bssid, NULL, "%s", "not to bss");
566 vap->iv_stats.is_rx_wrongbss++;
567 goto out;
568 }
569
570 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
571 ni->ni_noise = nf;
572 if (IEEE80211_HAS_SEQ(type, subtype)) {
573 uint8_t tid = ieee80211_gettid(wh);
574 if (IEEE80211_QOS_HAS_SEQ(wh) &&
575 TID_TO_WME_AC(tid) >= WME_AC_VI)
576 ic->ic_wme.wme_hipri_traffic++;
577 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
578 goto out;
579 }
580 }
581
582 switch (type) {
583 case IEEE80211_FC0_TYPE_DATA:
584 hdrspace = ieee80211_hdrspace(ic, wh);
585 if (m->m_len < hdrspace &&
586 (m = m_pullup(m, hdrspace)) == NULL) {
587 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
588 ni->ni_macaddr, NULL,
589 "data too short: expecting %u", hdrspace);
590 vap->iv_stats.is_rx_tooshort++;
591 goto out; /* XXX */
592 }
593 if (!(dir == IEEE80211_FC1_DIR_TODS ||
594 (dir == IEEE80211_FC1_DIR_DSTODS &&
595 (vap->iv_flags & IEEE80211_F_DWDS)))) {
596 if (dir != IEEE80211_FC1_DIR_DSTODS) {
597 IEEE80211_DISCARD(vap,
598 IEEE80211_MSG_INPUT, wh, "data",
599 "incorrect dir 0x%x", dir);
600 } else {
601 IEEE80211_DISCARD(vap,
602 IEEE80211_MSG_INPUT |
603 IEEE80211_MSG_WDS, wh,
604 "4-address data",
605 "%s", "DWDS not enabled");
606 }
607 vap->iv_stats.is_rx_wrongdir++;
608 goto out;
609 }
610 /* check if source STA is associated */
611 if (ni == vap->iv_bss) {
612 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
613 wh, "data", "%s", "unknown src");
614 ieee80211_send_error(ni, wh->i_addr2,
615 IEEE80211_FC0_SUBTYPE_DEAUTH,
616 IEEE80211_REASON_NOT_AUTHED);
617 vap->iv_stats.is_rx_notassoc++;
618 goto err;
619 }
620 if (ni->ni_associd == 0) {
621 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
622 wh, "data", "%s", "unassoc src");
623 IEEE80211_SEND_MGMT(ni,
624 IEEE80211_FC0_SUBTYPE_DISASSOC,
625 IEEE80211_REASON_NOT_ASSOCED);
626 vap->iv_stats.is_rx_notassoc++;
627 goto err;
628 }
629
630 /*
631 * Check for power save state change.
632 * XXX out-of-order A-MPDU frames?
633 */
634 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
635 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
636 vap->iv_node_ps(ni,
637 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
638 /*
639 * For 4-address packets handle WDS discovery
640 * notifications. Once a WDS link is setup frames
641 * are just delivered to the WDS vap (see below).
642 */
643 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
644 if (!ieee80211_node_is_authorized(ni)) {
645 IEEE80211_DISCARD(vap,
646 IEEE80211_MSG_INPUT |
647 IEEE80211_MSG_WDS, wh,
648 "4-address data",
649 "%s", "unauthorized port");
650 vap->iv_stats.is_rx_unauth++;
651 IEEE80211_NODE_STAT(ni, rx_unauth);
652 goto err;
653 }
654 ieee80211_dwds_discover(ni, m);
655 return type;
656 }
657
658 /*
659 * Handle A-MPDU re-ordering. If the frame is to be
660 * processed directly then ieee80211_ampdu_reorder
661 * will return 0; otherwise it has consumed the mbuf
662 * and we should do nothing more with it.
663 */
664 if ((m->m_flags & M_AMPDU) &&
665 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
666 m = NULL;
667 goto out;
668 }
669 resubmit_ampdu:
670
671 /*
672 * Handle privacy requirements. Note that we
673 * must not be preempted from here until after
674 * we (potentially) call ieee80211_crypto_demic;
675 * otherwise we may violate assumptions in the
676 * crypto cipher modules used to do delayed update
677 * of replay sequence numbers.
678 */
679 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
680 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
681 /*
682 * Discard encrypted frames when privacy is off.
683 */
684 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
685 wh, "WEP", "%s", "PRIVACY off");
686 vap->iv_stats.is_rx_noprivacy++;
687 IEEE80211_NODE_STAT(ni, rx_noprivacy);
688 goto out;
689 }
690 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
691 /* NB: stats+msgs handled in crypto_decap */
692 IEEE80211_NODE_STAT(ni, rx_wepfail);
693 goto out;
694 }
695 wh = mtod(m, struct ieee80211_frame *);
696 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
697 has_decrypted = 1;
698 } else {
699 /* XXX M_WEP and IEEE80211_F_PRIVACY */
700 key = NULL;
701 }
702
703 /*
704 * Save QoS bits for use below--before we strip the header.
705 */
706 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
707 qos = ieee80211_getqos(wh)[0];
708 else
709 qos = 0;
710
711 /*
712 * Next up, any fragmentation.
713 */
714 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
715 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
716 if (m == NULL) {
717 /* Fragment dropped or frame not complete yet */
718 goto out;
719 }
720 }
721 wh = NULL; /* no longer valid, catch any uses */
722
723 /*
724 * Next strip any MSDU crypto bits.
725 */
726 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
727 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
728 ni->ni_macaddr, "data", "%s", "demic error");
729 vap->iv_stats.is_rx_demicfail++;
730 IEEE80211_NODE_STAT(ni, rx_demicfail);
731 goto out;
732 }
733 /* copy to listener after decrypt */
734 if (ieee80211_radiotap_active_vap(vap))
735 ieee80211_radiotap_rx(vap, m);
736 need_tap = 0;
737 /*
738 * Finally, strip the 802.11 header.
739 */
740 m = ieee80211_decap(vap, m, hdrspace, qos);
741 if (m == NULL) {
742 /* XXX mask bit to check for both */
743 /* don't count Null data frames as errors */
744 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
745 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
746 goto out;
747 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
748 ni->ni_macaddr, "data", "%s", "decap error");
749 vap->iv_stats.is_rx_decap++;
750 IEEE80211_NODE_STAT(ni, rx_decap);
751 goto err;
752 }
753 if (!(qos & IEEE80211_QOS_AMSDU))
754 eh = mtod(m, struct ether_header *);
755 else
756 eh = NULL;
757 if (!ieee80211_node_is_authorized(ni)) {
758 /*
759 * Deny any non-PAE frames received prior to
760 * authorization. For open/shared-key
761 * authentication the port is mark authorized
762 * after authentication completes. For 802.1x
763 * the port is not marked authorized by the
764 * authenticator until the handshake has completed.
765 */
766 if (eh == NULL ||
767 eh->ether_type != htons(ETHERTYPE_PAE)) {
768 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
769 ni->ni_macaddr, "data", "unauthorized or "
770 "unknown port: ether type 0x%x len %u",
771 eh == NULL ? -1 : eh->ether_type,
772 m->m_pkthdr.len);
773 vap->iv_stats.is_rx_unauth++;
774 IEEE80211_NODE_STAT(ni, rx_unauth);
775 goto err;
776 }
777 } else {
778 /*
779 * When denying unencrypted frames, discard
780 * any non-PAE frames received without encryption.
781 */
782 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
783 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
784 (is_hw_decrypted == 0) &&
785 (eh == NULL ||
786 eh->ether_type != htons(ETHERTYPE_PAE))) {
787 /*
788 * Drop unencrypted frames.
789 */
790 vap->iv_stats.is_rx_unencrypted++;
791 IEEE80211_NODE_STAT(ni, rx_unencrypted);
792 goto out;
793 }
794 }
795 /* XXX require HT? */
796 if (qos & IEEE80211_QOS_AMSDU) {
797 m = ieee80211_decap_amsdu(ni, m);
798 if (m == NULL)
799 return IEEE80211_FC0_TYPE_DATA;
800 } else {
801 #ifdef IEEE80211_SUPPORT_SUPERG
802 m = ieee80211_decap_fastframe(vap, ni, m);
803 if (m == NULL)
804 return IEEE80211_FC0_TYPE_DATA;
805 #endif
806 }
807 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
808 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
809 else
810 hostap_deliver_data(vap, ni, m);
811 return IEEE80211_FC0_TYPE_DATA;
812
813 case IEEE80211_FC0_TYPE_MGT:
814 vap->iv_stats.is_rx_mgmt++;
815 IEEE80211_NODE_STAT(ni, rx_mgmt);
816 if (dir != IEEE80211_FC1_DIR_NODS) {
817 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
818 wh, "mgt", "incorrect dir 0x%x", dir);
819 vap->iv_stats.is_rx_wrongdir++;
820 goto err;
821 }
822 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
823 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
824 ni->ni_macaddr, "mgt", "too short: len %u",
825 m->m_pkthdr.len);
826 vap->iv_stats.is_rx_tooshort++;
827 goto out;
828 }
829 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
830 /* ensure return frames are unicast */
831 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
832 wh, NULL, "source is multicast: %s",
833 ether_sprintf(wh->i_addr2));
834 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
835 goto out;
836 }
837 #ifdef IEEE80211_DEBUG
838 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
839 ieee80211_msg_dumppkts(vap)) {
840 net80211_vap_printf(vap,
841 "received %s from %s rssi %d\n",
842 ieee80211_mgt_subtype_name(subtype),
843 ether_sprintf(wh->i_addr2), rssi);
844 }
845 #endif
846 if (IEEE80211_IS_PROTECTED(wh)) {
847 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
848 /*
849 * Only shared key auth frames with a challenge
850 * should be encrypted, discard all others.
851 */
852 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
853 wh, NULL,
854 "%s", "WEP set but not permitted");
855 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
856 goto out;
857 }
858 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
859 /*
860 * Discard encrypted frames when privacy is off.
861 */
862 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
863 wh, NULL, "%s", "WEP set but PRIVACY off");
864 vap->iv_stats.is_rx_noprivacy++;
865 goto out;
866 }
867 hdrspace = ieee80211_hdrspace(ic, wh);
868 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
869 /* NB: stats+msgs handled in crypto_decap */
870 goto out;
871 }
872 wh = mtod(m, struct ieee80211_frame *);
873 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
874 has_decrypted = 1;
875 }
876 /*
877 * Pass the packet to radiotap before calling iv_recv_mgmt().
878 * Otherwise iv_recv_mgmt() might pass another packet to
879 * radiotap, resulting in out of order packet captures.
880 */
881 if (ieee80211_radiotap_active_vap(vap))
882 ieee80211_radiotap_rx(vap, m);
883 need_tap = 0;
884 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
885 goto out;
886
887 case IEEE80211_FC0_TYPE_CTL:
888 vap->iv_stats.is_rx_ctl++;
889 IEEE80211_NODE_STAT(ni, rx_ctrl);
890 if (ieee80211_is_ctl_frame_for_vap(ni, m))
891 vap->iv_recv_ctl(ni, m, subtype);
892 goto out;
893 default:
894 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
895 wh, "bad", "frame type 0x%x", type);
896 /* should not come here */
897 break;
898 }
899 err:
900 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
901 out:
902 if (m != NULL) {
903 if (need_tap && ieee80211_radiotap_active_vap(vap))
904 ieee80211_radiotap_rx(vap, m);
905 m_freem(m);
906 }
907 return type;
908 }
909
910 static void
hostap_auth_open(struct ieee80211_node * ni,struct ieee80211_frame * wh,int rssi,int nf,uint16_t seq,uint16_t status)911 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
912 int rssi, int nf, uint16_t seq, uint16_t status)
913 {
914 struct ieee80211vap *vap = ni->ni_vap;
915
916 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
917
918 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
919 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
920 ni->ni_macaddr, "open auth",
921 "bad sta auth mode %u", ni->ni_authmode);
922 vap->iv_stats.is_rx_bad_auth++; /* XXX */
923 /*
924 * Clear any challenge text that may be there if
925 * a previous shared key auth failed and then an
926 * open auth is attempted.
927 */
928 if (ni->ni_challenge != NULL) {
929 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
930 ni->ni_challenge = NULL;
931 }
932 /* XXX hack to workaround calling convention */
933 ieee80211_send_error(ni, wh->i_addr2,
934 IEEE80211_FC0_SUBTYPE_AUTH,
935 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
936 return;
937 }
938 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
939 vap->iv_stats.is_rx_bad_auth++;
940 return;
941 }
942 /* always accept open authentication requests */
943 if (ni == vap->iv_bss) {
944 ni = ieee80211_dup_bss(vap, wh->i_addr2);
945 if (ni == NULL)
946 return;
947 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
948 (void) ieee80211_ref_node(ni);
949 /*
950 * Mark the node as referenced to reflect that it's
951 * reference count has been bumped to insure it remains
952 * after the transaction completes.
953 */
954 ni->ni_flags |= IEEE80211_NODE_AREF;
955 /*
956 * Mark the node as requiring a valid association id
957 * before outbound traffic is permitted.
958 */
959 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
960
961 if (vap->iv_acl != NULL &&
962 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
963 /*
964 * When the ACL policy is set to RADIUS we defer the
965 * authorization to a user agent. Dispatch an event,
966 * a subsequent MLME call will decide the fate of the
967 * station. If the user agent is not present then the
968 * node will be reclaimed due to inactivity.
969 */
970 IEEE80211_NOTE_MAC(vap,
971 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
972 "%s", "station authentication deferred (radius acl)");
973 ieee80211_notify_node_auth(ni);
974 } else {
975 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
976 IEEE80211_NOTE_MAC(vap,
977 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
978 "%s", "station authenticated (open)");
979 /*
980 * When 802.1x is not in use mark the port
981 * authorized at this point so traffic can flow.
982 */
983 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
984 ieee80211_node_authorize(ni);
985 }
986 }
987
988 static void
hostap_auth_shared(struct ieee80211_node * ni,struct ieee80211_frame * wh,uint8_t * frm,uint8_t * efrm,int rssi,int nf,uint16_t seq,uint16_t status)989 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
990 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
991 uint16_t seq, uint16_t status)
992 {
993 struct ieee80211vap *vap = ni->ni_vap;
994 uint8_t *challenge;
995 int estatus;
996
997 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
998
999 /*
1000 * NB: this can happen as we allow pre-shared key
1001 * authentication to be enabled w/o wep being turned
1002 * on so that configuration of these can be done
1003 * in any order. It may be better to enforce the
1004 * ordering in which case this check would just be
1005 * for sanity/consistency.
1006 */
1007 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1008 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009 ni->ni_macaddr, "shared key auth",
1010 "%s", " PRIVACY is disabled");
1011 estatus = IEEE80211_STATUS_ALG;
1012 goto bad;
1013 }
1014 /*
1015 * Pre-shared key authentication is evil; accept
1016 * it only if explicitly configured (it is supported
1017 * mainly for compatibility with clients like Mac OS X).
1018 */
1019 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1020 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1021 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1022 ni->ni_macaddr, "shared key auth",
1023 "bad sta auth mode %u", ni->ni_authmode);
1024 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1025 estatus = IEEE80211_STATUS_ALG;
1026 goto bad;
1027 }
1028
1029 challenge = NULL;
1030 if (frm + 1 < efrm) {
1031 if ((frm[1] + 2) > (efrm - frm)) {
1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1033 ni->ni_macaddr, "shared key auth",
1034 "ie %d/%d too long",
1035 frm[0], (frm[1] + 2) - (efrm - frm));
1036 vap->iv_stats.is_rx_bad_auth++;
1037 estatus = IEEE80211_STATUS_CHALLENGE;
1038 goto bad;
1039 }
1040 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1041 challenge = frm;
1042 frm += frm[1] + 2;
1043 }
1044 switch (seq) {
1045 case IEEE80211_AUTH_SHARED_CHALLENGE:
1046 case IEEE80211_AUTH_SHARED_RESPONSE:
1047 if (challenge == NULL) {
1048 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1049 ni->ni_macaddr, "shared key auth",
1050 "%s", "no challenge");
1051 vap->iv_stats.is_rx_bad_auth++;
1052 estatus = IEEE80211_STATUS_CHALLENGE;
1053 goto bad;
1054 }
1055 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1056 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1057 ni->ni_macaddr, "shared key auth",
1058 "bad challenge len %d", challenge[1]);
1059 vap->iv_stats.is_rx_bad_auth++;
1060 estatus = IEEE80211_STATUS_CHALLENGE;
1061 goto bad;
1062 }
1063 default:
1064 break;
1065 }
1066 switch (seq) {
1067 case IEEE80211_AUTH_SHARED_REQUEST:
1068 {
1069 #ifdef IEEE80211_DEBUG
1070 bool allocbs;
1071 #endif
1072
1073 if (ni == vap->iv_bss) {
1074 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1075 if (ni == NULL) {
1076 /* NB: no way to return an error */
1077 return;
1078 }
1079 #ifdef IEEE80211_DEBUG
1080 allocbs = 1;
1081 #endif
1082 } else {
1083 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1084 (void) ieee80211_ref_node(ni);
1085 #ifdef IEEE80211_DEBUG
1086 allocbs = 0;
1087 #endif
1088 }
1089 /*
1090 * Mark the node as referenced to reflect that it's
1091 * reference count has been bumped to insure it remains
1092 * after the transaction completes.
1093 */
1094 ni->ni_flags |= IEEE80211_NODE_AREF;
1095 /*
1096 * Mark the node as requiring a valid association id
1097 * before outbound traffic is permitted.
1098 */
1099 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1100 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1101 ni->ni_noise = nf;
1102 if (!ieee80211_alloc_challenge(ni)) {
1103 /* NB: don't return error so they rexmit */
1104 return;
1105 }
1106 net80211_get_random_bytes(ni->ni_challenge,
1107 IEEE80211_CHALLENGE_LEN);
1108 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1109 ni, "shared key %sauth request", allocbs ? "" : "re");
1110 /*
1111 * When the ACL policy is set to RADIUS we defer the
1112 * authorization to a user agent. Dispatch an event,
1113 * a subsequent MLME call will decide the fate of the
1114 * station. If the user agent is not present then the
1115 * node will be reclaimed due to inactivity.
1116 */
1117 if (vap->iv_acl != NULL &&
1118 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1119 IEEE80211_NOTE_MAC(vap,
1120 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1121 ni->ni_macaddr,
1122 "%s", "station authentication deferred (radius acl)");
1123 ieee80211_notify_node_auth(ni);
1124 return;
1125 }
1126 break;
1127 }
1128 case IEEE80211_AUTH_SHARED_RESPONSE:
1129 if (ni == vap->iv_bss) {
1130 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1131 ni->ni_macaddr, "shared key response",
1132 "%s", "unknown station");
1133 /* NB: don't send a response */
1134 return;
1135 }
1136 if (ni->ni_challenge == NULL) {
1137 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1138 ni->ni_macaddr, "shared key response",
1139 "%s", "no challenge recorded");
1140 vap->iv_stats.is_rx_bad_auth++;
1141 estatus = IEEE80211_STATUS_CHALLENGE;
1142 goto bad;
1143 }
1144 if (memcmp(ni->ni_challenge, &challenge[2],
1145 challenge[1]) != 0) {
1146 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1147 ni->ni_macaddr, "shared key response",
1148 "%s", "challenge mismatch");
1149 vap->iv_stats.is_rx_auth_fail++;
1150 estatus = IEEE80211_STATUS_CHALLENGE;
1151 goto bad;
1152 }
1153 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1154 ni, "%s", "station authenticated (shared key)");
1155 ieee80211_node_authorize(ni);
1156 break;
1157 default:
1158 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1159 ni->ni_macaddr, "shared key auth",
1160 "bad seq %d", seq);
1161 vap->iv_stats.is_rx_bad_auth++;
1162 estatus = IEEE80211_STATUS_SEQUENCE;
1163 goto bad;
1164 }
1165 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1166 return;
1167 bad:
1168 /*
1169 * Send an error response; but only when operating as an AP.
1170 */
1171 /* XXX hack to workaround calling convention */
1172 ieee80211_send_error(ni, wh->i_addr2,
1173 IEEE80211_FC0_SUBTYPE_AUTH,
1174 (seq + 1) | (estatus<<16));
1175 }
1176
1177 /*
1178 * Convert a WPA cipher selector OUI to an internal
1179 * cipher algorithm. Where appropriate we also
1180 * record any key length.
1181 */
1182 static int
wpa_cipher(const uint8_t * sel,uint8_t * keylen,uint8_t * cipher)1183 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1184 {
1185 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1186 uint32_t w = le32dec(sel);
1187
1188 switch (w) {
1189 case WPA_SEL(WPA_CSE_NULL):
1190 *cipher = IEEE80211_CIPHER_NONE;
1191 break;
1192 case WPA_SEL(WPA_CSE_WEP40):
1193 if (keylen)
1194 *keylen = 40 / NBBY;
1195 *cipher = IEEE80211_CIPHER_WEP;
1196 break;
1197 case WPA_SEL(WPA_CSE_WEP104):
1198 if (keylen)
1199 *keylen = 104 / NBBY;
1200 *cipher = IEEE80211_CIPHER_WEP;
1201 break;
1202 case WPA_SEL(WPA_CSE_TKIP):
1203 *cipher = IEEE80211_CIPHER_TKIP;
1204 break;
1205 case WPA_SEL(WPA_CSE_CCMP):
1206 *cipher = IEEE80211_CIPHER_AES_CCM;
1207 break;
1208 /* Note: no GCM cipher in the legacy WPA1 OUI */
1209 default:
1210 return (EINVAL);
1211 }
1212
1213 return (0);
1214 #undef WPA_SEL
1215 }
1216
1217 /*
1218 * Convert a WPA key management/authentication algorithm
1219 * to an internal code.
1220 */
1221 static int
wpa_keymgmt(const uint8_t * sel)1222 wpa_keymgmt(const uint8_t *sel)
1223 {
1224 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1225 uint32_t w = le32dec(sel);
1226
1227 switch (w) {
1228 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1229 return WPA_ASE_8021X_UNSPEC;
1230 case WPA_SEL(WPA_ASE_8021X_PSK):
1231 return WPA_ASE_8021X_PSK;
1232 case WPA_SEL(WPA_ASE_NONE):
1233 return WPA_ASE_NONE;
1234 }
1235 return 0; /* NB: so is discarded */
1236 #undef WPA_SEL
1237 }
1238
1239 /*
1240 * Parse a WPA information element to collect parameters.
1241 * Note that we do not validate security parameters; that
1242 * is handled by the authenticator; the parsing done here
1243 * is just for internal use in making operational decisions.
1244 */
1245 static int
ieee80211_parse_wpa(struct ieee80211vap * vap,const uint8_t * frm,struct ieee80211_rsnparms * rsn,const struct ieee80211_frame * wh)1246 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1247 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1248 {
1249 uint8_t len = frm[1];
1250 uint32_t w;
1251 int error, n;
1252
1253 /*
1254 * Check the length once for fixed parts: OUI, type,
1255 * version, mcast cipher, and 2 selector counts.
1256 * Other, variable-length data, must be checked separately.
1257 */
1258 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1259 IEEE80211_DISCARD_IE(vap,
1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1261 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1262 return IEEE80211_REASON_IE_INVALID;
1263 }
1264 if (len < 14) {
1265 IEEE80211_DISCARD_IE(vap,
1266 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1267 wh, "WPA", "too short, len %u", len);
1268 return IEEE80211_REASON_IE_INVALID;
1269 }
1270 frm += 6, len -= 4; /* NB: len is payload only */
1271 /* NB: iswpaoui already validated the OUI and type */
1272 w = le16dec(frm);
1273 if (w != WPA_VERSION) {
1274 IEEE80211_DISCARD_IE(vap,
1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1276 wh, "WPA", "bad version %u", w);
1277 return IEEE80211_REASON_IE_INVALID;
1278 }
1279 frm += 2, len -= 2;
1280
1281 memset(rsn, 0, sizeof(*rsn));
1282
1283 /* multicast/group cipher */
1284 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1285 if (error != 0) {
1286 IEEE80211_DISCARD_IE(vap,
1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1288 wh, "WPA", "unknown mcast cipher suite %08X",
1289 le32dec(frm));
1290 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1291 }
1292 frm += 4, len -= 4;
1293
1294 /* unicast ciphers */
1295 n = le16dec(frm);
1296 frm += 2, len -= 2;
1297 if (len < n*4+2) {
1298 IEEE80211_DISCARD_IE(vap,
1299 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1300 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1301 len, n);
1302 return IEEE80211_REASON_IE_INVALID;
1303 }
1304 w = 0;
1305 for (; n > 0; n--) {
1306 uint8_t cipher;
1307
1308 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1309 if (error == 0)
1310 w |= 1 << cipher;
1311
1312 frm += 4, len -= 4;
1313 }
1314 if (w == 0) {
1315 IEEE80211_DISCARD_IE(vap,
1316 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1317 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1318 w);
1319 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1320 }
1321 /* XXX other? */
1322 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1323 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1324 else
1325 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1326
1327 /* key management algorithms */
1328 n = le16dec(frm);
1329 frm += 2, len -= 2;
1330 if (len < n*4) {
1331 IEEE80211_DISCARD_IE(vap,
1332 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1333 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1334 len, n);
1335 return IEEE80211_REASON_IE_INVALID;
1336 }
1337 w = 0;
1338 for (; n > 0; n--) {
1339 w |= wpa_keymgmt(frm);
1340 frm += 4, len -= 4;
1341 }
1342 if (w & WPA_ASE_8021X_UNSPEC)
1343 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1344 else
1345 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1346
1347 if (len > 2) /* optional capabilities */
1348 rsn->rsn_caps = le16dec(frm);
1349
1350 return 0;
1351 }
1352
1353 /*
1354 * Convert an RSN cipher selector OUI to an internal
1355 * cipher algorithm. Where appropriate we also
1356 * record any key length.
1357 */
1358 static int
rsn_cipher(const uint8_t * sel,uint8_t * keylen,uint8_t * cipher)1359 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1360 {
1361 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1362 uint32_t w = le32dec(sel);
1363
1364 switch (w) {
1365 case RSN_SEL(RSN_CSE_NULL):
1366 *cipher = IEEE80211_CIPHER_NONE;
1367 break;
1368 case RSN_SEL(RSN_CSE_WEP40):
1369 if (keylen)
1370 *keylen = 40 / NBBY;
1371 *cipher = IEEE80211_CIPHER_WEP;
1372 break;
1373 case RSN_SEL(RSN_CSE_WEP104):
1374 if (keylen)
1375 *keylen = 104 / NBBY;
1376 *cipher = IEEE80211_CIPHER_WEP;
1377 break;
1378 case RSN_SEL(RSN_CSE_TKIP):
1379 *cipher = IEEE80211_CIPHER_TKIP;
1380 break;
1381 case RSN_SEL(RSN_CSE_CCMP):
1382 *cipher = IEEE80211_CIPHER_AES_CCM;
1383 break;
1384 case RSN_SEL(RSN_CSE_WRAP):
1385 *cipher = IEEE80211_CIPHER_AES_OCB;
1386 break;
1387 case RSN_SEL(RSN_CSE_GCMP_128):
1388 *cipher = IEEE80211_CIPHER_AES_GCM_128;
1389 break;
1390 default:
1391 return (EINVAL);
1392 }
1393
1394 return (0);
1395 #undef WPA_SEL
1396 }
1397
1398 /*
1399 * Convert an RSN key management/authentication algorithm
1400 * to an internal code.
1401 */
1402 static int
rsn_keymgmt(const uint8_t * sel)1403 rsn_keymgmt(const uint8_t *sel)
1404 {
1405 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1406 uint32_t w = le32dec(sel);
1407
1408 switch (w) {
1409 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1410 return RSN_ASE_8021X_UNSPEC;
1411 case RSN_SEL(RSN_ASE_8021X_PSK):
1412 return RSN_ASE_8021X_PSK;
1413 case RSN_SEL(RSN_ASE_NONE):
1414 return RSN_ASE_NONE;
1415 }
1416 return 0; /* NB: so is discarded */
1417 #undef RSN_SEL
1418 }
1419
1420 /*
1421 * Parse a WPA/RSN information element to collect parameters
1422 * and validate the parameters against what has been
1423 * configured for the system.
1424 */
1425 static int
ieee80211_parse_rsn(struct ieee80211vap * vap,const uint8_t * frm,struct ieee80211_rsnparms * rsn,const struct ieee80211_frame * wh)1426 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1427 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1428 {
1429 uint8_t len = frm[1];
1430 uint32_t w;
1431 int error, n;
1432
1433 /*
1434 * Check the length once for fixed parts:
1435 * version, mcast cipher, and 2 selector counts.
1436 * Other, variable-length data, must be checked separately.
1437 */
1438 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1439 IEEE80211_DISCARD_IE(vap,
1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1441 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1442 return IEEE80211_REASON_IE_INVALID;
1443 }
1444 /* XXX may be shorter */
1445 if (len < 10) {
1446 IEEE80211_DISCARD_IE(vap,
1447 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1448 wh, "RSN", "too short, len %u", len);
1449 return IEEE80211_REASON_IE_INVALID;
1450 }
1451 frm += 2;
1452 w = le16dec(frm);
1453 if (w != RSN_VERSION) {
1454 IEEE80211_DISCARD_IE(vap,
1455 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1456 wh, "RSN", "bad version %u", w);
1457 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1458 }
1459 frm += 2, len -= 2;
1460
1461 memset(rsn, 0, sizeof(*rsn));
1462
1463 /* multicast/group cipher */
1464 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1465 if (error != 0) {
1466 IEEE80211_DISCARD_IE(vap,
1467 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1468 wh, "RSN", "unknown mcast cipher suite %08X",
1469 le32dec(frm));
1470 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1471 }
1472 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1473 IEEE80211_DISCARD_IE(vap,
1474 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1475 wh, "RSN", "invalid mcast cipher suite %d",
1476 rsn->rsn_mcastcipher);
1477 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1478 }
1479 frm += 4, len -= 4;
1480
1481 /* unicast ciphers */
1482 n = le16dec(frm);
1483 frm += 2, len -= 2;
1484 if (len < n*4+2) {
1485 IEEE80211_DISCARD_IE(vap,
1486 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1487 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1488 len, n);
1489 return IEEE80211_REASON_IE_INVALID;
1490 }
1491 w = 0;
1492
1493 for (; n > 0; n--) {
1494 uint8_t cipher;
1495
1496 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1497 if (error == 0)
1498 w |= 1 << cipher;
1499
1500 frm += 4, len -= 4;
1501 }
1502 if (w & (1 << IEEE80211_CIPHER_AES_GCM_128))
1503 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_GCM_128;
1504 else if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1506 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1508 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1510 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1511 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1512 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1513 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1514 else {
1515 IEEE80211_DISCARD_IE(vap,
1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1517 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1518 w);
1519 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1520 }
1521
1522 /* key management algorithms */
1523 n = le16dec(frm);
1524 frm += 2, len -= 2;
1525 if (len < n*4) {
1526 IEEE80211_DISCARD_IE(vap,
1527 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1528 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1529 len, n);
1530 return IEEE80211_REASON_IE_INVALID;
1531 }
1532 w = 0;
1533 for (; n > 0; n--) {
1534 w |= rsn_keymgmt(frm);
1535 frm += 4, len -= 4;
1536 }
1537 if (w & RSN_ASE_8021X_UNSPEC)
1538 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1539 else
1540 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1541
1542 /* optional RSN capabilities */
1543 if (len >= 2) {
1544 rsn->rsn_caps = le16dec(frm);
1545 frm += 2, len -= 2;
1546 }
1547
1548 /* XXX PMK Count / PMKID */
1549
1550 /* XXX Group Cipher Management Suite */
1551
1552 return 0;
1553 }
1554
1555 /*
1556 * WPA/802.11i association request processing.
1557 */
1558 static int
wpa_assocreq(struct ieee80211_node * ni,struct ieee80211_rsnparms * rsnparms,const struct ieee80211_frame * wh,const uint8_t * wpa,const uint8_t * rsn,uint16_t capinfo)1559 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1560 const struct ieee80211_frame *wh, const uint8_t *wpa,
1561 const uint8_t *rsn, uint16_t capinfo)
1562 {
1563 struct ieee80211vap *vap = ni->ni_vap;
1564 uint8_t reason;
1565 int badwparsn;
1566
1567 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1568 if (wpa == NULL && rsn == NULL) {
1569 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1570 /*
1571 * W-Fi Protected Setup (WPS) permits
1572 * clients to associate and pass EAPOL frames
1573 * to establish initial credentials.
1574 */
1575 ni->ni_flags |= IEEE80211_NODE_WPS;
1576 return 1;
1577 }
1578 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1579 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1580 /*
1581 * Transitional Security Network. Permits clients
1582 * to associate and use WEP while WPA is configured.
1583 */
1584 ni->ni_flags |= IEEE80211_NODE_TSN;
1585 return 1;
1586 }
1587 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1588 wh, NULL, "%s", "no WPA/RSN IE in association request");
1589 vap->iv_stats.is_rx_assoc_badwpaie++;
1590 reason = IEEE80211_REASON_IE_INVALID;
1591 goto bad;
1592 }
1593 /* assert right association security credentials */
1594 badwparsn = 0; /* NB: to silence compiler */
1595 switch (vap->iv_flags & IEEE80211_F_WPA) {
1596 case IEEE80211_F_WPA1:
1597 badwparsn = (wpa == NULL);
1598 break;
1599 case IEEE80211_F_WPA2:
1600 badwparsn = (rsn == NULL);
1601 break;
1602 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1603 badwparsn = (wpa == NULL && rsn == NULL);
1604 break;
1605 }
1606 if (badwparsn) {
1607 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1608 wh, NULL,
1609 "%s", "missing WPA/RSN IE in association request");
1610 vap->iv_stats.is_rx_assoc_badwpaie++;
1611 reason = IEEE80211_REASON_IE_INVALID;
1612 goto bad;
1613 }
1614 /*
1615 * Parse WPA/RSN information element.
1616 */
1617 if (wpa != NULL)
1618 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1619 else
1620 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1621 if (reason != 0) {
1622 /* XXX wpa->rsn fallback? */
1623 /* XXX distinguish WPA/RSN? */
1624 vap->iv_stats.is_rx_assoc_badwpaie++;
1625 goto bad;
1626 }
1627 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1628 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1629 wpa != NULL ? "WPA" : "RSN",
1630 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1631 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1632 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1633
1634 return 1;
1635 bad:
1636 ieee80211_node_deauth(ni, reason);
1637 return 0;
1638 }
1639
1640 /* XXX find a better place for definition */
1641 struct l2_update_frame {
1642 struct ether_header eh;
1643 uint8_t dsap;
1644 uint8_t ssap;
1645 uint8_t control;
1646 uint8_t xid[3];
1647 } __packed;
1648
1649 /*
1650 * Deliver a TGf L2UF frame on behalf of a station.
1651 * This primes any bridge when the station is roaming
1652 * between ap's on the same wired network.
1653 */
1654 static void
ieee80211_deliver_l2uf(struct ieee80211_node * ni)1655 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1656 {
1657 struct ieee80211vap *vap = ni->ni_vap;
1658 struct mbuf *m;
1659 struct l2_update_frame *l2uf;
1660 struct ether_header *eh;
1661
1662 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA);
1663 if (m == NULL) {
1664 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1665 "%s", "no mbuf for l2uf frame");
1666 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1667 return;
1668 }
1669 l2uf = mtod(m, struct l2_update_frame *);
1670 eh = &l2uf->eh;
1671 /* dst: Broadcast address */
1672 IEEE80211_ADDR_COPY(eh->ether_dhost,
1673 ieee80211_vap_get_broadcast_address(vap));
1674 /* src: associated STA */
1675 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1676 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1677
1678 l2uf->dsap = 0;
1679 l2uf->ssap = 0;
1680 l2uf->control = 0xf5;
1681 l2uf->xid[0] = 0x81;
1682 l2uf->xid[1] = 0x80;
1683 l2uf->xid[2] = 0x00;
1684
1685 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1686 hostap_deliver_data(vap, ni, m);
1687 }
1688
1689 static void
ratesetmismatch(struct ieee80211_node * ni,const struct ieee80211_frame * wh,int reassoc,int resp,const char * tag,int rate)1690 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1691 int reassoc, int resp, const char *tag, int rate)
1692 {
1693 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1694 "deny %s request, %s rate set mismatch, rate/MCS %d",
1695 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1696 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1697 ieee80211_node_leave(ni);
1698 }
1699
1700 static void
capinfomismatch(struct ieee80211_node * ni,const struct ieee80211_frame * wh,int reassoc,int resp,const char * tag,int capinfo)1701 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1702 int reassoc, int resp, const char *tag, int capinfo)
1703 {
1704 struct ieee80211vap *vap = ni->ni_vap;
1705
1706 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1707 "deny %s request, %s mismatch 0x%x",
1708 reassoc ? "reassoc" : "assoc", tag, capinfo);
1709 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1710 ieee80211_node_leave(ni);
1711 vap->iv_stats.is_rx_assoc_capmismatch++;
1712 }
1713
1714 static void
htcapmismatch(struct ieee80211_node * ni,const struct ieee80211_frame * wh,int reassoc,int resp)1715 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1716 int reassoc, int resp)
1717 {
1718 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1719 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1720 /* XXX no better code */
1721 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1722 ieee80211_node_leave(ni);
1723 }
1724
1725 static void
authalgreject(struct ieee80211_node * ni,const struct ieee80211_frame * wh,int algo,int seq,int status)1726 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1727 int algo, int seq, int status)
1728 {
1729 struct ieee80211vap *vap = ni->ni_vap;
1730
1731 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1732 wh, NULL, "unsupported alg %d", algo);
1733 vap->iv_stats.is_rx_auth_unsupported++;
1734 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1735 seq | (status << 16));
1736 }
1737
1738 static __inline int
ishtmixed(const uint8_t * ie)1739 ishtmixed(const uint8_t *ie)
1740 {
1741 const struct ieee80211_ie_htinfo *ht =
1742 (const struct ieee80211_ie_htinfo *) ie;
1743 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1744 IEEE80211_HTINFO_OPMODE_MIXED;
1745 }
1746
1747 static int
is11bclient(const uint8_t * rates,const uint8_t * xrates)1748 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1749 {
1750 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1751 int i;
1752
1753 /* NB: the 11b clients we care about will not have xrates */
1754 if (xrates != NULL || rates == NULL)
1755 return 0;
1756 for (i = 0; i < rates[1]; i++) {
1757 int r = rates[2+i] & IEEE80211_RATE_VAL;
1758 if (r > 2*11 || ((1<<r) & brates) == 0)
1759 return 0;
1760 }
1761 return 1;
1762 }
1763
1764 /**
1765 * Check if the given cipher is valid for 802.11 HT operation.
1766 *
1767 * The 802.11 specification only allows HT A-MPDU to be performed
1768 * on CCMP / GCMP encrypted frames. The WEP/TKIP hardware crypto
1769 * implementations may not meet the timing required for A-MPDU
1770 * operation.
1771 *
1772 * @param cipher the IEEE80211_CIPHER_ value to check
1773 * @returns true if the cipher is valid for HT A-MPDU, false otherwise
1774 */
1775 static bool
hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher)1776 hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher)
1777 {
1778 switch (cipher) {
1779 case IEEE80211_CIPHER_AES_CCM:
1780 case IEEE80211_CIPHER_AES_GCM_128:
1781 return true;
1782 default:
1783 return false;
1784 }
1785 }
1786
1787 static void
hostap_recv_mgmt(struct ieee80211_node * ni,struct mbuf * m0,int subtype,const struct ieee80211_rx_stats * rxs,int rssi,int nf)1788 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1789 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1790 {
1791 struct ieee80211vap *vap = ni->ni_vap;
1792 struct ieee80211com *ic = ni->ni_ic;
1793 struct ieee80211_frame *wh;
1794 uint8_t *frm, *efrm, *sfrm;
1795 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1796 uint8_t *vhtcap, *vhtinfo;
1797 int reassoc, resp;
1798 uint8_t rate;
1799
1800 wh = mtod(m0, struct ieee80211_frame *);
1801 frm = (uint8_t *)&wh[1];
1802 efrm = mtod(m0, uint8_t *) + m0->m_len;
1803 switch (subtype) {
1804 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1805 /*
1806 * We process beacon/probe response frames when scanning;
1807 * otherwise we check beacon frames for overlapping non-ERP
1808 * BSS in 11g and/or overlapping legacy BSS when in HT.
1809 */
1810 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1811 vap->iv_stats.is_rx_mgtdiscard++;
1812 return;
1813 }
1814 /* FALLTHROUGH */
1815 case IEEE80211_FC0_SUBTYPE_BEACON: {
1816 struct ieee80211_scanparams scan;
1817
1818 /* NB: accept off-channel frames */
1819 /* XXX TODO: use rxstatus to determine off-channel details */
1820 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1821 return;
1822 /*
1823 * Count frame now that we know it's to be processed.
1824 */
1825 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1826 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1827 IEEE80211_NODE_STAT(ni, rx_beacons);
1828 } else
1829 IEEE80211_NODE_STAT(ni, rx_proberesp);
1830 /*
1831 * If scanning, just pass information to the scan module.
1832 */
1833 if (ic->ic_flags & IEEE80211_F_SCAN) {
1834 if (scan.status == 0 && /* NB: on channel */
1835 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1836 /*
1837 * Actively scanning a channel marked passive;
1838 * send a probe request now that we know there
1839 * is 802.11 traffic present.
1840 *
1841 * XXX check if the beacon we recv'd gives
1842 * us what we need and suppress the probe req
1843 */
1844 ieee80211_probe_curchan(vap, true);
1845 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1846 }
1847 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1848 subtype, rssi, nf);
1849 return;
1850 }
1851 /*
1852 * Check beacon for overlapping bss w/ non ERP stations.
1853 * If we detect one and protection is configured but not
1854 * enabled, enable it and start a timer that'll bring us
1855 * out if we stop seeing the bss.
1856 */
1857 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1858 scan.status == 0 && /* NB: on-channel */
1859 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1860 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1861 vap->iv_lastnonerp = ticks;
1862 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1863 /*
1864 * XXX TODO: this may need to check all VAPs?
1865 */
1866 if (vap->iv_protmode != IEEE80211_PROT_NONE &&
1867 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) {
1868 IEEE80211_NOTE_FRAME(vap,
1869 IEEE80211_MSG_ASSOC, wh,
1870 "non-ERP present on channel %d "
1871 "(saw erp 0x%x from channel %d), "
1872 "enable use of protection",
1873 ic->ic_curchan->ic_ieee,
1874 scan.erp, scan.chan);
1875 vap->iv_flags |= IEEE80211_F_USEPROT;
1876 ieee80211_vap_update_erp_protmode(vap);
1877 }
1878 }
1879 /*
1880 * Check beacon for non-HT station on HT channel
1881 * and update HT BSS occupancy as appropriate.
1882 */
1883 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1884 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1885 /*
1886 * Off control channel; only check frames
1887 * that come in the extension channel when
1888 * operating w/ HT40.
1889 */
1890 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1891 break;
1892 if (scan.chan != ic->ic_curchan->ic_extieee)
1893 break;
1894 }
1895 if (scan.htinfo == NULL) {
1896 ieee80211_htprot_update(vap,
1897 IEEE80211_HTINFO_OPMODE_PROTOPT |
1898 IEEE80211_HTINFO_NONHT_PRESENT);
1899 } else if (ishtmixed(scan.htinfo)) {
1900 /* XXX? take NONHT_PRESENT from beacon? */
1901 ieee80211_htprot_update(vap,
1902 IEEE80211_HTINFO_OPMODE_MIXED |
1903 IEEE80211_HTINFO_NONHT_PRESENT);
1904 }
1905 }
1906 break;
1907 }
1908
1909 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1910 if (vap->iv_state != IEEE80211_S_RUN) {
1911 vap->iv_stats.is_rx_mgtdiscard++;
1912 return;
1913 }
1914 /*
1915 * Consult the ACL policy module if setup.
1916 */
1917 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1918 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1919 wh, NULL, "%s", "disallowed by ACL");
1920 vap->iv_stats.is_rx_acl++;
1921 return;
1922 }
1923 /*
1924 * prreq frame format
1925 * [tlv] ssid
1926 * [tlv] supported rates
1927 * [tlv] extended supported rates
1928 */
1929 ssid = rates = xrates = NULL;
1930 while (efrm - frm > 1) {
1931 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1932 switch (*frm) {
1933 case IEEE80211_ELEMID_SSID:
1934 ssid = frm;
1935 break;
1936 case IEEE80211_ELEMID_RATES:
1937 rates = frm;
1938 break;
1939 case IEEE80211_ELEMID_XRATES:
1940 xrates = frm;
1941 break;
1942 }
1943 frm += frm[1] + 2;
1944 }
1945 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1946 if (xrates != NULL)
1947 IEEE80211_VERIFY_ELEMENT(xrates,
1948 IEEE80211_RATE_MAXSIZE - rates[1], return);
1949 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1950 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1951 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1952 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1953 wh, NULL,
1954 "%s", "no ssid with ssid suppression enabled");
1955 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1956 return;
1957 }
1958
1959 /* XXX find a better class or define it's own */
1960 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1961 "%s", "recv probe req");
1962 /*
1963 * Some legacy 11b clients cannot hack a complete
1964 * probe response frame. When the request includes
1965 * only a bare-bones rate set, communicate this to
1966 * the transmit side.
1967 */
1968 ieee80211_send_proberesp(vap, wh->i_addr2,
1969 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1970 break;
1971
1972 case IEEE80211_FC0_SUBTYPE_AUTH: {
1973 uint16_t algo, seq, status;
1974
1975 if (vap->iv_state != IEEE80211_S_RUN) {
1976 vap->iv_stats.is_rx_mgtdiscard++;
1977 return;
1978 }
1979 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1980 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1981 wh, NULL, "%s", "wrong bssid");
1982 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1983 return;
1984 }
1985 /*
1986 * auth frame format
1987 * [2] algorithm
1988 * [2] sequence
1989 * [2] status
1990 * [tlv*] challenge
1991 */
1992 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1993 algo = le16toh(*(uint16_t *)frm);
1994 seq = le16toh(*(uint16_t *)(frm + 2));
1995 status = le16toh(*(uint16_t *)(frm + 4));
1996 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1997 "recv auth frame with algorithm %d seq %d", algo, seq);
1998 /*
1999 * Consult the ACL policy module if setup.
2000 */
2001 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
2002 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
2003 wh, NULL, "%s", "disallowed by ACL");
2004 vap->iv_stats.is_rx_acl++;
2005 ieee80211_send_error(ni, wh->i_addr2,
2006 IEEE80211_FC0_SUBTYPE_AUTH,
2007 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2008 return;
2009 }
2010 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
2011 IEEE80211_DISCARD(vap,
2012 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2013 wh, NULL, "%s", "TKIP countermeasures enabled");
2014 vap->iv_stats.is_rx_auth_countermeasures++;
2015 ieee80211_send_error(ni, wh->i_addr2,
2016 IEEE80211_FC0_SUBTYPE_AUTH,
2017 IEEE80211_REASON_MIC_FAILURE);
2018 return;
2019 }
2020 if (algo == IEEE80211_AUTH_ALG_SHARED)
2021 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
2022 seq, status);
2023 else if (algo == IEEE80211_AUTH_ALG_OPEN)
2024 hostap_auth_open(ni, wh, rssi, nf, seq, status);
2025 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
2026 authalgreject(ni, wh, algo,
2027 seq+1, IEEE80211_STATUS_ALG);
2028 return;
2029 } else {
2030 /*
2031 * We assume that an unknown algorithm is the result
2032 * of a decryption failure on a shared key auth frame;
2033 * return a status code appropriate for that instead
2034 * of IEEE80211_STATUS_ALG.
2035 *
2036 * NB: a seq# of 4 is intentional; the decrypted
2037 * frame likely has a bogus seq value.
2038 */
2039 authalgreject(ni, wh, algo,
2040 4, IEEE80211_STATUS_CHALLENGE);
2041 return;
2042 }
2043 break;
2044 }
2045
2046 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2047 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2048 uint16_t capinfo, lintval;
2049 struct ieee80211_rsnparms rsnparms;
2050
2051 if (vap->iv_state != IEEE80211_S_RUN) {
2052 vap->iv_stats.is_rx_mgtdiscard++;
2053 return;
2054 }
2055 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2056 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2057 wh, NULL, "%s", "wrong bssid");
2058 vap->iv_stats.is_rx_assoc_bss++;
2059 return;
2060 }
2061 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2062 reassoc = 1;
2063 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2064 } else {
2065 reassoc = 0;
2066 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2067 }
2068 if (ni == vap->iv_bss) {
2069 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2070 "deny %s request, sta not authenticated",
2071 reassoc ? "reassoc" : "assoc");
2072 ieee80211_send_error(ni, wh->i_addr2,
2073 IEEE80211_FC0_SUBTYPE_DEAUTH,
2074 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2075 vap->iv_stats.is_rx_assoc_notauth++;
2076 return;
2077 }
2078
2079 /*
2080 * asreq frame format
2081 * [2] capability information
2082 * [2] listen interval
2083 * [6*] current AP address (reassoc only)
2084 * [tlv] ssid
2085 * [tlv] supported rates
2086 * [tlv] extended supported rates
2087 * [tlv] WPA or RSN
2088 * [tlv] HT capabilities
2089 * [tlv] Atheros capabilities
2090 */
2091 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2092 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2093 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2094 if (reassoc)
2095 frm += 6; /* ignore current AP info */
2096 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2097 vhtcap = vhtinfo = NULL;
2098 sfrm = frm;
2099 while (efrm - frm > 1) {
2100 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2101 switch (*frm) {
2102 case IEEE80211_ELEMID_SSID:
2103 ssid = frm;
2104 break;
2105 case IEEE80211_ELEMID_RATES:
2106 rates = frm;
2107 break;
2108 case IEEE80211_ELEMID_XRATES:
2109 xrates = frm;
2110 break;
2111 case IEEE80211_ELEMID_RSN:
2112 rsn = frm;
2113 break;
2114 case IEEE80211_ELEMID_HTCAP:
2115 htcap = frm;
2116 break;
2117 case IEEE80211_ELEMID_VHT_CAP:
2118 vhtcap = frm;
2119 break;
2120 case IEEE80211_ELEMID_VHT_OPMODE:
2121 vhtinfo = frm;
2122 break;
2123 case IEEE80211_ELEMID_VENDOR:
2124 if (iswpaoui(frm))
2125 wpa = frm;
2126 else if (iswmeinfo(frm))
2127 wme = frm;
2128 #ifdef IEEE80211_SUPPORT_SUPERG
2129 else if (isatherosoui(frm))
2130 ath = frm;
2131 #endif
2132 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2133 if (ishtcapoui(frm) && htcap == NULL)
2134 htcap = frm;
2135 }
2136 break;
2137 }
2138 frm += frm[1] + 2;
2139 }
2140 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2141 if (xrates != NULL)
2142 IEEE80211_VERIFY_ELEMENT(xrates,
2143 IEEE80211_RATE_MAXSIZE - rates[1], return);
2144 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2145 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2146 if (htcap != NULL) {
2147 IEEE80211_VERIFY_LENGTH(htcap[1],
2148 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2149 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2150 sizeof(struct ieee80211_ie_htcap)-2,
2151 return); /* XXX just NULL out? */
2152 }
2153
2154 /* Validate VHT IEs */
2155 if (vhtcap != NULL) {
2156 IEEE80211_VERIFY_LENGTH(vhtcap[1],
2157 sizeof(struct ieee80211_vht_cap),
2158 return);
2159 }
2160 if (vhtinfo != NULL) {
2161 IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2162 sizeof(struct ieee80211_vht_operation),
2163 return);
2164 }
2165
2166 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2167 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2168 return;
2169 /* discard challenge after association */
2170 if (ni->ni_challenge != NULL) {
2171 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2172 ni->ni_challenge = NULL;
2173 }
2174 /* NB: 802.11 spec says to ignore station's privacy bit */
2175 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2176 capinfomismatch(ni, wh, reassoc, resp,
2177 "capability", capinfo);
2178 return;
2179 }
2180 /*
2181 * Disallow re-associate w/ invalid slot time setting.
2182 */
2183 if (ni->ni_associd != 0 &&
2184 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2185 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2186 capinfomismatch(ni, wh, reassoc, resp,
2187 "slot time", capinfo);
2188 return;
2189 }
2190 rate = ieee80211_setup_rates(ni, rates, xrates,
2191 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2192 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2193 if (rate & IEEE80211_RATE_BASIC) {
2194 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2195 vap->iv_stats.is_rx_assoc_norate++;
2196 return;
2197 }
2198 /*
2199 * If constrained to 11g-only stations reject an
2200 * 11b-only station. We cheat a bit here by looking
2201 * at the max negotiated xmit rate and assuming anyone
2202 * with a best rate <24Mb/s is an 11b station.
2203 */
2204 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2205 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2206 vap->iv_stats.is_rx_assoc_norate++;
2207 return;
2208 }
2209
2210 /*
2211 * Do HT rate set handling and setup HT node state.
2212 */
2213 ni->ni_chan = vap->iv_bss->ni_chan;
2214
2215 /* VHT */
2216 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2217 vhtcap != NULL &&
2218 vhtinfo != NULL) {
2219 /* XXX TODO; see below */
2220 net80211_vap_printf(vap, "%s: VHT TODO!\n", __func__);
2221 ieee80211_vht_node_init(ni);
2222 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2223 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2224 ieee80211_vht_node_cleanup(ni);
2225
2226 /* HT */
2227 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2228 rate = ieee80211_setup_htrates(ni, htcap,
2229 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2230 IEEE80211_F_DOBRS);
2231 if (rate & IEEE80211_RATE_BASIC) {
2232 ratesetmismatch(ni, wh, reassoc, resp,
2233 "HT", rate);
2234 vap->iv_stats.is_ht_assoc_norate++;
2235 return;
2236 }
2237 ieee80211_ht_node_init(ni);
2238 ieee80211_ht_updatehtcap(ni, htcap);
2239 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2240 ieee80211_ht_node_cleanup(ni);
2241
2242 /* Finally - this will use HT/VHT info to change node channel */
2243 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2244 ieee80211_ht_updatehtcap_final(ni);
2245 }
2246
2247 #ifdef IEEE80211_SUPPORT_SUPERG
2248 /* Always do ff node cleanup; for A-MSDU */
2249 ieee80211_ff_node_cleanup(ni);
2250 #endif
2251 /*
2252 * Allow AMPDU operation only with unencrypted traffic
2253 * or AES-CCM / AES-GCM; the 802.11n spec only specifies these
2254 * ciphers so permitting any others is undefined and can lead
2255 * to interoperability problems.
2256 *
2257 * TODO: before landing, find exactly where in 802.11-2020 this
2258 * is called out!
2259 */
2260 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2261 (((vap->iv_flags & IEEE80211_F_WPA) &&
2262 !hostapd_validate_cipher_for_ht_ampdu(rsnparms.rsn_ucastcipher)) ||
2263 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2264 IEEE80211_NOTE(vap,
2265 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2266 "disallow HT use because WEP or TKIP requested, "
2267 "capinfo 0x%x ucastcipher %d", capinfo,
2268 rsnparms.rsn_ucastcipher);
2269 ieee80211_ht_node_cleanup(ni);
2270 #ifdef IEEE80211_SUPPORT_SUPERG
2271 /* Always do ff node cleanup; for A-MSDU */
2272 ieee80211_ff_node_cleanup(ni);
2273 #endif
2274 vap->iv_stats.is_ht_assoc_downgrade++;
2275 }
2276 /*
2277 * If constrained to 11n-only stations reject legacy stations.
2278 */
2279 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2280 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2281 htcapmismatch(ni, wh, reassoc, resp);
2282 vap->iv_stats.is_ht_assoc_nohtcap++;
2283 return;
2284 }
2285 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2286 ni->ni_noise = nf;
2287 ni->ni_intval = lintval;
2288 ni->ni_capinfo = capinfo;
2289 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2290 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2291 /*
2292 * Store the IEs.
2293 * XXX maybe better to just expand
2294 */
2295 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2296 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2297 if (wpa != NULL)
2298 setie(wpa_ie, wpa - sfrm);
2299 if (rsn != NULL)
2300 setie(rsn_ie, rsn - sfrm);
2301 if (htcap != NULL)
2302 setie(htcap_ie, htcap - sfrm);
2303 if (wme != NULL) {
2304 setie(wme_ie, wme - sfrm);
2305 /*
2306 * Mark node as capable of QoS.
2307 */
2308 ni->ni_flags |= IEEE80211_NODE_QOS;
2309 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
2310 if (ni->ni_uapsd != 0)
2311 ni->ni_flags |=
2312 IEEE80211_NODE_UAPSD;
2313 else
2314 ni->ni_flags &=
2315 ~IEEE80211_NODE_UAPSD;
2316 }
2317 } else
2318 ni->ni_flags &=
2319 ~(IEEE80211_NODE_QOS |
2320 IEEE80211_NODE_UAPSD);
2321 #ifdef IEEE80211_SUPPORT_SUPERG
2322 if (ath != NULL) {
2323 setie(ath_ie, ath - sfrm);
2324 /*
2325 * Parse ATH station parameters.
2326 */
2327 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2328 } else
2329 #endif
2330 ni->ni_ath_flags = 0;
2331 #undef setie
2332 } else {
2333 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2334 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
2335 ni->ni_ath_flags = 0;
2336 }
2337 ieee80211_node_join(ni, resp);
2338 ieee80211_deliver_l2uf(ni);
2339 break;
2340 }
2341
2342 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2343 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2344 #ifdef IEEE80211_DEBUG
2345 uint16_t reason;
2346 #endif
2347
2348 if (vap->iv_state != IEEE80211_S_RUN ||
2349 /* NB: can happen when in promiscuous mode */
2350 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2351 vap->iv_stats.is_rx_mgtdiscard++;
2352 break;
2353 }
2354 /*
2355 * deauth/disassoc frame format
2356 * [2] reason
2357 */
2358 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2359 #ifdef IEEE80211_DEBUG
2360 reason = le16toh(*(uint16_t *)frm);
2361 #endif
2362 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2363 vap->iv_stats.is_rx_deauth++;
2364 IEEE80211_NODE_STAT(ni, rx_deauth);
2365 } else {
2366 vap->iv_stats.is_rx_disassoc++;
2367 IEEE80211_NODE_STAT(ni, rx_disassoc);
2368 }
2369 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2370 "recv %s (reason: %d (%s))",
2371 ieee80211_mgt_subtype_name(subtype),
2372 reason, ieee80211_reason_to_string(reason));
2373 if (ni != vap->iv_bss)
2374 ieee80211_node_leave(ni);
2375 break;
2376 }
2377
2378 case IEEE80211_FC0_SUBTYPE_ACTION:
2379 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2380 if (ni == vap->iv_bss) {
2381 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2382 wh, NULL, "%s", "unknown node");
2383 vap->iv_stats.is_rx_mgtdiscard++;
2384 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2385 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2386 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2387 wh, NULL, "%s", "not for us");
2388 vap->iv_stats.is_rx_mgtdiscard++;
2389 } else if (vap->iv_state != IEEE80211_S_RUN) {
2390 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2391 wh, NULL, "wrong state %s",
2392 ieee80211_state_name[vap->iv_state]);
2393 vap->iv_stats.is_rx_mgtdiscard++;
2394 } else {
2395 if (ieee80211_parse_action(ni, m0) == 0)
2396 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2397 }
2398 break;
2399
2400 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2401 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2402 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2403 case IEEE80211_FC0_SUBTYPE_ATIM:
2404 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2405 wh, NULL, "%s", "not handled");
2406 vap->iv_stats.is_rx_mgtdiscard++;
2407 break;
2408
2409 default:
2410 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2411 wh, "mgt", "subtype 0x%x not handled", subtype);
2412 vap->iv_stats.is_rx_badsubtype++;
2413 break;
2414 }
2415 }
2416
2417 static void
hostap_recv_ctl(struct ieee80211_node * ni,struct mbuf * m,int subtype)2418 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2419 {
2420 switch (subtype) {
2421 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2422 ni->ni_vap->iv_recv_pspoll(ni, m);
2423 break;
2424 case IEEE80211_FC0_SUBTYPE_BAR:
2425 ieee80211_recv_bar(ni, m);
2426 break;
2427 }
2428 }
2429
2430 /*
2431 * Process a received ps-poll frame.
2432 */
2433 void
ieee80211_recv_pspoll(struct ieee80211_node * ni,struct mbuf * m0)2434 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2435 {
2436 struct ieee80211vap *vap = ni->ni_vap;
2437 struct ieee80211com *ic = vap->iv_ic;
2438 struct ieee80211_frame_min *wh;
2439 struct mbuf *m;
2440 uint16_t aid;
2441 int qlen;
2442
2443 wh = mtod(m0, struct ieee80211_frame_min *);
2444 if (ni->ni_associd == 0) {
2445 IEEE80211_DISCARD(vap,
2446 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2447 (struct ieee80211_frame *) wh, NULL,
2448 "%s", "unassociated station");
2449 vap->iv_stats.is_ps_unassoc++;
2450 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2451 IEEE80211_REASON_NOT_ASSOCED);
2452 return;
2453 }
2454
2455 aid = le16toh(*(uint16_t *)wh->i_dur);
2456 if (aid != ni->ni_associd) {
2457 IEEE80211_DISCARD(vap,
2458 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2459 (struct ieee80211_frame *) wh, NULL,
2460 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2461 ni->ni_associd, aid);
2462 vap->iv_stats.is_ps_badaid++;
2463 /*
2464 * NB: We used to deauth the station but it turns out
2465 * the Blackberry Curve 8230 (and perhaps other devices)
2466 * sometimes send the wrong AID when WME is negotiated.
2467 * Being more lenient here seems ok as we already check
2468 * the station is associated and we only return frames
2469 * queued for the station (i.e. we don't use the AID).
2470 */
2471 return;
2472 }
2473
2474 /* Okay, take the first queued packet and put it out... */
2475 m = ieee80211_node_psq_dequeue(ni, &qlen);
2476 if (m == NULL) {
2477 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2478 "%s", "recv ps-poll, but queue empty");
2479 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2480 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2481 if (vap->iv_set_tim != NULL)
2482 vap->iv_set_tim(ni, 0); /* just in case */
2483 return;
2484 }
2485 /*
2486 * If there are more packets, set the more packets bit
2487 * in the packet dispatched to the station; otherwise
2488 * turn off the TIM bit.
2489 */
2490 if (qlen != 0) {
2491 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2492 "recv ps-poll, send packet, %u still queued", qlen);
2493 m->m_flags |= M_MORE_DATA;
2494 } else {
2495 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2496 "%s", "recv ps-poll, send packet, queue empty");
2497 if (vap->iv_set_tim != NULL)
2498 vap->iv_set_tim(ni, 0);
2499 }
2500 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2501
2502 /*
2503 * Do the right thing; if it's an encap'ed frame then
2504 * call ieee80211_parent_xmitpkt() else
2505 * call ieee80211_vap_xmitpkt().
2506 */
2507 if (m->m_flags & M_ENCAP) {
2508 (void) ieee80211_parent_xmitpkt(ic, m);
2509 } else {
2510 (void) ieee80211_vap_xmitpkt(vap, m);
2511 }
2512 }
2513