1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 #ifdef __FreeBSD__
30 __FBSDID("$FreeBSD$");
31 #endif
32
33 /*
34 * IEEE 802.11 HOSTAP mode support.
35 */
36 #include "opt_inet.h"
37 #include "opt_wlan.h"
38
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/mbuf.h>
42 #include <sys/malloc.h>
43 #include <sys/kernel.h>
44
45 #include <sys/socket.h>
46 #include <sys/sockio.h>
47 #include <sys/endian.h>
48 #include <sys/errno.h>
49 #include <sys/proc.h>
50 #include <sys/sysctl.h>
51
52 #include <net/if.h>
53 #include <net/if_var.h>
54 #include <net/if_media.h>
55 #include <net/if_llc.h>
56 #include <net/ethernet.h>
57
58 #include <net/bpf.h>
59
60 #include <net80211/ieee80211_var.h>
61 #include <net80211/ieee80211_hostap.h>
62 #include <net80211/ieee80211_input.h>
63 #ifdef IEEE80211_SUPPORT_SUPERG
64 #include <net80211/ieee80211_superg.h>
65 #endif
66 #include <net80211/ieee80211_wds.h>
67 #include <net80211/ieee80211_vht.h>
68 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */
69
70 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
71
72 static void hostap_vattach(struct ieee80211vap *);
73 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
74 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
75 const struct ieee80211_rx_stats *,
76 int rssi, int nf);
77 static void hostap_deliver_data(struct ieee80211vap *,
78 struct ieee80211_node *, struct mbuf *);
79 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
80 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
81 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
82
83 void
84 ieee80211_hostap_attach(struct ieee80211com *ic)
85 {
86 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
87 }
88
89 void
90 ieee80211_hostap_detach(struct ieee80211com *ic)
91 {
92 }
93
94 static void
95 hostap_vdetach(struct ieee80211vap *vap)
96 {
97 }
98
99 static void
100 hostap_vattach(struct ieee80211vap *vap)
101 {
102 vap->iv_newstate = hostap_newstate;
103 vap->iv_input = hostap_input;
104 vap->iv_recv_mgmt = hostap_recv_mgmt;
105 vap->iv_recv_ctl = hostap_recv_ctl;
106 vap->iv_opdetach = hostap_vdetach;
107 vap->iv_deliver_data = hostap_deliver_data;
108 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
109 }
110
111 static void
112 sta_disassoc(void *arg, struct ieee80211_node *ni)
113 {
114
115 if (ni->ni_associd != 0) {
116 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
117 IEEE80211_REASON_ASSOC_LEAVE);
118 ieee80211_node_leave(ni);
119 }
120 }
121
122 static void
123 sta_csa(void *arg, struct ieee80211_node *ni)
124 {
125 struct ieee80211vap *vap = ni->ni_vap;
126
127 if (ni->ni_associd != 0)
128 if (ni->ni_inact > vap->iv_inact_init) {
129 ni->ni_inact = vap->iv_inact_init;
130 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
131 "%s: inact %u", __func__, ni->ni_inact);
132 }
133 }
134
135 static void
136 sta_drop(void *arg, struct ieee80211_node *ni)
137 {
138
139 if (ni->ni_associd != 0)
140 ieee80211_node_leave(ni);
141 }
142
143 /*
144 * Does a channel change require associated stations to re-associate
145 * so protocol state is correct. This is used when doing CSA across
146 * bands or similar (e.g. HT -> legacy).
147 */
148 static int
149 isbandchange(struct ieee80211com *ic)
150 {
151 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
152 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
153 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
154 }
155
156 /*
157 * IEEE80211_M_HOSTAP vap state machine handler.
158 */
159 static int
160 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
161 {
162 struct ieee80211com *ic = vap->iv_ic;
163 enum ieee80211_state ostate;
164
165 IEEE80211_LOCK_ASSERT(ic);
166
167 ostate = vap->iv_state;
168 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
169 __func__, ieee80211_state_name[ostate],
170 ieee80211_state_name[nstate], arg);
171 vap->iv_state = nstate; /* state transition */
172 if (ostate != IEEE80211_S_SCAN)
173 ieee80211_cancel_scan(vap); /* background scan */
174 switch (nstate) {
175 case IEEE80211_S_INIT:
176 switch (ostate) {
177 case IEEE80211_S_SCAN:
178 ieee80211_cancel_scan(vap);
179 break;
180 case IEEE80211_S_CAC:
181 ieee80211_dfs_cac_stop(vap);
182 break;
183 case IEEE80211_S_RUN:
184 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
185 sta_disassoc, NULL);
186 break;
187 default:
188 break;
189 }
190 if (ostate != IEEE80211_S_INIT) {
191 /* NB: optimize INIT -> INIT case */
192 ieee80211_reset_bss(vap);
193 }
194 if (vap->iv_auth->ia_detach != NULL)
195 vap->iv_auth->ia_detach(vap);
196 break;
197 case IEEE80211_S_SCAN:
198 switch (ostate) {
199 case IEEE80211_S_CSA:
200 case IEEE80211_S_RUN:
201 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
202 sta_disassoc, NULL);
203 /*
204 * Clear overlapping BSS state; the beacon frame
205 * will be reconstructed on transition to the RUN
206 * state and the timeout routines check if the flag
207 * is set before doing anything so this is sufficient.
208 */
209 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
210 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
211 /* XXX TODO: schedule deferred update? */
212 /* fall thru... */
213 case IEEE80211_S_CAC:
214 /*
215 * NB: We may get here because of a manual channel
216 * change in which case we need to stop CAC
217 * XXX no need to stop if ostate RUN but it's ok
218 */
219 ieee80211_dfs_cac_stop(vap);
220 /* fall thru... */
221 case IEEE80211_S_INIT:
222 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
223 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
224 /*
225 * Already have a channel; bypass the
226 * scan and startup immediately.
227 * ieee80211_create_ibss will call back to
228 * move us to RUN state.
229 */
230 ieee80211_create_ibss(vap, vap->iv_des_chan);
231 break;
232 }
233 /*
234 * Initiate a scan. We can come here as a result
235 * of an IEEE80211_IOC_SCAN_REQ too in which case
236 * the vap will be marked with IEEE80211_FEXT_SCANREQ
237 * and the scan request parameters will be present
238 * in iv_scanreq. Otherwise we do the default.
239 */
240 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
241 ieee80211_check_scan(vap,
242 vap->iv_scanreq_flags,
243 vap->iv_scanreq_duration,
244 vap->iv_scanreq_mindwell,
245 vap->iv_scanreq_maxdwell,
246 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
247 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
248 } else
249 ieee80211_check_scan_current(vap);
250 break;
251 case IEEE80211_S_SCAN:
252 /*
253 * A state change requires a reset; scan.
254 */
255 ieee80211_check_scan_current(vap);
256 break;
257 default:
258 break;
259 }
260 break;
261 case IEEE80211_S_CAC:
262 /*
263 * Start CAC on a DFS channel. We come here when starting
264 * a bss on a DFS channel (see ieee80211_create_ibss).
265 */
266 ieee80211_dfs_cac_start(vap);
267 break;
268 case IEEE80211_S_RUN:
269 if (vap->iv_flags & IEEE80211_F_WPA) {
270 /* XXX validate prerequisites */
271 }
272 switch (ostate) {
273 case IEEE80211_S_INIT:
274 /*
275 * Already have a channel; bypass the
276 * scan and startup immediately.
277 * Note that ieee80211_create_ibss will call
278 * back to do a RUN->RUN state change.
279 */
280 ieee80211_create_ibss(vap,
281 ieee80211_ht_adjust_channel(ic,
282 ic->ic_curchan, vap->iv_flags_ht));
283 /* NB: iv_bss is changed on return */
284 break;
285 case IEEE80211_S_CAC:
286 /*
287 * NB: This is the normal state change when CAC
288 * expires and no radar was detected; no need to
289 * clear the CAC timer as it's already expired.
290 */
291 /* fall thru... */
292 case IEEE80211_S_CSA:
293 /*
294 * Shorten inactivity timer of associated stations
295 * to weed out sta's that don't follow a CSA.
296 */
297 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
298 sta_csa, NULL);
299 /*
300 * Update bss node channel to reflect where
301 * we landed after CSA.
302 */
303 ieee80211_node_set_chan(vap->iv_bss,
304 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
305 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
306 /* XXX bypass debug msgs */
307 break;
308 case IEEE80211_S_SCAN:
309 case IEEE80211_S_RUN:
310 #ifdef IEEE80211_DEBUG
311 if (ieee80211_msg_debug(vap)) {
312 struct ieee80211_node *ni = vap->iv_bss;
313 ieee80211_note(vap,
314 "synchronized with %s ssid ",
315 ether_sprintf(ni->ni_bssid));
316 ieee80211_print_essid(ni->ni_essid,
317 ni->ni_esslen);
318 /* XXX MCS/HT */
319 printf(" channel %d start %uMb\n",
320 ieee80211_chan2ieee(ic, ic->ic_curchan),
321 IEEE80211_RATE2MBS(ni->ni_txrate));
322 }
323 #endif
324 break;
325 default:
326 break;
327 }
328 /*
329 * Start/stop the authenticator. We delay until here
330 * to allow configuration to happen out of order.
331 */
332 if (vap->iv_auth->ia_attach != NULL) {
333 /* XXX check failure */
334 vap->iv_auth->ia_attach(vap);
335 } else if (vap->iv_auth->ia_detach != NULL) {
336 vap->iv_auth->ia_detach(vap);
337 }
338 ieee80211_node_authorize(vap->iv_bss);
339 break;
340 case IEEE80211_S_CSA:
341 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
342 /*
343 * On a ``band change'' silently drop associated
344 * stations as they must re-associate before they
345 * can pass traffic (as otherwise protocol state
346 * such as capabilities and the negotiated rate
347 * set may/will be wrong).
348 */
349 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
350 sta_drop, NULL);
351 }
352 break;
353 default:
354 break;
355 }
356 return 0;
357 }
358
359 static void
360 hostap_deliver_data(struct ieee80211vap *vap,
361 struct ieee80211_node *ni, struct mbuf *m)
362 {
363 struct ether_header *eh = mtod(m, struct ether_header *);
364 struct ifnet *ifp = vap->iv_ifp;
365
366 /* clear driver/net80211 flags before passing up */
367 m->m_flags &= ~(M_MCAST | M_BCAST);
368 m_clrprotoflags(m);
369
370 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
371 ("gack, opmode %d", vap->iv_opmode));
372 /*
373 * Do accounting.
374 */
375 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
376 IEEE80211_NODE_STAT(ni, rx_data);
377 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
378 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
379 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
380 IEEE80211_NODE_STAT(ni, rx_mcast);
381 } else
382 IEEE80211_NODE_STAT(ni, rx_ucast);
383
384 /* perform as a bridge within the AP */
385 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
386 struct mbuf *mcopy = NULL;
387
388 if (m->m_flags & M_MCAST) {
389 mcopy = m_dup(m, M_NOWAIT);
390 if (mcopy == NULL)
391 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
392 else
393 mcopy->m_flags |= M_MCAST;
394 } else {
395 /*
396 * Check if the destination is associated with the
397 * same vap and authorized to receive traffic.
398 * Beware of traffic destined for the vap itself;
399 * sending it will not work; just let it be delivered
400 * normally.
401 */
402 struct ieee80211_node *sta = ieee80211_find_vap_node(
403 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
404 if (sta != NULL) {
405 if (ieee80211_node_is_authorized(sta)) {
406 /*
407 * Beware of sending to ourself; this
408 * needs to happen via the normal
409 * input path.
410 */
411 if (sta != vap->iv_bss) {
412 mcopy = m;
413 m = NULL;
414 }
415 } else {
416 vap->iv_stats.is_rx_unauth++;
417 IEEE80211_NODE_STAT(sta, rx_unauth);
418 }
419 ieee80211_free_node(sta);
420 }
421 }
422 if (mcopy != NULL)
423 (void) ieee80211_vap_xmitpkt(vap, mcopy);
424 }
425 if (m != NULL) {
426 /*
427 * Mark frame as coming from vap's interface.
428 */
429 m->m_pkthdr.rcvif = ifp;
430 if (m->m_flags & M_MCAST) {
431 /*
432 * Spam DWDS vap's w/ multicast traffic.
433 */
434 /* XXX only if dwds in use? */
435 ieee80211_dwds_mcast(vap, m);
436 }
437 if (ni->ni_vlan != 0) {
438 /* attach vlan tag */
439 m->m_pkthdr.ether_vtag = ni->ni_vlan;
440 m->m_flags |= M_VLANTAG;
441 }
442 ifp->if_input(ifp, m);
443 }
444 }
445
446 /*
447 * Decide if a received management frame should be
448 * printed when debugging is enabled. This filters some
449 * of the less interesting frames that come frequently
450 * (e.g. beacons).
451 */
452 static __inline int
453 doprint(struct ieee80211vap *vap, int subtype)
454 {
455 switch (subtype) {
456 case IEEE80211_FC0_SUBTYPE_BEACON:
457 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
458 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
459 return 0;
460 }
461 return 1;
462 }
463
464 /*
465 * Process a received frame. The node associated with the sender
466 * should be supplied. If nothing was found in the node table then
467 * the caller is assumed to supply a reference to iv_bss instead.
468 * The RSSI and a timestamp are also supplied. The RSSI data is used
469 * during AP scanning to select a AP to associate with; it can have
470 * any units so long as values have consistent units and higher values
471 * mean ``better signal''. The receive timestamp is currently not used
472 * by the 802.11 layer.
473 */
474 static int
475 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
476 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
477 {
478 struct ieee80211vap *vap = ni->ni_vap;
479 struct ieee80211com *ic = ni->ni_ic;
480 struct ifnet *ifp = vap->iv_ifp;
481 struct ieee80211_frame *wh;
482 struct ieee80211_key *key;
483 struct ether_header *eh;
484 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
485 uint8_t dir, type, subtype, qos;
486 uint8_t *bssid;
487 int is_hw_decrypted = 0;
488 int has_decrypted = 0;
489
490 /*
491 * Some devices do hardware decryption all the way through
492 * to pretending the frame wasn't encrypted in the first place.
493 * So, tag it appropriately so it isn't discarded inappropriately.
494 */
495 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
496 is_hw_decrypted = 1;
497
498 if (m->m_flags & M_AMPDU_MPDU) {
499 /*
500 * Fastpath for A-MPDU reorder q resubmission. Frames
501 * w/ M_AMPDU_MPDU marked have already passed through
502 * here but were received out of order and been held on
503 * the reorder queue. When resubmitted they are marked
504 * with the M_AMPDU_MPDU flag and we can bypass most of
505 * the normal processing.
506 */
507 wh = mtod(m, struct ieee80211_frame *);
508 type = IEEE80211_FC0_TYPE_DATA;
509 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
510 subtype = IEEE80211_FC0_SUBTYPE_QOS;
511 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
512 goto resubmit_ampdu;
513 }
514
515 KASSERT(ni != NULL, ("null node"));
516 ni->ni_inact = ni->ni_inact_reload;
517
518 type = -1; /* undefined */
519
520 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
521 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
522 ni->ni_macaddr, NULL,
523 "too short (1): len %u", m->m_pkthdr.len);
524 vap->iv_stats.is_rx_tooshort++;
525 goto out;
526 }
527 /*
528 * Bit of a cheat here, we use a pointer for a 3-address
529 * frame format but don't reference fields past outside
530 * ieee80211_frame_min w/o first validating the data is
531 * present.
532 */
533 wh = mtod(m, struct ieee80211_frame *);
534
535 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
536 IEEE80211_FC0_VERSION_0) {
537 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
538 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
539 wh->i_fc[0], wh->i_fc[1]);
540 vap->iv_stats.is_rx_badversion++;
541 goto err;
542 }
543
544 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
545 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
546 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
547 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
548 if (dir != IEEE80211_FC1_DIR_NODS)
549 bssid = wh->i_addr1;
550 else if (type == IEEE80211_FC0_TYPE_CTL)
551 bssid = wh->i_addr1;
552 else {
553 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
554 IEEE80211_DISCARD_MAC(vap,
555 IEEE80211_MSG_ANY, ni->ni_macaddr,
556 NULL, "too short (2): len %u",
557 m->m_pkthdr.len);
558 vap->iv_stats.is_rx_tooshort++;
559 goto out;
560 }
561 bssid = wh->i_addr3;
562 }
563 /*
564 * Validate the bssid.
565 */
566 if (!(type == IEEE80211_FC0_TYPE_MGT &&
567 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
568 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
569 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
570 /* not interested in */
571 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
572 bssid, NULL, "%s", "not to bss");
573 vap->iv_stats.is_rx_wrongbss++;
574 goto out;
575 }
576
577 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
578 ni->ni_noise = nf;
579 if (IEEE80211_HAS_SEQ(type, subtype)) {
580 uint8_t tid = ieee80211_gettid(wh);
581 if (IEEE80211_QOS_HAS_SEQ(wh) &&
582 TID_TO_WME_AC(tid) >= WME_AC_VI)
583 ic->ic_wme.wme_hipri_traffic++;
584 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
585 goto out;
586 }
587 }
588
589 switch (type) {
590 case IEEE80211_FC0_TYPE_DATA:
591 hdrspace = ieee80211_hdrspace(ic, wh);
592 if (m->m_len < hdrspace &&
593 (m = m_pullup(m, hdrspace)) == NULL) {
594 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
595 ni->ni_macaddr, NULL,
596 "data too short: expecting %u", hdrspace);
597 vap->iv_stats.is_rx_tooshort++;
598 goto out; /* XXX */
599 }
600 if (!(dir == IEEE80211_FC1_DIR_TODS ||
601 (dir == IEEE80211_FC1_DIR_DSTODS &&
602 (vap->iv_flags & IEEE80211_F_DWDS)))) {
603 if (dir != IEEE80211_FC1_DIR_DSTODS) {
604 IEEE80211_DISCARD(vap,
605 IEEE80211_MSG_INPUT, wh, "data",
606 "incorrect dir 0x%x", dir);
607 } else {
608 IEEE80211_DISCARD(vap,
609 IEEE80211_MSG_INPUT |
610 IEEE80211_MSG_WDS, wh,
611 "4-address data",
612 "%s", "DWDS not enabled");
613 }
614 vap->iv_stats.is_rx_wrongdir++;
615 goto out;
616 }
617 /* check if source STA is associated */
618 if (ni == vap->iv_bss) {
619 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
620 wh, "data", "%s", "unknown src");
621 ieee80211_send_error(ni, wh->i_addr2,
622 IEEE80211_FC0_SUBTYPE_DEAUTH,
623 IEEE80211_REASON_NOT_AUTHED);
624 vap->iv_stats.is_rx_notassoc++;
625 goto err;
626 }
627 if (ni->ni_associd == 0) {
628 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
629 wh, "data", "%s", "unassoc src");
630 IEEE80211_SEND_MGMT(ni,
631 IEEE80211_FC0_SUBTYPE_DISASSOC,
632 IEEE80211_REASON_NOT_ASSOCED);
633 vap->iv_stats.is_rx_notassoc++;
634 goto err;
635 }
636
637 /*
638 * Check for power save state change.
639 * XXX out-of-order A-MPDU frames?
640 */
641 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
642 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
643 vap->iv_node_ps(ni,
644 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
645 /*
646 * For 4-address packets handle WDS discovery
647 * notifications. Once a WDS link is setup frames
648 * are just delivered to the WDS vap (see below).
649 */
650 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
651 if (!ieee80211_node_is_authorized(ni)) {
652 IEEE80211_DISCARD(vap,
653 IEEE80211_MSG_INPUT |
654 IEEE80211_MSG_WDS, wh,
655 "4-address data",
656 "%s", "unauthorized port");
657 vap->iv_stats.is_rx_unauth++;
658 IEEE80211_NODE_STAT(ni, rx_unauth);
659 goto err;
660 }
661 ieee80211_dwds_discover(ni, m);
662 return type;
663 }
664
665 /*
666 * Handle A-MPDU re-ordering. If the frame is to be
667 * processed directly then ieee80211_ampdu_reorder
668 * will return 0; otherwise it has consumed the mbuf
669 * and we should do nothing more with it.
670 */
671 if ((m->m_flags & M_AMPDU) &&
672 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
673 m = NULL;
674 goto out;
675 }
676 resubmit_ampdu:
677
678 /*
679 * Handle privacy requirements. Note that we
680 * must not be preempted from here until after
681 * we (potentially) call ieee80211_crypto_demic;
682 * otherwise we may violate assumptions in the
683 * crypto cipher modules used to do delayed update
684 * of replay sequence numbers.
685 */
686 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
687 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
688 /*
689 * Discard encrypted frames when privacy is off.
690 */
691 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
692 wh, "WEP", "%s", "PRIVACY off");
693 vap->iv_stats.is_rx_noprivacy++;
694 IEEE80211_NODE_STAT(ni, rx_noprivacy);
695 goto out;
696 }
697 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
698 /* NB: stats+msgs handled in crypto_decap */
699 IEEE80211_NODE_STAT(ni, rx_wepfail);
700 goto out;
701 }
702 wh = mtod(m, struct ieee80211_frame *);
703 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
704 has_decrypted = 1;
705 } else {
706 /* XXX M_WEP and IEEE80211_F_PRIVACY */
707 key = NULL;
708 }
709
710 /*
711 * Save QoS bits for use below--before we strip the header.
712 */
713 if (subtype == IEEE80211_FC0_SUBTYPE_QOS)
714 qos = ieee80211_getqos(wh)[0];
715 else
716 qos = 0;
717
718 /*
719 * Next up, any fragmentation.
720 */
721 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
722 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
723 if (m == NULL) {
724 /* Fragment dropped or frame not complete yet */
725 goto out;
726 }
727 }
728 wh = NULL; /* no longer valid, catch any uses */
729
730 /*
731 * Next strip any MSDU crypto bits.
732 */
733 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
734 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
735 ni->ni_macaddr, "data", "%s", "demic error");
736 vap->iv_stats.is_rx_demicfail++;
737 IEEE80211_NODE_STAT(ni, rx_demicfail);
738 goto out;
739 }
740 /* copy to listener after decrypt */
741 if (ieee80211_radiotap_active_vap(vap))
742 ieee80211_radiotap_rx(vap, m);
743 need_tap = 0;
744 /*
745 * Finally, strip the 802.11 header.
746 */
747 m = ieee80211_decap(vap, m, hdrspace, qos);
748 if (m == NULL) {
749 /* XXX mask bit to check for both */
750 /* don't count Null data frames as errors */
751 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
752 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
753 goto out;
754 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
755 ni->ni_macaddr, "data", "%s", "decap error");
756 vap->iv_stats.is_rx_decap++;
757 IEEE80211_NODE_STAT(ni, rx_decap);
758 goto err;
759 }
760 if (!(qos & IEEE80211_QOS_AMSDU))
761 eh = mtod(m, struct ether_header *);
762 else
763 eh = NULL;
764 if (!ieee80211_node_is_authorized(ni)) {
765 /*
766 * Deny any non-PAE frames received prior to
767 * authorization. For open/shared-key
768 * authentication the port is mark authorized
769 * after authentication completes. For 802.1x
770 * the port is not marked authorized by the
771 * authenticator until the handshake has completed.
772 */
773 if (eh == NULL ||
774 eh->ether_type != htons(ETHERTYPE_PAE)) {
775 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
776 ni->ni_macaddr, "data", "unauthorized or "
777 "unknown port: ether type 0x%x len %u",
778 eh == NULL ? -1 : eh->ether_type,
779 m->m_pkthdr.len);
780 vap->iv_stats.is_rx_unauth++;
781 IEEE80211_NODE_STAT(ni, rx_unauth);
782 goto err;
783 }
784 } else {
785 /*
786 * When denying unencrypted frames, discard
787 * any non-PAE frames received without encryption.
788 */
789 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
790 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
791 (is_hw_decrypted == 0) &&
792 (eh == NULL ||
793 eh->ether_type != htons(ETHERTYPE_PAE))) {
794 /*
795 * Drop unencrypted frames.
796 */
797 vap->iv_stats.is_rx_unencrypted++;
798 IEEE80211_NODE_STAT(ni, rx_unencrypted);
799 goto out;
800 }
801 }
802 /* XXX require HT? */
803 if (qos & IEEE80211_QOS_AMSDU) {
804 m = ieee80211_decap_amsdu(ni, m);
805 if (m == NULL)
806 return IEEE80211_FC0_TYPE_DATA;
807 } else {
808 #ifdef IEEE80211_SUPPORT_SUPERG
809 m = ieee80211_decap_fastframe(vap, ni, m);
810 if (m == NULL)
811 return IEEE80211_FC0_TYPE_DATA;
812 #endif
813 }
814 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
815 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
816 else
817 hostap_deliver_data(vap, ni, m);
818 return IEEE80211_FC0_TYPE_DATA;
819
820 case IEEE80211_FC0_TYPE_MGT:
821 vap->iv_stats.is_rx_mgmt++;
822 IEEE80211_NODE_STAT(ni, rx_mgmt);
823 if (dir != IEEE80211_FC1_DIR_NODS) {
824 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
825 wh, "mgt", "incorrect dir 0x%x", dir);
826 vap->iv_stats.is_rx_wrongdir++;
827 goto err;
828 }
829 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
830 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
831 ni->ni_macaddr, "mgt", "too short: len %u",
832 m->m_pkthdr.len);
833 vap->iv_stats.is_rx_tooshort++;
834 goto out;
835 }
836 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
837 /* ensure return frames are unicast */
838 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
839 wh, NULL, "source is multicast: %s",
840 ether_sprintf(wh->i_addr2));
841 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
842 goto out;
843 }
844 #ifdef IEEE80211_DEBUG
845 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
846 ieee80211_msg_dumppkts(vap)) {
847 if_printf(ifp, "received %s from %s rssi %d\n",
848 ieee80211_mgt_subtype_name(subtype),
849 ether_sprintf(wh->i_addr2), rssi);
850 }
851 #endif
852 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
853 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
854 /*
855 * Only shared key auth frames with a challenge
856 * should be encrypted, discard all others.
857 */
858 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
859 wh, NULL,
860 "%s", "WEP set but not permitted");
861 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
862 goto out;
863 }
864 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
865 /*
866 * Discard encrypted frames when privacy is off.
867 */
868 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
869 wh, NULL, "%s", "WEP set but PRIVACY off");
870 vap->iv_stats.is_rx_noprivacy++;
871 goto out;
872 }
873 hdrspace = ieee80211_hdrspace(ic, wh);
874 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
875 /* NB: stats+msgs handled in crypto_decap */
876 goto out;
877 }
878 wh = mtod(m, struct ieee80211_frame *);
879 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
880 has_decrypted = 1;
881 }
882 /*
883 * Pass the packet to radiotap before calling iv_recv_mgmt().
884 * Otherwise iv_recv_mgmt() might pass another packet to
885 * radiotap, resulting in out of order packet captures.
886 */
887 if (ieee80211_radiotap_active_vap(vap))
888 ieee80211_radiotap_rx(vap, m);
889 need_tap = 0;
890 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
891 goto out;
892
893 case IEEE80211_FC0_TYPE_CTL:
894 vap->iv_stats.is_rx_ctl++;
895 IEEE80211_NODE_STAT(ni, rx_ctrl);
896 vap->iv_recv_ctl(ni, m, subtype);
897 goto out;
898 default:
899 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
900 wh, "bad", "frame type 0x%x", type);
901 /* should not come here */
902 break;
903 }
904 err:
905 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
906 out:
907 if (m != NULL) {
908 if (need_tap && ieee80211_radiotap_active_vap(vap))
909 ieee80211_radiotap_rx(vap, m);
910 m_freem(m);
911 }
912 return type;
913 }
914
915 static void
916 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
917 int rssi, int nf, uint16_t seq, uint16_t status)
918 {
919 struct ieee80211vap *vap = ni->ni_vap;
920
921 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
922
923 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
924 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
925 ni->ni_macaddr, "open auth",
926 "bad sta auth mode %u", ni->ni_authmode);
927 vap->iv_stats.is_rx_bad_auth++; /* XXX */
928 /*
929 * Clear any challenge text that may be there if
930 * a previous shared key auth failed and then an
931 * open auth is attempted.
932 */
933 if (ni->ni_challenge != NULL) {
934 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
935 ni->ni_challenge = NULL;
936 }
937 /* XXX hack to workaround calling convention */
938 ieee80211_send_error(ni, wh->i_addr2,
939 IEEE80211_FC0_SUBTYPE_AUTH,
940 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
941 return;
942 }
943 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
944 vap->iv_stats.is_rx_bad_auth++;
945 return;
946 }
947 /* always accept open authentication requests */
948 if (ni == vap->iv_bss) {
949 ni = ieee80211_dup_bss(vap, wh->i_addr2);
950 if (ni == NULL)
951 return;
952 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
953 (void) ieee80211_ref_node(ni);
954 /*
955 * Mark the node as referenced to reflect that it's
956 * reference count has been bumped to insure it remains
957 * after the transaction completes.
958 */
959 ni->ni_flags |= IEEE80211_NODE_AREF;
960 /*
961 * Mark the node as requiring a valid association id
962 * before outbound traffic is permitted.
963 */
964 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
965
966 if (vap->iv_acl != NULL &&
967 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
968 /*
969 * When the ACL policy is set to RADIUS we defer the
970 * authorization to a user agent. Dispatch an event,
971 * a subsequent MLME call will decide the fate of the
972 * station. If the user agent is not present then the
973 * node will be reclaimed due to inactivity.
974 */
975 IEEE80211_NOTE_MAC(vap,
976 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
977 "%s", "station authentication defered (radius acl)");
978 ieee80211_notify_node_auth(ni);
979 } else {
980 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
981 IEEE80211_NOTE_MAC(vap,
982 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
983 "%s", "station authenticated (open)");
984 /*
985 * When 802.1x is not in use mark the port
986 * authorized at this point so traffic can flow.
987 */
988 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
989 ieee80211_node_authorize(ni);
990 }
991 }
992
993 static void
994 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
995 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
996 uint16_t seq, uint16_t status)
997 {
998 struct ieee80211vap *vap = ni->ni_vap;
999 uint8_t *challenge;
1000 int allocbs, estatus;
1001
1002 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1003
1004 /*
1005 * NB: this can happen as we allow pre-shared key
1006 * authentication to be enabled w/o wep being turned
1007 * on so that configuration of these can be done
1008 * in any order. It may be better to enforce the
1009 * ordering in which case this check would just be
1010 * for sanity/consistency.
1011 */
1012 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1013 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1014 ni->ni_macaddr, "shared key auth",
1015 "%s", " PRIVACY is disabled");
1016 estatus = IEEE80211_STATUS_ALG;
1017 goto bad;
1018 }
1019 /*
1020 * Pre-shared key authentication is evil; accept
1021 * it only if explicitly configured (it is supported
1022 * mainly for compatibility with clients like Mac OS X).
1023 */
1024 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1025 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1026 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1027 ni->ni_macaddr, "shared key auth",
1028 "bad sta auth mode %u", ni->ni_authmode);
1029 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1030 estatus = IEEE80211_STATUS_ALG;
1031 goto bad;
1032 }
1033
1034 challenge = NULL;
1035 if (frm + 1 < efrm) {
1036 if ((frm[1] + 2) > (efrm - frm)) {
1037 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1038 ni->ni_macaddr, "shared key auth",
1039 "ie %d/%d too long",
1040 frm[0], (frm[1] + 2) - (efrm - frm));
1041 vap->iv_stats.is_rx_bad_auth++;
1042 estatus = IEEE80211_STATUS_CHALLENGE;
1043 goto bad;
1044 }
1045 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1046 challenge = frm;
1047 frm += frm[1] + 2;
1048 }
1049 switch (seq) {
1050 case IEEE80211_AUTH_SHARED_CHALLENGE:
1051 case IEEE80211_AUTH_SHARED_RESPONSE:
1052 if (challenge == NULL) {
1053 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1054 ni->ni_macaddr, "shared key auth",
1055 "%s", "no challenge");
1056 vap->iv_stats.is_rx_bad_auth++;
1057 estatus = IEEE80211_STATUS_CHALLENGE;
1058 goto bad;
1059 }
1060 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1061 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1062 ni->ni_macaddr, "shared key auth",
1063 "bad challenge len %d", challenge[1]);
1064 vap->iv_stats.is_rx_bad_auth++;
1065 estatus = IEEE80211_STATUS_CHALLENGE;
1066 goto bad;
1067 }
1068 default:
1069 break;
1070 }
1071 switch (seq) {
1072 case IEEE80211_AUTH_SHARED_REQUEST:
1073 if (ni == vap->iv_bss) {
1074 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1075 if (ni == NULL) {
1076 /* NB: no way to return an error */
1077 return;
1078 }
1079 allocbs = 1;
1080 } else {
1081 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1082 (void) ieee80211_ref_node(ni);
1083 allocbs = 0;
1084 }
1085 /*
1086 * Mark the node as referenced to reflect that it's
1087 * reference count has been bumped to insure it remains
1088 * after the transaction completes.
1089 */
1090 ni->ni_flags |= IEEE80211_NODE_AREF;
1091 /*
1092 * Mark the node as requiring a valid association id
1093 * before outbound traffic is permitted.
1094 */
1095 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1096 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1097 ni->ni_noise = nf;
1098 if (!ieee80211_alloc_challenge(ni)) {
1099 /* NB: don't return error so they rexmit */
1100 return;
1101 }
1102 net80211_get_random_bytes(ni->ni_challenge,
1103 IEEE80211_CHALLENGE_LEN);
1104 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1105 ni, "shared key %sauth request", allocbs ? "" : "re");
1106 /*
1107 * When the ACL policy is set to RADIUS we defer the
1108 * authorization to a user agent. Dispatch an event,
1109 * a subsequent MLME call will decide the fate of the
1110 * station. If the user agent is not present then the
1111 * node will be reclaimed due to inactivity.
1112 */
1113 if (vap->iv_acl != NULL &&
1114 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1115 IEEE80211_NOTE_MAC(vap,
1116 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1117 ni->ni_macaddr,
1118 "%s", "station authentication defered (radius acl)");
1119 ieee80211_notify_node_auth(ni);
1120 return;
1121 }
1122 break;
1123 case IEEE80211_AUTH_SHARED_RESPONSE:
1124 if (ni == vap->iv_bss) {
1125 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1126 ni->ni_macaddr, "shared key response",
1127 "%s", "unknown station");
1128 /* NB: don't send a response */
1129 return;
1130 }
1131 if (ni->ni_challenge == NULL) {
1132 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1133 ni->ni_macaddr, "shared key response",
1134 "%s", "no challenge recorded");
1135 vap->iv_stats.is_rx_bad_auth++;
1136 estatus = IEEE80211_STATUS_CHALLENGE;
1137 goto bad;
1138 }
1139 if (memcmp(ni->ni_challenge, &challenge[2],
1140 challenge[1]) != 0) {
1141 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1142 ni->ni_macaddr, "shared key response",
1143 "%s", "challenge mismatch");
1144 vap->iv_stats.is_rx_auth_fail++;
1145 estatus = IEEE80211_STATUS_CHALLENGE;
1146 goto bad;
1147 }
1148 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1149 ni, "%s", "station authenticated (shared key)");
1150 ieee80211_node_authorize(ni);
1151 break;
1152 default:
1153 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1154 ni->ni_macaddr, "shared key auth",
1155 "bad seq %d", seq);
1156 vap->iv_stats.is_rx_bad_auth++;
1157 estatus = IEEE80211_STATUS_SEQUENCE;
1158 goto bad;
1159 }
1160 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1161 return;
1162 bad:
1163 /*
1164 * Send an error response; but only when operating as an AP.
1165 */
1166 /* XXX hack to workaround calling convention */
1167 ieee80211_send_error(ni, wh->i_addr2,
1168 IEEE80211_FC0_SUBTYPE_AUTH,
1169 (seq + 1) | (estatus<<16));
1170 }
1171
1172 /*
1173 * Convert a WPA cipher selector OUI to an internal
1174 * cipher algorithm. Where appropriate we also
1175 * record any key length.
1176 */
1177 static int
1178 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1179 {
1180 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1181 uint32_t w = le32dec(sel);
1182
1183 switch (w) {
1184 case WPA_SEL(WPA_CSE_NULL):
1185 *cipher = IEEE80211_CIPHER_NONE;
1186 break;
1187 case WPA_SEL(WPA_CSE_WEP40):
1188 if (keylen)
1189 *keylen = 40 / NBBY;
1190 *cipher = IEEE80211_CIPHER_WEP;
1191 break;
1192 case WPA_SEL(WPA_CSE_WEP104):
1193 if (keylen)
1194 *keylen = 104 / NBBY;
1195 *cipher = IEEE80211_CIPHER_WEP;
1196 break;
1197 case WPA_SEL(WPA_CSE_TKIP):
1198 *cipher = IEEE80211_CIPHER_TKIP;
1199 break;
1200 case WPA_SEL(WPA_CSE_CCMP):
1201 *cipher = IEEE80211_CIPHER_AES_CCM;
1202 break;
1203 default:
1204 return (EINVAL);
1205 }
1206
1207 return (0);
1208 #undef WPA_SEL
1209 }
1210
1211 /*
1212 * Convert a WPA key management/authentication algorithm
1213 * to an internal code.
1214 */
1215 static int
1216 wpa_keymgmt(const uint8_t *sel)
1217 {
1218 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1219 uint32_t w = le32dec(sel);
1220
1221 switch (w) {
1222 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1223 return WPA_ASE_8021X_UNSPEC;
1224 case WPA_SEL(WPA_ASE_8021X_PSK):
1225 return WPA_ASE_8021X_PSK;
1226 case WPA_SEL(WPA_ASE_NONE):
1227 return WPA_ASE_NONE;
1228 }
1229 return 0; /* NB: so is discarded */
1230 #undef WPA_SEL
1231 }
1232
1233 /*
1234 * Parse a WPA information element to collect parameters.
1235 * Note that we do not validate security parameters; that
1236 * is handled by the authenticator; the parsing done here
1237 * is just for internal use in making operational decisions.
1238 */
1239 static int
1240 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1241 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1242 {
1243 uint8_t len = frm[1];
1244 uint32_t w;
1245 int error, n;
1246
1247 /*
1248 * Check the length once for fixed parts: OUI, type,
1249 * version, mcast cipher, and 2 selector counts.
1250 * Other, variable-length data, must be checked separately.
1251 */
1252 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1253 IEEE80211_DISCARD_IE(vap,
1254 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1255 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1256 return IEEE80211_REASON_IE_INVALID;
1257 }
1258 if (len < 14) {
1259 IEEE80211_DISCARD_IE(vap,
1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1261 wh, "WPA", "too short, len %u", len);
1262 return IEEE80211_REASON_IE_INVALID;
1263 }
1264 frm += 6, len -= 4; /* NB: len is payload only */
1265 /* NB: iswpaoui already validated the OUI and type */
1266 w = le16dec(frm);
1267 if (w != WPA_VERSION) {
1268 IEEE80211_DISCARD_IE(vap,
1269 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1270 wh, "WPA", "bad version %u", w);
1271 return IEEE80211_REASON_IE_INVALID;
1272 }
1273 frm += 2, len -= 2;
1274
1275 memset(rsn, 0, sizeof(*rsn));
1276
1277 /* multicast/group cipher */
1278 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1279 if (error != 0) {
1280 IEEE80211_DISCARD_IE(vap,
1281 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1282 wh, "WPA", "unknown mcast cipher suite %08X",
1283 le32dec(frm));
1284 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1285 }
1286 frm += 4, len -= 4;
1287
1288 /* unicast ciphers */
1289 n = le16dec(frm);
1290 frm += 2, len -= 2;
1291 if (len < n*4+2) {
1292 IEEE80211_DISCARD_IE(vap,
1293 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1294 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1295 len, n);
1296 return IEEE80211_REASON_IE_INVALID;
1297 }
1298 w = 0;
1299 for (; n > 0; n--) {
1300 uint8_t cipher;
1301
1302 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1303 if (error == 0)
1304 w |= 1 << cipher;
1305
1306 frm += 4, len -= 4;
1307 }
1308 if (w == 0) {
1309 IEEE80211_DISCARD_IE(vap,
1310 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1311 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1312 w);
1313 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1314 }
1315 /* XXX other? */
1316 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1317 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1318 else
1319 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1320
1321 /* key management algorithms */
1322 n = le16dec(frm);
1323 frm += 2, len -= 2;
1324 if (len < n*4) {
1325 IEEE80211_DISCARD_IE(vap,
1326 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1327 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1328 len, n);
1329 return IEEE80211_REASON_IE_INVALID;
1330 }
1331 w = 0;
1332 for (; n > 0; n--) {
1333 w |= wpa_keymgmt(frm);
1334 frm += 4, len -= 4;
1335 }
1336 if (w & WPA_ASE_8021X_UNSPEC)
1337 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1338 else
1339 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1340
1341 if (len > 2) /* optional capabilities */
1342 rsn->rsn_caps = le16dec(frm);
1343
1344 return 0;
1345 }
1346
1347 /*
1348 * Convert an RSN cipher selector OUI to an internal
1349 * cipher algorithm. Where appropriate we also
1350 * record any key length.
1351 */
1352 static int
1353 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1354 {
1355 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1356 uint32_t w = le32dec(sel);
1357
1358 switch (w) {
1359 case RSN_SEL(RSN_CSE_NULL):
1360 *cipher = IEEE80211_CIPHER_NONE;
1361 break;
1362 case RSN_SEL(RSN_CSE_WEP40):
1363 if (keylen)
1364 *keylen = 40 / NBBY;
1365 *cipher = IEEE80211_CIPHER_WEP;
1366 break;
1367 case RSN_SEL(RSN_CSE_WEP104):
1368 if (keylen)
1369 *keylen = 104 / NBBY;
1370 *cipher = IEEE80211_CIPHER_WEP;
1371 break;
1372 case RSN_SEL(RSN_CSE_TKIP):
1373 *cipher = IEEE80211_CIPHER_TKIP;
1374 break;
1375 case RSN_SEL(RSN_CSE_CCMP):
1376 *cipher = IEEE80211_CIPHER_AES_CCM;
1377 break;
1378 case RSN_SEL(RSN_CSE_WRAP):
1379 *cipher = IEEE80211_CIPHER_AES_OCB;
1380 break;
1381 default:
1382 return (EINVAL);
1383 }
1384
1385 return (0);
1386 #undef WPA_SEL
1387 }
1388
1389 /*
1390 * Convert an RSN key management/authentication algorithm
1391 * to an internal code.
1392 */
1393 static int
1394 rsn_keymgmt(const uint8_t *sel)
1395 {
1396 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1397 uint32_t w = le32dec(sel);
1398
1399 switch (w) {
1400 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1401 return RSN_ASE_8021X_UNSPEC;
1402 case RSN_SEL(RSN_ASE_8021X_PSK):
1403 return RSN_ASE_8021X_PSK;
1404 case RSN_SEL(RSN_ASE_NONE):
1405 return RSN_ASE_NONE;
1406 }
1407 return 0; /* NB: so is discarded */
1408 #undef RSN_SEL
1409 }
1410
1411 /*
1412 * Parse a WPA/RSN information element to collect parameters
1413 * and validate the parameters against what has been
1414 * configured for the system.
1415 */
1416 static int
1417 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1418 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1419 {
1420 uint8_t len = frm[1];
1421 uint32_t w;
1422 int error, n;
1423
1424 /*
1425 * Check the length once for fixed parts:
1426 * version, mcast cipher, and 2 selector counts.
1427 * Other, variable-length data, must be checked separately.
1428 */
1429 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1430 IEEE80211_DISCARD_IE(vap,
1431 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1432 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1433 return IEEE80211_REASON_IE_INVALID;
1434 }
1435 /* XXX may be shorter */
1436 if (len < 10) {
1437 IEEE80211_DISCARD_IE(vap,
1438 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1439 wh, "RSN", "too short, len %u", len);
1440 return IEEE80211_REASON_IE_INVALID;
1441 }
1442 frm += 2;
1443 w = le16dec(frm);
1444 if (w != RSN_VERSION) {
1445 IEEE80211_DISCARD_IE(vap,
1446 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1447 wh, "RSN", "bad version %u", w);
1448 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1449 }
1450 frm += 2, len -= 2;
1451
1452 memset(rsn, 0, sizeof(*rsn));
1453
1454 /* multicast/group cipher */
1455 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1456 if (error != 0) {
1457 IEEE80211_DISCARD_IE(vap,
1458 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1459 wh, "RSN", "unknown mcast cipher suite %08X",
1460 le32dec(frm));
1461 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1462 }
1463 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1464 IEEE80211_DISCARD_IE(vap,
1465 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1466 wh, "RSN", "invalid mcast cipher suite %d",
1467 rsn->rsn_mcastcipher);
1468 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1469 }
1470 frm += 4, len -= 4;
1471
1472 /* unicast ciphers */
1473 n = le16dec(frm);
1474 frm += 2, len -= 2;
1475 if (len < n*4+2) {
1476 IEEE80211_DISCARD_IE(vap,
1477 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1478 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1479 len, n);
1480 return IEEE80211_REASON_IE_INVALID;
1481 }
1482 w = 0;
1483
1484 for (; n > 0; n--) {
1485 uint8_t cipher;
1486
1487 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1488 if (error == 0)
1489 w |= 1 << cipher;
1490
1491 frm += 4, len -= 4;
1492 }
1493 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1494 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1495 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1496 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1497 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1498 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1499 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1500 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1501 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1502 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1503 else {
1504 IEEE80211_DISCARD_IE(vap,
1505 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1506 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1507 w);
1508 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1509 }
1510
1511 /* key management algorithms */
1512 n = le16dec(frm);
1513 frm += 2, len -= 2;
1514 if (len < n*4) {
1515 IEEE80211_DISCARD_IE(vap,
1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1517 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1518 len, n);
1519 return IEEE80211_REASON_IE_INVALID;
1520 }
1521 w = 0;
1522 for (; n > 0; n--) {
1523 w |= rsn_keymgmt(frm);
1524 frm += 4, len -= 4;
1525 }
1526 if (w & RSN_ASE_8021X_UNSPEC)
1527 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1528 else
1529 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1530
1531 /* optional RSN capabilities */
1532 if (len > 2)
1533 rsn->rsn_caps = le16dec(frm);
1534 /* XXXPMKID */
1535
1536 return 0;
1537 }
1538
1539 /*
1540 * WPA/802.11i association request processing.
1541 */
1542 static int
1543 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1544 const struct ieee80211_frame *wh, const uint8_t *wpa,
1545 const uint8_t *rsn, uint16_t capinfo)
1546 {
1547 struct ieee80211vap *vap = ni->ni_vap;
1548 uint8_t reason;
1549 int badwparsn;
1550
1551 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1552 if (wpa == NULL && rsn == NULL) {
1553 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1554 /*
1555 * W-Fi Protected Setup (WPS) permits
1556 * clients to associate and pass EAPOL frames
1557 * to establish initial credentials.
1558 */
1559 ni->ni_flags |= IEEE80211_NODE_WPS;
1560 return 1;
1561 }
1562 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1563 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1564 /*
1565 * Transitional Security Network. Permits clients
1566 * to associate and use WEP while WPA is configured.
1567 */
1568 ni->ni_flags |= IEEE80211_NODE_TSN;
1569 return 1;
1570 }
1571 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1572 wh, NULL, "%s", "no WPA/RSN IE in association request");
1573 vap->iv_stats.is_rx_assoc_badwpaie++;
1574 reason = IEEE80211_REASON_IE_INVALID;
1575 goto bad;
1576 }
1577 /* assert right association security credentials */
1578 badwparsn = 0; /* NB: to silence compiler */
1579 switch (vap->iv_flags & IEEE80211_F_WPA) {
1580 case IEEE80211_F_WPA1:
1581 badwparsn = (wpa == NULL);
1582 break;
1583 case IEEE80211_F_WPA2:
1584 badwparsn = (rsn == NULL);
1585 break;
1586 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1587 badwparsn = (wpa == NULL && rsn == NULL);
1588 break;
1589 }
1590 if (badwparsn) {
1591 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1592 wh, NULL,
1593 "%s", "missing WPA/RSN IE in association request");
1594 vap->iv_stats.is_rx_assoc_badwpaie++;
1595 reason = IEEE80211_REASON_IE_INVALID;
1596 goto bad;
1597 }
1598 /*
1599 * Parse WPA/RSN information element.
1600 */
1601 if (wpa != NULL)
1602 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1603 else
1604 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1605 if (reason != 0) {
1606 /* XXX wpa->rsn fallback? */
1607 /* XXX distinguish WPA/RSN? */
1608 vap->iv_stats.is_rx_assoc_badwpaie++;
1609 goto bad;
1610 }
1611 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1612 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1613 wpa != NULL ? "WPA" : "RSN",
1614 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1615 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1616 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1617
1618 return 1;
1619 bad:
1620 ieee80211_node_deauth(ni, reason);
1621 return 0;
1622 }
1623
1624 /* XXX find a better place for definition */
1625 struct l2_update_frame {
1626 struct ether_header eh;
1627 uint8_t dsap;
1628 uint8_t ssap;
1629 uint8_t control;
1630 uint8_t xid[3];
1631 } __packed;
1632
1633 /*
1634 * Deliver a TGf L2UF frame on behalf of a station.
1635 * This primes any bridge when the station is roaming
1636 * between ap's on the same wired network.
1637 */
1638 static void
1639 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1640 {
1641 struct ieee80211vap *vap = ni->ni_vap;
1642 struct ifnet *ifp = vap->iv_ifp;
1643 struct mbuf *m;
1644 struct l2_update_frame *l2uf;
1645 struct ether_header *eh;
1646
1647 m = m_gethdr(M_NOWAIT, MT_DATA);
1648 if (m == NULL) {
1649 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1650 "%s", "no mbuf for l2uf frame");
1651 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1652 return;
1653 }
1654 l2uf = mtod(m, struct l2_update_frame *);
1655 eh = &l2uf->eh;
1656 /* dst: Broadcast address */
1657 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1658 /* src: associated STA */
1659 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1660 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1661
1662 l2uf->dsap = 0;
1663 l2uf->ssap = 0;
1664 l2uf->control = 0xf5;
1665 l2uf->xid[0] = 0x81;
1666 l2uf->xid[1] = 0x80;
1667 l2uf->xid[2] = 0x00;
1668
1669 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1670 hostap_deliver_data(vap, ni, m);
1671 }
1672
1673 static void
1674 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1675 int reassoc, int resp, const char *tag, int rate)
1676 {
1677 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1678 "deny %s request, %s rate set mismatch, rate/MCS %d",
1679 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1680 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1681 ieee80211_node_leave(ni);
1682 }
1683
1684 static void
1685 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1686 int reassoc, int resp, const char *tag, int capinfo)
1687 {
1688 struct ieee80211vap *vap = ni->ni_vap;
1689
1690 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1691 "deny %s request, %s mismatch 0x%x",
1692 reassoc ? "reassoc" : "assoc", tag, capinfo);
1693 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1694 ieee80211_node_leave(ni);
1695 vap->iv_stats.is_rx_assoc_capmismatch++;
1696 }
1697
1698 static void
1699 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1700 int reassoc, int resp)
1701 {
1702 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1703 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1704 /* XXX no better code */
1705 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1706 ieee80211_node_leave(ni);
1707 }
1708
1709 static void
1710 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1711 int algo, int seq, int status)
1712 {
1713 struct ieee80211vap *vap = ni->ni_vap;
1714
1715 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1716 wh, NULL, "unsupported alg %d", algo);
1717 vap->iv_stats.is_rx_auth_unsupported++;
1718 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1719 seq | (status << 16));
1720 }
1721
1722 static __inline int
1723 ishtmixed(const uint8_t *ie)
1724 {
1725 const struct ieee80211_ie_htinfo *ht =
1726 (const struct ieee80211_ie_htinfo *) ie;
1727 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1728 IEEE80211_HTINFO_OPMODE_MIXED;
1729 }
1730
1731 static int
1732 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1733 {
1734 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1735 int i;
1736
1737 /* NB: the 11b clients we care about will not have xrates */
1738 if (xrates != NULL || rates == NULL)
1739 return 0;
1740 for (i = 0; i < rates[1]; i++) {
1741 int r = rates[2+i] & IEEE80211_RATE_VAL;
1742 if (r > 2*11 || ((1<<r) & brates) == 0)
1743 return 0;
1744 }
1745 return 1;
1746 }
1747
1748 static void
1749 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1750 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1751 {
1752 struct ieee80211vap *vap = ni->ni_vap;
1753 struct ieee80211com *ic = ni->ni_ic;
1754 struct ieee80211_frame *wh;
1755 uint8_t *frm, *efrm, *sfrm;
1756 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1757 uint8_t *vhtcap, *vhtinfo;
1758 int reassoc, resp;
1759 uint8_t rate;
1760
1761 wh = mtod(m0, struct ieee80211_frame *);
1762 frm = (uint8_t *)&wh[1];
1763 efrm = mtod(m0, uint8_t *) + m0->m_len;
1764 switch (subtype) {
1765 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1766 /*
1767 * We process beacon/probe response frames when scanning;
1768 * otherwise we check beacon frames for overlapping non-ERP
1769 * BSS in 11g and/or overlapping legacy BSS when in HT.
1770 */
1771 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1772 vap->iv_stats.is_rx_mgtdiscard++;
1773 return;
1774 }
1775 /* FALLTHROUGH */
1776 case IEEE80211_FC0_SUBTYPE_BEACON: {
1777 struct ieee80211_scanparams scan;
1778
1779 /* NB: accept off-channel frames */
1780 /* XXX TODO: use rxstatus to determine off-channel details */
1781 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1782 return;
1783 /*
1784 * Count frame now that we know it's to be processed.
1785 */
1786 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1787 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1788 IEEE80211_NODE_STAT(ni, rx_beacons);
1789 } else
1790 IEEE80211_NODE_STAT(ni, rx_proberesp);
1791 /*
1792 * If scanning, just pass information to the scan module.
1793 */
1794 if (ic->ic_flags & IEEE80211_F_SCAN) {
1795 if (scan.status == 0 && /* NB: on channel */
1796 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1797 /*
1798 * Actively scanning a channel marked passive;
1799 * send a probe request now that we know there
1800 * is 802.11 traffic present.
1801 *
1802 * XXX check if the beacon we recv'd gives
1803 * us what we need and suppress the probe req
1804 */
1805 ieee80211_probe_curchan(vap, 1);
1806 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1807 }
1808 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1809 subtype, rssi, nf);
1810 return;
1811 }
1812 /*
1813 * Check beacon for overlapping bss w/ non ERP stations.
1814 * If we detect one and protection is configured but not
1815 * enabled, enable it and start a timer that'll bring us
1816 * out if we stop seeing the bss.
1817 */
1818 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1819 scan.status == 0 && /* NB: on-channel */
1820 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1821 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1822 vap->iv_lastnonerp = ticks;
1823 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1824 /*
1825 * XXX TODO: this may need to check all VAPs?
1826 */
1827 if (vap->iv_protmode != IEEE80211_PROT_NONE &&
1828 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) {
1829 IEEE80211_NOTE_FRAME(vap,
1830 IEEE80211_MSG_ASSOC, wh,
1831 "non-ERP present on channel %d "
1832 "(saw erp 0x%x from channel %d), "
1833 "enable use of protection",
1834 ic->ic_curchan->ic_ieee,
1835 scan.erp, scan.chan);
1836 vap->iv_flags |= IEEE80211_F_USEPROT;
1837 ieee80211_vap_update_erp_protmode(vap);
1838 }
1839 }
1840 /*
1841 * Check beacon for non-HT station on HT channel
1842 * and update HT BSS occupancy as appropriate.
1843 */
1844 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1845 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1846 /*
1847 * Off control channel; only check frames
1848 * that come in the extension channel when
1849 * operating w/ HT40.
1850 */
1851 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1852 break;
1853 if (scan.chan != ic->ic_curchan->ic_extieee)
1854 break;
1855 }
1856 if (scan.htinfo == NULL) {
1857 ieee80211_htprot_update(vap,
1858 IEEE80211_HTINFO_OPMODE_PROTOPT |
1859 IEEE80211_HTINFO_NONHT_PRESENT);
1860 } else if (ishtmixed(scan.htinfo)) {
1861 /* XXX? take NONHT_PRESENT from beacon? */
1862 ieee80211_htprot_update(vap,
1863 IEEE80211_HTINFO_OPMODE_MIXED |
1864 IEEE80211_HTINFO_NONHT_PRESENT);
1865 }
1866 }
1867 break;
1868 }
1869
1870 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1871 if (vap->iv_state != IEEE80211_S_RUN) {
1872 vap->iv_stats.is_rx_mgtdiscard++;
1873 return;
1874 }
1875 /*
1876 * Consult the ACL policy module if setup.
1877 */
1878 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1879 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1880 wh, NULL, "%s", "disallowed by ACL");
1881 vap->iv_stats.is_rx_acl++;
1882 return;
1883 }
1884 /*
1885 * prreq frame format
1886 * [tlv] ssid
1887 * [tlv] supported rates
1888 * [tlv] extended supported rates
1889 */
1890 ssid = rates = xrates = NULL;
1891 while (efrm - frm > 1) {
1892 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1893 switch (*frm) {
1894 case IEEE80211_ELEMID_SSID:
1895 ssid = frm;
1896 break;
1897 case IEEE80211_ELEMID_RATES:
1898 rates = frm;
1899 break;
1900 case IEEE80211_ELEMID_XRATES:
1901 xrates = frm;
1902 break;
1903 }
1904 frm += frm[1] + 2;
1905 }
1906 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1907 if (xrates != NULL)
1908 IEEE80211_VERIFY_ELEMENT(xrates,
1909 IEEE80211_RATE_MAXSIZE - rates[1], return);
1910 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1911 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1912 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1913 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1914 wh, NULL,
1915 "%s", "no ssid with ssid suppression enabled");
1916 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1917 return;
1918 }
1919
1920 /* XXX find a better class or define it's own */
1921 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1922 "%s", "recv probe req");
1923 /*
1924 * Some legacy 11b clients cannot hack a complete
1925 * probe response frame. When the request includes
1926 * only a bare-bones rate set, communicate this to
1927 * the transmit side.
1928 */
1929 ieee80211_send_proberesp(vap, wh->i_addr2,
1930 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1931 break;
1932
1933 case IEEE80211_FC0_SUBTYPE_AUTH: {
1934 uint16_t algo, seq, status;
1935
1936 if (vap->iv_state != IEEE80211_S_RUN) {
1937 vap->iv_stats.is_rx_mgtdiscard++;
1938 return;
1939 }
1940 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1941 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1942 wh, NULL, "%s", "wrong bssid");
1943 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1944 return;
1945 }
1946 /*
1947 * auth frame format
1948 * [2] algorithm
1949 * [2] sequence
1950 * [2] status
1951 * [tlv*] challenge
1952 */
1953 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1954 algo = le16toh(*(uint16_t *)frm);
1955 seq = le16toh(*(uint16_t *)(frm + 2));
1956 status = le16toh(*(uint16_t *)(frm + 4));
1957 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1958 "recv auth frame with algorithm %d seq %d", algo, seq);
1959 /*
1960 * Consult the ACL policy module if setup.
1961 */
1962 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1963 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1964 wh, NULL, "%s", "disallowed by ACL");
1965 vap->iv_stats.is_rx_acl++;
1966 ieee80211_send_error(ni, wh->i_addr2,
1967 IEEE80211_FC0_SUBTYPE_AUTH,
1968 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1969 return;
1970 }
1971 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1972 IEEE80211_DISCARD(vap,
1973 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1974 wh, NULL, "%s", "TKIP countermeasures enabled");
1975 vap->iv_stats.is_rx_auth_countermeasures++;
1976 ieee80211_send_error(ni, wh->i_addr2,
1977 IEEE80211_FC0_SUBTYPE_AUTH,
1978 IEEE80211_REASON_MIC_FAILURE);
1979 return;
1980 }
1981 if (algo == IEEE80211_AUTH_ALG_SHARED)
1982 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1983 seq, status);
1984 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1985 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1986 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1987 authalgreject(ni, wh, algo,
1988 seq+1, IEEE80211_STATUS_ALG);
1989 return;
1990 } else {
1991 /*
1992 * We assume that an unknown algorithm is the result
1993 * of a decryption failure on a shared key auth frame;
1994 * return a status code appropriate for that instead
1995 * of IEEE80211_STATUS_ALG.
1996 *
1997 * NB: a seq# of 4 is intentional; the decrypted
1998 * frame likely has a bogus seq value.
1999 */
2000 authalgreject(ni, wh, algo,
2001 4, IEEE80211_STATUS_CHALLENGE);
2002 return;
2003 }
2004 break;
2005 }
2006
2007 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2008 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2009 uint16_t capinfo, lintval;
2010 struct ieee80211_rsnparms rsnparms;
2011
2012 if (vap->iv_state != IEEE80211_S_RUN) {
2013 vap->iv_stats.is_rx_mgtdiscard++;
2014 return;
2015 }
2016 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2017 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2018 wh, NULL, "%s", "wrong bssid");
2019 vap->iv_stats.is_rx_assoc_bss++;
2020 return;
2021 }
2022 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2023 reassoc = 1;
2024 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2025 } else {
2026 reassoc = 0;
2027 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2028 }
2029 if (ni == vap->iv_bss) {
2030 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2031 "deny %s request, sta not authenticated",
2032 reassoc ? "reassoc" : "assoc");
2033 ieee80211_send_error(ni, wh->i_addr2,
2034 IEEE80211_FC0_SUBTYPE_DEAUTH,
2035 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2036 vap->iv_stats.is_rx_assoc_notauth++;
2037 return;
2038 }
2039
2040 /*
2041 * asreq frame format
2042 * [2] capability information
2043 * [2] listen interval
2044 * [6*] current AP address (reassoc only)
2045 * [tlv] ssid
2046 * [tlv] supported rates
2047 * [tlv] extended supported rates
2048 * [tlv] WPA or RSN
2049 * [tlv] HT capabilities
2050 * [tlv] Atheros capabilities
2051 */
2052 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2053 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2054 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2055 if (reassoc)
2056 frm += 6; /* ignore current AP info */
2057 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2058 vhtcap = vhtinfo = NULL;
2059 sfrm = frm;
2060 while (efrm - frm > 1) {
2061 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2062 switch (*frm) {
2063 case IEEE80211_ELEMID_SSID:
2064 ssid = frm;
2065 break;
2066 case IEEE80211_ELEMID_RATES:
2067 rates = frm;
2068 break;
2069 case IEEE80211_ELEMID_XRATES:
2070 xrates = frm;
2071 break;
2072 case IEEE80211_ELEMID_RSN:
2073 rsn = frm;
2074 break;
2075 case IEEE80211_ELEMID_HTCAP:
2076 htcap = frm;
2077 break;
2078 case IEEE80211_ELEMID_VHT_CAP:
2079 vhtcap = frm;
2080 break;
2081 case IEEE80211_ELEMID_VHT_OPMODE:
2082 vhtinfo = frm;
2083 break;
2084 case IEEE80211_ELEMID_VENDOR:
2085 if (iswpaoui(frm))
2086 wpa = frm;
2087 else if (iswmeinfo(frm))
2088 wme = frm;
2089 #ifdef IEEE80211_SUPPORT_SUPERG
2090 else if (isatherosoui(frm))
2091 ath = frm;
2092 #endif
2093 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2094 if (ishtcapoui(frm) && htcap == NULL)
2095 htcap = frm;
2096 }
2097 break;
2098 }
2099 frm += frm[1] + 2;
2100 }
2101 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2102 if (xrates != NULL)
2103 IEEE80211_VERIFY_ELEMENT(xrates,
2104 IEEE80211_RATE_MAXSIZE - rates[1], return);
2105 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2106 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2107 if (htcap != NULL) {
2108 IEEE80211_VERIFY_LENGTH(htcap[1],
2109 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2110 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2111 sizeof(struct ieee80211_ie_htcap)-2,
2112 return); /* XXX just NULL out? */
2113 }
2114
2115 /* Validate VHT IEs */
2116 if (vhtcap != NULL) {
2117 IEEE80211_VERIFY_LENGTH(vhtcap[1],
2118 sizeof(struct ieee80211_ie_vhtcap) - 2,
2119 return);
2120 }
2121 if (vhtinfo != NULL) {
2122 IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2123 sizeof(struct ieee80211_ie_vht_operation) - 2,
2124 return);
2125 }
2126
2127 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2128 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2129 return;
2130 /* discard challenge after association */
2131 if (ni->ni_challenge != NULL) {
2132 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2133 ni->ni_challenge = NULL;
2134 }
2135 /* NB: 802.11 spec says to ignore station's privacy bit */
2136 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2137 capinfomismatch(ni, wh, reassoc, resp,
2138 "capability", capinfo);
2139 return;
2140 }
2141 /*
2142 * Disallow re-associate w/ invalid slot time setting.
2143 */
2144 if (ni->ni_associd != 0 &&
2145 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2146 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2147 capinfomismatch(ni, wh, reassoc, resp,
2148 "slot time", capinfo);
2149 return;
2150 }
2151 rate = ieee80211_setup_rates(ni, rates, xrates,
2152 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2153 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2154 if (rate & IEEE80211_RATE_BASIC) {
2155 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2156 vap->iv_stats.is_rx_assoc_norate++;
2157 return;
2158 }
2159 /*
2160 * If constrained to 11g-only stations reject an
2161 * 11b-only station. We cheat a bit here by looking
2162 * at the max negotiated xmit rate and assuming anyone
2163 * with a best rate <24Mb/s is an 11b station.
2164 */
2165 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2166 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2167 vap->iv_stats.is_rx_assoc_norate++;
2168 return;
2169 }
2170
2171 /*
2172 * Do HT rate set handling and setup HT node state.
2173 */
2174 ni->ni_chan = vap->iv_bss->ni_chan;
2175
2176 /* VHT */
2177 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2178 vhtcap != NULL &&
2179 vhtinfo != NULL) {
2180 /* XXX TODO; see below */
2181 printf("%s: VHT TODO!\n", __func__);
2182 ieee80211_vht_node_init(ni);
2183 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2184 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2185 ieee80211_vht_node_cleanup(ni);
2186
2187 /* HT */
2188 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2189 rate = ieee80211_setup_htrates(ni, htcap,
2190 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2191 IEEE80211_F_DOBRS);
2192 if (rate & IEEE80211_RATE_BASIC) {
2193 ratesetmismatch(ni, wh, reassoc, resp,
2194 "HT", rate);
2195 vap->iv_stats.is_ht_assoc_norate++;
2196 return;
2197 }
2198 ieee80211_ht_node_init(ni);
2199 ieee80211_ht_updatehtcap(ni, htcap);
2200 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2201 ieee80211_ht_node_cleanup(ni);
2202
2203 /* Finally - this will use HT/VHT info to change node channel */
2204 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2205 ieee80211_ht_updatehtcap_final(ni);
2206 }
2207
2208 #ifdef IEEE80211_SUPPORT_SUPERG
2209 /* Always do ff node cleanup; for A-MSDU */
2210 ieee80211_ff_node_cleanup(ni);
2211 #endif
2212 /*
2213 * Allow AMPDU operation only with unencrypted traffic
2214 * or AES-CCM; the 11n spec only specifies these ciphers
2215 * so permitting any others is undefined and can lead
2216 * to interoperability problems.
2217 */
2218 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2219 (((vap->iv_flags & IEEE80211_F_WPA) &&
2220 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2221 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2222 IEEE80211_NOTE(vap,
2223 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2224 "disallow HT use because WEP or TKIP requested, "
2225 "capinfo 0x%x ucastcipher %d", capinfo,
2226 rsnparms.rsn_ucastcipher);
2227 ieee80211_ht_node_cleanup(ni);
2228 #ifdef IEEE80211_SUPPORT_SUPERG
2229 /* Always do ff node cleanup; for A-MSDU */
2230 ieee80211_ff_node_cleanup(ni);
2231 #endif
2232 vap->iv_stats.is_ht_assoc_downgrade++;
2233 }
2234 /*
2235 * If constrained to 11n-only stations reject legacy stations.
2236 */
2237 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2238 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2239 htcapmismatch(ni, wh, reassoc, resp);
2240 vap->iv_stats.is_ht_assoc_nohtcap++;
2241 return;
2242 }
2243 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2244 ni->ni_noise = nf;
2245 ni->ni_intval = lintval;
2246 ni->ni_capinfo = capinfo;
2247 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2248 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2249 /*
2250 * Store the IEs.
2251 * XXX maybe better to just expand
2252 */
2253 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2254 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2255 if (wpa != NULL)
2256 setie(wpa_ie, wpa - sfrm);
2257 if (rsn != NULL)
2258 setie(rsn_ie, rsn - sfrm);
2259 if (htcap != NULL)
2260 setie(htcap_ie, htcap - sfrm);
2261 if (wme != NULL) {
2262 setie(wme_ie, wme - sfrm);
2263 /*
2264 * Mark node as capable of QoS.
2265 */
2266 ni->ni_flags |= IEEE80211_NODE_QOS;
2267 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
2268 if (ni->ni_uapsd != 0)
2269 ni->ni_flags |=
2270 IEEE80211_NODE_UAPSD;
2271 else
2272 ni->ni_flags &=
2273 ~IEEE80211_NODE_UAPSD;
2274 }
2275 } else
2276 ni->ni_flags &=
2277 ~(IEEE80211_NODE_QOS |
2278 IEEE80211_NODE_UAPSD);
2279 #ifdef IEEE80211_SUPPORT_SUPERG
2280 if (ath != NULL) {
2281 setie(ath_ie, ath - sfrm);
2282 /*
2283 * Parse ATH station parameters.
2284 */
2285 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2286 } else
2287 #endif
2288 ni->ni_ath_flags = 0;
2289 #undef setie
2290 } else {
2291 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2292 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
2293 ni->ni_ath_flags = 0;
2294 }
2295 ieee80211_node_join(ni, resp);
2296 ieee80211_deliver_l2uf(ni);
2297 break;
2298 }
2299
2300 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2301 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2302 uint16_t reason;
2303
2304 if (vap->iv_state != IEEE80211_S_RUN ||
2305 /* NB: can happen when in promiscuous mode */
2306 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2307 vap->iv_stats.is_rx_mgtdiscard++;
2308 break;
2309 }
2310 /*
2311 * deauth/disassoc frame format
2312 * [2] reason
2313 */
2314 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2315 reason = le16toh(*(uint16_t *)frm);
2316 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2317 vap->iv_stats.is_rx_deauth++;
2318 IEEE80211_NODE_STAT(ni, rx_deauth);
2319 } else {
2320 vap->iv_stats.is_rx_disassoc++;
2321 IEEE80211_NODE_STAT(ni, rx_disassoc);
2322 }
2323 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2324 "recv %s (reason: %d (%s))",
2325 ieee80211_mgt_subtype_name(subtype),
2326 reason, ieee80211_reason_to_string(reason));
2327 if (ni != vap->iv_bss)
2328 ieee80211_node_leave(ni);
2329 break;
2330 }
2331
2332 case IEEE80211_FC0_SUBTYPE_ACTION:
2333 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2334 if (ni == vap->iv_bss) {
2335 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2336 wh, NULL, "%s", "unknown node");
2337 vap->iv_stats.is_rx_mgtdiscard++;
2338 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2339 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2340 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2341 wh, NULL, "%s", "not for us");
2342 vap->iv_stats.is_rx_mgtdiscard++;
2343 } else if (vap->iv_state != IEEE80211_S_RUN) {
2344 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2345 wh, NULL, "wrong state %s",
2346 ieee80211_state_name[vap->iv_state]);
2347 vap->iv_stats.is_rx_mgtdiscard++;
2348 } else {
2349 if (ieee80211_parse_action(ni, m0) == 0)
2350 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2351 }
2352 break;
2353
2354 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2355 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2356 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2357 case IEEE80211_FC0_SUBTYPE_ATIM:
2358 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2359 wh, NULL, "%s", "not handled");
2360 vap->iv_stats.is_rx_mgtdiscard++;
2361 break;
2362
2363 default:
2364 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2365 wh, "mgt", "subtype 0x%x not handled", subtype);
2366 vap->iv_stats.is_rx_badsubtype++;
2367 break;
2368 }
2369 }
2370
2371 static void
2372 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2373 {
2374 switch (subtype) {
2375 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2376 ni->ni_vap->iv_recv_pspoll(ni, m);
2377 break;
2378 case IEEE80211_FC0_SUBTYPE_BAR:
2379 ieee80211_recv_bar(ni, m);
2380 break;
2381 }
2382 }
2383
2384 /*
2385 * Process a received ps-poll frame.
2386 */
2387 void
2388 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2389 {
2390 struct ieee80211vap *vap = ni->ni_vap;
2391 struct ieee80211com *ic = vap->iv_ic;
2392 struct ieee80211_frame_min *wh;
2393 struct mbuf *m;
2394 uint16_t aid;
2395 int qlen;
2396
2397 wh = mtod(m0, struct ieee80211_frame_min *);
2398 if (ni->ni_associd == 0) {
2399 IEEE80211_DISCARD(vap,
2400 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2401 (struct ieee80211_frame *) wh, NULL,
2402 "%s", "unassociated station");
2403 vap->iv_stats.is_ps_unassoc++;
2404 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2405 IEEE80211_REASON_NOT_ASSOCED);
2406 return;
2407 }
2408
2409 aid = le16toh(*(uint16_t *)wh->i_dur);
2410 if (aid != ni->ni_associd) {
2411 IEEE80211_DISCARD(vap,
2412 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2413 (struct ieee80211_frame *) wh, NULL,
2414 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2415 ni->ni_associd, aid);
2416 vap->iv_stats.is_ps_badaid++;
2417 /*
2418 * NB: We used to deauth the station but it turns out
2419 * the Blackberry Curve 8230 (and perhaps other devices)
2420 * sometimes send the wrong AID when WME is negotiated.
2421 * Being more lenient here seems ok as we already check
2422 * the station is associated and we only return frames
2423 * queued for the station (i.e. we don't use the AID).
2424 */
2425 return;
2426 }
2427
2428 /* Okay, take the first queued packet and put it out... */
2429 m = ieee80211_node_psq_dequeue(ni, &qlen);
2430 if (m == NULL) {
2431 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2432 "%s", "recv ps-poll, but queue empty");
2433 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2434 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2435 if (vap->iv_set_tim != NULL)
2436 vap->iv_set_tim(ni, 0); /* just in case */
2437 return;
2438 }
2439 /*
2440 * If there are more packets, set the more packets bit
2441 * in the packet dispatched to the station; otherwise
2442 * turn off the TIM bit.
2443 */
2444 if (qlen != 0) {
2445 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2446 "recv ps-poll, send packet, %u still queued", qlen);
2447 m->m_flags |= M_MORE_DATA;
2448 } else {
2449 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2450 "%s", "recv ps-poll, send packet, queue empty");
2451 if (vap->iv_set_tim != NULL)
2452 vap->iv_set_tim(ni, 0);
2453 }
2454 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2455
2456 /*
2457 * Do the right thing; if it's an encap'ed frame then
2458 * call ieee80211_parent_xmitpkt() else
2459 * call ieee80211_vap_xmitpkt().
2460 */
2461 if (m->m_flags & M_ENCAP) {
2462 (void) ieee80211_parent_xmitpkt(ic, m);
2463 } else {
2464 (void) ieee80211_vap_xmitpkt(vap, m);
2465 }
2466 }
Cache object: 9f031c24cd401f7569df5df710ad4a6c
|