1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD$"); 31 #endif 32 33 /* 34 * IEEE 802.11 HOSTAP mode support. 35 */ 36 #include "opt_inet.h" 37 #include "opt_wlan.h" 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/mbuf.h> 42 #include <sys/malloc.h> 43 #include <sys/kernel.h> 44 45 #include <sys/socket.h> 46 #include <sys/sockio.h> 47 #include <sys/endian.h> 48 #include <sys/errno.h> 49 #include <sys/proc.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/if_var.h> 54 #include <net/if_media.h> 55 #include <net/if_llc.h> 56 #include <net/if_private.h> 57 #include <net/ethernet.h> 58 59 #include <net/bpf.h> 60 61 #include <net80211/ieee80211_var.h> 62 #include <net80211/ieee80211_hostap.h> 63 #include <net80211/ieee80211_input.h> 64 #ifdef IEEE80211_SUPPORT_SUPERG 65 #include <net80211/ieee80211_superg.h> 66 #endif 67 #include <net80211/ieee80211_wds.h> 68 #include <net80211/ieee80211_vht.h> 69 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 70 71 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 72 73 static void hostap_vattach(struct ieee80211vap *); 74 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 75 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 76 const struct ieee80211_rx_stats *, 77 int rssi, int nf); 78 static void hostap_deliver_data(struct ieee80211vap *, 79 struct ieee80211_node *, struct mbuf *); 80 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 81 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 82 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 83 84 void 85 ieee80211_hostap_attach(struct ieee80211com *ic) 86 { 87 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 88 } 89 90 void 91 ieee80211_hostap_detach(struct ieee80211com *ic) 92 { 93 } 94 95 static void 96 hostap_vdetach(struct ieee80211vap *vap) 97 { 98 } 99 100 static void 101 hostap_vattach(struct ieee80211vap *vap) 102 { 103 vap->iv_newstate = hostap_newstate; 104 vap->iv_input = hostap_input; 105 vap->iv_recv_mgmt = hostap_recv_mgmt; 106 vap->iv_recv_ctl = hostap_recv_ctl; 107 vap->iv_opdetach = hostap_vdetach; 108 vap->iv_deliver_data = hostap_deliver_data; 109 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 110 } 111 112 static void 113 sta_disassoc(void *arg, struct ieee80211_node *ni) 114 { 115 116 if (ni->ni_associd != 0) { 117 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 118 IEEE80211_REASON_ASSOC_LEAVE); 119 ieee80211_node_leave(ni); 120 } 121 } 122 123 static void 124 sta_csa(void *arg, struct ieee80211_node *ni) 125 { 126 struct ieee80211vap *vap = ni->ni_vap; 127 128 if (ni->ni_associd != 0) 129 if (ni->ni_inact > vap->iv_inact_init) { 130 ni->ni_inact = vap->iv_inact_init; 131 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 132 "%s: inact %u", __func__, ni->ni_inact); 133 } 134 } 135 136 static void 137 sta_drop(void *arg, struct ieee80211_node *ni) 138 { 139 140 if (ni->ni_associd != 0) 141 ieee80211_node_leave(ni); 142 } 143 144 /* 145 * Does a channel change require associated stations to re-associate 146 * so protocol state is correct. This is used when doing CSA across 147 * bands or similar (e.g. HT -> legacy). 148 */ 149 static int 150 isbandchange(struct ieee80211com *ic) 151 { 152 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 153 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 154 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 155 } 156 157 /* 158 * IEEE80211_M_HOSTAP vap state machine handler. 159 */ 160 static int 161 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 162 { 163 struct ieee80211com *ic = vap->iv_ic; 164 enum ieee80211_state ostate; 165 166 IEEE80211_LOCK_ASSERT(ic); 167 168 ostate = vap->iv_state; 169 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 170 __func__, ieee80211_state_name[ostate], 171 ieee80211_state_name[nstate], arg); 172 vap->iv_state = nstate; /* state transition */ 173 if (ostate != IEEE80211_S_SCAN) 174 ieee80211_cancel_scan(vap); /* background scan */ 175 switch (nstate) { 176 case IEEE80211_S_INIT: 177 switch (ostate) { 178 case IEEE80211_S_SCAN: 179 ieee80211_cancel_scan(vap); 180 break; 181 case IEEE80211_S_CAC: 182 ieee80211_dfs_cac_stop(vap); 183 break; 184 case IEEE80211_S_RUN: 185 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 186 sta_disassoc, NULL); 187 break; 188 default: 189 break; 190 } 191 if (ostate != IEEE80211_S_INIT) { 192 /* NB: optimize INIT -> INIT case */ 193 ieee80211_reset_bss(vap); 194 } 195 if (vap->iv_auth->ia_detach != NULL) 196 vap->iv_auth->ia_detach(vap); 197 break; 198 case IEEE80211_S_SCAN: 199 switch (ostate) { 200 case IEEE80211_S_CSA: 201 case IEEE80211_S_RUN: 202 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 203 sta_disassoc, NULL); 204 /* 205 * Clear overlapping BSS state; the beacon frame 206 * will be reconstructed on transition to the RUN 207 * state and the timeout routines check if the flag 208 * is set before doing anything so this is sufficient. 209 */ 210 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 211 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 212 /* XXX TODO: schedule deferred update? */ 213 /* fall thru... */ 214 case IEEE80211_S_CAC: 215 /* 216 * NB: We may get here because of a manual channel 217 * change in which case we need to stop CAC 218 * XXX no need to stop if ostate RUN but it's ok 219 */ 220 ieee80211_dfs_cac_stop(vap); 221 /* fall thru... */ 222 case IEEE80211_S_INIT: 223 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 224 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 225 /* 226 * Already have a channel; bypass the 227 * scan and startup immediately. 228 * ieee80211_create_ibss will call back to 229 * move us to RUN state. 230 */ 231 ieee80211_create_ibss(vap, vap->iv_des_chan); 232 break; 233 } 234 /* 235 * Initiate a scan. We can come here as a result 236 * of an IEEE80211_IOC_SCAN_REQ too in which case 237 * the vap will be marked with IEEE80211_FEXT_SCANREQ 238 * and the scan request parameters will be present 239 * in iv_scanreq. Otherwise we do the default. 240 */ 241 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 242 ieee80211_check_scan(vap, 243 vap->iv_scanreq_flags, 244 vap->iv_scanreq_duration, 245 vap->iv_scanreq_mindwell, 246 vap->iv_scanreq_maxdwell, 247 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 248 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 249 } else 250 ieee80211_check_scan_current(vap); 251 break; 252 case IEEE80211_S_SCAN: 253 /* 254 * A state change requires a reset; scan. 255 */ 256 ieee80211_check_scan_current(vap); 257 break; 258 default: 259 break; 260 } 261 break; 262 case IEEE80211_S_CAC: 263 /* 264 * Start CAC on a DFS channel. We come here when starting 265 * a bss on a DFS channel (see ieee80211_create_ibss). 266 */ 267 ieee80211_dfs_cac_start(vap); 268 break; 269 case IEEE80211_S_RUN: 270 if (vap->iv_flags & IEEE80211_F_WPA) { 271 /* XXX validate prerequisites */ 272 } 273 switch (ostate) { 274 case IEEE80211_S_INIT: 275 /* 276 * Already have a channel; bypass the 277 * scan and startup immediately. 278 * Note that ieee80211_create_ibss will call 279 * back to do a RUN->RUN state change. 280 */ 281 ieee80211_create_ibss(vap, 282 ieee80211_ht_adjust_channel(ic, 283 ic->ic_curchan, vap->iv_flags_ht)); 284 /* NB: iv_bss is changed on return */ 285 break; 286 case IEEE80211_S_CAC: 287 /* 288 * NB: This is the normal state change when CAC 289 * expires and no radar was detected; no need to 290 * clear the CAC timer as it's already expired. 291 */ 292 /* fall thru... */ 293 case IEEE80211_S_CSA: 294 /* 295 * Shorten inactivity timer of associated stations 296 * to weed out sta's that don't follow a CSA. 297 */ 298 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 299 sta_csa, NULL); 300 /* 301 * Update bss node channel to reflect where 302 * we landed after CSA. 303 */ 304 ieee80211_node_set_chan(vap->iv_bss, 305 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 306 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 307 /* XXX bypass debug msgs */ 308 break; 309 case IEEE80211_S_SCAN: 310 case IEEE80211_S_RUN: 311 #ifdef IEEE80211_DEBUG 312 if (ieee80211_msg_debug(vap)) { 313 struct ieee80211_node *ni = vap->iv_bss; 314 ieee80211_note(vap, 315 "synchronized with %s ssid ", 316 ether_sprintf(ni->ni_bssid)); 317 ieee80211_print_essid(ni->ni_essid, 318 ni->ni_esslen); 319 /* XXX MCS/HT */ 320 printf(" channel %d start %uMb\n", 321 ieee80211_chan2ieee(ic, ic->ic_curchan), 322 IEEE80211_RATE2MBS(ni->ni_txrate)); 323 } 324 #endif 325 break; 326 default: 327 break; 328 } 329 /* 330 * Start/stop the authenticator. We delay until here 331 * to allow configuration to happen out of order. 332 */ 333 if (vap->iv_auth->ia_attach != NULL) { 334 /* XXX check failure */ 335 vap->iv_auth->ia_attach(vap); 336 } else if (vap->iv_auth->ia_detach != NULL) { 337 vap->iv_auth->ia_detach(vap); 338 } 339 ieee80211_node_authorize(vap->iv_bss); 340 break; 341 case IEEE80211_S_CSA: 342 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 343 /* 344 * On a ``band change'' silently drop associated 345 * stations as they must re-associate before they 346 * can pass traffic (as otherwise protocol state 347 * such as capabilities and the negotiated rate 348 * set may/will be wrong). 349 */ 350 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 351 sta_drop, NULL); 352 } 353 break; 354 default: 355 break; 356 } 357 return 0; 358 } 359 360 static void 361 hostap_deliver_data(struct ieee80211vap *vap, 362 struct ieee80211_node *ni, struct mbuf *m) 363 { 364 struct ether_header *eh = mtod(m, struct ether_header *); 365 struct ifnet *ifp = vap->iv_ifp; 366 367 /* clear driver/net80211 flags before passing up */ 368 m->m_flags &= ~(M_MCAST | M_BCAST); 369 m_clrprotoflags(m); 370 371 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 372 ("gack, opmode %d", vap->iv_opmode)); 373 /* 374 * Do accounting. 375 */ 376 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 377 IEEE80211_NODE_STAT(ni, rx_data); 378 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 379 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 380 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 381 IEEE80211_NODE_STAT(ni, rx_mcast); 382 } else 383 IEEE80211_NODE_STAT(ni, rx_ucast); 384 385 /* perform as a bridge within the AP */ 386 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 387 struct mbuf *mcopy = NULL; 388 389 if (m->m_flags & M_MCAST) { 390 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 391 if (mcopy == NULL) 392 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 393 else 394 mcopy->m_flags |= M_MCAST; 395 } else { 396 /* 397 * Check if the destination is associated with the 398 * same vap and authorized to receive traffic. 399 * Beware of traffic destined for the vap itself; 400 * sending it will not work; just let it be delivered 401 * normally. 402 */ 403 struct ieee80211_node *sta = ieee80211_find_vap_node( 404 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 405 if (sta != NULL) { 406 if (ieee80211_node_is_authorized(sta)) { 407 /* 408 * Beware of sending to ourself; this 409 * needs to happen via the normal 410 * input path. 411 */ 412 if (sta != vap->iv_bss) { 413 mcopy = m; 414 m = NULL; 415 } 416 } else { 417 vap->iv_stats.is_rx_unauth++; 418 IEEE80211_NODE_STAT(sta, rx_unauth); 419 } 420 ieee80211_free_node(sta); 421 } 422 } 423 if (mcopy != NULL) 424 (void) ieee80211_vap_xmitpkt(vap, mcopy); 425 } 426 if (m != NULL) { 427 /* 428 * Mark frame as coming from vap's interface. 429 */ 430 m->m_pkthdr.rcvif = ifp; 431 if (m->m_flags & M_MCAST) { 432 /* 433 * Spam DWDS vap's w/ multicast traffic. 434 */ 435 /* XXX only if dwds in use? */ 436 ieee80211_dwds_mcast(vap, m); 437 } 438 if (ni->ni_vlan != 0) { 439 /* attach vlan tag */ 440 m->m_pkthdr.ether_vtag = ni->ni_vlan; 441 m->m_flags |= M_VLANTAG; 442 } 443 ifp->if_input(ifp, m); 444 } 445 } 446 447 /* 448 * Decide if a received management frame should be 449 * printed when debugging is enabled. This filters some 450 * of the less interesting frames that come frequently 451 * (e.g. beacons). 452 */ 453 static __inline int 454 doprint(struct ieee80211vap *vap, int subtype) 455 { 456 switch (subtype) { 457 case IEEE80211_FC0_SUBTYPE_BEACON: 458 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 459 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 460 return 0; 461 } 462 return 1; 463 } 464 465 /* 466 * Process a received frame. The node associated with the sender 467 * should be supplied. If nothing was found in the node table then 468 * the caller is assumed to supply a reference to iv_bss instead. 469 * The RSSI and a timestamp are also supplied. The RSSI data is used 470 * during AP scanning to select a AP to associate with; it can have 471 * any units so long as values have consistent units and higher values 472 * mean ``better signal''. The receive timestamp is currently not used 473 * by the 802.11 layer. 474 */ 475 static int 476 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 477 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 478 { 479 struct ieee80211vap *vap = ni->ni_vap; 480 struct ieee80211com *ic = ni->ni_ic; 481 struct ifnet *ifp = vap->iv_ifp; 482 struct ieee80211_frame *wh; 483 struct ieee80211_key *key; 484 struct ether_header *eh; 485 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 486 uint8_t dir, type, subtype, qos; 487 uint8_t *bssid; 488 int is_hw_decrypted = 0; 489 int has_decrypted = 0; 490 491 /* 492 * Some devices do hardware decryption all the way through 493 * to pretending the frame wasn't encrypted in the first place. 494 * So, tag it appropriately so it isn't discarded inappropriately. 495 */ 496 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 497 is_hw_decrypted = 1; 498 499 if (m->m_flags & M_AMPDU_MPDU) { 500 /* 501 * Fastpath for A-MPDU reorder q resubmission. Frames 502 * w/ M_AMPDU_MPDU marked have already passed through 503 * here but were received out of order and been held on 504 * the reorder queue. When resubmitted they are marked 505 * with the M_AMPDU_MPDU flag and we can bypass most of 506 * the normal processing. 507 */ 508 wh = mtod(m, struct ieee80211_frame *); 509 type = IEEE80211_FC0_TYPE_DATA; 510 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 511 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 512 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 513 goto resubmit_ampdu; 514 } 515 516 KASSERT(ni != NULL, ("null node")); 517 ni->ni_inact = ni->ni_inact_reload; 518 519 type = -1; /* undefined */ 520 521 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 522 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 523 ni->ni_macaddr, NULL, 524 "too short (1): len %u", m->m_pkthdr.len); 525 vap->iv_stats.is_rx_tooshort++; 526 goto out; 527 } 528 /* 529 * Bit of a cheat here, we use a pointer for a 3-address 530 * frame format but don't reference fields past outside 531 * ieee80211_frame_min w/o first validating the data is 532 * present. 533 */ 534 wh = mtod(m, struct ieee80211_frame *); 535 536 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 537 IEEE80211_FC0_VERSION_0) { 538 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 539 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 540 wh->i_fc[0], wh->i_fc[1]); 541 vap->iv_stats.is_rx_badversion++; 542 goto err; 543 } 544 545 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 546 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 547 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 548 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 549 if (dir != IEEE80211_FC1_DIR_NODS) 550 bssid = wh->i_addr1; 551 else if (type == IEEE80211_FC0_TYPE_CTL) 552 bssid = wh->i_addr1; 553 else { 554 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 555 IEEE80211_DISCARD_MAC(vap, 556 IEEE80211_MSG_ANY, ni->ni_macaddr, 557 NULL, "too short (2): len %u", 558 m->m_pkthdr.len); 559 vap->iv_stats.is_rx_tooshort++; 560 goto out; 561 } 562 bssid = wh->i_addr3; 563 } 564 /* 565 * Validate the bssid. 566 */ 567 if (!(type == IEEE80211_FC0_TYPE_MGT && 568 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 569 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 570 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 571 /* not interested in */ 572 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 573 bssid, NULL, "%s", "not to bss"); 574 vap->iv_stats.is_rx_wrongbss++; 575 goto out; 576 } 577 578 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 579 ni->ni_noise = nf; 580 if (IEEE80211_HAS_SEQ(type, subtype)) { 581 uint8_t tid = ieee80211_gettid(wh); 582 if (IEEE80211_QOS_HAS_SEQ(wh) && 583 TID_TO_WME_AC(tid) >= WME_AC_VI) 584 ic->ic_wme.wme_hipri_traffic++; 585 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 586 goto out; 587 } 588 } 589 590 switch (type) { 591 case IEEE80211_FC0_TYPE_DATA: 592 hdrspace = ieee80211_hdrspace(ic, wh); 593 if (m->m_len < hdrspace && 594 (m = m_pullup(m, hdrspace)) == NULL) { 595 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 596 ni->ni_macaddr, NULL, 597 "data too short: expecting %u", hdrspace); 598 vap->iv_stats.is_rx_tooshort++; 599 goto out; /* XXX */ 600 } 601 if (!(dir == IEEE80211_FC1_DIR_TODS || 602 (dir == IEEE80211_FC1_DIR_DSTODS && 603 (vap->iv_flags & IEEE80211_F_DWDS)))) { 604 if (dir != IEEE80211_FC1_DIR_DSTODS) { 605 IEEE80211_DISCARD(vap, 606 IEEE80211_MSG_INPUT, wh, "data", 607 "incorrect dir 0x%x", dir); 608 } else { 609 IEEE80211_DISCARD(vap, 610 IEEE80211_MSG_INPUT | 611 IEEE80211_MSG_WDS, wh, 612 "4-address data", 613 "%s", "DWDS not enabled"); 614 } 615 vap->iv_stats.is_rx_wrongdir++; 616 goto out; 617 } 618 /* check if source STA is associated */ 619 if (ni == vap->iv_bss) { 620 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 621 wh, "data", "%s", "unknown src"); 622 ieee80211_send_error(ni, wh->i_addr2, 623 IEEE80211_FC0_SUBTYPE_DEAUTH, 624 IEEE80211_REASON_NOT_AUTHED); 625 vap->iv_stats.is_rx_notassoc++; 626 goto err; 627 } 628 if (ni->ni_associd == 0) { 629 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 630 wh, "data", "%s", "unassoc src"); 631 IEEE80211_SEND_MGMT(ni, 632 IEEE80211_FC0_SUBTYPE_DISASSOC, 633 IEEE80211_REASON_NOT_ASSOCED); 634 vap->iv_stats.is_rx_notassoc++; 635 goto err; 636 } 637 638 /* 639 * Check for power save state change. 640 * XXX out-of-order A-MPDU frames? 641 */ 642 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 643 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 644 vap->iv_node_ps(ni, 645 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 646 /* 647 * For 4-address packets handle WDS discovery 648 * notifications. Once a WDS link is setup frames 649 * are just delivered to the WDS vap (see below). 650 */ 651 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 652 if (!ieee80211_node_is_authorized(ni)) { 653 IEEE80211_DISCARD(vap, 654 IEEE80211_MSG_INPUT | 655 IEEE80211_MSG_WDS, wh, 656 "4-address data", 657 "%s", "unauthorized port"); 658 vap->iv_stats.is_rx_unauth++; 659 IEEE80211_NODE_STAT(ni, rx_unauth); 660 goto err; 661 } 662 ieee80211_dwds_discover(ni, m); 663 return type; 664 } 665 666 /* 667 * Handle A-MPDU re-ordering. If the frame is to be 668 * processed directly then ieee80211_ampdu_reorder 669 * will return 0; otherwise it has consumed the mbuf 670 * and we should do nothing more with it. 671 */ 672 if ((m->m_flags & M_AMPDU) && 673 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 674 m = NULL; 675 goto out; 676 } 677 resubmit_ampdu: 678 679 /* 680 * Handle privacy requirements. Note that we 681 * must not be preempted from here until after 682 * we (potentially) call ieee80211_crypto_demic; 683 * otherwise we may violate assumptions in the 684 * crypto cipher modules used to do delayed update 685 * of replay sequence numbers. 686 */ 687 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 688 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 689 /* 690 * Discard encrypted frames when privacy is off. 691 */ 692 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 693 wh, "WEP", "%s", "PRIVACY off"); 694 vap->iv_stats.is_rx_noprivacy++; 695 IEEE80211_NODE_STAT(ni, rx_noprivacy); 696 goto out; 697 } 698 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 699 /* NB: stats+msgs handled in crypto_decap */ 700 IEEE80211_NODE_STAT(ni, rx_wepfail); 701 goto out; 702 } 703 wh = mtod(m, struct ieee80211_frame *); 704 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 705 has_decrypted = 1; 706 } else { 707 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 708 key = NULL; 709 } 710 711 /* 712 * Save QoS bits for use below--before we strip the header. 713 */ 714 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 715 qos = ieee80211_getqos(wh)[0]; 716 else 717 qos = 0; 718 719 /* 720 * Next up, any fragmentation. 721 */ 722 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 723 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 724 if (m == NULL) { 725 /* Fragment dropped or frame not complete yet */ 726 goto out; 727 } 728 } 729 wh = NULL; /* no longer valid, catch any uses */ 730 731 /* 732 * Next strip any MSDU crypto bits. 733 */ 734 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 735 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 736 ni->ni_macaddr, "data", "%s", "demic error"); 737 vap->iv_stats.is_rx_demicfail++; 738 IEEE80211_NODE_STAT(ni, rx_demicfail); 739 goto out; 740 } 741 /* copy to listener after decrypt */ 742 if (ieee80211_radiotap_active_vap(vap)) 743 ieee80211_radiotap_rx(vap, m); 744 need_tap = 0; 745 /* 746 * Finally, strip the 802.11 header. 747 */ 748 m = ieee80211_decap(vap, m, hdrspace, qos); 749 if (m == NULL) { 750 /* XXX mask bit to check for both */ 751 /* don't count Null data frames as errors */ 752 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 753 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 754 goto out; 755 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 756 ni->ni_macaddr, "data", "%s", "decap error"); 757 vap->iv_stats.is_rx_decap++; 758 IEEE80211_NODE_STAT(ni, rx_decap); 759 goto err; 760 } 761 if (!(qos & IEEE80211_QOS_AMSDU)) 762 eh = mtod(m, struct ether_header *); 763 else 764 eh = NULL; 765 if (!ieee80211_node_is_authorized(ni)) { 766 /* 767 * Deny any non-PAE frames received prior to 768 * authorization. For open/shared-key 769 * authentication the port is mark authorized 770 * after authentication completes. For 802.1x 771 * the port is not marked authorized by the 772 * authenticator until the handshake has completed. 773 */ 774 if (eh == NULL || 775 eh->ether_type != htons(ETHERTYPE_PAE)) { 776 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 777 ni->ni_macaddr, "data", "unauthorized or " 778 "unknown port: ether type 0x%x len %u", 779 eh == NULL ? -1 : eh->ether_type, 780 m->m_pkthdr.len); 781 vap->iv_stats.is_rx_unauth++; 782 IEEE80211_NODE_STAT(ni, rx_unauth); 783 goto err; 784 } 785 } else { 786 /* 787 * When denying unencrypted frames, discard 788 * any non-PAE frames received without encryption. 789 */ 790 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 791 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 792 (is_hw_decrypted == 0) && 793 (eh == NULL || 794 eh->ether_type != htons(ETHERTYPE_PAE))) { 795 /* 796 * Drop unencrypted frames. 797 */ 798 vap->iv_stats.is_rx_unencrypted++; 799 IEEE80211_NODE_STAT(ni, rx_unencrypted); 800 goto out; 801 } 802 } 803 /* XXX require HT? */ 804 if (qos & IEEE80211_QOS_AMSDU) { 805 m = ieee80211_decap_amsdu(ni, m); 806 if (m == NULL) 807 return IEEE80211_FC0_TYPE_DATA; 808 } else { 809 #ifdef IEEE80211_SUPPORT_SUPERG 810 m = ieee80211_decap_fastframe(vap, ni, m); 811 if (m == NULL) 812 return IEEE80211_FC0_TYPE_DATA; 813 #endif 814 } 815 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 816 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 817 else 818 hostap_deliver_data(vap, ni, m); 819 return IEEE80211_FC0_TYPE_DATA; 820 821 case IEEE80211_FC0_TYPE_MGT: 822 vap->iv_stats.is_rx_mgmt++; 823 IEEE80211_NODE_STAT(ni, rx_mgmt); 824 if (dir != IEEE80211_FC1_DIR_NODS) { 825 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 826 wh, "mgt", "incorrect dir 0x%x", dir); 827 vap->iv_stats.is_rx_wrongdir++; 828 goto err; 829 } 830 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 831 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 832 ni->ni_macaddr, "mgt", "too short: len %u", 833 m->m_pkthdr.len); 834 vap->iv_stats.is_rx_tooshort++; 835 goto out; 836 } 837 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 838 /* ensure return frames are unicast */ 839 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 840 wh, NULL, "source is multicast: %s", 841 ether_sprintf(wh->i_addr2)); 842 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 843 goto out; 844 } 845 #ifdef IEEE80211_DEBUG 846 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 847 ieee80211_msg_dumppkts(vap)) { 848 if_printf(ifp, "received %s from %s rssi %d\n", 849 ieee80211_mgt_subtype_name(subtype), 850 ether_sprintf(wh->i_addr2), rssi); 851 } 852 #endif 853 if (IEEE80211_IS_PROTECTED(wh)) { 854 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 855 /* 856 * Only shared key auth frames with a challenge 857 * should be encrypted, discard all others. 858 */ 859 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 860 wh, NULL, 861 "%s", "WEP set but not permitted"); 862 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 863 goto out; 864 } 865 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 866 /* 867 * Discard encrypted frames when privacy is off. 868 */ 869 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 870 wh, NULL, "%s", "WEP set but PRIVACY off"); 871 vap->iv_stats.is_rx_noprivacy++; 872 goto out; 873 } 874 hdrspace = ieee80211_hdrspace(ic, wh); 875 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 876 /* NB: stats+msgs handled in crypto_decap */ 877 goto out; 878 } 879 wh = mtod(m, struct ieee80211_frame *); 880 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 881 has_decrypted = 1; 882 } 883 /* 884 * Pass the packet to radiotap before calling iv_recv_mgmt(). 885 * Otherwise iv_recv_mgmt() might pass another packet to 886 * radiotap, resulting in out of order packet captures. 887 */ 888 if (ieee80211_radiotap_active_vap(vap)) 889 ieee80211_radiotap_rx(vap, m); 890 need_tap = 0; 891 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 892 goto out; 893 894 case IEEE80211_FC0_TYPE_CTL: 895 vap->iv_stats.is_rx_ctl++; 896 IEEE80211_NODE_STAT(ni, rx_ctrl); 897 vap->iv_recv_ctl(ni, m, subtype); 898 goto out; 899 default: 900 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 901 wh, "bad", "frame type 0x%x", type); 902 /* should not come here */ 903 break; 904 } 905 err: 906 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 907 out: 908 if (m != NULL) { 909 if (need_tap && ieee80211_radiotap_active_vap(vap)) 910 ieee80211_radiotap_rx(vap, m); 911 m_freem(m); 912 } 913 return type; 914 } 915 916 static void 917 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 918 int rssi, int nf, uint16_t seq, uint16_t status) 919 { 920 struct ieee80211vap *vap = ni->ni_vap; 921 922 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 923 924 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 925 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 926 ni->ni_macaddr, "open auth", 927 "bad sta auth mode %u", ni->ni_authmode); 928 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 929 /* 930 * Clear any challenge text that may be there if 931 * a previous shared key auth failed and then an 932 * open auth is attempted. 933 */ 934 if (ni->ni_challenge != NULL) { 935 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 936 ni->ni_challenge = NULL; 937 } 938 /* XXX hack to workaround calling convention */ 939 ieee80211_send_error(ni, wh->i_addr2, 940 IEEE80211_FC0_SUBTYPE_AUTH, 941 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 942 return; 943 } 944 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 945 vap->iv_stats.is_rx_bad_auth++; 946 return; 947 } 948 /* always accept open authentication requests */ 949 if (ni == vap->iv_bss) { 950 ni = ieee80211_dup_bss(vap, wh->i_addr2); 951 if (ni == NULL) 952 return; 953 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 954 (void) ieee80211_ref_node(ni); 955 /* 956 * Mark the node as referenced to reflect that it's 957 * reference count has been bumped to insure it remains 958 * after the transaction completes. 959 */ 960 ni->ni_flags |= IEEE80211_NODE_AREF; 961 /* 962 * Mark the node as requiring a valid association id 963 * before outbound traffic is permitted. 964 */ 965 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 966 967 if (vap->iv_acl != NULL && 968 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 969 /* 970 * When the ACL policy is set to RADIUS we defer the 971 * authorization to a user agent. Dispatch an event, 972 * a subsequent MLME call will decide the fate of the 973 * station. If the user agent is not present then the 974 * node will be reclaimed due to inactivity. 975 */ 976 IEEE80211_NOTE_MAC(vap, 977 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 978 "%s", "station authentication defered (radius acl)"); 979 ieee80211_notify_node_auth(ni); 980 } else { 981 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 982 IEEE80211_NOTE_MAC(vap, 983 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 984 "%s", "station authenticated (open)"); 985 /* 986 * When 802.1x is not in use mark the port 987 * authorized at this point so traffic can flow. 988 */ 989 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 990 ieee80211_node_authorize(ni); 991 } 992 } 993 994 static void 995 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 996 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 997 uint16_t seq, uint16_t status) 998 { 999 struct ieee80211vap *vap = ni->ni_vap; 1000 uint8_t *challenge; 1001 int estatus; 1002 1003 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1004 1005 /* 1006 * NB: this can happen as we allow pre-shared key 1007 * authentication to be enabled w/o wep being turned 1008 * on so that configuration of these can be done 1009 * in any order. It may be better to enforce the 1010 * ordering in which case this check would just be 1011 * for sanity/consistency. 1012 */ 1013 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1014 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1015 ni->ni_macaddr, "shared key auth", 1016 "%s", " PRIVACY is disabled"); 1017 estatus = IEEE80211_STATUS_ALG; 1018 goto bad; 1019 } 1020 /* 1021 * Pre-shared key authentication is evil; accept 1022 * it only if explicitly configured (it is supported 1023 * mainly for compatibility with clients like Mac OS X). 1024 */ 1025 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1026 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1027 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1028 ni->ni_macaddr, "shared key auth", 1029 "bad sta auth mode %u", ni->ni_authmode); 1030 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1031 estatus = IEEE80211_STATUS_ALG; 1032 goto bad; 1033 } 1034 1035 challenge = NULL; 1036 if (frm + 1 < efrm) { 1037 if ((frm[1] + 2) > (efrm - frm)) { 1038 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1039 ni->ni_macaddr, "shared key auth", 1040 "ie %d/%d too long", 1041 frm[0], (frm[1] + 2) - (efrm - frm)); 1042 vap->iv_stats.is_rx_bad_auth++; 1043 estatus = IEEE80211_STATUS_CHALLENGE; 1044 goto bad; 1045 } 1046 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1047 challenge = frm; 1048 frm += frm[1] + 2; 1049 } 1050 switch (seq) { 1051 case IEEE80211_AUTH_SHARED_CHALLENGE: 1052 case IEEE80211_AUTH_SHARED_RESPONSE: 1053 if (challenge == NULL) { 1054 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1055 ni->ni_macaddr, "shared key auth", 1056 "%s", "no challenge"); 1057 vap->iv_stats.is_rx_bad_auth++; 1058 estatus = IEEE80211_STATUS_CHALLENGE; 1059 goto bad; 1060 } 1061 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1062 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1063 ni->ni_macaddr, "shared key auth", 1064 "bad challenge len %d", challenge[1]); 1065 vap->iv_stats.is_rx_bad_auth++; 1066 estatus = IEEE80211_STATUS_CHALLENGE; 1067 goto bad; 1068 } 1069 default: 1070 break; 1071 } 1072 switch (seq) { 1073 case IEEE80211_AUTH_SHARED_REQUEST: 1074 { 1075 #ifdef IEEE80211_DEBUG 1076 bool allocbs; 1077 #endif 1078 1079 if (ni == vap->iv_bss) { 1080 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1081 if (ni == NULL) { 1082 /* NB: no way to return an error */ 1083 return; 1084 } 1085 #ifdef IEEE80211_DEBUG 1086 allocbs = 1; 1087 #endif 1088 } else { 1089 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1090 (void) ieee80211_ref_node(ni); 1091 #ifdef IEEE80211_DEBUG 1092 allocbs = 0; 1093 #endif 1094 } 1095 /* 1096 * Mark the node as referenced to reflect that it's 1097 * reference count has been bumped to insure it remains 1098 * after the transaction completes. 1099 */ 1100 ni->ni_flags |= IEEE80211_NODE_AREF; 1101 /* 1102 * Mark the node as requiring a valid association id 1103 * before outbound traffic is permitted. 1104 */ 1105 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1106 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1107 ni->ni_noise = nf; 1108 if (!ieee80211_alloc_challenge(ni)) { 1109 /* NB: don't return error so they rexmit */ 1110 return; 1111 } 1112 net80211_get_random_bytes(ni->ni_challenge, 1113 IEEE80211_CHALLENGE_LEN); 1114 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1115 ni, "shared key %sauth request", allocbs ? "" : "re"); 1116 /* 1117 * When the ACL policy is set to RADIUS we defer the 1118 * authorization to a user agent. Dispatch an event, 1119 * a subsequent MLME call will decide the fate of the 1120 * station. If the user agent is not present then the 1121 * node will be reclaimed due to inactivity. 1122 */ 1123 if (vap->iv_acl != NULL && 1124 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1125 IEEE80211_NOTE_MAC(vap, 1126 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1127 ni->ni_macaddr, 1128 "%s", "station authentication defered (radius acl)"); 1129 ieee80211_notify_node_auth(ni); 1130 return; 1131 } 1132 break; 1133 } 1134 case IEEE80211_AUTH_SHARED_RESPONSE: 1135 if (ni == vap->iv_bss) { 1136 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1137 ni->ni_macaddr, "shared key response", 1138 "%s", "unknown station"); 1139 /* NB: don't send a response */ 1140 return; 1141 } 1142 if (ni->ni_challenge == NULL) { 1143 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1144 ni->ni_macaddr, "shared key response", 1145 "%s", "no challenge recorded"); 1146 vap->iv_stats.is_rx_bad_auth++; 1147 estatus = IEEE80211_STATUS_CHALLENGE; 1148 goto bad; 1149 } 1150 if (memcmp(ni->ni_challenge, &challenge[2], 1151 challenge[1]) != 0) { 1152 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1153 ni->ni_macaddr, "shared key response", 1154 "%s", "challenge mismatch"); 1155 vap->iv_stats.is_rx_auth_fail++; 1156 estatus = IEEE80211_STATUS_CHALLENGE; 1157 goto bad; 1158 } 1159 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1160 ni, "%s", "station authenticated (shared key)"); 1161 ieee80211_node_authorize(ni); 1162 break; 1163 default: 1164 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1165 ni->ni_macaddr, "shared key auth", 1166 "bad seq %d", seq); 1167 vap->iv_stats.is_rx_bad_auth++; 1168 estatus = IEEE80211_STATUS_SEQUENCE; 1169 goto bad; 1170 } 1171 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1172 return; 1173 bad: 1174 /* 1175 * Send an error response; but only when operating as an AP. 1176 */ 1177 /* XXX hack to workaround calling convention */ 1178 ieee80211_send_error(ni, wh->i_addr2, 1179 IEEE80211_FC0_SUBTYPE_AUTH, 1180 (seq + 1) | (estatus<<16)); 1181 } 1182 1183 /* 1184 * Convert a WPA cipher selector OUI to an internal 1185 * cipher algorithm. Where appropriate we also 1186 * record any key length. 1187 */ 1188 static int 1189 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1190 { 1191 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1192 uint32_t w = le32dec(sel); 1193 1194 switch (w) { 1195 case WPA_SEL(WPA_CSE_NULL): 1196 *cipher = IEEE80211_CIPHER_NONE; 1197 break; 1198 case WPA_SEL(WPA_CSE_WEP40): 1199 if (keylen) 1200 *keylen = 40 / NBBY; 1201 *cipher = IEEE80211_CIPHER_WEP; 1202 break; 1203 case WPA_SEL(WPA_CSE_WEP104): 1204 if (keylen) 1205 *keylen = 104 / NBBY; 1206 *cipher = IEEE80211_CIPHER_WEP; 1207 break; 1208 case WPA_SEL(WPA_CSE_TKIP): 1209 *cipher = IEEE80211_CIPHER_TKIP; 1210 break; 1211 case WPA_SEL(WPA_CSE_CCMP): 1212 *cipher = IEEE80211_CIPHER_AES_CCM; 1213 break; 1214 default: 1215 return (EINVAL); 1216 } 1217 1218 return (0); 1219 #undef WPA_SEL 1220 } 1221 1222 /* 1223 * Convert a WPA key management/authentication algorithm 1224 * to an internal code. 1225 */ 1226 static int 1227 wpa_keymgmt(const uint8_t *sel) 1228 { 1229 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1230 uint32_t w = le32dec(sel); 1231 1232 switch (w) { 1233 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1234 return WPA_ASE_8021X_UNSPEC; 1235 case WPA_SEL(WPA_ASE_8021X_PSK): 1236 return WPA_ASE_8021X_PSK; 1237 case WPA_SEL(WPA_ASE_NONE): 1238 return WPA_ASE_NONE; 1239 } 1240 return 0; /* NB: so is discarded */ 1241 #undef WPA_SEL 1242 } 1243 1244 /* 1245 * Parse a WPA information element to collect parameters. 1246 * Note that we do not validate security parameters; that 1247 * is handled by the authenticator; the parsing done here 1248 * is just for internal use in making operational decisions. 1249 */ 1250 static int 1251 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1252 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1253 { 1254 uint8_t len = frm[1]; 1255 uint32_t w; 1256 int error, n; 1257 1258 /* 1259 * Check the length once for fixed parts: OUI, type, 1260 * version, mcast cipher, and 2 selector counts. 1261 * Other, variable-length data, must be checked separately. 1262 */ 1263 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1264 IEEE80211_DISCARD_IE(vap, 1265 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1266 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1267 return IEEE80211_REASON_IE_INVALID; 1268 } 1269 if (len < 14) { 1270 IEEE80211_DISCARD_IE(vap, 1271 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1272 wh, "WPA", "too short, len %u", len); 1273 return IEEE80211_REASON_IE_INVALID; 1274 } 1275 frm += 6, len -= 4; /* NB: len is payload only */ 1276 /* NB: iswpaoui already validated the OUI and type */ 1277 w = le16dec(frm); 1278 if (w != WPA_VERSION) { 1279 IEEE80211_DISCARD_IE(vap, 1280 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1281 wh, "WPA", "bad version %u", w); 1282 return IEEE80211_REASON_IE_INVALID; 1283 } 1284 frm += 2, len -= 2; 1285 1286 memset(rsn, 0, sizeof(*rsn)); 1287 1288 /* multicast/group cipher */ 1289 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1290 if (error != 0) { 1291 IEEE80211_DISCARD_IE(vap, 1292 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1293 wh, "WPA", "unknown mcast cipher suite %08X", 1294 le32dec(frm)); 1295 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1296 } 1297 frm += 4, len -= 4; 1298 1299 /* unicast ciphers */ 1300 n = le16dec(frm); 1301 frm += 2, len -= 2; 1302 if (len < n*4+2) { 1303 IEEE80211_DISCARD_IE(vap, 1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1305 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1306 len, n); 1307 return IEEE80211_REASON_IE_INVALID; 1308 } 1309 w = 0; 1310 for (; n > 0; n--) { 1311 uint8_t cipher; 1312 1313 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1314 if (error == 0) 1315 w |= 1 << cipher; 1316 1317 frm += 4, len -= 4; 1318 } 1319 if (w == 0) { 1320 IEEE80211_DISCARD_IE(vap, 1321 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1322 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1323 w); 1324 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1325 } 1326 /* XXX other? */ 1327 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1328 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1329 else 1330 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1331 1332 /* key management algorithms */ 1333 n = le16dec(frm); 1334 frm += 2, len -= 2; 1335 if (len < n*4) { 1336 IEEE80211_DISCARD_IE(vap, 1337 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1338 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1339 len, n); 1340 return IEEE80211_REASON_IE_INVALID; 1341 } 1342 w = 0; 1343 for (; n > 0; n--) { 1344 w |= wpa_keymgmt(frm); 1345 frm += 4, len -= 4; 1346 } 1347 if (w & WPA_ASE_8021X_UNSPEC) 1348 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1349 else 1350 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1351 1352 if (len > 2) /* optional capabilities */ 1353 rsn->rsn_caps = le16dec(frm); 1354 1355 return 0; 1356 } 1357 1358 /* 1359 * Convert an RSN cipher selector OUI to an internal 1360 * cipher algorithm. Where appropriate we also 1361 * record any key length. 1362 */ 1363 static int 1364 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1365 { 1366 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1367 uint32_t w = le32dec(sel); 1368 1369 switch (w) { 1370 case RSN_SEL(RSN_CSE_NULL): 1371 *cipher = IEEE80211_CIPHER_NONE; 1372 break; 1373 case RSN_SEL(RSN_CSE_WEP40): 1374 if (keylen) 1375 *keylen = 40 / NBBY; 1376 *cipher = IEEE80211_CIPHER_WEP; 1377 break; 1378 case RSN_SEL(RSN_CSE_WEP104): 1379 if (keylen) 1380 *keylen = 104 / NBBY; 1381 *cipher = IEEE80211_CIPHER_WEP; 1382 break; 1383 case RSN_SEL(RSN_CSE_TKIP): 1384 *cipher = IEEE80211_CIPHER_TKIP; 1385 break; 1386 case RSN_SEL(RSN_CSE_CCMP): 1387 *cipher = IEEE80211_CIPHER_AES_CCM; 1388 break; 1389 case RSN_SEL(RSN_CSE_WRAP): 1390 *cipher = IEEE80211_CIPHER_AES_OCB; 1391 break; 1392 default: 1393 return (EINVAL); 1394 } 1395 1396 return (0); 1397 #undef WPA_SEL 1398 } 1399 1400 /* 1401 * Convert an RSN key management/authentication algorithm 1402 * to an internal code. 1403 */ 1404 static int 1405 rsn_keymgmt(const uint8_t *sel) 1406 { 1407 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1408 uint32_t w = le32dec(sel); 1409 1410 switch (w) { 1411 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1412 return RSN_ASE_8021X_UNSPEC; 1413 case RSN_SEL(RSN_ASE_8021X_PSK): 1414 return RSN_ASE_8021X_PSK; 1415 case RSN_SEL(RSN_ASE_NONE): 1416 return RSN_ASE_NONE; 1417 } 1418 return 0; /* NB: so is discarded */ 1419 #undef RSN_SEL 1420 } 1421 1422 /* 1423 * Parse a WPA/RSN information element to collect parameters 1424 * and validate the parameters against what has been 1425 * configured for the system. 1426 */ 1427 static int 1428 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1429 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1430 { 1431 uint8_t len = frm[1]; 1432 uint32_t w; 1433 int error, n; 1434 1435 /* 1436 * Check the length once for fixed parts: 1437 * version, mcast cipher, and 2 selector counts. 1438 * Other, variable-length data, must be checked separately. 1439 */ 1440 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1441 IEEE80211_DISCARD_IE(vap, 1442 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1443 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1444 return IEEE80211_REASON_IE_INVALID; 1445 } 1446 /* XXX may be shorter */ 1447 if (len < 10) { 1448 IEEE80211_DISCARD_IE(vap, 1449 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1450 wh, "RSN", "too short, len %u", len); 1451 return IEEE80211_REASON_IE_INVALID; 1452 } 1453 frm += 2; 1454 w = le16dec(frm); 1455 if (w != RSN_VERSION) { 1456 IEEE80211_DISCARD_IE(vap, 1457 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1458 wh, "RSN", "bad version %u", w); 1459 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1460 } 1461 frm += 2, len -= 2; 1462 1463 memset(rsn, 0, sizeof(*rsn)); 1464 1465 /* multicast/group cipher */ 1466 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1467 if (error != 0) { 1468 IEEE80211_DISCARD_IE(vap, 1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1470 wh, "RSN", "unknown mcast cipher suite %08X", 1471 le32dec(frm)); 1472 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1473 } 1474 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1475 IEEE80211_DISCARD_IE(vap, 1476 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1477 wh, "RSN", "invalid mcast cipher suite %d", 1478 rsn->rsn_mcastcipher); 1479 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1480 } 1481 frm += 4, len -= 4; 1482 1483 /* unicast ciphers */ 1484 n = le16dec(frm); 1485 frm += 2, len -= 2; 1486 if (len < n*4+2) { 1487 IEEE80211_DISCARD_IE(vap, 1488 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1489 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1490 len, n); 1491 return IEEE80211_REASON_IE_INVALID; 1492 } 1493 w = 0; 1494 1495 for (; n > 0; n--) { 1496 uint8_t cipher; 1497 1498 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1499 if (error == 0) 1500 w |= 1 << cipher; 1501 1502 frm += 4, len -= 4; 1503 } 1504 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1506 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1508 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1510 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1511 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1512 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1513 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1514 else { 1515 IEEE80211_DISCARD_IE(vap, 1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1517 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1518 w); 1519 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1520 } 1521 1522 /* key management algorithms */ 1523 n = le16dec(frm); 1524 frm += 2, len -= 2; 1525 if (len < n*4) { 1526 IEEE80211_DISCARD_IE(vap, 1527 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1528 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1529 len, n); 1530 return IEEE80211_REASON_IE_INVALID; 1531 } 1532 w = 0; 1533 for (; n > 0; n--) { 1534 w |= rsn_keymgmt(frm); 1535 frm += 4, len -= 4; 1536 } 1537 if (w & RSN_ASE_8021X_UNSPEC) 1538 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1539 else 1540 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1541 1542 /* optional RSN capabilities */ 1543 if (len > 2) 1544 rsn->rsn_caps = le16dec(frm); 1545 /* XXXPMKID */ 1546 1547 return 0; 1548 } 1549 1550 /* 1551 * WPA/802.11i association request processing. 1552 */ 1553 static int 1554 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1555 const struct ieee80211_frame *wh, const uint8_t *wpa, 1556 const uint8_t *rsn, uint16_t capinfo) 1557 { 1558 struct ieee80211vap *vap = ni->ni_vap; 1559 uint8_t reason; 1560 int badwparsn; 1561 1562 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1563 if (wpa == NULL && rsn == NULL) { 1564 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1565 /* 1566 * W-Fi Protected Setup (WPS) permits 1567 * clients to associate and pass EAPOL frames 1568 * to establish initial credentials. 1569 */ 1570 ni->ni_flags |= IEEE80211_NODE_WPS; 1571 return 1; 1572 } 1573 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1574 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1575 /* 1576 * Transitional Security Network. Permits clients 1577 * to associate and use WEP while WPA is configured. 1578 */ 1579 ni->ni_flags |= IEEE80211_NODE_TSN; 1580 return 1; 1581 } 1582 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1583 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1584 vap->iv_stats.is_rx_assoc_badwpaie++; 1585 reason = IEEE80211_REASON_IE_INVALID; 1586 goto bad; 1587 } 1588 /* assert right association security credentials */ 1589 badwparsn = 0; /* NB: to silence compiler */ 1590 switch (vap->iv_flags & IEEE80211_F_WPA) { 1591 case IEEE80211_F_WPA1: 1592 badwparsn = (wpa == NULL); 1593 break; 1594 case IEEE80211_F_WPA2: 1595 badwparsn = (rsn == NULL); 1596 break; 1597 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1598 badwparsn = (wpa == NULL && rsn == NULL); 1599 break; 1600 } 1601 if (badwparsn) { 1602 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1603 wh, NULL, 1604 "%s", "missing WPA/RSN IE in association request"); 1605 vap->iv_stats.is_rx_assoc_badwpaie++; 1606 reason = IEEE80211_REASON_IE_INVALID; 1607 goto bad; 1608 } 1609 /* 1610 * Parse WPA/RSN information element. 1611 */ 1612 if (wpa != NULL) 1613 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1614 else 1615 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1616 if (reason != 0) { 1617 /* XXX wpa->rsn fallback? */ 1618 /* XXX distinguish WPA/RSN? */ 1619 vap->iv_stats.is_rx_assoc_badwpaie++; 1620 goto bad; 1621 } 1622 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1623 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1624 wpa != NULL ? "WPA" : "RSN", 1625 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1626 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1627 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1628 1629 return 1; 1630 bad: 1631 ieee80211_node_deauth(ni, reason); 1632 return 0; 1633 } 1634 1635 /* XXX find a better place for definition */ 1636 struct l2_update_frame { 1637 struct ether_header eh; 1638 uint8_t dsap; 1639 uint8_t ssap; 1640 uint8_t control; 1641 uint8_t xid[3]; 1642 } __packed; 1643 1644 /* 1645 * Deliver a TGf L2UF frame on behalf of a station. 1646 * This primes any bridge when the station is roaming 1647 * between ap's on the same wired network. 1648 */ 1649 static void 1650 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1651 { 1652 struct ieee80211vap *vap = ni->ni_vap; 1653 struct ifnet *ifp = vap->iv_ifp; 1654 struct mbuf *m; 1655 struct l2_update_frame *l2uf; 1656 struct ether_header *eh; 1657 1658 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1659 if (m == NULL) { 1660 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1661 "%s", "no mbuf for l2uf frame"); 1662 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1663 return; 1664 } 1665 l2uf = mtod(m, struct l2_update_frame *); 1666 eh = &l2uf->eh; 1667 /* dst: Broadcast address */ 1668 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1669 /* src: associated STA */ 1670 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1671 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1672 1673 l2uf->dsap = 0; 1674 l2uf->ssap = 0; 1675 l2uf->control = 0xf5; 1676 l2uf->xid[0] = 0x81; 1677 l2uf->xid[1] = 0x80; 1678 l2uf->xid[2] = 0x00; 1679 1680 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1681 hostap_deliver_data(vap, ni, m); 1682 } 1683 1684 static void 1685 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1686 int reassoc, int resp, const char *tag, int rate) 1687 { 1688 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1689 "deny %s request, %s rate set mismatch, rate/MCS %d", 1690 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1691 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1692 ieee80211_node_leave(ni); 1693 } 1694 1695 static void 1696 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1697 int reassoc, int resp, const char *tag, int capinfo) 1698 { 1699 struct ieee80211vap *vap = ni->ni_vap; 1700 1701 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1702 "deny %s request, %s mismatch 0x%x", 1703 reassoc ? "reassoc" : "assoc", tag, capinfo); 1704 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1705 ieee80211_node_leave(ni); 1706 vap->iv_stats.is_rx_assoc_capmismatch++; 1707 } 1708 1709 static void 1710 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1711 int reassoc, int resp) 1712 { 1713 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1714 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1715 /* XXX no better code */ 1716 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1717 ieee80211_node_leave(ni); 1718 } 1719 1720 static void 1721 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1722 int algo, int seq, int status) 1723 { 1724 struct ieee80211vap *vap = ni->ni_vap; 1725 1726 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1727 wh, NULL, "unsupported alg %d", algo); 1728 vap->iv_stats.is_rx_auth_unsupported++; 1729 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1730 seq | (status << 16)); 1731 } 1732 1733 static __inline int 1734 ishtmixed(const uint8_t *ie) 1735 { 1736 const struct ieee80211_ie_htinfo *ht = 1737 (const struct ieee80211_ie_htinfo *) ie; 1738 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1739 IEEE80211_HTINFO_OPMODE_MIXED; 1740 } 1741 1742 static int 1743 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1744 { 1745 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1746 int i; 1747 1748 /* NB: the 11b clients we care about will not have xrates */ 1749 if (xrates != NULL || rates == NULL) 1750 return 0; 1751 for (i = 0; i < rates[1]; i++) { 1752 int r = rates[2+i] & IEEE80211_RATE_VAL; 1753 if (r > 2*11 || ((1<<r) & brates) == 0) 1754 return 0; 1755 } 1756 return 1; 1757 } 1758 1759 static void 1760 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1761 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1762 { 1763 struct ieee80211vap *vap = ni->ni_vap; 1764 struct ieee80211com *ic = ni->ni_ic; 1765 struct ieee80211_frame *wh; 1766 uint8_t *frm, *efrm, *sfrm; 1767 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1768 uint8_t *vhtcap, *vhtinfo; 1769 int reassoc, resp; 1770 uint8_t rate; 1771 1772 wh = mtod(m0, struct ieee80211_frame *); 1773 frm = (uint8_t *)&wh[1]; 1774 efrm = mtod(m0, uint8_t *) + m0->m_len; 1775 switch (subtype) { 1776 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1777 /* 1778 * We process beacon/probe response frames when scanning; 1779 * otherwise we check beacon frames for overlapping non-ERP 1780 * BSS in 11g and/or overlapping legacy BSS when in HT. 1781 */ 1782 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1783 vap->iv_stats.is_rx_mgtdiscard++; 1784 return; 1785 } 1786 /* FALLTHROUGH */ 1787 case IEEE80211_FC0_SUBTYPE_BEACON: { 1788 struct ieee80211_scanparams scan; 1789 1790 /* NB: accept off-channel frames */ 1791 /* XXX TODO: use rxstatus to determine off-channel details */ 1792 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1793 return; 1794 /* 1795 * Count frame now that we know it's to be processed. 1796 */ 1797 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1798 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1799 IEEE80211_NODE_STAT(ni, rx_beacons); 1800 } else 1801 IEEE80211_NODE_STAT(ni, rx_proberesp); 1802 /* 1803 * If scanning, just pass information to the scan module. 1804 */ 1805 if (ic->ic_flags & IEEE80211_F_SCAN) { 1806 if (scan.status == 0 && /* NB: on channel */ 1807 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1808 /* 1809 * Actively scanning a channel marked passive; 1810 * send a probe request now that we know there 1811 * is 802.11 traffic present. 1812 * 1813 * XXX check if the beacon we recv'd gives 1814 * us what we need and suppress the probe req 1815 */ 1816 ieee80211_probe_curchan(vap, 1); 1817 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1818 } 1819 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1820 subtype, rssi, nf); 1821 return; 1822 } 1823 /* 1824 * Check beacon for overlapping bss w/ non ERP stations. 1825 * If we detect one and protection is configured but not 1826 * enabled, enable it and start a timer that'll bring us 1827 * out if we stop seeing the bss. 1828 */ 1829 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1830 scan.status == 0 && /* NB: on-channel */ 1831 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1832 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1833 vap->iv_lastnonerp = ticks; 1834 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1835 /* 1836 * XXX TODO: this may need to check all VAPs? 1837 */ 1838 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1839 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1840 IEEE80211_NOTE_FRAME(vap, 1841 IEEE80211_MSG_ASSOC, wh, 1842 "non-ERP present on channel %d " 1843 "(saw erp 0x%x from channel %d), " 1844 "enable use of protection", 1845 ic->ic_curchan->ic_ieee, 1846 scan.erp, scan.chan); 1847 vap->iv_flags |= IEEE80211_F_USEPROT; 1848 ieee80211_vap_update_erp_protmode(vap); 1849 } 1850 } 1851 /* 1852 * Check beacon for non-HT station on HT channel 1853 * and update HT BSS occupancy as appropriate. 1854 */ 1855 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1856 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1857 /* 1858 * Off control channel; only check frames 1859 * that come in the extension channel when 1860 * operating w/ HT40. 1861 */ 1862 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1863 break; 1864 if (scan.chan != ic->ic_curchan->ic_extieee) 1865 break; 1866 } 1867 if (scan.htinfo == NULL) { 1868 ieee80211_htprot_update(vap, 1869 IEEE80211_HTINFO_OPMODE_PROTOPT | 1870 IEEE80211_HTINFO_NONHT_PRESENT); 1871 } else if (ishtmixed(scan.htinfo)) { 1872 /* XXX? take NONHT_PRESENT from beacon? */ 1873 ieee80211_htprot_update(vap, 1874 IEEE80211_HTINFO_OPMODE_MIXED | 1875 IEEE80211_HTINFO_NONHT_PRESENT); 1876 } 1877 } 1878 break; 1879 } 1880 1881 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1882 if (vap->iv_state != IEEE80211_S_RUN) { 1883 vap->iv_stats.is_rx_mgtdiscard++; 1884 return; 1885 } 1886 /* 1887 * Consult the ACL policy module if setup. 1888 */ 1889 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1890 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1891 wh, NULL, "%s", "disallowed by ACL"); 1892 vap->iv_stats.is_rx_acl++; 1893 return; 1894 } 1895 /* 1896 * prreq frame format 1897 * [tlv] ssid 1898 * [tlv] supported rates 1899 * [tlv] extended supported rates 1900 */ 1901 ssid = rates = xrates = NULL; 1902 while (efrm - frm > 1) { 1903 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1904 switch (*frm) { 1905 case IEEE80211_ELEMID_SSID: 1906 ssid = frm; 1907 break; 1908 case IEEE80211_ELEMID_RATES: 1909 rates = frm; 1910 break; 1911 case IEEE80211_ELEMID_XRATES: 1912 xrates = frm; 1913 break; 1914 } 1915 frm += frm[1] + 2; 1916 } 1917 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1918 if (xrates != NULL) 1919 IEEE80211_VERIFY_ELEMENT(xrates, 1920 IEEE80211_RATE_MAXSIZE - rates[1], return); 1921 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1922 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1923 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1924 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1925 wh, NULL, 1926 "%s", "no ssid with ssid suppression enabled"); 1927 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1928 return; 1929 } 1930 1931 /* XXX find a better class or define it's own */ 1932 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1933 "%s", "recv probe req"); 1934 /* 1935 * Some legacy 11b clients cannot hack a complete 1936 * probe response frame. When the request includes 1937 * only a bare-bones rate set, communicate this to 1938 * the transmit side. 1939 */ 1940 ieee80211_send_proberesp(vap, wh->i_addr2, 1941 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1942 break; 1943 1944 case IEEE80211_FC0_SUBTYPE_AUTH: { 1945 uint16_t algo, seq, status; 1946 1947 if (vap->iv_state != IEEE80211_S_RUN) { 1948 vap->iv_stats.is_rx_mgtdiscard++; 1949 return; 1950 } 1951 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1952 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1953 wh, NULL, "%s", "wrong bssid"); 1954 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1955 return; 1956 } 1957 /* 1958 * auth frame format 1959 * [2] algorithm 1960 * [2] sequence 1961 * [2] status 1962 * [tlv*] challenge 1963 */ 1964 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1965 algo = le16toh(*(uint16_t *)frm); 1966 seq = le16toh(*(uint16_t *)(frm + 2)); 1967 status = le16toh(*(uint16_t *)(frm + 4)); 1968 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1969 "recv auth frame with algorithm %d seq %d", algo, seq); 1970 /* 1971 * Consult the ACL policy module if setup. 1972 */ 1973 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1974 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1975 wh, NULL, "%s", "disallowed by ACL"); 1976 vap->iv_stats.is_rx_acl++; 1977 ieee80211_send_error(ni, wh->i_addr2, 1978 IEEE80211_FC0_SUBTYPE_AUTH, 1979 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1980 return; 1981 } 1982 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1983 IEEE80211_DISCARD(vap, 1984 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1985 wh, NULL, "%s", "TKIP countermeasures enabled"); 1986 vap->iv_stats.is_rx_auth_countermeasures++; 1987 ieee80211_send_error(ni, wh->i_addr2, 1988 IEEE80211_FC0_SUBTYPE_AUTH, 1989 IEEE80211_REASON_MIC_FAILURE); 1990 return; 1991 } 1992 if (algo == IEEE80211_AUTH_ALG_SHARED) 1993 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1994 seq, status); 1995 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1996 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1997 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1998 authalgreject(ni, wh, algo, 1999 seq+1, IEEE80211_STATUS_ALG); 2000 return; 2001 } else { 2002 /* 2003 * We assume that an unknown algorithm is the result 2004 * of a decryption failure on a shared key auth frame; 2005 * return a status code appropriate for that instead 2006 * of IEEE80211_STATUS_ALG. 2007 * 2008 * NB: a seq# of 4 is intentional; the decrypted 2009 * frame likely has a bogus seq value. 2010 */ 2011 authalgreject(ni, wh, algo, 2012 4, IEEE80211_STATUS_CHALLENGE); 2013 return; 2014 } 2015 break; 2016 } 2017 2018 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2019 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2020 uint16_t capinfo, lintval; 2021 struct ieee80211_rsnparms rsnparms; 2022 2023 if (vap->iv_state != IEEE80211_S_RUN) { 2024 vap->iv_stats.is_rx_mgtdiscard++; 2025 return; 2026 } 2027 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2028 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2029 wh, NULL, "%s", "wrong bssid"); 2030 vap->iv_stats.is_rx_assoc_bss++; 2031 return; 2032 } 2033 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2034 reassoc = 1; 2035 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2036 } else { 2037 reassoc = 0; 2038 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2039 } 2040 if (ni == vap->iv_bss) { 2041 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2042 "deny %s request, sta not authenticated", 2043 reassoc ? "reassoc" : "assoc"); 2044 ieee80211_send_error(ni, wh->i_addr2, 2045 IEEE80211_FC0_SUBTYPE_DEAUTH, 2046 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2047 vap->iv_stats.is_rx_assoc_notauth++; 2048 return; 2049 } 2050 2051 /* 2052 * asreq frame format 2053 * [2] capability information 2054 * [2] listen interval 2055 * [6*] current AP address (reassoc only) 2056 * [tlv] ssid 2057 * [tlv] supported rates 2058 * [tlv] extended supported rates 2059 * [tlv] WPA or RSN 2060 * [tlv] HT capabilities 2061 * [tlv] Atheros capabilities 2062 */ 2063 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2064 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2065 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2066 if (reassoc) 2067 frm += 6; /* ignore current AP info */ 2068 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2069 vhtcap = vhtinfo = NULL; 2070 sfrm = frm; 2071 while (efrm - frm > 1) { 2072 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2073 switch (*frm) { 2074 case IEEE80211_ELEMID_SSID: 2075 ssid = frm; 2076 break; 2077 case IEEE80211_ELEMID_RATES: 2078 rates = frm; 2079 break; 2080 case IEEE80211_ELEMID_XRATES: 2081 xrates = frm; 2082 break; 2083 case IEEE80211_ELEMID_RSN: 2084 rsn = frm; 2085 break; 2086 case IEEE80211_ELEMID_HTCAP: 2087 htcap = frm; 2088 break; 2089 case IEEE80211_ELEMID_VHT_CAP: 2090 vhtcap = frm; 2091 break; 2092 case IEEE80211_ELEMID_VHT_OPMODE: 2093 vhtinfo = frm; 2094 break; 2095 case IEEE80211_ELEMID_VENDOR: 2096 if (iswpaoui(frm)) 2097 wpa = frm; 2098 else if (iswmeinfo(frm)) 2099 wme = frm; 2100 #ifdef IEEE80211_SUPPORT_SUPERG 2101 else if (isatherosoui(frm)) 2102 ath = frm; 2103 #endif 2104 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2105 if (ishtcapoui(frm) && htcap == NULL) 2106 htcap = frm; 2107 } 2108 break; 2109 } 2110 frm += frm[1] + 2; 2111 } 2112 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2113 if (xrates != NULL) 2114 IEEE80211_VERIFY_ELEMENT(xrates, 2115 IEEE80211_RATE_MAXSIZE - rates[1], return); 2116 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2117 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2118 if (htcap != NULL) { 2119 IEEE80211_VERIFY_LENGTH(htcap[1], 2120 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2121 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2122 sizeof(struct ieee80211_ie_htcap)-2, 2123 return); /* XXX just NULL out? */ 2124 } 2125 2126 /* Validate VHT IEs */ 2127 if (vhtcap != NULL) { 2128 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2129 sizeof(struct ieee80211_ie_vhtcap) - 2, 2130 return); 2131 } 2132 if (vhtinfo != NULL) { 2133 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2134 sizeof(struct ieee80211_ie_vht_operation) - 2, 2135 return); 2136 } 2137 2138 if ((vap->iv_flags & IEEE80211_F_WPA) && 2139 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2140 return; 2141 /* discard challenge after association */ 2142 if (ni->ni_challenge != NULL) { 2143 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2144 ni->ni_challenge = NULL; 2145 } 2146 /* NB: 802.11 spec says to ignore station's privacy bit */ 2147 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2148 capinfomismatch(ni, wh, reassoc, resp, 2149 "capability", capinfo); 2150 return; 2151 } 2152 /* 2153 * Disallow re-associate w/ invalid slot time setting. 2154 */ 2155 if (ni->ni_associd != 0 && 2156 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2157 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2158 capinfomismatch(ni, wh, reassoc, resp, 2159 "slot time", capinfo); 2160 return; 2161 } 2162 rate = ieee80211_setup_rates(ni, rates, xrates, 2163 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2164 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2165 if (rate & IEEE80211_RATE_BASIC) { 2166 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2167 vap->iv_stats.is_rx_assoc_norate++; 2168 return; 2169 } 2170 /* 2171 * If constrained to 11g-only stations reject an 2172 * 11b-only station. We cheat a bit here by looking 2173 * at the max negotiated xmit rate and assuming anyone 2174 * with a best rate <24Mb/s is an 11b station. 2175 */ 2176 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2177 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2178 vap->iv_stats.is_rx_assoc_norate++; 2179 return; 2180 } 2181 2182 /* 2183 * Do HT rate set handling and setup HT node state. 2184 */ 2185 ni->ni_chan = vap->iv_bss->ni_chan; 2186 2187 /* VHT */ 2188 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2189 vhtcap != NULL && 2190 vhtinfo != NULL) { 2191 /* XXX TODO; see below */ 2192 printf("%s: VHT TODO!\n", __func__); 2193 ieee80211_vht_node_init(ni); 2194 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2195 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2196 ieee80211_vht_node_cleanup(ni); 2197 2198 /* HT */ 2199 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2200 rate = ieee80211_setup_htrates(ni, htcap, 2201 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2202 IEEE80211_F_DOBRS); 2203 if (rate & IEEE80211_RATE_BASIC) { 2204 ratesetmismatch(ni, wh, reassoc, resp, 2205 "HT", rate); 2206 vap->iv_stats.is_ht_assoc_norate++; 2207 return; 2208 } 2209 ieee80211_ht_node_init(ni); 2210 ieee80211_ht_updatehtcap(ni, htcap); 2211 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2212 ieee80211_ht_node_cleanup(ni); 2213 2214 /* Finally - this will use HT/VHT info to change node channel */ 2215 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2216 ieee80211_ht_updatehtcap_final(ni); 2217 } 2218 2219 #ifdef IEEE80211_SUPPORT_SUPERG 2220 /* Always do ff node cleanup; for A-MSDU */ 2221 ieee80211_ff_node_cleanup(ni); 2222 #endif 2223 /* 2224 * Allow AMPDU operation only with unencrypted traffic 2225 * or AES-CCM; the 11n spec only specifies these ciphers 2226 * so permitting any others is undefined and can lead 2227 * to interoperability problems. 2228 */ 2229 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2230 (((vap->iv_flags & IEEE80211_F_WPA) && 2231 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2232 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2233 IEEE80211_NOTE(vap, 2234 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2235 "disallow HT use because WEP or TKIP requested, " 2236 "capinfo 0x%x ucastcipher %d", capinfo, 2237 rsnparms.rsn_ucastcipher); 2238 ieee80211_ht_node_cleanup(ni); 2239 #ifdef IEEE80211_SUPPORT_SUPERG 2240 /* Always do ff node cleanup; for A-MSDU */ 2241 ieee80211_ff_node_cleanup(ni); 2242 #endif 2243 vap->iv_stats.is_ht_assoc_downgrade++; 2244 } 2245 /* 2246 * If constrained to 11n-only stations reject legacy stations. 2247 */ 2248 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2249 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2250 htcapmismatch(ni, wh, reassoc, resp); 2251 vap->iv_stats.is_ht_assoc_nohtcap++; 2252 return; 2253 } 2254 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2255 ni->ni_noise = nf; 2256 ni->ni_intval = lintval; 2257 ni->ni_capinfo = capinfo; 2258 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2259 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2260 /* 2261 * Store the IEs. 2262 * XXX maybe better to just expand 2263 */ 2264 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2265 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2266 if (wpa != NULL) 2267 setie(wpa_ie, wpa - sfrm); 2268 if (rsn != NULL) 2269 setie(rsn_ie, rsn - sfrm); 2270 if (htcap != NULL) 2271 setie(htcap_ie, htcap - sfrm); 2272 if (wme != NULL) { 2273 setie(wme_ie, wme - sfrm); 2274 /* 2275 * Mark node as capable of QoS. 2276 */ 2277 ni->ni_flags |= IEEE80211_NODE_QOS; 2278 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2279 if (ni->ni_uapsd != 0) 2280 ni->ni_flags |= 2281 IEEE80211_NODE_UAPSD; 2282 else 2283 ni->ni_flags &= 2284 ~IEEE80211_NODE_UAPSD; 2285 } 2286 } else 2287 ni->ni_flags &= 2288 ~(IEEE80211_NODE_QOS | 2289 IEEE80211_NODE_UAPSD); 2290 #ifdef IEEE80211_SUPPORT_SUPERG 2291 if (ath != NULL) { 2292 setie(ath_ie, ath - sfrm); 2293 /* 2294 * Parse ATH station parameters. 2295 */ 2296 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2297 } else 2298 #endif 2299 ni->ni_ath_flags = 0; 2300 #undef setie 2301 } else { 2302 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2303 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2304 ni->ni_ath_flags = 0; 2305 } 2306 ieee80211_node_join(ni, resp); 2307 ieee80211_deliver_l2uf(ni); 2308 break; 2309 } 2310 2311 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2312 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2313 #ifdef IEEE80211_DEBUG 2314 uint16_t reason; 2315 #endif 2316 2317 if (vap->iv_state != IEEE80211_S_RUN || 2318 /* NB: can happen when in promiscuous mode */ 2319 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2320 vap->iv_stats.is_rx_mgtdiscard++; 2321 break; 2322 } 2323 /* 2324 * deauth/disassoc frame format 2325 * [2] reason 2326 */ 2327 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2328 #ifdef IEEE80211_DEBUG 2329 reason = le16toh(*(uint16_t *)frm); 2330 #endif 2331 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2332 vap->iv_stats.is_rx_deauth++; 2333 IEEE80211_NODE_STAT(ni, rx_deauth); 2334 } else { 2335 vap->iv_stats.is_rx_disassoc++; 2336 IEEE80211_NODE_STAT(ni, rx_disassoc); 2337 } 2338 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2339 "recv %s (reason: %d (%s))", 2340 ieee80211_mgt_subtype_name(subtype), 2341 reason, ieee80211_reason_to_string(reason)); 2342 if (ni != vap->iv_bss) 2343 ieee80211_node_leave(ni); 2344 break; 2345 } 2346 2347 case IEEE80211_FC0_SUBTYPE_ACTION: 2348 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2349 if (ni == vap->iv_bss) { 2350 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2351 wh, NULL, "%s", "unknown node"); 2352 vap->iv_stats.is_rx_mgtdiscard++; 2353 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2354 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2355 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2356 wh, NULL, "%s", "not for us"); 2357 vap->iv_stats.is_rx_mgtdiscard++; 2358 } else if (vap->iv_state != IEEE80211_S_RUN) { 2359 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2360 wh, NULL, "wrong state %s", 2361 ieee80211_state_name[vap->iv_state]); 2362 vap->iv_stats.is_rx_mgtdiscard++; 2363 } else { 2364 if (ieee80211_parse_action(ni, m0) == 0) 2365 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2366 } 2367 break; 2368 2369 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2370 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2371 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2372 case IEEE80211_FC0_SUBTYPE_ATIM: 2373 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2374 wh, NULL, "%s", "not handled"); 2375 vap->iv_stats.is_rx_mgtdiscard++; 2376 break; 2377 2378 default: 2379 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2380 wh, "mgt", "subtype 0x%x not handled", subtype); 2381 vap->iv_stats.is_rx_badsubtype++; 2382 break; 2383 } 2384 } 2385 2386 static void 2387 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2388 { 2389 switch (subtype) { 2390 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2391 ni->ni_vap->iv_recv_pspoll(ni, m); 2392 break; 2393 case IEEE80211_FC0_SUBTYPE_BAR: 2394 ieee80211_recv_bar(ni, m); 2395 break; 2396 } 2397 } 2398 2399 /* 2400 * Process a received ps-poll frame. 2401 */ 2402 void 2403 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2404 { 2405 struct ieee80211vap *vap = ni->ni_vap; 2406 struct ieee80211com *ic = vap->iv_ic; 2407 struct ieee80211_frame_min *wh; 2408 struct mbuf *m; 2409 uint16_t aid; 2410 int qlen; 2411 2412 wh = mtod(m0, struct ieee80211_frame_min *); 2413 if (ni->ni_associd == 0) { 2414 IEEE80211_DISCARD(vap, 2415 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2416 (struct ieee80211_frame *) wh, NULL, 2417 "%s", "unassociated station"); 2418 vap->iv_stats.is_ps_unassoc++; 2419 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2420 IEEE80211_REASON_NOT_ASSOCED); 2421 return; 2422 } 2423 2424 aid = le16toh(*(uint16_t *)wh->i_dur); 2425 if (aid != ni->ni_associd) { 2426 IEEE80211_DISCARD(vap, 2427 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2428 (struct ieee80211_frame *) wh, NULL, 2429 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2430 ni->ni_associd, aid); 2431 vap->iv_stats.is_ps_badaid++; 2432 /* 2433 * NB: We used to deauth the station but it turns out 2434 * the Blackberry Curve 8230 (and perhaps other devices) 2435 * sometimes send the wrong AID when WME is negotiated. 2436 * Being more lenient here seems ok as we already check 2437 * the station is associated and we only return frames 2438 * queued for the station (i.e. we don't use the AID). 2439 */ 2440 return; 2441 } 2442 2443 /* Okay, take the first queued packet and put it out... */ 2444 m = ieee80211_node_psq_dequeue(ni, &qlen); 2445 if (m == NULL) { 2446 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2447 "%s", "recv ps-poll, but queue empty"); 2448 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2449 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2450 if (vap->iv_set_tim != NULL) 2451 vap->iv_set_tim(ni, 0); /* just in case */ 2452 return; 2453 } 2454 /* 2455 * If there are more packets, set the more packets bit 2456 * in the packet dispatched to the station; otherwise 2457 * turn off the TIM bit. 2458 */ 2459 if (qlen != 0) { 2460 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2461 "recv ps-poll, send packet, %u still queued", qlen); 2462 m->m_flags |= M_MORE_DATA; 2463 } else { 2464 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2465 "%s", "recv ps-poll, send packet, queue empty"); 2466 if (vap->iv_set_tim != NULL) 2467 vap->iv_set_tim(ni, 0); 2468 } 2469 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2470 2471 /* 2472 * Do the right thing; if it's an encap'ed frame then 2473 * call ieee80211_parent_xmitpkt() else 2474 * call ieee80211_vap_xmitpkt(). 2475 */ 2476 if (m->m_flags & M_ENCAP) { 2477 (void) ieee80211_parent_xmitpkt(ic, m); 2478 } else { 2479 (void) ieee80211_vap_xmitpkt(vap, m); 2480 } 2481 } 2482