1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 static void hostap_vattach(struct ieee80211vap *); 67 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 68 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 69 const struct ieee80211_rx_stats *, 70 int rssi, int nf); 71 static void hostap_deliver_data(struct ieee80211vap *, 72 struct ieee80211_node *, struct mbuf *); 73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 76 77 void 78 ieee80211_hostap_attach(struct ieee80211com *ic) 79 { 80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 81 } 82 83 void 84 ieee80211_hostap_detach(struct ieee80211com *ic) 85 { 86 } 87 88 static void 89 hostap_vdetach(struct ieee80211vap *vap) 90 { 91 } 92 93 static void 94 hostap_vattach(struct ieee80211vap *vap) 95 { 96 vap->iv_newstate = hostap_newstate; 97 vap->iv_input = hostap_input; 98 vap->iv_recv_mgmt = hostap_recv_mgmt; 99 vap->iv_recv_ctl = hostap_recv_ctl; 100 vap->iv_opdetach = hostap_vdetach; 101 vap->iv_deliver_data = hostap_deliver_data; 102 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 103 } 104 105 static void 106 sta_disassoc(void *arg, struct ieee80211_node *ni) 107 { 108 109 if (ni->ni_associd != 0) { 110 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 111 IEEE80211_REASON_ASSOC_LEAVE); 112 ieee80211_node_leave(ni); 113 } 114 } 115 116 static void 117 sta_csa(void *arg, struct ieee80211_node *ni) 118 { 119 struct ieee80211vap *vap = ni->ni_vap; 120 121 if (ni->ni_associd != 0) 122 if (ni->ni_inact > vap->iv_inact_init) { 123 ni->ni_inact = vap->iv_inact_init; 124 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 125 "%s: inact %u", __func__, ni->ni_inact); 126 } 127 } 128 129 static void 130 sta_drop(void *arg, struct ieee80211_node *ni) 131 { 132 133 if (ni->ni_associd != 0) 134 ieee80211_node_leave(ni); 135 } 136 137 /* 138 * Does a channel change require associated stations to re-associate 139 * so protocol state is correct. This is used when doing CSA across 140 * bands or similar (e.g. HT -> legacy). 141 */ 142 static int 143 isbandchange(struct ieee80211com *ic) 144 { 145 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 146 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 147 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 148 } 149 150 /* 151 * IEEE80211_M_HOSTAP vap state machine handler. 152 */ 153 static int 154 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 155 { 156 struct ieee80211com *ic = vap->iv_ic; 157 enum ieee80211_state ostate; 158 159 IEEE80211_LOCK_ASSERT(ic); 160 161 ostate = vap->iv_state; 162 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 163 __func__, ieee80211_state_name[ostate], 164 ieee80211_state_name[nstate], arg); 165 vap->iv_state = nstate; /* state transition */ 166 if (ostate != IEEE80211_S_SCAN) 167 ieee80211_cancel_scan(vap); /* background scan */ 168 switch (nstate) { 169 case IEEE80211_S_INIT: 170 switch (ostate) { 171 case IEEE80211_S_SCAN: 172 ieee80211_cancel_scan(vap); 173 break; 174 case IEEE80211_S_CAC: 175 ieee80211_dfs_cac_stop(vap); 176 break; 177 case IEEE80211_S_RUN: 178 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 179 sta_disassoc, NULL); 180 break; 181 default: 182 break; 183 } 184 if (ostate != IEEE80211_S_INIT) { 185 /* NB: optimize INIT -> INIT case */ 186 ieee80211_reset_bss(vap); 187 } 188 if (vap->iv_auth->ia_detach != NULL) 189 vap->iv_auth->ia_detach(vap); 190 break; 191 case IEEE80211_S_SCAN: 192 switch (ostate) { 193 case IEEE80211_S_CSA: 194 case IEEE80211_S_RUN: 195 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 196 sta_disassoc, NULL); 197 /* 198 * Clear overlapping BSS state; the beacon frame 199 * will be reconstructed on transition to the RUN 200 * state and the timeout routines check if the flag 201 * is set before doing anything so this is sufficient. 202 */ 203 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 204 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 205 /* XXX TODO: schedule deferred update? */ 206 /* fall thru... */ 207 case IEEE80211_S_CAC: 208 /* 209 * NB: We may get here because of a manual channel 210 * change in which case we need to stop CAC 211 * XXX no need to stop if ostate RUN but it's ok 212 */ 213 ieee80211_dfs_cac_stop(vap); 214 /* fall thru... */ 215 case IEEE80211_S_INIT: 216 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 217 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * ieee80211_create_ibss will call back to 222 * move us to RUN state. 223 */ 224 ieee80211_create_ibss(vap, vap->iv_des_chan); 225 break; 226 } 227 /* 228 * Initiate a scan. We can come here as a result 229 * of an IEEE80211_IOC_SCAN_REQ too in which case 230 * the vap will be marked with IEEE80211_FEXT_SCANREQ 231 * and the scan request parameters will be present 232 * in iv_scanreq. Otherwise we do the default. 233 */ 234 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 235 ieee80211_check_scan(vap, 236 vap->iv_scanreq_flags, 237 vap->iv_scanreq_duration, 238 vap->iv_scanreq_mindwell, 239 vap->iv_scanreq_maxdwell, 240 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 241 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 242 } else 243 ieee80211_check_scan_current(vap); 244 break; 245 case IEEE80211_S_SCAN: 246 /* 247 * A state change requires a reset; scan. 248 */ 249 ieee80211_check_scan_current(vap); 250 break; 251 default: 252 break; 253 } 254 break; 255 case IEEE80211_S_CAC: 256 /* 257 * Start CAC on a DFS channel. We come here when starting 258 * a bss on a DFS channel (see ieee80211_create_ibss). 259 */ 260 ieee80211_dfs_cac_start(vap); 261 break; 262 case IEEE80211_S_RUN: 263 if (vap->iv_flags & IEEE80211_F_WPA) { 264 /* XXX validate prerequisites */ 265 } 266 switch (ostate) { 267 case IEEE80211_S_INIT: 268 /* 269 * Already have a channel; bypass the 270 * scan and startup immediately. 271 * Note that ieee80211_create_ibss will call 272 * back to do a RUN->RUN state change. 273 */ 274 ieee80211_create_ibss(vap, 275 ieee80211_ht_adjust_channel(ic, 276 ic->ic_curchan, vap->iv_flags_ht)); 277 /* NB: iv_bss is changed on return */ 278 break; 279 case IEEE80211_S_CAC: 280 /* 281 * NB: This is the normal state change when CAC 282 * expires and no radar was detected; no need to 283 * clear the CAC timer as it's already expired. 284 */ 285 /* fall thru... */ 286 case IEEE80211_S_CSA: 287 /* 288 * Shorten inactivity timer of associated stations 289 * to weed out sta's that don't follow a CSA. 290 */ 291 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 292 sta_csa, NULL); 293 /* 294 * Update bss node channel to reflect where 295 * we landed after CSA. 296 */ 297 ieee80211_node_set_chan(vap->iv_bss, 298 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 299 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 300 /* XXX bypass debug msgs */ 301 break; 302 case IEEE80211_S_SCAN: 303 case IEEE80211_S_RUN: 304 #ifdef IEEE80211_DEBUG 305 if (ieee80211_msg_debug(vap)) { 306 struct ieee80211_node *ni = vap->iv_bss; 307 ieee80211_note(vap, 308 "synchronized with %s ssid ", 309 ether_sprintf(ni->ni_bssid)); 310 ieee80211_print_essid(ni->ni_essid, 311 ni->ni_esslen); 312 printf(" channel %d start %uMbit/s\n", 313 ieee80211_chan2ieee(ic, ic->ic_curchan), 314 ieee80211_node_get_txrate_kbit(ni) / 1000); 315 } 316 #endif 317 break; 318 default: 319 break; 320 } 321 /* 322 * Start/stop the authenticator. We delay until here 323 * to allow configuration to happen out of order. 324 */ 325 if (vap->iv_auth->ia_attach != NULL) { 326 /* XXX check failure */ 327 vap->iv_auth->ia_attach(vap); 328 } else if (vap->iv_auth->ia_detach != NULL) { 329 vap->iv_auth->ia_detach(vap); 330 } 331 ieee80211_node_authorize(vap->iv_bss); 332 break; 333 case IEEE80211_S_CSA: 334 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 335 /* 336 * On a ``band change'' silently drop associated 337 * stations as they must re-associate before they 338 * can pass traffic (as otherwise protocol state 339 * such as capabilities and the negotiated rate 340 * set may/will be wrong). 341 */ 342 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 343 sta_drop, NULL); 344 } 345 break; 346 default: 347 break; 348 } 349 return 0; 350 } 351 352 static void 353 hostap_deliver_data(struct ieee80211vap *vap, 354 struct ieee80211_node *ni, struct mbuf *m) 355 { 356 struct ether_header *eh = mtod(m, struct ether_header *); 357 struct ifnet *ifp = vap->iv_ifp; 358 359 /* clear driver/net80211 flags before passing up */ 360 m->m_flags &= ~(M_MCAST | M_BCAST); 361 m_clrprotoflags(m); 362 363 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 364 ("gack, opmode %d", vap->iv_opmode)); 365 /* 366 * Do accounting. 367 */ 368 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 369 IEEE80211_NODE_STAT(ni, rx_data); 370 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 371 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 372 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 373 IEEE80211_NODE_STAT(ni, rx_mcast); 374 } else 375 IEEE80211_NODE_STAT(ni, rx_ucast); 376 377 /* perform as a bridge within the AP */ 378 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 379 struct mbuf *mcopy = NULL; 380 381 if (m->m_flags & M_MCAST) { 382 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 383 if (mcopy == NULL) 384 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 385 else 386 mcopy->m_flags |= M_MCAST; 387 } else { 388 /* 389 * Check if the destination is associated with the 390 * same vap and authorized to receive traffic. 391 * Beware of traffic destined for the vap itself; 392 * sending it will not work; just let it be delivered 393 * normally. 394 */ 395 struct ieee80211_node *sta = ieee80211_find_vap_node( 396 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 397 if (sta != NULL) { 398 if (ieee80211_node_is_authorized(sta)) { 399 /* 400 * Beware of sending to ourself; this 401 * needs to happen via the normal 402 * input path. 403 */ 404 if (sta != vap->iv_bss) { 405 mcopy = m; 406 m = NULL; 407 } 408 } else { 409 vap->iv_stats.is_rx_unauth++; 410 IEEE80211_NODE_STAT(sta, rx_unauth); 411 } 412 ieee80211_free_node(sta); 413 } 414 } 415 if (mcopy != NULL) 416 (void) ieee80211_vap_xmitpkt(vap, mcopy); 417 } 418 if (m != NULL) { 419 struct epoch_tracker et; 420 421 /* 422 * Mark frame as coming from vap's interface. 423 */ 424 m->m_pkthdr.rcvif = ifp; 425 if (m->m_flags & M_MCAST) { 426 /* 427 * Spam DWDS vap's w/ multicast traffic. 428 */ 429 /* XXX only if dwds in use? */ 430 ieee80211_dwds_mcast(vap, m); 431 } 432 if (ni->ni_vlan != 0) { 433 /* attach vlan tag */ 434 m->m_pkthdr.ether_vtag = ni->ni_vlan; 435 m->m_flags |= M_VLANTAG; 436 } 437 NET_EPOCH_ENTER(et); 438 ifp->if_input(ifp, m); 439 NET_EPOCH_EXIT(et); 440 } 441 } 442 443 /* 444 * Decide if a received management frame should be 445 * printed when debugging is enabled. This filters some 446 * of the less interesting frames that come frequently 447 * (e.g. beacons). 448 */ 449 static __inline int 450 doprint(struct ieee80211vap *vap, int subtype) 451 { 452 switch (subtype) { 453 case IEEE80211_FC0_SUBTYPE_BEACON: 454 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 455 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 456 return 0; 457 } 458 return 1; 459 } 460 461 /* 462 * Process a received frame. The node associated with the sender 463 * should be supplied. If nothing was found in the node table then 464 * the caller is assumed to supply a reference to iv_bss instead. 465 * The RSSI and a timestamp are also supplied. The RSSI data is used 466 * during AP scanning to select a AP to associate with; it can have 467 * any units so long as values have consistent units and higher values 468 * mean ``better signal''. The receive timestamp is currently not used 469 * by the 802.11 layer. 470 */ 471 static int 472 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 473 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 474 { 475 struct ieee80211vap *vap = ni->ni_vap; 476 struct ieee80211com *ic = ni->ni_ic; 477 struct ifnet *ifp = vap->iv_ifp; 478 struct ieee80211_frame *wh; 479 struct ieee80211_key *key; 480 struct ether_header *eh; 481 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 482 uint8_t dir, type, subtype, qos; 483 uint8_t *bssid; 484 int is_hw_decrypted = 0; 485 int has_decrypted = 0; 486 487 /* 488 * Some devices do hardware decryption all the way through 489 * to pretending the frame wasn't encrypted in the first place. 490 * So, tag it appropriately so it isn't discarded inappropriately. 491 */ 492 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 493 is_hw_decrypted = 1; 494 495 if (m->m_flags & M_AMPDU_MPDU) { 496 /* 497 * Fastpath for A-MPDU reorder q resubmission. Frames 498 * w/ M_AMPDU_MPDU marked have already passed through 499 * here but were received out of order and been held on 500 * the reorder queue. When resubmitted they are marked 501 * with the M_AMPDU_MPDU flag and we can bypass most of 502 * the normal processing. 503 */ 504 wh = mtod(m, struct ieee80211_frame *); 505 type = IEEE80211_FC0_TYPE_DATA; 506 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 507 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 508 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 509 goto resubmit_ampdu; 510 } 511 512 KASSERT(ni != NULL, ("null node")); 513 ni->ni_inact = ni->ni_inact_reload; 514 515 type = -1; /* undefined */ 516 517 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 518 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 519 ni->ni_macaddr, NULL, 520 "too short (1): len %u", m->m_pkthdr.len); 521 vap->iv_stats.is_rx_tooshort++; 522 goto out; 523 } 524 /* 525 * Bit of a cheat here, we use a pointer for a 3-address 526 * frame format but don't reference fields past outside 527 * ieee80211_frame_min w/o first validating the data is 528 * present. 529 */ 530 wh = mtod(m, struct ieee80211_frame *); 531 532 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) { 533 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 534 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 535 wh->i_fc[0], wh->i_fc[1]); 536 vap->iv_stats.is_rx_badversion++; 537 goto err; 538 } 539 540 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 541 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 542 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 543 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 544 if (dir != IEEE80211_FC1_DIR_NODS) 545 bssid = wh->i_addr1; 546 else if (type == IEEE80211_FC0_TYPE_CTL) 547 bssid = wh->i_addr1; 548 else { 549 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 550 IEEE80211_DISCARD_MAC(vap, 551 IEEE80211_MSG_ANY, ni->ni_macaddr, 552 NULL, "too short (2): len %u", 553 m->m_pkthdr.len); 554 vap->iv_stats.is_rx_tooshort++; 555 goto out; 556 } 557 bssid = wh->i_addr3; 558 } 559 /* 560 * Validate the bssid. 561 */ 562 if (!(type == IEEE80211_FC0_TYPE_MGT && 563 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 564 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 565 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 566 /* not interested in */ 567 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 568 bssid, NULL, "%s", "not to bss"); 569 vap->iv_stats.is_rx_wrongbss++; 570 goto out; 571 } 572 573 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 574 ni->ni_noise = nf; 575 if (IEEE80211_HAS_SEQ(type, subtype)) { 576 uint8_t tid = ieee80211_gettid(wh); 577 if (IEEE80211_QOS_HAS_SEQ(wh) && 578 TID_TO_WME_AC(tid) >= WME_AC_VI) 579 ic->ic_wme.wme_hipri_traffic++; 580 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 581 goto out; 582 } 583 } 584 585 switch (type) { 586 case IEEE80211_FC0_TYPE_DATA: 587 hdrspace = ieee80211_hdrspace(ic, wh); 588 if (m->m_len < hdrspace && 589 (m = m_pullup(m, hdrspace)) == NULL) { 590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 591 ni->ni_macaddr, NULL, 592 "data too short: expecting %u", hdrspace); 593 vap->iv_stats.is_rx_tooshort++; 594 goto out; /* XXX */ 595 } 596 if (!(dir == IEEE80211_FC1_DIR_TODS || 597 (dir == IEEE80211_FC1_DIR_DSTODS && 598 (vap->iv_flags & IEEE80211_F_DWDS)))) { 599 if (dir != IEEE80211_FC1_DIR_DSTODS) { 600 IEEE80211_DISCARD(vap, 601 IEEE80211_MSG_INPUT, wh, "data", 602 "incorrect dir 0x%x", dir); 603 } else { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT | 606 IEEE80211_MSG_WDS, wh, 607 "4-address data", 608 "%s", "DWDS not enabled"); 609 } 610 vap->iv_stats.is_rx_wrongdir++; 611 goto out; 612 } 613 /* check if source STA is associated */ 614 if (ni == vap->iv_bss) { 615 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 616 wh, "data", "%s", "unknown src"); 617 ieee80211_send_error(ni, wh->i_addr2, 618 IEEE80211_FC0_SUBTYPE_DEAUTH, 619 IEEE80211_REASON_NOT_AUTHED); 620 vap->iv_stats.is_rx_notassoc++; 621 goto err; 622 } 623 if (ni->ni_associd == 0) { 624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 625 wh, "data", "%s", "unassoc src"); 626 IEEE80211_SEND_MGMT(ni, 627 IEEE80211_FC0_SUBTYPE_DISASSOC, 628 IEEE80211_REASON_NOT_ASSOCED); 629 vap->iv_stats.is_rx_notassoc++; 630 goto err; 631 } 632 633 /* 634 * Check for power save state change. 635 * XXX out-of-order A-MPDU frames? 636 */ 637 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 638 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 639 vap->iv_node_ps(ni, 640 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 641 /* 642 * For 4-address packets handle WDS discovery 643 * notifications. Once a WDS link is setup frames 644 * are just delivered to the WDS vap (see below). 645 */ 646 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 647 if (!ieee80211_node_is_authorized(ni)) { 648 IEEE80211_DISCARD(vap, 649 IEEE80211_MSG_INPUT | 650 IEEE80211_MSG_WDS, wh, 651 "4-address data", 652 "%s", "unauthorized port"); 653 vap->iv_stats.is_rx_unauth++; 654 IEEE80211_NODE_STAT(ni, rx_unauth); 655 goto err; 656 } 657 ieee80211_dwds_discover(ni, m); 658 return type; 659 } 660 661 /* 662 * Handle A-MPDU re-ordering. If the frame is to be 663 * processed directly then ieee80211_ampdu_reorder 664 * will return 0; otherwise it has consumed the mbuf 665 * and we should do nothing more with it. 666 */ 667 if ((m->m_flags & M_AMPDU) && 668 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 669 m = NULL; 670 goto out; 671 } 672 resubmit_ampdu: 673 674 /* 675 * Handle privacy requirements. Note that we 676 * must not be preempted from here until after 677 * we (potentially) call ieee80211_crypto_demic; 678 * otherwise we may violate assumptions in the 679 * crypto cipher modules used to do delayed update 680 * of replay sequence numbers. 681 */ 682 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 683 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 684 /* 685 * Discard encrypted frames when privacy is off. 686 */ 687 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 688 wh, "WEP", "%s", "PRIVACY off"); 689 vap->iv_stats.is_rx_noprivacy++; 690 IEEE80211_NODE_STAT(ni, rx_noprivacy); 691 goto out; 692 } 693 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 694 /* NB: stats+msgs handled in crypto_decap */ 695 IEEE80211_NODE_STAT(ni, rx_wepfail); 696 goto out; 697 } 698 wh = mtod(m, struct ieee80211_frame *); 699 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 700 has_decrypted = 1; 701 } else { 702 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 703 key = NULL; 704 } 705 706 /* 707 * Save QoS bits for use below--before we strip the header. 708 */ 709 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 710 qos = ieee80211_getqos(wh)[0]; 711 else 712 qos = 0; 713 714 /* 715 * Next up, any fragmentation. 716 */ 717 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 718 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 719 if (m == NULL) { 720 /* Fragment dropped or frame not complete yet */ 721 goto out; 722 } 723 } 724 wh = NULL; /* no longer valid, catch any uses */ 725 726 /* 727 * Next strip any MSDU crypto bits. 728 */ 729 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 731 ni->ni_macaddr, "data", "%s", "demic error"); 732 vap->iv_stats.is_rx_demicfail++; 733 IEEE80211_NODE_STAT(ni, rx_demicfail); 734 goto out; 735 } 736 /* copy to listener after decrypt */ 737 if (ieee80211_radiotap_active_vap(vap)) 738 ieee80211_radiotap_rx(vap, m); 739 need_tap = 0; 740 /* 741 * Finally, strip the 802.11 header. 742 */ 743 m = ieee80211_decap(vap, m, hdrspace, qos); 744 if (m == NULL) { 745 /* XXX mask bit to check for both */ 746 /* don't count Null data frames as errors */ 747 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 748 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 749 goto out; 750 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 751 ni->ni_macaddr, "data", "%s", "decap error"); 752 vap->iv_stats.is_rx_decap++; 753 IEEE80211_NODE_STAT(ni, rx_decap); 754 goto err; 755 } 756 if (!(qos & IEEE80211_QOS_AMSDU)) 757 eh = mtod(m, struct ether_header *); 758 else 759 eh = NULL; 760 if (!ieee80211_node_is_authorized(ni)) { 761 /* 762 * Deny any non-PAE frames received prior to 763 * authorization. For open/shared-key 764 * authentication the port is mark authorized 765 * after authentication completes. For 802.1x 766 * the port is not marked authorized by the 767 * authenticator until the handshake has completed. 768 */ 769 if (eh == NULL || 770 eh->ether_type != htons(ETHERTYPE_PAE)) { 771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 772 ni->ni_macaddr, "data", "unauthorized or " 773 "unknown port: ether type 0x%x len %u", 774 eh == NULL ? -1 : eh->ether_type, 775 m->m_pkthdr.len); 776 vap->iv_stats.is_rx_unauth++; 777 IEEE80211_NODE_STAT(ni, rx_unauth); 778 goto err; 779 } 780 } else { 781 /* 782 * When denying unencrypted frames, discard 783 * any non-PAE frames received without encryption. 784 */ 785 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 786 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 787 (is_hw_decrypted == 0) && 788 (eh == NULL || 789 eh->ether_type != htons(ETHERTYPE_PAE))) { 790 /* 791 * Drop unencrypted frames. 792 */ 793 vap->iv_stats.is_rx_unencrypted++; 794 IEEE80211_NODE_STAT(ni, rx_unencrypted); 795 goto out; 796 } 797 } 798 /* XXX require HT? */ 799 if (qos & IEEE80211_QOS_AMSDU) { 800 m = ieee80211_decap_amsdu(ni, m); 801 if (m == NULL) 802 return IEEE80211_FC0_TYPE_DATA; 803 } else { 804 #ifdef IEEE80211_SUPPORT_SUPERG 805 m = ieee80211_decap_fastframe(vap, ni, m); 806 if (m == NULL) 807 return IEEE80211_FC0_TYPE_DATA; 808 #endif 809 } 810 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 811 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 812 else 813 hostap_deliver_data(vap, ni, m); 814 return IEEE80211_FC0_TYPE_DATA; 815 816 case IEEE80211_FC0_TYPE_MGT: 817 vap->iv_stats.is_rx_mgmt++; 818 IEEE80211_NODE_STAT(ni, rx_mgmt); 819 if (dir != IEEE80211_FC1_DIR_NODS) { 820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 821 wh, "mgt", "incorrect dir 0x%x", dir); 822 vap->iv_stats.is_rx_wrongdir++; 823 goto err; 824 } 825 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 826 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 827 ni->ni_macaddr, "mgt", "too short: len %u", 828 m->m_pkthdr.len); 829 vap->iv_stats.is_rx_tooshort++; 830 goto out; 831 } 832 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 833 /* ensure return frames are unicast */ 834 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 835 wh, NULL, "source is multicast: %s", 836 ether_sprintf(wh->i_addr2)); 837 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 838 goto out; 839 } 840 #ifdef IEEE80211_DEBUG 841 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 842 ieee80211_msg_dumppkts(vap)) { 843 if_printf(ifp, "received %s from %s rssi %d\n", 844 ieee80211_mgt_subtype_name(subtype), 845 ether_sprintf(wh->i_addr2), rssi); 846 } 847 #endif 848 if (IEEE80211_IS_PROTECTED(wh)) { 849 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 850 /* 851 * Only shared key auth frames with a challenge 852 * should be encrypted, discard all others. 853 */ 854 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 855 wh, NULL, 856 "%s", "WEP set but not permitted"); 857 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 858 goto out; 859 } 860 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 861 /* 862 * Discard encrypted frames when privacy is off. 863 */ 864 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, "%s", "WEP set but PRIVACY off"); 866 vap->iv_stats.is_rx_noprivacy++; 867 goto out; 868 } 869 hdrspace = ieee80211_hdrspace(ic, wh); 870 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 871 /* NB: stats+msgs handled in crypto_decap */ 872 goto out; 873 } 874 wh = mtod(m, struct ieee80211_frame *); 875 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 876 has_decrypted = 1; 877 } 878 /* 879 * Pass the packet to radiotap before calling iv_recv_mgmt(). 880 * Otherwise iv_recv_mgmt() might pass another packet to 881 * radiotap, resulting in out of order packet captures. 882 */ 883 if (ieee80211_radiotap_active_vap(vap)) 884 ieee80211_radiotap_rx(vap, m); 885 need_tap = 0; 886 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 887 goto out; 888 889 case IEEE80211_FC0_TYPE_CTL: 890 vap->iv_stats.is_rx_ctl++; 891 IEEE80211_NODE_STAT(ni, rx_ctrl); 892 vap->iv_recv_ctl(ni, m, subtype); 893 goto out; 894 default: 895 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 896 wh, "bad", "frame type 0x%x", type); 897 /* should not come here */ 898 break; 899 } 900 err: 901 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 902 out: 903 if (m != NULL) { 904 if (need_tap && ieee80211_radiotap_active_vap(vap)) 905 ieee80211_radiotap_rx(vap, m); 906 m_freem(m); 907 } 908 return type; 909 } 910 911 static void 912 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 913 int rssi, int nf, uint16_t seq, uint16_t status) 914 { 915 struct ieee80211vap *vap = ni->ni_vap; 916 917 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 918 919 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 920 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 921 ni->ni_macaddr, "open auth", 922 "bad sta auth mode %u", ni->ni_authmode); 923 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 924 /* 925 * Clear any challenge text that may be there if 926 * a previous shared key auth failed and then an 927 * open auth is attempted. 928 */ 929 if (ni->ni_challenge != NULL) { 930 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 931 ni->ni_challenge = NULL; 932 } 933 /* XXX hack to workaround calling convention */ 934 ieee80211_send_error(ni, wh->i_addr2, 935 IEEE80211_FC0_SUBTYPE_AUTH, 936 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 937 return; 938 } 939 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 940 vap->iv_stats.is_rx_bad_auth++; 941 return; 942 } 943 /* always accept open authentication requests */ 944 if (ni == vap->iv_bss) { 945 ni = ieee80211_dup_bss(vap, wh->i_addr2); 946 if (ni == NULL) 947 return; 948 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 949 (void) ieee80211_ref_node(ni); 950 /* 951 * Mark the node as referenced to reflect that it's 952 * reference count has been bumped to insure it remains 953 * after the transaction completes. 954 */ 955 ni->ni_flags |= IEEE80211_NODE_AREF; 956 /* 957 * Mark the node as requiring a valid association id 958 * before outbound traffic is permitted. 959 */ 960 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 961 962 if (vap->iv_acl != NULL && 963 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 964 /* 965 * When the ACL policy is set to RADIUS we defer the 966 * authorization to a user agent. Dispatch an event, 967 * a subsequent MLME call will decide the fate of the 968 * station. If the user agent is not present then the 969 * node will be reclaimed due to inactivity. 970 */ 971 IEEE80211_NOTE_MAC(vap, 972 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 973 "%s", "station authentication deferred (radius acl)"); 974 ieee80211_notify_node_auth(ni); 975 } else { 976 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 977 IEEE80211_NOTE_MAC(vap, 978 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 979 "%s", "station authenticated (open)"); 980 /* 981 * When 802.1x is not in use mark the port 982 * authorized at this point so traffic can flow. 983 */ 984 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 985 ieee80211_node_authorize(ni); 986 } 987 } 988 989 static void 990 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 991 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 992 uint16_t seq, uint16_t status) 993 { 994 struct ieee80211vap *vap = ni->ni_vap; 995 uint8_t *challenge; 996 int estatus; 997 998 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 999 1000 /* 1001 * NB: this can happen as we allow pre-shared key 1002 * authentication to be enabled w/o wep being turned 1003 * on so that configuration of these can be done 1004 * in any order. It may be better to enforce the 1005 * ordering in which case this check would just be 1006 * for sanity/consistency. 1007 */ 1008 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1009 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1010 ni->ni_macaddr, "shared key auth", 1011 "%s", " PRIVACY is disabled"); 1012 estatus = IEEE80211_STATUS_ALG; 1013 goto bad; 1014 } 1015 /* 1016 * Pre-shared key authentication is evil; accept 1017 * it only if explicitly configured (it is supported 1018 * mainly for compatibility with clients like Mac OS X). 1019 */ 1020 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1021 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1022 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1023 ni->ni_macaddr, "shared key auth", 1024 "bad sta auth mode %u", ni->ni_authmode); 1025 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1026 estatus = IEEE80211_STATUS_ALG; 1027 goto bad; 1028 } 1029 1030 challenge = NULL; 1031 if (frm + 1 < efrm) { 1032 if ((frm[1] + 2) > (efrm - frm)) { 1033 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1034 ni->ni_macaddr, "shared key auth", 1035 "ie %d/%d too long", 1036 frm[0], (frm[1] + 2) - (efrm - frm)); 1037 vap->iv_stats.is_rx_bad_auth++; 1038 estatus = IEEE80211_STATUS_CHALLENGE; 1039 goto bad; 1040 } 1041 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1042 challenge = frm; 1043 frm += frm[1] + 2; 1044 } 1045 switch (seq) { 1046 case IEEE80211_AUTH_SHARED_CHALLENGE: 1047 case IEEE80211_AUTH_SHARED_RESPONSE: 1048 if (challenge == NULL) { 1049 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1050 ni->ni_macaddr, "shared key auth", 1051 "%s", "no challenge"); 1052 vap->iv_stats.is_rx_bad_auth++; 1053 estatus = IEEE80211_STATUS_CHALLENGE; 1054 goto bad; 1055 } 1056 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1057 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1058 ni->ni_macaddr, "shared key auth", 1059 "bad challenge len %d", challenge[1]); 1060 vap->iv_stats.is_rx_bad_auth++; 1061 estatus = IEEE80211_STATUS_CHALLENGE; 1062 goto bad; 1063 } 1064 default: 1065 break; 1066 } 1067 switch (seq) { 1068 case IEEE80211_AUTH_SHARED_REQUEST: 1069 { 1070 #ifdef IEEE80211_DEBUG 1071 bool allocbs; 1072 #endif 1073 1074 if (ni == vap->iv_bss) { 1075 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1076 if (ni == NULL) { 1077 /* NB: no way to return an error */ 1078 return; 1079 } 1080 #ifdef IEEE80211_DEBUG 1081 allocbs = 1; 1082 #endif 1083 } else { 1084 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1085 (void) ieee80211_ref_node(ni); 1086 #ifdef IEEE80211_DEBUG 1087 allocbs = 0; 1088 #endif 1089 } 1090 /* 1091 * Mark the node as referenced to reflect that it's 1092 * reference count has been bumped to insure it remains 1093 * after the transaction completes. 1094 */ 1095 ni->ni_flags |= IEEE80211_NODE_AREF; 1096 /* 1097 * Mark the node as requiring a valid association id 1098 * before outbound traffic is permitted. 1099 */ 1100 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1101 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1102 ni->ni_noise = nf; 1103 if (!ieee80211_alloc_challenge(ni)) { 1104 /* NB: don't return error so they rexmit */ 1105 return; 1106 } 1107 net80211_get_random_bytes(ni->ni_challenge, 1108 IEEE80211_CHALLENGE_LEN); 1109 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1110 ni, "shared key %sauth request", allocbs ? "" : "re"); 1111 /* 1112 * When the ACL policy is set to RADIUS we defer the 1113 * authorization to a user agent. Dispatch an event, 1114 * a subsequent MLME call will decide the fate of the 1115 * station. If the user agent is not present then the 1116 * node will be reclaimed due to inactivity. 1117 */ 1118 if (vap->iv_acl != NULL && 1119 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1120 IEEE80211_NOTE_MAC(vap, 1121 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1122 ni->ni_macaddr, 1123 "%s", "station authentication deferred (radius acl)"); 1124 ieee80211_notify_node_auth(ni); 1125 return; 1126 } 1127 break; 1128 } 1129 case IEEE80211_AUTH_SHARED_RESPONSE: 1130 if (ni == vap->iv_bss) { 1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1132 ni->ni_macaddr, "shared key response", 1133 "%s", "unknown station"); 1134 /* NB: don't send a response */ 1135 return; 1136 } 1137 if (ni->ni_challenge == NULL) { 1138 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1139 ni->ni_macaddr, "shared key response", 1140 "%s", "no challenge recorded"); 1141 vap->iv_stats.is_rx_bad_auth++; 1142 estatus = IEEE80211_STATUS_CHALLENGE; 1143 goto bad; 1144 } 1145 if (memcmp(ni->ni_challenge, &challenge[2], 1146 challenge[1]) != 0) { 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key response", 1149 "%s", "challenge mismatch"); 1150 vap->iv_stats.is_rx_auth_fail++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1155 ni, "%s", "station authenticated (shared key)"); 1156 ieee80211_node_authorize(ni); 1157 break; 1158 default: 1159 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1160 ni->ni_macaddr, "shared key auth", 1161 "bad seq %d", seq); 1162 vap->iv_stats.is_rx_bad_auth++; 1163 estatus = IEEE80211_STATUS_SEQUENCE; 1164 goto bad; 1165 } 1166 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1167 return; 1168 bad: 1169 /* 1170 * Send an error response; but only when operating as an AP. 1171 */ 1172 /* XXX hack to workaround calling convention */ 1173 ieee80211_send_error(ni, wh->i_addr2, 1174 IEEE80211_FC0_SUBTYPE_AUTH, 1175 (seq + 1) | (estatus<<16)); 1176 } 1177 1178 /* 1179 * Convert a WPA cipher selector OUI to an internal 1180 * cipher algorithm. Where appropriate we also 1181 * record any key length. 1182 */ 1183 static int 1184 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1185 { 1186 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1187 uint32_t w = le32dec(sel); 1188 1189 switch (w) { 1190 case WPA_SEL(WPA_CSE_NULL): 1191 *cipher = IEEE80211_CIPHER_NONE; 1192 break; 1193 case WPA_SEL(WPA_CSE_WEP40): 1194 if (keylen) 1195 *keylen = 40 / NBBY; 1196 *cipher = IEEE80211_CIPHER_WEP; 1197 break; 1198 case WPA_SEL(WPA_CSE_WEP104): 1199 if (keylen) 1200 *keylen = 104 / NBBY; 1201 *cipher = IEEE80211_CIPHER_WEP; 1202 break; 1203 case WPA_SEL(WPA_CSE_TKIP): 1204 *cipher = IEEE80211_CIPHER_TKIP; 1205 break; 1206 case WPA_SEL(WPA_CSE_CCMP): 1207 *cipher = IEEE80211_CIPHER_AES_CCM; 1208 break; 1209 /* Note: no GCM cipher in the legacy WPA1 OUI */ 1210 default: 1211 return (EINVAL); 1212 } 1213 1214 return (0); 1215 #undef WPA_SEL 1216 } 1217 1218 /* 1219 * Convert a WPA key management/authentication algorithm 1220 * to an internal code. 1221 */ 1222 static int 1223 wpa_keymgmt(const uint8_t *sel) 1224 { 1225 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1226 uint32_t w = le32dec(sel); 1227 1228 switch (w) { 1229 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1230 return WPA_ASE_8021X_UNSPEC; 1231 case WPA_SEL(WPA_ASE_8021X_PSK): 1232 return WPA_ASE_8021X_PSK; 1233 case WPA_SEL(WPA_ASE_NONE): 1234 return WPA_ASE_NONE; 1235 } 1236 return 0; /* NB: so is discarded */ 1237 #undef WPA_SEL 1238 } 1239 1240 /* 1241 * Parse a WPA information element to collect parameters. 1242 * Note that we do not validate security parameters; that 1243 * is handled by the authenticator; the parsing done here 1244 * is just for internal use in making operational decisions. 1245 */ 1246 static int 1247 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1248 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1249 { 1250 uint8_t len = frm[1]; 1251 uint32_t w; 1252 int error, n; 1253 1254 /* 1255 * Check the length once for fixed parts: OUI, type, 1256 * version, mcast cipher, and 2 selector counts. 1257 * Other, variable-length data, must be checked separately. 1258 */ 1259 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1260 IEEE80211_DISCARD_IE(vap, 1261 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1262 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1263 return IEEE80211_REASON_IE_INVALID; 1264 } 1265 if (len < 14) { 1266 IEEE80211_DISCARD_IE(vap, 1267 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1268 wh, "WPA", "too short, len %u", len); 1269 return IEEE80211_REASON_IE_INVALID; 1270 } 1271 frm += 6, len -= 4; /* NB: len is payload only */ 1272 /* NB: iswpaoui already validated the OUI and type */ 1273 w = le16dec(frm); 1274 if (w != WPA_VERSION) { 1275 IEEE80211_DISCARD_IE(vap, 1276 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1277 wh, "WPA", "bad version %u", w); 1278 return IEEE80211_REASON_IE_INVALID; 1279 } 1280 frm += 2, len -= 2; 1281 1282 memset(rsn, 0, sizeof(*rsn)); 1283 1284 /* multicast/group cipher */ 1285 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1286 if (error != 0) { 1287 IEEE80211_DISCARD_IE(vap, 1288 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1289 wh, "WPA", "unknown mcast cipher suite %08X", 1290 le32dec(frm)); 1291 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1292 } 1293 frm += 4, len -= 4; 1294 1295 /* unicast ciphers */ 1296 n = le16dec(frm); 1297 frm += 2, len -= 2; 1298 if (len < n*4+2) { 1299 IEEE80211_DISCARD_IE(vap, 1300 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1301 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1302 len, n); 1303 return IEEE80211_REASON_IE_INVALID; 1304 } 1305 w = 0; 1306 for (; n > 0; n--) { 1307 uint8_t cipher; 1308 1309 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1310 if (error == 0) 1311 w |= 1 << cipher; 1312 1313 frm += 4, len -= 4; 1314 } 1315 if (w == 0) { 1316 IEEE80211_DISCARD_IE(vap, 1317 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1318 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1319 w); 1320 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1321 } 1322 /* XXX other? */ 1323 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1324 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1325 else 1326 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1327 1328 /* key management algorithms */ 1329 n = le16dec(frm); 1330 frm += 2, len -= 2; 1331 if (len < n*4) { 1332 IEEE80211_DISCARD_IE(vap, 1333 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1334 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1335 len, n); 1336 return IEEE80211_REASON_IE_INVALID; 1337 } 1338 w = 0; 1339 for (; n > 0; n--) { 1340 w |= wpa_keymgmt(frm); 1341 frm += 4, len -= 4; 1342 } 1343 if (w & WPA_ASE_8021X_UNSPEC) 1344 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1345 else 1346 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1347 1348 if (len > 2) /* optional capabilities */ 1349 rsn->rsn_caps = le16dec(frm); 1350 1351 return 0; 1352 } 1353 1354 /* 1355 * Convert an RSN cipher selector OUI to an internal 1356 * cipher algorithm. Where appropriate we also 1357 * record any key length. 1358 */ 1359 static int 1360 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1361 { 1362 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1363 uint32_t w = le32dec(sel); 1364 1365 switch (w) { 1366 case RSN_SEL(RSN_CSE_NULL): 1367 *cipher = IEEE80211_CIPHER_NONE; 1368 break; 1369 case RSN_SEL(RSN_CSE_WEP40): 1370 if (keylen) 1371 *keylen = 40 / NBBY; 1372 *cipher = IEEE80211_CIPHER_WEP; 1373 break; 1374 case RSN_SEL(RSN_CSE_WEP104): 1375 if (keylen) 1376 *keylen = 104 / NBBY; 1377 *cipher = IEEE80211_CIPHER_WEP; 1378 break; 1379 case RSN_SEL(RSN_CSE_TKIP): 1380 *cipher = IEEE80211_CIPHER_TKIP; 1381 break; 1382 case RSN_SEL(RSN_CSE_CCMP): 1383 *cipher = IEEE80211_CIPHER_AES_CCM; 1384 break; 1385 case RSN_SEL(RSN_CSE_WRAP): 1386 *cipher = IEEE80211_CIPHER_AES_OCB; 1387 break; 1388 case RSN_SEL(RSN_CSE_GCMP_128): 1389 *cipher = IEEE80211_CIPHER_AES_GCM_128; 1390 break; 1391 default: 1392 return (EINVAL); 1393 } 1394 1395 return (0); 1396 #undef WPA_SEL 1397 } 1398 1399 /* 1400 * Convert an RSN key management/authentication algorithm 1401 * to an internal code. 1402 */ 1403 static int 1404 rsn_keymgmt(const uint8_t *sel) 1405 { 1406 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1407 uint32_t w = le32dec(sel); 1408 1409 switch (w) { 1410 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1411 return RSN_ASE_8021X_UNSPEC; 1412 case RSN_SEL(RSN_ASE_8021X_PSK): 1413 return RSN_ASE_8021X_PSK; 1414 case RSN_SEL(RSN_ASE_NONE): 1415 return RSN_ASE_NONE; 1416 } 1417 return 0; /* NB: so is discarded */ 1418 #undef RSN_SEL 1419 } 1420 1421 /* 1422 * Parse a WPA/RSN information element to collect parameters 1423 * and validate the parameters against what has been 1424 * configured for the system. 1425 */ 1426 static int 1427 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1428 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1429 { 1430 uint8_t len = frm[1]; 1431 uint32_t w; 1432 int error, n; 1433 1434 /* 1435 * Check the length once for fixed parts: 1436 * version, mcast cipher, and 2 selector counts. 1437 * Other, variable-length data, must be checked separately. 1438 */ 1439 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1440 IEEE80211_DISCARD_IE(vap, 1441 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1442 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1443 return IEEE80211_REASON_IE_INVALID; 1444 } 1445 /* XXX may be shorter */ 1446 if (len < 10) { 1447 IEEE80211_DISCARD_IE(vap, 1448 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1449 wh, "RSN", "too short, len %u", len); 1450 return IEEE80211_REASON_IE_INVALID; 1451 } 1452 frm += 2; 1453 w = le16dec(frm); 1454 if (w != RSN_VERSION) { 1455 IEEE80211_DISCARD_IE(vap, 1456 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1457 wh, "RSN", "bad version %u", w); 1458 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1459 } 1460 frm += 2, len -= 2; 1461 1462 memset(rsn, 0, sizeof(*rsn)); 1463 1464 /* multicast/group cipher */ 1465 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1466 if (error != 0) { 1467 IEEE80211_DISCARD_IE(vap, 1468 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1469 wh, "RSN", "unknown mcast cipher suite %08X", 1470 le32dec(frm)); 1471 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1472 } 1473 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1474 IEEE80211_DISCARD_IE(vap, 1475 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1476 wh, "RSN", "invalid mcast cipher suite %d", 1477 rsn->rsn_mcastcipher); 1478 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1479 } 1480 frm += 4, len -= 4; 1481 1482 /* unicast ciphers */ 1483 n = le16dec(frm); 1484 frm += 2, len -= 2; 1485 if (len < n*4+2) { 1486 IEEE80211_DISCARD_IE(vap, 1487 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1488 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1489 len, n); 1490 return IEEE80211_REASON_IE_INVALID; 1491 } 1492 w = 0; 1493 1494 for (; n > 0; n--) { 1495 uint8_t cipher; 1496 1497 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1498 if (error == 0) 1499 w |= 1 << cipher; 1500 1501 frm += 4, len -= 4; 1502 } 1503 if (w & (1 << IEEE80211_CIPHER_AES_GCM_128)) 1504 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_GCM_128; 1505 else if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1506 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1507 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1508 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1509 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1510 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1511 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1512 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1513 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1514 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1515 else { 1516 IEEE80211_DISCARD_IE(vap, 1517 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1518 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1519 w); 1520 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1521 } 1522 1523 /* key management algorithms */ 1524 n = le16dec(frm); 1525 frm += 2, len -= 2; 1526 if (len < n*4) { 1527 IEEE80211_DISCARD_IE(vap, 1528 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1529 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1530 len, n); 1531 return IEEE80211_REASON_IE_INVALID; 1532 } 1533 w = 0; 1534 for (; n > 0; n--) { 1535 w |= rsn_keymgmt(frm); 1536 frm += 4, len -= 4; 1537 } 1538 if (w & RSN_ASE_8021X_UNSPEC) 1539 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1540 else 1541 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1542 1543 /* optional RSN capabilities */ 1544 if (len >= 2) { 1545 rsn->rsn_caps = le16dec(frm); 1546 frm += 2, len -= 2; 1547 } 1548 1549 /* XXX PMK Count / PMKID */ 1550 1551 /* XXX Group Cipher Management Suite */ 1552 1553 return 0; 1554 } 1555 1556 /* 1557 * WPA/802.11i association request processing. 1558 */ 1559 static int 1560 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1561 const struct ieee80211_frame *wh, const uint8_t *wpa, 1562 const uint8_t *rsn, uint16_t capinfo) 1563 { 1564 struct ieee80211vap *vap = ni->ni_vap; 1565 uint8_t reason; 1566 int badwparsn; 1567 1568 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1569 if (wpa == NULL && rsn == NULL) { 1570 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1571 /* 1572 * W-Fi Protected Setup (WPS) permits 1573 * clients to associate and pass EAPOL frames 1574 * to establish initial credentials. 1575 */ 1576 ni->ni_flags |= IEEE80211_NODE_WPS; 1577 return 1; 1578 } 1579 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1580 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1581 /* 1582 * Transitional Security Network. Permits clients 1583 * to associate and use WEP while WPA is configured. 1584 */ 1585 ni->ni_flags |= IEEE80211_NODE_TSN; 1586 return 1; 1587 } 1588 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1589 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1590 vap->iv_stats.is_rx_assoc_badwpaie++; 1591 reason = IEEE80211_REASON_IE_INVALID; 1592 goto bad; 1593 } 1594 /* assert right association security credentials */ 1595 badwparsn = 0; /* NB: to silence compiler */ 1596 switch (vap->iv_flags & IEEE80211_F_WPA) { 1597 case IEEE80211_F_WPA1: 1598 badwparsn = (wpa == NULL); 1599 break; 1600 case IEEE80211_F_WPA2: 1601 badwparsn = (rsn == NULL); 1602 break; 1603 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1604 badwparsn = (wpa == NULL && rsn == NULL); 1605 break; 1606 } 1607 if (badwparsn) { 1608 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1609 wh, NULL, 1610 "%s", "missing WPA/RSN IE in association request"); 1611 vap->iv_stats.is_rx_assoc_badwpaie++; 1612 reason = IEEE80211_REASON_IE_INVALID; 1613 goto bad; 1614 } 1615 /* 1616 * Parse WPA/RSN information element. 1617 */ 1618 if (wpa != NULL) 1619 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1620 else 1621 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1622 if (reason != 0) { 1623 /* XXX wpa->rsn fallback? */ 1624 /* XXX distinguish WPA/RSN? */ 1625 vap->iv_stats.is_rx_assoc_badwpaie++; 1626 goto bad; 1627 } 1628 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1629 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1630 wpa != NULL ? "WPA" : "RSN", 1631 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1632 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1633 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1634 1635 return 1; 1636 bad: 1637 ieee80211_node_deauth(ni, reason); 1638 return 0; 1639 } 1640 1641 /* XXX find a better place for definition */ 1642 struct l2_update_frame { 1643 struct ether_header eh; 1644 uint8_t dsap; 1645 uint8_t ssap; 1646 uint8_t control; 1647 uint8_t xid[3]; 1648 } __packed; 1649 1650 /* 1651 * Deliver a TGf L2UF frame on behalf of a station. 1652 * This primes any bridge when the station is roaming 1653 * between ap's on the same wired network. 1654 */ 1655 static void 1656 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1657 { 1658 struct ieee80211vap *vap = ni->ni_vap; 1659 struct ifnet *ifp = vap->iv_ifp; 1660 struct mbuf *m; 1661 struct l2_update_frame *l2uf; 1662 struct ether_header *eh; 1663 1664 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1665 if (m == NULL) { 1666 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1667 "%s", "no mbuf for l2uf frame"); 1668 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1669 return; 1670 } 1671 l2uf = mtod(m, struct l2_update_frame *); 1672 eh = &l2uf->eh; 1673 /* dst: Broadcast address */ 1674 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1675 /* src: associated STA */ 1676 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1677 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1678 1679 l2uf->dsap = 0; 1680 l2uf->ssap = 0; 1681 l2uf->control = 0xf5; 1682 l2uf->xid[0] = 0x81; 1683 l2uf->xid[1] = 0x80; 1684 l2uf->xid[2] = 0x00; 1685 1686 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1687 hostap_deliver_data(vap, ni, m); 1688 } 1689 1690 static void 1691 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1692 int reassoc, int resp, const char *tag, int rate) 1693 { 1694 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1695 "deny %s request, %s rate set mismatch, rate/MCS %d", 1696 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1697 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1698 ieee80211_node_leave(ni); 1699 } 1700 1701 static void 1702 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1703 int reassoc, int resp, const char *tag, int capinfo) 1704 { 1705 struct ieee80211vap *vap = ni->ni_vap; 1706 1707 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1708 "deny %s request, %s mismatch 0x%x", 1709 reassoc ? "reassoc" : "assoc", tag, capinfo); 1710 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1711 ieee80211_node_leave(ni); 1712 vap->iv_stats.is_rx_assoc_capmismatch++; 1713 } 1714 1715 static void 1716 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1717 int reassoc, int resp) 1718 { 1719 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1720 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1721 /* XXX no better code */ 1722 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1723 ieee80211_node_leave(ni); 1724 } 1725 1726 static void 1727 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1728 int algo, int seq, int status) 1729 { 1730 struct ieee80211vap *vap = ni->ni_vap; 1731 1732 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1733 wh, NULL, "unsupported alg %d", algo); 1734 vap->iv_stats.is_rx_auth_unsupported++; 1735 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1736 seq | (status << 16)); 1737 } 1738 1739 static __inline int 1740 ishtmixed(const uint8_t *ie) 1741 { 1742 const struct ieee80211_ie_htinfo *ht = 1743 (const struct ieee80211_ie_htinfo *) ie; 1744 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1745 IEEE80211_HTINFO_OPMODE_MIXED; 1746 } 1747 1748 static int 1749 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1750 { 1751 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1752 int i; 1753 1754 /* NB: the 11b clients we care about will not have xrates */ 1755 if (xrates != NULL || rates == NULL) 1756 return 0; 1757 for (i = 0; i < rates[1]; i++) { 1758 int r = rates[2+i] & IEEE80211_RATE_VAL; 1759 if (r > 2*11 || ((1<<r) & brates) == 0) 1760 return 0; 1761 } 1762 return 1; 1763 } 1764 1765 /** 1766 * Check if the given cipher is valid for 802.11 HT operation. 1767 * 1768 * The 802.11 specification only allows HT A-MPDU to be performed 1769 * on CCMP / GCMP encrypted frames. The WEP/TKIP hardware crypto 1770 * implementations may not meet the timing required for A-MPDU 1771 * operation. 1772 * 1773 * @param cipher the IEEE80211_CIPHER_ value to check 1774 * @returns true if the cipher is valid for HT A-MPDU, false otherwise 1775 */ 1776 static bool 1777 hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher) 1778 { 1779 switch (cipher) { 1780 case IEEE80211_CIPHER_AES_CCM: 1781 case IEEE80211_CIPHER_AES_GCM_128: 1782 return true; 1783 default: 1784 return false; 1785 } 1786 } 1787 1788 static void 1789 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1790 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1791 { 1792 struct ieee80211vap *vap = ni->ni_vap; 1793 struct ieee80211com *ic = ni->ni_ic; 1794 struct ieee80211_frame *wh; 1795 uint8_t *frm, *efrm, *sfrm; 1796 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1797 uint8_t *vhtcap, *vhtinfo; 1798 int reassoc, resp; 1799 uint8_t rate; 1800 1801 wh = mtod(m0, struct ieee80211_frame *); 1802 frm = (uint8_t *)&wh[1]; 1803 efrm = mtod(m0, uint8_t *) + m0->m_len; 1804 switch (subtype) { 1805 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1806 /* 1807 * We process beacon/probe response frames when scanning; 1808 * otherwise we check beacon frames for overlapping non-ERP 1809 * BSS in 11g and/or overlapping legacy BSS when in HT. 1810 */ 1811 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1812 vap->iv_stats.is_rx_mgtdiscard++; 1813 return; 1814 } 1815 /* FALLTHROUGH */ 1816 case IEEE80211_FC0_SUBTYPE_BEACON: { 1817 struct ieee80211_scanparams scan; 1818 1819 /* NB: accept off-channel frames */ 1820 /* XXX TODO: use rxstatus to determine off-channel details */ 1821 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1822 return; 1823 /* 1824 * Count frame now that we know it's to be processed. 1825 */ 1826 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1827 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1828 IEEE80211_NODE_STAT(ni, rx_beacons); 1829 } else 1830 IEEE80211_NODE_STAT(ni, rx_proberesp); 1831 /* 1832 * If scanning, just pass information to the scan module. 1833 */ 1834 if (ic->ic_flags & IEEE80211_F_SCAN) { 1835 if (scan.status == 0 && /* NB: on channel */ 1836 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1837 /* 1838 * Actively scanning a channel marked passive; 1839 * send a probe request now that we know there 1840 * is 802.11 traffic present. 1841 * 1842 * XXX check if the beacon we recv'd gives 1843 * us what we need and suppress the probe req 1844 */ 1845 ieee80211_probe_curchan(vap, true); 1846 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1847 } 1848 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1849 subtype, rssi, nf); 1850 return; 1851 } 1852 /* 1853 * Check beacon for overlapping bss w/ non ERP stations. 1854 * If we detect one and protection is configured but not 1855 * enabled, enable it and start a timer that'll bring us 1856 * out if we stop seeing the bss. 1857 */ 1858 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1859 scan.status == 0 && /* NB: on-channel */ 1860 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1861 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1862 vap->iv_lastnonerp = ticks; 1863 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1864 /* 1865 * XXX TODO: this may need to check all VAPs? 1866 */ 1867 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1868 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1869 IEEE80211_NOTE_FRAME(vap, 1870 IEEE80211_MSG_ASSOC, wh, 1871 "non-ERP present on channel %d " 1872 "(saw erp 0x%x from channel %d), " 1873 "enable use of protection", 1874 ic->ic_curchan->ic_ieee, 1875 scan.erp, scan.chan); 1876 vap->iv_flags |= IEEE80211_F_USEPROT; 1877 ieee80211_vap_update_erp_protmode(vap); 1878 } 1879 } 1880 /* 1881 * Check beacon for non-HT station on HT channel 1882 * and update HT BSS occupancy as appropriate. 1883 */ 1884 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1885 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1886 /* 1887 * Off control channel; only check frames 1888 * that come in the extension channel when 1889 * operating w/ HT40. 1890 */ 1891 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1892 break; 1893 if (scan.chan != ic->ic_curchan->ic_extieee) 1894 break; 1895 } 1896 if (scan.htinfo == NULL) { 1897 ieee80211_htprot_update(vap, 1898 IEEE80211_HTINFO_OPMODE_PROTOPT | 1899 IEEE80211_HTINFO_NONHT_PRESENT); 1900 } else if (ishtmixed(scan.htinfo)) { 1901 /* XXX? take NONHT_PRESENT from beacon? */ 1902 ieee80211_htprot_update(vap, 1903 IEEE80211_HTINFO_OPMODE_MIXED | 1904 IEEE80211_HTINFO_NONHT_PRESENT); 1905 } 1906 } 1907 break; 1908 } 1909 1910 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1911 if (vap->iv_state != IEEE80211_S_RUN) { 1912 vap->iv_stats.is_rx_mgtdiscard++; 1913 return; 1914 } 1915 /* 1916 * Consult the ACL policy module if setup. 1917 */ 1918 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1919 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1920 wh, NULL, "%s", "disallowed by ACL"); 1921 vap->iv_stats.is_rx_acl++; 1922 return; 1923 } 1924 /* 1925 * prreq frame format 1926 * [tlv] ssid 1927 * [tlv] supported rates 1928 * [tlv] extended supported rates 1929 */ 1930 ssid = rates = xrates = NULL; 1931 while (efrm - frm > 1) { 1932 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1933 switch (*frm) { 1934 case IEEE80211_ELEMID_SSID: 1935 ssid = frm; 1936 break; 1937 case IEEE80211_ELEMID_RATES: 1938 rates = frm; 1939 break; 1940 case IEEE80211_ELEMID_XRATES: 1941 xrates = frm; 1942 break; 1943 } 1944 frm += frm[1] + 2; 1945 } 1946 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1947 if (xrates != NULL) 1948 IEEE80211_VERIFY_ELEMENT(xrates, 1949 IEEE80211_RATE_MAXSIZE - rates[1], return); 1950 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1951 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1952 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1953 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1954 wh, NULL, 1955 "%s", "no ssid with ssid suppression enabled"); 1956 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1957 return; 1958 } 1959 1960 /* XXX find a better class or define it's own */ 1961 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1962 "%s", "recv probe req"); 1963 /* 1964 * Some legacy 11b clients cannot hack a complete 1965 * probe response frame. When the request includes 1966 * only a bare-bones rate set, communicate this to 1967 * the transmit side. 1968 */ 1969 ieee80211_send_proberesp(vap, wh->i_addr2, 1970 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1971 break; 1972 1973 case IEEE80211_FC0_SUBTYPE_AUTH: { 1974 uint16_t algo, seq, status; 1975 1976 if (vap->iv_state != IEEE80211_S_RUN) { 1977 vap->iv_stats.is_rx_mgtdiscard++; 1978 return; 1979 } 1980 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1981 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1982 wh, NULL, "%s", "wrong bssid"); 1983 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1984 return; 1985 } 1986 /* 1987 * auth frame format 1988 * [2] algorithm 1989 * [2] sequence 1990 * [2] status 1991 * [tlv*] challenge 1992 */ 1993 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1994 algo = le16toh(*(uint16_t *)frm); 1995 seq = le16toh(*(uint16_t *)(frm + 2)); 1996 status = le16toh(*(uint16_t *)(frm + 4)); 1997 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1998 "recv auth frame with algorithm %d seq %d", algo, seq); 1999 /* 2000 * Consult the ACL policy module if setup. 2001 */ 2002 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 2003 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 2004 wh, NULL, "%s", "disallowed by ACL"); 2005 vap->iv_stats.is_rx_acl++; 2006 ieee80211_send_error(ni, wh->i_addr2, 2007 IEEE80211_FC0_SUBTYPE_AUTH, 2008 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2009 return; 2010 } 2011 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 2012 IEEE80211_DISCARD(vap, 2013 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2014 wh, NULL, "%s", "TKIP countermeasures enabled"); 2015 vap->iv_stats.is_rx_auth_countermeasures++; 2016 ieee80211_send_error(ni, wh->i_addr2, 2017 IEEE80211_FC0_SUBTYPE_AUTH, 2018 IEEE80211_REASON_MIC_FAILURE); 2019 return; 2020 } 2021 if (algo == IEEE80211_AUTH_ALG_SHARED) 2022 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 2023 seq, status); 2024 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2025 hostap_auth_open(ni, wh, rssi, nf, seq, status); 2026 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 2027 authalgreject(ni, wh, algo, 2028 seq+1, IEEE80211_STATUS_ALG); 2029 return; 2030 } else { 2031 /* 2032 * We assume that an unknown algorithm is the result 2033 * of a decryption failure on a shared key auth frame; 2034 * return a status code appropriate for that instead 2035 * of IEEE80211_STATUS_ALG. 2036 * 2037 * NB: a seq# of 4 is intentional; the decrypted 2038 * frame likely has a bogus seq value. 2039 */ 2040 authalgreject(ni, wh, algo, 2041 4, IEEE80211_STATUS_CHALLENGE); 2042 return; 2043 } 2044 break; 2045 } 2046 2047 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2048 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2049 uint16_t capinfo, lintval; 2050 struct ieee80211_rsnparms rsnparms; 2051 2052 if (vap->iv_state != IEEE80211_S_RUN) { 2053 vap->iv_stats.is_rx_mgtdiscard++; 2054 return; 2055 } 2056 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2057 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2058 wh, NULL, "%s", "wrong bssid"); 2059 vap->iv_stats.is_rx_assoc_bss++; 2060 return; 2061 } 2062 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2063 reassoc = 1; 2064 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2065 } else { 2066 reassoc = 0; 2067 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2068 } 2069 if (ni == vap->iv_bss) { 2070 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2071 "deny %s request, sta not authenticated", 2072 reassoc ? "reassoc" : "assoc"); 2073 ieee80211_send_error(ni, wh->i_addr2, 2074 IEEE80211_FC0_SUBTYPE_DEAUTH, 2075 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2076 vap->iv_stats.is_rx_assoc_notauth++; 2077 return; 2078 } 2079 2080 /* 2081 * asreq frame format 2082 * [2] capability information 2083 * [2] listen interval 2084 * [6*] current AP address (reassoc only) 2085 * [tlv] ssid 2086 * [tlv] supported rates 2087 * [tlv] extended supported rates 2088 * [tlv] WPA or RSN 2089 * [tlv] HT capabilities 2090 * [tlv] Atheros capabilities 2091 */ 2092 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2093 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2094 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2095 if (reassoc) 2096 frm += 6; /* ignore current AP info */ 2097 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2098 vhtcap = vhtinfo = NULL; 2099 sfrm = frm; 2100 while (efrm - frm > 1) { 2101 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2102 switch (*frm) { 2103 case IEEE80211_ELEMID_SSID: 2104 ssid = frm; 2105 break; 2106 case IEEE80211_ELEMID_RATES: 2107 rates = frm; 2108 break; 2109 case IEEE80211_ELEMID_XRATES: 2110 xrates = frm; 2111 break; 2112 case IEEE80211_ELEMID_RSN: 2113 rsn = frm; 2114 break; 2115 case IEEE80211_ELEMID_HTCAP: 2116 htcap = frm; 2117 break; 2118 case IEEE80211_ELEMID_VHT_CAP: 2119 vhtcap = frm; 2120 break; 2121 case IEEE80211_ELEMID_VHT_OPMODE: 2122 vhtinfo = frm; 2123 break; 2124 case IEEE80211_ELEMID_VENDOR: 2125 if (iswpaoui(frm)) 2126 wpa = frm; 2127 else if (iswmeinfo(frm)) 2128 wme = frm; 2129 #ifdef IEEE80211_SUPPORT_SUPERG 2130 else if (isatherosoui(frm)) 2131 ath = frm; 2132 #endif 2133 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2134 if (ishtcapoui(frm) && htcap == NULL) 2135 htcap = frm; 2136 } 2137 break; 2138 } 2139 frm += frm[1] + 2; 2140 } 2141 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2142 if (xrates != NULL) 2143 IEEE80211_VERIFY_ELEMENT(xrates, 2144 IEEE80211_RATE_MAXSIZE - rates[1], return); 2145 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2146 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2147 if (htcap != NULL) { 2148 IEEE80211_VERIFY_LENGTH(htcap[1], 2149 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2150 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2151 sizeof(struct ieee80211_ie_htcap)-2, 2152 return); /* XXX just NULL out? */ 2153 } 2154 2155 /* Validate VHT IEs */ 2156 if (vhtcap != NULL) { 2157 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2158 sizeof(struct ieee80211_vht_cap), 2159 return); 2160 } 2161 if (vhtinfo != NULL) { 2162 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2163 sizeof(struct ieee80211_vht_operation), 2164 return); 2165 } 2166 2167 if ((vap->iv_flags & IEEE80211_F_WPA) && 2168 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2169 return; 2170 /* discard challenge after association */ 2171 if (ni->ni_challenge != NULL) { 2172 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2173 ni->ni_challenge = NULL; 2174 } 2175 /* NB: 802.11 spec says to ignore station's privacy bit */ 2176 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2177 capinfomismatch(ni, wh, reassoc, resp, 2178 "capability", capinfo); 2179 return; 2180 } 2181 /* 2182 * Disallow re-associate w/ invalid slot time setting. 2183 */ 2184 if (ni->ni_associd != 0 && 2185 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2186 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2187 capinfomismatch(ni, wh, reassoc, resp, 2188 "slot time", capinfo); 2189 return; 2190 } 2191 rate = ieee80211_setup_rates(ni, rates, xrates, 2192 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2193 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2194 if (rate & IEEE80211_RATE_BASIC) { 2195 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2196 vap->iv_stats.is_rx_assoc_norate++; 2197 return; 2198 } 2199 /* 2200 * If constrained to 11g-only stations reject an 2201 * 11b-only station. We cheat a bit here by looking 2202 * at the max negotiated xmit rate and assuming anyone 2203 * with a best rate <24Mb/s is an 11b station. 2204 */ 2205 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2206 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2207 vap->iv_stats.is_rx_assoc_norate++; 2208 return; 2209 } 2210 2211 /* 2212 * Do HT rate set handling and setup HT node state. 2213 */ 2214 ni->ni_chan = vap->iv_bss->ni_chan; 2215 2216 /* VHT */ 2217 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2218 vhtcap != NULL && 2219 vhtinfo != NULL) { 2220 /* XXX TODO; see below */ 2221 printf("%s: VHT TODO!\n", __func__); 2222 ieee80211_vht_node_init(ni); 2223 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2224 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2225 ieee80211_vht_node_cleanup(ni); 2226 2227 /* HT */ 2228 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2229 rate = ieee80211_setup_htrates(ni, htcap, 2230 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2231 IEEE80211_F_DOBRS); 2232 if (rate & IEEE80211_RATE_BASIC) { 2233 ratesetmismatch(ni, wh, reassoc, resp, 2234 "HT", rate); 2235 vap->iv_stats.is_ht_assoc_norate++; 2236 return; 2237 } 2238 ieee80211_ht_node_init(ni); 2239 ieee80211_ht_updatehtcap(ni, htcap); 2240 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2241 ieee80211_ht_node_cleanup(ni); 2242 2243 /* Finally - this will use HT/VHT info to change node channel */ 2244 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2245 ieee80211_ht_updatehtcap_final(ni); 2246 } 2247 2248 #ifdef IEEE80211_SUPPORT_SUPERG 2249 /* Always do ff node cleanup; for A-MSDU */ 2250 ieee80211_ff_node_cleanup(ni); 2251 #endif 2252 /* 2253 * Allow AMPDU operation only with unencrypted traffic 2254 * or AES-CCM / AES-GCM; the 802.11n spec only specifies these 2255 * ciphers so permitting any others is undefined and can lead 2256 * to interoperability problems. 2257 * 2258 * TODO: before landing, find exactly where in 802.11-2020 this 2259 * is called out! 2260 */ 2261 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2262 (((vap->iv_flags & IEEE80211_F_WPA) && 2263 !hostapd_validate_cipher_for_ht_ampdu(rsnparms.rsn_ucastcipher)) || 2264 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2265 IEEE80211_NOTE(vap, 2266 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2267 "disallow HT use because WEP or TKIP requested, " 2268 "capinfo 0x%x ucastcipher %d", capinfo, 2269 rsnparms.rsn_ucastcipher); 2270 ieee80211_ht_node_cleanup(ni); 2271 #ifdef IEEE80211_SUPPORT_SUPERG 2272 /* Always do ff node cleanup; for A-MSDU */ 2273 ieee80211_ff_node_cleanup(ni); 2274 #endif 2275 vap->iv_stats.is_ht_assoc_downgrade++; 2276 } 2277 /* 2278 * If constrained to 11n-only stations reject legacy stations. 2279 */ 2280 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2281 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2282 htcapmismatch(ni, wh, reassoc, resp); 2283 vap->iv_stats.is_ht_assoc_nohtcap++; 2284 return; 2285 } 2286 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2287 ni->ni_noise = nf; 2288 ni->ni_intval = lintval; 2289 ni->ni_capinfo = capinfo; 2290 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2291 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2292 /* 2293 * Store the IEs. 2294 * XXX maybe better to just expand 2295 */ 2296 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2297 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2298 if (wpa != NULL) 2299 setie(wpa_ie, wpa - sfrm); 2300 if (rsn != NULL) 2301 setie(rsn_ie, rsn - sfrm); 2302 if (htcap != NULL) 2303 setie(htcap_ie, htcap - sfrm); 2304 if (wme != NULL) { 2305 setie(wme_ie, wme - sfrm); 2306 /* 2307 * Mark node as capable of QoS. 2308 */ 2309 ni->ni_flags |= IEEE80211_NODE_QOS; 2310 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2311 if (ni->ni_uapsd != 0) 2312 ni->ni_flags |= 2313 IEEE80211_NODE_UAPSD; 2314 else 2315 ni->ni_flags &= 2316 ~IEEE80211_NODE_UAPSD; 2317 } 2318 } else 2319 ni->ni_flags &= 2320 ~(IEEE80211_NODE_QOS | 2321 IEEE80211_NODE_UAPSD); 2322 #ifdef IEEE80211_SUPPORT_SUPERG 2323 if (ath != NULL) { 2324 setie(ath_ie, ath - sfrm); 2325 /* 2326 * Parse ATH station parameters. 2327 */ 2328 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2329 } else 2330 #endif 2331 ni->ni_ath_flags = 0; 2332 #undef setie 2333 } else { 2334 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2335 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2336 ni->ni_ath_flags = 0; 2337 } 2338 ieee80211_node_join(ni, resp); 2339 ieee80211_deliver_l2uf(ni); 2340 break; 2341 } 2342 2343 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2344 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2345 #ifdef IEEE80211_DEBUG 2346 uint16_t reason; 2347 #endif 2348 2349 if (vap->iv_state != IEEE80211_S_RUN || 2350 /* NB: can happen when in promiscuous mode */ 2351 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2352 vap->iv_stats.is_rx_mgtdiscard++; 2353 break; 2354 } 2355 /* 2356 * deauth/disassoc frame format 2357 * [2] reason 2358 */ 2359 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2360 #ifdef IEEE80211_DEBUG 2361 reason = le16toh(*(uint16_t *)frm); 2362 #endif 2363 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2364 vap->iv_stats.is_rx_deauth++; 2365 IEEE80211_NODE_STAT(ni, rx_deauth); 2366 } else { 2367 vap->iv_stats.is_rx_disassoc++; 2368 IEEE80211_NODE_STAT(ni, rx_disassoc); 2369 } 2370 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2371 "recv %s (reason: %d (%s))", 2372 ieee80211_mgt_subtype_name(subtype), 2373 reason, ieee80211_reason_to_string(reason)); 2374 if (ni != vap->iv_bss) 2375 ieee80211_node_leave(ni); 2376 break; 2377 } 2378 2379 case IEEE80211_FC0_SUBTYPE_ACTION: 2380 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2381 if (ni == vap->iv_bss) { 2382 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2383 wh, NULL, "%s", "unknown node"); 2384 vap->iv_stats.is_rx_mgtdiscard++; 2385 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2386 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2387 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2388 wh, NULL, "%s", "not for us"); 2389 vap->iv_stats.is_rx_mgtdiscard++; 2390 } else if (vap->iv_state != IEEE80211_S_RUN) { 2391 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2392 wh, NULL, "wrong state %s", 2393 ieee80211_state_name[vap->iv_state]); 2394 vap->iv_stats.is_rx_mgtdiscard++; 2395 } else { 2396 if (ieee80211_parse_action(ni, m0) == 0) 2397 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2398 } 2399 break; 2400 2401 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2402 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2403 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2404 case IEEE80211_FC0_SUBTYPE_ATIM: 2405 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2406 wh, NULL, "%s", "not handled"); 2407 vap->iv_stats.is_rx_mgtdiscard++; 2408 break; 2409 2410 default: 2411 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2412 wh, "mgt", "subtype 0x%x not handled", subtype); 2413 vap->iv_stats.is_rx_badsubtype++; 2414 break; 2415 } 2416 } 2417 2418 static void 2419 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2420 { 2421 switch (subtype) { 2422 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2423 ni->ni_vap->iv_recv_pspoll(ni, m); 2424 break; 2425 case IEEE80211_FC0_SUBTYPE_BAR: 2426 ieee80211_recv_bar(ni, m); 2427 break; 2428 } 2429 } 2430 2431 /* 2432 * Process a received ps-poll frame. 2433 */ 2434 void 2435 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2436 { 2437 struct ieee80211vap *vap = ni->ni_vap; 2438 struct ieee80211com *ic = vap->iv_ic; 2439 struct ieee80211_frame_min *wh; 2440 struct mbuf *m; 2441 uint16_t aid; 2442 int qlen; 2443 2444 wh = mtod(m0, struct ieee80211_frame_min *); 2445 if (ni->ni_associd == 0) { 2446 IEEE80211_DISCARD(vap, 2447 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2448 (struct ieee80211_frame *) wh, NULL, 2449 "%s", "unassociated station"); 2450 vap->iv_stats.is_ps_unassoc++; 2451 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2452 IEEE80211_REASON_NOT_ASSOCED); 2453 return; 2454 } 2455 2456 aid = le16toh(*(uint16_t *)wh->i_dur); 2457 if (aid != ni->ni_associd) { 2458 IEEE80211_DISCARD(vap, 2459 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2460 (struct ieee80211_frame *) wh, NULL, 2461 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2462 ni->ni_associd, aid); 2463 vap->iv_stats.is_ps_badaid++; 2464 /* 2465 * NB: We used to deauth the station but it turns out 2466 * the Blackberry Curve 8230 (and perhaps other devices) 2467 * sometimes send the wrong AID when WME is negotiated. 2468 * Being more lenient here seems ok as we already check 2469 * the station is associated and we only return frames 2470 * queued for the station (i.e. we don't use the AID). 2471 */ 2472 return; 2473 } 2474 2475 /* Okay, take the first queued packet and put it out... */ 2476 m = ieee80211_node_psq_dequeue(ni, &qlen); 2477 if (m == NULL) { 2478 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2479 "%s", "recv ps-poll, but queue empty"); 2480 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2481 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2482 if (vap->iv_set_tim != NULL) 2483 vap->iv_set_tim(ni, 0); /* just in case */ 2484 return; 2485 } 2486 /* 2487 * If there are more packets, set the more packets bit 2488 * in the packet dispatched to the station; otherwise 2489 * turn off the TIM bit. 2490 */ 2491 if (qlen != 0) { 2492 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2493 "recv ps-poll, send packet, %u still queued", qlen); 2494 m->m_flags |= M_MORE_DATA; 2495 } else { 2496 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2497 "%s", "recv ps-poll, send packet, queue empty"); 2498 if (vap->iv_set_tim != NULL) 2499 vap->iv_set_tim(ni, 0); 2500 } 2501 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2502 2503 /* 2504 * Do the right thing; if it's an encap'ed frame then 2505 * call ieee80211_parent_xmitpkt() else 2506 * call ieee80211_vap_xmitpkt(). 2507 */ 2508 if (m->m_flags & M_ENCAP) { 2509 (void) ieee80211_parent_xmitpkt(ic, m); 2510 } else { 2511 (void) ieee80211_vap_xmitpkt(vap, m); 2512 } 2513 } 2514