1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 /* 29 * IEEE 802.11 HOSTAP mode support. 30 */ 31 #include "opt_inet.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 #include <net/if_private.h> 52 #include <net/ethernet.h> 53 54 #include <net/bpf.h> 55 56 #include <net80211/ieee80211_var.h> 57 #include <net80211/ieee80211_hostap.h> 58 #include <net80211/ieee80211_input.h> 59 #ifdef IEEE80211_SUPPORT_SUPERG 60 #include <net80211/ieee80211_superg.h> 61 #endif 62 #include <net80211/ieee80211_wds.h> 63 #include <net80211/ieee80211_vht.h> 64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 65 66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68 static void hostap_vattach(struct ieee80211vap *); 69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 71 const struct ieee80211_rx_stats *, 72 int rssi, int nf); 73 static void hostap_deliver_data(struct ieee80211vap *, 74 struct ieee80211_node *, struct mbuf *); 75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 78 79 void 80 ieee80211_hostap_attach(struct ieee80211com *ic) 81 { 82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 83 } 84 85 void 86 ieee80211_hostap_detach(struct ieee80211com *ic) 87 { 88 } 89 90 static void 91 hostap_vdetach(struct ieee80211vap *vap) 92 { 93 } 94 95 static void 96 hostap_vattach(struct ieee80211vap *vap) 97 { 98 vap->iv_newstate = hostap_newstate; 99 vap->iv_input = hostap_input; 100 vap->iv_recv_mgmt = hostap_recv_mgmt; 101 vap->iv_recv_ctl = hostap_recv_ctl; 102 vap->iv_opdetach = hostap_vdetach; 103 vap->iv_deliver_data = hostap_deliver_data; 104 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 105 } 106 107 static void 108 sta_disassoc(void *arg, struct ieee80211_node *ni) 109 { 110 111 if (ni->ni_associd != 0) { 112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 113 IEEE80211_REASON_ASSOC_LEAVE); 114 ieee80211_node_leave(ni); 115 } 116 } 117 118 static void 119 sta_csa(void *arg, struct ieee80211_node *ni) 120 { 121 struct ieee80211vap *vap = ni->ni_vap; 122 123 if (ni->ni_associd != 0) 124 if (ni->ni_inact > vap->iv_inact_init) { 125 ni->ni_inact = vap->iv_inact_init; 126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 127 "%s: inact %u", __func__, ni->ni_inact); 128 } 129 } 130 131 static void 132 sta_drop(void *arg, struct ieee80211_node *ni) 133 { 134 135 if (ni->ni_associd != 0) 136 ieee80211_node_leave(ni); 137 } 138 139 /* 140 * Does a channel change require associated stations to re-associate 141 * so protocol state is correct. This is used when doing CSA across 142 * bands or similar (e.g. HT -> legacy). 143 */ 144 static int 145 isbandchange(struct ieee80211com *ic) 146 { 147 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 148 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 149 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 150 } 151 152 /* 153 * IEEE80211_M_HOSTAP vap state machine handler. 154 */ 155 static int 156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 157 { 158 struct ieee80211com *ic = vap->iv_ic; 159 enum ieee80211_state ostate; 160 161 IEEE80211_LOCK_ASSERT(ic); 162 163 ostate = vap->iv_state; 164 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 165 __func__, ieee80211_state_name[ostate], 166 ieee80211_state_name[nstate], arg); 167 vap->iv_state = nstate; /* state transition */ 168 if (ostate != IEEE80211_S_SCAN) 169 ieee80211_cancel_scan(vap); /* background scan */ 170 switch (nstate) { 171 case IEEE80211_S_INIT: 172 switch (ostate) { 173 case IEEE80211_S_SCAN: 174 ieee80211_cancel_scan(vap); 175 break; 176 case IEEE80211_S_CAC: 177 ieee80211_dfs_cac_stop(vap); 178 break; 179 case IEEE80211_S_RUN: 180 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 181 sta_disassoc, NULL); 182 break; 183 default: 184 break; 185 } 186 if (ostate != IEEE80211_S_INIT) { 187 /* NB: optimize INIT -> INIT case */ 188 ieee80211_reset_bss(vap); 189 } 190 if (vap->iv_auth->ia_detach != NULL) 191 vap->iv_auth->ia_detach(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 switch (ostate) { 195 case IEEE80211_S_CSA: 196 case IEEE80211_S_RUN: 197 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 198 sta_disassoc, NULL); 199 /* 200 * Clear overlapping BSS state; the beacon frame 201 * will be reconstructed on transition to the RUN 202 * state and the timeout routines check if the flag 203 * is set before doing anything so this is sufficient. 204 */ 205 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 206 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 207 /* XXX TODO: schedule deferred update? */ 208 /* fall thru... */ 209 case IEEE80211_S_CAC: 210 /* 211 * NB: We may get here because of a manual channel 212 * change in which case we need to stop CAC 213 * XXX no need to stop if ostate RUN but it's ok 214 */ 215 ieee80211_dfs_cac_stop(vap); 216 /* fall thru... */ 217 case IEEE80211_S_INIT: 218 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 219 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 220 /* 221 * Already have a channel; bypass the 222 * scan and startup immediately. 223 * ieee80211_create_ibss will call back to 224 * move us to RUN state. 225 */ 226 ieee80211_create_ibss(vap, vap->iv_des_chan); 227 break; 228 } 229 /* 230 * Initiate a scan. We can come here as a result 231 * of an IEEE80211_IOC_SCAN_REQ too in which case 232 * the vap will be marked with IEEE80211_FEXT_SCANREQ 233 * and the scan request parameters will be present 234 * in iv_scanreq. Otherwise we do the default. 235 */ 236 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 237 ieee80211_check_scan(vap, 238 vap->iv_scanreq_flags, 239 vap->iv_scanreq_duration, 240 vap->iv_scanreq_mindwell, 241 vap->iv_scanreq_maxdwell, 242 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 243 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 244 } else 245 ieee80211_check_scan_current(vap); 246 break; 247 case IEEE80211_S_SCAN: 248 /* 249 * A state change requires a reset; scan. 250 */ 251 ieee80211_check_scan_current(vap); 252 break; 253 default: 254 break; 255 } 256 break; 257 case IEEE80211_S_CAC: 258 /* 259 * Start CAC on a DFS channel. We come here when starting 260 * a bss on a DFS channel (see ieee80211_create_ibss). 261 */ 262 ieee80211_dfs_cac_start(vap); 263 break; 264 case IEEE80211_S_RUN: 265 if (vap->iv_flags & IEEE80211_F_WPA) { 266 /* XXX validate prerequisites */ 267 } 268 switch (ostate) { 269 case IEEE80211_S_INIT: 270 /* 271 * Already have a channel; bypass the 272 * scan and startup immediately. 273 * Note that ieee80211_create_ibss will call 274 * back to do a RUN->RUN state change. 275 */ 276 ieee80211_create_ibss(vap, 277 ieee80211_ht_adjust_channel(ic, 278 ic->ic_curchan, vap->iv_flags_ht)); 279 /* NB: iv_bss is changed on return */ 280 break; 281 case IEEE80211_S_CAC: 282 /* 283 * NB: This is the normal state change when CAC 284 * expires and no radar was detected; no need to 285 * clear the CAC timer as it's already expired. 286 */ 287 /* fall thru... */ 288 case IEEE80211_S_CSA: 289 /* 290 * Shorten inactivity timer of associated stations 291 * to weed out sta's that don't follow a CSA. 292 */ 293 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 294 sta_csa, NULL); 295 /* 296 * Update bss node channel to reflect where 297 * we landed after CSA. 298 */ 299 ieee80211_node_set_chan(vap->iv_bss, 300 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 301 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 302 /* XXX bypass debug msgs */ 303 break; 304 case IEEE80211_S_SCAN: 305 case IEEE80211_S_RUN: 306 #ifdef IEEE80211_DEBUG 307 if (ieee80211_msg_debug(vap)) { 308 struct ieee80211_node *ni = vap->iv_bss; 309 ieee80211_note(vap, 310 "synchronized with %s ssid ", 311 ether_sprintf(ni->ni_bssid)); 312 ieee80211_print_essid(ni->ni_essid, 313 ni->ni_esslen); 314 /* XXX MCS/HT */ 315 printf(" channel %d start %uMb\n", 316 ieee80211_chan2ieee(ic, ic->ic_curchan), 317 IEEE80211_RATE2MBS(ni->ni_txrate)); 318 } 319 #endif 320 break; 321 default: 322 break; 323 } 324 /* 325 * Start/stop the authenticator. We delay until here 326 * to allow configuration to happen out of order. 327 */ 328 if (vap->iv_auth->ia_attach != NULL) { 329 /* XXX check failure */ 330 vap->iv_auth->ia_attach(vap); 331 } else if (vap->iv_auth->ia_detach != NULL) { 332 vap->iv_auth->ia_detach(vap); 333 } 334 ieee80211_node_authorize(vap->iv_bss); 335 break; 336 case IEEE80211_S_CSA: 337 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 338 /* 339 * On a ``band change'' silently drop associated 340 * stations as they must re-associate before they 341 * can pass traffic (as otherwise protocol state 342 * such as capabilities and the negotiated rate 343 * set may/will be wrong). 344 */ 345 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 346 sta_drop, NULL); 347 } 348 break; 349 default: 350 break; 351 } 352 return 0; 353 } 354 355 static void 356 hostap_deliver_data(struct ieee80211vap *vap, 357 struct ieee80211_node *ni, struct mbuf *m) 358 { 359 struct ether_header *eh = mtod(m, struct ether_header *); 360 struct ifnet *ifp = vap->iv_ifp; 361 362 /* clear driver/net80211 flags before passing up */ 363 m->m_flags &= ~(M_MCAST | M_BCAST); 364 m_clrprotoflags(m); 365 366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 367 ("gack, opmode %d", vap->iv_opmode)); 368 /* 369 * Do accounting. 370 */ 371 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 372 IEEE80211_NODE_STAT(ni, rx_data); 373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 375 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 376 IEEE80211_NODE_STAT(ni, rx_mcast); 377 } else 378 IEEE80211_NODE_STAT(ni, rx_ucast); 379 380 /* perform as a bridge within the AP */ 381 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 382 struct mbuf *mcopy = NULL; 383 384 if (m->m_flags & M_MCAST) { 385 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 386 if (mcopy == NULL) 387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 388 else 389 mcopy->m_flags |= M_MCAST; 390 } else { 391 /* 392 * Check if the destination is associated with the 393 * same vap and authorized to receive traffic. 394 * Beware of traffic destined for the vap itself; 395 * sending it will not work; just let it be delivered 396 * normally. 397 */ 398 struct ieee80211_node *sta = ieee80211_find_vap_node( 399 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 400 if (sta != NULL) { 401 if (ieee80211_node_is_authorized(sta)) { 402 /* 403 * Beware of sending to ourself; this 404 * needs to happen via the normal 405 * input path. 406 */ 407 if (sta != vap->iv_bss) { 408 mcopy = m; 409 m = NULL; 410 } 411 } else { 412 vap->iv_stats.is_rx_unauth++; 413 IEEE80211_NODE_STAT(sta, rx_unauth); 414 } 415 ieee80211_free_node(sta); 416 } 417 } 418 if (mcopy != NULL) 419 (void) ieee80211_vap_xmitpkt(vap, mcopy); 420 } 421 if (m != NULL) { 422 /* 423 * Mark frame as coming from vap's interface. 424 */ 425 m->m_pkthdr.rcvif = ifp; 426 if (m->m_flags & M_MCAST) { 427 /* 428 * Spam DWDS vap's w/ multicast traffic. 429 */ 430 /* XXX only if dwds in use? */ 431 ieee80211_dwds_mcast(vap, m); 432 } 433 if (ni->ni_vlan != 0) { 434 /* attach vlan tag */ 435 m->m_pkthdr.ether_vtag = ni->ni_vlan; 436 m->m_flags |= M_VLANTAG; 437 } 438 ifp->if_input(ifp, m); 439 } 440 } 441 442 /* 443 * Decide if a received management frame should be 444 * printed when debugging is enabled. This filters some 445 * of the less interesting frames that come frequently 446 * (e.g. beacons). 447 */ 448 static __inline int 449 doprint(struct ieee80211vap *vap, int subtype) 450 { 451 switch (subtype) { 452 case IEEE80211_FC0_SUBTYPE_BEACON: 453 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 454 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 455 return 0; 456 } 457 return 1; 458 } 459 460 /* 461 * Process a received frame. The node associated with the sender 462 * should be supplied. If nothing was found in the node table then 463 * the caller is assumed to supply a reference to iv_bss instead. 464 * The RSSI and a timestamp are also supplied. The RSSI data is used 465 * during AP scanning to select a AP to associate with; it can have 466 * any units so long as values have consistent units and higher values 467 * mean ``better signal''. The receive timestamp is currently not used 468 * by the 802.11 layer. 469 */ 470 static int 471 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 472 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 473 { 474 struct ieee80211vap *vap = ni->ni_vap; 475 struct ieee80211com *ic = ni->ni_ic; 476 struct ifnet *ifp = vap->iv_ifp; 477 struct ieee80211_frame *wh; 478 struct ieee80211_key *key; 479 struct ether_header *eh; 480 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 481 uint8_t dir, type, subtype, qos; 482 uint8_t *bssid; 483 int is_hw_decrypted = 0; 484 int has_decrypted = 0; 485 486 /* 487 * Some devices do hardware decryption all the way through 488 * to pretending the frame wasn't encrypted in the first place. 489 * So, tag it appropriately so it isn't discarded inappropriately. 490 */ 491 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 492 is_hw_decrypted = 1; 493 494 if (m->m_flags & M_AMPDU_MPDU) { 495 /* 496 * Fastpath for A-MPDU reorder q resubmission. Frames 497 * w/ M_AMPDU_MPDU marked have already passed through 498 * here but were received out of order and been held on 499 * the reorder queue. When resubmitted they are marked 500 * with the M_AMPDU_MPDU flag and we can bypass most of 501 * the normal processing. 502 */ 503 wh = mtod(m, struct ieee80211_frame *); 504 type = IEEE80211_FC0_TYPE_DATA; 505 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 506 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 507 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 508 goto resubmit_ampdu; 509 } 510 511 KASSERT(ni != NULL, ("null node")); 512 ni->ni_inact = ni->ni_inact_reload; 513 514 type = -1; /* undefined */ 515 516 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 517 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 518 ni->ni_macaddr, NULL, 519 "too short (1): len %u", m->m_pkthdr.len); 520 vap->iv_stats.is_rx_tooshort++; 521 goto out; 522 } 523 /* 524 * Bit of a cheat here, we use a pointer for a 3-address 525 * frame format but don't reference fields past outside 526 * ieee80211_frame_min w/o first validating the data is 527 * present. 528 */ 529 wh = mtod(m, struct ieee80211_frame *); 530 531 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 532 IEEE80211_FC0_VERSION_0) { 533 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 534 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 535 wh->i_fc[0], wh->i_fc[1]); 536 vap->iv_stats.is_rx_badversion++; 537 goto err; 538 } 539 540 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 541 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 542 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 543 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 544 if (dir != IEEE80211_FC1_DIR_NODS) 545 bssid = wh->i_addr1; 546 else if (type == IEEE80211_FC0_TYPE_CTL) 547 bssid = wh->i_addr1; 548 else { 549 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 550 IEEE80211_DISCARD_MAC(vap, 551 IEEE80211_MSG_ANY, ni->ni_macaddr, 552 NULL, "too short (2): len %u", 553 m->m_pkthdr.len); 554 vap->iv_stats.is_rx_tooshort++; 555 goto out; 556 } 557 bssid = wh->i_addr3; 558 } 559 /* 560 * Validate the bssid. 561 */ 562 if (!(type == IEEE80211_FC0_TYPE_MGT && 563 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 564 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 565 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 566 /* not interested in */ 567 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 568 bssid, NULL, "%s", "not to bss"); 569 vap->iv_stats.is_rx_wrongbss++; 570 goto out; 571 } 572 573 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 574 ni->ni_noise = nf; 575 if (IEEE80211_HAS_SEQ(type, subtype)) { 576 uint8_t tid = ieee80211_gettid(wh); 577 if (IEEE80211_QOS_HAS_SEQ(wh) && 578 TID_TO_WME_AC(tid) >= WME_AC_VI) 579 ic->ic_wme.wme_hipri_traffic++; 580 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 581 goto out; 582 } 583 } 584 585 switch (type) { 586 case IEEE80211_FC0_TYPE_DATA: 587 hdrspace = ieee80211_hdrspace(ic, wh); 588 if (m->m_len < hdrspace && 589 (m = m_pullup(m, hdrspace)) == NULL) { 590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 591 ni->ni_macaddr, NULL, 592 "data too short: expecting %u", hdrspace); 593 vap->iv_stats.is_rx_tooshort++; 594 goto out; /* XXX */ 595 } 596 if (!(dir == IEEE80211_FC1_DIR_TODS || 597 (dir == IEEE80211_FC1_DIR_DSTODS && 598 (vap->iv_flags & IEEE80211_F_DWDS)))) { 599 if (dir != IEEE80211_FC1_DIR_DSTODS) { 600 IEEE80211_DISCARD(vap, 601 IEEE80211_MSG_INPUT, wh, "data", 602 "incorrect dir 0x%x", dir); 603 } else { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT | 606 IEEE80211_MSG_WDS, wh, 607 "4-address data", 608 "%s", "DWDS not enabled"); 609 } 610 vap->iv_stats.is_rx_wrongdir++; 611 goto out; 612 } 613 /* check if source STA is associated */ 614 if (ni == vap->iv_bss) { 615 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 616 wh, "data", "%s", "unknown src"); 617 ieee80211_send_error(ni, wh->i_addr2, 618 IEEE80211_FC0_SUBTYPE_DEAUTH, 619 IEEE80211_REASON_NOT_AUTHED); 620 vap->iv_stats.is_rx_notassoc++; 621 goto err; 622 } 623 if (ni->ni_associd == 0) { 624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 625 wh, "data", "%s", "unassoc src"); 626 IEEE80211_SEND_MGMT(ni, 627 IEEE80211_FC0_SUBTYPE_DISASSOC, 628 IEEE80211_REASON_NOT_ASSOCED); 629 vap->iv_stats.is_rx_notassoc++; 630 goto err; 631 } 632 633 /* 634 * Check for power save state change. 635 * XXX out-of-order A-MPDU frames? 636 */ 637 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 638 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 639 vap->iv_node_ps(ni, 640 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 641 /* 642 * For 4-address packets handle WDS discovery 643 * notifications. Once a WDS link is setup frames 644 * are just delivered to the WDS vap (see below). 645 */ 646 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 647 if (!ieee80211_node_is_authorized(ni)) { 648 IEEE80211_DISCARD(vap, 649 IEEE80211_MSG_INPUT | 650 IEEE80211_MSG_WDS, wh, 651 "4-address data", 652 "%s", "unauthorized port"); 653 vap->iv_stats.is_rx_unauth++; 654 IEEE80211_NODE_STAT(ni, rx_unauth); 655 goto err; 656 } 657 ieee80211_dwds_discover(ni, m); 658 return type; 659 } 660 661 /* 662 * Handle A-MPDU re-ordering. If the frame is to be 663 * processed directly then ieee80211_ampdu_reorder 664 * will return 0; otherwise it has consumed the mbuf 665 * and we should do nothing more with it. 666 */ 667 if ((m->m_flags & M_AMPDU) && 668 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 669 m = NULL; 670 goto out; 671 } 672 resubmit_ampdu: 673 674 /* 675 * Handle privacy requirements. Note that we 676 * must not be preempted from here until after 677 * we (potentially) call ieee80211_crypto_demic; 678 * otherwise we may violate assumptions in the 679 * crypto cipher modules used to do delayed update 680 * of replay sequence numbers. 681 */ 682 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 683 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 684 /* 685 * Discard encrypted frames when privacy is off. 686 */ 687 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 688 wh, "WEP", "%s", "PRIVACY off"); 689 vap->iv_stats.is_rx_noprivacy++; 690 IEEE80211_NODE_STAT(ni, rx_noprivacy); 691 goto out; 692 } 693 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 694 /* NB: stats+msgs handled in crypto_decap */ 695 IEEE80211_NODE_STAT(ni, rx_wepfail); 696 goto out; 697 } 698 wh = mtod(m, struct ieee80211_frame *); 699 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 700 has_decrypted = 1; 701 } else { 702 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 703 key = NULL; 704 } 705 706 /* 707 * Save QoS bits for use below--before we strip the header. 708 */ 709 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 710 qos = ieee80211_getqos(wh)[0]; 711 else 712 qos = 0; 713 714 /* 715 * Next up, any fragmentation. 716 */ 717 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 718 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 719 if (m == NULL) { 720 /* Fragment dropped or frame not complete yet */ 721 goto out; 722 } 723 } 724 wh = NULL; /* no longer valid, catch any uses */ 725 726 /* 727 * Next strip any MSDU crypto bits. 728 */ 729 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 731 ni->ni_macaddr, "data", "%s", "demic error"); 732 vap->iv_stats.is_rx_demicfail++; 733 IEEE80211_NODE_STAT(ni, rx_demicfail); 734 goto out; 735 } 736 /* copy to listener after decrypt */ 737 if (ieee80211_radiotap_active_vap(vap)) 738 ieee80211_radiotap_rx(vap, m); 739 need_tap = 0; 740 /* 741 * Finally, strip the 802.11 header. 742 */ 743 m = ieee80211_decap(vap, m, hdrspace, qos); 744 if (m == NULL) { 745 /* XXX mask bit to check for both */ 746 /* don't count Null data frames as errors */ 747 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 748 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 749 goto out; 750 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 751 ni->ni_macaddr, "data", "%s", "decap error"); 752 vap->iv_stats.is_rx_decap++; 753 IEEE80211_NODE_STAT(ni, rx_decap); 754 goto err; 755 } 756 if (!(qos & IEEE80211_QOS_AMSDU)) 757 eh = mtod(m, struct ether_header *); 758 else 759 eh = NULL; 760 if (!ieee80211_node_is_authorized(ni)) { 761 /* 762 * Deny any non-PAE frames received prior to 763 * authorization. For open/shared-key 764 * authentication the port is mark authorized 765 * after authentication completes. For 802.1x 766 * the port is not marked authorized by the 767 * authenticator until the handshake has completed. 768 */ 769 if (eh == NULL || 770 eh->ether_type != htons(ETHERTYPE_PAE)) { 771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 772 ni->ni_macaddr, "data", "unauthorized or " 773 "unknown port: ether type 0x%x len %u", 774 eh == NULL ? -1 : eh->ether_type, 775 m->m_pkthdr.len); 776 vap->iv_stats.is_rx_unauth++; 777 IEEE80211_NODE_STAT(ni, rx_unauth); 778 goto err; 779 } 780 } else { 781 /* 782 * When denying unencrypted frames, discard 783 * any non-PAE frames received without encryption. 784 */ 785 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 786 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 787 (is_hw_decrypted == 0) && 788 (eh == NULL || 789 eh->ether_type != htons(ETHERTYPE_PAE))) { 790 /* 791 * Drop unencrypted frames. 792 */ 793 vap->iv_stats.is_rx_unencrypted++; 794 IEEE80211_NODE_STAT(ni, rx_unencrypted); 795 goto out; 796 } 797 } 798 /* XXX require HT? */ 799 if (qos & IEEE80211_QOS_AMSDU) { 800 m = ieee80211_decap_amsdu(ni, m); 801 if (m == NULL) 802 return IEEE80211_FC0_TYPE_DATA; 803 } else { 804 #ifdef IEEE80211_SUPPORT_SUPERG 805 m = ieee80211_decap_fastframe(vap, ni, m); 806 if (m == NULL) 807 return IEEE80211_FC0_TYPE_DATA; 808 #endif 809 } 810 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 811 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 812 else 813 hostap_deliver_data(vap, ni, m); 814 return IEEE80211_FC0_TYPE_DATA; 815 816 case IEEE80211_FC0_TYPE_MGT: 817 vap->iv_stats.is_rx_mgmt++; 818 IEEE80211_NODE_STAT(ni, rx_mgmt); 819 if (dir != IEEE80211_FC1_DIR_NODS) { 820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 821 wh, "mgt", "incorrect dir 0x%x", dir); 822 vap->iv_stats.is_rx_wrongdir++; 823 goto err; 824 } 825 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 826 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 827 ni->ni_macaddr, "mgt", "too short: len %u", 828 m->m_pkthdr.len); 829 vap->iv_stats.is_rx_tooshort++; 830 goto out; 831 } 832 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 833 /* ensure return frames are unicast */ 834 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 835 wh, NULL, "source is multicast: %s", 836 ether_sprintf(wh->i_addr2)); 837 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 838 goto out; 839 } 840 #ifdef IEEE80211_DEBUG 841 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 842 ieee80211_msg_dumppkts(vap)) { 843 if_printf(ifp, "received %s from %s rssi %d\n", 844 ieee80211_mgt_subtype_name(subtype), 845 ether_sprintf(wh->i_addr2), rssi); 846 } 847 #endif 848 if (IEEE80211_IS_PROTECTED(wh)) { 849 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 850 /* 851 * Only shared key auth frames with a challenge 852 * should be encrypted, discard all others. 853 */ 854 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 855 wh, NULL, 856 "%s", "WEP set but not permitted"); 857 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 858 goto out; 859 } 860 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 861 /* 862 * Discard encrypted frames when privacy is off. 863 */ 864 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, "%s", "WEP set but PRIVACY off"); 866 vap->iv_stats.is_rx_noprivacy++; 867 goto out; 868 } 869 hdrspace = ieee80211_hdrspace(ic, wh); 870 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 871 /* NB: stats+msgs handled in crypto_decap */ 872 goto out; 873 } 874 wh = mtod(m, struct ieee80211_frame *); 875 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 876 has_decrypted = 1; 877 } 878 /* 879 * Pass the packet to radiotap before calling iv_recv_mgmt(). 880 * Otherwise iv_recv_mgmt() might pass another packet to 881 * radiotap, resulting in out of order packet captures. 882 */ 883 if (ieee80211_radiotap_active_vap(vap)) 884 ieee80211_radiotap_rx(vap, m); 885 need_tap = 0; 886 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 887 goto out; 888 889 case IEEE80211_FC0_TYPE_CTL: 890 vap->iv_stats.is_rx_ctl++; 891 IEEE80211_NODE_STAT(ni, rx_ctrl); 892 vap->iv_recv_ctl(ni, m, subtype); 893 goto out; 894 default: 895 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 896 wh, "bad", "frame type 0x%x", type); 897 /* should not come here */ 898 break; 899 } 900 err: 901 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 902 out: 903 if (m != NULL) { 904 if (need_tap && ieee80211_radiotap_active_vap(vap)) 905 ieee80211_radiotap_rx(vap, m); 906 m_freem(m); 907 } 908 return type; 909 } 910 911 static void 912 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 913 int rssi, int nf, uint16_t seq, uint16_t status) 914 { 915 struct ieee80211vap *vap = ni->ni_vap; 916 917 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 918 919 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 920 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 921 ni->ni_macaddr, "open auth", 922 "bad sta auth mode %u", ni->ni_authmode); 923 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 924 /* 925 * Clear any challenge text that may be there if 926 * a previous shared key auth failed and then an 927 * open auth is attempted. 928 */ 929 if (ni->ni_challenge != NULL) { 930 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 931 ni->ni_challenge = NULL; 932 } 933 /* XXX hack to workaround calling convention */ 934 ieee80211_send_error(ni, wh->i_addr2, 935 IEEE80211_FC0_SUBTYPE_AUTH, 936 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 937 return; 938 } 939 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 940 vap->iv_stats.is_rx_bad_auth++; 941 return; 942 } 943 /* always accept open authentication requests */ 944 if (ni == vap->iv_bss) { 945 ni = ieee80211_dup_bss(vap, wh->i_addr2); 946 if (ni == NULL) 947 return; 948 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 949 (void) ieee80211_ref_node(ni); 950 /* 951 * Mark the node as referenced to reflect that it's 952 * reference count has been bumped to insure it remains 953 * after the transaction completes. 954 */ 955 ni->ni_flags |= IEEE80211_NODE_AREF; 956 /* 957 * Mark the node as requiring a valid association id 958 * before outbound traffic is permitted. 959 */ 960 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 961 962 if (vap->iv_acl != NULL && 963 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 964 /* 965 * When the ACL policy is set to RADIUS we defer the 966 * authorization to a user agent. Dispatch an event, 967 * a subsequent MLME call will decide the fate of the 968 * station. If the user agent is not present then the 969 * node will be reclaimed due to inactivity. 970 */ 971 IEEE80211_NOTE_MAC(vap, 972 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 973 "%s", "station authentication defered (radius acl)"); 974 ieee80211_notify_node_auth(ni); 975 } else { 976 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 977 IEEE80211_NOTE_MAC(vap, 978 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 979 "%s", "station authenticated (open)"); 980 /* 981 * When 802.1x is not in use mark the port 982 * authorized at this point so traffic can flow. 983 */ 984 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 985 ieee80211_node_authorize(ni); 986 } 987 } 988 989 static void 990 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 991 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 992 uint16_t seq, uint16_t status) 993 { 994 struct ieee80211vap *vap = ni->ni_vap; 995 uint8_t *challenge; 996 int estatus; 997 998 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 999 1000 /* 1001 * NB: this can happen as we allow pre-shared key 1002 * authentication to be enabled w/o wep being turned 1003 * on so that configuration of these can be done 1004 * in any order. It may be better to enforce the 1005 * ordering in which case this check would just be 1006 * for sanity/consistency. 1007 */ 1008 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1009 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1010 ni->ni_macaddr, "shared key auth", 1011 "%s", " PRIVACY is disabled"); 1012 estatus = IEEE80211_STATUS_ALG; 1013 goto bad; 1014 } 1015 /* 1016 * Pre-shared key authentication is evil; accept 1017 * it only if explicitly configured (it is supported 1018 * mainly for compatibility with clients like Mac OS X). 1019 */ 1020 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1021 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1022 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1023 ni->ni_macaddr, "shared key auth", 1024 "bad sta auth mode %u", ni->ni_authmode); 1025 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1026 estatus = IEEE80211_STATUS_ALG; 1027 goto bad; 1028 } 1029 1030 challenge = NULL; 1031 if (frm + 1 < efrm) { 1032 if ((frm[1] + 2) > (efrm - frm)) { 1033 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1034 ni->ni_macaddr, "shared key auth", 1035 "ie %d/%d too long", 1036 frm[0], (frm[1] + 2) - (efrm - frm)); 1037 vap->iv_stats.is_rx_bad_auth++; 1038 estatus = IEEE80211_STATUS_CHALLENGE; 1039 goto bad; 1040 } 1041 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1042 challenge = frm; 1043 frm += frm[1] + 2; 1044 } 1045 switch (seq) { 1046 case IEEE80211_AUTH_SHARED_CHALLENGE: 1047 case IEEE80211_AUTH_SHARED_RESPONSE: 1048 if (challenge == NULL) { 1049 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1050 ni->ni_macaddr, "shared key auth", 1051 "%s", "no challenge"); 1052 vap->iv_stats.is_rx_bad_auth++; 1053 estatus = IEEE80211_STATUS_CHALLENGE; 1054 goto bad; 1055 } 1056 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1057 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1058 ni->ni_macaddr, "shared key auth", 1059 "bad challenge len %d", challenge[1]); 1060 vap->iv_stats.is_rx_bad_auth++; 1061 estatus = IEEE80211_STATUS_CHALLENGE; 1062 goto bad; 1063 } 1064 default: 1065 break; 1066 } 1067 switch (seq) { 1068 case IEEE80211_AUTH_SHARED_REQUEST: 1069 { 1070 #ifdef IEEE80211_DEBUG 1071 bool allocbs; 1072 #endif 1073 1074 if (ni == vap->iv_bss) { 1075 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1076 if (ni == NULL) { 1077 /* NB: no way to return an error */ 1078 return; 1079 } 1080 #ifdef IEEE80211_DEBUG 1081 allocbs = 1; 1082 #endif 1083 } else { 1084 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1085 (void) ieee80211_ref_node(ni); 1086 #ifdef IEEE80211_DEBUG 1087 allocbs = 0; 1088 #endif 1089 } 1090 /* 1091 * Mark the node as referenced to reflect that it's 1092 * reference count has been bumped to insure it remains 1093 * after the transaction completes. 1094 */ 1095 ni->ni_flags |= IEEE80211_NODE_AREF; 1096 /* 1097 * Mark the node as requiring a valid association id 1098 * before outbound traffic is permitted. 1099 */ 1100 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1101 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1102 ni->ni_noise = nf; 1103 if (!ieee80211_alloc_challenge(ni)) { 1104 /* NB: don't return error so they rexmit */ 1105 return; 1106 } 1107 net80211_get_random_bytes(ni->ni_challenge, 1108 IEEE80211_CHALLENGE_LEN); 1109 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1110 ni, "shared key %sauth request", allocbs ? "" : "re"); 1111 /* 1112 * When the ACL policy is set to RADIUS we defer the 1113 * authorization to a user agent. Dispatch an event, 1114 * a subsequent MLME call will decide the fate of the 1115 * station. If the user agent is not present then the 1116 * node will be reclaimed due to inactivity. 1117 */ 1118 if (vap->iv_acl != NULL && 1119 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1120 IEEE80211_NOTE_MAC(vap, 1121 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1122 ni->ni_macaddr, 1123 "%s", "station authentication defered (radius acl)"); 1124 ieee80211_notify_node_auth(ni); 1125 return; 1126 } 1127 break; 1128 } 1129 case IEEE80211_AUTH_SHARED_RESPONSE: 1130 if (ni == vap->iv_bss) { 1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1132 ni->ni_macaddr, "shared key response", 1133 "%s", "unknown station"); 1134 /* NB: don't send a response */ 1135 return; 1136 } 1137 if (ni->ni_challenge == NULL) { 1138 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1139 ni->ni_macaddr, "shared key response", 1140 "%s", "no challenge recorded"); 1141 vap->iv_stats.is_rx_bad_auth++; 1142 estatus = IEEE80211_STATUS_CHALLENGE; 1143 goto bad; 1144 } 1145 if (memcmp(ni->ni_challenge, &challenge[2], 1146 challenge[1]) != 0) { 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key response", 1149 "%s", "challenge mismatch"); 1150 vap->iv_stats.is_rx_auth_fail++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1155 ni, "%s", "station authenticated (shared key)"); 1156 ieee80211_node_authorize(ni); 1157 break; 1158 default: 1159 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1160 ni->ni_macaddr, "shared key auth", 1161 "bad seq %d", seq); 1162 vap->iv_stats.is_rx_bad_auth++; 1163 estatus = IEEE80211_STATUS_SEQUENCE; 1164 goto bad; 1165 } 1166 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1167 return; 1168 bad: 1169 /* 1170 * Send an error response; but only when operating as an AP. 1171 */ 1172 /* XXX hack to workaround calling convention */ 1173 ieee80211_send_error(ni, wh->i_addr2, 1174 IEEE80211_FC0_SUBTYPE_AUTH, 1175 (seq + 1) | (estatus<<16)); 1176 } 1177 1178 /* 1179 * Convert a WPA cipher selector OUI to an internal 1180 * cipher algorithm. Where appropriate we also 1181 * record any key length. 1182 */ 1183 static int 1184 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1185 { 1186 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1187 uint32_t w = le32dec(sel); 1188 1189 switch (w) { 1190 case WPA_SEL(WPA_CSE_NULL): 1191 *cipher = IEEE80211_CIPHER_NONE; 1192 break; 1193 case WPA_SEL(WPA_CSE_WEP40): 1194 if (keylen) 1195 *keylen = 40 / NBBY; 1196 *cipher = IEEE80211_CIPHER_WEP; 1197 break; 1198 case WPA_SEL(WPA_CSE_WEP104): 1199 if (keylen) 1200 *keylen = 104 / NBBY; 1201 *cipher = IEEE80211_CIPHER_WEP; 1202 break; 1203 case WPA_SEL(WPA_CSE_TKIP): 1204 *cipher = IEEE80211_CIPHER_TKIP; 1205 break; 1206 case WPA_SEL(WPA_CSE_CCMP): 1207 *cipher = IEEE80211_CIPHER_AES_CCM; 1208 break; 1209 default: 1210 return (EINVAL); 1211 } 1212 1213 return (0); 1214 #undef WPA_SEL 1215 } 1216 1217 /* 1218 * Convert a WPA key management/authentication algorithm 1219 * to an internal code. 1220 */ 1221 static int 1222 wpa_keymgmt(const uint8_t *sel) 1223 { 1224 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1225 uint32_t w = le32dec(sel); 1226 1227 switch (w) { 1228 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1229 return WPA_ASE_8021X_UNSPEC; 1230 case WPA_SEL(WPA_ASE_8021X_PSK): 1231 return WPA_ASE_8021X_PSK; 1232 case WPA_SEL(WPA_ASE_NONE): 1233 return WPA_ASE_NONE; 1234 } 1235 return 0; /* NB: so is discarded */ 1236 #undef WPA_SEL 1237 } 1238 1239 /* 1240 * Parse a WPA information element to collect parameters. 1241 * Note that we do not validate security parameters; that 1242 * is handled by the authenticator; the parsing done here 1243 * is just for internal use in making operational decisions. 1244 */ 1245 static int 1246 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1247 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1248 { 1249 uint8_t len = frm[1]; 1250 uint32_t w; 1251 int error, n; 1252 1253 /* 1254 * Check the length once for fixed parts: OUI, type, 1255 * version, mcast cipher, and 2 selector counts. 1256 * Other, variable-length data, must be checked separately. 1257 */ 1258 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1259 IEEE80211_DISCARD_IE(vap, 1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1261 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1262 return IEEE80211_REASON_IE_INVALID; 1263 } 1264 if (len < 14) { 1265 IEEE80211_DISCARD_IE(vap, 1266 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1267 wh, "WPA", "too short, len %u", len); 1268 return IEEE80211_REASON_IE_INVALID; 1269 } 1270 frm += 6, len -= 4; /* NB: len is payload only */ 1271 /* NB: iswpaoui already validated the OUI and type */ 1272 w = le16dec(frm); 1273 if (w != WPA_VERSION) { 1274 IEEE80211_DISCARD_IE(vap, 1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1276 wh, "WPA", "bad version %u", w); 1277 return IEEE80211_REASON_IE_INVALID; 1278 } 1279 frm += 2, len -= 2; 1280 1281 memset(rsn, 0, sizeof(*rsn)); 1282 1283 /* multicast/group cipher */ 1284 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1285 if (error != 0) { 1286 IEEE80211_DISCARD_IE(vap, 1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1288 wh, "WPA", "unknown mcast cipher suite %08X", 1289 le32dec(frm)); 1290 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1291 } 1292 frm += 4, len -= 4; 1293 1294 /* unicast ciphers */ 1295 n = le16dec(frm); 1296 frm += 2, len -= 2; 1297 if (len < n*4+2) { 1298 IEEE80211_DISCARD_IE(vap, 1299 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1300 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1301 len, n); 1302 return IEEE80211_REASON_IE_INVALID; 1303 } 1304 w = 0; 1305 for (; n > 0; n--) { 1306 uint8_t cipher; 1307 1308 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1309 if (error == 0) 1310 w |= 1 << cipher; 1311 1312 frm += 4, len -= 4; 1313 } 1314 if (w == 0) { 1315 IEEE80211_DISCARD_IE(vap, 1316 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1317 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1318 w); 1319 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1320 } 1321 /* XXX other? */ 1322 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1323 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1324 else 1325 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1326 1327 /* key management algorithms */ 1328 n = le16dec(frm); 1329 frm += 2, len -= 2; 1330 if (len < n*4) { 1331 IEEE80211_DISCARD_IE(vap, 1332 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1333 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1334 len, n); 1335 return IEEE80211_REASON_IE_INVALID; 1336 } 1337 w = 0; 1338 for (; n > 0; n--) { 1339 w |= wpa_keymgmt(frm); 1340 frm += 4, len -= 4; 1341 } 1342 if (w & WPA_ASE_8021X_UNSPEC) 1343 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1344 else 1345 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1346 1347 if (len > 2) /* optional capabilities */ 1348 rsn->rsn_caps = le16dec(frm); 1349 1350 return 0; 1351 } 1352 1353 /* 1354 * Convert an RSN cipher selector OUI to an internal 1355 * cipher algorithm. Where appropriate we also 1356 * record any key length. 1357 */ 1358 static int 1359 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1360 { 1361 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1362 uint32_t w = le32dec(sel); 1363 1364 switch (w) { 1365 case RSN_SEL(RSN_CSE_NULL): 1366 *cipher = IEEE80211_CIPHER_NONE; 1367 break; 1368 case RSN_SEL(RSN_CSE_WEP40): 1369 if (keylen) 1370 *keylen = 40 / NBBY; 1371 *cipher = IEEE80211_CIPHER_WEP; 1372 break; 1373 case RSN_SEL(RSN_CSE_WEP104): 1374 if (keylen) 1375 *keylen = 104 / NBBY; 1376 *cipher = IEEE80211_CIPHER_WEP; 1377 break; 1378 case RSN_SEL(RSN_CSE_TKIP): 1379 *cipher = IEEE80211_CIPHER_TKIP; 1380 break; 1381 case RSN_SEL(RSN_CSE_CCMP): 1382 *cipher = IEEE80211_CIPHER_AES_CCM; 1383 break; 1384 case RSN_SEL(RSN_CSE_WRAP): 1385 *cipher = IEEE80211_CIPHER_AES_OCB; 1386 break; 1387 default: 1388 return (EINVAL); 1389 } 1390 1391 return (0); 1392 #undef WPA_SEL 1393 } 1394 1395 /* 1396 * Convert an RSN key management/authentication algorithm 1397 * to an internal code. 1398 */ 1399 static int 1400 rsn_keymgmt(const uint8_t *sel) 1401 { 1402 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1403 uint32_t w = le32dec(sel); 1404 1405 switch (w) { 1406 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1407 return RSN_ASE_8021X_UNSPEC; 1408 case RSN_SEL(RSN_ASE_8021X_PSK): 1409 return RSN_ASE_8021X_PSK; 1410 case RSN_SEL(RSN_ASE_NONE): 1411 return RSN_ASE_NONE; 1412 } 1413 return 0; /* NB: so is discarded */ 1414 #undef RSN_SEL 1415 } 1416 1417 /* 1418 * Parse a WPA/RSN information element to collect parameters 1419 * and validate the parameters against what has been 1420 * configured for the system. 1421 */ 1422 static int 1423 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1424 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1425 { 1426 uint8_t len = frm[1]; 1427 uint32_t w; 1428 int error, n; 1429 1430 /* 1431 * Check the length once for fixed parts: 1432 * version, mcast cipher, and 2 selector counts. 1433 * Other, variable-length data, must be checked separately. 1434 */ 1435 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1436 IEEE80211_DISCARD_IE(vap, 1437 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1438 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1439 return IEEE80211_REASON_IE_INVALID; 1440 } 1441 /* XXX may be shorter */ 1442 if (len < 10) { 1443 IEEE80211_DISCARD_IE(vap, 1444 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1445 wh, "RSN", "too short, len %u", len); 1446 return IEEE80211_REASON_IE_INVALID; 1447 } 1448 frm += 2; 1449 w = le16dec(frm); 1450 if (w != RSN_VERSION) { 1451 IEEE80211_DISCARD_IE(vap, 1452 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1453 wh, "RSN", "bad version %u", w); 1454 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1455 } 1456 frm += 2, len -= 2; 1457 1458 memset(rsn, 0, sizeof(*rsn)); 1459 1460 /* multicast/group cipher */ 1461 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1462 if (error != 0) { 1463 IEEE80211_DISCARD_IE(vap, 1464 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1465 wh, "RSN", "unknown mcast cipher suite %08X", 1466 le32dec(frm)); 1467 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1468 } 1469 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1470 IEEE80211_DISCARD_IE(vap, 1471 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1472 wh, "RSN", "invalid mcast cipher suite %d", 1473 rsn->rsn_mcastcipher); 1474 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1475 } 1476 frm += 4, len -= 4; 1477 1478 /* unicast ciphers */ 1479 n = le16dec(frm); 1480 frm += 2, len -= 2; 1481 if (len < n*4+2) { 1482 IEEE80211_DISCARD_IE(vap, 1483 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1484 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1485 len, n); 1486 return IEEE80211_REASON_IE_INVALID; 1487 } 1488 w = 0; 1489 1490 for (; n > 0; n--) { 1491 uint8_t cipher; 1492 1493 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1494 if (error == 0) 1495 w |= 1 << cipher; 1496 1497 frm += 4, len -= 4; 1498 } 1499 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1500 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1501 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1502 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1503 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1504 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1505 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1506 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1507 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1508 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1509 else { 1510 IEEE80211_DISCARD_IE(vap, 1511 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1512 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1513 w); 1514 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1515 } 1516 1517 /* key management algorithms */ 1518 n = le16dec(frm); 1519 frm += 2, len -= 2; 1520 if (len < n*4) { 1521 IEEE80211_DISCARD_IE(vap, 1522 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1523 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1524 len, n); 1525 return IEEE80211_REASON_IE_INVALID; 1526 } 1527 w = 0; 1528 for (; n > 0; n--) { 1529 w |= rsn_keymgmt(frm); 1530 frm += 4, len -= 4; 1531 } 1532 if (w & RSN_ASE_8021X_UNSPEC) 1533 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1534 else 1535 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1536 1537 /* optional RSN capabilities */ 1538 if (len > 2) 1539 rsn->rsn_caps = le16dec(frm); 1540 /* XXXPMKID */ 1541 1542 return 0; 1543 } 1544 1545 /* 1546 * WPA/802.11i association request processing. 1547 */ 1548 static int 1549 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1550 const struct ieee80211_frame *wh, const uint8_t *wpa, 1551 const uint8_t *rsn, uint16_t capinfo) 1552 { 1553 struct ieee80211vap *vap = ni->ni_vap; 1554 uint8_t reason; 1555 int badwparsn; 1556 1557 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1558 if (wpa == NULL && rsn == NULL) { 1559 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1560 /* 1561 * W-Fi Protected Setup (WPS) permits 1562 * clients to associate and pass EAPOL frames 1563 * to establish initial credentials. 1564 */ 1565 ni->ni_flags |= IEEE80211_NODE_WPS; 1566 return 1; 1567 } 1568 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1569 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1570 /* 1571 * Transitional Security Network. Permits clients 1572 * to associate and use WEP while WPA is configured. 1573 */ 1574 ni->ni_flags |= IEEE80211_NODE_TSN; 1575 return 1; 1576 } 1577 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1578 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1579 vap->iv_stats.is_rx_assoc_badwpaie++; 1580 reason = IEEE80211_REASON_IE_INVALID; 1581 goto bad; 1582 } 1583 /* assert right association security credentials */ 1584 badwparsn = 0; /* NB: to silence compiler */ 1585 switch (vap->iv_flags & IEEE80211_F_WPA) { 1586 case IEEE80211_F_WPA1: 1587 badwparsn = (wpa == NULL); 1588 break; 1589 case IEEE80211_F_WPA2: 1590 badwparsn = (rsn == NULL); 1591 break; 1592 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1593 badwparsn = (wpa == NULL && rsn == NULL); 1594 break; 1595 } 1596 if (badwparsn) { 1597 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1598 wh, NULL, 1599 "%s", "missing WPA/RSN IE in association request"); 1600 vap->iv_stats.is_rx_assoc_badwpaie++; 1601 reason = IEEE80211_REASON_IE_INVALID; 1602 goto bad; 1603 } 1604 /* 1605 * Parse WPA/RSN information element. 1606 */ 1607 if (wpa != NULL) 1608 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1609 else 1610 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1611 if (reason != 0) { 1612 /* XXX wpa->rsn fallback? */ 1613 /* XXX distinguish WPA/RSN? */ 1614 vap->iv_stats.is_rx_assoc_badwpaie++; 1615 goto bad; 1616 } 1617 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1618 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1619 wpa != NULL ? "WPA" : "RSN", 1620 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1621 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1622 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1623 1624 return 1; 1625 bad: 1626 ieee80211_node_deauth(ni, reason); 1627 return 0; 1628 } 1629 1630 /* XXX find a better place for definition */ 1631 struct l2_update_frame { 1632 struct ether_header eh; 1633 uint8_t dsap; 1634 uint8_t ssap; 1635 uint8_t control; 1636 uint8_t xid[3]; 1637 } __packed; 1638 1639 /* 1640 * Deliver a TGf L2UF frame on behalf of a station. 1641 * This primes any bridge when the station is roaming 1642 * between ap's on the same wired network. 1643 */ 1644 static void 1645 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1646 { 1647 struct ieee80211vap *vap = ni->ni_vap; 1648 struct ifnet *ifp = vap->iv_ifp; 1649 struct mbuf *m; 1650 struct l2_update_frame *l2uf; 1651 struct ether_header *eh; 1652 1653 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1654 if (m == NULL) { 1655 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1656 "%s", "no mbuf for l2uf frame"); 1657 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1658 return; 1659 } 1660 l2uf = mtod(m, struct l2_update_frame *); 1661 eh = &l2uf->eh; 1662 /* dst: Broadcast address */ 1663 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1664 /* src: associated STA */ 1665 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1666 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1667 1668 l2uf->dsap = 0; 1669 l2uf->ssap = 0; 1670 l2uf->control = 0xf5; 1671 l2uf->xid[0] = 0x81; 1672 l2uf->xid[1] = 0x80; 1673 l2uf->xid[2] = 0x00; 1674 1675 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1676 hostap_deliver_data(vap, ni, m); 1677 } 1678 1679 static void 1680 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1681 int reassoc, int resp, const char *tag, int rate) 1682 { 1683 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1684 "deny %s request, %s rate set mismatch, rate/MCS %d", 1685 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1686 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1687 ieee80211_node_leave(ni); 1688 } 1689 1690 static void 1691 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1692 int reassoc, int resp, const char *tag, int capinfo) 1693 { 1694 struct ieee80211vap *vap = ni->ni_vap; 1695 1696 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1697 "deny %s request, %s mismatch 0x%x", 1698 reassoc ? "reassoc" : "assoc", tag, capinfo); 1699 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1700 ieee80211_node_leave(ni); 1701 vap->iv_stats.is_rx_assoc_capmismatch++; 1702 } 1703 1704 static void 1705 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1706 int reassoc, int resp) 1707 { 1708 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1709 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1710 /* XXX no better code */ 1711 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1712 ieee80211_node_leave(ni); 1713 } 1714 1715 static void 1716 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1717 int algo, int seq, int status) 1718 { 1719 struct ieee80211vap *vap = ni->ni_vap; 1720 1721 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1722 wh, NULL, "unsupported alg %d", algo); 1723 vap->iv_stats.is_rx_auth_unsupported++; 1724 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1725 seq | (status << 16)); 1726 } 1727 1728 static __inline int 1729 ishtmixed(const uint8_t *ie) 1730 { 1731 const struct ieee80211_ie_htinfo *ht = 1732 (const struct ieee80211_ie_htinfo *) ie; 1733 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1734 IEEE80211_HTINFO_OPMODE_MIXED; 1735 } 1736 1737 static int 1738 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1739 { 1740 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1741 int i; 1742 1743 /* NB: the 11b clients we care about will not have xrates */ 1744 if (xrates != NULL || rates == NULL) 1745 return 0; 1746 for (i = 0; i < rates[1]; i++) { 1747 int r = rates[2+i] & IEEE80211_RATE_VAL; 1748 if (r > 2*11 || ((1<<r) & brates) == 0) 1749 return 0; 1750 } 1751 return 1; 1752 } 1753 1754 static void 1755 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1756 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1757 { 1758 struct ieee80211vap *vap = ni->ni_vap; 1759 struct ieee80211com *ic = ni->ni_ic; 1760 struct ieee80211_frame *wh; 1761 uint8_t *frm, *efrm, *sfrm; 1762 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1763 uint8_t *vhtcap, *vhtinfo; 1764 int reassoc, resp; 1765 uint8_t rate; 1766 1767 wh = mtod(m0, struct ieee80211_frame *); 1768 frm = (uint8_t *)&wh[1]; 1769 efrm = mtod(m0, uint8_t *) + m0->m_len; 1770 switch (subtype) { 1771 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1772 /* 1773 * We process beacon/probe response frames when scanning; 1774 * otherwise we check beacon frames for overlapping non-ERP 1775 * BSS in 11g and/or overlapping legacy BSS when in HT. 1776 */ 1777 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1778 vap->iv_stats.is_rx_mgtdiscard++; 1779 return; 1780 } 1781 /* FALLTHROUGH */ 1782 case IEEE80211_FC0_SUBTYPE_BEACON: { 1783 struct ieee80211_scanparams scan; 1784 1785 /* NB: accept off-channel frames */ 1786 /* XXX TODO: use rxstatus to determine off-channel details */ 1787 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1788 return; 1789 /* 1790 * Count frame now that we know it's to be processed. 1791 */ 1792 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1793 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1794 IEEE80211_NODE_STAT(ni, rx_beacons); 1795 } else 1796 IEEE80211_NODE_STAT(ni, rx_proberesp); 1797 /* 1798 * If scanning, just pass information to the scan module. 1799 */ 1800 if (ic->ic_flags & IEEE80211_F_SCAN) { 1801 if (scan.status == 0 && /* NB: on channel */ 1802 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1803 /* 1804 * Actively scanning a channel marked passive; 1805 * send a probe request now that we know there 1806 * is 802.11 traffic present. 1807 * 1808 * XXX check if the beacon we recv'd gives 1809 * us what we need and suppress the probe req 1810 */ 1811 ieee80211_probe_curchan(vap, 1); 1812 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1813 } 1814 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1815 subtype, rssi, nf); 1816 return; 1817 } 1818 /* 1819 * Check beacon for overlapping bss w/ non ERP stations. 1820 * If we detect one and protection is configured but not 1821 * enabled, enable it and start a timer that'll bring us 1822 * out if we stop seeing the bss. 1823 */ 1824 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1825 scan.status == 0 && /* NB: on-channel */ 1826 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1827 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1828 vap->iv_lastnonerp = ticks; 1829 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1830 /* 1831 * XXX TODO: this may need to check all VAPs? 1832 */ 1833 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1834 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1835 IEEE80211_NOTE_FRAME(vap, 1836 IEEE80211_MSG_ASSOC, wh, 1837 "non-ERP present on channel %d " 1838 "(saw erp 0x%x from channel %d), " 1839 "enable use of protection", 1840 ic->ic_curchan->ic_ieee, 1841 scan.erp, scan.chan); 1842 vap->iv_flags |= IEEE80211_F_USEPROT; 1843 ieee80211_vap_update_erp_protmode(vap); 1844 } 1845 } 1846 /* 1847 * Check beacon for non-HT station on HT channel 1848 * and update HT BSS occupancy as appropriate. 1849 */ 1850 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1851 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1852 /* 1853 * Off control channel; only check frames 1854 * that come in the extension channel when 1855 * operating w/ HT40. 1856 */ 1857 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1858 break; 1859 if (scan.chan != ic->ic_curchan->ic_extieee) 1860 break; 1861 } 1862 if (scan.htinfo == NULL) { 1863 ieee80211_htprot_update(vap, 1864 IEEE80211_HTINFO_OPMODE_PROTOPT | 1865 IEEE80211_HTINFO_NONHT_PRESENT); 1866 } else if (ishtmixed(scan.htinfo)) { 1867 /* XXX? take NONHT_PRESENT from beacon? */ 1868 ieee80211_htprot_update(vap, 1869 IEEE80211_HTINFO_OPMODE_MIXED | 1870 IEEE80211_HTINFO_NONHT_PRESENT); 1871 } 1872 } 1873 break; 1874 } 1875 1876 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1877 if (vap->iv_state != IEEE80211_S_RUN) { 1878 vap->iv_stats.is_rx_mgtdiscard++; 1879 return; 1880 } 1881 /* 1882 * Consult the ACL policy module if setup. 1883 */ 1884 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1885 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1886 wh, NULL, "%s", "disallowed by ACL"); 1887 vap->iv_stats.is_rx_acl++; 1888 return; 1889 } 1890 /* 1891 * prreq frame format 1892 * [tlv] ssid 1893 * [tlv] supported rates 1894 * [tlv] extended supported rates 1895 */ 1896 ssid = rates = xrates = NULL; 1897 while (efrm - frm > 1) { 1898 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1899 switch (*frm) { 1900 case IEEE80211_ELEMID_SSID: 1901 ssid = frm; 1902 break; 1903 case IEEE80211_ELEMID_RATES: 1904 rates = frm; 1905 break; 1906 case IEEE80211_ELEMID_XRATES: 1907 xrates = frm; 1908 break; 1909 } 1910 frm += frm[1] + 2; 1911 } 1912 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1913 if (xrates != NULL) 1914 IEEE80211_VERIFY_ELEMENT(xrates, 1915 IEEE80211_RATE_MAXSIZE - rates[1], return); 1916 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1917 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1918 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1919 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1920 wh, NULL, 1921 "%s", "no ssid with ssid suppression enabled"); 1922 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1923 return; 1924 } 1925 1926 /* XXX find a better class or define it's own */ 1927 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1928 "%s", "recv probe req"); 1929 /* 1930 * Some legacy 11b clients cannot hack a complete 1931 * probe response frame. When the request includes 1932 * only a bare-bones rate set, communicate this to 1933 * the transmit side. 1934 */ 1935 ieee80211_send_proberesp(vap, wh->i_addr2, 1936 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1937 break; 1938 1939 case IEEE80211_FC0_SUBTYPE_AUTH: { 1940 uint16_t algo, seq, status; 1941 1942 if (vap->iv_state != IEEE80211_S_RUN) { 1943 vap->iv_stats.is_rx_mgtdiscard++; 1944 return; 1945 } 1946 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1947 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1948 wh, NULL, "%s", "wrong bssid"); 1949 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1950 return; 1951 } 1952 /* 1953 * auth frame format 1954 * [2] algorithm 1955 * [2] sequence 1956 * [2] status 1957 * [tlv*] challenge 1958 */ 1959 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1960 algo = le16toh(*(uint16_t *)frm); 1961 seq = le16toh(*(uint16_t *)(frm + 2)); 1962 status = le16toh(*(uint16_t *)(frm + 4)); 1963 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1964 "recv auth frame with algorithm %d seq %d", algo, seq); 1965 /* 1966 * Consult the ACL policy module if setup. 1967 */ 1968 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1969 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1970 wh, NULL, "%s", "disallowed by ACL"); 1971 vap->iv_stats.is_rx_acl++; 1972 ieee80211_send_error(ni, wh->i_addr2, 1973 IEEE80211_FC0_SUBTYPE_AUTH, 1974 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1975 return; 1976 } 1977 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1978 IEEE80211_DISCARD(vap, 1979 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1980 wh, NULL, "%s", "TKIP countermeasures enabled"); 1981 vap->iv_stats.is_rx_auth_countermeasures++; 1982 ieee80211_send_error(ni, wh->i_addr2, 1983 IEEE80211_FC0_SUBTYPE_AUTH, 1984 IEEE80211_REASON_MIC_FAILURE); 1985 return; 1986 } 1987 if (algo == IEEE80211_AUTH_ALG_SHARED) 1988 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1989 seq, status); 1990 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1991 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1992 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1993 authalgreject(ni, wh, algo, 1994 seq+1, IEEE80211_STATUS_ALG); 1995 return; 1996 } else { 1997 /* 1998 * We assume that an unknown algorithm is the result 1999 * of a decryption failure on a shared key auth frame; 2000 * return a status code appropriate for that instead 2001 * of IEEE80211_STATUS_ALG. 2002 * 2003 * NB: a seq# of 4 is intentional; the decrypted 2004 * frame likely has a bogus seq value. 2005 */ 2006 authalgreject(ni, wh, algo, 2007 4, IEEE80211_STATUS_CHALLENGE); 2008 return; 2009 } 2010 break; 2011 } 2012 2013 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2014 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2015 uint16_t capinfo, lintval; 2016 struct ieee80211_rsnparms rsnparms; 2017 2018 if (vap->iv_state != IEEE80211_S_RUN) { 2019 vap->iv_stats.is_rx_mgtdiscard++; 2020 return; 2021 } 2022 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2023 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2024 wh, NULL, "%s", "wrong bssid"); 2025 vap->iv_stats.is_rx_assoc_bss++; 2026 return; 2027 } 2028 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2029 reassoc = 1; 2030 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2031 } else { 2032 reassoc = 0; 2033 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2034 } 2035 if (ni == vap->iv_bss) { 2036 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2037 "deny %s request, sta not authenticated", 2038 reassoc ? "reassoc" : "assoc"); 2039 ieee80211_send_error(ni, wh->i_addr2, 2040 IEEE80211_FC0_SUBTYPE_DEAUTH, 2041 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2042 vap->iv_stats.is_rx_assoc_notauth++; 2043 return; 2044 } 2045 2046 /* 2047 * asreq frame format 2048 * [2] capability information 2049 * [2] listen interval 2050 * [6*] current AP address (reassoc only) 2051 * [tlv] ssid 2052 * [tlv] supported rates 2053 * [tlv] extended supported rates 2054 * [tlv] WPA or RSN 2055 * [tlv] HT capabilities 2056 * [tlv] Atheros capabilities 2057 */ 2058 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2059 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2060 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2061 if (reassoc) 2062 frm += 6; /* ignore current AP info */ 2063 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2064 vhtcap = vhtinfo = NULL; 2065 sfrm = frm; 2066 while (efrm - frm > 1) { 2067 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2068 switch (*frm) { 2069 case IEEE80211_ELEMID_SSID: 2070 ssid = frm; 2071 break; 2072 case IEEE80211_ELEMID_RATES: 2073 rates = frm; 2074 break; 2075 case IEEE80211_ELEMID_XRATES: 2076 xrates = frm; 2077 break; 2078 case IEEE80211_ELEMID_RSN: 2079 rsn = frm; 2080 break; 2081 case IEEE80211_ELEMID_HTCAP: 2082 htcap = frm; 2083 break; 2084 case IEEE80211_ELEMID_VHT_CAP: 2085 vhtcap = frm; 2086 break; 2087 case IEEE80211_ELEMID_VHT_OPMODE: 2088 vhtinfo = frm; 2089 break; 2090 case IEEE80211_ELEMID_VENDOR: 2091 if (iswpaoui(frm)) 2092 wpa = frm; 2093 else if (iswmeinfo(frm)) 2094 wme = frm; 2095 #ifdef IEEE80211_SUPPORT_SUPERG 2096 else if (isatherosoui(frm)) 2097 ath = frm; 2098 #endif 2099 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2100 if (ishtcapoui(frm) && htcap == NULL) 2101 htcap = frm; 2102 } 2103 break; 2104 } 2105 frm += frm[1] + 2; 2106 } 2107 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2108 if (xrates != NULL) 2109 IEEE80211_VERIFY_ELEMENT(xrates, 2110 IEEE80211_RATE_MAXSIZE - rates[1], return); 2111 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2112 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2113 if (htcap != NULL) { 2114 IEEE80211_VERIFY_LENGTH(htcap[1], 2115 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2116 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2117 sizeof(struct ieee80211_ie_htcap)-2, 2118 return); /* XXX just NULL out? */ 2119 } 2120 2121 /* Validate VHT IEs */ 2122 if (vhtcap != NULL) { 2123 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2124 sizeof(struct ieee80211_ie_vhtcap) - 2, 2125 return); 2126 } 2127 if (vhtinfo != NULL) { 2128 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2129 sizeof(struct ieee80211_ie_vht_operation) - 2, 2130 return); 2131 } 2132 2133 if ((vap->iv_flags & IEEE80211_F_WPA) && 2134 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2135 return; 2136 /* discard challenge after association */ 2137 if (ni->ni_challenge != NULL) { 2138 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2139 ni->ni_challenge = NULL; 2140 } 2141 /* NB: 802.11 spec says to ignore station's privacy bit */ 2142 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2143 capinfomismatch(ni, wh, reassoc, resp, 2144 "capability", capinfo); 2145 return; 2146 } 2147 /* 2148 * Disallow re-associate w/ invalid slot time setting. 2149 */ 2150 if (ni->ni_associd != 0 && 2151 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2152 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2153 capinfomismatch(ni, wh, reassoc, resp, 2154 "slot time", capinfo); 2155 return; 2156 } 2157 rate = ieee80211_setup_rates(ni, rates, xrates, 2158 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2159 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2160 if (rate & IEEE80211_RATE_BASIC) { 2161 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2162 vap->iv_stats.is_rx_assoc_norate++; 2163 return; 2164 } 2165 /* 2166 * If constrained to 11g-only stations reject an 2167 * 11b-only station. We cheat a bit here by looking 2168 * at the max negotiated xmit rate and assuming anyone 2169 * with a best rate <24Mb/s is an 11b station. 2170 */ 2171 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2172 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2173 vap->iv_stats.is_rx_assoc_norate++; 2174 return; 2175 } 2176 2177 /* 2178 * Do HT rate set handling and setup HT node state. 2179 */ 2180 ni->ni_chan = vap->iv_bss->ni_chan; 2181 2182 /* VHT */ 2183 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2184 vhtcap != NULL && 2185 vhtinfo != NULL) { 2186 /* XXX TODO; see below */ 2187 printf("%s: VHT TODO!\n", __func__); 2188 ieee80211_vht_node_init(ni); 2189 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2190 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2191 ieee80211_vht_node_cleanup(ni); 2192 2193 /* HT */ 2194 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2195 rate = ieee80211_setup_htrates(ni, htcap, 2196 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2197 IEEE80211_F_DOBRS); 2198 if (rate & IEEE80211_RATE_BASIC) { 2199 ratesetmismatch(ni, wh, reassoc, resp, 2200 "HT", rate); 2201 vap->iv_stats.is_ht_assoc_norate++; 2202 return; 2203 } 2204 ieee80211_ht_node_init(ni); 2205 ieee80211_ht_updatehtcap(ni, htcap); 2206 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2207 ieee80211_ht_node_cleanup(ni); 2208 2209 /* Finally - this will use HT/VHT info to change node channel */ 2210 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2211 ieee80211_ht_updatehtcap_final(ni); 2212 } 2213 2214 #ifdef IEEE80211_SUPPORT_SUPERG 2215 /* Always do ff node cleanup; for A-MSDU */ 2216 ieee80211_ff_node_cleanup(ni); 2217 #endif 2218 /* 2219 * Allow AMPDU operation only with unencrypted traffic 2220 * or AES-CCM; the 11n spec only specifies these ciphers 2221 * so permitting any others is undefined and can lead 2222 * to interoperability problems. 2223 */ 2224 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2225 (((vap->iv_flags & IEEE80211_F_WPA) && 2226 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2227 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2228 IEEE80211_NOTE(vap, 2229 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2230 "disallow HT use because WEP or TKIP requested, " 2231 "capinfo 0x%x ucastcipher %d", capinfo, 2232 rsnparms.rsn_ucastcipher); 2233 ieee80211_ht_node_cleanup(ni); 2234 #ifdef IEEE80211_SUPPORT_SUPERG 2235 /* Always do ff node cleanup; for A-MSDU */ 2236 ieee80211_ff_node_cleanup(ni); 2237 #endif 2238 vap->iv_stats.is_ht_assoc_downgrade++; 2239 } 2240 /* 2241 * If constrained to 11n-only stations reject legacy stations. 2242 */ 2243 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2244 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2245 htcapmismatch(ni, wh, reassoc, resp); 2246 vap->iv_stats.is_ht_assoc_nohtcap++; 2247 return; 2248 } 2249 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2250 ni->ni_noise = nf; 2251 ni->ni_intval = lintval; 2252 ni->ni_capinfo = capinfo; 2253 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2254 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2255 /* 2256 * Store the IEs. 2257 * XXX maybe better to just expand 2258 */ 2259 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2260 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2261 if (wpa != NULL) 2262 setie(wpa_ie, wpa - sfrm); 2263 if (rsn != NULL) 2264 setie(rsn_ie, rsn - sfrm); 2265 if (htcap != NULL) 2266 setie(htcap_ie, htcap - sfrm); 2267 if (wme != NULL) { 2268 setie(wme_ie, wme - sfrm); 2269 /* 2270 * Mark node as capable of QoS. 2271 */ 2272 ni->ni_flags |= IEEE80211_NODE_QOS; 2273 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2274 if (ni->ni_uapsd != 0) 2275 ni->ni_flags |= 2276 IEEE80211_NODE_UAPSD; 2277 else 2278 ni->ni_flags &= 2279 ~IEEE80211_NODE_UAPSD; 2280 } 2281 } else 2282 ni->ni_flags &= 2283 ~(IEEE80211_NODE_QOS | 2284 IEEE80211_NODE_UAPSD); 2285 #ifdef IEEE80211_SUPPORT_SUPERG 2286 if (ath != NULL) { 2287 setie(ath_ie, ath - sfrm); 2288 /* 2289 * Parse ATH station parameters. 2290 */ 2291 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2292 } else 2293 #endif 2294 ni->ni_ath_flags = 0; 2295 #undef setie 2296 } else { 2297 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2298 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2299 ni->ni_ath_flags = 0; 2300 } 2301 ieee80211_node_join(ni, resp); 2302 ieee80211_deliver_l2uf(ni); 2303 break; 2304 } 2305 2306 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2307 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2308 #ifdef IEEE80211_DEBUG 2309 uint16_t reason; 2310 #endif 2311 2312 if (vap->iv_state != IEEE80211_S_RUN || 2313 /* NB: can happen when in promiscuous mode */ 2314 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2315 vap->iv_stats.is_rx_mgtdiscard++; 2316 break; 2317 } 2318 /* 2319 * deauth/disassoc frame format 2320 * [2] reason 2321 */ 2322 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2323 #ifdef IEEE80211_DEBUG 2324 reason = le16toh(*(uint16_t *)frm); 2325 #endif 2326 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2327 vap->iv_stats.is_rx_deauth++; 2328 IEEE80211_NODE_STAT(ni, rx_deauth); 2329 } else { 2330 vap->iv_stats.is_rx_disassoc++; 2331 IEEE80211_NODE_STAT(ni, rx_disassoc); 2332 } 2333 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2334 "recv %s (reason: %d (%s))", 2335 ieee80211_mgt_subtype_name(subtype), 2336 reason, ieee80211_reason_to_string(reason)); 2337 if (ni != vap->iv_bss) 2338 ieee80211_node_leave(ni); 2339 break; 2340 } 2341 2342 case IEEE80211_FC0_SUBTYPE_ACTION: 2343 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2344 if (ni == vap->iv_bss) { 2345 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2346 wh, NULL, "%s", "unknown node"); 2347 vap->iv_stats.is_rx_mgtdiscard++; 2348 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2349 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2350 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2351 wh, NULL, "%s", "not for us"); 2352 vap->iv_stats.is_rx_mgtdiscard++; 2353 } else if (vap->iv_state != IEEE80211_S_RUN) { 2354 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2355 wh, NULL, "wrong state %s", 2356 ieee80211_state_name[vap->iv_state]); 2357 vap->iv_stats.is_rx_mgtdiscard++; 2358 } else { 2359 if (ieee80211_parse_action(ni, m0) == 0) 2360 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2361 } 2362 break; 2363 2364 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2365 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2366 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2367 case IEEE80211_FC0_SUBTYPE_ATIM: 2368 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2369 wh, NULL, "%s", "not handled"); 2370 vap->iv_stats.is_rx_mgtdiscard++; 2371 break; 2372 2373 default: 2374 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2375 wh, "mgt", "subtype 0x%x not handled", subtype); 2376 vap->iv_stats.is_rx_badsubtype++; 2377 break; 2378 } 2379 } 2380 2381 static void 2382 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2383 { 2384 switch (subtype) { 2385 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2386 ni->ni_vap->iv_recv_pspoll(ni, m); 2387 break; 2388 case IEEE80211_FC0_SUBTYPE_BAR: 2389 ieee80211_recv_bar(ni, m); 2390 break; 2391 } 2392 } 2393 2394 /* 2395 * Process a received ps-poll frame. 2396 */ 2397 void 2398 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2399 { 2400 struct ieee80211vap *vap = ni->ni_vap; 2401 struct ieee80211com *ic = vap->iv_ic; 2402 struct ieee80211_frame_min *wh; 2403 struct mbuf *m; 2404 uint16_t aid; 2405 int qlen; 2406 2407 wh = mtod(m0, struct ieee80211_frame_min *); 2408 if (ni->ni_associd == 0) { 2409 IEEE80211_DISCARD(vap, 2410 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2411 (struct ieee80211_frame *) wh, NULL, 2412 "%s", "unassociated station"); 2413 vap->iv_stats.is_ps_unassoc++; 2414 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2415 IEEE80211_REASON_NOT_ASSOCED); 2416 return; 2417 } 2418 2419 aid = le16toh(*(uint16_t *)wh->i_dur); 2420 if (aid != ni->ni_associd) { 2421 IEEE80211_DISCARD(vap, 2422 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2423 (struct ieee80211_frame *) wh, NULL, 2424 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2425 ni->ni_associd, aid); 2426 vap->iv_stats.is_ps_badaid++; 2427 /* 2428 * NB: We used to deauth the station but it turns out 2429 * the Blackberry Curve 8230 (and perhaps other devices) 2430 * sometimes send the wrong AID when WME is negotiated. 2431 * Being more lenient here seems ok as we already check 2432 * the station is associated and we only return frames 2433 * queued for the station (i.e. we don't use the AID). 2434 */ 2435 return; 2436 } 2437 2438 /* Okay, take the first queued packet and put it out... */ 2439 m = ieee80211_node_psq_dequeue(ni, &qlen); 2440 if (m == NULL) { 2441 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2442 "%s", "recv ps-poll, but queue empty"); 2443 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2444 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2445 if (vap->iv_set_tim != NULL) 2446 vap->iv_set_tim(ni, 0); /* just in case */ 2447 return; 2448 } 2449 /* 2450 * If there are more packets, set the more packets bit 2451 * in the packet dispatched to the station; otherwise 2452 * turn off the TIM bit. 2453 */ 2454 if (qlen != 0) { 2455 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2456 "recv ps-poll, send packet, %u still queued", qlen); 2457 m->m_flags |= M_MORE_DATA; 2458 } else { 2459 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2460 "%s", "recv ps-poll, send packet, queue empty"); 2461 if (vap->iv_set_tim != NULL) 2462 vap->iv_set_tim(ni, 0); 2463 } 2464 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2465 2466 /* 2467 * Do the right thing; if it's an encap'ed frame then 2468 * call ieee80211_parent_xmitpkt() else 2469 * call ieee80211_vap_xmitpkt(). 2470 */ 2471 if (m->m_flags & M_ENCAP) { 2472 (void) ieee80211_parent_xmitpkt(ic, m); 2473 } else { 2474 (void) ieee80211_vap_xmitpkt(vap, m); 2475 } 2476 } 2477