1 /*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 #ifdef __FreeBSD__ 28 __FBSDID("$FreeBSD$"); 29 #endif 30 31 /* 32 * IEEE 802.11 HOSTAP mode support. 33 */ 34 #include "opt_inet.h" 35 #include "opt_wlan.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/malloc.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 #include <sys/sockio.h> 45 #include <sys/endian.h> 46 #include <sys/errno.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/if_media.h> 52 #include <net/if_llc.h> 53 #include <net/ethernet.h> 54 55 #include <net/bpf.h> 56 57 #include <net80211/ieee80211_var.h> 58 #include <net80211/ieee80211_hostap.h> 59 #include <net80211/ieee80211_input.h> 60 #include <net80211/ieee80211_wds.h> 61 62 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 63 64 static void hostap_vattach(struct ieee80211vap *); 65 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 66 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 67 int rssi, int noise, uint32_t rstamp); 68 static void hostap_deliver_data(struct ieee80211vap *, 69 struct ieee80211_node *, struct mbuf *); 70 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 71 int subtype, int rssi, int noise, uint32_t rstamp); 72 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *); 73 74 void 75 ieee80211_hostap_attach(struct ieee80211com *ic) 76 { 77 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 78 } 79 80 void 81 ieee80211_hostap_detach(struct ieee80211com *ic) 82 { 83 } 84 85 static void 86 hostap_vdetach(struct ieee80211vap *vap) 87 { 88 } 89 90 static void 91 hostap_vattach(struct ieee80211vap *vap) 92 { 93 vap->iv_newstate = hostap_newstate; 94 vap->iv_input = hostap_input; 95 vap->iv_recv_mgmt = hostap_recv_mgmt; 96 vap->iv_opdetach = hostap_vdetach; 97 vap->iv_deliver_data = hostap_deliver_data; 98 } 99 100 static void 101 sta_disassoc(void *arg, struct ieee80211_node *ni) 102 { 103 struct ieee80211vap *vap = arg; 104 105 if (ni->ni_vap == vap && ni->ni_associd != 0) { 106 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 107 IEEE80211_REASON_ASSOC_LEAVE); 108 ieee80211_node_leave(ni); 109 } 110 } 111 112 /* 113 * IEEE80211_M_HOSTAP vap state machine handler. 114 */ 115 static int 116 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 117 { 118 struct ieee80211com *ic = vap->iv_ic; 119 enum ieee80211_state ostate; 120 121 IEEE80211_LOCK_ASSERT(ic); 122 123 ostate = vap->iv_state; 124 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 125 __func__, ieee80211_state_name[ostate], 126 ieee80211_state_name[nstate], arg); 127 vap->iv_state = nstate; /* state transition */ 128 if (ostate != IEEE80211_S_SCAN) 129 ieee80211_cancel_scan(vap); /* background scan */ 130 switch (nstate) { 131 case IEEE80211_S_INIT: 132 switch (ostate) { 133 case IEEE80211_S_SCAN: 134 ieee80211_cancel_scan(vap); 135 break; 136 case IEEE80211_S_CAC: 137 ieee80211_dfs_cac_stop(vap); 138 break; 139 case IEEE80211_S_RUN: 140 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 141 break; 142 default: 143 break; 144 } 145 if (ostate != IEEE80211_S_INIT) { 146 /* NB: optimize INIT -> INIT case */ 147 ieee80211_reset_bss(vap); 148 } 149 if (vap->iv_auth->ia_detach != NULL) 150 vap->iv_auth->ia_detach(vap); 151 break; 152 case IEEE80211_S_SCAN: 153 switch (ostate) { 154 case IEEE80211_S_CSA: 155 case IEEE80211_S_RUN: 156 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 157 /* 158 * Clear overlapping BSS state; the beacon frame 159 * will be reconstructed on transition to the RUN 160 * state and the timeout routines check if the flag 161 * is set before doing anything so this is sufficient. 162 */ 163 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 164 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR; 165 /* fall thru... */ 166 case IEEE80211_S_CAC: 167 /* 168 * NB: We may get here because of a manual channel 169 * change in which case we need to stop CAC 170 * XXX no need to stop if ostate RUN but it's ok 171 */ 172 ieee80211_dfs_cac_stop(vap); 173 /* fall thru... */ 174 case IEEE80211_S_INIT: 175 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 176 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 177 /* 178 * Already have a channel; bypass the 179 * scan and startup immediately. 180 * ieee80211_create_ibss will call back to 181 * move us to RUN state. 182 */ 183 ieee80211_create_ibss(vap, vap->iv_des_chan); 184 break; 185 } 186 /* 187 * Initiate a scan. We can come here as a result 188 * of an IEEE80211_IOC_SCAN_REQ too in which case 189 * the vap will be marked with IEEE80211_FEXT_SCANREQ 190 * and the scan request parameters will be present 191 * in iv_scanreq. Otherwise we do the default. 192 */ 193 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 194 ieee80211_check_scan(vap, 195 vap->iv_scanreq_flags, 196 vap->iv_scanreq_duration, 197 vap->iv_scanreq_mindwell, 198 vap->iv_scanreq_maxdwell, 199 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 200 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 201 } else 202 ieee80211_check_scan_current(vap); 203 break; 204 case IEEE80211_S_SCAN: 205 /* 206 * A state change requires a reset; scan. 207 */ 208 ieee80211_check_scan_current(vap); 209 break; 210 default: 211 break; 212 } 213 break; 214 case IEEE80211_S_CAC: 215 /* 216 * Start CAC on a DFS channel. We come here when starting 217 * a bss on a DFS channel (see ieee80211_create_ibss). 218 */ 219 ieee80211_dfs_cac_start(vap); 220 break; 221 case IEEE80211_S_RUN: 222 if (vap->iv_flags & IEEE80211_F_WPA) { 223 /* XXX validate prerequisites */ 224 } 225 switch (ostate) { 226 case IEEE80211_S_INIT: 227 /* 228 * Already have a channel; bypass the 229 * scan and startup immediately. 230 * Note that ieee80211_create_ibss will call 231 * back to do a RUN->RUN state change. 232 */ 233 ieee80211_create_ibss(vap, 234 ieee80211_ht_adjust_channel(ic, 235 ic->ic_curchan, vap->iv_flags_ext)); 236 /* NB: iv_bss is changed on return */ 237 break; 238 case IEEE80211_S_CAC: 239 /* 240 * NB: This is the normal state change when CAC 241 * expires and no radar was detected; no need to 242 * clear the CAC timer as it's already expired. 243 */ 244 /* fall thru... */ 245 case IEEE80211_S_CSA: 246 /* 247 * Update bss node channel to reflect where 248 * we landed after CSA. 249 */ 250 ieee80211_node_set_chan(vap->iv_bss, 251 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 252 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 253 /* XXX bypass debug msgs */ 254 break; 255 case IEEE80211_S_SCAN: 256 case IEEE80211_S_RUN: 257 #ifdef IEEE80211_DEBUG 258 if (ieee80211_msg_debug(vap)) { 259 struct ieee80211_node *ni = vap->iv_bss; 260 ieee80211_note(vap, 261 "synchronized with %s ssid ", 262 ether_sprintf(ni->ni_bssid)); 263 ieee80211_print_essid(ni->ni_essid, 264 ni->ni_esslen); 265 /* XXX MCS/HT */ 266 printf(" channel %d start %uMb\n", 267 ieee80211_chan2ieee(ic, ic->ic_curchan), 268 IEEE80211_RATE2MBS(ni->ni_txrate)); 269 } 270 #endif 271 break; 272 default: 273 break; 274 } 275 /* 276 * Start/stop the authenticator. We delay until here 277 * to allow configuration to happen out of order. 278 */ 279 if (vap->iv_auth->ia_attach != NULL) { 280 /* XXX check failure */ 281 vap->iv_auth->ia_attach(vap); 282 } else if (vap->iv_auth->ia_detach != NULL) { 283 vap->iv_auth->ia_detach(vap); 284 } 285 ieee80211_node_authorize(vap->iv_bss); 286 break; 287 default: 288 break; 289 } 290 return 0; 291 } 292 293 static void 294 hostap_deliver_data(struct ieee80211vap *vap, 295 struct ieee80211_node *ni, struct mbuf *m) 296 { 297 struct ether_header *eh = mtod(m, struct ether_header *); 298 struct ifnet *ifp = vap->iv_ifp; 299 300 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 301 ("gack, opmode %d", vap->iv_opmode)); 302 /* 303 * Do accounting. 304 */ 305 ifp->if_ipackets++; 306 IEEE80211_NODE_STAT(ni, rx_data); 307 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 308 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 309 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 310 IEEE80211_NODE_STAT(ni, rx_mcast); 311 } else 312 IEEE80211_NODE_STAT(ni, rx_ucast); 313 314 /* clear driver/net80211 flags before passing up */ 315 m->m_flags &= ~M_80211_RX; 316 317 /* perform as a bridge within the AP */ 318 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 319 struct mbuf *mcopy = NULL; 320 321 if (m->m_flags & M_MCAST) { 322 mcopy = m_copypacket(m, M_DONTWAIT); 323 if (mcopy == NULL) 324 ifp->if_oerrors++; 325 else 326 mcopy->m_flags |= M_MCAST; 327 } else { 328 /* 329 * Check if the destination is associated with the 330 * same vap and authorized to receive traffic. 331 * Beware of traffic destined for the vap itself; 332 * sending it will not work; just let it be delivered 333 * normally. 334 */ 335 struct ieee80211_node *sta = ieee80211_find_vap_node( 336 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 337 if (sta != NULL) { 338 if (ieee80211_node_is_authorized(sta)) { 339 /* 340 * Beware of sending to ourself; this 341 * needs to happen via the normal 342 * input path. 343 */ 344 if (sta != vap->iv_bss) { 345 mcopy = m; 346 m = NULL; 347 } 348 } else { 349 vap->iv_stats.is_rx_unauth++; 350 IEEE80211_NODE_STAT(sta, rx_unauth); 351 } 352 ieee80211_free_node(sta); 353 } 354 } 355 if (mcopy != NULL) { 356 int len, err; 357 len = mcopy->m_pkthdr.len; 358 IFQ_HANDOFF(ifp, mcopy, err); 359 if (err) { 360 /* NB: IFQ_HANDOFF reclaims mcopy */ 361 } else { 362 ifp->if_opackets++; 363 } 364 } 365 } 366 if (m != NULL) { 367 /* 368 * Mark frame as coming from vap's interface. 369 */ 370 m->m_pkthdr.rcvif = ifp; 371 if (m->m_flags & M_MCAST) { 372 /* 373 * Spam DWDS vap's w/ multicast traffic. 374 */ 375 /* XXX only if dwds in use? */ 376 ieee80211_dwds_mcast(vap, m); 377 } 378 if (ni->ni_vlan != 0) { 379 /* attach vlan tag */ 380 m->m_pkthdr.ether_vtag = ni->ni_vlan; 381 m->m_flags |= M_VLANTAG; 382 } 383 ifp->if_input(ifp, m); 384 } 385 } 386 387 /* 388 * Decide if a received management frame should be 389 * printed when debugging is enabled. This filters some 390 * of the less interesting frames that come frequently 391 * (e.g. beacons). 392 */ 393 static __inline int 394 doprint(struct ieee80211vap *vap, int subtype) 395 { 396 switch (subtype) { 397 case IEEE80211_FC0_SUBTYPE_BEACON: 398 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 399 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 400 return 0; 401 } 402 return 1; 403 } 404 405 /* 406 * Process a received frame. The node associated with the sender 407 * should be supplied. If nothing was found in the node table then 408 * the caller is assumed to supply a reference to iv_bss instead. 409 * The RSSI and a timestamp are also supplied. The RSSI data is used 410 * during AP scanning to select a AP to associate with; it can have 411 * any units so long as values have consistent units and higher values 412 * mean ``better signal''. The receive timestamp is currently not used 413 * by the 802.11 layer. 414 */ 415 static int 416 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 417 int rssi, int noise, uint32_t rstamp) 418 { 419 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 420 #define HAS_SEQ(type) ((type & 0x4) == 0) 421 struct ieee80211vap *vap = ni->ni_vap; 422 struct ieee80211com *ic = ni->ni_ic; 423 struct ifnet *ifp = vap->iv_ifp; 424 struct ieee80211_frame *wh; 425 struct ieee80211_key *key; 426 struct ether_header *eh; 427 int hdrspace, need_tap; 428 uint8_t dir, type, subtype, qos; 429 uint8_t *bssid; 430 uint16_t rxseq; 431 432 if (m->m_flags & M_AMPDU) { 433 /* 434 * Fastpath for A-MPDU reorder q resubmission. Frames 435 * w/ M_AMPDU marked have already passed through here 436 * but were received out of order and been held on the 437 * reorder queue. When resubmitted they are marked 438 * with the M_AMPDU flag and we can bypass most of the 439 * normal processing. 440 */ 441 wh = mtod(m, struct ieee80211_frame *); 442 type = IEEE80211_FC0_TYPE_DATA; 443 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 444 subtype = IEEE80211_FC0_SUBTYPE_QOS; 445 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 446 goto resubmit_ampdu; 447 } 448 449 KASSERT(ni != NULL, ("null node")); 450 ni->ni_inact = ni->ni_inact_reload; 451 452 need_tap = 1; /* mbuf need to be tapped. */ 453 type = -1; /* undefined */ 454 455 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 456 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 457 ni->ni_macaddr, NULL, 458 "too short (1): len %u", m->m_pkthdr.len); 459 vap->iv_stats.is_rx_tooshort++; 460 goto out; 461 } 462 /* 463 * Bit of a cheat here, we use a pointer for a 3-address 464 * frame format but don't reference fields past outside 465 * ieee80211_frame_min w/o first validating the data is 466 * present. 467 */ 468 wh = mtod(m, struct ieee80211_frame *); 469 470 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 471 IEEE80211_FC0_VERSION_0) { 472 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 473 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 474 vap->iv_stats.is_rx_badversion++; 475 goto err; 476 } 477 478 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 479 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 480 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 481 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 482 if (dir != IEEE80211_FC1_DIR_NODS) 483 bssid = wh->i_addr1; 484 else if (type == IEEE80211_FC0_TYPE_CTL) 485 bssid = wh->i_addr1; 486 else { 487 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 488 IEEE80211_DISCARD_MAC(vap, 489 IEEE80211_MSG_ANY, ni->ni_macaddr, 490 NULL, "too short (2): len %u", 491 m->m_pkthdr.len); 492 vap->iv_stats.is_rx_tooshort++; 493 goto out; 494 } 495 bssid = wh->i_addr3; 496 } 497 /* 498 * Validate the bssid. 499 */ 500 if (!(type == IEEE80211_FC0_TYPE_MGT && 501 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 502 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 503 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 504 /* not interested in */ 505 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 506 bssid, NULL, "%s", "not to bss"); 507 vap->iv_stats.is_rx_wrongbss++; 508 goto out; 509 } 510 511 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 512 ni->ni_noise = noise; 513 ni->ni_rstamp = rstamp; 514 if (HAS_SEQ(type)) { 515 uint8_t tid = ieee80211_gettid(wh); 516 if (IEEE80211_QOS_HAS_SEQ(wh) && 517 TID_TO_WME_AC(tid) >= WME_AC_VI) 518 ic->ic_wme.wme_hipri_traffic++; 519 rxseq = le16toh(*(uint16_t *)wh->i_seq); 520 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 521 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 522 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 523 /* duplicate, discard */ 524 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 525 bssid, "duplicate", 526 "seqno <%u,%u> fragno <%u,%u> tid %u", 527 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 528 ni->ni_rxseqs[tid] >> 529 IEEE80211_SEQ_SEQ_SHIFT, 530 rxseq & IEEE80211_SEQ_FRAG_MASK, 531 ni->ni_rxseqs[tid] & 532 IEEE80211_SEQ_FRAG_MASK, 533 tid); 534 vap->iv_stats.is_rx_dup++; 535 IEEE80211_NODE_STAT(ni, rx_dup); 536 goto out; 537 } 538 ni->ni_rxseqs[tid] = rxseq; 539 } 540 } 541 542 switch (type) { 543 case IEEE80211_FC0_TYPE_DATA: 544 hdrspace = ieee80211_hdrspace(ic, wh); 545 if (m->m_len < hdrspace && 546 (m = m_pullup(m, hdrspace)) == NULL) { 547 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 548 ni->ni_macaddr, NULL, 549 "data too short: expecting %u", hdrspace); 550 vap->iv_stats.is_rx_tooshort++; 551 goto out; /* XXX */ 552 } 553 if (!(dir == IEEE80211_FC1_DIR_TODS || 554 (dir == IEEE80211_FC1_DIR_DSTODS && 555 (vap->iv_flags & IEEE80211_F_DWDS)))) { 556 if (dir != IEEE80211_FC1_DIR_DSTODS) { 557 IEEE80211_DISCARD(vap, 558 IEEE80211_MSG_INPUT, wh, "data", 559 "incorrect dir 0x%x", dir); 560 } else { 561 IEEE80211_DISCARD(vap, 562 IEEE80211_MSG_INPUT | 563 IEEE80211_MSG_WDS, wh, 564 "4-address data", 565 "%s", "DWDS not enabled"); 566 } 567 vap->iv_stats.is_rx_wrongdir++; 568 goto out; 569 } 570 /* check if source STA is associated */ 571 if (ni == vap->iv_bss) { 572 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 573 wh, "data", "%s", "unknown src"); 574 ieee80211_send_error(ni, wh->i_addr2, 575 IEEE80211_FC0_SUBTYPE_DEAUTH, 576 IEEE80211_REASON_NOT_AUTHED); 577 vap->iv_stats.is_rx_notassoc++; 578 goto err; 579 } 580 if (ni->ni_associd == 0) { 581 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 582 wh, "data", "%s", "unassoc src"); 583 IEEE80211_SEND_MGMT(ni, 584 IEEE80211_FC0_SUBTYPE_DISASSOC, 585 IEEE80211_REASON_NOT_ASSOCED); 586 vap->iv_stats.is_rx_notassoc++; 587 goto err; 588 } 589 590 /* 591 * Check for power save state change. 592 * XXX out-of-order A-MPDU frames? 593 */ 594 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 595 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 596 ieee80211_node_pwrsave(ni, 597 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 598 /* 599 * For 4-address packets handle WDS discovery 600 * notifications. Once a WDS link is setup frames 601 * are just delivered to the WDS vap (see below). 602 */ 603 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 604 if (!ieee80211_node_is_authorized(ni)) { 605 IEEE80211_DISCARD(vap, 606 IEEE80211_MSG_INPUT | 607 IEEE80211_MSG_WDS, wh, 608 "4-address data", 609 "%s", "unauthorized port"); 610 vap->iv_stats.is_rx_unauth++; 611 IEEE80211_NODE_STAT(ni, rx_unauth); 612 goto err; 613 } 614 ieee80211_dwds_discover(ni, m); 615 return type; 616 } 617 618 /* 619 * Handle A-MPDU re-ordering. The station must be 620 * associated and negotiated HT. The frame must be 621 * a QoS frame (not QoS null data) and not previously 622 * processed for A-MPDU re-ordering. If the frame is 623 * to be processed directly then ieee80211_ampdu_reorder 624 * will return 0; otherwise it has consumed the mbuf 625 * and we should do nothing more with it. 626 */ 627 if ((ni->ni_flags & IEEE80211_NODE_HT) && 628 subtype == IEEE80211_FC0_SUBTYPE_QOS && 629 ieee80211_ampdu_reorder(ni, m) != 0) { 630 m = NULL; 631 goto out; 632 } 633 resubmit_ampdu: 634 635 /* 636 * Handle privacy requirements. Note that we 637 * must not be preempted from here until after 638 * we (potentially) call ieee80211_crypto_demic; 639 * otherwise we may violate assumptions in the 640 * crypto cipher modules used to do delayed update 641 * of replay sequence numbers. 642 */ 643 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 644 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 645 /* 646 * Discard encrypted frames when privacy is off. 647 */ 648 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 649 wh, "WEP", "%s", "PRIVACY off"); 650 vap->iv_stats.is_rx_noprivacy++; 651 IEEE80211_NODE_STAT(ni, rx_noprivacy); 652 goto out; 653 } 654 key = ieee80211_crypto_decap(ni, m, hdrspace); 655 if (key == NULL) { 656 /* NB: stats+msgs handled in crypto_decap */ 657 IEEE80211_NODE_STAT(ni, rx_wepfail); 658 goto out; 659 } 660 wh = mtod(m, struct ieee80211_frame *); 661 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 662 } else { 663 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 664 key = NULL; 665 } 666 667 /* 668 * Save QoS bits for use below--before we strip the header. 669 */ 670 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 671 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 672 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 673 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 674 } else 675 qos = 0; 676 677 /* 678 * Next up, any fragmentation. 679 */ 680 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 681 m = ieee80211_defrag(ni, m, hdrspace); 682 if (m == NULL) { 683 /* Fragment dropped or frame not complete yet */ 684 goto out; 685 } 686 } 687 wh = NULL; /* no longer valid, catch any uses */ 688 689 /* 690 * Next strip any MSDU crypto bits. 691 */ 692 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 693 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 694 ni->ni_macaddr, "data", "%s", "demic error"); 695 vap->iv_stats.is_rx_demicfail++; 696 IEEE80211_NODE_STAT(ni, rx_demicfail); 697 goto out; 698 } 699 /* copy to listener after decrypt */ 700 if (bpf_peers_present(vap->iv_rawbpf)) 701 bpf_mtap(vap->iv_rawbpf, m); 702 need_tap = 0; 703 /* 704 * Finally, strip the 802.11 header. 705 */ 706 m = ieee80211_decap(vap, m, hdrspace); 707 if (m == NULL) { 708 /* XXX mask bit to check for both */ 709 /* don't count Null data frames as errors */ 710 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 711 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 712 goto out; 713 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 714 ni->ni_macaddr, "data", "%s", "decap error"); 715 vap->iv_stats.is_rx_decap++; 716 IEEE80211_NODE_STAT(ni, rx_decap); 717 goto err; 718 } 719 eh = mtod(m, struct ether_header *); 720 if (!ieee80211_node_is_authorized(ni)) { 721 /* 722 * Deny any non-PAE frames received prior to 723 * authorization. For open/shared-key 724 * authentication the port is mark authorized 725 * after authentication completes. For 802.1x 726 * the port is not marked authorized by the 727 * authenticator until the handshake has completed. 728 */ 729 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 730 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 731 eh->ether_shost, "data", 732 "unauthorized port: ether type 0x%x len %u", 733 eh->ether_type, m->m_pkthdr.len); 734 vap->iv_stats.is_rx_unauth++; 735 IEEE80211_NODE_STAT(ni, rx_unauth); 736 goto err; 737 } 738 } else { 739 /* 740 * When denying unencrypted frames, discard 741 * any non-PAE frames received without encryption. 742 */ 743 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 744 (key == NULL && (m->m_flags & M_WEP) == 0) && 745 eh->ether_type != htons(ETHERTYPE_PAE)) { 746 /* 747 * Drop unencrypted frames. 748 */ 749 vap->iv_stats.is_rx_unencrypted++; 750 IEEE80211_NODE_STAT(ni, rx_unencrypted); 751 goto out; 752 } 753 } 754 /* XXX require HT? */ 755 if (qos & IEEE80211_QOS_AMSDU) { 756 m = ieee80211_decap_amsdu(ni, m); 757 if (m == NULL) 758 return IEEE80211_FC0_TYPE_DATA; 759 } else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) && 760 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) 761 m->m_pkthdr.len >= 3*FF_LLC_SIZE) { 762 struct llc *llc; 763 764 /* 765 * Check for fast-frame tunnel encapsulation. 766 */ 767 if (m->m_len < FF_LLC_SIZE && 768 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) { 769 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 770 ni->ni_macaddr, "fast-frame", 771 "%s", "m_pullup(llc) failed"); 772 vap->iv_stats.is_rx_tooshort++; 773 return IEEE80211_FC0_TYPE_DATA; 774 } 775 llc = (struct llc *)(mtod(m, uint8_t *) + 776 sizeof(struct ether_header)); 777 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) { 778 m_adj(m, FF_LLC_SIZE); 779 m = ieee80211_decap_fastframe(ni, m); 780 if (m == NULL) 781 return IEEE80211_FC0_TYPE_DATA; 782 } 783 } 784 #undef FF_LLC_SIZE 785 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 786 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 787 else 788 hostap_deliver_data(vap, ni, m); 789 return IEEE80211_FC0_TYPE_DATA; 790 791 case IEEE80211_FC0_TYPE_MGT: 792 vap->iv_stats.is_rx_mgmt++; 793 IEEE80211_NODE_STAT(ni, rx_mgmt); 794 if (dir != IEEE80211_FC1_DIR_NODS) { 795 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 796 wh, "mgt", "incorrect dir 0x%x", dir); 797 vap->iv_stats.is_rx_wrongdir++; 798 goto err; 799 } 800 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 801 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 802 ni->ni_macaddr, "mgt", "too short: len %u", 803 m->m_pkthdr.len); 804 vap->iv_stats.is_rx_tooshort++; 805 goto out; 806 } 807 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 808 /* ensure return frames are unicast */ 809 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 810 wh, NULL, "source is multicast: %s", 811 ether_sprintf(wh->i_addr2)); 812 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 813 goto out; 814 } 815 #ifdef IEEE80211_DEBUG 816 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 817 ieee80211_msg_dumppkts(vap)) { 818 if_printf(ifp, "received %s from %s rssi %d\n", 819 ieee80211_mgt_subtype_name[subtype >> 820 IEEE80211_FC0_SUBTYPE_SHIFT], 821 ether_sprintf(wh->i_addr2), rssi); 822 } 823 #endif 824 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 825 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 826 /* 827 * Only shared key auth frames with a challenge 828 * should be encrypted, discard all others. 829 */ 830 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 831 wh, NULL, 832 "%s", "WEP set but not permitted"); 833 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 834 goto out; 835 } 836 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 837 /* 838 * Discard encrypted frames when privacy is off. 839 */ 840 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 841 wh, NULL, "%s", "WEP set but PRIVACY off"); 842 vap->iv_stats.is_rx_noprivacy++; 843 goto out; 844 } 845 hdrspace = ieee80211_hdrspace(ic, wh); 846 key = ieee80211_crypto_decap(ni, m, hdrspace); 847 if (key == NULL) { 848 /* NB: stats+msgs handled in crypto_decap */ 849 goto out; 850 } 851 wh = mtod(m, struct ieee80211_frame *); 852 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 853 } 854 if (bpf_peers_present(vap->iv_rawbpf)) 855 bpf_mtap(vap->iv_rawbpf, m); 856 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp); 857 m_freem(m); 858 return IEEE80211_FC0_TYPE_MGT; 859 860 case IEEE80211_FC0_TYPE_CTL: 861 vap->iv_stats.is_rx_ctl++; 862 IEEE80211_NODE_STAT(ni, rx_ctrl); 863 switch (subtype) { 864 case IEEE80211_FC0_SUBTYPE_PS_POLL: 865 hostap_recv_pspoll(ni, m); 866 break; 867 case IEEE80211_FC0_SUBTYPE_BAR: 868 ieee80211_recv_bar(ni, m); 869 break; 870 } 871 goto out; 872 default: 873 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 874 wh, "bad", "frame type 0x%x", type); 875 /* should not come here */ 876 break; 877 } 878 err: 879 ifp->if_ierrors++; 880 out: 881 if (m != NULL) { 882 if (bpf_peers_present(vap->iv_rawbpf) && need_tap) 883 bpf_mtap(vap->iv_rawbpf, m); 884 m_freem(m); 885 } 886 return type; 887 #undef SEQ_LEQ 888 } 889 890 static void 891 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 892 int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status) 893 { 894 struct ieee80211vap *vap = ni->ni_vap; 895 896 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 897 898 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 899 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 900 ni->ni_macaddr, "open auth", 901 "bad sta auth mode %u", ni->ni_authmode); 902 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 903 /* 904 * Clear any challenge text that may be there if 905 * a previous shared key auth failed and then an 906 * open auth is attempted. 907 */ 908 if (ni->ni_challenge != NULL) { 909 FREE(ni->ni_challenge, M_80211_NODE); 910 ni->ni_challenge = NULL; 911 } 912 /* XXX hack to workaround calling convention */ 913 ieee80211_send_error(ni, wh->i_addr2, 914 IEEE80211_FC0_SUBTYPE_AUTH, 915 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 916 return; 917 } 918 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 919 vap->iv_stats.is_rx_bad_auth++; 920 return; 921 } 922 /* always accept open authentication requests */ 923 if (ni == vap->iv_bss) { 924 ni = ieee80211_dup_bss(vap, wh->i_addr2); 925 if (ni == NULL) 926 return; 927 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 928 (void) ieee80211_ref_node(ni); 929 /* 930 * Mark the node as referenced to reflect that it's 931 * reference count has been bumped to insure it remains 932 * after the transaction completes. 933 */ 934 ni->ni_flags |= IEEE80211_NODE_AREF; 935 936 if (vap->iv_acl != NULL && 937 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 938 /* 939 * When the ACL policy is set to RADIUS we defer the 940 * authorization to a user agent. Dispatch an event, 941 * a subsequent MLME call will decide the fate of the 942 * station. If the user agent is not present then the 943 * node will be reclaimed due to inactivity. 944 */ 945 IEEE80211_NOTE_MAC(vap, 946 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 947 "%s", "station authentication defered (radius acl)"); 948 ieee80211_notify_node_auth(ni); 949 } else { 950 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 951 IEEE80211_NOTE_MAC(vap, 952 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 953 "%s", "station authenticated (open)"); 954 /* 955 * When 802.1x is not in use mark the port 956 * authorized at this point so traffic can flow. 957 */ 958 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 959 ieee80211_node_authorize(ni); 960 } 961 } 962 963 static void 964 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 965 uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp, 966 uint16_t seq, uint16_t status) 967 { 968 struct ieee80211vap *vap = ni->ni_vap; 969 uint8_t *challenge; 970 int allocbs, estatus; 971 972 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 973 974 /* 975 * NB: this can happen as we allow pre-shared key 976 * authentication to be enabled w/o wep being turned 977 * on so that configuration of these can be done 978 * in any order. It may be better to enforce the 979 * ordering in which case this check would just be 980 * for sanity/consistency. 981 */ 982 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 983 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 984 ni->ni_macaddr, "shared key auth", 985 "%s", " PRIVACY is disabled"); 986 estatus = IEEE80211_STATUS_ALG; 987 goto bad; 988 } 989 /* 990 * Pre-shared key authentication is evil; accept 991 * it only if explicitly configured (it is supported 992 * mainly for compatibility with clients like Mac OS X). 993 */ 994 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 995 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 996 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 997 ni->ni_macaddr, "shared key auth", 998 "bad sta auth mode %u", ni->ni_authmode); 999 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1000 estatus = IEEE80211_STATUS_ALG; 1001 goto bad; 1002 } 1003 1004 challenge = NULL; 1005 if (frm + 1 < efrm) { 1006 if ((frm[1] + 2) > (efrm - frm)) { 1007 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1008 ni->ni_macaddr, "shared key auth", 1009 "ie %d/%d too long", 1010 frm[0], (frm[1] + 2) - (efrm - frm)); 1011 vap->iv_stats.is_rx_bad_auth++; 1012 estatus = IEEE80211_STATUS_CHALLENGE; 1013 goto bad; 1014 } 1015 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1016 challenge = frm; 1017 frm += frm[1] + 2; 1018 } 1019 switch (seq) { 1020 case IEEE80211_AUTH_SHARED_CHALLENGE: 1021 case IEEE80211_AUTH_SHARED_RESPONSE: 1022 if (challenge == NULL) { 1023 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1024 ni->ni_macaddr, "shared key auth", 1025 "%s", "no challenge"); 1026 vap->iv_stats.is_rx_bad_auth++; 1027 estatus = IEEE80211_STATUS_CHALLENGE; 1028 goto bad; 1029 } 1030 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1032 ni->ni_macaddr, "shared key auth", 1033 "bad challenge len %d", challenge[1]); 1034 vap->iv_stats.is_rx_bad_auth++; 1035 estatus = IEEE80211_STATUS_CHALLENGE; 1036 goto bad; 1037 } 1038 default: 1039 break; 1040 } 1041 switch (seq) { 1042 case IEEE80211_AUTH_SHARED_REQUEST: 1043 if (ni == vap->iv_bss) { 1044 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1045 if (ni == NULL) { 1046 /* NB: no way to return an error */ 1047 return; 1048 } 1049 allocbs = 1; 1050 } else { 1051 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1052 (void) ieee80211_ref_node(ni); 1053 allocbs = 0; 1054 } 1055 /* 1056 * Mark the node as referenced to reflect that it's 1057 * reference count has been bumped to insure it remains 1058 * after the transaction completes. 1059 */ 1060 ni->ni_flags |= IEEE80211_NODE_AREF; 1061 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1062 ni->ni_noise = noise; 1063 ni->ni_rstamp = rstamp; 1064 if (!ieee80211_alloc_challenge(ni)) { 1065 /* NB: don't return error so they rexmit */ 1066 return; 1067 } 1068 get_random_bytes(ni->ni_challenge, 1069 IEEE80211_CHALLENGE_LEN); 1070 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1071 ni, "shared key %sauth request", allocbs ? "" : "re"); 1072 /* 1073 * When the ACL policy is set to RADIUS we defer the 1074 * authorization to a user agent. Dispatch an event, 1075 * a subsequent MLME call will decide the fate of the 1076 * station. If the user agent is not present then the 1077 * node will be reclaimed due to inactivity. 1078 */ 1079 if (vap->iv_acl != NULL && 1080 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1081 IEEE80211_NOTE_MAC(vap, 1082 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1083 ni->ni_macaddr, 1084 "%s", "station authentication defered (radius acl)"); 1085 ieee80211_notify_node_auth(ni); 1086 return; 1087 } 1088 break; 1089 case IEEE80211_AUTH_SHARED_RESPONSE: 1090 if (ni == vap->iv_bss) { 1091 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1092 ni->ni_macaddr, "shared key response", 1093 "%s", "unknown station"); 1094 /* NB: don't send a response */ 1095 return; 1096 } 1097 if (ni->ni_challenge == NULL) { 1098 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1099 ni->ni_macaddr, "shared key response", 1100 "%s", "no challenge recorded"); 1101 vap->iv_stats.is_rx_bad_auth++; 1102 estatus = IEEE80211_STATUS_CHALLENGE; 1103 goto bad; 1104 } 1105 if (memcmp(ni->ni_challenge, &challenge[2], 1106 challenge[1]) != 0) { 1107 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1108 ni->ni_macaddr, "shared key response", 1109 "%s", "challenge mismatch"); 1110 vap->iv_stats.is_rx_auth_fail++; 1111 estatus = IEEE80211_STATUS_CHALLENGE; 1112 goto bad; 1113 } 1114 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1115 ni, "%s", "station authenticated (shared key)"); 1116 ieee80211_node_authorize(ni); 1117 break; 1118 default: 1119 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1120 ni->ni_macaddr, "shared key auth", 1121 "bad seq %d", seq); 1122 vap->iv_stats.is_rx_bad_auth++; 1123 estatus = IEEE80211_STATUS_SEQUENCE; 1124 goto bad; 1125 } 1126 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1127 return; 1128 bad: 1129 /* 1130 * Send an error response; but only when operating as an AP. 1131 */ 1132 /* XXX hack to workaround calling convention */ 1133 ieee80211_send_error(ni, wh->i_addr2, 1134 IEEE80211_FC0_SUBTYPE_AUTH, 1135 (seq + 1) | (estatus<<16)); 1136 } 1137 1138 /* 1139 * Convert a WPA cipher selector OUI to an internal 1140 * cipher algorithm. Where appropriate we also 1141 * record any key length. 1142 */ 1143 static int 1144 wpa_cipher(const uint8_t *sel, uint8_t *keylen) 1145 { 1146 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1147 uint32_t w = LE_READ_4(sel); 1148 1149 switch (w) { 1150 case WPA_SEL(WPA_CSE_NULL): 1151 return IEEE80211_CIPHER_NONE; 1152 case WPA_SEL(WPA_CSE_WEP40): 1153 if (keylen) 1154 *keylen = 40 / NBBY; 1155 return IEEE80211_CIPHER_WEP; 1156 case WPA_SEL(WPA_CSE_WEP104): 1157 if (keylen) 1158 *keylen = 104 / NBBY; 1159 return IEEE80211_CIPHER_WEP; 1160 case WPA_SEL(WPA_CSE_TKIP): 1161 return IEEE80211_CIPHER_TKIP; 1162 case WPA_SEL(WPA_CSE_CCMP): 1163 return IEEE80211_CIPHER_AES_CCM; 1164 } 1165 return 32; /* NB: so 1<< is discarded */ 1166 #undef WPA_SEL 1167 } 1168 1169 /* 1170 * Convert a WPA key management/authentication algorithm 1171 * to an internal code. 1172 */ 1173 static int 1174 wpa_keymgmt(const uint8_t *sel) 1175 { 1176 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1177 uint32_t w = LE_READ_4(sel); 1178 1179 switch (w) { 1180 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1181 return WPA_ASE_8021X_UNSPEC; 1182 case WPA_SEL(WPA_ASE_8021X_PSK): 1183 return WPA_ASE_8021X_PSK; 1184 case WPA_SEL(WPA_ASE_NONE): 1185 return WPA_ASE_NONE; 1186 } 1187 return 0; /* NB: so is discarded */ 1188 #undef WPA_SEL 1189 } 1190 1191 /* 1192 * Parse a WPA information element to collect parameters. 1193 * Note that we do not validate security parameters; that 1194 * is handled by the authenticator; the parsing done here 1195 * is just for internal use in making operational decisions. 1196 */ 1197 static int 1198 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1199 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1200 { 1201 uint8_t len = frm[1]; 1202 uint32_t w; 1203 int n; 1204 1205 /* 1206 * Check the length once for fixed parts: OUI, type, 1207 * version, mcast cipher, and 2 selector counts. 1208 * Other, variable-length data, must be checked separately. 1209 */ 1210 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1211 IEEE80211_DISCARD_IE(vap, 1212 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1213 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1214 return IEEE80211_REASON_IE_INVALID; 1215 } 1216 if (len < 14) { 1217 IEEE80211_DISCARD_IE(vap, 1218 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1219 wh, "WPA", "too short, len %u", len); 1220 return IEEE80211_REASON_IE_INVALID; 1221 } 1222 frm += 6, len -= 4; /* NB: len is payload only */ 1223 /* NB: iswapoui already validated the OUI and type */ 1224 w = LE_READ_2(frm); 1225 if (w != WPA_VERSION) { 1226 IEEE80211_DISCARD_IE(vap, 1227 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1228 wh, "WPA", "bad version %u", w); 1229 return IEEE80211_REASON_IE_INVALID; 1230 } 1231 frm += 2, len -= 2; 1232 1233 memset(rsn, 0, sizeof(*rsn)); 1234 1235 /* multicast/group cipher */ 1236 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1237 frm += 4, len -= 4; 1238 1239 /* unicast ciphers */ 1240 n = LE_READ_2(frm); 1241 frm += 2, len -= 2; 1242 if (len < n*4+2) { 1243 IEEE80211_DISCARD_IE(vap, 1244 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1245 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1246 len, n); 1247 return IEEE80211_REASON_IE_INVALID; 1248 } 1249 w = 0; 1250 for (; n > 0; n--) { 1251 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1252 frm += 4, len -= 4; 1253 } 1254 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1255 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1256 else 1257 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1258 1259 /* key management algorithms */ 1260 n = LE_READ_2(frm); 1261 frm += 2, len -= 2; 1262 if (len < n*4) { 1263 IEEE80211_DISCARD_IE(vap, 1264 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1265 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1266 len, n); 1267 return IEEE80211_REASON_IE_INVALID; 1268 } 1269 w = 0; 1270 for (; n > 0; n--) { 1271 w |= wpa_keymgmt(frm); 1272 frm += 4, len -= 4; 1273 } 1274 if (w & WPA_ASE_8021X_UNSPEC) 1275 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1276 else 1277 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1278 1279 if (len > 2) /* optional capabilities */ 1280 rsn->rsn_caps = LE_READ_2(frm); 1281 1282 return 0; 1283 } 1284 1285 /* 1286 * Convert an RSN cipher selector OUI to an internal 1287 * cipher algorithm. Where appropriate we also 1288 * record any key length. 1289 */ 1290 static int 1291 rsn_cipher(const uint8_t *sel, uint8_t *keylen) 1292 { 1293 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1294 uint32_t w = LE_READ_4(sel); 1295 1296 switch (w) { 1297 case RSN_SEL(RSN_CSE_NULL): 1298 return IEEE80211_CIPHER_NONE; 1299 case RSN_SEL(RSN_CSE_WEP40): 1300 if (keylen) 1301 *keylen = 40 / NBBY; 1302 return IEEE80211_CIPHER_WEP; 1303 case RSN_SEL(RSN_CSE_WEP104): 1304 if (keylen) 1305 *keylen = 104 / NBBY; 1306 return IEEE80211_CIPHER_WEP; 1307 case RSN_SEL(RSN_CSE_TKIP): 1308 return IEEE80211_CIPHER_TKIP; 1309 case RSN_SEL(RSN_CSE_CCMP): 1310 return IEEE80211_CIPHER_AES_CCM; 1311 case RSN_SEL(RSN_CSE_WRAP): 1312 return IEEE80211_CIPHER_AES_OCB; 1313 } 1314 return 32; /* NB: so 1<< is discarded */ 1315 #undef WPA_SEL 1316 } 1317 1318 /* 1319 * Convert an RSN key management/authentication algorithm 1320 * to an internal code. 1321 */ 1322 static int 1323 rsn_keymgmt(const uint8_t *sel) 1324 { 1325 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1326 uint32_t w = LE_READ_4(sel); 1327 1328 switch (w) { 1329 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1330 return RSN_ASE_8021X_UNSPEC; 1331 case RSN_SEL(RSN_ASE_8021X_PSK): 1332 return RSN_ASE_8021X_PSK; 1333 case RSN_SEL(RSN_ASE_NONE): 1334 return RSN_ASE_NONE; 1335 } 1336 return 0; /* NB: so is discarded */ 1337 #undef RSN_SEL 1338 } 1339 1340 /* 1341 * Parse a WPA/RSN information element to collect parameters 1342 * and validate the parameters against what has been 1343 * configured for the system. 1344 */ 1345 static int 1346 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1347 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1348 { 1349 uint8_t len = frm[1]; 1350 uint32_t w; 1351 int n; 1352 1353 /* 1354 * Check the length once for fixed parts: 1355 * version, mcast cipher, and 2 selector counts. 1356 * Other, variable-length data, must be checked separately. 1357 */ 1358 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1359 IEEE80211_DISCARD_IE(vap, 1360 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1361 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1362 return IEEE80211_REASON_IE_INVALID; 1363 } 1364 if (len < 10) { 1365 IEEE80211_DISCARD_IE(vap, 1366 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1367 wh, "RSN", "too short, len %u", len); 1368 return IEEE80211_REASON_IE_INVALID; 1369 } 1370 frm += 2; 1371 w = LE_READ_2(frm); 1372 if (w != RSN_VERSION) { 1373 IEEE80211_DISCARD_IE(vap, 1374 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1375 wh, "RSN", "bad version %u", w); 1376 return IEEE80211_REASON_IE_INVALID; 1377 } 1378 frm += 2, len -= 2; 1379 1380 memset(rsn, 0, sizeof(*rsn)); 1381 1382 /* multicast/group cipher */ 1383 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1384 frm += 4, len -= 4; 1385 1386 /* unicast ciphers */ 1387 n = LE_READ_2(frm); 1388 frm += 2, len -= 2; 1389 if (len < n*4+2) { 1390 IEEE80211_DISCARD_IE(vap, 1391 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1392 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1393 len, n); 1394 return IEEE80211_REASON_IE_INVALID; 1395 } 1396 w = 0; 1397 for (; n > 0; n--) { 1398 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1399 frm += 4, len -= 4; 1400 } 1401 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1402 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1403 else 1404 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1405 1406 /* key management algorithms */ 1407 n = LE_READ_2(frm); 1408 frm += 2, len -= 2; 1409 if (len < n*4) { 1410 IEEE80211_DISCARD_IE(vap, 1411 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1412 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1413 len, n); 1414 return IEEE80211_REASON_IE_INVALID; 1415 } 1416 w = 0; 1417 for (; n > 0; n--) { 1418 w |= rsn_keymgmt(frm); 1419 frm += 4, len -= 4; 1420 } 1421 if (w & RSN_ASE_8021X_UNSPEC) 1422 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1423 else 1424 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1425 1426 /* optional RSN capabilities */ 1427 if (len > 2) 1428 rsn->rsn_caps = LE_READ_2(frm); 1429 /* XXXPMKID */ 1430 1431 return 0; 1432 } 1433 1434 /* 1435 * WPA/802.11i assocation request processing. 1436 */ 1437 static int 1438 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1439 const struct ieee80211_frame *wh, const uint8_t *wpa, 1440 const uint8_t *rsn, uint16_t capinfo) 1441 { 1442 struct ieee80211vap *vap = ni->ni_vap; 1443 uint8_t reason; 1444 int badwparsn; 1445 1446 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1447 if (wpa == NULL && rsn == NULL) { 1448 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1449 /* 1450 * W-Fi Protected Setup (WPS) permits 1451 * clients to associate and pass EAPOL frames 1452 * to establish initial credentials. 1453 */ 1454 ni->ni_flags |= IEEE80211_NODE_WPS; 1455 return 1; 1456 } 1457 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1458 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1459 /* 1460 * Transitional Security Network. Permits clients 1461 * to associate and use WEP while WPA is configured. 1462 */ 1463 ni->ni_flags |= IEEE80211_NODE_TSN; 1464 return 1; 1465 } 1466 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1467 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1468 vap->iv_stats.is_rx_assoc_badwpaie++; 1469 reason = IEEE80211_REASON_IE_INVALID; 1470 goto bad; 1471 } 1472 /* assert right association security credentials */ 1473 badwparsn = 0; /* NB: to silence compiler */ 1474 switch (vap->iv_flags & IEEE80211_F_WPA) { 1475 case IEEE80211_F_WPA1: 1476 badwparsn = (wpa == NULL); 1477 break; 1478 case IEEE80211_F_WPA2: 1479 badwparsn = (rsn == NULL); 1480 break; 1481 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1482 badwparsn = (wpa == NULL && rsn == NULL); 1483 break; 1484 } 1485 if (badwparsn) { 1486 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1487 wh, NULL, 1488 "%s", "missing WPA/RSN IE in association request"); 1489 vap->iv_stats.is_rx_assoc_badwpaie++; 1490 reason = IEEE80211_REASON_IE_INVALID; 1491 goto bad; 1492 } 1493 /* 1494 * Parse WPA/RSN information element. 1495 */ 1496 if (wpa != NULL) 1497 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1498 else 1499 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1500 if (reason != 0) { 1501 /* XXX distinguish WPA/RSN? */ 1502 vap->iv_stats.is_rx_assoc_badwpaie++; 1503 goto bad; 1504 } 1505 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1506 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1507 wpa != NULL ? "WPA" : "RSN", 1508 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1509 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1510 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1511 1512 return 1; 1513 bad: 1514 ieee80211_node_deauth(ni, reason); 1515 return 0; 1516 } 1517 1518 /* XXX find a better place for definition */ 1519 struct l2_update_frame { 1520 struct ether_header eh; 1521 uint8_t dsap; 1522 uint8_t ssap; 1523 uint8_t control; 1524 uint8_t xid[3]; 1525 } __packed; 1526 1527 /* 1528 * Deliver a TGf L2UF frame on behalf of a station. 1529 * This primes any bridge when the station is roaming 1530 * between ap's on the same wired network. 1531 */ 1532 static void 1533 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1534 { 1535 struct ieee80211vap *vap = ni->ni_vap; 1536 struct ifnet *ifp = vap->iv_ifp; 1537 struct mbuf *m; 1538 struct l2_update_frame *l2uf; 1539 struct ether_header *eh; 1540 1541 m = m_gethdr(M_NOWAIT, MT_DATA); 1542 if (m == NULL) { 1543 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1544 "%s", "no mbuf for l2uf frame"); 1545 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1546 return; 1547 } 1548 l2uf = mtod(m, struct l2_update_frame *); 1549 eh = &l2uf->eh; 1550 /* dst: Broadcast address */ 1551 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1552 /* src: associated STA */ 1553 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1554 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1555 1556 l2uf->dsap = 0; 1557 l2uf->ssap = 0; 1558 l2uf->control = 0xf5; 1559 l2uf->xid[0] = 0x81; 1560 l2uf->xid[1] = 0x80; 1561 l2uf->xid[2] = 0x00; 1562 1563 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1564 hostap_deliver_data(vap, ni, m); 1565 } 1566 1567 static void 1568 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1569 int reassoc, int resp, const char *tag, int rate) 1570 { 1571 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1572 "deny %s request, %s rate set mismatch, rate/MCS %d", 1573 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1574 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1575 ieee80211_node_leave(ni); 1576 } 1577 1578 static void 1579 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1580 int reassoc, int resp, const char *tag, int capinfo) 1581 { 1582 struct ieee80211vap *vap = ni->ni_vap; 1583 1584 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1585 "deny %s request, %s mismatch 0x%x", 1586 reassoc ? "reassoc" : "assoc", tag, capinfo); 1587 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1588 ieee80211_node_leave(ni); 1589 vap->iv_stats.is_rx_assoc_capmismatch++; 1590 } 1591 1592 static void 1593 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1594 int reassoc, int resp) 1595 { 1596 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1597 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1598 /* XXX no better code */ 1599 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER); 1600 ieee80211_node_leave(ni); 1601 } 1602 1603 static void 1604 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1605 int algo, int seq, int status) 1606 { 1607 struct ieee80211vap *vap = ni->ni_vap; 1608 1609 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1610 wh, NULL, "unsupported alg %d", algo); 1611 vap->iv_stats.is_rx_auth_unsupported++; 1612 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1613 seq | (status << 16)); 1614 } 1615 1616 static __inline int 1617 ishtmixed(const uint8_t *ie) 1618 { 1619 const struct ieee80211_ie_htinfo *ht = 1620 (const struct ieee80211_ie_htinfo *) ie; 1621 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1622 IEEE80211_HTINFO_OPMODE_MIXED; 1623 } 1624 1625 static int 1626 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1627 { 1628 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1629 int i; 1630 1631 /* NB: the 11b clients we care about will not have xrates */ 1632 if (xrates != NULL || rates == NULL) 1633 return 0; 1634 for (i = 0; i < rates[1]; i++) { 1635 int r = rates[2+i] & IEEE80211_RATE_VAL; 1636 if (r > 2*11 || ((1<<r) & brates) == 0) 1637 return 0; 1638 } 1639 return 1; 1640 } 1641 1642 static void 1643 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1644 int subtype, int rssi, int noise, uint32_t rstamp) 1645 { 1646 struct ieee80211vap *vap = ni->ni_vap; 1647 struct ieee80211com *ic = ni->ni_ic; 1648 struct ieee80211_frame *wh; 1649 uint8_t *frm, *efrm, *sfrm; 1650 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1651 int reassoc, resp; 1652 uint8_t rate; 1653 1654 wh = mtod(m0, struct ieee80211_frame *); 1655 frm = (uint8_t *)&wh[1]; 1656 efrm = mtod(m0, uint8_t *) + m0->m_len; 1657 switch (subtype) { 1658 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1659 case IEEE80211_FC0_SUBTYPE_BEACON: { 1660 struct ieee80211_scanparams scan; 1661 /* 1662 * We process beacon/probe response frames when scanning; 1663 * otherwise we check beacon frames for overlapping non-ERP 1664 * BSS in 11g and/or overlapping legacy BSS when in HT. 1665 */ 1666 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 && 1667 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 1668 vap->iv_stats.is_rx_mgtdiscard++; 1669 return; 1670 } 1671 /* NB: accept off-channel frames */ 1672 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1673 return; 1674 /* 1675 * Count frame now that we know it's to be processed. 1676 */ 1677 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1678 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1679 IEEE80211_NODE_STAT(ni, rx_beacons); 1680 } else 1681 IEEE80211_NODE_STAT(ni, rx_proberesp); 1682 /* 1683 * If scanning, just pass information to the scan module. 1684 */ 1685 if (ic->ic_flags & IEEE80211_F_SCAN) { 1686 if (scan.status == 0 && /* NB: on channel */ 1687 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1688 /* 1689 * Actively scanning a channel marked passive; 1690 * send a probe request now that we know there 1691 * is 802.11 traffic present. 1692 * 1693 * XXX check if the beacon we recv'd gives 1694 * us what we need and suppress the probe req 1695 */ 1696 ieee80211_probe_curchan(vap, 1); 1697 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1698 } 1699 ieee80211_add_scan(vap, &scan, wh, 1700 subtype, rssi, noise, rstamp); 1701 return; 1702 } 1703 /* 1704 * Check beacon for overlapping bss w/ non ERP stations. 1705 * If we detect one and protection is configured but not 1706 * enabled, enable it and start a timer that'll bring us 1707 * out if we stop seeing the bss. 1708 */ 1709 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1710 scan.status == 0 && /* NB: on-channel */ 1711 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1712 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1713 ic->ic_lastnonerp = ticks; 1714 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1715 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1716 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1717 IEEE80211_NOTE_FRAME(vap, 1718 IEEE80211_MSG_ASSOC, wh, 1719 "non-ERP present on channel %d " 1720 "(saw erp 0x%x from channel %d), " 1721 "enable use of protection", 1722 ic->ic_curchan->ic_ieee, 1723 scan.erp, scan.chan); 1724 ic->ic_flags |= IEEE80211_F_USEPROT; 1725 ieee80211_notify_erp(ic); 1726 } 1727 } 1728 /* 1729 * Check beacon for non-HT station on HT channel 1730 * and update HT BSS occupancy as appropriate. 1731 */ 1732 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1733 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1734 /* 1735 * Off control channel; only check frames 1736 * that come in the extension channel when 1737 * operating w/ HT40. 1738 */ 1739 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1740 break; 1741 if (scan.chan != ic->ic_curchan->ic_extieee) 1742 break; 1743 } 1744 if (scan.htinfo == NULL) { 1745 ieee80211_htprot_update(ic, 1746 IEEE80211_HTINFO_OPMODE_PROTOPT | 1747 IEEE80211_HTINFO_NONHT_PRESENT); 1748 } else if (ishtmixed(scan.htinfo)) { 1749 /* XXX? take NONHT_PRESENT from beacon? */ 1750 ieee80211_htprot_update(ic, 1751 IEEE80211_HTINFO_OPMODE_MIXED | 1752 IEEE80211_HTINFO_NONHT_PRESENT); 1753 } 1754 } 1755 break; 1756 } 1757 1758 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1759 if (vap->iv_state != IEEE80211_S_RUN) { 1760 vap->iv_stats.is_rx_mgtdiscard++; 1761 return; 1762 } 1763 /* 1764 * prreq frame format 1765 * [tlv] ssid 1766 * [tlv] supported rates 1767 * [tlv] extended supported rates 1768 */ 1769 ssid = rates = xrates = NULL; 1770 sfrm = frm; 1771 while (efrm - frm > 1) { 1772 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1773 switch (*frm) { 1774 case IEEE80211_ELEMID_SSID: 1775 ssid = frm; 1776 break; 1777 case IEEE80211_ELEMID_RATES: 1778 rates = frm; 1779 break; 1780 case IEEE80211_ELEMID_XRATES: 1781 xrates = frm; 1782 break; 1783 } 1784 frm += frm[1] + 2; 1785 } 1786 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1787 if (xrates != NULL) 1788 IEEE80211_VERIFY_ELEMENT(xrates, 1789 IEEE80211_RATE_MAXSIZE - rates[1], return); 1790 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1791 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1792 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1793 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1794 wh, NULL, 1795 "%s", "no ssid with ssid suppression enabled"); 1796 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1797 return; 1798 } 1799 1800 /* XXX find a better class or define it's own */ 1801 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1802 "%s", "recv probe req"); 1803 /* 1804 * Some legacy 11b clients cannot hack a complete 1805 * probe response frame. When the request includes 1806 * only a bare-bones rate set, communicate this to 1807 * the transmit side. 1808 */ 1809 ieee80211_send_proberesp(vap, wh->i_addr2, 1810 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1811 break; 1812 1813 case IEEE80211_FC0_SUBTYPE_AUTH: { 1814 uint16_t algo, seq, status; 1815 1816 if (vap->iv_state != IEEE80211_S_RUN) { 1817 vap->iv_stats.is_rx_mgtdiscard++; 1818 return; 1819 } 1820 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1821 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1822 wh, NULL, "%s", "wrong bssid"); 1823 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1824 return; 1825 } 1826 /* 1827 * auth frame format 1828 * [2] algorithm 1829 * [2] sequence 1830 * [2] status 1831 * [tlv*] challenge 1832 */ 1833 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1834 algo = le16toh(*(uint16_t *)frm); 1835 seq = le16toh(*(uint16_t *)(frm + 2)); 1836 status = le16toh(*(uint16_t *)(frm + 4)); 1837 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1838 "recv auth frame with algorithm %d seq %d", algo, seq); 1839 /* 1840 * Consult the ACL policy module if setup. 1841 */ 1842 if (vap->iv_acl != NULL && 1843 !vap->iv_acl->iac_check(vap, wh->i_addr2)) { 1844 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1845 wh, NULL, "%s", "disallowed by ACL"); 1846 vap->iv_stats.is_rx_acl++; 1847 ieee80211_send_error(ni, wh->i_addr2, 1848 IEEE80211_FC0_SUBTYPE_AUTH, 1849 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1850 return; 1851 } 1852 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1853 IEEE80211_DISCARD(vap, 1854 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1855 wh, NULL, "%s", "TKIP countermeasures enabled"); 1856 vap->iv_stats.is_rx_auth_countermeasures++; 1857 ieee80211_send_error(ni, wh->i_addr2, 1858 IEEE80211_FC0_SUBTYPE_AUTH, 1859 IEEE80211_REASON_MIC_FAILURE); 1860 return; 1861 } 1862 if (algo == IEEE80211_AUTH_ALG_SHARED) 1863 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, 1864 noise, rstamp, seq, status); 1865 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1866 hostap_auth_open(ni, wh, rssi, noise, rstamp, 1867 seq, status); 1868 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1869 authalgreject(ni, wh, algo, 1870 seq+1, IEEE80211_STATUS_ALG); 1871 return; 1872 } else { 1873 /* 1874 * We assume that an unknown algorithm is the result 1875 * of a decryption failure on a shared key auth frame; 1876 * return a status code appropriate for that instead 1877 * of IEEE80211_STATUS_ALG. 1878 * 1879 * NB: a seq# of 4 is intentional; the decrypted 1880 * frame likely has a bogus seq value. 1881 */ 1882 authalgreject(ni, wh, algo, 1883 4, IEEE80211_STATUS_CHALLENGE); 1884 return; 1885 } 1886 break; 1887 } 1888 1889 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1890 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1891 uint16_t capinfo, lintval; 1892 struct ieee80211_rsnparms rsnparms; 1893 1894 if (vap->iv_state != IEEE80211_S_RUN) { 1895 vap->iv_stats.is_rx_mgtdiscard++; 1896 return; 1897 } 1898 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1899 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1900 wh, NULL, "%s", "wrong bssid"); 1901 vap->iv_stats.is_rx_assoc_bss++; 1902 return; 1903 } 1904 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1905 reassoc = 1; 1906 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1907 } else { 1908 reassoc = 0; 1909 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1910 } 1911 if (ni == vap->iv_bss) { 1912 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1913 "deny %s request, sta not authenticated", 1914 reassoc ? "reassoc" : "assoc"); 1915 ieee80211_send_error(ni, wh->i_addr2, 1916 IEEE80211_FC0_SUBTYPE_DEAUTH, 1917 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1918 vap->iv_stats.is_rx_assoc_notauth++; 1919 return; 1920 } 1921 1922 /* 1923 * asreq frame format 1924 * [2] capability information 1925 * [2] listen interval 1926 * [6*] current AP address (reassoc only) 1927 * [tlv] ssid 1928 * [tlv] supported rates 1929 * [tlv] extended supported rates 1930 * [tlv] WPA or RSN 1931 * [tlv] HT capabilities 1932 * [tlv] Atheros capabilities 1933 */ 1934 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1935 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1936 lintval = le16toh(*(uint16_t *)frm); frm += 2; 1937 if (reassoc) 1938 frm += 6; /* ignore current AP info */ 1939 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1940 sfrm = frm; 1941 while (efrm - frm > 1) { 1942 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1943 switch (*frm) { 1944 case IEEE80211_ELEMID_SSID: 1945 ssid = frm; 1946 break; 1947 case IEEE80211_ELEMID_RATES: 1948 rates = frm; 1949 break; 1950 case IEEE80211_ELEMID_XRATES: 1951 xrates = frm; 1952 break; 1953 case IEEE80211_ELEMID_RSN: 1954 rsn = frm; 1955 break; 1956 case IEEE80211_ELEMID_HTCAP: 1957 htcap = frm; 1958 break; 1959 case IEEE80211_ELEMID_VENDOR: 1960 if (iswpaoui(frm)) 1961 wpa = frm; 1962 else if (iswmeinfo(frm)) 1963 wme = frm; 1964 else if (isatherosoui(frm)) 1965 ath = frm; 1966 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) { 1967 if (ishtcapoui(frm) && htcap == NULL) 1968 htcap = frm; 1969 } 1970 break; 1971 } 1972 frm += frm[1] + 2; 1973 } 1974 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1975 if (xrates != NULL) 1976 IEEE80211_VERIFY_ELEMENT(xrates, 1977 IEEE80211_RATE_MAXSIZE - rates[1], return); 1978 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1979 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1980 if (htcap != NULL) { 1981 IEEE80211_VERIFY_LENGTH(htcap[1], 1982 htcap[0] == IEEE80211_ELEMID_VENDOR ? 1983 4 + sizeof(struct ieee80211_ie_htcap)-2 : 1984 sizeof(struct ieee80211_ie_htcap)-2, 1985 return); /* XXX just NULL out? */ 1986 } 1987 1988 if ((vap->iv_flags & IEEE80211_F_WPA) && 1989 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 1990 return; 1991 /* discard challenge after association */ 1992 if (ni->ni_challenge != NULL) { 1993 FREE(ni->ni_challenge, M_80211_NODE); 1994 ni->ni_challenge = NULL; 1995 } 1996 /* NB: 802.11 spec says to ignore station's privacy bit */ 1997 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 1998 capinfomismatch(ni, wh, reassoc, resp, 1999 "capability", capinfo); 2000 return; 2001 } 2002 /* 2003 * Disallow re-associate w/ invalid slot time setting. 2004 */ 2005 if (ni->ni_associd != 0 && 2006 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2007 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2008 capinfomismatch(ni, wh, reassoc, resp, 2009 "slot time", capinfo); 2010 return; 2011 } 2012 rate = ieee80211_setup_rates(ni, rates, xrates, 2013 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2014 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2015 if (rate & IEEE80211_RATE_BASIC) { 2016 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2017 vap->iv_stats.is_rx_assoc_norate++; 2018 return; 2019 } 2020 /* 2021 * If constrained to 11g-only stations reject an 2022 * 11b-only station. We cheat a bit here by looking 2023 * at the max negotiated xmit rate and assuming anyone 2024 * with a best rate <24Mb/s is an 11b station. 2025 */ 2026 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2027 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2028 vap->iv_stats.is_rx_assoc_norate++; 2029 return; 2030 } 2031 /* 2032 * Do HT rate set handling and setup HT node state. 2033 */ 2034 ni->ni_chan = vap->iv_bss->ni_chan; 2035 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2036 rate = ieee80211_setup_htrates(ni, htcap, 2037 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2038 IEEE80211_F_DOBRS); 2039 if (rate & IEEE80211_RATE_BASIC) { 2040 ratesetmismatch(ni, wh, reassoc, resp, 2041 "HT", rate); 2042 vap->iv_stats.is_ht_assoc_norate++; 2043 return; 2044 } 2045 ieee80211_ht_node_init(ni, htcap); 2046 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2047 ieee80211_ht_node_cleanup(ni); 2048 /* 2049 * Allow AMPDU operation only with unencrypted traffic 2050 * or AES-CCM; the 11n spec only specifies these ciphers 2051 * so permitting any others is undefined and can lead 2052 * to interoperability problems. 2053 */ 2054 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2055 (((vap->iv_flags & IEEE80211_F_WPA) && 2056 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2057 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2058 IEEE80211_NOTE(vap, 2059 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2060 "disallow HT use because WEP or TKIP requested, " 2061 "capinfo 0x%x ucastcipher %d", capinfo, 2062 rsnparms.rsn_ucastcipher); 2063 ieee80211_ht_node_cleanup(ni); 2064 vap->iv_stats.is_ht_assoc_downgrade++; 2065 } 2066 /* 2067 * If constrained to 11n-only stations reject legacy stations. 2068 */ 2069 if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) && 2070 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2071 htcapmismatch(ni, wh, reassoc, resp); 2072 vap->iv_stats.is_ht_assoc_nohtcap++; 2073 return; 2074 } 2075 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2076 ni->ni_noise = noise; 2077 ni->ni_rstamp = rstamp; 2078 ni->ni_intval = lintval; 2079 ni->ni_capinfo = capinfo; 2080 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2081 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2082 /* 2083 * Store the IEs. 2084 * XXX maybe better to just expand 2085 */ 2086 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2087 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2088 if (wpa != NULL) 2089 setie(wpa_ie, wpa - sfrm); 2090 if (rsn != NULL) 2091 setie(rsn_ie, rsn - sfrm); 2092 if (htcap != NULL) 2093 setie(htcap_ie, htcap - sfrm); 2094 if (wme != NULL) { 2095 setie(wme_ie, wme - sfrm); 2096 /* 2097 * Mark node as capable of QoS. 2098 */ 2099 ni->ni_flags |= IEEE80211_NODE_QOS; 2100 } else 2101 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2102 if (ath != NULL) { 2103 setie(ath_ie, ath - sfrm); 2104 /* 2105 * Parse ATH station parameters. 2106 */ 2107 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2108 } else 2109 ni->ni_ath_flags = 0; 2110 #undef setie 2111 } else { 2112 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2113 ni->ni_ath_flags = 0; 2114 } 2115 ieee80211_node_join(ni, resp); 2116 ieee80211_deliver_l2uf(ni); 2117 break; 2118 } 2119 2120 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2121 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2122 uint16_t reason; 2123 2124 if (vap->iv_state != IEEE80211_S_RUN || 2125 /* NB: can happen when in promiscuous mode */ 2126 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2127 vap->iv_stats.is_rx_mgtdiscard++; 2128 break; 2129 } 2130 /* 2131 * deauth/disassoc frame format 2132 * [2] reason 2133 */ 2134 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2135 reason = le16toh(*(uint16_t *)frm); 2136 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2137 vap->iv_stats.is_rx_deauth++; 2138 IEEE80211_NODE_STAT(ni, rx_deauth); 2139 } else { 2140 vap->iv_stats.is_rx_disassoc++; 2141 IEEE80211_NODE_STAT(ni, rx_disassoc); 2142 } 2143 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2144 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >> 2145 IEEE80211_FC0_SUBTYPE_SHIFT], reason); 2146 if (ni != vap->iv_bss) 2147 ieee80211_node_leave(ni); 2148 break; 2149 } 2150 2151 case IEEE80211_FC0_SUBTYPE_ACTION: 2152 if (vap->iv_state == IEEE80211_S_RUN) { 2153 if (ieee80211_parse_action(ni, m0) == 0) 2154 ic->ic_recv_action(ni, frm, efrm); 2155 } else 2156 vap->iv_stats.is_rx_mgtdiscard++; 2157 break; 2158 2159 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2160 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2161 default: 2162 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2163 wh, "mgt", "subtype 0x%x not handled", subtype); 2164 vap->iv_stats.is_rx_badsubtype++; 2165 break; 2166 } 2167 } 2168 2169 /* 2170 * Process a received ps-poll frame. 2171 */ 2172 static void 2173 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2174 { 2175 struct ieee80211vap *vap = ni->ni_vap; 2176 struct ieee80211_frame_min *wh; 2177 struct ifnet *ifp = vap->iv_ifp; 2178 struct mbuf *m; 2179 uint16_t aid; 2180 int qlen; 2181 2182 wh = mtod(m0, struct ieee80211_frame_min *); 2183 if (ni->ni_associd == 0) { 2184 IEEE80211_DISCARD(vap, 2185 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2186 (struct ieee80211_frame *) wh, NULL, 2187 "%s", "unassociated station"); 2188 vap->iv_stats.is_ps_unassoc++; 2189 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2190 IEEE80211_REASON_NOT_ASSOCED); 2191 return; 2192 } 2193 2194 aid = le16toh(*(uint16_t *)wh->i_dur); 2195 if (aid != ni->ni_associd) { 2196 IEEE80211_DISCARD(vap, 2197 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2198 (struct ieee80211_frame *) wh, NULL, 2199 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2200 ni->ni_associd, aid); 2201 vap->iv_stats.is_ps_badaid++; 2202 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2203 IEEE80211_REASON_NOT_ASSOCED); 2204 return; 2205 } 2206 2207 /* Okay, take the first queued packet and put it out... */ 2208 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2209 if (m == NULL) { 2210 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2211 "%s", "recv ps-poll, but queue empty"); 2212 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2213 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2214 if (vap->iv_set_tim != NULL) 2215 vap->iv_set_tim(ni, 0); /* just in case */ 2216 return; 2217 } 2218 /* 2219 * If there are more packets, set the more packets bit 2220 * in the packet dispatched to the station; otherwise 2221 * turn off the TIM bit. 2222 */ 2223 if (qlen != 0) { 2224 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2225 "recv ps-poll, send packet, %u still queued", qlen); 2226 m->m_flags |= M_MORE_DATA; 2227 } else { 2228 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2229 "%s", "recv ps-poll, send packet, queue empty"); 2230 if (vap->iv_set_tim != NULL) 2231 vap->iv_set_tim(ni, 0); 2232 } 2233 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2234 IF_ENQUEUE(&ifp->if_snd, m); 2235 if_start(ifp); 2236 } 2237