1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 static void hostap_vattach(struct ieee80211vap *); 67 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 68 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 69 const struct ieee80211_rx_stats *, 70 int rssi, int nf); 71 static void hostap_deliver_data(struct ieee80211vap *, 72 struct ieee80211_node *, struct mbuf *); 73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 76 77 void 78 ieee80211_hostap_attach(struct ieee80211com *ic) 79 { 80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 81 } 82 83 void 84 ieee80211_hostap_detach(struct ieee80211com *ic) 85 { 86 } 87 88 static void 89 hostap_vdetach(struct ieee80211vap *vap) 90 { 91 } 92 93 static void 94 hostap_vattach(struct ieee80211vap *vap) 95 { 96 vap->iv_newstate = hostap_newstate; 97 vap->iv_input = hostap_input; 98 vap->iv_recv_mgmt = hostap_recv_mgmt; 99 vap->iv_recv_ctl = hostap_recv_ctl; 100 vap->iv_opdetach = hostap_vdetach; 101 vap->iv_deliver_data = hostap_deliver_data; 102 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 103 } 104 105 static void 106 sta_disassoc(void *arg, struct ieee80211_node *ni) 107 { 108 109 if (ni->ni_associd != 0) { 110 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 111 IEEE80211_REASON_ASSOC_LEAVE); 112 ieee80211_node_leave(ni); 113 } 114 } 115 116 static void 117 sta_csa(void *arg, struct ieee80211_node *ni) 118 { 119 struct ieee80211vap *vap = ni->ni_vap; 120 121 if (ni->ni_associd != 0) 122 if (ni->ni_inact > vap->iv_inact_init) { 123 ni->ni_inact = vap->iv_inact_init; 124 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 125 "%s: inact %u", __func__, ni->ni_inact); 126 } 127 } 128 129 static void 130 sta_drop(void *arg, struct ieee80211_node *ni) 131 { 132 133 if (ni->ni_associd != 0) 134 ieee80211_node_leave(ni); 135 } 136 137 /* 138 * Does a channel change require associated stations to re-associate 139 * so protocol state is correct. This is used when doing CSA across 140 * bands or similar (e.g. HT -> legacy). 141 */ 142 static int 143 isbandchange(struct ieee80211com *ic) 144 { 145 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 146 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 147 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 148 } 149 150 /* 151 * IEEE80211_M_HOSTAP vap state machine handler. 152 */ 153 static int 154 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 155 { 156 struct ieee80211com *ic = vap->iv_ic; 157 enum ieee80211_state ostate; 158 159 IEEE80211_LOCK_ASSERT(ic); 160 161 ostate = vap->iv_state; 162 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 163 __func__, ieee80211_state_name[ostate], 164 ieee80211_state_name[nstate], arg); 165 vap->iv_state = nstate; /* state transition */ 166 if (ostate != IEEE80211_S_SCAN) 167 ieee80211_cancel_scan(vap); /* background scan */ 168 switch (nstate) { 169 case IEEE80211_S_INIT: 170 switch (ostate) { 171 case IEEE80211_S_SCAN: 172 ieee80211_cancel_scan(vap); 173 break; 174 case IEEE80211_S_CAC: 175 ieee80211_dfs_cac_stop(vap); 176 break; 177 case IEEE80211_S_RUN: 178 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 179 sta_disassoc, NULL); 180 break; 181 default: 182 break; 183 } 184 if (ostate != IEEE80211_S_INIT) { 185 /* NB: optimize INIT -> INIT case */ 186 ieee80211_reset_bss(vap); 187 } 188 if (vap->iv_auth->ia_detach != NULL) 189 vap->iv_auth->ia_detach(vap); 190 break; 191 case IEEE80211_S_SCAN: 192 switch (ostate) { 193 case IEEE80211_S_CSA: 194 case IEEE80211_S_RUN: 195 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 196 sta_disassoc, NULL); 197 /* 198 * Clear overlapping BSS state; the beacon frame 199 * will be reconstructed on transition to the RUN 200 * state and the timeout routines check if the flag 201 * is set before doing anything so this is sufficient. 202 */ 203 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 204 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 205 /* XXX TODO: schedule deferred update? */ 206 /* fall thru... */ 207 case IEEE80211_S_CAC: 208 /* 209 * NB: We may get here because of a manual channel 210 * change in which case we need to stop CAC 211 * XXX no need to stop if ostate RUN but it's ok 212 */ 213 ieee80211_dfs_cac_stop(vap); 214 /* fall thru... */ 215 case IEEE80211_S_INIT: 216 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 217 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * ieee80211_create_ibss will call back to 222 * move us to RUN state. 223 */ 224 ieee80211_create_ibss(vap, vap->iv_des_chan); 225 break; 226 } 227 /* 228 * Initiate a scan. We can come here as a result 229 * of an IEEE80211_IOC_SCAN_REQ too in which case 230 * the vap will be marked with IEEE80211_FEXT_SCANREQ 231 * and the scan request parameters will be present 232 * in iv_scanreq. Otherwise we do the default. 233 */ 234 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 235 ieee80211_check_scan(vap, 236 vap->iv_scanreq_flags, 237 vap->iv_scanreq_duration, 238 vap->iv_scanreq_mindwell, 239 vap->iv_scanreq_maxdwell, 240 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 241 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 242 } else 243 ieee80211_check_scan_current(vap); 244 break; 245 case IEEE80211_S_SCAN: 246 /* 247 * A state change requires a reset; scan. 248 */ 249 ieee80211_check_scan_current(vap); 250 break; 251 default: 252 break; 253 } 254 break; 255 case IEEE80211_S_CAC: 256 /* 257 * Start CAC on a DFS channel. We come here when starting 258 * a bss on a DFS channel (see ieee80211_create_ibss). 259 */ 260 ieee80211_dfs_cac_start(vap); 261 break; 262 case IEEE80211_S_RUN: 263 if (vap->iv_flags & IEEE80211_F_WPA) { 264 /* XXX validate prerequisites */ 265 } 266 switch (ostate) { 267 case IEEE80211_S_INIT: 268 /* 269 * Already have a channel; bypass the 270 * scan and startup immediately. 271 * Note that ieee80211_create_ibss will call 272 * back to do a RUN->RUN state change. 273 */ 274 ieee80211_create_ibss(vap, 275 ieee80211_ht_adjust_channel(ic, 276 ic->ic_curchan, vap->iv_flags_ht)); 277 /* NB: iv_bss is changed on return */ 278 break; 279 case IEEE80211_S_CAC: 280 /* 281 * NB: This is the normal state change when CAC 282 * expires and no radar was detected; no need to 283 * clear the CAC timer as it's already expired. 284 */ 285 /* fall thru... */ 286 case IEEE80211_S_CSA: 287 /* 288 * Shorten inactivity timer of associated stations 289 * to weed out sta's that don't follow a CSA. 290 */ 291 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 292 sta_csa, NULL); 293 /* 294 * Update bss node channel to reflect where 295 * we landed after CSA. 296 */ 297 ieee80211_node_set_chan(vap->iv_bss, 298 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 299 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 300 /* XXX bypass debug msgs */ 301 break; 302 case IEEE80211_S_SCAN: 303 case IEEE80211_S_RUN: 304 #ifdef IEEE80211_DEBUG 305 if (ieee80211_msg_debug(vap)) { 306 struct ieee80211_node *ni = vap->iv_bss; 307 ieee80211_note(vap, 308 "synchronized with %s ssid ", 309 ether_sprintf(ni->ni_bssid)); 310 ieee80211_print_essid(ni->ni_essid, 311 ni->ni_esslen); 312 printf(" channel %d start %uMbit/s\n", 313 ieee80211_chan2ieee(ic, ic->ic_curchan), 314 ieee80211_node_get_txrate_kbit(ni) / 1000); 315 } 316 #endif 317 break; 318 default: 319 break; 320 } 321 /* 322 * Start/stop the authenticator. We delay until here 323 * to allow configuration to happen out of order. 324 */ 325 if (vap->iv_auth->ia_attach != NULL) { 326 /* XXX check failure */ 327 vap->iv_auth->ia_attach(vap); 328 } else if (vap->iv_auth->ia_detach != NULL) { 329 vap->iv_auth->ia_detach(vap); 330 } 331 ieee80211_node_authorize(vap->iv_bss); 332 break; 333 case IEEE80211_S_CSA: 334 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 335 /* 336 * On a ``band change'' silently drop associated 337 * stations as they must re-associate before they 338 * can pass traffic (as otherwise protocol state 339 * such as capabilities and the negotiated rate 340 * set may/will be wrong). 341 */ 342 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 343 sta_drop, NULL); 344 } 345 break; 346 default: 347 break; 348 } 349 return 0; 350 } 351 352 static void 353 hostap_deliver_data(struct ieee80211vap *vap, 354 struct ieee80211_node *ni, struct mbuf *m) 355 { 356 struct ether_header *eh = mtod(m, struct ether_header *); 357 struct ifnet *ifp = vap->iv_ifp; 358 359 /* clear driver/net80211 flags before passing up */ 360 m->m_flags &= ~(M_MCAST | M_BCAST); 361 m_clrprotoflags(m); 362 363 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 364 ("gack, opmode %d", vap->iv_opmode)); 365 /* 366 * Do accounting. 367 */ 368 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 369 IEEE80211_NODE_STAT(ni, rx_data); 370 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 371 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 372 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 373 IEEE80211_NODE_STAT(ni, rx_mcast); 374 } else 375 IEEE80211_NODE_STAT(ni, rx_ucast); 376 377 /* perform as a bridge within the AP */ 378 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 379 struct mbuf *mcopy = NULL; 380 381 if (m->m_flags & M_MCAST) { 382 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 383 if (mcopy == NULL) 384 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 385 else 386 mcopy->m_flags |= M_MCAST; 387 } else { 388 /* 389 * Check if the destination is associated with the 390 * same vap and authorized to receive traffic. 391 * Beware of traffic destined for the vap itself; 392 * sending it will not work; just let it be delivered 393 * normally. 394 */ 395 struct ieee80211_node *sta = ieee80211_find_vap_node( 396 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 397 if (sta != NULL) { 398 if (ieee80211_node_is_authorized(sta)) { 399 /* 400 * Beware of sending to ourself; this 401 * needs to happen via the normal 402 * input path. 403 */ 404 if (sta != vap->iv_bss) { 405 mcopy = m; 406 m = NULL; 407 } 408 } else { 409 vap->iv_stats.is_rx_unauth++; 410 IEEE80211_NODE_STAT(sta, rx_unauth); 411 } 412 ieee80211_free_node(sta); 413 } 414 } 415 if (mcopy != NULL) 416 (void) ieee80211_vap_xmitpkt(vap, mcopy); 417 } 418 if (m != NULL) { 419 /* 420 * Mark frame as coming from vap's interface. 421 */ 422 m->m_pkthdr.rcvif = ifp; 423 if (m->m_flags & M_MCAST) { 424 /* 425 * Spam DWDS vap's w/ multicast traffic. 426 */ 427 /* XXX only if dwds in use? */ 428 ieee80211_dwds_mcast(vap, m); 429 } 430 if (ni->ni_vlan != 0) { 431 /* attach vlan tag */ 432 m->m_pkthdr.ether_vtag = ni->ni_vlan; 433 m->m_flags |= M_VLANTAG; 434 } 435 436 ieee80211_vap_deliver_data(vap, m); 437 } 438 } 439 440 /* 441 * Decide if a received management frame should be 442 * printed when debugging is enabled. This filters some 443 * of the less interesting frames that come frequently 444 * (e.g. beacons). 445 */ 446 static __inline int 447 doprint(struct ieee80211vap *vap, int subtype) 448 { 449 switch (subtype) { 450 case IEEE80211_FC0_SUBTYPE_BEACON: 451 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 452 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 453 return 0; 454 } 455 return 1; 456 } 457 458 /* 459 * Process a received frame. The node associated with the sender 460 * should be supplied. If nothing was found in the node table then 461 * the caller is assumed to supply a reference to iv_bss instead. 462 * The RSSI and a timestamp are also supplied. The RSSI data is used 463 * during AP scanning to select a AP to associate with; it can have 464 * any units so long as values have consistent units and higher values 465 * mean ``better signal''. The receive timestamp is currently not used 466 * by the 802.11 layer. 467 */ 468 static int 469 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 470 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 471 { 472 struct ieee80211vap *vap = ni->ni_vap; 473 struct ieee80211com *ic = ni->ni_ic; 474 struct ifnet *ifp = vap->iv_ifp; 475 struct ieee80211_frame *wh; 476 struct ieee80211_key *key; 477 struct ether_header *eh; 478 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 479 uint8_t dir, type, subtype, qos; 480 uint8_t *bssid; 481 int is_hw_decrypted = 0; 482 int has_decrypted = 0; 483 484 /* 485 * Some devices do hardware decryption all the way through 486 * to pretending the frame wasn't encrypted in the first place. 487 * So, tag it appropriately so it isn't discarded inappropriately. 488 */ 489 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 490 is_hw_decrypted = 1; 491 492 if (m->m_flags & M_AMPDU_MPDU) { 493 /* 494 * Fastpath for A-MPDU reorder q resubmission. Frames 495 * w/ M_AMPDU_MPDU marked have already passed through 496 * here but were received out of order and been held on 497 * the reorder queue. When resubmitted they are marked 498 * with the M_AMPDU_MPDU flag and we can bypass most of 499 * the normal processing. 500 */ 501 wh = mtod(m, struct ieee80211_frame *); 502 type = IEEE80211_FC0_TYPE_DATA; 503 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 504 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 505 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 506 goto resubmit_ampdu; 507 } 508 509 KASSERT(ni != NULL, ("null node")); 510 ni->ni_inact = ni->ni_inact_reload; 511 512 type = -1; /* undefined */ 513 514 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 515 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 516 ni->ni_macaddr, NULL, 517 "too short (1): len %u", m->m_pkthdr.len); 518 vap->iv_stats.is_rx_tooshort++; 519 goto out; 520 } 521 /* 522 * Bit of a cheat here, we use a pointer for a 3-address 523 * frame format but don't reference fields past outside 524 * ieee80211_frame_min w/o first validating the data is 525 * present. 526 */ 527 wh = mtod(m, struct ieee80211_frame *); 528 529 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) { 530 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 531 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 532 wh->i_fc[0], wh->i_fc[1]); 533 vap->iv_stats.is_rx_badversion++; 534 goto err; 535 } 536 537 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 538 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 539 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 540 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 541 if (dir != IEEE80211_FC1_DIR_NODS) 542 bssid = wh->i_addr1; 543 else if (type == IEEE80211_FC0_TYPE_CTL) 544 bssid = wh->i_addr1; 545 else { 546 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 547 IEEE80211_DISCARD_MAC(vap, 548 IEEE80211_MSG_ANY, ni->ni_macaddr, 549 NULL, "too short (2): len %u", 550 m->m_pkthdr.len); 551 vap->iv_stats.is_rx_tooshort++; 552 goto out; 553 } 554 bssid = wh->i_addr3; 555 } 556 /* 557 * Validate the bssid. 558 */ 559 if (!(type == IEEE80211_FC0_TYPE_MGT && 560 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 561 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 562 !IEEE80211_ADDR_EQ(bssid, 563 ieee80211_vap_get_broadcast_address(vap))) { 564 /* not interested in */ 565 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 566 bssid, NULL, "%s", "not to bss"); 567 vap->iv_stats.is_rx_wrongbss++; 568 goto out; 569 } 570 571 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 572 ni->ni_noise = nf; 573 if (IEEE80211_HAS_SEQ(type, subtype)) { 574 uint8_t tid = ieee80211_gettid(wh); 575 if (IEEE80211_QOS_HAS_SEQ(wh) && 576 TID_TO_WME_AC(tid) >= WME_AC_VI) 577 ic->ic_wme.wme_hipri_traffic++; 578 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 579 goto out; 580 } 581 } 582 583 switch (type) { 584 case IEEE80211_FC0_TYPE_DATA: 585 hdrspace = ieee80211_hdrspace(ic, wh); 586 if (m->m_len < hdrspace && 587 (m = m_pullup(m, hdrspace)) == NULL) { 588 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 589 ni->ni_macaddr, NULL, 590 "data too short: expecting %u", hdrspace); 591 vap->iv_stats.is_rx_tooshort++; 592 goto out; /* XXX */ 593 } 594 if (!(dir == IEEE80211_FC1_DIR_TODS || 595 (dir == IEEE80211_FC1_DIR_DSTODS && 596 (vap->iv_flags & IEEE80211_F_DWDS)))) { 597 if (dir != IEEE80211_FC1_DIR_DSTODS) { 598 IEEE80211_DISCARD(vap, 599 IEEE80211_MSG_INPUT, wh, "data", 600 "incorrect dir 0x%x", dir); 601 } else { 602 IEEE80211_DISCARD(vap, 603 IEEE80211_MSG_INPUT | 604 IEEE80211_MSG_WDS, wh, 605 "4-address data", 606 "%s", "DWDS not enabled"); 607 } 608 vap->iv_stats.is_rx_wrongdir++; 609 goto out; 610 } 611 /* check if source STA is associated */ 612 if (ni == vap->iv_bss) { 613 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 614 wh, "data", "%s", "unknown src"); 615 ieee80211_send_error(ni, wh->i_addr2, 616 IEEE80211_FC0_SUBTYPE_DEAUTH, 617 IEEE80211_REASON_NOT_AUTHED); 618 vap->iv_stats.is_rx_notassoc++; 619 goto err; 620 } 621 if (ni->ni_associd == 0) { 622 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 623 wh, "data", "%s", "unassoc src"); 624 IEEE80211_SEND_MGMT(ni, 625 IEEE80211_FC0_SUBTYPE_DISASSOC, 626 IEEE80211_REASON_NOT_ASSOCED); 627 vap->iv_stats.is_rx_notassoc++; 628 goto err; 629 } 630 631 /* 632 * Check for power save state change. 633 * XXX out-of-order A-MPDU frames? 634 */ 635 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 636 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 637 vap->iv_node_ps(ni, 638 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 639 /* 640 * For 4-address packets handle WDS discovery 641 * notifications. Once a WDS link is setup frames 642 * are just delivered to the WDS vap (see below). 643 */ 644 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 645 if (!ieee80211_node_is_authorized(ni)) { 646 IEEE80211_DISCARD(vap, 647 IEEE80211_MSG_INPUT | 648 IEEE80211_MSG_WDS, wh, 649 "4-address data", 650 "%s", "unauthorized port"); 651 vap->iv_stats.is_rx_unauth++; 652 IEEE80211_NODE_STAT(ni, rx_unauth); 653 goto err; 654 } 655 ieee80211_dwds_discover(ni, m); 656 return type; 657 } 658 659 /* 660 * Handle A-MPDU re-ordering. If the frame is to be 661 * processed directly then ieee80211_ampdu_reorder 662 * will return 0; otherwise it has consumed the mbuf 663 * and we should do nothing more with it. 664 */ 665 if ((m->m_flags & M_AMPDU) && 666 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 667 m = NULL; 668 goto out; 669 } 670 resubmit_ampdu: 671 672 /* 673 * Handle privacy requirements. Note that we 674 * must not be preempted from here until after 675 * we (potentially) call ieee80211_crypto_demic; 676 * otherwise we may violate assumptions in the 677 * crypto cipher modules used to do delayed update 678 * of replay sequence numbers. 679 */ 680 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 681 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 682 /* 683 * Discard encrypted frames when privacy is off. 684 */ 685 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 686 wh, "WEP", "%s", "PRIVACY off"); 687 vap->iv_stats.is_rx_noprivacy++; 688 IEEE80211_NODE_STAT(ni, rx_noprivacy); 689 goto out; 690 } 691 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 692 /* NB: stats+msgs handled in crypto_decap */ 693 IEEE80211_NODE_STAT(ni, rx_wepfail); 694 goto out; 695 } 696 wh = mtod(m, struct ieee80211_frame *); 697 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 698 has_decrypted = 1; 699 } else { 700 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 701 key = NULL; 702 } 703 704 /* 705 * Save QoS bits for use below--before we strip the header. 706 */ 707 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 708 qos = ieee80211_getqos(wh)[0]; 709 else 710 qos = 0; 711 712 /* 713 * Next up, any fragmentation. 714 */ 715 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 716 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 717 if (m == NULL) { 718 /* Fragment dropped or frame not complete yet */ 719 goto out; 720 } 721 } 722 wh = NULL; /* no longer valid, catch any uses */ 723 724 /* 725 * Next strip any MSDU crypto bits. 726 */ 727 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 728 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 729 ni->ni_macaddr, "data", "%s", "demic error"); 730 vap->iv_stats.is_rx_demicfail++; 731 IEEE80211_NODE_STAT(ni, rx_demicfail); 732 goto out; 733 } 734 /* copy to listener after decrypt */ 735 if (ieee80211_radiotap_active_vap(vap)) 736 ieee80211_radiotap_rx(vap, m); 737 need_tap = 0; 738 /* 739 * Finally, strip the 802.11 header. 740 */ 741 m = ieee80211_decap(vap, m, hdrspace, qos); 742 if (m == NULL) { 743 /* XXX mask bit to check for both */ 744 /* don't count Null data frames as errors */ 745 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 746 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 747 goto out; 748 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 749 ni->ni_macaddr, "data", "%s", "decap error"); 750 vap->iv_stats.is_rx_decap++; 751 IEEE80211_NODE_STAT(ni, rx_decap); 752 goto err; 753 } 754 if (!(qos & IEEE80211_QOS_AMSDU)) 755 eh = mtod(m, struct ether_header *); 756 else 757 eh = NULL; 758 if (!ieee80211_node_is_authorized(ni)) { 759 /* 760 * Deny any non-PAE frames received prior to 761 * authorization. For open/shared-key 762 * authentication the port is mark authorized 763 * after authentication completes. For 802.1x 764 * the port is not marked authorized by the 765 * authenticator until the handshake has completed. 766 */ 767 if (eh == NULL || 768 eh->ether_type != htons(ETHERTYPE_PAE)) { 769 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 770 ni->ni_macaddr, "data", "unauthorized or " 771 "unknown port: ether type 0x%x len %u", 772 eh == NULL ? -1 : eh->ether_type, 773 m->m_pkthdr.len); 774 vap->iv_stats.is_rx_unauth++; 775 IEEE80211_NODE_STAT(ni, rx_unauth); 776 goto err; 777 } 778 } else { 779 /* 780 * When denying unencrypted frames, discard 781 * any non-PAE frames received without encryption. 782 */ 783 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 784 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 785 (is_hw_decrypted == 0) && 786 (eh == NULL || 787 eh->ether_type != htons(ETHERTYPE_PAE))) { 788 /* 789 * Drop unencrypted frames. 790 */ 791 vap->iv_stats.is_rx_unencrypted++; 792 IEEE80211_NODE_STAT(ni, rx_unencrypted); 793 goto out; 794 } 795 } 796 /* XXX require HT? */ 797 if (qos & IEEE80211_QOS_AMSDU) { 798 m = ieee80211_decap_amsdu(ni, m); 799 if (m == NULL) 800 return IEEE80211_FC0_TYPE_DATA; 801 } else { 802 #ifdef IEEE80211_SUPPORT_SUPERG 803 m = ieee80211_decap_fastframe(vap, ni, m); 804 if (m == NULL) 805 return IEEE80211_FC0_TYPE_DATA; 806 #endif 807 } 808 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 809 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 810 else 811 hostap_deliver_data(vap, ni, m); 812 return IEEE80211_FC0_TYPE_DATA; 813 814 case IEEE80211_FC0_TYPE_MGT: 815 vap->iv_stats.is_rx_mgmt++; 816 IEEE80211_NODE_STAT(ni, rx_mgmt); 817 if (dir != IEEE80211_FC1_DIR_NODS) { 818 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 819 wh, "mgt", "incorrect dir 0x%x", dir); 820 vap->iv_stats.is_rx_wrongdir++; 821 goto err; 822 } 823 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 824 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 825 ni->ni_macaddr, "mgt", "too short: len %u", 826 m->m_pkthdr.len); 827 vap->iv_stats.is_rx_tooshort++; 828 goto out; 829 } 830 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 831 /* ensure return frames are unicast */ 832 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 833 wh, NULL, "source is multicast: %s", 834 ether_sprintf(wh->i_addr2)); 835 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 836 goto out; 837 } 838 #ifdef IEEE80211_DEBUG 839 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 840 ieee80211_msg_dumppkts(vap)) { 841 if_printf(ifp, "received %s from %s rssi %d\n", 842 ieee80211_mgt_subtype_name(subtype), 843 ether_sprintf(wh->i_addr2), rssi); 844 } 845 #endif 846 if (IEEE80211_IS_PROTECTED(wh)) { 847 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 848 /* 849 * Only shared key auth frames with a challenge 850 * should be encrypted, discard all others. 851 */ 852 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 853 wh, NULL, 854 "%s", "WEP set but not permitted"); 855 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 856 goto out; 857 } 858 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 859 /* 860 * Discard encrypted frames when privacy is off. 861 */ 862 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 863 wh, NULL, "%s", "WEP set but PRIVACY off"); 864 vap->iv_stats.is_rx_noprivacy++; 865 goto out; 866 } 867 hdrspace = ieee80211_hdrspace(ic, wh); 868 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 869 /* NB: stats+msgs handled in crypto_decap */ 870 goto out; 871 } 872 wh = mtod(m, struct ieee80211_frame *); 873 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 874 has_decrypted = 1; 875 } 876 /* 877 * Pass the packet to radiotap before calling iv_recv_mgmt(). 878 * Otherwise iv_recv_mgmt() might pass another packet to 879 * radiotap, resulting in out of order packet captures. 880 */ 881 if (ieee80211_radiotap_active_vap(vap)) 882 ieee80211_radiotap_rx(vap, m); 883 need_tap = 0; 884 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 885 goto out; 886 887 case IEEE80211_FC0_TYPE_CTL: 888 vap->iv_stats.is_rx_ctl++; 889 IEEE80211_NODE_STAT(ni, rx_ctrl); 890 if (ieee80211_is_ctl_frame_for_vap(ni, m)) 891 vap->iv_recv_ctl(ni, m, subtype); 892 goto out; 893 default: 894 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 895 wh, "bad", "frame type 0x%x", type); 896 /* should not come here */ 897 break; 898 } 899 err: 900 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 901 out: 902 if (m != NULL) { 903 if (need_tap && ieee80211_radiotap_active_vap(vap)) 904 ieee80211_radiotap_rx(vap, m); 905 m_freem(m); 906 } 907 return type; 908 } 909 910 static void 911 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 912 int rssi, int nf, uint16_t seq, uint16_t status) 913 { 914 struct ieee80211vap *vap = ni->ni_vap; 915 916 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 917 918 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 919 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 920 ni->ni_macaddr, "open auth", 921 "bad sta auth mode %u", ni->ni_authmode); 922 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 923 /* 924 * Clear any challenge text that may be there if 925 * a previous shared key auth failed and then an 926 * open auth is attempted. 927 */ 928 if (ni->ni_challenge != NULL) { 929 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 930 ni->ni_challenge = NULL; 931 } 932 /* XXX hack to workaround calling convention */ 933 ieee80211_send_error(ni, wh->i_addr2, 934 IEEE80211_FC0_SUBTYPE_AUTH, 935 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 936 return; 937 } 938 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 939 vap->iv_stats.is_rx_bad_auth++; 940 return; 941 } 942 /* always accept open authentication requests */ 943 if (ni == vap->iv_bss) { 944 ni = ieee80211_dup_bss(vap, wh->i_addr2); 945 if (ni == NULL) 946 return; 947 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 948 (void) ieee80211_ref_node(ni); 949 /* 950 * Mark the node as referenced to reflect that it's 951 * reference count has been bumped to insure it remains 952 * after the transaction completes. 953 */ 954 ni->ni_flags |= IEEE80211_NODE_AREF; 955 /* 956 * Mark the node as requiring a valid association id 957 * before outbound traffic is permitted. 958 */ 959 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 960 961 if (vap->iv_acl != NULL && 962 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 963 /* 964 * When the ACL policy is set to RADIUS we defer the 965 * authorization to a user agent. Dispatch an event, 966 * a subsequent MLME call will decide the fate of the 967 * station. If the user agent is not present then the 968 * node will be reclaimed due to inactivity. 969 */ 970 IEEE80211_NOTE_MAC(vap, 971 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 972 "%s", "station authentication deferred (radius acl)"); 973 ieee80211_notify_node_auth(ni); 974 } else { 975 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 976 IEEE80211_NOTE_MAC(vap, 977 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 978 "%s", "station authenticated (open)"); 979 /* 980 * When 802.1x is not in use mark the port 981 * authorized at this point so traffic can flow. 982 */ 983 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 984 ieee80211_node_authorize(ni); 985 } 986 } 987 988 static void 989 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 990 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 991 uint16_t seq, uint16_t status) 992 { 993 struct ieee80211vap *vap = ni->ni_vap; 994 uint8_t *challenge; 995 int estatus; 996 997 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 998 999 /* 1000 * NB: this can happen as we allow pre-shared key 1001 * authentication to be enabled w/o wep being turned 1002 * on so that configuration of these can be done 1003 * in any order. It may be better to enforce the 1004 * ordering in which case this check would just be 1005 * for sanity/consistency. 1006 */ 1007 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1008 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1009 ni->ni_macaddr, "shared key auth", 1010 "%s", " PRIVACY is disabled"); 1011 estatus = IEEE80211_STATUS_ALG; 1012 goto bad; 1013 } 1014 /* 1015 * Pre-shared key authentication is evil; accept 1016 * it only if explicitly configured (it is supported 1017 * mainly for compatibility with clients like Mac OS X). 1018 */ 1019 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1020 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1021 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1022 ni->ni_macaddr, "shared key auth", 1023 "bad sta auth mode %u", ni->ni_authmode); 1024 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1025 estatus = IEEE80211_STATUS_ALG; 1026 goto bad; 1027 } 1028 1029 challenge = NULL; 1030 if (frm + 1 < efrm) { 1031 if ((frm[1] + 2) > (efrm - frm)) { 1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1033 ni->ni_macaddr, "shared key auth", 1034 "ie %d/%d too long", 1035 frm[0], (frm[1] + 2) - (efrm - frm)); 1036 vap->iv_stats.is_rx_bad_auth++; 1037 estatus = IEEE80211_STATUS_CHALLENGE; 1038 goto bad; 1039 } 1040 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1041 challenge = frm; 1042 frm += frm[1] + 2; 1043 } 1044 switch (seq) { 1045 case IEEE80211_AUTH_SHARED_CHALLENGE: 1046 case IEEE80211_AUTH_SHARED_RESPONSE: 1047 if (challenge == NULL) { 1048 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1049 ni->ni_macaddr, "shared key auth", 1050 "%s", "no challenge"); 1051 vap->iv_stats.is_rx_bad_auth++; 1052 estatus = IEEE80211_STATUS_CHALLENGE; 1053 goto bad; 1054 } 1055 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1056 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1057 ni->ni_macaddr, "shared key auth", 1058 "bad challenge len %d", challenge[1]); 1059 vap->iv_stats.is_rx_bad_auth++; 1060 estatus = IEEE80211_STATUS_CHALLENGE; 1061 goto bad; 1062 } 1063 default: 1064 break; 1065 } 1066 switch (seq) { 1067 case IEEE80211_AUTH_SHARED_REQUEST: 1068 { 1069 #ifdef IEEE80211_DEBUG 1070 bool allocbs; 1071 #endif 1072 1073 if (ni == vap->iv_bss) { 1074 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1075 if (ni == NULL) { 1076 /* NB: no way to return an error */ 1077 return; 1078 } 1079 #ifdef IEEE80211_DEBUG 1080 allocbs = 1; 1081 #endif 1082 } else { 1083 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1084 (void) ieee80211_ref_node(ni); 1085 #ifdef IEEE80211_DEBUG 1086 allocbs = 0; 1087 #endif 1088 } 1089 /* 1090 * Mark the node as referenced to reflect that it's 1091 * reference count has been bumped to insure it remains 1092 * after the transaction completes. 1093 */ 1094 ni->ni_flags |= IEEE80211_NODE_AREF; 1095 /* 1096 * Mark the node as requiring a valid association id 1097 * before outbound traffic is permitted. 1098 */ 1099 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1100 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1101 ni->ni_noise = nf; 1102 if (!ieee80211_alloc_challenge(ni)) { 1103 /* NB: don't return error so they rexmit */ 1104 return; 1105 } 1106 net80211_get_random_bytes(ni->ni_challenge, 1107 IEEE80211_CHALLENGE_LEN); 1108 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1109 ni, "shared key %sauth request", allocbs ? "" : "re"); 1110 /* 1111 * When the ACL policy is set to RADIUS we defer the 1112 * authorization to a user agent. Dispatch an event, 1113 * a subsequent MLME call will decide the fate of the 1114 * station. If the user agent is not present then the 1115 * node will be reclaimed due to inactivity. 1116 */ 1117 if (vap->iv_acl != NULL && 1118 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1119 IEEE80211_NOTE_MAC(vap, 1120 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1121 ni->ni_macaddr, 1122 "%s", "station authentication deferred (radius acl)"); 1123 ieee80211_notify_node_auth(ni); 1124 return; 1125 } 1126 break; 1127 } 1128 case IEEE80211_AUTH_SHARED_RESPONSE: 1129 if (ni == vap->iv_bss) { 1130 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1131 ni->ni_macaddr, "shared key response", 1132 "%s", "unknown station"); 1133 /* NB: don't send a response */ 1134 return; 1135 } 1136 if (ni->ni_challenge == NULL) { 1137 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1138 ni->ni_macaddr, "shared key response", 1139 "%s", "no challenge recorded"); 1140 vap->iv_stats.is_rx_bad_auth++; 1141 estatus = IEEE80211_STATUS_CHALLENGE; 1142 goto bad; 1143 } 1144 if (memcmp(ni->ni_challenge, &challenge[2], 1145 challenge[1]) != 0) { 1146 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1147 ni->ni_macaddr, "shared key response", 1148 "%s", "challenge mismatch"); 1149 vap->iv_stats.is_rx_auth_fail++; 1150 estatus = IEEE80211_STATUS_CHALLENGE; 1151 goto bad; 1152 } 1153 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1154 ni, "%s", "station authenticated (shared key)"); 1155 ieee80211_node_authorize(ni); 1156 break; 1157 default: 1158 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1159 ni->ni_macaddr, "shared key auth", 1160 "bad seq %d", seq); 1161 vap->iv_stats.is_rx_bad_auth++; 1162 estatus = IEEE80211_STATUS_SEQUENCE; 1163 goto bad; 1164 } 1165 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1166 return; 1167 bad: 1168 /* 1169 * Send an error response; but only when operating as an AP. 1170 */ 1171 /* XXX hack to workaround calling convention */ 1172 ieee80211_send_error(ni, wh->i_addr2, 1173 IEEE80211_FC0_SUBTYPE_AUTH, 1174 (seq + 1) | (estatus<<16)); 1175 } 1176 1177 /* 1178 * Convert a WPA cipher selector OUI to an internal 1179 * cipher algorithm. Where appropriate we also 1180 * record any key length. 1181 */ 1182 static int 1183 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1184 { 1185 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1186 uint32_t w = le32dec(sel); 1187 1188 switch (w) { 1189 case WPA_SEL(WPA_CSE_NULL): 1190 *cipher = IEEE80211_CIPHER_NONE; 1191 break; 1192 case WPA_SEL(WPA_CSE_WEP40): 1193 if (keylen) 1194 *keylen = 40 / NBBY; 1195 *cipher = IEEE80211_CIPHER_WEP; 1196 break; 1197 case WPA_SEL(WPA_CSE_WEP104): 1198 if (keylen) 1199 *keylen = 104 / NBBY; 1200 *cipher = IEEE80211_CIPHER_WEP; 1201 break; 1202 case WPA_SEL(WPA_CSE_TKIP): 1203 *cipher = IEEE80211_CIPHER_TKIP; 1204 break; 1205 case WPA_SEL(WPA_CSE_CCMP): 1206 *cipher = IEEE80211_CIPHER_AES_CCM; 1207 break; 1208 /* Note: no GCM cipher in the legacy WPA1 OUI */ 1209 default: 1210 return (EINVAL); 1211 } 1212 1213 return (0); 1214 #undef WPA_SEL 1215 } 1216 1217 /* 1218 * Convert a WPA key management/authentication algorithm 1219 * to an internal code. 1220 */ 1221 static int 1222 wpa_keymgmt(const uint8_t *sel) 1223 { 1224 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1225 uint32_t w = le32dec(sel); 1226 1227 switch (w) { 1228 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1229 return WPA_ASE_8021X_UNSPEC; 1230 case WPA_SEL(WPA_ASE_8021X_PSK): 1231 return WPA_ASE_8021X_PSK; 1232 case WPA_SEL(WPA_ASE_NONE): 1233 return WPA_ASE_NONE; 1234 } 1235 return 0; /* NB: so is discarded */ 1236 #undef WPA_SEL 1237 } 1238 1239 /* 1240 * Parse a WPA information element to collect parameters. 1241 * Note that we do not validate security parameters; that 1242 * is handled by the authenticator; the parsing done here 1243 * is just for internal use in making operational decisions. 1244 */ 1245 static int 1246 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1247 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1248 { 1249 uint8_t len = frm[1]; 1250 uint32_t w; 1251 int error, n; 1252 1253 /* 1254 * Check the length once for fixed parts: OUI, type, 1255 * version, mcast cipher, and 2 selector counts. 1256 * Other, variable-length data, must be checked separately. 1257 */ 1258 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1259 IEEE80211_DISCARD_IE(vap, 1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1261 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1262 return IEEE80211_REASON_IE_INVALID; 1263 } 1264 if (len < 14) { 1265 IEEE80211_DISCARD_IE(vap, 1266 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1267 wh, "WPA", "too short, len %u", len); 1268 return IEEE80211_REASON_IE_INVALID; 1269 } 1270 frm += 6, len -= 4; /* NB: len is payload only */ 1271 /* NB: iswpaoui already validated the OUI and type */ 1272 w = le16dec(frm); 1273 if (w != WPA_VERSION) { 1274 IEEE80211_DISCARD_IE(vap, 1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1276 wh, "WPA", "bad version %u", w); 1277 return IEEE80211_REASON_IE_INVALID; 1278 } 1279 frm += 2, len -= 2; 1280 1281 memset(rsn, 0, sizeof(*rsn)); 1282 1283 /* multicast/group cipher */ 1284 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1285 if (error != 0) { 1286 IEEE80211_DISCARD_IE(vap, 1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1288 wh, "WPA", "unknown mcast cipher suite %08X", 1289 le32dec(frm)); 1290 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1291 } 1292 frm += 4, len -= 4; 1293 1294 /* unicast ciphers */ 1295 n = le16dec(frm); 1296 frm += 2, len -= 2; 1297 if (len < n*4+2) { 1298 IEEE80211_DISCARD_IE(vap, 1299 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1300 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1301 len, n); 1302 return IEEE80211_REASON_IE_INVALID; 1303 } 1304 w = 0; 1305 for (; n > 0; n--) { 1306 uint8_t cipher; 1307 1308 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1309 if (error == 0) 1310 w |= 1 << cipher; 1311 1312 frm += 4, len -= 4; 1313 } 1314 if (w == 0) { 1315 IEEE80211_DISCARD_IE(vap, 1316 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1317 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1318 w); 1319 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1320 } 1321 /* XXX other? */ 1322 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1323 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1324 else 1325 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1326 1327 /* key management algorithms */ 1328 n = le16dec(frm); 1329 frm += 2, len -= 2; 1330 if (len < n*4) { 1331 IEEE80211_DISCARD_IE(vap, 1332 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1333 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1334 len, n); 1335 return IEEE80211_REASON_IE_INVALID; 1336 } 1337 w = 0; 1338 for (; n > 0; n--) { 1339 w |= wpa_keymgmt(frm); 1340 frm += 4, len -= 4; 1341 } 1342 if (w & WPA_ASE_8021X_UNSPEC) 1343 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1344 else 1345 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1346 1347 if (len > 2) /* optional capabilities */ 1348 rsn->rsn_caps = le16dec(frm); 1349 1350 return 0; 1351 } 1352 1353 /* 1354 * Convert an RSN cipher selector OUI to an internal 1355 * cipher algorithm. Where appropriate we also 1356 * record any key length. 1357 */ 1358 static int 1359 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1360 { 1361 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1362 uint32_t w = le32dec(sel); 1363 1364 switch (w) { 1365 case RSN_SEL(RSN_CSE_NULL): 1366 *cipher = IEEE80211_CIPHER_NONE; 1367 break; 1368 case RSN_SEL(RSN_CSE_WEP40): 1369 if (keylen) 1370 *keylen = 40 / NBBY; 1371 *cipher = IEEE80211_CIPHER_WEP; 1372 break; 1373 case RSN_SEL(RSN_CSE_WEP104): 1374 if (keylen) 1375 *keylen = 104 / NBBY; 1376 *cipher = IEEE80211_CIPHER_WEP; 1377 break; 1378 case RSN_SEL(RSN_CSE_TKIP): 1379 *cipher = IEEE80211_CIPHER_TKIP; 1380 break; 1381 case RSN_SEL(RSN_CSE_CCMP): 1382 *cipher = IEEE80211_CIPHER_AES_CCM; 1383 break; 1384 case RSN_SEL(RSN_CSE_WRAP): 1385 *cipher = IEEE80211_CIPHER_AES_OCB; 1386 break; 1387 case RSN_SEL(RSN_CSE_GCMP_128): 1388 *cipher = IEEE80211_CIPHER_AES_GCM_128; 1389 break; 1390 default: 1391 return (EINVAL); 1392 } 1393 1394 return (0); 1395 #undef WPA_SEL 1396 } 1397 1398 /* 1399 * Convert an RSN key management/authentication algorithm 1400 * to an internal code. 1401 */ 1402 static int 1403 rsn_keymgmt(const uint8_t *sel) 1404 { 1405 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1406 uint32_t w = le32dec(sel); 1407 1408 switch (w) { 1409 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1410 return RSN_ASE_8021X_UNSPEC; 1411 case RSN_SEL(RSN_ASE_8021X_PSK): 1412 return RSN_ASE_8021X_PSK; 1413 case RSN_SEL(RSN_ASE_NONE): 1414 return RSN_ASE_NONE; 1415 } 1416 return 0; /* NB: so is discarded */ 1417 #undef RSN_SEL 1418 } 1419 1420 /* 1421 * Parse a WPA/RSN information element to collect parameters 1422 * and validate the parameters against what has been 1423 * configured for the system. 1424 */ 1425 static int 1426 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1427 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1428 { 1429 uint8_t len = frm[1]; 1430 uint32_t w; 1431 int error, n; 1432 1433 /* 1434 * Check the length once for fixed parts: 1435 * version, mcast cipher, and 2 selector counts. 1436 * Other, variable-length data, must be checked separately. 1437 */ 1438 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1439 IEEE80211_DISCARD_IE(vap, 1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1441 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1442 return IEEE80211_REASON_IE_INVALID; 1443 } 1444 /* XXX may be shorter */ 1445 if (len < 10) { 1446 IEEE80211_DISCARD_IE(vap, 1447 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1448 wh, "RSN", "too short, len %u", len); 1449 return IEEE80211_REASON_IE_INVALID; 1450 } 1451 frm += 2; 1452 w = le16dec(frm); 1453 if (w != RSN_VERSION) { 1454 IEEE80211_DISCARD_IE(vap, 1455 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1456 wh, "RSN", "bad version %u", w); 1457 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1458 } 1459 frm += 2, len -= 2; 1460 1461 memset(rsn, 0, sizeof(*rsn)); 1462 1463 /* multicast/group cipher */ 1464 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1465 if (error != 0) { 1466 IEEE80211_DISCARD_IE(vap, 1467 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1468 wh, "RSN", "unknown mcast cipher suite %08X", 1469 le32dec(frm)); 1470 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1471 } 1472 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1473 IEEE80211_DISCARD_IE(vap, 1474 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1475 wh, "RSN", "invalid mcast cipher suite %d", 1476 rsn->rsn_mcastcipher); 1477 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1478 } 1479 frm += 4, len -= 4; 1480 1481 /* unicast ciphers */ 1482 n = le16dec(frm); 1483 frm += 2, len -= 2; 1484 if (len < n*4+2) { 1485 IEEE80211_DISCARD_IE(vap, 1486 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1487 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1488 len, n); 1489 return IEEE80211_REASON_IE_INVALID; 1490 } 1491 w = 0; 1492 1493 for (; n > 0; n--) { 1494 uint8_t cipher; 1495 1496 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1497 if (error == 0) 1498 w |= 1 << cipher; 1499 1500 frm += 4, len -= 4; 1501 } 1502 if (w & (1 << IEEE80211_CIPHER_AES_GCM_128)) 1503 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_GCM_128; 1504 else if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1506 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1508 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1510 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1511 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1512 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1513 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1514 else { 1515 IEEE80211_DISCARD_IE(vap, 1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1517 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1518 w); 1519 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1520 } 1521 1522 /* key management algorithms */ 1523 n = le16dec(frm); 1524 frm += 2, len -= 2; 1525 if (len < n*4) { 1526 IEEE80211_DISCARD_IE(vap, 1527 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1528 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1529 len, n); 1530 return IEEE80211_REASON_IE_INVALID; 1531 } 1532 w = 0; 1533 for (; n > 0; n--) { 1534 w |= rsn_keymgmt(frm); 1535 frm += 4, len -= 4; 1536 } 1537 if (w & RSN_ASE_8021X_UNSPEC) 1538 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1539 else 1540 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1541 1542 /* optional RSN capabilities */ 1543 if (len >= 2) { 1544 rsn->rsn_caps = le16dec(frm); 1545 frm += 2, len -= 2; 1546 } 1547 1548 /* XXX PMK Count / PMKID */ 1549 1550 /* XXX Group Cipher Management Suite */ 1551 1552 return 0; 1553 } 1554 1555 /* 1556 * WPA/802.11i association request processing. 1557 */ 1558 static int 1559 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1560 const struct ieee80211_frame *wh, const uint8_t *wpa, 1561 const uint8_t *rsn, uint16_t capinfo) 1562 { 1563 struct ieee80211vap *vap = ni->ni_vap; 1564 uint8_t reason; 1565 int badwparsn; 1566 1567 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1568 if (wpa == NULL && rsn == NULL) { 1569 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1570 /* 1571 * W-Fi Protected Setup (WPS) permits 1572 * clients to associate and pass EAPOL frames 1573 * to establish initial credentials. 1574 */ 1575 ni->ni_flags |= IEEE80211_NODE_WPS; 1576 return 1; 1577 } 1578 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1579 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1580 /* 1581 * Transitional Security Network. Permits clients 1582 * to associate and use WEP while WPA is configured. 1583 */ 1584 ni->ni_flags |= IEEE80211_NODE_TSN; 1585 return 1; 1586 } 1587 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1588 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1589 vap->iv_stats.is_rx_assoc_badwpaie++; 1590 reason = IEEE80211_REASON_IE_INVALID; 1591 goto bad; 1592 } 1593 /* assert right association security credentials */ 1594 badwparsn = 0; /* NB: to silence compiler */ 1595 switch (vap->iv_flags & IEEE80211_F_WPA) { 1596 case IEEE80211_F_WPA1: 1597 badwparsn = (wpa == NULL); 1598 break; 1599 case IEEE80211_F_WPA2: 1600 badwparsn = (rsn == NULL); 1601 break; 1602 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1603 badwparsn = (wpa == NULL && rsn == NULL); 1604 break; 1605 } 1606 if (badwparsn) { 1607 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1608 wh, NULL, 1609 "%s", "missing WPA/RSN IE in association request"); 1610 vap->iv_stats.is_rx_assoc_badwpaie++; 1611 reason = IEEE80211_REASON_IE_INVALID; 1612 goto bad; 1613 } 1614 /* 1615 * Parse WPA/RSN information element. 1616 */ 1617 if (wpa != NULL) 1618 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1619 else 1620 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1621 if (reason != 0) { 1622 /* XXX wpa->rsn fallback? */ 1623 /* XXX distinguish WPA/RSN? */ 1624 vap->iv_stats.is_rx_assoc_badwpaie++; 1625 goto bad; 1626 } 1627 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1628 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1629 wpa != NULL ? "WPA" : "RSN", 1630 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1631 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1632 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1633 1634 return 1; 1635 bad: 1636 ieee80211_node_deauth(ni, reason); 1637 return 0; 1638 } 1639 1640 /* XXX find a better place for definition */ 1641 struct l2_update_frame { 1642 struct ether_header eh; 1643 uint8_t dsap; 1644 uint8_t ssap; 1645 uint8_t control; 1646 uint8_t xid[3]; 1647 } __packed; 1648 1649 /* 1650 * Deliver a TGf L2UF frame on behalf of a station. 1651 * This primes any bridge when the station is roaming 1652 * between ap's on the same wired network. 1653 */ 1654 static void 1655 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1656 { 1657 struct ieee80211vap *vap = ni->ni_vap; 1658 struct mbuf *m; 1659 struct l2_update_frame *l2uf; 1660 struct ether_header *eh; 1661 1662 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1663 if (m == NULL) { 1664 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1665 "%s", "no mbuf for l2uf frame"); 1666 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1667 return; 1668 } 1669 l2uf = mtod(m, struct l2_update_frame *); 1670 eh = &l2uf->eh; 1671 /* dst: Broadcast address */ 1672 IEEE80211_ADDR_COPY(eh->ether_dhost, 1673 ieee80211_vap_get_broadcast_address(vap)); 1674 /* src: associated STA */ 1675 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1676 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1677 1678 l2uf->dsap = 0; 1679 l2uf->ssap = 0; 1680 l2uf->control = 0xf5; 1681 l2uf->xid[0] = 0x81; 1682 l2uf->xid[1] = 0x80; 1683 l2uf->xid[2] = 0x00; 1684 1685 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1686 hostap_deliver_data(vap, ni, m); 1687 } 1688 1689 static void 1690 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1691 int reassoc, int resp, const char *tag, int rate) 1692 { 1693 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1694 "deny %s request, %s rate set mismatch, rate/MCS %d", 1695 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1696 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1697 ieee80211_node_leave(ni); 1698 } 1699 1700 static void 1701 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1702 int reassoc, int resp, const char *tag, int capinfo) 1703 { 1704 struct ieee80211vap *vap = ni->ni_vap; 1705 1706 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1707 "deny %s request, %s mismatch 0x%x", 1708 reassoc ? "reassoc" : "assoc", tag, capinfo); 1709 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1710 ieee80211_node_leave(ni); 1711 vap->iv_stats.is_rx_assoc_capmismatch++; 1712 } 1713 1714 static void 1715 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1716 int reassoc, int resp) 1717 { 1718 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1719 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1720 /* XXX no better code */ 1721 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1722 ieee80211_node_leave(ni); 1723 } 1724 1725 static void 1726 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1727 int algo, int seq, int status) 1728 { 1729 struct ieee80211vap *vap = ni->ni_vap; 1730 1731 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1732 wh, NULL, "unsupported alg %d", algo); 1733 vap->iv_stats.is_rx_auth_unsupported++; 1734 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1735 seq | (status << 16)); 1736 } 1737 1738 static __inline int 1739 ishtmixed(const uint8_t *ie) 1740 { 1741 const struct ieee80211_ie_htinfo *ht = 1742 (const struct ieee80211_ie_htinfo *) ie; 1743 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1744 IEEE80211_HTINFO_OPMODE_MIXED; 1745 } 1746 1747 static int 1748 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1749 { 1750 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1751 int i; 1752 1753 /* NB: the 11b clients we care about will not have xrates */ 1754 if (xrates != NULL || rates == NULL) 1755 return 0; 1756 for (i = 0; i < rates[1]; i++) { 1757 int r = rates[2+i] & IEEE80211_RATE_VAL; 1758 if (r > 2*11 || ((1<<r) & brates) == 0) 1759 return 0; 1760 } 1761 return 1; 1762 } 1763 1764 /** 1765 * Check if the given cipher is valid for 802.11 HT operation. 1766 * 1767 * The 802.11 specification only allows HT A-MPDU to be performed 1768 * on CCMP / GCMP encrypted frames. The WEP/TKIP hardware crypto 1769 * implementations may not meet the timing required for A-MPDU 1770 * operation. 1771 * 1772 * @param cipher the IEEE80211_CIPHER_ value to check 1773 * @returns true if the cipher is valid for HT A-MPDU, false otherwise 1774 */ 1775 static bool 1776 hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher) 1777 { 1778 switch (cipher) { 1779 case IEEE80211_CIPHER_AES_CCM: 1780 case IEEE80211_CIPHER_AES_GCM_128: 1781 return true; 1782 default: 1783 return false; 1784 } 1785 } 1786 1787 static void 1788 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1789 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1790 { 1791 struct ieee80211vap *vap = ni->ni_vap; 1792 struct ieee80211com *ic = ni->ni_ic; 1793 struct ieee80211_frame *wh; 1794 uint8_t *frm, *efrm, *sfrm; 1795 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1796 uint8_t *vhtcap, *vhtinfo; 1797 int reassoc, resp; 1798 uint8_t rate; 1799 1800 wh = mtod(m0, struct ieee80211_frame *); 1801 frm = (uint8_t *)&wh[1]; 1802 efrm = mtod(m0, uint8_t *) + m0->m_len; 1803 switch (subtype) { 1804 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1805 /* 1806 * We process beacon/probe response frames when scanning; 1807 * otherwise we check beacon frames for overlapping non-ERP 1808 * BSS in 11g and/or overlapping legacy BSS when in HT. 1809 */ 1810 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1811 vap->iv_stats.is_rx_mgtdiscard++; 1812 return; 1813 } 1814 /* FALLTHROUGH */ 1815 case IEEE80211_FC0_SUBTYPE_BEACON: { 1816 struct ieee80211_scanparams scan; 1817 1818 /* NB: accept off-channel frames */ 1819 /* XXX TODO: use rxstatus to determine off-channel details */ 1820 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1821 return; 1822 /* 1823 * Count frame now that we know it's to be processed. 1824 */ 1825 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1826 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1827 IEEE80211_NODE_STAT(ni, rx_beacons); 1828 } else 1829 IEEE80211_NODE_STAT(ni, rx_proberesp); 1830 /* 1831 * If scanning, just pass information to the scan module. 1832 */ 1833 if (ic->ic_flags & IEEE80211_F_SCAN) { 1834 if (scan.status == 0 && /* NB: on channel */ 1835 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1836 /* 1837 * Actively scanning a channel marked passive; 1838 * send a probe request now that we know there 1839 * is 802.11 traffic present. 1840 * 1841 * XXX check if the beacon we recv'd gives 1842 * us what we need and suppress the probe req 1843 */ 1844 ieee80211_probe_curchan(vap, true); 1845 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1846 } 1847 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1848 subtype, rssi, nf); 1849 return; 1850 } 1851 /* 1852 * Check beacon for overlapping bss w/ non ERP stations. 1853 * If we detect one and protection is configured but not 1854 * enabled, enable it and start a timer that'll bring us 1855 * out if we stop seeing the bss. 1856 */ 1857 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1858 scan.status == 0 && /* NB: on-channel */ 1859 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1860 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1861 vap->iv_lastnonerp = ticks; 1862 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1863 /* 1864 * XXX TODO: this may need to check all VAPs? 1865 */ 1866 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1867 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1868 IEEE80211_NOTE_FRAME(vap, 1869 IEEE80211_MSG_ASSOC, wh, 1870 "non-ERP present on channel %d " 1871 "(saw erp 0x%x from channel %d), " 1872 "enable use of protection", 1873 ic->ic_curchan->ic_ieee, 1874 scan.erp, scan.chan); 1875 vap->iv_flags |= IEEE80211_F_USEPROT; 1876 ieee80211_vap_update_erp_protmode(vap); 1877 } 1878 } 1879 /* 1880 * Check beacon for non-HT station on HT channel 1881 * and update HT BSS occupancy as appropriate. 1882 */ 1883 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1884 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1885 /* 1886 * Off control channel; only check frames 1887 * that come in the extension channel when 1888 * operating w/ HT40. 1889 */ 1890 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1891 break; 1892 if (scan.chan != ic->ic_curchan->ic_extieee) 1893 break; 1894 } 1895 if (scan.htinfo == NULL) { 1896 ieee80211_htprot_update(vap, 1897 IEEE80211_HTINFO_OPMODE_PROTOPT | 1898 IEEE80211_HTINFO_NONHT_PRESENT); 1899 } else if (ishtmixed(scan.htinfo)) { 1900 /* XXX? take NONHT_PRESENT from beacon? */ 1901 ieee80211_htprot_update(vap, 1902 IEEE80211_HTINFO_OPMODE_MIXED | 1903 IEEE80211_HTINFO_NONHT_PRESENT); 1904 } 1905 } 1906 break; 1907 } 1908 1909 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1910 if (vap->iv_state != IEEE80211_S_RUN) { 1911 vap->iv_stats.is_rx_mgtdiscard++; 1912 return; 1913 } 1914 /* 1915 * Consult the ACL policy module if setup. 1916 */ 1917 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1918 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1919 wh, NULL, "%s", "disallowed by ACL"); 1920 vap->iv_stats.is_rx_acl++; 1921 return; 1922 } 1923 /* 1924 * prreq frame format 1925 * [tlv] ssid 1926 * [tlv] supported rates 1927 * [tlv] extended supported rates 1928 */ 1929 ssid = rates = xrates = NULL; 1930 while (efrm - frm > 1) { 1931 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1932 switch (*frm) { 1933 case IEEE80211_ELEMID_SSID: 1934 ssid = frm; 1935 break; 1936 case IEEE80211_ELEMID_RATES: 1937 rates = frm; 1938 break; 1939 case IEEE80211_ELEMID_XRATES: 1940 xrates = frm; 1941 break; 1942 } 1943 frm += frm[1] + 2; 1944 } 1945 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1946 if (xrates != NULL) 1947 IEEE80211_VERIFY_ELEMENT(xrates, 1948 IEEE80211_RATE_MAXSIZE - rates[1], return); 1949 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1950 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1951 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1952 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1953 wh, NULL, 1954 "%s", "no ssid with ssid suppression enabled"); 1955 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1956 return; 1957 } 1958 1959 /* XXX find a better class or define it's own */ 1960 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1961 "%s", "recv probe req"); 1962 /* 1963 * Some legacy 11b clients cannot hack a complete 1964 * probe response frame. When the request includes 1965 * only a bare-bones rate set, communicate this to 1966 * the transmit side. 1967 */ 1968 ieee80211_send_proberesp(vap, wh->i_addr2, 1969 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1970 break; 1971 1972 case IEEE80211_FC0_SUBTYPE_AUTH: { 1973 uint16_t algo, seq, status; 1974 1975 if (vap->iv_state != IEEE80211_S_RUN) { 1976 vap->iv_stats.is_rx_mgtdiscard++; 1977 return; 1978 } 1979 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1980 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1981 wh, NULL, "%s", "wrong bssid"); 1982 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1983 return; 1984 } 1985 /* 1986 * auth frame format 1987 * [2] algorithm 1988 * [2] sequence 1989 * [2] status 1990 * [tlv*] challenge 1991 */ 1992 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1993 algo = le16toh(*(uint16_t *)frm); 1994 seq = le16toh(*(uint16_t *)(frm + 2)); 1995 status = le16toh(*(uint16_t *)(frm + 4)); 1996 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1997 "recv auth frame with algorithm %d seq %d", algo, seq); 1998 /* 1999 * Consult the ACL policy module if setup. 2000 */ 2001 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 2002 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 2003 wh, NULL, "%s", "disallowed by ACL"); 2004 vap->iv_stats.is_rx_acl++; 2005 ieee80211_send_error(ni, wh->i_addr2, 2006 IEEE80211_FC0_SUBTYPE_AUTH, 2007 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2008 return; 2009 } 2010 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 2011 IEEE80211_DISCARD(vap, 2012 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2013 wh, NULL, "%s", "TKIP countermeasures enabled"); 2014 vap->iv_stats.is_rx_auth_countermeasures++; 2015 ieee80211_send_error(ni, wh->i_addr2, 2016 IEEE80211_FC0_SUBTYPE_AUTH, 2017 IEEE80211_REASON_MIC_FAILURE); 2018 return; 2019 } 2020 if (algo == IEEE80211_AUTH_ALG_SHARED) 2021 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 2022 seq, status); 2023 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2024 hostap_auth_open(ni, wh, rssi, nf, seq, status); 2025 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 2026 authalgreject(ni, wh, algo, 2027 seq+1, IEEE80211_STATUS_ALG); 2028 return; 2029 } else { 2030 /* 2031 * We assume that an unknown algorithm is the result 2032 * of a decryption failure on a shared key auth frame; 2033 * return a status code appropriate for that instead 2034 * of IEEE80211_STATUS_ALG. 2035 * 2036 * NB: a seq# of 4 is intentional; the decrypted 2037 * frame likely has a bogus seq value. 2038 */ 2039 authalgreject(ni, wh, algo, 2040 4, IEEE80211_STATUS_CHALLENGE); 2041 return; 2042 } 2043 break; 2044 } 2045 2046 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2047 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2048 uint16_t capinfo, lintval; 2049 struct ieee80211_rsnparms rsnparms; 2050 2051 if (vap->iv_state != IEEE80211_S_RUN) { 2052 vap->iv_stats.is_rx_mgtdiscard++; 2053 return; 2054 } 2055 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2056 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2057 wh, NULL, "%s", "wrong bssid"); 2058 vap->iv_stats.is_rx_assoc_bss++; 2059 return; 2060 } 2061 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2062 reassoc = 1; 2063 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2064 } else { 2065 reassoc = 0; 2066 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2067 } 2068 if (ni == vap->iv_bss) { 2069 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2070 "deny %s request, sta not authenticated", 2071 reassoc ? "reassoc" : "assoc"); 2072 ieee80211_send_error(ni, wh->i_addr2, 2073 IEEE80211_FC0_SUBTYPE_DEAUTH, 2074 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2075 vap->iv_stats.is_rx_assoc_notauth++; 2076 return; 2077 } 2078 2079 /* 2080 * asreq frame format 2081 * [2] capability information 2082 * [2] listen interval 2083 * [6*] current AP address (reassoc only) 2084 * [tlv] ssid 2085 * [tlv] supported rates 2086 * [tlv] extended supported rates 2087 * [tlv] WPA or RSN 2088 * [tlv] HT capabilities 2089 * [tlv] Atheros capabilities 2090 */ 2091 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2092 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2093 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2094 if (reassoc) 2095 frm += 6; /* ignore current AP info */ 2096 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2097 vhtcap = vhtinfo = NULL; 2098 sfrm = frm; 2099 while (efrm - frm > 1) { 2100 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2101 switch (*frm) { 2102 case IEEE80211_ELEMID_SSID: 2103 ssid = frm; 2104 break; 2105 case IEEE80211_ELEMID_RATES: 2106 rates = frm; 2107 break; 2108 case IEEE80211_ELEMID_XRATES: 2109 xrates = frm; 2110 break; 2111 case IEEE80211_ELEMID_RSN: 2112 rsn = frm; 2113 break; 2114 case IEEE80211_ELEMID_HTCAP: 2115 htcap = frm; 2116 break; 2117 case IEEE80211_ELEMID_VHT_CAP: 2118 vhtcap = frm; 2119 break; 2120 case IEEE80211_ELEMID_VHT_OPMODE: 2121 vhtinfo = frm; 2122 break; 2123 case IEEE80211_ELEMID_VENDOR: 2124 if (iswpaoui(frm)) 2125 wpa = frm; 2126 else if (iswmeinfo(frm)) 2127 wme = frm; 2128 #ifdef IEEE80211_SUPPORT_SUPERG 2129 else if (isatherosoui(frm)) 2130 ath = frm; 2131 #endif 2132 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2133 if (ishtcapoui(frm) && htcap == NULL) 2134 htcap = frm; 2135 } 2136 break; 2137 } 2138 frm += frm[1] + 2; 2139 } 2140 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2141 if (xrates != NULL) 2142 IEEE80211_VERIFY_ELEMENT(xrates, 2143 IEEE80211_RATE_MAXSIZE - rates[1], return); 2144 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2145 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2146 if (htcap != NULL) { 2147 IEEE80211_VERIFY_LENGTH(htcap[1], 2148 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2149 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2150 sizeof(struct ieee80211_ie_htcap)-2, 2151 return); /* XXX just NULL out? */ 2152 } 2153 2154 /* Validate VHT IEs */ 2155 if (vhtcap != NULL) { 2156 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2157 sizeof(struct ieee80211_vht_cap), 2158 return); 2159 } 2160 if (vhtinfo != NULL) { 2161 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2162 sizeof(struct ieee80211_vht_operation), 2163 return); 2164 } 2165 2166 if ((vap->iv_flags & IEEE80211_F_WPA) && 2167 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2168 return; 2169 /* discard challenge after association */ 2170 if (ni->ni_challenge != NULL) { 2171 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2172 ni->ni_challenge = NULL; 2173 } 2174 /* NB: 802.11 spec says to ignore station's privacy bit */ 2175 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2176 capinfomismatch(ni, wh, reassoc, resp, 2177 "capability", capinfo); 2178 return; 2179 } 2180 /* 2181 * Disallow re-associate w/ invalid slot time setting. 2182 */ 2183 if (ni->ni_associd != 0 && 2184 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2185 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2186 capinfomismatch(ni, wh, reassoc, resp, 2187 "slot time", capinfo); 2188 return; 2189 } 2190 rate = ieee80211_setup_rates(ni, rates, xrates, 2191 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2192 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2193 if (rate & IEEE80211_RATE_BASIC) { 2194 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2195 vap->iv_stats.is_rx_assoc_norate++; 2196 return; 2197 } 2198 /* 2199 * If constrained to 11g-only stations reject an 2200 * 11b-only station. We cheat a bit here by looking 2201 * at the max negotiated xmit rate and assuming anyone 2202 * with a best rate <24Mb/s is an 11b station. 2203 */ 2204 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2205 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2206 vap->iv_stats.is_rx_assoc_norate++; 2207 return; 2208 } 2209 2210 /* 2211 * Do HT rate set handling and setup HT node state. 2212 */ 2213 ni->ni_chan = vap->iv_bss->ni_chan; 2214 2215 /* VHT */ 2216 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2217 vhtcap != NULL && 2218 vhtinfo != NULL) { 2219 /* XXX TODO; see below */ 2220 printf("%s: VHT TODO!\n", __func__); 2221 ieee80211_vht_node_init(ni); 2222 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2223 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2224 ieee80211_vht_node_cleanup(ni); 2225 2226 /* HT */ 2227 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2228 rate = ieee80211_setup_htrates(ni, htcap, 2229 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2230 IEEE80211_F_DOBRS); 2231 if (rate & IEEE80211_RATE_BASIC) { 2232 ratesetmismatch(ni, wh, reassoc, resp, 2233 "HT", rate); 2234 vap->iv_stats.is_ht_assoc_norate++; 2235 return; 2236 } 2237 ieee80211_ht_node_init(ni); 2238 ieee80211_ht_updatehtcap(ni, htcap); 2239 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2240 ieee80211_ht_node_cleanup(ni); 2241 2242 /* Finally - this will use HT/VHT info to change node channel */ 2243 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2244 ieee80211_ht_updatehtcap_final(ni); 2245 } 2246 2247 #ifdef IEEE80211_SUPPORT_SUPERG 2248 /* Always do ff node cleanup; for A-MSDU */ 2249 ieee80211_ff_node_cleanup(ni); 2250 #endif 2251 /* 2252 * Allow AMPDU operation only with unencrypted traffic 2253 * or AES-CCM / AES-GCM; the 802.11n spec only specifies these 2254 * ciphers so permitting any others is undefined and can lead 2255 * to interoperability problems. 2256 * 2257 * TODO: before landing, find exactly where in 802.11-2020 this 2258 * is called out! 2259 */ 2260 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2261 (((vap->iv_flags & IEEE80211_F_WPA) && 2262 !hostapd_validate_cipher_for_ht_ampdu(rsnparms.rsn_ucastcipher)) || 2263 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2264 IEEE80211_NOTE(vap, 2265 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2266 "disallow HT use because WEP or TKIP requested, " 2267 "capinfo 0x%x ucastcipher %d", capinfo, 2268 rsnparms.rsn_ucastcipher); 2269 ieee80211_ht_node_cleanup(ni); 2270 #ifdef IEEE80211_SUPPORT_SUPERG 2271 /* Always do ff node cleanup; for A-MSDU */ 2272 ieee80211_ff_node_cleanup(ni); 2273 #endif 2274 vap->iv_stats.is_ht_assoc_downgrade++; 2275 } 2276 /* 2277 * If constrained to 11n-only stations reject legacy stations. 2278 */ 2279 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2280 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2281 htcapmismatch(ni, wh, reassoc, resp); 2282 vap->iv_stats.is_ht_assoc_nohtcap++; 2283 return; 2284 } 2285 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2286 ni->ni_noise = nf; 2287 ni->ni_intval = lintval; 2288 ni->ni_capinfo = capinfo; 2289 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2290 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2291 /* 2292 * Store the IEs. 2293 * XXX maybe better to just expand 2294 */ 2295 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2296 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2297 if (wpa != NULL) 2298 setie(wpa_ie, wpa - sfrm); 2299 if (rsn != NULL) 2300 setie(rsn_ie, rsn - sfrm); 2301 if (htcap != NULL) 2302 setie(htcap_ie, htcap - sfrm); 2303 if (wme != NULL) { 2304 setie(wme_ie, wme - sfrm); 2305 /* 2306 * Mark node as capable of QoS. 2307 */ 2308 ni->ni_flags |= IEEE80211_NODE_QOS; 2309 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2310 if (ni->ni_uapsd != 0) 2311 ni->ni_flags |= 2312 IEEE80211_NODE_UAPSD; 2313 else 2314 ni->ni_flags &= 2315 ~IEEE80211_NODE_UAPSD; 2316 } 2317 } else 2318 ni->ni_flags &= 2319 ~(IEEE80211_NODE_QOS | 2320 IEEE80211_NODE_UAPSD); 2321 #ifdef IEEE80211_SUPPORT_SUPERG 2322 if (ath != NULL) { 2323 setie(ath_ie, ath - sfrm); 2324 /* 2325 * Parse ATH station parameters. 2326 */ 2327 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2328 } else 2329 #endif 2330 ni->ni_ath_flags = 0; 2331 #undef setie 2332 } else { 2333 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2334 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2335 ni->ni_ath_flags = 0; 2336 } 2337 ieee80211_node_join(ni, resp); 2338 ieee80211_deliver_l2uf(ni); 2339 break; 2340 } 2341 2342 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2343 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2344 #ifdef IEEE80211_DEBUG 2345 uint16_t reason; 2346 #endif 2347 2348 if (vap->iv_state != IEEE80211_S_RUN || 2349 /* NB: can happen when in promiscuous mode */ 2350 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2351 vap->iv_stats.is_rx_mgtdiscard++; 2352 break; 2353 } 2354 /* 2355 * deauth/disassoc frame format 2356 * [2] reason 2357 */ 2358 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2359 #ifdef IEEE80211_DEBUG 2360 reason = le16toh(*(uint16_t *)frm); 2361 #endif 2362 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2363 vap->iv_stats.is_rx_deauth++; 2364 IEEE80211_NODE_STAT(ni, rx_deauth); 2365 } else { 2366 vap->iv_stats.is_rx_disassoc++; 2367 IEEE80211_NODE_STAT(ni, rx_disassoc); 2368 } 2369 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2370 "recv %s (reason: %d (%s))", 2371 ieee80211_mgt_subtype_name(subtype), 2372 reason, ieee80211_reason_to_string(reason)); 2373 if (ni != vap->iv_bss) 2374 ieee80211_node_leave(ni); 2375 break; 2376 } 2377 2378 case IEEE80211_FC0_SUBTYPE_ACTION: 2379 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2380 if (ni == vap->iv_bss) { 2381 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2382 wh, NULL, "%s", "unknown node"); 2383 vap->iv_stats.is_rx_mgtdiscard++; 2384 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2385 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2386 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2387 wh, NULL, "%s", "not for us"); 2388 vap->iv_stats.is_rx_mgtdiscard++; 2389 } else if (vap->iv_state != IEEE80211_S_RUN) { 2390 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2391 wh, NULL, "wrong state %s", 2392 ieee80211_state_name[vap->iv_state]); 2393 vap->iv_stats.is_rx_mgtdiscard++; 2394 } else { 2395 if (ieee80211_parse_action(ni, m0) == 0) 2396 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2397 } 2398 break; 2399 2400 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2401 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2402 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2403 case IEEE80211_FC0_SUBTYPE_ATIM: 2404 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2405 wh, NULL, "%s", "not handled"); 2406 vap->iv_stats.is_rx_mgtdiscard++; 2407 break; 2408 2409 default: 2410 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2411 wh, "mgt", "subtype 0x%x not handled", subtype); 2412 vap->iv_stats.is_rx_badsubtype++; 2413 break; 2414 } 2415 } 2416 2417 static void 2418 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2419 { 2420 switch (subtype) { 2421 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2422 ni->ni_vap->iv_recv_pspoll(ni, m); 2423 break; 2424 case IEEE80211_FC0_SUBTYPE_BAR: 2425 ieee80211_recv_bar(ni, m); 2426 break; 2427 } 2428 } 2429 2430 /* 2431 * Process a received ps-poll frame. 2432 */ 2433 void 2434 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2435 { 2436 struct ieee80211vap *vap = ni->ni_vap; 2437 struct ieee80211com *ic = vap->iv_ic; 2438 struct ieee80211_frame_min *wh; 2439 struct mbuf *m; 2440 uint16_t aid; 2441 int qlen; 2442 2443 wh = mtod(m0, struct ieee80211_frame_min *); 2444 if (ni->ni_associd == 0) { 2445 IEEE80211_DISCARD(vap, 2446 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2447 (struct ieee80211_frame *) wh, NULL, 2448 "%s", "unassociated station"); 2449 vap->iv_stats.is_ps_unassoc++; 2450 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2451 IEEE80211_REASON_NOT_ASSOCED); 2452 return; 2453 } 2454 2455 aid = le16toh(*(uint16_t *)wh->i_dur); 2456 if (aid != ni->ni_associd) { 2457 IEEE80211_DISCARD(vap, 2458 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2459 (struct ieee80211_frame *) wh, NULL, 2460 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2461 ni->ni_associd, aid); 2462 vap->iv_stats.is_ps_badaid++; 2463 /* 2464 * NB: We used to deauth the station but it turns out 2465 * the Blackberry Curve 8230 (and perhaps other devices) 2466 * sometimes send the wrong AID when WME is negotiated. 2467 * Being more lenient here seems ok as we already check 2468 * the station is associated and we only return frames 2469 * queued for the station (i.e. we don't use the AID). 2470 */ 2471 return; 2472 } 2473 2474 /* Okay, take the first queued packet and put it out... */ 2475 m = ieee80211_node_psq_dequeue(ni, &qlen); 2476 if (m == NULL) { 2477 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2478 "%s", "recv ps-poll, but queue empty"); 2479 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2480 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2481 if (vap->iv_set_tim != NULL) 2482 vap->iv_set_tim(ni, 0); /* just in case */ 2483 return; 2484 } 2485 /* 2486 * If there are more packets, set the more packets bit 2487 * in the packet dispatched to the station; otherwise 2488 * turn off the TIM bit. 2489 */ 2490 if (qlen != 0) { 2491 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2492 "recv ps-poll, send packet, %u still queued", qlen); 2493 m->m_flags |= M_MORE_DATA; 2494 } else { 2495 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2496 "%s", "recv ps-poll, send packet, queue empty"); 2497 if (vap->iv_set_tim != NULL) 2498 vap->iv_set_tim(ni, 0); 2499 } 2500 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2501 2502 /* 2503 * Do the right thing; if it's an encap'ed frame then 2504 * call ieee80211_parent_xmitpkt() else 2505 * call ieee80211_vap_xmitpkt(). 2506 */ 2507 if (m->m_flags & M_ENCAP) { 2508 (void) ieee80211_parent_xmitpkt(ic, m); 2509 } else { 2510 (void) ieee80211_vap_xmitpkt(vap, m); 2511 } 2512 } 2513