Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/net80211/ieee80211_hostap.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD$"); 31 #endif 32 33 /* 34 * IEEE 802.11 HOSTAP mode support. 35 */ 36 #include "opt_inet.h" 37 #include "opt_wlan.h" 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/mbuf.h> 42 #include <sys/malloc.h> 43 #include <sys/kernel.h> 44 45 #include <sys/socket.h> 46 #include <sys/sockio.h> 47 #include <sys/endian.h> 48 #include <sys/errno.h> 49 #include <sys/proc.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/if_var.h> 54 #include <net/if_media.h> 55 #include <net/if_llc.h> 56 #include <net/ethernet.h> 57 58 #include <net/bpf.h> 59 60 #include <net80211/ieee80211_var.h> 61 #include <net80211/ieee80211_hostap.h> 62 #include <net80211/ieee80211_input.h> 63 #ifdef IEEE80211_SUPPORT_SUPERG 64 #include <net80211/ieee80211_superg.h> 65 #endif 66 #include <net80211/ieee80211_wds.h> 67 #include <net80211/ieee80211_vht.h> 68 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */ 69 70 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 71 72 static void hostap_vattach(struct ieee80211vap *); 73 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 74 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 75 const struct ieee80211_rx_stats *, 76 int rssi, int nf); 77 static void hostap_deliver_data(struct ieee80211vap *, 78 struct ieee80211_node *, struct mbuf *); 79 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 80 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 81 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 82 83 void 84 ieee80211_hostap_attach(struct ieee80211com *ic) 85 { 86 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 87 } 88 89 void 90 ieee80211_hostap_detach(struct ieee80211com *ic) 91 { 92 } 93 94 static void 95 hostap_vdetach(struct ieee80211vap *vap) 96 { 97 } 98 99 static void 100 hostap_vattach(struct ieee80211vap *vap) 101 { 102 vap->iv_newstate = hostap_newstate; 103 vap->iv_input = hostap_input; 104 vap->iv_recv_mgmt = hostap_recv_mgmt; 105 vap->iv_recv_ctl = hostap_recv_ctl; 106 vap->iv_opdetach = hostap_vdetach; 107 vap->iv_deliver_data = hostap_deliver_data; 108 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 109 } 110 111 static void 112 sta_disassoc(void *arg, struct ieee80211_node *ni) 113 { 114 115 if (ni->ni_associd != 0) { 116 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 117 IEEE80211_REASON_ASSOC_LEAVE); 118 ieee80211_node_leave(ni); 119 } 120 } 121 122 static void 123 sta_csa(void *arg, struct ieee80211_node *ni) 124 { 125 struct ieee80211vap *vap = ni->ni_vap; 126 127 if (ni->ni_associd != 0) 128 if (ni->ni_inact > vap->iv_inact_init) { 129 ni->ni_inact = vap->iv_inact_init; 130 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 131 "%s: inact %u", __func__, ni->ni_inact); 132 } 133 } 134 135 static void 136 sta_drop(void *arg, struct ieee80211_node *ni) 137 { 138 139 if (ni->ni_associd != 0) 140 ieee80211_node_leave(ni); 141 } 142 143 /* 144 * Does a channel change require associated stations to re-associate 145 * so protocol state is correct. This is used when doing CSA across 146 * bands or similar (e.g. HT -> legacy). 147 */ 148 static int 149 isbandchange(struct ieee80211com *ic) 150 { 151 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 152 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 153 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 154 } 155 156 /* 157 * IEEE80211_M_HOSTAP vap state machine handler. 158 */ 159 static int 160 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 161 { 162 struct ieee80211com *ic = vap->iv_ic; 163 enum ieee80211_state ostate; 164 165 IEEE80211_LOCK_ASSERT(ic); 166 167 ostate = vap->iv_state; 168 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 169 __func__, ieee80211_state_name[ostate], 170 ieee80211_state_name[nstate], arg); 171 vap->iv_state = nstate; /* state transition */ 172 if (ostate != IEEE80211_S_SCAN) 173 ieee80211_cancel_scan(vap); /* background scan */ 174 switch (nstate) { 175 case IEEE80211_S_INIT: 176 switch (ostate) { 177 case IEEE80211_S_SCAN: 178 ieee80211_cancel_scan(vap); 179 break; 180 case IEEE80211_S_CAC: 181 ieee80211_dfs_cac_stop(vap); 182 break; 183 case IEEE80211_S_RUN: 184 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 185 sta_disassoc, NULL); 186 break; 187 default: 188 break; 189 } 190 if (ostate != IEEE80211_S_INIT) { 191 /* NB: optimize INIT -> INIT case */ 192 ieee80211_reset_bss(vap); 193 } 194 if (vap->iv_auth->ia_detach != NULL) 195 vap->iv_auth->ia_detach(vap); 196 break; 197 case IEEE80211_S_SCAN: 198 switch (ostate) { 199 case IEEE80211_S_CSA: 200 case IEEE80211_S_RUN: 201 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 202 sta_disassoc, NULL); 203 /* 204 * Clear overlapping BSS state; the beacon frame 205 * will be reconstructed on transition to the RUN 206 * state and the timeout routines check if the flag 207 * is set before doing anything so this is sufficient. 208 */ 209 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 210 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 211 /* XXX TODO: schedule deferred update? */ 212 /* fall thru... */ 213 case IEEE80211_S_CAC: 214 /* 215 * NB: We may get here because of a manual channel 216 * change in which case we need to stop CAC 217 * XXX no need to stop if ostate RUN but it's ok 218 */ 219 ieee80211_dfs_cac_stop(vap); 220 /* fall thru... */ 221 case IEEE80211_S_INIT: 222 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 223 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 224 /* 225 * Already have a channel; bypass the 226 * scan and startup immediately. 227 * ieee80211_create_ibss will call back to 228 * move us to RUN state. 229 */ 230 ieee80211_create_ibss(vap, vap->iv_des_chan); 231 break; 232 } 233 /* 234 * Initiate a scan. We can come here as a result 235 * of an IEEE80211_IOC_SCAN_REQ too in which case 236 * the vap will be marked with IEEE80211_FEXT_SCANREQ 237 * and the scan request parameters will be present 238 * in iv_scanreq. Otherwise we do the default. 239 */ 240 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 241 ieee80211_check_scan(vap, 242 vap->iv_scanreq_flags, 243 vap->iv_scanreq_duration, 244 vap->iv_scanreq_mindwell, 245 vap->iv_scanreq_maxdwell, 246 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 247 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 248 } else 249 ieee80211_check_scan_current(vap); 250 break; 251 case IEEE80211_S_SCAN: 252 /* 253 * A state change requires a reset; scan. 254 */ 255 ieee80211_check_scan_current(vap); 256 break; 257 default: 258 break; 259 } 260 break; 261 case IEEE80211_S_CAC: 262 /* 263 * Start CAC on a DFS channel. We come here when starting 264 * a bss on a DFS channel (see ieee80211_create_ibss). 265 */ 266 ieee80211_dfs_cac_start(vap); 267 break; 268 case IEEE80211_S_RUN: 269 if (vap->iv_flags & IEEE80211_F_WPA) { 270 /* XXX validate prerequisites */ 271 } 272 switch (ostate) { 273 case IEEE80211_S_INIT: 274 /* 275 * Already have a channel; bypass the 276 * scan and startup immediately. 277 * Note that ieee80211_create_ibss will call 278 * back to do a RUN->RUN state change. 279 */ 280 ieee80211_create_ibss(vap, 281 ieee80211_ht_adjust_channel(ic, 282 ic->ic_curchan, vap->iv_flags_ht)); 283 /* NB: iv_bss is changed on return */ 284 break; 285 case IEEE80211_S_CAC: 286 /* 287 * NB: This is the normal state change when CAC 288 * expires and no radar was detected; no need to 289 * clear the CAC timer as it's already expired. 290 */ 291 /* fall thru... */ 292 case IEEE80211_S_CSA: 293 /* 294 * Shorten inactivity timer of associated stations 295 * to weed out sta's that don't follow a CSA. 296 */ 297 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 298 sta_csa, NULL); 299 /* 300 * Update bss node channel to reflect where 301 * we landed after CSA. 302 */ 303 ieee80211_node_set_chan(vap->iv_bss, 304 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 305 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 306 /* XXX bypass debug msgs */ 307 break; 308 case IEEE80211_S_SCAN: 309 case IEEE80211_S_RUN: 310 #ifdef IEEE80211_DEBUG 311 if (ieee80211_msg_debug(vap)) { 312 struct ieee80211_node *ni = vap->iv_bss; 313 ieee80211_note(vap, 314 "synchronized with %s ssid ", 315 ether_sprintf(ni->ni_bssid)); 316 ieee80211_print_essid(ni->ni_essid, 317 ni->ni_esslen); 318 /* XXX MCS/HT */ 319 printf(" channel %d start %uMb\n", 320 ieee80211_chan2ieee(ic, ic->ic_curchan), 321 IEEE80211_RATE2MBS(ni->ni_txrate)); 322 } 323 #endif 324 break; 325 default: 326 break; 327 } 328 /* 329 * Start/stop the authenticator. We delay until here 330 * to allow configuration to happen out of order. 331 */ 332 if (vap->iv_auth->ia_attach != NULL) { 333 /* XXX check failure */ 334 vap->iv_auth->ia_attach(vap); 335 } else if (vap->iv_auth->ia_detach != NULL) { 336 vap->iv_auth->ia_detach(vap); 337 } 338 ieee80211_node_authorize(vap->iv_bss); 339 break; 340 case IEEE80211_S_CSA: 341 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 342 /* 343 * On a ``band change'' silently drop associated 344 * stations as they must re-associate before they 345 * can pass traffic (as otherwise protocol state 346 * such as capabilities and the negotiated rate 347 * set may/will be wrong). 348 */ 349 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 350 sta_drop, NULL); 351 } 352 break; 353 default: 354 break; 355 } 356 return 0; 357 } 358 359 static void 360 hostap_deliver_data(struct ieee80211vap *vap, 361 struct ieee80211_node *ni, struct mbuf *m) 362 { 363 struct ether_header *eh = mtod(m, struct ether_header *); 364 struct ifnet *ifp = vap->iv_ifp; 365 366 /* clear driver/net80211 flags before passing up */ 367 m->m_flags &= ~(M_MCAST | M_BCAST); 368 m_clrprotoflags(m); 369 370 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 371 ("gack, opmode %d", vap->iv_opmode)); 372 /* 373 * Do accounting. 374 */ 375 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 376 IEEE80211_NODE_STAT(ni, rx_data); 377 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 378 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 379 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 380 IEEE80211_NODE_STAT(ni, rx_mcast); 381 } else 382 IEEE80211_NODE_STAT(ni, rx_ucast); 383 384 /* perform as a bridge within the AP */ 385 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 386 struct mbuf *mcopy = NULL; 387 388 if (m->m_flags & M_MCAST) { 389 mcopy = m_dup(m, M_NOWAIT); 390 if (mcopy == NULL) 391 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 392 else 393 mcopy->m_flags |= M_MCAST; 394 } else { 395 /* 396 * Check if the destination is associated with the 397 * same vap and authorized to receive traffic. 398 * Beware of traffic destined for the vap itself; 399 * sending it will not work; just let it be delivered 400 * normally. 401 */ 402 struct ieee80211_node *sta = ieee80211_find_vap_node( 403 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 404 if (sta != NULL) { 405 if (ieee80211_node_is_authorized(sta)) { 406 /* 407 * Beware of sending to ourself; this 408 * needs to happen via the normal 409 * input path. 410 */ 411 if (sta != vap->iv_bss) { 412 mcopy = m; 413 m = NULL; 414 } 415 } else { 416 vap->iv_stats.is_rx_unauth++; 417 IEEE80211_NODE_STAT(sta, rx_unauth); 418 } 419 ieee80211_free_node(sta); 420 } 421 } 422 if (mcopy != NULL) 423 (void) ieee80211_vap_xmitpkt(vap, mcopy); 424 } 425 if (m != NULL) { 426 /* 427 * Mark frame as coming from vap's interface. 428 */ 429 m->m_pkthdr.rcvif = ifp; 430 if (m->m_flags & M_MCAST) { 431 /* 432 * Spam DWDS vap's w/ multicast traffic. 433 */ 434 /* XXX only if dwds in use? */ 435 ieee80211_dwds_mcast(vap, m); 436 } 437 if (ni->ni_vlan != 0) { 438 /* attach vlan tag */ 439 m->m_pkthdr.ether_vtag = ni->ni_vlan; 440 m->m_flags |= M_VLANTAG; 441 } 442 ifp->if_input(ifp, m); 443 } 444 } 445 446 /* 447 * Decide if a received management frame should be 448 * printed when debugging is enabled. This filters some 449 * of the less interesting frames that come frequently 450 * (e.g. beacons). 451 */ 452 static __inline int 453 doprint(struct ieee80211vap *vap, int subtype) 454 { 455 switch (subtype) { 456 case IEEE80211_FC0_SUBTYPE_BEACON: 457 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 458 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 459 return 0; 460 } 461 return 1; 462 } 463 464 /* 465 * Process a received frame. The node associated with the sender 466 * should be supplied. If nothing was found in the node table then 467 * the caller is assumed to supply a reference to iv_bss instead. 468 * The RSSI and a timestamp are also supplied. The RSSI data is used 469 * during AP scanning to select a AP to associate with; it can have 470 * any units so long as values have consistent units and higher values 471 * mean ``better signal''. The receive timestamp is currently not used 472 * by the 802.11 layer. 473 */ 474 static int 475 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 476 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 477 { 478 struct ieee80211vap *vap = ni->ni_vap; 479 struct ieee80211com *ic = ni->ni_ic; 480 struct ifnet *ifp = vap->iv_ifp; 481 struct ieee80211_frame *wh; 482 struct ieee80211_key *key; 483 struct ether_header *eh; 484 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 485 uint8_t dir, type, subtype, qos; 486 uint8_t *bssid; 487 int is_hw_decrypted = 0; 488 int has_decrypted = 0; 489 490 /* 491 * Some devices do hardware decryption all the way through 492 * to pretending the frame wasn't encrypted in the first place. 493 * So, tag it appropriately so it isn't discarded inappropriately. 494 */ 495 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 496 is_hw_decrypted = 1; 497 498 if (m->m_flags & M_AMPDU_MPDU) { 499 /* 500 * Fastpath for A-MPDU reorder q resubmission. Frames 501 * w/ M_AMPDU_MPDU marked have already passed through 502 * here but were received out of order and been held on 503 * the reorder queue. When resubmitted they are marked 504 * with the M_AMPDU_MPDU flag and we can bypass most of 505 * the normal processing. 506 */ 507 wh = mtod(m, struct ieee80211_frame *); 508 type = IEEE80211_FC0_TYPE_DATA; 509 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 510 subtype = IEEE80211_FC0_SUBTYPE_QOS; 511 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 512 goto resubmit_ampdu; 513 } 514 515 KASSERT(ni != NULL, ("null node")); 516 ni->ni_inact = ni->ni_inact_reload; 517 518 type = -1; /* undefined */ 519 520 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 521 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 522 ni->ni_macaddr, NULL, 523 "too short (1): len %u", m->m_pkthdr.len); 524 vap->iv_stats.is_rx_tooshort++; 525 goto out; 526 } 527 /* 528 * Bit of a cheat here, we use a pointer for a 3-address 529 * frame format but don't reference fields past outside 530 * ieee80211_frame_min w/o first validating the data is 531 * present. 532 */ 533 wh = mtod(m, struct ieee80211_frame *); 534 535 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 536 IEEE80211_FC0_VERSION_0) { 537 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 538 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 539 wh->i_fc[0], wh->i_fc[1]); 540 vap->iv_stats.is_rx_badversion++; 541 goto err; 542 } 543 544 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 545 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 546 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 547 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 548 if (dir != IEEE80211_FC1_DIR_NODS) 549 bssid = wh->i_addr1; 550 else if (type == IEEE80211_FC0_TYPE_CTL) 551 bssid = wh->i_addr1; 552 else { 553 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 554 IEEE80211_DISCARD_MAC(vap, 555 IEEE80211_MSG_ANY, ni->ni_macaddr, 556 NULL, "too short (2): len %u", 557 m->m_pkthdr.len); 558 vap->iv_stats.is_rx_tooshort++; 559 goto out; 560 } 561 bssid = wh->i_addr3; 562 } 563 /* 564 * Validate the bssid. 565 */ 566 if (!(type == IEEE80211_FC0_TYPE_MGT && 567 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 568 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 569 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 570 /* not interested in */ 571 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 572 bssid, NULL, "%s", "not to bss"); 573 vap->iv_stats.is_rx_wrongbss++; 574 goto out; 575 } 576 577 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 578 ni->ni_noise = nf; 579 if (IEEE80211_HAS_SEQ(type, subtype)) { 580 uint8_t tid = ieee80211_gettid(wh); 581 if (IEEE80211_QOS_HAS_SEQ(wh) && 582 TID_TO_WME_AC(tid) >= WME_AC_VI) 583 ic->ic_wme.wme_hipri_traffic++; 584 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 585 goto out; 586 } 587 } 588 589 switch (type) { 590 case IEEE80211_FC0_TYPE_DATA: 591 hdrspace = ieee80211_hdrspace(ic, wh); 592 if (m->m_len < hdrspace && 593 (m = m_pullup(m, hdrspace)) == NULL) { 594 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 595 ni->ni_macaddr, NULL, 596 "data too short: expecting %u", hdrspace); 597 vap->iv_stats.is_rx_tooshort++; 598 goto out; /* XXX */ 599 } 600 if (!(dir == IEEE80211_FC1_DIR_TODS || 601 (dir == IEEE80211_FC1_DIR_DSTODS && 602 (vap->iv_flags & IEEE80211_F_DWDS)))) { 603 if (dir != IEEE80211_FC1_DIR_DSTODS) { 604 IEEE80211_DISCARD(vap, 605 IEEE80211_MSG_INPUT, wh, "data", 606 "incorrect dir 0x%x", dir); 607 } else { 608 IEEE80211_DISCARD(vap, 609 IEEE80211_MSG_INPUT | 610 IEEE80211_MSG_WDS, wh, 611 "4-address data", 612 "%s", "DWDS not enabled"); 613 } 614 vap->iv_stats.is_rx_wrongdir++; 615 goto out; 616 } 617 /* check if source STA is associated */ 618 if (ni == vap->iv_bss) { 619 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 620 wh, "data", "%s", "unknown src"); 621 ieee80211_send_error(ni, wh->i_addr2, 622 IEEE80211_FC0_SUBTYPE_DEAUTH, 623 IEEE80211_REASON_NOT_AUTHED); 624 vap->iv_stats.is_rx_notassoc++; 625 goto err; 626 } 627 if (ni->ni_associd == 0) { 628 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 629 wh, "data", "%s", "unassoc src"); 630 IEEE80211_SEND_MGMT(ni, 631 IEEE80211_FC0_SUBTYPE_DISASSOC, 632 IEEE80211_REASON_NOT_ASSOCED); 633 vap->iv_stats.is_rx_notassoc++; 634 goto err; 635 } 636 637 /* 638 * Check for power save state change. 639 * XXX out-of-order A-MPDU frames? 640 */ 641 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 642 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 643 vap->iv_node_ps(ni, 644 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 645 /* 646 * For 4-address packets handle WDS discovery 647 * notifications. Once a WDS link is setup frames 648 * are just delivered to the WDS vap (see below). 649 */ 650 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 651 if (!ieee80211_node_is_authorized(ni)) { 652 IEEE80211_DISCARD(vap, 653 IEEE80211_MSG_INPUT | 654 IEEE80211_MSG_WDS, wh, 655 "4-address data", 656 "%s", "unauthorized port"); 657 vap->iv_stats.is_rx_unauth++; 658 IEEE80211_NODE_STAT(ni, rx_unauth); 659 goto err; 660 } 661 ieee80211_dwds_discover(ni, m); 662 return type; 663 } 664 665 /* 666 * Handle A-MPDU re-ordering. If the frame is to be 667 * processed directly then ieee80211_ampdu_reorder 668 * will return 0; otherwise it has consumed the mbuf 669 * and we should do nothing more with it. 670 */ 671 if ((m->m_flags & M_AMPDU) && 672 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 673 m = NULL; 674 goto out; 675 } 676 resubmit_ampdu: 677 678 /* 679 * Handle privacy requirements. Note that we 680 * must not be preempted from here until after 681 * we (potentially) call ieee80211_crypto_demic; 682 * otherwise we may violate assumptions in the 683 * crypto cipher modules used to do delayed update 684 * of replay sequence numbers. 685 */ 686 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 687 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 688 /* 689 * Discard encrypted frames when privacy is off. 690 */ 691 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 692 wh, "WEP", "%s", "PRIVACY off"); 693 vap->iv_stats.is_rx_noprivacy++; 694 IEEE80211_NODE_STAT(ni, rx_noprivacy); 695 goto out; 696 } 697 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 698 /* NB: stats+msgs handled in crypto_decap */ 699 IEEE80211_NODE_STAT(ni, rx_wepfail); 700 goto out; 701 } 702 wh = mtod(m, struct ieee80211_frame *); 703 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 704 has_decrypted = 1; 705 } else { 706 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 707 key = NULL; 708 } 709 710 /* 711 * Save QoS bits for use below--before we strip the header. 712 */ 713 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) 714 qos = ieee80211_getqos(wh)[0]; 715 else 716 qos = 0; 717 718 /* 719 * Next up, any fragmentation. 720 */ 721 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 722 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 723 if (m == NULL) { 724 /* Fragment dropped or frame not complete yet */ 725 goto out; 726 } 727 } 728 wh = NULL; /* no longer valid, catch any uses */ 729 730 /* 731 * Next strip any MSDU crypto bits. 732 */ 733 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 734 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 735 ni->ni_macaddr, "data", "%s", "demic error"); 736 vap->iv_stats.is_rx_demicfail++; 737 IEEE80211_NODE_STAT(ni, rx_demicfail); 738 goto out; 739 } 740 /* copy to listener after decrypt */ 741 if (ieee80211_radiotap_active_vap(vap)) 742 ieee80211_radiotap_rx(vap, m); 743 need_tap = 0; 744 /* 745 * Finally, strip the 802.11 header. 746 */ 747 m = ieee80211_decap(vap, m, hdrspace, qos); 748 if (m == NULL) { 749 /* XXX mask bit to check for both */ 750 /* don't count Null data frames as errors */ 751 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 752 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 753 goto out; 754 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 755 ni->ni_macaddr, "data", "%s", "decap error"); 756 vap->iv_stats.is_rx_decap++; 757 IEEE80211_NODE_STAT(ni, rx_decap); 758 goto err; 759 } 760 if (!(qos & IEEE80211_QOS_AMSDU)) 761 eh = mtod(m, struct ether_header *); 762 else 763 eh = NULL; 764 if (!ieee80211_node_is_authorized(ni)) { 765 /* 766 * Deny any non-PAE frames received prior to 767 * authorization. For open/shared-key 768 * authentication the port is mark authorized 769 * after authentication completes. For 802.1x 770 * the port is not marked authorized by the 771 * authenticator until the handshake has completed. 772 */ 773 if (eh == NULL || 774 eh->ether_type != htons(ETHERTYPE_PAE)) { 775 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 776 ni->ni_macaddr, "data", "unauthorized or " 777 "unknown port: ether type 0x%x len %u", 778 eh == NULL ? -1 : eh->ether_type, 779 m->m_pkthdr.len); 780 vap->iv_stats.is_rx_unauth++; 781 IEEE80211_NODE_STAT(ni, rx_unauth); 782 goto err; 783 } 784 } else { 785 /* 786 * When denying unencrypted frames, discard 787 * any non-PAE frames received without encryption. 788 */ 789 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 790 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 791 (is_hw_decrypted == 0) && 792 (eh == NULL || 793 eh->ether_type != htons(ETHERTYPE_PAE))) { 794 /* 795 * Drop unencrypted frames. 796 */ 797 vap->iv_stats.is_rx_unencrypted++; 798 IEEE80211_NODE_STAT(ni, rx_unencrypted); 799 goto out; 800 } 801 } 802 /* XXX require HT? */ 803 if (qos & IEEE80211_QOS_AMSDU) { 804 m = ieee80211_decap_amsdu(ni, m); 805 if (m == NULL) 806 return IEEE80211_FC0_TYPE_DATA; 807 } else { 808 #ifdef IEEE80211_SUPPORT_SUPERG 809 m = ieee80211_decap_fastframe(vap, ni, m); 810 if (m == NULL) 811 return IEEE80211_FC0_TYPE_DATA; 812 #endif 813 } 814 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 815 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 816 else 817 hostap_deliver_data(vap, ni, m); 818 return IEEE80211_FC0_TYPE_DATA; 819 820 case IEEE80211_FC0_TYPE_MGT: 821 vap->iv_stats.is_rx_mgmt++; 822 IEEE80211_NODE_STAT(ni, rx_mgmt); 823 if (dir != IEEE80211_FC1_DIR_NODS) { 824 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 825 wh, "mgt", "incorrect dir 0x%x", dir); 826 vap->iv_stats.is_rx_wrongdir++; 827 goto err; 828 } 829 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 830 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 831 ni->ni_macaddr, "mgt", "too short: len %u", 832 m->m_pkthdr.len); 833 vap->iv_stats.is_rx_tooshort++; 834 goto out; 835 } 836 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 837 /* ensure return frames are unicast */ 838 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 839 wh, NULL, "source is multicast: %s", 840 ether_sprintf(wh->i_addr2)); 841 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 842 goto out; 843 } 844 #ifdef IEEE80211_DEBUG 845 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 846 ieee80211_msg_dumppkts(vap)) { 847 if_printf(ifp, "received %s from %s rssi %d\n", 848 ieee80211_mgt_subtype_name(subtype), 849 ether_sprintf(wh->i_addr2), rssi); 850 } 851 #endif 852 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 853 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 854 /* 855 * Only shared key auth frames with a challenge 856 * should be encrypted, discard all others. 857 */ 858 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 859 wh, NULL, 860 "%s", "WEP set but not permitted"); 861 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 862 goto out; 863 } 864 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 865 /* 866 * Discard encrypted frames when privacy is off. 867 */ 868 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 869 wh, NULL, "%s", "WEP set but PRIVACY off"); 870 vap->iv_stats.is_rx_noprivacy++; 871 goto out; 872 } 873 hdrspace = ieee80211_hdrspace(ic, wh); 874 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 875 /* NB: stats+msgs handled in crypto_decap */ 876 goto out; 877 } 878 wh = mtod(m, struct ieee80211_frame *); 879 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 880 has_decrypted = 1; 881 } 882 /* 883 * Pass the packet to radiotap before calling iv_recv_mgmt(). 884 * Otherwise iv_recv_mgmt() might pass another packet to 885 * radiotap, resulting in out of order packet captures. 886 */ 887 if (ieee80211_radiotap_active_vap(vap)) 888 ieee80211_radiotap_rx(vap, m); 889 need_tap = 0; 890 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 891 goto out; 892 893 case IEEE80211_FC0_TYPE_CTL: 894 vap->iv_stats.is_rx_ctl++; 895 IEEE80211_NODE_STAT(ni, rx_ctrl); 896 vap->iv_recv_ctl(ni, m, subtype); 897 goto out; 898 default: 899 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 900 wh, "bad", "frame type 0x%x", type); 901 /* should not come here */ 902 break; 903 } 904 err: 905 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 906 out: 907 if (m != NULL) { 908 if (need_tap && ieee80211_radiotap_active_vap(vap)) 909 ieee80211_radiotap_rx(vap, m); 910 m_freem(m); 911 } 912 return type; 913 } 914 915 static void 916 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 917 int rssi, int nf, uint16_t seq, uint16_t status) 918 { 919 struct ieee80211vap *vap = ni->ni_vap; 920 921 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 922 923 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 924 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 925 ni->ni_macaddr, "open auth", 926 "bad sta auth mode %u", ni->ni_authmode); 927 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 928 /* 929 * Clear any challenge text that may be there if 930 * a previous shared key auth failed and then an 931 * open auth is attempted. 932 */ 933 if (ni->ni_challenge != NULL) { 934 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 935 ni->ni_challenge = NULL; 936 } 937 /* XXX hack to workaround calling convention */ 938 ieee80211_send_error(ni, wh->i_addr2, 939 IEEE80211_FC0_SUBTYPE_AUTH, 940 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 941 return; 942 } 943 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 944 vap->iv_stats.is_rx_bad_auth++; 945 return; 946 } 947 /* always accept open authentication requests */ 948 if (ni == vap->iv_bss) { 949 ni = ieee80211_dup_bss(vap, wh->i_addr2); 950 if (ni == NULL) 951 return; 952 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 953 (void) ieee80211_ref_node(ni); 954 /* 955 * Mark the node as referenced to reflect that it's 956 * reference count has been bumped to insure it remains 957 * after the transaction completes. 958 */ 959 ni->ni_flags |= IEEE80211_NODE_AREF; 960 /* 961 * Mark the node as requiring a valid association id 962 * before outbound traffic is permitted. 963 */ 964 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 965 966 if (vap->iv_acl != NULL && 967 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 968 /* 969 * When the ACL policy is set to RADIUS we defer the 970 * authorization to a user agent. Dispatch an event, 971 * a subsequent MLME call will decide the fate of the 972 * station. If the user agent is not present then the 973 * node will be reclaimed due to inactivity. 974 */ 975 IEEE80211_NOTE_MAC(vap, 976 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 977 "%s", "station authentication defered (radius acl)"); 978 ieee80211_notify_node_auth(ni); 979 } else { 980 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 981 IEEE80211_NOTE_MAC(vap, 982 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 983 "%s", "station authenticated (open)"); 984 /* 985 * When 802.1x is not in use mark the port 986 * authorized at this point so traffic can flow. 987 */ 988 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 989 ieee80211_node_authorize(ni); 990 } 991 } 992 993 static void 994 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 995 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 996 uint16_t seq, uint16_t status) 997 { 998 struct ieee80211vap *vap = ni->ni_vap; 999 uint8_t *challenge; 1000 int allocbs, estatus; 1001 1002 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1003 1004 /* 1005 * NB: this can happen as we allow pre-shared key 1006 * authentication to be enabled w/o wep being turned 1007 * on so that configuration of these can be done 1008 * in any order. It may be better to enforce the 1009 * ordering in which case this check would just be 1010 * for sanity/consistency. 1011 */ 1012 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1013 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1014 ni->ni_macaddr, "shared key auth", 1015 "%s", " PRIVACY is disabled"); 1016 estatus = IEEE80211_STATUS_ALG; 1017 goto bad; 1018 } 1019 /* 1020 * Pre-shared key authentication is evil; accept 1021 * it only if explicitly configured (it is supported 1022 * mainly for compatibility with clients like Mac OS X). 1023 */ 1024 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1025 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1026 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1027 ni->ni_macaddr, "shared key auth", 1028 "bad sta auth mode %u", ni->ni_authmode); 1029 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1030 estatus = IEEE80211_STATUS_ALG; 1031 goto bad; 1032 } 1033 1034 challenge = NULL; 1035 if (frm + 1 < efrm) { 1036 if ((frm[1] + 2) > (efrm - frm)) { 1037 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1038 ni->ni_macaddr, "shared key auth", 1039 "ie %d/%d too long", 1040 frm[0], (frm[1] + 2) - (efrm - frm)); 1041 vap->iv_stats.is_rx_bad_auth++; 1042 estatus = IEEE80211_STATUS_CHALLENGE; 1043 goto bad; 1044 } 1045 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1046 challenge = frm; 1047 frm += frm[1] + 2; 1048 } 1049 switch (seq) { 1050 case IEEE80211_AUTH_SHARED_CHALLENGE: 1051 case IEEE80211_AUTH_SHARED_RESPONSE: 1052 if (challenge == NULL) { 1053 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1054 ni->ni_macaddr, "shared key auth", 1055 "%s", "no challenge"); 1056 vap->iv_stats.is_rx_bad_auth++; 1057 estatus = IEEE80211_STATUS_CHALLENGE; 1058 goto bad; 1059 } 1060 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1061 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1062 ni->ni_macaddr, "shared key auth", 1063 "bad challenge len %d", challenge[1]); 1064 vap->iv_stats.is_rx_bad_auth++; 1065 estatus = IEEE80211_STATUS_CHALLENGE; 1066 goto bad; 1067 } 1068 default: 1069 break; 1070 } 1071 switch (seq) { 1072 case IEEE80211_AUTH_SHARED_REQUEST: 1073 if (ni == vap->iv_bss) { 1074 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1075 if (ni == NULL) { 1076 /* NB: no way to return an error */ 1077 return; 1078 } 1079 allocbs = 1; 1080 } else { 1081 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1082 (void) ieee80211_ref_node(ni); 1083 allocbs = 0; 1084 } 1085 /* 1086 * Mark the node as referenced to reflect that it's 1087 * reference count has been bumped to insure it remains 1088 * after the transaction completes. 1089 */ 1090 ni->ni_flags |= IEEE80211_NODE_AREF; 1091 /* 1092 * Mark the node as requiring a valid association id 1093 * before outbound traffic is permitted. 1094 */ 1095 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1096 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1097 ni->ni_noise = nf; 1098 if (!ieee80211_alloc_challenge(ni)) { 1099 /* NB: don't return error so they rexmit */ 1100 return; 1101 } 1102 net80211_get_random_bytes(ni->ni_challenge, 1103 IEEE80211_CHALLENGE_LEN); 1104 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1105 ni, "shared key %sauth request", allocbs ? "" : "re"); 1106 /* 1107 * When the ACL policy is set to RADIUS we defer the 1108 * authorization to a user agent. Dispatch an event, 1109 * a subsequent MLME call will decide the fate of the 1110 * station. If the user agent is not present then the 1111 * node will be reclaimed due to inactivity. 1112 */ 1113 if (vap->iv_acl != NULL && 1114 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1115 IEEE80211_NOTE_MAC(vap, 1116 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1117 ni->ni_macaddr, 1118 "%s", "station authentication defered (radius acl)"); 1119 ieee80211_notify_node_auth(ni); 1120 return; 1121 } 1122 break; 1123 case IEEE80211_AUTH_SHARED_RESPONSE: 1124 if (ni == vap->iv_bss) { 1125 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1126 ni->ni_macaddr, "shared key response", 1127 "%s", "unknown station"); 1128 /* NB: don't send a response */ 1129 return; 1130 } 1131 if (ni->ni_challenge == NULL) { 1132 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1133 ni->ni_macaddr, "shared key response", 1134 "%s", "no challenge recorded"); 1135 vap->iv_stats.is_rx_bad_auth++; 1136 estatus = IEEE80211_STATUS_CHALLENGE; 1137 goto bad; 1138 } 1139 if (memcmp(ni->ni_challenge, &challenge[2], 1140 challenge[1]) != 0) { 1141 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1142 ni->ni_macaddr, "shared key response", 1143 "%s", "challenge mismatch"); 1144 vap->iv_stats.is_rx_auth_fail++; 1145 estatus = IEEE80211_STATUS_CHALLENGE; 1146 goto bad; 1147 } 1148 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1149 ni, "%s", "station authenticated (shared key)"); 1150 ieee80211_node_authorize(ni); 1151 break; 1152 default: 1153 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1154 ni->ni_macaddr, "shared key auth", 1155 "bad seq %d", seq); 1156 vap->iv_stats.is_rx_bad_auth++; 1157 estatus = IEEE80211_STATUS_SEQUENCE; 1158 goto bad; 1159 } 1160 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1161 return; 1162 bad: 1163 /* 1164 * Send an error response; but only when operating as an AP. 1165 */ 1166 /* XXX hack to workaround calling convention */ 1167 ieee80211_send_error(ni, wh->i_addr2, 1168 IEEE80211_FC0_SUBTYPE_AUTH, 1169 (seq + 1) | (estatus<<16)); 1170 } 1171 1172 /* 1173 * Convert a WPA cipher selector OUI to an internal 1174 * cipher algorithm. Where appropriate we also 1175 * record any key length. 1176 */ 1177 static int 1178 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1179 { 1180 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1181 uint32_t w = le32dec(sel); 1182 1183 switch (w) { 1184 case WPA_SEL(WPA_CSE_NULL): 1185 *cipher = IEEE80211_CIPHER_NONE; 1186 break; 1187 case WPA_SEL(WPA_CSE_WEP40): 1188 if (keylen) 1189 *keylen = 40 / NBBY; 1190 *cipher = IEEE80211_CIPHER_WEP; 1191 break; 1192 case WPA_SEL(WPA_CSE_WEP104): 1193 if (keylen) 1194 *keylen = 104 / NBBY; 1195 *cipher = IEEE80211_CIPHER_WEP; 1196 break; 1197 case WPA_SEL(WPA_CSE_TKIP): 1198 *cipher = IEEE80211_CIPHER_TKIP; 1199 break; 1200 case WPA_SEL(WPA_CSE_CCMP): 1201 *cipher = IEEE80211_CIPHER_AES_CCM; 1202 break; 1203 default: 1204 return (EINVAL); 1205 } 1206 1207 return (0); 1208 #undef WPA_SEL 1209 } 1210 1211 /* 1212 * Convert a WPA key management/authentication algorithm 1213 * to an internal code. 1214 */ 1215 static int 1216 wpa_keymgmt(const uint8_t *sel) 1217 { 1218 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1219 uint32_t w = le32dec(sel); 1220 1221 switch (w) { 1222 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1223 return WPA_ASE_8021X_UNSPEC; 1224 case WPA_SEL(WPA_ASE_8021X_PSK): 1225 return WPA_ASE_8021X_PSK; 1226 case WPA_SEL(WPA_ASE_NONE): 1227 return WPA_ASE_NONE; 1228 } 1229 return 0; /* NB: so is discarded */ 1230 #undef WPA_SEL 1231 } 1232 1233 /* 1234 * Parse a WPA information element to collect parameters. 1235 * Note that we do not validate security parameters; that 1236 * is handled by the authenticator; the parsing done here 1237 * is just for internal use in making operational decisions. 1238 */ 1239 static int 1240 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1241 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1242 { 1243 uint8_t len = frm[1]; 1244 uint32_t w; 1245 int error, n; 1246 1247 /* 1248 * Check the length once for fixed parts: OUI, type, 1249 * version, mcast cipher, and 2 selector counts. 1250 * Other, variable-length data, must be checked separately. 1251 */ 1252 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1253 IEEE80211_DISCARD_IE(vap, 1254 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1255 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1256 return IEEE80211_REASON_IE_INVALID; 1257 } 1258 if (len < 14) { 1259 IEEE80211_DISCARD_IE(vap, 1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1261 wh, "WPA", "too short, len %u", len); 1262 return IEEE80211_REASON_IE_INVALID; 1263 } 1264 frm += 6, len -= 4; /* NB: len is payload only */ 1265 /* NB: iswpaoui already validated the OUI and type */ 1266 w = le16dec(frm); 1267 if (w != WPA_VERSION) { 1268 IEEE80211_DISCARD_IE(vap, 1269 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1270 wh, "WPA", "bad version %u", w); 1271 return IEEE80211_REASON_IE_INVALID; 1272 } 1273 frm += 2, len -= 2; 1274 1275 memset(rsn, 0, sizeof(*rsn)); 1276 1277 /* multicast/group cipher */ 1278 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1279 if (error != 0) { 1280 IEEE80211_DISCARD_IE(vap, 1281 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1282 wh, "WPA", "unknown mcast cipher suite %08X", 1283 le32dec(frm)); 1284 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1285 } 1286 frm += 4, len -= 4; 1287 1288 /* unicast ciphers */ 1289 n = le16dec(frm); 1290 frm += 2, len -= 2; 1291 if (len < n*4+2) { 1292 IEEE80211_DISCARD_IE(vap, 1293 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1294 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1295 len, n); 1296 return IEEE80211_REASON_IE_INVALID; 1297 } 1298 w = 0; 1299 for (; n > 0; n--) { 1300 uint8_t cipher; 1301 1302 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1303 if (error == 0) 1304 w |= 1 << cipher; 1305 1306 frm += 4, len -= 4; 1307 } 1308 if (w == 0) { 1309 IEEE80211_DISCARD_IE(vap, 1310 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1311 wh, "WPA", "no usable pairwise cipher suite found (w=%d)", 1312 w); 1313 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1314 } 1315 /* XXX other? */ 1316 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1317 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1318 else 1319 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1320 1321 /* key management algorithms */ 1322 n = le16dec(frm); 1323 frm += 2, len -= 2; 1324 if (len < n*4) { 1325 IEEE80211_DISCARD_IE(vap, 1326 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1327 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1328 len, n); 1329 return IEEE80211_REASON_IE_INVALID; 1330 } 1331 w = 0; 1332 for (; n > 0; n--) { 1333 w |= wpa_keymgmt(frm); 1334 frm += 4, len -= 4; 1335 } 1336 if (w & WPA_ASE_8021X_UNSPEC) 1337 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1338 else 1339 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1340 1341 if (len > 2) /* optional capabilities */ 1342 rsn->rsn_caps = le16dec(frm); 1343 1344 return 0; 1345 } 1346 1347 /* 1348 * Convert an RSN cipher selector OUI to an internal 1349 * cipher algorithm. Where appropriate we also 1350 * record any key length. 1351 */ 1352 static int 1353 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) 1354 { 1355 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1356 uint32_t w = le32dec(sel); 1357 1358 switch (w) { 1359 case RSN_SEL(RSN_CSE_NULL): 1360 *cipher = IEEE80211_CIPHER_NONE; 1361 break; 1362 case RSN_SEL(RSN_CSE_WEP40): 1363 if (keylen) 1364 *keylen = 40 / NBBY; 1365 *cipher = IEEE80211_CIPHER_WEP; 1366 break; 1367 case RSN_SEL(RSN_CSE_WEP104): 1368 if (keylen) 1369 *keylen = 104 / NBBY; 1370 *cipher = IEEE80211_CIPHER_WEP; 1371 break; 1372 case RSN_SEL(RSN_CSE_TKIP): 1373 *cipher = IEEE80211_CIPHER_TKIP; 1374 break; 1375 case RSN_SEL(RSN_CSE_CCMP): 1376 *cipher = IEEE80211_CIPHER_AES_CCM; 1377 break; 1378 case RSN_SEL(RSN_CSE_WRAP): 1379 *cipher = IEEE80211_CIPHER_AES_OCB; 1380 break; 1381 default: 1382 return (EINVAL); 1383 } 1384 1385 return (0); 1386 #undef WPA_SEL 1387 } 1388 1389 /* 1390 * Convert an RSN key management/authentication algorithm 1391 * to an internal code. 1392 */ 1393 static int 1394 rsn_keymgmt(const uint8_t *sel) 1395 { 1396 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1397 uint32_t w = le32dec(sel); 1398 1399 switch (w) { 1400 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1401 return RSN_ASE_8021X_UNSPEC; 1402 case RSN_SEL(RSN_ASE_8021X_PSK): 1403 return RSN_ASE_8021X_PSK; 1404 case RSN_SEL(RSN_ASE_NONE): 1405 return RSN_ASE_NONE; 1406 } 1407 return 0; /* NB: so is discarded */ 1408 #undef RSN_SEL 1409 } 1410 1411 /* 1412 * Parse a WPA/RSN information element to collect parameters 1413 * and validate the parameters against what has been 1414 * configured for the system. 1415 */ 1416 static int 1417 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1418 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1419 { 1420 uint8_t len = frm[1]; 1421 uint32_t w; 1422 int error, n; 1423 1424 /* 1425 * Check the length once for fixed parts: 1426 * version, mcast cipher, and 2 selector counts. 1427 * Other, variable-length data, must be checked separately. 1428 */ 1429 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1430 IEEE80211_DISCARD_IE(vap, 1431 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1432 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1433 return IEEE80211_REASON_IE_INVALID; 1434 } 1435 /* XXX may be shorter */ 1436 if (len < 10) { 1437 IEEE80211_DISCARD_IE(vap, 1438 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1439 wh, "RSN", "too short, len %u", len); 1440 return IEEE80211_REASON_IE_INVALID; 1441 } 1442 frm += 2; 1443 w = le16dec(frm); 1444 if (w != RSN_VERSION) { 1445 IEEE80211_DISCARD_IE(vap, 1446 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1447 wh, "RSN", "bad version %u", w); 1448 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; 1449 } 1450 frm += 2, len -= 2; 1451 1452 memset(rsn, 0, sizeof(*rsn)); 1453 1454 /* multicast/group cipher */ 1455 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); 1456 if (error != 0) { 1457 IEEE80211_DISCARD_IE(vap, 1458 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1459 wh, "RSN", "unknown mcast cipher suite %08X", 1460 le32dec(frm)); 1461 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1462 } 1463 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { 1464 IEEE80211_DISCARD_IE(vap, 1465 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1466 wh, "RSN", "invalid mcast cipher suite %d", 1467 rsn->rsn_mcastcipher); 1468 return IEEE80211_REASON_GROUP_CIPHER_INVALID; 1469 } 1470 frm += 4, len -= 4; 1471 1472 /* unicast ciphers */ 1473 n = le16dec(frm); 1474 frm += 2, len -= 2; 1475 if (len < n*4+2) { 1476 IEEE80211_DISCARD_IE(vap, 1477 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1478 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1479 len, n); 1480 return IEEE80211_REASON_IE_INVALID; 1481 } 1482 w = 0; 1483 1484 for (; n > 0; n--) { 1485 uint8_t cipher; 1486 1487 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); 1488 if (error == 0) 1489 w |= 1 << cipher; 1490 1491 frm += 4, len -= 4; 1492 } 1493 if (w & (1 << IEEE80211_CIPHER_AES_CCM)) 1494 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1495 else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) 1496 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; 1497 else if (w & (1 << IEEE80211_CIPHER_TKIP)) 1498 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1499 else if ((w & (1 << IEEE80211_CIPHER_NONE)) && 1500 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || 1501 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) 1502 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; 1503 else { 1504 IEEE80211_DISCARD_IE(vap, 1505 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1506 wh, "RSN", "no usable pairwise cipher suite found (w=%d)", 1507 w); 1508 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; 1509 } 1510 1511 /* key management algorithms */ 1512 n = le16dec(frm); 1513 frm += 2, len -= 2; 1514 if (len < n*4) { 1515 IEEE80211_DISCARD_IE(vap, 1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1517 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1518 len, n); 1519 return IEEE80211_REASON_IE_INVALID; 1520 } 1521 w = 0; 1522 for (; n > 0; n--) { 1523 w |= rsn_keymgmt(frm); 1524 frm += 4, len -= 4; 1525 } 1526 if (w & RSN_ASE_8021X_UNSPEC) 1527 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1528 else 1529 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1530 1531 /* optional RSN capabilities */ 1532 if (len > 2) 1533 rsn->rsn_caps = le16dec(frm); 1534 /* XXXPMKID */ 1535 1536 return 0; 1537 } 1538 1539 /* 1540 * WPA/802.11i association request processing. 1541 */ 1542 static int 1543 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1544 const struct ieee80211_frame *wh, const uint8_t *wpa, 1545 const uint8_t *rsn, uint16_t capinfo) 1546 { 1547 struct ieee80211vap *vap = ni->ni_vap; 1548 uint8_t reason; 1549 int badwparsn; 1550 1551 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1552 if (wpa == NULL && rsn == NULL) { 1553 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1554 /* 1555 * W-Fi Protected Setup (WPS) permits 1556 * clients to associate and pass EAPOL frames 1557 * to establish initial credentials. 1558 */ 1559 ni->ni_flags |= IEEE80211_NODE_WPS; 1560 return 1; 1561 } 1562 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1563 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1564 /* 1565 * Transitional Security Network. Permits clients 1566 * to associate and use WEP while WPA is configured. 1567 */ 1568 ni->ni_flags |= IEEE80211_NODE_TSN; 1569 return 1; 1570 } 1571 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1572 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1573 vap->iv_stats.is_rx_assoc_badwpaie++; 1574 reason = IEEE80211_REASON_IE_INVALID; 1575 goto bad; 1576 } 1577 /* assert right association security credentials */ 1578 badwparsn = 0; /* NB: to silence compiler */ 1579 switch (vap->iv_flags & IEEE80211_F_WPA) { 1580 case IEEE80211_F_WPA1: 1581 badwparsn = (wpa == NULL); 1582 break; 1583 case IEEE80211_F_WPA2: 1584 badwparsn = (rsn == NULL); 1585 break; 1586 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1587 badwparsn = (wpa == NULL && rsn == NULL); 1588 break; 1589 } 1590 if (badwparsn) { 1591 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1592 wh, NULL, 1593 "%s", "missing WPA/RSN IE in association request"); 1594 vap->iv_stats.is_rx_assoc_badwpaie++; 1595 reason = IEEE80211_REASON_IE_INVALID; 1596 goto bad; 1597 } 1598 /* 1599 * Parse WPA/RSN information element. 1600 */ 1601 if (wpa != NULL) 1602 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1603 else 1604 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1605 if (reason != 0) { 1606 /* XXX wpa->rsn fallback? */ 1607 /* XXX distinguish WPA/RSN? */ 1608 vap->iv_stats.is_rx_assoc_badwpaie++; 1609 goto bad; 1610 } 1611 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1612 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1613 wpa != NULL ? "WPA" : "RSN", 1614 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1615 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1616 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1617 1618 return 1; 1619 bad: 1620 ieee80211_node_deauth(ni, reason); 1621 return 0; 1622 } 1623 1624 /* XXX find a better place for definition */ 1625 struct l2_update_frame { 1626 struct ether_header eh; 1627 uint8_t dsap; 1628 uint8_t ssap; 1629 uint8_t control; 1630 uint8_t xid[3]; 1631 } __packed; 1632 1633 /* 1634 * Deliver a TGf L2UF frame on behalf of a station. 1635 * This primes any bridge when the station is roaming 1636 * between ap's on the same wired network. 1637 */ 1638 static void 1639 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1640 { 1641 struct ieee80211vap *vap = ni->ni_vap; 1642 struct ifnet *ifp = vap->iv_ifp; 1643 struct mbuf *m; 1644 struct l2_update_frame *l2uf; 1645 struct ether_header *eh; 1646 1647 m = m_gethdr(M_NOWAIT, MT_DATA); 1648 if (m == NULL) { 1649 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1650 "%s", "no mbuf for l2uf frame"); 1651 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1652 return; 1653 } 1654 l2uf = mtod(m, struct l2_update_frame *); 1655 eh = &l2uf->eh; 1656 /* dst: Broadcast address */ 1657 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1658 /* src: associated STA */ 1659 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1660 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1661 1662 l2uf->dsap = 0; 1663 l2uf->ssap = 0; 1664 l2uf->control = 0xf5; 1665 l2uf->xid[0] = 0x81; 1666 l2uf->xid[1] = 0x80; 1667 l2uf->xid[2] = 0x00; 1668 1669 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1670 hostap_deliver_data(vap, ni, m); 1671 } 1672 1673 static void 1674 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1675 int reassoc, int resp, const char *tag, int rate) 1676 { 1677 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1678 "deny %s request, %s rate set mismatch, rate/MCS %d", 1679 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1680 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1681 ieee80211_node_leave(ni); 1682 } 1683 1684 static void 1685 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1686 int reassoc, int resp, const char *tag, int capinfo) 1687 { 1688 struct ieee80211vap *vap = ni->ni_vap; 1689 1690 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1691 "deny %s request, %s mismatch 0x%x", 1692 reassoc ? "reassoc" : "assoc", tag, capinfo); 1693 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1694 ieee80211_node_leave(ni); 1695 vap->iv_stats.is_rx_assoc_capmismatch++; 1696 } 1697 1698 static void 1699 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1700 int reassoc, int resp) 1701 { 1702 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1703 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1704 /* XXX no better code */ 1705 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1706 ieee80211_node_leave(ni); 1707 } 1708 1709 static void 1710 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1711 int algo, int seq, int status) 1712 { 1713 struct ieee80211vap *vap = ni->ni_vap; 1714 1715 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1716 wh, NULL, "unsupported alg %d", algo); 1717 vap->iv_stats.is_rx_auth_unsupported++; 1718 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1719 seq | (status << 16)); 1720 } 1721 1722 static __inline int 1723 ishtmixed(const uint8_t *ie) 1724 { 1725 const struct ieee80211_ie_htinfo *ht = 1726 (const struct ieee80211_ie_htinfo *) ie; 1727 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1728 IEEE80211_HTINFO_OPMODE_MIXED; 1729 } 1730 1731 static int 1732 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1733 { 1734 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1735 int i; 1736 1737 /* NB: the 11b clients we care about will not have xrates */ 1738 if (xrates != NULL || rates == NULL) 1739 return 0; 1740 for (i = 0; i < rates[1]; i++) { 1741 int r = rates[2+i] & IEEE80211_RATE_VAL; 1742 if (r > 2*11 || ((1<<r) & brates) == 0) 1743 return 0; 1744 } 1745 return 1; 1746 } 1747 1748 static void 1749 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1750 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1751 { 1752 struct ieee80211vap *vap = ni->ni_vap; 1753 struct ieee80211com *ic = ni->ni_ic; 1754 struct ieee80211_frame *wh; 1755 uint8_t *frm, *efrm, *sfrm; 1756 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1757 uint8_t *vhtcap, *vhtinfo; 1758 int reassoc, resp; 1759 uint8_t rate; 1760 1761 wh = mtod(m0, struct ieee80211_frame *); 1762 frm = (uint8_t *)&wh[1]; 1763 efrm = mtod(m0, uint8_t *) + m0->m_len; 1764 switch (subtype) { 1765 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1766 /* 1767 * We process beacon/probe response frames when scanning; 1768 * otherwise we check beacon frames for overlapping non-ERP 1769 * BSS in 11g and/or overlapping legacy BSS when in HT. 1770 */ 1771 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1772 vap->iv_stats.is_rx_mgtdiscard++; 1773 return; 1774 } 1775 /* FALLTHROUGH */ 1776 case IEEE80211_FC0_SUBTYPE_BEACON: { 1777 struct ieee80211_scanparams scan; 1778 1779 /* NB: accept off-channel frames */ 1780 /* XXX TODO: use rxstatus to determine off-channel details */ 1781 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1782 return; 1783 /* 1784 * Count frame now that we know it's to be processed. 1785 */ 1786 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1787 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1788 IEEE80211_NODE_STAT(ni, rx_beacons); 1789 } else 1790 IEEE80211_NODE_STAT(ni, rx_proberesp); 1791 /* 1792 * If scanning, just pass information to the scan module. 1793 */ 1794 if (ic->ic_flags & IEEE80211_F_SCAN) { 1795 if (scan.status == 0 && /* NB: on channel */ 1796 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1797 /* 1798 * Actively scanning a channel marked passive; 1799 * send a probe request now that we know there 1800 * is 802.11 traffic present. 1801 * 1802 * XXX check if the beacon we recv'd gives 1803 * us what we need and suppress the probe req 1804 */ 1805 ieee80211_probe_curchan(vap, 1); 1806 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1807 } 1808 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1809 subtype, rssi, nf); 1810 return; 1811 } 1812 /* 1813 * Check beacon for overlapping bss w/ non ERP stations. 1814 * If we detect one and protection is configured but not 1815 * enabled, enable it and start a timer that'll bring us 1816 * out if we stop seeing the bss. 1817 */ 1818 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1819 scan.status == 0 && /* NB: on-channel */ 1820 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1821 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1822 vap->iv_lastnonerp = ticks; 1823 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1824 /* 1825 * XXX TODO: this may need to check all VAPs? 1826 */ 1827 if (vap->iv_protmode != IEEE80211_PROT_NONE && 1828 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) { 1829 IEEE80211_NOTE_FRAME(vap, 1830 IEEE80211_MSG_ASSOC, wh, 1831 "non-ERP present on channel %d " 1832 "(saw erp 0x%x from channel %d), " 1833 "enable use of protection", 1834 ic->ic_curchan->ic_ieee, 1835 scan.erp, scan.chan); 1836 vap->iv_flags |= IEEE80211_F_USEPROT; 1837 ieee80211_vap_update_erp_protmode(vap); 1838 } 1839 } 1840 /* 1841 * Check beacon for non-HT station on HT channel 1842 * and update HT BSS occupancy as appropriate. 1843 */ 1844 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1845 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1846 /* 1847 * Off control channel; only check frames 1848 * that come in the extension channel when 1849 * operating w/ HT40. 1850 */ 1851 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1852 break; 1853 if (scan.chan != ic->ic_curchan->ic_extieee) 1854 break; 1855 } 1856 if (scan.htinfo == NULL) { 1857 ieee80211_htprot_update(vap, 1858 IEEE80211_HTINFO_OPMODE_PROTOPT | 1859 IEEE80211_HTINFO_NONHT_PRESENT); 1860 } else if (ishtmixed(scan.htinfo)) { 1861 /* XXX? take NONHT_PRESENT from beacon? */ 1862 ieee80211_htprot_update(vap, 1863 IEEE80211_HTINFO_OPMODE_MIXED | 1864 IEEE80211_HTINFO_NONHT_PRESENT); 1865 } 1866 } 1867 break; 1868 } 1869 1870 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1871 if (vap->iv_state != IEEE80211_S_RUN) { 1872 vap->iv_stats.is_rx_mgtdiscard++; 1873 return; 1874 } 1875 /* 1876 * Consult the ACL policy module if setup. 1877 */ 1878 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1879 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1880 wh, NULL, "%s", "disallowed by ACL"); 1881 vap->iv_stats.is_rx_acl++; 1882 return; 1883 } 1884 /* 1885 * prreq frame format 1886 * [tlv] ssid 1887 * [tlv] supported rates 1888 * [tlv] extended supported rates 1889 */ 1890 ssid = rates = xrates = NULL; 1891 while (efrm - frm > 1) { 1892 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1893 switch (*frm) { 1894 case IEEE80211_ELEMID_SSID: 1895 ssid = frm; 1896 break; 1897 case IEEE80211_ELEMID_RATES: 1898 rates = frm; 1899 break; 1900 case IEEE80211_ELEMID_XRATES: 1901 xrates = frm; 1902 break; 1903 } 1904 frm += frm[1] + 2; 1905 } 1906 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1907 if (xrates != NULL) 1908 IEEE80211_VERIFY_ELEMENT(xrates, 1909 IEEE80211_RATE_MAXSIZE - rates[1], return); 1910 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1911 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1912 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1913 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1914 wh, NULL, 1915 "%s", "no ssid with ssid suppression enabled"); 1916 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1917 return; 1918 } 1919 1920 /* XXX find a better class or define it's own */ 1921 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1922 "%s", "recv probe req"); 1923 /* 1924 * Some legacy 11b clients cannot hack a complete 1925 * probe response frame. When the request includes 1926 * only a bare-bones rate set, communicate this to 1927 * the transmit side. 1928 */ 1929 ieee80211_send_proberesp(vap, wh->i_addr2, 1930 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1931 break; 1932 1933 case IEEE80211_FC0_SUBTYPE_AUTH: { 1934 uint16_t algo, seq, status; 1935 1936 if (vap->iv_state != IEEE80211_S_RUN) { 1937 vap->iv_stats.is_rx_mgtdiscard++; 1938 return; 1939 } 1940 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1941 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1942 wh, NULL, "%s", "wrong bssid"); 1943 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1944 return; 1945 } 1946 /* 1947 * auth frame format 1948 * [2] algorithm 1949 * [2] sequence 1950 * [2] status 1951 * [tlv*] challenge 1952 */ 1953 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1954 algo = le16toh(*(uint16_t *)frm); 1955 seq = le16toh(*(uint16_t *)(frm + 2)); 1956 status = le16toh(*(uint16_t *)(frm + 4)); 1957 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1958 "recv auth frame with algorithm %d seq %d", algo, seq); 1959 /* 1960 * Consult the ACL policy module if setup. 1961 */ 1962 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1963 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1964 wh, NULL, "%s", "disallowed by ACL"); 1965 vap->iv_stats.is_rx_acl++; 1966 ieee80211_send_error(ni, wh->i_addr2, 1967 IEEE80211_FC0_SUBTYPE_AUTH, 1968 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1969 return; 1970 } 1971 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1972 IEEE80211_DISCARD(vap, 1973 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1974 wh, NULL, "%s", "TKIP countermeasures enabled"); 1975 vap->iv_stats.is_rx_auth_countermeasures++; 1976 ieee80211_send_error(ni, wh->i_addr2, 1977 IEEE80211_FC0_SUBTYPE_AUTH, 1978 IEEE80211_REASON_MIC_FAILURE); 1979 return; 1980 } 1981 if (algo == IEEE80211_AUTH_ALG_SHARED) 1982 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1983 seq, status); 1984 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1985 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1986 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1987 authalgreject(ni, wh, algo, 1988 seq+1, IEEE80211_STATUS_ALG); 1989 return; 1990 } else { 1991 /* 1992 * We assume that an unknown algorithm is the result 1993 * of a decryption failure on a shared key auth frame; 1994 * return a status code appropriate for that instead 1995 * of IEEE80211_STATUS_ALG. 1996 * 1997 * NB: a seq# of 4 is intentional; the decrypted 1998 * frame likely has a bogus seq value. 1999 */ 2000 authalgreject(ni, wh, algo, 2001 4, IEEE80211_STATUS_CHALLENGE); 2002 return; 2003 } 2004 break; 2005 } 2006 2007 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2008 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2009 uint16_t capinfo, lintval; 2010 struct ieee80211_rsnparms rsnparms; 2011 2012 if (vap->iv_state != IEEE80211_S_RUN) { 2013 vap->iv_stats.is_rx_mgtdiscard++; 2014 return; 2015 } 2016 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 2017 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2018 wh, NULL, "%s", "wrong bssid"); 2019 vap->iv_stats.is_rx_assoc_bss++; 2020 return; 2021 } 2022 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2023 reassoc = 1; 2024 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2025 } else { 2026 reassoc = 0; 2027 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2028 } 2029 if (ni == vap->iv_bss) { 2030 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 2031 "deny %s request, sta not authenticated", 2032 reassoc ? "reassoc" : "assoc"); 2033 ieee80211_send_error(ni, wh->i_addr2, 2034 IEEE80211_FC0_SUBTYPE_DEAUTH, 2035 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2036 vap->iv_stats.is_rx_assoc_notauth++; 2037 return; 2038 } 2039 2040 /* 2041 * asreq frame format 2042 * [2] capability information 2043 * [2] listen interval 2044 * [6*] current AP address (reassoc only) 2045 * [tlv] ssid 2046 * [tlv] supported rates 2047 * [tlv] extended supported rates 2048 * [tlv] WPA or RSN 2049 * [tlv] HT capabilities 2050 * [tlv] Atheros capabilities 2051 */ 2052 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2053 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2054 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2055 if (reassoc) 2056 frm += 6; /* ignore current AP info */ 2057 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2058 vhtcap = vhtinfo = NULL; 2059 sfrm = frm; 2060 while (efrm - frm > 1) { 2061 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2062 switch (*frm) { 2063 case IEEE80211_ELEMID_SSID: 2064 ssid = frm; 2065 break; 2066 case IEEE80211_ELEMID_RATES: 2067 rates = frm; 2068 break; 2069 case IEEE80211_ELEMID_XRATES: 2070 xrates = frm; 2071 break; 2072 case IEEE80211_ELEMID_RSN: 2073 rsn = frm; 2074 break; 2075 case IEEE80211_ELEMID_HTCAP: 2076 htcap = frm; 2077 break; 2078 case IEEE80211_ELEMID_VHT_CAP: 2079 vhtcap = frm; 2080 break; 2081 case IEEE80211_ELEMID_VHT_OPMODE: 2082 vhtinfo = frm; 2083 break; 2084 case IEEE80211_ELEMID_VENDOR: 2085 if (iswpaoui(frm)) 2086 wpa = frm; 2087 else if (iswmeinfo(frm)) 2088 wme = frm; 2089 #ifdef IEEE80211_SUPPORT_SUPERG 2090 else if (isatherosoui(frm)) 2091 ath = frm; 2092 #endif 2093 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2094 if (ishtcapoui(frm) && htcap == NULL) 2095 htcap = frm; 2096 } 2097 break; 2098 } 2099 frm += frm[1] + 2; 2100 } 2101 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2102 if (xrates != NULL) 2103 IEEE80211_VERIFY_ELEMENT(xrates, 2104 IEEE80211_RATE_MAXSIZE - rates[1], return); 2105 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2106 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2107 if (htcap != NULL) { 2108 IEEE80211_VERIFY_LENGTH(htcap[1], 2109 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2110 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2111 sizeof(struct ieee80211_ie_htcap)-2, 2112 return); /* XXX just NULL out? */ 2113 } 2114 2115 /* Validate VHT IEs */ 2116 if (vhtcap != NULL) { 2117 IEEE80211_VERIFY_LENGTH(vhtcap[1], 2118 sizeof(struct ieee80211_ie_vhtcap) - 2, 2119 return); 2120 } 2121 if (vhtinfo != NULL) { 2122 IEEE80211_VERIFY_LENGTH(vhtinfo[1], 2123 sizeof(struct ieee80211_ie_vht_operation) - 2, 2124 return); 2125 } 2126 2127 if ((vap->iv_flags & IEEE80211_F_WPA) && 2128 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2129 return; 2130 /* discard challenge after association */ 2131 if (ni->ni_challenge != NULL) { 2132 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2133 ni->ni_challenge = NULL; 2134 } 2135 /* NB: 802.11 spec says to ignore station's privacy bit */ 2136 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2137 capinfomismatch(ni, wh, reassoc, resp, 2138 "capability", capinfo); 2139 return; 2140 } 2141 /* 2142 * Disallow re-associate w/ invalid slot time setting. 2143 */ 2144 if (ni->ni_associd != 0 && 2145 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2146 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2147 capinfomismatch(ni, wh, reassoc, resp, 2148 "slot time", capinfo); 2149 return; 2150 } 2151 rate = ieee80211_setup_rates(ni, rates, xrates, 2152 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2153 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2154 if (rate & IEEE80211_RATE_BASIC) { 2155 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2156 vap->iv_stats.is_rx_assoc_norate++; 2157 return; 2158 } 2159 /* 2160 * If constrained to 11g-only stations reject an 2161 * 11b-only station. We cheat a bit here by looking 2162 * at the max negotiated xmit rate and assuming anyone 2163 * with a best rate <24Mb/s is an 11b station. 2164 */ 2165 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2166 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2167 vap->iv_stats.is_rx_assoc_norate++; 2168 return; 2169 } 2170 2171 /* 2172 * Do HT rate set handling and setup HT node state. 2173 */ 2174 ni->ni_chan = vap->iv_bss->ni_chan; 2175 2176 /* VHT */ 2177 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2178 vhtcap != NULL && 2179 vhtinfo != NULL) { 2180 /* XXX TODO; see below */ 2181 printf("%s: VHT TODO!\n", __func__); 2182 ieee80211_vht_node_init(ni); 2183 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo); 2184 } else if (ni->ni_flags & IEEE80211_NODE_VHT) 2185 ieee80211_vht_node_cleanup(ni); 2186 2187 /* HT */ 2188 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2189 rate = ieee80211_setup_htrates(ni, htcap, 2190 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2191 IEEE80211_F_DOBRS); 2192 if (rate & IEEE80211_RATE_BASIC) { 2193 ratesetmismatch(ni, wh, reassoc, resp, 2194 "HT", rate); 2195 vap->iv_stats.is_ht_assoc_norate++; 2196 return; 2197 } 2198 ieee80211_ht_node_init(ni); 2199 ieee80211_ht_updatehtcap(ni, htcap); 2200 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2201 ieee80211_ht_node_cleanup(ni); 2202 2203 /* Finally - this will use HT/VHT info to change node channel */ 2204 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2205 ieee80211_ht_updatehtcap_final(ni); 2206 } 2207 2208 #ifdef IEEE80211_SUPPORT_SUPERG 2209 /* Always do ff node cleanup; for A-MSDU */ 2210 ieee80211_ff_node_cleanup(ni); 2211 #endif 2212 /* 2213 * Allow AMPDU operation only with unencrypted traffic 2214 * or AES-CCM; the 11n spec only specifies these ciphers 2215 * so permitting any others is undefined and can lead 2216 * to interoperability problems. 2217 */ 2218 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2219 (((vap->iv_flags & IEEE80211_F_WPA) && 2220 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2221 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2222 IEEE80211_NOTE(vap, 2223 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2224 "disallow HT use because WEP or TKIP requested, " 2225 "capinfo 0x%x ucastcipher %d", capinfo, 2226 rsnparms.rsn_ucastcipher); 2227 ieee80211_ht_node_cleanup(ni); 2228 #ifdef IEEE80211_SUPPORT_SUPERG 2229 /* Always do ff node cleanup; for A-MSDU */ 2230 ieee80211_ff_node_cleanup(ni); 2231 #endif 2232 vap->iv_stats.is_ht_assoc_downgrade++; 2233 } 2234 /* 2235 * If constrained to 11n-only stations reject legacy stations. 2236 */ 2237 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2238 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2239 htcapmismatch(ni, wh, reassoc, resp); 2240 vap->iv_stats.is_ht_assoc_nohtcap++; 2241 return; 2242 } 2243 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2244 ni->ni_noise = nf; 2245 ni->ni_intval = lintval; 2246 ni->ni_capinfo = capinfo; 2247 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2248 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2249 /* 2250 * Store the IEs. 2251 * XXX maybe better to just expand 2252 */ 2253 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2254 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2255 if (wpa != NULL) 2256 setie(wpa_ie, wpa - sfrm); 2257 if (rsn != NULL) 2258 setie(rsn_ie, rsn - sfrm); 2259 if (htcap != NULL) 2260 setie(htcap_ie, htcap - sfrm); 2261 if (wme != NULL) { 2262 setie(wme_ie, wme - sfrm); 2263 /* 2264 * Mark node as capable of QoS. 2265 */ 2266 ni->ni_flags |= IEEE80211_NODE_QOS; 2267 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) { 2268 if (ni->ni_uapsd != 0) 2269 ni->ni_flags |= 2270 IEEE80211_NODE_UAPSD; 2271 else 2272 ni->ni_flags &= 2273 ~IEEE80211_NODE_UAPSD; 2274 } 2275 } else 2276 ni->ni_flags &= 2277 ~(IEEE80211_NODE_QOS | 2278 IEEE80211_NODE_UAPSD); 2279 #ifdef IEEE80211_SUPPORT_SUPERG 2280 if (ath != NULL) { 2281 setie(ath_ie, ath - sfrm); 2282 /* 2283 * Parse ATH station parameters. 2284 */ 2285 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2286 } else 2287 #endif 2288 ni->ni_ath_flags = 0; 2289 #undef setie 2290 } else { 2291 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2292 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 2293 ni->ni_ath_flags = 0; 2294 } 2295 ieee80211_node_join(ni, resp); 2296 ieee80211_deliver_l2uf(ni); 2297 break; 2298 } 2299 2300 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2301 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2302 uint16_t reason; 2303 2304 if (vap->iv_state != IEEE80211_S_RUN || 2305 /* NB: can happen when in promiscuous mode */ 2306 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2307 vap->iv_stats.is_rx_mgtdiscard++; 2308 break; 2309 } 2310 /* 2311 * deauth/disassoc frame format 2312 * [2] reason 2313 */ 2314 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2315 reason = le16toh(*(uint16_t *)frm); 2316 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2317 vap->iv_stats.is_rx_deauth++; 2318 IEEE80211_NODE_STAT(ni, rx_deauth); 2319 } else { 2320 vap->iv_stats.is_rx_disassoc++; 2321 IEEE80211_NODE_STAT(ni, rx_disassoc); 2322 } 2323 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2324 "recv %s (reason: %d (%s))", 2325 ieee80211_mgt_subtype_name(subtype), 2326 reason, ieee80211_reason_to_string(reason)); 2327 if (ni != vap->iv_bss) 2328 ieee80211_node_leave(ni); 2329 break; 2330 } 2331 2332 case IEEE80211_FC0_SUBTYPE_ACTION: 2333 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2334 if (ni == vap->iv_bss) { 2335 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2336 wh, NULL, "%s", "unknown node"); 2337 vap->iv_stats.is_rx_mgtdiscard++; 2338 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2339 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2340 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2341 wh, NULL, "%s", "not for us"); 2342 vap->iv_stats.is_rx_mgtdiscard++; 2343 } else if (vap->iv_state != IEEE80211_S_RUN) { 2344 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2345 wh, NULL, "wrong state %s", 2346 ieee80211_state_name[vap->iv_state]); 2347 vap->iv_stats.is_rx_mgtdiscard++; 2348 } else { 2349 if (ieee80211_parse_action(ni, m0) == 0) 2350 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2351 } 2352 break; 2353 2354 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2355 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2356 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2357 case IEEE80211_FC0_SUBTYPE_ATIM: 2358 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2359 wh, NULL, "%s", "not handled"); 2360 vap->iv_stats.is_rx_mgtdiscard++; 2361 break; 2362 2363 default: 2364 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2365 wh, "mgt", "subtype 0x%x not handled", subtype); 2366 vap->iv_stats.is_rx_badsubtype++; 2367 break; 2368 } 2369 } 2370 2371 static void 2372 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2373 { 2374 switch (subtype) { 2375 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2376 ni->ni_vap->iv_recv_pspoll(ni, m); 2377 break; 2378 case IEEE80211_FC0_SUBTYPE_BAR: 2379 ieee80211_recv_bar(ni, m); 2380 break; 2381 } 2382 } 2383 2384 /* 2385 * Process a received ps-poll frame. 2386 */ 2387 void 2388 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2389 { 2390 struct ieee80211vap *vap = ni->ni_vap; 2391 struct ieee80211com *ic = vap->iv_ic; 2392 struct ieee80211_frame_min *wh; 2393 struct mbuf *m; 2394 uint16_t aid; 2395 int qlen; 2396 2397 wh = mtod(m0, struct ieee80211_frame_min *); 2398 if (ni->ni_associd == 0) { 2399 IEEE80211_DISCARD(vap, 2400 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2401 (struct ieee80211_frame *) wh, NULL, 2402 "%s", "unassociated station"); 2403 vap->iv_stats.is_ps_unassoc++; 2404 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2405 IEEE80211_REASON_NOT_ASSOCED); 2406 return; 2407 } 2408 2409 aid = le16toh(*(uint16_t *)wh->i_dur); 2410 if (aid != ni->ni_associd) { 2411 IEEE80211_DISCARD(vap, 2412 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2413 (struct ieee80211_frame *) wh, NULL, 2414 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2415 ni->ni_associd, aid); 2416 vap->iv_stats.is_ps_badaid++; 2417 /* 2418 * NB: We used to deauth the station but it turns out 2419 * the Blackberry Curve 8230 (and perhaps other devices) 2420 * sometimes send the wrong AID when WME is negotiated. 2421 * Being more lenient here seems ok as we already check 2422 * the station is associated and we only return frames 2423 * queued for the station (i.e. we don't use the AID). 2424 */ 2425 return; 2426 } 2427 2428 /* Okay, take the first queued packet and put it out... */ 2429 m = ieee80211_node_psq_dequeue(ni, &qlen); 2430 if (m == NULL) { 2431 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2432 "%s", "recv ps-poll, but queue empty"); 2433 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2434 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2435 if (vap->iv_set_tim != NULL) 2436 vap->iv_set_tim(ni, 0); /* just in case */ 2437 return; 2438 } 2439 /* 2440 * If there are more packets, set the more packets bit 2441 * in the packet dispatched to the station; otherwise 2442 * turn off the TIM bit. 2443 */ 2444 if (qlen != 0) { 2445 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2446 "recv ps-poll, send packet, %u still queued", qlen); 2447 m->m_flags |= M_MORE_DATA; 2448 } else { 2449 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2450 "%s", "recv ps-poll, send packet, queue empty"); 2451 if (vap->iv_set_tim != NULL) 2452 vap->iv_set_tim(ni, 0); 2453 } 2454 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2455 2456 /* 2457 * Do the right thing; if it's an encap'ed frame then 2458 * call ieee80211_parent_xmitpkt() else 2459 * call ieee80211_vap_xmitpkt(). 2460 */ 2461 if (m->m_flags & M_ENCAP) { 2462 (void) ieee80211_parent_xmitpkt(ic, m); 2463 } else { 2464 (void) ieee80211_vap_xmitpkt(vap, m); 2465 } 2466 }
Cache object: 9f031c24cd401f7569df5df710ad4a6c
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]