1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD$"); 31 #endif 32 33 /* 34 * IEEE 802.11 HOSTAP mode support. 35 */ 36 #include "opt_inet.h" 37 #include "opt_wlan.h" 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/mbuf.h> 42 #include <sys/malloc.h> 43 #include <sys/kernel.h> 44 45 #include <sys/socket.h> 46 #include <sys/sockio.h> 47 #include <sys/endian.h> 48 #include <sys/errno.h> 49 #include <sys/proc.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/if_var.h> 54 #include <net/if_media.h> 55 #include <net/if_llc.h> 56 #include <net/ethernet.h> 57 58 #include <net/bpf.h> 59 60 #include <net80211/ieee80211_var.h> 61 #include <net80211/ieee80211_hostap.h> 62 #include <net80211/ieee80211_input.h> 63 #ifdef IEEE80211_SUPPORT_SUPERG 64 #include <net80211/ieee80211_superg.h> 65 #endif 66 #include <net80211/ieee80211_wds.h> 67 #include <net80211/ieee80211_vht.h> 68 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 69 70 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 71 72 static void hostap_vattach(struct ieee80211vap *); 73 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 74 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 75 const struct ieee80211_rx_stats *, 76 int rssi, int nf); 77 static void hostap_deliver_data(struct ieee80211vap *, 78 struct ieee80211_node *, struct mbuf *); 79 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 80 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 81 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 82 83 void 84 ieee80211_hostap_attach(struct ieee80211com *ic) 85 { 86 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 87 } 88 89 void 90 ieee80211_hostap_detach(struct ieee80211com *ic) 91 { 92 } 93 94 static void 95 hostap_vdetach(struct ieee80211vap *vap) 96 { 97 } 98 99 static void 100 hostap_vattach(struct ieee80211vap *vap) 101 { 102 vap->iv_newstate = hostap_newstate; 103 vap->iv_input = hostap_input; 104 vap->iv_recv_mgmt = hostap_recv_mgmt; 105 vap->iv_recv_ctl = hostap_recv_ctl; 106 vap->iv_opdetach = hostap_vdetach; 107 vap->iv_deliver_data = hostap_deliver_data; 108 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 109 } 110 111 static void 112 sta_disassoc(void *arg, struct ieee80211_node *ni) 113 { 114 115 if (ni->ni_associd != 0) { 116 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 117 IEEE80211_REASON_ASSOC_LEAVE); 118 ieee80211_node_leave(ni); 119 } 120 } 121 122 static void 123 sta_csa(void *arg, struct ieee80211_node *ni) 124 { 125 struct ieee80211vap *vap = ni->ni_vap; 126 127 if (ni->ni_associd != 0) 128 if (ni->ni_inact > vap->iv_inact_init) { 129 ni->ni_inact = vap->iv_inact_init; 130 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 131 "%s: inact %u", __func__, ni->ni_inact); 132 } 133 } 134 135 static void 136 sta_drop(void *arg, struct ieee80211_node *ni) 137 { 138 139 if (ni->ni_associd != 0) 140 ieee80211_node_leave(ni); 141 } 142 143 /* 144 * Does a channel change require associated stations to re-associate 145 * so protocol state is correct. This is used when doing CSA across 146 * bands or similar (e.g. HT -> legacy). 147 */ 148 static int 149 isbandchange(struct ieee80211com *ic) 150 { 151 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 152 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 153 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 154 } 155 156 /* 157 * IEEE80211_M_HOSTAP vap state machine handler. 158 */ 159 static int 160 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 161 { 162 struct ieee80211com *ic = vap->iv_ic; 163 enum ieee80211_state ostate; 164 165 IEEE80211_LOCK_ASSERT(ic); 166 167 ostate = vap->iv_state; 168 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 169 __func__, ieee80211_state_name[ostate], 170 ieee80211_state_name[nstate], arg); 171 vap->iv_state = nstate; /* state transition */ 172 if (ostate != IEEE80211_S_SCAN) 173 ieee80211_cancel_scan(vap); /* background scan */ 174 switch (nstate) { 175 case IEEE80211_S_INIT: 176 switch (ostate) { 177 case IEEE80211_S_SCAN: 178 ieee80211_cancel_scan(vap); 179 break; 180 case IEEE80211_S_CAC: 181 ieee80211_dfs_cac_stop(vap); 182 break; 183 case IEEE80211_S_RUN: 184 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 185 sta_disassoc, NULL); 186 break; 187 default: 188 break; 189 } 190 if (ostate != IEEE80211_S_INIT) { 191 /* NB: optimize INIT -> INIT case */ 192 ieee80211_reset_bss(vap); 193 } 194 if (vap->iv_auth->ia_detach != NULL) 195 vap->iv_auth->ia_detach(vap); 196 break; 197 case IEEE80211_S_SCAN: 198 switch (ostate) { 199 case IEEE80211_S_CSA: 200 case IEEE80211_S_RUN: 201 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 202 sta_disassoc, NULL); 203 /* 204 * Clear overlapping BSS state; the beacon frame 205 * will be reconstructed on transition to the RUN 206 * state and the timeout routines check if the flag 207 * is set before doing anything so this is sufficient. 208 */ 209 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 210 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 211 /* XXX TODO: schedule deferred update? */ 212 /* fall thru... */ 213 case IEEE80211_S_CAC: 214 /* 215 * NB: We may get here because of a manual channel 216 * change in which case we need to stop CAC 217 * XXX no need to stop if ostate RUN but it's ok 218 */ 219 ieee80211_dfs_cac_stop(vap); 220 /* fall thru... */ 221 case IEEE80211_S_INIT: 222 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 223 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 224 /* 225 * Already have a channel; bypass the 226 * scan and startup immediately. 227 * ieee80211_create_ibss will call back to 228 * move us to RUN state. 229 */ 230 ieee80211_create_ibss(vap, vap->iv_des_chan); 231 break; 232 } 233 /* 234 * Initiate a scan. We can come here as a result 235 * of an IEEE80211_IOC_SCAN_REQ too in which case 236 * the vap will be marked with IEEE80211_FEXT_SCANREQ 237 * and the scan request parameters will be present 238 * in iv_scanreq. Otherwise we do the default. 239 */ 240 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 241 ieee80211_check_scan(vap, 242 vap->iv_scanreq_flags, 243 vap->iv_scanreq_duration, 244 vap->iv_scanreq_mindwell, 245 vap->iv_scanreq_maxdwell, 246 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 247 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 248 } else 249 ieee80211_check_scan_current(vap); 250 break; 251 case IEEE80211_S_SCAN: 252 /* 253 * A state change requires a reset; scan. 254 */ 255 ieee80211_check_scan_current(vap); 256 break; 257 default: 258 break; 259 } 260 break; 261 case IEEE80211_S_CAC: 262 /* 263 * Start CAC on a DFS channel. We come here when starting 264 * a bss on a DFS channel (see ieee80211_create_ibss). 265 */ 266 ieee80211_dfs_cac_start(vap); 267 break; 268 case IEEE80211_S_RUN: 269 if (vap->iv_flags & IEEE80211_F_WPA) { 270 /* XXX validate prerequisites */ 271 } 272 switch (ostate) { 273 case IEEE80211_S_INIT: 274 /* 275 * Already have a channel; bypass the 276 * scan and startup immediately. 277 * Note that ieee80211_create_ibss will call 278 * back to do a RUN->RUN state change. 279 */ 280 ieee80211_create_ibss(vap, 281 ieee80211_ht_adjust_channel(ic, 282 ic->ic_curchan, vap->iv_flags_ht)); 283 /* NB: iv_bss is changed on return */ 284 break; 285 case IEEE80211_S_CAC: 286 /* 287 * NB: This is the normal state change when CAC 288 * expires and no radar was detected; no need to 289 * clear the CAC timer as it's already expired. 290 */ 291 /* fall thru... */ 292 case IEEE80211_S_CSA: 293 /* 294 * Shorten inactivity timer of associated stations 295 * to weed out sta's that don't follow a CSA. 296 */ 297 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 298 sta_csa, NULL); 299 /* 300 * Update bss node channel to reflect where 301 * we landed after CSA. 302 */ 303 ieee80211_node_set_chan(vap->iv_bss, 304 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 305 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 306 /* XXX bypass debug msgs */ 307 break; 308 case IEEE80211_S_SCAN: 309 case IEEE80211_S_RUN: 310 #ifdef IEEE80211_DEBUG 311 if (ieee80211_msg_debug(vap)) { 312 struct ieee80211_node *ni = vap->iv_bss; 313 ieee80211_note(vap, 314 "synchronized with %s ssid ", 315 ether_sprintf(ni->ni_bssid)); 316 ieee80211_print_essid(ni->ni_essid, 317 ni->ni_esslen); 318 /* XXX MCS/HT */ 319 printf(" channel %d start %uMb\n", 320 ieee80211_chan2ieee(ic, ic->ic_curchan), 321 IEEE80211_RATE2MBS(ni->ni_txrate)); 322 } 323 #endif 324 break; 325 default: 326 break; 327 } 328 /* 329 * Start/stop the authenticator. We delay until here 330 * to allow configuration to happen out of order. 331 */ 332 if (vap->iv_auth->ia_attach != NULL) { 333 /* XXX check failure */ 334 vap->iv_auth->ia_attach(vap); 335 } else if (vap->iv_auth->ia_detach != NULL) { 336 vap->iv_auth->ia_detach(vap); 337 } 338 ieee80211_node_authorize(vap->iv_bss); 339 break; 340 case IEEE80211_S_CSA: 341 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 342 /* 343 * On a ``band change'' silently drop associated 344 * stations as they must re-associate before they 345 * can pass traffic (as otherwise protocol state 346 * such as capabilities and the negotiated rate 347 * set may/will be wrong). 348 */ 349 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 350 sta_drop, NULL); 351 } 352 break; 353 default: 354 break; 355 } 356 return 0; 357 } 358 359 static void 360 hostap_deliver_data(struct ieee80211vap *vap, 361 struct ieee80211_node *ni, struct mbuf *m) 362 { 363 struct ether_header *eh = mtod(m, struct ether_header *); 364 struct ifnet *ifp = vap->iv_ifp; 365 366 /* clear driver/net80211 flags before passing up */ 367 m->m_flags &= ~(M_MCAST | M_BCAST); 368 m_clrprotoflags(m); 369 370 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 371 ("gack, opmode %d", vap->iv_opmode)); 372 /* 373 * Do accounting. 374 */ 375 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 376 IEEE80211_NODE_STAT(ni, rx_data); 377 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 378 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 379 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 380 IEEE80211_NODE_STAT(ni, rx_mcast); 381 } else 382 IEEE80211_NODE_STAT(ni, rx_ucast); 383 384 /* perform as a bridge within the AP */ 385 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 386 struct mbuf *mcopy = NULL; 387 388 if (m->m_flags & M_MCAST) { 389 mcopy = m_dup(m, M_NOWAIT); 390 if (mcopy == NULL) 391 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 392 else 393 mcopy->m_flags |= M_MCAST; 394 } else { 395 /* 396 * Check if the destination is associated with the 397 * same vap and authorized to receive traffic. 398 * Beware of traffic destined for the vap itself; 399 * sending it will not work; just let it be delivered 400 * normally. 401 */ 402 struct ieee80211_node *sta = ieee80211_find_vap_node( 403 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 404 if (sta != NULL) { 405 if (ieee80211_node_is_authorized(sta)) { 406 /* 407 * Beware of sending to ourself; this 408 * needs to happen via the normal 409 * input path. 410 */ 411 if (sta != vap->iv_bss) { 412 mcopy = m; 413 m = NULL; 414 } 415 } else { 416 vap->iv_stats.is_rx_unauth++; 417 IEEE80211_NODE_STAT(sta, rx_unauth); 418 } 419 ieee80211_free_node(sta); 420 } 421 } 422 if (mcopy != NULL) 423 (void) ieee80211_vap_xmitpkt(vap, mcopy); 424 } 425 if (m != NULL) { 426 /* 427 * Mark frame as coming from vap's interface. 428 */ 429 m->m_pkthdr.rcvif = ifp; 430 if (m->m_flags & M_MCAST) { 431 /* 432 * Spam DWDS vap's w/ multicast traffic. 433 */ 434 /* XXX only if dwds in use? */ 435 ieee80211_dwds_mcast(vap, m); 436 } 437 if (ni->ni_vlan != 0) { 438 /* attach vlan tag */ 439 m->m_pkthdr.ether_vtag = ni->ni_vlan; 440 m->m_flags |= M_VLANTAG; 441 } 442 ifp->if_input(ifp, m); 443 } 444 } 445 446 /* 447 * Decide if a received management frame should be 448 * printed when debugging is enabled. This filters some 449 * of the less interesting frames that come frequently 450 * (e.g. beacons). 451 */ 452 static __inline int 453 doprint(struct ieee80211vap *vap, int subtype) 454 { 455 switch (subtype) { 456 case IEEE80211_FC0_SUBTYPE_BEACON: 457 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 458 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 459 return 0; 460 } 461 return 1; 462 } 463 464 /* 465 * Process a received frame. The node associated with the sender 466 * should be supplied. If nothing was found in the node table then 467 * the caller is assumed to supply a reference to iv_bss instead. 468 * The RSSI and a timestamp are also supplied. The RSSI data is used 469 * during AP scanning to select a AP to associate with; it can have 470 * any units so long as values have consistent units and higher values 471 * mean ``better signal''. The receive timestamp is currently not used 472 * by the 802.11 layer. 473 */ 474 static int 475 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 476 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 477 { 478 struct ieee80211vap *vap = ni->ni_vap; 479 struct ieee80211com *ic = ni->ni_ic; 480 struct ifnet *ifp = vap->iv_ifp; 481 struct ieee80211_frame *wh; 482 struct ieee80211_key *key; 483 struct ether_header *eh; 484 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 485 uint8_t dir, type, subtype, qos; 486 uint8_t *bssid; 487 int is_hw_decrypted = 0; 488 int has_decrypted = 0; 489 490 /* 491 * Some devices do hardware decryption all the way through 492 * to pretending the frame wasn't encrypted in the first place. 493 * So, tag it appropriately so it isn't discarded inappropriately. 494 */ 495 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 496 is_hw_decrypted = 1; 497 498 if (m->m_flags & M_AMPDU_MPDU) { 499 /* 500 * Fastpath for A-MPDU reorder q resubmission. Frames 501 * w/ M_AMPDU_MPDU marked have already passed through 502 * here but were received out of order and been held on 503 * the reorder queue. When resubmitted they are marked 504 * with the M_AMPDU_MPDU flag and we can bypass most of 505 * the normal processing. 506 */ 507 wh = mtod(m, struct ieee80211_frame *); 508 type = IEEE80211_FC0_TYPE_DATA; 509 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 510 subtype = IEEE80211_FC0_SUBTYPE_QOS; 511 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 512 goto resubmit_ampdu; 513 } 514 515 KASSERT(ni != NULL, ("null node")); 516 ni->ni_inact = ni->ni_inact_reload; 517 518 type = -1; /* undefined */ 519 520 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 521 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 522 ni->ni_macaddr, NULL, 523 "too short (1): len %u", m->m_pkthdr.len); 524 vap->iv_stats.is_rx_tooshort++; 525 goto out; 526 } 527 /* 528 * Bit of a cheat here, we use a pointer for a 3-address 529 * frame format but don't reference fields past outside 530 * ieee80211_frame_min w/o first validating the data is 531 * present. 532 */ 533 wh = mtod(m, struct ieee80211_frame *); 534 535 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 536 IEEE80211_FC0_VERSION_0) { 537 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 538 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 539 wh->i_fc[0], wh->i_fc[1]); 540 vap->iv_stats.is_rx_badversion++; 541 goto err; 542 } 543 544 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 545 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 546 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 547 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 548 if (dir != IEEE80211_FC1_DIR_NODS) 549 bssid = wh->i_addr1; 550 else if (type == IEEE80211_FC0_TYPE_CTL) 551 bssid = wh->i_addr1; 552 else { 553 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 554 IEEE80211_DISCARD_MAC(vap, 555 IEEE80211_MSG_ANY, ni->ni_macaddr, 556 NULL, "too short (2): len %u", 557 m->m_pkthdr.len); 558 vap->iv_stats.is_rx_tooshort++; 559 goto out; 560 } 561 bssid = wh->i_addr3; 562 } 563 /* 564 * Validate the bssid. 565 */ 566 if (!(type == IEEE80211_FC0_TYPE_MGT && 567 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 568 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 569 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 570 /* not interested in */ 571 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 572 bssid, NULL, "%s", "not to bss"); 573 vap->iv_stats.is_rx_wrongbss++; 574 goto out; 575 } 576 577 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 578 ni->ni_noise = nf; 579 if (IEEE80211_HAS_SEQ(type, subtype)) { 580 uint8_t tid = ieee80211_gettid(wh); 581 if (IEEE80211_QOS_HAS_SEQ(wh) && 582 TID_TO_WME_AC(tid) >= WME_AC_VI) 583 ic->ic_wme.wme_hipri_traffic++; 584 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 585 goto out; 586 } 587 } 588 589 switch (type) { 590 case IEEE80211_FC0_TYPE_DATA: 591 hdrspace = ieee80211_hdrspace(ic, wh); 592 if (m->m_len < hdrspace && 593 (m = m_pullup(m, hdrspace)) == NULL) { 594 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 595 ni->ni_macaddr, NULL, 596 "data too short: expecting %u", hdrspace); 597 vap->iv_stats.is_rx_tooshort++; 598 goto out; /* XXX */ 599 } 600 if (!(dir == IEEE80211_FC1_DIR_TODS || 601 (dir == IEEE80211_FC1_DIR_DSTODS && 602 (vap->iv_flags & IEEE80211_F_DWDS)))) { 603 if (dir != IEEE80211_FC1_DIR_DSTODS) { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT, wh, "data", 606 "incorrect dir 0x%x", dir); 607 } else { 608 IEEE80211_DISCARD(vap, 609 IEEE80211_MSG_INPUT | 610 IEEE80211_MSG_WDS, wh, 611 "4-address data", 612 "%s", "DWDS not enabled"); 613 } 614 vap->iv_stats.is_rx_wrongdir++; 615 goto out; 616 } 617 /* check if source STA is associated */ 618 if (ni == vap->iv_bss) { 619 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 620 wh, "data", "%s", "unknown src"); 621 ieee80211_send_error(ni, wh->i_addr2, 622 IEEE80211_FC0_SUBTYPE_DEAUTH, 623 IEEE80211_REASON_NOT_AUTHED); 624 vap->iv_stats.is_rx_notassoc++; 625 goto err; 626 } 627 if (ni->ni_associd == 0) { 628 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 629 wh, "data", "%s", "unassoc src"); 630 IEEE80211_SEND_MGMT(ni, 631 IEEE80211_FC0_SUBTYPE_DISASSOC, 632 IEEE80211_REASON_NOT_ASSOCED); 633 vap->iv_stats.is_rx_notassoc++; 634 goto err; 635 } 636 637 /* 638 * Check for power save state change. 639 * XXX out-of-order A-MPDU frames? 640 */ 641 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 642 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 643 vap->iv_node_ps(ni, 644 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 645 /* 646 * For 4-address packets handle WDS discovery 647 * notifications. Once a WDS link is setup frames 648 * are just delivered to the WDS vap (see below). 649 */ 650 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 651 if (!ieee80211_node_is_authorized(ni)) { 652 IEEE80211_DISCARD(vap, 653 IEEE80211_MSG_INPUT | 654 IEEE80211_MSG_WDS, wh, 655 "4-address data", 656 "%s", "unauthorized port"); 657 vap->iv_stats.is_rx_unauth++; 658 IEEE80211_NODE_STAT(ni, rx_unauth); 659 goto err; 660 } 661 ieee80211_dwds_discover(ni, m); 662 return type; 663 } 664 665 /* 666 * Handle A-MPDU re-ordering. If the frame is to be 667 * processed directly then ieee80211_ampdu_reorder 668 * will return 0; otherwise it has consumed the mbuf 669 * and we should do nothing more with it. 670 */ 671 if ((m->m_flags & M_AMPDU) && 672 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 673 m = NULL; 674 goto out; 675 } 676 resubmit_ampdu: 677 678 /* 679 * Handle privacy requirements. Note that we 680 * must not be preempted from here until after 681 * we (potentially) call ieee80211_crypto_demic; 682 * otherwise we may violate assumptions in the 683 * crypto cipher modules used to do delayed update 684 * of replay sequence numbers. 685 */ 686 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 687 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 688 /* 689 * Discard encrypted frames when privacy is off. 690 */ 691 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 692 wh, "WEP", "%s", "PRIVACY off"); 693 vap->iv_stats.is_rx_noprivacy++; 694 IEEE80211_NODE_STAT(ni, rx_noprivacy); 695 goto out; 696 } 697 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 698 /* NB: stats+msgs handled in crypto_decap */ 699 IEEE80211_NODE_STAT(ni, rx_wepfail); 700 goto out; 701 } 702 wh = mtod(m, struct ieee80211_frame *); 703 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 704 has_decrypted = 1; 705 } else { 706 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 707 key = NULL; 708 } 709 710 /* 711 * Save QoS bits for use below--before we strip the header. 712 */ 713 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) 714 qos = ieee80211_getqos(wh)[0]; 715 else 716 qos = 0; 717 718 /* 719 * Next up, any fragmentation. 720 */ 721 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 722 m = ieee80211_defrag(ni, m, hdrspace); 723 if (m == NULL) { 724 /* Fragment dropped or frame not complete yet */ 725 goto out; 726 } 727 } 728 wh = NULL; /* no longer valid, catch any uses */ 729 730 /* 731 * Next strip any MSDU crypto bits. 732 */ 733 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 734 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 735 ni->ni_macaddr, "data", "%s", "demic error"); 736 vap->iv_stats.is_rx_demicfail++; 737 IEEE80211_NODE_STAT(ni, rx_demicfail); 738 goto out; 739 } 740 /* copy to listener after decrypt */ 741 if (ieee80211_radiotap_active_vap(vap)) 742 ieee80211_radiotap_rx(vap, m); 743 need_tap = 0; 744 /* 745 * Finally, strip the 802.11 header. 746 */ 747 m = ieee80211_decap(vap, m, hdrspace); 748 if (m == NULL) { 749 /* XXX mask bit to check for both */ 750 /* don't count Null data frames as errors */ 751 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 752 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 753 goto out; 754 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 755 ni->ni_macaddr, "data", "%s", "decap error"); 756 vap->iv_stats.is_rx_decap++; 757 IEEE80211_NODE_STAT(ni, rx_decap); 758 goto err; 759 } 760 eh = mtod(m, struct ether_header *); 761 if (!ieee80211_node_is_authorized(ni)) { 762 /* 763 * Deny any non-PAE frames received prior to 764 * authorization. For open/shared-key 765 * authentication the port is mark authorized 766 * after authentication completes. For 802.1x 767 * the port is not marked authorized by the 768 * authenticator until the handshake has completed. 769 */ 770 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 771 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 772 eh->ether_shost, "data", 773 "unauthorized port: ether type 0x%x len %u", 774 eh->ether_type, m->m_pkthdr.len); 775 vap->iv_stats.is_rx_unauth++; 776 IEEE80211_NODE_STAT(ni, rx_unauth); 777 goto err; 778 } 779 } else { 780 /* 781 * When denying unencrypted frames, discard 782 * any non-PAE frames received without encryption. 783 */ 784 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 785 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 786 (is_hw_decrypted == 0) && 787 eh->ether_type != htons(ETHERTYPE_PAE)) { 788 /* 789 * Drop unencrypted frames. 790 */ 791 vap->iv_stats.is_rx_unencrypted++; 792 IEEE80211_NODE_STAT(ni, rx_unencrypted); 793 goto out; 794 } 795 } 796 /* XXX require HT? */ 797 if (qos & IEEE80211_QOS_AMSDU) { 798 m = ieee80211_decap_amsdu(ni, m); 799 if (m == NULL) 800 return IEEE80211_FC0_TYPE_DATA; 801 } else { 802 #ifdef IEEE80211_SUPPORT_SUPERG 803 m = ieee80211_decap_fastframe(vap, ni, m); 804 if (m == NULL) 805 return IEEE80211_FC0_TYPE_DATA; 806 #endif 807 } 808 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 809 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 810 else 811 hostap_deliver_data(vap, ni, m); 812 return IEEE80211_FC0_TYPE_DATA; 813 814 case IEEE80211_FC0_TYPE_MGT: 815 vap->iv_stats.is_rx_mgmt++; 816 IEEE80211_NODE_STAT(ni, rx_mgmt); 817 if (dir != IEEE80211_FC1_DIR_NODS) { 818 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 819 wh, "mgt", "incorrect dir 0x%x", dir); 820 vap->iv_stats.is_rx_wrongdir++; 821 goto err; 822 } 823 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 824 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 825 ni->ni_macaddr, "mgt", "too short: len %u", 826 m->m_pkthdr.len); 827 vap->iv_stats.is_rx_tooshort++; 828 goto out; 829 } 830 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 831 /* ensure return frames are unicast */ 832 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 833 wh, NULL, "source is multicast: %s", 834 ether_sprintf(wh->i_addr2)); 835 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 836 goto out; 837 } 838 #ifdef IEEE80211_DEBUG 839 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 840 ieee80211_msg_dumppkts(vap)) { 841 if_printf(ifp, "received %s from %s rssi %d\n", 842 ieee80211_mgt_subtype_name(subtype), 843 ether_sprintf(wh->i_addr2), rssi); 844 } 845 #endif 846 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 847 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 848 /* 849 * Only shared key auth frames with a challenge 850 * should be encrypted, discard all others. 851 */ 852 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 853 wh, NULL, 854 "%s", "WEP set but not permitted"); 855 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 856 goto out; 857 } 858 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 859 /* 860 * Discard encrypted frames when privacy is off. 861 */ 862 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 863 wh, NULL, "%s", "WEP set but PRIVACY off"); 864 vap->iv_stats.is_rx_noprivacy++; 865 goto out; 866 } 867 hdrspace = ieee80211_hdrspace(ic, wh); 868 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 869 /* NB: stats+msgs handled in crypto_decap */ 870 goto out; 871 } 872 wh = mtod(m, struct ieee80211_frame *); 873 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 874 has_decrypted = 1; 875 } 876 /* 877 * Pass the packet to radiotap before calling iv_recv_mgmt(). 878 * Otherwise iv_recv_mgmt() might pass another packet to 879 * radiotap, resulting in out of order packet captures. 880 */ 881 if (ieee80211_radiotap_active_vap(vap)) 882 ieee80211_radiotap_rx(vap, m); 883 need_tap = 0; 884 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 885 goto out; 886 887 case IEEE80211_FC0_TYPE_CTL: 888 vap->iv_stats.is_rx_ctl++; 889 IEEE80211_NODE_STAT(ni, rx_ctrl); 890 vap->iv_recv_ctl(ni, m, subtype); 891 goto out; 892 default: 893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 894 wh, "bad", "frame type 0x%x", type); 895 /* should not come here */ 896 break; 897 } 898 err: 899 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 900 out: 901 if (m != NULL) { 902 if (need_tap && ieee80211_radiotap_active_vap(vap)) 903 ieee80211_radiotap_rx(vap, m); 904 m_freem(m); 905 } 906 return type; 907 } 908 909 static void 910 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 911 int rssi, int nf, uint16_t seq, uint16_t status) 912 { 913 struct ieee80211vap *vap = ni->ni_vap; 914 915 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 916 917 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 918 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 919 ni->ni_macaddr, "open auth", 920 "bad sta auth mode %u", ni->ni_authmode); 921 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 922 /* 923 * Clear any challenge text that may be there if 924 * a previous shared key auth failed and then an 925 * open auth is attempted. 926 */ 927 if (ni->ni_challenge != NULL) { 928 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 929 ni->ni_challenge = NULL; 930 } 931 /* XXX hack to workaround calling convention */ 932 ieee80211_send_error(ni, wh->i_addr2, 933 IEEE80211_FC0_SUBTYPE_AUTH, 934 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 935 return; 936 } 937 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 938 vap->iv_stats.is_rx_bad_auth++; 939 return; 940 } 941 /* always accept open authentication requests */ 942 if (ni == vap->iv_bss) { 943 ni = ieee80211_dup_bss(vap, wh->i_addr2); 944 if (ni == NULL) 945 return; 946 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 947 (void) ieee80211_ref_node(ni); 948 /* 949 * Mark the node as referenced to reflect that it's 950 * reference count has been bumped to insure it remains 951 * after the transaction completes. 952 */ 953 ni->ni_flags |= IEEE80211_NODE_AREF; 954 /* 955 * Mark the node as requiring a valid association id 956 * before outbound traffic is permitted. 957 */ 958 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 959 960 if (vap->iv_acl != NULL && 961 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 962 /* 963 * When the ACL policy is set to RADIUS we defer the 964 * authorization to a user agent. Dispatch an event, 965 * a subsequent MLME call will decide the fate of the 966 * station. If the user agent is not present then the 967 * node will be reclaimed due to inactivity. 968 */ 969 IEEE80211_NOTE_MAC(vap, 970 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 971 "%s", "station authentication defered (radius acl)"); 972 ieee80211_notify_node_auth(ni); 973 } else { 974 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 975 IEEE80211_NOTE_MAC(vap, 976 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 977 "%s", "station authenticated (open)"); 978 /* 979 * When 802.1x is not in use mark the port 980 * authorized at this point so traffic can flow. 981 */ 982 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 983 ieee80211_node_authorize(ni); 984 } 985 } 986 987 static void 988 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 989 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 990 uint16_t seq, uint16_t status) 991 { 992 struct ieee80211vap *vap = ni->ni_vap; 993 uint8_t *challenge; 994 int allocbs, estatus; 995 996 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 997 998 /* 999 * NB: this can happen as we allow pre-shared key 1000 * authentication to be enabled w/o wep being turned 1001 * on so that configuration of these can be done 1002 * in any order. It may be better to enforce the 1003 * ordering in which case this check would just be 1004 * for sanity/consistency. 1005 */ 1006 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1007 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1008 ni->ni_macaddr, "shared key auth", 1009 "%s", " PRIVACY is disabled"); 1010 estatus = IEEE80211_STATUS_ALG; 1011 goto bad; 1012 } 1013 /* 1014 * Pre-shared key authentication is evil; accept 1015 * it only if explicitly configured (it is supported 1016 * mainly for compatibility with clients like Mac OS X). 1017 */ 1018 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1019 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1020 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1021 ni->ni_macaddr, "shared key auth", 1022 "bad sta auth mode %u", ni->ni_authmode); 1023 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1024 estatus = IEEE80211_STATUS_ALG; 1025 goto bad; 1026 } 1027 1028 challenge = NULL; 1029 if (frm + 1 < efrm) { 1030 if ((frm[1] + 2) > (efrm - frm)) { 1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1032 ni->ni_macaddr, "shared key auth", 1033 "ie %d/%d too long", 1034 frm[0], (frm[1] + 2) - (efrm - frm)); 1035 vap->iv_stats.is_rx_bad_auth++; 1036 estatus = IEEE80211_STATUS_CHALLENGE; 1037 goto bad; 1038 } 1039 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1040 challenge = frm; 1041 frm += frm[1] + 2; 1042 } 1043 switch (seq) { 1044 case IEEE80211_AUTH_SHARED_CHALLENGE: 1045 case IEEE80211_AUTH_SHARED_RESPONSE: 1046 if (challenge == NULL) { 1047 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1048 ni->ni_macaddr, "shared key auth", 1049 "%s", "no challenge"); 1050 vap->iv_stats.is_rx_bad_auth++; 1051 estatus = IEEE80211_STATUS_CHALLENGE; 1052 goto bad; 1053 } 1054 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1055 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1056 ni->ni_macaddr, "shared key auth", 1057 "bad challenge len %d", challenge[1]); 1058 vap->iv_stats.is_rx_bad_auth++; 1059 estatus = IEEE80211_STATUS_CHALLENGE; 1060 goto bad; 1061 } 1062 default: 1063 break; 1064 } 1065 switch (seq) { 1066 case IEEE80211_AUTH_SHARED_REQUEST: 1067 if (ni == vap->iv_bss) { 1068 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1069 if (ni == NULL) { 1070 /* NB: no way to return an error */ 1071 return; 1072 } 1073 allocbs = 1; 1074 } else { 1075 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1076 (void) ieee80211_ref_node(ni); 1077 allocbs = 0; 1078 } 1079 /* 1080 * Mark the node as referenced to reflect that it's 1081 * reference count has been bumped to insure it remains 1082 * after the transaction completes. 1083 */ 1084 ni->ni_flags |= IEEE80211_NODE_AREF; 1085 /* 1086 * Mark the node as requiring a valid association id 1087 * before outbound traffic is permitted. 1088 */ 1089 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1090 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1091 ni->ni_noise = nf; 1092 if (!ieee80211_alloc_challenge(ni)) { 1093 /* NB: don't return error so they rexmit */ 1094 return; 1095 } 1096 net80211_get_random_bytes(ni->ni_challenge, 1097 IEEE80211_CHALLENGE_LEN); 1098 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1099 ni, "shared key %sauth request", allocbs ? "" : "re"); 1100 /* 1101 * When the ACL policy is set to RADIUS we defer the 1102 * authorization to a user agent. Dispatch an event, 1103 * a subsequent MLME call will decide the fate of the 1104 * station. If the user agent is not present then the 1105 * node will be reclaimed due to inactivity. 1106 */ 1107 if (vap->iv_acl != NULL && 1108 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1109 IEEE80211_NOTE_MAC(vap, 1110 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1111 ni->ni_macaddr, 1112 "%s", "station authentication defered (radius acl)"); 1113 ieee80211_notify_node_auth(ni); 1114 return; 1115 } 1116 break; 1117 case IEEE80211_AUTH_SHARED_RESPONSE: 1118 if (ni == vap->iv_bss) { 1119 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1120 ni->ni_macaddr, "shared key response", 1121 "%s", "unknown station"); 1122 /* NB: don't send a response */ 1123 return; 1124 } 1125 if (ni->ni_challenge == NULL) { 1126 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1127 ni->ni_macaddr, "shared key response", 1128 "%s", "no challenge recorded"); 1129 vap->iv_stats.is_rx_bad_auth++; 1130 estatus = IEEE80211_STATUS_CHALLENGE; 1131 goto bad; 1132 } 1133 if (memcmp(ni->ni_challenge, &challenge[2], 1134 challenge[1]) != 0) { 1135 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1136 ni->ni_macaddr, "shared key response", 1137 "%s", "challenge mismatch"); 1138 vap->iv_stats.is_rx_auth_fail++; 1139 estatus = IEEE80211_STATUS_CHALLENGE; 1140 goto bad; 1141 } 1142 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1143 ni, "%s", "station authenticated (shared key)"); 1144 ieee80211_node_authorize(ni); 1145 break; 1146 default: 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key auth", 1149 "bad seq %d", seq); 1150 vap->iv_stats.is_rx_bad_auth++; 1151 estatus = IEEE80211_STATUS_SEQUENCE; 1152 goto bad; 1153 } 1154 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1155 return; 1156 bad: 1157 /* 1158 * Send an error response; but only when operating as an AP. 1159 */ 1160 /* XXX hack to workaround calling convention */ 1161 ieee80211_send_error(ni, wh->i_addr2, 1162 IEEE80211_FC0_SUBTYPE_AUTH, 1163 (seq + 1) | (estatus<<16)); 1164 } 1165 1166 /* 1167 * Convert a WPA cipher selector OUI to an internal 1168 * cipher algorithm. Where appropriate we also 1169 * record any key length. 1170 */ 1171 static int 1172 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1173 { 1174 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1175 uint32_t w = le32dec(sel); 1176 1177 switch (w) { 1178 case WPA_SEL(WPA_CSE_NULL): 1179 *cipher = IEEE80211_CIPHER_NONE; 1180 break; 1181 case WPA_SEL(WPA_CSE_WEP40): 1182 if (keylen) 1183 *keylen = 40 / NBBY; 1184 *cipher = IEEE80211_CIPHER_WEP; 1185 break; 1186 case WPA_SEL(WPA_CSE_WEP104): 1187 if (keylen) 1188 *keylen = 104 / NBBY; 1189 *cipher = IEEE80211_CIPHER_WEP; 1190 break; 1191 case WPA_SEL(WPA_CSE_TKIP): 1192 *cipher = IEEE80211_CIPHER_TKIP; 1193 break; 1194 case WPA_SEL(WPA_CSE_CCMP): 1195 *cipher = IEEE80211_CIPHER_AES_CCM; 1196 break; 1197 default: 1198 return (EINVAL); 1199 } 1200 1201 return (0); 1202 #undef WPA_SEL 1203 } 1204 1205 /* 1206 * Convert a WPA key management/authentication algorithm 1207 * to an internal code. 1208 */ 1209 static int 1210 wpa_keymgmt(const uint8_t *sel) 1211 { 1212 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1213 uint32_t w = le32dec(sel); 1214 1215 switch (w) { 1216 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1217 return WPA_ASE_8021X_UNSPEC; 1218 case WPA_SEL(WPA_ASE_8021X_PSK): 1219 return WPA_ASE_8021X_PSK; 1220 case WPA_SEL(WPA_ASE_NONE): 1221 return WPA_ASE_NONE; 1222 } 1223 return 0; /* NB: so is discarded */ 1224 #undef WPA_SEL 1225 } 1226 1227 /* 1228 * Parse a WPA information element to collect parameters. 1229 * Note that we do not validate security parameters; that 1230 * is handled by the authenticator; the parsing done here 1231 * is just for internal use in making operational decisions. 1232 */ 1233 static int 1234 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1235 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1236 { 1237 uint8_t len = frm[1]; 1238 uint32_t w; 1239 int error, n; 1240 1241 /* 1242 * Check the length once for fixed parts: OUI, type, 1243 * version, mcast cipher, and 2 selector counts. 1244 * Other, variable-length data, must be checked separately. 1245 */ 1246 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1247 IEEE80211_DISCARD_IE(vap, 1248 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1249 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1250 return IEEE80211_REASON_IE_INVALID; 1251 } 1252 if (len < 14) { 1253 IEEE80211_DISCARD_IE(vap, 1254 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1255 wh, "WPA", "too short, len %u", len); 1256 return IEEE80211_REASON_IE_INVALID; 1257 } 1258 frm += 6, len -= 4; /* NB: len is payload only */ 1259 /* NB: iswpaoui already validated the OUI and type */ 1260 w = le16dec(frm); 1261 if (w != WPA_VERSION) { 1262 IEEE80211_DISCARD_IE(vap, 1263 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1264 wh, "WPA", "bad version %u", w); 1265 return IEEE80211_REASON_IE_INVALID; 1266 } 1267 frm += 2, len -= 2; 1268 1269 memset(rsn, 0, sizeof(*rsn)); 1270 1271 /* multicast/group cipher */ 1272 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1273 if (error != 0) { 1274 IEEE80211_DISCARD_IE(vap, 1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1276 wh, "WPA", "unknown mcast cipher suite %08X", 1277 le32dec(frm)); 1278 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1279 } 1280 frm += 4, len -= 4; 1281 1282 /* unicast ciphers */ 1283 n = le16dec(frm); 1284 frm += 2, len -= 2; 1285 if (len < n*4+2) { 1286 IEEE80211_DISCARD_IE(vap, 1287 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1288 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1289 len, n); 1290 return IEEE80211_REASON_IE_INVALID; 1291 } 1292 w = 0; 1293 for (; n > 0; n--) { 1294 uint8_t cipher; 1295 1296 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1297 if (error == 0) 1298 w |= 1 << cipher; 1299 1300 frm += 4, len -= 4; 1301 } 1302 if (w == 0) { 1303 IEEE80211_DISCARD_IE(vap, 1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1305 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1306 w); 1307 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1308 } 1309 /* XXX other? */ 1310 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1311 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1312 else 1313 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1314 1315 /* key management algorithms */ 1316 n = le16dec(frm); 1317 frm += 2, len -= 2; 1318 if (len < n*4) { 1319 IEEE80211_DISCARD_IE(vap, 1320 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1321 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1322 len, n); 1323 return IEEE80211_REASON_IE_INVALID; 1324 } 1325 w = 0; 1326 for (; n > 0; n--) { 1327 w |= wpa_keymgmt(frm); 1328 frm += 4, len -= 4; 1329 } 1330 if (w & WPA_ASE_8021X_UNSPEC) 1331 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1332 else 1333 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1334 1335 if (len > 2) /* optional capabilities */ 1336 rsn->rsn_caps = le16dec(frm); 1337 1338 return 0; 1339 } 1340 1341 /* 1342 * Convert an RSN cipher selector OUI to an internal 1343 * cipher algorithm. Where appropriate we also 1344 * record any key length. 1345 */ 1346 static int 1347 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1348 { 1349 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1350 uint32_t w = le32dec(sel); 1351 1352 switch (w) { 1353 case RSN_SEL(RSN_CSE_NULL): 1354 *cipher = IEEE80211_CIPHER_NONE; 1355 break; 1356 case RSN_SEL(RSN_CSE_WEP40): 1357 if (keylen) 1358 *keylen = 40 / NBBY; 1359 *cipher = IEEE80211_CIPHER_WEP; 1360 break; 1361 case RSN_SEL(RSN_CSE_WEP104): 1362 if (keylen) 1363 *keylen = 104 / NBBY; 1364 *cipher = IEEE80211_CIPHER_WEP; 1365 break; 1366 case RSN_SEL(RSN_CSE_TKIP): 1367 *cipher = IEEE80211_CIPHER_TKIP; 1368 break; 1369 case RSN_SEL(RSN_CSE_CCMP): 1370 *cipher = IEEE80211_CIPHER_AES_CCM; 1371 break; 1372 case RSN_SEL(RSN_CSE_WRAP): 1373 *cipher = IEEE80211_CIPHER_AES_OCB; 1374 break; 1375 default: 1376 return (EINVAL); 1377 } 1378 1379 return (0); 1380 #undef WPA_SEL 1381 } 1382 1383 /* 1384 * Convert an RSN key management/authentication algorithm 1385 * to an internal code. 1386 */ 1387 static int 1388 rsn_keymgmt(const uint8_t *sel) 1389 { 1390 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1391 uint32_t w = le32dec(sel); 1392 1393 switch (w) { 1394 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1395 return RSN_ASE_8021X_UNSPEC; 1396 case RSN_SEL(RSN_ASE_8021X_PSK): 1397 return RSN_ASE_8021X_PSK; 1398 case RSN_SEL(RSN_ASE_NONE): 1399 return RSN_ASE_NONE; 1400 } 1401 return 0; /* NB: so is discarded */ 1402 #undef RSN_SEL 1403 } 1404 1405 /* 1406 * Parse a WPA/RSN information element to collect parameters 1407 * and validate the parameters against what has been 1408 * configured for the system. 1409 */ 1410 static int 1411 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1412 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1413 { 1414 uint8_t len = frm[1]; 1415 uint32_t w; 1416 int error, n; 1417 1418 /* 1419 * Check the length once for fixed parts: 1420 * version, mcast cipher, and 2 selector counts. 1421 * Other, variable-length data, must be checked separately. 1422 */ 1423 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1424 IEEE80211_DISCARD_IE(vap, 1425 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1426 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1427 return IEEE80211_REASON_IE_INVALID; 1428 } 1429 /* XXX may be shorter */ 1430 if (len < 10) { 1431 IEEE80211_DISCARD_IE(vap, 1432 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1433 wh, "RSN", "too short, len %u", len); 1434 return IEEE80211_REASON_IE_INVALID; 1435 } 1436 frm += 2; 1437 w = le16dec(frm); 1438 if (w != RSN_VERSION) { 1439 IEEE80211_DISCARD_IE(vap, 1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1441 wh, "RSN", "bad version %u", w); 1442 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1443 } 1444 frm += 2, len -= 2; 1445 1446 memset(rsn, 0, sizeof(*rsn)); 1447 1448 /* multicast/group cipher */ 1449 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1450 if (error != 0) { 1451 IEEE80211_DISCARD_IE(vap, 1452 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1453 wh, "RSN", "unknown mcast cipher suite %08X", 1454 le32dec(frm)); 1455 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1456 } 1457 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1458 IEEE80211_DISCARD_IE(vap, 1459 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1460 wh, "RSN", "invalid mcast cipher suite %d", 1461 rsn->rsn_mcastcipher); 1462 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1463 } 1464 frm += 4, len -= 4; 1465 1466 /* unicast ciphers */ 1467 n = le16dec(frm); 1468 frm += 2, len -= 2; 1469 if (len < n*4+2) { 1470 IEEE80211_DISCARD_IE(vap, 1471 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1472 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1473 len, n); 1474 return IEEE80211_REASON_IE_INVALID; 1475 } 1476 w = 0; 1477 1478 for (; n > 0; n--) { 1479 uint8_t cipher; 1480 1481 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1482 if (error == 0) 1483 w |= 1 << cipher; 1484 1485 frm += 4, len -= 4; 1486 } 1487 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1488 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1489 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1490 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1491 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1492 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1493 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1494 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1495 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1496 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1497 else { 1498 IEEE80211_DISCARD_IE(vap, 1499 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1500 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1501 w); 1502 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1503 } 1504 1505 /* key management algorithms */ 1506 n = le16dec(frm); 1507 frm += 2, len -= 2; 1508 if (len < n*4) { 1509 IEEE80211_DISCARD_IE(vap, 1510 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1511 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1512 len, n); 1513 return IEEE80211_REASON_IE_INVALID; 1514 } 1515 w = 0; 1516 for (; n > 0; n--) { 1517 w |= rsn_keymgmt(frm); 1518 frm += 4, len -= 4; 1519 } 1520 if (w & RSN_ASE_8021X_UNSPEC) 1521 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1522 else 1523 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1524 1525 /* optional RSN capabilities */ 1526 if (len > 2) 1527 rsn->rsn_caps = le16dec(frm); 1528 /* XXXPMKID */ 1529 1530 return 0; 1531 } 1532 1533 /* 1534 * WPA/802.11i association request processing. 1535 */ 1536 static int 1537 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1538 const struct ieee80211_frame *wh, const uint8_t *wpa, 1539 const uint8_t *rsn, uint16_t capinfo) 1540 { 1541 struct ieee80211vap *vap = ni->ni_vap; 1542 uint8_t reason; 1543 int badwparsn; 1544 1545 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1546 if (wpa == NULL && rsn == NULL) { 1547 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1548 /* 1549 * W-Fi Protected Setup (WPS) permits 1550 * clients to associate and pass EAPOL frames 1551 * to establish initial credentials. 1552 */ 1553 ni->ni_flags |= IEEE80211_NODE_WPS; 1554 return 1; 1555 } 1556 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1557 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1558 /* 1559 * Transitional Security Network. Permits clients 1560 * to associate and use WEP while WPA is configured. 1561 */ 1562 ni->ni_flags |= IEEE80211_NODE_TSN; 1563 return 1; 1564 } 1565 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1566 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1567 vap->iv_stats.is_rx_assoc_badwpaie++; 1568 reason = IEEE80211_REASON_IE_INVALID; 1569 goto bad; 1570 } 1571 /* assert right association security credentials */ 1572 badwparsn = 0; /* NB: to silence compiler */ 1573 switch (vap->iv_flags & IEEE80211_F_WPA) { 1574 case IEEE80211_F_WPA1: 1575 badwparsn = (wpa == NULL); 1576 break; 1577 case IEEE80211_F_WPA2: 1578 badwparsn = (rsn == NULL); 1579 break; 1580 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1581 badwparsn = (wpa == NULL && rsn == NULL); 1582 break; 1583 } 1584 if (badwparsn) { 1585 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1586 wh, NULL, 1587 "%s", "missing WPA/RSN IE in association request"); 1588 vap->iv_stats.is_rx_assoc_badwpaie++; 1589 reason = IEEE80211_REASON_IE_INVALID; 1590 goto bad; 1591 } 1592 /* 1593 * Parse WPA/RSN information element. 1594 */ 1595 if (wpa != NULL) 1596 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1597 else 1598 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1599 if (reason != 0) { 1600 /* XXX wpa->rsn fallback? */ 1601 /* XXX distinguish WPA/RSN? */ 1602 vap->iv_stats.is_rx_assoc_badwpaie++; 1603 goto bad; 1604 } 1605 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1606 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1607 wpa != NULL ? "WPA" : "RSN", 1608 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1609 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1610 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1611 1612 return 1; 1613 bad: 1614 ieee80211_node_deauth(ni, reason); 1615 return 0; 1616 } 1617 1618 /* XXX find a better place for definition */ 1619 struct l2_update_frame { 1620 struct ether_header eh; 1621 uint8_t dsap; 1622 uint8_t ssap; 1623 uint8_t control; 1624 uint8_t xid[3]; 1625 } __packed; 1626 1627 /* 1628 * Deliver a TGf L2UF frame on behalf of a station. 1629 * This primes any bridge when the station is roaming 1630 * between ap's on the same wired network. 1631 */ 1632 static void 1633 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1634 { 1635 struct ieee80211vap *vap = ni->ni_vap; 1636 struct ifnet *ifp = vap->iv_ifp; 1637 struct mbuf *m; 1638 struct l2_update_frame *l2uf; 1639 struct ether_header *eh; 1640 1641 m = m_gethdr(M_NOWAIT, MT_DATA); 1642 if (m == NULL) { 1643 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1644 "%s", "no mbuf for l2uf frame"); 1645 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1646 return; 1647 } 1648 l2uf = mtod(m, struct l2_update_frame *); 1649 eh = &l2uf->eh; 1650 /* dst: Broadcast address */ 1651 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1652 /* src: associated STA */ 1653 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1654 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1655 1656 l2uf->dsap = 0; 1657 l2uf->ssap = 0; 1658 l2uf->control = 0xf5; 1659 l2uf->xid[0] = 0x81; 1660 l2uf->xid[1] = 0x80; 1661 l2uf->xid[2] = 0x00; 1662 1663 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1664 hostap_deliver_data(vap, ni, m); 1665 } 1666 1667 static void 1668 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1669 int reassoc, int resp, const char *tag, int rate) 1670 { 1671 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1672 "deny %s request, %s rate set mismatch, rate/MCS %d", 1673 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1674 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1675 ieee80211_node_leave(ni); 1676 } 1677 1678 static void 1679 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1680 int reassoc, int resp, const char *tag, int capinfo) 1681 { 1682 struct ieee80211vap *vap = ni->ni_vap; 1683 1684 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1685 "deny %s request, %s mismatch 0x%x", 1686 reassoc ? "reassoc" : "assoc", tag, capinfo); 1687 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1688 ieee80211_node_leave(ni); 1689 vap->iv_stats.is_rx_assoc_capmismatch++; 1690 } 1691 1692 static void 1693 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1694 int reassoc, int resp) 1695 { 1696 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1697 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1698 /* XXX no better code */ 1699 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1700 ieee80211_node_leave(ni); 1701 } 1702 1703 static void 1704 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1705 int algo, int seq, int status) 1706 { 1707 struct ieee80211vap *vap = ni->ni_vap; 1708 1709 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1710 wh, NULL, "unsupported alg %d", algo); 1711 vap->iv_stats.is_rx_auth_unsupported++; 1712 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1713 seq | (status << 16)); 1714 } 1715 1716 static __inline int 1717 ishtmixed(const uint8_t *ie) 1718 { 1719 const struct ieee80211_ie_htinfo *ht = 1720 (const struct ieee80211_ie_htinfo *) ie; 1721 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1722 IEEE80211_HTINFO_OPMODE_MIXED; 1723 } 1724 1725 static int 1726 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1727 { 1728 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1729 int i; 1730 1731 /* NB: the 11b clients we care about will not have xrates */ 1732 if (xrates != NULL || rates == NULL) 1733 return 0; 1734 for (i = 0; i < rates[1]; i++) { 1735 int r = rates[2+i] & IEEE80211_RATE_VAL; 1736 if (r > 2*11 || ((1<<r) & brates) == 0) 1737 return 0; 1738 } 1739 return 1; 1740 } 1741 1742 static void 1743 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1744 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1745 { 1746 struct ieee80211vap *vap = ni->ni_vap; 1747 struct ieee80211com *ic = ni->ni_ic; 1748 struct ieee80211_frame *wh; 1749 uint8_t *frm, *efrm, *sfrm; 1750 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1751 uint8_t *vhtcap, *vhtinfo; 1752 int reassoc, resp; 1753 uint8_t rate; 1754 1755 wh = mtod(m0, struct ieee80211_frame *); 1756 frm = (uint8_t *)&wh[1]; 1757 efrm = mtod(m0, uint8_t *) + m0->m_len; 1758 switch (subtype) { 1759 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1760 /* 1761 * We process beacon/probe response frames when scanning; 1762 * otherwise we check beacon frames for overlapping non-ERP 1763 * BSS in 11g and/or overlapping legacy BSS when in HT. 1764 */ 1765 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1766 vap->iv_stats.is_rx_mgtdiscard++; 1767 return; 1768 } 1769 /* FALLTHROUGH */ 1770 case IEEE80211_FC0_SUBTYPE_BEACON: { 1771 struct ieee80211_scanparams scan; 1772 1773 /* NB: accept off-channel frames */ 1774 /* XXX TODO: use rxstatus to determine off-channel details */ 1775 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1776 return; 1777 /* 1778 * Count frame now that we know it's to be processed. 1779 */ 1780 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1781 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1782 IEEE80211_NODE_STAT(ni, rx_beacons); 1783 } else 1784 IEEE80211_NODE_STAT(ni, rx_proberesp); 1785 /* 1786 * If scanning, just pass information to the scan module. 1787 */ 1788 if (ic->ic_flags & IEEE80211_F_SCAN) { 1789 if (scan.status == 0 && /* NB: on channel */ 1790 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1791 /* 1792 * Actively scanning a channel marked passive; 1793 * send a probe request now that we know there 1794 * is 802.11 traffic present. 1795 * 1796 * XXX check if the beacon we recv'd gives 1797 * us what we need and suppress the probe req 1798 */ 1799 ieee80211_probe_curchan(vap, 1); 1800 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1801 } 1802 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1803 subtype, rssi, nf); 1804 return; 1805 } 1806 /* 1807 * Check beacon for overlapping bss w/ non ERP stations. 1808 * If we detect one and protection is configured but not 1809 * enabled, enable it and start a timer that'll bring us 1810 * out if we stop seeing the bss. 1811 */ 1812 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1813 scan.status == 0 && /* NB: on-channel */ 1814 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1815 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1816 vap->iv_lastnonerp = ticks; 1817 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1818 /* 1819 * XXX TODO: this may need to check all VAPs? 1820 */ 1821 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1822 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1823 IEEE80211_NOTE_FRAME(vap, 1824 IEEE80211_MSG_ASSOC, wh, 1825 "non-ERP present on channel %d " 1826 "(saw erp 0x%x from channel %d), " 1827 "enable use of protection", 1828 ic->ic_curchan->ic_ieee, 1829 scan.erp, scan.chan); 1830 vap->iv_flags |= IEEE80211_F_USEPROT; 1831 ieee80211_vap_update_erp_protmode(vap); 1832 } 1833 } 1834 /* 1835 * Check beacon for non-HT station on HT channel 1836 * and update HT BSS occupancy as appropriate. 1837 */ 1838 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1839 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1840 /* 1841 * Off control channel; only check frames 1842 * that come in the extension channel when 1843 * operating w/ HT40. 1844 */ 1845 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1846 break; 1847 if (scan.chan != ic->ic_curchan->ic_extieee) 1848 break; 1849 } 1850 if (scan.htinfo == NULL) { 1851 ieee80211_htprot_update(vap, 1852 IEEE80211_HTINFO_OPMODE_PROTOPT | 1853 IEEE80211_HTINFO_NONHT_PRESENT); 1854 } else if (ishtmixed(scan.htinfo)) { 1855 /* XXX? take NONHT_PRESENT from beacon? */ 1856 ieee80211_htprot_update(vap, 1857 IEEE80211_HTINFO_OPMODE_MIXED | 1858 IEEE80211_HTINFO_NONHT_PRESENT); 1859 } 1860 } 1861 break; 1862 } 1863 1864 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1865 if (vap->iv_state != IEEE80211_S_RUN) { 1866 vap->iv_stats.is_rx_mgtdiscard++; 1867 return; 1868 } 1869 /* 1870 * Consult the ACL policy module if setup. 1871 */ 1872 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1873 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1874 wh, NULL, "%s", "disallowed by ACL"); 1875 vap->iv_stats.is_rx_acl++; 1876 return; 1877 } 1878 /* 1879 * prreq frame format 1880 * [tlv] ssid 1881 * [tlv] supported rates 1882 * [tlv] extended supported rates 1883 */ 1884 ssid = rates = xrates = NULL; 1885 while (efrm - frm > 1) { 1886 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1887 switch (*frm) { 1888 case IEEE80211_ELEMID_SSID: 1889 ssid = frm; 1890 break; 1891 case IEEE80211_ELEMID_RATES: 1892 rates = frm; 1893 break; 1894 case IEEE80211_ELEMID_XRATES: 1895 xrates = frm; 1896 break; 1897 } 1898 frm += frm[1] + 2; 1899 } 1900 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1901 if (xrates != NULL) 1902 IEEE80211_VERIFY_ELEMENT(xrates, 1903 IEEE80211_RATE_MAXSIZE - rates[1], return); 1904 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1905 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1906 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1907 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1908 wh, NULL, 1909 "%s", "no ssid with ssid suppression enabled"); 1910 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1911 return; 1912 } 1913 1914 /* XXX find a better class or define it's own */ 1915 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1916 "%s", "recv probe req"); 1917 /* 1918 * Some legacy 11b clients cannot hack a complete 1919 * probe response frame. When the request includes 1920 * only a bare-bones rate set, communicate this to 1921 * the transmit side. 1922 */ 1923 ieee80211_send_proberesp(vap, wh->i_addr2, 1924 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1925 break; 1926 1927 case IEEE80211_FC0_SUBTYPE_AUTH: { 1928 uint16_t algo, seq, status; 1929 1930 if (vap->iv_state != IEEE80211_S_RUN) { 1931 vap->iv_stats.is_rx_mgtdiscard++; 1932 return; 1933 } 1934 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1935 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1936 wh, NULL, "%s", "wrong bssid"); 1937 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1938 return; 1939 } 1940 /* 1941 * auth frame format 1942 * [2] algorithm 1943 * [2] sequence 1944 * [2] status 1945 * [tlv*] challenge 1946 */ 1947 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1948 algo = le16toh(*(uint16_t *)frm); 1949 seq = le16toh(*(uint16_t *)(frm + 2)); 1950 status = le16toh(*(uint16_t *)(frm + 4)); 1951 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1952 "recv auth frame with algorithm %d seq %d", algo, seq); 1953 /* 1954 * Consult the ACL policy module if setup. 1955 */ 1956 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1957 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1958 wh, NULL, "%s", "disallowed by ACL"); 1959 vap->iv_stats.is_rx_acl++; 1960 ieee80211_send_error(ni, wh->i_addr2, 1961 IEEE80211_FC0_SUBTYPE_AUTH, 1962 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1963 return; 1964 } 1965 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1966 IEEE80211_DISCARD(vap, 1967 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1968 wh, NULL, "%s", "TKIP countermeasures enabled"); 1969 vap->iv_stats.is_rx_auth_countermeasures++; 1970 ieee80211_send_error(ni, wh->i_addr2, 1971 IEEE80211_FC0_SUBTYPE_AUTH, 1972 IEEE80211_REASON_MIC_FAILURE); 1973 return; 1974 } 1975 if (algo == IEEE80211_AUTH_ALG_SHARED) 1976 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1977 seq, status); 1978 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1979 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1980 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1981 authalgreject(ni, wh, algo, 1982 seq+1, IEEE80211_STATUS_ALG); 1983 return; 1984 } else { 1985 /* 1986 * We assume that an unknown algorithm is the result 1987 * of a decryption failure on a shared key auth frame; 1988 * return a status code appropriate for that instead 1989 * of IEEE80211_STATUS_ALG. 1990 * 1991 * NB: a seq# of 4 is intentional; the decrypted 1992 * frame likely has a bogus seq value. 1993 */ 1994 authalgreject(ni, wh, algo, 1995 4, IEEE80211_STATUS_CHALLENGE); 1996 return; 1997 } 1998 break; 1999 } 2000 2001 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2002 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2003 uint16_t capinfo, lintval; 2004 struct ieee80211_rsnparms rsnparms; 2005 2006 if (vap->iv_state != IEEE80211_S_RUN) { 2007 vap->iv_stats.is_rx_mgtdiscard++; 2008 return; 2009 } 2010 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2011 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2012 wh, NULL, "%s", "wrong bssid"); 2013 vap->iv_stats.is_rx_assoc_bss++; 2014 return; 2015 } 2016 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2017 reassoc = 1; 2018 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2019 } else { 2020 reassoc = 0; 2021 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2022 } 2023 if (ni == vap->iv_bss) { 2024 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2025 "deny %s request, sta not authenticated", 2026 reassoc ? "reassoc" : "assoc"); 2027 ieee80211_send_error(ni, wh->i_addr2, 2028 IEEE80211_FC0_SUBTYPE_DEAUTH, 2029 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2030 vap->iv_stats.is_rx_assoc_notauth++; 2031 return; 2032 } 2033 2034 /* 2035 * asreq frame format 2036 * [2] capability information 2037 * [2] listen interval 2038 * [6*] current AP address (reassoc only) 2039 * [tlv] ssid 2040 * [tlv] supported rates 2041 * [tlv] extended supported rates 2042 * [tlv] WPA or RSN 2043 * [tlv] HT capabilities 2044 * [tlv] Atheros capabilities 2045 */ 2046 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2047 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2048 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2049 if (reassoc) 2050 frm += 6; /* ignore current AP info */ 2051 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2052 vhtcap = vhtinfo = NULL; 2053 sfrm = frm; 2054 while (efrm - frm > 1) { 2055 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2056 switch (*frm) { 2057 case IEEE80211_ELEMID_SSID: 2058 ssid = frm; 2059 break; 2060 case IEEE80211_ELEMID_RATES: 2061 rates = frm; 2062 break; 2063 case IEEE80211_ELEMID_XRATES: 2064 xrates = frm; 2065 break; 2066 case IEEE80211_ELEMID_RSN: 2067 rsn = frm; 2068 break; 2069 case IEEE80211_ELEMID_HTCAP: 2070 htcap = frm; 2071 break; 2072 case IEEE80211_ELEMID_VHT_CAP: 2073 vhtcap = frm; 2074 break; 2075 case IEEE80211_ELEMID_VHT_OPMODE: 2076 vhtinfo = frm; 2077 break; 2078 case IEEE80211_ELEMID_VENDOR: 2079 if (iswpaoui(frm)) 2080 wpa = frm; 2081 else if (iswmeinfo(frm)) 2082 wme = frm; 2083 #ifdef IEEE80211_SUPPORT_SUPERG 2084 else if (isatherosoui(frm)) 2085 ath = frm; 2086 #endif 2087 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2088 if (ishtcapoui(frm) && htcap == NULL) 2089 htcap = frm; 2090 } 2091 break; 2092 } 2093 frm += frm[1] + 2; 2094 } 2095 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2096 if (xrates != NULL) 2097 IEEE80211_VERIFY_ELEMENT(xrates, 2098 IEEE80211_RATE_MAXSIZE - rates[1], return); 2099 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2100 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2101 if (htcap != NULL) { 2102 IEEE80211_VERIFY_LENGTH(htcap[1], 2103 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2104 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2105 sizeof(struct ieee80211_ie_htcap)-2, 2106 return); /* XXX just NULL out? */ 2107 } 2108 2109 /* Validate VHT IEs */ 2110 if (vhtcap != NULL) { 2111 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2112 sizeof(struct ieee80211_ie_vhtcap) - 2, 2113 return); 2114 } 2115 if (vhtinfo != NULL) { 2116 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2117 sizeof(struct ieee80211_ie_vht_operation) - 2, 2118 return); 2119 } 2120 2121 if ((vap->iv_flags & IEEE80211_F_WPA) && 2122 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2123 return; 2124 /* discard challenge after association */ 2125 if (ni->ni_challenge != NULL) { 2126 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2127 ni->ni_challenge = NULL; 2128 } 2129 /* NB: 802.11 spec says to ignore station's privacy bit */ 2130 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2131 capinfomismatch(ni, wh, reassoc, resp, 2132 "capability", capinfo); 2133 return; 2134 } 2135 /* 2136 * Disallow re-associate w/ invalid slot time setting. 2137 */ 2138 if (ni->ni_associd != 0 && 2139 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2140 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2141 capinfomismatch(ni, wh, reassoc, resp, 2142 "slot time", capinfo); 2143 return; 2144 } 2145 rate = ieee80211_setup_rates(ni, rates, xrates, 2146 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2147 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2148 if (rate & IEEE80211_RATE_BASIC) { 2149 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2150 vap->iv_stats.is_rx_assoc_norate++; 2151 return; 2152 } 2153 /* 2154 * If constrained to 11g-only stations reject an 2155 * 11b-only station. We cheat a bit here by looking 2156 * at the max negotiated xmit rate and assuming anyone 2157 * with a best rate <24Mb/s is an 11b station. 2158 */ 2159 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2160 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2161 vap->iv_stats.is_rx_assoc_norate++; 2162 return; 2163 } 2164 2165 /* 2166 * Do HT rate set handling and setup HT node state. 2167 */ 2168 ni->ni_chan = vap->iv_bss->ni_chan; 2169 2170 /* VHT */ 2171 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2172 vhtcap != NULL && 2173 vhtinfo != NULL) { 2174 /* XXX TODO; see below */ 2175 printf("%s: VHT TODO!\n", __func__); 2176 ieee80211_vht_node_init(ni); 2177 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2178 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2179 ieee80211_vht_node_cleanup(ni); 2180 2181 /* HT */ 2182 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2183 rate = ieee80211_setup_htrates(ni, htcap, 2184 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2185 IEEE80211_F_DOBRS); 2186 if (rate & IEEE80211_RATE_BASIC) { 2187 ratesetmismatch(ni, wh, reassoc, resp, 2188 "HT", rate); 2189 vap->iv_stats.is_ht_assoc_norate++; 2190 return; 2191 } 2192 ieee80211_ht_node_init(ni); 2193 ieee80211_ht_updatehtcap(ni, htcap); 2194 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2195 ieee80211_ht_node_cleanup(ni); 2196 2197 /* Finally - this will use HT/VHT info to change node channel */ 2198 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2199 ieee80211_ht_updatehtcap_final(ni); 2200 } 2201 2202 #ifdef IEEE80211_SUPPORT_SUPERG 2203 /* Always do ff node cleanup; for A-MSDU */ 2204 ieee80211_ff_node_cleanup(ni); 2205 #endif 2206 /* 2207 * Allow AMPDU operation only with unencrypted traffic 2208 * or AES-CCM; the 11n spec only specifies these ciphers 2209 * so permitting any others is undefined and can lead 2210 * to interoperability problems. 2211 */ 2212 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2213 (((vap->iv_flags & IEEE80211_F_WPA) && 2214 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2215 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2216 IEEE80211_NOTE(vap, 2217 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2218 "disallow HT use because WEP or TKIP requested, " 2219 "capinfo 0x%x ucastcipher %d", capinfo, 2220 rsnparms.rsn_ucastcipher); 2221 ieee80211_ht_node_cleanup(ni); 2222 #ifdef IEEE80211_SUPPORT_SUPERG 2223 /* Always do ff node cleanup; for A-MSDU */ 2224 ieee80211_ff_node_cleanup(ni); 2225 #endif 2226 vap->iv_stats.is_ht_assoc_downgrade++; 2227 } 2228 /* 2229 * If constrained to 11n-only stations reject legacy stations. 2230 */ 2231 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2232 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2233 htcapmismatch(ni, wh, reassoc, resp); 2234 vap->iv_stats.is_ht_assoc_nohtcap++; 2235 return; 2236 } 2237 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2238 ni->ni_noise = nf; 2239 ni->ni_intval = lintval; 2240 ni->ni_capinfo = capinfo; 2241 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2242 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2243 /* 2244 * Store the IEs. 2245 * XXX maybe better to just expand 2246 */ 2247 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2248 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2249 if (wpa != NULL) 2250 setie(wpa_ie, wpa - sfrm); 2251 if (rsn != NULL) 2252 setie(rsn_ie, rsn - sfrm); 2253 if (htcap != NULL) 2254 setie(htcap_ie, htcap - sfrm); 2255 if (wme != NULL) { 2256 setie(wme_ie, wme - sfrm); 2257 /* 2258 * Mark node as capable of QoS. 2259 */ 2260 ni->ni_flags |= IEEE80211_NODE_QOS; 2261 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2262 if (ni->ni_uapsd != 0) 2263 ni->ni_flags |= 2264 IEEE80211_NODE_UAPSD; 2265 else 2266 ni->ni_flags &= 2267 ~IEEE80211_NODE_UAPSD; 2268 } 2269 } else 2270 ni->ni_flags &= 2271 ~(IEEE80211_NODE_QOS | 2272 IEEE80211_NODE_UAPSD); 2273 #ifdef IEEE80211_SUPPORT_SUPERG 2274 if (ath != NULL) { 2275 setie(ath_ie, ath - sfrm); 2276 /* 2277 * Parse ATH station parameters. 2278 */ 2279 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2280 } else 2281 #endif 2282 ni->ni_ath_flags = 0; 2283 #undef setie 2284 } else { 2285 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2286 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2287 ni->ni_ath_flags = 0; 2288 } 2289 ieee80211_node_join(ni, resp); 2290 ieee80211_deliver_l2uf(ni); 2291 break; 2292 } 2293 2294 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2295 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2296 uint16_t reason; 2297 2298 if (vap->iv_state != IEEE80211_S_RUN || 2299 /* NB: can happen when in promiscuous mode */ 2300 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2301 vap->iv_stats.is_rx_mgtdiscard++; 2302 break; 2303 } 2304 /* 2305 * deauth/disassoc frame format 2306 * [2] reason 2307 */ 2308 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2309 reason = le16toh(*(uint16_t *)frm); 2310 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2311 vap->iv_stats.is_rx_deauth++; 2312 IEEE80211_NODE_STAT(ni, rx_deauth); 2313 } else { 2314 vap->iv_stats.is_rx_disassoc++; 2315 IEEE80211_NODE_STAT(ni, rx_disassoc); 2316 } 2317 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2318 "recv %s (reason: %d (%s))", 2319 ieee80211_mgt_subtype_name(subtype), 2320 reason, ieee80211_reason_to_string(reason)); 2321 if (ni != vap->iv_bss) 2322 ieee80211_node_leave(ni); 2323 break; 2324 } 2325 2326 case IEEE80211_FC0_SUBTYPE_ACTION: 2327 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2328 if (ni == vap->iv_bss) { 2329 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2330 wh, NULL, "%s", "unknown node"); 2331 vap->iv_stats.is_rx_mgtdiscard++; 2332 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2333 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2334 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2335 wh, NULL, "%s", "not for us"); 2336 vap->iv_stats.is_rx_mgtdiscard++; 2337 } else if (vap->iv_state != IEEE80211_S_RUN) { 2338 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2339 wh, NULL, "wrong state %s", 2340 ieee80211_state_name[vap->iv_state]); 2341 vap->iv_stats.is_rx_mgtdiscard++; 2342 } else { 2343 if (ieee80211_parse_action(ni, m0) == 0) 2344 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2345 } 2346 break; 2347 2348 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2349 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2350 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2351 case IEEE80211_FC0_SUBTYPE_ATIM: 2352 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2353 wh, NULL, "%s", "not handled"); 2354 vap->iv_stats.is_rx_mgtdiscard++; 2355 break; 2356 2357 default: 2358 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2359 wh, "mgt", "subtype 0x%x not handled", subtype); 2360 vap->iv_stats.is_rx_badsubtype++; 2361 break; 2362 } 2363 } 2364 2365 static void 2366 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2367 { 2368 switch (subtype) { 2369 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2370 ni->ni_vap->iv_recv_pspoll(ni, m); 2371 break; 2372 case IEEE80211_FC0_SUBTYPE_BAR: 2373 ieee80211_recv_bar(ni, m); 2374 break; 2375 } 2376 } 2377 2378 /* 2379 * Process a received ps-poll frame. 2380 */ 2381 void 2382 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2383 { 2384 struct ieee80211vap *vap = ni->ni_vap; 2385 struct ieee80211com *ic = vap->iv_ic; 2386 struct ieee80211_frame_min *wh; 2387 struct mbuf *m; 2388 uint16_t aid; 2389 int qlen; 2390 2391 wh = mtod(m0, struct ieee80211_frame_min *); 2392 if (ni->ni_associd == 0) { 2393 IEEE80211_DISCARD(vap, 2394 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2395 (struct ieee80211_frame *) wh, NULL, 2396 "%s", "unassociated station"); 2397 vap->iv_stats.is_ps_unassoc++; 2398 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2399 IEEE80211_REASON_NOT_ASSOCED); 2400 return; 2401 } 2402 2403 aid = le16toh(*(uint16_t *)wh->i_dur); 2404 if (aid != ni->ni_associd) { 2405 IEEE80211_DISCARD(vap, 2406 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2407 (struct ieee80211_frame *) wh, NULL, 2408 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2409 ni->ni_associd, aid); 2410 vap->iv_stats.is_ps_badaid++; 2411 /* 2412 * NB: We used to deauth the station but it turns out 2413 * the Blackberry Curve 8230 (and perhaps other devices) 2414 * sometimes send the wrong AID when WME is negotiated. 2415 * Being more lenient here seems ok as we already check 2416 * the station is associated and we only return frames 2417 * queued for the station (i.e. we don't use the AID). 2418 */ 2419 return; 2420 } 2421 2422 /* Okay, take the first queued packet and put it out... */ 2423 m = ieee80211_node_psq_dequeue(ni, &qlen); 2424 if (m == NULL) { 2425 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2426 "%s", "recv ps-poll, but queue empty"); 2427 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2428 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2429 if (vap->iv_set_tim != NULL) 2430 vap->iv_set_tim(ni, 0); /* just in case */ 2431 return; 2432 } 2433 /* 2434 * If there are more packets, set the more packets bit 2435 * in the packet dispatched to the station; otherwise 2436 * turn off the TIM bit. 2437 */ 2438 if (qlen != 0) { 2439 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2440 "recv ps-poll, send packet, %u still queued", qlen); 2441 m->m_flags |= M_MORE_DATA; 2442 } else { 2443 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2444 "%s", "recv ps-poll, send packet, queue empty"); 2445 if (vap->iv_set_tim != NULL) 2446 vap->iv_set_tim(ni, 0); 2447 } 2448 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2449 2450 /* 2451 * Do the right thing; if it's an encap'ed frame then 2452 * call ieee80211_parent_xmitpkt() else 2453 * call ieee80211_vap_xmitpkt(). 2454 */ 2455 if (m->m_flags & M_ENCAP) { 2456 (void) ieee80211_parent_xmitpkt(ic, m); 2457 } else { 2458 (void) ieee80211_vap_xmitpkt(vap, m); 2459 } 2460 } 2461