1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 #endif 31 32 /* 33 * IEEE 802.11 HOSTAP mode support. 34 */ 35 #include "opt_inet.h" 36 #include "opt_wlan.h" 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/mbuf.h> 41 #include <sys/malloc.h> 42 #include <sys/kernel.h> 43 #include <sys/epoch.h> 44 45 #include <sys/socket.h> 46 #include <sys/sockio.h> 47 #include <sys/endian.h> 48 #include <sys/errno.h> 49 #include <sys/proc.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/if_var.h> 54 #include <net/if_media.h> 55 #include <net/if_llc.h> 56 #include <net/if_private.h> 57 #include <net/ethernet.h> 58 59 #include <net/bpf.h> 60 61 #include <net80211/ieee80211_var.h> 62 #include <net80211/ieee80211_hostap.h> 63 #include <net80211/ieee80211_input.h> 64 #ifdef IEEE80211_SUPPORT_SUPERG 65 #include <net80211/ieee80211_superg.h> 66 #endif 67 #include <net80211/ieee80211_wds.h> 68 #include <net80211/ieee80211_vht.h> 69 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 70 71 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 72 73 static void hostap_vattach(struct ieee80211vap *); 74 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 75 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 76 const struct ieee80211_rx_stats *, 77 int rssi, int nf); 78 static void hostap_deliver_data(struct ieee80211vap *, 79 struct ieee80211_node *, struct mbuf *); 80 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 81 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 82 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 83 84 void 85 ieee80211_hostap_attach(struct ieee80211com *ic) 86 { 87 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 88 } 89 90 void 91 ieee80211_hostap_detach(struct ieee80211com *ic) 92 { 93 } 94 95 static void 96 hostap_vdetach(struct ieee80211vap *vap) 97 { 98 } 99 100 static void 101 hostap_vattach(struct ieee80211vap *vap) 102 { 103 vap->iv_newstate = hostap_newstate; 104 vap->iv_input = hostap_input; 105 vap->iv_recv_mgmt = hostap_recv_mgmt; 106 vap->iv_recv_ctl = hostap_recv_ctl; 107 vap->iv_opdetach = hostap_vdetach; 108 vap->iv_deliver_data = hostap_deliver_data; 109 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 110 } 111 112 static void 113 sta_disassoc(void *arg, struct ieee80211_node *ni) 114 { 115 116 if (ni->ni_associd != 0) { 117 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 118 IEEE80211_REASON_ASSOC_LEAVE); 119 ieee80211_node_leave(ni); 120 } 121 } 122 123 static void 124 sta_csa(void *arg, struct ieee80211_node *ni) 125 { 126 struct ieee80211vap *vap = ni->ni_vap; 127 128 if (ni->ni_associd != 0) 129 if (ni->ni_inact > vap->iv_inact_init) { 130 ni->ni_inact = vap->iv_inact_init; 131 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 132 "%s: inact %u", __func__, ni->ni_inact); 133 } 134 } 135 136 static void 137 sta_drop(void *arg, struct ieee80211_node *ni) 138 { 139 140 if (ni->ni_associd != 0) 141 ieee80211_node_leave(ni); 142 } 143 144 /* 145 * Does a channel change require associated stations to re-associate 146 * so protocol state is correct. This is used when doing CSA across 147 * bands or similar (e.g. HT -> legacy). 148 */ 149 static int 150 isbandchange(struct ieee80211com *ic) 151 { 152 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 153 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 154 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 155 } 156 157 /* 158 * IEEE80211_M_HOSTAP vap state machine handler. 159 */ 160 static int 161 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 162 { 163 struct ieee80211com *ic = vap->iv_ic; 164 enum ieee80211_state ostate; 165 166 IEEE80211_LOCK_ASSERT(ic); 167 168 ostate = vap->iv_state; 169 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 170 __func__, ieee80211_state_name[ostate], 171 ieee80211_state_name[nstate], arg); 172 vap->iv_state = nstate; /* state transition */ 173 if (ostate != IEEE80211_S_SCAN) 174 ieee80211_cancel_scan(vap); /* background scan */ 175 switch (nstate) { 176 case IEEE80211_S_INIT: 177 switch (ostate) { 178 case IEEE80211_S_SCAN: 179 ieee80211_cancel_scan(vap); 180 break; 181 case IEEE80211_S_CAC: 182 ieee80211_dfs_cac_stop(vap); 183 break; 184 case IEEE80211_S_RUN: 185 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 186 sta_disassoc, NULL); 187 break; 188 default: 189 break; 190 } 191 if (ostate != IEEE80211_S_INIT) { 192 /* NB: optimize INIT -> INIT case */ 193 ieee80211_reset_bss(vap); 194 } 195 if (vap->iv_auth->ia_detach != NULL) 196 vap->iv_auth->ia_detach(vap); 197 break; 198 case IEEE80211_S_SCAN: 199 switch (ostate) { 200 case IEEE80211_S_CSA: 201 case IEEE80211_S_RUN: 202 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 203 sta_disassoc, NULL); 204 /* 205 * Clear overlapping BSS state; the beacon frame 206 * will be reconstructed on transition to the RUN 207 * state and the timeout routines check if the flag 208 * is set before doing anything so this is sufficient. 209 */ 210 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 211 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 212 /* XXX TODO: schedule deferred update? */ 213 /* fall thru... */ 214 case IEEE80211_S_CAC: 215 /* 216 * NB: We may get here because of a manual channel 217 * change in which case we need to stop CAC 218 * XXX no need to stop if ostate RUN but it's ok 219 */ 220 ieee80211_dfs_cac_stop(vap); 221 /* fall thru... */ 222 case IEEE80211_S_INIT: 223 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 224 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 225 /* 226 * Already have a channel; bypass the 227 * scan and startup immediately. 228 * ieee80211_create_ibss will call back to 229 * move us to RUN state. 230 */ 231 ieee80211_create_ibss(vap, vap->iv_des_chan); 232 break; 233 } 234 /* 235 * Initiate a scan. We can come here as a result 236 * of an IEEE80211_IOC_SCAN_REQ too in which case 237 * the vap will be marked with IEEE80211_FEXT_SCANREQ 238 * and the scan request parameters will be present 239 * in iv_scanreq. Otherwise we do the default. 240 */ 241 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 242 ieee80211_check_scan(vap, 243 vap->iv_scanreq_flags, 244 vap->iv_scanreq_duration, 245 vap->iv_scanreq_mindwell, 246 vap->iv_scanreq_maxdwell, 247 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 248 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 249 } else 250 ieee80211_check_scan_current(vap); 251 break; 252 case IEEE80211_S_SCAN: 253 /* 254 * A state change requires a reset; scan. 255 */ 256 ieee80211_check_scan_current(vap); 257 break; 258 default: 259 break; 260 } 261 break; 262 case IEEE80211_S_CAC: 263 /* 264 * Start CAC on a DFS channel. We come here when starting 265 * a bss on a DFS channel (see ieee80211_create_ibss). 266 */ 267 ieee80211_dfs_cac_start(vap); 268 break; 269 case IEEE80211_S_RUN: 270 if (vap->iv_flags & IEEE80211_F_WPA) { 271 /* XXX validate prerequisites */ 272 } 273 switch (ostate) { 274 case IEEE80211_S_INIT: 275 /* 276 * Already have a channel; bypass the 277 * scan and startup immediately. 278 * Note that ieee80211_create_ibss will call 279 * back to do a RUN->RUN state change. 280 */ 281 ieee80211_create_ibss(vap, 282 ieee80211_ht_adjust_channel(ic, 283 ic->ic_curchan, vap->iv_flags_ht)); 284 /* NB: iv_bss is changed on return */ 285 break; 286 case IEEE80211_S_CAC: 287 /* 288 * NB: This is the normal state change when CAC 289 * expires and no radar was detected; no need to 290 * clear the CAC timer as it's already expired. 291 */ 292 /* fall thru... */ 293 case IEEE80211_S_CSA: 294 /* 295 * Shorten inactivity timer of associated stations 296 * to weed out sta's that don't follow a CSA. 297 */ 298 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 299 sta_csa, NULL); 300 /* 301 * Update bss node channel to reflect where 302 * we landed after CSA. 303 */ 304 ieee80211_node_set_chan(vap->iv_bss, 305 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 306 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 307 /* XXX bypass debug msgs */ 308 break; 309 case IEEE80211_S_SCAN: 310 case IEEE80211_S_RUN: 311 #ifdef IEEE80211_DEBUG 312 if (ieee80211_msg_debug(vap)) { 313 struct ieee80211_node *ni = vap->iv_bss; 314 ieee80211_note(vap, 315 "synchronized with %s ssid ", 316 ether_sprintf(ni->ni_bssid)); 317 ieee80211_print_essid(ni->ni_essid, 318 ni->ni_esslen); 319 /* XXX MCS/HT */ 320 printf(" channel %d start %uMb\n", 321 ieee80211_chan2ieee(ic, ic->ic_curchan), 322 IEEE80211_RATE2MBS(ni->ni_txrate)); 323 } 324 #endif 325 break; 326 default: 327 break; 328 } 329 /* 330 * Start/stop the authenticator. We delay until here 331 * to allow configuration to happen out of order. 332 */ 333 if (vap->iv_auth->ia_attach != NULL) { 334 /* XXX check failure */ 335 vap->iv_auth->ia_attach(vap); 336 } else if (vap->iv_auth->ia_detach != NULL) { 337 vap->iv_auth->ia_detach(vap); 338 } 339 ieee80211_node_authorize(vap->iv_bss); 340 break; 341 case IEEE80211_S_CSA: 342 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 343 /* 344 * On a ``band change'' silently drop associated 345 * stations as they must re-associate before they 346 * can pass traffic (as otherwise protocol state 347 * such as capabilities and the negotiated rate 348 * set may/will be wrong). 349 */ 350 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 351 sta_drop, NULL); 352 } 353 break; 354 default: 355 break; 356 } 357 return 0; 358 } 359 360 static void 361 hostap_deliver_data(struct ieee80211vap *vap, 362 struct ieee80211_node *ni, struct mbuf *m) 363 { 364 struct ether_header *eh = mtod(m, struct ether_header *); 365 struct ifnet *ifp = vap->iv_ifp; 366 367 /* clear driver/net80211 flags before passing up */ 368 m->m_flags &= ~(M_MCAST | M_BCAST); 369 m_clrprotoflags(m); 370 371 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 372 ("gack, opmode %d", vap->iv_opmode)); 373 /* 374 * Do accounting. 375 */ 376 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 377 IEEE80211_NODE_STAT(ni, rx_data); 378 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 379 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 380 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 381 IEEE80211_NODE_STAT(ni, rx_mcast); 382 } else 383 IEEE80211_NODE_STAT(ni, rx_ucast); 384 385 /* perform as a bridge within the AP */ 386 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 387 struct mbuf *mcopy = NULL; 388 389 if (m->m_flags & M_MCAST) { 390 mcopy = m_dup(m, IEEE80211_M_NOWAIT); 391 if (mcopy == NULL) 392 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 393 else 394 mcopy->m_flags |= M_MCAST; 395 } else { 396 /* 397 * Check if the destination is associated with the 398 * same vap and authorized to receive traffic. 399 * Beware of traffic destined for the vap itself; 400 * sending it will not work; just let it be delivered 401 * normally. 402 */ 403 struct ieee80211_node *sta = ieee80211_find_vap_node( 404 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 405 if (sta != NULL) { 406 if (ieee80211_node_is_authorized(sta)) { 407 /* 408 * Beware of sending to ourself; this 409 * needs to happen via the normal 410 * input path. 411 */ 412 if (sta != vap->iv_bss) { 413 mcopy = m; 414 m = NULL; 415 } 416 } else { 417 vap->iv_stats.is_rx_unauth++; 418 IEEE80211_NODE_STAT(sta, rx_unauth); 419 } 420 ieee80211_free_node(sta); 421 } 422 } 423 if (mcopy != NULL) 424 (void) ieee80211_vap_xmitpkt(vap, mcopy); 425 } 426 if (m != NULL) { 427 struct epoch_tracker et; 428 429 /* 430 * Mark frame as coming from vap's interface. 431 */ 432 m->m_pkthdr.rcvif = ifp; 433 if (m->m_flags & M_MCAST) { 434 /* 435 * Spam DWDS vap's w/ multicast traffic. 436 */ 437 /* XXX only if dwds in use? */ 438 ieee80211_dwds_mcast(vap, m); 439 } 440 if (ni->ni_vlan != 0) { 441 /* attach vlan tag */ 442 m->m_pkthdr.ether_vtag = ni->ni_vlan; 443 m->m_flags |= M_VLANTAG; 444 } 445 NET_EPOCH_ENTER(et); 446 ifp->if_input(ifp, m); 447 NET_EPOCH_EXIT(et); 448 } 449 } 450 451 /* 452 * Decide if a received management frame should be 453 * printed when debugging is enabled. This filters some 454 * of the less interesting frames that come frequently 455 * (e.g. beacons). 456 */ 457 static __inline int 458 doprint(struct ieee80211vap *vap, int subtype) 459 { 460 switch (subtype) { 461 case IEEE80211_FC0_SUBTYPE_BEACON: 462 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 463 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 464 return 0; 465 } 466 return 1; 467 } 468 469 /* 470 * Process a received frame. The node associated with the sender 471 * should be supplied. If nothing was found in the node table then 472 * the caller is assumed to supply a reference to iv_bss instead. 473 * The RSSI and a timestamp are also supplied. The RSSI data is used 474 * during AP scanning to select a AP to associate with; it can have 475 * any units so long as values have consistent units and higher values 476 * mean ``better signal''. The receive timestamp is currently not used 477 * by the 802.11 layer. 478 */ 479 static int 480 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 481 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 482 { 483 struct ieee80211vap *vap = ni->ni_vap; 484 struct ieee80211com *ic = ni->ni_ic; 485 struct ifnet *ifp = vap->iv_ifp; 486 struct ieee80211_frame *wh; 487 struct ieee80211_key *key; 488 struct ether_header *eh; 489 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 490 uint8_t dir, type, subtype, qos; 491 uint8_t *bssid; 492 int is_hw_decrypted = 0; 493 int has_decrypted = 0; 494 495 /* 496 * Some devices do hardware decryption all the way through 497 * to pretending the frame wasn't encrypted in the first place. 498 * So, tag it appropriately so it isn't discarded inappropriately. 499 */ 500 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 501 is_hw_decrypted = 1; 502 503 if (m->m_flags & M_AMPDU_MPDU) { 504 /* 505 * Fastpath for A-MPDU reorder q resubmission. Frames 506 * w/ M_AMPDU_MPDU marked have already passed through 507 * here but were received out of order and been held on 508 * the reorder queue. When resubmitted they are marked 509 * with the M_AMPDU_MPDU flag and we can bypass most of 510 * the normal processing. 511 */ 512 wh = mtod(m, struct ieee80211_frame *); 513 type = IEEE80211_FC0_TYPE_DATA; 514 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 515 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 516 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 517 goto resubmit_ampdu; 518 } 519 520 KASSERT(ni != NULL, ("null node")); 521 ni->ni_inact = ni->ni_inact_reload; 522 523 type = -1; /* undefined */ 524 525 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 526 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 527 ni->ni_macaddr, NULL, 528 "too short (1): len %u", m->m_pkthdr.len); 529 vap->iv_stats.is_rx_tooshort++; 530 goto out; 531 } 532 /* 533 * Bit of a cheat here, we use a pointer for a 3-address 534 * frame format but don't reference fields past outside 535 * ieee80211_frame_min w/o first validating the data is 536 * present. 537 */ 538 wh = mtod(m, struct ieee80211_frame *); 539 540 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 541 IEEE80211_FC0_VERSION_0) { 542 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 543 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 544 wh->i_fc[0], wh->i_fc[1]); 545 vap->iv_stats.is_rx_badversion++; 546 goto err; 547 } 548 549 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 550 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 551 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 552 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 553 if (dir != IEEE80211_FC1_DIR_NODS) 554 bssid = wh->i_addr1; 555 else if (type == IEEE80211_FC0_TYPE_CTL) 556 bssid = wh->i_addr1; 557 else { 558 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 559 IEEE80211_DISCARD_MAC(vap, 560 IEEE80211_MSG_ANY, ni->ni_macaddr, 561 NULL, "too short (2): len %u", 562 m->m_pkthdr.len); 563 vap->iv_stats.is_rx_tooshort++; 564 goto out; 565 } 566 bssid = wh->i_addr3; 567 } 568 /* 569 * Validate the bssid. 570 */ 571 if (!(type == IEEE80211_FC0_TYPE_MGT && 572 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 573 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 574 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 575 /* not interested in */ 576 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 577 bssid, NULL, "%s", "not to bss"); 578 vap->iv_stats.is_rx_wrongbss++; 579 goto out; 580 } 581 582 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 583 ni->ni_noise = nf; 584 if (IEEE80211_HAS_SEQ(type, subtype)) { 585 uint8_t tid = ieee80211_gettid(wh); 586 if (IEEE80211_QOS_HAS_SEQ(wh) && 587 TID_TO_WME_AC(tid) >= WME_AC_VI) 588 ic->ic_wme.wme_hipri_traffic++; 589 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 590 goto out; 591 } 592 } 593 594 switch (type) { 595 case IEEE80211_FC0_TYPE_DATA: 596 hdrspace = ieee80211_hdrspace(ic, wh); 597 if (m->m_len < hdrspace && 598 (m = m_pullup(m, hdrspace)) == NULL) { 599 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 600 ni->ni_macaddr, NULL, 601 "data too short: expecting %u", hdrspace); 602 vap->iv_stats.is_rx_tooshort++; 603 goto out; /* XXX */ 604 } 605 if (!(dir == IEEE80211_FC1_DIR_TODS || 606 (dir == IEEE80211_FC1_DIR_DSTODS && 607 (vap->iv_flags & IEEE80211_F_DWDS)))) { 608 if (dir != IEEE80211_FC1_DIR_DSTODS) { 609 IEEE80211_DISCARD(vap, 610 IEEE80211_MSG_INPUT, wh, "data", 611 "incorrect dir 0x%x", dir); 612 } else { 613 IEEE80211_DISCARD(vap, 614 IEEE80211_MSG_INPUT | 615 IEEE80211_MSG_WDS, wh, 616 "4-address data", 617 "%s", "DWDS not enabled"); 618 } 619 vap->iv_stats.is_rx_wrongdir++; 620 goto out; 621 } 622 /* check if source STA is associated */ 623 if (ni == vap->iv_bss) { 624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 625 wh, "data", "%s", "unknown src"); 626 ieee80211_send_error(ni, wh->i_addr2, 627 IEEE80211_FC0_SUBTYPE_DEAUTH, 628 IEEE80211_REASON_NOT_AUTHED); 629 vap->iv_stats.is_rx_notassoc++; 630 goto err; 631 } 632 if (ni->ni_associd == 0) { 633 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 634 wh, "data", "%s", "unassoc src"); 635 IEEE80211_SEND_MGMT(ni, 636 IEEE80211_FC0_SUBTYPE_DISASSOC, 637 IEEE80211_REASON_NOT_ASSOCED); 638 vap->iv_stats.is_rx_notassoc++; 639 goto err; 640 } 641 642 /* 643 * Check for power save state change. 644 * XXX out-of-order A-MPDU frames? 645 */ 646 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 647 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 648 vap->iv_node_ps(ni, 649 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 650 /* 651 * For 4-address packets handle WDS discovery 652 * notifications. Once a WDS link is setup frames 653 * are just delivered to the WDS vap (see below). 654 */ 655 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 656 if (!ieee80211_node_is_authorized(ni)) { 657 IEEE80211_DISCARD(vap, 658 IEEE80211_MSG_INPUT | 659 IEEE80211_MSG_WDS, wh, 660 "4-address data", 661 "%s", "unauthorized port"); 662 vap->iv_stats.is_rx_unauth++; 663 IEEE80211_NODE_STAT(ni, rx_unauth); 664 goto err; 665 } 666 ieee80211_dwds_discover(ni, m); 667 return type; 668 } 669 670 /* 671 * Handle A-MPDU re-ordering. If the frame is to be 672 * processed directly then ieee80211_ampdu_reorder 673 * will return 0; otherwise it has consumed the mbuf 674 * and we should do nothing more with it. 675 */ 676 if ((m->m_flags & M_AMPDU) && 677 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 678 m = NULL; 679 goto out; 680 } 681 resubmit_ampdu: 682 683 /* 684 * Handle privacy requirements. Note that we 685 * must not be preempted from here until after 686 * we (potentially) call ieee80211_crypto_demic; 687 * otherwise we may violate assumptions in the 688 * crypto cipher modules used to do delayed update 689 * of replay sequence numbers. 690 */ 691 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 692 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 693 /* 694 * Discard encrypted frames when privacy is off. 695 */ 696 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 697 wh, "WEP", "%s", "PRIVACY off"); 698 vap->iv_stats.is_rx_noprivacy++; 699 IEEE80211_NODE_STAT(ni, rx_noprivacy); 700 goto out; 701 } 702 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 703 /* NB: stats+msgs handled in crypto_decap */ 704 IEEE80211_NODE_STAT(ni, rx_wepfail); 705 goto out; 706 } 707 wh = mtod(m, struct ieee80211_frame *); 708 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 709 has_decrypted = 1; 710 } else { 711 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 712 key = NULL; 713 } 714 715 /* 716 * Save QoS bits for use below--before we strip the header. 717 */ 718 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 719 qos = ieee80211_getqos(wh)[0]; 720 else 721 qos = 0; 722 723 /* 724 * Next up, any fragmentation. 725 */ 726 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 727 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 728 if (m == NULL) { 729 /* Fragment dropped or frame not complete yet */ 730 goto out; 731 } 732 } 733 wh = NULL; /* no longer valid, catch any uses */ 734 735 /* 736 * Next strip any MSDU crypto bits. 737 */ 738 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 739 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 740 ni->ni_macaddr, "data", "%s", "demic error"); 741 vap->iv_stats.is_rx_demicfail++; 742 IEEE80211_NODE_STAT(ni, rx_demicfail); 743 goto out; 744 } 745 /* copy to listener after decrypt */ 746 if (ieee80211_radiotap_active_vap(vap)) 747 ieee80211_radiotap_rx(vap, m); 748 need_tap = 0; 749 /* 750 * Finally, strip the 802.11 header. 751 */ 752 m = ieee80211_decap(vap, m, hdrspace, qos); 753 if (m == NULL) { 754 /* XXX mask bit to check for both */ 755 /* don't count Null data frames as errors */ 756 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 757 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 758 goto out; 759 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 760 ni->ni_macaddr, "data", "%s", "decap error"); 761 vap->iv_stats.is_rx_decap++; 762 IEEE80211_NODE_STAT(ni, rx_decap); 763 goto err; 764 } 765 if (!(qos & IEEE80211_QOS_AMSDU)) 766 eh = mtod(m, struct ether_header *); 767 else 768 eh = NULL; 769 if (!ieee80211_node_is_authorized(ni)) { 770 /* 771 * Deny any non-PAE frames received prior to 772 * authorization. For open/shared-key 773 * authentication the port is mark authorized 774 * after authentication completes. For 802.1x 775 * the port is not marked authorized by the 776 * authenticator until the handshake has completed. 777 */ 778 if (eh == NULL || 779 eh->ether_type != htons(ETHERTYPE_PAE)) { 780 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 781 ni->ni_macaddr, "data", "unauthorized or " 782 "unknown port: ether type 0x%x len %u", 783 eh == NULL ? -1 : eh->ether_type, 784 m->m_pkthdr.len); 785 vap->iv_stats.is_rx_unauth++; 786 IEEE80211_NODE_STAT(ni, rx_unauth); 787 goto err; 788 } 789 } else { 790 /* 791 * When denying unencrypted frames, discard 792 * any non-PAE frames received without encryption. 793 */ 794 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 795 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 796 (is_hw_decrypted == 0) && 797 (eh == NULL || 798 eh->ether_type != htons(ETHERTYPE_PAE))) { 799 /* 800 * Drop unencrypted frames. 801 */ 802 vap->iv_stats.is_rx_unencrypted++; 803 IEEE80211_NODE_STAT(ni, rx_unencrypted); 804 goto out; 805 } 806 } 807 /* XXX require HT? */ 808 if (qos & IEEE80211_QOS_AMSDU) { 809 m = ieee80211_decap_amsdu(ni, m); 810 if (m == NULL) 811 return IEEE80211_FC0_TYPE_DATA; 812 } else { 813 #ifdef IEEE80211_SUPPORT_SUPERG 814 m = ieee80211_decap_fastframe(vap, ni, m); 815 if (m == NULL) 816 return IEEE80211_FC0_TYPE_DATA; 817 #endif 818 } 819 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 820 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 821 else 822 hostap_deliver_data(vap, ni, m); 823 return IEEE80211_FC0_TYPE_DATA; 824 825 case IEEE80211_FC0_TYPE_MGT: 826 vap->iv_stats.is_rx_mgmt++; 827 IEEE80211_NODE_STAT(ni, rx_mgmt); 828 if (dir != IEEE80211_FC1_DIR_NODS) { 829 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 830 wh, "mgt", "incorrect dir 0x%x", dir); 831 vap->iv_stats.is_rx_wrongdir++; 832 goto err; 833 } 834 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 835 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 836 ni->ni_macaddr, "mgt", "too short: len %u", 837 m->m_pkthdr.len); 838 vap->iv_stats.is_rx_tooshort++; 839 goto out; 840 } 841 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 842 /* ensure return frames are unicast */ 843 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 844 wh, NULL, "source is multicast: %s", 845 ether_sprintf(wh->i_addr2)); 846 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 847 goto out; 848 } 849 #ifdef IEEE80211_DEBUG 850 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 851 ieee80211_msg_dumppkts(vap)) { 852 if_printf(ifp, "received %s from %s rssi %d\n", 853 ieee80211_mgt_subtype_name(subtype), 854 ether_sprintf(wh->i_addr2), rssi); 855 } 856 #endif 857 if (IEEE80211_IS_PROTECTED(wh)) { 858 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 859 /* 860 * Only shared key auth frames with a challenge 861 * should be encrypted, discard all others. 862 */ 863 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 864 wh, NULL, 865 "%s", "WEP set but not permitted"); 866 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 867 goto out; 868 } 869 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 870 /* 871 * Discard encrypted frames when privacy is off. 872 */ 873 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 874 wh, NULL, "%s", "WEP set but PRIVACY off"); 875 vap->iv_stats.is_rx_noprivacy++; 876 goto out; 877 } 878 hdrspace = ieee80211_hdrspace(ic, wh); 879 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 880 /* NB: stats+msgs handled in crypto_decap */ 881 goto out; 882 } 883 wh = mtod(m, struct ieee80211_frame *); 884 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 885 has_decrypted = 1; 886 } 887 /* 888 * Pass the packet to radiotap before calling iv_recv_mgmt(). 889 * Otherwise iv_recv_mgmt() might pass another packet to 890 * radiotap, resulting in out of order packet captures. 891 */ 892 if (ieee80211_radiotap_active_vap(vap)) 893 ieee80211_radiotap_rx(vap, m); 894 need_tap = 0; 895 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 896 goto out; 897 898 case IEEE80211_FC0_TYPE_CTL: 899 vap->iv_stats.is_rx_ctl++; 900 IEEE80211_NODE_STAT(ni, rx_ctrl); 901 vap->iv_recv_ctl(ni, m, subtype); 902 goto out; 903 default: 904 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 905 wh, "bad", "frame type 0x%x", type); 906 /* should not come here */ 907 break; 908 } 909 err: 910 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 911 out: 912 if (m != NULL) { 913 if (need_tap && ieee80211_radiotap_active_vap(vap)) 914 ieee80211_radiotap_rx(vap, m); 915 m_freem(m); 916 } 917 return type; 918 } 919 920 static void 921 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 922 int rssi, int nf, uint16_t seq, uint16_t status) 923 { 924 struct ieee80211vap *vap = ni->ni_vap; 925 926 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 927 928 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 929 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 930 ni->ni_macaddr, "open auth", 931 "bad sta auth mode %u", ni->ni_authmode); 932 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 933 /* 934 * Clear any challenge text that may be there if 935 * a previous shared key auth failed and then an 936 * open auth is attempted. 937 */ 938 if (ni->ni_challenge != NULL) { 939 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 940 ni->ni_challenge = NULL; 941 } 942 /* XXX hack to workaround calling convention */ 943 ieee80211_send_error(ni, wh->i_addr2, 944 IEEE80211_FC0_SUBTYPE_AUTH, 945 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 946 return; 947 } 948 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 949 vap->iv_stats.is_rx_bad_auth++; 950 return; 951 } 952 /* always accept open authentication requests */ 953 if (ni == vap->iv_bss) { 954 ni = ieee80211_dup_bss(vap, wh->i_addr2); 955 if (ni == NULL) 956 return; 957 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 958 (void) ieee80211_ref_node(ni); 959 /* 960 * Mark the node as referenced to reflect that it's 961 * reference count has been bumped to insure it remains 962 * after the transaction completes. 963 */ 964 ni->ni_flags |= IEEE80211_NODE_AREF; 965 /* 966 * Mark the node as requiring a valid association id 967 * before outbound traffic is permitted. 968 */ 969 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 970 971 if (vap->iv_acl != NULL && 972 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 973 /* 974 * When the ACL policy is set to RADIUS we defer the 975 * authorization to a user agent. Dispatch an event, 976 * a subsequent MLME call will decide the fate of the 977 * station. If the user agent is not present then the 978 * node will be reclaimed due to inactivity. 979 */ 980 IEEE80211_NOTE_MAC(vap, 981 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 982 "%s", "station authentication deferred (radius acl)"); 983 ieee80211_notify_node_auth(ni); 984 } else { 985 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 986 IEEE80211_NOTE_MAC(vap, 987 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 988 "%s", "station authenticated (open)"); 989 /* 990 * When 802.1x is not in use mark the port 991 * authorized at this point so traffic can flow. 992 */ 993 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 994 ieee80211_node_authorize(ni); 995 } 996 } 997 998 static void 999 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 1000 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 1001 uint16_t seq, uint16_t status) 1002 { 1003 struct ieee80211vap *vap = ni->ni_vap; 1004 uint8_t *challenge; 1005 int estatus; 1006 1007 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1008 1009 /* 1010 * NB: this can happen as we allow pre-shared key 1011 * authentication to be enabled w/o wep being turned 1012 * on so that configuration of these can be done 1013 * in any order. It may be better to enforce the 1014 * ordering in which case this check would just be 1015 * for sanity/consistency. 1016 */ 1017 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1018 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1019 ni->ni_macaddr, "shared key auth", 1020 "%s", " PRIVACY is disabled"); 1021 estatus = IEEE80211_STATUS_ALG; 1022 goto bad; 1023 } 1024 /* 1025 * Pre-shared key authentication is evil; accept 1026 * it only if explicitly configured (it is supported 1027 * mainly for compatibility with clients like Mac OS X). 1028 */ 1029 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1030 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1032 ni->ni_macaddr, "shared key auth", 1033 "bad sta auth mode %u", ni->ni_authmode); 1034 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1035 estatus = IEEE80211_STATUS_ALG; 1036 goto bad; 1037 } 1038 1039 challenge = NULL; 1040 if (frm + 1 < efrm) { 1041 if ((frm[1] + 2) > (efrm - frm)) { 1042 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1043 ni->ni_macaddr, "shared key auth", 1044 "ie %d/%d too long", 1045 frm[0], (frm[1] + 2) - (efrm - frm)); 1046 vap->iv_stats.is_rx_bad_auth++; 1047 estatus = IEEE80211_STATUS_CHALLENGE; 1048 goto bad; 1049 } 1050 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1051 challenge = frm; 1052 frm += frm[1] + 2; 1053 } 1054 switch (seq) { 1055 case IEEE80211_AUTH_SHARED_CHALLENGE: 1056 case IEEE80211_AUTH_SHARED_RESPONSE: 1057 if (challenge == NULL) { 1058 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1059 ni->ni_macaddr, "shared key auth", 1060 "%s", "no challenge"); 1061 vap->iv_stats.is_rx_bad_auth++; 1062 estatus = IEEE80211_STATUS_CHALLENGE; 1063 goto bad; 1064 } 1065 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1066 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1067 ni->ni_macaddr, "shared key auth", 1068 "bad challenge len %d", challenge[1]); 1069 vap->iv_stats.is_rx_bad_auth++; 1070 estatus = IEEE80211_STATUS_CHALLENGE; 1071 goto bad; 1072 } 1073 default: 1074 break; 1075 } 1076 switch (seq) { 1077 case IEEE80211_AUTH_SHARED_REQUEST: 1078 { 1079 #ifdef IEEE80211_DEBUG 1080 bool allocbs; 1081 #endif 1082 1083 if (ni == vap->iv_bss) { 1084 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1085 if (ni == NULL) { 1086 /* NB: no way to return an error */ 1087 return; 1088 } 1089 #ifdef IEEE80211_DEBUG 1090 allocbs = 1; 1091 #endif 1092 } else { 1093 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1094 (void) ieee80211_ref_node(ni); 1095 #ifdef IEEE80211_DEBUG 1096 allocbs = 0; 1097 #endif 1098 } 1099 /* 1100 * Mark the node as referenced to reflect that it's 1101 * reference count has been bumped to insure it remains 1102 * after the transaction completes. 1103 */ 1104 ni->ni_flags |= IEEE80211_NODE_AREF; 1105 /* 1106 * Mark the node as requiring a valid association id 1107 * before outbound traffic is permitted. 1108 */ 1109 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1110 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1111 ni->ni_noise = nf; 1112 if (!ieee80211_alloc_challenge(ni)) { 1113 /* NB: don't return error so they rexmit */ 1114 return; 1115 } 1116 net80211_get_random_bytes(ni->ni_challenge, 1117 IEEE80211_CHALLENGE_LEN); 1118 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1119 ni, "shared key %sauth request", allocbs ? "" : "re"); 1120 /* 1121 * When the ACL policy is set to RADIUS we defer the 1122 * authorization to a user agent. Dispatch an event, 1123 * a subsequent MLME call will decide the fate of the 1124 * station. If the user agent is not present then the 1125 * node will be reclaimed due to inactivity. 1126 */ 1127 if (vap->iv_acl != NULL && 1128 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1129 IEEE80211_NOTE_MAC(vap, 1130 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1131 ni->ni_macaddr, 1132 "%s", "station authentication deferred (radius acl)"); 1133 ieee80211_notify_node_auth(ni); 1134 return; 1135 } 1136 break; 1137 } 1138 case IEEE80211_AUTH_SHARED_RESPONSE: 1139 if (ni == vap->iv_bss) { 1140 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1141 ni->ni_macaddr, "shared key response", 1142 "%s", "unknown station"); 1143 /* NB: don't send a response */ 1144 return; 1145 } 1146 if (ni->ni_challenge == NULL) { 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key response", 1149 "%s", "no challenge recorded"); 1150 vap->iv_stats.is_rx_bad_auth++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 if (memcmp(ni->ni_challenge, &challenge[2], 1155 challenge[1]) != 0) { 1156 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1157 ni->ni_macaddr, "shared key response", 1158 "%s", "challenge mismatch"); 1159 vap->iv_stats.is_rx_auth_fail++; 1160 estatus = IEEE80211_STATUS_CHALLENGE; 1161 goto bad; 1162 } 1163 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1164 ni, "%s", "station authenticated (shared key)"); 1165 ieee80211_node_authorize(ni); 1166 break; 1167 default: 1168 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1169 ni->ni_macaddr, "shared key auth", 1170 "bad seq %d", seq); 1171 vap->iv_stats.is_rx_bad_auth++; 1172 estatus = IEEE80211_STATUS_SEQUENCE; 1173 goto bad; 1174 } 1175 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1176 return; 1177 bad: 1178 /* 1179 * Send an error response; but only when operating as an AP. 1180 */ 1181 /* XXX hack to workaround calling convention */ 1182 ieee80211_send_error(ni, wh->i_addr2, 1183 IEEE80211_FC0_SUBTYPE_AUTH, 1184 (seq + 1) | (estatus<<16)); 1185 } 1186 1187 /* 1188 * Convert a WPA cipher selector OUI to an internal 1189 * cipher algorithm. Where appropriate we also 1190 * record any key length. 1191 */ 1192 static int 1193 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1194 { 1195 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1196 uint32_t w = le32dec(sel); 1197 1198 switch (w) { 1199 case WPA_SEL(WPA_CSE_NULL): 1200 *cipher = IEEE80211_CIPHER_NONE; 1201 break; 1202 case WPA_SEL(WPA_CSE_WEP40): 1203 if (keylen) 1204 *keylen = 40 / NBBY; 1205 *cipher = IEEE80211_CIPHER_WEP; 1206 break; 1207 case WPA_SEL(WPA_CSE_WEP104): 1208 if (keylen) 1209 *keylen = 104 / NBBY; 1210 *cipher = IEEE80211_CIPHER_WEP; 1211 break; 1212 case WPA_SEL(WPA_CSE_TKIP): 1213 *cipher = IEEE80211_CIPHER_TKIP; 1214 break; 1215 case WPA_SEL(WPA_CSE_CCMP): 1216 *cipher = IEEE80211_CIPHER_AES_CCM; 1217 break; 1218 default: 1219 return (EINVAL); 1220 } 1221 1222 return (0); 1223 #undef WPA_SEL 1224 } 1225 1226 /* 1227 * Convert a WPA key management/authentication algorithm 1228 * to an internal code. 1229 */ 1230 static int 1231 wpa_keymgmt(const uint8_t *sel) 1232 { 1233 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1234 uint32_t w = le32dec(sel); 1235 1236 switch (w) { 1237 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1238 return WPA_ASE_8021X_UNSPEC; 1239 case WPA_SEL(WPA_ASE_8021X_PSK): 1240 return WPA_ASE_8021X_PSK; 1241 case WPA_SEL(WPA_ASE_NONE): 1242 return WPA_ASE_NONE; 1243 } 1244 return 0; /* NB: so is discarded */ 1245 #undef WPA_SEL 1246 } 1247 1248 /* 1249 * Parse a WPA information element to collect parameters. 1250 * Note that we do not validate security parameters; that 1251 * is handled by the authenticator; the parsing done here 1252 * is just for internal use in making operational decisions. 1253 */ 1254 static int 1255 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1256 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1257 { 1258 uint8_t len = frm[1]; 1259 uint32_t w; 1260 int error, n; 1261 1262 /* 1263 * Check the length once for fixed parts: OUI, type, 1264 * version, mcast cipher, and 2 selector counts. 1265 * Other, variable-length data, must be checked separately. 1266 */ 1267 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1268 IEEE80211_DISCARD_IE(vap, 1269 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1270 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1271 return IEEE80211_REASON_IE_INVALID; 1272 } 1273 if (len < 14) { 1274 IEEE80211_DISCARD_IE(vap, 1275 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1276 wh, "WPA", "too short, len %u", len); 1277 return IEEE80211_REASON_IE_INVALID; 1278 } 1279 frm += 6, len -= 4; /* NB: len is payload only */ 1280 /* NB: iswpaoui already validated the OUI and type */ 1281 w = le16dec(frm); 1282 if (w != WPA_VERSION) { 1283 IEEE80211_DISCARD_IE(vap, 1284 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1285 wh, "WPA", "bad version %u", w); 1286 return IEEE80211_REASON_IE_INVALID; 1287 } 1288 frm += 2, len -= 2; 1289 1290 memset(rsn, 0, sizeof(*rsn)); 1291 1292 /* multicast/group cipher */ 1293 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1294 if (error != 0) { 1295 IEEE80211_DISCARD_IE(vap, 1296 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1297 wh, "WPA", "unknown mcast cipher suite %08X", 1298 le32dec(frm)); 1299 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1300 } 1301 frm += 4, len -= 4; 1302 1303 /* unicast ciphers */ 1304 n = le16dec(frm); 1305 frm += 2, len -= 2; 1306 if (len < n*4+2) { 1307 IEEE80211_DISCARD_IE(vap, 1308 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1309 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1310 len, n); 1311 return IEEE80211_REASON_IE_INVALID; 1312 } 1313 w = 0; 1314 for (; n > 0; n--) { 1315 uint8_t cipher; 1316 1317 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1318 if (error == 0) 1319 w |= 1 << cipher; 1320 1321 frm += 4, len -= 4; 1322 } 1323 if (w == 0) { 1324 IEEE80211_DISCARD_IE(vap, 1325 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1326 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1327 w); 1328 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1329 } 1330 /* XXX other? */ 1331 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1332 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1333 else 1334 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1335 1336 /* key management algorithms */ 1337 n = le16dec(frm); 1338 frm += 2, len -= 2; 1339 if (len < n*4) { 1340 IEEE80211_DISCARD_IE(vap, 1341 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1342 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1343 len, n); 1344 return IEEE80211_REASON_IE_INVALID; 1345 } 1346 w = 0; 1347 for (; n > 0; n--) { 1348 w |= wpa_keymgmt(frm); 1349 frm += 4, len -= 4; 1350 } 1351 if (w & WPA_ASE_8021X_UNSPEC) 1352 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1353 else 1354 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1355 1356 if (len > 2) /* optional capabilities */ 1357 rsn->rsn_caps = le16dec(frm); 1358 1359 return 0; 1360 } 1361 1362 /* 1363 * Convert an RSN cipher selector OUI to an internal 1364 * cipher algorithm. Where appropriate we also 1365 * record any key length. 1366 */ 1367 static int 1368 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1369 { 1370 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1371 uint32_t w = le32dec(sel); 1372 1373 switch (w) { 1374 case RSN_SEL(RSN_CSE_NULL): 1375 *cipher = IEEE80211_CIPHER_NONE; 1376 break; 1377 case RSN_SEL(RSN_CSE_WEP40): 1378 if (keylen) 1379 *keylen = 40 / NBBY; 1380 *cipher = IEEE80211_CIPHER_WEP; 1381 break; 1382 case RSN_SEL(RSN_CSE_WEP104): 1383 if (keylen) 1384 *keylen = 104 / NBBY; 1385 *cipher = IEEE80211_CIPHER_WEP; 1386 break; 1387 case RSN_SEL(RSN_CSE_TKIP): 1388 *cipher = IEEE80211_CIPHER_TKIP; 1389 break; 1390 case RSN_SEL(RSN_CSE_CCMP): 1391 *cipher = IEEE80211_CIPHER_AES_CCM; 1392 break; 1393 case RSN_SEL(RSN_CSE_WRAP): 1394 *cipher = IEEE80211_CIPHER_AES_OCB; 1395 break; 1396 default: 1397 return (EINVAL); 1398 } 1399 1400 return (0); 1401 #undef WPA_SEL 1402 } 1403 1404 /* 1405 * Convert an RSN key management/authentication algorithm 1406 * to an internal code. 1407 */ 1408 static int 1409 rsn_keymgmt(const uint8_t *sel) 1410 { 1411 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1412 uint32_t w = le32dec(sel); 1413 1414 switch (w) { 1415 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1416 return RSN_ASE_8021X_UNSPEC; 1417 case RSN_SEL(RSN_ASE_8021X_PSK): 1418 return RSN_ASE_8021X_PSK; 1419 case RSN_SEL(RSN_ASE_NONE): 1420 return RSN_ASE_NONE; 1421 } 1422 return 0; /* NB: so is discarded */ 1423 #undef RSN_SEL 1424 } 1425 1426 /* 1427 * Parse a WPA/RSN information element to collect parameters 1428 * and validate the parameters against what has been 1429 * configured for the system. 1430 */ 1431 static int 1432 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1433 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1434 { 1435 uint8_t len = frm[1]; 1436 uint32_t w; 1437 int error, n; 1438 1439 /* 1440 * Check the length once for fixed parts: 1441 * version, mcast cipher, and 2 selector counts. 1442 * Other, variable-length data, must be checked separately. 1443 */ 1444 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1445 IEEE80211_DISCARD_IE(vap, 1446 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1447 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1448 return IEEE80211_REASON_IE_INVALID; 1449 } 1450 /* XXX may be shorter */ 1451 if (len < 10) { 1452 IEEE80211_DISCARD_IE(vap, 1453 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1454 wh, "RSN", "too short, len %u", len); 1455 return IEEE80211_REASON_IE_INVALID; 1456 } 1457 frm += 2; 1458 w = le16dec(frm); 1459 if (w != RSN_VERSION) { 1460 IEEE80211_DISCARD_IE(vap, 1461 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1462 wh, "RSN", "bad version %u", w); 1463 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1464 } 1465 frm += 2, len -= 2; 1466 1467 memset(rsn, 0, sizeof(*rsn)); 1468 1469 /* multicast/group cipher */ 1470 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1471 if (error != 0) { 1472 IEEE80211_DISCARD_IE(vap, 1473 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1474 wh, "RSN", "unknown mcast cipher suite %08X", 1475 le32dec(frm)); 1476 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1477 } 1478 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1479 IEEE80211_DISCARD_IE(vap, 1480 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1481 wh, "RSN", "invalid mcast cipher suite %d", 1482 rsn->rsn_mcastcipher); 1483 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1484 } 1485 frm += 4, len -= 4; 1486 1487 /* unicast ciphers */ 1488 n = le16dec(frm); 1489 frm += 2, len -= 2; 1490 if (len < n*4+2) { 1491 IEEE80211_DISCARD_IE(vap, 1492 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1493 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1494 len, n); 1495 return IEEE80211_REASON_IE_INVALID; 1496 } 1497 w = 0; 1498 1499 for (; n > 0; n--) { 1500 uint8_t cipher; 1501 1502 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1503 if (error == 0) 1504 w |= 1 << cipher; 1505 1506 frm += 4, len -= 4; 1507 } 1508 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1510 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1511 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1512 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1513 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1514 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1515 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1516 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1517 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1518 else { 1519 IEEE80211_DISCARD_IE(vap, 1520 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1521 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1522 w); 1523 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1524 } 1525 1526 /* key management algorithms */ 1527 n = le16dec(frm); 1528 frm += 2, len -= 2; 1529 if (len < n*4) { 1530 IEEE80211_DISCARD_IE(vap, 1531 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1532 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1533 len, n); 1534 return IEEE80211_REASON_IE_INVALID; 1535 } 1536 w = 0; 1537 for (; n > 0; n--) { 1538 w |= rsn_keymgmt(frm); 1539 frm += 4, len -= 4; 1540 } 1541 if (w & RSN_ASE_8021X_UNSPEC) 1542 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1543 else 1544 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1545 1546 /* optional RSN capabilities */ 1547 if (len > 2) 1548 rsn->rsn_caps = le16dec(frm); 1549 /* XXXPMKID */ 1550 1551 return 0; 1552 } 1553 1554 /* 1555 * WPA/802.11i association request processing. 1556 */ 1557 static int 1558 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1559 const struct ieee80211_frame *wh, const uint8_t *wpa, 1560 const uint8_t *rsn, uint16_t capinfo) 1561 { 1562 struct ieee80211vap *vap = ni->ni_vap; 1563 uint8_t reason; 1564 int badwparsn; 1565 1566 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1567 if (wpa == NULL && rsn == NULL) { 1568 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1569 /* 1570 * W-Fi Protected Setup (WPS) permits 1571 * clients to associate and pass EAPOL frames 1572 * to establish initial credentials. 1573 */ 1574 ni->ni_flags |= IEEE80211_NODE_WPS; 1575 return 1; 1576 } 1577 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1578 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1579 /* 1580 * Transitional Security Network. Permits clients 1581 * to associate and use WEP while WPA is configured. 1582 */ 1583 ni->ni_flags |= IEEE80211_NODE_TSN; 1584 return 1; 1585 } 1586 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1587 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1588 vap->iv_stats.is_rx_assoc_badwpaie++; 1589 reason = IEEE80211_REASON_IE_INVALID; 1590 goto bad; 1591 } 1592 /* assert right association security credentials */ 1593 badwparsn = 0; /* NB: to silence compiler */ 1594 switch (vap->iv_flags & IEEE80211_F_WPA) { 1595 case IEEE80211_F_WPA1: 1596 badwparsn = (wpa == NULL); 1597 break; 1598 case IEEE80211_F_WPA2: 1599 badwparsn = (rsn == NULL); 1600 break; 1601 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1602 badwparsn = (wpa == NULL && rsn == NULL); 1603 break; 1604 } 1605 if (badwparsn) { 1606 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1607 wh, NULL, 1608 "%s", "missing WPA/RSN IE in association request"); 1609 vap->iv_stats.is_rx_assoc_badwpaie++; 1610 reason = IEEE80211_REASON_IE_INVALID; 1611 goto bad; 1612 } 1613 /* 1614 * Parse WPA/RSN information element. 1615 */ 1616 if (wpa != NULL) 1617 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1618 else 1619 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1620 if (reason != 0) { 1621 /* XXX wpa->rsn fallback? */ 1622 /* XXX distinguish WPA/RSN? */ 1623 vap->iv_stats.is_rx_assoc_badwpaie++; 1624 goto bad; 1625 } 1626 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1627 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1628 wpa != NULL ? "WPA" : "RSN", 1629 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1630 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1631 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1632 1633 return 1; 1634 bad: 1635 ieee80211_node_deauth(ni, reason); 1636 return 0; 1637 } 1638 1639 /* XXX find a better place for definition */ 1640 struct l2_update_frame { 1641 struct ether_header eh; 1642 uint8_t dsap; 1643 uint8_t ssap; 1644 uint8_t control; 1645 uint8_t xid[3]; 1646 } __packed; 1647 1648 /* 1649 * Deliver a TGf L2UF frame on behalf of a station. 1650 * This primes any bridge when the station is roaming 1651 * between ap's on the same wired network. 1652 */ 1653 static void 1654 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1655 { 1656 struct ieee80211vap *vap = ni->ni_vap; 1657 struct ifnet *ifp = vap->iv_ifp; 1658 struct mbuf *m; 1659 struct l2_update_frame *l2uf; 1660 struct ether_header *eh; 1661 1662 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 1663 if (m == NULL) { 1664 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1665 "%s", "no mbuf for l2uf frame"); 1666 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1667 return; 1668 } 1669 l2uf = mtod(m, struct l2_update_frame *); 1670 eh = &l2uf->eh; 1671 /* dst: Broadcast address */ 1672 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1673 /* src: associated STA */ 1674 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1675 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1676 1677 l2uf->dsap = 0; 1678 l2uf->ssap = 0; 1679 l2uf->control = 0xf5; 1680 l2uf->xid[0] = 0x81; 1681 l2uf->xid[1] = 0x80; 1682 l2uf->xid[2] = 0x00; 1683 1684 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1685 hostap_deliver_data(vap, ni, m); 1686 } 1687 1688 static void 1689 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1690 int reassoc, int resp, const char *tag, int rate) 1691 { 1692 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1693 "deny %s request, %s rate set mismatch, rate/MCS %d", 1694 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1695 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1696 ieee80211_node_leave(ni); 1697 } 1698 1699 static void 1700 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1701 int reassoc, int resp, const char *tag, int capinfo) 1702 { 1703 struct ieee80211vap *vap = ni->ni_vap; 1704 1705 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1706 "deny %s request, %s mismatch 0x%x", 1707 reassoc ? "reassoc" : "assoc", tag, capinfo); 1708 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1709 ieee80211_node_leave(ni); 1710 vap->iv_stats.is_rx_assoc_capmismatch++; 1711 } 1712 1713 static void 1714 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1715 int reassoc, int resp) 1716 { 1717 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1718 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1719 /* XXX no better code */ 1720 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1721 ieee80211_node_leave(ni); 1722 } 1723 1724 static void 1725 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1726 int algo, int seq, int status) 1727 { 1728 struct ieee80211vap *vap = ni->ni_vap; 1729 1730 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1731 wh, NULL, "unsupported alg %d", algo); 1732 vap->iv_stats.is_rx_auth_unsupported++; 1733 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1734 seq | (status << 16)); 1735 } 1736 1737 static __inline int 1738 ishtmixed(const uint8_t *ie) 1739 { 1740 const struct ieee80211_ie_htinfo *ht = 1741 (const struct ieee80211_ie_htinfo *) ie; 1742 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1743 IEEE80211_HTINFO_OPMODE_MIXED; 1744 } 1745 1746 static int 1747 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1748 { 1749 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1750 int i; 1751 1752 /* NB: the 11b clients we care about will not have xrates */ 1753 if (xrates != NULL || rates == NULL) 1754 return 0; 1755 for (i = 0; i < rates[1]; i++) { 1756 int r = rates[2+i] & IEEE80211_RATE_VAL; 1757 if (r > 2*11 || ((1<<r) & brates) == 0) 1758 return 0; 1759 } 1760 return 1; 1761 } 1762 1763 static void 1764 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1765 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1766 { 1767 struct ieee80211vap *vap = ni->ni_vap; 1768 struct ieee80211com *ic = ni->ni_ic; 1769 struct ieee80211_frame *wh; 1770 uint8_t *frm, *efrm, *sfrm; 1771 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1772 uint8_t *vhtcap, *vhtinfo; 1773 int reassoc, resp; 1774 uint8_t rate; 1775 1776 wh = mtod(m0, struct ieee80211_frame *); 1777 frm = (uint8_t *)&wh[1]; 1778 efrm = mtod(m0, uint8_t *) + m0->m_len; 1779 switch (subtype) { 1780 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1781 /* 1782 * We process beacon/probe response frames when scanning; 1783 * otherwise we check beacon frames for overlapping non-ERP 1784 * BSS in 11g and/or overlapping legacy BSS when in HT. 1785 */ 1786 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1787 vap->iv_stats.is_rx_mgtdiscard++; 1788 return; 1789 } 1790 /* FALLTHROUGH */ 1791 case IEEE80211_FC0_SUBTYPE_BEACON: { 1792 struct ieee80211_scanparams scan; 1793 1794 /* NB: accept off-channel frames */ 1795 /* XXX TODO: use rxstatus to determine off-channel details */ 1796 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1797 return; 1798 /* 1799 * Count frame now that we know it's to be processed. 1800 */ 1801 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1802 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1803 IEEE80211_NODE_STAT(ni, rx_beacons); 1804 } else 1805 IEEE80211_NODE_STAT(ni, rx_proberesp); 1806 /* 1807 * If scanning, just pass information to the scan module. 1808 */ 1809 if (ic->ic_flags & IEEE80211_F_SCAN) { 1810 if (scan.status == 0 && /* NB: on channel */ 1811 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1812 /* 1813 * Actively scanning a channel marked passive; 1814 * send a probe request now that we know there 1815 * is 802.11 traffic present. 1816 * 1817 * XXX check if the beacon we recv'd gives 1818 * us what we need and suppress the probe req 1819 */ 1820 ieee80211_probe_curchan(vap, 1); 1821 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1822 } 1823 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1824 subtype, rssi, nf); 1825 return; 1826 } 1827 /* 1828 * Check beacon for overlapping bss w/ non ERP stations. 1829 * If we detect one and protection is configured but not 1830 * enabled, enable it and start a timer that'll bring us 1831 * out if we stop seeing the bss. 1832 */ 1833 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1834 scan.status == 0 && /* NB: on-channel */ 1835 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1836 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1837 vap->iv_lastnonerp = ticks; 1838 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1839 /* 1840 * XXX TODO: this may need to check all VAPs? 1841 */ 1842 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1843 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1844 IEEE80211_NOTE_FRAME(vap, 1845 IEEE80211_MSG_ASSOC, wh, 1846 "non-ERP present on channel %d " 1847 "(saw erp 0x%x from channel %d), " 1848 "enable use of protection", 1849 ic->ic_curchan->ic_ieee, 1850 scan.erp, scan.chan); 1851 vap->iv_flags |= IEEE80211_F_USEPROT; 1852 ieee80211_vap_update_erp_protmode(vap); 1853 } 1854 } 1855 /* 1856 * Check beacon for non-HT station on HT channel 1857 * and update HT BSS occupancy as appropriate. 1858 */ 1859 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1860 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1861 /* 1862 * Off control channel; only check frames 1863 * that come in the extension channel when 1864 * operating w/ HT40. 1865 */ 1866 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1867 break; 1868 if (scan.chan != ic->ic_curchan->ic_extieee) 1869 break; 1870 } 1871 if (scan.htinfo == NULL) { 1872 ieee80211_htprot_update(vap, 1873 IEEE80211_HTINFO_OPMODE_PROTOPT | 1874 IEEE80211_HTINFO_NONHT_PRESENT); 1875 } else if (ishtmixed(scan.htinfo)) { 1876 /* XXX? take NONHT_PRESENT from beacon? */ 1877 ieee80211_htprot_update(vap, 1878 IEEE80211_HTINFO_OPMODE_MIXED | 1879 IEEE80211_HTINFO_NONHT_PRESENT); 1880 } 1881 } 1882 break; 1883 } 1884 1885 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1886 if (vap->iv_state != IEEE80211_S_RUN) { 1887 vap->iv_stats.is_rx_mgtdiscard++; 1888 return; 1889 } 1890 /* 1891 * Consult the ACL policy module if setup. 1892 */ 1893 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1894 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1895 wh, NULL, "%s", "disallowed by ACL"); 1896 vap->iv_stats.is_rx_acl++; 1897 return; 1898 } 1899 /* 1900 * prreq frame format 1901 * [tlv] ssid 1902 * [tlv] supported rates 1903 * [tlv] extended supported rates 1904 */ 1905 ssid = rates = xrates = NULL; 1906 while (efrm - frm > 1) { 1907 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1908 switch (*frm) { 1909 case IEEE80211_ELEMID_SSID: 1910 ssid = frm; 1911 break; 1912 case IEEE80211_ELEMID_RATES: 1913 rates = frm; 1914 break; 1915 case IEEE80211_ELEMID_XRATES: 1916 xrates = frm; 1917 break; 1918 } 1919 frm += frm[1] + 2; 1920 } 1921 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1922 if (xrates != NULL) 1923 IEEE80211_VERIFY_ELEMENT(xrates, 1924 IEEE80211_RATE_MAXSIZE - rates[1], return); 1925 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1926 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1927 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1928 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1929 wh, NULL, 1930 "%s", "no ssid with ssid suppression enabled"); 1931 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1932 return; 1933 } 1934 1935 /* XXX find a better class or define it's own */ 1936 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1937 "%s", "recv probe req"); 1938 /* 1939 * Some legacy 11b clients cannot hack a complete 1940 * probe response frame. When the request includes 1941 * only a bare-bones rate set, communicate this to 1942 * the transmit side. 1943 */ 1944 ieee80211_send_proberesp(vap, wh->i_addr2, 1945 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1946 break; 1947 1948 case IEEE80211_FC0_SUBTYPE_AUTH: { 1949 uint16_t algo, seq, status; 1950 1951 if (vap->iv_state != IEEE80211_S_RUN) { 1952 vap->iv_stats.is_rx_mgtdiscard++; 1953 return; 1954 } 1955 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1956 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1957 wh, NULL, "%s", "wrong bssid"); 1958 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1959 return; 1960 } 1961 /* 1962 * auth frame format 1963 * [2] algorithm 1964 * [2] sequence 1965 * [2] status 1966 * [tlv*] challenge 1967 */ 1968 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1969 algo = le16toh(*(uint16_t *)frm); 1970 seq = le16toh(*(uint16_t *)(frm + 2)); 1971 status = le16toh(*(uint16_t *)(frm + 4)); 1972 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1973 "recv auth frame with algorithm %d seq %d", algo, seq); 1974 /* 1975 * Consult the ACL policy module if setup. 1976 */ 1977 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1978 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1979 wh, NULL, "%s", "disallowed by ACL"); 1980 vap->iv_stats.is_rx_acl++; 1981 ieee80211_send_error(ni, wh->i_addr2, 1982 IEEE80211_FC0_SUBTYPE_AUTH, 1983 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1984 return; 1985 } 1986 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1987 IEEE80211_DISCARD(vap, 1988 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1989 wh, NULL, "%s", "TKIP countermeasures enabled"); 1990 vap->iv_stats.is_rx_auth_countermeasures++; 1991 ieee80211_send_error(ni, wh->i_addr2, 1992 IEEE80211_FC0_SUBTYPE_AUTH, 1993 IEEE80211_REASON_MIC_FAILURE); 1994 return; 1995 } 1996 if (algo == IEEE80211_AUTH_ALG_SHARED) 1997 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1998 seq, status); 1999 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2000 hostap_auth_open(ni, wh, rssi, nf, seq, status); 2001 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 2002 authalgreject(ni, wh, algo, 2003 seq+1, IEEE80211_STATUS_ALG); 2004 return; 2005 } else { 2006 /* 2007 * We assume that an unknown algorithm is the result 2008 * of a decryption failure on a shared key auth frame; 2009 * return a status code appropriate for that instead 2010 * of IEEE80211_STATUS_ALG. 2011 * 2012 * NB: a seq# of 4 is intentional; the decrypted 2013 * frame likely has a bogus seq value. 2014 */ 2015 authalgreject(ni, wh, algo, 2016 4, IEEE80211_STATUS_CHALLENGE); 2017 return; 2018 } 2019 break; 2020 } 2021 2022 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2023 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2024 uint16_t capinfo, lintval; 2025 struct ieee80211_rsnparms rsnparms; 2026 2027 if (vap->iv_state != IEEE80211_S_RUN) { 2028 vap->iv_stats.is_rx_mgtdiscard++; 2029 return; 2030 } 2031 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2032 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2033 wh, NULL, "%s", "wrong bssid"); 2034 vap->iv_stats.is_rx_assoc_bss++; 2035 return; 2036 } 2037 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2038 reassoc = 1; 2039 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2040 } else { 2041 reassoc = 0; 2042 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2043 } 2044 if (ni == vap->iv_bss) { 2045 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2046 "deny %s request, sta not authenticated", 2047 reassoc ? "reassoc" : "assoc"); 2048 ieee80211_send_error(ni, wh->i_addr2, 2049 IEEE80211_FC0_SUBTYPE_DEAUTH, 2050 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2051 vap->iv_stats.is_rx_assoc_notauth++; 2052 return; 2053 } 2054 2055 /* 2056 * asreq frame format 2057 * [2] capability information 2058 * [2] listen interval 2059 * [6*] current AP address (reassoc only) 2060 * [tlv] ssid 2061 * [tlv] supported rates 2062 * [tlv] extended supported rates 2063 * [tlv] WPA or RSN 2064 * [tlv] HT capabilities 2065 * [tlv] Atheros capabilities 2066 */ 2067 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2068 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2069 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2070 if (reassoc) 2071 frm += 6; /* ignore current AP info */ 2072 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2073 vhtcap = vhtinfo = NULL; 2074 sfrm = frm; 2075 while (efrm - frm > 1) { 2076 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2077 switch (*frm) { 2078 case IEEE80211_ELEMID_SSID: 2079 ssid = frm; 2080 break; 2081 case IEEE80211_ELEMID_RATES: 2082 rates = frm; 2083 break; 2084 case IEEE80211_ELEMID_XRATES: 2085 xrates = frm; 2086 break; 2087 case IEEE80211_ELEMID_RSN: 2088 rsn = frm; 2089 break; 2090 case IEEE80211_ELEMID_HTCAP: 2091 htcap = frm; 2092 break; 2093 case IEEE80211_ELEMID_VHT_CAP: 2094 vhtcap = frm; 2095 break; 2096 case IEEE80211_ELEMID_VHT_OPMODE: 2097 vhtinfo = frm; 2098 break; 2099 case IEEE80211_ELEMID_VENDOR: 2100 if (iswpaoui(frm)) 2101 wpa = frm; 2102 else if (iswmeinfo(frm)) 2103 wme = frm; 2104 #ifdef IEEE80211_SUPPORT_SUPERG 2105 else if (isatherosoui(frm)) 2106 ath = frm; 2107 #endif 2108 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2109 if (ishtcapoui(frm) && htcap == NULL) 2110 htcap = frm; 2111 } 2112 break; 2113 } 2114 frm += frm[1] + 2; 2115 } 2116 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2117 if (xrates != NULL) 2118 IEEE80211_VERIFY_ELEMENT(xrates, 2119 IEEE80211_RATE_MAXSIZE - rates[1], return); 2120 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2121 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2122 if (htcap != NULL) { 2123 IEEE80211_VERIFY_LENGTH(htcap[1], 2124 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2125 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2126 sizeof(struct ieee80211_ie_htcap)-2, 2127 return); /* XXX just NULL out? */ 2128 } 2129 2130 /* Validate VHT IEs */ 2131 if (vhtcap != NULL) { 2132 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2133 sizeof(struct ieee80211_vht_cap), 2134 return); 2135 } 2136 if (vhtinfo != NULL) { 2137 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2138 sizeof(struct ieee80211_vht_operation), 2139 return); 2140 } 2141 2142 if ((vap->iv_flags & IEEE80211_F_WPA) && 2143 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2144 return; 2145 /* discard challenge after association */ 2146 if (ni->ni_challenge != NULL) { 2147 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2148 ni->ni_challenge = NULL; 2149 } 2150 /* NB: 802.11 spec says to ignore station's privacy bit */ 2151 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2152 capinfomismatch(ni, wh, reassoc, resp, 2153 "capability", capinfo); 2154 return; 2155 } 2156 /* 2157 * Disallow re-associate w/ invalid slot time setting. 2158 */ 2159 if (ni->ni_associd != 0 && 2160 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2161 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2162 capinfomismatch(ni, wh, reassoc, resp, 2163 "slot time", capinfo); 2164 return; 2165 } 2166 rate = ieee80211_setup_rates(ni, rates, xrates, 2167 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2168 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2169 if (rate & IEEE80211_RATE_BASIC) { 2170 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2171 vap->iv_stats.is_rx_assoc_norate++; 2172 return; 2173 } 2174 /* 2175 * If constrained to 11g-only stations reject an 2176 * 11b-only station. We cheat a bit here by looking 2177 * at the max negotiated xmit rate and assuming anyone 2178 * with a best rate <24Mb/s is an 11b station. 2179 */ 2180 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2181 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2182 vap->iv_stats.is_rx_assoc_norate++; 2183 return; 2184 } 2185 2186 /* 2187 * Do HT rate set handling and setup HT node state. 2188 */ 2189 ni->ni_chan = vap->iv_bss->ni_chan; 2190 2191 /* VHT */ 2192 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2193 vhtcap != NULL && 2194 vhtinfo != NULL) { 2195 /* XXX TODO; see below */ 2196 printf("%s: VHT TODO!\n", __func__); 2197 ieee80211_vht_node_init(ni); 2198 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2199 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2200 ieee80211_vht_node_cleanup(ni); 2201 2202 /* HT */ 2203 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2204 rate = ieee80211_setup_htrates(ni, htcap, 2205 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2206 IEEE80211_F_DOBRS); 2207 if (rate & IEEE80211_RATE_BASIC) { 2208 ratesetmismatch(ni, wh, reassoc, resp, 2209 "HT", rate); 2210 vap->iv_stats.is_ht_assoc_norate++; 2211 return; 2212 } 2213 ieee80211_ht_node_init(ni); 2214 ieee80211_ht_updatehtcap(ni, htcap); 2215 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2216 ieee80211_ht_node_cleanup(ni); 2217 2218 /* Finally - this will use HT/VHT info to change node channel */ 2219 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2220 ieee80211_ht_updatehtcap_final(ni); 2221 } 2222 2223 #ifdef IEEE80211_SUPPORT_SUPERG 2224 /* Always do ff node cleanup; for A-MSDU */ 2225 ieee80211_ff_node_cleanup(ni); 2226 #endif 2227 /* 2228 * Allow AMPDU operation only with unencrypted traffic 2229 * or AES-CCM; the 11n spec only specifies these ciphers 2230 * so permitting any others is undefined and can lead 2231 * to interoperability problems. 2232 */ 2233 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2234 (((vap->iv_flags & IEEE80211_F_WPA) && 2235 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2236 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2237 IEEE80211_NOTE(vap, 2238 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2239 "disallow HT use because WEP or TKIP requested, " 2240 "capinfo 0x%x ucastcipher %d", capinfo, 2241 rsnparms.rsn_ucastcipher); 2242 ieee80211_ht_node_cleanup(ni); 2243 #ifdef IEEE80211_SUPPORT_SUPERG 2244 /* Always do ff node cleanup; for A-MSDU */ 2245 ieee80211_ff_node_cleanup(ni); 2246 #endif 2247 vap->iv_stats.is_ht_assoc_downgrade++; 2248 } 2249 /* 2250 * If constrained to 11n-only stations reject legacy stations. 2251 */ 2252 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2253 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2254 htcapmismatch(ni, wh, reassoc, resp); 2255 vap->iv_stats.is_ht_assoc_nohtcap++; 2256 return; 2257 } 2258 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2259 ni->ni_noise = nf; 2260 ni->ni_intval = lintval; 2261 ni->ni_capinfo = capinfo; 2262 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2263 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2264 /* 2265 * Store the IEs. 2266 * XXX maybe better to just expand 2267 */ 2268 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2269 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2270 if (wpa != NULL) 2271 setie(wpa_ie, wpa - sfrm); 2272 if (rsn != NULL) 2273 setie(rsn_ie, rsn - sfrm); 2274 if (htcap != NULL) 2275 setie(htcap_ie, htcap - sfrm); 2276 if (wme != NULL) { 2277 setie(wme_ie, wme - sfrm); 2278 /* 2279 * Mark node as capable of QoS. 2280 */ 2281 ni->ni_flags |= IEEE80211_NODE_QOS; 2282 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2283 if (ni->ni_uapsd != 0) 2284 ni->ni_flags |= 2285 IEEE80211_NODE_UAPSD; 2286 else 2287 ni->ni_flags &= 2288 ~IEEE80211_NODE_UAPSD; 2289 } 2290 } else 2291 ni->ni_flags &= 2292 ~(IEEE80211_NODE_QOS | 2293 IEEE80211_NODE_UAPSD); 2294 #ifdef IEEE80211_SUPPORT_SUPERG 2295 if (ath != NULL) { 2296 setie(ath_ie, ath - sfrm); 2297 /* 2298 * Parse ATH station parameters. 2299 */ 2300 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2301 } else 2302 #endif 2303 ni->ni_ath_flags = 0; 2304 #undef setie 2305 } else { 2306 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2307 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2308 ni->ni_ath_flags = 0; 2309 } 2310 ieee80211_node_join(ni, resp); 2311 ieee80211_deliver_l2uf(ni); 2312 break; 2313 } 2314 2315 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2316 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2317 #ifdef IEEE80211_DEBUG 2318 uint16_t reason; 2319 #endif 2320 2321 if (vap->iv_state != IEEE80211_S_RUN || 2322 /* NB: can happen when in promiscuous mode */ 2323 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2324 vap->iv_stats.is_rx_mgtdiscard++; 2325 break; 2326 } 2327 /* 2328 * deauth/disassoc frame format 2329 * [2] reason 2330 */ 2331 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2332 #ifdef IEEE80211_DEBUG 2333 reason = le16toh(*(uint16_t *)frm); 2334 #endif 2335 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2336 vap->iv_stats.is_rx_deauth++; 2337 IEEE80211_NODE_STAT(ni, rx_deauth); 2338 } else { 2339 vap->iv_stats.is_rx_disassoc++; 2340 IEEE80211_NODE_STAT(ni, rx_disassoc); 2341 } 2342 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2343 "recv %s (reason: %d (%s))", 2344 ieee80211_mgt_subtype_name(subtype), 2345 reason, ieee80211_reason_to_string(reason)); 2346 if (ni != vap->iv_bss) 2347 ieee80211_node_leave(ni); 2348 break; 2349 } 2350 2351 case IEEE80211_FC0_SUBTYPE_ACTION: 2352 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2353 if (ni == vap->iv_bss) { 2354 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2355 wh, NULL, "%s", "unknown node"); 2356 vap->iv_stats.is_rx_mgtdiscard++; 2357 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2358 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2359 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2360 wh, NULL, "%s", "not for us"); 2361 vap->iv_stats.is_rx_mgtdiscard++; 2362 } else if (vap->iv_state != IEEE80211_S_RUN) { 2363 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2364 wh, NULL, "wrong state %s", 2365 ieee80211_state_name[vap->iv_state]); 2366 vap->iv_stats.is_rx_mgtdiscard++; 2367 } else { 2368 if (ieee80211_parse_action(ni, m0) == 0) 2369 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2370 } 2371 break; 2372 2373 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2374 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2375 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2376 case IEEE80211_FC0_SUBTYPE_ATIM: 2377 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2378 wh, NULL, "%s", "not handled"); 2379 vap->iv_stats.is_rx_mgtdiscard++; 2380 break; 2381 2382 default: 2383 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2384 wh, "mgt", "subtype 0x%x not handled", subtype); 2385 vap->iv_stats.is_rx_badsubtype++; 2386 break; 2387 } 2388 } 2389 2390 static void 2391 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2392 { 2393 switch (subtype) { 2394 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2395 ni->ni_vap->iv_recv_pspoll(ni, m); 2396 break; 2397 case IEEE80211_FC0_SUBTYPE_BAR: 2398 ieee80211_recv_bar(ni, m); 2399 break; 2400 } 2401 } 2402 2403 /* 2404 * Process a received ps-poll frame. 2405 */ 2406 void 2407 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2408 { 2409 struct ieee80211vap *vap = ni->ni_vap; 2410 struct ieee80211com *ic = vap->iv_ic; 2411 struct ieee80211_frame_min *wh; 2412 struct mbuf *m; 2413 uint16_t aid; 2414 int qlen; 2415 2416 wh = mtod(m0, struct ieee80211_frame_min *); 2417 if (ni->ni_associd == 0) { 2418 IEEE80211_DISCARD(vap, 2419 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2420 (struct ieee80211_frame *) wh, NULL, 2421 "%s", "unassociated station"); 2422 vap->iv_stats.is_ps_unassoc++; 2423 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2424 IEEE80211_REASON_NOT_ASSOCED); 2425 return; 2426 } 2427 2428 aid = le16toh(*(uint16_t *)wh->i_dur); 2429 if (aid != ni->ni_associd) { 2430 IEEE80211_DISCARD(vap, 2431 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2432 (struct ieee80211_frame *) wh, NULL, 2433 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2434 ni->ni_associd, aid); 2435 vap->iv_stats.is_ps_badaid++; 2436 /* 2437 * NB: We used to deauth the station but it turns out 2438 * the Blackberry Curve 8230 (and perhaps other devices) 2439 * sometimes send the wrong AID when WME is negotiated. 2440 * Being more lenient here seems ok as we already check 2441 * the station is associated and we only return frames 2442 * queued for the station (i.e. we don't use the AID). 2443 */ 2444 return; 2445 } 2446 2447 /* Okay, take the first queued packet and put it out... */ 2448 m = ieee80211_node_psq_dequeue(ni, &qlen); 2449 if (m == NULL) { 2450 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2451 "%s", "recv ps-poll, but queue empty"); 2452 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2453 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2454 if (vap->iv_set_tim != NULL) 2455 vap->iv_set_tim(ni, 0); /* just in case */ 2456 return; 2457 } 2458 /* 2459 * If there are more packets, set the more packets bit 2460 * in the packet dispatched to the station; otherwise 2461 * turn off the TIM bit. 2462 */ 2463 if (qlen != 0) { 2464 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2465 "recv ps-poll, send packet, %u still queued", qlen); 2466 m->m_flags |= M_MORE_DATA; 2467 } else { 2468 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2469 "%s", "recv ps-poll, send packet, queue empty"); 2470 if (vap->iv_set_tim != NULL) 2471 vap->iv_set_tim(ni, 0); 2472 } 2473 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2474 2475 /* 2476 * Do the right thing; if it's an encap'ed frame then 2477 * call ieee80211_parent_xmitpkt() else 2478 * call ieee80211_vap_xmitpkt(). 2479 */ 2480 if (m->m_flags & M_ENCAP) { 2481 (void) ieee80211_parent_xmitpkt(ic, m); 2482 } else { 2483 (void) ieee80211_vap_xmitpkt(vap, m); 2484 } 2485 } 2486