1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68 static void hostap_vattach(struct ieee80211vap *); 69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 71 const struct ieee80211_rx_stats *, 72 int rssi, int nf); 73 static void hostap_deliver_data(struct ieee80211vap *, 74 struct ieee80211_node *, struct mbuf *); 75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 78 79 void 80 ieee80211_hostap_attach(struct ieee80211com *ic) 81 { 82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 83 } 84 85 void 86 ieee80211_hostap_detach(struct ieee80211com *ic) 87 { 88 } 89 90 static void 91 hostap_vdetach(struct ieee80211vap *vap) 92 { 93 } 94 95 static void 96 hostap_vattach(struct ieee80211vap *vap) 97 { 98 vap->iv_newstate = hostap_newstate; 99 vap->iv_input = hostap_input; 100 vap->iv_recv_mgmt = hostap_recv_mgmt; 101 vap->iv_recv_ctl = hostap_recv_ctl; 102 vap->iv_opdetach = hostap_vdetach; 103 vap->iv_deliver_data = hostap_deliver_data; 104 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 105 } 106 107 static void 108 sta_disassoc(void *arg, struct ieee80211_node *ni) 109 { 110 111 if (ni->ni_associd != 0) { 112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 113 IEEE80211_REASON_ASSOC_LEAVE); 114 ieee80211_node_leave(ni); 115 } 116 } 117 118 static void 119 sta_csa(void *arg, struct ieee80211_node *ni) 120 { 121 struct ieee80211vap *vap = ni->ni_vap; 122 123 if (ni->ni_associd != 0) 124 if (ni->ni_inact > vap->iv_inact_init) { 125 ni->ni_inact = vap->iv_inact_init; 126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 127 "%s: inact %u", __func__, ni->ni_inact); 128 } 129 } 130 131 static void 132 sta_drop(void *arg, struct ieee80211_node *ni) 133 { 134 135 if (ni->ni_associd != 0) 136 ieee80211_node_leave(ni); 137 } 138 139 /* 140 * Does a channel change require associated stations to re-associate 141 * so protocol state is correct. This is used when doing CSA across 142 * bands or similar (e.g. HT -> legacy). 143 */ 144 static int 145 isbandchange(struct ieee80211com *ic) 146 { 147 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 148 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 149 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 150 } 151 152 /* 153 * IEEE80211_M_HOSTAP vap state machine handler. 154 */ 155 static int 156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 157 { 158 struct ieee80211com *ic = vap->iv_ic; 159 enum ieee80211_state ostate; 160 161 IEEE80211_LOCK_ASSERT(ic); 162 163 ostate = vap->iv_state; 164 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 165 __func__, ieee80211_state_name[ostate], 166 ieee80211_state_name[nstate], arg); 167 vap->iv_state = nstate; /* state transition */ 168 if (ostate != IEEE80211_S_SCAN) 169 ieee80211_cancel_scan(vap); /* background scan */ 170 switch (nstate) { 171 case IEEE80211_S_INIT: 172 switch (ostate) { 173 case IEEE80211_S_SCAN: 174 ieee80211_cancel_scan(vap); 175 break; 176 case IEEE80211_S_CAC: 177 ieee80211_dfs_cac_stop(vap); 178 break; 179 case IEEE80211_S_RUN: 180 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 181 sta_disassoc, NULL); 182 break; 183 default: 184 break; 185 } 186 if (ostate != IEEE80211_S_INIT) { 187 /* NB: optimize INIT -> INIT case */ 188 ieee80211_reset_bss(vap); 189 } 190 if (vap->iv_auth->ia_detach != NULL) 191 vap->iv_auth->ia_detach(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 switch (ostate) { 195 case IEEE80211_S_CSA: 196 case IEEE80211_S_RUN: 197 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 198 sta_disassoc, NULL); 199 /* 200 * Clear overlapping BSS state; the beacon frame 201 * will be reconstructed on transition to the RUN 202 * state and the timeout routines check if the flag 203 * is set before doing anything so this is sufficient. 204 */ 205 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 206 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 207 /* XXX TODO: schedule deferred update? */ 208 /* fall thru... */ 209 case IEEE80211_S_CAC: 210 /* 211 * NB: We may get here because of a manual channel 212 * change in which case we need to stop CAC 213 * XXX no need to stop if ostate RUN but it's ok 214 */ 215 ieee80211_dfs_cac_stop(vap); 216 /* fall thru... */ 217 case IEEE80211_S_INIT: 218 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 219 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 220 /* 221 * Already have a channel; bypass the 222 * scan and startup immediately. 223 * ieee80211_create_ibss will call back to 224 * move us to RUN state. 225 */ 226 ieee80211_create_ibss(vap, vap->iv_des_chan); 227 break; 228 } 229 /* 230 * Initiate a scan. We can come here as a result 231 * of an IEEE80211_IOC_SCAN_REQ too in which case 232 * the vap will be marked with IEEE80211_FEXT_SCANREQ 233 * and the scan request parameters will be present 234 * in iv_scanreq. Otherwise we do the default. 235 */ 236 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 237 ieee80211_check_scan(vap, 238 vap->iv_scanreq_flags, 239 vap->iv_scanreq_duration, 240 vap->iv_scanreq_mindwell, 241 vap->iv_scanreq_maxdwell, 242 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 243 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 244 } else 245 ieee80211_check_scan_current(vap); 246 break; 247 case IEEE80211_S_SCAN: 248 /* 249 * A state change requires a reset; scan. 250 */ 251 ieee80211_check_scan_current(vap); 252 break; 253 default: 254 break; 255 } 256 break; 257 case IEEE80211_S_CAC: 258 /* 259 * Start CAC on a DFS channel. We come here when starting 260 * a bss on a DFS channel (see ieee80211_create_ibss). 261 */ 262 ieee80211_dfs_cac_start(vap); 263 break; 264 case IEEE80211_S_RUN: 265 if (vap->iv_flags & IEEE80211_F_WPA) { 266 /* XXX validate prerequisites */ 267 } 268 switch (ostate) { 269 case IEEE80211_S_INIT: 270 /* 271 * Already have a channel; bypass the 272 * scan and startup immediately. 273 * Note that ieee80211_create_ibss will call 274 * back to do a RUN->RUN state change. 275 */ 276 ieee80211_create_ibss(vap, 277 ieee80211_ht_adjust_channel(ic, 278 ic->ic_curchan, vap->iv_flags_ht)); 279 /* NB: iv_bss is changed on return */ 280 break; 281 case IEEE80211_S_CAC: 282 /* 283 * NB: This is the normal state change when CAC 284 * expires and no radar was detected; no need to 285 * clear the CAC timer as it's already expired. 286 */ 287 /* fall thru... */ 288 case IEEE80211_S_CSA: 289 /* 290 * Shorten inactivity timer of associated stations 291 * to weed out sta's that don't follow a CSA. 292 */ 293 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 294 sta_csa, NULL); 295 /* 296 * Update bss node channel to reflect where 297 * we landed after CSA. 298 */ 299 ieee80211_node_set_chan(vap->iv_bss, 300 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 301 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 302 /* XXX bypass debug msgs */ 303 break; 304 case IEEE80211_S_SCAN: 305 case IEEE80211_S_RUN: 306 #ifdef IEEE80211_DEBUG 307 if (ieee80211_msg_debug(vap)) { 308 struct ieee80211_node *ni = vap->iv_bss; 309 ieee80211_note(vap, 310 "synchronized with %s ssid ", 311 ether_sprintf(ni->ni_bssid)); 312 ieee80211_print_essid(ni->ni_essid, 313 ni->ni_esslen); 314 /* XXX MCS/HT */ 315 printf(" channel %d start %uMb\n", 316 ieee80211_chan2ieee(ic, ic->ic_curchan), 317 IEEE80211_RATE2MBS(ni->ni_txrate)); 318 } 319 #endif 320 break; 321 default: 322 break; 323 } 324 /* 325 * Start/stop the authenticator. We delay until here 326 * to allow configuration to happen out of order. 327 */ 328 if (vap->iv_auth->ia_attach != NULL) { 329 /* XXX check failure */ 330 vap->iv_auth->ia_attach(vap); 331 } else if (vap->iv_auth->ia_detach != NULL) { 332 vap->iv_auth->ia_detach(vap); 333 } 334 ieee80211_node_authorize(vap->iv_bss); 335 break; 336 case IEEE80211_S_CSA: 337 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 338 /* 339 * On a ``band change'' silently drop associated 340 * stations as they must re-associate before they 341 * can pass traffic (as otherwise protocol state 342 * such as capabilities and the negotiated rate 343 * set may/will be wrong). 344 */ 345 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 346 sta_drop, NULL); 347 } 348 break; 349 default: 350 break; 351 } 352 return 0; 353 } 354 355 static void 356 hostap_deliver_data(struct ieee80211vap *vap, 357 struct ieee80211_node *ni, struct mbuf *m) 358 { 359 struct ether_header *eh = mtod(m, struct ether_header *); 360 struct ifnet *ifp = vap->iv_ifp; 361 362 /* clear driver/net80211 flags before passing up */ 363 m->m_flags &= ~(M_MCAST | M_BCAST); 364 m_clrprotoflags(m); 365 366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 367 ("gack, opmode %d", vap->iv_opmode)); 368 /* 369 * Do accounting. 370 */ 371 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 372 IEEE80211_NODE_STAT(ni, rx_data); 373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 375 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 376 IEEE80211_NODE_STAT(ni, rx_mcast); 377 } else 378 IEEE80211_NODE_STAT(ni, rx_ucast); 379 380 /* perform as a bridge within the AP */ 381 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 382 struct mbuf *mcopy = NULL; 383 384 if (m->m_flags & M_MCAST) { 385 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 386 if (mcopy == NULL) 387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 388 else 389 mcopy->m_flags |= M_MCAST; 390 } else { 391 /* 392 * Check if the destination is associated with the 393 * same vap and authorized to receive traffic. 394 * Beware of traffic destined for the vap itself; 395 * sending it will not work; just let it be delivered 396 * normally. 397 */ 398 struct ieee80211_node *sta = ieee80211_find_vap_node( 399 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 400 if (sta != NULL) { 401 if (ieee80211_node_is_authorized(sta)) { 402 /* 403 * Beware of sending to ourself; this 404 * needs to happen via the normal 405 * input path. 406 */ 407 if (sta != vap->iv_bss) { 408 mcopy = m; 409 m = NULL; 410 } 411 } else { 412 vap->iv_stats.is_rx_unauth++; 413 IEEE80211_NODE_STAT(sta, rx_unauth); 414 } 415 ieee80211_free_node(sta); 416 } 417 } 418 if (mcopy != NULL) 419 (void) ieee80211_vap_xmitpkt(vap, mcopy); 420 } 421 if (m != NULL) { 422 struct epoch_tracker et; 423 424 /* 425 * Mark frame as coming from vap's interface. 426 */ 427 m->m_pkthdr.rcvif = ifp; 428 if (m->m_flags & M_MCAST) { 429 /* 430 * Spam DWDS vap's w/ multicast traffic. 431 */ 432 /* XXX only if dwds in use? */ 433 ieee80211_dwds_mcast(vap, m); 434 } 435 if (ni->ni_vlan != 0) { 436 /* attach vlan tag */ 437 m->m_pkthdr.ether_vtag = ni->ni_vlan; 438 m->m_flags |= M_VLANTAG; 439 } 440 NET_EPOCH_ENTER(et); 441 ifp->if_input(ifp, m); 442 NET_EPOCH_EXIT(et); 443 } 444 } 445 446 /* 447 * Decide if a received management frame should be 448 * printed when debugging is enabled. This filters some 449 * of the less interesting frames that come frequently 450 * (e.g. beacons). 451 */ 452 static __inline int 453 doprint(struct ieee80211vap *vap, int subtype) 454 { 455 switch (subtype) { 456 case IEEE80211_FC0_SUBTYPE_BEACON: 457 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 458 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 459 return 0; 460 } 461 return 1; 462 } 463 464 /* 465 * Process a received frame. The node associated with the sender 466 * should be supplied. If nothing was found in the node table then 467 * the caller is assumed to supply a reference to iv_bss instead. 468 * The RSSI and a timestamp are also supplied. The RSSI data is used 469 * during AP scanning to select a AP to associate with; it can have 470 * any units so long as values have consistent units and higher values 471 * mean ``better signal''. The receive timestamp is currently not used 472 * by the 802.11 layer. 473 */ 474 static int 475 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 476 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 477 { 478 struct ieee80211vap *vap = ni->ni_vap; 479 struct ieee80211com *ic = ni->ni_ic; 480 struct ifnet *ifp = vap->iv_ifp; 481 struct ieee80211_frame *wh; 482 struct ieee80211_key *key; 483 struct ether_header *eh; 484 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 485 uint8_t dir, type, subtype, qos; 486 uint8_t *bssid; 487 int is_hw_decrypted = 0; 488 int has_decrypted = 0; 489 490 /* 491 * Some devices do hardware decryption all the way through 492 * to pretending the frame wasn't encrypted in the first place. 493 * So, tag it appropriately so it isn't discarded inappropriately. 494 */ 495 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 496 is_hw_decrypted = 1; 497 498 if (m->m_flags & M_AMPDU_MPDU) { 499 /* 500 * Fastpath for A-MPDU reorder q resubmission. Frames 501 * w/ M_AMPDU_MPDU marked have already passed through 502 * here but were received out of order and been held on 503 * the reorder queue. When resubmitted they are marked 504 * with the M_AMPDU_MPDU flag and we can bypass most of 505 * the normal processing. 506 */ 507 wh = mtod(m, struct ieee80211_frame *); 508 type = IEEE80211_FC0_TYPE_DATA; 509 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 510 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 511 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 512 goto resubmit_ampdu; 513 } 514 515 KASSERT(ni != NULL, ("null node")); 516 ni->ni_inact = ni->ni_inact_reload; 517 518 type = -1; /* undefined */ 519 520 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 521 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 522 ni->ni_macaddr, NULL, 523 "too short (1): len %u", m->m_pkthdr.len); 524 vap->iv_stats.is_rx_tooshort++; 525 goto out; 526 } 527 /* 528 * Bit of a cheat here, we use a pointer for a 3-address 529 * frame format but don't reference fields past outside 530 * ieee80211_frame_min w/o first validating the data is 531 * present. 532 */ 533 wh = mtod(m, struct ieee80211_frame *); 534 535 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 536 IEEE80211_FC0_VERSION_0) { 537 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 538 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 539 wh->i_fc[0], wh->i_fc[1]); 540 vap->iv_stats.is_rx_badversion++; 541 goto err; 542 } 543 544 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 545 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 546 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 547 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 548 if (dir != IEEE80211_FC1_DIR_NODS) 549 bssid = wh->i_addr1; 550 else if (type == IEEE80211_FC0_TYPE_CTL) 551 bssid = wh->i_addr1; 552 else { 553 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 554 IEEE80211_DISCARD_MAC(vap, 555 IEEE80211_MSG_ANY, ni->ni_macaddr, 556 NULL, "too short (2): len %u", 557 m->m_pkthdr.len); 558 vap->iv_stats.is_rx_tooshort++; 559 goto out; 560 } 561 bssid = wh->i_addr3; 562 } 563 /* 564 * Validate the bssid. 565 */ 566 if (!(type == IEEE80211_FC0_TYPE_MGT && 567 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 568 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 569 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 570 /* not interested in */ 571 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 572 bssid, NULL, "%s", "not to bss"); 573 vap->iv_stats.is_rx_wrongbss++; 574 goto out; 575 } 576 577 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 578 ni->ni_noise = nf; 579 if (IEEE80211_HAS_SEQ(type, subtype)) { 580 uint8_t tid = ieee80211_gettid(wh); 581 if (IEEE80211_QOS_HAS_SEQ(wh) && 582 TID_TO_WME_AC(tid) >= WME_AC_VI) 583 ic->ic_wme.wme_hipri_traffic++; 584 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 585 goto out; 586 } 587 } 588 589 switch (type) { 590 case IEEE80211_FC0_TYPE_DATA: 591 hdrspace = ieee80211_hdrspace(ic, wh); 592 if (m->m_len < hdrspace && 593 (m = m_pullup(m, hdrspace)) == NULL) { 594 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 595 ni->ni_macaddr, NULL, 596 "data too short: expecting %u", hdrspace); 597 vap->iv_stats.is_rx_tooshort++; 598 goto out; /* XXX */ 599 } 600 if (!(dir == IEEE80211_FC1_DIR_TODS || 601 (dir == IEEE80211_FC1_DIR_DSTODS && 602 (vap->iv_flags & IEEE80211_F_DWDS)))) { 603 if (dir != IEEE80211_FC1_DIR_DSTODS) { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT, wh, "data", 606 "incorrect dir 0x%x", dir); 607 } else { 608 IEEE80211_DISCARD(vap, 609 IEEE80211_MSG_INPUT | 610 IEEE80211_MSG_WDS, wh, 611 "4-address data", 612 "%s", "DWDS not enabled"); 613 } 614 vap->iv_stats.is_rx_wrongdir++; 615 goto out; 616 } 617 /* check if source STA is associated */ 618 if (ni == vap->iv_bss) { 619 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 620 wh, "data", "%s", "unknown src"); 621 ieee80211_send_error(ni, wh->i_addr2, 622 IEEE80211_FC0_SUBTYPE_DEAUTH, 623 IEEE80211_REASON_NOT_AUTHED); 624 vap->iv_stats.is_rx_notassoc++; 625 goto err; 626 } 627 if (ni->ni_associd == 0) { 628 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 629 wh, "data", "%s", "unassoc src"); 630 IEEE80211_SEND_MGMT(ni, 631 IEEE80211_FC0_SUBTYPE_DISASSOC, 632 IEEE80211_REASON_NOT_ASSOCED); 633 vap->iv_stats.is_rx_notassoc++; 634 goto err; 635 } 636 637 /* 638 * Check for power save state change. 639 * XXX out-of-order A-MPDU frames? 640 */ 641 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 642 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 643 vap->iv_node_ps(ni, 644 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 645 /* 646 * For 4-address packets handle WDS discovery 647 * notifications. Once a WDS link is setup frames 648 * are just delivered to the WDS vap (see below). 649 */ 650 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 651 if (!ieee80211_node_is_authorized(ni)) { 652 IEEE80211_DISCARD(vap, 653 IEEE80211_MSG_INPUT | 654 IEEE80211_MSG_WDS, wh, 655 "4-address data", 656 "%s", "unauthorized port"); 657 vap->iv_stats.is_rx_unauth++; 658 IEEE80211_NODE_STAT(ni, rx_unauth); 659 goto err; 660 } 661 ieee80211_dwds_discover(ni, m); 662 return type; 663 } 664 665 /* 666 * Handle A-MPDU re-ordering. If the frame is to be 667 * processed directly then ieee80211_ampdu_reorder 668 * will return 0; otherwise it has consumed the mbuf 669 * and we should do nothing more with it. 670 */ 671 if ((m->m_flags & M_AMPDU) && 672 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 673 m = NULL; 674 goto out; 675 } 676 resubmit_ampdu: 677 678 /* 679 * Handle privacy requirements. Note that we 680 * must not be preempted from here until after 681 * we (potentially) call ieee80211_crypto_demic; 682 * otherwise we may violate assumptions in the 683 * crypto cipher modules used to do delayed update 684 * of replay sequence numbers. 685 */ 686 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 687 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 688 /* 689 * Discard encrypted frames when privacy is off. 690 */ 691 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 692 wh, "WEP", "%s", "PRIVACY off"); 693 vap->iv_stats.is_rx_noprivacy++; 694 IEEE80211_NODE_STAT(ni, rx_noprivacy); 695 goto out; 696 } 697 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 698 /* NB: stats+msgs handled in crypto_decap */ 699 IEEE80211_NODE_STAT(ni, rx_wepfail); 700 goto out; 701 } 702 wh = mtod(m, struct ieee80211_frame *); 703 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 704 has_decrypted = 1; 705 } else { 706 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 707 key = NULL; 708 } 709 710 /* 711 * Save QoS bits for use below--before we strip the header. 712 */ 713 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 714 qos = ieee80211_getqos(wh)[0]; 715 else 716 qos = 0; 717 718 /* 719 * Next up, any fragmentation. 720 */ 721 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 722 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 723 if (m == NULL) { 724 /* Fragment dropped or frame not complete yet */ 725 goto out; 726 } 727 } 728 wh = NULL; /* no longer valid, catch any uses */ 729 730 /* 731 * Next strip any MSDU crypto bits. 732 */ 733 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 734 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 735 ni->ni_macaddr, "data", "%s", "demic error"); 736 vap->iv_stats.is_rx_demicfail++; 737 IEEE80211_NODE_STAT(ni, rx_demicfail); 738 goto out; 739 } 740 /* copy to listener after decrypt */ 741 if (ieee80211_radiotap_active_vap(vap)) 742 ieee80211_radiotap_rx(vap, m); 743 need_tap = 0; 744 /* 745 * Finally, strip the 802.11 header. 746 */ 747 m = ieee80211_decap(vap, m, hdrspace, qos); 748 if (m == NULL) { 749 /* XXX mask bit to check for both */ 750 /* don't count Null data frames as errors */ 751 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 752 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 753 goto out; 754 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 755 ni->ni_macaddr, "data", "%s", "decap error"); 756 vap->iv_stats.is_rx_decap++; 757 IEEE80211_NODE_STAT(ni, rx_decap); 758 goto err; 759 } 760 if (!(qos & IEEE80211_QOS_AMSDU)) 761 eh = mtod(m, struct ether_header *); 762 else 763 eh = NULL; 764 if (!ieee80211_node_is_authorized(ni)) { 765 /* 766 * Deny any non-PAE frames received prior to 767 * authorization. For open/shared-key 768 * authentication the port is mark authorized 769 * after authentication completes. For 802.1x 770 * the port is not marked authorized by the 771 * authenticator until the handshake has completed. 772 */ 773 if (eh == NULL || 774 eh->ether_type != htons(ETHERTYPE_PAE)) { 775 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 776 ni->ni_macaddr, "data", "unauthorized or " 777 "unknown port: ether type 0x%x len %u", 778 eh == NULL ? -1 : eh->ether_type, 779 m->m_pkthdr.len); 780 vap->iv_stats.is_rx_unauth++; 781 IEEE80211_NODE_STAT(ni, rx_unauth); 782 goto err; 783 } 784 } else { 785 /* 786 * When denying unencrypted frames, discard 787 * any non-PAE frames received without encryption. 788 */ 789 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 790 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 791 (is_hw_decrypted == 0) && 792 (eh == NULL || 793 eh->ether_type != htons(ETHERTYPE_PAE))) { 794 /* 795 * Drop unencrypted frames. 796 */ 797 vap->iv_stats.is_rx_unencrypted++; 798 IEEE80211_NODE_STAT(ni, rx_unencrypted); 799 goto out; 800 } 801 } 802 /* XXX require HT? */ 803 if (qos & IEEE80211_QOS_AMSDU) { 804 m = ieee80211_decap_amsdu(ni, m); 805 if (m == NULL) 806 return IEEE80211_FC0_TYPE_DATA; 807 } else { 808 #ifdef IEEE80211_SUPPORT_SUPERG 809 m = ieee80211_decap_fastframe(vap, ni, m); 810 if (m == NULL) 811 return IEEE80211_FC0_TYPE_DATA; 812 #endif 813 } 814 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 815 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 816 else 817 hostap_deliver_data(vap, ni, m); 818 return IEEE80211_FC0_TYPE_DATA; 819 820 case IEEE80211_FC0_TYPE_MGT: 821 vap->iv_stats.is_rx_mgmt++; 822 IEEE80211_NODE_STAT(ni, rx_mgmt); 823 if (dir != IEEE80211_FC1_DIR_NODS) { 824 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 825 wh, "mgt", "incorrect dir 0x%x", dir); 826 vap->iv_stats.is_rx_wrongdir++; 827 goto err; 828 } 829 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 830 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 831 ni->ni_macaddr, "mgt", "too short: len %u", 832 m->m_pkthdr.len); 833 vap->iv_stats.is_rx_tooshort++; 834 goto out; 835 } 836 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 837 /* ensure return frames are unicast */ 838 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 839 wh, NULL, "source is multicast: %s", 840 ether_sprintf(wh->i_addr2)); 841 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 842 goto out; 843 } 844 #ifdef IEEE80211_DEBUG 845 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 846 ieee80211_msg_dumppkts(vap)) { 847 if_printf(ifp, "received %s from %s rssi %d\n", 848 ieee80211_mgt_subtype_name(subtype), 849 ether_sprintf(wh->i_addr2), rssi); 850 } 851 #endif 852 if (IEEE80211_IS_PROTECTED(wh)) { 853 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 854 /* 855 * Only shared key auth frames with a challenge 856 * should be encrypted, discard all others. 857 */ 858 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 859 wh, NULL, 860 "%s", "WEP set but not permitted"); 861 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 862 goto out; 863 } 864 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 865 /* 866 * Discard encrypted frames when privacy is off. 867 */ 868 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 869 wh, NULL, "%s", "WEP set but PRIVACY off"); 870 vap->iv_stats.is_rx_noprivacy++; 871 goto out; 872 } 873 hdrspace = ieee80211_hdrspace(ic, wh); 874 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 875 /* NB: stats+msgs handled in crypto_decap */ 876 goto out; 877 } 878 wh = mtod(m, struct ieee80211_frame *); 879 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 880 has_decrypted = 1; 881 } 882 /* 883 * Pass the packet to radiotap before calling iv_recv_mgmt(). 884 * Otherwise iv_recv_mgmt() might pass another packet to 885 * radiotap, resulting in out of order packet captures. 886 */ 887 if (ieee80211_radiotap_active_vap(vap)) 888 ieee80211_radiotap_rx(vap, m); 889 need_tap = 0; 890 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 891 goto out; 892 893 case IEEE80211_FC0_TYPE_CTL: 894 vap->iv_stats.is_rx_ctl++; 895 IEEE80211_NODE_STAT(ni, rx_ctrl); 896 vap->iv_recv_ctl(ni, m, subtype); 897 goto out; 898 default: 899 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 900 wh, "bad", "frame type 0x%x", type); 901 /* should not come here */ 902 break; 903 } 904 err: 905 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 906 out: 907 if (m != NULL) { 908 if (need_tap && ieee80211_radiotap_active_vap(vap)) 909 ieee80211_radiotap_rx(vap, m); 910 m_freem(m); 911 } 912 return type; 913 } 914 915 static void 916 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 917 int rssi, int nf, uint16_t seq, uint16_t status) 918 { 919 struct ieee80211vap *vap = ni->ni_vap; 920 921 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 922 923 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 924 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 925 ni->ni_macaddr, "open auth", 926 "bad sta auth mode %u", ni->ni_authmode); 927 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 928 /* 929 * Clear any challenge text that may be there if 930 * a previous shared key auth failed and then an 931 * open auth is attempted. 932 */ 933 if (ni->ni_challenge != NULL) { 934 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 935 ni->ni_challenge = NULL; 936 } 937 /* XXX hack to workaround calling convention */ 938 ieee80211_send_error(ni, wh->i_addr2, 939 IEEE80211_FC0_SUBTYPE_AUTH, 940 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 941 return; 942 } 943 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 944 vap->iv_stats.is_rx_bad_auth++; 945 return; 946 } 947 /* always accept open authentication requests */ 948 if (ni == vap->iv_bss) { 949 ni = ieee80211_dup_bss(vap, wh->i_addr2); 950 if (ni == NULL) 951 return; 952 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 953 (void) ieee80211_ref_node(ni); 954 /* 955 * Mark the node as referenced to reflect that it's 956 * reference count has been bumped to insure it remains 957 * after the transaction completes. 958 */ 959 ni->ni_flags |= IEEE80211_NODE_AREF; 960 /* 961 * Mark the node as requiring a valid association id 962 * before outbound traffic is permitted. 963 */ 964 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 965 966 if (vap->iv_acl != NULL && 967 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 968 /* 969 * When the ACL policy is set to RADIUS we defer the 970 * authorization to a user agent. Dispatch an event, 971 * a subsequent MLME call will decide the fate of the 972 * station. If the user agent is not present then the 973 * node will be reclaimed due to inactivity. 974 */ 975 IEEE80211_NOTE_MAC(vap, 976 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 977 "%s", "station authentication deferred (radius acl)"); 978 ieee80211_notify_node_auth(ni); 979 } else { 980 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 981 IEEE80211_NOTE_MAC(vap, 982 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 983 "%s", "station authenticated (open)"); 984 /* 985 * When 802.1x is not in use mark the port 986 * authorized at this point so traffic can flow. 987 */ 988 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 989 ieee80211_node_authorize(ni); 990 } 991 } 992 993 static void 994 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 995 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 996 uint16_t seq, uint16_t status) 997 { 998 struct ieee80211vap *vap = ni->ni_vap; 999 uint8_t *challenge; 1000 int estatus; 1001 1002 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1003 1004 /* 1005 * NB: this can happen as we allow pre-shared key 1006 * authentication to be enabled w/o wep being turned 1007 * on so that configuration of these can be done 1008 * in any order. It may be better to enforce the 1009 * ordering in which case this check would just be 1010 * for sanity/consistency. 1011 */ 1012 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1013 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1014 ni->ni_macaddr, "shared key auth", 1015 "%s", " PRIVACY is disabled"); 1016 estatus = IEEE80211_STATUS_ALG; 1017 goto bad; 1018 } 1019 /* 1020 * Pre-shared key authentication is evil; accept 1021 * it only if explicitly configured (it is supported 1022 * mainly for compatibility with clients like Mac OS X). 1023 */ 1024 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1025 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1026 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1027 ni->ni_macaddr, "shared key auth", 1028 "bad sta auth mode %u", ni->ni_authmode); 1029 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1030 estatus = IEEE80211_STATUS_ALG; 1031 goto bad; 1032 } 1033 1034 challenge = NULL; 1035 if (frm + 1 < efrm) { 1036 if ((frm[1] + 2) > (efrm - frm)) { 1037 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1038 ni->ni_macaddr, "shared key auth", 1039 "ie %d/%d too long", 1040 frm[0], (frm[1] + 2) - (efrm - frm)); 1041 vap->iv_stats.is_rx_bad_auth++; 1042 estatus = IEEE80211_STATUS_CHALLENGE; 1043 goto bad; 1044 } 1045 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1046 challenge = frm; 1047 frm += frm[1] + 2; 1048 } 1049 switch (seq) { 1050 case IEEE80211_AUTH_SHARED_CHALLENGE: 1051 case IEEE80211_AUTH_SHARED_RESPONSE: 1052 if (challenge == NULL) { 1053 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1054 ni->ni_macaddr, "shared key auth", 1055 "%s", "no challenge"); 1056 vap->iv_stats.is_rx_bad_auth++; 1057 estatus = IEEE80211_STATUS_CHALLENGE; 1058 goto bad; 1059 } 1060 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1061 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1062 ni->ni_macaddr, "shared key auth", 1063 "bad challenge len %d", challenge[1]); 1064 vap->iv_stats.is_rx_bad_auth++; 1065 estatus = IEEE80211_STATUS_CHALLENGE; 1066 goto bad; 1067 } 1068 default: 1069 break; 1070 } 1071 switch (seq) { 1072 case IEEE80211_AUTH_SHARED_REQUEST: 1073 { 1074 #ifdef IEEE80211_DEBUG 1075 bool allocbs; 1076 #endif 1077 1078 if (ni == vap->iv_bss) { 1079 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1080 if (ni == NULL) { 1081 /* NB: no way to return an error */ 1082 return; 1083 } 1084 #ifdef IEEE80211_DEBUG 1085 allocbs = 1; 1086 #endif 1087 } else { 1088 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1089 (void) ieee80211_ref_node(ni); 1090 #ifdef IEEE80211_DEBUG 1091 allocbs = 0; 1092 #endif 1093 } 1094 /* 1095 * Mark the node as referenced to reflect that it's 1096 * reference count has been bumped to insure it remains 1097 * after the transaction completes. 1098 */ 1099 ni->ni_flags |= IEEE80211_NODE_AREF; 1100 /* 1101 * Mark the node as requiring a valid association id 1102 * before outbound traffic is permitted. 1103 */ 1104 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1105 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1106 ni->ni_noise = nf; 1107 if (!ieee80211_alloc_challenge(ni)) { 1108 /* NB: don't return error so they rexmit */ 1109 return; 1110 } 1111 net80211_get_random_bytes(ni->ni_challenge, 1112 IEEE80211_CHALLENGE_LEN); 1113 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1114 ni, "shared key %sauth request", allocbs ? "" : "re"); 1115 /* 1116 * When the ACL policy is set to RADIUS we defer the 1117 * authorization to a user agent. Dispatch an event, 1118 * a subsequent MLME call will decide the fate of the 1119 * station. If the user agent is not present then the 1120 * node will be reclaimed due to inactivity. 1121 */ 1122 if (vap->iv_acl != NULL && 1123 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1124 IEEE80211_NOTE_MAC(vap, 1125 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1126 ni->ni_macaddr, 1127 "%s", "station authentication deferred (radius acl)"); 1128 ieee80211_notify_node_auth(ni); 1129 return; 1130 } 1131 break; 1132 } 1133 case IEEE80211_AUTH_SHARED_RESPONSE: 1134 if (ni == vap->iv_bss) { 1135 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1136 ni->ni_macaddr, "shared key response", 1137 "%s", "unknown station"); 1138 /* NB: don't send a response */ 1139 return; 1140 } 1141 if (ni->ni_challenge == NULL) { 1142 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1143 ni->ni_macaddr, "shared key response", 1144 "%s", "no challenge recorded"); 1145 vap->iv_stats.is_rx_bad_auth++; 1146 estatus = IEEE80211_STATUS_CHALLENGE; 1147 goto bad; 1148 } 1149 if (memcmp(ni->ni_challenge, &challenge[2], 1150 challenge[1]) != 0) { 1151 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1152 ni->ni_macaddr, "shared key response", 1153 "%s", "challenge mismatch"); 1154 vap->iv_stats.is_rx_auth_fail++; 1155 estatus = IEEE80211_STATUS_CHALLENGE; 1156 goto bad; 1157 } 1158 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1159 ni, "%s", "station authenticated (shared key)"); 1160 ieee80211_node_authorize(ni); 1161 break; 1162 default: 1163 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1164 ni->ni_macaddr, "shared key auth", 1165 "bad seq %d", seq); 1166 vap->iv_stats.is_rx_bad_auth++; 1167 estatus = IEEE80211_STATUS_SEQUENCE; 1168 goto bad; 1169 } 1170 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1171 return; 1172 bad: 1173 /* 1174 * Send an error response; but only when operating as an AP. 1175 */ 1176 /* XXX hack to workaround calling convention */ 1177 ieee80211_send_error(ni, wh->i_addr2, 1178 IEEE80211_FC0_SUBTYPE_AUTH, 1179 (seq + 1) | (estatus<<16)); 1180 } 1181 1182 /* 1183 * Convert a WPA cipher selector OUI to an internal 1184 * cipher algorithm. Where appropriate we also 1185 * record any key length. 1186 */ 1187 static int 1188 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1189 { 1190 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1191 uint32_t w = le32dec(sel); 1192 1193 switch (w) { 1194 case WPA_SEL(WPA_CSE_NULL): 1195 *cipher = IEEE80211_CIPHER_NONE; 1196 break; 1197 case WPA_SEL(WPA_CSE_WEP40): 1198 if (keylen) 1199 *keylen = 40 / NBBY; 1200 *cipher = IEEE80211_CIPHER_WEP; 1201 break; 1202 case WPA_SEL(WPA_CSE_WEP104): 1203 if (keylen) 1204 *keylen = 104 / NBBY; 1205 *cipher = IEEE80211_CIPHER_WEP; 1206 break; 1207 case WPA_SEL(WPA_CSE_TKIP): 1208 *cipher = IEEE80211_CIPHER_TKIP; 1209 break; 1210 case WPA_SEL(WPA_CSE_CCMP): 1211 *cipher = IEEE80211_CIPHER_AES_CCM; 1212 break; 1213 default: 1214 return (EINVAL); 1215 } 1216 1217 return (0); 1218 #undef WPA_SEL 1219 } 1220 1221 /* 1222 * Convert a WPA key management/authentication algorithm 1223 * to an internal code. 1224 */ 1225 static int 1226 wpa_keymgmt(const uint8_t *sel) 1227 { 1228 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1229 uint32_t w = le32dec(sel); 1230 1231 switch (w) { 1232 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1233 return WPA_ASE_8021X_UNSPEC; 1234 case WPA_SEL(WPA_ASE_8021X_PSK): 1235 return WPA_ASE_8021X_PSK; 1236 case WPA_SEL(WPA_ASE_NONE): 1237 return WPA_ASE_NONE; 1238 } 1239 return 0; /* NB: so is discarded */ 1240 #undef WPA_SEL 1241 } 1242 1243 /* 1244 * Parse a WPA information element to collect parameters. 1245 * Note that we do not validate security parameters; that 1246 * is handled by the authenticator; the parsing done here 1247 * is just for internal use in making operational decisions. 1248 */ 1249 static int 1250 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1251 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1252 { 1253 uint8_t len = frm[1]; 1254 uint32_t w; 1255 int error, n; 1256 1257 /* 1258 * Check the length once for fixed parts: OUI, type, 1259 * version, mcast cipher, and 2 selector counts. 1260 * Other, variable-length data, must be checked separately. 1261 */ 1262 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1263 IEEE80211_DISCARD_IE(vap, 1264 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1265 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1266 return IEEE80211_REASON_IE_INVALID; 1267 } 1268 if (len < 14) { 1269 IEEE80211_DISCARD_IE(vap, 1270 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1271 wh, "WPA", "too short, len %u", len); 1272 return IEEE80211_REASON_IE_INVALID; 1273 } 1274 frm += 6, len -= 4; /* NB: len is payload only */ 1275 /* NB: iswpaoui already validated the OUI and type */ 1276 w = le16dec(frm); 1277 if (w != WPA_VERSION) { 1278 IEEE80211_DISCARD_IE(vap, 1279 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1280 wh, "WPA", "bad version %u", w); 1281 return IEEE80211_REASON_IE_INVALID; 1282 } 1283 frm += 2, len -= 2; 1284 1285 memset(rsn, 0, sizeof(*rsn)); 1286 1287 /* multicast/group cipher */ 1288 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1289 if (error != 0) { 1290 IEEE80211_DISCARD_IE(vap, 1291 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1292 wh, "WPA", "unknown mcast cipher suite %08X", 1293 le32dec(frm)); 1294 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1295 } 1296 frm += 4, len -= 4; 1297 1298 /* unicast ciphers */ 1299 n = le16dec(frm); 1300 frm += 2, len -= 2; 1301 if (len < n*4+2) { 1302 IEEE80211_DISCARD_IE(vap, 1303 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1304 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1305 len, n); 1306 return IEEE80211_REASON_IE_INVALID; 1307 } 1308 w = 0; 1309 for (; n > 0; n--) { 1310 uint8_t cipher; 1311 1312 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1313 if (error == 0) 1314 w |= 1 << cipher; 1315 1316 frm += 4, len -= 4; 1317 } 1318 if (w == 0) { 1319 IEEE80211_DISCARD_IE(vap, 1320 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1321 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1322 w); 1323 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1324 } 1325 /* XXX other? */ 1326 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1327 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1328 else 1329 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1330 1331 /* key management algorithms */ 1332 n = le16dec(frm); 1333 frm += 2, len -= 2; 1334 if (len < n*4) { 1335 IEEE80211_DISCARD_IE(vap, 1336 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1337 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1338 len, n); 1339 return IEEE80211_REASON_IE_INVALID; 1340 } 1341 w = 0; 1342 for (; n > 0; n--) { 1343 w |= wpa_keymgmt(frm); 1344 frm += 4, len -= 4; 1345 } 1346 if (w & WPA_ASE_8021X_UNSPEC) 1347 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1348 else 1349 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1350 1351 if (len > 2) /* optional capabilities */ 1352 rsn->rsn_caps = le16dec(frm); 1353 1354 return 0; 1355 } 1356 1357 /* 1358 * Convert an RSN cipher selector OUI to an internal 1359 * cipher algorithm. Where appropriate we also 1360 * record any key length. 1361 */ 1362 static int 1363 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1364 { 1365 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1366 uint32_t w = le32dec(sel); 1367 1368 switch (w) { 1369 case RSN_SEL(RSN_CSE_NULL): 1370 *cipher = IEEE80211_CIPHER_NONE; 1371 break; 1372 case RSN_SEL(RSN_CSE_WEP40): 1373 if (keylen) 1374 *keylen = 40 / NBBY; 1375 *cipher = IEEE80211_CIPHER_WEP; 1376 break; 1377 case RSN_SEL(RSN_CSE_WEP104): 1378 if (keylen) 1379 *keylen = 104 / NBBY; 1380 *cipher = IEEE80211_CIPHER_WEP; 1381 break; 1382 case RSN_SEL(RSN_CSE_TKIP): 1383 *cipher = IEEE80211_CIPHER_TKIP; 1384 break; 1385 case RSN_SEL(RSN_CSE_CCMP): 1386 *cipher = IEEE80211_CIPHER_AES_CCM; 1387 break; 1388 case RSN_SEL(RSN_CSE_WRAP): 1389 *cipher = IEEE80211_CIPHER_AES_OCB; 1390 break; 1391 default: 1392 return (EINVAL); 1393 } 1394 1395 return (0); 1396 #undef WPA_SEL 1397 } 1398 1399 /* 1400 * Convert an RSN key management/authentication algorithm 1401 * to an internal code. 1402 */ 1403 static int 1404 rsn_keymgmt(const uint8_t *sel) 1405 { 1406 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1407 uint32_t w = le32dec(sel); 1408 1409 switch (w) { 1410 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1411 return RSN_ASE_8021X_UNSPEC; 1412 case RSN_SEL(RSN_ASE_8021X_PSK): 1413 return RSN_ASE_8021X_PSK; 1414 case RSN_SEL(RSN_ASE_NONE): 1415 return RSN_ASE_NONE; 1416 } 1417 return 0; /* NB: so is discarded */ 1418 #undef RSN_SEL 1419 } 1420 1421 /* 1422 * Parse a WPA/RSN information element to collect parameters 1423 * and validate the parameters against what has been 1424 * configured for the system. 1425 */ 1426 static int 1427 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1428 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1429 { 1430 uint8_t len = frm[1]; 1431 uint32_t w; 1432 int error, n; 1433 1434 /* 1435 * Check the length once for fixed parts: 1436 * version, mcast cipher, and 2 selector counts. 1437 * Other, variable-length data, must be checked separately. 1438 */ 1439 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1440 IEEE80211_DISCARD_IE(vap, 1441 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1442 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1443 return IEEE80211_REASON_IE_INVALID; 1444 } 1445 /* XXX may be shorter */ 1446 if (len < 10) { 1447 IEEE80211_DISCARD_IE(vap, 1448 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1449 wh, "RSN", "too short, len %u", len); 1450 return IEEE80211_REASON_IE_INVALID; 1451 } 1452 frm += 2; 1453 w = le16dec(frm); 1454 if (w != RSN_VERSION) { 1455 IEEE80211_DISCARD_IE(vap, 1456 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1457 wh, "RSN", "bad version %u", w); 1458 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1459 } 1460 frm += 2, len -= 2; 1461 1462 memset(rsn, 0, sizeof(*rsn)); 1463 1464 /* multicast/group cipher */ 1465 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1466 if (error != 0) { 1467 IEEE80211_DISCARD_IE(vap, 1468 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1469 wh, "RSN", "unknown mcast cipher suite %08X", 1470 le32dec(frm)); 1471 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1472 } 1473 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1474 IEEE80211_DISCARD_IE(vap, 1475 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1476 wh, "RSN", "invalid mcast cipher suite %d", 1477 rsn->rsn_mcastcipher); 1478 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1479 } 1480 frm += 4, len -= 4; 1481 1482 /* unicast ciphers */ 1483 n = le16dec(frm); 1484 frm += 2, len -= 2; 1485 if (len < n*4+2) { 1486 IEEE80211_DISCARD_IE(vap, 1487 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1488 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1489 len, n); 1490 return IEEE80211_REASON_IE_INVALID; 1491 } 1492 w = 0; 1493 1494 for (; n > 0; n--) { 1495 uint8_t cipher; 1496 1497 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1498 if (error == 0) 1499 w |= 1 << cipher; 1500 1501 frm += 4, len -= 4; 1502 } 1503 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1504 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1505 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1506 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1507 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1508 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1509 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1510 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1511 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1512 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1513 else { 1514 IEEE80211_DISCARD_IE(vap, 1515 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1516 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1517 w); 1518 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1519 } 1520 1521 /* key management algorithms */ 1522 n = le16dec(frm); 1523 frm += 2, len -= 2; 1524 if (len < n*4) { 1525 IEEE80211_DISCARD_IE(vap, 1526 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1527 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1528 len, n); 1529 return IEEE80211_REASON_IE_INVALID; 1530 } 1531 w = 0; 1532 for (; n > 0; n--) { 1533 w |= rsn_keymgmt(frm); 1534 frm += 4, len -= 4; 1535 } 1536 if (w & RSN_ASE_8021X_UNSPEC) 1537 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1538 else 1539 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1540 1541 /* optional RSN capabilities */ 1542 if (len >= 2) { 1543 rsn->rsn_caps = le16dec(frm); 1544 frm += 2, len -= 2; 1545 } 1546 1547 /* XXX PMK Count / PMKID */ 1548 1549 /* XXX Group Cipher Management Suite */ 1550 1551 return 0; 1552 } 1553 1554 /* 1555 * WPA/802.11i association request processing. 1556 */ 1557 static int 1558 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1559 const struct ieee80211_frame *wh, const uint8_t *wpa, 1560 const uint8_t *rsn, uint16_t capinfo) 1561 { 1562 struct ieee80211vap *vap = ni->ni_vap; 1563 uint8_t reason; 1564 int badwparsn; 1565 1566 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1567 if (wpa == NULL && rsn == NULL) { 1568 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1569 /* 1570 * W-Fi Protected Setup (WPS) permits 1571 * clients to associate and pass EAPOL frames 1572 * to establish initial credentials. 1573 */ 1574 ni->ni_flags |= IEEE80211_NODE_WPS; 1575 return 1; 1576 } 1577 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1578 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1579 /* 1580 * Transitional Security Network. Permits clients 1581 * to associate and use WEP while WPA is configured. 1582 */ 1583 ni->ni_flags |= IEEE80211_NODE_TSN; 1584 return 1; 1585 } 1586 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1587 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1588 vap->iv_stats.is_rx_assoc_badwpaie++; 1589 reason = IEEE80211_REASON_IE_INVALID; 1590 goto bad; 1591 } 1592 /* assert right association security credentials */ 1593 badwparsn = 0; /* NB: to silence compiler */ 1594 switch (vap->iv_flags & IEEE80211_F_WPA) { 1595 case IEEE80211_F_WPA1: 1596 badwparsn = (wpa == NULL); 1597 break; 1598 case IEEE80211_F_WPA2: 1599 badwparsn = (rsn == NULL); 1600 break; 1601 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1602 badwparsn = (wpa == NULL && rsn == NULL); 1603 break; 1604 } 1605 if (badwparsn) { 1606 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1607 wh, NULL, 1608 "%s", "missing WPA/RSN IE in association request"); 1609 vap->iv_stats.is_rx_assoc_badwpaie++; 1610 reason = IEEE80211_REASON_IE_INVALID; 1611 goto bad; 1612 } 1613 /* 1614 * Parse WPA/RSN information element. 1615 */ 1616 if (wpa != NULL) 1617 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1618 else 1619 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1620 if (reason != 0) { 1621 /* XXX wpa->rsn fallback? */ 1622 /* XXX distinguish WPA/RSN? */ 1623 vap->iv_stats.is_rx_assoc_badwpaie++; 1624 goto bad; 1625 } 1626 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1627 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1628 wpa != NULL ? "WPA" : "RSN", 1629 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1630 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1631 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1632 1633 return 1; 1634 bad: 1635 ieee80211_node_deauth(ni, reason); 1636 return 0; 1637 } 1638 1639 /* XXX find a better place for definition */ 1640 struct l2_update_frame { 1641 struct ether_header eh; 1642 uint8_t dsap; 1643 uint8_t ssap; 1644 uint8_t control; 1645 uint8_t xid[3]; 1646 } __packed; 1647 1648 /* 1649 * Deliver a TGf L2UF frame on behalf of a station. 1650 * This primes any bridge when the station is roaming 1651 * between ap's on the same wired network. 1652 */ 1653 static void 1654 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1655 { 1656 struct ieee80211vap *vap = ni->ni_vap; 1657 struct ifnet *ifp = vap->iv_ifp; 1658 struct mbuf *m; 1659 struct l2_update_frame *l2uf; 1660 struct ether_header *eh; 1661 1662 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1663 if (m == NULL) { 1664 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1665 "%s", "no mbuf for l2uf frame"); 1666 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1667 return; 1668 } 1669 l2uf = mtod(m, struct l2_update_frame *); 1670 eh = &l2uf->eh; 1671 /* dst: Broadcast address */ 1672 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1673 /* src: associated STA */ 1674 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1675 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1676 1677 l2uf->dsap = 0; 1678 l2uf->ssap = 0; 1679 l2uf->control = 0xf5; 1680 l2uf->xid[0] = 0x81; 1681 l2uf->xid[1] = 0x80; 1682 l2uf->xid[2] = 0x00; 1683 1684 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1685 hostap_deliver_data(vap, ni, m); 1686 } 1687 1688 static void 1689 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1690 int reassoc, int resp, const char *tag, int rate) 1691 { 1692 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1693 "deny %s request, %s rate set mismatch, rate/MCS %d", 1694 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1695 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1696 ieee80211_node_leave(ni); 1697 } 1698 1699 static void 1700 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1701 int reassoc, int resp, const char *tag, int capinfo) 1702 { 1703 struct ieee80211vap *vap = ni->ni_vap; 1704 1705 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1706 "deny %s request, %s mismatch 0x%x", 1707 reassoc ? "reassoc" : "assoc", tag, capinfo); 1708 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1709 ieee80211_node_leave(ni); 1710 vap->iv_stats.is_rx_assoc_capmismatch++; 1711 } 1712 1713 static void 1714 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1715 int reassoc, int resp) 1716 { 1717 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1718 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1719 /* XXX no better code */ 1720 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1721 ieee80211_node_leave(ni); 1722 } 1723 1724 static void 1725 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1726 int algo, int seq, int status) 1727 { 1728 struct ieee80211vap *vap = ni->ni_vap; 1729 1730 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1731 wh, NULL, "unsupported alg %d", algo); 1732 vap->iv_stats.is_rx_auth_unsupported++; 1733 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1734 seq | (status << 16)); 1735 } 1736 1737 static __inline int 1738 ishtmixed(const uint8_t *ie) 1739 { 1740 const struct ieee80211_ie_htinfo *ht = 1741 (const struct ieee80211_ie_htinfo *) ie; 1742 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1743 IEEE80211_HTINFO_OPMODE_MIXED; 1744 } 1745 1746 static int 1747 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1748 { 1749 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1750 int i; 1751 1752 /* NB: the 11b clients we care about will not have xrates */ 1753 if (xrates != NULL || rates == NULL) 1754 return 0; 1755 for (i = 0; i < rates[1]; i++) { 1756 int r = rates[2+i] & IEEE80211_RATE_VAL; 1757 if (r > 2*11 || ((1<<r) & brates) == 0) 1758 return 0; 1759 } 1760 return 1; 1761 } 1762 1763 static void 1764 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1765 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1766 { 1767 struct ieee80211vap *vap = ni->ni_vap; 1768 struct ieee80211com *ic = ni->ni_ic; 1769 struct ieee80211_frame *wh; 1770 uint8_t *frm, *efrm, *sfrm; 1771 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1772 uint8_t *vhtcap, *vhtinfo; 1773 int reassoc, resp; 1774 uint8_t rate; 1775 1776 wh = mtod(m0, struct ieee80211_frame *); 1777 frm = (uint8_t *)&wh[1]; 1778 efrm = mtod(m0, uint8_t *) + m0->m_len; 1779 switch (subtype) { 1780 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1781 /* 1782 * We process beacon/probe response frames when scanning; 1783 * otherwise we check beacon frames for overlapping non-ERP 1784 * BSS in 11g and/or overlapping legacy BSS when in HT. 1785 */ 1786 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1787 vap->iv_stats.is_rx_mgtdiscard++; 1788 return; 1789 } 1790 /* FALLTHROUGH */ 1791 case IEEE80211_FC0_SUBTYPE_BEACON: { 1792 struct ieee80211_scanparams scan; 1793 1794 /* NB: accept off-channel frames */ 1795 /* XXX TODO: use rxstatus to determine off-channel details */ 1796 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1797 return; 1798 /* 1799 * Count frame now that we know it's to be processed. 1800 */ 1801 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1802 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1803 IEEE80211_NODE_STAT(ni, rx_beacons); 1804 } else 1805 IEEE80211_NODE_STAT(ni, rx_proberesp); 1806 /* 1807 * If scanning, just pass information to the scan module. 1808 */ 1809 if (ic->ic_flags & IEEE80211_F_SCAN) { 1810 if (scan.status == 0 && /* NB: on channel */ 1811 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1812 /* 1813 * Actively scanning a channel marked passive; 1814 * send a probe request now that we know there 1815 * is 802.11 traffic present. 1816 * 1817 * XXX check if the beacon we recv'd gives 1818 * us what we need and suppress the probe req 1819 */ 1820 ieee80211_probe_curchan(vap, true); 1821 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1822 } 1823 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1824 subtype, rssi, nf); 1825 return; 1826 } 1827 /* 1828 * Check beacon for overlapping bss w/ non ERP stations. 1829 * If we detect one and protection is configured but not 1830 * enabled, enable it and start a timer that'll bring us 1831 * out if we stop seeing the bss. 1832 */ 1833 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1834 scan.status == 0 && /* NB: on-channel */ 1835 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1836 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1837 vap->iv_lastnonerp = ticks; 1838 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1839 /* 1840 * XXX TODO: this may need to check all VAPs? 1841 */ 1842 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1843 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1844 IEEE80211_NOTE_FRAME(vap, 1845 IEEE80211_MSG_ASSOC, wh, 1846 "non-ERP present on channel %d " 1847 "(saw erp 0x%x from channel %d), " 1848 "enable use of protection", 1849 ic->ic_curchan->ic_ieee, 1850 scan.erp, scan.chan); 1851 vap->iv_flags |= IEEE80211_F_USEPROT; 1852 ieee80211_vap_update_erp_protmode(vap); 1853 } 1854 } 1855 /* 1856 * Check beacon for non-HT station on HT channel 1857 * and update HT BSS occupancy as appropriate. 1858 */ 1859 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1860 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1861 /* 1862 * Off control channel; only check frames 1863 * that come in the extension channel when 1864 * operating w/ HT40. 1865 */ 1866 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1867 break; 1868 if (scan.chan != ic->ic_curchan->ic_extieee) 1869 break; 1870 } 1871 if (scan.htinfo == NULL) { 1872 ieee80211_htprot_update(vap, 1873 IEEE80211_HTINFO_OPMODE_PROTOPT | 1874 IEEE80211_HTINFO_NONHT_PRESENT); 1875 } else if (ishtmixed(scan.htinfo)) { 1876 /* XXX? take NONHT_PRESENT from beacon? */ 1877 ieee80211_htprot_update(vap, 1878 IEEE80211_HTINFO_OPMODE_MIXED | 1879 IEEE80211_HTINFO_NONHT_PRESENT); 1880 } 1881 } 1882 break; 1883 } 1884 1885 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1886 if (vap->iv_state != IEEE80211_S_RUN) { 1887 vap->iv_stats.is_rx_mgtdiscard++; 1888 return; 1889 } 1890 /* 1891 * Consult the ACL policy module if setup. 1892 */ 1893 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1894 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1895 wh, NULL, "%s", "disallowed by ACL"); 1896 vap->iv_stats.is_rx_acl++; 1897 return; 1898 } 1899 /* 1900 * prreq frame format 1901 * [tlv] ssid 1902 * [tlv] supported rates 1903 * [tlv] extended supported rates 1904 */ 1905 ssid = rates = xrates = NULL; 1906 while (efrm - frm > 1) { 1907 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1908 switch (*frm) { 1909 case IEEE80211_ELEMID_SSID: 1910 ssid = frm; 1911 break; 1912 case IEEE80211_ELEMID_RATES: 1913 rates = frm; 1914 break; 1915 case IEEE80211_ELEMID_XRATES: 1916 xrates = frm; 1917 break; 1918 } 1919 frm += frm[1] + 2; 1920 } 1921 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1922 if (xrates != NULL) 1923 IEEE80211_VERIFY_ELEMENT(xrates, 1924 IEEE80211_RATE_MAXSIZE - rates[1], return); 1925 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1926 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1927 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1928 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1929 wh, NULL, 1930 "%s", "no ssid with ssid suppression enabled"); 1931 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1932 return; 1933 } 1934 1935 /* XXX find a better class or define it's own */ 1936 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1937 "%s", "recv probe req"); 1938 /* 1939 * Some legacy 11b clients cannot hack a complete 1940 * probe response frame. When the request includes 1941 * only a bare-bones rate set, communicate this to 1942 * the transmit side. 1943 */ 1944 ieee80211_send_proberesp(vap, wh->i_addr2, 1945 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1946 break; 1947 1948 case IEEE80211_FC0_SUBTYPE_AUTH: { 1949 uint16_t algo, seq, status; 1950 1951 if (vap->iv_state != IEEE80211_S_RUN) { 1952 vap->iv_stats.is_rx_mgtdiscard++; 1953 return; 1954 } 1955 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1956 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1957 wh, NULL, "%s", "wrong bssid"); 1958 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1959 return; 1960 } 1961 /* 1962 * auth frame format 1963 * [2] algorithm 1964 * [2] sequence 1965 * [2] status 1966 * [tlv*] challenge 1967 */ 1968 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1969 algo = le16toh(*(uint16_t *)frm); 1970 seq = le16toh(*(uint16_t *)(frm + 2)); 1971 status = le16toh(*(uint16_t *)(frm + 4)); 1972 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1973 "recv auth frame with algorithm %d seq %d", algo, seq); 1974 /* 1975 * Consult the ACL policy module if setup. 1976 */ 1977 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1978 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1979 wh, NULL, "%s", "disallowed by ACL"); 1980 vap->iv_stats.is_rx_acl++; 1981 ieee80211_send_error(ni, wh->i_addr2, 1982 IEEE80211_FC0_SUBTYPE_AUTH, 1983 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1984 return; 1985 } 1986 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1987 IEEE80211_DISCARD(vap, 1988 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1989 wh, NULL, "%s", "TKIP countermeasures enabled"); 1990 vap->iv_stats.is_rx_auth_countermeasures++; 1991 ieee80211_send_error(ni, wh->i_addr2, 1992 IEEE80211_FC0_SUBTYPE_AUTH, 1993 IEEE80211_REASON_MIC_FAILURE); 1994 return; 1995 } 1996 if (algo == IEEE80211_AUTH_ALG_SHARED) 1997 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1998 seq, status); 1999 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2000 hostap_auth_open(ni, wh, rssi, nf, seq, status); 2001 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 2002 authalgreject(ni, wh, algo, 2003 seq+1, IEEE80211_STATUS_ALG); 2004 return; 2005 } else { 2006 /* 2007 * We assume that an unknown algorithm is the result 2008 * of a decryption failure on a shared key auth frame; 2009 * return a status code appropriate for that instead 2010 * of IEEE80211_STATUS_ALG. 2011 * 2012 * NB: a seq# of 4 is intentional; the decrypted 2013 * frame likely has a bogus seq value. 2014 */ 2015 authalgreject(ni, wh, algo, 2016 4, IEEE80211_STATUS_CHALLENGE); 2017 return; 2018 } 2019 break; 2020 } 2021 2022 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2023 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2024 uint16_t capinfo, lintval; 2025 struct ieee80211_rsnparms rsnparms; 2026 2027 if (vap->iv_state != IEEE80211_S_RUN) { 2028 vap->iv_stats.is_rx_mgtdiscard++; 2029 return; 2030 } 2031 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2032 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2033 wh, NULL, "%s", "wrong bssid"); 2034 vap->iv_stats.is_rx_assoc_bss++; 2035 return; 2036 } 2037 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2038 reassoc = 1; 2039 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2040 } else { 2041 reassoc = 0; 2042 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2043 } 2044 if (ni == vap->iv_bss) { 2045 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2046 "deny %s request, sta not authenticated", 2047 reassoc ? "reassoc" : "assoc"); 2048 ieee80211_send_error(ni, wh->i_addr2, 2049 IEEE80211_FC0_SUBTYPE_DEAUTH, 2050 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2051 vap->iv_stats.is_rx_assoc_notauth++; 2052 return; 2053 } 2054 2055 /* 2056 * asreq frame format 2057 * [2] capability information 2058 * [2] listen interval 2059 * [6*] current AP address (reassoc only) 2060 * [tlv] ssid 2061 * [tlv] supported rates 2062 * [tlv] extended supported rates 2063 * [tlv] WPA or RSN 2064 * [tlv] HT capabilities 2065 * [tlv] Atheros capabilities 2066 */ 2067 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2068 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2069 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2070 if (reassoc) 2071 frm += 6; /* ignore current AP info */ 2072 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2073 vhtcap = vhtinfo = NULL; 2074 sfrm = frm; 2075 while (efrm - frm > 1) { 2076 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2077 switch (*frm) { 2078 case IEEE80211_ELEMID_SSID: 2079 ssid = frm; 2080 break; 2081 case IEEE80211_ELEMID_RATES: 2082 rates = frm; 2083 break; 2084 case IEEE80211_ELEMID_XRATES: 2085 xrates = frm; 2086 break; 2087 case IEEE80211_ELEMID_RSN: 2088 rsn = frm; 2089 break; 2090 case IEEE80211_ELEMID_HTCAP: 2091 htcap = frm; 2092 break; 2093 case IEEE80211_ELEMID_VHT_CAP: 2094 vhtcap = frm; 2095 break; 2096 case IEEE80211_ELEMID_VHT_OPMODE: 2097 vhtinfo = frm; 2098 break; 2099 case IEEE80211_ELEMID_VENDOR: 2100 if (iswpaoui(frm)) 2101 wpa = frm; 2102 else if (iswmeinfo(frm)) 2103 wme = frm; 2104 #ifdef IEEE80211_SUPPORT_SUPERG 2105 else if (isatherosoui(frm)) 2106 ath = frm; 2107 #endif 2108 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2109 if (ishtcapoui(frm) && htcap == NULL) 2110 htcap = frm; 2111 } 2112 break; 2113 } 2114 frm += frm[1] + 2; 2115 } 2116 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2117 if (xrates != NULL) 2118 IEEE80211_VERIFY_ELEMENT(xrates, 2119 IEEE80211_RATE_MAXSIZE - rates[1], return); 2120 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2121 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2122 if (htcap != NULL) { 2123 IEEE80211_VERIFY_LENGTH(htcap[1], 2124 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2125 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2126 sizeof(struct ieee80211_ie_htcap)-2, 2127 return); /* XXX just NULL out? */ 2128 } 2129 2130 /* Validate VHT IEs */ 2131 if (vhtcap != NULL) { 2132 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2133 sizeof(struct ieee80211_vht_cap), 2134 return); 2135 } 2136 if (vhtinfo != NULL) { 2137 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2138 sizeof(struct ieee80211_vht_operation), 2139 return); 2140 } 2141 2142 if ((vap->iv_flags & IEEE80211_F_WPA) && 2143 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2144 return; 2145 /* discard challenge after association */ 2146 if (ni->ni_challenge != NULL) { 2147 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2148 ni->ni_challenge = NULL; 2149 } 2150 /* NB: 802.11 spec says to ignore station's privacy bit */ 2151 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2152 capinfomismatch(ni, wh, reassoc, resp, 2153 "capability", capinfo); 2154 return; 2155 } 2156 /* 2157 * Disallow re-associate w/ invalid slot time setting. 2158 */ 2159 if (ni->ni_associd != 0 && 2160 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2161 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2162 capinfomismatch(ni, wh, reassoc, resp, 2163 "slot time", capinfo); 2164 return; 2165 } 2166 rate = ieee80211_setup_rates(ni, rates, xrates, 2167 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2168 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2169 if (rate & IEEE80211_RATE_BASIC) { 2170 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2171 vap->iv_stats.is_rx_assoc_norate++; 2172 return; 2173 } 2174 /* 2175 * If constrained to 11g-only stations reject an 2176 * 11b-only station. We cheat a bit here by looking 2177 * at the max negotiated xmit rate and assuming anyone 2178 * with a best rate <24Mb/s is an 11b station. 2179 */ 2180 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2181 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2182 vap->iv_stats.is_rx_assoc_norate++; 2183 return; 2184 } 2185 2186 /* 2187 * Do HT rate set handling and setup HT node state. 2188 */ 2189 ni->ni_chan = vap->iv_bss->ni_chan; 2190 2191 /* VHT */ 2192 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2193 vhtcap != NULL && 2194 vhtinfo != NULL) { 2195 /* XXX TODO; see below */ 2196 printf("%s: VHT TODO!\n", __func__); 2197 ieee80211_vht_node_init(ni); 2198 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2199 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2200 ieee80211_vht_node_cleanup(ni); 2201 2202 /* HT */ 2203 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2204 rate = ieee80211_setup_htrates(ni, htcap, 2205 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2206 IEEE80211_F_DOBRS); 2207 if (rate & IEEE80211_RATE_BASIC) { 2208 ratesetmismatch(ni, wh, reassoc, resp, 2209 "HT", rate); 2210 vap->iv_stats.is_ht_assoc_norate++; 2211 return; 2212 } 2213 ieee80211_ht_node_init(ni); 2214 ieee80211_ht_updatehtcap(ni, htcap); 2215 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2216 ieee80211_ht_node_cleanup(ni); 2217 2218 /* Finally - this will use HT/VHT info to change node channel */ 2219 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2220 ieee80211_ht_updatehtcap_final(ni); 2221 } 2222 2223 #ifdef IEEE80211_SUPPORT_SUPERG 2224 /* Always do ff node cleanup; for A-MSDU */ 2225 ieee80211_ff_node_cleanup(ni); 2226 #endif 2227 /* 2228 * Allow AMPDU operation only with unencrypted traffic 2229 * or AES-CCM; the 11n spec only specifies these ciphers 2230 * so permitting any others is undefined and can lead 2231 * to interoperability problems. 2232 */ 2233 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2234 (((vap->iv_flags & IEEE80211_F_WPA) && 2235 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2236 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2237 IEEE80211_NOTE(vap, 2238 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2239 "disallow HT use because WEP or TKIP requested, " 2240 "capinfo 0x%x ucastcipher %d", capinfo, 2241 rsnparms.rsn_ucastcipher); 2242 ieee80211_ht_node_cleanup(ni); 2243 #ifdef IEEE80211_SUPPORT_SUPERG 2244 /* Always do ff node cleanup; for A-MSDU */ 2245 ieee80211_ff_node_cleanup(ni); 2246 #endif 2247 vap->iv_stats.is_ht_assoc_downgrade++; 2248 } 2249 /* 2250 * If constrained to 11n-only stations reject legacy stations. 2251 */ 2252 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2253 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2254 htcapmismatch(ni, wh, reassoc, resp); 2255 vap->iv_stats.is_ht_assoc_nohtcap++; 2256 return; 2257 } 2258 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2259 ni->ni_noise = nf; 2260 ni->ni_intval = lintval; 2261 ni->ni_capinfo = capinfo; 2262 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2263 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2264 /* 2265 * Store the IEs. 2266 * XXX maybe better to just expand 2267 */ 2268 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2269 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2270 if (wpa != NULL) 2271 setie(wpa_ie, wpa - sfrm); 2272 if (rsn != NULL) 2273 setie(rsn_ie, rsn - sfrm); 2274 if (htcap != NULL) 2275 setie(htcap_ie, htcap - sfrm); 2276 if (wme != NULL) { 2277 setie(wme_ie, wme - sfrm); 2278 /* 2279 * Mark node as capable of QoS. 2280 */ 2281 ni->ni_flags |= IEEE80211_NODE_QOS; 2282 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2283 if (ni->ni_uapsd != 0) 2284 ni->ni_flags |= 2285 IEEE80211_NODE_UAPSD; 2286 else 2287 ni->ni_flags &= 2288 ~IEEE80211_NODE_UAPSD; 2289 } 2290 } else 2291 ni->ni_flags &= 2292 ~(IEEE80211_NODE_QOS | 2293 IEEE80211_NODE_UAPSD); 2294 #ifdef IEEE80211_SUPPORT_SUPERG 2295 if (ath != NULL) { 2296 setie(ath_ie, ath - sfrm); 2297 /* 2298 * Parse ATH station parameters. 2299 */ 2300 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2301 } else 2302 #endif 2303 ni->ni_ath_flags = 0; 2304 #undef setie 2305 } else { 2306 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2307 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2308 ni->ni_ath_flags = 0; 2309 } 2310 ieee80211_node_join(ni, resp); 2311 ieee80211_deliver_l2uf(ni); 2312 break; 2313 } 2314 2315 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2316 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2317 #ifdef IEEE80211_DEBUG 2318 uint16_t reason; 2319 #endif 2320 2321 if (vap->iv_state != IEEE80211_S_RUN || 2322 /* NB: can happen when in promiscuous mode */ 2323 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2324 vap->iv_stats.is_rx_mgtdiscard++; 2325 break; 2326 } 2327 /* 2328 * deauth/disassoc frame format 2329 * [2] reason 2330 */ 2331 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2332 #ifdef IEEE80211_DEBUG 2333 reason = le16toh(*(uint16_t *)frm); 2334 #endif 2335 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2336 vap->iv_stats.is_rx_deauth++; 2337 IEEE80211_NODE_STAT(ni, rx_deauth); 2338 } else { 2339 vap->iv_stats.is_rx_disassoc++; 2340 IEEE80211_NODE_STAT(ni, rx_disassoc); 2341 } 2342 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2343 "recv %s (reason: %d (%s))", 2344 ieee80211_mgt_subtype_name(subtype), 2345 reason, ieee80211_reason_to_string(reason)); 2346 if (ni != vap->iv_bss) 2347 ieee80211_node_leave(ni); 2348 break; 2349 } 2350 2351 case IEEE80211_FC0_SUBTYPE_ACTION: 2352 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2353 if (ni == vap->iv_bss) { 2354 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2355 wh, NULL, "%s", "unknown node"); 2356 vap->iv_stats.is_rx_mgtdiscard++; 2357 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2358 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2359 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2360 wh, NULL, "%s", "not for us"); 2361 vap->iv_stats.is_rx_mgtdiscard++; 2362 } else if (vap->iv_state != IEEE80211_S_RUN) { 2363 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2364 wh, NULL, "wrong state %s", 2365 ieee80211_state_name[vap->iv_state]); 2366 vap->iv_stats.is_rx_mgtdiscard++; 2367 } else { 2368 if (ieee80211_parse_action(ni, m0) == 0) 2369 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2370 } 2371 break; 2372 2373 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2374 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2375 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2376 case IEEE80211_FC0_SUBTYPE_ATIM: 2377 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2378 wh, NULL, "%s", "not handled"); 2379 vap->iv_stats.is_rx_mgtdiscard++; 2380 break; 2381 2382 default: 2383 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2384 wh, "mgt", "subtype 0x%x not handled", subtype); 2385 vap->iv_stats.is_rx_badsubtype++; 2386 break; 2387 } 2388 } 2389 2390 static void 2391 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2392 { 2393 switch (subtype) { 2394 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2395 ni->ni_vap->iv_recv_pspoll(ni, m); 2396 break; 2397 case IEEE80211_FC0_SUBTYPE_BAR: 2398 ieee80211_recv_bar(ni, m); 2399 break; 2400 } 2401 } 2402 2403 /* 2404 * Process a received ps-poll frame. 2405 */ 2406 void 2407 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2408 { 2409 struct ieee80211vap *vap = ni->ni_vap; 2410 struct ieee80211com *ic = vap->iv_ic; 2411 struct ieee80211_frame_min *wh; 2412 struct mbuf *m; 2413 uint16_t aid; 2414 int qlen; 2415 2416 wh = mtod(m0, struct ieee80211_frame_min *); 2417 if (ni->ni_associd == 0) { 2418 IEEE80211_DISCARD(vap, 2419 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2420 (struct ieee80211_frame *) wh, NULL, 2421 "%s", "unassociated station"); 2422 vap->iv_stats.is_ps_unassoc++; 2423 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2424 IEEE80211_REASON_NOT_ASSOCED); 2425 return; 2426 } 2427 2428 aid = le16toh(*(uint16_t *)wh->i_dur); 2429 if (aid != ni->ni_associd) { 2430 IEEE80211_DISCARD(vap, 2431 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2432 (struct ieee80211_frame *) wh, NULL, 2433 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2434 ni->ni_associd, aid); 2435 vap->iv_stats.is_ps_badaid++; 2436 /* 2437 * NB: We used to deauth the station but it turns out 2438 * the Blackberry Curve 8230 (and perhaps other devices) 2439 * sometimes send the wrong AID when WME is negotiated. 2440 * Being more lenient here seems ok as we already check 2441 * the station is associated and we only return frames 2442 * queued for the station (i.e. we don't use the AID). 2443 */ 2444 return; 2445 } 2446 2447 /* Okay, take the first queued packet and put it out... */ 2448 m = ieee80211_node_psq_dequeue(ni, &qlen); 2449 if (m == NULL) { 2450 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2451 "%s", "recv ps-poll, but queue empty"); 2452 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2453 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2454 if (vap->iv_set_tim != NULL) 2455 vap->iv_set_tim(ni, 0); /* just in case */ 2456 return; 2457 } 2458 /* 2459 * If there are more packets, set the more packets bit 2460 * in the packet dispatched to the station; otherwise 2461 * turn off the TIM bit. 2462 */ 2463 if (qlen != 0) { 2464 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2465 "recv ps-poll, send packet, %u still queued", qlen); 2466 m->m_flags |= M_MORE_DATA; 2467 } else { 2468 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2469 "%s", "recv ps-poll, send packet, queue empty"); 2470 if (vap->iv_set_tim != NULL) 2471 vap->iv_set_tim(ni, 0); 2472 } 2473 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2474 2475 /* 2476 * Do the right thing; if it's an encap'ed frame then 2477 * call ieee80211_parent_xmitpkt() else 2478 * call ieee80211_vap_xmitpkt(). 2479 */ 2480 if (m->m_flags & M_ENCAP) { 2481 (void) ieee80211_parent_xmitpkt(ic, m); 2482 } else { 2483 (void) ieee80211_vap_xmitpkt(vap, m); 2484 } 2485 } 2486