1 /*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 #ifdef __FreeBSD__ 28 __FBSDID("$FreeBSD$"); 29 #endif 30 31 /* 32 * IEEE 802.11 HOSTAP mode support. 33 */ 34 #include "opt_inet.h" 35 #include "opt_wlan.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/malloc.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 #include <sys/sockio.h> 45 #include <sys/endian.h> 46 #include <sys/errno.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/if_var.h> 52 #include <net/if_media.h> 53 #include <net/if_llc.h> 54 #include <net/ethernet.h> 55 56 #include <net/bpf.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_hostap.h> 60 #include <net80211/ieee80211_input.h> 61 #ifdef IEEE80211_SUPPORT_SUPERG 62 #include <net80211/ieee80211_superg.h> 63 #endif 64 #include <net80211/ieee80211_wds.h> 65 66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68 static void hostap_vattach(struct ieee80211vap *); 69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 71 const struct ieee80211_rx_stats *, 72 int rssi, int nf); 73 static void hostap_deliver_data(struct ieee80211vap *, 74 struct ieee80211_node *, struct mbuf *); 75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 78 79 void 80 ieee80211_hostap_attach(struct ieee80211com *ic) 81 { 82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 83 } 84 85 void 86 ieee80211_hostap_detach(struct ieee80211com *ic) 87 { 88 } 89 90 static void 91 hostap_vdetach(struct ieee80211vap *vap) 92 { 93 } 94 95 static void 96 hostap_vattach(struct ieee80211vap *vap) 97 { 98 vap->iv_newstate = hostap_newstate; 99 vap->iv_input = hostap_input; 100 vap->iv_recv_mgmt = hostap_recv_mgmt; 101 vap->iv_recv_ctl = hostap_recv_ctl; 102 vap->iv_opdetach = hostap_vdetach; 103 vap->iv_deliver_data = hostap_deliver_data; 104 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 105 } 106 107 static void 108 sta_disassoc(void *arg, struct ieee80211_node *ni) 109 { 110 111 if (ni->ni_associd != 0) { 112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 113 IEEE80211_REASON_ASSOC_LEAVE); 114 ieee80211_node_leave(ni); 115 } 116 } 117 118 static void 119 sta_csa(void *arg, struct ieee80211_node *ni) 120 { 121 struct ieee80211vap *vap = ni->ni_vap; 122 123 if (ni->ni_associd != 0) 124 if (ni->ni_inact > vap->iv_inact_init) { 125 ni->ni_inact = vap->iv_inact_init; 126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 127 "%s: inact %u", __func__, ni->ni_inact); 128 } 129 } 130 131 static void 132 sta_drop(void *arg, struct ieee80211_node *ni) 133 { 134 135 if (ni->ni_associd != 0) 136 ieee80211_node_leave(ni); 137 } 138 139 /* 140 * Does a channel change require associated stations to re-associate 141 * so protocol state is correct. This is used when doing CSA across 142 * bands or similar (e.g. HT -> legacy). 143 */ 144 static int 145 isbandchange(struct ieee80211com *ic) 146 { 147 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 148 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 149 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 150 } 151 152 /* 153 * IEEE80211_M_HOSTAP vap state machine handler. 154 */ 155 static int 156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 157 { 158 struct ieee80211com *ic = vap->iv_ic; 159 enum ieee80211_state ostate; 160 161 IEEE80211_LOCK_ASSERT(ic); 162 163 ostate = vap->iv_state; 164 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 165 __func__, ieee80211_state_name[ostate], 166 ieee80211_state_name[nstate], arg); 167 vap->iv_state = nstate; /* state transition */ 168 if (ostate != IEEE80211_S_SCAN) 169 ieee80211_cancel_scan(vap); /* background scan */ 170 switch (nstate) { 171 case IEEE80211_S_INIT: 172 switch (ostate) { 173 case IEEE80211_S_SCAN: 174 ieee80211_cancel_scan(vap); 175 break; 176 case IEEE80211_S_CAC: 177 ieee80211_dfs_cac_stop(vap); 178 break; 179 case IEEE80211_S_RUN: 180 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 181 sta_disassoc, NULL); 182 break; 183 default: 184 break; 185 } 186 if (ostate != IEEE80211_S_INIT) { 187 /* NB: optimize INIT -> INIT case */ 188 ieee80211_reset_bss(vap); 189 } 190 if (vap->iv_auth->ia_detach != NULL) 191 vap->iv_auth->ia_detach(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 switch (ostate) { 195 case IEEE80211_S_CSA: 196 case IEEE80211_S_RUN: 197 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 198 sta_disassoc, NULL); 199 /* 200 * Clear overlapping BSS state; the beacon frame 201 * will be reconstructed on transition to the RUN 202 * state and the timeout routines check if the flag 203 * is set before doing anything so this is sufficient. 204 */ 205 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 206 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 207 /* fall thru... */ 208 case IEEE80211_S_CAC: 209 /* 210 * NB: We may get here because of a manual channel 211 * change in which case we need to stop CAC 212 * XXX no need to stop if ostate RUN but it's ok 213 */ 214 ieee80211_dfs_cac_stop(vap); 215 /* fall thru... */ 216 case IEEE80211_S_INIT: 217 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 218 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 219 /* 220 * Already have a channel; bypass the 221 * scan and startup immediately. 222 * ieee80211_create_ibss will call back to 223 * move us to RUN state. 224 */ 225 ieee80211_create_ibss(vap, vap->iv_des_chan); 226 break; 227 } 228 /* 229 * Initiate a scan. We can come here as a result 230 * of an IEEE80211_IOC_SCAN_REQ too in which case 231 * the vap will be marked with IEEE80211_FEXT_SCANREQ 232 * and the scan request parameters will be present 233 * in iv_scanreq. Otherwise we do the default. 234 */ 235 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 236 ieee80211_check_scan(vap, 237 vap->iv_scanreq_flags, 238 vap->iv_scanreq_duration, 239 vap->iv_scanreq_mindwell, 240 vap->iv_scanreq_maxdwell, 241 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 242 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 243 } else 244 ieee80211_check_scan_current(vap); 245 break; 246 case IEEE80211_S_SCAN: 247 /* 248 * A state change requires a reset; scan. 249 */ 250 ieee80211_check_scan_current(vap); 251 break; 252 default: 253 break; 254 } 255 break; 256 case IEEE80211_S_CAC: 257 /* 258 * Start CAC on a DFS channel. We come here when starting 259 * a bss on a DFS channel (see ieee80211_create_ibss). 260 */ 261 ieee80211_dfs_cac_start(vap); 262 break; 263 case IEEE80211_S_RUN: 264 if (vap->iv_flags & IEEE80211_F_WPA) { 265 /* XXX validate prerequisites */ 266 } 267 switch (ostate) { 268 case IEEE80211_S_INIT: 269 /* 270 * Already have a channel; bypass the 271 * scan and startup immediately. 272 * Note that ieee80211_create_ibss will call 273 * back to do a RUN->RUN state change. 274 */ 275 ieee80211_create_ibss(vap, 276 ieee80211_ht_adjust_channel(ic, 277 ic->ic_curchan, vap->iv_flags_ht)); 278 /* NB: iv_bss is changed on return */ 279 break; 280 case IEEE80211_S_CAC: 281 /* 282 * NB: This is the normal state change when CAC 283 * expires and no radar was detected; no need to 284 * clear the CAC timer as it's already expired. 285 */ 286 /* fall thru... */ 287 case IEEE80211_S_CSA: 288 /* 289 * Shorten inactivity timer of associated stations 290 * to weed out sta's that don't follow a CSA. 291 */ 292 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 293 sta_csa, NULL); 294 /* 295 * Update bss node channel to reflect where 296 * we landed after CSA. 297 */ 298 ieee80211_node_set_chan(vap->iv_bss, 299 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 300 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 301 /* XXX bypass debug msgs */ 302 break; 303 case IEEE80211_S_SCAN: 304 case IEEE80211_S_RUN: 305 #ifdef IEEE80211_DEBUG 306 if (ieee80211_msg_debug(vap)) { 307 struct ieee80211_node *ni = vap->iv_bss; 308 ieee80211_note(vap, 309 "synchronized with %s ssid ", 310 ether_sprintf(ni->ni_bssid)); 311 ieee80211_print_essid(ni->ni_essid, 312 ni->ni_esslen); 313 /* XXX MCS/HT */ 314 printf(" channel %d start %uMb\n", 315 ieee80211_chan2ieee(ic, ic->ic_curchan), 316 IEEE80211_RATE2MBS(ni->ni_txrate)); 317 } 318 #endif 319 break; 320 default: 321 break; 322 } 323 /* 324 * Start/stop the authenticator. We delay until here 325 * to allow configuration to happen out of order. 326 */ 327 if (vap->iv_auth->ia_attach != NULL) { 328 /* XXX check failure */ 329 vap->iv_auth->ia_attach(vap); 330 } else if (vap->iv_auth->ia_detach != NULL) { 331 vap->iv_auth->ia_detach(vap); 332 } 333 ieee80211_node_authorize(vap->iv_bss); 334 break; 335 case IEEE80211_S_CSA: 336 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 337 /* 338 * On a ``band change'' silently drop associated 339 * stations as they must re-associate before they 340 * can pass traffic (as otherwise protocol state 341 * such as capabilities and the negotiated rate 342 * set may/will be wrong). 343 */ 344 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 345 sta_drop, NULL); 346 } 347 break; 348 default: 349 break; 350 } 351 return 0; 352 } 353 354 static void 355 hostap_deliver_data(struct ieee80211vap *vap, 356 struct ieee80211_node *ni, struct mbuf *m) 357 { 358 struct ether_header *eh = mtod(m, struct ether_header *); 359 struct ifnet *ifp = vap->iv_ifp; 360 361 /* clear driver/net80211 flags before passing up */ 362 m->m_flags &= ~(M_MCAST | M_BCAST); 363 m_clrprotoflags(m); 364 365 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 366 ("gack, opmode %d", vap->iv_opmode)); 367 /* 368 * Do accounting. 369 */ 370 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 371 IEEE80211_NODE_STAT(ni, rx_data); 372 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 373 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 374 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 375 IEEE80211_NODE_STAT(ni, rx_mcast); 376 } else 377 IEEE80211_NODE_STAT(ni, rx_ucast); 378 379 /* perform as a bridge within the AP */ 380 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 381 struct mbuf *mcopy = NULL; 382 383 if (m->m_flags & M_MCAST) { 384 mcopy = m_dup(m, M_NOWAIT); 385 if (mcopy == NULL) 386 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 387 else 388 mcopy->m_flags |= M_MCAST; 389 } else { 390 /* 391 * Check if the destination is associated with the 392 * same vap and authorized to receive traffic. 393 * Beware of traffic destined for the vap itself; 394 * sending it will not work; just let it be delivered 395 * normally. 396 */ 397 struct ieee80211_node *sta = ieee80211_find_vap_node( 398 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 399 if (sta != NULL) { 400 if (ieee80211_node_is_authorized(sta)) { 401 /* 402 * Beware of sending to ourself; this 403 * needs to happen via the normal 404 * input path. 405 */ 406 if (sta != vap->iv_bss) { 407 mcopy = m; 408 m = NULL; 409 } 410 } else { 411 vap->iv_stats.is_rx_unauth++; 412 IEEE80211_NODE_STAT(sta, rx_unauth); 413 } 414 ieee80211_free_node(sta); 415 } 416 } 417 if (mcopy != NULL) 418 (void) ieee80211_vap_xmitpkt(vap, mcopy); 419 } 420 if (m != NULL) { 421 /* 422 * Mark frame as coming from vap's interface. 423 */ 424 m->m_pkthdr.rcvif = ifp; 425 if (m->m_flags & M_MCAST) { 426 /* 427 * Spam DWDS vap's w/ multicast traffic. 428 */ 429 /* XXX only if dwds in use? */ 430 ieee80211_dwds_mcast(vap, m); 431 } 432 if (ni->ni_vlan != 0) { 433 /* attach vlan tag */ 434 m->m_pkthdr.ether_vtag = ni->ni_vlan; 435 m->m_flags |= M_VLANTAG; 436 } 437 ifp->if_input(ifp, m); 438 } 439 } 440 441 /* 442 * Decide if a received management frame should be 443 * printed when debugging is enabled. This filters some 444 * of the less interesting frames that come frequently 445 * (e.g. beacons). 446 */ 447 static __inline int 448 doprint(struct ieee80211vap *vap, int subtype) 449 { 450 switch (subtype) { 451 case IEEE80211_FC0_SUBTYPE_BEACON: 452 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 453 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 454 return 0; 455 } 456 return 1; 457 } 458 459 /* 460 * Process a received frame. The node associated with the sender 461 * should be supplied. If nothing was found in the node table then 462 * the caller is assumed to supply a reference to iv_bss instead. 463 * The RSSI and a timestamp are also supplied. The RSSI data is used 464 * during AP scanning to select a AP to associate with; it can have 465 * any units so long as values have consistent units and higher values 466 * mean ``better signal''. The receive timestamp is currently not used 467 * by the 802.11 layer. 468 */ 469 static int 470 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 471 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 472 { 473 struct ieee80211vap *vap = ni->ni_vap; 474 struct ieee80211com *ic = ni->ni_ic; 475 struct ifnet *ifp = vap->iv_ifp; 476 struct ieee80211_frame *wh; 477 struct ieee80211_key *key; 478 struct ether_header *eh; 479 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 480 uint8_t dir, type, subtype, qos; 481 uint8_t *bssid; 482 int is_hw_decrypted = 0; 483 int has_decrypted = 0; 484 485 /* 486 * Some devices do hardware decryption all the way through 487 * to pretending the frame wasn't encrypted in the first place. 488 * So, tag it appropriately so it isn't discarded inappropriately. 489 */ 490 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 491 is_hw_decrypted = 1; 492 493 if (m->m_flags & M_AMPDU_MPDU) { 494 /* 495 * Fastpath for A-MPDU reorder q resubmission. Frames 496 * w/ M_AMPDU_MPDU marked have already passed through 497 * here but were received out of order and been held on 498 * the reorder queue. When resubmitted they are marked 499 * with the M_AMPDU_MPDU flag and we can bypass most of 500 * the normal processing. 501 */ 502 wh = mtod(m, struct ieee80211_frame *); 503 type = IEEE80211_FC0_TYPE_DATA; 504 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 505 subtype = IEEE80211_FC0_SUBTYPE_QOS; 506 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 507 goto resubmit_ampdu; 508 } 509 510 KASSERT(ni != NULL, ("null node")); 511 ni->ni_inact = ni->ni_inact_reload; 512 513 type = -1; /* undefined */ 514 515 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 516 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 517 ni->ni_macaddr, NULL, 518 "too short (1): len %u", m->m_pkthdr.len); 519 vap->iv_stats.is_rx_tooshort++; 520 goto out; 521 } 522 /* 523 * Bit of a cheat here, we use a pointer for a 3-address 524 * frame format but don't reference fields past outside 525 * ieee80211_frame_min w/o first validating the data is 526 * present. 527 */ 528 wh = mtod(m, struct ieee80211_frame *); 529 530 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 531 IEEE80211_FC0_VERSION_0) { 532 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 533 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 534 wh->i_fc[0], wh->i_fc[1]); 535 vap->iv_stats.is_rx_badversion++; 536 goto err; 537 } 538 539 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 540 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 541 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 542 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 543 if (dir != IEEE80211_FC1_DIR_NODS) 544 bssid = wh->i_addr1; 545 else if (type == IEEE80211_FC0_TYPE_CTL) 546 bssid = wh->i_addr1; 547 else { 548 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 549 IEEE80211_DISCARD_MAC(vap, 550 IEEE80211_MSG_ANY, ni->ni_macaddr, 551 NULL, "too short (2): len %u", 552 m->m_pkthdr.len); 553 vap->iv_stats.is_rx_tooshort++; 554 goto out; 555 } 556 bssid = wh->i_addr3; 557 } 558 /* 559 * Validate the bssid. 560 */ 561 if (!(type == IEEE80211_FC0_TYPE_MGT && 562 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 563 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 564 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 565 /* not interested in */ 566 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 567 bssid, NULL, "%s", "not to bss"); 568 vap->iv_stats.is_rx_wrongbss++; 569 goto out; 570 } 571 572 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 573 ni->ni_noise = nf; 574 if (IEEE80211_HAS_SEQ(type, subtype)) { 575 uint8_t tid = ieee80211_gettid(wh); 576 if (IEEE80211_QOS_HAS_SEQ(wh) && 577 TID_TO_WME_AC(tid) >= WME_AC_VI) 578 ic->ic_wme.wme_hipri_traffic++; 579 if (! ieee80211_check_rxseq(ni, wh, bssid)) 580 goto out; 581 } 582 } 583 584 switch (type) { 585 case IEEE80211_FC0_TYPE_DATA: 586 hdrspace = ieee80211_hdrspace(ic, wh); 587 if (m->m_len < hdrspace && 588 (m = m_pullup(m, hdrspace)) == NULL) { 589 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 590 ni->ni_macaddr, NULL, 591 "data too short: expecting %u", hdrspace); 592 vap->iv_stats.is_rx_tooshort++; 593 goto out; /* XXX */ 594 } 595 if (!(dir == IEEE80211_FC1_DIR_TODS || 596 (dir == IEEE80211_FC1_DIR_DSTODS && 597 (vap->iv_flags & IEEE80211_F_DWDS)))) { 598 if (dir != IEEE80211_FC1_DIR_DSTODS) { 599 IEEE80211_DISCARD(vap, 600 IEEE80211_MSG_INPUT, wh, "data", 601 "incorrect dir 0x%x", dir); 602 } else { 603 IEEE80211_DISCARD(vap, 604 IEEE80211_MSG_INPUT | 605 IEEE80211_MSG_WDS, wh, 606 "4-address data", 607 "%s", "DWDS not enabled"); 608 } 609 vap->iv_stats.is_rx_wrongdir++; 610 goto out; 611 } 612 /* check if source STA is associated */ 613 if (ni == vap->iv_bss) { 614 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 615 wh, "data", "%s", "unknown src"); 616 ieee80211_send_error(ni, wh->i_addr2, 617 IEEE80211_FC0_SUBTYPE_DEAUTH, 618 IEEE80211_REASON_NOT_AUTHED); 619 vap->iv_stats.is_rx_notassoc++; 620 goto err; 621 } 622 if (ni->ni_associd == 0) { 623 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 624 wh, "data", "%s", "unassoc src"); 625 IEEE80211_SEND_MGMT(ni, 626 IEEE80211_FC0_SUBTYPE_DISASSOC, 627 IEEE80211_REASON_NOT_ASSOCED); 628 vap->iv_stats.is_rx_notassoc++; 629 goto err; 630 } 631 632 /* 633 * Check for power save state change. 634 * XXX out-of-order A-MPDU frames? 635 */ 636 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 637 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 638 vap->iv_node_ps(ni, 639 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 640 /* 641 * For 4-address packets handle WDS discovery 642 * notifications. Once a WDS link is setup frames 643 * are just delivered to the WDS vap (see below). 644 */ 645 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 646 if (!ieee80211_node_is_authorized(ni)) { 647 IEEE80211_DISCARD(vap, 648 IEEE80211_MSG_INPUT | 649 IEEE80211_MSG_WDS, wh, 650 "4-address data", 651 "%s", "unauthorized port"); 652 vap->iv_stats.is_rx_unauth++; 653 IEEE80211_NODE_STAT(ni, rx_unauth); 654 goto err; 655 } 656 ieee80211_dwds_discover(ni, m); 657 return type; 658 } 659 660 /* 661 * Handle A-MPDU re-ordering. If the frame is to be 662 * processed directly then ieee80211_ampdu_reorder 663 * will return 0; otherwise it has consumed the mbuf 664 * and we should do nothing more with it. 665 */ 666 if ((m->m_flags & M_AMPDU) && 667 ieee80211_ampdu_reorder(ni, m) != 0) { 668 m = NULL; 669 goto out; 670 } 671 resubmit_ampdu: 672 673 /* 674 * Handle privacy requirements. Note that we 675 * must not be preempted from here until after 676 * we (potentially) call ieee80211_crypto_demic; 677 * otherwise we may violate assumptions in the 678 * crypto cipher modules used to do delayed update 679 * of replay sequence numbers. 680 */ 681 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 682 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 683 /* 684 * Discard encrypted frames when privacy is off. 685 */ 686 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 687 wh, "WEP", "%s", "PRIVACY off"); 688 vap->iv_stats.is_rx_noprivacy++; 689 IEEE80211_NODE_STAT(ni, rx_noprivacy); 690 goto out; 691 } 692 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 693 /* NB: stats+msgs handled in crypto_decap */ 694 IEEE80211_NODE_STAT(ni, rx_wepfail); 695 goto out; 696 } 697 wh = mtod(m, struct ieee80211_frame *); 698 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 699 has_decrypted = 1; 700 } else { 701 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 702 key = NULL; 703 } 704 705 /* 706 * Save QoS bits for use below--before we strip the header. 707 */ 708 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 709 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 710 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 711 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 712 } else 713 qos = 0; 714 715 /* 716 * Next up, any fragmentation. 717 */ 718 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 719 m = ieee80211_defrag(ni, m, hdrspace); 720 if (m == NULL) { 721 /* Fragment dropped or frame not complete yet */ 722 goto out; 723 } 724 } 725 wh = NULL; /* no longer valid, catch any uses */ 726 727 /* 728 * Next strip any MSDU crypto bits. 729 */ 730 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 731 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 732 ni->ni_macaddr, "data", "%s", "demic error"); 733 vap->iv_stats.is_rx_demicfail++; 734 IEEE80211_NODE_STAT(ni, rx_demicfail); 735 goto out; 736 } 737 /* copy to listener after decrypt */ 738 if (ieee80211_radiotap_active_vap(vap)) 739 ieee80211_radiotap_rx(vap, m); 740 need_tap = 0; 741 /* 742 * Finally, strip the 802.11 header. 743 */ 744 m = ieee80211_decap(vap, m, hdrspace); 745 if (m == NULL) { 746 /* XXX mask bit to check for both */ 747 /* don't count Null data frames as errors */ 748 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 749 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 750 goto out; 751 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 752 ni->ni_macaddr, "data", "%s", "decap error"); 753 vap->iv_stats.is_rx_decap++; 754 IEEE80211_NODE_STAT(ni, rx_decap); 755 goto err; 756 } 757 eh = mtod(m, struct ether_header *); 758 if (!ieee80211_node_is_authorized(ni)) { 759 /* 760 * Deny any non-PAE frames received prior to 761 * authorization. For open/shared-key 762 * authentication the port is mark authorized 763 * after authentication completes. For 802.1x 764 * the port is not marked authorized by the 765 * authenticator until the handshake has completed. 766 */ 767 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 768 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 769 eh->ether_shost, "data", 770 "unauthorized port: ether type 0x%x len %u", 771 eh->ether_type, m->m_pkthdr.len); 772 vap->iv_stats.is_rx_unauth++; 773 IEEE80211_NODE_STAT(ni, rx_unauth); 774 goto err; 775 } 776 } else { 777 /* 778 * When denying unencrypted frames, discard 779 * any non-PAE frames received without encryption. 780 */ 781 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 782 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 783 (is_hw_decrypted == 0) && 784 eh->ether_type != htons(ETHERTYPE_PAE)) { 785 /* 786 * Drop unencrypted frames. 787 */ 788 vap->iv_stats.is_rx_unencrypted++; 789 IEEE80211_NODE_STAT(ni, rx_unencrypted); 790 goto out; 791 } 792 } 793 /* XXX require HT? */ 794 if (qos & IEEE80211_QOS_AMSDU) { 795 m = ieee80211_decap_amsdu(ni, m); 796 if (m == NULL) 797 return IEEE80211_FC0_TYPE_DATA; 798 } else { 799 #ifdef IEEE80211_SUPPORT_SUPERG 800 m = ieee80211_decap_fastframe(vap, ni, m); 801 if (m == NULL) 802 return IEEE80211_FC0_TYPE_DATA; 803 #endif 804 } 805 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 806 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 807 else 808 hostap_deliver_data(vap, ni, m); 809 return IEEE80211_FC0_TYPE_DATA; 810 811 case IEEE80211_FC0_TYPE_MGT: 812 vap->iv_stats.is_rx_mgmt++; 813 IEEE80211_NODE_STAT(ni, rx_mgmt); 814 if (dir != IEEE80211_FC1_DIR_NODS) { 815 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 816 wh, "mgt", "incorrect dir 0x%x", dir); 817 vap->iv_stats.is_rx_wrongdir++; 818 goto err; 819 } 820 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 821 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 822 ni->ni_macaddr, "mgt", "too short: len %u", 823 m->m_pkthdr.len); 824 vap->iv_stats.is_rx_tooshort++; 825 goto out; 826 } 827 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 828 /* ensure return frames are unicast */ 829 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 830 wh, NULL, "source is multicast: %s", 831 ether_sprintf(wh->i_addr2)); 832 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 833 goto out; 834 } 835 #ifdef IEEE80211_DEBUG 836 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 837 ieee80211_msg_dumppkts(vap)) { 838 if_printf(ifp, "received %s from %s rssi %d\n", 839 ieee80211_mgt_subtype_name(subtype), 840 ether_sprintf(wh->i_addr2), rssi); 841 } 842 #endif 843 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 844 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 845 /* 846 * Only shared key auth frames with a challenge 847 * should be encrypted, discard all others. 848 */ 849 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 850 wh, NULL, 851 "%s", "WEP set but not permitted"); 852 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 853 goto out; 854 } 855 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 856 /* 857 * Discard encrypted frames when privacy is off. 858 */ 859 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 860 wh, NULL, "%s", "WEP set but PRIVACY off"); 861 vap->iv_stats.is_rx_noprivacy++; 862 goto out; 863 } 864 hdrspace = ieee80211_hdrspace(ic, wh); 865 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 866 /* NB: stats+msgs handled in crypto_decap */ 867 goto out; 868 } 869 wh = mtod(m, struct ieee80211_frame *); 870 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 871 has_decrypted = 1; 872 } 873 /* 874 * Pass the packet to radiotap before calling iv_recv_mgmt(). 875 * Otherwise iv_recv_mgmt() might pass another packet to 876 * radiotap, resulting in out of order packet captures. 877 */ 878 if (ieee80211_radiotap_active_vap(vap)) 879 ieee80211_radiotap_rx(vap, m); 880 need_tap = 0; 881 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 882 goto out; 883 884 case IEEE80211_FC0_TYPE_CTL: 885 vap->iv_stats.is_rx_ctl++; 886 IEEE80211_NODE_STAT(ni, rx_ctrl); 887 vap->iv_recv_ctl(ni, m, subtype); 888 goto out; 889 default: 890 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 891 wh, "bad", "frame type 0x%x", type); 892 /* should not come here */ 893 break; 894 } 895 err: 896 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 897 out: 898 if (m != NULL) { 899 if (need_tap && ieee80211_radiotap_active_vap(vap)) 900 ieee80211_radiotap_rx(vap, m); 901 m_freem(m); 902 } 903 return type; 904 } 905 906 static void 907 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 908 int rssi, int nf, uint16_t seq, uint16_t status) 909 { 910 struct ieee80211vap *vap = ni->ni_vap; 911 912 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 913 914 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 915 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 916 ni->ni_macaddr, "open auth", 917 "bad sta auth mode %u", ni->ni_authmode); 918 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 919 /* 920 * Clear any challenge text that may be there if 921 * a previous shared key auth failed and then an 922 * open auth is attempted. 923 */ 924 if (ni->ni_challenge != NULL) { 925 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 926 ni->ni_challenge = NULL; 927 } 928 /* XXX hack to workaround calling convention */ 929 ieee80211_send_error(ni, wh->i_addr2, 930 IEEE80211_FC0_SUBTYPE_AUTH, 931 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 932 return; 933 } 934 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 935 vap->iv_stats.is_rx_bad_auth++; 936 return; 937 } 938 /* always accept open authentication requests */ 939 if (ni == vap->iv_bss) { 940 ni = ieee80211_dup_bss(vap, wh->i_addr2); 941 if (ni == NULL) 942 return; 943 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 944 (void) ieee80211_ref_node(ni); 945 /* 946 * Mark the node as referenced to reflect that it's 947 * reference count has been bumped to insure it remains 948 * after the transaction completes. 949 */ 950 ni->ni_flags |= IEEE80211_NODE_AREF; 951 /* 952 * Mark the node as requiring a valid association id 953 * before outbound traffic is permitted. 954 */ 955 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 956 957 if (vap->iv_acl != NULL && 958 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 959 /* 960 * When the ACL policy is set to RADIUS we defer the 961 * authorization to a user agent. Dispatch an event, 962 * a subsequent MLME call will decide the fate of the 963 * station. If the user agent is not present then the 964 * node will be reclaimed due to inactivity. 965 */ 966 IEEE80211_NOTE_MAC(vap, 967 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 968 "%s", "station authentication defered (radius acl)"); 969 ieee80211_notify_node_auth(ni); 970 } else { 971 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 972 IEEE80211_NOTE_MAC(vap, 973 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 974 "%s", "station authenticated (open)"); 975 /* 976 * When 802.1x is not in use mark the port 977 * authorized at this point so traffic can flow. 978 */ 979 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 980 ieee80211_node_authorize(ni); 981 } 982 } 983 984 static void 985 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 986 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 987 uint16_t seq, uint16_t status) 988 { 989 struct ieee80211vap *vap = ni->ni_vap; 990 uint8_t *challenge; 991 int allocbs, estatus; 992 993 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 994 995 /* 996 * NB: this can happen as we allow pre-shared key 997 * authentication to be enabled w/o wep being turned 998 * on so that configuration of these can be done 999 * in any order. It may be better to enforce the 1000 * ordering in which case this check would just be 1001 * for sanity/consistency. 1002 */ 1003 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1004 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1005 ni->ni_macaddr, "shared key auth", 1006 "%s", " PRIVACY is disabled"); 1007 estatus = IEEE80211_STATUS_ALG; 1008 goto bad; 1009 } 1010 /* 1011 * Pre-shared key authentication is evil; accept 1012 * it only if explicitly configured (it is supported 1013 * mainly for compatibility with clients like Mac OS X). 1014 */ 1015 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1016 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1017 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1018 ni->ni_macaddr, "shared key auth", 1019 "bad sta auth mode %u", ni->ni_authmode); 1020 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1021 estatus = IEEE80211_STATUS_ALG; 1022 goto bad; 1023 } 1024 1025 challenge = NULL; 1026 if (frm + 1 < efrm) { 1027 if ((frm[1] + 2) > (efrm - frm)) { 1028 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1029 ni->ni_macaddr, "shared key auth", 1030 "ie %d/%d too long", 1031 frm[0], (frm[1] + 2) - (efrm - frm)); 1032 vap->iv_stats.is_rx_bad_auth++; 1033 estatus = IEEE80211_STATUS_CHALLENGE; 1034 goto bad; 1035 } 1036 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1037 challenge = frm; 1038 frm += frm[1] + 2; 1039 } 1040 switch (seq) { 1041 case IEEE80211_AUTH_SHARED_CHALLENGE: 1042 case IEEE80211_AUTH_SHARED_RESPONSE: 1043 if (challenge == NULL) { 1044 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1045 ni->ni_macaddr, "shared key auth", 1046 "%s", "no challenge"); 1047 vap->iv_stats.is_rx_bad_auth++; 1048 estatus = IEEE80211_STATUS_CHALLENGE; 1049 goto bad; 1050 } 1051 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1052 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1053 ni->ni_macaddr, "shared key auth", 1054 "bad challenge len %d", challenge[1]); 1055 vap->iv_stats.is_rx_bad_auth++; 1056 estatus = IEEE80211_STATUS_CHALLENGE; 1057 goto bad; 1058 } 1059 default: 1060 break; 1061 } 1062 switch (seq) { 1063 case IEEE80211_AUTH_SHARED_REQUEST: 1064 if (ni == vap->iv_bss) { 1065 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1066 if (ni == NULL) { 1067 /* NB: no way to return an error */ 1068 return; 1069 } 1070 allocbs = 1; 1071 } else { 1072 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1073 (void) ieee80211_ref_node(ni); 1074 allocbs = 0; 1075 } 1076 /* 1077 * Mark the node as referenced to reflect that it's 1078 * reference count has been bumped to insure it remains 1079 * after the transaction completes. 1080 */ 1081 ni->ni_flags |= IEEE80211_NODE_AREF; 1082 /* 1083 * Mark the node as requiring a valid association id 1084 * before outbound traffic is permitted. 1085 */ 1086 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1087 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1088 ni->ni_noise = nf; 1089 if (!ieee80211_alloc_challenge(ni)) { 1090 /* NB: don't return error so they rexmit */ 1091 return; 1092 } 1093 get_random_bytes(ni->ni_challenge, 1094 IEEE80211_CHALLENGE_LEN); 1095 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1096 ni, "shared key %sauth request", allocbs ? "" : "re"); 1097 /* 1098 * When the ACL policy is set to RADIUS we defer the 1099 * authorization to a user agent. Dispatch an event, 1100 * a subsequent MLME call will decide the fate of the 1101 * station. If the user agent is not present then the 1102 * node will be reclaimed due to inactivity. 1103 */ 1104 if (vap->iv_acl != NULL && 1105 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1106 IEEE80211_NOTE_MAC(vap, 1107 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1108 ni->ni_macaddr, 1109 "%s", "station authentication defered (radius acl)"); 1110 ieee80211_notify_node_auth(ni); 1111 return; 1112 } 1113 break; 1114 case IEEE80211_AUTH_SHARED_RESPONSE: 1115 if (ni == vap->iv_bss) { 1116 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1117 ni->ni_macaddr, "shared key response", 1118 "%s", "unknown station"); 1119 /* NB: don't send a response */ 1120 return; 1121 } 1122 if (ni->ni_challenge == NULL) { 1123 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1124 ni->ni_macaddr, "shared key response", 1125 "%s", "no challenge recorded"); 1126 vap->iv_stats.is_rx_bad_auth++; 1127 estatus = IEEE80211_STATUS_CHALLENGE; 1128 goto bad; 1129 } 1130 if (memcmp(ni->ni_challenge, &challenge[2], 1131 challenge[1]) != 0) { 1132 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1133 ni->ni_macaddr, "shared key response", 1134 "%s", "challenge mismatch"); 1135 vap->iv_stats.is_rx_auth_fail++; 1136 estatus = IEEE80211_STATUS_CHALLENGE; 1137 goto bad; 1138 } 1139 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1140 ni, "%s", "station authenticated (shared key)"); 1141 ieee80211_node_authorize(ni); 1142 break; 1143 default: 1144 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1145 ni->ni_macaddr, "shared key auth", 1146 "bad seq %d", seq); 1147 vap->iv_stats.is_rx_bad_auth++; 1148 estatus = IEEE80211_STATUS_SEQUENCE; 1149 goto bad; 1150 } 1151 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1152 return; 1153 bad: 1154 /* 1155 * Send an error response; but only when operating as an AP. 1156 */ 1157 /* XXX hack to workaround calling convention */ 1158 ieee80211_send_error(ni, wh->i_addr2, 1159 IEEE80211_FC0_SUBTYPE_AUTH, 1160 (seq + 1) | (estatus<<16)); 1161 } 1162 1163 /* 1164 * Convert a WPA cipher selector OUI to an internal 1165 * cipher algorithm. Where appropriate we also 1166 * record any key length. 1167 */ 1168 static int 1169 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1170 { 1171 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1172 uint32_t w = le32dec(sel); 1173 1174 switch (w) { 1175 case WPA_SEL(WPA_CSE_NULL): 1176 *cipher = IEEE80211_CIPHER_NONE; 1177 break; 1178 case WPA_SEL(WPA_CSE_WEP40): 1179 if (keylen) 1180 *keylen = 40 / NBBY; 1181 *cipher = IEEE80211_CIPHER_WEP; 1182 break; 1183 case WPA_SEL(WPA_CSE_WEP104): 1184 if (keylen) 1185 *keylen = 104 / NBBY; 1186 *cipher = IEEE80211_CIPHER_WEP; 1187 break; 1188 case WPA_SEL(WPA_CSE_TKIP): 1189 *cipher = IEEE80211_CIPHER_TKIP; 1190 break; 1191 case WPA_SEL(WPA_CSE_CCMP): 1192 *cipher = IEEE80211_CIPHER_AES_CCM; 1193 break; 1194 default: 1195 return (EINVAL); 1196 } 1197 1198 return (0); 1199 #undef WPA_SEL 1200 } 1201 1202 /* 1203 * Convert a WPA key management/authentication algorithm 1204 * to an internal code. 1205 */ 1206 static int 1207 wpa_keymgmt(const uint8_t *sel) 1208 { 1209 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1210 uint32_t w = le32dec(sel); 1211 1212 switch (w) { 1213 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1214 return WPA_ASE_8021X_UNSPEC; 1215 case WPA_SEL(WPA_ASE_8021X_PSK): 1216 return WPA_ASE_8021X_PSK; 1217 case WPA_SEL(WPA_ASE_NONE): 1218 return WPA_ASE_NONE; 1219 } 1220 return 0; /* NB: so is discarded */ 1221 #undef WPA_SEL 1222 } 1223 1224 /* 1225 * Parse a WPA information element to collect parameters. 1226 * Note that we do not validate security parameters; that 1227 * is handled by the authenticator; the parsing done here 1228 * is just for internal use in making operational decisions. 1229 */ 1230 static int 1231 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1232 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1233 { 1234 uint8_t len = frm[1]; 1235 uint32_t w; 1236 int error, n; 1237 1238 /* 1239 * Check the length once for fixed parts: OUI, type, 1240 * version, mcast cipher, and 2 selector counts. 1241 * Other, variable-length data, must be checked separately. 1242 */ 1243 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1244 IEEE80211_DISCARD_IE(vap, 1245 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1246 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1247 return IEEE80211_REASON_IE_INVALID; 1248 } 1249 if (len < 14) { 1250 IEEE80211_DISCARD_IE(vap, 1251 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1252 wh, "WPA", "too short, len %u", len); 1253 return IEEE80211_REASON_IE_INVALID; 1254 } 1255 frm += 6, len -= 4; /* NB: len is payload only */ 1256 /* NB: iswpaoui already validated the OUI and type */ 1257 w = le16dec(frm); 1258 if (w != WPA_VERSION) { 1259 IEEE80211_DISCARD_IE(vap, 1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1261 wh, "WPA", "bad version %u", w); 1262 return IEEE80211_REASON_IE_INVALID; 1263 } 1264 frm += 2, len -= 2; 1265 1266 memset(rsn, 0, sizeof(*rsn)); 1267 1268 /* multicast/group cipher */ 1269 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1270 if (error != 0) { 1271 IEEE80211_DISCARD_IE(vap, 1272 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1273 wh, "WPA", "unknown mcast cipher suite %08X", 1274 le32dec(frm)); 1275 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1276 } 1277 frm += 4, len -= 4; 1278 1279 /* unicast ciphers */ 1280 n = le16dec(frm); 1281 frm += 2, len -= 2; 1282 if (len < n*4+2) { 1283 IEEE80211_DISCARD_IE(vap, 1284 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1285 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1286 len, n); 1287 return IEEE80211_REASON_IE_INVALID; 1288 } 1289 w = 0; 1290 for (; n > 0; n--) { 1291 uint8_t cipher; 1292 1293 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1294 if (error == 0) 1295 w |= 1 << cipher; 1296 1297 frm += 4, len -= 4; 1298 } 1299 if (w == 0) { 1300 IEEE80211_DISCARD_IE(vap, 1301 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1302 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1303 w); 1304 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1305 } 1306 /* XXX other? */ 1307 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1308 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1309 else 1310 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1311 1312 /* key management algorithms */ 1313 n = le16dec(frm); 1314 frm += 2, len -= 2; 1315 if (len < n*4) { 1316 IEEE80211_DISCARD_IE(vap, 1317 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1318 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1319 len, n); 1320 return IEEE80211_REASON_IE_INVALID; 1321 } 1322 w = 0; 1323 for (; n > 0; n--) { 1324 w |= wpa_keymgmt(frm); 1325 frm += 4, len -= 4; 1326 } 1327 if (w & WPA_ASE_8021X_UNSPEC) 1328 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1329 else 1330 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1331 1332 if (len > 2) /* optional capabilities */ 1333 rsn->rsn_caps = le16dec(frm); 1334 1335 return 0; 1336 } 1337 1338 /* 1339 * Convert an RSN cipher selector OUI to an internal 1340 * cipher algorithm. Where appropriate we also 1341 * record any key length. 1342 */ 1343 static int 1344 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1345 { 1346 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1347 uint32_t w = le32dec(sel); 1348 1349 switch (w) { 1350 case RSN_SEL(RSN_CSE_NULL): 1351 *cipher = IEEE80211_CIPHER_NONE; 1352 break; 1353 case RSN_SEL(RSN_CSE_WEP40): 1354 if (keylen) 1355 *keylen = 40 / NBBY; 1356 *cipher = IEEE80211_CIPHER_WEP; 1357 break; 1358 case RSN_SEL(RSN_CSE_WEP104): 1359 if (keylen) 1360 *keylen = 104 / NBBY; 1361 *cipher = IEEE80211_CIPHER_WEP; 1362 break; 1363 case RSN_SEL(RSN_CSE_TKIP): 1364 *cipher = IEEE80211_CIPHER_TKIP; 1365 break; 1366 case RSN_SEL(RSN_CSE_CCMP): 1367 *cipher = IEEE80211_CIPHER_AES_CCM; 1368 break; 1369 case RSN_SEL(RSN_CSE_WRAP): 1370 *cipher = IEEE80211_CIPHER_AES_OCB; 1371 break; 1372 default: 1373 return (EINVAL); 1374 } 1375 1376 return (0); 1377 #undef WPA_SEL 1378 } 1379 1380 /* 1381 * Convert an RSN key management/authentication algorithm 1382 * to an internal code. 1383 */ 1384 static int 1385 rsn_keymgmt(const uint8_t *sel) 1386 { 1387 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1388 uint32_t w = le32dec(sel); 1389 1390 switch (w) { 1391 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1392 return RSN_ASE_8021X_UNSPEC; 1393 case RSN_SEL(RSN_ASE_8021X_PSK): 1394 return RSN_ASE_8021X_PSK; 1395 case RSN_SEL(RSN_ASE_NONE): 1396 return RSN_ASE_NONE; 1397 } 1398 return 0; /* NB: so is discarded */ 1399 #undef RSN_SEL 1400 } 1401 1402 /* 1403 * Parse a WPA/RSN information element to collect parameters 1404 * and validate the parameters against what has been 1405 * configured for the system. 1406 */ 1407 static int 1408 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1409 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1410 { 1411 uint8_t len = frm[1]; 1412 uint32_t w; 1413 int error, n; 1414 1415 /* 1416 * Check the length once for fixed parts: 1417 * version, mcast cipher, and 2 selector counts. 1418 * Other, variable-length data, must be checked separately. 1419 */ 1420 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1421 IEEE80211_DISCARD_IE(vap, 1422 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1423 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1424 return IEEE80211_REASON_IE_INVALID; 1425 } 1426 /* XXX may be shorter */ 1427 if (len < 10) { 1428 IEEE80211_DISCARD_IE(vap, 1429 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1430 wh, "RSN", "too short, len %u", len); 1431 return IEEE80211_REASON_IE_INVALID; 1432 } 1433 frm += 2; 1434 w = le16dec(frm); 1435 if (w != RSN_VERSION) { 1436 IEEE80211_DISCARD_IE(vap, 1437 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1438 wh, "RSN", "bad version %u", w); 1439 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1440 } 1441 frm += 2, len -= 2; 1442 1443 memset(rsn, 0, sizeof(*rsn)); 1444 1445 /* multicast/group cipher */ 1446 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1447 if (error != 0) { 1448 IEEE80211_DISCARD_IE(vap, 1449 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1450 wh, "RSN", "unknown mcast cipher suite %08X", 1451 le32dec(frm)); 1452 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1453 } 1454 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1455 IEEE80211_DISCARD_IE(vap, 1456 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1457 wh, "RSN", "invalid mcast cipher suite %d", 1458 rsn->rsn_mcastcipher); 1459 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1460 } 1461 frm += 4, len -= 4; 1462 1463 /* unicast ciphers */ 1464 n = le16dec(frm); 1465 frm += 2, len -= 2; 1466 if (len < n*4+2) { 1467 IEEE80211_DISCARD_IE(vap, 1468 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1469 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1470 len, n); 1471 return IEEE80211_REASON_IE_INVALID; 1472 } 1473 w = 0; 1474 1475 for (; n > 0; n--) { 1476 uint8_t cipher; 1477 1478 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1479 if (error == 0) 1480 w |= 1 << cipher; 1481 1482 frm += 4, len -= 4; 1483 } 1484 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1485 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1486 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1487 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1488 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1489 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1490 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1491 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1492 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1493 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1494 else { 1495 IEEE80211_DISCARD_IE(vap, 1496 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1497 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1498 w); 1499 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1500 } 1501 1502 /* key management algorithms */ 1503 n = le16dec(frm); 1504 frm += 2, len -= 2; 1505 if (len < n*4) { 1506 IEEE80211_DISCARD_IE(vap, 1507 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1508 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1509 len, n); 1510 return IEEE80211_REASON_IE_INVALID; 1511 } 1512 w = 0; 1513 for (; n > 0; n--) { 1514 w |= rsn_keymgmt(frm); 1515 frm += 4, len -= 4; 1516 } 1517 if (w & RSN_ASE_8021X_UNSPEC) 1518 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1519 else 1520 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1521 1522 /* optional RSN capabilities */ 1523 if (len > 2) 1524 rsn->rsn_caps = le16dec(frm); 1525 /* XXXPMKID */ 1526 1527 return 0; 1528 } 1529 1530 /* 1531 * WPA/802.11i association request processing. 1532 */ 1533 static int 1534 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1535 const struct ieee80211_frame *wh, const uint8_t *wpa, 1536 const uint8_t *rsn, uint16_t capinfo) 1537 { 1538 struct ieee80211vap *vap = ni->ni_vap; 1539 uint8_t reason; 1540 int badwparsn; 1541 1542 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1543 if (wpa == NULL && rsn == NULL) { 1544 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1545 /* 1546 * W-Fi Protected Setup (WPS) permits 1547 * clients to associate and pass EAPOL frames 1548 * to establish initial credentials. 1549 */ 1550 ni->ni_flags |= IEEE80211_NODE_WPS; 1551 return 1; 1552 } 1553 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1554 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1555 /* 1556 * Transitional Security Network. Permits clients 1557 * to associate and use WEP while WPA is configured. 1558 */ 1559 ni->ni_flags |= IEEE80211_NODE_TSN; 1560 return 1; 1561 } 1562 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1563 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1564 vap->iv_stats.is_rx_assoc_badwpaie++; 1565 reason = IEEE80211_REASON_IE_INVALID; 1566 goto bad; 1567 } 1568 /* assert right association security credentials */ 1569 badwparsn = 0; /* NB: to silence compiler */ 1570 switch (vap->iv_flags & IEEE80211_F_WPA) { 1571 case IEEE80211_F_WPA1: 1572 badwparsn = (wpa == NULL); 1573 break; 1574 case IEEE80211_F_WPA2: 1575 badwparsn = (rsn == NULL); 1576 break; 1577 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1578 badwparsn = (wpa == NULL && rsn == NULL); 1579 break; 1580 } 1581 if (badwparsn) { 1582 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1583 wh, NULL, 1584 "%s", "missing WPA/RSN IE in association request"); 1585 vap->iv_stats.is_rx_assoc_badwpaie++; 1586 reason = IEEE80211_REASON_IE_INVALID; 1587 goto bad; 1588 } 1589 /* 1590 * Parse WPA/RSN information element. 1591 */ 1592 if (wpa != NULL) 1593 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1594 else 1595 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1596 if (reason != 0) { 1597 /* XXX wpa->rsn fallback? */ 1598 /* XXX distinguish WPA/RSN? */ 1599 vap->iv_stats.is_rx_assoc_badwpaie++; 1600 goto bad; 1601 } 1602 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1603 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1604 wpa != NULL ? "WPA" : "RSN", 1605 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1606 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1607 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1608 1609 return 1; 1610 bad: 1611 ieee80211_node_deauth(ni, reason); 1612 return 0; 1613 } 1614 1615 /* XXX find a better place for definition */ 1616 struct l2_update_frame { 1617 struct ether_header eh; 1618 uint8_t dsap; 1619 uint8_t ssap; 1620 uint8_t control; 1621 uint8_t xid[3]; 1622 } __packed; 1623 1624 /* 1625 * Deliver a TGf L2UF frame on behalf of a station. 1626 * This primes any bridge when the station is roaming 1627 * between ap's on the same wired network. 1628 */ 1629 static void 1630 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1631 { 1632 struct ieee80211vap *vap = ni->ni_vap; 1633 struct ifnet *ifp = vap->iv_ifp; 1634 struct mbuf *m; 1635 struct l2_update_frame *l2uf; 1636 struct ether_header *eh; 1637 1638 m = m_gethdr(M_NOWAIT, MT_DATA); 1639 if (m == NULL) { 1640 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1641 "%s", "no mbuf for l2uf frame"); 1642 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1643 return; 1644 } 1645 l2uf = mtod(m, struct l2_update_frame *); 1646 eh = &l2uf->eh; 1647 /* dst: Broadcast address */ 1648 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1649 /* src: associated STA */ 1650 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1651 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1652 1653 l2uf->dsap = 0; 1654 l2uf->ssap = 0; 1655 l2uf->control = 0xf5; 1656 l2uf->xid[0] = 0x81; 1657 l2uf->xid[1] = 0x80; 1658 l2uf->xid[2] = 0x00; 1659 1660 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1661 hostap_deliver_data(vap, ni, m); 1662 } 1663 1664 static void 1665 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1666 int reassoc, int resp, const char *tag, int rate) 1667 { 1668 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1669 "deny %s request, %s rate set mismatch, rate/MCS %d", 1670 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1671 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1672 ieee80211_node_leave(ni); 1673 } 1674 1675 static void 1676 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1677 int reassoc, int resp, const char *tag, int capinfo) 1678 { 1679 struct ieee80211vap *vap = ni->ni_vap; 1680 1681 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1682 "deny %s request, %s mismatch 0x%x", 1683 reassoc ? "reassoc" : "assoc", tag, capinfo); 1684 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1685 ieee80211_node_leave(ni); 1686 vap->iv_stats.is_rx_assoc_capmismatch++; 1687 } 1688 1689 static void 1690 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1691 int reassoc, int resp) 1692 { 1693 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1694 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1695 /* XXX no better code */ 1696 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1697 ieee80211_node_leave(ni); 1698 } 1699 1700 static void 1701 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1702 int algo, int seq, int status) 1703 { 1704 struct ieee80211vap *vap = ni->ni_vap; 1705 1706 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1707 wh, NULL, "unsupported alg %d", algo); 1708 vap->iv_stats.is_rx_auth_unsupported++; 1709 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1710 seq | (status << 16)); 1711 } 1712 1713 static __inline int 1714 ishtmixed(const uint8_t *ie) 1715 { 1716 const struct ieee80211_ie_htinfo *ht = 1717 (const struct ieee80211_ie_htinfo *) ie; 1718 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1719 IEEE80211_HTINFO_OPMODE_MIXED; 1720 } 1721 1722 static int 1723 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1724 { 1725 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1726 int i; 1727 1728 /* NB: the 11b clients we care about will not have xrates */ 1729 if (xrates != NULL || rates == NULL) 1730 return 0; 1731 for (i = 0; i < rates[1]; i++) { 1732 int r = rates[2+i] & IEEE80211_RATE_VAL; 1733 if (r > 2*11 || ((1<<r) & brates) == 0) 1734 return 0; 1735 } 1736 return 1; 1737 } 1738 1739 static void 1740 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1741 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1742 { 1743 struct ieee80211vap *vap = ni->ni_vap; 1744 struct ieee80211com *ic = ni->ni_ic; 1745 struct ieee80211_frame *wh; 1746 uint8_t *frm, *efrm, *sfrm; 1747 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1748 int reassoc, resp; 1749 uint8_t rate; 1750 1751 wh = mtod(m0, struct ieee80211_frame *); 1752 frm = (uint8_t *)&wh[1]; 1753 efrm = mtod(m0, uint8_t *) + m0->m_len; 1754 switch (subtype) { 1755 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1756 /* 1757 * We process beacon/probe response frames when scanning; 1758 * otherwise we check beacon frames for overlapping non-ERP 1759 * BSS in 11g and/or overlapping legacy BSS when in HT. 1760 */ 1761 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1762 vap->iv_stats.is_rx_mgtdiscard++; 1763 return; 1764 } 1765 /* FALLTHROUGH */ 1766 case IEEE80211_FC0_SUBTYPE_BEACON: { 1767 struct ieee80211_scanparams scan; 1768 1769 /* NB: accept off-channel frames */ 1770 /* XXX TODO: use rxstatus to determine off-channel details */ 1771 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1772 return; 1773 /* 1774 * Count frame now that we know it's to be processed. 1775 */ 1776 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1777 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1778 IEEE80211_NODE_STAT(ni, rx_beacons); 1779 } else 1780 IEEE80211_NODE_STAT(ni, rx_proberesp); 1781 /* 1782 * If scanning, just pass information to the scan module. 1783 */ 1784 if (ic->ic_flags & IEEE80211_F_SCAN) { 1785 if (scan.status == 0 && /* NB: on channel */ 1786 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1787 /* 1788 * Actively scanning a channel marked passive; 1789 * send a probe request now that we know there 1790 * is 802.11 traffic present. 1791 * 1792 * XXX check if the beacon we recv'd gives 1793 * us what we need and suppress the probe req 1794 */ 1795 ieee80211_probe_curchan(vap, 1); 1796 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1797 } 1798 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1799 subtype, rssi, nf); 1800 return; 1801 } 1802 /* 1803 * Check beacon for overlapping bss w/ non ERP stations. 1804 * If we detect one and protection is configured but not 1805 * enabled, enable it and start a timer that'll bring us 1806 * out if we stop seeing the bss. 1807 */ 1808 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1809 scan.status == 0 && /* NB: on-channel */ 1810 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1811 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1812 ic->ic_lastnonerp = ticks; 1813 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1814 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1815 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1816 IEEE80211_NOTE_FRAME(vap, 1817 IEEE80211_MSG_ASSOC, wh, 1818 "non-ERP present on channel %d " 1819 "(saw erp 0x%x from channel %d), " 1820 "enable use of protection", 1821 ic->ic_curchan->ic_ieee, 1822 scan.erp, scan.chan); 1823 ic->ic_flags |= IEEE80211_F_USEPROT; 1824 ieee80211_notify_erp(ic); 1825 } 1826 } 1827 /* 1828 * Check beacon for non-HT station on HT channel 1829 * and update HT BSS occupancy as appropriate. 1830 */ 1831 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1832 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1833 /* 1834 * Off control channel; only check frames 1835 * that come in the extension channel when 1836 * operating w/ HT40. 1837 */ 1838 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1839 break; 1840 if (scan.chan != ic->ic_curchan->ic_extieee) 1841 break; 1842 } 1843 if (scan.htinfo == NULL) { 1844 ieee80211_htprot_update(ic, 1845 IEEE80211_HTINFO_OPMODE_PROTOPT | 1846 IEEE80211_HTINFO_NONHT_PRESENT); 1847 } else if (ishtmixed(scan.htinfo)) { 1848 /* XXX? take NONHT_PRESENT from beacon? */ 1849 ieee80211_htprot_update(ic, 1850 IEEE80211_HTINFO_OPMODE_MIXED | 1851 IEEE80211_HTINFO_NONHT_PRESENT); 1852 } 1853 } 1854 break; 1855 } 1856 1857 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1858 if (vap->iv_state != IEEE80211_S_RUN) { 1859 vap->iv_stats.is_rx_mgtdiscard++; 1860 return; 1861 } 1862 /* 1863 * Consult the ACL policy module if setup. 1864 */ 1865 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1866 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1867 wh, NULL, "%s", "disallowed by ACL"); 1868 vap->iv_stats.is_rx_acl++; 1869 return; 1870 } 1871 /* 1872 * prreq frame format 1873 * [tlv] ssid 1874 * [tlv] supported rates 1875 * [tlv] extended supported rates 1876 */ 1877 ssid = rates = xrates = NULL; 1878 while (efrm - frm > 1) { 1879 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1880 switch (*frm) { 1881 case IEEE80211_ELEMID_SSID: 1882 ssid = frm; 1883 break; 1884 case IEEE80211_ELEMID_RATES: 1885 rates = frm; 1886 break; 1887 case IEEE80211_ELEMID_XRATES: 1888 xrates = frm; 1889 break; 1890 } 1891 frm += frm[1] + 2; 1892 } 1893 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1894 if (xrates != NULL) 1895 IEEE80211_VERIFY_ELEMENT(xrates, 1896 IEEE80211_RATE_MAXSIZE - rates[1], return); 1897 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1898 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1899 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1900 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1901 wh, NULL, 1902 "%s", "no ssid with ssid suppression enabled"); 1903 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1904 return; 1905 } 1906 1907 /* XXX find a better class or define it's own */ 1908 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1909 "%s", "recv probe req"); 1910 /* 1911 * Some legacy 11b clients cannot hack a complete 1912 * probe response frame. When the request includes 1913 * only a bare-bones rate set, communicate this to 1914 * the transmit side. 1915 */ 1916 ieee80211_send_proberesp(vap, wh->i_addr2, 1917 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1918 break; 1919 1920 case IEEE80211_FC0_SUBTYPE_AUTH: { 1921 uint16_t algo, seq, status; 1922 1923 if (vap->iv_state != IEEE80211_S_RUN) { 1924 vap->iv_stats.is_rx_mgtdiscard++; 1925 return; 1926 } 1927 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1928 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1929 wh, NULL, "%s", "wrong bssid"); 1930 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1931 return; 1932 } 1933 /* 1934 * auth frame format 1935 * [2] algorithm 1936 * [2] sequence 1937 * [2] status 1938 * [tlv*] challenge 1939 */ 1940 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1941 algo = le16toh(*(uint16_t *)frm); 1942 seq = le16toh(*(uint16_t *)(frm + 2)); 1943 status = le16toh(*(uint16_t *)(frm + 4)); 1944 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1945 "recv auth frame with algorithm %d seq %d", algo, seq); 1946 /* 1947 * Consult the ACL policy module if setup. 1948 */ 1949 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1950 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1951 wh, NULL, "%s", "disallowed by ACL"); 1952 vap->iv_stats.is_rx_acl++; 1953 ieee80211_send_error(ni, wh->i_addr2, 1954 IEEE80211_FC0_SUBTYPE_AUTH, 1955 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1956 return; 1957 } 1958 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1959 IEEE80211_DISCARD(vap, 1960 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1961 wh, NULL, "%s", "TKIP countermeasures enabled"); 1962 vap->iv_stats.is_rx_auth_countermeasures++; 1963 ieee80211_send_error(ni, wh->i_addr2, 1964 IEEE80211_FC0_SUBTYPE_AUTH, 1965 IEEE80211_REASON_MIC_FAILURE); 1966 return; 1967 } 1968 if (algo == IEEE80211_AUTH_ALG_SHARED) 1969 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1970 seq, status); 1971 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1972 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1973 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1974 authalgreject(ni, wh, algo, 1975 seq+1, IEEE80211_STATUS_ALG); 1976 return; 1977 } else { 1978 /* 1979 * We assume that an unknown algorithm is the result 1980 * of a decryption failure on a shared key auth frame; 1981 * return a status code appropriate for that instead 1982 * of IEEE80211_STATUS_ALG. 1983 * 1984 * NB: a seq# of 4 is intentional; the decrypted 1985 * frame likely has a bogus seq value. 1986 */ 1987 authalgreject(ni, wh, algo, 1988 4, IEEE80211_STATUS_CHALLENGE); 1989 return; 1990 } 1991 break; 1992 } 1993 1994 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1995 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1996 uint16_t capinfo, lintval; 1997 struct ieee80211_rsnparms rsnparms; 1998 1999 if (vap->iv_state != IEEE80211_S_RUN) { 2000 vap->iv_stats.is_rx_mgtdiscard++; 2001 return; 2002 } 2003 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2004 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2005 wh, NULL, "%s", "wrong bssid"); 2006 vap->iv_stats.is_rx_assoc_bss++; 2007 return; 2008 } 2009 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2010 reassoc = 1; 2011 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2012 } else { 2013 reassoc = 0; 2014 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2015 } 2016 if (ni == vap->iv_bss) { 2017 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2018 "deny %s request, sta not authenticated", 2019 reassoc ? "reassoc" : "assoc"); 2020 ieee80211_send_error(ni, wh->i_addr2, 2021 IEEE80211_FC0_SUBTYPE_DEAUTH, 2022 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2023 vap->iv_stats.is_rx_assoc_notauth++; 2024 return; 2025 } 2026 2027 /* 2028 * asreq frame format 2029 * [2] capability information 2030 * [2] listen interval 2031 * [6*] current AP address (reassoc only) 2032 * [tlv] ssid 2033 * [tlv] supported rates 2034 * [tlv] extended supported rates 2035 * [tlv] WPA or RSN 2036 * [tlv] HT capabilities 2037 * [tlv] Atheros capabilities 2038 */ 2039 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2040 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2041 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2042 if (reassoc) 2043 frm += 6; /* ignore current AP info */ 2044 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2045 sfrm = frm; 2046 while (efrm - frm > 1) { 2047 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2048 switch (*frm) { 2049 case IEEE80211_ELEMID_SSID: 2050 ssid = frm; 2051 break; 2052 case IEEE80211_ELEMID_RATES: 2053 rates = frm; 2054 break; 2055 case IEEE80211_ELEMID_XRATES: 2056 xrates = frm; 2057 break; 2058 case IEEE80211_ELEMID_RSN: 2059 rsn = frm; 2060 break; 2061 case IEEE80211_ELEMID_HTCAP: 2062 htcap = frm; 2063 break; 2064 case IEEE80211_ELEMID_VENDOR: 2065 if (iswpaoui(frm)) 2066 wpa = frm; 2067 else if (iswmeinfo(frm)) 2068 wme = frm; 2069 #ifdef IEEE80211_SUPPORT_SUPERG 2070 else if (isatherosoui(frm)) 2071 ath = frm; 2072 #endif 2073 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2074 if (ishtcapoui(frm) && htcap == NULL) 2075 htcap = frm; 2076 } 2077 break; 2078 } 2079 frm += frm[1] + 2; 2080 } 2081 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2082 if (xrates != NULL) 2083 IEEE80211_VERIFY_ELEMENT(xrates, 2084 IEEE80211_RATE_MAXSIZE - rates[1], return); 2085 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2086 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2087 if (htcap != NULL) { 2088 IEEE80211_VERIFY_LENGTH(htcap[1], 2089 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2090 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2091 sizeof(struct ieee80211_ie_htcap)-2, 2092 return); /* XXX just NULL out? */ 2093 } 2094 2095 if ((vap->iv_flags & IEEE80211_F_WPA) && 2096 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2097 return; 2098 /* discard challenge after association */ 2099 if (ni->ni_challenge != NULL) { 2100 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2101 ni->ni_challenge = NULL; 2102 } 2103 /* NB: 802.11 spec says to ignore station's privacy bit */ 2104 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2105 capinfomismatch(ni, wh, reassoc, resp, 2106 "capability", capinfo); 2107 return; 2108 } 2109 /* 2110 * Disallow re-associate w/ invalid slot time setting. 2111 */ 2112 if (ni->ni_associd != 0 && 2113 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2114 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2115 capinfomismatch(ni, wh, reassoc, resp, 2116 "slot time", capinfo); 2117 return; 2118 } 2119 rate = ieee80211_setup_rates(ni, rates, xrates, 2120 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2121 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2122 if (rate & IEEE80211_RATE_BASIC) { 2123 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2124 vap->iv_stats.is_rx_assoc_norate++; 2125 return; 2126 } 2127 /* 2128 * If constrained to 11g-only stations reject an 2129 * 11b-only station. We cheat a bit here by looking 2130 * at the max negotiated xmit rate and assuming anyone 2131 * with a best rate <24Mb/s is an 11b station. 2132 */ 2133 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2134 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2135 vap->iv_stats.is_rx_assoc_norate++; 2136 return; 2137 } 2138 /* 2139 * Do HT rate set handling and setup HT node state. 2140 */ 2141 ni->ni_chan = vap->iv_bss->ni_chan; 2142 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2143 rate = ieee80211_setup_htrates(ni, htcap, 2144 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2145 IEEE80211_F_DOBRS); 2146 if (rate & IEEE80211_RATE_BASIC) { 2147 ratesetmismatch(ni, wh, reassoc, resp, 2148 "HT", rate); 2149 vap->iv_stats.is_ht_assoc_norate++; 2150 return; 2151 } 2152 ieee80211_ht_node_init(ni); 2153 ieee80211_ht_updatehtcap(ni, htcap); 2154 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2155 ieee80211_ht_node_cleanup(ni); 2156 #ifdef IEEE80211_SUPPORT_SUPERG 2157 /* Always do ff node cleanup; for A-MSDU */ 2158 ieee80211_ff_node_cleanup(ni); 2159 #endif 2160 /* 2161 * Allow AMPDU operation only with unencrypted traffic 2162 * or AES-CCM; the 11n spec only specifies these ciphers 2163 * so permitting any others is undefined and can lead 2164 * to interoperability problems. 2165 */ 2166 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2167 (((vap->iv_flags & IEEE80211_F_WPA) && 2168 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2169 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2170 IEEE80211_NOTE(vap, 2171 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2172 "disallow HT use because WEP or TKIP requested, " 2173 "capinfo 0x%x ucastcipher %d", capinfo, 2174 rsnparms.rsn_ucastcipher); 2175 ieee80211_ht_node_cleanup(ni); 2176 #ifdef IEEE80211_SUPPORT_SUPERG 2177 /* Always do ff node cleanup; for A-MSDU */ 2178 ieee80211_ff_node_cleanup(ni); 2179 #endif 2180 vap->iv_stats.is_ht_assoc_downgrade++; 2181 } 2182 /* 2183 * If constrained to 11n-only stations reject legacy stations. 2184 */ 2185 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2186 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2187 htcapmismatch(ni, wh, reassoc, resp); 2188 vap->iv_stats.is_ht_assoc_nohtcap++; 2189 return; 2190 } 2191 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2192 ni->ni_noise = nf; 2193 ni->ni_intval = lintval; 2194 ni->ni_capinfo = capinfo; 2195 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2196 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2197 /* 2198 * Store the IEs. 2199 * XXX maybe better to just expand 2200 */ 2201 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2202 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2203 if (wpa != NULL) 2204 setie(wpa_ie, wpa - sfrm); 2205 if (rsn != NULL) 2206 setie(rsn_ie, rsn - sfrm); 2207 if (htcap != NULL) 2208 setie(htcap_ie, htcap - sfrm); 2209 if (wme != NULL) { 2210 setie(wme_ie, wme - sfrm); 2211 /* 2212 * Mark node as capable of QoS. 2213 */ 2214 ni->ni_flags |= IEEE80211_NODE_QOS; 2215 } else 2216 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2217 #ifdef IEEE80211_SUPPORT_SUPERG 2218 if (ath != NULL) { 2219 setie(ath_ie, ath - sfrm); 2220 /* 2221 * Parse ATH station parameters. 2222 */ 2223 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2224 } else 2225 #endif 2226 ni->ni_ath_flags = 0; 2227 #undef setie 2228 } else { 2229 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2230 ni->ni_ath_flags = 0; 2231 } 2232 ieee80211_node_join(ni, resp); 2233 ieee80211_deliver_l2uf(ni); 2234 break; 2235 } 2236 2237 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2238 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2239 uint16_t reason; 2240 2241 if (vap->iv_state != IEEE80211_S_RUN || 2242 /* NB: can happen when in promiscuous mode */ 2243 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2244 vap->iv_stats.is_rx_mgtdiscard++; 2245 break; 2246 } 2247 /* 2248 * deauth/disassoc frame format 2249 * [2] reason 2250 */ 2251 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2252 reason = le16toh(*(uint16_t *)frm); 2253 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2254 vap->iv_stats.is_rx_deauth++; 2255 IEEE80211_NODE_STAT(ni, rx_deauth); 2256 } else { 2257 vap->iv_stats.is_rx_disassoc++; 2258 IEEE80211_NODE_STAT(ni, rx_disassoc); 2259 } 2260 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2261 "recv %s (reason: %d (%s))", 2262 ieee80211_mgt_subtype_name(subtype), 2263 reason, ieee80211_reason_to_string(reason)); 2264 if (ni != vap->iv_bss) 2265 ieee80211_node_leave(ni); 2266 break; 2267 } 2268 2269 case IEEE80211_FC0_SUBTYPE_ACTION: 2270 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2271 if (ni == vap->iv_bss) { 2272 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2273 wh, NULL, "%s", "unknown node"); 2274 vap->iv_stats.is_rx_mgtdiscard++; 2275 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2276 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2277 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2278 wh, NULL, "%s", "not for us"); 2279 vap->iv_stats.is_rx_mgtdiscard++; 2280 } else if (vap->iv_state != IEEE80211_S_RUN) { 2281 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2282 wh, NULL, "wrong state %s", 2283 ieee80211_state_name[vap->iv_state]); 2284 vap->iv_stats.is_rx_mgtdiscard++; 2285 } else { 2286 if (ieee80211_parse_action(ni, m0) == 0) 2287 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2288 } 2289 break; 2290 2291 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2292 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2293 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2294 case IEEE80211_FC0_SUBTYPE_ATIM: 2295 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2296 wh, NULL, "%s", "not handled"); 2297 vap->iv_stats.is_rx_mgtdiscard++; 2298 break; 2299 2300 default: 2301 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2302 wh, "mgt", "subtype 0x%x not handled", subtype); 2303 vap->iv_stats.is_rx_badsubtype++; 2304 break; 2305 } 2306 } 2307 2308 static void 2309 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2310 { 2311 switch (subtype) { 2312 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2313 ni->ni_vap->iv_recv_pspoll(ni, m); 2314 break; 2315 case IEEE80211_FC0_SUBTYPE_BAR: 2316 ieee80211_recv_bar(ni, m); 2317 break; 2318 } 2319 } 2320 2321 /* 2322 * Process a received ps-poll frame. 2323 */ 2324 void 2325 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2326 { 2327 struct ieee80211vap *vap = ni->ni_vap; 2328 struct ieee80211com *ic = vap->iv_ic; 2329 struct ieee80211_frame_min *wh; 2330 struct mbuf *m; 2331 uint16_t aid; 2332 int qlen; 2333 2334 wh = mtod(m0, struct ieee80211_frame_min *); 2335 if (ni->ni_associd == 0) { 2336 IEEE80211_DISCARD(vap, 2337 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2338 (struct ieee80211_frame *) wh, NULL, 2339 "%s", "unassociated station"); 2340 vap->iv_stats.is_ps_unassoc++; 2341 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2342 IEEE80211_REASON_NOT_ASSOCED); 2343 return; 2344 } 2345 2346 aid = le16toh(*(uint16_t *)wh->i_dur); 2347 if (aid != ni->ni_associd) { 2348 IEEE80211_DISCARD(vap, 2349 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2350 (struct ieee80211_frame *) wh, NULL, 2351 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2352 ni->ni_associd, aid); 2353 vap->iv_stats.is_ps_badaid++; 2354 /* 2355 * NB: We used to deauth the station but it turns out 2356 * the Blackberry Curve 8230 (and perhaps other devices) 2357 * sometimes send the wrong AID when WME is negotiated. 2358 * Being more lenient here seems ok as we already check 2359 * the station is associated and we only return frames 2360 * queued for the station (i.e. we don't use the AID). 2361 */ 2362 return; 2363 } 2364 2365 /* Okay, take the first queued packet and put it out... */ 2366 m = ieee80211_node_psq_dequeue(ni, &qlen); 2367 if (m == NULL) { 2368 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2369 "%s", "recv ps-poll, but queue empty"); 2370 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2371 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2372 if (vap->iv_set_tim != NULL) 2373 vap->iv_set_tim(ni, 0); /* just in case */ 2374 return; 2375 } 2376 /* 2377 * If there are more packets, set the more packets bit 2378 * in the packet dispatched to the station; otherwise 2379 * turn off the TIM bit. 2380 */ 2381 if (qlen != 0) { 2382 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2383 "recv ps-poll, send packet, %u still queued", qlen); 2384 m->m_flags |= M_MORE_DATA; 2385 } else { 2386 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2387 "%s", "recv ps-poll, send packet, queue empty"); 2388 if (vap->iv_set_tim != NULL) 2389 vap->iv_set_tim(ni, 0); 2390 } 2391 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2392 2393 /* 2394 * Do the right thing; if it's an encap'ed frame then 2395 * call ieee80211_parent_xmitpkt() else 2396 * call ieee80211_vap_xmitpkt(). 2397 */ 2398 if (m->m_flags & M_ENCAP) { 2399 (void) ieee80211_parent_xmitpkt(ic, m); 2400 } else { 2401 (void) ieee80211_vap_xmitpkt(vap, m); 2402 } 2403 } 2404