1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 static void hostap_vattach(struct ieee80211vap *); 67 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 68 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 69 const struct ieee80211_rx_stats *, 70 int rssi, int nf); 71 static void hostap_deliver_data(struct ieee80211vap *, 72 struct ieee80211_node *, struct mbuf *); 73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 76 77 void 78 ieee80211_hostap_attach(struct ieee80211com *ic) 79 { 80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 81 } 82 83 void 84 ieee80211_hostap_detach(struct ieee80211com *ic) 85 { 86 } 87 88 static void 89 hostap_vdetach(struct ieee80211vap *vap) 90 { 91 } 92 93 static void 94 hostap_vattach(struct ieee80211vap *vap) 95 { 96 vap->iv_newstate = hostap_newstate; 97 vap->iv_input = hostap_input; 98 vap->iv_recv_mgmt = hostap_recv_mgmt; 99 vap->iv_recv_ctl = hostap_recv_ctl; 100 vap->iv_opdetach = hostap_vdetach; 101 vap->iv_deliver_data = hostap_deliver_data; 102 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 103 } 104 105 static void 106 sta_disassoc(void *arg, struct ieee80211_node *ni) 107 { 108 109 if (ni->ni_associd != 0) { 110 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 111 IEEE80211_REASON_ASSOC_LEAVE); 112 ieee80211_node_leave(ni); 113 } 114 } 115 116 static void 117 sta_csa(void *arg, struct ieee80211_node *ni) 118 { 119 struct ieee80211vap *vap = ni->ni_vap; 120 121 if (ni->ni_associd != 0) 122 if (ni->ni_inact > vap->iv_inact_init) { 123 ni->ni_inact = vap->iv_inact_init; 124 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 125 "%s: inact %u", __func__, ni->ni_inact); 126 } 127 } 128 129 static void 130 sta_drop(void *arg, struct ieee80211_node *ni) 131 { 132 133 if (ni->ni_associd != 0) 134 ieee80211_node_leave(ni); 135 } 136 137 /* 138 * Does a channel change require associated stations to re-associate 139 * so protocol state is correct. This is used when doing CSA across 140 * bands or similar (e.g. HT -> legacy). 141 */ 142 static int 143 isbandchange(struct ieee80211com *ic) 144 { 145 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 146 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 147 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 148 } 149 150 /* 151 * IEEE80211_M_HOSTAP vap state machine handler. 152 */ 153 static int 154 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 155 { 156 struct ieee80211com *ic = vap->iv_ic; 157 enum ieee80211_state ostate; 158 159 IEEE80211_LOCK_ASSERT(ic); 160 161 ostate = vap->iv_state; 162 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 163 __func__, ieee80211_state_name[ostate], 164 ieee80211_state_name[nstate], arg); 165 vap->iv_state = nstate; /* state transition */ 166 if (ostate != IEEE80211_S_SCAN) 167 ieee80211_cancel_scan(vap); /* background scan */ 168 switch (nstate) { 169 case IEEE80211_S_INIT: 170 switch (ostate) { 171 case IEEE80211_S_SCAN: 172 ieee80211_cancel_scan(vap); 173 break; 174 case IEEE80211_S_CAC: 175 ieee80211_dfs_cac_stop(vap); 176 break; 177 case IEEE80211_S_RUN: 178 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 179 sta_disassoc, NULL); 180 break; 181 default: 182 break; 183 } 184 if (ostate != IEEE80211_S_INIT) { 185 /* NB: optimize INIT -> INIT case */ 186 ieee80211_reset_bss(vap); 187 } 188 if (vap->iv_auth->ia_detach != NULL) 189 vap->iv_auth->ia_detach(vap); 190 break; 191 case IEEE80211_S_SCAN: 192 switch (ostate) { 193 case IEEE80211_S_CSA: 194 case IEEE80211_S_RUN: 195 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 196 sta_disassoc, NULL); 197 /* 198 * Clear overlapping BSS state; the beacon frame 199 * will be reconstructed on transition to the RUN 200 * state and the timeout routines check if the flag 201 * is set before doing anything so this is sufficient. 202 */ 203 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 204 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 205 /* XXX TODO: schedule deferred update? */ 206 /* fall thru... */ 207 case IEEE80211_S_CAC: 208 /* 209 * NB: We may get here because of a manual channel 210 * change in which case we need to stop CAC 211 * XXX no need to stop if ostate RUN but it's ok 212 */ 213 ieee80211_dfs_cac_stop(vap); 214 /* fall thru... */ 215 case IEEE80211_S_INIT: 216 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 217 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * ieee80211_create_ibss will call back to 222 * move us to RUN state. 223 */ 224 ieee80211_create_ibss(vap, vap->iv_des_chan); 225 break; 226 } 227 /* 228 * Initiate a scan. We can come here as a result 229 * of an IEEE80211_IOC_SCAN_REQ too in which case 230 * the vap will be marked with IEEE80211_FEXT_SCANREQ 231 * and the scan request parameters will be present 232 * in iv_scanreq. Otherwise we do the default. 233 */ 234 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 235 ieee80211_check_scan(vap, 236 vap->iv_scanreq_flags, 237 vap->iv_scanreq_duration, 238 vap->iv_scanreq_mindwell, 239 vap->iv_scanreq_maxdwell, 240 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 241 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 242 } else 243 ieee80211_check_scan_current(vap); 244 break; 245 case IEEE80211_S_SCAN: 246 /* 247 * A state change requires a reset; scan. 248 */ 249 ieee80211_check_scan_current(vap); 250 break; 251 default: 252 break; 253 } 254 break; 255 case IEEE80211_S_CAC: 256 /* 257 * Start CAC on a DFS channel. We come here when starting 258 * a bss on a DFS channel (see ieee80211_create_ibss). 259 */ 260 ieee80211_dfs_cac_start(vap); 261 break; 262 case IEEE80211_S_RUN: 263 if (vap->iv_flags & IEEE80211_F_WPA) { 264 /* XXX validate prerequisites */ 265 } 266 switch (ostate) { 267 case IEEE80211_S_INIT: 268 /* 269 * Already have a channel; bypass the 270 * scan and startup immediately. 271 * Note that ieee80211_create_ibss will call 272 * back to do a RUN->RUN state change. 273 */ 274 ieee80211_create_ibss(vap, 275 ieee80211_ht_adjust_channel(ic, 276 ic->ic_curchan, vap->iv_flags_ht)); 277 /* NB: iv_bss is changed on return */ 278 break; 279 case IEEE80211_S_CAC: 280 /* 281 * NB: This is the normal state change when CAC 282 * expires and no radar was detected; no need to 283 * clear the CAC timer as it's already expired. 284 */ 285 /* fall thru... */ 286 case IEEE80211_S_CSA: 287 /* 288 * Shorten inactivity timer of associated stations 289 * to weed out sta's that don't follow a CSA. 290 */ 291 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 292 sta_csa, NULL); 293 /* 294 * Update bss node channel to reflect where 295 * we landed after CSA. 296 */ 297 ieee80211_node_set_chan(vap->iv_bss, 298 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 299 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 300 /* XXX bypass debug msgs */ 301 break; 302 case IEEE80211_S_SCAN: 303 case IEEE80211_S_RUN: 304 #ifdef IEEE80211_DEBUG 305 if (ieee80211_msg_debug(vap)) { 306 struct ieee80211_node *ni = vap->iv_bss; 307 ieee80211_note(vap, 308 "synchronized with %s ssid ", 309 ether_sprintf(ni->ni_bssid)); 310 ieee80211_print_essid(ni->ni_essid, 311 ni->ni_esslen); 312 printf(" channel %d start %uMbit/s\n", 313 ieee80211_chan2ieee(ic, ic->ic_curchan), 314 ieee80211_node_get_txrate_kbit(ni) / 1000); 315 } 316 #endif 317 break; 318 default: 319 break; 320 } 321 /* 322 * Start/stop the authenticator. We delay until here 323 * to allow configuration to happen out of order. 324 */ 325 if (vap->iv_auth->ia_attach != NULL) { 326 /* XXX check failure */ 327 vap->iv_auth->ia_attach(vap); 328 } else if (vap->iv_auth->ia_detach != NULL) { 329 vap->iv_auth->ia_detach(vap); 330 } 331 ieee80211_node_authorize(vap->iv_bss); 332 break; 333 case IEEE80211_S_CSA: 334 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 335 /* 336 * On a ``band change'' silently drop associated 337 * stations as they must re-associate before they 338 * can pass traffic (as otherwise protocol state 339 * such as capabilities and the negotiated rate 340 * set may/will be wrong). 341 */ 342 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 343 sta_drop, NULL); 344 } 345 break; 346 default: 347 break; 348 } 349 return 0; 350 } 351 352 static void 353 hostap_deliver_data(struct ieee80211vap *vap, 354 struct ieee80211_node *ni, struct mbuf *m) 355 { 356 struct ether_header *eh = mtod(m, struct ether_header *); 357 struct ifnet *ifp = vap->iv_ifp; 358 359 /* clear driver/net80211 flags before passing up */ 360 m->m_flags &= ~(M_MCAST | M_BCAST); 361 m_clrprotoflags(m); 362 363 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 364 ("gack, opmode %d", vap->iv_opmode)); 365 /* 366 * Do accounting. 367 */ 368 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 369 IEEE80211_NODE_STAT(ni, rx_data); 370 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 371 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 372 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 373 IEEE80211_NODE_STAT(ni, rx_mcast); 374 } else 375 IEEE80211_NODE_STAT(ni, rx_ucast); 376 377 /* perform as a bridge within the AP */ 378 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 379 struct mbuf *mcopy = NULL; 380 381 if (m->m_flags & M_MCAST) { 382 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 383 if (mcopy == NULL) 384 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 385 else 386 mcopy->m_flags |= M_MCAST; 387 } else { 388 /* 389 * Check if the destination is associated with the 390 * same vap and authorized to receive traffic. 391 * Beware of traffic destined for the vap itself; 392 * sending it will not work; just let it be delivered 393 * normally. 394 */ 395 struct ieee80211_node *sta = ieee80211_find_vap_node( 396 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 397 if (sta != NULL) { 398 if (ieee80211_node_is_authorized(sta)) { 399 /* 400 * Beware of sending to ourself; this 401 * needs to happen via the normal 402 * input path. 403 */ 404 if (sta != vap->iv_bss) { 405 mcopy = m; 406 m = NULL; 407 } 408 } else { 409 vap->iv_stats.is_rx_unauth++; 410 IEEE80211_NODE_STAT(sta, rx_unauth); 411 } 412 ieee80211_free_node(sta); 413 } 414 } 415 if (mcopy != NULL) 416 (void) ieee80211_vap_xmitpkt(vap, mcopy); 417 } 418 if (m != NULL) { 419 struct epoch_tracker et; 420 421 /* 422 * Mark frame as coming from vap's interface. 423 */ 424 m->m_pkthdr.rcvif = ifp; 425 if (m->m_flags & M_MCAST) { 426 /* 427 * Spam DWDS vap's w/ multicast traffic. 428 */ 429 /* XXX only if dwds in use? */ 430 ieee80211_dwds_mcast(vap, m); 431 } 432 if (ni->ni_vlan != 0) { 433 /* attach vlan tag */ 434 m->m_pkthdr.ether_vtag = ni->ni_vlan; 435 m->m_flags |= M_VLANTAG; 436 } 437 NET_EPOCH_ENTER(et); 438 ifp->if_input(ifp, m); 439 NET_EPOCH_EXIT(et); 440 } 441 } 442 443 /* 444 * Decide if a received management frame should be 445 * printed when debugging is enabled. This filters some 446 * of the less interesting frames that come frequently 447 * (e.g. beacons). 448 */ 449 static __inline int 450 doprint(struct ieee80211vap *vap, int subtype) 451 { 452 switch (subtype) { 453 case IEEE80211_FC0_SUBTYPE_BEACON: 454 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 455 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 456 return 0; 457 } 458 return 1; 459 } 460 461 /* 462 * Process a received frame. The node associated with the sender 463 * should be supplied. If nothing was found in the node table then 464 * the caller is assumed to supply a reference to iv_bss instead. 465 * The RSSI and a timestamp are also supplied. The RSSI data is used 466 * during AP scanning to select a AP to associate with; it can have 467 * any units so long as values have consistent units and higher values 468 * mean ``better signal''. The receive timestamp is currently not used 469 * by the 802.11 layer. 470 */ 471 static int 472 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 473 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 474 { 475 struct ieee80211vap *vap = ni->ni_vap; 476 struct ieee80211com *ic = ni->ni_ic; 477 struct ifnet *ifp = vap->iv_ifp; 478 struct ieee80211_frame *wh; 479 struct ieee80211_key *key; 480 struct ether_header *eh; 481 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 482 uint8_t dir, type, subtype, qos; 483 uint8_t *bssid; 484 int is_hw_decrypted = 0; 485 int has_decrypted = 0; 486 487 /* 488 * Some devices do hardware decryption all the way through 489 * to pretending the frame wasn't encrypted in the first place. 490 * So, tag it appropriately so it isn't discarded inappropriately. 491 */ 492 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 493 is_hw_decrypted = 1; 494 495 if (m->m_flags & M_AMPDU_MPDU) { 496 /* 497 * Fastpath for A-MPDU reorder q resubmission. Frames 498 * w/ M_AMPDU_MPDU marked have already passed through 499 * here but were received out of order and been held on 500 * the reorder queue. When resubmitted they are marked 501 * with the M_AMPDU_MPDU flag and we can bypass most of 502 * the normal processing. 503 */ 504 wh = mtod(m, struct ieee80211_frame *); 505 type = IEEE80211_FC0_TYPE_DATA; 506 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 507 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 508 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 509 goto resubmit_ampdu; 510 } 511 512 KASSERT(ni != NULL, ("null node")); 513 ni->ni_inact = ni->ni_inact_reload; 514 515 type = -1; /* undefined */ 516 517 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 518 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 519 ni->ni_macaddr, NULL, 520 "too short (1): len %u", m->m_pkthdr.len); 521 vap->iv_stats.is_rx_tooshort++; 522 goto out; 523 } 524 /* 525 * Bit of a cheat here, we use a pointer for a 3-address 526 * frame format but don't reference fields past outside 527 * ieee80211_frame_min w/o first validating the data is 528 * present. 529 */ 530 wh = mtod(m, struct ieee80211_frame *); 531 532 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) { 533 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 534 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 535 wh->i_fc[0], wh->i_fc[1]); 536 vap->iv_stats.is_rx_badversion++; 537 goto err; 538 } 539 540 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 541 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 542 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 543 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 544 if (dir != IEEE80211_FC1_DIR_NODS) 545 bssid = wh->i_addr1; 546 else if (type == IEEE80211_FC0_TYPE_CTL) 547 bssid = wh->i_addr1; 548 else { 549 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 550 IEEE80211_DISCARD_MAC(vap, 551 IEEE80211_MSG_ANY, ni->ni_macaddr, 552 NULL, "too short (2): len %u", 553 m->m_pkthdr.len); 554 vap->iv_stats.is_rx_tooshort++; 555 goto out; 556 } 557 bssid = wh->i_addr3; 558 } 559 /* 560 * Validate the bssid. 561 */ 562 if (!(type == IEEE80211_FC0_TYPE_MGT && 563 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 564 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 565 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 566 /* not interested in */ 567 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 568 bssid, NULL, "%s", "not to bss"); 569 vap->iv_stats.is_rx_wrongbss++; 570 goto out; 571 } 572 573 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 574 ni->ni_noise = nf; 575 if (IEEE80211_HAS_SEQ(type, subtype)) { 576 uint8_t tid = ieee80211_gettid(wh); 577 if (IEEE80211_QOS_HAS_SEQ(wh) && 578 TID_TO_WME_AC(tid) >= WME_AC_VI) 579 ic->ic_wme.wme_hipri_traffic++; 580 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 581 goto out; 582 } 583 } 584 585 switch (type) { 586 case IEEE80211_FC0_TYPE_DATA: 587 hdrspace = ieee80211_hdrspace(ic, wh); 588 if (m->m_len < hdrspace && 589 (m = m_pullup(m, hdrspace)) == NULL) { 590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 591 ni->ni_macaddr, NULL, 592 "data too short: expecting %u", hdrspace); 593 vap->iv_stats.is_rx_tooshort++; 594 goto out; /* XXX */ 595 } 596 if (!(dir == IEEE80211_FC1_DIR_TODS || 597 (dir == IEEE80211_FC1_DIR_DSTODS && 598 (vap->iv_flags & IEEE80211_F_DWDS)))) { 599 if (dir != IEEE80211_FC1_DIR_DSTODS) { 600 IEEE80211_DISCARD(vap, 601 IEEE80211_MSG_INPUT, wh, "data", 602 "incorrect dir 0x%x", dir); 603 } else { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT | 606 IEEE80211_MSG_WDS, wh, 607 "4-address data", 608 "%s", "DWDS not enabled"); 609 } 610 vap->iv_stats.is_rx_wrongdir++; 611 goto out; 612 } 613 /* check if source STA is associated */ 614 if (ni == vap->iv_bss) { 615 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 616 wh, "data", "%s", "unknown src"); 617 ieee80211_send_error(ni, wh->i_addr2, 618 IEEE80211_FC0_SUBTYPE_DEAUTH, 619 IEEE80211_REASON_NOT_AUTHED); 620 vap->iv_stats.is_rx_notassoc++; 621 goto err; 622 } 623 if (ni->ni_associd == 0) { 624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 625 wh, "data", "%s", "unassoc src"); 626 IEEE80211_SEND_MGMT(ni, 627 IEEE80211_FC0_SUBTYPE_DISASSOC, 628 IEEE80211_REASON_NOT_ASSOCED); 629 vap->iv_stats.is_rx_notassoc++; 630 goto err; 631 } 632 633 /* 634 * Check for power save state change. 635 * XXX out-of-order A-MPDU frames? 636 */ 637 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 638 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 639 vap->iv_node_ps(ni, 640 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 641 /* 642 * For 4-address packets handle WDS discovery 643 * notifications. Once a WDS link is setup frames 644 * are just delivered to the WDS vap (see below). 645 */ 646 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 647 if (!ieee80211_node_is_authorized(ni)) { 648 IEEE80211_DISCARD(vap, 649 IEEE80211_MSG_INPUT | 650 IEEE80211_MSG_WDS, wh, 651 "4-address data", 652 "%s", "unauthorized port"); 653 vap->iv_stats.is_rx_unauth++; 654 IEEE80211_NODE_STAT(ni, rx_unauth); 655 goto err; 656 } 657 ieee80211_dwds_discover(ni, m); 658 return type; 659 } 660 661 /* 662 * Handle A-MPDU re-ordering. If the frame is to be 663 * processed directly then ieee80211_ampdu_reorder 664 * will return 0; otherwise it has consumed the mbuf 665 * and we should do nothing more with it. 666 */ 667 if ((m->m_flags & M_AMPDU) && 668 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 669 m = NULL; 670 goto out; 671 } 672 resubmit_ampdu: 673 674 /* 675 * Handle privacy requirements. Note that we 676 * must not be preempted from here until after 677 * we (potentially) call ieee80211_crypto_demic; 678 * otherwise we may violate assumptions in the 679 * crypto cipher modules used to do delayed update 680 * of replay sequence numbers. 681 */ 682 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 683 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 684 /* 685 * Discard encrypted frames when privacy is off. 686 */ 687 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 688 wh, "WEP", "%s", "PRIVACY off"); 689 vap->iv_stats.is_rx_noprivacy++; 690 IEEE80211_NODE_STAT(ni, rx_noprivacy); 691 goto out; 692 } 693 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 694 /* NB: stats+msgs handled in crypto_decap */ 695 IEEE80211_NODE_STAT(ni, rx_wepfail); 696 goto out; 697 } 698 wh = mtod(m, struct ieee80211_frame *); 699 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 700 has_decrypted = 1; 701 } else { 702 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 703 key = NULL; 704 } 705 706 /* 707 * Save QoS bits for use below--before we strip the header. 708 */ 709 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 710 qos = ieee80211_getqos(wh)[0]; 711 else 712 qos = 0; 713 714 /* 715 * Next up, any fragmentation. 716 */ 717 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 718 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 719 if (m == NULL) { 720 /* Fragment dropped or frame not complete yet */ 721 goto out; 722 } 723 } 724 wh = NULL; /* no longer valid, catch any uses */ 725 726 /* 727 * Next strip any MSDU crypto bits. 728 */ 729 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 731 ni->ni_macaddr, "data", "%s", "demic error"); 732 vap->iv_stats.is_rx_demicfail++; 733 IEEE80211_NODE_STAT(ni, rx_demicfail); 734 goto out; 735 } 736 /* copy to listener after decrypt */ 737 if (ieee80211_radiotap_active_vap(vap)) 738 ieee80211_radiotap_rx(vap, m); 739 need_tap = 0; 740 /* 741 * Finally, strip the 802.11 header. 742 */ 743 m = ieee80211_decap(vap, m, hdrspace, qos); 744 if (m == NULL) { 745 /* XXX mask bit to check for both */ 746 /* don't count Null data frames as errors */ 747 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 748 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 749 goto out; 750 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 751 ni->ni_macaddr, "data", "%s", "decap error"); 752 vap->iv_stats.is_rx_decap++; 753 IEEE80211_NODE_STAT(ni, rx_decap); 754 goto err; 755 } 756 if (!(qos & IEEE80211_QOS_AMSDU)) 757 eh = mtod(m, struct ether_header *); 758 else 759 eh = NULL; 760 if (!ieee80211_node_is_authorized(ni)) { 761 /* 762 * Deny any non-PAE frames received prior to 763 * authorization. For open/shared-key 764 * authentication the port is mark authorized 765 * after authentication completes. For 802.1x 766 * the port is not marked authorized by the 767 * authenticator until the handshake has completed. 768 */ 769 if (eh == NULL || 770 eh->ether_type != htons(ETHERTYPE_PAE)) { 771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 772 ni->ni_macaddr, "data", "unauthorized or " 773 "unknown port: ether type 0x%x len %u", 774 eh == NULL ? -1 : eh->ether_type, 775 m->m_pkthdr.len); 776 vap->iv_stats.is_rx_unauth++; 777 IEEE80211_NODE_STAT(ni, rx_unauth); 778 goto err; 779 } 780 } else { 781 /* 782 * When denying unencrypted frames, discard 783 * any non-PAE frames received without encryption. 784 */ 785 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 786 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 787 (is_hw_decrypted == 0) && 788 (eh == NULL || 789 eh->ether_type != htons(ETHERTYPE_PAE))) { 790 /* 791 * Drop unencrypted frames. 792 */ 793 vap->iv_stats.is_rx_unencrypted++; 794 IEEE80211_NODE_STAT(ni, rx_unencrypted); 795 goto out; 796 } 797 } 798 /* XXX require HT? */ 799 if (qos & IEEE80211_QOS_AMSDU) { 800 m = ieee80211_decap_amsdu(ni, m); 801 if (m == NULL) 802 return IEEE80211_FC0_TYPE_DATA; 803 } else { 804 #ifdef IEEE80211_SUPPORT_SUPERG 805 m = ieee80211_decap_fastframe(vap, ni, m); 806 if (m == NULL) 807 return IEEE80211_FC0_TYPE_DATA; 808 #endif 809 } 810 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 811 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 812 else 813 hostap_deliver_data(vap, ni, m); 814 return IEEE80211_FC0_TYPE_DATA; 815 816 case IEEE80211_FC0_TYPE_MGT: 817 vap->iv_stats.is_rx_mgmt++; 818 IEEE80211_NODE_STAT(ni, rx_mgmt); 819 if (dir != IEEE80211_FC1_DIR_NODS) { 820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 821 wh, "mgt", "incorrect dir 0x%x", dir); 822 vap->iv_stats.is_rx_wrongdir++; 823 goto err; 824 } 825 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 826 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 827 ni->ni_macaddr, "mgt", "too short: len %u", 828 m->m_pkthdr.len); 829 vap->iv_stats.is_rx_tooshort++; 830 goto out; 831 } 832 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 833 /* ensure return frames are unicast */ 834 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 835 wh, NULL, "source is multicast: %s", 836 ether_sprintf(wh->i_addr2)); 837 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 838 goto out; 839 } 840 #ifdef IEEE80211_DEBUG 841 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 842 ieee80211_msg_dumppkts(vap)) { 843 if_printf(ifp, "received %s from %s rssi %d\n", 844 ieee80211_mgt_subtype_name(subtype), 845 ether_sprintf(wh->i_addr2), rssi); 846 } 847 #endif 848 if (IEEE80211_IS_PROTECTED(wh)) { 849 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 850 /* 851 * Only shared key auth frames with a challenge 852 * should be encrypted, discard all others. 853 */ 854 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 855 wh, NULL, 856 "%s", "WEP set but not permitted"); 857 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 858 goto out; 859 } 860 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 861 /* 862 * Discard encrypted frames when privacy is off. 863 */ 864 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, "%s", "WEP set but PRIVACY off"); 866 vap->iv_stats.is_rx_noprivacy++; 867 goto out; 868 } 869 hdrspace = ieee80211_hdrspace(ic, wh); 870 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 871 /* NB: stats+msgs handled in crypto_decap */ 872 goto out; 873 } 874 wh = mtod(m, struct ieee80211_frame *); 875 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 876 has_decrypted = 1; 877 } 878 /* 879 * Pass the packet to radiotap before calling iv_recv_mgmt(). 880 * Otherwise iv_recv_mgmt() might pass another packet to 881 * radiotap, resulting in out of order packet captures. 882 */ 883 if (ieee80211_radiotap_active_vap(vap)) 884 ieee80211_radiotap_rx(vap, m); 885 need_tap = 0; 886 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 887 goto out; 888 889 case IEEE80211_FC0_TYPE_CTL: 890 vap->iv_stats.is_rx_ctl++; 891 IEEE80211_NODE_STAT(ni, rx_ctrl); 892 if (ieee80211_is_ctl_frame_for_vap(ni, m)) 893 vap->iv_recv_ctl(ni, m, subtype); 894 goto out; 895 default: 896 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 897 wh, "bad", "frame type 0x%x", type); 898 /* should not come here */ 899 break; 900 } 901 err: 902 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 903 out: 904 if (m != NULL) { 905 if (need_tap && ieee80211_radiotap_active_vap(vap)) 906 ieee80211_radiotap_rx(vap, m); 907 m_freem(m); 908 } 909 return type; 910 } 911 912 static void 913 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 914 int rssi, int nf, uint16_t seq, uint16_t status) 915 { 916 struct ieee80211vap *vap = ni->ni_vap; 917 918 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 919 920 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 921 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 922 ni->ni_macaddr, "open auth", 923 "bad sta auth mode %u", ni->ni_authmode); 924 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 925 /* 926 * Clear any challenge text that may be there if 927 * a previous shared key auth failed and then an 928 * open auth is attempted. 929 */ 930 if (ni->ni_challenge != NULL) { 931 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 932 ni->ni_challenge = NULL; 933 } 934 /* XXX hack to workaround calling convention */ 935 ieee80211_send_error(ni, wh->i_addr2, 936 IEEE80211_FC0_SUBTYPE_AUTH, 937 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 938 return; 939 } 940 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 941 vap->iv_stats.is_rx_bad_auth++; 942 return; 943 } 944 /* always accept open authentication requests */ 945 if (ni == vap->iv_bss) { 946 ni = ieee80211_dup_bss(vap, wh->i_addr2); 947 if (ni == NULL) 948 return; 949 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 950 (void) ieee80211_ref_node(ni); 951 /* 952 * Mark the node as referenced to reflect that it's 953 * reference count has been bumped to insure it remains 954 * after the transaction completes. 955 */ 956 ni->ni_flags |= IEEE80211_NODE_AREF; 957 /* 958 * Mark the node as requiring a valid association id 959 * before outbound traffic is permitted. 960 */ 961 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 962 963 if (vap->iv_acl != NULL && 964 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 965 /* 966 * When the ACL policy is set to RADIUS we defer the 967 * authorization to a user agent. Dispatch an event, 968 * a subsequent MLME call will decide the fate of the 969 * station. If the user agent is not present then the 970 * node will be reclaimed due to inactivity. 971 */ 972 IEEE80211_NOTE_MAC(vap, 973 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 974 "%s", "station authentication deferred (radius acl)"); 975 ieee80211_notify_node_auth(ni); 976 } else { 977 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 978 IEEE80211_NOTE_MAC(vap, 979 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 980 "%s", "station authenticated (open)"); 981 /* 982 * When 802.1x is not in use mark the port 983 * authorized at this point so traffic can flow. 984 */ 985 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 986 ieee80211_node_authorize(ni); 987 } 988 } 989 990 static void 991 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 992 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 993 uint16_t seq, uint16_t status) 994 { 995 struct ieee80211vap *vap = ni->ni_vap; 996 uint8_t *challenge; 997 int estatus; 998 999 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1000 1001 /* 1002 * NB: this can happen as we allow pre-shared key 1003 * authentication to be enabled w/o wep being turned 1004 * on so that configuration of these can be done 1005 * in any order. It may be better to enforce the 1006 * ordering in which case this check would just be 1007 * for sanity/consistency. 1008 */ 1009 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1010 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1011 ni->ni_macaddr, "shared key auth", 1012 "%s", " PRIVACY is disabled"); 1013 estatus = IEEE80211_STATUS_ALG; 1014 goto bad; 1015 } 1016 /* 1017 * Pre-shared key authentication is evil; accept 1018 * it only if explicitly configured (it is supported 1019 * mainly for compatibility with clients like Mac OS X). 1020 */ 1021 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1022 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1023 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1024 ni->ni_macaddr, "shared key auth", 1025 "bad sta auth mode %u", ni->ni_authmode); 1026 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1027 estatus = IEEE80211_STATUS_ALG; 1028 goto bad; 1029 } 1030 1031 challenge = NULL; 1032 if (frm + 1 < efrm) { 1033 if ((frm[1] + 2) > (efrm - frm)) { 1034 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1035 ni->ni_macaddr, "shared key auth", 1036 "ie %d/%d too long", 1037 frm[0], (frm[1] + 2) - (efrm - frm)); 1038 vap->iv_stats.is_rx_bad_auth++; 1039 estatus = IEEE80211_STATUS_CHALLENGE; 1040 goto bad; 1041 } 1042 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1043 challenge = frm; 1044 frm += frm[1] + 2; 1045 } 1046 switch (seq) { 1047 case IEEE80211_AUTH_SHARED_CHALLENGE: 1048 case IEEE80211_AUTH_SHARED_RESPONSE: 1049 if (challenge == NULL) { 1050 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1051 ni->ni_macaddr, "shared key auth", 1052 "%s", "no challenge"); 1053 vap->iv_stats.is_rx_bad_auth++; 1054 estatus = IEEE80211_STATUS_CHALLENGE; 1055 goto bad; 1056 } 1057 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1058 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1059 ni->ni_macaddr, "shared key auth", 1060 "bad challenge len %d", challenge[1]); 1061 vap->iv_stats.is_rx_bad_auth++; 1062 estatus = IEEE80211_STATUS_CHALLENGE; 1063 goto bad; 1064 } 1065 default: 1066 break; 1067 } 1068 switch (seq) { 1069 case IEEE80211_AUTH_SHARED_REQUEST: 1070 { 1071 #ifdef IEEE80211_DEBUG 1072 bool allocbs; 1073 #endif 1074 1075 if (ni == vap->iv_bss) { 1076 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1077 if (ni == NULL) { 1078 /* NB: no way to return an error */ 1079 return; 1080 } 1081 #ifdef IEEE80211_DEBUG 1082 allocbs = 1; 1083 #endif 1084 } else { 1085 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1086 (void) ieee80211_ref_node(ni); 1087 #ifdef IEEE80211_DEBUG 1088 allocbs = 0; 1089 #endif 1090 } 1091 /* 1092 * Mark the node as referenced to reflect that it's 1093 * reference count has been bumped to insure it remains 1094 * after the transaction completes. 1095 */ 1096 ni->ni_flags |= IEEE80211_NODE_AREF; 1097 /* 1098 * Mark the node as requiring a valid association id 1099 * before outbound traffic is permitted. 1100 */ 1101 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1102 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1103 ni->ni_noise = nf; 1104 if (!ieee80211_alloc_challenge(ni)) { 1105 /* NB: don't return error so they rexmit */ 1106 return; 1107 } 1108 net80211_get_random_bytes(ni->ni_challenge, 1109 IEEE80211_CHALLENGE_LEN); 1110 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1111 ni, "shared key %sauth request", allocbs ? "" : "re"); 1112 /* 1113 * When the ACL policy is set to RADIUS we defer the 1114 * authorization to a user agent. Dispatch an event, 1115 * a subsequent MLME call will decide the fate of the 1116 * station. If the user agent is not present then the 1117 * node will be reclaimed due to inactivity. 1118 */ 1119 if (vap->iv_acl != NULL && 1120 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1121 IEEE80211_NOTE_MAC(vap, 1122 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1123 ni->ni_macaddr, 1124 "%s", "station authentication deferred (radius acl)"); 1125 ieee80211_notify_node_auth(ni); 1126 return; 1127 } 1128 break; 1129 } 1130 case IEEE80211_AUTH_SHARED_RESPONSE: 1131 if (ni == vap->iv_bss) { 1132 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1133 ni->ni_macaddr, "shared key response", 1134 "%s", "unknown station"); 1135 /* NB: don't send a response */ 1136 return; 1137 } 1138 if (ni->ni_challenge == NULL) { 1139 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1140 ni->ni_macaddr, "shared key response", 1141 "%s", "no challenge recorded"); 1142 vap->iv_stats.is_rx_bad_auth++; 1143 estatus = IEEE80211_STATUS_CHALLENGE; 1144 goto bad; 1145 } 1146 if (memcmp(ni->ni_challenge, &challenge[2], 1147 challenge[1]) != 0) { 1148 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1149 ni->ni_macaddr, "shared key response", 1150 "%s", "challenge mismatch"); 1151 vap->iv_stats.is_rx_auth_fail++; 1152 estatus = IEEE80211_STATUS_CHALLENGE; 1153 goto bad; 1154 } 1155 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1156 ni, "%s", "station authenticated (shared key)"); 1157 ieee80211_node_authorize(ni); 1158 break; 1159 default: 1160 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1161 ni->ni_macaddr, "shared key auth", 1162 "bad seq %d", seq); 1163 vap->iv_stats.is_rx_bad_auth++; 1164 estatus = IEEE80211_STATUS_SEQUENCE; 1165 goto bad; 1166 } 1167 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1168 return; 1169 bad: 1170 /* 1171 * Send an error response; but only when operating as an AP. 1172 */ 1173 /* XXX hack to workaround calling convention */ 1174 ieee80211_send_error(ni, wh->i_addr2, 1175 IEEE80211_FC0_SUBTYPE_AUTH, 1176 (seq + 1) | (estatus<<16)); 1177 } 1178 1179 /* 1180 * Convert a WPA cipher selector OUI to an internal 1181 * cipher algorithm. Where appropriate we also 1182 * record any key length. 1183 */ 1184 static int 1185 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1186 { 1187 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1188 uint32_t w = le32dec(sel); 1189 1190 switch (w) { 1191 case WPA_SEL(WPA_CSE_NULL): 1192 *cipher = IEEE80211_CIPHER_NONE; 1193 break; 1194 case WPA_SEL(WPA_CSE_WEP40): 1195 if (keylen) 1196 *keylen = 40 / NBBY; 1197 *cipher = IEEE80211_CIPHER_WEP; 1198 break; 1199 case WPA_SEL(WPA_CSE_WEP104): 1200 if (keylen) 1201 *keylen = 104 / NBBY; 1202 *cipher = IEEE80211_CIPHER_WEP; 1203 break; 1204 case WPA_SEL(WPA_CSE_TKIP): 1205 *cipher = IEEE80211_CIPHER_TKIP; 1206 break; 1207 case WPA_SEL(WPA_CSE_CCMP): 1208 *cipher = IEEE80211_CIPHER_AES_CCM; 1209 break; 1210 /* Note: no GCM cipher in the legacy WPA1 OUI */ 1211 default: 1212 return (EINVAL); 1213 } 1214 1215 return (0); 1216 #undef WPA_SEL 1217 } 1218 1219 /* 1220 * Convert a WPA key management/authentication algorithm 1221 * to an internal code. 1222 */ 1223 static int 1224 wpa_keymgmt(const uint8_t *sel) 1225 { 1226 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1227 uint32_t w = le32dec(sel); 1228 1229 switch (w) { 1230 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1231 return WPA_ASE_8021X_UNSPEC; 1232 case WPA_SEL(WPA_ASE_8021X_PSK): 1233 return WPA_ASE_8021X_PSK; 1234 case WPA_SEL(WPA_ASE_NONE): 1235 return WPA_ASE_NONE; 1236 } 1237 return 0; /* NB: so is discarded */ 1238 #undef WPA_SEL 1239 } 1240 1241 /* 1242 * Parse a WPA information element to collect parameters. 1243 * Note that we do not validate security parameters; that 1244 * is handled by the authenticator; the parsing done here 1245 * is just for internal use in making operational decisions. 1246 */ 1247 static int 1248 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1249 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1250 { 1251 uint8_t len = frm[1]; 1252 uint32_t w; 1253 int error, n; 1254 1255 /* 1256 * Check the length once for fixed parts: OUI, type, 1257 * version, mcast cipher, and 2 selector counts. 1258 * Other, variable-length data, must be checked separately. 1259 */ 1260 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1261 IEEE80211_DISCARD_IE(vap, 1262 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1263 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1264 return IEEE80211_REASON_IE_INVALID; 1265 } 1266 if (len < 14) { 1267 IEEE80211_DISCARD_IE(vap, 1268 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1269 wh, "WPA", "too short, len %u", len); 1270 return IEEE80211_REASON_IE_INVALID; 1271 } 1272 frm += 6, len -= 4; /* NB: len is payload only */ 1273 /* NB: iswpaoui already validated the OUI and type */ 1274 w = le16dec(frm); 1275 if (w != WPA_VERSION) { 1276 IEEE80211_DISCARD_IE(vap, 1277 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1278 wh, "WPA", "bad version %u", w); 1279 return IEEE80211_REASON_IE_INVALID; 1280 } 1281 frm += 2, len -= 2; 1282 1283 memset(rsn, 0, sizeof(*rsn)); 1284 1285 /* multicast/group cipher */ 1286 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1287 if (error != 0) { 1288 IEEE80211_DISCARD_IE(vap, 1289 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1290 wh, "WPA", "unknown mcast cipher suite %08X", 1291 le32dec(frm)); 1292 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1293 } 1294 frm += 4, len -= 4; 1295 1296 /* unicast ciphers */ 1297 n = le16dec(frm); 1298 frm += 2, len -= 2; 1299 if (len < n*4+2) { 1300 IEEE80211_DISCARD_IE(vap, 1301 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1302 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1303 len, n); 1304 return IEEE80211_REASON_IE_INVALID; 1305 } 1306 w = 0; 1307 for (; n > 0; n--) { 1308 uint8_t cipher; 1309 1310 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1311 if (error == 0) 1312 w |= 1 << cipher; 1313 1314 frm += 4, len -= 4; 1315 } 1316 if (w == 0) { 1317 IEEE80211_DISCARD_IE(vap, 1318 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1319 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1320 w); 1321 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1322 } 1323 /* XXX other? */ 1324 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1325 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1326 else 1327 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1328 1329 /* key management algorithms */ 1330 n = le16dec(frm); 1331 frm += 2, len -= 2; 1332 if (len < n*4) { 1333 IEEE80211_DISCARD_IE(vap, 1334 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1335 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1336 len, n); 1337 return IEEE80211_REASON_IE_INVALID; 1338 } 1339 w = 0; 1340 for (; n > 0; n--) { 1341 w |= wpa_keymgmt(frm); 1342 frm += 4, len -= 4; 1343 } 1344 if (w & WPA_ASE_8021X_UNSPEC) 1345 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1346 else 1347 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1348 1349 if (len > 2) /* optional capabilities */ 1350 rsn->rsn_caps = le16dec(frm); 1351 1352 return 0; 1353 } 1354 1355 /* 1356 * Convert an RSN cipher selector OUI to an internal 1357 * cipher algorithm. Where appropriate we also 1358 * record any key length. 1359 */ 1360 static int 1361 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1362 { 1363 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1364 uint32_t w = le32dec(sel); 1365 1366 switch (w) { 1367 case RSN_SEL(RSN_CSE_NULL): 1368 *cipher = IEEE80211_CIPHER_NONE; 1369 break; 1370 case RSN_SEL(RSN_CSE_WEP40): 1371 if (keylen) 1372 *keylen = 40 / NBBY; 1373 *cipher = IEEE80211_CIPHER_WEP; 1374 break; 1375 case RSN_SEL(RSN_CSE_WEP104): 1376 if (keylen) 1377 *keylen = 104 / NBBY; 1378 *cipher = IEEE80211_CIPHER_WEP; 1379 break; 1380 case RSN_SEL(RSN_CSE_TKIP): 1381 *cipher = IEEE80211_CIPHER_TKIP; 1382 break; 1383 case RSN_SEL(RSN_CSE_CCMP): 1384 *cipher = IEEE80211_CIPHER_AES_CCM; 1385 break; 1386 case RSN_SEL(RSN_CSE_WRAP): 1387 *cipher = IEEE80211_CIPHER_AES_OCB; 1388 break; 1389 case RSN_SEL(RSN_CSE_GCMP_128): 1390 *cipher = IEEE80211_CIPHER_AES_GCM_128; 1391 break; 1392 default: 1393 return (EINVAL); 1394 } 1395 1396 return (0); 1397 #undef WPA_SEL 1398 } 1399 1400 /* 1401 * Convert an RSN key management/authentication algorithm 1402 * to an internal code. 1403 */ 1404 static int 1405 rsn_keymgmt(const uint8_t *sel) 1406 { 1407 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1408 uint32_t w = le32dec(sel); 1409 1410 switch (w) { 1411 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1412 return RSN_ASE_8021X_UNSPEC; 1413 case RSN_SEL(RSN_ASE_8021X_PSK): 1414 return RSN_ASE_8021X_PSK; 1415 case RSN_SEL(RSN_ASE_NONE): 1416 return RSN_ASE_NONE; 1417 } 1418 return 0; /* NB: so is discarded */ 1419 #undef RSN_SEL 1420 } 1421 1422 /* 1423 * Parse a WPA/RSN information element to collect parameters 1424 * and validate the parameters against what has been 1425 * configured for the system. 1426 */ 1427 static int 1428 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1429 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1430 { 1431 uint8_t len = frm[1]; 1432 uint32_t w; 1433 int error, n; 1434 1435 /* 1436 * Check the length once for fixed parts: 1437 * version, mcast cipher, and 2 selector counts. 1438 * Other, variable-length data, must be checked separately. 1439 */ 1440 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1441 IEEE80211_DISCARD_IE(vap, 1442 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1443 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1444 return IEEE80211_REASON_IE_INVALID; 1445 } 1446 /* XXX may be shorter */ 1447 if (len < 10) { 1448 IEEE80211_DISCARD_IE(vap, 1449 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1450 wh, "RSN", "too short, len %u", len); 1451 return IEEE80211_REASON_IE_INVALID; 1452 } 1453 frm += 2; 1454 w = le16dec(frm); 1455 if (w != RSN_VERSION) { 1456 IEEE80211_DISCARD_IE(vap, 1457 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1458 wh, "RSN", "bad version %u", w); 1459 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1460 } 1461 frm += 2, len -= 2; 1462 1463 memset(rsn, 0, sizeof(*rsn)); 1464 1465 /* multicast/group cipher */ 1466 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1467 if (error != 0) { 1468 IEEE80211_DISCARD_IE(vap, 1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1470 wh, "RSN", "unknown mcast cipher suite %08X", 1471 le32dec(frm)); 1472 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1473 } 1474 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1475 IEEE80211_DISCARD_IE(vap, 1476 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1477 wh, "RSN", "invalid mcast cipher suite %d", 1478 rsn->rsn_mcastcipher); 1479 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1480 } 1481 frm += 4, len -= 4; 1482 1483 /* unicast ciphers */ 1484 n = le16dec(frm); 1485 frm += 2, len -= 2; 1486 if (len < n*4+2) { 1487 IEEE80211_DISCARD_IE(vap, 1488 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1489 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1490 len, n); 1491 return IEEE80211_REASON_IE_INVALID; 1492 } 1493 w = 0; 1494 1495 for (; n > 0; n--) { 1496 uint8_t cipher; 1497 1498 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1499 if (error == 0) 1500 w |= 1 << cipher; 1501 1502 frm += 4, len -= 4; 1503 } 1504 if (w & (1 << IEEE80211_CIPHER_AES_GCM_128)) 1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_GCM_128; 1506 else if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1508 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1510 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1511 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1512 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1513 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1514 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1515 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1516 else { 1517 IEEE80211_DISCARD_IE(vap, 1518 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1519 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1520 w); 1521 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1522 } 1523 1524 /* key management algorithms */ 1525 n = le16dec(frm); 1526 frm += 2, len -= 2; 1527 if (len < n*4) { 1528 IEEE80211_DISCARD_IE(vap, 1529 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1530 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1531 len, n); 1532 return IEEE80211_REASON_IE_INVALID; 1533 } 1534 w = 0; 1535 for (; n > 0; n--) { 1536 w |= rsn_keymgmt(frm); 1537 frm += 4, len -= 4; 1538 } 1539 if (w & RSN_ASE_8021X_UNSPEC) 1540 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1541 else 1542 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1543 1544 /* optional RSN capabilities */ 1545 if (len >= 2) { 1546 rsn->rsn_caps = le16dec(frm); 1547 frm += 2, len -= 2; 1548 } 1549 1550 /* XXX PMK Count / PMKID */ 1551 1552 /* XXX Group Cipher Management Suite */ 1553 1554 return 0; 1555 } 1556 1557 /* 1558 * WPA/802.11i association request processing. 1559 */ 1560 static int 1561 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1562 const struct ieee80211_frame *wh, const uint8_t *wpa, 1563 const uint8_t *rsn, uint16_t capinfo) 1564 { 1565 struct ieee80211vap *vap = ni->ni_vap; 1566 uint8_t reason; 1567 int badwparsn; 1568 1569 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1570 if (wpa == NULL && rsn == NULL) { 1571 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1572 /* 1573 * W-Fi Protected Setup (WPS) permits 1574 * clients to associate and pass EAPOL frames 1575 * to establish initial credentials. 1576 */ 1577 ni->ni_flags |= IEEE80211_NODE_WPS; 1578 return 1; 1579 } 1580 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1581 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1582 /* 1583 * Transitional Security Network. Permits clients 1584 * to associate and use WEP while WPA is configured. 1585 */ 1586 ni->ni_flags |= IEEE80211_NODE_TSN; 1587 return 1; 1588 } 1589 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1590 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1591 vap->iv_stats.is_rx_assoc_badwpaie++; 1592 reason = IEEE80211_REASON_IE_INVALID; 1593 goto bad; 1594 } 1595 /* assert right association security credentials */ 1596 badwparsn = 0; /* NB: to silence compiler */ 1597 switch (vap->iv_flags & IEEE80211_F_WPA) { 1598 case IEEE80211_F_WPA1: 1599 badwparsn = (wpa == NULL); 1600 break; 1601 case IEEE80211_F_WPA2: 1602 badwparsn = (rsn == NULL); 1603 break; 1604 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1605 badwparsn = (wpa == NULL && rsn == NULL); 1606 break; 1607 } 1608 if (badwparsn) { 1609 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1610 wh, NULL, 1611 "%s", "missing WPA/RSN IE in association request"); 1612 vap->iv_stats.is_rx_assoc_badwpaie++; 1613 reason = IEEE80211_REASON_IE_INVALID; 1614 goto bad; 1615 } 1616 /* 1617 * Parse WPA/RSN information element. 1618 */ 1619 if (wpa != NULL) 1620 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1621 else 1622 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1623 if (reason != 0) { 1624 /* XXX wpa->rsn fallback? */ 1625 /* XXX distinguish WPA/RSN? */ 1626 vap->iv_stats.is_rx_assoc_badwpaie++; 1627 goto bad; 1628 } 1629 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1630 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1631 wpa != NULL ? "WPA" : "RSN", 1632 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1633 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1634 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1635 1636 return 1; 1637 bad: 1638 ieee80211_node_deauth(ni, reason); 1639 return 0; 1640 } 1641 1642 /* XXX find a better place for definition */ 1643 struct l2_update_frame { 1644 struct ether_header eh; 1645 uint8_t dsap; 1646 uint8_t ssap; 1647 uint8_t control; 1648 uint8_t xid[3]; 1649 } __packed; 1650 1651 /* 1652 * Deliver a TGf L2UF frame on behalf of a station. 1653 * This primes any bridge when the station is roaming 1654 * between ap's on the same wired network. 1655 */ 1656 static void 1657 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1658 { 1659 struct ieee80211vap *vap = ni->ni_vap; 1660 struct ifnet *ifp = vap->iv_ifp; 1661 struct mbuf *m; 1662 struct l2_update_frame *l2uf; 1663 struct ether_header *eh; 1664 1665 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1666 if (m == NULL) { 1667 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1668 "%s", "no mbuf for l2uf frame"); 1669 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1670 return; 1671 } 1672 l2uf = mtod(m, struct l2_update_frame *); 1673 eh = &l2uf->eh; 1674 /* dst: Broadcast address */ 1675 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1676 /* src: associated STA */ 1677 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1678 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1679 1680 l2uf->dsap = 0; 1681 l2uf->ssap = 0; 1682 l2uf->control = 0xf5; 1683 l2uf->xid[0] = 0x81; 1684 l2uf->xid[1] = 0x80; 1685 l2uf->xid[2] = 0x00; 1686 1687 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1688 hostap_deliver_data(vap, ni, m); 1689 } 1690 1691 static void 1692 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1693 int reassoc, int resp, const char *tag, int rate) 1694 { 1695 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1696 "deny %s request, %s rate set mismatch, rate/MCS %d", 1697 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1698 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1699 ieee80211_node_leave(ni); 1700 } 1701 1702 static void 1703 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1704 int reassoc, int resp, const char *tag, int capinfo) 1705 { 1706 struct ieee80211vap *vap = ni->ni_vap; 1707 1708 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1709 "deny %s request, %s mismatch 0x%x", 1710 reassoc ? "reassoc" : "assoc", tag, capinfo); 1711 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1712 ieee80211_node_leave(ni); 1713 vap->iv_stats.is_rx_assoc_capmismatch++; 1714 } 1715 1716 static void 1717 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1718 int reassoc, int resp) 1719 { 1720 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1721 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1722 /* XXX no better code */ 1723 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1724 ieee80211_node_leave(ni); 1725 } 1726 1727 static void 1728 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1729 int algo, int seq, int status) 1730 { 1731 struct ieee80211vap *vap = ni->ni_vap; 1732 1733 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1734 wh, NULL, "unsupported alg %d", algo); 1735 vap->iv_stats.is_rx_auth_unsupported++; 1736 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1737 seq | (status << 16)); 1738 } 1739 1740 static __inline int 1741 ishtmixed(const uint8_t *ie) 1742 { 1743 const struct ieee80211_ie_htinfo *ht = 1744 (const struct ieee80211_ie_htinfo *) ie; 1745 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1746 IEEE80211_HTINFO_OPMODE_MIXED; 1747 } 1748 1749 static int 1750 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1751 { 1752 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1753 int i; 1754 1755 /* NB: the 11b clients we care about will not have xrates */ 1756 if (xrates != NULL || rates == NULL) 1757 return 0; 1758 for (i = 0; i < rates[1]; i++) { 1759 int r = rates[2+i] & IEEE80211_RATE_VAL; 1760 if (r > 2*11 || ((1<<r) & brates) == 0) 1761 return 0; 1762 } 1763 return 1; 1764 } 1765 1766 /** 1767 * Check if the given cipher is valid for 802.11 HT operation. 1768 * 1769 * The 802.11 specification only allows HT A-MPDU to be performed 1770 * on CCMP / GCMP encrypted frames. The WEP/TKIP hardware crypto 1771 * implementations may not meet the timing required for A-MPDU 1772 * operation. 1773 * 1774 * @param cipher the IEEE80211_CIPHER_ value to check 1775 * @returns true if the cipher is valid for HT A-MPDU, false otherwise 1776 */ 1777 static bool 1778 hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher) 1779 { 1780 switch (cipher) { 1781 case IEEE80211_CIPHER_AES_CCM: 1782 case IEEE80211_CIPHER_AES_GCM_128: 1783 return true; 1784 default: 1785 return false; 1786 } 1787 } 1788 1789 static void 1790 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1791 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1792 { 1793 struct ieee80211vap *vap = ni->ni_vap; 1794 struct ieee80211com *ic = ni->ni_ic; 1795 struct ieee80211_frame *wh; 1796 uint8_t *frm, *efrm, *sfrm; 1797 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1798 uint8_t *vhtcap, *vhtinfo; 1799 int reassoc, resp; 1800 uint8_t rate; 1801 1802 wh = mtod(m0, struct ieee80211_frame *); 1803 frm = (uint8_t *)&wh[1]; 1804 efrm = mtod(m0, uint8_t *) + m0->m_len; 1805 switch (subtype) { 1806 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1807 /* 1808 * We process beacon/probe response frames when scanning; 1809 * otherwise we check beacon frames for overlapping non-ERP 1810 * BSS in 11g and/or overlapping legacy BSS when in HT. 1811 */ 1812 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1813 vap->iv_stats.is_rx_mgtdiscard++; 1814 return; 1815 } 1816 /* FALLTHROUGH */ 1817 case IEEE80211_FC0_SUBTYPE_BEACON: { 1818 struct ieee80211_scanparams scan; 1819 1820 /* NB: accept off-channel frames */ 1821 /* XXX TODO: use rxstatus to determine off-channel details */ 1822 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1823 return; 1824 /* 1825 * Count frame now that we know it's to be processed. 1826 */ 1827 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1828 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1829 IEEE80211_NODE_STAT(ni, rx_beacons); 1830 } else 1831 IEEE80211_NODE_STAT(ni, rx_proberesp); 1832 /* 1833 * If scanning, just pass information to the scan module. 1834 */ 1835 if (ic->ic_flags & IEEE80211_F_SCAN) { 1836 if (scan.status == 0 && /* NB: on channel */ 1837 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1838 /* 1839 * Actively scanning a channel marked passive; 1840 * send a probe request now that we know there 1841 * is 802.11 traffic present. 1842 * 1843 * XXX check if the beacon we recv'd gives 1844 * us what we need and suppress the probe req 1845 */ 1846 ieee80211_probe_curchan(vap, true); 1847 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1848 } 1849 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1850 subtype, rssi, nf); 1851 return; 1852 } 1853 /* 1854 * Check beacon for overlapping bss w/ non ERP stations. 1855 * If we detect one and protection is configured but not 1856 * enabled, enable it and start a timer that'll bring us 1857 * out if we stop seeing the bss. 1858 */ 1859 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1860 scan.status == 0 && /* NB: on-channel */ 1861 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1862 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1863 vap->iv_lastnonerp = ticks; 1864 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1865 /* 1866 * XXX TODO: this may need to check all VAPs? 1867 */ 1868 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1869 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1870 IEEE80211_NOTE_FRAME(vap, 1871 IEEE80211_MSG_ASSOC, wh, 1872 "non-ERP present on channel %d " 1873 "(saw erp 0x%x from channel %d), " 1874 "enable use of protection", 1875 ic->ic_curchan->ic_ieee, 1876 scan.erp, scan.chan); 1877 vap->iv_flags |= IEEE80211_F_USEPROT; 1878 ieee80211_vap_update_erp_protmode(vap); 1879 } 1880 } 1881 /* 1882 * Check beacon for non-HT station on HT channel 1883 * and update HT BSS occupancy as appropriate. 1884 */ 1885 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1886 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1887 /* 1888 * Off control channel; only check frames 1889 * that come in the extension channel when 1890 * operating w/ HT40. 1891 */ 1892 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1893 break; 1894 if (scan.chan != ic->ic_curchan->ic_extieee) 1895 break; 1896 } 1897 if (scan.htinfo == NULL) { 1898 ieee80211_htprot_update(vap, 1899 IEEE80211_HTINFO_OPMODE_PROTOPT | 1900 IEEE80211_HTINFO_NONHT_PRESENT); 1901 } else if (ishtmixed(scan.htinfo)) { 1902 /* XXX? take NONHT_PRESENT from beacon? */ 1903 ieee80211_htprot_update(vap, 1904 IEEE80211_HTINFO_OPMODE_MIXED | 1905 IEEE80211_HTINFO_NONHT_PRESENT); 1906 } 1907 } 1908 break; 1909 } 1910 1911 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1912 if (vap->iv_state != IEEE80211_S_RUN) { 1913 vap->iv_stats.is_rx_mgtdiscard++; 1914 return; 1915 } 1916 /* 1917 * Consult the ACL policy module if setup. 1918 */ 1919 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1920 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1921 wh, NULL, "%s", "disallowed by ACL"); 1922 vap->iv_stats.is_rx_acl++; 1923 return; 1924 } 1925 /* 1926 * prreq frame format 1927 * [tlv] ssid 1928 * [tlv] supported rates 1929 * [tlv] extended supported rates 1930 */ 1931 ssid = rates = xrates = NULL; 1932 while (efrm - frm > 1) { 1933 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1934 switch (*frm) { 1935 case IEEE80211_ELEMID_SSID: 1936 ssid = frm; 1937 break; 1938 case IEEE80211_ELEMID_RATES: 1939 rates = frm; 1940 break; 1941 case IEEE80211_ELEMID_XRATES: 1942 xrates = frm; 1943 break; 1944 } 1945 frm += frm[1] + 2; 1946 } 1947 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1948 if (xrates != NULL) 1949 IEEE80211_VERIFY_ELEMENT(xrates, 1950 IEEE80211_RATE_MAXSIZE - rates[1], return); 1951 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1952 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1953 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1954 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1955 wh, NULL, 1956 "%s", "no ssid with ssid suppression enabled"); 1957 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1958 return; 1959 } 1960 1961 /* XXX find a better class or define it's own */ 1962 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1963 "%s", "recv probe req"); 1964 /* 1965 * Some legacy 11b clients cannot hack a complete 1966 * probe response frame. When the request includes 1967 * only a bare-bones rate set, communicate this to 1968 * the transmit side. 1969 */ 1970 ieee80211_send_proberesp(vap, wh->i_addr2, 1971 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1972 break; 1973 1974 case IEEE80211_FC0_SUBTYPE_AUTH: { 1975 uint16_t algo, seq, status; 1976 1977 if (vap->iv_state != IEEE80211_S_RUN) { 1978 vap->iv_stats.is_rx_mgtdiscard++; 1979 return; 1980 } 1981 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1982 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1983 wh, NULL, "%s", "wrong bssid"); 1984 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1985 return; 1986 } 1987 /* 1988 * auth frame format 1989 * [2] algorithm 1990 * [2] sequence 1991 * [2] status 1992 * [tlv*] challenge 1993 */ 1994 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1995 algo = le16toh(*(uint16_t *)frm); 1996 seq = le16toh(*(uint16_t *)(frm + 2)); 1997 status = le16toh(*(uint16_t *)(frm + 4)); 1998 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1999 "recv auth frame with algorithm %d seq %d", algo, seq); 2000 /* 2001 * Consult the ACL policy module if setup. 2002 */ 2003 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 2004 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 2005 wh, NULL, "%s", "disallowed by ACL"); 2006 vap->iv_stats.is_rx_acl++; 2007 ieee80211_send_error(ni, wh->i_addr2, 2008 IEEE80211_FC0_SUBTYPE_AUTH, 2009 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2010 return; 2011 } 2012 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 2013 IEEE80211_DISCARD(vap, 2014 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2015 wh, NULL, "%s", "TKIP countermeasures enabled"); 2016 vap->iv_stats.is_rx_auth_countermeasures++; 2017 ieee80211_send_error(ni, wh->i_addr2, 2018 IEEE80211_FC0_SUBTYPE_AUTH, 2019 IEEE80211_REASON_MIC_FAILURE); 2020 return; 2021 } 2022 if (algo == IEEE80211_AUTH_ALG_SHARED) 2023 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 2024 seq, status); 2025 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2026 hostap_auth_open(ni, wh, rssi, nf, seq, status); 2027 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 2028 authalgreject(ni, wh, algo, 2029 seq+1, IEEE80211_STATUS_ALG); 2030 return; 2031 } else { 2032 /* 2033 * We assume that an unknown algorithm is the result 2034 * of a decryption failure on a shared key auth frame; 2035 * return a status code appropriate for that instead 2036 * of IEEE80211_STATUS_ALG. 2037 * 2038 * NB: a seq# of 4 is intentional; the decrypted 2039 * frame likely has a bogus seq value. 2040 */ 2041 authalgreject(ni, wh, algo, 2042 4, IEEE80211_STATUS_CHALLENGE); 2043 return; 2044 } 2045 break; 2046 } 2047 2048 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2049 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2050 uint16_t capinfo, lintval; 2051 struct ieee80211_rsnparms rsnparms; 2052 2053 if (vap->iv_state != IEEE80211_S_RUN) { 2054 vap->iv_stats.is_rx_mgtdiscard++; 2055 return; 2056 } 2057 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2058 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2059 wh, NULL, "%s", "wrong bssid"); 2060 vap->iv_stats.is_rx_assoc_bss++; 2061 return; 2062 } 2063 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2064 reassoc = 1; 2065 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2066 } else { 2067 reassoc = 0; 2068 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2069 } 2070 if (ni == vap->iv_bss) { 2071 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2072 "deny %s request, sta not authenticated", 2073 reassoc ? "reassoc" : "assoc"); 2074 ieee80211_send_error(ni, wh->i_addr2, 2075 IEEE80211_FC0_SUBTYPE_DEAUTH, 2076 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2077 vap->iv_stats.is_rx_assoc_notauth++; 2078 return; 2079 } 2080 2081 /* 2082 * asreq frame format 2083 * [2] capability information 2084 * [2] listen interval 2085 * [6*] current AP address (reassoc only) 2086 * [tlv] ssid 2087 * [tlv] supported rates 2088 * [tlv] extended supported rates 2089 * [tlv] WPA or RSN 2090 * [tlv] HT capabilities 2091 * [tlv] Atheros capabilities 2092 */ 2093 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2094 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2095 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2096 if (reassoc) 2097 frm += 6; /* ignore current AP info */ 2098 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2099 vhtcap = vhtinfo = NULL; 2100 sfrm = frm; 2101 while (efrm - frm > 1) { 2102 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2103 switch (*frm) { 2104 case IEEE80211_ELEMID_SSID: 2105 ssid = frm; 2106 break; 2107 case IEEE80211_ELEMID_RATES: 2108 rates = frm; 2109 break; 2110 case IEEE80211_ELEMID_XRATES: 2111 xrates = frm; 2112 break; 2113 case IEEE80211_ELEMID_RSN: 2114 rsn = frm; 2115 break; 2116 case IEEE80211_ELEMID_HTCAP: 2117 htcap = frm; 2118 break; 2119 case IEEE80211_ELEMID_VHT_CAP: 2120 vhtcap = frm; 2121 break; 2122 case IEEE80211_ELEMID_VHT_OPMODE: 2123 vhtinfo = frm; 2124 break; 2125 case IEEE80211_ELEMID_VENDOR: 2126 if (iswpaoui(frm)) 2127 wpa = frm; 2128 else if (iswmeinfo(frm)) 2129 wme = frm; 2130 #ifdef IEEE80211_SUPPORT_SUPERG 2131 else if (isatherosoui(frm)) 2132 ath = frm; 2133 #endif 2134 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2135 if (ishtcapoui(frm) && htcap == NULL) 2136 htcap = frm; 2137 } 2138 break; 2139 } 2140 frm += frm[1] + 2; 2141 } 2142 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2143 if (xrates != NULL) 2144 IEEE80211_VERIFY_ELEMENT(xrates, 2145 IEEE80211_RATE_MAXSIZE - rates[1], return); 2146 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2147 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2148 if (htcap != NULL) { 2149 IEEE80211_VERIFY_LENGTH(htcap[1], 2150 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2151 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2152 sizeof(struct ieee80211_ie_htcap)-2, 2153 return); /* XXX just NULL out? */ 2154 } 2155 2156 /* Validate VHT IEs */ 2157 if (vhtcap != NULL) { 2158 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2159 sizeof(struct ieee80211_vht_cap), 2160 return); 2161 } 2162 if (vhtinfo != NULL) { 2163 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2164 sizeof(struct ieee80211_vht_operation), 2165 return); 2166 } 2167 2168 if ((vap->iv_flags & IEEE80211_F_WPA) && 2169 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2170 return; 2171 /* discard challenge after association */ 2172 if (ni->ni_challenge != NULL) { 2173 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2174 ni->ni_challenge = NULL; 2175 } 2176 /* NB: 802.11 spec says to ignore station's privacy bit */ 2177 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2178 capinfomismatch(ni, wh, reassoc, resp, 2179 "capability", capinfo); 2180 return; 2181 } 2182 /* 2183 * Disallow re-associate w/ invalid slot time setting. 2184 */ 2185 if (ni->ni_associd != 0 && 2186 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2187 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2188 capinfomismatch(ni, wh, reassoc, resp, 2189 "slot time", capinfo); 2190 return; 2191 } 2192 rate = ieee80211_setup_rates(ni, rates, xrates, 2193 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2194 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2195 if (rate & IEEE80211_RATE_BASIC) { 2196 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2197 vap->iv_stats.is_rx_assoc_norate++; 2198 return; 2199 } 2200 /* 2201 * If constrained to 11g-only stations reject an 2202 * 11b-only station. We cheat a bit here by looking 2203 * at the max negotiated xmit rate and assuming anyone 2204 * with a best rate <24Mb/s is an 11b station. 2205 */ 2206 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2207 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2208 vap->iv_stats.is_rx_assoc_norate++; 2209 return; 2210 } 2211 2212 /* 2213 * Do HT rate set handling and setup HT node state. 2214 */ 2215 ni->ni_chan = vap->iv_bss->ni_chan; 2216 2217 /* VHT */ 2218 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2219 vhtcap != NULL && 2220 vhtinfo != NULL) { 2221 /* XXX TODO; see below */ 2222 printf("%s: VHT TODO!\n", __func__); 2223 ieee80211_vht_node_init(ni); 2224 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2225 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2226 ieee80211_vht_node_cleanup(ni); 2227 2228 /* HT */ 2229 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2230 rate = ieee80211_setup_htrates(ni, htcap, 2231 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2232 IEEE80211_F_DOBRS); 2233 if (rate & IEEE80211_RATE_BASIC) { 2234 ratesetmismatch(ni, wh, reassoc, resp, 2235 "HT", rate); 2236 vap->iv_stats.is_ht_assoc_norate++; 2237 return; 2238 } 2239 ieee80211_ht_node_init(ni); 2240 ieee80211_ht_updatehtcap(ni, htcap); 2241 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2242 ieee80211_ht_node_cleanup(ni); 2243 2244 /* Finally - this will use HT/VHT info to change node channel */ 2245 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2246 ieee80211_ht_updatehtcap_final(ni); 2247 } 2248 2249 #ifdef IEEE80211_SUPPORT_SUPERG 2250 /* Always do ff node cleanup; for A-MSDU */ 2251 ieee80211_ff_node_cleanup(ni); 2252 #endif 2253 /* 2254 * Allow AMPDU operation only with unencrypted traffic 2255 * or AES-CCM / AES-GCM; the 802.11n spec only specifies these 2256 * ciphers so permitting any others is undefined and can lead 2257 * to interoperability problems. 2258 * 2259 * TODO: before landing, find exactly where in 802.11-2020 this 2260 * is called out! 2261 */ 2262 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2263 (((vap->iv_flags & IEEE80211_F_WPA) && 2264 !hostapd_validate_cipher_for_ht_ampdu(rsnparms.rsn_ucastcipher)) || 2265 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2266 IEEE80211_NOTE(vap, 2267 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2268 "disallow HT use because WEP or TKIP requested, " 2269 "capinfo 0x%x ucastcipher %d", capinfo, 2270 rsnparms.rsn_ucastcipher); 2271 ieee80211_ht_node_cleanup(ni); 2272 #ifdef IEEE80211_SUPPORT_SUPERG 2273 /* Always do ff node cleanup; for A-MSDU */ 2274 ieee80211_ff_node_cleanup(ni); 2275 #endif 2276 vap->iv_stats.is_ht_assoc_downgrade++; 2277 } 2278 /* 2279 * If constrained to 11n-only stations reject legacy stations. 2280 */ 2281 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2282 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2283 htcapmismatch(ni, wh, reassoc, resp); 2284 vap->iv_stats.is_ht_assoc_nohtcap++; 2285 return; 2286 } 2287 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2288 ni->ni_noise = nf; 2289 ni->ni_intval = lintval; 2290 ni->ni_capinfo = capinfo; 2291 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2292 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2293 /* 2294 * Store the IEs. 2295 * XXX maybe better to just expand 2296 */ 2297 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2298 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2299 if (wpa != NULL) 2300 setie(wpa_ie, wpa - sfrm); 2301 if (rsn != NULL) 2302 setie(rsn_ie, rsn - sfrm); 2303 if (htcap != NULL) 2304 setie(htcap_ie, htcap - sfrm); 2305 if (wme != NULL) { 2306 setie(wme_ie, wme - sfrm); 2307 /* 2308 * Mark node as capable of QoS. 2309 */ 2310 ni->ni_flags |= IEEE80211_NODE_QOS; 2311 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2312 if (ni->ni_uapsd != 0) 2313 ni->ni_flags |= 2314 IEEE80211_NODE_UAPSD; 2315 else 2316 ni->ni_flags &= 2317 ~IEEE80211_NODE_UAPSD; 2318 } 2319 } else 2320 ni->ni_flags &= 2321 ~(IEEE80211_NODE_QOS | 2322 IEEE80211_NODE_UAPSD); 2323 #ifdef IEEE80211_SUPPORT_SUPERG 2324 if (ath != NULL) { 2325 setie(ath_ie, ath - sfrm); 2326 /* 2327 * Parse ATH station parameters. 2328 */ 2329 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2330 } else 2331 #endif 2332 ni->ni_ath_flags = 0; 2333 #undef setie 2334 } else { 2335 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2336 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2337 ni->ni_ath_flags = 0; 2338 } 2339 ieee80211_node_join(ni, resp); 2340 ieee80211_deliver_l2uf(ni); 2341 break; 2342 } 2343 2344 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2345 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2346 #ifdef IEEE80211_DEBUG 2347 uint16_t reason; 2348 #endif 2349 2350 if (vap->iv_state != IEEE80211_S_RUN || 2351 /* NB: can happen when in promiscuous mode */ 2352 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2353 vap->iv_stats.is_rx_mgtdiscard++; 2354 break; 2355 } 2356 /* 2357 * deauth/disassoc frame format 2358 * [2] reason 2359 */ 2360 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2361 #ifdef IEEE80211_DEBUG 2362 reason = le16toh(*(uint16_t *)frm); 2363 #endif 2364 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2365 vap->iv_stats.is_rx_deauth++; 2366 IEEE80211_NODE_STAT(ni, rx_deauth); 2367 } else { 2368 vap->iv_stats.is_rx_disassoc++; 2369 IEEE80211_NODE_STAT(ni, rx_disassoc); 2370 } 2371 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2372 "recv %s (reason: %d (%s))", 2373 ieee80211_mgt_subtype_name(subtype), 2374 reason, ieee80211_reason_to_string(reason)); 2375 if (ni != vap->iv_bss) 2376 ieee80211_node_leave(ni); 2377 break; 2378 } 2379 2380 case IEEE80211_FC0_SUBTYPE_ACTION: 2381 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2382 if (ni == vap->iv_bss) { 2383 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2384 wh, NULL, "%s", "unknown node"); 2385 vap->iv_stats.is_rx_mgtdiscard++; 2386 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2387 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2388 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2389 wh, NULL, "%s", "not for us"); 2390 vap->iv_stats.is_rx_mgtdiscard++; 2391 } else if (vap->iv_state != IEEE80211_S_RUN) { 2392 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2393 wh, NULL, "wrong state %s", 2394 ieee80211_state_name[vap->iv_state]); 2395 vap->iv_stats.is_rx_mgtdiscard++; 2396 } else { 2397 if (ieee80211_parse_action(ni, m0) == 0) 2398 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2399 } 2400 break; 2401 2402 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2403 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2404 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2405 case IEEE80211_FC0_SUBTYPE_ATIM: 2406 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2407 wh, NULL, "%s", "not handled"); 2408 vap->iv_stats.is_rx_mgtdiscard++; 2409 break; 2410 2411 default: 2412 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2413 wh, "mgt", "subtype 0x%x not handled", subtype); 2414 vap->iv_stats.is_rx_badsubtype++; 2415 break; 2416 } 2417 } 2418 2419 static void 2420 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2421 { 2422 switch (subtype) { 2423 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2424 ni->ni_vap->iv_recv_pspoll(ni, m); 2425 break; 2426 case IEEE80211_FC0_SUBTYPE_BAR: 2427 ieee80211_recv_bar(ni, m); 2428 break; 2429 } 2430 } 2431 2432 /* 2433 * Process a received ps-poll frame. 2434 */ 2435 void 2436 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2437 { 2438 struct ieee80211vap *vap = ni->ni_vap; 2439 struct ieee80211com *ic = vap->iv_ic; 2440 struct ieee80211_frame_min *wh; 2441 struct mbuf *m; 2442 uint16_t aid; 2443 int qlen; 2444 2445 wh = mtod(m0, struct ieee80211_frame_min *); 2446 if (ni->ni_associd == 0) { 2447 IEEE80211_DISCARD(vap, 2448 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2449 (struct ieee80211_frame *) wh, NULL, 2450 "%s", "unassociated station"); 2451 vap->iv_stats.is_ps_unassoc++; 2452 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2453 IEEE80211_REASON_NOT_ASSOCED); 2454 return; 2455 } 2456 2457 aid = le16toh(*(uint16_t *)wh->i_dur); 2458 if (aid != ni->ni_associd) { 2459 IEEE80211_DISCARD(vap, 2460 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2461 (struct ieee80211_frame *) wh, NULL, 2462 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2463 ni->ni_associd, aid); 2464 vap->iv_stats.is_ps_badaid++; 2465 /* 2466 * NB: We used to deauth the station but it turns out 2467 * the Blackberry Curve 8230 (and perhaps other devices) 2468 * sometimes send the wrong AID when WME is negotiated. 2469 * Being more lenient here seems ok as we already check 2470 * the station is associated and we only return frames 2471 * queued for the station (i.e. we don't use the AID). 2472 */ 2473 return; 2474 } 2475 2476 /* Okay, take the first queued packet and put it out... */ 2477 m = ieee80211_node_psq_dequeue(ni, &qlen); 2478 if (m == NULL) { 2479 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2480 "%s", "recv ps-poll, but queue empty"); 2481 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2482 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2483 if (vap->iv_set_tim != NULL) 2484 vap->iv_set_tim(ni, 0); /* just in case */ 2485 return; 2486 } 2487 /* 2488 * If there are more packets, set the more packets bit 2489 * in the packet dispatched to the station; otherwise 2490 * turn off the TIM bit. 2491 */ 2492 if (qlen != 0) { 2493 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2494 "recv ps-poll, send packet, %u still queued", qlen); 2495 m->m_flags |= M_MORE_DATA; 2496 } else { 2497 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2498 "%s", "recv ps-poll, send packet, queue empty"); 2499 if (vap->iv_set_tim != NULL) 2500 vap->iv_set_tim(ni, 0); 2501 } 2502 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2503 2504 /* 2505 * Do the right thing; if it's an encap'ed frame then 2506 * call ieee80211_parent_xmitpkt() else 2507 * call ieee80211_vap_xmitpkt(). 2508 */ 2509 if (m->m_flags & M_ENCAP) { 2510 (void) ieee80211_parent_xmitpkt(ic, m); 2511 } else { 2512 (void) ieee80211_vap_xmitpkt(vap, m); 2513 } 2514 } 2515