1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD$"); 31 #endif 32 33 /* 34 * IEEE 802.11 HOSTAP mode support. 35 */ 36 #include "opt_inet.h" 37 #include "opt_wlan.h" 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/mbuf.h> 42 #include <sys/malloc.h> 43 #include <sys/kernel.h> 44 45 #include <sys/socket.h> 46 #include <sys/sockio.h> 47 #include <sys/endian.h> 48 #include <sys/errno.h> 49 #include <sys/proc.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/if_var.h> 54 #include <net/if_media.h> 55 #include <net/if_llc.h> 56 #include <net/ethernet.h> 57 58 #include <net/bpf.h> 59 60 #include <net80211/ieee80211_var.h> 61 #include <net80211/ieee80211_hostap.h> 62 #include <net80211/ieee80211_input.h> 63 #ifdef IEEE80211_SUPPORT_SUPERG 64 #include <net80211/ieee80211_superg.h> 65 #endif 66 #include <net80211/ieee80211_wds.h> 67 #include <net80211/ieee80211_vht.h> 68 69 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 70 71 static void hostap_vattach(struct ieee80211vap *); 72 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 73 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 74 const struct ieee80211_rx_stats *, 75 int rssi, int nf); 76 static void hostap_deliver_data(struct ieee80211vap *, 77 struct ieee80211_node *, struct mbuf *); 78 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 79 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 80 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 81 82 void 83 ieee80211_hostap_attach(struct ieee80211com *ic) 84 { 85 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 86 } 87 88 void 89 ieee80211_hostap_detach(struct ieee80211com *ic) 90 { 91 } 92 93 static void 94 hostap_vdetach(struct ieee80211vap *vap) 95 { 96 } 97 98 static void 99 hostap_vattach(struct ieee80211vap *vap) 100 { 101 vap->iv_newstate = hostap_newstate; 102 vap->iv_input = hostap_input; 103 vap->iv_recv_mgmt = hostap_recv_mgmt; 104 vap->iv_recv_ctl = hostap_recv_ctl; 105 vap->iv_opdetach = hostap_vdetach; 106 vap->iv_deliver_data = hostap_deliver_data; 107 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 108 } 109 110 static void 111 sta_disassoc(void *arg, struct ieee80211_node *ni) 112 { 113 114 if (ni->ni_associd != 0) { 115 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 116 IEEE80211_REASON_ASSOC_LEAVE); 117 ieee80211_node_leave(ni); 118 } 119 } 120 121 static void 122 sta_csa(void *arg, struct ieee80211_node *ni) 123 { 124 struct ieee80211vap *vap = ni->ni_vap; 125 126 if (ni->ni_associd != 0) 127 if (ni->ni_inact > vap->iv_inact_init) { 128 ni->ni_inact = vap->iv_inact_init; 129 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 130 "%s: inact %u", __func__, ni->ni_inact); 131 } 132 } 133 134 static void 135 sta_drop(void *arg, struct ieee80211_node *ni) 136 { 137 138 if (ni->ni_associd != 0) 139 ieee80211_node_leave(ni); 140 } 141 142 /* 143 * Does a channel change require associated stations to re-associate 144 * so protocol state is correct. This is used when doing CSA across 145 * bands or similar (e.g. HT -> legacy). 146 */ 147 static int 148 isbandchange(struct ieee80211com *ic) 149 { 150 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 151 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 152 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 153 } 154 155 /* 156 * IEEE80211_M_HOSTAP vap state machine handler. 157 */ 158 static int 159 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 160 { 161 struct ieee80211com *ic = vap->iv_ic; 162 enum ieee80211_state ostate; 163 164 IEEE80211_LOCK_ASSERT(ic); 165 166 ostate = vap->iv_state; 167 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 168 __func__, ieee80211_state_name[ostate], 169 ieee80211_state_name[nstate], arg); 170 vap->iv_state = nstate; /* state transition */ 171 if (ostate != IEEE80211_S_SCAN) 172 ieee80211_cancel_scan(vap); /* background scan */ 173 switch (nstate) { 174 case IEEE80211_S_INIT: 175 switch (ostate) { 176 case IEEE80211_S_SCAN: 177 ieee80211_cancel_scan(vap); 178 break; 179 case IEEE80211_S_CAC: 180 ieee80211_dfs_cac_stop(vap); 181 break; 182 case IEEE80211_S_RUN: 183 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 184 sta_disassoc, NULL); 185 break; 186 default: 187 break; 188 } 189 if (ostate != IEEE80211_S_INIT) { 190 /* NB: optimize INIT -> INIT case */ 191 ieee80211_reset_bss(vap); 192 } 193 if (vap->iv_auth->ia_detach != NULL) 194 vap->iv_auth->ia_detach(vap); 195 break; 196 case IEEE80211_S_SCAN: 197 switch (ostate) { 198 case IEEE80211_S_CSA: 199 case IEEE80211_S_RUN: 200 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 201 sta_disassoc, NULL); 202 /* 203 * Clear overlapping BSS state; the beacon frame 204 * will be reconstructed on transition to the RUN 205 * state and the timeout routines check if the flag 206 * is set before doing anything so this is sufficient. 207 */ 208 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 209 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 210 /* fall thru... */ 211 case IEEE80211_S_CAC: 212 /* 213 * NB: We may get here because of a manual channel 214 * change in which case we need to stop CAC 215 * XXX no need to stop if ostate RUN but it's ok 216 */ 217 ieee80211_dfs_cac_stop(vap); 218 /* fall thru... */ 219 case IEEE80211_S_INIT: 220 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 221 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 222 /* 223 * Already have a channel; bypass the 224 * scan and startup immediately. 225 * ieee80211_create_ibss will call back to 226 * move us to RUN state. 227 */ 228 ieee80211_create_ibss(vap, vap->iv_des_chan); 229 break; 230 } 231 /* 232 * Initiate a scan. We can come here as a result 233 * of an IEEE80211_IOC_SCAN_REQ too in which case 234 * the vap will be marked with IEEE80211_FEXT_SCANREQ 235 * and the scan request parameters will be present 236 * in iv_scanreq. Otherwise we do the default. 237 */ 238 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 239 ieee80211_check_scan(vap, 240 vap->iv_scanreq_flags, 241 vap->iv_scanreq_duration, 242 vap->iv_scanreq_mindwell, 243 vap->iv_scanreq_maxdwell, 244 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 245 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 246 } else 247 ieee80211_check_scan_current(vap); 248 break; 249 case IEEE80211_S_SCAN: 250 /* 251 * A state change requires a reset; scan. 252 */ 253 ieee80211_check_scan_current(vap); 254 break; 255 default: 256 break; 257 } 258 break; 259 case IEEE80211_S_CAC: 260 /* 261 * Start CAC on a DFS channel. We come here when starting 262 * a bss on a DFS channel (see ieee80211_create_ibss). 263 */ 264 ieee80211_dfs_cac_start(vap); 265 break; 266 case IEEE80211_S_RUN: 267 if (vap->iv_flags & IEEE80211_F_WPA) { 268 /* XXX validate prerequisites */ 269 } 270 switch (ostate) { 271 case IEEE80211_S_INIT: 272 /* 273 * Already have a channel; bypass the 274 * scan and startup immediately. 275 * Note that ieee80211_create_ibss will call 276 * back to do a RUN->RUN state change. 277 */ 278 ieee80211_create_ibss(vap, 279 ieee80211_ht_adjust_channel(ic, 280 ic->ic_curchan, vap->iv_flags_ht)); 281 /* NB: iv_bss is changed on return */ 282 break; 283 case IEEE80211_S_CAC: 284 /* 285 * NB: This is the normal state change when CAC 286 * expires and no radar was detected; no need to 287 * clear the CAC timer as it's already expired. 288 */ 289 /* fall thru... */ 290 case IEEE80211_S_CSA: 291 /* 292 * Shorten inactivity timer of associated stations 293 * to weed out sta's that don't follow a CSA. 294 */ 295 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 296 sta_csa, NULL); 297 /* 298 * Update bss node channel to reflect where 299 * we landed after CSA. 300 */ 301 ieee80211_node_set_chan(vap->iv_bss, 302 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 303 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 304 /* XXX bypass debug msgs */ 305 break; 306 case IEEE80211_S_SCAN: 307 case IEEE80211_S_RUN: 308 #ifdef IEEE80211_DEBUG 309 if (ieee80211_msg_debug(vap)) { 310 struct ieee80211_node *ni = vap->iv_bss; 311 ieee80211_note(vap, 312 "synchronized with %s ssid ", 313 ether_sprintf(ni->ni_bssid)); 314 ieee80211_print_essid(ni->ni_essid, 315 ni->ni_esslen); 316 /* XXX MCS/HT */ 317 printf(" channel %d start %uMb\n", 318 ieee80211_chan2ieee(ic, ic->ic_curchan), 319 IEEE80211_RATE2MBS(ni->ni_txrate)); 320 } 321 #endif 322 break; 323 default: 324 break; 325 } 326 /* 327 * Start/stop the authenticator. We delay until here 328 * to allow configuration to happen out of order. 329 */ 330 if (vap->iv_auth->ia_attach != NULL) { 331 /* XXX check failure */ 332 vap->iv_auth->ia_attach(vap); 333 } else if (vap->iv_auth->ia_detach != NULL) { 334 vap->iv_auth->ia_detach(vap); 335 } 336 ieee80211_node_authorize(vap->iv_bss); 337 break; 338 case IEEE80211_S_CSA: 339 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 340 /* 341 * On a ``band change'' silently drop associated 342 * stations as they must re-associate before they 343 * can pass traffic (as otherwise protocol state 344 * such as capabilities and the negotiated rate 345 * set may/will be wrong). 346 */ 347 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 348 sta_drop, NULL); 349 } 350 break; 351 default: 352 break; 353 } 354 return 0; 355 } 356 357 static void 358 hostap_deliver_data(struct ieee80211vap *vap, 359 struct ieee80211_node *ni, struct mbuf *m) 360 { 361 struct ether_header *eh = mtod(m, struct ether_header *); 362 struct ifnet *ifp = vap->iv_ifp; 363 364 /* clear driver/net80211 flags before passing up */ 365 m->m_flags &= ~(M_MCAST | M_BCAST); 366 m_clrprotoflags(m); 367 368 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 369 ("gack, opmode %d", vap->iv_opmode)); 370 /* 371 * Do accounting. 372 */ 373 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 374 IEEE80211_NODE_STAT(ni, rx_data); 375 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 376 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 377 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 378 IEEE80211_NODE_STAT(ni, rx_mcast); 379 } else 380 IEEE80211_NODE_STAT(ni, rx_ucast); 381 382 /* perform as a bridge within the AP */ 383 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 384 struct mbuf *mcopy = NULL; 385 386 if (m->m_flags & M_MCAST) { 387 mcopy = m_dup(m, M_NOWAIT); 388 if (mcopy == NULL) 389 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 390 else 391 mcopy->m_flags |= M_MCAST; 392 } else { 393 /* 394 * Check if the destination is associated with the 395 * same vap and authorized to receive traffic. 396 * Beware of traffic destined for the vap itself; 397 * sending it will not work; just let it be delivered 398 * normally. 399 */ 400 struct ieee80211_node *sta = ieee80211_find_vap_node( 401 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 402 if (sta != NULL) { 403 if (ieee80211_node_is_authorized(sta)) { 404 /* 405 * Beware of sending to ourself; this 406 * needs to happen via the normal 407 * input path. 408 */ 409 if (sta != vap->iv_bss) { 410 mcopy = m; 411 m = NULL; 412 } 413 } else { 414 vap->iv_stats.is_rx_unauth++; 415 IEEE80211_NODE_STAT(sta, rx_unauth); 416 } 417 ieee80211_free_node(sta); 418 } 419 } 420 if (mcopy != NULL) 421 (void) ieee80211_vap_xmitpkt(vap, mcopy); 422 } 423 if (m != NULL) { 424 /* 425 * Mark frame as coming from vap's interface. 426 */ 427 m->m_pkthdr.rcvif = ifp; 428 if (m->m_flags & M_MCAST) { 429 /* 430 * Spam DWDS vap's w/ multicast traffic. 431 */ 432 /* XXX only if dwds in use? */ 433 ieee80211_dwds_mcast(vap, m); 434 } 435 if (ni->ni_vlan != 0) { 436 /* attach vlan tag */ 437 m->m_pkthdr.ether_vtag = ni->ni_vlan; 438 m->m_flags |= M_VLANTAG; 439 } 440 ifp->if_input(ifp, m); 441 } 442 } 443 444 /* 445 * Decide if a received management frame should be 446 * printed when debugging is enabled. This filters some 447 * of the less interesting frames that come frequently 448 * (e.g. beacons). 449 */ 450 static __inline int 451 doprint(struct ieee80211vap *vap, int subtype) 452 { 453 switch (subtype) { 454 case IEEE80211_FC0_SUBTYPE_BEACON: 455 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 456 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 457 return 0; 458 } 459 return 1; 460 } 461 462 /* 463 * Process a received frame. The node associated with the sender 464 * should be supplied. If nothing was found in the node table then 465 * the caller is assumed to supply a reference to iv_bss instead. 466 * The RSSI and a timestamp are also supplied. The RSSI data is used 467 * during AP scanning to select a AP to associate with; it can have 468 * any units so long as values have consistent units and higher values 469 * mean ``better signal''. The receive timestamp is currently not used 470 * by the 802.11 layer. 471 */ 472 static int 473 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 474 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 475 { 476 struct ieee80211vap *vap = ni->ni_vap; 477 struct ieee80211com *ic = ni->ni_ic; 478 struct ifnet *ifp = vap->iv_ifp; 479 struct ieee80211_frame *wh; 480 struct ieee80211_key *key; 481 struct ether_header *eh; 482 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 483 uint8_t dir, type, subtype, qos; 484 uint8_t *bssid; 485 int is_hw_decrypted = 0; 486 int has_decrypted = 0; 487 488 /* 489 * Some devices do hardware decryption all the way through 490 * to pretending the frame wasn't encrypted in the first place. 491 * So, tag it appropriately so it isn't discarded inappropriately. 492 */ 493 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 494 is_hw_decrypted = 1; 495 496 if (m->m_flags & M_AMPDU_MPDU) { 497 /* 498 * Fastpath for A-MPDU reorder q resubmission. Frames 499 * w/ M_AMPDU_MPDU marked have already passed through 500 * here but were received out of order and been held on 501 * the reorder queue. When resubmitted they are marked 502 * with the M_AMPDU_MPDU flag and we can bypass most of 503 * the normal processing. 504 */ 505 wh = mtod(m, struct ieee80211_frame *); 506 type = IEEE80211_FC0_TYPE_DATA; 507 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 508 subtype = IEEE80211_FC0_SUBTYPE_QOS; 509 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 510 goto resubmit_ampdu; 511 } 512 513 KASSERT(ni != NULL, ("null node")); 514 ni->ni_inact = ni->ni_inact_reload; 515 516 type = -1; /* undefined */ 517 518 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 519 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 520 ni->ni_macaddr, NULL, 521 "too short (1): len %u", m->m_pkthdr.len); 522 vap->iv_stats.is_rx_tooshort++; 523 goto out; 524 } 525 /* 526 * Bit of a cheat here, we use a pointer for a 3-address 527 * frame format but don't reference fields past outside 528 * ieee80211_frame_min w/o first validating the data is 529 * present. 530 */ 531 wh = mtod(m, struct ieee80211_frame *); 532 533 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 534 IEEE80211_FC0_VERSION_0) { 535 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 536 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 537 wh->i_fc[0], wh->i_fc[1]); 538 vap->iv_stats.is_rx_badversion++; 539 goto err; 540 } 541 542 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 543 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 544 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 545 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 546 if (dir != IEEE80211_FC1_DIR_NODS) 547 bssid = wh->i_addr1; 548 else if (type == IEEE80211_FC0_TYPE_CTL) 549 bssid = wh->i_addr1; 550 else { 551 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 552 IEEE80211_DISCARD_MAC(vap, 553 IEEE80211_MSG_ANY, ni->ni_macaddr, 554 NULL, "too short (2): len %u", 555 m->m_pkthdr.len); 556 vap->iv_stats.is_rx_tooshort++; 557 goto out; 558 } 559 bssid = wh->i_addr3; 560 } 561 /* 562 * Validate the bssid. 563 */ 564 if (!(type == IEEE80211_FC0_TYPE_MGT && 565 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 566 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 567 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 568 /* not interested in */ 569 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 570 bssid, NULL, "%s", "not to bss"); 571 vap->iv_stats.is_rx_wrongbss++; 572 goto out; 573 } 574 575 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 576 ni->ni_noise = nf; 577 if (IEEE80211_HAS_SEQ(type, subtype)) { 578 uint8_t tid = ieee80211_gettid(wh); 579 if (IEEE80211_QOS_HAS_SEQ(wh) && 580 TID_TO_WME_AC(tid) >= WME_AC_VI) 581 ic->ic_wme.wme_hipri_traffic++; 582 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 583 goto out; 584 } 585 } 586 587 switch (type) { 588 case IEEE80211_FC0_TYPE_DATA: 589 hdrspace = ieee80211_hdrspace(ic, wh); 590 if (m->m_len < hdrspace && 591 (m = m_pullup(m, hdrspace)) == NULL) { 592 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 593 ni->ni_macaddr, NULL, 594 "data too short: expecting %u", hdrspace); 595 vap->iv_stats.is_rx_tooshort++; 596 goto out; /* XXX */ 597 } 598 if (!(dir == IEEE80211_FC1_DIR_TODS || 599 (dir == IEEE80211_FC1_DIR_DSTODS && 600 (vap->iv_flags & IEEE80211_F_DWDS)))) { 601 if (dir != IEEE80211_FC1_DIR_DSTODS) { 602 IEEE80211_DISCARD(vap, 603 IEEE80211_MSG_INPUT, wh, "data", 604 "incorrect dir 0x%x", dir); 605 } else { 606 IEEE80211_DISCARD(vap, 607 IEEE80211_MSG_INPUT | 608 IEEE80211_MSG_WDS, wh, 609 "4-address data", 610 "%s", "DWDS not enabled"); 611 } 612 vap->iv_stats.is_rx_wrongdir++; 613 goto out; 614 } 615 /* check if source STA is associated */ 616 if (ni == vap->iv_bss) { 617 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 618 wh, "data", "%s", "unknown src"); 619 ieee80211_send_error(ni, wh->i_addr2, 620 IEEE80211_FC0_SUBTYPE_DEAUTH, 621 IEEE80211_REASON_NOT_AUTHED); 622 vap->iv_stats.is_rx_notassoc++; 623 goto err; 624 } 625 if (ni->ni_associd == 0) { 626 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 627 wh, "data", "%s", "unassoc src"); 628 IEEE80211_SEND_MGMT(ni, 629 IEEE80211_FC0_SUBTYPE_DISASSOC, 630 IEEE80211_REASON_NOT_ASSOCED); 631 vap->iv_stats.is_rx_notassoc++; 632 goto err; 633 } 634 635 /* 636 * Check for power save state change. 637 * XXX out-of-order A-MPDU frames? 638 */ 639 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 640 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 641 vap->iv_node_ps(ni, 642 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 643 /* 644 * For 4-address packets handle WDS discovery 645 * notifications. Once a WDS link is setup frames 646 * are just delivered to the WDS vap (see below). 647 */ 648 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 649 if (!ieee80211_node_is_authorized(ni)) { 650 IEEE80211_DISCARD(vap, 651 IEEE80211_MSG_INPUT | 652 IEEE80211_MSG_WDS, wh, 653 "4-address data", 654 "%s", "unauthorized port"); 655 vap->iv_stats.is_rx_unauth++; 656 IEEE80211_NODE_STAT(ni, rx_unauth); 657 goto err; 658 } 659 ieee80211_dwds_discover(ni, m); 660 return type; 661 } 662 663 /* 664 * Handle A-MPDU re-ordering. If the frame is to be 665 * processed directly then ieee80211_ampdu_reorder 666 * will return 0; otherwise it has consumed the mbuf 667 * and we should do nothing more with it. 668 */ 669 if ((m->m_flags & M_AMPDU) && 670 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 671 m = NULL; 672 goto out; 673 } 674 resubmit_ampdu: 675 676 /* 677 * Handle privacy requirements. Note that we 678 * must not be preempted from here until after 679 * we (potentially) call ieee80211_crypto_demic; 680 * otherwise we may violate assumptions in the 681 * crypto cipher modules used to do delayed update 682 * of replay sequence numbers. 683 */ 684 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 685 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 686 /* 687 * Discard encrypted frames when privacy is off. 688 */ 689 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 690 wh, "WEP", "%s", "PRIVACY off"); 691 vap->iv_stats.is_rx_noprivacy++; 692 IEEE80211_NODE_STAT(ni, rx_noprivacy); 693 goto out; 694 } 695 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 696 /* NB: stats+msgs handled in crypto_decap */ 697 IEEE80211_NODE_STAT(ni, rx_wepfail); 698 goto out; 699 } 700 wh = mtod(m, struct ieee80211_frame *); 701 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 702 has_decrypted = 1; 703 } else { 704 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 705 key = NULL; 706 } 707 708 /* 709 * Save QoS bits for use below--before we strip the header. 710 */ 711 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 712 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 713 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 714 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 715 } else 716 qos = 0; 717 718 /* 719 * Next up, any fragmentation. 720 */ 721 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 722 m = ieee80211_defrag(ni, m, hdrspace); 723 if (m == NULL) { 724 /* Fragment dropped or frame not complete yet */ 725 goto out; 726 } 727 } 728 wh = NULL; /* no longer valid, catch any uses */ 729 730 /* 731 * Next strip any MSDU crypto bits. 732 */ 733 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 734 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 735 ni->ni_macaddr, "data", "%s", "demic error"); 736 vap->iv_stats.is_rx_demicfail++; 737 IEEE80211_NODE_STAT(ni, rx_demicfail); 738 goto out; 739 } 740 /* copy to listener after decrypt */ 741 if (ieee80211_radiotap_active_vap(vap)) 742 ieee80211_radiotap_rx(vap, m); 743 need_tap = 0; 744 /* 745 * Finally, strip the 802.11 header. 746 */ 747 m = ieee80211_decap(vap, m, hdrspace); 748 if (m == NULL) { 749 /* XXX mask bit to check for both */ 750 /* don't count Null data frames as errors */ 751 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 752 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 753 goto out; 754 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 755 ni->ni_macaddr, "data", "%s", "decap error"); 756 vap->iv_stats.is_rx_decap++; 757 IEEE80211_NODE_STAT(ni, rx_decap); 758 goto err; 759 } 760 eh = mtod(m, struct ether_header *); 761 if (!ieee80211_node_is_authorized(ni)) { 762 /* 763 * Deny any non-PAE frames received prior to 764 * authorization. For open/shared-key 765 * authentication the port is mark authorized 766 * after authentication completes. For 802.1x 767 * the port is not marked authorized by the 768 * authenticator until the handshake has completed. 769 */ 770 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 772 eh->ether_shost, "data", 773 "unauthorized port: ether type 0x%x len %u", 774 eh->ether_type, m->m_pkthdr.len); 775 vap->iv_stats.is_rx_unauth++; 776 IEEE80211_NODE_STAT(ni, rx_unauth); 777 goto err; 778 } 779 } else { 780 /* 781 * When denying unencrypted frames, discard 782 * any non-PAE frames received without encryption. 783 */ 784 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 785 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 786 (is_hw_decrypted == 0) && 787 eh->ether_type != htons(ETHERTYPE_PAE)) { 788 /* 789 * Drop unencrypted frames. 790 */ 791 vap->iv_stats.is_rx_unencrypted++; 792 IEEE80211_NODE_STAT(ni, rx_unencrypted); 793 goto out; 794 } 795 } 796 /* XXX require HT? */ 797 if (qos & IEEE80211_QOS_AMSDU) { 798 m = ieee80211_decap_amsdu(ni, m); 799 if (m == NULL) 800 return IEEE80211_FC0_TYPE_DATA; 801 } else { 802 #ifdef IEEE80211_SUPPORT_SUPERG 803 m = ieee80211_decap_fastframe(vap, ni, m); 804 if (m == NULL) 805 return IEEE80211_FC0_TYPE_DATA; 806 #endif 807 } 808 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 809 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 810 else 811 hostap_deliver_data(vap, ni, m); 812 return IEEE80211_FC0_TYPE_DATA; 813 814 case IEEE80211_FC0_TYPE_MGT: 815 vap->iv_stats.is_rx_mgmt++; 816 IEEE80211_NODE_STAT(ni, rx_mgmt); 817 if (dir != IEEE80211_FC1_DIR_NODS) { 818 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 819 wh, "mgt", "incorrect dir 0x%x", dir); 820 vap->iv_stats.is_rx_wrongdir++; 821 goto err; 822 } 823 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 824 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 825 ni->ni_macaddr, "mgt", "too short: len %u", 826 m->m_pkthdr.len); 827 vap->iv_stats.is_rx_tooshort++; 828 goto out; 829 } 830 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 831 /* ensure return frames are unicast */ 832 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 833 wh, NULL, "source is multicast: %s", 834 ether_sprintf(wh->i_addr2)); 835 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 836 goto out; 837 } 838 #ifdef IEEE80211_DEBUG 839 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 840 ieee80211_msg_dumppkts(vap)) { 841 if_printf(ifp, "received %s from %s rssi %d\n", 842 ieee80211_mgt_subtype_name(subtype), 843 ether_sprintf(wh->i_addr2), rssi); 844 } 845 #endif 846 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 847 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 848 /* 849 * Only shared key auth frames with a challenge 850 * should be encrypted, discard all others. 851 */ 852 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 853 wh, NULL, 854 "%s", "WEP set but not permitted"); 855 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 856 goto out; 857 } 858 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 859 /* 860 * Discard encrypted frames when privacy is off. 861 */ 862 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 863 wh, NULL, "%s", "WEP set but PRIVACY off"); 864 vap->iv_stats.is_rx_noprivacy++; 865 goto out; 866 } 867 hdrspace = ieee80211_hdrspace(ic, wh); 868 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 869 /* NB: stats+msgs handled in crypto_decap */ 870 goto out; 871 } 872 wh = mtod(m, struct ieee80211_frame *); 873 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 874 has_decrypted = 1; 875 } 876 /* 877 * Pass the packet to radiotap before calling iv_recv_mgmt(). 878 * Otherwise iv_recv_mgmt() might pass another packet to 879 * radiotap, resulting in out of order packet captures. 880 */ 881 if (ieee80211_radiotap_active_vap(vap)) 882 ieee80211_radiotap_rx(vap, m); 883 need_tap = 0; 884 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 885 goto out; 886 887 case IEEE80211_FC0_TYPE_CTL: 888 vap->iv_stats.is_rx_ctl++; 889 IEEE80211_NODE_STAT(ni, rx_ctrl); 890 vap->iv_recv_ctl(ni, m, subtype); 891 goto out; 892 default: 893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 894 wh, "bad", "frame type 0x%x", type); 895 /* should not come here */ 896 break; 897 } 898 err: 899 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 900 out: 901 if (m != NULL) { 902 if (need_tap && ieee80211_radiotap_active_vap(vap)) 903 ieee80211_radiotap_rx(vap, m); 904 m_freem(m); 905 } 906 return type; 907 } 908 909 static void 910 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 911 int rssi, int nf, uint16_t seq, uint16_t status) 912 { 913 struct ieee80211vap *vap = ni->ni_vap; 914 915 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 916 917 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 918 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 919 ni->ni_macaddr, "open auth", 920 "bad sta auth mode %u", ni->ni_authmode); 921 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 922 /* 923 * Clear any challenge text that may be there if 924 * a previous shared key auth failed and then an 925 * open auth is attempted. 926 */ 927 if (ni->ni_challenge != NULL) { 928 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 929 ni->ni_challenge = NULL; 930 } 931 /* XXX hack to workaround calling convention */ 932 ieee80211_send_error(ni, wh->i_addr2, 933 IEEE80211_FC0_SUBTYPE_AUTH, 934 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 935 return; 936 } 937 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 938 vap->iv_stats.is_rx_bad_auth++; 939 return; 940 } 941 /* always accept open authentication requests */ 942 if (ni == vap->iv_bss) { 943 ni = ieee80211_dup_bss(vap, wh->i_addr2); 944 if (ni == NULL) 945 return; 946 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 947 (void) ieee80211_ref_node(ni); 948 /* 949 * Mark the node as referenced to reflect that it's 950 * reference count has been bumped to insure it remains 951 * after the transaction completes. 952 */ 953 ni->ni_flags |= IEEE80211_NODE_AREF; 954 /* 955 * Mark the node as requiring a valid association id 956 * before outbound traffic is permitted. 957 */ 958 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 959 960 if (vap->iv_acl != NULL && 961 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 962 /* 963 * When the ACL policy is set to RADIUS we defer the 964 * authorization to a user agent. Dispatch an event, 965 * a subsequent MLME call will decide the fate of the 966 * station. If the user agent is not present then the 967 * node will be reclaimed due to inactivity. 968 */ 969 IEEE80211_NOTE_MAC(vap, 970 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 971 "%s", "station authentication defered (radius acl)"); 972 ieee80211_notify_node_auth(ni); 973 } else { 974 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 975 IEEE80211_NOTE_MAC(vap, 976 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 977 "%s", "station authenticated (open)"); 978 /* 979 * When 802.1x is not in use mark the port 980 * authorized at this point so traffic can flow. 981 */ 982 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 983 ieee80211_node_authorize(ni); 984 } 985 } 986 987 static void 988 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 989 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 990 uint16_t seq, uint16_t status) 991 { 992 struct ieee80211vap *vap = ni->ni_vap; 993 uint8_t *challenge; 994 int allocbs, estatus; 995 996 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 997 998 /* 999 * NB: this can happen as we allow pre-shared key 1000 * authentication to be enabled w/o wep being turned 1001 * on so that configuration of these can be done 1002 * in any order. It may be better to enforce the 1003 * ordering in which case this check would just be 1004 * for sanity/consistency. 1005 */ 1006 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1007 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1008 ni->ni_macaddr, "shared key auth", 1009 "%s", " PRIVACY is disabled"); 1010 estatus = IEEE80211_STATUS_ALG; 1011 goto bad; 1012 } 1013 /* 1014 * Pre-shared key authentication is evil; accept 1015 * it only if explicitly configured (it is supported 1016 * mainly for compatibility with clients like Mac OS X). 1017 */ 1018 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1019 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1020 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1021 ni->ni_macaddr, "shared key auth", 1022 "bad sta auth mode %u", ni->ni_authmode); 1023 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1024 estatus = IEEE80211_STATUS_ALG; 1025 goto bad; 1026 } 1027 1028 challenge = NULL; 1029 if (frm + 1 < efrm) { 1030 if ((frm[1] + 2) > (efrm - frm)) { 1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1032 ni->ni_macaddr, "shared key auth", 1033 "ie %d/%d too long", 1034 frm[0], (frm[1] + 2) - (efrm - frm)); 1035 vap->iv_stats.is_rx_bad_auth++; 1036 estatus = IEEE80211_STATUS_CHALLENGE; 1037 goto bad; 1038 } 1039 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1040 challenge = frm; 1041 frm += frm[1] + 2; 1042 } 1043 switch (seq) { 1044 case IEEE80211_AUTH_SHARED_CHALLENGE: 1045 case IEEE80211_AUTH_SHARED_RESPONSE: 1046 if (challenge == NULL) { 1047 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1048 ni->ni_macaddr, "shared key auth", 1049 "%s", "no challenge"); 1050 vap->iv_stats.is_rx_bad_auth++; 1051 estatus = IEEE80211_STATUS_CHALLENGE; 1052 goto bad; 1053 } 1054 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1055 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1056 ni->ni_macaddr, "shared key auth", 1057 "bad challenge len %d", challenge[1]); 1058 vap->iv_stats.is_rx_bad_auth++; 1059 estatus = IEEE80211_STATUS_CHALLENGE; 1060 goto bad; 1061 } 1062 default: 1063 break; 1064 } 1065 switch (seq) { 1066 case IEEE80211_AUTH_SHARED_REQUEST: 1067 if (ni == vap->iv_bss) { 1068 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1069 if (ni == NULL) { 1070 /* NB: no way to return an error */ 1071 return; 1072 } 1073 allocbs = 1; 1074 } else { 1075 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1076 (void) ieee80211_ref_node(ni); 1077 allocbs = 0; 1078 } 1079 /* 1080 * Mark the node as referenced to reflect that it's 1081 * reference count has been bumped to insure it remains 1082 * after the transaction completes. 1083 */ 1084 ni->ni_flags |= IEEE80211_NODE_AREF; 1085 /* 1086 * Mark the node as requiring a valid association id 1087 * before outbound traffic is permitted. 1088 */ 1089 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1090 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1091 ni->ni_noise = nf; 1092 if (!ieee80211_alloc_challenge(ni)) { 1093 /* NB: don't return error so they rexmit */ 1094 return; 1095 } 1096 get_random_bytes(ni->ni_challenge, 1097 IEEE80211_CHALLENGE_LEN); 1098 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1099 ni, "shared key %sauth request", allocbs ? "" : "re"); 1100 /* 1101 * When the ACL policy is set to RADIUS we defer the 1102 * authorization to a user agent. Dispatch an event, 1103 * a subsequent MLME call will decide the fate of the 1104 * station. If the user agent is not present then the 1105 * node will be reclaimed due to inactivity. 1106 */ 1107 if (vap->iv_acl != NULL && 1108 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1109 IEEE80211_NOTE_MAC(vap, 1110 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1111 ni->ni_macaddr, 1112 "%s", "station authentication defered (radius acl)"); 1113 ieee80211_notify_node_auth(ni); 1114 return; 1115 } 1116 break; 1117 case IEEE80211_AUTH_SHARED_RESPONSE: 1118 if (ni == vap->iv_bss) { 1119 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1120 ni->ni_macaddr, "shared key response", 1121 "%s", "unknown station"); 1122 /* NB: don't send a response */ 1123 return; 1124 } 1125 if (ni->ni_challenge == NULL) { 1126 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1127 ni->ni_macaddr, "shared key response", 1128 "%s", "no challenge recorded"); 1129 vap->iv_stats.is_rx_bad_auth++; 1130 estatus = IEEE80211_STATUS_CHALLENGE; 1131 goto bad; 1132 } 1133 if (memcmp(ni->ni_challenge, &challenge[2], 1134 challenge[1]) != 0) { 1135 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1136 ni->ni_macaddr, "shared key response", 1137 "%s", "challenge mismatch"); 1138 vap->iv_stats.is_rx_auth_fail++; 1139 estatus = IEEE80211_STATUS_CHALLENGE; 1140 goto bad; 1141 } 1142 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1143 ni, "%s", "station authenticated (shared key)"); 1144 ieee80211_node_authorize(ni); 1145 break; 1146 default: 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key auth", 1149 "bad seq %d", seq); 1150 vap->iv_stats.is_rx_bad_auth++; 1151 estatus = IEEE80211_STATUS_SEQUENCE; 1152 goto bad; 1153 } 1154 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1155 return; 1156 bad: 1157 /* 1158 * Send an error response; but only when operating as an AP. 1159 */ 1160 /* XXX hack to workaround calling convention */ 1161 ieee80211_send_error(ni, wh->i_addr2, 1162 IEEE80211_FC0_SUBTYPE_AUTH, 1163 (seq + 1) | (estatus<<16)); 1164 } 1165 1166 /* 1167 * Convert a WPA cipher selector OUI to an internal 1168 * cipher algorithm. Where appropriate we also 1169 * record any key length. 1170 */ 1171 static int 1172 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1173 { 1174 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1175 uint32_t w = le32dec(sel); 1176 1177 switch (w) { 1178 case WPA_SEL(WPA_CSE_NULL): 1179 *cipher = IEEE80211_CIPHER_NONE; 1180 break; 1181 case WPA_SEL(WPA_CSE_WEP40): 1182 if (keylen) 1183 *keylen = 40 / NBBY; 1184 *cipher = IEEE80211_CIPHER_WEP; 1185 break; 1186 case WPA_SEL(WPA_CSE_WEP104): 1187 if (keylen) 1188 *keylen = 104 / NBBY; 1189 *cipher = IEEE80211_CIPHER_WEP; 1190 break; 1191 case WPA_SEL(WPA_CSE_TKIP): 1192 *cipher = IEEE80211_CIPHER_TKIP; 1193 break; 1194 case WPA_SEL(WPA_CSE_CCMP): 1195 *cipher = IEEE80211_CIPHER_AES_CCM; 1196 break; 1197 default: 1198 return (EINVAL); 1199 } 1200 1201 return (0); 1202 #undef WPA_SEL 1203 } 1204 1205 /* 1206 * Convert a WPA key management/authentication algorithm 1207 * to an internal code. 1208 */ 1209 static int 1210 wpa_keymgmt(const uint8_t *sel) 1211 { 1212 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1213 uint32_t w = le32dec(sel); 1214 1215 switch (w) { 1216 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1217 return WPA_ASE_8021X_UNSPEC; 1218 case WPA_SEL(WPA_ASE_8021X_PSK): 1219 return WPA_ASE_8021X_PSK; 1220 case WPA_SEL(WPA_ASE_NONE): 1221 return WPA_ASE_NONE; 1222 } 1223 return 0; /* NB: so is discarded */ 1224 #undef WPA_SEL 1225 } 1226 1227 /* 1228 * Parse a WPA information element to collect parameters. 1229 * Note that we do not validate security parameters; that 1230 * is handled by the authenticator; the parsing done here 1231 * is just for internal use in making operational decisions. 1232 */ 1233 static int 1234 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1235 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1236 { 1237 uint8_t len = frm[1]; 1238 uint32_t w; 1239 int error, n; 1240 1241 /* 1242 * Check the length once for fixed parts: OUI, type, 1243 * version, mcast cipher, and 2 selector counts. 1244 * Other, variable-length data, must be checked separately. 1245 */ 1246 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1247 IEEE80211_DISCARD_IE(vap, 1248 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1249 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1250 return IEEE80211_REASON_IE_INVALID; 1251 } 1252 if (len < 14) { 1253 IEEE80211_DISCARD_IE(vap, 1254 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1255 wh, "WPA", "too short, len %u", len); 1256 return IEEE80211_REASON_IE_INVALID; 1257 } 1258 frm += 6, len -= 4; /* NB: len is payload only */ 1259 /* NB: iswpaoui already validated the OUI and type */ 1260 w = le16dec(frm); 1261 if (w != WPA_VERSION) { 1262 IEEE80211_DISCARD_IE(vap, 1263 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1264 wh, "WPA", "bad version %u", w); 1265 return IEEE80211_REASON_IE_INVALID; 1266 } 1267 frm += 2, len -= 2; 1268 1269 memset(rsn, 0, sizeof(*rsn)); 1270 1271 /* multicast/group cipher */ 1272 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1273 if (error != 0) { 1274 IEEE80211_DISCARD_IE(vap, 1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1276 wh, "WPA", "unknown mcast cipher suite %08X", 1277 le32dec(frm)); 1278 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1279 } 1280 frm += 4, len -= 4; 1281 1282 /* unicast ciphers */ 1283 n = le16dec(frm); 1284 frm += 2, len -= 2; 1285 if (len < n*4+2) { 1286 IEEE80211_DISCARD_IE(vap, 1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1288 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1289 len, n); 1290 return IEEE80211_REASON_IE_INVALID; 1291 } 1292 w = 0; 1293 for (; n > 0; n--) { 1294 uint8_t cipher; 1295 1296 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1297 if (error == 0) 1298 w |= 1 << cipher; 1299 1300 frm += 4, len -= 4; 1301 } 1302 if (w == 0) { 1303 IEEE80211_DISCARD_IE(vap, 1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1305 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1306 w); 1307 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1308 } 1309 /* XXX other? */ 1310 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1311 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1312 else 1313 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1314 1315 /* key management algorithms */ 1316 n = le16dec(frm); 1317 frm += 2, len -= 2; 1318 if (len < n*4) { 1319 IEEE80211_DISCARD_IE(vap, 1320 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1321 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1322 len, n); 1323 return IEEE80211_REASON_IE_INVALID; 1324 } 1325 w = 0; 1326 for (; n > 0; n--) { 1327 w |= wpa_keymgmt(frm); 1328 frm += 4, len -= 4; 1329 } 1330 if (w & WPA_ASE_8021X_UNSPEC) 1331 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1332 else 1333 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1334 1335 if (len > 2) /* optional capabilities */ 1336 rsn->rsn_caps = le16dec(frm); 1337 1338 return 0; 1339 } 1340 1341 /* 1342 * Convert an RSN cipher selector OUI to an internal 1343 * cipher algorithm. Where appropriate we also 1344 * record any key length. 1345 */ 1346 static int 1347 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1348 { 1349 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1350 uint32_t w = le32dec(sel); 1351 1352 switch (w) { 1353 case RSN_SEL(RSN_CSE_NULL): 1354 *cipher = IEEE80211_CIPHER_NONE; 1355 break; 1356 case RSN_SEL(RSN_CSE_WEP40): 1357 if (keylen) 1358 *keylen = 40 / NBBY; 1359 *cipher = IEEE80211_CIPHER_WEP; 1360 break; 1361 case RSN_SEL(RSN_CSE_WEP104): 1362 if (keylen) 1363 *keylen = 104 / NBBY; 1364 *cipher = IEEE80211_CIPHER_WEP; 1365 break; 1366 case RSN_SEL(RSN_CSE_TKIP): 1367 *cipher = IEEE80211_CIPHER_TKIP; 1368 break; 1369 case RSN_SEL(RSN_CSE_CCMP): 1370 *cipher = IEEE80211_CIPHER_AES_CCM; 1371 break; 1372 case RSN_SEL(RSN_CSE_WRAP): 1373 *cipher = IEEE80211_CIPHER_AES_OCB; 1374 break; 1375 default: 1376 return (EINVAL); 1377 } 1378 1379 return (0); 1380 #undef WPA_SEL 1381 } 1382 1383 /* 1384 * Convert an RSN key management/authentication algorithm 1385 * to an internal code. 1386 */ 1387 static int 1388 rsn_keymgmt(const uint8_t *sel) 1389 { 1390 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1391 uint32_t w = le32dec(sel); 1392 1393 switch (w) { 1394 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1395 return RSN_ASE_8021X_UNSPEC; 1396 case RSN_SEL(RSN_ASE_8021X_PSK): 1397 return RSN_ASE_8021X_PSK; 1398 case RSN_SEL(RSN_ASE_NONE): 1399 return RSN_ASE_NONE; 1400 } 1401 return 0; /* NB: so is discarded */ 1402 #undef RSN_SEL 1403 } 1404 1405 /* 1406 * Parse a WPA/RSN information element to collect parameters 1407 * and validate the parameters against what has been 1408 * configured for the system. 1409 */ 1410 static int 1411 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1412 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1413 { 1414 uint8_t len = frm[1]; 1415 uint32_t w; 1416 int error, n; 1417 1418 /* 1419 * Check the length once for fixed parts: 1420 * version, mcast cipher, and 2 selector counts. 1421 * Other, variable-length data, must be checked separately. 1422 */ 1423 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1424 IEEE80211_DISCARD_IE(vap, 1425 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1426 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1427 return IEEE80211_REASON_IE_INVALID; 1428 } 1429 /* XXX may be shorter */ 1430 if (len < 10) { 1431 IEEE80211_DISCARD_IE(vap, 1432 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1433 wh, "RSN", "too short, len %u", len); 1434 return IEEE80211_REASON_IE_INVALID; 1435 } 1436 frm += 2; 1437 w = le16dec(frm); 1438 if (w != RSN_VERSION) { 1439 IEEE80211_DISCARD_IE(vap, 1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1441 wh, "RSN", "bad version %u", w); 1442 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1443 } 1444 frm += 2, len -= 2; 1445 1446 memset(rsn, 0, sizeof(*rsn)); 1447 1448 /* multicast/group cipher */ 1449 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1450 if (error != 0) { 1451 IEEE80211_DISCARD_IE(vap, 1452 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1453 wh, "RSN", "unknown mcast cipher suite %08X", 1454 le32dec(frm)); 1455 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1456 } 1457 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1458 IEEE80211_DISCARD_IE(vap, 1459 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1460 wh, "RSN", "invalid mcast cipher suite %d", 1461 rsn->rsn_mcastcipher); 1462 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1463 } 1464 frm += 4, len -= 4; 1465 1466 /* unicast ciphers */ 1467 n = le16dec(frm); 1468 frm += 2, len -= 2; 1469 if (len < n*4+2) { 1470 IEEE80211_DISCARD_IE(vap, 1471 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1472 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1473 len, n); 1474 return IEEE80211_REASON_IE_INVALID; 1475 } 1476 w = 0; 1477 1478 for (; n > 0; n--) { 1479 uint8_t cipher; 1480 1481 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1482 if (error == 0) 1483 w |= 1 << cipher; 1484 1485 frm += 4, len -= 4; 1486 } 1487 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1488 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1489 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1490 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1491 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1492 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1493 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1494 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1495 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1496 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1497 else { 1498 IEEE80211_DISCARD_IE(vap, 1499 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1500 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1501 w); 1502 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1503 } 1504 1505 /* key management algorithms */ 1506 n = le16dec(frm); 1507 frm += 2, len -= 2; 1508 if (len < n*4) { 1509 IEEE80211_DISCARD_IE(vap, 1510 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1511 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1512 len, n); 1513 return IEEE80211_REASON_IE_INVALID; 1514 } 1515 w = 0; 1516 for (; n > 0; n--) { 1517 w |= rsn_keymgmt(frm); 1518 frm += 4, len -= 4; 1519 } 1520 if (w & RSN_ASE_8021X_UNSPEC) 1521 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1522 else 1523 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1524 1525 /* optional RSN capabilities */ 1526 if (len > 2) 1527 rsn->rsn_caps = le16dec(frm); 1528 /* XXXPMKID */ 1529 1530 return 0; 1531 } 1532 1533 /* 1534 * WPA/802.11i association request processing. 1535 */ 1536 static int 1537 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1538 const struct ieee80211_frame *wh, const uint8_t *wpa, 1539 const uint8_t *rsn, uint16_t capinfo) 1540 { 1541 struct ieee80211vap *vap = ni->ni_vap; 1542 uint8_t reason; 1543 int badwparsn; 1544 1545 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1546 if (wpa == NULL && rsn == NULL) { 1547 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1548 /* 1549 * W-Fi Protected Setup (WPS) permits 1550 * clients to associate and pass EAPOL frames 1551 * to establish initial credentials. 1552 */ 1553 ni->ni_flags |= IEEE80211_NODE_WPS; 1554 return 1; 1555 } 1556 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1557 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1558 /* 1559 * Transitional Security Network. Permits clients 1560 * to associate and use WEP while WPA is configured. 1561 */ 1562 ni->ni_flags |= IEEE80211_NODE_TSN; 1563 return 1; 1564 } 1565 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1566 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1567 vap->iv_stats.is_rx_assoc_badwpaie++; 1568 reason = IEEE80211_REASON_IE_INVALID; 1569 goto bad; 1570 } 1571 /* assert right association security credentials */ 1572 badwparsn = 0; /* NB: to silence compiler */ 1573 switch (vap->iv_flags & IEEE80211_F_WPA) { 1574 case IEEE80211_F_WPA1: 1575 badwparsn = (wpa == NULL); 1576 break; 1577 case IEEE80211_F_WPA2: 1578 badwparsn = (rsn == NULL); 1579 break; 1580 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1581 badwparsn = (wpa == NULL && rsn == NULL); 1582 break; 1583 } 1584 if (badwparsn) { 1585 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1586 wh, NULL, 1587 "%s", "missing WPA/RSN IE in association request"); 1588 vap->iv_stats.is_rx_assoc_badwpaie++; 1589 reason = IEEE80211_REASON_IE_INVALID; 1590 goto bad; 1591 } 1592 /* 1593 * Parse WPA/RSN information element. 1594 */ 1595 if (wpa != NULL) 1596 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1597 else 1598 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1599 if (reason != 0) { 1600 /* XXX wpa->rsn fallback? */ 1601 /* XXX distinguish WPA/RSN? */ 1602 vap->iv_stats.is_rx_assoc_badwpaie++; 1603 goto bad; 1604 } 1605 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1606 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1607 wpa != NULL ? "WPA" : "RSN", 1608 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1609 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1610 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1611 1612 return 1; 1613 bad: 1614 ieee80211_node_deauth(ni, reason); 1615 return 0; 1616 } 1617 1618 /* XXX find a better place for definition */ 1619 struct l2_update_frame { 1620 struct ether_header eh; 1621 uint8_t dsap; 1622 uint8_t ssap; 1623 uint8_t control; 1624 uint8_t xid[3]; 1625 } __packed; 1626 1627 /* 1628 * Deliver a TGf L2UF frame on behalf of a station. 1629 * This primes any bridge when the station is roaming 1630 * between ap's on the same wired network. 1631 */ 1632 static void 1633 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1634 { 1635 struct ieee80211vap *vap = ni->ni_vap; 1636 struct ifnet *ifp = vap->iv_ifp; 1637 struct mbuf *m; 1638 struct l2_update_frame *l2uf; 1639 struct ether_header *eh; 1640 1641 m = m_gethdr(M_NOWAIT, MT_DATA); 1642 if (m == NULL) { 1643 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1644 "%s", "no mbuf for l2uf frame"); 1645 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1646 return; 1647 } 1648 l2uf = mtod(m, struct l2_update_frame *); 1649 eh = &l2uf->eh; 1650 /* dst: Broadcast address */ 1651 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1652 /* src: associated STA */ 1653 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1654 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1655 1656 l2uf->dsap = 0; 1657 l2uf->ssap = 0; 1658 l2uf->control = 0xf5; 1659 l2uf->xid[0] = 0x81; 1660 l2uf->xid[1] = 0x80; 1661 l2uf->xid[2] = 0x00; 1662 1663 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1664 hostap_deliver_data(vap, ni, m); 1665 } 1666 1667 static void 1668 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1669 int reassoc, int resp, const char *tag, int rate) 1670 { 1671 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1672 "deny %s request, %s rate set mismatch, rate/MCS %d", 1673 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1674 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1675 ieee80211_node_leave(ni); 1676 } 1677 1678 static void 1679 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1680 int reassoc, int resp, const char *tag, int capinfo) 1681 { 1682 struct ieee80211vap *vap = ni->ni_vap; 1683 1684 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1685 "deny %s request, %s mismatch 0x%x", 1686 reassoc ? "reassoc" : "assoc", tag, capinfo); 1687 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1688 ieee80211_node_leave(ni); 1689 vap->iv_stats.is_rx_assoc_capmismatch++; 1690 } 1691 1692 static void 1693 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1694 int reassoc, int resp) 1695 { 1696 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1697 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1698 /* XXX no better code */ 1699 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1700 ieee80211_node_leave(ni); 1701 } 1702 1703 static void 1704 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1705 int algo, int seq, int status) 1706 { 1707 struct ieee80211vap *vap = ni->ni_vap; 1708 1709 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1710 wh, NULL, "unsupported alg %d", algo); 1711 vap->iv_stats.is_rx_auth_unsupported++; 1712 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1713 seq | (status << 16)); 1714 } 1715 1716 static __inline int 1717 ishtmixed(const uint8_t *ie) 1718 { 1719 const struct ieee80211_ie_htinfo *ht = 1720 (const struct ieee80211_ie_htinfo *) ie; 1721 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1722 IEEE80211_HTINFO_OPMODE_MIXED; 1723 } 1724 1725 static int 1726 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1727 { 1728 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1729 int i; 1730 1731 /* NB: the 11b clients we care about will not have xrates */ 1732 if (xrates != NULL || rates == NULL) 1733 return 0; 1734 for (i = 0; i < rates[1]; i++) { 1735 int r = rates[2+i] & IEEE80211_RATE_VAL; 1736 if (r > 2*11 || ((1<<r) & brates) == 0) 1737 return 0; 1738 } 1739 return 1; 1740 } 1741 1742 static void 1743 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1744 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1745 { 1746 struct ieee80211vap *vap = ni->ni_vap; 1747 struct ieee80211com *ic = ni->ni_ic; 1748 struct ieee80211_frame *wh; 1749 uint8_t *frm, *efrm, *sfrm; 1750 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1751 uint8_t *vhtcap, *vhtinfo; 1752 int reassoc, resp; 1753 uint8_t rate; 1754 1755 wh = mtod(m0, struct ieee80211_frame *); 1756 frm = (uint8_t *)&wh[1]; 1757 efrm = mtod(m0, uint8_t *) + m0->m_len; 1758 switch (subtype) { 1759 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1760 /* 1761 * We process beacon/probe response frames when scanning; 1762 * otherwise we check beacon frames for overlapping non-ERP 1763 * BSS in 11g and/or overlapping legacy BSS when in HT. 1764 */ 1765 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1766 vap->iv_stats.is_rx_mgtdiscard++; 1767 return; 1768 } 1769 /* FALLTHROUGH */ 1770 case IEEE80211_FC0_SUBTYPE_BEACON: { 1771 struct ieee80211_scanparams scan; 1772 1773 /* NB: accept off-channel frames */ 1774 /* XXX TODO: use rxstatus to determine off-channel details */ 1775 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1776 return; 1777 /* 1778 * Count frame now that we know it's to be processed. 1779 */ 1780 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1781 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1782 IEEE80211_NODE_STAT(ni, rx_beacons); 1783 } else 1784 IEEE80211_NODE_STAT(ni, rx_proberesp); 1785 /* 1786 * If scanning, just pass information to the scan module. 1787 */ 1788 if (ic->ic_flags & IEEE80211_F_SCAN) { 1789 if (scan.status == 0 && /* NB: on channel */ 1790 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1791 /* 1792 * Actively scanning a channel marked passive; 1793 * send a probe request now that we know there 1794 * is 802.11 traffic present. 1795 * 1796 * XXX check if the beacon we recv'd gives 1797 * us what we need and suppress the probe req 1798 */ 1799 ieee80211_probe_curchan(vap, 1); 1800 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1801 } 1802 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1803 subtype, rssi, nf); 1804 return; 1805 } 1806 /* 1807 * Check beacon for overlapping bss w/ non ERP stations. 1808 * If we detect one and protection is configured but not 1809 * enabled, enable it and start a timer that'll bring us 1810 * out if we stop seeing the bss. 1811 */ 1812 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1813 scan.status == 0 && /* NB: on-channel */ 1814 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1815 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1816 ic->ic_lastnonerp = ticks; 1817 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1818 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1819 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1820 IEEE80211_NOTE_FRAME(vap, 1821 IEEE80211_MSG_ASSOC, wh, 1822 "non-ERP present on channel %d " 1823 "(saw erp 0x%x from channel %d), " 1824 "enable use of protection", 1825 ic->ic_curchan->ic_ieee, 1826 scan.erp, scan.chan); 1827 ic->ic_flags |= IEEE80211_F_USEPROT; 1828 ieee80211_notify_erp(ic); 1829 } 1830 } 1831 /* 1832 * Check beacon for non-HT station on HT channel 1833 * and update HT BSS occupancy as appropriate. 1834 */ 1835 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1836 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1837 /* 1838 * Off control channel; only check frames 1839 * that come in the extension channel when 1840 * operating w/ HT40. 1841 */ 1842 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1843 break; 1844 if (scan.chan != ic->ic_curchan->ic_extieee) 1845 break; 1846 } 1847 if (scan.htinfo == NULL) { 1848 ieee80211_htprot_update(ic, 1849 IEEE80211_HTINFO_OPMODE_PROTOPT | 1850 IEEE80211_HTINFO_NONHT_PRESENT); 1851 } else if (ishtmixed(scan.htinfo)) { 1852 /* XXX? take NONHT_PRESENT from beacon? */ 1853 ieee80211_htprot_update(ic, 1854 IEEE80211_HTINFO_OPMODE_MIXED | 1855 IEEE80211_HTINFO_NONHT_PRESENT); 1856 } 1857 } 1858 break; 1859 } 1860 1861 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1862 if (vap->iv_state != IEEE80211_S_RUN) { 1863 vap->iv_stats.is_rx_mgtdiscard++; 1864 return; 1865 } 1866 /* 1867 * Consult the ACL policy module if setup. 1868 */ 1869 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1870 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1871 wh, NULL, "%s", "disallowed by ACL"); 1872 vap->iv_stats.is_rx_acl++; 1873 return; 1874 } 1875 /* 1876 * prreq frame format 1877 * [tlv] ssid 1878 * [tlv] supported rates 1879 * [tlv] extended supported rates 1880 */ 1881 ssid = rates = xrates = NULL; 1882 while (efrm - frm > 1) { 1883 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1884 switch (*frm) { 1885 case IEEE80211_ELEMID_SSID: 1886 ssid = frm; 1887 break; 1888 case IEEE80211_ELEMID_RATES: 1889 rates = frm; 1890 break; 1891 case IEEE80211_ELEMID_XRATES: 1892 xrates = frm; 1893 break; 1894 } 1895 frm += frm[1] + 2; 1896 } 1897 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1898 if (xrates != NULL) 1899 IEEE80211_VERIFY_ELEMENT(xrates, 1900 IEEE80211_RATE_MAXSIZE - rates[1], return); 1901 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1902 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1903 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1904 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1905 wh, NULL, 1906 "%s", "no ssid with ssid suppression enabled"); 1907 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1908 return; 1909 } 1910 1911 /* XXX find a better class or define it's own */ 1912 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1913 "%s", "recv probe req"); 1914 /* 1915 * Some legacy 11b clients cannot hack a complete 1916 * probe response frame. When the request includes 1917 * only a bare-bones rate set, communicate this to 1918 * the transmit side. 1919 */ 1920 ieee80211_send_proberesp(vap, wh->i_addr2, 1921 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1922 break; 1923 1924 case IEEE80211_FC0_SUBTYPE_AUTH: { 1925 uint16_t algo, seq, status; 1926 1927 if (vap->iv_state != IEEE80211_S_RUN) { 1928 vap->iv_stats.is_rx_mgtdiscard++; 1929 return; 1930 } 1931 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1932 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1933 wh, NULL, "%s", "wrong bssid"); 1934 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1935 return; 1936 } 1937 /* 1938 * auth frame format 1939 * [2] algorithm 1940 * [2] sequence 1941 * [2] status 1942 * [tlv*] challenge 1943 */ 1944 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1945 algo = le16toh(*(uint16_t *)frm); 1946 seq = le16toh(*(uint16_t *)(frm + 2)); 1947 status = le16toh(*(uint16_t *)(frm + 4)); 1948 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1949 "recv auth frame with algorithm %d seq %d", algo, seq); 1950 /* 1951 * Consult the ACL policy module if setup. 1952 */ 1953 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1954 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1955 wh, NULL, "%s", "disallowed by ACL"); 1956 vap->iv_stats.is_rx_acl++; 1957 ieee80211_send_error(ni, wh->i_addr2, 1958 IEEE80211_FC0_SUBTYPE_AUTH, 1959 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1960 return; 1961 } 1962 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1963 IEEE80211_DISCARD(vap, 1964 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1965 wh, NULL, "%s", "TKIP countermeasures enabled"); 1966 vap->iv_stats.is_rx_auth_countermeasures++; 1967 ieee80211_send_error(ni, wh->i_addr2, 1968 IEEE80211_FC0_SUBTYPE_AUTH, 1969 IEEE80211_REASON_MIC_FAILURE); 1970 return; 1971 } 1972 if (algo == IEEE80211_AUTH_ALG_SHARED) 1973 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1974 seq, status); 1975 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1976 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1977 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1978 authalgreject(ni, wh, algo, 1979 seq+1, IEEE80211_STATUS_ALG); 1980 return; 1981 } else { 1982 /* 1983 * We assume that an unknown algorithm is the result 1984 * of a decryption failure on a shared key auth frame; 1985 * return a status code appropriate for that instead 1986 * of IEEE80211_STATUS_ALG. 1987 * 1988 * NB: a seq# of 4 is intentional; the decrypted 1989 * frame likely has a bogus seq value. 1990 */ 1991 authalgreject(ni, wh, algo, 1992 4, IEEE80211_STATUS_CHALLENGE); 1993 return; 1994 } 1995 break; 1996 } 1997 1998 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1999 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2000 uint16_t capinfo, lintval; 2001 struct ieee80211_rsnparms rsnparms; 2002 2003 if (vap->iv_state != IEEE80211_S_RUN) { 2004 vap->iv_stats.is_rx_mgtdiscard++; 2005 return; 2006 } 2007 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2008 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2009 wh, NULL, "%s", "wrong bssid"); 2010 vap->iv_stats.is_rx_assoc_bss++; 2011 return; 2012 } 2013 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2014 reassoc = 1; 2015 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2016 } else { 2017 reassoc = 0; 2018 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2019 } 2020 if (ni == vap->iv_bss) { 2021 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2022 "deny %s request, sta not authenticated", 2023 reassoc ? "reassoc" : "assoc"); 2024 ieee80211_send_error(ni, wh->i_addr2, 2025 IEEE80211_FC0_SUBTYPE_DEAUTH, 2026 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2027 vap->iv_stats.is_rx_assoc_notauth++; 2028 return; 2029 } 2030 2031 /* 2032 * asreq frame format 2033 * [2] capability information 2034 * [2] listen interval 2035 * [6*] current AP address (reassoc only) 2036 * [tlv] ssid 2037 * [tlv] supported rates 2038 * [tlv] extended supported rates 2039 * [tlv] WPA or RSN 2040 * [tlv] HT capabilities 2041 * [tlv] Atheros capabilities 2042 */ 2043 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2044 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2045 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2046 if (reassoc) 2047 frm += 6; /* ignore current AP info */ 2048 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2049 vhtcap = vhtinfo = NULL; 2050 sfrm = frm; 2051 while (efrm - frm > 1) { 2052 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2053 switch (*frm) { 2054 case IEEE80211_ELEMID_SSID: 2055 ssid = frm; 2056 break; 2057 case IEEE80211_ELEMID_RATES: 2058 rates = frm; 2059 break; 2060 case IEEE80211_ELEMID_XRATES: 2061 xrates = frm; 2062 break; 2063 case IEEE80211_ELEMID_RSN: 2064 rsn = frm; 2065 break; 2066 case IEEE80211_ELEMID_HTCAP: 2067 htcap = frm; 2068 break; 2069 case IEEE80211_ELEMID_VHT_CAP: 2070 vhtcap = frm; 2071 break; 2072 case IEEE80211_ELEMID_VHT_OPMODE: 2073 vhtinfo = frm; 2074 break; 2075 case IEEE80211_ELEMID_VENDOR: 2076 if (iswpaoui(frm)) 2077 wpa = frm; 2078 else if (iswmeinfo(frm)) 2079 wme = frm; 2080 #ifdef IEEE80211_SUPPORT_SUPERG 2081 else if (isatherosoui(frm)) 2082 ath = frm; 2083 #endif 2084 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2085 if (ishtcapoui(frm) && htcap == NULL) 2086 htcap = frm; 2087 } 2088 break; 2089 } 2090 frm += frm[1] + 2; 2091 } 2092 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2093 if (xrates != NULL) 2094 IEEE80211_VERIFY_ELEMENT(xrates, 2095 IEEE80211_RATE_MAXSIZE - rates[1], return); 2096 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2097 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2098 if (htcap != NULL) { 2099 IEEE80211_VERIFY_LENGTH(htcap[1], 2100 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2101 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2102 sizeof(struct ieee80211_ie_htcap)-2, 2103 return); /* XXX just NULL out? */ 2104 } 2105 2106 /* Validate VHT IEs */ 2107 if (vhtcap != NULL) { 2108 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2109 sizeof(struct ieee80211_ie_vhtcap) - 2, 2110 return); 2111 } 2112 if (vhtinfo != NULL) { 2113 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2114 sizeof(struct ieee80211_ie_vht_operation) - 2, 2115 return); 2116 } 2117 2118 if ((vap->iv_flags & IEEE80211_F_WPA) && 2119 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2120 return; 2121 /* discard challenge after association */ 2122 if (ni->ni_challenge != NULL) { 2123 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2124 ni->ni_challenge = NULL; 2125 } 2126 /* NB: 802.11 spec says to ignore station's privacy bit */ 2127 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2128 capinfomismatch(ni, wh, reassoc, resp, 2129 "capability", capinfo); 2130 return; 2131 } 2132 /* 2133 * Disallow re-associate w/ invalid slot time setting. 2134 */ 2135 if (ni->ni_associd != 0 && 2136 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2137 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2138 capinfomismatch(ni, wh, reassoc, resp, 2139 "slot time", capinfo); 2140 return; 2141 } 2142 rate = ieee80211_setup_rates(ni, rates, xrates, 2143 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2144 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2145 if (rate & IEEE80211_RATE_BASIC) { 2146 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2147 vap->iv_stats.is_rx_assoc_norate++; 2148 return; 2149 } 2150 /* 2151 * If constrained to 11g-only stations reject an 2152 * 11b-only station. We cheat a bit here by looking 2153 * at the max negotiated xmit rate and assuming anyone 2154 * with a best rate <24Mb/s is an 11b station. 2155 */ 2156 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2157 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2158 vap->iv_stats.is_rx_assoc_norate++; 2159 return; 2160 } 2161 2162 /* 2163 * Do HT rate set handling and setup HT node state. 2164 */ 2165 ni->ni_chan = vap->iv_bss->ni_chan; 2166 2167 /* VHT */ 2168 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2169 vhtcap != NULL && 2170 vhtinfo != NULL) { 2171 /* XXX TODO; see below */ 2172 printf("%s: VHT TODO!\n", __func__); 2173 ieee80211_vht_node_init(ni); 2174 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2175 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2176 ieee80211_vht_node_cleanup(ni); 2177 2178 /* HT */ 2179 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2180 rate = ieee80211_setup_htrates(ni, htcap, 2181 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2182 IEEE80211_F_DOBRS); 2183 if (rate & IEEE80211_RATE_BASIC) { 2184 ratesetmismatch(ni, wh, reassoc, resp, 2185 "HT", rate); 2186 vap->iv_stats.is_ht_assoc_norate++; 2187 return; 2188 } 2189 ieee80211_ht_node_init(ni); 2190 ieee80211_ht_updatehtcap(ni, htcap); 2191 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2192 ieee80211_ht_node_cleanup(ni); 2193 2194 /* Finally - this will use HT/VHT info to change node channel */ 2195 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2196 ieee80211_ht_updatehtcap_final(ni); 2197 } 2198 2199 #ifdef IEEE80211_SUPPORT_SUPERG 2200 /* Always do ff node cleanup; for A-MSDU */ 2201 ieee80211_ff_node_cleanup(ni); 2202 #endif 2203 /* 2204 * Allow AMPDU operation only with unencrypted traffic 2205 * or AES-CCM; the 11n spec only specifies these ciphers 2206 * so permitting any others is undefined and can lead 2207 * to interoperability problems. 2208 */ 2209 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2210 (((vap->iv_flags & IEEE80211_F_WPA) && 2211 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2212 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2213 IEEE80211_NOTE(vap, 2214 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2215 "disallow HT use because WEP or TKIP requested, " 2216 "capinfo 0x%x ucastcipher %d", capinfo, 2217 rsnparms.rsn_ucastcipher); 2218 ieee80211_ht_node_cleanup(ni); 2219 #ifdef IEEE80211_SUPPORT_SUPERG 2220 /* Always do ff node cleanup; for A-MSDU */ 2221 ieee80211_ff_node_cleanup(ni); 2222 #endif 2223 vap->iv_stats.is_ht_assoc_downgrade++; 2224 } 2225 /* 2226 * If constrained to 11n-only stations reject legacy stations. 2227 */ 2228 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2229 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2230 htcapmismatch(ni, wh, reassoc, resp); 2231 vap->iv_stats.is_ht_assoc_nohtcap++; 2232 return; 2233 } 2234 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2235 ni->ni_noise = nf; 2236 ni->ni_intval = lintval; 2237 ni->ni_capinfo = capinfo; 2238 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2239 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2240 /* 2241 * Store the IEs. 2242 * XXX maybe better to just expand 2243 */ 2244 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2245 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2246 if (wpa != NULL) 2247 setie(wpa_ie, wpa - sfrm); 2248 if (rsn != NULL) 2249 setie(rsn_ie, rsn - sfrm); 2250 if (htcap != NULL) 2251 setie(htcap_ie, htcap - sfrm); 2252 if (wme != NULL) { 2253 setie(wme_ie, wme - sfrm); 2254 /* 2255 * Mark node as capable of QoS. 2256 */ 2257 ni->ni_flags |= IEEE80211_NODE_QOS; 2258 } else 2259 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2260 #ifdef IEEE80211_SUPPORT_SUPERG 2261 if (ath != NULL) { 2262 setie(ath_ie, ath - sfrm); 2263 /* 2264 * Parse ATH station parameters. 2265 */ 2266 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2267 } else 2268 #endif 2269 ni->ni_ath_flags = 0; 2270 #undef setie 2271 } else { 2272 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2273 ni->ni_ath_flags = 0; 2274 } 2275 ieee80211_node_join(ni, resp); 2276 ieee80211_deliver_l2uf(ni); 2277 break; 2278 } 2279 2280 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2281 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2282 uint16_t reason; 2283 2284 if (vap->iv_state != IEEE80211_S_RUN || 2285 /* NB: can happen when in promiscuous mode */ 2286 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2287 vap->iv_stats.is_rx_mgtdiscard++; 2288 break; 2289 } 2290 /* 2291 * deauth/disassoc frame format 2292 * [2] reason 2293 */ 2294 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2295 reason = le16toh(*(uint16_t *)frm); 2296 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2297 vap->iv_stats.is_rx_deauth++; 2298 IEEE80211_NODE_STAT(ni, rx_deauth); 2299 } else { 2300 vap->iv_stats.is_rx_disassoc++; 2301 IEEE80211_NODE_STAT(ni, rx_disassoc); 2302 } 2303 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2304 "recv %s (reason: %d (%s))", 2305 ieee80211_mgt_subtype_name(subtype), 2306 reason, ieee80211_reason_to_string(reason)); 2307 if (ni != vap->iv_bss) 2308 ieee80211_node_leave(ni); 2309 break; 2310 } 2311 2312 case IEEE80211_FC0_SUBTYPE_ACTION: 2313 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2314 if (ni == vap->iv_bss) { 2315 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2316 wh, NULL, "%s", "unknown node"); 2317 vap->iv_stats.is_rx_mgtdiscard++; 2318 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2319 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2320 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2321 wh, NULL, "%s", "not for us"); 2322 vap->iv_stats.is_rx_mgtdiscard++; 2323 } else if (vap->iv_state != IEEE80211_S_RUN) { 2324 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2325 wh, NULL, "wrong state %s", 2326 ieee80211_state_name[vap->iv_state]); 2327 vap->iv_stats.is_rx_mgtdiscard++; 2328 } else { 2329 if (ieee80211_parse_action(ni, m0) == 0) 2330 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2331 } 2332 break; 2333 2334 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2335 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2336 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2337 case IEEE80211_FC0_SUBTYPE_ATIM: 2338 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2339 wh, NULL, "%s", "not handled"); 2340 vap->iv_stats.is_rx_mgtdiscard++; 2341 break; 2342 2343 default: 2344 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2345 wh, "mgt", "subtype 0x%x not handled", subtype); 2346 vap->iv_stats.is_rx_badsubtype++; 2347 break; 2348 } 2349 } 2350 2351 static void 2352 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2353 { 2354 switch (subtype) { 2355 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2356 ni->ni_vap->iv_recv_pspoll(ni, m); 2357 break; 2358 case IEEE80211_FC0_SUBTYPE_BAR: 2359 ieee80211_recv_bar(ni, m); 2360 break; 2361 } 2362 } 2363 2364 /* 2365 * Process a received ps-poll frame. 2366 */ 2367 void 2368 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2369 { 2370 struct ieee80211vap *vap = ni->ni_vap; 2371 struct ieee80211com *ic = vap->iv_ic; 2372 struct ieee80211_frame_min *wh; 2373 struct mbuf *m; 2374 uint16_t aid; 2375 int qlen; 2376 2377 wh = mtod(m0, struct ieee80211_frame_min *); 2378 if (ni->ni_associd == 0) { 2379 IEEE80211_DISCARD(vap, 2380 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2381 (struct ieee80211_frame *) wh, NULL, 2382 "%s", "unassociated station"); 2383 vap->iv_stats.is_ps_unassoc++; 2384 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2385 IEEE80211_REASON_NOT_ASSOCED); 2386 return; 2387 } 2388 2389 aid = le16toh(*(uint16_t *)wh->i_dur); 2390 if (aid != ni->ni_associd) { 2391 IEEE80211_DISCARD(vap, 2392 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2393 (struct ieee80211_frame *) wh, NULL, 2394 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2395 ni->ni_associd, aid); 2396 vap->iv_stats.is_ps_badaid++; 2397 /* 2398 * NB: We used to deauth the station but it turns out 2399 * the Blackberry Curve 8230 (and perhaps other devices) 2400 * sometimes send the wrong AID when WME is negotiated. 2401 * Being more lenient here seems ok as we already check 2402 * the station is associated and we only return frames 2403 * queued for the station (i.e. we don't use the AID). 2404 */ 2405 return; 2406 } 2407 2408 /* Okay, take the first queued packet and put it out... */ 2409 m = ieee80211_node_psq_dequeue(ni, &qlen); 2410 if (m == NULL) { 2411 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2412 "%s", "recv ps-poll, but queue empty"); 2413 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2414 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2415 if (vap->iv_set_tim != NULL) 2416 vap->iv_set_tim(ni, 0); /* just in case */ 2417 return; 2418 } 2419 /* 2420 * If there are more packets, set the more packets bit 2421 * in the packet dispatched to the station; otherwise 2422 * turn off the TIM bit. 2423 */ 2424 if (qlen != 0) { 2425 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2426 "recv ps-poll, send packet, %u still queued", qlen); 2427 m->m_flags |= M_MORE_DATA; 2428 } else { 2429 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2430 "%s", "recv ps-poll, send packet, queue empty"); 2431 if (vap->iv_set_tim != NULL) 2432 vap->iv_set_tim(ni, 0); 2433 } 2434 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2435 2436 /* 2437 * Do the right thing; if it's an encap'ed frame then 2438 * call ieee80211_parent_xmitpkt() else 2439 * call ieee80211_vap_xmitpkt(). 2440 */ 2441 if (m->m_flags & M_ENCAP) { 2442 (void) ieee80211_parent_xmitpkt(ic, m); 2443 } else { 2444 (void) ieee80211_vap_xmitpkt(vap, m); 2445 } 2446 } 2447