575 uint8_t tid = ieee80211_gettid(wh); 576 if (IEEE80211_QOS_HAS_SEQ(wh) && 577 TID_TO_WME_AC(tid) >= WME_AC_VI) 578 ic->ic_wme.wme_hipri_traffic++; 579 rxseq = le16toh(*(uint16_t *)wh->i_seq); 580 if (! ieee80211_check_rxseq(ni, wh)) { 581 /* duplicate, discard */ 582 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 583 bssid, "duplicate", 584 "seqno <%u,%u> fragno <%u,%u> tid %u", 585 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 586 ni->ni_rxseqs[tid] >> 587 IEEE80211_SEQ_SEQ_SHIFT, 588 rxseq & IEEE80211_SEQ_FRAG_MASK, 589 ni->ni_rxseqs[tid] & 590 IEEE80211_SEQ_FRAG_MASK, 591 tid); 592 vap->iv_stats.is_rx_dup++; 593 IEEE80211_NODE_STAT(ni, rx_dup); 594 goto out; 595 } 596 ni->ni_rxseqs[tid] = rxseq; 597 } 598 } 599 600 switch (type) { 601 case IEEE80211_FC0_TYPE_DATA: 602 hdrspace = ieee80211_hdrspace(ic, wh); 603 if (m->m_len < hdrspace && 604 (m = m_pullup(m, hdrspace)) == NULL) { 605 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 606 ni->ni_macaddr, NULL, 607 "data too short: expecting %u", hdrspace); 608 vap->iv_stats.is_rx_tooshort++; 609 goto out; /* XXX */ 610 } 611 if (!(dir == IEEE80211_FC1_DIR_TODS || 612 (dir == IEEE80211_FC1_DIR_DSTODS && 613 (vap->iv_flags & IEEE80211_F_DWDS)))) { 614 if (dir != IEEE80211_FC1_DIR_DSTODS) { 615 IEEE80211_DISCARD(vap, 616 IEEE80211_MSG_INPUT, wh, "data", 617 "incorrect dir 0x%x", dir); 618 } else { 619 IEEE80211_DISCARD(vap, 620 IEEE80211_MSG_INPUT | 621 IEEE80211_MSG_WDS, wh, 622 "4-address data", 623 "%s", "DWDS not enabled"); 624 } 625 vap->iv_stats.is_rx_wrongdir++; 626 goto out; 627 } 628 /* check if source STA is associated */ 629 if (ni == vap->iv_bss) { 630 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 631 wh, "data", "%s", "unknown src"); 632 ieee80211_send_error(ni, wh->i_addr2, 633 IEEE80211_FC0_SUBTYPE_DEAUTH, 634 IEEE80211_REASON_NOT_AUTHED); 635 vap->iv_stats.is_rx_notassoc++; 636 goto err; 637 } 638 if (ni->ni_associd == 0) { 639 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 640 wh, "data", "%s", "unassoc src"); 641 IEEE80211_SEND_MGMT(ni, 642 IEEE80211_FC0_SUBTYPE_DISASSOC, 643 IEEE80211_REASON_NOT_ASSOCED); 644 vap->iv_stats.is_rx_notassoc++; 645 goto err; 646 } 647 648 /* 649 * Check for power save state change. 650 * XXX out-of-order A-MPDU frames? 651 */ 652 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 653 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 654 vap->iv_node_ps(ni, 655 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 656 /* 657 * For 4-address packets handle WDS discovery 658 * notifications. Once a WDS link is setup frames 659 * are just delivered to the WDS vap (see below). 660 */ 661 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 662 if (!ieee80211_node_is_authorized(ni)) { 663 IEEE80211_DISCARD(vap, 664 IEEE80211_MSG_INPUT | 665 IEEE80211_MSG_WDS, wh, 666 "4-address data", 667 "%s", "unauthorized port"); 668 vap->iv_stats.is_rx_unauth++; 669 IEEE80211_NODE_STAT(ni, rx_unauth); 670 goto err; 671 } 672 ieee80211_dwds_discover(ni, m); 673 return type; 674 } 675 676 /* 677 * Handle A-MPDU re-ordering. If the frame is to be 678 * processed directly then ieee80211_ampdu_reorder 679 * will return 0; otherwise it has consumed the mbuf 680 * and we should do nothing more with it. 681 */ 682 if ((m->m_flags & M_AMPDU) && 683 ieee80211_ampdu_reorder(ni, m) != 0) { 684 m = NULL; 685 goto out; 686 } 687 resubmit_ampdu: 688 689 /* 690 * Handle privacy requirements. Note that we 691 * must not be preempted from here until after 692 * we (potentially) call ieee80211_crypto_demic; 693 * otherwise we may violate assumptions in the 694 * crypto cipher modules used to do delayed update 695 * of replay sequence numbers. 696 */ 697 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 698 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 699 /* 700 * Discard encrypted frames when privacy is off. 701 */ 702 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 703 wh, "WEP", "%s", "PRIVACY off"); 704 vap->iv_stats.is_rx_noprivacy++; 705 IEEE80211_NODE_STAT(ni, rx_noprivacy); 706 goto out; 707 } 708 key = ieee80211_crypto_decap(ni, m, hdrspace); 709 if (key == NULL) { 710 /* NB: stats+msgs handled in crypto_decap */ 711 IEEE80211_NODE_STAT(ni, rx_wepfail); 712 goto out; 713 } 714 wh = mtod(m, struct ieee80211_frame *); 715 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 716 } else { 717 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 718 key = NULL; 719 } 720 721 /* 722 * Save QoS bits for use below--before we strip the header. 723 */ 724 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 725 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 726 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 727 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 728 } else 729 qos = 0; 730 731 /* 732 * Next up, any fragmentation. 733 */ 734 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 735 m = ieee80211_defrag(ni, m, hdrspace); 736 if (m == NULL) { 737 /* Fragment dropped or frame not complete yet */ 738 goto out; 739 } 740 } 741 wh = NULL; /* no longer valid, catch any uses */ 742 743 /* 744 * Next strip any MSDU crypto bits. 745 */ 746 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 747 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 748 ni->ni_macaddr, "data", "%s", "demic error"); 749 vap->iv_stats.is_rx_demicfail++; 750 IEEE80211_NODE_STAT(ni, rx_demicfail); 751 goto out; 752 } 753 /* copy to listener after decrypt */ 754 if (ieee80211_radiotap_active_vap(vap)) 755 ieee80211_radiotap_rx(vap, m); 756 need_tap = 0; 757 /* 758 * Finally, strip the 802.11 header. 759 */ 760 m = ieee80211_decap(vap, m, hdrspace); 761 if (m == NULL) { 762 /* XXX mask bit to check for both */ 763 /* don't count Null data frames as errors */ 764 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 765 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 766 goto out; 767 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 768 ni->ni_macaddr, "data", "%s", "decap error"); 769 vap->iv_stats.is_rx_decap++; 770 IEEE80211_NODE_STAT(ni, rx_decap); 771 goto err; 772 } 773 eh = mtod(m, struct ether_header *); 774 if (!ieee80211_node_is_authorized(ni)) { 775 /* 776 * Deny any non-PAE frames received prior to 777 * authorization. For open/shared-key 778 * authentication the port is mark authorized 779 * after authentication completes. For 802.1x 780 * the port is not marked authorized by the 781 * authenticator until the handshake has completed. 782 */ 783 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 784 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 785 eh->ether_shost, "data", 786 "unauthorized port: ether type 0x%x len %u", 787 eh->ether_type, m->m_pkthdr.len); 788 vap->iv_stats.is_rx_unauth++; 789 IEEE80211_NODE_STAT(ni, rx_unauth); 790 goto err; 791 } 792 } else { 793 /* 794 * When denying unencrypted frames, discard 795 * any non-PAE frames received without encryption. 796 */ 797 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 798 (key == NULL && (m->m_flags & M_WEP) == 0) && 799 eh->ether_type != htons(ETHERTYPE_PAE)) { 800 /* 801 * Drop unencrypted frames. 802 */ 803 vap->iv_stats.is_rx_unencrypted++; 804 IEEE80211_NODE_STAT(ni, rx_unencrypted); 805 goto out; 806 } 807 } 808 /* XXX require HT? */ 809 if (qos & IEEE80211_QOS_AMSDU) { 810 m = ieee80211_decap_amsdu(ni, m); 811 if (m == NULL) 812 return IEEE80211_FC0_TYPE_DATA; 813 } else { 814#ifdef IEEE80211_SUPPORT_SUPERG 815 m = ieee80211_decap_fastframe(vap, ni, m); 816 if (m == NULL) 817 return IEEE80211_FC0_TYPE_DATA; 818#endif 819 } 820 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 821 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 822 else 823 hostap_deliver_data(vap, ni, m); 824 return IEEE80211_FC0_TYPE_DATA; 825 826 case IEEE80211_FC0_TYPE_MGT: 827 vap->iv_stats.is_rx_mgmt++; 828 IEEE80211_NODE_STAT(ni, rx_mgmt); 829 if (dir != IEEE80211_FC1_DIR_NODS) { 830 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 831 wh, "mgt", "incorrect dir 0x%x", dir); 832 vap->iv_stats.is_rx_wrongdir++; 833 goto err; 834 } 835 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 836 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 837 ni->ni_macaddr, "mgt", "too short: len %u", 838 m->m_pkthdr.len); 839 vap->iv_stats.is_rx_tooshort++; 840 goto out; 841 } 842 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 843 /* ensure return frames are unicast */ 844 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 845 wh, NULL, "source is multicast: %s", 846 ether_sprintf(wh->i_addr2)); 847 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 848 goto out; 849 } 850#ifdef IEEE80211_DEBUG 851 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 852 ieee80211_msg_dumppkts(vap)) { 853 if_printf(ifp, "received %s from %s rssi %d\n", 854 ieee80211_mgt_subtype_name[subtype >> 855 IEEE80211_FC0_SUBTYPE_SHIFT], 856 ether_sprintf(wh->i_addr2), rssi); 857 } 858#endif 859 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 860 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 861 /* 862 * Only shared key auth frames with a challenge 863 * should be encrypted, discard all others. 864 */ 865 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 866 wh, NULL, 867 "%s", "WEP set but not permitted"); 868 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 869 goto out; 870 } 871 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 872 /* 873 * Discard encrypted frames when privacy is off. 874 */ 875 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 876 wh, NULL, "%s", "WEP set but PRIVACY off"); 877 vap->iv_stats.is_rx_noprivacy++; 878 goto out; 879 } 880 hdrspace = ieee80211_hdrspace(ic, wh); 881 key = ieee80211_crypto_decap(ni, m, hdrspace); 882 if (key == NULL) { 883 /* NB: stats+msgs handled in crypto_decap */ 884 goto out; 885 } 886 wh = mtod(m, struct ieee80211_frame *); 887 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 888 } 889 /* 890 * Pass the packet to radiotap before calling iv_recv_mgmt(). 891 * Otherwise iv_recv_mgmt() might pass another packet to 892 * radiotap, resulting in out of order packet captures. 893 */ 894 if (ieee80211_radiotap_active_vap(vap)) 895 ieee80211_radiotap_rx(vap, m); 896 need_tap = 0; 897 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 898 goto out; 899 900 case IEEE80211_FC0_TYPE_CTL: 901 vap->iv_stats.is_rx_ctl++; 902 IEEE80211_NODE_STAT(ni, rx_ctrl); 903 vap->iv_recv_ctl(ni, m, subtype); 904 goto out; 905 default: 906 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 907 wh, "bad", "frame type 0x%x", type); 908 /* should not come here */ 909 break; 910 } 911err: 912 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 913out: 914 if (m != NULL) { 915 if (need_tap && ieee80211_radiotap_active_vap(vap)) 916 ieee80211_radiotap_rx(vap, m); 917 m_freem(m); 918 } 919 return type; 920} 921 922static void 923hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 924 int rssi, int nf, uint16_t seq, uint16_t status) 925{ 926 struct ieee80211vap *vap = ni->ni_vap; 927 928 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 929 930 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 931 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 932 ni->ni_macaddr, "open auth", 933 "bad sta auth mode %u", ni->ni_authmode); 934 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 935 /* 936 * Clear any challenge text that may be there if 937 * a previous shared key auth failed and then an 938 * open auth is attempted. 939 */ 940 if (ni->ni_challenge != NULL) { 941 free(ni->ni_challenge, M_80211_NODE); 942 ni->ni_challenge = NULL; 943 } 944 /* XXX hack to workaround calling convention */ 945 ieee80211_send_error(ni, wh->i_addr2, 946 IEEE80211_FC0_SUBTYPE_AUTH, 947 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 948 return; 949 } 950 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 951 vap->iv_stats.is_rx_bad_auth++; 952 return; 953 } 954 /* always accept open authentication requests */ 955 if (ni == vap->iv_bss) { 956 ni = ieee80211_dup_bss(vap, wh->i_addr2); 957 if (ni == NULL) 958 return; 959 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 960 (void) ieee80211_ref_node(ni); 961 /* 962 * Mark the node as referenced to reflect that it's 963 * reference count has been bumped to insure it remains 964 * after the transaction completes. 965 */ 966 ni->ni_flags |= IEEE80211_NODE_AREF; 967 /* 968 * Mark the node as requiring a valid association id 969 * before outbound traffic is permitted. 970 */ 971 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 972 973 if (vap->iv_acl != NULL && 974 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 975 /* 976 * When the ACL policy is set to RADIUS we defer the 977 * authorization to a user agent. Dispatch an event, 978 * a subsequent MLME call will decide the fate of the 979 * station. If the user agent is not present then the 980 * node will be reclaimed due to inactivity. 981 */ 982 IEEE80211_NOTE_MAC(vap, 983 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 984 "%s", "station authentication defered (radius acl)"); 985 ieee80211_notify_node_auth(ni); 986 } else { 987 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 988 IEEE80211_NOTE_MAC(vap, 989 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 990 "%s", "station authenticated (open)"); 991 /* 992 * When 802.1x is not in use mark the port 993 * authorized at this point so traffic can flow. 994 */ 995 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 996 ieee80211_node_authorize(ni); 997 } 998} 999 1000static void 1001hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 1002 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 1003 uint16_t seq, uint16_t status) 1004{ 1005 struct ieee80211vap *vap = ni->ni_vap; 1006 uint8_t *challenge; 1007 int allocbs, estatus; 1008 1009 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1010 1011 /* 1012 * NB: this can happen as we allow pre-shared key 1013 * authentication to be enabled w/o wep being turned 1014 * on so that configuration of these can be done 1015 * in any order. It may be better to enforce the 1016 * ordering in which case this check would just be 1017 * for sanity/consistency. 1018 */ 1019 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1020 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1021 ni->ni_macaddr, "shared key auth", 1022 "%s", " PRIVACY is disabled"); 1023 estatus = IEEE80211_STATUS_ALG; 1024 goto bad; 1025 } 1026 /* 1027 * Pre-shared key authentication is evil; accept 1028 * it only if explicitly configured (it is supported 1029 * mainly for compatibility with clients like Mac OS X). 1030 */ 1031 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1032 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1033 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1034 ni->ni_macaddr, "shared key auth", 1035 "bad sta auth mode %u", ni->ni_authmode); 1036 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1037 estatus = IEEE80211_STATUS_ALG; 1038 goto bad; 1039 } 1040 1041 challenge = NULL; 1042 if (frm + 1 < efrm) { 1043 if ((frm[1] + 2) > (efrm - frm)) { 1044 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1045 ni->ni_macaddr, "shared key auth", 1046 "ie %d/%d too long", 1047 frm[0], (frm[1] + 2) - (efrm - frm)); 1048 vap->iv_stats.is_rx_bad_auth++; 1049 estatus = IEEE80211_STATUS_CHALLENGE; 1050 goto bad; 1051 } 1052 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1053 challenge = frm; 1054 frm += frm[1] + 2; 1055 } 1056 switch (seq) { 1057 case IEEE80211_AUTH_SHARED_CHALLENGE: 1058 case IEEE80211_AUTH_SHARED_RESPONSE: 1059 if (challenge == NULL) { 1060 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1061 ni->ni_macaddr, "shared key auth", 1062 "%s", "no challenge"); 1063 vap->iv_stats.is_rx_bad_auth++; 1064 estatus = IEEE80211_STATUS_CHALLENGE; 1065 goto bad; 1066 } 1067 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1068 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1069 ni->ni_macaddr, "shared key auth", 1070 "bad challenge len %d", challenge[1]); 1071 vap->iv_stats.is_rx_bad_auth++; 1072 estatus = IEEE80211_STATUS_CHALLENGE; 1073 goto bad; 1074 } 1075 default: 1076 break; 1077 } 1078 switch (seq) { 1079 case IEEE80211_AUTH_SHARED_REQUEST: 1080 if (ni == vap->iv_bss) { 1081 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1082 if (ni == NULL) { 1083 /* NB: no way to return an error */ 1084 return; 1085 } 1086 allocbs = 1; 1087 } else { 1088 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1089 (void) ieee80211_ref_node(ni); 1090 allocbs = 0; 1091 } 1092 /* 1093 * Mark the node as referenced to reflect that it's 1094 * reference count has been bumped to insure it remains 1095 * after the transaction completes. 1096 */ 1097 ni->ni_flags |= IEEE80211_NODE_AREF; 1098 /* 1099 * Mark the node as requiring a valid associatio id 1100 * before outbound traffic is permitted. 1101 */ 1102 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1103 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1104 ni->ni_noise = nf; 1105 if (!ieee80211_alloc_challenge(ni)) { 1106 /* NB: don't return error so they rexmit */ 1107 return; 1108 } 1109 get_random_bytes(ni->ni_challenge, 1110 IEEE80211_CHALLENGE_LEN); 1111 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1112 ni, "shared key %sauth request", allocbs ? "" : "re"); 1113 /* 1114 * When the ACL policy is set to RADIUS we defer the 1115 * authorization to a user agent. Dispatch an event, 1116 * a subsequent MLME call will decide the fate of the 1117 * station. If the user agent is not present then the 1118 * node will be reclaimed due to inactivity. 1119 */ 1120 if (vap->iv_acl != NULL && 1121 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1122 IEEE80211_NOTE_MAC(vap, 1123 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1124 ni->ni_macaddr, 1125 "%s", "station authentication defered (radius acl)"); 1126 ieee80211_notify_node_auth(ni); 1127 return; 1128 } 1129 break; 1130 case IEEE80211_AUTH_SHARED_RESPONSE: 1131 if (ni == vap->iv_bss) { 1132 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1133 ni->ni_macaddr, "shared key response", 1134 "%s", "unknown station"); 1135 /* NB: don't send a response */ 1136 return; 1137 } 1138 if (ni->ni_challenge == NULL) { 1139 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1140 ni->ni_macaddr, "shared key response", 1141 "%s", "no challenge recorded"); 1142 vap->iv_stats.is_rx_bad_auth++; 1143 estatus = IEEE80211_STATUS_CHALLENGE; 1144 goto bad; 1145 } 1146 if (memcmp(ni->ni_challenge, &challenge[2], 1147 challenge[1]) != 0) { 1148 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1149 ni->ni_macaddr, "shared key response", 1150 "%s", "challenge mismatch"); 1151 vap->iv_stats.is_rx_auth_fail++; 1152 estatus = IEEE80211_STATUS_CHALLENGE; 1153 goto bad; 1154 } 1155 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1156 ni, "%s", "station authenticated (shared key)"); 1157 ieee80211_node_authorize(ni); 1158 break; 1159 default: 1160 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1161 ni->ni_macaddr, "shared key auth", 1162 "bad seq %d", seq); 1163 vap->iv_stats.is_rx_bad_auth++; 1164 estatus = IEEE80211_STATUS_SEQUENCE; 1165 goto bad; 1166 } 1167 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1168 return; 1169bad: 1170 /* 1171 * Send an error response; but only when operating as an AP. 1172 */ 1173 /* XXX hack to workaround calling convention */ 1174 ieee80211_send_error(ni, wh->i_addr2, 1175 IEEE80211_FC0_SUBTYPE_AUTH, 1176 (seq + 1) | (estatus<<16)); 1177} 1178 1179/* 1180 * Convert a WPA cipher selector OUI to an internal 1181 * cipher algorithm. Where appropriate we also 1182 * record any key length. 1183 */ 1184static int 1185wpa_cipher(const uint8_t *sel, uint8_t *keylen) 1186{ 1187#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1188 uint32_t w = LE_READ_4(sel); 1189 1190 switch (w) { 1191 case WPA_SEL(WPA_CSE_NULL): 1192 return IEEE80211_CIPHER_NONE; 1193 case WPA_SEL(WPA_CSE_WEP40): 1194 if (keylen) 1195 *keylen = 40 / NBBY; 1196 return IEEE80211_CIPHER_WEP; 1197 case WPA_SEL(WPA_CSE_WEP104): 1198 if (keylen) 1199 *keylen = 104 / NBBY; 1200 return IEEE80211_CIPHER_WEP; 1201 case WPA_SEL(WPA_CSE_TKIP): 1202 return IEEE80211_CIPHER_TKIP; 1203 case WPA_SEL(WPA_CSE_CCMP): 1204 return IEEE80211_CIPHER_AES_CCM; 1205 } 1206 return 32; /* NB: so 1<< is discarded */ 1207#undef WPA_SEL 1208} 1209 1210/* 1211 * Convert a WPA key management/authentication algorithm 1212 * to an internal code. 1213 */ 1214static int 1215wpa_keymgmt(const uint8_t *sel) 1216{ 1217#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1218 uint32_t w = LE_READ_4(sel); 1219 1220 switch (w) { 1221 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1222 return WPA_ASE_8021X_UNSPEC; 1223 case WPA_SEL(WPA_ASE_8021X_PSK): 1224 return WPA_ASE_8021X_PSK; 1225 case WPA_SEL(WPA_ASE_NONE): 1226 return WPA_ASE_NONE; 1227 } 1228 return 0; /* NB: so is discarded */ 1229#undef WPA_SEL 1230} 1231 1232/* 1233 * Parse a WPA information element to collect parameters. 1234 * Note that we do not validate security parameters; that 1235 * is handled by the authenticator; the parsing done here 1236 * is just for internal use in making operational decisions. 1237 */ 1238static int 1239ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1240 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1241{ 1242 uint8_t len = frm[1]; 1243 uint32_t w; 1244 int n; 1245 1246 /* 1247 * Check the length once for fixed parts: OUI, type, 1248 * version, mcast cipher, and 2 selector counts. 1249 * Other, variable-length data, must be checked separately. 1250 */ 1251 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1252 IEEE80211_DISCARD_IE(vap, 1253 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1254 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1255 return IEEE80211_REASON_IE_INVALID; 1256 } 1257 if (len < 14) { 1258 IEEE80211_DISCARD_IE(vap, 1259 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1260 wh, "WPA", "too short, len %u", len); 1261 return IEEE80211_REASON_IE_INVALID; 1262 } 1263 frm += 6, len -= 4; /* NB: len is payload only */ 1264 /* NB: iswpaoui already validated the OUI and type */ 1265 w = LE_READ_2(frm); 1266 if (w != WPA_VERSION) { 1267 IEEE80211_DISCARD_IE(vap, 1268 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1269 wh, "WPA", "bad version %u", w); 1270 return IEEE80211_REASON_IE_INVALID; 1271 } 1272 frm += 2, len -= 2; 1273 1274 memset(rsn, 0, sizeof(*rsn)); 1275 1276 /* multicast/group cipher */ 1277 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1278 frm += 4, len -= 4; 1279 1280 /* unicast ciphers */ 1281 n = LE_READ_2(frm); 1282 frm += 2, len -= 2; 1283 if (len < n*4+2) { 1284 IEEE80211_DISCARD_IE(vap, 1285 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1286 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1287 len, n); 1288 return IEEE80211_REASON_IE_INVALID; 1289 } 1290 w = 0; 1291 for (; n > 0; n--) { 1292 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1293 frm += 4, len -= 4; 1294 } 1295 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1296 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1297 else 1298 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1299 1300 /* key management algorithms */ 1301 n = LE_READ_2(frm); 1302 frm += 2, len -= 2; 1303 if (len < n*4) { 1304 IEEE80211_DISCARD_IE(vap, 1305 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1306 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1307 len, n); 1308 return IEEE80211_REASON_IE_INVALID; 1309 } 1310 w = 0; 1311 for (; n > 0; n--) { 1312 w |= wpa_keymgmt(frm); 1313 frm += 4, len -= 4; 1314 } 1315 if (w & WPA_ASE_8021X_UNSPEC) 1316 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1317 else 1318 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1319 1320 if (len > 2) /* optional capabilities */ 1321 rsn->rsn_caps = LE_READ_2(frm); 1322 1323 return 0; 1324} 1325 1326/* 1327 * Convert an RSN cipher selector OUI to an internal 1328 * cipher algorithm. Where appropriate we also 1329 * record any key length. 1330 */ 1331static int 1332rsn_cipher(const uint8_t *sel, uint8_t *keylen) 1333{ 1334#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1335 uint32_t w = LE_READ_4(sel); 1336 1337 switch (w) { 1338 case RSN_SEL(RSN_CSE_NULL): 1339 return IEEE80211_CIPHER_NONE; 1340 case RSN_SEL(RSN_CSE_WEP40): 1341 if (keylen) 1342 *keylen = 40 / NBBY; 1343 return IEEE80211_CIPHER_WEP; 1344 case RSN_SEL(RSN_CSE_WEP104): 1345 if (keylen) 1346 *keylen = 104 / NBBY; 1347 return IEEE80211_CIPHER_WEP; 1348 case RSN_SEL(RSN_CSE_TKIP): 1349 return IEEE80211_CIPHER_TKIP; 1350 case RSN_SEL(RSN_CSE_CCMP): 1351 return IEEE80211_CIPHER_AES_CCM; 1352 case RSN_SEL(RSN_CSE_WRAP): 1353 return IEEE80211_CIPHER_AES_OCB; 1354 } 1355 return 32; /* NB: so 1<< is discarded */ 1356#undef WPA_SEL 1357} 1358 1359/* 1360 * Convert an RSN key management/authentication algorithm 1361 * to an internal code. 1362 */ 1363static int 1364rsn_keymgmt(const uint8_t *sel) 1365{ 1366#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1367 uint32_t w = LE_READ_4(sel); 1368 1369 switch (w) { 1370 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1371 return RSN_ASE_8021X_UNSPEC; 1372 case RSN_SEL(RSN_ASE_8021X_PSK): 1373 return RSN_ASE_8021X_PSK; 1374 case RSN_SEL(RSN_ASE_NONE): 1375 return RSN_ASE_NONE; 1376 } 1377 return 0; /* NB: so is discarded */ 1378#undef RSN_SEL 1379} 1380 1381/* 1382 * Parse a WPA/RSN information element to collect parameters 1383 * and validate the parameters against what has been 1384 * configured for the system. 1385 */ 1386static int 1387ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1388 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1389{ 1390 uint8_t len = frm[1]; 1391 uint32_t w; 1392 int n; 1393 1394 /* 1395 * Check the length once for fixed parts: 1396 * version, mcast cipher, and 2 selector counts. 1397 * Other, variable-length data, must be checked separately. 1398 */ 1399 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1400 IEEE80211_DISCARD_IE(vap, 1401 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1402 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1403 return IEEE80211_REASON_IE_INVALID; 1404 } 1405 if (len < 10) { 1406 IEEE80211_DISCARD_IE(vap, 1407 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1408 wh, "RSN", "too short, len %u", len); 1409 return IEEE80211_REASON_IE_INVALID; 1410 } 1411 frm += 2; 1412 w = LE_READ_2(frm); 1413 if (w != RSN_VERSION) { 1414 IEEE80211_DISCARD_IE(vap, 1415 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1416 wh, "RSN", "bad version %u", w); 1417 return IEEE80211_REASON_IE_INVALID; 1418 } 1419 frm += 2, len -= 2; 1420 1421 memset(rsn, 0, sizeof(*rsn)); 1422 1423 /* multicast/group cipher */ 1424 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1425 frm += 4, len -= 4; 1426 1427 /* unicast ciphers */ 1428 n = LE_READ_2(frm); 1429 frm += 2, len -= 2; 1430 if (len < n*4+2) { 1431 IEEE80211_DISCARD_IE(vap, 1432 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1433 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1434 len, n); 1435 return IEEE80211_REASON_IE_INVALID; 1436 } 1437 w = 0; 1438 for (; n > 0; n--) { 1439 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1440 frm += 4, len -= 4; 1441 } 1442 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1443 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1444 else 1445 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1446 1447 /* key management algorithms */ 1448 n = LE_READ_2(frm); 1449 frm += 2, len -= 2; 1450 if (len < n*4) { 1451 IEEE80211_DISCARD_IE(vap, 1452 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1453 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1454 len, n); 1455 return IEEE80211_REASON_IE_INVALID; 1456 } 1457 w = 0; 1458 for (; n > 0; n--) { 1459 w |= rsn_keymgmt(frm); 1460 frm += 4, len -= 4; 1461 } 1462 if (w & RSN_ASE_8021X_UNSPEC) 1463 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1464 else 1465 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1466 1467 /* optional RSN capabilities */ 1468 if (len > 2) 1469 rsn->rsn_caps = LE_READ_2(frm); 1470 /* XXXPMKID */ 1471 1472 return 0; 1473} 1474 1475/* 1476 * WPA/802.11i assocation request processing. 1477 */ 1478static int 1479wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1480 const struct ieee80211_frame *wh, const uint8_t *wpa, 1481 const uint8_t *rsn, uint16_t capinfo) 1482{ 1483 struct ieee80211vap *vap = ni->ni_vap; 1484 uint8_t reason; 1485 int badwparsn; 1486 1487 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1488 if (wpa == NULL && rsn == NULL) { 1489 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1490 /* 1491 * W-Fi Protected Setup (WPS) permits 1492 * clients to associate and pass EAPOL frames 1493 * to establish initial credentials. 1494 */ 1495 ni->ni_flags |= IEEE80211_NODE_WPS; 1496 return 1; 1497 } 1498 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1499 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1500 /* 1501 * Transitional Security Network. Permits clients 1502 * to associate and use WEP while WPA is configured. 1503 */ 1504 ni->ni_flags |= IEEE80211_NODE_TSN; 1505 return 1; 1506 } 1507 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1508 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1509 vap->iv_stats.is_rx_assoc_badwpaie++; 1510 reason = IEEE80211_REASON_IE_INVALID; 1511 goto bad; 1512 } 1513 /* assert right association security credentials */ 1514 badwparsn = 0; /* NB: to silence compiler */ 1515 switch (vap->iv_flags & IEEE80211_F_WPA) { 1516 case IEEE80211_F_WPA1: 1517 badwparsn = (wpa == NULL); 1518 break; 1519 case IEEE80211_F_WPA2: 1520 badwparsn = (rsn == NULL); 1521 break; 1522 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1523 badwparsn = (wpa == NULL && rsn == NULL); 1524 break; 1525 } 1526 if (badwparsn) { 1527 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1528 wh, NULL, 1529 "%s", "missing WPA/RSN IE in association request"); 1530 vap->iv_stats.is_rx_assoc_badwpaie++; 1531 reason = IEEE80211_REASON_IE_INVALID; 1532 goto bad; 1533 } 1534 /* 1535 * Parse WPA/RSN information element. 1536 */ 1537 if (wpa != NULL) 1538 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1539 else 1540 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1541 if (reason != 0) { 1542 /* XXX distinguish WPA/RSN? */ 1543 vap->iv_stats.is_rx_assoc_badwpaie++; 1544 goto bad; 1545 } 1546 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1547 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1548 wpa != NULL ? "WPA" : "RSN", 1549 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1550 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1551 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1552 1553 return 1; 1554bad: 1555 ieee80211_node_deauth(ni, reason); 1556 return 0; 1557} 1558 1559/* XXX find a better place for definition */ 1560struct l2_update_frame { 1561 struct ether_header eh; 1562 uint8_t dsap; 1563 uint8_t ssap; 1564 uint8_t control; 1565 uint8_t xid[3]; 1566} __packed; 1567 1568/* 1569 * Deliver a TGf L2UF frame on behalf of a station. 1570 * This primes any bridge when the station is roaming 1571 * between ap's on the same wired network. 1572 */ 1573static void 1574ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1575{ 1576 struct ieee80211vap *vap = ni->ni_vap; 1577 struct ifnet *ifp = vap->iv_ifp; 1578 struct mbuf *m; 1579 struct l2_update_frame *l2uf; 1580 struct ether_header *eh; 1581 1582 m = m_gethdr(M_NOWAIT, MT_DATA); 1583 if (m == NULL) { 1584 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1585 "%s", "no mbuf for l2uf frame"); 1586 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1587 return; 1588 } 1589 l2uf = mtod(m, struct l2_update_frame *); 1590 eh = &l2uf->eh; 1591 /* dst: Broadcast address */ 1592 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1593 /* src: associated STA */ 1594 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1595 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1596 1597 l2uf->dsap = 0; 1598 l2uf->ssap = 0; 1599 l2uf->control = 0xf5; 1600 l2uf->xid[0] = 0x81; 1601 l2uf->xid[1] = 0x80; 1602 l2uf->xid[2] = 0x00; 1603 1604 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1605 hostap_deliver_data(vap, ni, m); 1606} 1607 1608static void 1609ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1610 int reassoc, int resp, const char *tag, int rate) 1611{ 1612 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1613 "deny %s request, %s rate set mismatch, rate/MCS %d", 1614 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1615 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1616 ieee80211_node_leave(ni); 1617} 1618 1619static void 1620capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1621 int reassoc, int resp, const char *tag, int capinfo) 1622{ 1623 struct ieee80211vap *vap = ni->ni_vap; 1624 1625 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1626 "deny %s request, %s mismatch 0x%x", 1627 reassoc ? "reassoc" : "assoc", tag, capinfo); 1628 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1629 ieee80211_node_leave(ni); 1630 vap->iv_stats.is_rx_assoc_capmismatch++; 1631} 1632 1633static void 1634htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1635 int reassoc, int resp) 1636{ 1637 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1638 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1639 /* XXX no better code */ 1640 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1641 ieee80211_node_leave(ni); 1642} 1643 1644static void 1645authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1646 int algo, int seq, int status) 1647{ 1648 struct ieee80211vap *vap = ni->ni_vap; 1649 1650 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1651 wh, NULL, "unsupported alg %d", algo); 1652 vap->iv_stats.is_rx_auth_unsupported++; 1653 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1654 seq | (status << 16)); 1655} 1656 1657static __inline int 1658ishtmixed(const uint8_t *ie) 1659{ 1660 const struct ieee80211_ie_htinfo *ht = 1661 (const struct ieee80211_ie_htinfo *) ie; 1662 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1663 IEEE80211_HTINFO_OPMODE_MIXED; 1664} 1665 1666static int 1667is11bclient(const uint8_t *rates, const uint8_t *xrates) 1668{ 1669 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1670 int i; 1671 1672 /* NB: the 11b clients we care about will not have xrates */ 1673 if (xrates != NULL || rates == NULL) 1674 return 0; 1675 for (i = 0; i < rates[1]; i++) { 1676 int r = rates[2+i] & IEEE80211_RATE_VAL; 1677 if (r > 2*11 || ((1<<r) & brates) == 0) 1678 return 0; 1679 } 1680 return 1; 1681} 1682 1683static void 1684hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1685 int subtype, int rssi, int nf) 1686{ 1687 struct ieee80211vap *vap = ni->ni_vap; 1688 struct ieee80211com *ic = ni->ni_ic; 1689 struct ieee80211_frame *wh; 1690 uint8_t *frm, *efrm, *sfrm; 1691 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1692 int reassoc, resp; 1693 uint8_t rate; 1694 1695 wh = mtod(m0, struct ieee80211_frame *); 1696 frm = (uint8_t *)&wh[1]; 1697 efrm = mtod(m0, uint8_t *) + m0->m_len; 1698 switch (subtype) { 1699 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1700 case IEEE80211_FC0_SUBTYPE_BEACON: { 1701 struct ieee80211_scanparams scan; 1702 /* 1703 * We process beacon/probe response frames when scanning; 1704 * otherwise we check beacon frames for overlapping non-ERP 1705 * BSS in 11g and/or overlapping legacy BSS when in HT. 1706 */ 1707 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 && 1708 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 1709 vap->iv_stats.is_rx_mgtdiscard++; 1710 return; 1711 } 1712 /* NB: accept off-channel frames */ 1713 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1714 return; 1715 /* 1716 * Count frame now that we know it's to be processed. 1717 */ 1718 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1719 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1720 IEEE80211_NODE_STAT(ni, rx_beacons); 1721 } else 1722 IEEE80211_NODE_STAT(ni, rx_proberesp); 1723 /* 1724 * If scanning, just pass information to the scan module. 1725 */ 1726 if (ic->ic_flags & IEEE80211_F_SCAN) { 1727 if (scan.status == 0 && /* NB: on channel */ 1728 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1729 /* 1730 * Actively scanning a channel marked passive; 1731 * send a probe request now that we know there 1732 * is 802.11 traffic present. 1733 * 1734 * XXX check if the beacon we recv'd gives 1735 * us what we need and suppress the probe req 1736 */ 1737 ieee80211_probe_curchan(vap, 1); 1738 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1739 } 1740 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1741 subtype, rssi, nf); 1742 return; 1743 } 1744 /* 1745 * Check beacon for overlapping bss w/ non ERP stations. 1746 * If we detect one and protection is configured but not 1747 * enabled, enable it and start a timer that'll bring us 1748 * out if we stop seeing the bss. 1749 */ 1750 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1751 scan.status == 0 && /* NB: on-channel */ 1752 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1753 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1754 ic->ic_lastnonerp = ticks; 1755 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1756 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1757 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1758 IEEE80211_NOTE_FRAME(vap, 1759 IEEE80211_MSG_ASSOC, wh, 1760 "non-ERP present on channel %d " 1761 "(saw erp 0x%x from channel %d), " 1762 "enable use of protection", 1763 ic->ic_curchan->ic_ieee, 1764 scan.erp, scan.chan); 1765 ic->ic_flags |= IEEE80211_F_USEPROT; 1766 ieee80211_notify_erp(ic); 1767 } 1768 } 1769 /* 1770 * Check beacon for non-HT station on HT channel 1771 * and update HT BSS occupancy as appropriate. 1772 */ 1773 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1774 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1775 /* 1776 * Off control channel; only check frames 1777 * that come in the extension channel when 1778 * operating w/ HT40. 1779 */ 1780 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1781 break; 1782 if (scan.chan != ic->ic_curchan->ic_extieee) 1783 break; 1784 } 1785 if (scan.htinfo == NULL) { 1786 ieee80211_htprot_update(ic, 1787 IEEE80211_HTINFO_OPMODE_PROTOPT | 1788 IEEE80211_HTINFO_NONHT_PRESENT); 1789 } else if (ishtmixed(scan.htinfo)) { 1790 /* XXX? take NONHT_PRESENT from beacon? */ 1791 ieee80211_htprot_update(ic, 1792 IEEE80211_HTINFO_OPMODE_MIXED | 1793 IEEE80211_HTINFO_NONHT_PRESENT); 1794 } 1795 } 1796 break; 1797 } 1798 1799 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1800 if (vap->iv_state != IEEE80211_S_RUN) { 1801 vap->iv_stats.is_rx_mgtdiscard++; 1802 return; 1803 } 1804 /* 1805 * Consult the ACL policy module if setup. 1806 */ 1807 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1808 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1809 wh, NULL, "%s", "disallowed by ACL"); 1810 vap->iv_stats.is_rx_acl++; 1811 return; 1812 } 1813 /* 1814 * prreq frame format 1815 * [tlv] ssid 1816 * [tlv] supported rates 1817 * [tlv] extended supported rates 1818 */ 1819 ssid = rates = xrates = NULL; 1820 sfrm = frm; 1821 while (efrm - frm > 1) { 1822 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1823 switch (*frm) { 1824 case IEEE80211_ELEMID_SSID: 1825 ssid = frm; 1826 break; 1827 case IEEE80211_ELEMID_RATES: 1828 rates = frm; 1829 break; 1830 case IEEE80211_ELEMID_XRATES: 1831 xrates = frm; 1832 break; 1833 } 1834 frm += frm[1] + 2; 1835 } 1836 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1837 if (xrates != NULL) 1838 IEEE80211_VERIFY_ELEMENT(xrates, 1839 IEEE80211_RATE_MAXSIZE - rates[1], return); 1840 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1841 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1842 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1843 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1844 wh, NULL, 1845 "%s", "no ssid with ssid suppression enabled"); 1846 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1847 return; 1848 } 1849 1850 /* XXX find a better class or define it's own */ 1851 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1852 "%s", "recv probe req"); 1853 /* 1854 * Some legacy 11b clients cannot hack a complete 1855 * probe response frame. When the request includes 1856 * only a bare-bones rate set, communicate this to 1857 * the transmit side. 1858 */ 1859 ieee80211_send_proberesp(vap, wh->i_addr2, 1860 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1861 break; 1862 1863 case IEEE80211_FC0_SUBTYPE_AUTH: { 1864 uint16_t algo, seq, status; 1865 1866 if (vap->iv_state != IEEE80211_S_RUN) { 1867 vap->iv_stats.is_rx_mgtdiscard++; 1868 return; 1869 } 1870 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1871 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1872 wh, NULL, "%s", "wrong bssid"); 1873 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1874 return; 1875 } 1876 /* 1877 * auth frame format 1878 * [2] algorithm 1879 * [2] sequence 1880 * [2] status 1881 * [tlv*] challenge 1882 */ 1883 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1884 algo = le16toh(*(uint16_t *)frm); 1885 seq = le16toh(*(uint16_t *)(frm + 2)); 1886 status = le16toh(*(uint16_t *)(frm + 4)); 1887 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1888 "recv auth frame with algorithm %d seq %d", algo, seq); 1889 /* 1890 * Consult the ACL policy module if setup. 1891 */ 1892 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1894 wh, NULL, "%s", "disallowed by ACL"); 1895 vap->iv_stats.is_rx_acl++; 1896 ieee80211_send_error(ni, wh->i_addr2, 1897 IEEE80211_FC0_SUBTYPE_AUTH, 1898 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1899 return; 1900 } 1901 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1902 IEEE80211_DISCARD(vap, 1903 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1904 wh, NULL, "%s", "TKIP countermeasures enabled"); 1905 vap->iv_stats.is_rx_auth_countermeasures++; 1906 ieee80211_send_error(ni, wh->i_addr2, 1907 IEEE80211_FC0_SUBTYPE_AUTH, 1908 IEEE80211_REASON_MIC_FAILURE); 1909 return; 1910 } 1911 if (algo == IEEE80211_AUTH_ALG_SHARED) 1912 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1913 seq, status); 1914 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1915 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1916 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1917 authalgreject(ni, wh, algo, 1918 seq+1, IEEE80211_STATUS_ALG); 1919 return; 1920 } else { 1921 /* 1922 * We assume that an unknown algorithm is the result 1923 * of a decryption failure on a shared key auth frame; 1924 * return a status code appropriate for that instead 1925 * of IEEE80211_STATUS_ALG. 1926 * 1927 * NB: a seq# of 4 is intentional; the decrypted 1928 * frame likely has a bogus seq value. 1929 */ 1930 authalgreject(ni, wh, algo, 1931 4, IEEE80211_STATUS_CHALLENGE); 1932 return; 1933 } 1934 break; 1935 } 1936 1937 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1938 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1939 uint16_t capinfo, lintval; 1940 struct ieee80211_rsnparms rsnparms; 1941 1942 if (vap->iv_state != IEEE80211_S_RUN) { 1943 vap->iv_stats.is_rx_mgtdiscard++; 1944 return; 1945 } 1946 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1947 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1948 wh, NULL, "%s", "wrong bssid"); 1949 vap->iv_stats.is_rx_assoc_bss++; 1950 return; 1951 } 1952 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1953 reassoc = 1; 1954 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1955 } else { 1956 reassoc = 0; 1957 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1958 } 1959 if (ni == vap->iv_bss) { 1960 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1961 "deny %s request, sta not authenticated", 1962 reassoc ? "reassoc" : "assoc"); 1963 ieee80211_send_error(ni, wh->i_addr2, 1964 IEEE80211_FC0_SUBTYPE_DEAUTH, 1965 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1966 vap->iv_stats.is_rx_assoc_notauth++; 1967 return; 1968 } 1969 1970 /* 1971 * asreq frame format 1972 * [2] capability information 1973 * [2] listen interval 1974 * [6*] current AP address (reassoc only) 1975 * [tlv] ssid 1976 * [tlv] supported rates 1977 * [tlv] extended supported rates 1978 * [tlv] WPA or RSN 1979 * [tlv] HT capabilities 1980 * [tlv] Atheros capabilities 1981 */ 1982 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1983 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1984 lintval = le16toh(*(uint16_t *)frm); frm += 2; 1985 if (reassoc) 1986 frm += 6; /* ignore current AP info */ 1987 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1988 sfrm = frm; 1989 while (efrm - frm > 1) { 1990 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1991 switch (*frm) { 1992 case IEEE80211_ELEMID_SSID: 1993 ssid = frm; 1994 break; 1995 case IEEE80211_ELEMID_RATES: 1996 rates = frm; 1997 break; 1998 case IEEE80211_ELEMID_XRATES: 1999 xrates = frm; 2000 break; 2001 case IEEE80211_ELEMID_RSN: 2002 rsn = frm; 2003 break; 2004 case IEEE80211_ELEMID_HTCAP: 2005 htcap = frm; 2006 break; 2007 case IEEE80211_ELEMID_VENDOR: 2008 if (iswpaoui(frm)) 2009 wpa = frm; 2010 else if (iswmeinfo(frm)) 2011 wme = frm; 2012#ifdef IEEE80211_SUPPORT_SUPERG 2013 else if (isatherosoui(frm)) 2014 ath = frm; 2015#endif 2016 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2017 if (ishtcapoui(frm) && htcap == NULL) 2018 htcap = frm; 2019 } 2020 break; 2021 } 2022 frm += frm[1] + 2; 2023 } 2024 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2025 if (xrates != NULL) 2026 IEEE80211_VERIFY_ELEMENT(xrates, 2027 IEEE80211_RATE_MAXSIZE - rates[1], return); 2028 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2029 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2030 if (htcap != NULL) { 2031 IEEE80211_VERIFY_LENGTH(htcap[1], 2032 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2033 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2034 sizeof(struct ieee80211_ie_htcap)-2, 2035 return); /* XXX just NULL out? */ 2036 } 2037 2038 if ((vap->iv_flags & IEEE80211_F_WPA) && 2039 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2040 return; 2041 /* discard challenge after association */ 2042 if (ni->ni_challenge != NULL) { 2043 free(ni->ni_challenge, M_80211_NODE); 2044 ni->ni_challenge = NULL; 2045 } 2046 /* NB: 802.11 spec says to ignore station's privacy bit */ 2047 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2048 capinfomismatch(ni, wh, reassoc, resp, 2049 "capability", capinfo); 2050 return; 2051 } 2052 /* 2053 * Disallow re-associate w/ invalid slot time setting. 2054 */ 2055 if (ni->ni_associd != 0 && 2056 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2057 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2058 capinfomismatch(ni, wh, reassoc, resp, 2059 "slot time", capinfo); 2060 return; 2061 } 2062 rate = ieee80211_setup_rates(ni, rates, xrates, 2063 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2064 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2065 if (rate & IEEE80211_RATE_BASIC) { 2066 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2067 vap->iv_stats.is_rx_assoc_norate++; 2068 return; 2069 } 2070 /* 2071 * If constrained to 11g-only stations reject an 2072 * 11b-only station. We cheat a bit here by looking 2073 * at the max negotiated xmit rate and assuming anyone 2074 * with a best rate <24Mb/s is an 11b station. 2075 */ 2076 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2077 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2078 vap->iv_stats.is_rx_assoc_norate++; 2079 return; 2080 } 2081 /* 2082 * Do HT rate set handling and setup HT node state. 2083 */ 2084 ni->ni_chan = vap->iv_bss->ni_chan; 2085 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2086 rate = ieee80211_setup_htrates(ni, htcap, 2087 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2088 IEEE80211_F_DOBRS); 2089 if (rate & IEEE80211_RATE_BASIC) { 2090 ratesetmismatch(ni, wh, reassoc, resp, 2091 "HT", rate); 2092 vap->iv_stats.is_ht_assoc_norate++; 2093 return; 2094 } 2095 ieee80211_ht_node_init(ni); 2096 ieee80211_ht_updatehtcap(ni, htcap); 2097 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2098 ieee80211_ht_node_cleanup(ni); 2099#ifdef IEEE80211_SUPPORT_SUPERG 2100 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH) 2101 ieee80211_ff_node_cleanup(ni); 2102#endif 2103 /* 2104 * Allow AMPDU operation only with unencrypted traffic 2105 * or AES-CCM; the 11n spec only specifies these ciphers 2106 * so permitting any others is undefined and can lead 2107 * to interoperability problems. 2108 */ 2109 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2110 (((vap->iv_flags & IEEE80211_F_WPA) && 2111 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2112 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2113 IEEE80211_NOTE(vap, 2114 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2115 "disallow HT use because WEP or TKIP requested, " 2116 "capinfo 0x%x ucastcipher %d", capinfo, 2117 rsnparms.rsn_ucastcipher); 2118 ieee80211_ht_node_cleanup(ni); 2119 vap->iv_stats.is_ht_assoc_downgrade++; 2120 } 2121 /* 2122 * If constrained to 11n-only stations reject legacy stations. 2123 */ 2124 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2125 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2126 htcapmismatch(ni, wh, reassoc, resp); 2127 vap->iv_stats.is_ht_assoc_nohtcap++; 2128 return; 2129 } 2130 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2131 ni->ni_noise = nf; 2132 ni->ni_intval = lintval; 2133 ni->ni_capinfo = capinfo; 2134 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2135 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2136 /* 2137 * Store the IEs. 2138 * XXX maybe better to just expand 2139 */ 2140 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2141#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2142 if (wpa != NULL) 2143 setie(wpa_ie, wpa - sfrm); 2144 if (rsn != NULL) 2145 setie(rsn_ie, rsn - sfrm); 2146 if (htcap != NULL) 2147 setie(htcap_ie, htcap - sfrm); 2148 if (wme != NULL) { 2149 setie(wme_ie, wme - sfrm); 2150 /* 2151 * Mark node as capable of QoS. 2152 */ 2153 ni->ni_flags |= IEEE80211_NODE_QOS; 2154 } else 2155 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2156#ifdef IEEE80211_SUPPORT_SUPERG 2157 if (ath != NULL) { 2158 setie(ath_ie, ath - sfrm); 2159 /* 2160 * Parse ATH station parameters. 2161 */ 2162 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2163 } else 2164#endif 2165 ni->ni_ath_flags = 0; 2166#undef setie 2167 } else { 2168 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2169 ni->ni_ath_flags = 0; 2170 } 2171 ieee80211_node_join(ni, resp); 2172 ieee80211_deliver_l2uf(ni); 2173 break; 2174 } 2175 2176 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2177 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2178 uint16_t reason; 2179 2180 if (vap->iv_state != IEEE80211_S_RUN || 2181 /* NB: can happen when in promiscuous mode */ 2182 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2183 vap->iv_stats.is_rx_mgtdiscard++; 2184 break; 2185 } 2186 /* 2187 * deauth/disassoc frame format 2188 * [2] reason 2189 */ 2190 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2191 reason = le16toh(*(uint16_t *)frm); 2192 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2193 vap->iv_stats.is_rx_deauth++; 2194 IEEE80211_NODE_STAT(ni, rx_deauth); 2195 } else { 2196 vap->iv_stats.is_rx_disassoc++; 2197 IEEE80211_NODE_STAT(ni, rx_disassoc); 2198 } 2199 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2200 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >> 2201 IEEE80211_FC0_SUBTYPE_SHIFT], reason); 2202 if (ni != vap->iv_bss) 2203 ieee80211_node_leave(ni); 2204 break; 2205 } 2206 2207 case IEEE80211_FC0_SUBTYPE_ACTION: 2208 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2209 if (ni == vap->iv_bss) { 2210 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2211 wh, NULL, "%s", "unknown node"); 2212 vap->iv_stats.is_rx_mgtdiscard++; 2213 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2214 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2215 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2216 wh, NULL, "%s", "not for us"); 2217 vap->iv_stats.is_rx_mgtdiscard++; 2218 } else if (vap->iv_state != IEEE80211_S_RUN) { 2219 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2220 wh, NULL, "wrong state %s", 2221 ieee80211_state_name[vap->iv_state]); 2222 vap->iv_stats.is_rx_mgtdiscard++; 2223 } else { 2224 if (ieee80211_parse_action(ni, m0) == 0) 2225 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2226 } 2227 break; 2228 2229 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2230 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2231 case IEEE80211_FC0_SUBTYPE_ATIM: 2232 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2233 wh, NULL, "%s", "not handled"); 2234 vap->iv_stats.is_rx_mgtdiscard++; 2235 break; 2236 2237 default: 2238 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2239 wh, "mgt", "subtype 0x%x not handled", subtype); 2240 vap->iv_stats.is_rx_badsubtype++; 2241 break; 2242 } 2243} 2244 2245static void 2246hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2247{ 2248 switch (subtype) { 2249 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2250 ni->ni_vap->iv_recv_pspoll(ni, m); 2251 break; 2252 case IEEE80211_FC0_SUBTYPE_BAR: 2253 ieee80211_recv_bar(ni, m); 2254 break; 2255 } 2256} 2257 2258/* 2259 * Process a received ps-poll frame. 2260 */ 2261void 2262ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2263{ 2264 struct ieee80211vap *vap = ni->ni_vap; 2265 struct ieee80211com *ic = vap->iv_ic; 2266 struct ieee80211_frame_min *wh; 2267 struct mbuf *m; 2268 uint16_t aid; 2269 int qlen; 2270 2271 wh = mtod(m0, struct ieee80211_frame_min *); 2272 if (ni->ni_associd == 0) { 2273 IEEE80211_DISCARD(vap, 2274 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2275 (struct ieee80211_frame *) wh, NULL, 2276 "%s", "unassociated station"); 2277 vap->iv_stats.is_ps_unassoc++; 2278 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2279 IEEE80211_REASON_NOT_ASSOCED); 2280 return; 2281 } 2282 2283 aid = le16toh(*(uint16_t *)wh->i_dur); 2284 if (aid != ni->ni_associd) { 2285 IEEE80211_DISCARD(vap, 2286 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2287 (struct ieee80211_frame *) wh, NULL, 2288 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2289 ni->ni_associd, aid); 2290 vap->iv_stats.is_ps_badaid++; 2291 /* 2292 * NB: We used to deauth the station but it turns out 2293 * the Blackberry Curve 8230 (and perhaps other devices) 2294 * sometimes send the wrong AID when WME is negotiated. 2295 * Being more lenient here seems ok as we already check 2296 * the station is associated and we only return frames 2297 * queued for the station (i.e. we don't use the AID). 2298 */ 2299 return; 2300 } 2301 2302 /* Okay, take the first queued packet and put it out... */ 2303 m = ieee80211_node_psq_dequeue(ni, &qlen); 2304 if (m == NULL) { 2305 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2306 "%s", "recv ps-poll, but queue empty"); 2307 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2308 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2309 if (vap->iv_set_tim != NULL) 2310 vap->iv_set_tim(ni, 0); /* just in case */ 2311 return; 2312 } 2313 /* 2314 * If there are more packets, set the more packets bit 2315 * in the packet dispatched to the station; otherwise 2316 * turn off the TIM bit. 2317 */ 2318 if (qlen != 0) { 2319 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2320 "recv ps-poll, send packet, %u still queued", qlen); 2321 m->m_flags |= M_MORE_DATA; 2322 } else { 2323 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2324 "%s", "recv ps-poll, send packet, queue empty"); 2325 if (vap->iv_set_tim != NULL) 2326 vap->iv_set_tim(ni, 0); 2327 } 2328 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2329 2330 /* 2331 * Do the right thing; if it's an encap'ed frame then 2332 * call ieee80211_parent_xmitpkt() (and free the ref) else 2333 * call ieee80211_vap_xmitpkt(). 2334 */ 2335 if (m->m_flags & M_ENCAP) { 2336 if (ieee80211_parent_xmitpkt(ic, m) != 0) 2337 ieee80211_free_node(ni); 2338 } else { 2339 (void) ieee80211_vap_xmitpkt(vap, m); 2340 } 2341}
| 574 uint8_t tid = ieee80211_gettid(wh); 575 if (IEEE80211_QOS_HAS_SEQ(wh) && 576 TID_TO_WME_AC(tid) >= WME_AC_VI) 577 ic->ic_wme.wme_hipri_traffic++; 578 rxseq = le16toh(*(uint16_t *)wh->i_seq); 579 if (! ieee80211_check_rxseq(ni, wh)) { 580 /* duplicate, discard */ 581 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 582 bssid, "duplicate", 583 "seqno <%u,%u> fragno <%u,%u> tid %u", 584 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 585 ni->ni_rxseqs[tid] >> 586 IEEE80211_SEQ_SEQ_SHIFT, 587 rxseq & IEEE80211_SEQ_FRAG_MASK, 588 ni->ni_rxseqs[tid] & 589 IEEE80211_SEQ_FRAG_MASK, 590 tid); 591 vap->iv_stats.is_rx_dup++; 592 IEEE80211_NODE_STAT(ni, rx_dup); 593 goto out; 594 } 595 ni->ni_rxseqs[tid] = rxseq; 596 } 597 } 598 599 switch (type) { 600 case IEEE80211_FC0_TYPE_DATA: 601 hdrspace = ieee80211_hdrspace(ic, wh); 602 if (m->m_len < hdrspace && 603 (m = m_pullup(m, hdrspace)) == NULL) { 604 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 605 ni->ni_macaddr, NULL, 606 "data too short: expecting %u", hdrspace); 607 vap->iv_stats.is_rx_tooshort++; 608 goto out; /* XXX */ 609 } 610 if (!(dir == IEEE80211_FC1_DIR_TODS || 611 (dir == IEEE80211_FC1_DIR_DSTODS && 612 (vap->iv_flags & IEEE80211_F_DWDS)))) { 613 if (dir != IEEE80211_FC1_DIR_DSTODS) { 614 IEEE80211_DISCARD(vap, 615 IEEE80211_MSG_INPUT, wh, "data", 616 "incorrect dir 0x%x", dir); 617 } else { 618 IEEE80211_DISCARD(vap, 619 IEEE80211_MSG_INPUT | 620 IEEE80211_MSG_WDS, wh, 621 "4-address data", 622 "%s", "DWDS not enabled"); 623 } 624 vap->iv_stats.is_rx_wrongdir++; 625 goto out; 626 } 627 /* check if source STA is associated */ 628 if (ni == vap->iv_bss) { 629 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 630 wh, "data", "%s", "unknown src"); 631 ieee80211_send_error(ni, wh->i_addr2, 632 IEEE80211_FC0_SUBTYPE_DEAUTH, 633 IEEE80211_REASON_NOT_AUTHED); 634 vap->iv_stats.is_rx_notassoc++; 635 goto err; 636 } 637 if (ni->ni_associd == 0) { 638 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 639 wh, "data", "%s", "unassoc src"); 640 IEEE80211_SEND_MGMT(ni, 641 IEEE80211_FC0_SUBTYPE_DISASSOC, 642 IEEE80211_REASON_NOT_ASSOCED); 643 vap->iv_stats.is_rx_notassoc++; 644 goto err; 645 } 646 647 /* 648 * Check for power save state change. 649 * XXX out-of-order A-MPDU frames? 650 */ 651 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 652 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 653 vap->iv_node_ps(ni, 654 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 655 /* 656 * For 4-address packets handle WDS discovery 657 * notifications. Once a WDS link is setup frames 658 * are just delivered to the WDS vap (see below). 659 */ 660 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 661 if (!ieee80211_node_is_authorized(ni)) { 662 IEEE80211_DISCARD(vap, 663 IEEE80211_MSG_INPUT | 664 IEEE80211_MSG_WDS, wh, 665 "4-address data", 666 "%s", "unauthorized port"); 667 vap->iv_stats.is_rx_unauth++; 668 IEEE80211_NODE_STAT(ni, rx_unauth); 669 goto err; 670 } 671 ieee80211_dwds_discover(ni, m); 672 return type; 673 } 674 675 /* 676 * Handle A-MPDU re-ordering. If the frame is to be 677 * processed directly then ieee80211_ampdu_reorder 678 * will return 0; otherwise it has consumed the mbuf 679 * and we should do nothing more with it. 680 */ 681 if ((m->m_flags & M_AMPDU) && 682 ieee80211_ampdu_reorder(ni, m) != 0) { 683 m = NULL; 684 goto out; 685 } 686 resubmit_ampdu: 687 688 /* 689 * Handle privacy requirements. Note that we 690 * must not be preempted from here until after 691 * we (potentially) call ieee80211_crypto_demic; 692 * otherwise we may violate assumptions in the 693 * crypto cipher modules used to do delayed update 694 * of replay sequence numbers. 695 */ 696 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 697 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 698 /* 699 * Discard encrypted frames when privacy is off. 700 */ 701 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 702 wh, "WEP", "%s", "PRIVACY off"); 703 vap->iv_stats.is_rx_noprivacy++; 704 IEEE80211_NODE_STAT(ni, rx_noprivacy); 705 goto out; 706 } 707 key = ieee80211_crypto_decap(ni, m, hdrspace); 708 if (key == NULL) { 709 /* NB: stats+msgs handled in crypto_decap */ 710 IEEE80211_NODE_STAT(ni, rx_wepfail); 711 goto out; 712 } 713 wh = mtod(m, struct ieee80211_frame *); 714 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 715 } else { 716 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 717 key = NULL; 718 } 719 720 /* 721 * Save QoS bits for use below--before we strip the header. 722 */ 723 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 724 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 725 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 726 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 727 } else 728 qos = 0; 729 730 /* 731 * Next up, any fragmentation. 732 */ 733 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 734 m = ieee80211_defrag(ni, m, hdrspace); 735 if (m == NULL) { 736 /* Fragment dropped or frame not complete yet */ 737 goto out; 738 } 739 } 740 wh = NULL; /* no longer valid, catch any uses */ 741 742 /* 743 * Next strip any MSDU crypto bits. 744 */ 745 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 746 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 747 ni->ni_macaddr, "data", "%s", "demic error"); 748 vap->iv_stats.is_rx_demicfail++; 749 IEEE80211_NODE_STAT(ni, rx_demicfail); 750 goto out; 751 } 752 /* copy to listener after decrypt */ 753 if (ieee80211_radiotap_active_vap(vap)) 754 ieee80211_radiotap_rx(vap, m); 755 need_tap = 0; 756 /* 757 * Finally, strip the 802.11 header. 758 */ 759 m = ieee80211_decap(vap, m, hdrspace); 760 if (m == NULL) { 761 /* XXX mask bit to check for both */ 762 /* don't count Null data frames as errors */ 763 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 764 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 765 goto out; 766 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 767 ni->ni_macaddr, "data", "%s", "decap error"); 768 vap->iv_stats.is_rx_decap++; 769 IEEE80211_NODE_STAT(ni, rx_decap); 770 goto err; 771 } 772 eh = mtod(m, struct ether_header *); 773 if (!ieee80211_node_is_authorized(ni)) { 774 /* 775 * Deny any non-PAE frames received prior to 776 * authorization. For open/shared-key 777 * authentication the port is mark authorized 778 * after authentication completes. For 802.1x 779 * the port is not marked authorized by the 780 * authenticator until the handshake has completed. 781 */ 782 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 783 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 784 eh->ether_shost, "data", 785 "unauthorized port: ether type 0x%x len %u", 786 eh->ether_type, m->m_pkthdr.len); 787 vap->iv_stats.is_rx_unauth++; 788 IEEE80211_NODE_STAT(ni, rx_unauth); 789 goto err; 790 } 791 } else { 792 /* 793 * When denying unencrypted frames, discard 794 * any non-PAE frames received without encryption. 795 */ 796 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 797 (key == NULL && (m->m_flags & M_WEP) == 0) && 798 eh->ether_type != htons(ETHERTYPE_PAE)) { 799 /* 800 * Drop unencrypted frames. 801 */ 802 vap->iv_stats.is_rx_unencrypted++; 803 IEEE80211_NODE_STAT(ni, rx_unencrypted); 804 goto out; 805 } 806 } 807 /* XXX require HT? */ 808 if (qos & IEEE80211_QOS_AMSDU) { 809 m = ieee80211_decap_amsdu(ni, m); 810 if (m == NULL) 811 return IEEE80211_FC0_TYPE_DATA; 812 } else { 813#ifdef IEEE80211_SUPPORT_SUPERG 814 m = ieee80211_decap_fastframe(vap, ni, m); 815 if (m == NULL) 816 return IEEE80211_FC0_TYPE_DATA; 817#endif 818 } 819 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 820 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 821 else 822 hostap_deliver_data(vap, ni, m); 823 return IEEE80211_FC0_TYPE_DATA; 824 825 case IEEE80211_FC0_TYPE_MGT: 826 vap->iv_stats.is_rx_mgmt++; 827 IEEE80211_NODE_STAT(ni, rx_mgmt); 828 if (dir != IEEE80211_FC1_DIR_NODS) { 829 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 830 wh, "mgt", "incorrect dir 0x%x", dir); 831 vap->iv_stats.is_rx_wrongdir++; 832 goto err; 833 } 834 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 835 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 836 ni->ni_macaddr, "mgt", "too short: len %u", 837 m->m_pkthdr.len); 838 vap->iv_stats.is_rx_tooshort++; 839 goto out; 840 } 841 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 842 /* ensure return frames are unicast */ 843 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 844 wh, NULL, "source is multicast: %s", 845 ether_sprintf(wh->i_addr2)); 846 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 847 goto out; 848 } 849#ifdef IEEE80211_DEBUG 850 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 851 ieee80211_msg_dumppkts(vap)) { 852 if_printf(ifp, "received %s from %s rssi %d\n", 853 ieee80211_mgt_subtype_name[subtype >> 854 IEEE80211_FC0_SUBTYPE_SHIFT], 855 ether_sprintf(wh->i_addr2), rssi); 856 } 857#endif 858 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 859 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 860 /* 861 * Only shared key auth frames with a challenge 862 * should be encrypted, discard all others. 863 */ 864 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, 866 "%s", "WEP set but not permitted"); 867 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 868 goto out; 869 } 870 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 871 /* 872 * Discard encrypted frames when privacy is off. 873 */ 874 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 875 wh, NULL, "%s", "WEP set but PRIVACY off"); 876 vap->iv_stats.is_rx_noprivacy++; 877 goto out; 878 } 879 hdrspace = ieee80211_hdrspace(ic, wh); 880 key = ieee80211_crypto_decap(ni, m, hdrspace); 881 if (key == NULL) { 882 /* NB: stats+msgs handled in crypto_decap */ 883 goto out; 884 } 885 wh = mtod(m, struct ieee80211_frame *); 886 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 887 } 888 /* 889 * Pass the packet to radiotap before calling iv_recv_mgmt(). 890 * Otherwise iv_recv_mgmt() might pass another packet to 891 * radiotap, resulting in out of order packet captures. 892 */ 893 if (ieee80211_radiotap_active_vap(vap)) 894 ieee80211_radiotap_rx(vap, m); 895 need_tap = 0; 896 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 897 goto out; 898 899 case IEEE80211_FC0_TYPE_CTL: 900 vap->iv_stats.is_rx_ctl++; 901 IEEE80211_NODE_STAT(ni, rx_ctrl); 902 vap->iv_recv_ctl(ni, m, subtype); 903 goto out; 904 default: 905 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 906 wh, "bad", "frame type 0x%x", type); 907 /* should not come here */ 908 break; 909 } 910err: 911 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 912out: 913 if (m != NULL) { 914 if (need_tap && ieee80211_radiotap_active_vap(vap)) 915 ieee80211_radiotap_rx(vap, m); 916 m_freem(m); 917 } 918 return type; 919} 920 921static void 922hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 923 int rssi, int nf, uint16_t seq, uint16_t status) 924{ 925 struct ieee80211vap *vap = ni->ni_vap; 926 927 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 928 929 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 930 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 931 ni->ni_macaddr, "open auth", 932 "bad sta auth mode %u", ni->ni_authmode); 933 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 934 /* 935 * Clear any challenge text that may be there if 936 * a previous shared key auth failed and then an 937 * open auth is attempted. 938 */ 939 if (ni->ni_challenge != NULL) { 940 free(ni->ni_challenge, M_80211_NODE); 941 ni->ni_challenge = NULL; 942 } 943 /* XXX hack to workaround calling convention */ 944 ieee80211_send_error(ni, wh->i_addr2, 945 IEEE80211_FC0_SUBTYPE_AUTH, 946 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 947 return; 948 } 949 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 950 vap->iv_stats.is_rx_bad_auth++; 951 return; 952 } 953 /* always accept open authentication requests */ 954 if (ni == vap->iv_bss) { 955 ni = ieee80211_dup_bss(vap, wh->i_addr2); 956 if (ni == NULL) 957 return; 958 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 959 (void) ieee80211_ref_node(ni); 960 /* 961 * Mark the node as referenced to reflect that it's 962 * reference count has been bumped to insure it remains 963 * after the transaction completes. 964 */ 965 ni->ni_flags |= IEEE80211_NODE_AREF; 966 /* 967 * Mark the node as requiring a valid association id 968 * before outbound traffic is permitted. 969 */ 970 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 971 972 if (vap->iv_acl != NULL && 973 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 974 /* 975 * When the ACL policy is set to RADIUS we defer the 976 * authorization to a user agent. Dispatch an event, 977 * a subsequent MLME call will decide the fate of the 978 * station. If the user agent is not present then the 979 * node will be reclaimed due to inactivity. 980 */ 981 IEEE80211_NOTE_MAC(vap, 982 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 983 "%s", "station authentication defered (radius acl)"); 984 ieee80211_notify_node_auth(ni); 985 } else { 986 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 987 IEEE80211_NOTE_MAC(vap, 988 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 989 "%s", "station authenticated (open)"); 990 /* 991 * When 802.1x is not in use mark the port 992 * authorized at this point so traffic can flow. 993 */ 994 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 995 ieee80211_node_authorize(ni); 996 } 997} 998 999static void 1000hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 1001 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 1002 uint16_t seq, uint16_t status) 1003{ 1004 struct ieee80211vap *vap = ni->ni_vap; 1005 uint8_t *challenge; 1006 int allocbs, estatus; 1007 1008 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1009 1010 /* 1011 * NB: this can happen as we allow pre-shared key 1012 * authentication to be enabled w/o wep being turned 1013 * on so that configuration of these can be done 1014 * in any order. It may be better to enforce the 1015 * ordering in which case this check would just be 1016 * for sanity/consistency. 1017 */ 1018 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1019 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1020 ni->ni_macaddr, "shared key auth", 1021 "%s", " PRIVACY is disabled"); 1022 estatus = IEEE80211_STATUS_ALG; 1023 goto bad; 1024 } 1025 /* 1026 * Pre-shared key authentication is evil; accept 1027 * it only if explicitly configured (it is supported 1028 * mainly for compatibility with clients like Mac OS X). 1029 */ 1030 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1031 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1033 ni->ni_macaddr, "shared key auth", 1034 "bad sta auth mode %u", ni->ni_authmode); 1035 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1036 estatus = IEEE80211_STATUS_ALG; 1037 goto bad; 1038 } 1039 1040 challenge = NULL; 1041 if (frm + 1 < efrm) { 1042 if ((frm[1] + 2) > (efrm - frm)) { 1043 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1044 ni->ni_macaddr, "shared key auth", 1045 "ie %d/%d too long", 1046 frm[0], (frm[1] + 2) - (efrm - frm)); 1047 vap->iv_stats.is_rx_bad_auth++; 1048 estatus = IEEE80211_STATUS_CHALLENGE; 1049 goto bad; 1050 } 1051 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1052 challenge = frm; 1053 frm += frm[1] + 2; 1054 } 1055 switch (seq) { 1056 case IEEE80211_AUTH_SHARED_CHALLENGE: 1057 case IEEE80211_AUTH_SHARED_RESPONSE: 1058 if (challenge == NULL) { 1059 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1060 ni->ni_macaddr, "shared key auth", 1061 "%s", "no challenge"); 1062 vap->iv_stats.is_rx_bad_auth++; 1063 estatus = IEEE80211_STATUS_CHALLENGE; 1064 goto bad; 1065 } 1066 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1067 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1068 ni->ni_macaddr, "shared key auth", 1069 "bad challenge len %d", challenge[1]); 1070 vap->iv_stats.is_rx_bad_auth++; 1071 estatus = IEEE80211_STATUS_CHALLENGE; 1072 goto bad; 1073 } 1074 default: 1075 break; 1076 } 1077 switch (seq) { 1078 case IEEE80211_AUTH_SHARED_REQUEST: 1079 if (ni == vap->iv_bss) { 1080 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1081 if (ni == NULL) { 1082 /* NB: no way to return an error */ 1083 return; 1084 } 1085 allocbs = 1; 1086 } else { 1087 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1088 (void) ieee80211_ref_node(ni); 1089 allocbs = 0; 1090 } 1091 /* 1092 * Mark the node as referenced to reflect that it's 1093 * reference count has been bumped to insure it remains 1094 * after the transaction completes. 1095 */ 1096 ni->ni_flags |= IEEE80211_NODE_AREF; 1097 /* 1098 * Mark the node as requiring a valid associatio id 1099 * before outbound traffic is permitted. 1100 */ 1101 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1102 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1103 ni->ni_noise = nf; 1104 if (!ieee80211_alloc_challenge(ni)) { 1105 /* NB: don't return error so they rexmit */ 1106 return; 1107 } 1108 get_random_bytes(ni->ni_challenge, 1109 IEEE80211_CHALLENGE_LEN); 1110 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1111 ni, "shared key %sauth request", allocbs ? "" : "re"); 1112 /* 1113 * When the ACL policy is set to RADIUS we defer the 1114 * authorization to a user agent. Dispatch an event, 1115 * a subsequent MLME call will decide the fate of the 1116 * station. If the user agent is not present then the 1117 * node will be reclaimed due to inactivity. 1118 */ 1119 if (vap->iv_acl != NULL && 1120 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1121 IEEE80211_NOTE_MAC(vap, 1122 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1123 ni->ni_macaddr, 1124 "%s", "station authentication defered (radius acl)"); 1125 ieee80211_notify_node_auth(ni); 1126 return; 1127 } 1128 break; 1129 case IEEE80211_AUTH_SHARED_RESPONSE: 1130 if (ni == vap->iv_bss) { 1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1132 ni->ni_macaddr, "shared key response", 1133 "%s", "unknown station"); 1134 /* NB: don't send a response */ 1135 return; 1136 } 1137 if (ni->ni_challenge == NULL) { 1138 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1139 ni->ni_macaddr, "shared key response", 1140 "%s", "no challenge recorded"); 1141 vap->iv_stats.is_rx_bad_auth++; 1142 estatus = IEEE80211_STATUS_CHALLENGE; 1143 goto bad; 1144 } 1145 if (memcmp(ni->ni_challenge, &challenge[2], 1146 challenge[1]) != 0) { 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key response", 1149 "%s", "challenge mismatch"); 1150 vap->iv_stats.is_rx_auth_fail++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1155 ni, "%s", "station authenticated (shared key)"); 1156 ieee80211_node_authorize(ni); 1157 break; 1158 default: 1159 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1160 ni->ni_macaddr, "shared key auth", 1161 "bad seq %d", seq); 1162 vap->iv_stats.is_rx_bad_auth++; 1163 estatus = IEEE80211_STATUS_SEQUENCE; 1164 goto bad; 1165 } 1166 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1167 return; 1168bad: 1169 /* 1170 * Send an error response; but only when operating as an AP. 1171 */ 1172 /* XXX hack to workaround calling convention */ 1173 ieee80211_send_error(ni, wh->i_addr2, 1174 IEEE80211_FC0_SUBTYPE_AUTH, 1175 (seq + 1) | (estatus<<16)); 1176} 1177 1178/* 1179 * Convert a WPA cipher selector OUI to an internal 1180 * cipher algorithm. Where appropriate we also 1181 * record any key length. 1182 */ 1183static int 1184wpa_cipher(const uint8_t *sel, uint8_t *keylen) 1185{ 1186#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1187 uint32_t w = LE_READ_4(sel); 1188 1189 switch (w) { 1190 case WPA_SEL(WPA_CSE_NULL): 1191 return IEEE80211_CIPHER_NONE; 1192 case WPA_SEL(WPA_CSE_WEP40): 1193 if (keylen) 1194 *keylen = 40 / NBBY; 1195 return IEEE80211_CIPHER_WEP; 1196 case WPA_SEL(WPA_CSE_WEP104): 1197 if (keylen) 1198 *keylen = 104 / NBBY; 1199 return IEEE80211_CIPHER_WEP; 1200 case WPA_SEL(WPA_CSE_TKIP): 1201 return IEEE80211_CIPHER_TKIP; 1202 case WPA_SEL(WPA_CSE_CCMP): 1203 return IEEE80211_CIPHER_AES_CCM; 1204 } 1205 return 32; /* NB: so 1<< is discarded */ 1206#undef WPA_SEL 1207} 1208 1209/* 1210 * Convert a WPA key management/authentication algorithm 1211 * to an internal code. 1212 */ 1213static int 1214wpa_keymgmt(const uint8_t *sel) 1215{ 1216#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1217 uint32_t w = LE_READ_4(sel); 1218 1219 switch (w) { 1220 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1221 return WPA_ASE_8021X_UNSPEC; 1222 case WPA_SEL(WPA_ASE_8021X_PSK): 1223 return WPA_ASE_8021X_PSK; 1224 case WPA_SEL(WPA_ASE_NONE): 1225 return WPA_ASE_NONE; 1226 } 1227 return 0; /* NB: so is discarded */ 1228#undef WPA_SEL 1229} 1230 1231/* 1232 * Parse a WPA information element to collect parameters. 1233 * Note that we do not validate security parameters; that 1234 * is handled by the authenticator; the parsing done here 1235 * is just for internal use in making operational decisions. 1236 */ 1237static int 1238ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1239 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1240{ 1241 uint8_t len = frm[1]; 1242 uint32_t w; 1243 int n; 1244 1245 /* 1246 * Check the length once for fixed parts: OUI, type, 1247 * version, mcast cipher, and 2 selector counts. 1248 * Other, variable-length data, must be checked separately. 1249 */ 1250 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1251 IEEE80211_DISCARD_IE(vap, 1252 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1253 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1254 return IEEE80211_REASON_IE_INVALID; 1255 } 1256 if (len < 14) { 1257 IEEE80211_DISCARD_IE(vap, 1258 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1259 wh, "WPA", "too short, len %u", len); 1260 return IEEE80211_REASON_IE_INVALID; 1261 } 1262 frm += 6, len -= 4; /* NB: len is payload only */ 1263 /* NB: iswpaoui already validated the OUI and type */ 1264 w = LE_READ_2(frm); 1265 if (w != WPA_VERSION) { 1266 IEEE80211_DISCARD_IE(vap, 1267 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1268 wh, "WPA", "bad version %u", w); 1269 return IEEE80211_REASON_IE_INVALID; 1270 } 1271 frm += 2, len -= 2; 1272 1273 memset(rsn, 0, sizeof(*rsn)); 1274 1275 /* multicast/group cipher */ 1276 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1277 frm += 4, len -= 4; 1278 1279 /* unicast ciphers */ 1280 n = LE_READ_2(frm); 1281 frm += 2, len -= 2; 1282 if (len < n*4+2) { 1283 IEEE80211_DISCARD_IE(vap, 1284 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1285 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1286 len, n); 1287 return IEEE80211_REASON_IE_INVALID; 1288 } 1289 w = 0; 1290 for (; n > 0; n--) { 1291 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1292 frm += 4, len -= 4; 1293 } 1294 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1295 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1296 else 1297 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1298 1299 /* key management algorithms */ 1300 n = LE_READ_2(frm); 1301 frm += 2, len -= 2; 1302 if (len < n*4) { 1303 IEEE80211_DISCARD_IE(vap, 1304 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1305 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1306 len, n); 1307 return IEEE80211_REASON_IE_INVALID; 1308 } 1309 w = 0; 1310 for (; n > 0; n--) { 1311 w |= wpa_keymgmt(frm); 1312 frm += 4, len -= 4; 1313 } 1314 if (w & WPA_ASE_8021X_UNSPEC) 1315 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1316 else 1317 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1318 1319 if (len > 2) /* optional capabilities */ 1320 rsn->rsn_caps = LE_READ_2(frm); 1321 1322 return 0; 1323} 1324 1325/* 1326 * Convert an RSN cipher selector OUI to an internal 1327 * cipher algorithm. Where appropriate we also 1328 * record any key length. 1329 */ 1330static int 1331rsn_cipher(const uint8_t *sel, uint8_t *keylen) 1332{ 1333#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1334 uint32_t w = LE_READ_4(sel); 1335 1336 switch (w) { 1337 case RSN_SEL(RSN_CSE_NULL): 1338 return IEEE80211_CIPHER_NONE; 1339 case RSN_SEL(RSN_CSE_WEP40): 1340 if (keylen) 1341 *keylen = 40 / NBBY; 1342 return IEEE80211_CIPHER_WEP; 1343 case RSN_SEL(RSN_CSE_WEP104): 1344 if (keylen) 1345 *keylen = 104 / NBBY; 1346 return IEEE80211_CIPHER_WEP; 1347 case RSN_SEL(RSN_CSE_TKIP): 1348 return IEEE80211_CIPHER_TKIP; 1349 case RSN_SEL(RSN_CSE_CCMP): 1350 return IEEE80211_CIPHER_AES_CCM; 1351 case RSN_SEL(RSN_CSE_WRAP): 1352 return IEEE80211_CIPHER_AES_OCB; 1353 } 1354 return 32; /* NB: so 1<< is discarded */ 1355#undef WPA_SEL 1356} 1357 1358/* 1359 * Convert an RSN key management/authentication algorithm 1360 * to an internal code. 1361 */ 1362static int 1363rsn_keymgmt(const uint8_t *sel) 1364{ 1365#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1366 uint32_t w = LE_READ_4(sel); 1367 1368 switch (w) { 1369 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1370 return RSN_ASE_8021X_UNSPEC; 1371 case RSN_SEL(RSN_ASE_8021X_PSK): 1372 return RSN_ASE_8021X_PSK; 1373 case RSN_SEL(RSN_ASE_NONE): 1374 return RSN_ASE_NONE; 1375 } 1376 return 0; /* NB: so is discarded */ 1377#undef RSN_SEL 1378} 1379 1380/* 1381 * Parse a WPA/RSN information element to collect parameters 1382 * and validate the parameters against what has been 1383 * configured for the system. 1384 */ 1385static int 1386ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1387 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1388{ 1389 uint8_t len = frm[1]; 1390 uint32_t w; 1391 int n; 1392 1393 /* 1394 * Check the length once for fixed parts: 1395 * version, mcast cipher, and 2 selector counts. 1396 * Other, variable-length data, must be checked separately. 1397 */ 1398 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1399 IEEE80211_DISCARD_IE(vap, 1400 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1401 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1402 return IEEE80211_REASON_IE_INVALID; 1403 } 1404 if (len < 10) { 1405 IEEE80211_DISCARD_IE(vap, 1406 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1407 wh, "RSN", "too short, len %u", len); 1408 return IEEE80211_REASON_IE_INVALID; 1409 } 1410 frm += 2; 1411 w = LE_READ_2(frm); 1412 if (w != RSN_VERSION) { 1413 IEEE80211_DISCARD_IE(vap, 1414 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1415 wh, "RSN", "bad version %u", w); 1416 return IEEE80211_REASON_IE_INVALID; 1417 } 1418 frm += 2, len -= 2; 1419 1420 memset(rsn, 0, sizeof(*rsn)); 1421 1422 /* multicast/group cipher */ 1423 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1424 frm += 4, len -= 4; 1425 1426 /* unicast ciphers */ 1427 n = LE_READ_2(frm); 1428 frm += 2, len -= 2; 1429 if (len < n*4+2) { 1430 IEEE80211_DISCARD_IE(vap, 1431 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1432 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1433 len, n); 1434 return IEEE80211_REASON_IE_INVALID; 1435 } 1436 w = 0; 1437 for (; n > 0; n--) { 1438 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1439 frm += 4, len -= 4; 1440 } 1441 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1442 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1443 else 1444 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1445 1446 /* key management algorithms */ 1447 n = LE_READ_2(frm); 1448 frm += 2, len -= 2; 1449 if (len < n*4) { 1450 IEEE80211_DISCARD_IE(vap, 1451 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1452 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1453 len, n); 1454 return IEEE80211_REASON_IE_INVALID; 1455 } 1456 w = 0; 1457 for (; n > 0; n--) { 1458 w |= rsn_keymgmt(frm); 1459 frm += 4, len -= 4; 1460 } 1461 if (w & RSN_ASE_8021X_UNSPEC) 1462 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1463 else 1464 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1465 1466 /* optional RSN capabilities */ 1467 if (len > 2) 1468 rsn->rsn_caps = LE_READ_2(frm); 1469 /* XXXPMKID */ 1470 1471 return 0; 1472} 1473 1474/* 1475 * WPA/802.11i assocation request processing. 1476 */ 1477static int 1478wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1479 const struct ieee80211_frame *wh, const uint8_t *wpa, 1480 const uint8_t *rsn, uint16_t capinfo) 1481{ 1482 struct ieee80211vap *vap = ni->ni_vap; 1483 uint8_t reason; 1484 int badwparsn; 1485 1486 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1487 if (wpa == NULL && rsn == NULL) { 1488 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1489 /* 1490 * W-Fi Protected Setup (WPS) permits 1491 * clients to associate and pass EAPOL frames 1492 * to establish initial credentials. 1493 */ 1494 ni->ni_flags |= IEEE80211_NODE_WPS; 1495 return 1; 1496 } 1497 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1498 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1499 /* 1500 * Transitional Security Network. Permits clients 1501 * to associate and use WEP while WPA is configured. 1502 */ 1503 ni->ni_flags |= IEEE80211_NODE_TSN; 1504 return 1; 1505 } 1506 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1507 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1508 vap->iv_stats.is_rx_assoc_badwpaie++; 1509 reason = IEEE80211_REASON_IE_INVALID; 1510 goto bad; 1511 } 1512 /* assert right association security credentials */ 1513 badwparsn = 0; /* NB: to silence compiler */ 1514 switch (vap->iv_flags & IEEE80211_F_WPA) { 1515 case IEEE80211_F_WPA1: 1516 badwparsn = (wpa == NULL); 1517 break; 1518 case IEEE80211_F_WPA2: 1519 badwparsn = (rsn == NULL); 1520 break; 1521 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1522 badwparsn = (wpa == NULL && rsn == NULL); 1523 break; 1524 } 1525 if (badwparsn) { 1526 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1527 wh, NULL, 1528 "%s", "missing WPA/RSN IE in association request"); 1529 vap->iv_stats.is_rx_assoc_badwpaie++; 1530 reason = IEEE80211_REASON_IE_INVALID; 1531 goto bad; 1532 } 1533 /* 1534 * Parse WPA/RSN information element. 1535 */ 1536 if (wpa != NULL) 1537 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1538 else 1539 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1540 if (reason != 0) { 1541 /* XXX distinguish WPA/RSN? */ 1542 vap->iv_stats.is_rx_assoc_badwpaie++; 1543 goto bad; 1544 } 1545 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1546 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1547 wpa != NULL ? "WPA" : "RSN", 1548 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1549 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1550 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1551 1552 return 1; 1553bad: 1554 ieee80211_node_deauth(ni, reason); 1555 return 0; 1556} 1557 1558/* XXX find a better place for definition */ 1559struct l2_update_frame { 1560 struct ether_header eh; 1561 uint8_t dsap; 1562 uint8_t ssap; 1563 uint8_t control; 1564 uint8_t xid[3]; 1565} __packed; 1566 1567/* 1568 * Deliver a TGf L2UF frame on behalf of a station. 1569 * This primes any bridge when the station is roaming 1570 * between ap's on the same wired network. 1571 */ 1572static void 1573ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1574{ 1575 struct ieee80211vap *vap = ni->ni_vap; 1576 struct ifnet *ifp = vap->iv_ifp; 1577 struct mbuf *m; 1578 struct l2_update_frame *l2uf; 1579 struct ether_header *eh; 1580 1581 m = m_gethdr(M_NOWAIT, MT_DATA); 1582 if (m == NULL) { 1583 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1584 "%s", "no mbuf for l2uf frame"); 1585 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1586 return; 1587 } 1588 l2uf = mtod(m, struct l2_update_frame *); 1589 eh = &l2uf->eh; 1590 /* dst: Broadcast address */ 1591 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1592 /* src: associated STA */ 1593 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1594 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1595 1596 l2uf->dsap = 0; 1597 l2uf->ssap = 0; 1598 l2uf->control = 0xf5; 1599 l2uf->xid[0] = 0x81; 1600 l2uf->xid[1] = 0x80; 1601 l2uf->xid[2] = 0x00; 1602 1603 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1604 hostap_deliver_data(vap, ni, m); 1605} 1606 1607static void 1608ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1609 int reassoc, int resp, const char *tag, int rate) 1610{ 1611 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1612 "deny %s request, %s rate set mismatch, rate/MCS %d", 1613 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1614 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1615 ieee80211_node_leave(ni); 1616} 1617 1618static void 1619capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1620 int reassoc, int resp, const char *tag, int capinfo) 1621{ 1622 struct ieee80211vap *vap = ni->ni_vap; 1623 1624 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1625 "deny %s request, %s mismatch 0x%x", 1626 reassoc ? "reassoc" : "assoc", tag, capinfo); 1627 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1628 ieee80211_node_leave(ni); 1629 vap->iv_stats.is_rx_assoc_capmismatch++; 1630} 1631 1632static void 1633htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1634 int reassoc, int resp) 1635{ 1636 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1637 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1638 /* XXX no better code */ 1639 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1640 ieee80211_node_leave(ni); 1641} 1642 1643static void 1644authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1645 int algo, int seq, int status) 1646{ 1647 struct ieee80211vap *vap = ni->ni_vap; 1648 1649 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1650 wh, NULL, "unsupported alg %d", algo); 1651 vap->iv_stats.is_rx_auth_unsupported++; 1652 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1653 seq | (status << 16)); 1654} 1655 1656static __inline int 1657ishtmixed(const uint8_t *ie) 1658{ 1659 const struct ieee80211_ie_htinfo *ht = 1660 (const struct ieee80211_ie_htinfo *) ie; 1661 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1662 IEEE80211_HTINFO_OPMODE_MIXED; 1663} 1664 1665static int 1666is11bclient(const uint8_t *rates, const uint8_t *xrates) 1667{ 1668 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1669 int i; 1670 1671 /* NB: the 11b clients we care about will not have xrates */ 1672 if (xrates != NULL || rates == NULL) 1673 return 0; 1674 for (i = 0; i < rates[1]; i++) { 1675 int r = rates[2+i] & IEEE80211_RATE_VAL; 1676 if (r > 2*11 || ((1<<r) & brates) == 0) 1677 return 0; 1678 } 1679 return 1; 1680} 1681 1682static void 1683hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1684 int subtype, int rssi, int nf) 1685{ 1686 struct ieee80211vap *vap = ni->ni_vap; 1687 struct ieee80211com *ic = ni->ni_ic; 1688 struct ieee80211_frame *wh; 1689 uint8_t *frm, *efrm, *sfrm; 1690 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1691 int reassoc, resp; 1692 uint8_t rate; 1693 1694 wh = mtod(m0, struct ieee80211_frame *); 1695 frm = (uint8_t *)&wh[1]; 1696 efrm = mtod(m0, uint8_t *) + m0->m_len; 1697 switch (subtype) { 1698 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1699 case IEEE80211_FC0_SUBTYPE_BEACON: { 1700 struct ieee80211_scanparams scan; 1701 /* 1702 * We process beacon/probe response frames when scanning; 1703 * otherwise we check beacon frames for overlapping non-ERP 1704 * BSS in 11g and/or overlapping legacy BSS when in HT. 1705 */ 1706 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 && 1707 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 1708 vap->iv_stats.is_rx_mgtdiscard++; 1709 return; 1710 } 1711 /* NB: accept off-channel frames */ 1712 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1713 return; 1714 /* 1715 * Count frame now that we know it's to be processed. 1716 */ 1717 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1718 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1719 IEEE80211_NODE_STAT(ni, rx_beacons); 1720 } else 1721 IEEE80211_NODE_STAT(ni, rx_proberesp); 1722 /* 1723 * If scanning, just pass information to the scan module. 1724 */ 1725 if (ic->ic_flags & IEEE80211_F_SCAN) { 1726 if (scan.status == 0 && /* NB: on channel */ 1727 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1728 /* 1729 * Actively scanning a channel marked passive; 1730 * send a probe request now that we know there 1731 * is 802.11 traffic present. 1732 * 1733 * XXX check if the beacon we recv'd gives 1734 * us what we need and suppress the probe req 1735 */ 1736 ieee80211_probe_curchan(vap, 1); 1737 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1738 } 1739 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1740 subtype, rssi, nf); 1741 return; 1742 } 1743 /* 1744 * Check beacon for overlapping bss w/ non ERP stations. 1745 * If we detect one and protection is configured but not 1746 * enabled, enable it and start a timer that'll bring us 1747 * out if we stop seeing the bss. 1748 */ 1749 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1750 scan.status == 0 && /* NB: on-channel */ 1751 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1752 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1753 ic->ic_lastnonerp = ticks; 1754 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1755 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1756 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1757 IEEE80211_NOTE_FRAME(vap, 1758 IEEE80211_MSG_ASSOC, wh, 1759 "non-ERP present on channel %d " 1760 "(saw erp 0x%x from channel %d), " 1761 "enable use of protection", 1762 ic->ic_curchan->ic_ieee, 1763 scan.erp, scan.chan); 1764 ic->ic_flags |= IEEE80211_F_USEPROT; 1765 ieee80211_notify_erp(ic); 1766 } 1767 } 1768 /* 1769 * Check beacon for non-HT station on HT channel 1770 * and update HT BSS occupancy as appropriate. 1771 */ 1772 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1773 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1774 /* 1775 * Off control channel; only check frames 1776 * that come in the extension channel when 1777 * operating w/ HT40. 1778 */ 1779 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1780 break; 1781 if (scan.chan != ic->ic_curchan->ic_extieee) 1782 break; 1783 } 1784 if (scan.htinfo == NULL) { 1785 ieee80211_htprot_update(ic, 1786 IEEE80211_HTINFO_OPMODE_PROTOPT | 1787 IEEE80211_HTINFO_NONHT_PRESENT); 1788 } else if (ishtmixed(scan.htinfo)) { 1789 /* XXX? take NONHT_PRESENT from beacon? */ 1790 ieee80211_htprot_update(ic, 1791 IEEE80211_HTINFO_OPMODE_MIXED | 1792 IEEE80211_HTINFO_NONHT_PRESENT); 1793 } 1794 } 1795 break; 1796 } 1797 1798 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1799 if (vap->iv_state != IEEE80211_S_RUN) { 1800 vap->iv_stats.is_rx_mgtdiscard++; 1801 return; 1802 } 1803 /* 1804 * Consult the ACL policy module if setup. 1805 */ 1806 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1807 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1808 wh, NULL, "%s", "disallowed by ACL"); 1809 vap->iv_stats.is_rx_acl++; 1810 return; 1811 } 1812 /* 1813 * prreq frame format 1814 * [tlv] ssid 1815 * [tlv] supported rates 1816 * [tlv] extended supported rates 1817 */ 1818 ssid = rates = xrates = NULL; 1819 sfrm = frm; 1820 while (efrm - frm > 1) { 1821 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1822 switch (*frm) { 1823 case IEEE80211_ELEMID_SSID: 1824 ssid = frm; 1825 break; 1826 case IEEE80211_ELEMID_RATES: 1827 rates = frm; 1828 break; 1829 case IEEE80211_ELEMID_XRATES: 1830 xrates = frm; 1831 break; 1832 } 1833 frm += frm[1] + 2; 1834 } 1835 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1836 if (xrates != NULL) 1837 IEEE80211_VERIFY_ELEMENT(xrates, 1838 IEEE80211_RATE_MAXSIZE - rates[1], return); 1839 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1840 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1841 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1842 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1843 wh, NULL, 1844 "%s", "no ssid with ssid suppression enabled"); 1845 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1846 return; 1847 } 1848 1849 /* XXX find a better class or define it's own */ 1850 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1851 "%s", "recv probe req"); 1852 /* 1853 * Some legacy 11b clients cannot hack a complete 1854 * probe response frame. When the request includes 1855 * only a bare-bones rate set, communicate this to 1856 * the transmit side. 1857 */ 1858 ieee80211_send_proberesp(vap, wh->i_addr2, 1859 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1860 break; 1861 1862 case IEEE80211_FC0_SUBTYPE_AUTH: { 1863 uint16_t algo, seq, status; 1864 1865 if (vap->iv_state != IEEE80211_S_RUN) { 1866 vap->iv_stats.is_rx_mgtdiscard++; 1867 return; 1868 } 1869 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1870 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1871 wh, NULL, "%s", "wrong bssid"); 1872 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1873 return; 1874 } 1875 /* 1876 * auth frame format 1877 * [2] algorithm 1878 * [2] sequence 1879 * [2] status 1880 * [tlv*] challenge 1881 */ 1882 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1883 algo = le16toh(*(uint16_t *)frm); 1884 seq = le16toh(*(uint16_t *)(frm + 2)); 1885 status = le16toh(*(uint16_t *)(frm + 4)); 1886 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1887 "recv auth frame with algorithm %d seq %d", algo, seq); 1888 /* 1889 * Consult the ACL policy module if setup. 1890 */ 1891 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1892 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1893 wh, NULL, "%s", "disallowed by ACL"); 1894 vap->iv_stats.is_rx_acl++; 1895 ieee80211_send_error(ni, wh->i_addr2, 1896 IEEE80211_FC0_SUBTYPE_AUTH, 1897 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1898 return; 1899 } 1900 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1901 IEEE80211_DISCARD(vap, 1902 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1903 wh, NULL, "%s", "TKIP countermeasures enabled"); 1904 vap->iv_stats.is_rx_auth_countermeasures++; 1905 ieee80211_send_error(ni, wh->i_addr2, 1906 IEEE80211_FC0_SUBTYPE_AUTH, 1907 IEEE80211_REASON_MIC_FAILURE); 1908 return; 1909 } 1910 if (algo == IEEE80211_AUTH_ALG_SHARED) 1911 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1912 seq, status); 1913 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1914 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1915 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1916 authalgreject(ni, wh, algo, 1917 seq+1, IEEE80211_STATUS_ALG); 1918 return; 1919 } else { 1920 /* 1921 * We assume that an unknown algorithm is the result 1922 * of a decryption failure on a shared key auth frame; 1923 * return a status code appropriate for that instead 1924 * of IEEE80211_STATUS_ALG. 1925 * 1926 * NB: a seq# of 4 is intentional; the decrypted 1927 * frame likely has a bogus seq value. 1928 */ 1929 authalgreject(ni, wh, algo, 1930 4, IEEE80211_STATUS_CHALLENGE); 1931 return; 1932 } 1933 break; 1934 } 1935 1936 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1937 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1938 uint16_t capinfo, lintval; 1939 struct ieee80211_rsnparms rsnparms; 1940 1941 if (vap->iv_state != IEEE80211_S_RUN) { 1942 vap->iv_stats.is_rx_mgtdiscard++; 1943 return; 1944 } 1945 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1946 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1947 wh, NULL, "%s", "wrong bssid"); 1948 vap->iv_stats.is_rx_assoc_bss++; 1949 return; 1950 } 1951 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1952 reassoc = 1; 1953 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1954 } else { 1955 reassoc = 0; 1956 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1957 } 1958 if (ni == vap->iv_bss) { 1959 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1960 "deny %s request, sta not authenticated", 1961 reassoc ? "reassoc" : "assoc"); 1962 ieee80211_send_error(ni, wh->i_addr2, 1963 IEEE80211_FC0_SUBTYPE_DEAUTH, 1964 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1965 vap->iv_stats.is_rx_assoc_notauth++; 1966 return; 1967 } 1968 1969 /* 1970 * asreq frame format 1971 * [2] capability information 1972 * [2] listen interval 1973 * [6*] current AP address (reassoc only) 1974 * [tlv] ssid 1975 * [tlv] supported rates 1976 * [tlv] extended supported rates 1977 * [tlv] WPA or RSN 1978 * [tlv] HT capabilities 1979 * [tlv] Atheros capabilities 1980 */ 1981 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1982 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1983 lintval = le16toh(*(uint16_t *)frm); frm += 2; 1984 if (reassoc) 1985 frm += 6; /* ignore current AP info */ 1986 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1987 sfrm = frm; 1988 while (efrm - frm > 1) { 1989 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1990 switch (*frm) { 1991 case IEEE80211_ELEMID_SSID: 1992 ssid = frm; 1993 break; 1994 case IEEE80211_ELEMID_RATES: 1995 rates = frm; 1996 break; 1997 case IEEE80211_ELEMID_XRATES: 1998 xrates = frm; 1999 break; 2000 case IEEE80211_ELEMID_RSN: 2001 rsn = frm; 2002 break; 2003 case IEEE80211_ELEMID_HTCAP: 2004 htcap = frm; 2005 break; 2006 case IEEE80211_ELEMID_VENDOR: 2007 if (iswpaoui(frm)) 2008 wpa = frm; 2009 else if (iswmeinfo(frm)) 2010 wme = frm; 2011#ifdef IEEE80211_SUPPORT_SUPERG 2012 else if (isatherosoui(frm)) 2013 ath = frm; 2014#endif 2015 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2016 if (ishtcapoui(frm) && htcap == NULL) 2017 htcap = frm; 2018 } 2019 break; 2020 } 2021 frm += frm[1] + 2; 2022 } 2023 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2024 if (xrates != NULL) 2025 IEEE80211_VERIFY_ELEMENT(xrates, 2026 IEEE80211_RATE_MAXSIZE - rates[1], return); 2027 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2028 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2029 if (htcap != NULL) { 2030 IEEE80211_VERIFY_LENGTH(htcap[1], 2031 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2032 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2033 sizeof(struct ieee80211_ie_htcap)-2, 2034 return); /* XXX just NULL out? */ 2035 } 2036 2037 if ((vap->iv_flags & IEEE80211_F_WPA) && 2038 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2039 return; 2040 /* discard challenge after association */ 2041 if (ni->ni_challenge != NULL) { 2042 free(ni->ni_challenge, M_80211_NODE); 2043 ni->ni_challenge = NULL; 2044 } 2045 /* NB: 802.11 spec says to ignore station's privacy bit */ 2046 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2047 capinfomismatch(ni, wh, reassoc, resp, 2048 "capability", capinfo); 2049 return; 2050 } 2051 /* 2052 * Disallow re-associate w/ invalid slot time setting. 2053 */ 2054 if (ni->ni_associd != 0 && 2055 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2056 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2057 capinfomismatch(ni, wh, reassoc, resp, 2058 "slot time", capinfo); 2059 return; 2060 } 2061 rate = ieee80211_setup_rates(ni, rates, xrates, 2062 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2063 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2064 if (rate & IEEE80211_RATE_BASIC) { 2065 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2066 vap->iv_stats.is_rx_assoc_norate++; 2067 return; 2068 } 2069 /* 2070 * If constrained to 11g-only stations reject an 2071 * 11b-only station. We cheat a bit here by looking 2072 * at the max negotiated xmit rate and assuming anyone 2073 * with a best rate <24Mb/s is an 11b station. 2074 */ 2075 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2076 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2077 vap->iv_stats.is_rx_assoc_norate++; 2078 return; 2079 } 2080 /* 2081 * Do HT rate set handling and setup HT node state. 2082 */ 2083 ni->ni_chan = vap->iv_bss->ni_chan; 2084 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2085 rate = ieee80211_setup_htrates(ni, htcap, 2086 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2087 IEEE80211_F_DOBRS); 2088 if (rate & IEEE80211_RATE_BASIC) { 2089 ratesetmismatch(ni, wh, reassoc, resp, 2090 "HT", rate); 2091 vap->iv_stats.is_ht_assoc_norate++; 2092 return; 2093 } 2094 ieee80211_ht_node_init(ni); 2095 ieee80211_ht_updatehtcap(ni, htcap); 2096 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2097 ieee80211_ht_node_cleanup(ni); 2098#ifdef IEEE80211_SUPPORT_SUPERG 2099 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH) 2100 ieee80211_ff_node_cleanup(ni); 2101#endif 2102 /* 2103 * Allow AMPDU operation only with unencrypted traffic 2104 * or AES-CCM; the 11n spec only specifies these ciphers 2105 * so permitting any others is undefined and can lead 2106 * to interoperability problems. 2107 */ 2108 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2109 (((vap->iv_flags & IEEE80211_F_WPA) && 2110 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2111 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2112 IEEE80211_NOTE(vap, 2113 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2114 "disallow HT use because WEP or TKIP requested, " 2115 "capinfo 0x%x ucastcipher %d", capinfo, 2116 rsnparms.rsn_ucastcipher); 2117 ieee80211_ht_node_cleanup(ni); 2118 vap->iv_stats.is_ht_assoc_downgrade++; 2119 } 2120 /* 2121 * If constrained to 11n-only stations reject legacy stations. 2122 */ 2123 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2124 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2125 htcapmismatch(ni, wh, reassoc, resp); 2126 vap->iv_stats.is_ht_assoc_nohtcap++; 2127 return; 2128 } 2129 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2130 ni->ni_noise = nf; 2131 ni->ni_intval = lintval; 2132 ni->ni_capinfo = capinfo; 2133 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2134 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2135 /* 2136 * Store the IEs. 2137 * XXX maybe better to just expand 2138 */ 2139 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2140#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2141 if (wpa != NULL) 2142 setie(wpa_ie, wpa - sfrm); 2143 if (rsn != NULL) 2144 setie(rsn_ie, rsn - sfrm); 2145 if (htcap != NULL) 2146 setie(htcap_ie, htcap - sfrm); 2147 if (wme != NULL) { 2148 setie(wme_ie, wme - sfrm); 2149 /* 2150 * Mark node as capable of QoS. 2151 */ 2152 ni->ni_flags |= IEEE80211_NODE_QOS; 2153 } else 2154 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2155#ifdef IEEE80211_SUPPORT_SUPERG 2156 if (ath != NULL) { 2157 setie(ath_ie, ath - sfrm); 2158 /* 2159 * Parse ATH station parameters. 2160 */ 2161 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2162 } else 2163#endif 2164 ni->ni_ath_flags = 0; 2165#undef setie 2166 } else { 2167 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2168 ni->ni_ath_flags = 0; 2169 } 2170 ieee80211_node_join(ni, resp); 2171 ieee80211_deliver_l2uf(ni); 2172 break; 2173 } 2174 2175 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2176 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2177 uint16_t reason; 2178 2179 if (vap->iv_state != IEEE80211_S_RUN || 2180 /* NB: can happen when in promiscuous mode */ 2181 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2182 vap->iv_stats.is_rx_mgtdiscard++; 2183 break; 2184 } 2185 /* 2186 * deauth/disassoc frame format 2187 * [2] reason 2188 */ 2189 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2190 reason = le16toh(*(uint16_t *)frm); 2191 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2192 vap->iv_stats.is_rx_deauth++; 2193 IEEE80211_NODE_STAT(ni, rx_deauth); 2194 } else { 2195 vap->iv_stats.is_rx_disassoc++; 2196 IEEE80211_NODE_STAT(ni, rx_disassoc); 2197 } 2198 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2199 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >> 2200 IEEE80211_FC0_SUBTYPE_SHIFT], reason); 2201 if (ni != vap->iv_bss) 2202 ieee80211_node_leave(ni); 2203 break; 2204 } 2205 2206 case IEEE80211_FC0_SUBTYPE_ACTION: 2207 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2208 if (ni == vap->iv_bss) { 2209 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2210 wh, NULL, "%s", "unknown node"); 2211 vap->iv_stats.is_rx_mgtdiscard++; 2212 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2213 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2214 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2215 wh, NULL, "%s", "not for us"); 2216 vap->iv_stats.is_rx_mgtdiscard++; 2217 } else if (vap->iv_state != IEEE80211_S_RUN) { 2218 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2219 wh, NULL, "wrong state %s", 2220 ieee80211_state_name[vap->iv_state]); 2221 vap->iv_stats.is_rx_mgtdiscard++; 2222 } else { 2223 if (ieee80211_parse_action(ni, m0) == 0) 2224 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2225 } 2226 break; 2227 2228 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2229 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2230 case IEEE80211_FC0_SUBTYPE_ATIM: 2231 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2232 wh, NULL, "%s", "not handled"); 2233 vap->iv_stats.is_rx_mgtdiscard++; 2234 break; 2235 2236 default: 2237 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2238 wh, "mgt", "subtype 0x%x not handled", subtype); 2239 vap->iv_stats.is_rx_badsubtype++; 2240 break; 2241 } 2242} 2243 2244static void 2245hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2246{ 2247 switch (subtype) { 2248 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2249 ni->ni_vap->iv_recv_pspoll(ni, m); 2250 break; 2251 case IEEE80211_FC0_SUBTYPE_BAR: 2252 ieee80211_recv_bar(ni, m); 2253 break; 2254 } 2255} 2256 2257/* 2258 * Process a received ps-poll frame. 2259 */ 2260void 2261ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2262{ 2263 struct ieee80211vap *vap = ni->ni_vap; 2264 struct ieee80211com *ic = vap->iv_ic; 2265 struct ieee80211_frame_min *wh; 2266 struct mbuf *m; 2267 uint16_t aid; 2268 int qlen; 2269 2270 wh = mtod(m0, struct ieee80211_frame_min *); 2271 if (ni->ni_associd == 0) { 2272 IEEE80211_DISCARD(vap, 2273 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2274 (struct ieee80211_frame *) wh, NULL, 2275 "%s", "unassociated station"); 2276 vap->iv_stats.is_ps_unassoc++; 2277 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2278 IEEE80211_REASON_NOT_ASSOCED); 2279 return; 2280 } 2281 2282 aid = le16toh(*(uint16_t *)wh->i_dur); 2283 if (aid != ni->ni_associd) { 2284 IEEE80211_DISCARD(vap, 2285 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2286 (struct ieee80211_frame *) wh, NULL, 2287 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2288 ni->ni_associd, aid); 2289 vap->iv_stats.is_ps_badaid++; 2290 /* 2291 * NB: We used to deauth the station but it turns out 2292 * the Blackberry Curve 8230 (and perhaps other devices) 2293 * sometimes send the wrong AID when WME is negotiated. 2294 * Being more lenient here seems ok as we already check 2295 * the station is associated and we only return frames 2296 * queued for the station (i.e. we don't use the AID). 2297 */ 2298 return; 2299 } 2300 2301 /* Okay, take the first queued packet and put it out... */ 2302 m = ieee80211_node_psq_dequeue(ni, &qlen); 2303 if (m == NULL) { 2304 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2305 "%s", "recv ps-poll, but queue empty"); 2306 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2307 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2308 if (vap->iv_set_tim != NULL) 2309 vap->iv_set_tim(ni, 0); /* just in case */ 2310 return; 2311 } 2312 /* 2313 * If there are more packets, set the more packets bit 2314 * in the packet dispatched to the station; otherwise 2315 * turn off the TIM bit. 2316 */ 2317 if (qlen != 0) { 2318 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2319 "recv ps-poll, send packet, %u still queued", qlen); 2320 m->m_flags |= M_MORE_DATA; 2321 } else { 2322 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2323 "%s", "recv ps-poll, send packet, queue empty"); 2324 if (vap->iv_set_tim != NULL) 2325 vap->iv_set_tim(ni, 0); 2326 } 2327 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2328 2329 /* 2330 * Do the right thing; if it's an encap'ed frame then 2331 * call ieee80211_parent_xmitpkt() (and free the ref) else 2332 * call ieee80211_vap_xmitpkt(). 2333 */ 2334 if (m->m_flags & M_ENCAP) { 2335 if (ieee80211_parent_xmitpkt(ic, m) != 0) 2336 ieee80211_free_node(ni); 2337 } else { 2338 (void) ieee80211_vap_xmitpkt(vap, m); 2339 } 2340}
|