1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68 static void hostap_vattach(struct ieee80211vap *); 69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 71 const struct ieee80211_rx_stats *, 72 int rssi, int nf); 73 static void hostap_deliver_data(struct ieee80211vap *, 74 struct ieee80211_node *, struct mbuf *); 75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 78 79 void 80 ieee80211_hostap_attach(struct ieee80211com *ic) 81 { 82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 83 } 84 85 void 86 ieee80211_hostap_detach(struct ieee80211com *ic) 87 { 88 } 89 90 static void 91 hostap_vdetach(struct ieee80211vap *vap) 92 { 93 } 94 95 static void 96 hostap_vattach(struct ieee80211vap *vap) 97 { 98 vap->iv_newstate = hostap_newstate; 99 vap->iv_input = hostap_input; 100 vap->iv_recv_mgmt = hostap_recv_mgmt; 101 vap->iv_recv_ctl = hostap_recv_ctl; 102 vap->iv_opdetach = hostap_vdetach; 103 vap->iv_deliver_data = hostap_deliver_data; 104 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 105 } 106 107 static void 108 sta_disassoc(void *arg, struct ieee80211_node *ni) 109 { 110 111 if (ni->ni_associd != 0) { 112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 113 IEEE80211_REASON_ASSOC_LEAVE); 114 ieee80211_node_leave(ni); 115 } 116 } 117 118 static void 119 sta_csa(void *arg, struct ieee80211_node *ni) 120 { 121 struct ieee80211vap *vap = ni->ni_vap; 122 123 if (ni->ni_associd != 0) 124 if (ni->ni_inact > vap->iv_inact_init) { 125 ni->ni_inact = vap->iv_inact_init; 126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 127 "%s: inact %u", __func__, ni->ni_inact); 128 } 129 } 130 131 static void 132 sta_drop(void *arg, struct ieee80211_node *ni) 133 { 134 135 if (ni->ni_associd != 0) 136 ieee80211_node_leave(ni); 137 } 138 139 /* 140 * Does a channel change require associated stations to re-associate 141 * so protocol state is correct. This is used when doing CSA across 142 * bands or similar (e.g. HT -> legacy). 143 */ 144 static int 145 isbandchange(struct ieee80211com *ic) 146 { 147 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 148 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 149 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 150 } 151 152 /* 153 * IEEE80211_M_HOSTAP vap state machine handler. 154 */ 155 static int 156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 157 { 158 struct ieee80211com *ic = vap->iv_ic; 159 enum ieee80211_state ostate; 160 161 IEEE80211_LOCK_ASSERT(ic); 162 163 ostate = vap->iv_state; 164 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 165 __func__, ieee80211_state_name[ostate], 166 ieee80211_state_name[nstate], arg); 167 vap->iv_state = nstate; /* state transition */ 168 if (ostate != IEEE80211_S_SCAN) 169 ieee80211_cancel_scan(vap); /* background scan */ 170 switch (nstate) { 171 case IEEE80211_S_INIT: 172 switch (ostate) { 173 case IEEE80211_S_SCAN: 174 ieee80211_cancel_scan(vap); 175 break; 176 case IEEE80211_S_CAC: 177 ieee80211_dfs_cac_stop(vap); 178 break; 179 case IEEE80211_S_RUN: 180 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 181 sta_disassoc, NULL); 182 break; 183 default: 184 break; 185 } 186 if (ostate != IEEE80211_S_INIT) { 187 /* NB: optimize INIT -> INIT case */ 188 ieee80211_reset_bss(vap); 189 } 190 if (vap->iv_auth->ia_detach != NULL) 191 vap->iv_auth->ia_detach(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 switch (ostate) { 195 case IEEE80211_S_CSA: 196 case IEEE80211_S_RUN: 197 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 198 sta_disassoc, NULL); 199 /* 200 * Clear overlapping BSS state; the beacon frame 201 * will be reconstructed on transition to the RUN 202 * state and the timeout routines check if the flag 203 * is set before doing anything so this is sufficient. 204 */ 205 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 206 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 207 /* XXX TODO: schedule deferred update? */ 208 /* fall thru... */ 209 case IEEE80211_S_CAC: 210 /* 211 * NB: We may get here because of a manual channel 212 * change in which case we need to stop CAC 213 * XXX no need to stop if ostate RUN but it's ok 214 */ 215 ieee80211_dfs_cac_stop(vap); 216 /* fall thru... */ 217 case IEEE80211_S_INIT: 218 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 219 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 220 /* 221 * Already have a channel; bypass the 222 * scan and startup immediately. 223 * ieee80211_create_ibss will call back to 224 * move us to RUN state. 225 */ 226 ieee80211_create_ibss(vap, vap->iv_des_chan); 227 break; 228 } 229 /* 230 * Initiate a scan. We can come here as a result 231 * of an IEEE80211_IOC_SCAN_REQ too in which case 232 * the vap will be marked with IEEE80211_FEXT_SCANREQ 233 * and the scan request parameters will be present 234 * in iv_scanreq. Otherwise we do the default. 235 */ 236 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 237 ieee80211_check_scan(vap, 238 vap->iv_scanreq_flags, 239 vap->iv_scanreq_duration, 240 vap->iv_scanreq_mindwell, 241 vap->iv_scanreq_maxdwell, 242 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 243 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 244 } else 245 ieee80211_check_scan_current(vap); 246 break; 247 case IEEE80211_S_SCAN: 248 /* 249 * A state change requires a reset; scan. 250 */ 251 ieee80211_check_scan_current(vap); 252 break; 253 default: 254 break; 255 } 256 break; 257 case IEEE80211_S_CAC: 258 /* 259 * Start CAC on a DFS channel. We come here when starting 260 * a bss on a DFS channel (see ieee80211_create_ibss). 261 */ 262 ieee80211_dfs_cac_start(vap); 263 break; 264 case IEEE80211_S_RUN: 265 if (vap->iv_flags & IEEE80211_F_WPA) { 266 /* XXX validate prerequisites */ 267 } 268 switch (ostate) { 269 case IEEE80211_S_INIT: 270 /* 271 * Already have a channel; bypass the 272 * scan and startup immediately. 273 * Note that ieee80211_create_ibss will call 274 * back to do a RUN->RUN state change. 275 */ 276 ieee80211_create_ibss(vap, 277 ieee80211_ht_adjust_channel(ic, 278 ic->ic_curchan, vap->iv_flags_ht)); 279 /* NB: iv_bss is changed on return */ 280 break; 281 case IEEE80211_S_CAC: 282 /* 283 * NB: This is the normal state change when CAC 284 * expires and no radar was detected; no need to 285 * clear the CAC timer as it's already expired. 286 */ 287 /* fall thru... */ 288 case IEEE80211_S_CSA: 289 /* 290 * Shorten inactivity timer of associated stations 291 * to weed out sta's that don't follow a CSA. 292 */ 293 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 294 sta_csa, NULL); 295 /* 296 * Update bss node channel to reflect where 297 * we landed after CSA. 298 */ 299 ieee80211_node_set_chan(vap->iv_bss, 300 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 301 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 302 /* XXX bypass debug msgs */ 303 break; 304 case IEEE80211_S_SCAN: 305 case IEEE80211_S_RUN: 306 #ifdef IEEE80211_DEBUG 307 if (ieee80211_msg_debug(vap)) { 308 struct ieee80211_node *ni = vap->iv_bss; 309 ieee80211_note(vap, 310 "synchronized with %s ssid ", 311 ether_sprintf(ni->ni_bssid)); 312 ieee80211_print_essid(ni->ni_essid, 313 ni->ni_esslen); 314 /* XXX MCS/HT */ 315 printf(" channel %d start %uMb\n", 316 ieee80211_chan2ieee(ic, ic->ic_curchan), 317 IEEE80211_RATE2MBS(ni->ni_txrate)); 318 } 319 #endif 320 break; 321 default: 322 break; 323 } 324 /* 325 * Start/stop the authenticator. We delay until here 326 * to allow configuration to happen out of order. 327 */ 328 if (vap->iv_auth->ia_attach != NULL) { 329 /* XXX check failure */ 330 vap->iv_auth->ia_attach(vap); 331 } else if (vap->iv_auth->ia_detach != NULL) { 332 vap->iv_auth->ia_detach(vap); 333 } 334 ieee80211_node_authorize(vap->iv_bss); 335 break; 336 case IEEE80211_S_CSA: 337 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 338 /* 339 * On a ``band change'' silently drop associated 340 * stations as they must re-associate before they 341 * can pass traffic (as otherwise protocol state 342 * such as capabilities and the negotiated rate 343 * set may/will be wrong). 344 */ 345 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 346 sta_drop, NULL); 347 } 348 break; 349 default: 350 break; 351 } 352 return 0; 353 } 354 355 static void 356 hostap_deliver_data(struct ieee80211vap *vap, 357 struct ieee80211_node *ni, struct mbuf *m) 358 { 359 struct ether_header *eh = mtod(m, struct ether_header *); 360 struct ifnet *ifp = vap->iv_ifp; 361 362 /* clear driver/net80211 flags before passing up */ 363 m->m_flags &= ~(M_MCAST | M_BCAST); 364 m_clrprotoflags(m); 365 366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 367 ("gack, opmode %d", vap->iv_opmode)); 368 /* 369 * Do accounting. 370 */ 371 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 372 IEEE80211_NODE_STAT(ni, rx_data); 373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 375 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 376 IEEE80211_NODE_STAT(ni, rx_mcast); 377 } else 378 IEEE80211_NODE_STAT(ni, rx_ucast); 379 380 /* perform as a bridge within the AP */ 381 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 382 struct mbuf *mcopy = NULL; 383 384 if (m->m_flags & M_MCAST) { 385 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 386 if (mcopy == NULL) 387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 388 else 389 mcopy->m_flags |= M_MCAST; 390 } else { 391 /* 392 * Check if the destination is associated with the 393 * same vap and authorized to receive traffic. 394 * Beware of traffic destined for the vap itself; 395 * sending it will not work; just let it be delivered 396 * normally. 397 */ 398 struct ieee80211_node *sta = ieee80211_find_vap_node( 399 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 400 if (sta != NULL) { 401 if (ieee80211_node_is_authorized(sta)) { 402 /* 403 * Beware of sending to ourself; this 404 * needs to happen via the normal 405 * input path. 406 */ 407 if (sta != vap->iv_bss) { 408 mcopy = m; 409 m = NULL; 410 } 411 } else { 412 vap->iv_stats.is_rx_unauth++; 413 IEEE80211_NODE_STAT(sta, rx_unauth); 414 } 415 ieee80211_free_node(sta); 416 } 417 } 418 if (mcopy != NULL) 419 (void) ieee80211_vap_xmitpkt(vap, mcopy); 420 } 421 if (m != NULL) { 422 struct epoch_tracker et; 423 424 /* 425 * Mark frame as coming from vap's interface. 426 */ 427 m->m_pkthdr.rcvif = ifp; 428 if (m->m_flags & M_MCAST) { 429 /* 430 * Spam DWDS vap's w/ multicast traffic. 431 */ 432 /* XXX only if dwds in use? */ 433 ieee80211_dwds_mcast(vap, m); 434 } 435 if (ni->ni_vlan != 0) { 436 /* attach vlan tag */ 437 m->m_pkthdr.ether_vtag = ni->ni_vlan; 438 m->m_flags |= M_VLANTAG; 439 } 440 NET_EPOCH_ENTER(et); 441 ifp->if_input(ifp, m); 442 NET_EPOCH_EXIT(et); 443 } 444 } 445 446 /* 447 * Decide if a received management frame should be 448 * printed when debugging is enabled. This filters some 449 * of the less interesting frames that come frequently 450 * (e.g. beacons). 451 */ 452 static __inline int 453 doprint(struct ieee80211vap *vap, int subtype) 454 { 455 switch (subtype) { 456 case IEEE80211_FC0_SUBTYPE_BEACON: 457 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 458 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 459 return 0; 460 } 461 return 1; 462 } 463 464 /* 465 * Process a received frame. The node associated with the sender 466 * should be supplied. If nothing was found in the node table then 467 * the caller is assumed to supply a reference to iv_bss instead. 468 * The RSSI and a timestamp are also supplied. The RSSI data is used 469 * during AP scanning to select a AP to associate with; it can have 470 * any units so long as values have consistent units and higher values 471 * mean ``better signal''. The receive timestamp is currently not used 472 * by the 802.11 layer. 473 */ 474 static int 475 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 476 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 477 { 478 struct ieee80211vap *vap = ni->ni_vap; 479 struct ieee80211com *ic = ni->ni_ic; 480 struct ifnet *ifp = vap->iv_ifp; 481 struct ieee80211_frame *wh; 482 struct ieee80211_key *key; 483 struct ether_header *eh; 484 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 485 uint8_t dir, type, subtype, qos; 486 uint8_t *bssid; 487 int is_hw_decrypted = 0; 488 int has_decrypted = 0; 489 490 /* 491 * Some devices do hardware decryption all the way through 492 * to pretending the frame wasn't encrypted in the first place. 493 * So, tag it appropriately so it isn't discarded inappropriately. 494 */ 495 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 496 is_hw_decrypted = 1; 497 498 if (m->m_flags & M_AMPDU_MPDU) { 499 /* 500 * Fastpath for A-MPDU reorder q resubmission. Frames 501 * w/ M_AMPDU_MPDU marked have already passed through 502 * here but were received out of order and been held on 503 * the reorder queue. When resubmitted they are marked 504 * with the M_AMPDU_MPDU flag and we can bypass most of 505 * the normal processing. 506 */ 507 wh = mtod(m, struct ieee80211_frame *); 508 type = IEEE80211_FC0_TYPE_DATA; 509 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 510 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 511 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 512 goto resubmit_ampdu; 513 } 514 515 KASSERT(ni != NULL, ("null node")); 516 ni->ni_inact = ni->ni_inact_reload; 517 518 type = -1; /* undefined */ 519 520 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 521 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 522 ni->ni_macaddr, NULL, 523 "too short (1): len %u", m->m_pkthdr.len); 524 vap->iv_stats.is_rx_tooshort++; 525 goto out; 526 } 527 /* 528 * Bit of a cheat here, we use a pointer for a 3-address 529 * frame format but don't reference fields past outside 530 * ieee80211_frame_min w/o first validating the data is 531 * present. 532 */ 533 wh = mtod(m, struct ieee80211_frame *); 534 535 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) { 536 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 537 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 538 wh->i_fc[0], wh->i_fc[1]); 539 vap->iv_stats.is_rx_badversion++; 540 goto err; 541 } 542 543 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 544 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 545 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 546 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 547 if (dir != IEEE80211_FC1_DIR_NODS) 548 bssid = wh->i_addr1; 549 else if (type == IEEE80211_FC0_TYPE_CTL) 550 bssid = wh->i_addr1; 551 else { 552 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 553 IEEE80211_DISCARD_MAC(vap, 554 IEEE80211_MSG_ANY, ni->ni_macaddr, 555 NULL, "too short (2): len %u", 556 m->m_pkthdr.len); 557 vap->iv_stats.is_rx_tooshort++; 558 goto out; 559 } 560 bssid = wh->i_addr3; 561 } 562 /* 563 * Validate the bssid. 564 */ 565 if (!(type == IEEE80211_FC0_TYPE_MGT && 566 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 567 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 568 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 569 /* not interested in */ 570 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 571 bssid, NULL, "%s", "not to bss"); 572 vap->iv_stats.is_rx_wrongbss++; 573 goto out; 574 } 575 576 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 577 ni->ni_noise = nf; 578 if (IEEE80211_HAS_SEQ(type, subtype)) { 579 uint8_t tid = ieee80211_gettid(wh); 580 if (IEEE80211_QOS_HAS_SEQ(wh) && 581 TID_TO_WME_AC(tid) >= WME_AC_VI) 582 ic->ic_wme.wme_hipri_traffic++; 583 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 584 goto out; 585 } 586 } 587 588 switch (type) { 589 case IEEE80211_FC0_TYPE_DATA: 590 hdrspace = ieee80211_hdrspace(ic, wh); 591 if (m->m_len < hdrspace && 592 (m = m_pullup(m, hdrspace)) == NULL) { 593 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 594 ni->ni_macaddr, NULL, 595 "data too short: expecting %u", hdrspace); 596 vap->iv_stats.is_rx_tooshort++; 597 goto out; /* XXX */ 598 } 599 if (!(dir == IEEE80211_FC1_DIR_TODS || 600 (dir == IEEE80211_FC1_DIR_DSTODS && 601 (vap->iv_flags & IEEE80211_F_DWDS)))) { 602 if (dir != IEEE80211_FC1_DIR_DSTODS) { 603 IEEE80211_DISCARD(vap, 604 IEEE80211_MSG_INPUT, wh, "data", 605 "incorrect dir 0x%x", dir); 606 } else { 607 IEEE80211_DISCARD(vap, 608 IEEE80211_MSG_INPUT | 609 IEEE80211_MSG_WDS, wh, 610 "4-address data", 611 "%s", "DWDS not enabled"); 612 } 613 vap->iv_stats.is_rx_wrongdir++; 614 goto out; 615 } 616 /* check if source STA is associated */ 617 if (ni == vap->iv_bss) { 618 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 619 wh, "data", "%s", "unknown src"); 620 ieee80211_send_error(ni, wh->i_addr2, 621 IEEE80211_FC0_SUBTYPE_DEAUTH, 622 IEEE80211_REASON_NOT_AUTHED); 623 vap->iv_stats.is_rx_notassoc++; 624 goto err; 625 } 626 if (ni->ni_associd == 0) { 627 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 628 wh, "data", "%s", "unassoc src"); 629 IEEE80211_SEND_MGMT(ni, 630 IEEE80211_FC0_SUBTYPE_DISASSOC, 631 IEEE80211_REASON_NOT_ASSOCED); 632 vap->iv_stats.is_rx_notassoc++; 633 goto err; 634 } 635 636 /* 637 * Check for power save state change. 638 * XXX out-of-order A-MPDU frames? 639 */ 640 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 641 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 642 vap->iv_node_ps(ni, 643 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 644 /* 645 * For 4-address packets handle WDS discovery 646 * notifications. Once a WDS link is setup frames 647 * are just delivered to the WDS vap (see below). 648 */ 649 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 650 if (!ieee80211_node_is_authorized(ni)) { 651 IEEE80211_DISCARD(vap, 652 IEEE80211_MSG_INPUT | 653 IEEE80211_MSG_WDS, wh, 654 "4-address data", 655 "%s", "unauthorized port"); 656 vap->iv_stats.is_rx_unauth++; 657 IEEE80211_NODE_STAT(ni, rx_unauth); 658 goto err; 659 } 660 ieee80211_dwds_discover(ni, m); 661 return type; 662 } 663 664 /* 665 * Handle A-MPDU re-ordering. If the frame is to be 666 * processed directly then ieee80211_ampdu_reorder 667 * will return 0; otherwise it has consumed the mbuf 668 * and we should do nothing more with it. 669 */ 670 if ((m->m_flags & M_AMPDU) && 671 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 672 m = NULL; 673 goto out; 674 } 675 resubmit_ampdu: 676 677 /* 678 * Handle privacy requirements. Note that we 679 * must not be preempted from here until after 680 * we (potentially) call ieee80211_crypto_demic; 681 * otherwise we may violate assumptions in the 682 * crypto cipher modules used to do delayed update 683 * of replay sequence numbers. 684 */ 685 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 686 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 687 /* 688 * Discard encrypted frames when privacy is off. 689 */ 690 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 691 wh, "WEP", "%s", "PRIVACY off"); 692 vap->iv_stats.is_rx_noprivacy++; 693 IEEE80211_NODE_STAT(ni, rx_noprivacy); 694 goto out; 695 } 696 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 697 /* NB: stats+msgs handled in crypto_decap */ 698 IEEE80211_NODE_STAT(ni, rx_wepfail); 699 goto out; 700 } 701 wh = mtod(m, struct ieee80211_frame *); 702 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 703 has_decrypted = 1; 704 } else { 705 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 706 key = NULL; 707 } 708 709 /* 710 * Save QoS bits for use below--before we strip the header. 711 */ 712 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 713 qos = ieee80211_getqos(wh)[0]; 714 else 715 qos = 0; 716 717 /* 718 * Next up, any fragmentation. 719 */ 720 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 721 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 722 if (m == NULL) { 723 /* Fragment dropped or frame not complete yet */ 724 goto out; 725 } 726 } 727 wh = NULL; /* no longer valid, catch any uses */ 728 729 /* 730 * Next strip any MSDU crypto bits. 731 */ 732 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 733 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 734 ni->ni_macaddr, "data", "%s", "demic error"); 735 vap->iv_stats.is_rx_demicfail++; 736 IEEE80211_NODE_STAT(ni, rx_demicfail); 737 goto out; 738 } 739 /* copy to listener after decrypt */ 740 if (ieee80211_radiotap_active_vap(vap)) 741 ieee80211_radiotap_rx(vap, m); 742 need_tap = 0; 743 /* 744 * Finally, strip the 802.11 header. 745 */ 746 m = ieee80211_decap(vap, m, hdrspace, qos); 747 if (m == NULL) { 748 /* XXX mask bit to check for both */ 749 /* don't count Null data frames as errors */ 750 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 751 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 752 goto out; 753 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 754 ni->ni_macaddr, "data", "%s", "decap error"); 755 vap->iv_stats.is_rx_decap++; 756 IEEE80211_NODE_STAT(ni, rx_decap); 757 goto err; 758 } 759 if (!(qos & IEEE80211_QOS_AMSDU)) 760 eh = mtod(m, struct ether_header *); 761 else 762 eh = NULL; 763 if (!ieee80211_node_is_authorized(ni)) { 764 /* 765 * Deny any non-PAE frames received prior to 766 * authorization. For open/shared-key 767 * authentication the port is mark authorized 768 * after authentication completes. For 802.1x 769 * the port is not marked authorized by the 770 * authenticator until the handshake has completed. 771 */ 772 if (eh == NULL || 773 eh->ether_type != htons(ETHERTYPE_PAE)) { 774 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 775 ni->ni_macaddr, "data", "unauthorized or " 776 "unknown port: ether type 0x%x len %u", 777 eh == NULL ? -1 : eh->ether_type, 778 m->m_pkthdr.len); 779 vap->iv_stats.is_rx_unauth++; 780 IEEE80211_NODE_STAT(ni, rx_unauth); 781 goto err; 782 } 783 } else { 784 /* 785 * When denying unencrypted frames, discard 786 * any non-PAE frames received without encryption. 787 */ 788 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 789 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 790 (is_hw_decrypted == 0) && 791 (eh == NULL || 792 eh->ether_type != htons(ETHERTYPE_PAE))) { 793 /* 794 * Drop unencrypted frames. 795 */ 796 vap->iv_stats.is_rx_unencrypted++; 797 IEEE80211_NODE_STAT(ni, rx_unencrypted); 798 goto out; 799 } 800 } 801 /* XXX require HT? */ 802 if (qos & IEEE80211_QOS_AMSDU) { 803 m = ieee80211_decap_amsdu(ni, m); 804 if (m == NULL) 805 return IEEE80211_FC0_TYPE_DATA; 806 } else { 807 #ifdef IEEE80211_SUPPORT_SUPERG 808 m = ieee80211_decap_fastframe(vap, ni, m); 809 if (m == NULL) 810 return IEEE80211_FC0_TYPE_DATA; 811 #endif 812 } 813 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 814 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 815 else 816 hostap_deliver_data(vap, ni, m); 817 return IEEE80211_FC0_TYPE_DATA; 818 819 case IEEE80211_FC0_TYPE_MGT: 820 vap->iv_stats.is_rx_mgmt++; 821 IEEE80211_NODE_STAT(ni, rx_mgmt); 822 if (dir != IEEE80211_FC1_DIR_NODS) { 823 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 824 wh, "mgt", "incorrect dir 0x%x", dir); 825 vap->iv_stats.is_rx_wrongdir++; 826 goto err; 827 } 828 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 829 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 830 ni->ni_macaddr, "mgt", "too short: len %u", 831 m->m_pkthdr.len); 832 vap->iv_stats.is_rx_tooshort++; 833 goto out; 834 } 835 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 836 /* ensure return frames are unicast */ 837 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 838 wh, NULL, "source is multicast: %s", 839 ether_sprintf(wh->i_addr2)); 840 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 841 goto out; 842 } 843 #ifdef IEEE80211_DEBUG 844 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 845 ieee80211_msg_dumppkts(vap)) { 846 if_printf(ifp, "received %s from %s rssi %d\n", 847 ieee80211_mgt_subtype_name(subtype), 848 ether_sprintf(wh->i_addr2), rssi); 849 } 850 #endif 851 if (IEEE80211_IS_PROTECTED(wh)) { 852 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 853 /* 854 * Only shared key auth frames with a challenge 855 * should be encrypted, discard all others. 856 */ 857 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 858 wh, NULL, 859 "%s", "WEP set but not permitted"); 860 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 861 goto out; 862 } 863 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 864 /* 865 * Discard encrypted frames when privacy is off. 866 */ 867 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 868 wh, NULL, "%s", "WEP set but PRIVACY off"); 869 vap->iv_stats.is_rx_noprivacy++; 870 goto out; 871 } 872 hdrspace = ieee80211_hdrspace(ic, wh); 873 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 874 /* NB: stats+msgs handled in crypto_decap */ 875 goto out; 876 } 877 wh = mtod(m, struct ieee80211_frame *); 878 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 879 has_decrypted = 1; 880 } 881 /* 882 * Pass the packet to radiotap before calling iv_recv_mgmt(). 883 * Otherwise iv_recv_mgmt() might pass another packet to 884 * radiotap, resulting in out of order packet captures. 885 */ 886 if (ieee80211_radiotap_active_vap(vap)) 887 ieee80211_radiotap_rx(vap, m); 888 need_tap = 0; 889 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 890 goto out; 891 892 case IEEE80211_FC0_TYPE_CTL: 893 vap->iv_stats.is_rx_ctl++; 894 IEEE80211_NODE_STAT(ni, rx_ctrl); 895 vap->iv_recv_ctl(ni, m, subtype); 896 goto out; 897 default: 898 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 899 wh, "bad", "frame type 0x%x", type); 900 /* should not come here */ 901 break; 902 } 903 err: 904 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 905 out: 906 if (m != NULL) { 907 if (need_tap && ieee80211_radiotap_active_vap(vap)) 908 ieee80211_radiotap_rx(vap, m); 909 m_freem(m); 910 } 911 return type; 912 } 913 914 static void 915 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 916 int rssi, int nf, uint16_t seq, uint16_t status) 917 { 918 struct ieee80211vap *vap = ni->ni_vap; 919 920 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 921 922 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 923 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 924 ni->ni_macaddr, "open auth", 925 "bad sta auth mode %u", ni->ni_authmode); 926 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 927 /* 928 * Clear any challenge text that may be there if 929 * a previous shared key auth failed and then an 930 * open auth is attempted. 931 */ 932 if (ni->ni_challenge != NULL) { 933 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 934 ni->ni_challenge = NULL; 935 } 936 /* XXX hack to workaround calling convention */ 937 ieee80211_send_error(ni, wh->i_addr2, 938 IEEE80211_FC0_SUBTYPE_AUTH, 939 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 940 return; 941 } 942 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 943 vap->iv_stats.is_rx_bad_auth++; 944 return; 945 } 946 /* always accept open authentication requests */ 947 if (ni == vap->iv_bss) { 948 ni = ieee80211_dup_bss(vap, wh->i_addr2); 949 if (ni == NULL) 950 return; 951 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 952 (void) ieee80211_ref_node(ni); 953 /* 954 * Mark the node as referenced to reflect that it's 955 * reference count has been bumped to insure it remains 956 * after the transaction completes. 957 */ 958 ni->ni_flags |= IEEE80211_NODE_AREF; 959 /* 960 * Mark the node as requiring a valid association id 961 * before outbound traffic is permitted. 962 */ 963 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 964 965 if (vap->iv_acl != NULL && 966 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 967 /* 968 * When the ACL policy is set to RADIUS we defer the 969 * authorization to a user agent. Dispatch an event, 970 * a subsequent MLME call will decide the fate of the 971 * station. If the user agent is not present then the 972 * node will be reclaimed due to inactivity. 973 */ 974 IEEE80211_NOTE_MAC(vap, 975 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 976 "%s", "station authentication deferred (radius acl)"); 977 ieee80211_notify_node_auth(ni); 978 } else { 979 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 980 IEEE80211_NOTE_MAC(vap, 981 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 982 "%s", "station authenticated (open)"); 983 /* 984 * When 802.1x is not in use mark the port 985 * authorized at this point so traffic can flow. 986 */ 987 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 988 ieee80211_node_authorize(ni); 989 } 990 } 991 992 static void 993 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 994 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 995 uint16_t seq, uint16_t status) 996 { 997 struct ieee80211vap *vap = ni->ni_vap; 998 uint8_t *challenge; 999 int estatus; 1000 1001 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1002 1003 /* 1004 * NB: this can happen as we allow pre-shared key 1005 * authentication to be enabled w/o wep being turned 1006 * on so that configuration of these can be done 1007 * in any order. It may be better to enforce the 1008 * ordering in which case this check would just be 1009 * for sanity/consistency. 1010 */ 1011 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1012 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1013 ni->ni_macaddr, "shared key auth", 1014 "%s", " PRIVACY is disabled"); 1015 estatus = IEEE80211_STATUS_ALG; 1016 goto bad; 1017 } 1018 /* 1019 * Pre-shared key authentication is evil; accept 1020 * it only if explicitly configured (it is supported 1021 * mainly for compatibility with clients like Mac OS X). 1022 */ 1023 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1024 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1025 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1026 ni->ni_macaddr, "shared key auth", 1027 "bad sta auth mode %u", ni->ni_authmode); 1028 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1029 estatus = IEEE80211_STATUS_ALG; 1030 goto bad; 1031 } 1032 1033 challenge = NULL; 1034 if (frm + 1 < efrm) { 1035 if ((frm[1] + 2) > (efrm - frm)) { 1036 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1037 ni->ni_macaddr, "shared key auth", 1038 "ie %d/%d too long", 1039 frm[0], (frm[1] + 2) - (efrm - frm)); 1040 vap->iv_stats.is_rx_bad_auth++; 1041 estatus = IEEE80211_STATUS_CHALLENGE; 1042 goto bad; 1043 } 1044 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1045 challenge = frm; 1046 frm += frm[1] + 2; 1047 } 1048 switch (seq) { 1049 case IEEE80211_AUTH_SHARED_CHALLENGE: 1050 case IEEE80211_AUTH_SHARED_RESPONSE: 1051 if (challenge == NULL) { 1052 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1053 ni->ni_macaddr, "shared key auth", 1054 "%s", "no challenge"); 1055 vap->iv_stats.is_rx_bad_auth++; 1056 estatus = IEEE80211_STATUS_CHALLENGE; 1057 goto bad; 1058 } 1059 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1060 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1061 ni->ni_macaddr, "shared key auth", 1062 "bad challenge len %d", challenge[1]); 1063 vap->iv_stats.is_rx_bad_auth++; 1064 estatus = IEEE80211_STATUS_CHALLENGE; 1065 goto bad; 1066 } 1067 default: 1068 break; 1069 } 1070 switch (seq) { 1071 case IEEE80211_AUTH_SHARED_REQUEST: 1072 { 1073 #ifdef IEEE80211_DEBUG 1074 bool allocbs; 1075 #endif 1076 1077 if (ni == vap->iv_bss) { 1078 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1079 if (ni == NULL) { 1080 /* NB: no way to return an error */ 1081 return; 1082 } 1083 #ifdef IEEE80211_DEBUG 1084 allocbs = 1; 1085 #endif 1086 } else { 1087 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1088 (void) ieee80211_ref_node(ni); 1089 #ifdef IEEE80211_DEBUG 1090 allocbs = 0; 1091 #endif 1092 } 1093 /* 1094 * Mark the node as referenced to reflect that it's 1095 * reference count has been bumped to insure it remains 1096 * after the transaction completes. 1097 */ 1098 ni->ni_flags |= IEEE80211_NODE_AREF; 1099 /* 1100 * Mark the node as requiring a valid association id 1101 * before outbound traffic is permitted. 1102 */ 1103 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1104 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1105 ni->ni_noise = nf; 1106 if (!ieee80211_alloc_challenge(ni)) { 1107 /* NB: don't return error so they rexmit */ 1108 return; 1109 } 1110 net80211_get_random_bytes(ni->ni_challenge, 1111 IEEE80211_CHALLENGE_LEN); 1112 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1113 ni, "shared key %sauth request", allocbs ? "" : "re"); 1114 /* 1115 * When the ACL policy is set to RADIUS we defer the 1116 * authorization to a user agent. Dispatch an event, 1117 * a subsequent MLME call will decide the fate of the 1118 * station. If the user agent is not present then the 1119 * node will be reclaimed due to inactivity. 1120 */ 1121 if (vap->iv_acl != NULL && 1122 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1123 IEEE80211_NOTE_MAC(vap, 1124 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1125 ni->ni_macaddr, 1126 "%s", "station authentication deferred (radius acl)"); 1127 ieee80211_notify_node_auth(ni); 1128 return; 1129 } 1130 break; 1131 } 1132 case IEEE80211_AUTH_SHARED_RESPONSE: 1133 if (ni == vap->iv_bss) { 1134 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1135 ni->ni_macaddr, "shared key response", 1136 "%s", "unknown station"); 1137 /* NB: don't send a response */ 1138 return; 1139 } 1140 if (ni->ni_challenge == NULL) { 1141 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1142 ni->ni_macaddr, "shared key response", 1143 "%s", "no challenge recorded"); 1144 vap->iv_stats.is_rx_bad_auth++; 1145 estatus = IEEE80211_STATUS_CHALLENGE; 1146 goto bad; 1147 } 1148 if (memcmp(ni->ni_challenge, &challenge[2], 1149 challenge[1]) != 0) { 1150 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1151 ni->ni_macaddr, "shared key response", 1152 "%s", "challenge mismatch"); 1153 vap->iv_stats.is_rx_auth_fail++; 1154 estatus = IEEE80211_STATUS_CHALLENGE; 1155 goto bad; 1156 } 1157 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1158 ni, "%s", "station authenticated (shared key)"); 1159 ieee80211_node_authorize(ni); 1160 break; 1161 default: 1162 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1163 ni->ni_macaddr, "shared key auth", 1164 "bad seq %d", seq); 1165 vap->iv_stats.is_rx_bad_auth++; 1166 estatus = IEEE80211_STATUS_SEQUENCE; 1167 goto bad; 1168 } 1169 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1170 return; 1171 bad: 1172 /* 1173 * Send an error response; but only when operating as an AP. 1174 */ 1175 /* XXX hack to workaround calling convention */ 1176 ieee80211_send_error(ni, wh->i_addr2, 1177 IEEE80211_FC0_SUBTYPE_AUTH, 1178 (seq + 1) | (estatus<<16)); 1179 } 1180 1181 /* 1182 * Convert a WPA cipher selector OUI to an internal 1183 * cipher algorithm. Where appropriate we also 1184 * record any key length. 1185 */ 1186 static int 1187 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1188 { 1189 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1190 uint32_t w = le32dec(sel); 1191 1192 switch (w) { 1193 case WPA_SEL(WPA_CSE_NULL): 1194 *cipher = IEEE80211_CIPHER_NONE; 1195 break; 1196 case WPA_SEL(WPA_CSE_WEP40): 1197 if (keylen) 1198 *keylen = 40 / NBBY; 1199 *cipher = IEEE80211_CIPHER_WEP; 1200 break; 1201 case WPA_SEL(WPA_CSE_WEP104): 1202 if (keylen) 1203 *keylen = 104 / NBBY; 1204 *cipher = IEEE80211_CIPHER_WEP; 1205 break; 1206 case WPA_SEL(WPA_CSE_TKIP): 1207 *cipher = IEEE80211_CIPHER_TKIP; 1208 break; 1209 case WPA_SEL(WPA_CSE_CCMP): 1210 *cipher = IEEE80211_CIPHER_AES_CCM; 1211 break; 1212 default: 1213 return (EINVAL); 1214 } 1215 1216 return (0); 1217 #undef WPA_SEL 1218 } 1219 1220 /* 1221 * Convert a WPA key management/authentication algorithm 1222 * to an internal code. 1223 */ 1224 static int 1225 wpa_keymgmt(const uint8_t *sel) 1226 { 1227 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1228 uint32_t w = le32dec(sel); 1229 1230 switch (w) { 1231 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1232 return WPA_ASE_8021X_UNSPEC; 1233 case WPA_SEL(WPA_ASE_8021X_PSK): 1234 return WPA_ASE_8021X_PSK; 1235 case WPA_SEL(WPA_ASE_NONE): 1236 return WPA_ASE_NONE; 1237 } 1238 return 0; /* NB: so is discarded */ 1239 #undef WPA_SEL 1240 } 1241 1242 /* 1243 * Parse a WPA information element to collect parameters. 1244 * Note that we do not validate security parameters; that 1245 * is handled by the authenticator; the parsing done here 1246 * is just for internal use in making operational decisions. 1247 */ 1248 static int 1249 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1250 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1251 { 1252 uint8_t len = frm[1]; 1253 uint32_t w; 1254 int error, n; 1255 1256 /* 1257 * Check the length once for fixed parts: OUI, type, 1258 * version, mcast cipher, and 2 selector counts. 1259 * Other, variable-length data, must be checked separately. 1260 */ 1261 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1262 IEEE80211_DISCARD_IE(vap, 1263 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1264 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1265 return IEEE80211_REASON_IE_INVALID; 1266 } 1267 if (len < 14) { 1268 IEEE80211_DISCARD_IE(vap, 1269 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1270 wh, "WPA", "too short, len %u", len); 1271 return IEEE80211_REASON_IE_INVALID; 1272 } 1273 frm += 6, len -= 4; /* NB: len is payload only */ 1274 /* NB: iswpaoui already validated the OUI and type */ 1275 w = le16dec(frm); 1276 if (w != WPA_VERSION) { 1277 IEEE80211_DISCARD_IE(vap, 1278 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1279 wh, "WPA", "bad version %u", w); 1280 return IEEE80211_REASON_IE_INVALID; 1281 } 1282 frm += 2, len -= 2; 1283 1284 memset(rsn, 0, sizeof(*rsn)); 1285 1286 /* multicast/group cipher */ 1287 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1288 if (error != 0) { 1289 IEEE80211_DISCARD_IE(vap, 1290 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1291 wh, "WPA", "unknown mcast cipher suite %08X", 1292 le32dec(frm)); 1293 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1294 } 1295 frm += 4, len -= 4; 1296 1297 /* unicast ciphers */ 1298 n = le16dec(frm); 1299 frm += 2, len -= 2; 1300 if (len < n*4+2) { 1301 IEEE80211_DISCARD_IE(vap, 1302 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1303 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1304 len, n); 1305 return IEEE80211_REASON_IE_INVALID; 1306 } 1307 w = 0; 1308 for (; n > 0; n--) { 1309 uint8_t cipher; 1310 1311 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1312 if (error == 0) 1313 w |= 1 << cipher; 1314 1315 frm += 4, len -= 4; 1316 } 1317 if (w == 0) { 1318 IEEE80211_DISCARD_IE(vap, 1319 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1320 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1321 w); 1322 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1323 } 1324 /* XXX other? */ 1325 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1326 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1327 else 1328 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1329 1330 /* key management algorithms */ 1331 n = le16dec(frm); 1332 frm += 2, len -= 2; 1333 if (len < n*4) { 1334 IEEE80211_DISCARD_IE(vap, 1335 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1336 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1337 len, n); 1338 return IEEE80211_REASON_IE_INVALID; 1339 } 1340 w = 0; 1341 for (; n > 0; n--) { 1342 w |= wpa_keymgmt(frm); 1343 frm += 4, len -= 4; 1344 } 1345 if (w & WPA_ASE_8021X_UNSPEC) 1346 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1347 else 1348 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1349 1350 if (len > 2) /* optional capabilities */ 1351 rsn->rsn_caps = le16dec(frm); 1352 1353 return 0; 1354 } 1355 1356 /* 1357 * Convert an RSN cipher selector OUI to an internal 1358 * cipher algorithm. Where appropriate we also 1359 * record any key length. 1360 */ 1361 static int 1362 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1363 { 1364 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1365 uint32_t w = le32dec(sel); 1366 1367 switch (w) { 1368 case RSN_SEL(RSN_CSE_NULL): 1369 *cipher = IEEE80211_CIPHER_NONE; 1370 break; 1371 case RSN_SEL(RSN_CSE_WEP40): 1372 if (keylen) 1373 *keylen = 40 / NBBY; 1374 *cipher = IEEE80211_CIPHER_WEP; 1375 break; 1376 case RSN_SEL(RSN_CSE_WEP104): 1377 if (keylen) 1378 *keylen = 104 / NBBY; 1379 *cipher = IEEE80211_CIPHER_WEP; 1380 break; 1381 case RSN_SEL(RSN_CSE_TKIP): 1382 *cipher = IEEE80211_CIPHER_TKIP; 1383 break; 1384 case RSN_SEL(RSN_CSE_CCMP): 1385 *cipher = IEEE80211_CIPHER_AES_CCM; 1386 break; 1387 case RSN_SEL(RSN_CSE_WRAP): 1388 *cipher = IEEE80211_CIPHER_AES_OCB; 1389 break; 1390 default: 1391 return (EINVAL); 1392 } 1393 1394 return (0); 1395 #undef WPA_SEL 1396 } 1397 1398 /* 1399 * Convert an RSN key management/authentication algorithm 1400 * to an internal code. 1401 */ 1402 static int 1403 rsn_keymgmt(const uint8_t *sel) 1404 { 1405 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1406 uint32_t w = le32dec(sel); 1407 1408 switch (w) { 1409 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1410 return RSN_ASE_8021X_UNSPEC; 1411 case RSN_SEL(RSN_ASE_8021X_PSK): 1412 return RSN_ASE_8021X_PSK; 1413 case RSN_SEL(RSN_ASE_NONE): 1414 return RSN_ASE_NONE; 1415 } 1416 return 0; /* NB: so is discarded */ 1417 #undef RSN_SEL 1418 } 1419 1420 /* 1421 * Parse a WPA/RSN information element to collect parameters 1422 * and validate the parameters against what has been 1423 * configured for the system. 1424 */ 1425 static int 1426 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1427 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1428 { 1429 uint8_t len = frm[1]; 1430 uint32_t w; 1431 int error, n; 1432 1433 /* 1434 * Check the length once for fixed parts: 1435 * version, mcast cipher, and 2 selector counts. 1436 * Other, variable-length data, must be checked separately. 1437 */ 1438 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1439 IEEE80211_DISCARD_IE(vap, 1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1441 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1442 return IEEE80211_REASON_IE_INVALID; 1443 } 1444 /* XXX may be shorter */ 1445 if (len < 10) { 1446 IEEE80211_DISCARD_IE(vap, 1447 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1448 wh, "RSN", "too short, len %u", len); 1449 return IEEE80211_REASON_IE_INVALID; 1450 } 1451 frm += 2; 1452 w = le16dec(frm); 1453 if (w != RSN_VERSION) { 1454 IEEE80211_DISCARD_IE(vap, 1455 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1456 wh, "RSN", "bad version %u", w); 1457 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1458 } 1459 frm += 2, len -= 2; 1460 1461 memset(rsn, 0, sizeof(*rsn)); 1462 1463 /* multicast/group cipher */ 1464 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1465 if (error != 0) { 1466 IEEE80211_DISCARD_IE(vap, 1467 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1468 wh, "RSN", "unknown mcast cipher suite %08X", 1469 le32dec(frm)); 1470 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1471 } 1472 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1473 IEEE80211_DISCARD_IE(vap, 1474 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1475 wh, "RSN", "invalid mcast cipher suite %d", 1476 rsn->rsn_mcastcipher); 1477 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1478 } 1479 frm += 4, len -= 4; 1480 1481 /* unicast ciphers */ 1482 n = le16dec(frm); 1483 frm += 2, len -= 2; 1484 if (len < n*4+2) { 1485 IEEE80211_DISCARD_IE(vap, 1486 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1487 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1488 len, n); 1489 return IEEE80211_REASON_IE_INVALID; 1490 } 1491 w = 0; 1492 1493 for (; n > 0; n--) { 1494 uint8_t cipher; 1495 1496 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1497 if (error == 0) 1498 w |= 1 << cipher; 1499 1500 frm += 4, len -= 4; 1501 } 1502 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1503 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1504 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1506 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1508 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1509 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1510 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1511 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1512 else { 1513 IEEE80211_DISCARD_IE(vap, 1514 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1515 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1516 w); 1517 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1518 } 1519 1520 /* key management algorithms */ 1521 n = le16dec(frm); 1522 frm += 2, len -= 2; 1523 if (len < n*4) { 1524 IEEE80211_DISCARD_IE(vap, 1525 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1526 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1527 len, n); 1528 return IEEE80211_REASON_IE_INVALID; 1529 } 1530 w = 0; 1531 for (; n > 0; n--) { 1532 w |= rsn_keymgmt(frm); 1533 frm += 4, len -= 4; 1534 } 1535 if (w & RSN_ASE_8021X_UNSPEC) 1536 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1537 else 1538 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1539 1540 /* optional RSN capabilities */ 1541 if (len >= 2) { 1542 rsn->rsn_caps = le16dec(frm); 1543 frm += 2, len -= 2; 1544 } 1545 1546 /* XXX PMK Count / PMKID */ 1547 1548 /* XXX Group Cipher Management Suite */ 1549 1550 return 0; 1551 } 1552 1553 /* 1554 * WPA/802.11i association request processing. 1555 */ 1556 static int 1557 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1558 const struct ieee80211_frame *wh, const uint8_t *wpa, 1559 const uint8_t *rsn, uint16_t capinfo) 1560 { 1561 struct ieee80211vap *vap = ni->ni_vap; 1562 uint8_t reason; 1563 int badwparsn; 1564 1565 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1566 if (wpa == NULL && rsn == NULL) { 1567 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1568 /* 1569 * W-Fi Protected Setup (WPS) permits 1570 * clients to associate and pass EAPOL frames 1571 * to establish initial credentials. 1572 */ 1573 ni->ni_flags |= IEEE80211_NODE_WPS; 1574 return 1; 1575 } 1576 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1577 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1578 /* 1579 * Transitional Security Network. Permits clients 1580 * to associate and use WEP while WPA is configured. 1581 */ 1582 ni->ni_flags |= IEEE80211_NODE_TSN; 1583 return 1; 1584 } 1585 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1586 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1587 vap->iv_stats.is_rx_assoc_badwpaie++; 1588 reason = IEEE80211_REASON_IE_INVALID; 1589 goto bad; 1590 } 1591 /* assert right association security credentials */ 1592 badwparsn = 0; /* NB: to silence compiler */ 1593 switch (vap->iv_flags & IEEE80211_F_WPA) { 1594 case IEEE80211_F_WPA1: 1595 badwparsn = (wpa == NULL); 1596 break; 1597 case IEEE80211_F_WPA2: 1598 badwparsn = (rsn == NULL); 1599 break; 1600 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1601 badwparsn = (wpa == NULL && rsn == NULL); 1602 break; 1603 } 1604 if (badwparsn) { 1605 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1606 wh, NULL, 1607 "%s", "missing WPA/RSN IE in association request"); 1608 vap->iv_stats.is_rx_assoc_badwpaie++; 1609 reason = IEEE80211_REASON_IE_INVALID; 1610 goto bad; 1611 } 1612 /* 1613 * Parse WPA/RSN information element. 1614 */ 1615 if (wpa != NULL) 1616 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1617 else 1618 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1619 if (reason != 0) { 1620 /* XXX wpa->rsn fallback? */ 1621 /* XXX distinguish WPA/RSN? */ 1622 vap->iv_stats.is_rx_assoc_badwpaie++; 1623 goto bad; 1624 } 1625 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1626 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1627 wpa != NULL ? "WPA" : "RSN", 1628 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1629 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1630 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1631 1632 return 1; 1633 bad: 1634 ieee80211_node_deauth(ni, reason); 1635 return 0; 1636 } 1637 1638 /* XXX find a better place for definition */ 1639 struct l2_update_frame { 1640 struct ether_header eh; 1641 uint8_t dsap; 1642 uint8_t ssap; 1643 uint8_t control; 1644 uint8_t xid[3]; 1645 } __packed; 1646 1647 /* 1648 * Deliver a TGf L2UF frame on behalf of a station. 1649 * This primes any bridge when the station is roaming 1650 * between ap's on the same wired network. 1651 */ 1652 static void 1653 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1654 { 1655 struct ieee80211vap *vap = ni->ni_vap; 1656 struct ifnet *ifp = vap->iv_ifp; 1657 struct mbuf *m; 1658 struct l2_update_frame *l2uf; 1659 struct ether_header *eh; 1660 1661 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1662 if (m == NULL) { 1663 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1664 "%s", "no mbuf for l2uf frame"); 1665 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1666 return; 1667 } 1668 l2uf = mtod(m, struct l2_update_frame *); 1669 eh = &l2uf->eh; 1670 /* dst: Broadcast address */ 1671 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1672 /* src: associated STA */ 1673 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1674 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1675 1676 l2uf->dsap = 0; 1677 l2uf->ssap = 0; 1678 l2uf->control = 0xf5; 1679 l2uf->xid[0] = 0x81; 1680 l2uf->xid[1] = 0x80; 1681 l2uf->xid[2] = 0x00; 1682 1683 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1684 hostap_deliver_data(vap, ni, m); 1685 } 1686 1687 static void 1688 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1689 int reassoc, int resp, const char *tag, int rate) 1690 { 1691 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1692 "deny %s request, %s rate set mismatch, rate/MCS %d", 1693 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1694 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1695 ieee80211_node_leave(ni); 1696 } 1697 1698 static void 1699 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1700 int reassoc, int resp, const char *tag, int capinfo) 1701 { 1702 struct ieee80211vap *vap = ni->ni_vap; 1703 1704 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1705 "deny %s request, %s mismatch 0x%x", 1706 reassoc ? "reassoc" : "assoc", tag, capinfo); 1707 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1708 ieee80211_node_leave(ni); 1709 vap->iv_stats.is_rx_assoc_capmismatch++; 1710 } 1711 1712 static void 1713 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1714 int reassoc, int resp) 1715 { 1716 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1717 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1718 /* XXX no better code */ 1719 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1720 ieee80211_node_leave(ni); 1721 } 1722 1723 static void 1724 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1725 int algo, int seq, int status) 1726 { 1727 struct ieee80211vap *vap = ni->ni_vap; 1728 1729 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1730 wh, NULL, "unsupported alg %d", algo); 1731 vap->iv_stats.is_rx_auth_unsupported++; 1732 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1733 seq | (status << 16)); 1734 } 1735 1736 static __inline int 1737 ishtmixed(const uint8_t *ie) 1738 { 1739 const struct ieee80211_ie_htinfo *ht = 1740 (const struct ieee80211_ie_htinfo *) ie; 1741 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1742 IEEE80211_HTINFO_OPMODE_MIXED; 1743 } 1744 1745 static int 1746 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1747 { 1748 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1749 int i; 1750 1751 /* NB: the 11b clients we care about will not have xrates */ 1752 if (xrates != NULL || rates == NULL) 1753 return 0; 1754 for (i = 0; i < rates[1]; i++) { 1755 int r = rates[2+i] & IEEE80211_RATE_VAL; 1756 if (r > 2*11 || ((1<<r) & brates) == 0) 1757 return 0; 1758 } 1759 return 1; 1760 } 1761 1762 static void 1763 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1764 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1765 { 1766 struct ieee80211vap *vap = ni->ni_vap; 1767 struct ieee80211com *ic = ni->ni_ic; 1768 struct ieee80211_frame *wh; 1769 uint8_t *frm, *efrm, *sfrm; 1770 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1771 uint8_t *vhtcap, *vhtinfo; 1772 int reassoc, resp; 1773 uint8_t rate; 1774 1775 wh = mtod(m0, struct ieee80211_frame *); 1776 frm = (uint8_t *)&wh[1]; 1777 efrm = mtod(m0, uint8_t *) + m0->m_len; 1778 switch (subtype) { 1779 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1780 /* 1781 * We process beacon/probe response frames when scanning; 1782 * otherwise we check beacon frames for overlapping non-ERP 1783 * BSS in 11g and/or overlapping legacy BSS when in HT. 1784 */ 1785 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1786 vap->iv_stats.is_rx_mgtdiscard++; 1787 return; 1788 } 1789 /* FALLTHROUGH */ 1790 case IEEE80211_FC0_SUBTYPE_BEACON: { 1791 struct ieee80211_scanparams scan; 1792 1793 /* NB: accept off-channel frames */ 1794 /* XXX TODO: use rxstatus to determine off-channel details */ 1795 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1796 return; 1797 /* 1798 * Count frame now that we know it's to be processed. 1799 */ 1800 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1801 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1802 IEEE80211_NODE_STAT(ni, rx_beacons); 1803 } else 1804 IEEE80211_NODE_STAT(ni, rx_proberesp); 1805 /* 1806 * If scanning, just pass information to the scan module. 1807 */ 1808 if (ic->ic_flags & IEEE80211_F_SCAN) { 1809 if (scan.status == 0 && /* NB: on channel */ 1810 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1811 /* 1812 * Actively scanning a channel marked passive; 1813 * send a probe request now that we know there 1814 * is 802.11 traffic present. 1815 * 1816 * XXX check if the beacon we recv'd gives 1817 * us what we need and suppress the probe req 1818 */ 1819 ieee80211_probe_curchan(vap, true); 1820 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1821 } 1822 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1823 subtype, rssi, nf); 1824 return; 1825 } 1826 /* 1827 * Check beacon for overlapping bss w/ non ERP stations. 1828 * If we detect one and protection is configured but not 1829 * enabled, enable it and start a timer that'll bring us 1830 * out if we stop seeing the bss. 1831 */ 1832 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1833 scan.status == 0 && /* NB: on-channel */ 1834 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1835 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1836 vap->iv_lastnonerp = ticks; 1837 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1838 /* 1839 * XXX TODO: this may need to check all VAPs? 1840 */ 1841 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1842 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1843 IEEE80211_NOTE_FRAME(vap, 1844 IEEE80211_MSG_ASSOC, wh, 1845 "non-ERP present on channel %d " 1846 "(saw erp 0x%x from channel %d), " 1847 "enable use of protection", 1848 ic->ic_curchan->ic_ieee, 1849 scan.erp, scan.chan); 1850 vap->iv_flags |= IEEE80211_F_USEPROT; 1851 ieee80211_vap_update_erp_protmode(vap); 1852 } 1853 } 1854 /* 1855 * Check beacon for non-HT station on HT channel 1856 * and update HT BSS occupancy as appropriate. 1857 */ 1858 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1859 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1860 /* 1861 * Off control channel; only check frames 1862 * that come in the extension channel when 1863 * operating w/ HT40. 1864 */ 1865 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1866 break; 1867 if (scan.chan != ic->ic_curchan->ic_extieee) 1868 break; 1869 } 1870 if (scan.htinfo == NULL) { 1871 ieee80211_htprot_update(vap, 1872 IEEE80211_HTINFO_OPMODE_PROTOPT | 1873 IEEE80211_HTINFO_NONHT_PRESENT); 1874 } else if (ishtmixed(scan.htinfo)) { 1875 /* XXX? take NONHT_PRESENT from beacon? */ 1876 ieee80211_htprot_update(vap, 1877 IEEE80211_HTINFO_OPMODE_MIXED | 1878 IEEE80211_HTINFO_NONHT_PRESENT); 1879 } 1880 } 1881 break; 1882 } 1883 1884 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1885 if (vap->iv_state != IEEE80211_S_RUN) { 1886 vap->iv_stats.is_rx_mgtdiscard++; 1887 return; 1888 } 1889 /* 1890 * Consult the ACL policy module if setup. 1891 */ 1892 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1894 wh, NULL, "%s", "disallowed by ACL"); 1895 vap->iv_stats.is_rx_acl++; 1896 return; 1897 } 1898 /* 1899 * prreq frame format 1900 * [tlv] ssid 1901 * [tlv] supported rates 1902 * [tlv] extended supported rates 1903 */ 1904 ssid = rates = xrates = NULL; 1905 while (efrm - frm > 1) { 1906 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1907 switch (*frm) { 1908 case IEEE80211_ELEMID_SSID: 1909 ssid = frm; 1910 break; 1911 case IEEE80211_ELEMID_RATES: 1912 rates = frm; 1913 break; 1914 case IEEE80211_ELEMID_XRATES: 1915 xrates = frm; 1916 break; 1917 } 1918 frm += frm[1] + 2; 1919 } 1920 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1921 if (xrates != NULL) 1922 IEEE80211_VERIFY_ELEMENT(xrates, 1923 IEEE80211_RATE_MAXSIZE - rates[1], return); 1924 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1925 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1926 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1927 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1928 wh, NULL, 1929 "%s", "no ssid with ssid suppression enabled"); 1930 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1931 return; 1932 } 1933 1934 /* XXX find a better class or define it's own */ 1935 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1936 "%s", "recv probe req"); 1937 /* 1938 * Some legacy 11b clients cannot hack a complete 1939 * probe response frame. When the request includes 1940 * only a bare-bones rate set, communicate this to 1941 * the transmit side. 1942 */ 1943 ieee80211_send_proberesp(vap, wh->i_addr2, 1944 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1945 break; 1946 1947 case IEEE80211_FC0_SUBTYPE_AUTH: { 1948 uint16_t algo, seq, status; 1949 1950 if (vap->iv_state != IEEE80211_S_RUN) { 1951 vap->iv_stats.is_rx_mgtdiscard++; 1952 return; 1953 } 1954 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1955 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1956 wh, NULL, "%s", "wrong bssid"); 1957 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1958 return; 1959 } 1960 /* 1961 * auth frame format 1962 * [2] algorithm 1963 * [2] sequence 1964 * [2] status 1965 * [tlv*] challenge 1966 */ 1967 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1968 algo = le16toh(*(uint16_t *)frm); 1969 seq = le16toh(*(uint16_t *)(frm + 2)); 1970 status = le16toh(*(uint16_t *)(frm + 4)); 1971 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1972 "recv auth frame with algorithm %d seq %d", algo, seq); 1973 /* 1974 * Consult the ACL policy module if setup. 1975 */ 1976 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1977 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1978 wh, NULL, "%s", "disallowed by ACL"); 1979 vap->iv_stats.is_rx_acl++; 1980 ieee80211_send_error(ni, wh->i_addr2, 1981 IEEE80211_FC0_SUBTYPE_AUTH, 1982 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1983 return; 1984 } 1985 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1986 IEEE80211_DISCARD(vap, 1987 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1988 wh, NULL, "%s", "TKIP countermeasures enabled"); 1989 vap->iv_stats.is_rx_auth_countermeasures++; 1990 ieee80211_send_error(ni, wh->i_addr2, 1991 IEEE80211_FC0_SUBTYPE_AUTH, 1992 IEEE80211_REASON_MIC_FAILURE); 1993 return; 1994 } 1995 if (algo == IEEE80211_AUTH_ALG_SHARED) 1996 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1997 seq, status); 1998 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1999 hostap_auth_open(ni, wh, rssi, nf, seq, status); 2000 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 2001 authalgreject(ni, wh, algo, 2002 seq+1, IEEE80211_STATUS_ALG); 2003 return; 2004 } else { 2005 /* 2006 * We assume that an unknown algorithm is the result 2007 * of a decryption failure on a shared key auth frame; 2008 * return a status code appropriate for that instead 2009 * of IEEE80211_STATUS_ALG. 2010 * 2011 * NB: a seq# of 4 is intentional; the decrypted 2012 * frame likely has a bogus seq value. 2013 */ 2014 authalgreject(ni, wh, algo, 2015 4, IEEE80211_STATUS_CHALLENGE); 2016 return; 2017 } 2018 break; 2019 } 2020 2021 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2022 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2023 uint16_t capinfo, lintval; 2024 struct ieee80211_rsnparms rsnparms; 2025 2026 if (vap->iv_state != IEEE80211_S_RUN) { 2027 vap->iv_stats.is_rx_mgtdiscard++; 2028 return; 2029 } 2030 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2031 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2032 wh, NULL, "%s", "wrong bssid"); 2033 vap->iv_stats.is_rx_assoc_bss++; 2034 return; 2035 } 2036 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2037 reassoc = 1; 2038 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2039 } else { 2040 reassoc = 0; 2041 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2042 } 2043 if (ni == vap->iv_bss) { 2044 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2045 "deny %s request, sta not authenticated", 2046 reassoc ? "reassoc" : "assoc"); 2047 ieee80211_send_error(ni, wh->i_addr2, 2048 IEEE80211_FC0_SUBTYPE_DEAUTH, 2049 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2050 vap->iv_stats.is_rx_assoc_notauth++; 2051 return; 2052 } 2053 2054 /* 2055 * asreq frame format 2056 * [2] capability information 2057 * [2] listen interval 2058 * [6*] current AP address (reassoc only) 2059 * [tlv] ssid 2060 * [tlv] supported rates 2061 * [tlv] extended supported rates 2062 * [tlv] WPA or RSN 2063 * [tlv] HT capabilities 2064 * [tlv] Atheros capabilities 2065 */ 2066 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2067 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2068 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2069 if (reassoc) 2070 frm += 6; /* ignore current AP info */ 2071 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2072 vhtcap = vhtinfo = NULL; 2073 sfrm = frm; 2074 while (efrm - frm > 1) { 2075 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2076 switch (*frm) { 2077 case IEEE80211_ELEMID_SSID: 2078 ssid = frm; 2079 break; 2080 case IEEE80211_ELEMID_RATES: 2081 rates = frm; 2082 break; 2083 case IEEE80211_ELEMID_XRATES: 2084 xrates = frm; 2085 break; 2086 case IEEE80211_ELEMID_RSN: 2087 rsn = frm; 2088 break; 2089 case IEEE80211_ELEMID_HTCAP: 2090 htcap = frm; 2091 break; 2092 case IEEE80211_ELEMID_VHT_CAP: 2093 vhtcap = frm; 2094 break; 2095 case IEEE80211_ELEMID_VHT_OPMODE: 2096 vhtinfo = frm; 2097 break; 2098 case IEEE80211_ELEMID_VENDOR: 2099 if (iswpaoui(frm)) 2100 wpa = frm; 2101 else if (iswmeinfo(frm)) 2102 wme = frm; 2103 #ifdef IEEE80211_SUPPORT_SUPERG 2104 else if (isatherosoui(frm)) 2105 ath = frm; 2106 #endif 2107 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2108 if (ishtcapoui(frm) && htcap == NULL) 2109 htcap = frm; 2110 } 2111 break; 2112 } 2113 frm += frm[1] + 2; 2114 } 2115 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2116 if (xrates != NULL) 2117 IEEE80211_VERIFY_ELEMENT(xrates, 2118 IEEE80211_RATE_MAXSIZE - rates[1], return); 2119 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2120 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2121 if (htcap != NULL) { 2122 IEEE80211_VERIFY_LENGTH(htcap[1], 2123 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2124 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2125 sizeof(struct ieee80211_ie_htcap)-2, 2126 return); /* XXX just NULL out? */ 2127 } 2128 2129 /* Validate VHT IEs */ 2130 if (vhtcap != NULL) { 2131 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2132 sizeof(struct ieee80211_vht_cap), 2133 return); 2134 } 2135 if (vhtinfo != NULL) { 2136 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2137 sizeof(struct ieee80211_vht_operation), 2138 return); 2139 } 2140 2141 if ((vap->iv_flags & IEEE80211_F_WPA) && 2142 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2143 return; 2144 /* discard challenge after association */ 2145 if (ni->ni_challenge != NULL) { 2146 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2147 ni->ni_challenge = NULL; 2148 } 2149 /* NB: 802.11 spec says to ignore station's privacy bit */ 2150 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2151 capinfomismatch(ni, wh, reassoc, resp, 2152 "capability", capinfo); 2153 return; 2154 } 2155 /* 2156 * Disallow re-associate w/ invalid slot time setting. 2157 */ 2158 if (ni->ni_associd != 0 && 2159 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2160 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2161 capinfomismatch(ni, wh, reassoc, resp, 2162 "slot time", capinfo); 2163 return; 2164 } 2165 rate = ieee80211_setup_rates(ni, rates, xrates, 2166 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2167 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2168 if (rate & IEEE80211_RATE_BASIC) { 2169 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2170 vap->iv_stats.is_rx_assoc_norate++; 2171 return; 2172 } 2173 /* 2174 * If constrained to 11g-only stations reject an 2175 * 11b-only station. We cheat a bit here by looking 2176 * at the max negotiated xmit rate and assuming anyone 2177 * with a best rate <24Mb/s is an 11b station. 2178 */ 2179 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2180 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2181 vap->iv_stats.is_rx_assoc_norate++; 2182 return; 2183 } 2184 2185 /* 2186 * Do HT rate set handling and setup HT node state. 2187 */ 2188 ni->ni_chan = vap->iv_bss->ni_chan; 2189 2190 /* VHT */ 2191 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2192 vhtcap != NULL && 2193 vhtinfo != NULL) { 2194 /* XXX TODO; see below */ 2195 printf("%s: VHT TODO!\n", __func__); 2196 ieee80211_vht_node_init(ni); 2197 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2198 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2199 ieee80211_vht_node_cleanup(ni); 2200 2201 /* HT */ 2202 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2203 rate = ieee80211_setup_htrates(ni, htcap, 2204 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2205 IEEE80211_F_DOBRS); 2206 if (rate & IEEE80211_RATE_BASIC) { 2207 ratesetmismatch(ni, wh, reassoc, resp, 2208 "HT", rate); 2209 vap->iv_stats.is_ht_assoc_norate++; 2210 return; 2211 } 2212 ieee80211_ht_node_init(ni); 2213 ieee80211_ht_updatehtcap(ni, htcap); 2214 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2215 ieee80211_ht_node_cleanup(ni); 2216 2217 /* Finally - this will use HT/VHT info to change node channel */ 2218 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2219 ieee80211_ht_updatehtcap_final(ni); 2220 } 2221 2222 #ifdef IEEE80211_SUPPORT_SUPERG 2223 /* Always do ff node cleanup; for A-MSDU */ 2224 ieee80211_ff_node_cleanup(ni); 2225 #endif 2226 /* 2227 * Allow AMPDU operation only with unencrypted traffic 2228 * or AES-CCM; the 11n spec only specifies these ciphers 2229 * so permitting any others is undefined and can lead 2230 * to interoperability problems. 2231 */ 2232 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2233 (((vap->iv_flags & IEEE80211_F_WPA) && 2234 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2235 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2236 IEEE80211_NOTE(vap, 2237 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2238 "disallow HT use because WEP or TKIP requested, " 2239 "capinfo 0x%x ucastcipher %d", capinfo, 2240 rsnparms.rsn_ucastcipher); 2241 ieee80211_ht_node_cleanup(ni); 2242 #ifdef IEEE80211_SUPPORT_SUPERG 2243 /* Always do ff node cleanup; for A-MSDU */ 2244 ieee80211_ff_node_cleanup(ni); 2245 #endif 2246 vap->iv_stats.is_ht_assoc_downgrade++; 2247 } 2248 /* 2249 * If constrained to 11n-only stations reject legacy stations. 2250 */ 2251 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2252 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2253 htcapmismatch(ni, wh, reassoc, resp); 2254 vap->iv_stats.is_ht_assoc_nohtcap++; 2255 return; 2256 } 2257 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2258 ni->ni_noise = nf; 2259 ni->ni_intval = lintval; 2260 ni->ni_capinfo = capinfo; 2261 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2262 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2263 /* 2264 * Store the IEs. 2265 * XXX maybe better to just expand 2266 */ 2267 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2268 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2269 if (wpa != NULL) 2270 setie(wpa_ie, wpa - sfrm); 2271 if (rsn != NULL) 2272 setie(rsn_ie, rsn - sfrm); 2273 if (htcap != NULL) 2274 setie(htcap_ie, htcap - sfrm); 2275 if (wme != NULL) { 2276 setie(wme_ie, wme - sfrm); 2277 /* 2278 * Mark node as capable of QoS. 2279 */ 2280 ni->ni_flags |= IEEE80211_NODE_QOS; 2281 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2282 if (ni->ni_uapsd != 0) 2283 ni->ni_flags |= 2284 IEEE80211_NODE_UAPSD; 2285 else 2286 ni->ni_flags &= 2287 ~IEEE80211_NODE_UAPSD; 2288 } 2289 } else 2290 ni->ni_flags &= 2291 ~(IEEE80211_NODE_QOS | 2292 IEEE80211_NODE_UAPSD); 2293 #ifdef IEEE80211_SUPPORT_SUPERG 2294 if (ath != NULL) { 2295 setie(ath_ie, ath - sfrm); 2296 /* 2297 * Parse ATH station parameters. 2298 */ 2299 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2300 } else 2301 #endif 2302 ni->ni_ath_flags = 0; 2303 #undef setie 2304 } else { 2305 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2306 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2307 ni->ni_ath_flags = 0; 2308 } 2309 ieee80211_node_join(ni, resp); 2310 ieee80211_deliver_l2uf(ni); 2311 break; 2312 } 2313 2314 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2315 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2316 #ifdef IEEE80211_DEBUG 2317 uint16_t reason; 2318 #endif 2319 2320 if (vap->iv_state != IEEE80211_S_RUN || 2321 /* NB: can happen when in promiscuous mode */ 2322 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2323 vap->iv_stats.is_rx_mgtdiscard++; 2324 break; 2325 } 2326 /* 2327 * deauth/disassoc frame format 2328 * [2] reason 2329 */ 2330 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2331 #ifdef IEEE80211_DEBUG 2332 reason = le16toh(*(uint16_t *)frm); 2333 #endif 2334 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2335 vap->iv_stats.is_rx_deauth++; 2336 IEEE80211_NODE_STAT(ni, rx_deauth); 2337 } else { 2338 vap->iv_stats.is_rx_disassoc++; 2339 IEEE80211_NODE_STAT(ni, rx_disassoc); 2340 } 2341 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2342 "recv %s (reason: %d (%s))", 2343 ieee80211_mgt_subtype_name(subtype), 2344 reason, ieee80211_reason_to_string(reason)); 2345 if (ni != vap->iv_bss) 2346 ieee80211_node_leave(ni); 2347 break; 2348 } 2349 2350 case IEEE80211_FC0_SUBTYPE_ACTION: 2351 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2352 if (ni == vap->iv_bss) { 2353 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2354 wh, NULL, "%s", "unknown node"); 2355 vap->iv_stats.is_rx_mgtdiscard++; 2356 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2357 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2358 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2359 wh, NULL, "%s", "not for us"); 2360 vap->iv_stats.is_rx_mgtdiscard++; 2361 } else if (vap->iv_state != IEEE80211_S_RUN) { 2362 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2363 wh, NULL, "wrong state %s", 2364 ieee80211_state_name[vap->iv_state]); 2365 vap->iv_stats.is_rx_mgtdiscard++; 2366 } else { 2367 if (ieee80211_parse_action(ni, m0) == 0) 2368 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2369 } 2370 break; 2371 2372 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2373 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2374 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2375 case IEEE80211_FC0_SUBTYPE_ATIM: 2376 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2377 wh, NULL, "%s", "not handled"); 2378 vap->iv_stats.is_rx_mgtdiscard++; 2379 break; 2380 2381 default: 2382 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2383 wh, "mgt", "subtype 0x%x not handled", subtype); 2384 vap->iv_stats.is_rx_badsubtype++; 2385 break; 2386 } 2387 } 2388 2389 static void 2390 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2391 { 2392 switch (subtype) { 2393 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2394 ni->ni_vap->iv_recv_pspoll(ni, m); 2395 break; 2396 case IEEE80211_FC0_SUBTYPE_BAR: 2397 ieee80211_recv_bar(ni, m); 2398 break; 2399 } 2400 } 2401 2402 /* 2403 * Process a received ps-poll frame. 2404 */ 2405 void 2406 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2407 { 2408 struct ieee80211vap *vap = ni->ni_vap; 2409 struct ieee80211com *ic = vap->iv_ic; 2410 struct ieee80211_frame_min *wh; 2411 struct mbuf *m; 2412 uint16_t aid; 2413 int qlen; 2414 2415 wh = mtod(m0, struct ieee80211_frame_min *); 2416 if (ni->ni_associd == 0) { 2417 IEEE80211_DISCARD(vap, 2418 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2419 (struct ieee80211_frame *) wh, NULL, 2420 "%s", "unassociated station"); 2421 vap->iv_stats.is_ps_unassoc++; 2422 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2423 IEEE80211_REASON_NOT_ASSOCED); 2424 return; 2425 } 2426 2427 aid = le16toh(*(uint16_t *)wh->i_dur); 2428 if (aid != ni->ni_associd) { 2429 IEEE80211_DISCARD(vap, 2430 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2431 (struct ieee80211_frame *) wh, NULL, 2432 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2433 ni->ni_associd, aid); 2434 vap->iv_stats.is_ps_badaid++; 2435 /* 2436 * NB: We used to deauth the station but it turns out 2437 * the Blackberry Curve 8230 (and perhaps other devices) 2438 * sometimes send the wrong AID when WME is negotiated. 2439 * Being more lenient here seems ok as we already check 2440 * the station is associated and we only return frames 2441 * queued for the station (i.e. we don't use the AID). 2442 */ 2443 return; 2444 } 2445 2446 /* Okay, take the first queued packet and put it out... */ 2447 m = ieee80211_node_psq_dequeue(ni, &qlen); 2448 if (m == NULL) { 2449 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2450 "%s", "recv ps-poll, but queue empty"); 2451 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2452 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2453 if (vap->iv_set_tim != NULL) 2454 vap->iv_set_tim(ni, 0); /* just in case */ 2455 return; 2456 } 2457 /* 2458 * If there are more packets, set the more packets bit 2459 * in the packet dispatched to the station; otherwise 2460 * turn off the TIM bit. 2461 */ 2462 if (qlen != 0) { 2463 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2464 "recv ps-poll, send packet, %u still queued", qlen); 2465 m->m_flags |= M_MORE_DATA; 2466 } else { 2467 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2468 "%s", "recv ps-poll, send packet, queue empty"); 2469 if (vap->iv_set_tim != NULL) 2470 vap->iv_set_tim(ni, 0); 2471 } 2472 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2473 2474 /* 2475 * Do the right thing; if it's an encap'ed frame then 2476 * call ieee80211_parent_xmitpkt() else 2477 * call ieee80211_vap_xmitpkt(). 2478 */ 2479 if (m->m_flags & M_ENCAP) { 2480 (void) ieee80211_parent_xmitpkt(ic, m); 2481 } else { 2482 (void) ieee80211_vap_xmitpkt(vap, m); 2483 } 2484 } 2485