1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 static void hostap_vattach(struct ieee80211vap *); 67 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 68 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 69 const struct ieee80211_rx_stats *, 70 int rssi, int nf); 71 static void hostap_deliver_data(struct ieee80211vap *, 72 struct ieee80211_node *, struct mbuf *); 73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 76 77 void 78 ieee80211_hostap_attach(struct ieee80211com *ic) 79 { 80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 81 } 82 83 void 84 ieee80211_hostap_detach(struct ieee80211com *ic) 85 { 86 } 87 88 static void 89 hostap_vdetach(struct ieee80211vap *vap) 90 { 91 } 92 93 static void 94 hostap_vattach(struct ieee80211vap *vap) 95 { 96 vap->iv_newstate = hostap_newstate; 97 vap->iv_input = hostap_input; 98 vap->iv_recv_mgmt = hostap_recv_mgmt; 99 vap->iv_recv_ctl = hostap_recv_ctl; 100 vap->iv_opdetach = hostap_vdetach; 101 vap->iv_deliver_data = hostap_deliver_data; 102 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 103 } 104 105 static void 106 sta_disassoc(void *arg, struct ieee80211_node *ni) 107 { 108 109 if (ni->ni_associd != 0) { 110 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 111 IEEE80211_REASON_ASSOC_LEAVE); 112 ieee80211_node_leave(ni); 113 } 114 } 115 116 static void 117 sta_csa(void *arg, struct ieee80211_node *ni) 118 { 119 struct ieee80211vap *vap = ni->ni_vap; 120 121 if (ni->ni_associd != 0) 122 if (ni->ni_inact > vap->iv_inact_init) { 123 ni->ni_inact = vap->iv_inact_init; 124 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 125 "%s: inact %u", __func__, ni->ni_inact); 126 } 127 } 128 129 static void 130 sta_drop(void *arg, struct ieee80211_node *ni) 131 { 132 133 if (ni->ni_associd != 0) 134 ieee80211_node_leave(ni); 135 } 136 137 /* 138 * Does a channel change require associated stations to re-associate 139 * so protocol state is correct. This is used when doing CSA across 140 * bands or similar (e.g. HT -> legacy). 141 */ 142 static int 143 isbandchange(struct ieee80211com *ic) 144 { 145 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 146 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 147 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 148 } 149 150 /* 151 * IEEE80211_M_HOSTAP vap state machine handler. 152 */ 153 static int 154 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 155 { 156 struct ieee80211com *ic = vap->iv_ic; 157 enum ieee80211_state ostate; 158 159 IEEE80211_LOCK_ASSERT(ic); 160 161 ostate = vap->iv_state; 162 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 163 __func__, ieee80211_state_name[ostate], 164 ieee80211_state_name[nstate], arg); 165 vap->iv_state = nstate; /* state transition */ 166 if (ostate != IEEE80211_S_SCAN) 167 ieee80211_cancel_scan(vap); /* background scan */ 168 switch (nstate) { 169 case IEEE80211_S_INIT: 170 switch (ostate) { 171 case IEEE80211_S_SCAN: 172 ieee80211_cancel_scan(vap); 173 break; 174 case IEEE80211_S_CAC: 175 ieee80211_dfs_cac_stop(vap); 176 break; 177 case IEEE80211_S_RUN: 178 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 179 sta_disassoc, NULL); 180 break; 181 default: 182 break; 183 } 184 if (ostate != IEEE80211_S_INIT) { 185 /* NB: optimize INIT -> INIT case */ 186 ieee80211_reset_bss(vap); 187 } 188 if (vap->iv_auth->ia_detach != NULL) 189 vap->iv_auth->ia_detach(vap); 190 break; 191 case IEEE80211_S_SCAN: 192 switch (ostate) { 193 case IEEE80211_S_CSA: 194 case IEEE80211_S_RUN: 195 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 196 sta_disassoc, NULL); 197 /* 198 * Clear overlapping BSS state; the beacon frame 199 * will be reconstructed on transition to the RUN 200 * state and the timeout routines check if the flag 201 * is set before doing anything so this is sufficient. 202 */ 203 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 204 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 205 /* XXX TODO: schedule deferred update? */ 206 /* fall thru... */ 207 case IEEE80211_S_CAC: 208 /* 209 * NB: We may get here because of a manual channel 210 * change in which case we need to stop CAC 211 * XXX no need to stop if ostate RUN but it's ok 212 */ 213 ieee80211_dfs_cac_stop(vap); 214 /* fall thru... */ 215 case IEEE80211_S_INIT: 216 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 217 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * ieee80211_create_ibss will call back to 222 * move us to RUN state. 223 */ 224 ieee80211_create_ibss(vap, vap->iv_des_chan); 225 break; 226 } 227 /* 228 * Initiate a scan. We can come here as a result 229 * of an IEEE80211_IOC_SCAN_REQ too in which case 230 * the vap will be marked with IEEE80211_FEXT_SCANREQ 231 * and the scan request parameters will be present 232 * in iv_scanreq. Otherwise we do the default. 233 */ 234 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 235 ieee80211_check_scan(vap, 236 vap->iv_scanreq_flags, 237 vap->iv_scanreq_duration, 238 vap->iv_scanreq_mindwell, 239 vap->iv_scanreq_maxdwell, 240 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 241 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 242 } else 243 ieee80211_check_scan_current(vap); 244 break; 245 case IEEE80211_S_SCAN: 246 /* 247 * A state change requires a reset; scan. 248 */ 249 ieee80211_check_scan_current(vap); 250 break; 251 default: 252 break; 253 } 254 break; 255 case IEEE80211_S_CAC: 256 /* 257 * Start CAC on a DFS channel. We come here when starting 258 * a bss on a DFS channel (see ieee80211_create_ibss). 259 */ 260 ieee80211_dfs_cac_start(vap); 261 break; 262 case IEEE80211_S_RUN: 263 if (vap->iv_flags & IEEE80211_F_WPA) { 264 /* XXX validate prerequisites */ 265 } 266 switch (ostate) { 267 case IEEE80211_S_INIT: 268 /* 269 * Already have a channel; bypass the 270 * scan and startup immediately. 271 * Note that ieee80211_create_ibss will call 272 * back to do a RUN->RUN state change. 273 */ 274 ieee80211_create_ibss(vap, 275 ieee80211_ht_adjust_channel(ic, 276 ic->ic_curchan, vap->iv_flags_ht)); 277 /* NB: iv_bss is changed on return */ 278 break; 279 case IEEE80211_S_CAC: 280 /* 281 * NB: This is the normal state change when CAC 282 * expires and no radar was detected; no need to 283 * clear the CAC timer as it's already expired. 284 */ 285 /* fall thru... */ 286 case IEEE80211_S_CSA: 287 /* 288 * Shorten inactivity timer of associated stations 289 * to weed out sta's that don't follow a CSA. 290 */ 291 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 292 sta_csa, NULL); 293 /* 294 * Update bss node channel to reflect where 295 * we landed after CSA. 296 */ 297 ieee80211_node_set_chan(vap->iv_bss, 298 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 299 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 300 /* XXX bypass debug msgs */ 301 break; 302 case IEEE80211_S_SCAN: 303 case IEEE80211_S_RUN: 304 #ifdef IEEE80211_DEBUG 305 if (ieee80211_msg_debug(vap)) { 306 struct ieee80211_node *ni = vap->iv_bss; 307 ieee80211_note(vap, 308 "synchronized with %s ssid ", 309 ether_sprintf(ni->ni_bssid)); 310 ieee80211_print_essid(ni->ni_essid, 311 ni->ni_esslen); 312 printf(" channel %d start %uMbit/s\n", 313 ieee80211_chan2ieee(ic, ic->ic_curchan), 314 ieee80211_node_get_txrate_kbit(ni) / 1000); 315 } 316 #endif 317 break; 318 default: 319 break; 320 } 321 /* 322 * Start/stop the authenticator. We delay until here 323 * to allow configuration to happen out of order. 324 */ 325 if (vap->iv_auth->ia_attach != NULL) { 326 /* XXX check failure */ 327 vap->iv_auth->ia_attach(vap); 328 } else if (vap->iv_auth->ia_detach != NULL) { 329 vap->iv_auth->ia_detach(vap); 330 } 331 ieee80211_node_authorize(vap->iv_bss); 332 break; 333 case IEEE80211_S_CSA: 334 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 335 /* 336 * On a ``band change'' silently drop associated 337 * stations as they must re-associate before they 338 * can pass traffic (as otherwise protocol state 339 * such as capabilities and the negotiated rate 340 * set may/will be wrong). 341 */ 342 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 343 sta_drop, NULL); 344 } 345 break; 346 default: 347 break; 348 } 349 return 0; 350 } 351 352 static void 353 hostap_deliver_data(struct ieee80211vap *vap, 354 struct ieee80211_node *ni, struct mbuf *m) 355 { 356 struct ether_header *eh = mtod(m, struct ether_header *); 357 struct ifnet *ifp = vap->iv_ifp; 358 359 /* clear driver/net80211 flags before passing up */ 360 m->m_flags &= ~(M_MCAST | M_BCAST); 361 m_clrprotoflags(m); 362 363 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 364 ("gack, opmode %d", vap->iv_opmode)); 365 /* 366 * Do accounting. 367 */ 368 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 369 IEEE80211_NODE_STAT(ni, rx_data); 370 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 371 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 372 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 373 IEEE80211_NODE_STAT(ni, rx_mcast); 374 } else 375 IEEE80211_NODE_STAT(ni, rx_ucast); 376 377 /* perform as a bridge within the AP */ 378 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 379 struct mbuf *mcopy = NULL; 380 381 if (m->m_flags & M_MCAST) { 382 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 383 if (mcopy == NULL) 384 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 385 else 386 mcopy->m_flags |= M_MCAST; 387 } else { 388 /* 389 * Check if the destination is associated with the 390 * same vap and authorized to receive traffic. 391 * Beware of traffic destined for the vap itself; 392 * sending it will not work; just let it be delivered 393 * normally. 394 */ 395 struct ieee80211_node *sta = ieee80211_find_vap_node( 396 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 397 if (sta != NULL) { 398 if (ieee80211_node_is_authorized(sta)) { 399 /* 400 * Beware of sending to ourself; this 401 * needs to happen via the normal 402 * input path. 403 */ 404 if (sta != vap->iv_bss) { 405 mcopy = m; 406 m = NULL; 407 } 408 } else { 409 vap->iv_stats.is_rx_unauth++; 410 IEEE80211_NODE_STAT(sta, rx_unauth); 411 } 412 ieee80211_free_node(sta); 413 } 414 } 415 if (mcopy != NULL) 416 (void) ieee80211_vap_xmitpkt(vap, mcopy); 417 } 418 if (m != NULL) { 419 struct epoch_tracker et; 420 421 /* 422 * Mark frame as coming from vap's interface. 423 */ 424 m->m_pkthdr.rcvif = ifp; 425 if (m->m_flags & M_MCAST) { 426 /* 427 * Spam DWDS vap's w/ multicast traffic. 428 */ 429 /* XXX only if dwds in use? */ 430 ieee80211_dwds_mcast(vap, m); 431 } 432 if (ni->ni_vlan != 0) { 433 /* attach vlan tag */ 434 m->m_pkthdr.ether_vtag = ni->ni_vlan; 435 m->m_flags |= M_VLANTAG; 436 } 437 NET_EPOCH_ENTER(et); 438 ifp->if_input(ifp, m); 439 NET_EPOCH_EXIT(et); 440 } 441 } 442 443 /* 444 * Decide if a received management frame should be 445 * printed when debugging is enabled. This filters some 446 * of the less interesting frames that come frequently 447 * (e.g. beacons). 448 */ 449 static __inline int 450 doprint(struct ieee80211vap *vap, int subtype) 451 { 452 switch (subtype) { 453 case IEEE80211_FC0_SUBTYPE_BEACON: 454 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 455 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 456 return 0; 457 } 458 return 1; 459 } 460 461 /* 462 * Process a received frame. The node associated with the sender 463 * should be supplied. If nothing was found in the node table then 464 * the caller is assumed to supply a reference to iv_bss instead. 465 * The RSSI and a timestamp are also supplied. The RSSI data is used 466 * during AP scanning to select a AP to associate with; it can have 467 * any units so long as values have consistent units and higher values 468 * mean ``better signal''. The receive timestamp is currently not used 469 * by the 802.11 layer. 470 */ 471 static int 472 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 473 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 474 { 475 struct ieee80211vap *vap = ni->ni_vap; 476 struct ieee80211com *ic = ni->ni_ic; 477 struct ifnet *ifp = vap->iv_ifp; 478 struct ieee80211_frame *wh; 479 struct ieee80211_key *key; 480 struct ether_header *eh; 481 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 482 uint8_t dir, type, subtype, qos; 483 uint8_t *bssid; 484 int is_hw_decrypted = 0; 485 int has_decrypted = 0; 486 487 /* 488 * Some devices do hardware decryption all the way through 489 * to pretending the frame wasn't encrypted in the first place. 490 * So, tag it appropriately so it isn't discarded inappropriately. 491 */ 492 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 493 is_hw_decrypted = 1; 494 495 if (m->m_flags & M_AMPDU_MPDU) { 496 /* 497 * Fastpath for A-MPDU reorder q resubmission. Frames 498 * w/ M_AMPDU_MPDU marked have already passed through 499 * here but were received out of order and been held on 500 * the reorder queue. When resubmitted they are marked 501 * with the M_AMPDU_MPDU flag and we can bypass most of 502 * the normal processing. 503 */ 504 wh = mtod(m, struct ieee80211_frame *); 505 type = IEEE80211_FC0_TYPE_DATA; 506 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 507 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 508 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 509 goto resubmit_ampdu; 510 } 511 512 KASSERT(ni != NULL, ("null node")); 513 ni->ni_inact = ni->ni_inact_reload; 514 515 type = -1; /* undefined */ 516 517 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 518 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 519 ni->ni_macaddr, NULL, 520 "too short (1): len %u", m->m_pkthdr.len); 521 vap->iv_stats.is_rx_tooshort++; 522 goto out; 523 } 524 /* 525 * Bit of a cheat here, we use a pointer for a 3-address 526 * frame format but don't reference fields past outside 527 * ieee80211_frame_min w/o first validating the data is 528 * present. 529 */ 530 wh = mtod(m, struct ieee80211_frame *); 531 532 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) { 533 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 534 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 535 wh->i_fc[0], wh->i_fc[1]); 536 vap->iv_stats.is_rx_badversion++; 537 goto err; 538 } 539 540 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 541 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 542 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 543 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 544 if (dir != IEEE80211_FC1_DIR_NODS) 545 bssid = wh->i_addr1; 546 else if (type == IEEE80211_FC0_TYPE_CTL) 547 bssid = wh->i_addr1; 548 else { 549 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 550 IEEE80211_DISCARD_MAC(vap, 551 IEEE80211_MSG_ANY, ni->ni_macaddr, 552 NULL, "too short (2): len %u", 553 m->m_pkthdr.len); 554 vap->iv_stats.is_rx_tooshort++; 555 goto out; 556 } 557 bssid = wh->i_addr3; 558 } 559 /* 560 * Validate the bssid. 561 */ 562 if (!(type == IEEE80211_FC0_TYPE_MGT && 563 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 564 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 565 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 566 /* not interested in */ 567 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 568 bssid, NULL, "%s", "not to bss"); 569 vap->iv_stats.is_rx_wrongbss++; 570 goto out; 571 } 572 573 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 574 ni->ni_noise = nf; 575 if (IEEE80211_HAS_SEQ(type, subtype)) { 576 uint8_t tid = ieee80211_gettid(wh); 577 if (IEEE80211_QOS_HAS_SEQ(wh) && 578 TID_TO_WME_AC(tid) >= WME_AC_VI) 579 ic->ic_wme.wme_hipri_traffic++; 580 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 581 goto out; 582 } 583 } 584 585 switch (type) { 586 case IEEE80211_FC0_TYPE_DATA: 587 hdrspace = ieee80211_hdrspace(ic, wh); 588 if (m->m_len < hdrspace && 589 (m = m_pullup(m, hdrspace)) == NULL) { 590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 591 ni->ni_macaddr, NULL, 592 "data too short: expecting %u", hdrspace); 593 vap->iv_stats.is_rx_tooshort++; 594 goto out; /* XXX */ 595 } 596 if (!(dir == IEEE80211_FC1_DIR_TODS || 597 (dir == IEEE80211_FC1_DIR_DSTODS && 598 (vap->iv_flags & IEEE80211_F_DWDS)))) { 599 if (dir != IEEE80211_FC1_DIR_DSTODS) { 600 IEEE80211_DISCARD(vap, 601 IEEE80211_MSG_INPUT, wh, "data", 602 "incorrect dir 0x%x", dir); 603 } else { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT | 606 IEEE80211_MSG_WDS, wh, 607 "4-address data", 608 "%s", "DWDS not enabled"); 609 } 610 vap->iv_stats.is_rx_wrongdir++; 611 goto out; 612 } 613 /* check if source STA is associated */ 614 if (ni == vap->iv_bss) { 615 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 616 wh, "data", "%s", "unknown src"); 617 ieee80211_send_error(ni, wh->i_addr2, 618 IEEE80211_FC0_SUBTYPE_DEAUTH, 619 IEEE80211_REASON_NOT_AUTHED); 620 vap->iv_stats.is_rx_notassoc++; 621 goto err; 622 } 623 if (ni->ni_associd == 0) { 624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 625 wh, "data", "%s", "unassoc src"); 626 IEEE80211_SEND_MGMT(ni, 627 IEEE80211_FC0_SUBTYPE_DISASSOC, 628 IEEE80211_REASON_NOT_ASSOCED); 629 vap->iv_stats.is_rx_notassoc++; 630 goto err; 631 } 632 633 /* 634 * Check for power save state change. 635 * XXX out-of-order A-MPDU frames? 636 */ 637 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 638 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 639 vap->iv_node_ps(ni, 640 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 641 /* 642 * For 4-address packets handle WDS discovery 643 * notifications. Once a WDS link is setup frames 644 * are just delivered to the WDS vap (see below). 645 */ 646 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 647 if (!ieee80211_node_is_authorized(ni)) { 648 IEEE80211_DISCARD(vap, 649 IEEE80211_MSG_INPUT | 650 IEEE80211_MSG_WDS, wh, 651 "4-address data", 652 "%s", "unauthorized port"); 653 vap->iv_stats.is_rx_unauth++; 654 IEEE80211_NODE_STAT(ni, rx_unauth); 655 goto err; 656 } 657 ieee80211_dwds_discover(ni, m); 658 return type; 659 } 660 661 /* 662 * Handle A-MPDU re-ordering. If the frame is to be 663 * processed directly then ieee80211_ampdu_reorder 664 * will return 0; otherwise it has consumed the mbuf 665 * and we should do nothing more with it. 666 */ 667 if ((m->m_flags & M_AMPDU) && 668 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 669 m = NULL; 670 goto out; 671 } 672 resubmit_ampdu: 673 674 /* 675 * Handle privacy requirements. Note that we 676 * must not be preempted from here until after 677 * we (potentially) call ieee80211_crypto_demic; 678 * otherwise we may violate assumptions in the 679 * crypto cipher modules used to do delayed update 680 * of replay sequence numbers. 681 */ 682 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 683 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 684 /* 685 * Discard encrypted frames when privacy is off. 686 */ 687 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 688 wh, "WEP", "%s", "PRIVACY off"); 689 vap->iv_stats.is_rx_noprivacy++; 690 IEEE80211_NODE_STAT(ni, rx_noprivacy); 691 goto out; 692 } 693 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 694 /* NB: stats+msgs handled in crypto_decap */ 695 IEEE80211_NODE_STAT(ni, rx_wepfail); 696 goto out; 697 } 698 wh = mtod(m, struct ieee80211_frame *); 699 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 700 has_decrypted = 1; 701 } else { 702 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 703 key = NULL; 704 } 705 706 /* 707 * Save QoS bits for use below--before we strip the header. 708 */ 709 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 710 qos = ieee80211_getqos(wh)[0]; 711 else 712 qos = 0; 713 714 /* 715 * Next up, any fragmentation. 716 */ 717 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 718 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 719 if (m == NULL) { 720 /* Fragment dropped or frame not complete yet */ 721 goto out; 722 } 723 } 724 wh = NULL; /* no longer valid, catch any uses */ 725 726 /* 727 * Next strip any MSDU crypto bits. 728 */ 729 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 731 ni->ni_macaddr, "data", "%s", "demic error"); 732 vap->iv_stats.is_rx_demicfail++; 733 IEEE80211_NODE_STAT(ni, rx_demicfail); 734 goto out; 735 } 736 /* copy to listener after decrypt */ 737 if (ieee80211_radiotap_active_vap(vap)) 738 ieee80211_radiotap_rx(vap, m); 739 need_tap = 0; 740 /* 741 * Finally, strip the 802.11 header. 742 */ 743 m = ieee80211_decap(vap, m, hdrspace, qos); 744 if (m == NULL) { 745 /* XXX mask bit to check for both */ 746 /* don't count Null data frames as errors */ 747 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 748 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 749 goto out; 750 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 751 ni->ni_macaddr, "data", "%s", "decap error"); 752 vap->iv_stats.is_rx_decap++; 753 IEEE80211_NODE_STAT(ni, rx_decap); 754 goto err; 755 } 756 if (!(qos & IEEE80211_QOS_AMSDU)) 757 eh = mtod(m, struct ether_header *); 758 else 759 eh = NULL; 760 if (!ieee80211_node_is_authorized(ni)) { 761 /* 762 * Deny any non-PAE frames received prior to 763 * authorization. For open/shared-key 764 * authentication the port is mark authorized 765 * after authentication completes. For 802.1x 766 * the port is not marked authorized by the 767 * authenticator until the handshake has completed. 768 */ 769 if (eh == NULL || 770 eh->ether_type != htons(ETHERTYPE_PAE)) { 771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 772 ni->ni_macaddr, "data", "unauthorized or " 773 "unknown port: ether type 0x%x len %u", 774 eh == NULL ? -1 : eh->ether_type, 775 m->m_pkthdr.len); 776 vap->iv_stats.is_rx_unauth++; 777 IEEE80211_NODE_STAT(ni, rx_unauth); 778 goto err; 779 } 780 } else { 781 /* 782 * When denying unencrypted frames, discard 783 * any non-PAE frames received without encryption. 784 */ 785 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 786 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 787 (is_hw_decrypted == 0) && 788 (eh == NULL || 789 eh->ether_type != htons(ETHERTYPE_PAE))) { 790 /* 791 * Drop unencrypted frames. 792 */ 793 vap->iv_stats.is_rx_unencrypted++; 794 IEEE80211_NODE_STAT(ni, rx_unencrypted); 795 goto out; 796 } 797 } 798 /* XXX require HT? */ 799 if (qos & IEEE80211_QOS_AMSDU) { 800 m = ieee80211_decap_amsdu(ni, m); 801 if (m == NULL) 802 return IEEE80211_FC0_TYPE_DATA; 803 } else { 804 #ifdef IEEE80211_SUPPORT_SUPERG 805 m = ieee80211_decap_fastframe(vap, ni, m); 806 if (m == NULL) 807 return IEEE80211_FC0_TYPE_DATA; 808 #endif 809 } 810 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 811 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 812 else 813 hostap_deliver_data(vap, ni, m); 814 return IEEE80211_FC0_TYPE_DATA; 815 816 case IEEE80211_FC0_TYPE_MGT: 817 vap->iv_stats.is_rx_mgmt++; 818 IEEE80211_NODE_STAT(ni, rx_mgmt); 819 if (dir != IEEE80211_FC1_DIR_NODS) { 820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 821 wh, "mgt", "incorrect dir 0x%x", dir); 822 vap->iv_stats.is_rx_wrongdir++; 823 goto err; 824 } 825 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 826 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 827 ni->ni_macaddr, "mgt", "too short: len %u", 828 m->m_pkthdr.len); 829 vap->iv_stats.is_rx_tooshort++; 830 goto out; 831 } 832 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 833 /* ensure return frames are unicast */ 834 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 835 wh, NULL, "source is multicast: %s", 836 ether_sprintf(wh->i_addr2)); 837 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 838 goto out; 839 } 840 #ifdef IEEE80211_DEBUG 841 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 842 ieee80211_msg_dumppkts(vap)) { 843 if_printf(ifp, "received %s from %s rssi %d\n", 844 ieee80211_mgt_subtype_name(subtype), 845 ether_sprintf(wh->i_addr2), rssi); 846 } 847 #endif 848 if (IEEE80211_IS_PROTECTED(wh)) { 849 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 850 /* 851 * Only shared key auth frames with a challenge 852 * should be encrypted, discard all others. 853 */ 854 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 855 wh, NULL, 856 "%s", "WEP set but not permitted"); 857 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 858 goto out; 859 } 860 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 861 /* 862 * Discard encrypted frames when privacy is off. 863 */ 864 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, "%s", "WEP set but PRIVACY off"); 866 vap->iv_stats.is_rx_noprivacy++; 867 goto out; 868 } 869 hdrspace = ieee80211_hdrspace(ic, wh); 870 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 871 /* NB: stats+msgs handled in crypto_decap */ 872 goto out; 873 } 874 wh = mtod(m, struct ieee80211_frame *); 875 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 876 has_decrypted = 1; 877 } 878 /* 879 * Pass the packet to radiotap before calling iv_recv_mgmt(). 880 * Otherwise iv_recv_mgmt() might pass another packet to 881 * radiotap, resulting in out of order packet captures. 882 */ 883 if (ieee80211_radiotap_active_vap(vap)) 884 ieee80211_radiotap_rx(vap, m); 885 need_tap = 0; 886 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 887 goto out; 888 889 case IEEE80211_FC0_TYPE_CTL: 890 vap->iv_stats.is_rx_ctl++; 891 IEEE80211_NODE_STAT(ni, rx_ctrl); 892 vap->iv_recv_ctl(ni, m, subtype); 893 goto out; 894 default: 895 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 896 wh, "bad", "frame type 0x%x", type); 897 /* should not come here */ 898 break; 899 } 900 err: 901 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 902 out: 903 if (m != NULL) { 904 if (need_tap && ieee80211_radiotap_active_vap(vap)) 905 ieee80211_radiotap_rx(vap, m); 906 m_freem(m); 907 } 908 return type; 909 } 910 911 static void 912 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 913 int rssi, int nf, uint16_t seq, uint16_t status) 914 { 915 struct ieee80211vap *vap = ni->ni_vap; 916 917 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 918 919 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 920 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 921 ni->ni_macaddr, "open auth", 922 "bad sta auth mode %u", ni->ni_authmode); 923 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 924 /* 925 * Clear any challenge text that may be there if 926 * a previous shared key auth failed and then an 927 * open auth is attempted. 928 */ 929 if (ni->ni_challenge != NULL) { 930 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 931 ni->ni_challenge = NULL; 932 } 933 /* XXX hack to workaround calling convention */ 934 ieee80211_send_error(ni, wh->i_addr2, 935 IEEE80211_FC0_SUBTYPE_AUTH, 936 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 937 return; 938 } 939 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 940 vap->iv_stats.is_rx_bad_auth++; 941 return; 942 } 943 /* always accept open authentication requests */ 944 if (ni == vap->iv_bss) { 945 ni = ieee80211_dup_bss(vap, wh->i_addr2); 946 if (ni == NULL) 947 return; 948 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 949 (void) ieee80211_ref_node(ni); 950 /* 951 * Mark the node as referenced to reflect that it's 952 * reference count has been bumped to insure it remains 953 * after the transaction completes. 954 */ 955 ni->ni_flags |= IEEE80211_NODE_AREF; 956 /* 957 * Mark the node as requiring a valid association id 958 * before outbound traffic is permitted. 959 */ 960 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 961 962 if (vap->iv_acl != NULL && 963 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 964 /* 965 * When the ACL policy is set to RADIUS we defer the 966 * authorization to a user agent. Dispatch an event, 967 * a subsequent MLME call will decide the fate of the 968 * station. If the user agent is not present then the 969 * node will be reclaimed due to inactivity. 970 */ 971 IEEE80211_NOTE_MAC(vap, 972 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 973 "%s", "station authentication deferred (radius acl)"); 974 ieee80211_notify_node_auth(ni); 975 } else { 976 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 977 IEEE80211_NOTE_MAC(vap, 978 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 979 "%s", "station authenticated (open)"); 980 /* 981 * When 802.1x is not in use mark the port 982 * authorized at this point so traffic can flow. 983 */ 984 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 985 ieee80211_node_authorize(ni); 986 } 987 } 988 989 static void 990 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 991 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 992 uint16_t seq, uint16_t status) 993 { 994 struct ieee80211vap *vap = ni->ni_vap; 995 uint8_t *challenge; 996 int estatus; 997 998 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 999 1000 /* 1001 * NB: this can happen as we allow pre-shared key 1002 * authentication to be enabled w/o wep being turned 1003 * on so that configuration of these can be done 1004 * in any order. It may be better to enforce the 1005 * ordering in which case this check would just be 1006 * for sanity/consistency. 1007 */ 1008 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1009 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1010 ni->ni_macaddr, "shared key auth", 1011 "%s", " PRIVACY is disabled"); 1012 estatus = IEEE80211_STATUS_ALG; 1013 goto bad; 1014 } 1015 /* 1016 * Pre-shared key authentication is evil; accept 1017 * it only if explicitly configured (it is supported 1018 * mainly for compatibility with clients like Mac OS X). 1019 */ 1020 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1021 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1022 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1023 ni->ni_macaddr, "shared key auth", 1024 "bad sta auth mode %u", ni->ni_authmode); 1025 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1026 estatus = IEEE80211_STATUS_ALG; 1027 goto bad; 1028 } 1029 1030 challenge = NULL; 1031 if (frm + 1 < efrm) { 1032 if ((frm[1] + 2) > (efrm - frm)) { 1033 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1034 ni->ni_macaddr, "shared key auth", 1035 "ie %d/%d too long", 1036 frm[0], (frm[1] + 2) - (efrm - frm)); 1037 vap->iv_stats.is_rx_bad_auth++; 1038 estatus = IEEE80211_STATUS_CHALLENGE; 1039 goto bad; 1040 } 1041 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1042 challenge = frm; 1043 frm += frm[1] + 2; 1044 } 1045 switch (seq) { 1046 case IEEE80211_AUTH_SHARED_CHALLENGE: 1047 case IEEE80211_AUTH_SHARED_RESPONSE: 1048 if (challenge == NULL) { 1049 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1050 ni->ni_macaddr, "shared key auth", 1051 "%s", "no challenge"); 1052 vap->iv_stats.is_rx_bad_auth++; 1053 estatus = IEEE80211_STATUS_CHALLENGE; 1054 goto bad; 1055 } 1056 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1057 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1058 ni->ni_macaddr, "shared key auth", 1059 "bad challenge len %d", challenge[1]); 1060 vap->iv_stats.is_rx_bad_auth++; 1061 estatus = IEEE80211_STATUS_CHALLENGE; 1062 goto bad; 1063 } 1064 default: 1065 break; 1066 } 1067 switch (seq) { 1068 case IEEE80211_AUTH_SHARED_REQUEST: 1069 { 1070 #ifdef IEEE80211_DEBUG 1071 bool allocbs; 1072 #endif 1073 1074 if (ni == vap->iv_bss) { 1075 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1076 if (ni == NULL) { 1077 /* NB: no way to return an error */ 1078 return; 1079 } 1080 #ifdef IEEE80211_DEBUG 1081 allocbs = 1; 1082 #endif 1083 } else { 1084 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1085 (void) ieee80211_ref_node(ni); 1086 #ifdef IEEE80211_DEBUG 1087 allocbs = 0; 1088 #endif 1089 } 1090 /* 1091 * Mark the node as referenced to reflect that it's 1092 * reference count has been bumped to insure it remains 1093 * after the transaction completes. 1094 */ 1095 ni->ni_flags |= IEEE80211_NODE_AREF; 1096 /* 1097 * Mark the node as requiring a valid association id 1098 * before outbound traffic is permitted. 1099 */ 1100 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1101 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1102 ni->ni_noise = nf; 1103 if (!ieee80211_alloc_challenge(ni)) { 1104 /* NB: don't return error so they rexmit */ 1105 return; 1106 } 1107 net80211_get_random_bytes(ni->ni_challenge, 1108 IEEE80211_CHALLENGE_LEN); 1109 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1110 ni, "shared key %sauth request", allocbs ? "" : "re"); 1111 /* 1112 * When the ACL policy is set to RADIUS we defer the 1113 * authorization to a user agent. Dispatch an event, 1114 * a subsequent MLME call will decide the fate of the 1115 * station. If the user agent is not present then the 1116 * node will be reclaimed due to inactivity. 1117 */ 1118 if (vap->iv_acl != NULL && 1119 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1120 IEEE80211_NOTE_MAC(vap, 1121 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1122 ni->ni_macaddr, 1123 "%s", "station authentication deferred (radius acl)"); 1124 ieee80211_notify_node_auth(ni); 1125 return; 1126 } 1127 break; 1128 } 1129 case IEEE80211_AUTH_SHARED_RESPONSE: 1130 if (ni == vap->iv_bss) { 1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1132 ni->ni_macaddr, "shared key response", 1133 "%s", "unknown station"); 1134 /* NB: don't send a response */ 1135 return; 1136 } 1137 if (ni->ni_challenge == NULL) { 1138 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1139 ni->ni_macaddr, "shared key response", 1140 "%s", "no challenge recorded"); 1141 vap->iv_stats.is_rx_bad_auth++; 1142 estatus = IEEE80211_STATUS_CHALLENGE; 1143 goto bad; 1144 } 1145 if (memcmp(ni->ni_challenge, &challenge[2], 1146 challenge[1]) != 0) { 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key response", 1149 "%s", "challenge mismatch"); 1150 vap->iv_stats.is_rx_auth_fail++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1155 ni, "%s", "station authenticated (shared key)"); 1156 ieee80211_node_authorize(ni); 1157 break; 1158 default: 1159 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1160 ni->ni_macaddr, "shared key auth", 1161 "bad seq %d", seq); 1162 vap->iv_stats.is_rx_bad_auth++; 1163 estatus = IEEE80211_STATUS_SEQUENCE; 1164 goto bad; 1165 } 1166 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1167 return; 1168 bad: 1169 /* 1170 * Send an error response; but only when operating as an AP. 1171 */ 1172 /* XXX hack to workaround calling convention */ 1173 ieee80211_send_error(ni, wh->i_addr2, 1174 IEEE80211_FC0_SUBTYPE_AUTH, 1175 (seq + 1) | (estatus<<16)); 1176 } 1177 1178 /* 1179 * Convert a WPA cipher selector OUI to an internal 1180 * cipher algorithm. Where appropriate we also 1181 * record any key length. 1182 */ 1183 static int 1184 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1185 { 1186 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1187 uint32_t w = le32dec(sel); 1188 1189 switch (w) { 1190 case WPA_SEL(WPA_CSE_NULL): 1191 *cipher = IEEE80211_CIPHER_NONE; 1192 break; 1193 case WPA_SEL(WPA_CSE_WEP40): 1194 if (keylen) 1195 *keylen = 40 / NBBY; 1196 *cipher = IEEE80211_CIPHER_WEP; 1197 break; 1198 case WPA_SEL(WPA_CSE_WEP104): 1199 if (keylen) 1200 *keylen = 104 / NBBY; 1201 *cipher = IEEE80211_CIPHER_WEP; 1202 break; 1203 case WPA_SEL(WPA_CSE_TKIP): 1204 *cipher = IEEE80211_CIPHER_TKIP; 1205 break; 1206 case WPA_SEL(WPA_CSE_CCMP): 1207 *cipher = IEEE80211_CIPHER_AES_CCM; 1208 break; 1209 default: 1210 return (EINVAL); 1211 } 1212 1213 return (0); 1214 #undef WPA_SEL 1215 } 1216 1217 /* 1218 * Convert a WPA key management/authentication algorithm 1219 * to an internal code. 1220 */ 1221 static int 1222 wpa_keymgmt(const uint8_t *sel) 1223 { 1224 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1225 uint32_t w = le32dec(sel); 1226 1227 switch (w) { 1228 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1229 return WPA_ASE_8021X_UNSPEC; 1230 case WPA_SEL(WPA_ASE_8021X_PSK): 1231 return WPA_ASE_8021X_PSK; 1232 case WPA_SEL(WPA_ASE_NONE): 1233 return WPA_ASE_NONE; 1234 } 1235 return 0; /* NB: so is discarded */ 1236 #undef WPA_SEL 1237 } 1238 1239 /* 1240 * Parse a WPA information element to collect parameters. 1241 * Note that we do not validate security parameters; that 1242 * is handled by the authenticator; the parsing done here 1243 * is just for internal use in making operational decisions. 1244 */ 1245 static int 1246 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1247 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1248 { 1249 uint8_t len = frm[1]; 1250 uint32_t w; 1251 int error, n; 1252 1253 /* 1254 * Check the length once for fixed parts: OUI, type, 1255 * version, mcast cipher, and 2 selector counts. 1256 * Other, variable-length data, must be checked separately. 1257 */ 1258 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1259 IEEE80211_DISCARD_IE(vap, 1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1261 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1262 return IEEE80211_REASON_IE_INVALID; 1263 } 1264 if (len < 14) { 1265 IEEE80211_DISCARD_IE(vap, 1266 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1267 wh, "WPA", "too short, len %u", len); 1268 return IEEE80211_REASON_IE_INVALID; 1269 } 1270 frm += 6, len -= 4; /* NB: len is payload only */ 1271 /* NB: iswpaoui already validated the OUI and type */ 1272 w = le16dec(frm); 1273 if (w != WPA_VERSION) { 1274 IEEE80211_DISCARD_IE(vap, 1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1276 wh, "WPA", "bad version %u", w); 1277 return IEEE80211_REASON_IE_INVALID; 1278 } 1279 frm += 2, len -= 2; 1280 1281 memset(rsn, 0, sizeof(*rsn)); 1282 1283 /* multicast/group cipher */ 1284 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1285 if (error != 0) { 1286 IEEE80211_DISCARD_IE(vap, 1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1288 wh, "WPA", "unknown mcast cipher suite %08X", 1289 le32dec(frm)); 1290 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1291 } 1292 frm += 4, len -= 4; 1293 1294 /* unicast ciphers */ 1295 n = le16dec(frm); 1296 frm += 2, len -= 2; 1297 if (len < n*4+2) { 1298 IEEE80211_DISCARD_IE(vap, 1299 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1300 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1301 len, n); 1302 return IEEE80211_REASON_IE_INVALID; 1303 } 1304 w = 0; 1305 for (; n > 0; n--) { 1306 uint8_t cipher; 1307 1308 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1309 if (error == 0) 1310 w |= 1 << cipher; 1311 1312 frm += 4, len -= 4; 1313 } 1314 if (w == 0) { 1315 IEEE80211_DISCARD_IE(vap, 1316 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1317 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1318 w); 1319 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1320 } 1321 /* XXX other? */ 1322 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1323 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1324 else 1325 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1326 1327 /* key management algorithms */ 1328 n = le16dec(frm); 1329 frm += 2, len -= 2; 1330 if (len < n*4) { 1331 IEEE80211_DISCARD_IE(vap, 1332 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1333 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1334 len, n); 1335 return IEEE80211_REASON_IE_INVALID; 1336 } 1337 w = 0; 1338 for (; n > 0; n--) { 1339 w |= wpa_keymgmt(frm); 1340 frm += 4, len -= 4; 1341 } 1342 if (w & WPA_ASE_8021X_UNSPEC) 1343 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1344 else 1345 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1346 1347 if (len > 2) /* optional capabilities */ 1348 rsn->rsn_caps = le16dec(frm); 1349 1350 return 0; 1351 } 1352 1353 /* 1354 * Convert an RSN cipher selector OUI to an internal 1355 * cipher algorithm. Where appropriate we also 1356 * record any key length. 1357 */ 1358 static int 1359 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1360 { 1361 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1362 uint32_t w = le32dec(sel); 1363 1364 switch (w) { 1365 case RSN_SEL(RSN_CSE_NULL): 1366 *cipher = IEEE80211_CIPHER_NONE; 1367 break; 1368 case RSN_SEL(RSN_CSE_WEP40): 1369 if (keylen) 1370 *keylen = 40 / NBBY; 1371 *cipher = IEEE80211_CIPHER_WEP; 1372 break; 1373 case RSN_SEL(RSN_CSE_WEP104): 1374 if (keylen) 1375 *keylen = 104 / NBBY; 1376 *cipher = IEEE80211_CIPHER_WEP; 1377 break; 1378 case RSN_SEL(RSN_CSE_TKIP): 1379 *cipher = IEEE80211_CIPHER_TKIP; 1380 break; 1381 case RSN_SEL(RSN_CSE_CCMP): 1382 *cipher = IEEE80211_CIPHER_AES_CCM; 1383 break; 1384 case RSN_SEL(RSN_CSE_WRAP): 1385 *cipher = IEEE80211_CIPHER_AES_OCB; 1386 break; 1387 default: 1388 return (EINVAL); 1389 } 1390 1391 return (0); 1392 #undef WPA_SEL 1393 } 1394 1395 /* 1396 * Convert an RSN key management/authentication algorithm 1397 * to an internal code. 1398 */ 1399 static int 1400 rsn_keymgmt(const uint8_t *sel) 1401 { 1402 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1403 uint32_t w = le32dec(sel); 1404 1405 switch (w) { 1406 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1407 return RSN_ASE_8021X_UNSPEC; 1408 case RSN_SEL(RSN_ASE_8021X_PSK): 1409 return RSN_ASE_8021X_PSK; 1410 case RSN_SEL(RSN_ASE_NONE): 1411 return RSN_ASE_NONE; 1412 } 1413 return 0; /* NB: so is discarded */ 1414 #undef RSN_SEL 1415 } 1416 1417 /* 1418 * Parse a WPA/RSN information element to collect parameters 1419 * and validate the parameters against what has been 1420 * configured for the system. 1421 */ 1422 static int 1423 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1424 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1425 { 1426 uint8_t len = frm[1]; 1427 uint32_t w; 1428 int error, n; 1429 1430 /* 1431 * Check the length once for fixed parts: 1432 * version, mcast cipher, and 2 selector counts. 1433 * Other, variable-length data, must be checked separately. 1434 */ 1435 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1436 IEEE80211_DISCARD_IE(vap, 1437 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1438 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1439 return IEEE80211_REASON_IE_INVALID; 1440 } 1441 /* XXX may be shorter */ 1442 if (len < 10) { 1443 IEEE80211_DISCARD_IE(vap, 1444 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1445 wh, "RSN", "too short, len %u", len); 1446 return IEEE80211_REASON_IE_INVALID; 1447 } 1448 frm += 2; 1449 w = le16dec(frm); 1450 if (w != RSN_VERSION) { 1451 IEEE80211_DISCARD_IE(vap, 1452 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1453 wh, "RSN", "bad version %u", w); 1454 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1455 } 1456 frm += 2, len -= 2; 1457 1458 memset(rsn, 0, sizeof(*rsn)); 1459 1460 /* multicast/group cipher */ 1461 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1462 if (error != 0) { 1463 IEEE80211_DISCARD_IE(vap, 1464 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1465 wh, "RSN", "unknown mcast cipher suite %08X", 1466 le32dec(frm)); 1467 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1468 } 1469 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1470 IEEE80211_DISCARD_IE(vap, 1471 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1472 wh, "RSN", "invalid mcast cipher suite %d", 1473 rsn->rsn_mcastcipher); 1474 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1475 } 1476 frm += 4, len -= 4; 1477 1478 /* unicast ciphers */ 1479 n = le16dec(frm); 1480 frm += 2, len -= 2; 1481 if (len < n*4+2) { 1482 IEEE80211_DISCARD_IE(vap, 1483 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1484 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1485 len, n); 1486 return IEEE80211_REASON_IE_INVALID; 1487 } 1488 w = 0; 1489 1490 for (; n > 0; n--) { 1491 uint8_t cipher; 1492 1493 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1494 if (error == 0) 1495 w |= 1 << cipher; 1496 1497 frm += 4, len -= 4; 1498 } 1499 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1500 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1501 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1502 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1503 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1504 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1505 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1506 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1507 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1508 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1509 else { 1510 IEEE80211_DISCARD_IE(vap, 1511 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1512 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1513 w); 1514 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1515 } 1516 1517 /* key management algorithms */ 1518 n = le16dec(frm); 1519 frm += 2, len -= 2; 1520 if (len < n*4) { 1521 IEEE80211_DISCARD_IE(vap, 1522 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1523 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1524 len, n); 1525 return IEEE80211_REASON_IE_INVALID; 1526 } 1527 w = 0; 1528 for (; n > 0; n--) { 1529 w |= rsn_keymgmt(frm); 1530 frm += 4, len -= 4; 1531 } 1532 if (w & RSN_ASE_8021X_UNSPEC) 1533 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1534 else 1535 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1536 1537 /* optional RSN capabilities */ 1538 if (len >= 2) { 1539 rsn->rsn_caps = le16dec(frm); 1540 frm += 2, len -= 2; 1541 } 1542 1543 /* XXX PMK Count / PMKID */ 1544 1545 /* XXX Group Cipher Management Suite */ 1546 1547 return 0; 1548 } 1549 1550 /* 1551 * WPA/802.11i association request processing. 1552 */ 1553 static int 1554 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1555 const struct ieee80211_frame *wh, const uint8_t *wpa, 1556 const uint8_t *rsn, uint16_t capinfo) 1557 { 1558 struct ieee80211vap *vap = ni->ni_vap; 1559 uint8_t reason; 1560 int badwparsn; 1561 1562 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1563 if (wpa == NULL && rsn == NULL) { 1564 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1565 /* 1566 * W-Fi Protected Setup (WPS) permits 1567 * clients to associate and pass EAPOL frames 1568 * to establish initial credentials. 1569 */ 1570 ni->ni_flags |= IEEE80211_NODE_WPS; 1571 return 1; 1572 } 1573 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1574 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1575 /* 1576 * Transitional Security Network. Permits clients 1577 * to associate and use WEP while WPA is configured. 1578 */ 1579 ni->ni_flags |= IEEE80211_NODE_TSN; 1580 return 1; 1581 } 1582 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1583 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1584 vap->iv_stats.is_rx_assoc_badwpaie++; 1585 reason = IEEE80211_REASON_IE_INVALID; 1586 goto bad; 1587 } 1588 /* assert right association security credentials */ 1589 badwparsn = 0; /* NB: to silence compiler */ 1590 switch (vap->iv_flags & IEEE80211_F_WPA) { 1591 case IEEE80211_F_WPA1: 1592 badwparsn = (wpa == NULL); 1593 break; 1594 case IEEE80211_F_WPA2: 1595 badwparsn = (rsn == NULL); 1596 break; 1597 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1598 badwparsn = (wpa == NULL && rsn == NULL); 1599 break; 1600 } 1601 if (badwparsn) { 1602 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1603 wh, NULL, 1604 "%s", "missing WPA/RSN IE in association request"); 1605 vap->iv_stats.is_rx_assoc_badwpaie++; 1606 reason = IEEE80211_REASON_IE_INVALID; 1607 goto bad; 1608 } 1609 /* 1610 * Parse WPA/RSN information element. 1611 */ 1612 if (wpa != NULL) 1613 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1614 else 1615 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1616 if (reason != 0) { 1617 /* XXX wpa->rsn fallback? */ 1618 /* XXX distinguish WPA/RSN? */ 1619 vap->iv_stats.is_rx_assoc_badwpaie++; 1620 goto bad; 1621 } 1622 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1623 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1624 wpa != NULL ? "WPA" : "RSN", 1625 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1626 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1627 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1628 1629 return 1; 1630 bad: 1631 ieee80211_node_deauth(ni, reason); 1632 return 0; 1633 } 1634 1635 /* XXX find a better place for definition */ 1636 struct l2_update_frame { 1637 struct ether_header eh; 1638 uint8_t dsap; 1639 uint8_t ssap; 1640 uint8_t control; 1641 uint8_t xid[3]; 1642 } __packed; 1643 1644 /* 1645 * Deliver a TGf L2UF frame on behalf of a station. 1646 * This primes any bridge when the station is roaming 1647 * between ap's on the same wired network. 1648 */ 1649 static void 1650 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1651 { 1652 struct ieee80211vap *vap = ni->ni_vap; 1653 struct ifnet *ifp = vap->iv_ifp; 1654 struct mbuf *m; 1655 struct l2_update_frame *l2uf; 1656 struct ether_header *eh; 1657 1658 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1659 if (m == NULL) { 1660 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1661 "%s", "no mbuf for l2uf frame"); 1662 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1663 return; 1664 } 1665 l2uf = mtod(m, struct l2_update_frame *); 1666 eh = &l2uf->eh; 1667 /* dst: Broadcast address */ 1668 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1669 /* src: associated STA */ 1670 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1671 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1672 1673 l2uf->dsap = 0; 1674 l2uf->ssap = 0; 1675 l2uf->control = 0xf5; 1676 l2uf->xid[0] = 0x81; 1677 l2uf->xid[1] = 0x80; 1678 l2uf->xid[2] = 0x00; 1679 1680 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1681 hostap_deliver_data(vap, ni, m); 1682 } 1683 1684 static void 1685 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1686 int reassoc, int resp, const char *tag, int rate) 1687 { 1688 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1689 "deny %s request, %s rate set mismatch, rate/MCS %d", 1690 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1691 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1692 ieee80211_node_leave(ni); 1693 } 1694 1695 static void 1696 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1697 int reassoc, int resp, const char *tag, int capinfo) 1698 { 1699 struct ieee80211vap *vap = ni->ni_vap; 1700 1701 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1702 "deny %s request, %s mismatch 0x%x", 1703 reassoc ? "reassoc" : "assoc", tag, capinfo); 1704 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1705 ieee80211_node_leave(ni); 1706 vap->iv_stats.is_rx_assoc_capmismatch++; 1707 } 1708 1709 static void 1710 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1711 int reassoc, int resp) 1712 { 1713 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1714 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1715 /* XXX no better code */ 1716 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1717 ieee80211_node_leave(ni); 1718 } 1719 1720 static void 1721 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1722 int algo, int seq, int status) 1723 { 1724 struct ieee80211vap *vap = ni->ni_vap; 1725 1726 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1727 wh, NULL, "unsupported alg %d", algo); 1728 vap->iv_stats.is_rx_auth_unsupported++; 1729 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1730 seq | (status << 16)); 1731 } 1732 1733 static __inline int 1734 ishtmixed(const uint8_t *ie) 1735 { 1736 const struct ieee80211_ie_htinfo *ht = 1737 (const struct ieee80211_ie_htinfo *) ie; 1738 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1739 IEEE80211_HTINFO_OPMODE_MIXED; 1740 } 1741 1742 static int 1743 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1744 { 1745 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1746 int i; 1747 1748 /* NB: the 11b clients we care about will not have xrates */ 1749 if (xrates != NULL || rates == NULL) 1750 return 0; 1751 for (i = 0; i < rates[1]; i++) { 1752 int r = rates[2+i] & IEEE80211_RATE_VAL; 1753 if (r > 2*11 || ((1<<r) & brates) == 0) 1754 return 0; 1755 } 1756 return 1; 1757 } 1758 1759 static void 1760 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1761 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1762 { 1763 struct ieee80211vap *vap = ni->ni_vap; 1764 struct ieee80211com *ic = ni->ni_ic; 1765 struct ieee80211_frame *wh; 1766 uint8_t *frm, *efrm, *sfrm; 1767 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1768 uint8_t *vhtcap, *vhtinfo; 1769 int reassoc, resp; 1770 uint8_t rate; 1771 1772 wh = mtod(m0, struct ieee80211_frame *); 1773 frm = (uint8_t *)&wh[1]; 1774 efrm = mtod(m0, uint8_t *) + m0->m_len; 1775 switch (subtype) { 1776 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1777 /* 1778 * We process beacon/probe response frames when scanning; 1779 * otherwise we check beacon frames for overlapping non-ERP 1780 * BSS in 11g and/or overlapping legacy BSS when in HT. 1781 */ 1782 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1783 vap->iv_stats.is_rx_mgtdiscard++; 1784 return; 1785 } 1786 /* FALLTHROUGH */ 1787 case IEEE80211_FC0_SUBTYPE_BEACON: { 1788 struct ieee80211_scanparams scan; 1789 1790 /* NB: accept off-channel frames */ 1791 /* XXX TODO: use rxstatus to determine off-channel details */ 1792 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1793 return; 1794 /* 1795 * Count frame now that we know it's to be processed. 1796 */ 1797 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1798 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1799 IEEE80211_NODE_STAT(ni, rx_beacons); 1800 } else 1801 IEEE80211_NODE_STAT(ni, rx_proberesp); 1802 /* 1803 * If scanning, just pass information to the scan module. 1804 */ 1805 if (ic->ic_flags & IEEE80211_F_SCAN) { 1806 if (scan.status == 0 && /* NB: on channel */ 1807 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1808 /* 1809 * Actively scanning a channel marked passive; 1810 * send a probe request now that we know there 1811 * is 802.11 traffic present. 1812 * 1813 * XXX check if the beacon we recv'd gives 1814 * us what we need and suppress the probe req 1815 */ 1816 ieee80211_probe_curchan(vap, true); 1817 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1818 } 1819 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1820 subtype, rssi, nf); 1821 return; 1822 } 1823 /* 1824 * Check beacon for overlapping bss w/ non ERP stations. 1825 * If we detect one and protection is configured but not 1826 * enabled, enable it and start a timer that'll bring us 1827 * out if we stop seeing the bss. 1828 */ 1829 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1830 scan.status == 0 && /* NB: on-channel */ 1831 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1832 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1833 vap->iv_lastnonerp = ticks; 1834 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1835 /* 1836 * XXX TODO: this may need to check all VAPs? 1837 */ 1838 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1839 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1840 IEEE80211_NOTE_FRAME(vap, 1841 IEEE80211_MSG_ASSOC, wh, 1842 "non-ERP present on channel %d " 1843 "(saw erp 0x%x from channel %d), " 1844 "enable use of protection", 1845 ic->ic_curchan->ic_ieee, 1846 scan.erp, scan.chan); 1847 vap->iv_flags |= IEEE80211_F_USEPROT; 1848 ieee80211_vap_update_erp_protmode(vap); 1849 } 1850 } 1851 /* 1852 * Check beacon for non-HT station on HT channel 1853 * and update HT BSS occupancy as appropriate. 1854 */ 1855 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1856 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1857 /* 1858 * Off control channel; only check frames 1859 * that come in the extension channel when 1860 * operating w/ HT40. 1861 */ 1862 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1863 break; 1864 if (scan.chan != ic->ic_curchan->ic_extieee) 1865 break; 1866 } 1867 if (scan.htinfo == NULL) { 1868 ieee80211_htprot_update(vap, 1869 IEEE80211_HTINFO_OPMODE_PROTOPT | 1870 IEEE80211_HTINFO_NONHT_PRESENT); 1871 } else if (ishtmixed(scan.htinfo)) { 1872 /* XXX? take NONHT_PRESENT from beacon? */ 1873 ieee80211_htprot_update(vap, 1874 IEEE80211_HTINFO_OPMODE_MIXED | 1875 IEEE80211_HTINFO_NONHT_PRESENT); 1876 } 1877 } 1878 break; 1879 } 1880 1881 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1882 if (vap->iv_state != IEEE80211_S_RUN) { 1883 vap->iv_stats.is_rx_mgtdiscard++; 1884 return; 1885 } 1886 /* 1887 * Consult the ACL policy module if setup. 1888 */ 1889 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1890 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1891 wh, NULL, "%s", "disallowed by ACL"); 1892 vap->iv_stats.is_rx_acl++; 1893 return; 1894 } 1895 /* 1896 * prreq frame format 1897 * [tlv] ssid 1898 * [tlv] supported rates 1899 * [tlv] extended supported rates 1900 */ 1901 ssid = rates = xrates = NULL; 1902 while (efrm - frm > 1) { 1903 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1904 switch (*frm) { 1905 case IEEE80211_ELEMID_SSID: 1906 ssid = frm; 1907 break; 1908 case IEEE80211_ELEMID_RATES: 1909 rates = frm; 1910 break; 1911 case IEEE80211_ELEMID_XRATES: 1912 xrates = frm; 1913 break; 1914 } 1915 frm += frm[1] + 2; 1916 } 1917 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1918 if (xrates != NULL) 1919 IEEE80211_VERIFY_ELEMENT(xrates, 1920 IEEE80211_RATE_MAXSIZE - rates[1], return); 1921 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1922 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1923 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1924 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1925 wh, NULL, 1926 "%s", "no ssid with ssid suppression enabled"); 1927 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1928 return; 1929 } 1930 1931 /* XXX find a better class or define it's own */ 1932 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1933 "%s", "recv probe req"); 1934 /* 1935 * Some legacy 11b clients cannot hack a complete 1936 * probe response frame. When the request includes 1937 * only a bare-bones rate set, communicate this to 1938 * the transmit side. 1939 */ 1940 ieee80211_send_proberesp(vap, wh->i_addr2, 1941 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1942 break; 1943 1944 case IEEE80211_FC0_SUBTYPE_AUTH: { 1945 uint16_t algo, seq, status; 1946 1947 if (vap->iv_state != IEEE80211_S_RUN) { 1948 vap->iv_stats.is_rx_mgtdiscard++; 1949 return; 1950 } 1951 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1952 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1953 wh, NULL, "%s", "wrong bssid"); 1954 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1955 return; 1956 } 1957 /* 1958 * auth frame format 1959 * [2] algorithm 1960 * [2] sequence 1961 * [2] status 1962 * [tlv*] challenge 1963 */ 1964 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1965 algo = le16toh(*(uint16_t *)frm); 1966 seq = le16toh(*(uint16_t *)(frm + 2)); 1967 status = le16toh(*(uint16_t *)(frm + 4)); 1968 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1969 "recv auth frame with algorithm %d seq %d", algo, seq); 1970 /* 1971 * Consult the ACL policy module if setup. 1972 */ 1973 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1974 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1975 wh, NULL, "%s", "disallowed by ACL"); 1976 vap->iv_stats.is_rx_acl++; 1977 ieee80211_send_error(ni, wh->i_addr2, 1978 IEEE80211_FC0_SUBTYPE_AUTH, 1979 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1980 return; 1981 } 1982 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1983 IEEE80211_DISCARD(vap, 1984 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1985 wh, NULL, "%s", "TKIP countermeasures enabled"); 1986 vap->iv_stats.is_rx_auth_countermeasures++; 1987 ieee80211_send_error(ni, wh->i_addr2, 1988 IEEE80211_FC0_SUBTYPE_AUTH, 1989 IEEE80211_REASON_MIC_FAILURE); 1990 return; 1991 } 1992 if (algo == IEEE80211_AUTH_ALG_SHARED) 1993 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1994 seq, status); 1995 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1996 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1997 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1998 authalgreject(ni, wh, algo, 1999 seq+1, IEEE80211_STATUS_ALG); 2000 return; 2001 } else { 2002 /* 2003 * We assume that an unknown algorithm is the result 2004 * of a decryption failure on a shared key auth frame; 2005 * return a status code appropriate for that instead 2006 * of IEEE80211_STATUS_ALG. 2007 * 2008 * NB: a seq# of 4 is intentional; the decrypted 2009 * frame likely has a bogus seq value. 2010 */ 2011 authalgreject(ni, wh, algo, 2012 4, IEEE80211_STATUS_CHALLENGE); 2013 return; 2014 } 2015 break; 2016 } 2017 2018 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2019 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2020 uint16_t capinfo, lintval; 2021 struct ieee80211_rsnparms rsnparms; 2022 2023 if (vap->iv_state != IEEE80211_S_RUN) { 2024 vap->iv_stats.is_rx_mgtdiscard++; 2025 return; 2026 } 2027 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2028 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2029 wh, NULL, "%s", "wrong bssid"); 2030 vap->iv_stats.is_rx_assoc_bss++; 2031 return; 2032 } 2033 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2034 reassoc = 1; 2035 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2036 } else { 2037 reassoc = 0; 2038 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2039 } 2040 if (ni == vap->iv_bss) { 2041 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2042 "deny %s request, sta not authenticated", 2043 reassoc ? "reassoc" : "assoc"); 2044 ieee80211_send_error(ni, wh->i_addr2, 2045 IEEE80211_FC0_SUBTYPE_DEAUTH, 2046 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2047 vap->iv_stats.is_rx_assoc_notauth++; 2048 return; 2049 } 2050 2051 /* 2052 * asreq frame format 2053 * [2] capability information 2054 * [2] listen interval 2055 * [6*] current AP address (reassoc only) 2056 * [tlv] ssid 2057 * [tlv] supported rates 2058 * [tlv] extended supported rates 2059 * [tlv] WPA or RSN 2060 * [tlv] HT capabilities 2061 * [tlv] Atheros capabilities 2062 */ 2063 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2064 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2065 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2066 if (reassoc) 2067 frm += 6; /* ignore current AP info */ 2068 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2069 vhtcap = vhtinfo = NULL; 2070 sfrm = frm; 2071 while (efrm - frm > 1) { 2072 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2073 switch (*frm) { 2074 case IEEE80211_ELEMID_SSID: 2075 ssid = frm; 2076 break; 2077 case IEEE80211_ELEMID_RATES: 2078 rates = frm; 2079 break; 2080 case IEEE80211_ELEMID_XRATES: 2081 xrates = frm; 2082 break; 2083 case IEEE80211_ELEMID_RSN: 2084 rsn = frm; 2085 break; 2086 case IEEE80211_ELEMID_HTCAP: 2087 htcap = frm; 2088 break; 2089 case IEEE80211_ELEMID_VHT_CAP: 2090 vhtcap = frm; 2091 break; 2092 case IEEE80211_ELEMID_VHT_OPMODE: 2093 vhtinfo = frm; 2094 break; 2095 case IEEE80211_ELEMID_VENDOR: 2096 if (iswpaoui(frm)) 2097 wpa = frm; 2098 else if (iswmeinfo(frm)) 2099 wme = frm; 2100 #ifdef IEEE80211_SUPPORT_SUPERG 2101 else if (isatherosoui(frm)) 2102 ath = frm; 2103 #endif 2104 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2105 if (ishtcapoui(frm) && htcap == NULL) 2106 htcap = frm; 2107 } 2108 break; 2109 } 2110 frm += frm[1] + 2; 2111 } 2112 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2113 if (xrates != NULL) 2114 IEEE80211_VERIFY_ELEMENT(xrates, 2115 IEEE80211_RATE_MAXSIZE - rates[1], return); 2116 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2117 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2118 if (htcap != NULL) { 2119 IEEE80211_VERIFY_LENGTH(htcap[1], 2120 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2121 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2122 sizeof(struct ieee80211_ie_htcap)-2, 2123 return); /* XXX just NULL out? */ 2124 } 2125 2126 /* Validate VHT IEs */ 2127 if (vhtcap != NULL) { 2128 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2129 sizeof(struct ieee80211_vht_cap), 2130 return); 2131 } 2132 if (vhtinfo != NULL) { 2133 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2134 sizeof(struct ieee80211_vht_operation), 2135 return); 2136 } 2137 2138 if ((vap->iv_flags & IEEE80211_F_WPA) && 2139 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2140 return; 2141 /* discard challenge after association */ 2142 if (ni->ni_challenge != NULL) { 2143 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2144 ni->ni_challenge = NULL; 2145 } 2146 /* NB: 802.11 spec says to ignore station's privacy bit */ 2147 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2148 capinfomismatch(ni, wh, reassoc, resp, 2149 "capability", capinfo); 2150 return; 2151 } 2152 /* 2153 * Disallow re-associate w/ invalid slot time setting. 2154 */ 2155 if (ni->ni_associd != 0 && 2156 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2157 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2158 capinfomismatch(ni, wh, reassoc, resp, 2159 "slot time", capinfo); 2160 return; 2161 } 2162 rate = ieee80211_setup_rates(ni, rates, xrates, 2163 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2164 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2165 if (rate & IEEE80211_RATE_BASIC) { 2166 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2167 vap->iv_stats.is_rx_assoc_norate++; 2168 return; 2169 } 2170 /* 2171 * If constrained to 11g-only stations reject an 2172 * 11b-only station. We cheat a bit here by looking 2173 * at the max negotiated xmit rate and assuming anyone 2174 * with a best rate <24Mb/s is an 11b station. 2175 */ 2176 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2177 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2178 vap->iv_stats.is_rx_assoc_norate++; 2179 return; 2180 } 2181 2182 /* 2183 * Do HT rate set handling and setup HT node state. 2184 */ 2185 ni->ni_chan = vap->iv_bss->ni_chan; 2186 2187 /* VHT */ 2188 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2189 vhtcap != NULL && 2190 vhtinfo != NULL) { 2191 /* XXX TODO; see below */ 2192 printf("%s: VHT TODO!\n", __func__); 2193 ieee80211_vht_node_init(ni); 2194 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2195 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2196 ieee80211_vht_node_cleanup(ni); 2197 2198 /* HT */ 2199 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2200 rate = ieee80211_setup_htrates(ni, htcap, 2201 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2202 IEEE80211_F_DOBRS); 2203 if (rate & IEEE80211_RATE_BASIC) { 2204 ratesetmismatch(ni, wh, reassoc, resp, 2205 "HT", rate); 2206 vap->iv_stats.is_ht_assoc_norate++; 2207 return; 2208 } 2209 ieee80211_ht_node_init(ni); 2210 ieee80211_ht_updatehtcap(ni, htcap); 2211 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2212 ieee80211_ht_node_cleanup(ni); 2213 2214 /* Finally - this will use HT/VHT info to change node channel */ 2215 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2216 ieee80211_ht_updatehtcap_final(ni); 2217 } 2218 2219 #ifdef IEEE80211_SUPPORT_SUPERG 2220 /* Always do ff node cleanup; for A-MSDU */ 2221 ieee80211_ff_node_cleanup(ni); 2222 #endif 2223 /* 2224 * Allow AMPDU operation only with unencrypted traffic 2225 * or AES-CCM; the 11n spec only specifies these ciphers 2226 * so permitting any others is undefined and can lead 2227 * to interoperability problems. 2228 */ 2229 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2230 (((vap->iv_flags & IEEE80211_F_WPA) && 2231 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2232 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2233 IEEE80211_NOTE(vap, 2234 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2235 "disallow HT use because WEP or TKIP requested, " 2236 "capinfo 0x%x ucastcipher %d", capinfo, 2237 rsnparms.rsn_ucastcipher); 2238 ieee80211_ht_node_cleanup(ni); 2239 #ifdef IEEE80211_SUPPORT_SUPERG 2240 /* Always do ff node cleanup; for A-MSDU */ 2241 ieee80211_ff_node_cleanup(ni); 2242 #endif 2243 vap->iv_stats.is_ht_assoc_downgrade++; 2244 } 2245 /* 2246 * If constrained to 11n-only stations reject legacy stations. 2247 */ 2248 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2249 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2250 htcapmismatch(ni, wh, reassoc, resp); 2251 vap->iv_stats.is_ht_assoc_nohtcap++; 2252 return; 2253 } 2254 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2255 ni->ni_noise = nf; 2256 ni->ni_intval = lintval; 2257 ni->ni_capinfo = capinfo; 2258 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2259 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2260 /* 2261 * Store the IEs. 2262 * XXX maybe better to just expand 2263 */ 2264 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2265 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2266 if (wpa != NULL) 2267 setie(wpa_ie, wpa - sfrm); 2268 if (rsn != NULL) 2269 setie(rsn_ie, rsn - sfrm); 2270 if (htcap != NULL) 2271 setie(htcap_ie, htcap - sfrm); 2272 if (wme != NULL) { 2273 setie(wme_ie, wme - sfrm); 2274 /* 2275 * Mark node as capable of QoS. 2276 */ 2277 ni->ni_flags |= IEEE80211_NODE_QOS; 2278 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2279 if (ni->ni_uapsd != 0) 2280 ni->ni_flags |= 2281 IEEE80211_NODE_UAPSD; 2282 else 2283 ni->ni_flags &= 2284 ~IEEE80211_NODE_UAPSD; 2285 } 2286 } else 2287 ni->ni_flags &= 2288 ~(IEEE80211_NODE_QOS | 2289 IEEE80211_NODE_UAPSD); 2290 #ifdef IEEE80211_SUPPORT_SUPERG 2291 if (ath != NULL) { 2292 setie(ath_ie, ath - sfrm); 2293 /* 2294 * Parse ATH station parameters. 2295 */ 2296 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2297 } else 2298 #endif 2299 ni->ni_ath_flags = 0; 2300 #undef setie 2301 } else { 2302 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2303 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2304 ni->ni_ath_flags = 0; 2305 } 2306 ieee80211_node_join(ni, resp); 2307 ieee80211_deliver_l2uf(ni); 2308 break; 2309 } 2310 2311 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2312 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2313 #ifdef IEEE80211_DEBUG 2314 uint16_t reason; 2315 #endif 2316 2317 if (vap->iv_state != IEEE80211_S_RUN || 2318 /* NB: can happen when in promiscuous mode */ 2319 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2320 vap->iv_stats.is_rx_mgtdiscard++; 2321 break; 2322 } 2323 /* 2324 * deauth/disassoc frame format 2325 * [2] reason 2326 */ 2327 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2328 #ifdef IEEE80211_DEBUG 2329 reason = le16toh(*(uint16_t *)frm); 2330 #endif 2331 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2332 vap->iv_stats.is_rx_deauth++; 2333 IEEE80211_NODE_STAT(ni, rx_deauth); 2334 } else { 2335 vap->iv_stats.is_rx_disassoc++; 2336 IEEE80211_NODE_STAT(ni, rx_disassoc); 2337 } 2338 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2339 "recv %s (reason: %d (%s))", 2340 ieee80211_mgt_subtype_name(subtype), 2341 reason, ieee80211_reason_to_string(reason)); 2342 if (ni != vap->iv_bss) 2343 ieee80211_node_leave(ni); 2344 break; 2345 } 2346 2347 case IEEE80211_FC0_SUBTYPE_ACTION: 2348 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2349 if (ni == vap->iv_bss) { 2350 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2351 wh, NULL, "%s", "unknown node"); 2352 vap->iv_stats.is_rx_mgtdiscard++; 2353 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2354 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2355 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2356 wh, NULL, "%s", "not for us"); 2357 vap->iv_stats.is_rx_mgtdiscard++; 2358 } else if (vap->iv_state != IEEE80211_S_RUN) { 2359 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2360 wh, NULL, "wrong state %s", 2361 ieee80211_state_name[vap->iv_state]); 2362 vap->iv_stats.is_rx_mgtdiscard++; 2363 } else { 2364 if (ieee80211_parse_action(ni, m0) == 0) 2365 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2366 } 2367 break; 2368 2369 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2370 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2371 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2372 case IEEE80211_FC0_SUBTYPE_ATIM: 2373 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2374 wh, NULL, "%s", "not handled"); 2375 vap->iv_stats.is_rx_mgtdiscard++; 2376 break; 2377 2378 default: 2379 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2380 wh, "mgt", "subtype 0x%x not handled", subtype); 2381 vap->iv_stats.is_rx_badsubtype++; 2382 break; 2383 } 2384 } 2385 2386 static void 2387 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2388 { 2389 switch (subtype) { 2390 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2391 ni->ni_vap->iv_recv_pspoll(ni, m); 2392 break; 2393 case IEEE80211_FC0_SUBTYPE_BAR: 2394 ieee80211_recv_bar(ni, m); 2395 break; 2396 } 2397 } 2398 2399 /* 2400 * Process a received ps-poll frame. 2401 */ 2402 void 2403 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2404 { 2405 struct ieee80211vap *vap = ni->ni_vap; 2406 struct ieee80211com *ic = vap->iv_ic; 2407 struct ieee80211_frame_min *wh; 2408 struct mbuf *m; 2409 uint16_t aid; 2410 int qlen; 2411 2412 wh = mtod(m0, struct ieee80211_frame_min *); 2413 if (ni->ni_associd == 0) { 2414 IEEE80211_DISCARD(vap, 2415 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2416 (struct ieee80211_frame *) wh, NULL, 2417 "%s", "unassociated station"); 2418 vap->iv_stats.is_ps_unassoc++; 2419 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2420 IEEE80211_REASON_NOT_ASSOCED); 2421 return; 2422 } 2423 2424 aid = le16toh(*(uint16_t *)wh->i_dur); 2425 if (aid != ni->ni_associd) { 2426 IEEE80211_DISCARD(vap, 2427 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2428 (struct ieee80211_frame *) wh, NULL, 2429 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2430 ni->ni_associd, aid); 2431 vap->iv_stats.is_ps_badaid++; 2432 /* 2433 * NB: We used to deauth the station but it turns out 2434 * the Blackberry Curve 8230 (and perhaps other devices) 2435 * sometimes send the wrong AID when WME is negotiated. 2436 * Being more lenient here seems ok as we already check 2437 * the station is associated and we only return frames 2438 * queued for the station (i.e. we don't use the AID). 2439 */ 2440 return; 2441 } 2442 2443 /* Okay, take the first queued packet and put it out... */ 2444 m = ieee80211_node_psq_dequeue(ni, &qlen); 2445 if (m == NULL) { 2446 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2447 "%s", "recv ps-poll, but queue empty"); 2448 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2449 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2450 if (vap->iv_set_tim != NULL) 2451 vap->iv_set_tim(ni, 0); /* just in case */ 2452 return; 2453 } 2454 /* 2455 * If there are more packets, set the more packets bit 2456 * in the packet dispatched to the station; otherwise 2457 * turn off the TIM bit. 2458 */ 2459 if (qlen != 0) { 2460 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2461 "recv ps-poll, send packet, %u still queued", qlen); 2462 m->m_flags |= M_MORE_DATA; 2463 } else { 2464 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2465 "%s", "recv ps-poll, send packet, queue empty"); 2466 if (vap->iv_set_tim != NULL) 2467 vap->iv_set_tim(ni, 0); 2468 } 2469 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2470 2471 /* 2472 * Do the right thing; if it's an encap'ed frame then 2473 * call ieee80211_parent_xmitpkt() else 2474 * call ieee80211_vap_xmitpkt(). 2475 */ 2476 if (m->m_flags & M_ENCAP) { 2477 (void) ieee80211_parent_xmitpkt(ic, m); 2478 } else { 2479 (void) ieee80211_vap_xmitpkt(vap, m); 2480 } 2481 } 2482