Cross Reference: /freebsd-11.0-release/sys/net80211/ieee80211_hostap.c

Deleted Added

sdiff udiff text old ( 282742 ) new ( 282820 )

full compact

ieee80211_hostap.c (282742)	ieee80211_hostap.c (282820)
1/- 2 Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__	1/- 2 Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__
28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_hostap.c 282742 2015-05-10 22:07:53Z adrian $");	28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_hostap.c 282820 2015-05-12 16:55:50Z adrian $");
29#endif 30 31/* 32 * IEEE 802.11 HOSTAP mode support. 33 / 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_var.h> 52#include <net/if_media.h> 53#include <net/if_llc.h> 54#include <net/ethernet.h> 55 56#include <net/bpf.h> 57 58#include <net80211/ieee80211_var.h> 59#include <net80211/ieee80211_hostap.h> 60#include <net80211/ieee80211_input.h> 61#ifdef IEEE80211_SUPPORT_SUPERG 62#include <net80211/ieee80211_superg.h> 63#endif 64#include <net80211/ieee80211_wds.h> 65 66#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68static void hostap_vattach(struct ieee80211vap ); 69static int hostap_newstate(struct ieee80211vap , enum ieee80211_state, int); 70static int hostap_input(struct ieee80211_node ni, struct mbuf m, 71 int rssi, int nf); 72static void hostap_deliver_data(struct ieee80211vap , 73 struct ieee80211_node , struct mbuf ); 74static void hostap_recv_mgmt(struct ieee80211_node , struct mbuf , 75 int subtype, int rssi, int nf); 76static void hostap_recv_ctl(struct ieee80211_node , struct mbuf , int); 77 78void 79ieee80211_hostap_attach(struct ieee80211com ic) 80{ 81 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 82} 83 84void 85ieee80211_hostap_detach(struct ieee80211com ic) 86{ 87} 88 89static void 90hostap_vdetach(struct ieee80211vap vap) 91{ 92} 93 94static void 95hostap_vattach(struct ieee80211vap vap) 96{ 97 vap->iv_newstate = hostap_newstate; 98 vap->iv_input = hostap_input; 99 vap->iv_recv_mgmt = hostap_recv_mgmt; 100 vap->iv_recv_ctl = hostap_recv_ctl; 101 vap->iv_opdetach = hostap_vdetach; 102 vap->iv_deliver_data = hostap_deliver_data; 103 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 104} 105 106static void 107sta_disassoc(void arg, struct ieee80211_node ni) 108{ 109 struct ieee80211vap vap = arg; 110* 111 if (ni->ni_vap == vap && ni->ni_associd != 0) { 112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 113 IEEE80211_REASON_ASSOC_LEAVE); 114 ieee80211_node_leave(ni); 115 } 116} 117 118static void 119sta_csa(void arg, struct ieee80211_node ni) 120{ 121 struct ieee80211vap vap = arg; 122* 123 if (ni->ni_vap == vap && ni->ni_associd != 0) 124 if (ni->ni_inact > vap->iv_inact_init) { 125 ni->ni_inact = vap->iv_inact_init; 126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 127 "%s: inact %u", __func__, ni->ni_inact); 128 } 129} 130 131static void 132sta_drop(void arg, struct ieee80211_node ni) 133{ 134 struct ieee80211vap vap = arg; 135* 136 if (ni->ni_vap == vap && ni->ni_associd != 0) 137 ieee80211_node_leave(ni); 138} 139 140/* 141 * Does a channel change require associated stations to re-associate 142 * so protocol state is correct. This is used when doing CSA across 143 * bands or similar (e.g. HT -> legacy). 144 / 145static int 146isbandchange(struct ieee80211com ic) 147{ 148 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 149 (IEEE80211_CHAN_2GHZ \| IEEE80211_CHAN_5GHZ \| IEEE80211_CHAN_HALF \| 150 IEEE80211_CHAN_QUARTER \| IEEE80211_CHAN_HT)) != 0; 151} 152 153/* 154 * IEEE80211_M_HOSTAP vap state machine handler. 155 / 156static int 157hostap_newstate(struct ieee80211vap vap, enum ieee80211_state nstate, int arg) 158{ 159 struct ieee80211com ic = vap->iv_ic; 160* enum ieee80211_state ostate; 161 162 IEEE80211_LOCK_ASSERT(ic); 163 164 ostate = vap->iv_state; 165 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 166 __func__, ieee80211_state_name[ostate], 167 ieee80211_state_name[nstate], arg); 168 vap->iv_state = nstate; /* state transition / 169* if (ostate != IEEE80211_S_SCAN) 170 ieee80211_cancel_scan(vap); /* background scan / 171* switch (nstate) { 172 case IEEE80211_S_INIT: 173 switch (ostate) { 174 case IEEE80211_S_SCAN: 175 ieee80211_cancel_scan(vap); 176 break; 177 case IEEE80211_S_CAC: 178 ieee80211_dfs_cac_stop(vap); 179 break; 180 case IEEE80211_S_RUN: 181 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 182 break; 183 default: 184 break; 185 } 186 if (ostate != IEEE80211_S_INIT) { 187 /* NB: optimize INIT -> INIT case / 188* ieee80211_reset_bss(vap); 189 } 190 if (vap->iv_auth->ia_detach != NULL) 191 vap->iv_auth->ia_detach(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 switch (ostate) { 195 case IEEE80211_S_CSA: 196 case IEEE80211_S_RUN: 197 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 198 /* 199 * Clear overlapping BSS state; the beacon frame 200 * will be reconstructed on transition to the RUN 201 * state and the timeout routines check if the flag 202 * is set before doing anything so this is sufficient. 203 / 204* ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 205 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 206 /* fall thru... / 207* case IEEE80211_S_CAC: 208 /* 209 * NB: We may get here because of a manual channel 210 * change in which case we need to stop CAC 211 * XXX no need to stop if ostate RUN but it's ok 212 / 213* ieee80211_dfs_cac_stop(vap); 214 /* fall thru... / 215* case IEEE80211_S_INIT: 216 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 217 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * ieee80211_create_ibss will call back to 222 * move us to RUN state. 223 / 224* ieee80211_create_ibss(vap, vap->iv_des_chan); 225 break; 226 } 227 /* 228 * Initiate a scan. We can come here as a result 229 * of an IEEE80211_IOC_SCAN_REQ too in which case 230 * the vap will be marked with IEEE80211_FEXT_SCANREQ 231 * and the scan request parameters will be present 232 * in iv_scanreq. Otherwise we do the default. 233 / 234* if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 235 ieee80211_check_scan(vap, 236 vap->iv_scanreq_flags, 237 vap->iv_scanreq_duration, 238 vap->iv_scanreq_mindwell, 239 vap->iv_scanreq_maxdwell, 240 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 241 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 242 } else 243 ieee80211_check_scan_current(vap); 244 break; 245 case IEEE80211_S_SCAN: 246 /* 247 * A state change requires a reset; scan. 248 / 249* ieee80211_check_scan_current(vap); 250 break; 251 default: 252 break; 253 } 254 break; 255 case IEEE80211_S_CAC: 256 /* 257 * Start CAC on a DFS channel. We come here when starting 258 * a bss on a DFS channel (see ieee80211_create_ibss). 259 / 260* ieee80211_dfs_cac_start(vap); 261 break; 262 case IEEE80211_S_RUN: 263 if (vap->iv_flags & IEEE80211_F_WPA) { 264 /* XXX validate prerequisites / 265* } 266 switch (ostate) { 267 case IEEE80211_S_INIT: 268 /* 269 * Already have a channel; bypass the 270 * scan and startup immediately. 271 * Note that ieee80211_create_ibss will call 272 * back to do a RUN->RUN state change. 273 / 274* ieee80211_create_ibss(vap, 275 ieee80211_ht_adjust_channel(ic, 276 ic->ic_curchan, vap->iv_flags_ht)); 277 /* NB: iv_bss is changed on return / 278* break; 279 case IEEE80211_S_CAC: 280 /* 281 * NB: This is the normal state change when CAC 282 * expires and no radar was detected; no need to 283 * clear the CAC timer as it's already expired. 284 / 285* /* fall thru... / 286* case IEEE80211_S_CSA: 287 /* 288 * Shorten inactivity timer of associated stations 289 * to weed out sta's that don't follow a CSA. 290 / 291* ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap); 292 /* 293 * Update bss node channel to reflect where 294 * we landed after CSA. 295 / 296* ieee80211_node_set_chan(vap->iv_bss, 297 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 298 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 299 /* XXX bypass debug msgs / 300* break; 301 case IEEE80211_S_SCAN: 302 case IEEE80211_S_RUN: 303#ifdef IEEE80211_DEBUG 304 if (ieee80211_msg_debug(vap)) { 305 struct ieee80211_node ni = vap->iv_bss; 306* ieee80211_note(vap, 307 "synchronized with %s ssid ", 308 ether_sprintf(ni->ni_bssid)); 309 ieee80211_print_essid(ni->ni_essid, 310 ni->ni_esslen); 311 /* XXX MCS/HT / 312* printf(" channel %d start %uMb\n", 313 ieee80211_chan2ieee(ic, ic->ic_curchan), 314 IEEE80211_RATE2MBS(ni->ni_txrate)); 315 } 316#endif 317 break; 318 default: 319 break; 320 } 321 /* 322 * Start/stop the authenticator. We delay until here 323 * to allow configuration to happen out of order. 324 / 325* if (vap->iv_auth->ia_attach != NULL) { 326 /* XXX check failure / 327* vap->iv_auth->ia_attach(vap); 328 } else if (vap->iv_auth->ia_detach != NULL) { 329 vap->iv_auth->ia_detach(vap); 330 } 331 ieee80211_node_authorize(vap->iv_bss); 332 break; 333 case IEEE80211_S_CSA: 334 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 335 /* 336 * On a ``band change'' silently drop associated 337 * stations as they must re-associate before they 338 * can pass traffic (as otherwise protocol state 339 * such as capabilities and the negotiated rate 340 * set may/will be wrong). 341 / 342* ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap); 343 } 344 break; 345 default: 346 break; 347 } 348 return 0; 349} 350 351static void 352hostap_deliver_data(struct ieee80211vap vap, 353* struct ieee80211_node ni, struct mbuf m) 354{ 355 struct ether_header eh = mtod(m, struct ether_header ); 356 struct ifnet ifp = vap->iv_ifp; 357* 358 /* clear driver/net80211 flags before passing up / 359#if __FreeBSD_version >= 1000046 360* m->m_flags &= ~(M_MCAST \| M_BCAST); 361 m_clrprotoflags(m); 362#else 363 m->m_flags &= ~(M_80211_RX \| M_MCAST \| M_BCAST); 364#endif 365 366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 367 ("gack, opmode %d", vap->iv_opmode)); 368 /* 369 * Do accounting. 370 / 371* if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 372 IEEE80211_NODE_STAT(ni, rx_data); 373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 375 m->m_flags \|= M_MCAST; /* XXX M_BCAST? / 376* IEEE80211_NODE_STAT(ni, rx_mcast); 377 } else 378 IEEE80211_NODE_STAT(ni, rx_ucast); 379 380 /* perform as a bridge within the AP / 381* if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 382 struct mbuf mcopy = NULL; 383* 384 if (m->m_flags & M_MCAST) { 385 mcopy = m_dup(m, M_NOWAIT); 386 if (mcopy == NULL) 387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 388 else 389 mcopy->m_flags \|= M_MCAST; 390 } else { 391 /* 392 * Check if the destination is associated with the 393 * same vap and authorized to receive traffic. 394 * Beware of traffic destined for the vap itself; 395 * sending it will not work; just let it be delivered 396 * normally. 397 / 398* struct ieee80211_node sta = ieee80211_find_vap_node( 399* &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 400 if (sta != NULL) { 401 if (ieee80211_node_is_authorized(sta)) { 402 /* 403 * Beware of sending to ourself; this 404 * needs to happen via the normal 405 * input path. 406 / 407* if (sta != vap->iv_bss) { 408 mcopy = m; 409 m = NULL; 410 } 411 } else { 412 vap->iv_stats.is_rx_unauth++; 413 IEEE80211_NODE_STAT(sta, rx_unauth); 414 } 415 ieee80211_free_node(sta); 416 } 417 } 418 if (mcopy != NULL) { 419 int len, err; 420 len = mcopy->m_pkthdr.len; 421 err = ieee80211_vap_xmitpkt(vap, mcopy); 422 if (err) { 423 /* NB: IFQ_HANDOFF reclaims mcopy / 424* } else { 425 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 426 } 427 } 428 } 429 if (m != NULL) { 430 /* 431 * Mark frame as coming from vap's interface. 432 / 433* m->m_pkthdr.rcvif = ifp; 434 if (m->m_flags & M_MCAST) { 435 /* 436 * Spam DWDS vap's w/ multicast traffic. 437 / 438* /* XXX only if dwds in use? / 439* ieee80211_dwds_mcast(vap, m); 440 } 441 if (ni->ni_vlan != 0) { 442 /* attach vlan tag / 443* m->m_pkthdr.ether_vtag = ni->ni_vlan; 444 m->m_flags \|= M_VLANTAG; 445 } 446 ifp->if_input(ifp, m); 447 } 448} 449 450/* 451 * Decide if a received management frame should be 452 * printed when debugging is enabled. This filters some 453 * of the less interesting frames that come frequently 454 * (e.g. beacons). 455 / 456static __inline int 457doprint(struct ieee80211vap vap, int subtype) 458{ 459 switch (subtype) { 460 case IEEE80211_FC0_SUBTYPE_BEACON: 461 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 462 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 463 return 0; 464 } 465 return 1; 466} 467 468/* 469 * Process a received frame. The node associated with the sender 470 * should be supplied. If nothing was found in the node table then 471 * the caller is assumed to supply a reference to iv_bss instead. 472 * The RSSI and a timestamp are also supplied. The RSSI data is used 473 * during AP scanning to select a AP to associate with; it can have 474 * any units so long as values have consistent units and higher values 475 * mean ``better signal''. The receive timestamp is currently not used 476 * by the 802.11 layer. 477 / 478static int 479hostap_input(struct ieee80211_node ni, struct mbuf m, int rssi, int nf) 480*{	29#endif 30 31/* 32 * IEEE 802.11 HOSTAP mode support. 33 / 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_var.h> 52#include <net/if_media.h> 53#include <net/if_llc.h> 54#include <net/ethernet.h> 55 56#include <net/bpf.h> 57 58#include <net80211/ieee80211_var.h> 59#include <net80211/ieee80211_hostap.h> 60#include <net80211/ieee80211_input.h> 61#ifdef IEEE80211_SUPPORT_SUPERG 62#include <net80211/ieee80211_superg.h> 63#endif 64#include <net80211/ieee80211_wds.h> 65 66#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68static void hostap_vattach(struct ieee80211vap ); 69static int hostap_newstate(struct ieee80211vap , enum ieee80211_state, int); 70static int hostap_input(struct ieee80211_node ni, struct mbuf m, 71 int rssi, int nf); 72static void hostap_deliver_data(struct ieee80211vap , 73 struct ieee80211_node , struct mbuf ); 74static void hostap_recv_mgmt(struct ieee80211_node , struct mbuf , 75 int subtype, int rssi, int nf); 76static void hostap_recv_ctl(struct ieee80211_node , struct mbuf , int); 77 78void 79ieee80211_hostap_attach(struct ieee80211com ic) 80{ 81 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 82} 83 84void 85ieee80211_hostap_detach(struct ieee80211com ic) 86{ 87} 88 89static void 90hostap_vdetach(struct ieee80211vap vap) 91{ 92} 93 94static void 95hostap_vattach(struct ieee80211vap vap) 96{ 97 vap->iv_newstate = hostap_newstate; 98 vap->iv_input = hostap_input; 99 vap->iv_recv_mgmt = hostap_recv_mgmt; 100 vap->iv_recv_ctl = hostap_recv_ctl; 101 vap->iv_opdetach = hostap_vdetach; 102 vap->iv_deliver_data = hostap_deliver_data; 103 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 104} 105 106static void 107sta_disassoc(void arg, struct ieee80211_node ni) 108{ 109 struct ieee80211vap vap = arg; 110* 111 if (ni->ni_vap == vap && ni->ni_associd != 0) { 112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 113 IEEE80211_REASON_ASSOC_LEAVE); 114 ieee80211_node_leave(ni); 115 } 116} 117 118static void 119sta_csa(void arg, struct ieee80211_node ni) 120{ 121 struct ieee80211vap vap = arg; 122* 123 if (ni->ni_vap == vap && ni->ni_associd != 0) 124 if (ni->ni_inact > vap->iv_inact_init) { 125 ni->ni_inact = vap->iv_inact_init; 126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 127 "%s: inact %u", __func__, ni->ni_inact); 128 } 129} 130 131static void 132sta_drop(void arg, struct ieee80211_node ni) 133{ 134 struct ieee80211vap vap = arg; 135* 136 if (ni->ni_vap == vap && ni->ni_associd != 0) 137 ieee80211_node_leave(ni); 138} 139 140/* 141 * Does a channel change require associated stations to re-associate 142 * so protocol state is correct. This is used when doing CSA across 143 * bands or similar (e.g. HT -> legacy). 144 / 145static int 146isbandchange(struct ieee80211com ic) 147{ 148 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 149 (IEEE80211_CHAN_2GHZ \| IEEE80211_CHAN_5GHZ \| IEEE80211_CHAN_HALF \| 150 IEEE80211_CHAN_QUARTER \| IEEE80211_CHAN_HT)) != 0; 151} 152 153/* 154 * IEEE80211_M_HOSTAP vap state machine handler. 155 / 156static int 157hostap_newstate(struct ieee80211vap vap, enum ieee80211_state nstate, int arg) 158{ 159 struct ieee80211com ic = vap->iv_ic; 160* enum ieee80211_state ostate; 161 162 IEEE80211_LOCK_ASSERT(ic); 163 164 ostate = vap->iv_state; 165 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 166 __func__, ieee80211_state_name[ostate], 167 ieee80211_state_name[nstate], arg); 168 vap->iv_state = nstate; /* state transition / 169* if (ostate != IEEE80211_S_SCAN) 170 ieee80211_cancel_scan(vap); /* background scan / 171* switch (nstate) { 172 case IEEE80211_S_INIT: 173 switch (ostate) { 174 case IEEE80211_S_SCAN: 175 ieee80211_cancel_scan(vap); 176 break; 177 case IEEE80211_S_CAC: 178 ieee80211_dfs_cac_stop(vap); 179 break; 180 case IEEE80211_S_RUN: 181 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 182 break; 183 default: 184 break; 185 } 186 if (ostate != IEEE80211_S_INIT) { 187 /* NB: optimize INIT -> INIT case / 188* ieee80211_reset_bss(vap); 189 } 190 if (vap->iv_auth->ia_detach != NULL) 191 vap->iv_auth->ia_detach(vap); 192 break; 193 case IEEE80211_S_SCAN: 194 switch (ostate) { 195 case IEEE80211_S_CSA: 196 case IEEE80211_S_RUN: 197 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 198 /* 199 * Clear overlapping BSS state; the beacon frame 200 * will be reconstructed on transition to the RUN 201 * state and the timeout routines check if the flag 202 * is set before doing anything so this is sufficient. 203 / 204* ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 205 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 206 /* fall thru... / 207* case IEEE80211_S_CAC: 208 /* 209 * NB: We may get here because of a manual channel 210 * change in which case we need to stop CAC 211 * XXX no need to stop if ostate RUN but it's ok 212 / 213* ieee80211_dfs_cac_stop(vap); 214 /* fall thru... / 215* case IEEE80211_S_INIT: 216 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 217 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * ieee80211_create_ibss will call back to 222 * move us to RUN state. 223 / 224* ieee80211_create_ibss(vap, vap->iv_des_chan); 225 break; 226 } 227 /* 228 * Initiate a scan. We can come here as a result 229 * of an IEEE80211_IOC_SCAN_REQ too in which case 230 * the vap will be marked with IEEE80211_FEXT_SCANREQ 231 * and the scan request parameters will be present 232 * in iv_scanreq. Otherwise we do the default. 233 / 234* if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 235 ieee80211_check_scan(vap, 236 vap->iv_scanreq_flags, 237 vap->iv_scanreq_duration, 238 vap->iv_scanreq_mindwell, 239 vap->iv_scanreq_maxdwell, 240 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 241 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 242 } else 243 ieee80211_check_scan_current(vap); 244 break; 245 case IEEE80211_S_SCAN: 246 /* 247 * A state change requires a reset; scan. 248 / 249* ieee80211_check_scan_current(vap); 250 break; 251 default: 252 break; 253 } 254 break; 255 case IEEE80211_S_CAC: 256 /* 257 * Start CAC on a DFS channel. We come here when starting 258 * a bss on a DFS channel (see ieee80211_create_ibss). 259 / 260* ieee80211_dfs_cac_start(vap); 261 break; 262 case IEEE80211_S_RUN: 263 if (vap->iv_flags & IEEE80211_F_WPA) { 264 /* XXX validate prerequisites / 265* } 266 switch (ostate) { 267 case IEEE80211_S_INIT: 268 /* 269 * Already have a channel; bypass the 270 * scan and startup immediately. 271 * Note that ieee80211_create_ibss will call 272 * back to do a RUN->RUN state change. 273 / 274* ieee80211_create_ibss(vap, 275 ieee80211_ht_adjust_channel(ic, 276 ic->ic_curchan, vap->iv_flags_ht)); 277 /* NB: iv_bss is changed on return / 278* break; 279 case IEEE80211_S_CAC: 280 /* 281 * NB: This is the normal state change when CAC 282 * expires and no radar was detected; no need to 283 * clear the CAC timer as it's already expired. 284 / 285* /* fall thru... / 286* case IEEE80211_S_CSA: 287 /* 288 * Shorten inactivity timer of associated stations 289 * to weed out sta's that don't follow a CSA. 290 / 291* ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap); 292 /* 293 * Update bss node channel to reflect where 294 * we landed after CSA. 295 / 296* ieee80211_node_set_chan(vap->iv_bss, 297 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 298 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 299 /* XXX bypass debug msgs / 300* break; 301 case IEEE80211_S_SCAN: 302 case IEEE80211_S_RUN: 303#ifdef IEEE80211_DEBUG 304 if (ieee80211_msg_debug(vap)) { 305 struct ieee80211_node ni = vap->iv_bss; 306* ieee80211_note(vap, 307 "synchronized with %s ssid ", 308 ether_sprintf(ni->ni_bssid)); 309 ieee80211_print_essid(ni->ni_essid, 310 ni->ni_esslen); 311 /* XXX MCS/HT / 312* printf(" channel %d start %uMb\n", 313 ieee80211_chan2ieee(ic, ic->ic_curchan), 314 IEEE80211_RATE2MBS(ni->ni_txrate)); 315 } 316#endif 317 break; 318 default: 319 break; 320 } 321 /* 322 * Start/stop the authenticator. We delay until here 323 * to allow configuration to happen out of order. 324 / 325* if (vap->iv_auth->ia_attach != NULL) { 326 /* XXX check failure / 327* vap->iv_auth->ia_attach(vap); 328 } else if (vap->iv_auth->ia_detach != NULL) { 329 vap->iv_auth->ia_detach(vap); 330 } 331 ieee80211_node_authorize(vap->iv_bss); 332 break; 333 case IEEE80211_S_CSA: 334 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 335 /* 336 * On a ``band change'' silently drop associated 337 * stations as they must re-associate before they 338 * can pass traffic (as otherwise protocol state 339 * such as capabilities and the negotiated rate 340 * set may/will be wrong). 341 / 342* ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap); 343 } 344 break; 345 default: 346 break; 347 } 348 return 0; 349} 350 351static void 352hostap_deliver_data(struct ieee80211vap vap, 353* struct ieee80211_node ni, struct mbuf m) 354{ 355 struct ether_header eh = mtod(m, struct ether_header ); 356 struct ifnet ifp = vap->iv_ifp; 357* 358 /* clear driver/net80211 flags before passing up / 359#if __FreeBSD_version >= 1000046 360* m->m_flags &= ~(M_MCAST \| M_BCAST); 361 m_clrprotoflags(m); 362#else 363 m->m_flags &= ~(M_80211_RX \| M_MCAST \| M_BCAST); 364#endif 365 366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 367 ("gack, opmode %d", vap->iv_opmode)); 368 /* 369 * Do accounting. 370 / 371* if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 372 IEEE80211_NODE_STAT(ni, rx_data); 373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 375 m->m_flags \|= M_MCAST; /* XXX M_BCAST? / 376* IEEE80211_NODE_STAT(ni, rx_mcast); 377 } else 378 IEEE80211_NODE_STAT(ni, rx_ucast); 379 380 /* perform as a bridge within the AP / 381* if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 382 struct mbuf mcopy = NULL; 383* 384 if (m->m_flags & M_MCAST) { 385 mcopy = m_dup(m, M_NOWAIT); 386 if (mcopy == NULL) 387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 388 else 389 mcopy->m_flags \|= M_MCAST; 390 } else { 391 /* 392 * Check if the destination is associated with the 393 * same vap and authorized to receive traffic. 394 * Beware of traffic destined for the vap itself; 395 * sending it will not work; just let it be delivered 396 * normally. 397 / 398* struct ieee80211_node sta = ieee80211_find_vap_node( 399* &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 400 if (sta != NULL) { 401 if (ieee80211_node_is_authorized(sta)) { 402 /* 403 * Beware of sending to ourself; this 404 * needs to happen via the normal 405 * input path. 406 / 407* if (sta != vap->iv_bss) { 408 mcopy = m; 409 m = NULL; 410 } 411 } else { 412 vap->iv_stats.is_rx_unauth++; 413 IEEE80211_NODE_STAT(sta, rx_unauth); 414 } 415 ieee80211_free_node(sta); 416 } 417 } 418 if (mcopy != NULL) { 419 int len, err; 420 len = mcopy->m_pkthdr.len; 421 err = ieee80211_vap_xmitpkt(vap, mcopy); 422 if (err) { 423 /* NB: IFQ_HANDOFF reclaims mcopy / 424* } else { 425 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 426 } 427 } 428 } 429 if (m != NULL) { 430 /* 431 * Mark frame as coming from vap's interface. 432 / 433* m->m_pkthdr.rcvif = ifp; 434 if (m->m_flags & M_MCAST) { 435 /* 436 * Spam DWDS vap's w/ multicast traffic. 437 / 438* /* XXX only if dwds in use? / 439* ieee80211_dwds_mcast(vap, m); 440 } 441 if (ni->ni_vlan != 0) { 442 /* attach vlan tag / 443* m->m_pkthdr.ether_vtag = ni->ni_vlan; 444 m->m_flags \|= M_VLANTAG; 445 } 446 ifp->if_input(ifp, m); 447 } 448} 449 450/* 451 * Decide if a received management frame should be 452 * printed when debugging is enabled. This filters some 453 * of the less interesting frames that come frequently 454 * (e.g. beacons). 455 / 456static __inline int 457doprint(struct ieee80211vap vap, int subtype) 458{ 459 switch (subtype) { 460 case IEEE80211_FC0_SUBTYPE_BEACON: 461 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 462 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 463 return 0; 464 } 465 return 1; 466} 467 468/* 469 * Process a received frame. The node associated with the sender 470 * should be supplied. If nothing was found in the node table then 471 * the caller is assumed to supply a reference to iv_bss instead. 472 * The RSSI and a timestamp are also supplied. The RSSI data is used 473 * during AP scanning to select a AP to associate with; it can have 474 * any units so long as values have consistent units and higher values 475 * mean ``better signal''. The receive timestamp is currently not used 476 * by the 802.11 layer. 477 / 478static int 479hostap_input(struct ieee80211_node ni, struct mbuf m, int rssi, int nf) 480*{
481#define HAS_SEQ(type) ((type & 0x4) == 0)
482 struct ieee80211vap vap = ni->ni_vap; 483* struct ieee80211com ic = ni->ni_ic; 484* struct ifnet ifp = vap->iv_ifp; 485* struct ieee80211_frame wh; 486* struct ieee80211_key key; 487* struct ether_header eh; 488* int hdrspace, need_tap = 1; /* mbuf need to be tapped. / 489* uint8_t dir, type, subtype, qos; 490 uint8_t bssid; 491* uint16_t rxseq; 492 493 if (m->m_flags & M_AMPDU_MPDU) { 494 /* 495 * Fastpath for A-MPDU reorder q resubmission. Frames 496 * w/ M_AMPDU_MPDU marked have already passed through 497 * here but were received out of order and been held on 498 * the reorder queue. When resubmitted they are marked 499 * with the M_AMPDU_MPDU flag and we can bypass most of 500 * the normal processing. 501 / 502* wh = mtod(m, struct ieee80211_frame ); 503* type = IEEE80211_FC0_TYPE_DATA; 504 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 505 subtype = IEEE80211_FC0_SUBTYPE_QOS; 506 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? / 507* goto resubmit_ampdu; 508 } 509 510 KASSERT(ni != NULL, ("null node")); 511 ni->ni_inact = ni->ni_inact_reload; 512 513 type = -1; /* undefined / 514* 515 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 516 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 517 ni->ni_macaddr, NULL, 518 "too short (1): len %u", m->m_pkthdr.len); 519 vap->iv_stats.is_rx_tooshort++; 520 goto out; 521 } 522 /* 523 * Bit of a cheat here, we use a pointer for a 3-address 524 * frame format but don't reference fields past outside 525 * ieee80211_frame_min w/o first validating the data is 526 * present. 527 / 528* wh = mtod(m, struct ieee80211_frame ); 529* 530 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 531 IEEE80211_FC0_VERSION_0) { 532 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 533 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 534 wh->i_fc[0], wh->i_fc[1]); 535 vap->iv_stats.is_rx_badversion++; 536 goto err; 537 } 538 539 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 540 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 541 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 542 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 543 if (dir != IEEE80211_FC1_DIR_NODS) 544 bssid = wh->i_addr1; 545 else if (type == IEEE80211_FC0_TYPE_CTL) 546 bssid = wh->i_addr1; 547 else { 548 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 549 IEEE80211_DISCARD_MAC(vap, 550 IEEE80211_MSG_ANY, ni->ni_macaddr, 551 NULL, "too short (2): len %u", 552 m->m_pkthdr.len); 553 vap->iv_stats.is_rx_tooshort++; 554 goto out; 555 } 556 bssid = wh->i_addr3; 557 } 558 /* 559 * Validate the bssid. 560 / 561* if (!(type == IEEE80211_FC0_TYPE_MGT && 562 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 563 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 564 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 565 /* not interested in / 566* IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 567 bssid, NULL, "%s", "not to bss"); 568 vap->iv_stats.is_rx_wrongbss++; 569 goto out; 570 } 571 572 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 573 ni->ni_noise = nf;	481 struct ieee80211vap vap = ni->ni_vap; 482* struct ieee80211com ic = ni->ni_ic; 483* struct ifnet ifp = vap->iv_ifp; 484* struct ieee80211_frame wh; 485* struct ieee80211_key key; 486* struct ether_header eh; 487* int hdrspace, need_tap = 1; /* mbuf need to be tapped. / 488* uint8_t dir, type, subtype, qos; 489 uint8_t bssid; 490* uint16_t rxseq; 491 492 if (m->m_flags & M_AMPDU_MPDU) { 493 /* 494 * Fastpath for A-MPDU reorder q resubmission. Frames 495 * w/ M_AMPDU_MPDU marked have already passed through 496 * here but were received out of order and been held on 497 * the reorder queue. When resubmitted they are marked 498 * with the M_AMPDU_MPDU flag and we can bypass most of 499 * the normal processing. 500 / 501* wh = mtod(m, struct ieee80211_frame ); 502* type = IEEE80211_FC0_TYPE_DATA; 503 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 504 subtype = IEEE80211_FC0_SUBTYPE_QOS; 505 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? / 506* goto resubmit_ampdu; 507 } 508 509 KASSERT(ni != NULL, ("null node")); 510 ni->ni_inact = ni->ni_inact_reload; 511 512 type = -1; /* undefined / 513* 514 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 515 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 516 ni->ni_macaddr, NULL, 517 "too short (1): len %u", m->m_pkthdr.len); 518 vap->iv_stats.is_rx_tooshort++; 519 goto out; 520 } 521 /* 522 * Bit of a cheat here, we use a pointer for a 3-address 523 * frame format but don't reference fields past outside 524 * ieee80211_frame_min w/o first validating the data is 525 * present. 526 / 527* wh = mtod(m, struct ieee80211_frame ); 528* 529 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 530 IEEE80211_FC0_VERSION_0) { 531 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 532 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 533 wh->i_fc[0], wh->i_fc[1]); 534 vap->iv_stats.is_rx_badversion++; 535 goto err; 536 } 537 538 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 539 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 540 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 541 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 542 if (dir != IEEE80211_FC1_DIR_NODS) 543 bssid = wh->i_addr1; 544 else if (type == IEEE80211_FC0_TYPE_CTL) 545 bssid = wh->i_addr1; 546 else { 547 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 548 IEEE80211_DISCARD_MAC(vap, 549 IEEE80211_MSG_ANY, ni->ni_macaddr, 550 NULL, "too short (2): len %u", 551 m->m_pkthdr.len); 552 vap->iv_stats.is_rx_tooshort++; 553 goto out; 554 } 555 bssid = wh->i_addr3; 556 } 557 /* 558 * Validate the bssid. 559 / 560* if (!(type == IEEE80211_FC0_TYPE_MGT && 561 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 562 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 563 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 564 /* not interested in / 565* IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 566 bssid, NULL, "%s", "not to bss"); 567 vap->iv_stats.is_rx_wrongbss++; 568 goto out; 569 } 570 571 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 572 ni->ni_noise = nf;
574 if (HAS_SEQ(type)) {	573 if (IEEE80211_HAS_SEQ(type, subtype)) {
575 uint8_t tid = ieee80211_gettid(wh); 576 if (IEEE80211_QOS_HAS_SEQ(wh) && 577 TID_TO_WME_AC(tid) >= WME_AC_VI) 578 ic->ic_wme.wme_hipri_traffic++; 579 rxseq = le16toh((uint16_t )wh->i_seq); 580 if (! ieee80211_check_rxseq(ni, wh)) { 581 /* duplicate, discard / 582* IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 583 bssid, "duplicate", 584 "seqno <%u,%u> fragno <%u,%u> tid %u", 585 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 586 ni->ni_rxseqs[tid] >> 587 IEEE80211_SEQ_SEQ_SHIFT, 588 rxseq & IEEE80211_SEQ_FRAG_MASK, 589 ni->ni_rxseqs[tid] & 590 IEEE80211_SEQ_FRAG_MASK, 591 tid); 592 vap->iv_stats.is_rx_dup++; 593 IEEE80211_NODE_STAT(ni, rx_dup); 594 goto out; 595 } 596 ni->ni_rxseqs[tid] = rxseq; 597 } 598 } 599 600 switch (type) { 601 case IEEE80211_FC0_TYPE_DATA: 602 hdrspace = ieee80211_hdrspace(ic, wh); 603 if (m->m_len < hdrspace && 604 (m = m_pullup(m, hdrspace)) == NULL) { 605 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 606 ni->ni_macaddr, NULL, 607 "data too short: expecting %u", hdrspace); 608 vap->iv_stats.is_rx_tooshort++; 609 goto out; /* XXX / 610* } 611 if (!(dir == IEEE80211_FC1_DIR_TODS \|\| 612 (dir == IEEE80211_FC1_DIR_DSTODS && 613 (vap->iv_flags & IEEE80211_F_DWDS)))) { 614 if (dir != IEEE80211_FC1_DIR_DSTODS) { 615 IEEE80211_DISCARD(vap, 616 IEEE80211_MSG_INPUT, wh, "data", 617 "incorrect dir 0x%x", dir); 618 } else { 619 IEEE80211_DISCARD(vap, 620 IEEE80211_MSG_INPUT \| 621 IEEE80211_MSG_WDS, wh, 622 "4-address data", 623 "%s", "DWDS not enabled"); 624 } 625 vap->iv_stats.is_rx_wrongdir++; 626 goto out; 627 } 628 /* check if source STA is associated / 629* if (ni == vap->iv_bss) { 630 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 631 wh, "data", "%s", "unknown src"); 632 ieee80211_send_error(ni, wh->i_addr2, 633 IEEE80211_FC0_SUBTYPE_DEAUTH, 634 IEEE80211_REASON_NOT_AUTHED); 635 vap->iv_stats.is_rx_notassoc++; 636 goto err; 637 } 638 if (ni->ni_associd == 0) { 639 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 640 wh, "data", "%s", "unassoc src"); 641 IEEE80211_SEND_MGMT(ni, 642 IEEE80211_FC0_SUBTYPE_DISASSOC, 643 IEEE80211_REASON_NOT_ASSOCED); 644 vap->iv_stats.is_rx_notassoc++; 645 goto err; 646 } 647 648 /* 649 * Check for power save state change. 650 * XXX out-of-order A-MPDU frames? 651 / 652* if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 653 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 654 vap->iv_node_ps(ni, 655 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 656 /* 657 * For 4-address packets handle WDS discovery 658 * notifications. Once a WDS link is setup frames 659 * are just delivered to the WDS vap (see below). 660 / 661* if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 662 if (!ieee80211_node_is_authorized(ni)) { 663 IEEE80211_DISCARD(vap, 664 IEEE80211_MSG_INPUT \| 665 IEEE80211_MSG_WDS, wh, 666 "4-address data", 667 "%s", "unauthorized port"); 668 vap->iv_stats.is_rx_unauth++; 669 IEEE80211_NODE_STAT(ni, rx_unauth); 670 goto err; 671 } 672 ieee80211_dwds_discover(ni, m); 673 return type; 674 } 675 676 /* 677 * Handle A-MPDU re-ordering. If the frame is to be 678 * processed directly then ieee80211_ampdu_reorder 679 * will return 0; otherwise it has consumed the mbuf 680 * and we should do nothing more with it. 681 / 682* if ((m->m_flags & M_AMPDU) && 683 ieee80211_ampdu_reorder(ni, m) != 0) { 684 m = NULL; 685 goto out; 686 } 687 resubmit_ampdu: 688 689 /* 690 * Handle privacy requirements. Note that we 691 * must not be preempted from here until after 692 * we (potentially) call ieee80211_crypto_demic; 693 * otherwise we may violate assumptions in the 694 * crypto cipher modules used to do delayed update 695 * of replay sequence numbers. 696 / 697* if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 698 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 699 /* 700 * Discard encrypted frames when privacy is off. 701 / 702* IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 703 wh, "WEP", "%s", "PRIVACY off"); 704 vap->iv_stats.is_rx_noprivacy++; 705 IEEE80211_NODE_STAT(ni, rx_noprivacy); 706 goto out; 707 } 708 key = ieee80211_crypto_decap(ni, m, hdrspace); 709 if (key == NULL) { 710 /* NB: stats+msgs handled in crypto_decap / 711* IEEE80211_NODE_STAT(ni, rx_wepfail); 712 goto out; 713 } 714 wh = mtod(m, struct ieee80211_frame ); 715* wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 716 } else { 717 /* XXX M_WEP and IEEE80211_F_PRIVACY / 718* key = NULL; 719 } 720 721 /* 722 * Save QoS bits for use below--before we strip the header. 723 / 724* if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 725 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 726 ((struct ieee80211_qosframe_addr4 )wh)->i_qos[0] : 727* ((struct ieee80211_qosframe )wh)->i_qos[0]; 728* } else 729 qos = 0; 730 731 /* 732 * Next up, any fragmentation. 733 / 734* if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 735 m = ieee80211_defrag(ni, m, hdrspace); 736 if (m == NULL) { 737 /* Fragment dropped or frame not complete yet / 738* goto out; 739 } 740 } 741 wh = NULL; /* no longer valid, catch any uses / 742* 743 /* 744 * Next strip any MSDU crypto bits. 745 / 746* if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 747 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 748 ni->ni_macaddr, "data", "%s", "demic error"); 749 vap->iv_stats.is_rx_demicfail++; 750 IEEE80211_NODE_STAT(ni, rx_demicfail); 751 goto out; 752 } 753 /* copy to listener after decrypt / 754* if (ieee80211_radiotap_active_vap(vap)) 755 ieee80211_radiotap_rx(vap, m); 756 need_tap = 0; 757 /* 758 * Finally, strip the 802.11 header. 759 / 760* m = ieee80211_decap(vap, m, hdrspace); 761 if (m == NULL) { 762 /* XXX mask bit to check for both / 763* /* don't count Null data frames as errors / 764* if (subtype == IEEE80211_FC0_SUBTYPE_NODATA \|\| 765 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 766 goto out; 767 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 768 ni->ni_macaddr, "data", "%s", "decap error"); 769 vap->iv_stats.is_rx_decap++; 770 IEEE80211_NODE_STAT(ni, rx_decap); 771 goto err; 772 } 773 eh = mtod(m, struct ether_header ); 774* if (!ieee80211_node_is_authorized(ni)) { 775 /* 776 * Deny any non-PAE frames received prior to 777 * authorization. For open/shared-key 778 * authentication the port is mark authorized 779 * after authentication completes. For 802.1x 780 * the port is not marked authorized by the 781 * authenticator until the handshake has completed. 782 / 783* if (eh->ether_type != htons(ETHERTYPE_PAE)) { 784 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 785 eh->ether_shost, "data", 786 "unauthorized port: ether type 0x%x len %u", 787 eh->ether_type, m->m_pkthdr.len); 788 vap->iv_stats.is_rx_unauth++; 789 IEEE80211_NODE_STAT(ni, rx_unauth); 790 goto err; 791 } 792 } else { 793 /* 794 * When denying unencrypted frames, discard 795 * any non-PAE frames received without encryption. 796 / 797* if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 798 (key == NULL && (m->m_flags & M_WEP) == 0) && 799 eh->ether_type != htons(ETHERTYPE_PAE)) { 800 /* 801 * Drop unencrypted frames. 802 / 803* vap->iv_stats.is_rx_unencrypted++; 804 IEEE80211_NODE_STAT(ni, rx_unencrypted); 805 goto out; 806 } 807 } 808 /* XXX require HT? / 809* if (qos & IEEE80211_QOS_AMSDU) { 810 m = ieee80211_decap_amsdu(ni, m); 811 if (m == NULL) 812 return IEEE80211_FC0_TYPE_DATA; 813 } else { 814#ifdef IEEE80211_SUPPORT_SUPERG 815 m = ieee80211_decap_fastframe(vap, ni, m); 816 if (m == NULL) 817 return IEEE80211_FC0_TYPE_DATA; 818#endif 819 } 820 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 821 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 822 else 823 hostap_deliver_data(vap, ni, m); 824 return IEEE80211_FC0_TYPE_DATA; 825 826 case IEEE80211_FC0_TYPE_MGT: 827 vap->iv_stats.is_rx_mgmt++; 828 IEEE80211_NODE_STAT(ni, rx_mgmt); 829 if (dir != IEEE80211_FC1_DIR_NODS) { 830 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 831 wh, "mgt", "incorrect dir 0x%x", dir); 832 vap->iv_stats.is_rx_wrongdir++; 833 goto err; 834 } 835 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 836 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 837 ni->ni_macaddr, "mgt", "too short: len %u", 838 m->m_pkthdr.len); 839 vap->iv_stats.is_rx_tooshort++; 840 goto out; 841 } 842 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 843 /* ensure return frames are unicast / 844* IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 845 wh, NULL, "source is multicast: %s", 846 ether_sprintf(wh->i_addr2)); 847 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat / 848* goto out; 849 } 850#ifdef IEEE80211_DEBUG 851 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) \|\| 852 ieee80211_msg_dumppkts(vap)) { 853 if_printf(ifp, "received %s from %s rssi %d\n", 854 ieee80211_mgt_subtype_name[subtype >> 855 IEEE80211_FC0_SUBTYPE_SHIFT], 856 ether_sprintf(wh->i_addr2), rssi); 857 } 858#endif 859 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 860 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 861 /* 862 * Only shared key auth frames with a challenge 863 * should be encrypted, discard all others. 864 / 865* IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 866 wh, NULL, 867 "%s", "WEP set but not permitted"); 868 vap->iv_stats.is_rx_mgtdiscard++; /* XXX / 869* goto out; 870 } 871 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 872 /* 873 * Discard encrypted frames when privacy is off. 874 / 875* IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 876 wh, NULL, "%s", "WEP set but PRIVACY off"); 877 vap->iv_stats.is_rx_noprivacy++; 878 goto out; 879 } 880 hdrspace = ieee80211_hdrspace(ic, wh); 881 key = ieee80211_crypto_decap(ni, m, hdrspace); 882 if (key == NULL) { 883 /* NB: stats+msgs handled in crypto_decap / 884* goto out; 885 } 886 wh = mtod(m, struct ieee80211_frame ); 887* wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 888 } 889 /* 890 * Pass the packet to radiotap before calling iv_recv_mgmt(). 891 * Otherwise iv_recv_mgmt() might pass another packet to 892 * radiotap, resulting in out of order packet captures. 893 / 894* if (ieee80211_radiotap_active_vap(vap)) 895 ieee80211_radiotap_rx(vap, m); 896 need_tap = 0; 897 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 898 goto out; 899 900 case IEEE80211_FC0_TYPE_CTL: 901 vap->iv_stats.is_rx_ctl++; 902 IEEE80211_NODE_STAT(ni, rx_ctrl); 903 vap->iv_recv_ctl(ni, m, subtype); 904 goto out; 905 default: 906 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 907 wh, "bad", "frame type 0x%x", type); 908 /* should not come here / 909* break; 910 } 911err: 912 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 913out: 914 if (m != NULL) { 915 if (need_tap && ieee80211_radiotap_active_vap(vap)) 916 ieee80211_radiotap_rx(vap, m); 917 m_freem(m); 918 } 919 return type; 920} 921 922static void 923hostap_auth_open(struct ieee80211_node ni, struct ieee80211_frame wh, 924 int rssi, int nf, uint16_t seq, uint16_t status) 925{ 926 struct ieee80211vap vap = ni->ni_vap; 927* 928 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 929 930 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 931 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 932 ni->ni_macaddr, "open auth", 933 "bad sta auth mode %u", ni->ni_authmode); 934 vap->iv_stats.is_rx_bad_auth++; /* XXX / 935* /* 936 * Clear any challenge text that may be there if 937 * a previous shared key auth failed and then an 938 * open auth is attempted. 939 / 940* if (ni->ni_challenge != NULL) { 941 free(ni->ni_challenge, M_80211_NODE); 942 ni->ni_challenge = NULL; 943 } 944 /* XXX hack to workaround calling convention / 945* ieee80211_send_error(ni, wh->i_addr2, 946 IEEE80211_FC0_SUBTYPE_AUTH, 947 (seq + 1) \| (IEEE80211_STATUS_ALG<<16)); 948 return; 949 } 950 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 951 vap->iv_stats.is_rx_bad_auth++; 952 return; 953 } 954 /* always accept open authentication requests / 955* if (ni == vap->iv_bss) { 956 ni = ieee80211_dup_bss(vap, wh->i_addr2); 957 if (ni == NULL) 958 return; 959 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 960 (void) ieee80211_ref_node(ni); 961 /* 962 * Mark the node as referenced to reflect that it's 963 * reference count has been bumped to insure it remains 964 * after the transaction completes. 965 / 966* ni->ni_flags \|= IEEE80211_NODE_AREF; 967 /* 968 * Mark the node as requiring a valid association id 969 * before outbound traffic is permitted. 970 / 971* ni->ni_flags \|= IEEE80211_NODE_ASSOCID; 972 973 if (vap->iv_acl != NULL && 974 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 975 /* 976 * When the ACL policy is set to RADIUS we defer the 977 * authorization to a user agent. Dispatch an event, 978 * a subsequent MLME call will decide the fate of the 979 * station. If the user agent is not present then the 980 * node will be reclaimed due to inactivity. 981 / 982* IEEE80211_NOTE_MAC(vap, 983 IEEE80211_MSG_AUTH \| IEEE80211_MSG_ACL, ni->ni_macaddr, 984 "%s", "station authentication defered (radius acl)"); 985 ieee80211_notify_node_auth(ni); 986 } else { 987 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 988 IEEE80211_NOTE_MAC(vap, 989 IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, ni->ni_macaddr, 990 "%s", "station authenticated (open)"); 991 /* 992 * When 802.1x is not in use mark the port 993 * authorized at this point so traffic can flow. 994 / 995* if (ni->ni_authmode != IEEE80211_AUTH_8021X) 996 ieee80211_node_authorize(ni); 997 } 998} 999 1000static void 1001hostap_auth_shared(struct ieee80211_node ni, struct ieee80211_frame wh, 1002 uint8_t frm, uint8_t efrm, int rssi, int nf, 1003 uint16_t seq, uint16_t status) 1004{ 1005 struct ieee80211vap vap = ni->ni_vap; 1006* uint8_t challenge; 1007* int allocbs, estatus; 1008 1009 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1010 1011 /* 1012 * NB: this can happen as we allow pre-shared key 1013 * authentication to be enabled w/o wep being turned 1014 * on so that configuration of these can be done 1015 * in any order. It may be better to enforce the 1016 * ordering in which case this check would just be 1017 * for sanity/consistency. 1018 / 1019* if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1020 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1021 ni->ni_macaddr, "shared key auth", 1022 "%s", " PRIVACY is disabled"); 1023 estatus = IEEE80211_STATUS_ALG; 1024 goto bad; 1025 } 1026 /* 1027 * Pre-shared key authentication is evil; accept 1028 * it only if explicitly configured (it is supported 1029 * mainly for compatibility with clients like Mac OS X). 1030 / 1031* if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1032 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1033 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1034 ni->ni_macaddr, "shared key auth", 1035 "bad sta auth mode %u", ni->ni_authmode); 1036 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? / 1037* estatus = IEEE80211_STATUS_ALG; 1038 goto bad; 1039 } 1040 1041 challenge = NULL; 1042 if (frm + 1 < efrm) { 1043 if ((frm[1] + 2) > (efrm - frm)) { 1044 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1045 ni->ni_macaddr, "shared key auth", 1046 "ie %d/%d too long", 1047 frm[0], (frm[1] + 2) - (efrm - frm)); 1048 vap->iv_stats.is_rx_bad_auth++; 1049 estatus = IEEE80211_STATUS_CHALLENGE; 1050 goto bad; 1051 } 1052 if (frm == IEEE80211_ELEMID_CHALLENGE) 1053* challenge = frm; 1054 frm += frm[1] + 2; 1055 } 1056 switch (seq) { 1057 case IEEE80211_AUTH_SHARED_CHALLENGE: 1058 case IEEE80211_AUTH_SHARED_RESPONSE: 1059 if (challenge == NULL) { 1060 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1061 ni->ni_macaddr, "shared key auth", 1062 "%s", "no challenge"); 1063 vap->iv_stats.is_rx_bad_auth++; 1064 estatus = IEEE80211_STATUS_CHALLENGE; 1065 goto bad; 1066 } 1067 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1068 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1069 ni->ni_macaddr, "shared key auth", 1070 "bad challenge len %d", challenge[1]); 1071 vap->iv_stats.is_rx_bad_auth++; 1072 estatus = IEEE80211_STATUS_CHALLENGE; 1073 goto bad; 1074 } 1075 default: 1076 break; 1077 } 1078 switch (seq) { 1079 case IEEE80211_AUTH_SHARED_REQUEST: 1080 if (ni == vap->iv_bss) { 1081 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1082 if (ni == NULL) { 1083 /* NB: no way to return an error / 1084* return; 1085 } 1086 allocbs = 1; 1087 } else { 1088 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1089 (void) ieee80211_ref_node(ni); 1090 allocbs = 0; 1091 } 1092 /* 1093 * Mark the node as referenced to reflect that it's 1094 * reference count has been bumped to insure it remains 1095 * after the transaction completes. 1096 / 1097* ni->ni_flags \|= IEEE80211_NODE_AREF; 1098 /* 1099 * Mark the node as requiring a valid associatio id 1100 * before outbound traffic is permitted. 1101 / 1102* ni->ni_flags \|= IEEE80211_NODE_ASSOCID; 1103 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1104 ni->ni_noise = nf; 1105 if (!ieee80211_alloc_challenge(ni)) { 1106 /* NB: don't return error so they rexmit / 1107* return; 1108 } 1109 get_random_bytes(ni->ni_challenge, 1110 IEEE80211_CHALLENGE_LEN); 1111 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, 1112 ni, "shared key %sauth request", allocbs ? "" : "re"); 1113 /* 1114 * When the ACL policy is set to RADIUS we defer the 1115 * authorization to a user agent. Dispatch an event, 1116 * a subsequent MLME call will decide the fate of the 1117 * station. If the user agent is not present then the 1118 * node will be reclaimed due to inactivity. 1119 / 1120* if (vap->iv_acl != NULL && 1121 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1122 IEEE80211_NOTE_MAC(vap, 1123 IEEE80211_MSG_AUTH \| IEEE80211_MSG_ACL, 1124 ni->ni_macaddr, 1125 "%s", "station authentication defered (radius acl)"); 1126 ieee80211_notify_node_auth(ni); 1127 return; 1128 } 1129 break; 1130 case IEEE80211_AUTH_SHARED_RESPONSE: 1131 if (ni == vap->iv_bss) { 1132 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1133 ni->ni_macaddr, "shared key response", 1134 "%s", "unknown station"); 1135 /* NB: don't send a response / 1136* return; 1137 } 1138 if (ni->ni_challenge == NULL) { 1139 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1140 ni->ni_macaddr, "shared key response", 1141 "%s", "no challenge recorded"); 1142 vap->iv_stats.is_rx_bad_auth++; 1143 estatus = IEEE80211_STATUS_CHALLENGE; 1144 goto bad; 1145 } 1146 if (memcmp(ni->ni_challenge, &challenge[2], 1147 challenge[1]) != 0) { 1148 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1149 ni->ni_macaddr, "shared key response", 1150 "%s", "challenge mismatch"); 1151 vap->iv_stats.is_rx_auth_fail++; 1152 estatus = IEEE80211_STATUS_CHALLENGE; 1153 goto bad; 1154 } 1155 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, 1156 ni, "%s", "station authenticated (shared key)"); 1157 ieee80211_node_authorize(ni); 1158 break; 1159 default: 1160 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1161 ni->ni_macaddr, "shared key auth", 1162 "bad seq %d", seq); 1163 vap->iv_stats.is_rx_bad_auth++; 1164 estatus = IEEE80211_STATUS_SEQUENCE; 1165 goto bad; 1166 } 1167 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1168 return; 1169bad: 1170 /* 1171 * Send an error response; but only when operating as an AP. 1172 / 1173* /* XXX hack to workaround calling convention / 1174* ieee80211_send_error(ni, wh->i_addr2, 1175 IEEE80211_FC0_SUBTYPE_AUTH, 1176 (seq + 1) \| (estatus<<16)); 1177} 1178 1179/* 1180 * Convert a WPA cipher selector OUI to an internal 1181 * cipher algorithm. Where appropriate we also 1182 * record any key length. 1183 / 1184static int 1185wpa_cipher(const uint8_t sel, uint8_t keylen) 1186{ 1187#define WPA_SEL(x) (((x)<<24)\|WPA_OUI) 1188* uint32_t w = LE_READ_4(sel); 1189 1190 switch (w) { 1191 case WPA_SEL(WPA_CSE_NULL): 1192 return IEEE80211_CIPHER_NONE; 1193 case WPA_SEL(WPA_CSE_WEP40): 1194 if (keylen) 1195 keylen = 40 / NBBY; 1196* return IEEE80211_CIPHER_WEP; 1197 case WPA_SEL(WPA_CSE_WEP104): 1198 if (keylen) 1199 keylen = 104 / NBBY; 1200* return IEEE80211_CIPHER_WEP; 1201 case WPA_SEL(WPA_CSE_TKIP): 1202 return IEEE80211_CIPHER_TKIP; 1203 case WPA_SEL(WPA_CSE_CCMP): 1204 return IEEE80211_CIPHER_AES_CCM; 1205 } 1206 return 32; /* NB: so 1<< is discarded / 1207#undef WPA_SEL 1208} 1209* 1210/* 1211 * Convert a WPA key management/authentication algorithm 1212 * to an internal code. 1213 / 1214static int 1215wpa_keymgmt(const uint8_t sel) 1216{ 1217#define WPA_SEL(x) (((x)<<24)\|WPA_OUI) 1218 uint32_t w = LE_READ_4(sel); 1219 1220 switch (w) { 1221 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1222 return WPA_ASE_8021X_UNSPEC; 1223 case WPA_SEL(WPA_ASE_8021X_PSK): 1224 return WPA_ASE_8021X_PSK; 1225 case WPA_SEL(WPA_ASE_NONE): 1226 return WPA_ASE_NONE; 1227 } 1228 return 0; /* NB: so is discarded / 1229#undef WPA_SEL 1230} 1231* 1232/* 1233 * Parse a WPA information element to collect parameters. 1234 * Note that we do not validate security parameters; that 1235 * is handled by the authenticator; the parsing done here 1236 * is just for internal use in making operational decisions. 1237 / 1238static int 1239ieee80211_parse_wpa(struct ieee80211vap vap, const uint8_t frm, 1240* struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh) 1241{ 1242 uint8_t len = frm[1]; 1243 uint32_t w; 1244 int n; 1245 1246 /* 1247 * Check the length once for fixed parts: OUI, type, 1248 * version, mcast cipher, and 2 selector counts. 1249 * Other, variable-length data, must be checked separately. 1250 / 1251* if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1252 IEEE80211_DISCARD_IE(vap, 1253 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1254 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1255 return IEEE80211_REASON_IE_INVALID; 1256 } 1257 if (len < 14) { 1258 IEEE80211_DISCARD_IE(vap, 1259 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1260 wh, "WPA", "too short, len %u", len); 1261 return IEEE80211_REASON_IE_INVALID; 1262 } 1263 frm += 6, len -= 4; /* NB: len is payload only / 1264* /* NB: iswpaoui already validated the OUI and type / 1265* w = LE_READ_2(frm); 1266 if (w != WPA_VERSION) { 1267 IEEE80211_DISCARD_IE(vap, 1268 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1269 wh, "WPA", "bad version %u", w); 1270 return IEEE80211_REASON_IE_INVALID; 1271 } 1272 frm += 2, len -= 2; 1273 1274 memset(rsn, 0, sizeof(rsn)); 1275* 1276 /* multicast/group cipher / 1277* rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1278 frm += 4, len -= 4; 1279 1280 /* unicast ciphers / 1281* n = LE_READ_2(frm); 1282 frm += 2, len -= 2; 1283 if (len < n4+2) { 1284* IEEE80211_DISCARD_IE(vap, 1285 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1286 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1287 len, n); 1288 return IEEE80211_REASON_IE_INVALID; 1289 } 1290 w = 0; 1291 for (; n > 0; n--) { 1292 w \|= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1293 frm += 4, len -= 4; 1294 } 1295 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1296 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1297 else 1298 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1299 1300 /* key management algorithms / 1301* n = LE_READ_2(frm); 1302 frm += 2, len -= 2; 1303 if (len < n4) { 1304* IEEE80211_DISCARD_IE(vap, 1305 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1306 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1307 len, n); 1308 return IEEE80211_REASON_IE_INVALID; 1309 } 1310 w = 0; 1311 for (; n > 0; n--) { 1312 w \|= wpa_keymgmt(frm); 1313 frm += 4, len -= 4; 1314 } 1315 if (w & WPA_ASE_8021X_UNSPEC) 1316 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1317 else 1318 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1319 1320 if (len > 2) /* optional capabilities / 1321* rsn->rsn_caps = LE_READ_2(frm); 1322 1323 return 0; 1324} 1325 1326/* 1327 * Convert an RSN cipher selector OUI to an internal 1328 * cipher algorithm. Where appropriate we also 1329 * record any key length. 1330 / 1331static int 1332rsn_cipher(const uint8_t sel, uint8_t keylen) 1333{ 1334#define RSN_SEL(x) (((x)<<24)\|RSN_OUI) 1335* uint32_t w = LE_READ_4(sel); 1336 1337 switch (w) { 1338 case RSN_SEL(RSN_CSE_NULL): 1339 return IEEE80211_CIPHER_NONE; 1340 case RSN_SEL(RSN_CSE_WEP40): 1341 if (keylen) 1342 keylen = 40 / NBBY; 1343* return IEEE80211_CIPHER_WEP; 1344 case RSN_SEL(RSN_CSE_WEP104): 1345 if (keylen) 1346 keylen = 104 / NBBY; 1347* return IEEE80211_CIPHER_WEP; 1348 case RSN_SEL(RSN_CSE_TKIP): 1349 return IEEE80211_CIPHER_TKIP; 1350 case RSN_SEL(RSN_CSE_CCMP): 1351 return IEEE80211_CIPHER_AES_CCM; 1352 case RSN_SEL(RSN_CSE_WRAP): 1353 return IEEE80211_CIPHER_AES_OCB; 1354 } 1355 return 32; /* NB: so 1<< is discarded / 1356#undef WPA_SEL 1357} 1358* 1359/* 1360 * Convert an RSN key management/authentication algorithm 1361 * to an internal code. 1362 / 1363static int 1364rsn_keymgmt(const uint8_t sel) 1365{ 1366#define RSN_SEL(x) (((x)<<24)\|RSN_OUI) 1367 uint32_t w = LE_READ_4(sel); 1368 1369 switch (w) { 1370 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1371 return RSN_ASE_8021X_UNSPEC; 1372 case RSN_SEL(RSN_ASE_8021X_PSK): 1373 return RSN_ASE_8021X_PSK; 1374 case RSN_SEL(RSN_ASE_NONE): 1375 return RSN_ASE_NONE; 1376 } 1377 return 0; /* NB: so is discarded / 1378#undef RSN_SEL 1379} 1380* 1381/* 1382 * Parse a WPA/RSN information element to collect parameters 1383 * and validate the parameters against what has been 1384 * configured for the system. 1385 / 1386static int 1387ieee80211_parse_rsn(struct ieee80211vap vap, const uint8_t frm, 1388* struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh) 1389{ 1390 uint8_t len = frm[1]; 1391 uint32_t w; 1392 int n; 1393 1394 /* 1395 * Check the length once for fixed parts: 1396 * version, mcast cipher, and 2 selector counts. 1397 * Other, variable-length data, must be checked separately. 1398 / 1399* if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1400 IEEE80211_DISCARD_IE(vap, 1401 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1402 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1403 return IEEE80211_REASON_IE_INVALID; 1404 } 1405 if (len < 10) { 1406 IEEE80211_DISCARD_IE(vap, 1407 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1408 wh, "RSN", "too short, len %u", len); 1409 return IEEE80211_REASON_IE_INVALID; 1410 } 1411 frm += 2; 1412 w = LE_READ_2(frm); 1413 if (w != RSN_VERSION) { 1414 IEEE80211_DISCARD_IE(vap, 1415 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1416 wh, "RSN", "bad version %u", w); 1417 return IEEE80211_REASON_IE_INVALID; 1418 } 1419 frm += 2, len -= 2; 1420 1421 memset(rsn, 0, sizeof(rsn)); 1422* 1423 /* multicast/group cipher / 1424* rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1425 frm += 4, len -= 4; 1426 1427 /* unicast ciphers / 1428* n = LE_READ_2(frm); 1429 frm += 2, len -= 2; 1430 if (len < n4+2) { 1431* IEEE80211_DISCARD_IE(vap, 1432 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1433 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1434 len, n); 1435 return IEEE80211_REASON_IE_INVALID; 1436 } 1437 w = 0; 1438 for (; n > 0; n--) { 1439 w \|= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1440 frm += 4, len -= 4; 1441 } 1442 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1443 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1444 else 1445 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1446 1447 /* key management algorithms / 1448* n = LE_READ_2(frm); 1449 frm += 2, len -= 2; 1450 if (len < n4) { 1451* IEEE80211_DISCARD_IE(vap, 1452 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1453 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1454 len, n); 1455 return IEEE80211_REASON_IE_INVALID; 1456 } 1457 w = 0; 1458 for (; n > 0; n--) { 1459 w \|= rsn_keymgmt(frm); 1460 frm += 4, len -= 4; 1461 } 1462 if (w & RSN_ASE_8021X_UNSPEC) 1463 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1464 else 1465 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1466 1467 /* optional RSN capabilities / 1468* if (len > 2) 1469 rsn->rsn_caps = LE_READ_2(frm); 1470 /* XXXPMKID / 1471* 1472 return 0; 1473} 1474 1475/* 1476 * WPA/802.11i assocation request processing. 1477 / 1478static int 1479wpa_assocreq(struct ieee80211_node ni, struct ieee80211_rsnparms rsnparms, 1480* const struct ieee80211_frame wh, const uint8_t wpa, 1481 const uint8_t rsn, uint16_t capinfo) 1482{ 1483* struct ieee80211vap vap = ni->ni_vap; 1484* uint8_t reason; 1485 int badwparsn; 1486 1487 ni->ni_flags &= ~(IEEE80211_NODE_WPS\|IEEE80211_NODE_TSN); 1488 if (wpa == NULL && rsn == NULL) { 1489 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1490 /* 1491 * W-Fi Protected Setup (WPS) permits 1492 * clients to associate and pass EAPOL frames 1493 * to establish initial credentials. 1494 / 1495* ni->ni_flags \|= IEEE80211_NODE_WPS; 1496 return 1; 1497 } 1498 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1499 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1500 /* 1501 * Transitional Security Network. Permits clients 1502 * to associate and use WEP while WPA is configured. 1503 / 1504* ni->ni_flags \|= IEEE80211_NODE_TSN; 1505 return 1; 1506 } 1507 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, 1508 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1509 vap->iv_stats.is_rx_assoc_badwpaie++; 1510 reason = IEEE80211_REASON_IE_INVALID; 1511 goto bad; 1512 } 1513 /* assert right association security credentials / 1514* badwparsn = 0; /* NB: to silence compiler / 1515* switch (vap->iv_flags & IEEE80211_F_WPA) { 1516 case IEEE80211_F_WPA1: 1517 badwparsn = (wpa == NULL); 1518 break; 1519 case IEEE80211_F_WPA2: 1520 badwparsn = (rsn == NULL); 1521 break; 1522 case IEEE80211_F_WPA1\|IEEE80211_F_WPA2: 1523 badwparsn = (wpa == NULL && rsn == NULL); 1524 break; 1525 } 1526 if (badwparsn) { 1527 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, 1528 wh, NULL, 1529 "%s", "missing WPA/RSN IE in association request"); 1530 vap->iv_stats.is_rx_assoc_badwpaie++; 1531 reason = IEEE80211_REASON_IE_INVALID; 1532 goto bad; 1533 } 1534 /* 1535 * Parse WPA/RSN information element. 1536 / 1537* if (wpa != NULL) 1538 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1539 else 1540 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1541 if (reason != 0) { 1542 /* XXX distinguish WPA/RSN? / 1543* vap->iv_stats.is_rx_assoc_badwpaie++; 1544 goto bad; 1545 } 1546 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, ni, 1547 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1548 wpa != NULL ? "WPA" : "RSN", 1549 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1550 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1551 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1552 1553 return 1; 1554bad: 1555 ieee80211_node_deauth(ni, reason); 1556 return 0; 1557} 1558 1559/* XXX find a better place for definition / 1560struct l2_update_frame { 1561* struct ether_header eh; 1562 uint8_t dsap; 1563 uint8_t ssap; 1564 uint8_t control; 1565 uint8_t xid[3]; 1566} __packed; 1567 1568/* 1569 * Deliver a TGf L2UF frame on behalf of a station. 1570 * This primes any bridge when the station is roaming 1571 * between ap's on the same wired network. 1572 / 1573static void 1574ieee80211_deliver_l2uf(struct ieee80211_node ni) 1575{ 1576 struct ieee80211vap vap = ni->ni_vap; 1577* struct ifnet ifp = vap->iv_ifp; 1578* struct mbuf m; 1579* struct l2_update_frame l2uf; 1580* struct ether_header eh; 1581* 1582 m = m_gethdr(M_NOWAIT, MT_DATA); 1583 if (m == NULL) { 1584 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1585 "%s", "no mbuf for l2uf frame"); 1586 vap->iv_stats.is_rx_nobuf++; /* XXX not right / 1587* return; 1588 } 1589 l2uf = mtod(m, struct l2_update_frame ); 1590* eh = &l2uf->eh; 1591 /* dst: Broadcast address / 1592* IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1593 /* src: associated STA / 1594* IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1595 eh->ether_type = htons(sizeof(l2uf) - sizeof(eh)); 1596 1597 l2uf->dsap = 0; 1598 l2uf->ssap = 0; 1599 l2uf->control = 0xf5; 1600 l2uf->xid[0] = 0x81; 1601 l2uf->xid[1] = 0x80; 1602 l2uf->xid[2] = 0x00; 1603 1604 m->m_pkthdr.len = m->m_len = sizeof(l2uf); 1605* hostap_deliver_data(vap, ni, m); 1606} 1607 1608static void 1609ratesetmismatch(struct ieee80211_node ni, const struct ieee80211_frame wh, 1610 int reassoc, int resp, const char tag, int rate) 1611{ 1612* IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1613 "deny %s request, %s rate set mismatch, rate/MCS %d", 1614 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1615 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1616 ieee80211_node_leave(ni); 1617} 1618 1619static void 1620capinfomismatch(struct ieee80211_node ni, const struct ieee80211_frame wh, 1621 int reassoc, int resp, const char tag, int capinfo) 1622{ 1623* struct ieee80211vap vap = ni->ni_vap; 1624* 1625 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1626 "deny %s request, %s mismatch 0x%x", 1627 reassoc ? "reassoc" : "assoc", tag, capinfo); 1628 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1629 ieee80211_node_leave(ni); 1630 vap->iv_stats.is_rx_assoc_capmismatch++; 1631} 1632 1633static void 1634htcapmismatch(struct ieee80211_node ni, const struct ieee80211_frame wh, 1635 int reassoc, int resp) 1636{ 1637 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1638 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1639 /* XXX no better code / 1640* IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1641 ieee80211_node_leave(ni); 1642} 1643 1644static void 1645authalgreject(struct ieee80211_node ni, const struct ieee80211_frame wh, 1646 int algo, int seq, int status) 1647{ 1648 struct ieee80211vap vap = ni->ni_vap; 1649* 1650 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1651 wh, NULL, "unsupported alg %d", algo); 1652 vap->iv_stats.is_rx_auth_unsupported++; 1653 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1654 seq \| (status << 16)); 1655} 1656 1657static __inline int 1658ishtmixed(const uint8_t ie) 1659{ 1660* const struct ieee80211_ie_htinfo ht = 1661* (const struct ieee80211_ie_htinfo ) ie; 1662* return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1663 IEEE80211_HTINFO_OPMODE_MIXED; 1664} 1665 1666static int 1667is11bclient(const uint8_t rates, const uint8_t xrates) 1668{ 1669 static const uint32_t brates = (1<<21)\|(1<<22)\|(1<<11)\|(1<<211); 1670* int i; 1671 1672 /* NB: the 11b clients we care about will not have xrates / 1673* if (xrates != NULL \|\| rates == NULL) 1674 return 0; 1675 for (i = 0; i < rates[1]; i++) { 1676 int r = rates[2+i] & IEEE80211_RATE_VAL; 1677 if (r > 211 \|\| ((1<<r) & brates) == 0) 1678* return 0; 1679 } 1680 return 1; 1681} 1682 1683static void 1684hostap_recv_mgmt(struct ieee80211_node ni, struct mbuf m0, 1685 int subtype, int rssi, int nf) 1686{ 1687 struct ieee80211vap vap = ni->ni_vap; 1688* struct ieee80211com ic = ni->ni_ic; 1689* struct ieee80211_frame wh; 1690* uint8_t frm, efrm, sfrm; 1691* uint8_t ssid, rates, xrates, wpa, rsn, wme, ath, htcap; 1692 int reassoc, resp; 1693 uint8_t rate; 1694 1695 wh = mtod(m0, struct ieee80211_frame ); 1696* frm = (uint8_t )&wh[1]; 1697* efrm = mtod(m0, uint8_t ) + m0->m_len; 1698* switch (subtype) { 1699 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1700 case IEEE80211_FC0_SUBTYPE_BEACON: { 1701 struct ieee80211_scanparams scan; 1702 /* 1703 * We process beacon/probe response frames when scanning; 1704 * otherwise we check beacon frames for overlapping non-ERP 1705 * BSS in 11g and/or overlapping legacy BSS when in HT. 1706 / 1707* if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 && 1708 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 1709 vap->iv_stats.is_rx_mgtdiscard++; 1710 return; 1711 } 1712 /* NB: accept off-channel frames / 1713* if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1714 return; 1715 /* 1716 * Count frame now that we know it's to be processed. 1717 / 1718* if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1719 vap->iv_stats.is_rx_beacon++; /* XXX remove / 1720* IEEE80211_NODE_STAT(ni, rx_beacons); 1721 } else 1722 IEEE80211_NODE_STAT(ni, rx_proberesp); 1723 /* 1724 * If scanning, just pass information to the scan module. 1725 / 1726* if (ic->ic_flags & IEEE80211_F_SCAN) { 1727 if (scan.status == 0 && /* NB: on channel / 1728* (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1729 /* 1730 * Actively scanning a channel marked passive; 1731 * send a probe request now that we know there 1732 * is 802.11 traffic present. 1733 * 1734 * XXX check if the beacon we recv'd gives 1735 * us what we need and suppress the probe req 1736 / 1737* ieee80211_probe_curchan(vap, 1); 1738 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1739 } 1740 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1741 subtype, rssi, nf); 1742 return; 1743 } 1744 /* 1745 * Check beacon for overlapping bss w/ non ERP stations. 1746 * If we detect one and protection is configured but not 1747 * enabled, enable it and start a timer that'll bring us 1748 * out if we stop seeing the bss. 1749 / 1750* if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1751 scan.status == 0 && /* NB: on-channel / 1752* ((scan.erp & 0x100) == 0 \|\| /* NB: no ERP, 11b sta/ 1753* (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1754 ic->ic_lastnonerp = ticks; 1755 ic->ic_flags_ext \|= IEEE80211_FEXT_NONERP_PR; 1756 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1757 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1758 IEEE80211_NOTE_FRAME(vap, 1759 IEEE80211_MSG_ASSOC, wh, 1760 "non-ERP present on channel %d " 1761 "(saw erp 0x%x from channel %d), " 1762 "enable use of protection", 1763 ic->ic_curchan->ic_ieee, 1764 scan.erp, scan.chan); 1765 ic->ic_flags \|= IEEE80211_F_USEPROT; 1766 ieee80211_notify_erp(ic); 1767 } 1768 } 1769 /* 1770 * Check beacon for non-HT station on HT channel 1771 * and update HT BSS occupancy as appropriate. 1772 / 1773* if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1774 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1775 /* 1776 * Off control channel; only check frames 1777 * that come in the extension channel when 1778 * operating w/ HT40. 1779 / 1780* if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1781 break; 1782 if (scan.chan != ic->ic_curchan->ic_extieee) 1783 break; 1784 } 1785 if (scan.htinfo == NULL) { 1786 ieee80211_htprot_update(ic, 1787 IEEE80211_HTINFO_OPMODE_PROTOPT \| 1788 IEEE80211_HTINFO_NONHT_PRESENT); 1789 } else if (ishtmixed(scan.htinfo)) { 1790 /* XXX? take NONHT_PRESENT from beacon? / 1791* ieee80211_htprot_update(ic, 1792 IEEE80211_HTINFO_OPMODE_MIXED \| 1793 IEEE80211_HTINFO_NONHT_PRESENT); 1794 } 1795 } 1796 break; 1797 } 1798 1799 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1800 if (vap->iv_state != IEEE80211_S_RUN) { 1801 vap->iv_stats.is_rx_mgtdiscard++; 1802 return; 1803 } 1804 /* 1805 * Consult the ACL policy module if setup. 1806 / 1807* if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1808 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1809 wh, NULL, "%s", "disallowed by ACL"); 1810 vap->iv_stats.is_rx_acl++; 1811 return; 1812 } 1813 /* 1814 * prreq frame format 1815 * [tlv] ssid 1816 * [tlv] supported rates 1817 * [tlv] extended supported rates 1818 / 1819* ssid = rates = xrates = NULL; 1820 sfrm = frm; 1821 while (efrm - frm > 1) { 1822 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1823 switch (frm) { 1824* case IEEE80211_ELEMID_SSID: 1825 ssid = frm; 1826 break; 1827 case IEEE80211_ELEMID_RATES: 1828 rates = frm; 1829 break; 1830 case IEEE80211_ELEMID_XRATES: 1831 xrates = frm; 1832 break; 1833 } 1834 frm += frm[1] + 2; 1835 } 1836 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1837 if (xrates != NULL) 1838 IEEE80211_VERIFY_ELEMENT(xrates, 1839 IEEE80211_RATE_MAXSIZE - rates[1], return); 1840 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1841 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1842 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1843 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1844 wh, NULL, 1845 "%s", "no ssid with ssid suppression enabled"); 1846 vap->iv_stats.is_rx_ssidmismatch++; /XXX/ 1847 return; 1848 } 1849 1850 /* XXX find a better class or define it's own / 1851* IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1852 "%s", "recv probe req"); 1853 /* 1854 * Some legacy 11b clients cannot hack a complete 1855 * probe response frame. When the request includes 1856 * only a bare-bones rate set, communicate this to 1857 * the transmit side. 1858 / 1859* ieee80211_send_proberesp(vap, wh->i_addr2, 1860 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1861 break; 1862 1863 case IEEE80211_FC0_SUBTYPE_AUTH: { 1864 uint16_t algo, seq, status; 1865 1866 if (vap->iv_state != IEEE80211_S_RUN) { 1867 vap->iv_stats.is_rx_mgtdiscard++; 1868 return; 1869 } 1870 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1871 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1872 wh, NULL, "%s", "wrong bssid"); 1873 vap->iv_stats.is_rx_wrongbss++; /XXX unique stat?/ 1874 return; 1875 } 1876 /* 1877 * auth frame format 1878 * [2] algorithm 1879 * [2] sequence 1880 * [2] status 1881 * [tlv] challenge 1882* / 1883* IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1884 algo = le16toh((uint16_t )frm); 1885 seq = le16toh((uint16_t )(frm + 2)); 1886 status = le16toh((uint16_t )(frm + 4)); 1887 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1888 "recv auth frame with algorithm %d seq %d", algo, seq); 1889 /* 1890 * Consult the ACL policy module if setup. 1891 / 1892* if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1894 wh, NULL, "%s", "disallowed by ACL"); 1895 vap->iv_stats.is_rx_acl++; 1896 ieee80211_send_error(ni, wh->i_addr2, 1897 IEEE80211_FC0_SUBTYPE_AUTH, 1898 (seq+1) \| (IEEE80211_STATUS_UNSPECIFIED<<16)); 1899 return; 1900 } 1901 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1902 IEEE80211_DISCARD(vap, 1903 IEEE80211_MSG_AUTH \| IEEE80211_MSG_CRYPTO, 1904 wh, NULL, "%s", "TKIP countermeasures enabled"); 1905 vap->iv_stats.is_rx_auth_countermeasures++; 1906 ieee80211_send_error(ni, wh->i_addr2, 1907 IEEE80211_FC0_SUBTYPE_AUTH, 1908 IEEE80211_REASON_MIC_FAILURE); 1909 return; 1910 } 1911 if (algo == IEEE80211_AUTH_ALG_SHARED) 1912 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1913 seq, status); 1914 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1915 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1916 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1917 authalgreject(ni, wh, algo, 1918 seq+1, IEEE80211_STATUS_ALG); 1919 return; 1920 } else { 1921 /* 1922 * We assume that an unknown algorithm is the result 1923 * of a decryption failure on a shared key auth frame; 1924 * return a status code appropriate for that instead 1925 * of IEEE80211_STATUS_ALG. 1926 * 1927 * NB: a seq# of 4 is intentional; the decrypted 1928 * frame likely has a bogus seq value. 1929 / 1930* authalgreject(ni, wh, algo, 1931 4, IEEE80211_STATUS_CHALLENGE); 1932 return; 1933 } 1934 break; 1935 } 1936 1937 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1938 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1939 uint16_t capinfo, lintval; 1940 struct ieee80211_rsnparms rsnparms; 1941 1942 if (vap->iv_state != IEEE80211_S_RUN) { 1943 vap->iv_stats.is_rx_mgtdiscard++; 1944 return; 1945 } 1946 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1947 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1948 wh, NULL, "%s", "wrong bssid"); 1949 vap->iv_stats.is_rx_assoc_bss++; 1950 return; 1951 } 1952 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1953 reassoc = 1; 1954 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1955 } else { 1956 reassoc = 0; 1957 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1958 } 1959 if (ni == vap->iv_bss) { 1960 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1961 "deny %s request, sta not authenticated", 1962 reassoc ? "reassoc" : "assoc"); 1963 ieee80211_send_error(ni, wh->i_addr2, 1964 IEEE80211_FC0_SUBTYPE_DEAUTH, 1965 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1966 vap->iv_stats.is_rx_assoc_notauth++; 1967 return; 1968 } 1969 1970 /* 1971 * asreq frame format 1972 * [2] capability information 1973 * [2] listen interval 1974 * [6] current AP address (reassoc only) 1975* * [tlv] ssid 1976 * [tlv] supported rates 1977 * [tlv] extended supported rates 1978 * [tlv] WPA or RSN 1979 * [tlv] HT capabilities 1980 * [tlv] Atheros capabilities 1981 / 1982* IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1983 capinfo = le16toh((uint16_t )frm); frm += 2; 1984 lintval = le16toh((uint16_t )frm); frm += 2; 1985 if (reassoc) 1986 frm += 6; /* ignore current AP info / 1987* ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1988 sfrm = frm; 1989 while (efrm - frm > 1) { 1990 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1991 switch (frm) { 1992* case IEEE80211_ELEMID_SSID: 1993 ssid = frm; 1994 break; 1995 case IEEE80211_ELEMID_RATES: 1996 rates = frm; 1997 break; 1998 case IEEE80211_ELEMID_XRATES: 1999 xrates = frm; 2000 break; 2001 case IEEE80211_ELEMID_RSN: 2002 rsn = frm; 2003 break; 2004 case IEEE80211_ELEMID_HTCAP: 2005 htcap = frm; 2006 break; 2007 case IEEE80211_ELEMID_VENDOR: 2008 if (iswpaoui(frm)) 2009 wpa = frm; 2010 else if (iswmeinfo(frm)) 2011 wme = frm; 2012#ifdef IEEE80211_SUPPORT_SUPERG 2013 else if (isatherosoui(frm)) 2014 ath = frm; 2015#endif 2016 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2017 if (ishtcapoui(frm) && htcap == NULL) 2018 htcap = frm; 2019 } 2020 break; 2021 } 2022 frm += frm[1] + 2; 2023 } 2024 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2025 if (xrates != NULL) 2026 IEEE80211_VERIFY_ELEMENT(xrates, 2027 IEEE80211_RATE_MAXSIZE - rates[1], return); 2028 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2029 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2030 if (htcap != NULL) { 2031 IEEE80211_VERIFY_LENGTH(htcap[1], 2032 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2033 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2034 sizeof(struct ieee80211_ie_htcap)-2, 2035 return); /* XXX just NULL out? / 2036* } 2037 2038 if ((vap->iv_flags & IEEE80211_F_WPA) && 2039 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2040 return; 2041 /* discard challenge after association / 2042* if (ni->ni_challenge != NULL) { 2043 free(ni->ni_challenge, M_80211_NODE); 2044 ni->ni_challenge = NULL; 2045 } 2046 /* NB: 802.11 spec says to ignore station's privacy bit / 2047* if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2048 capinfomismatch(ni, wh, reassoc, resp, 2049 "capability", capinfo); 2050 return; 2051 } 2052 /* 2053 * Disallow re-associate w/ invalid slot time setting. 2054 / 2055* if (ni->ni_associd != 0 && 2056 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2057 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2058 capinfomismatch(ni, wh, reassoc, resp, 2059 "slot time", capinfo); 2060 return; 2061 } 2062 rate = ieee80211_setup_rates(ni, rates, xrates, 2063 IEEE80211_F_DOSORT \| IEEE80211_F_DOFRATE \| 2064 IEEE80211_F_DONEGO \| IEEE80211_F_DODEL); 2065 if (rate & IEEE80211_RATE_BASIC) { 2066 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2067 vap->iv_stats.is_rx_assoc_norate++; 2068 return; 2069 } 2070 /* 2071 * If constrained to 11g-only stations reject an 2072 * 11b-only station. We cheat a bit here by looking 2073 * at the max negotiated xmit rate and assuming anyone 2074 * with a best rate <24Mb/s is an 11b station. 2075 / 2076* if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2077 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2078 vap->iv_stats.is_rx_assoc_norate++; 2079 return; 2080 } 2081 /* 2082 * Do HT rate set handling and setup HT node state. 2083 / 2084* ni->ni_chan = vap->iv_bss->ni_chan; 2085 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2086 rate = ieee80211_setup_htrates(ni, htcap, 2087 IEEE80211_F_DOFMCS \| IEEE80211_F_DONEGO \| 2088 IEEE80211_F_DOBRS); 2089 if (rate & IEEE80211_RATE_BASIC) { 2090 ratesetmismatch(ni, wh, reassoc, resp, 2091 "HT", rate); 2092 vap->iv_stats.is_ht_assoc_norate++; 2093 return; 2094 } 2095 ieee80211_ht_node_init(ni); 2096 ieee80211_ht_updatehtcap(ni, htcap); 2097 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2098 ieee80211_ht_node_cleanup(ni); 2099#ifdef IEEE80211_SUPPORT_SUPERG 2100 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH) 2101 ieee80211_ff_node_cleanup(ni); 2102#endif 2103 /* 2104 * Allow AMPDU operation only with unencrypted traffic 2105 * or AES-CCM; the 11n spec only specifies these ciphers 2106 * so permitting any others is undefined and can lead 2107 * to interoperability problems. 2108 / 2109* if ((ni->ni_flags & IEEE80211_NODE_HT) && 2110 (((vap->iv_flags & IEEE80211_F_WPA) && 2111 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) \|\| 2112 (vap->iv_flags & (IEEE80211_F_WPA\|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2113 IEEE80211_NOTE(vap, 2114 IEEE80211_MSG_ASSOC \| IEEE80211_MSG_11N, ni, 2115 "disallow HT use because WEP or TKIP requested, " 2116 "capinfo 0x%x ucastcipher %d", capinfo, 2117 rsnparms.rsn_ucastcipher); 2118 ieee80211_ht_node_cleanup(ni); 2119 vap->iv_stats.is_ht_assoc_downgrade++; 2120 } 2121 /* 2122 * If constrained to 11n-only stations reject legacy stations. 2123 / 2124* if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2125 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2126 htcapmismatch(ni, wh, reassoc, resp); 2127 vap->iv_stats.is_ht_assoc_nohtcap++; 2128 return; 2129 } 2130 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2131 ni->ni_noise = nf; 2132 ni->ni_intval = lintval; 2133 ni->ni_capinfo = capinfo; 2134 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2135 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2136 /* 2137 * Store the IEs. 2138 * XXX maybe better to just expand 2139 / 2140* if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2141#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2142 if (wpa != NULL) 2143 setie(wpa_ie, wpa - sfrm); 2144 if (rsn != NULL) 2145 setie(rsn_ie, rsn - sfrm); 2146 if (htcap != NULL) 2147 setie(htcap_ie, htcap - sfrm); 2148 if (wme != NULL) { 2149 setie(wme_ie, wme - sfrm); 2150 /* 2151 * Mark node as capable of QoS. 2152 / 2153* ni->ni_flags \|= IEEE80211_NODE_QOS; 2154 } else 2155 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2156#ifdef IEEE80211_SUPPORT_SUPERG 2157 if (ath != NULL) { 2158 setie(ath_ie, ath - sfrm); 2159 /* 2160 * Parse ATH station parameters. 2161 / 2162* ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2163 } else 2164#endif 2165 ni->ni_ath_flags = 0; 2166#undef setie 2167 } else { 2168 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2169 ni->ni_ath_flags = 0; 2170 } 2171 ieee80211_node_join(ni, resp); 2172 ieee80211_deliver_l2uf(ni); 2173 break; 2174 } 2175 2176 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2177 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2178 uint16_t reason; 2179 2180 if (vap->iv_state != IEEE80211_S_RUN \|\| 2181 /* NB: can happen when in promiscuous mode / 2182* !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2183 vap->iv_stats.is_rx_mgtdiscard++; 2184 break; 2185 } 2186 /* 2187 * deauth/disassoc frame format 2188 * [2] reason 2189 / 2190* IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2191 reason = le16toh((uint16_t )frm); 2192 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2193 vap->iv_stats.is_rx_deauth++; 2194 IEEE80211_NODE_STAT(ni, rx_deauth); 2195 } else { 2196 vap->iv_stats.is_rx_disassoc++; 2197 IEEE80211_NODE_STAT(ni, rx_disassoc); 2198 } 2199 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2200 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >> 2201 IEEE80211_FC0_SUBTYPE_SHIFT], reason); 2202 if (ni != vap->iv_bss) 2203 ieee80211_node_leave(ni); 2204 break; 2205 } 2206 2207 case IEEE80211_FC0_SUBTYPE_ACTION: 2208 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2209 if (ni == vap->iv_bss) { 2210 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2211 wh, NULL, "%s", "unknown node"); 2212 vap->iv_stats.is_rx_mgtdiscard++; 2213 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2214 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2215 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2216 wh, NULL, "%s", "not for us"); 2217 vap->iv_stats.is_rx_mgtdiscard++; 2218 } else if (vap->iv_state != IEEE80211_S_RUN) { 2219 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2220 wh, NULL, "wrong state %s", 2221 ieee80211_state_name[vap->iv_state]); 2222 vap->iv_stats.is_rx_mgtdiscard++; 2223 } else { 2224 if (ieee80211_parse_action(ni, m0) == 0) 2225 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2226 } 2227 break; 2228 2229 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2230 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2231 case IEEE80211_FC0_SUBTYPE_ATIM: 2232 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2233 wh, NULL, "%s", "not handled"); 2234 vap->iv_stats.is_rx_mgtdiscard++; 2235 break; 2236 2237 default: 2238 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2239 wh, "mgt", "subtype 0x%x not handled", subtype); 2240 vap->iv_stats.is_rx_badsubtype++; 2241 break; 2242 } 2243} 2244 2245static void 2246hostap_recv_ctl(struct ieee80211_node ni, struct mbuf m, int subtype) 2247{ 2248 switch (subtype) { 2249 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2250 ni->ni_vap->iv_recv_pspoll(ni, m); 2251 break; 2252 case IEEE80211_FC0_SUBTYPE_BAR: 2253 ieee80211_recv_bar(ni, m); 2254 break; 2255 } 2256} 2257 2258/* 2259 * Process a received ps-poll frame. 2260 / 2261void 2262ieee80211_recv_pspoll(struct ieee80211_node ni, struct mbuf m0) 2263{ 2264* struct ieee80211vap vap = ni->ni_vap; 2265* struct ieee80211com ic = vap->iv_ic; 2266* struct ieee80211_frame_min wh; 2267* struct mbuf m; 2268* uint16_t aid; 2269 int qlen; 2270 2271 wh = mtod(m0, struct ieee80211_frame_min ); 2272* if (ni->ni_associd == 0) { 2273 IEEE80211_DISCARD(vap, 2274 IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG, 2275 (struct ieee80211_frame ) wh, NULL, 2276* "%s", "unassociated station"); 2277 vap->iv_stats.is_ps_unassoc++; 2278 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2279 IEEE80211_REASON_NOT_ASSOCED); 2280 return; 2281 } 2282 2283 aid = le16toh((uint16_t )wh->i_dur); 2284 if (aid != ni->ni_associd) { 2285 IEEE80211_DISCARD(vap, 2286 IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG, 2287 (struct ieee80211_frame ) wh, NULL, 2288* "aid mismatch: sta aid 0x%x poll aid 0x%x", 2289 ni->ni_associd, aid); 2290 vap->iv_stats.is_ps_badaid++; 2291 /* 2292 * NB: We used to deauth the station but it turns out 2293 * the Blackberry Curve 8230 (and perhaps other devices) 2294 * sometimes send the wrong AID when WME is negotiated. 2295 * Being more lenient here seems ok as we already check 2296 * the station is associated and we only return frames 2297 * queued for the station (i.e. we don't use the AID). 2298 / 2299* return; 2300 } 2301 2302 /* Okay, take the first queued packet and put it out... / 2303* m = ieee80211_node_psq_dequeue(ni, &qlen); 2304 if (m == NULL) { 2305 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2306 "%s", "recv ps-poll, but queue empty"); 2307 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2308 vap->iv_stats.is_ps_qempty++; /* XXX node stat / 2309* if (vap->iv_set_tim != NULL) 2310 vap->iv_set_tim(ni, 0); /* just in case / 2311* return; 2312 } 2313 /* 2314 * If there are more packets, set the more packets bit 2315 * in the packet dispatched to the station; otherwise 2316 * turn off the TIM bit. 2317 / 2318* if (qlen != 0) { 2319 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2320 "recv ps-poll, send packet, %u still queued", qlen); 2321 m->m_flags \|= M_MORE_DATA; 2322 } else { 2323 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2324 "%s", "recv ps-poll, send packet, queue empty"); 2325 if (vap->iv_set_tim != NULL) 2326 vap->iv_set_tim(ni, 0); 2327 } 2328 m->m_flags \|= M_PWR_SAV; /* bypass PS handling / 2329* 2330 /* 2331 * Do the right thing; if it's an encap'ed frame then 2332 * call ieee80211_parent_xmitpkt() (and free the ref) else 2333 * call ieee80211_vap_xmitpkt(). 2334 / 2335* if (m->m_flags & M_ENCAP) { 2336 if (ieee80211_parent_xmitpkt(ic, m) != 0) 2337 ieee80211_free_node(ni); 2338 } else { 2339 (void) ieee80211_vap_xmitpkt(vap, m); 2340 } 2341}	574 uint8_t tid = ieee80211_gettid(wh); 575 if (IEEE80211_QOS_HAS_SEQ(wh) && 576 TID_TO_WME_AC(tid) >= WME_AC_VI) 577 ic->ic_wme.wme_hipri_traffic++; 578 rxseq = le16toh((uint16_t )wh->i_seq); 579 if (! ieee80211_check_rxseq(ni, wh)) { 580 /* duplicate, discard / 581* IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 582 bssid, "duplicate", 583 "seqno <%u,%u> fragno <%u,%u> tid %u", 584 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 585 ni->ni_rxseqs[tid] >> 586 IEEE80211_SEQ_SEQ_SHIFT, 587 rxseq & IEEE80211_SEQ_FRAG_MASK, 588 ni->ni_rxseqs[tid] & 589 IEEE80211_SEQ_FRAG_MASK, 590 tid); 591 vap->iv_stats.is_rx_dup++; 592 IEEE80211_NODE_STAT(ni, rx_dup); 593 goto out; 594 } 595 ni->ni_rxseqs[tid] = rxseq; 596 } 597 } 598 599 switch (type) { 600 case IEEE80211_FC0_TYPE_DATA: 601 hdrspace = ieee80211_hdrspace(ic, wh); 602 if (m->m_len < hdrspace && 603 (m = m_pullup(m, hdrspace)) == NULL) { 604 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 605 ni->ni_macaddr, NULL, 606 "data too short: expecting %u", hdrspace); 607 vap->iv_stats.is_rx_tooshort++; 608 goto out; /* XXX / 609* } 610 if (!(dir == IEEE80211_FC1_DIR_TODS \|\| 611 (dir == IEEE80211_FC1_DIR_DSTODS && 612 (vap->iv_flags & IEEE80211_F_DWDS)))) { 613 if (dir != IEEE80211_FC1_DIR_DSTODS) { 614 IEEE80211_DISCARD(vap, 615 IEEE80211_MSG_INPUT, wh, "data", 616 "incorrect dir 0x%x", dir); 617 } else { 618 IEEE80211_DISCARD(vap, 619 IEEE80211_MSG_INPUT \| 620 IEEE80211_MSG_WDS, wh, 621 "4-address data", 622 "%s", "DWDS not enabled"); 623 } 624 vap->iv_stats.is_rx_wrongdir++; 625 goto out; 626 } 627 /* check if source STA is associated / 628* if (ni == vap->iv_bss) { 629 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 630 wh, "data", "%s", "unknown src"); 631 ieee80211_send_error(ni, wh->i_addr2, 632 IEEE80211_FC0_SUBTYPE_DEAUTH, 633 IEEE80211_REASON_NOT_AUTHED); 634 vap->iv_stats.is_rx_notassoc++; 635 goto err; 636 } 637 if (ni->ni_associd == 0) { 638 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 639 wh, "data", "%s", "unassoc src"); 640 IEEE80211_SEND_MGMT(ni, 641 IEEE80211_FC0_SUBTYPE_DISASSOC, 642 IEEE80211_REASON_NOT_ASSOCED); 643 vap->iv_stats.is_rx_notassoc++; 644 goto err; 645 } 646 647 /* 648 * Check for power save state change. 649 * XXX out-of-order A-MPDU frames? 650 / 651* if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 652 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 653 vap->iv_node_ps(ni, 654 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 655 /* 656 * For 4-address packets handle WDS discovery 657 * notifications. Once a WDS link is setup frames 658 * are just delivered to the WDS vap (see below). 659 / 660* if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 661 if (!ieee80211_node_is_authorized(ni)) { 662 IEEE80211_DISCARD(vap, 663 IEEE80211_MSG_INPUT \| 664 IEEE80211_MSG_WDS, wh, 665 "4-address data", 666 "%s", "unauthorized port"); 667 vap->iv_stats.is_rx_unauth++; 668 IEEE80211_NODE_STAT(ni, rx_unauth); 669 goto err; 670 } 671 ieee80211_dwds_discover(ni, m); 672 return type; 673 } 674 675 /* 676 * Handle A-MPDU re-ordering. If the frame is to be 677 * processed directly then ieee80211_ampdu_reorder 678 * will return 0; otherwise it has consumed the mbuf 679 * and we should do nothing more with it. 680 / 681* if ((m->m_flags & M_AMPDU) && 682 ieee80211_ampdu_reorder(ni, m) != 0) { 683 m = NULL; 684 goto out; 685 } 686 resubmit_ampdu: 687 688 /* 689 * Handle privacy requirements. Note that we 690 * must not be preempted from here until after 691 * we (potentially) call ieee80211_crypto_demic; 692 * otherwise we may violate assumptions in the 693 * crypto cipher modules used to do delayed update 694 * of replay sequence numbers. 695 / 696* if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 697 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 698 /* 699 * Discard encrypted frames when privacy is off. 700 / 701* IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 702 wh, "WEP", "%s", "PRIVACY off"); 703 vap->iv_stats.is_rx_noprivacy++; 704 IEEE80211_NODE_STAT(ni, rx_noprivacy); 705 goto out; 706 } 707 key = ieee80211_crypto_decap(ni, m, hdrspace); 708 if (key == NULL) { 709 /* NB: stats+msgs handled in crypto_decap / 710* IEEE80211_NODE_STAT(ni, rx_wepfail); 711 goto out; 712 } 713 wh = mtod(m, struct ieee80211_frame ); 714* wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 715 } else { 716 /* XXX M_WEP and IEEE80211_F_PRIVACY / 717* key = NULL; 718 } 719 720 /* 721 * Save QoS bits for use below--before we strip the header. 722 / 723* if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 724 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 725 ((struct ieee80211_qosframe_addr4 )wh)->i_qos[0] : 726* ((struct ieee80211_qosframe )wh)->i_qos[0]; 727* } else 728 qos = 0; 729 730 /* 731 * Next up, any fragmentation. 732 / 733* if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 734 m = ieee80211_defrag(ni, m, hdrspace); 735 if (m == NULL) { 736 /* Fragment dropped or frame not complete yet / 737* goto out; 738 } 739 } 740 wh = NULL; /* no longer valid, catch any uses / 741* 742 /* 743 * Next strip any MSDU crypto bits. 744 / 745* if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 746 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 747 ni->ni_macaddr, "data", "%s", "demic error"); 748 vap->iv_stats.is_rx_demicfail++; 749 IEEE80211_NODE_STAT(ni, rx_demicfail); 750 goto out; 751 } 752 /* copy to listener after decrypt / 753* if (ieee80211_radiotap_active_vap(vap)) 754 ieee80211_radiotap_rx(vap, m); 755 need_tap = 0; 756 /* 757 * Finally, strip the 802.11 header. 758 / 759* m = ieee80211_decap(vap, m, hdrspace); 760 if (m == NULL) { 761 /* XXX mask bit to check for both / 762* /* don't count Null data frames as errors / 763* if (subtype == IEEE80211_FC0_SUBTYPE_NODATA \|\| 764 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 765 goto out; 766 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 767 ni->ni_macaddr, "data", "%s", "decap error"); 768 vap->iv_stats.is_rx_decap++; 769 IEEE80211_NODE_STAT(ni, rx_decap); 770 goto err; 771 } 772 eh = mtod(m, struct ether_header ); 773* if (!ieee80211_node_is_authorized(ni)) { 774 /* 775 * Deny any non-PAE frames received prior to 776 * authorization. For open/shared-key 777 * authentication the port is mark authorized 778 * after authentication completes. For 802.1x 779 * the port is not marked authorized by the 780 * authenticator until the handshake has completed. 781 / 782* if (eh->ether_type != htons(ETHERTYPE_PAE)) { 783 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 784 eh->ether_shost, "data", 785 "unauthorized port: ether type 0x%x len %u", 786 eh->ether_type, m->m_pkthdr.len); 787 vap->iv_stats.is_rx_unauth++; 788 IEEE80211_NODE_STAT(ni, rx_unauth); 789 goto err; 790 } 791 } else { 792 /* 793 * When denying unencrypted frames, discard 794 * any non-PAE frames received without encryption. 795 / 796* if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 797 (key == NULL && (m->m_flags & M_WEP) == 0) && 798 eh->ether_type != htons(ETHERTYPE_PAE)) { 799 /* 800 * Drop unencrypted frames. 801 / 802* vap->iv_stats.is_rx_unencrypted++; 803 IEEE80211_NODE_STAT(ni, rx_unencrypted); 804 goto out; 805 } 806 } 807 /* XXX require HT? / 808* if (qos & IEEE80211_QOS_AMSDU) { 809 m = ieee80211_decap_amsdu(ni, m); 810 if (m == NULL) 811 return IEEE80211_FC0_TYPE_DATA; 812 } else { 813#ifdef IEEE80211_SUPPORT_SUPERG 814 m = ieee80211_decap_fastframe(vap, ni, m); 815 if (m == NULL) 816 return IEEE80211_FC0_TYPE_DATA; 817#endif 818 } 819 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 820 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 821 else 822 hostap_deliver_data(vap, ni, m); 823 return IEEE80211_FC0_TYPE_DATA; 824 825 case IEEE80211_FC0_TYPE_MGT: 826 vap->iv_stats.is_rx_mgmt++; 827 IEEE80211_NODE_STAT(ni, rx_mgmt); 828 if (dir != IEEE80211_FC1_DIR_NODS) { 829 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 830 wh, "mgt", "incorrect dir 0x%x", dir); 831 vap->iv_stats.is_rx_wrongdir++; 832 goto err; 833 } 834 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 835 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 836 ni->ni_macaddr, "mgt", "too short: len %u", 837 m->m_pkthdr.len); 838 vap->iv_stats.is_rx_tooshort++; 839 goto out; 840 } 841 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 842 /* ensure return frames are unicast / 843* IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 844 wh, NULL, "source is multicast: %s", 845 ether_sprintf(wh->i_addr2)); 846 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat / 847* goto out; 848 } 849#ifdef IEEE80211_DEBUG 850 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) \|\| 851 ieee80211_msg_dumppkts(vap)) { 852 if_printf(ifp, "received %s from %s rssi %d\n", 853 ieee80211_mgt_subtype_name[subtype >> 854 IEEE80211_FC0_SUBTYPE_SHIFT], 855 ether_sprintf(wh->i_addr2), rssi); 856 } 857#endif 858 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 859 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 860 /* 861 * Only shared key auth frames with a challenge 862 * should be encrypted, discard all others. 863 / 864* IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 865 wh, NULL, 866 "%s", "WEP set but not permitted"); 867 vap->iv_stats.is_rx_mgtdiscard++; /* XXX / 868* goto out; 869 } 870 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 871 /* 872 * Discard encrypted frames when privacy is off. 873 / 874* IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 875 wh, NULL, "%s", "WEP set but PRIVACY off"); 876 vap->iv_stats.is_rx_noprivacy++; 877 goto out; 878 } 879 hdrspace = ieee80211_hdrspace(ic, wh); 880 key = ieee80211_crypto_decap(ni, m, hdrspace); 881 if (key == NULL) { 882 /* NB: stats+msgs handled in crypto_decap / 883* goto out; 884 } 885 wh = mtod(m, struct ieee80211_frame ); 886* wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 887 } 888 /* 889 * Pass the packet to radiotap before calling iv_recv_mgmt(). 890 * Otherwise iv_recv_mgmt() might pass another packet to 891 * radiotap, resulting in out of order packet captures. 892 / 893* if (ieee80211_radiotap_active_vap(vap)) 894 ieee80211_radiotap_rx(vap, m); 895 need_tap = 0; 896 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 897 goto out; 898 899 case IEEE80211_FC0_TYPE_CTL: 900 vap->iv_stats.is_rx_ctl++; 901 IEEE80211_NODE_STAT(ni, rx_ctrl); 902 vap->iv_recv_ctl(ni, m, subtype); 903 goto out; 904 default: 905 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 906 wh, "bad", "frame type 0x%x", type); 907 /* should not come here / 908* break; 909 } 910err: 911 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 912out: 913 if (m != NULL) { 914 if (need_tap && ieee80211_radiotap_active_vap(vap)) 915 ieee80211_radiotap_rx(vap, m); 916 m_freem(m); 917 } 918 return type; 919} 920 921static void 922hostap_auth_open(struct ieee80211_node ni, struct ieee80211_frame wh, 923 int rssi, int nf, uint16_t seq, uint16_t status) 924{ 925 struct ieee80211vap vap = ni->ni_vap; 926* 927 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 928 929 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 930 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 931 ni->ni_macaddr, "open auth", 932 "bad sta auth mode %u", ni->ni_authmode); 933 vap->iv_stats.is_rx_bad_auth++; /* XXX / 934* /* 935 * Clear any challenge text that may be there if 936 * a previous shared key auth failed and then an 937 * open auth is attempted. 938 / 939* if (ni->ni_challenge != NULL) { 940 free(ni->ni_challenge, M_80211_NODE); 941 ni->ni_challenge = NULL; 942 } 943 /* XXX hack to workaround calling convention / 944* ieee80211_send_error(ni, wh->i_addr2, 945 IEEE80211_FC0_SUBTYPE_AUTH, 946 (seq + 1) \| (IEEE80211_STATUS_ALG<<16)); 947 return; 948 } 949 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 950 vap->iv_stats.is_rx_bad_auth++; 951 return; 952 } 953 /* always accept open authentication requests / 954* if (ni == vap->iv_bss) { 955 ni = ieee80211_dup_bss(vap, wh->i_addr2); 956 if (ni == NULL) 957 return; 958 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 959 (void) ieee80211_ref_node(ni); 960 /* 961 * Mark the node as referenced to reflect that it's 962 * reference count has been bumped to insure it remains 963 * after the transaction completes. 964 / 965* ni->ni_flags \|= IEEE80211_NODE_AREF; 966 /* 967 * Mark the node as requiring a valid association id 968 * before outbound traffic is permitted. 969 / 970* ni->ni_flags \|= IEEE80211_NODE_ASSOCID; 971 972 if (vap->iv_acl != NULL && 973 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 974 /* 975 * When the ACL policy is set to RADIUS we defer the 976 * authorization to a user agent. Dispatch an event, 977 * a subsequent MLME call will decide the fate of the 978 * station. If the user agent is not present then the 979 * node will be reclaimed due to inactivity. 980 / 981* IEEE80211_NOTE_MAC(vap, 982 IEEE80211_MSG_AUTH \| IEEE80211_MSG_ACL, ni->ni_macaddr, 983 "%s", "station authentication defered (radius acl)"); 984 ieee80211_notify_node_auth(ni); 985 } else { 986 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 987 IEEE80211_NOTE_MAC(vap, 988 IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, ni->ni_macaddr, 989 "%s", "station authenticated (open)"); 990 /* 991 * When 802.1x is not in use mark the port 992 * authorized at this point so traffic can flow. 993 / 994* if (ni->ni_authmode != IEEE80211_AUTH_8021X) 995 ieee80211_node_authorize(ni); 996 } 997} 998 999static void 1000hostap_auth_shared(struct ieee80211_node ni, struct ieee80211_frame wh, 1001 uint8_t frm, uint8_t efrm, int rssi, int nf, 1002 uint16_t seq, uint16_t status) 1003{ 1004 struct ieee80211vap vap = ni->ni_vap; 1005* uint8_t challenge; 1006* int allocbs, estatus; 1007 1008 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1009 1010 /* 1011 * NB: this can happen as we allow pre-shared key 1012 * authentication to be enabled w/o wep being turned 1013 * on so that configuration of these can be done 1014 * in any order. It may be better to enforce the 1015 * ordering in which case this check would just be 1016 * for sanity/consistency. 1017 / 1018* if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1019 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1020 ni->ni_macaddr, "shared key auth", 1021 "%s", " PRIVACY is disabled"); 1022 estatus = IEEE80211_STATUS_ALG; 1023 goto bad; 1024 } 1025 /* 1026 * Pre-shared key authentication is evil; accept 1027 * it only if explicitly configured (it is supported 1028 * mainly for compatibility with clients like Mac OS X). 1029 / 1030* if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1031 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1033 ni->ni_macaddr, "shared key auth", 1034 "bad sta auth mode %u", ni->ni_authmode); 1035 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? / 1036* estatus = IEEE80211_STATUS_ALG; 1037 goto bad; 1038 } 1039 1040 challenge = NULL; 1041 if (frm + 1 < efrm) { 1042 if ((frm[1] + 2) > (efrm - frm)) { 1043 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1044 ni->ni_macaddr, "shared key auth", 1045 "ie %d/%d too long", 1046 frm[0], (frm[1] + 2) - (efrm - frm)); 1047 vap->iv_stats.is_rx_bad_auth++; 1048 estatus = IEEE80211_STATUS_CHALLENGE; 1049 goto bad; 1050 } 1051 if (frm == IEEE80211_ELEMID_CHALLENGE) 1052* challenge = frm; 1053 frm += frm[1] + 2; 1054 } 1055 switch (seq) { 1056 case IEEE80211_AUTH_SHARED_CHALLENGE: 1057 case IEEE80211_AUTH_SHARED_RESPONSE: 1058 if (challenge == NULL) { 1059 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1060 ni->ni_macaddr, "shared key auth", 1061 "%s", "no challenge"); 1062 vap->iv_stats.is_rx_bad_auth++; 1063 estatus = IEEE80211_STATUS_CHALLENGE; 1064 goto bad; 1065 } 1066 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1067 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1068 ni->ni_macaddr, "shared key auth", 1069 "bad challenge len %d", challenge[1]); 1070 vap->iv_stats.is_rx_bad_auth++; 1071 estatus = IEEE80211_STATUS_CHALLENGE; 1072 goto bad; 1073 } 1074 default: 1075 break; 1076 } 1077 switch (seq) { 1078 case IEEE80211_AUTH_SHARED_REQUEST: 1079 if (ni == vap->iv_bss) { 1080 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1081 if (ni == NULL) { 1082 /* NB: no way to return an error / 1083* return; 1084 } 1085 allocbs = 1; 1086 } else { 1087 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1088 (void) ieee80211_ref_node(ni); 1089 allocbs = 0; 1090 } 1091 /* 1092 * Mark the node as referenced to reflect that it's 1093 * reference count has been bumped to insure it remains 1094 * after the transaction completes. 1095 / 1096* ni->ni_flags \|= IEEE80211_NODE_AREF; 1097 /* 1098 * Mark the node as requiring a valid associatio id 1099 * before outbound traffic is permitted. 1100 / 1101* ni->ni_flags \|= IEEE80211_NODE_ASSOCID; 1102 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1103 ni->ni_noise = nf; 1104 if (!ieee80211_alloc_challenge(ni)) { 1105 /* NB: don't return error so they rexmit / 1106* return; 1107 } 1108 get_random_bytes(ni->ni_challenge, 1109 IEEE80211_CHALLENGE_LEN); 1110 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, 1111 ni, "shared key %sauth request", allocbs ? "" : "re"); 1112 /* 1113 * When the ACL policy is set to RADIUS we defer the 1114 * authorization to a user agent. Dispatch an event, 1115 * a subsequent MLME call will decide the fate of the 1116 * station. If the user agent is not present then the 1117 * node will be reclaimed due to inactivity. 1118 / 1119* if (vap->iv_acl != NULL && 1120 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1121 IEEE80211_NOTE_MAC(vap, 1122 IEEE80211_MSG_AUTH \| IEEE80211_MSG_ACL, 1123 ni->ni_macaddr, 1124 "%s", "station authentication defered (radius acl)"); 1125 ieee80211_notify_node_auth(ni); 1126 return; 1127 } 1128 break; 1129 case IEEE80211_AUTH_SHARED_RESPONSE: 1130 if (ni == vap->iv_bss) { 1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1132 ni->ni_macaddr, "shared key response", 1133 "%s", "unknown station"); 1134 /* NB: don't send a response / 1135* return; 1136 } 1137 if (ni->ni_challenge == NULL) { 1138 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1139 ni->ni_macaddr, "shared key response", 1140 "%s", "no challenge recorded"); 1141 vap->iv_stats.is_rx_bad_auth++; 1142 estatus = IEEE80211_STATUS_CHALLENGE; 1143 goto bad; 1144 } 1145 if (memcmp(ni->ni_challenge, &challenge[2], 1146 challenge[1]) != 0) { 1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key response", 1149 "%s", "challenge mismatch"); 1150 vap->iv_stats.is_rx_auth_fail++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH, 1155 ni, "%s", "station authenticated (shared key)"); 1156 ieee80211_node_authorize(ni); 1157 break; 1158 default: 1159 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1160 ni->ni_macaddr, "shared key auth", 1161 "bad seq %d", seq); 1162 vap->iv_stats.is_rx_bad_auth++; 1163 estatus = IEEE80211_STATUS_SEQUENCE; 1164 goto bad; 1165 } 1166 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1167 return; 1168bad: 1169 /* 1170 * Send an error response; but only when operating as an AP. 1171 / 1172* /* XXX hack to workaround calling convention / 1173* ieee80211_send_error(ni, wh->i_addr2, 1174 IEEE80211_FC0_SUBTYPE_AUTH, 1175 (seq + 1) \| (estatus<<16)); 1176} 1177 1178/* 1179 * Convert a WPA cipher selector OUI to an internal 1180 * cipher algorithm. Where appropriate we also 1181 * record any key length. 1182 / 1183static int 1184wpa_cipher(const uint8_t sel, uint8_t keylen) 1185{ 1186#define WPA_SEL(x) (((x)<<24)\|WPA_OUI) 1187* uint32_t w = LE_READ_4(sel); 1188 1189 switch (w) { 1190 case WPA_SEL(WPA_CSE_NULL): 1191 return IEEE80211_CIPHER_NONE; 1192 case WPA_SEL(WPA_CSE_WEP40): 1193 if (keylen) 1194 keylen = 40 / NBBY; 1195* return IEEE80211_CIPHER_WEP; 1196 case WPA_SEL(WPA_CSE_WEP104): 1197 if (keylen) 1198 keylen = 104 / NBBY; 1199* return IEEE80211_CIPHER_WEP; 1200 case WPA_SEL(WPA_CSE_TKIP): 1201 return IEEE80211_CIPHER_TKIP; 1202 case WPA_SEL(WPA_CSE_CCMP): 1203 return IEEE80211_CIPHER_AES_CCM; 1204 } 1205 return 32; /* NB: so 1<< is discarded / 1206#undef WPA_SEL 1207} 1208* 1209/* 1210 * Convert a WPA key management/authentication algorithm 1211 * to an internal code. 1212 / 1213static int 1214wpa_keymgmt(const uint8_t sel) 1215{ 1216#define WPA_SEL(x) (((x)<<24)\|WPA_OUI) 1217 uint32_t w = LE_READ_4(sel); 1218 1219 switch (w) { 1220 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1221 return WPA_ASE_8021X_UNSPEC; 1222 case WPA_SEL(WPA_ASE_8021X_PSK): 1223 return WPA_ASE_8021X_PSK; 1224 case WPA_SEL(WPA_ASE_NONE): 1225 return WPA_ASE_NONE; 1226 } 1227 return 0; /* NB: so is discarded / 1228#undef WPA_SEL 1229} 1230* 1231/* 1232 * Parse a WPA information element to collect parameters. 1233 * Note that we do not validate security parameters; that 1234 * is handled by the authenticator; the parsing done here 1235 * is just for internal use in making operational decisions. 1236 / 1237static int 1238ieee80211_parse_wpa(struct ieee80211vap vap, const uint8_t frm, 1239* struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh) 1240{ 1241 uint8_t len = frm[1]; 1242 uint32_t w; 1243 int n; 1244 1245 /* 1246 * Check the length once for fixed parts: OUI, type, 1247 * version, mcast cipher, and 2 selector counts. 1248 * Other, variable-length data, must be checked separately. 1249 / 1250* if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1251 IEEE80211_DISCARD_IE(vap, 1252 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1253 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1254 return IEEE80211_REASON_IE_INVALID; 1255 } 1256 if (len < 14) { 1257 IEEE80211_DISCARD_IE(vap, 1258 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1259 wh, "WPA", "too short, len %u", len); 1260 return IEEE80211_REASON_IE_INVALID; 1261 } 1262 frm += 6, len -= 4; /* NB: len is payload only / 1263* /* NB: iswpaoui already validated the OUI and type / 1264* w = LE_READ_2(frm); 1265 if (w != WPA_VERSION) { 1266 IEEE80211_DISCARD_IE(vap, 1267 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1268 wh, "WPA", "bad version %u", w); 1269 return IEEE80211_REASON_IE_INVALID; 1270 } 1271 frm += 2, len -= 2; 1272 1273 memset(rsn, 0, sizeof(rsn)); 1274* 1275 /* multicast/group cipher / 1276* rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1277 frm += 4, len -= 4; 1278 1279 /* unicast ciphers / 1280* n = LE_READ_2(frm); 1281 frm += 2, len -= 2; 1282 if (len < n4+2) { 1283* IEEE80211_DISCARD_IE(vap, 1284 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1285 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1286 len, n); 1287 return IEEE80211_REASON_IE_INVALID; 1288 } 1289 w = 0; 1290 for (; n > 0; n--) { 1291 w \|= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1292 frm += 4, len -= 4; 1293 } 1294 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1295 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1296 else 1297 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1298 1299 /* key management algorithms / 1300* n = LE_READ_2(frm); 1301 frm += 2, len -= 2; 1302 if (len < n4) { 1303* IEEE80211_DISCARD_IE(vap, 1304 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1305 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1306 len, n); 1307 return IEEE80211_REASON_IE_INVALID; 1308 } 1309 w = 0; 1310 for (; n > 0; n--) { 1311 w \|= wpa_keymgmt(frm); 1312 frm += 4, len -= 4; 1313 } 1314 if (w & WPA_ASE_8021X_UNSPEC) 1315 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1316 else 1317 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1318 1319 if (len > 2) /* optional capabilities / 1320* rsn->rsn_caps = LE_READ_2(frm); 1321 1322 return 0; 1323} 1324 1325/* 1326 * Convert an RSN cipher selector OUI to an internal 1327 * cipher algorithm. Where appropriate we also 1328 * record any key length. 1329 / 1330static int 1331rsn_cipher(const uint8_t sel, uint8_t keylen) 1332{ 1333#define RSN_SEL(x) (((x)<<24)\|RSN_OUI) 1334* uint32_t w = LE_READ_4(sel); 1335 1336 switch (w) { 1337 case RSN_SEL(RSN_CSE_NULL): 1338 return IEEE80211_CIPHER_NONE; 1339 case RSN_SEL(RSN_CSE_WEP40): 1340 if (keylen) 1341 keylen = 40 / NBBY; 1342* return IEEE80211_CIPHER_WEP; 1343 case RSN_SEL(RSN_CSE_WEP104): 1344 if (keylen) 1345 keylen = 104 / NBBY; 1346* return IEEE80211_CIPHER_WEP; 1347 case RSN_SEL(RSN_CSE_TKIP): 1348 return IEEE80211_CIPHER_TKIP; 1349 case RSN_SEL(RSN_CSE_CCMP): 1350 return IEEE80211_CIPHER_AES_CCM; 1351 case RSN_SEL(RSN_CSE_WRAP): 1352 return IEEE80211_CIPHER_AES_OCB; 1353 } 1354 return 32; /* NB: so 1<< is discarded / 1355#undef WPA_SEL 1356} 1357* 1358/* 1359 * Convert an RSN key management/authentication algorithm 1360 * to an internal code. 1361 / 1362static int 1363rsn_keymgmt(const uint8_t sel) 1364{ 1365#define RSN_SEL(x) (((x)<<24)\|RSN_OUI) 1366 uint32_t w = LE_READ_4(sel); 1367 1368 switch (w) { 1369 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1370 return RSN_ASE_8021X_UNSPEC; 1371 case RSN_SEL(RSN_ASE_8021X_PSK): 1372 return RSN_ASE_8021X_PSK; 1373 case RSN_SEL(RSN_ASE_NONE): 1374 return RSN_ASE_NONE; 1375 } 1376 return 0; /* NB: so is discarded / 1377#undef RSN_SEL 1378} 1379* 1380/* 1381 * Parse a WPA/RSN information element to collect parameters 1382 * and validate the parameters against what has been 1383 * configured for the system. 1384 / 1385static int 1386ieee80211_parse_rsn(struct ieee80211vap vap, const uint8_t frm, 1387* struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh) 1388{ 1389 uint8_t len = frm[1]; 1390 uint32_t w; 1391 int n; 1392 1393 /* 1394 * Check the length once for fixed parts: 1395 * version, mcast cipher, and 2 selector counts. 1396 * Other, variable-length data, must be checked separately. 1397 / 1398* if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1399 IEEE80211_DISCARD_IE(vap, 1400 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1401 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1402 return IEEE80211_REASON_IE_INVALID; 1403 } 1404 if (len < 10) { 1405 IEEE80211_DISCARD_IE(vap, 1406 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1407 wh, "RSN", "too short, len %u", len); 1408 return IEEE80211_REASON_IE_INVALID; 1409 } 1410 frm += 2; 1411 w = LE_READ_2(frm); 1412 if (w != RSN_VERSION) { 1413 IEEE80211_DISCARD_IE(vap, 1414 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1415 wh, "RSN", "bad version %u", w); 1416 return IEEE80211_REASON_IE_INVALID; 1417 } 1418 frm += 2, len -= 2; 1419 1420 memset(rsn, 0, sizeof(rsn)); 1421* 1422 /* multicast/group cipher / 1423* rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1424 frm += 4, len -= 4; 1425 1426 /* unicast ciphers / 1427* n = LE_READ_2(frm); 1428 frm += 2, len -= 2; 1429 if (len < n4+2) { 1430* IEEE80211_DISCARD_IE(vap, 1431 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1432 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1433 len, n); 1434 return IEEE80211_REASON_IE_INVALID; 1435 } 1436 w = 0; 1437 for (; n > 0; n--) { 1438 w \|= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1439 frm += 4, len -= 4; 1440 } 1441 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1442 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1443 else 1444 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1445 1446 /* key management algorithms / 1447* n = LE_READ_2(frm); 1448 frm += 2, len -= 2; 1449 if (len < n4) { 1450* IEEE80211_DISCARD_IE(vap, 1451 IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA, 1452 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1453 len, n); 1454 return IEEE80211_REASON_IE_INVALID; 1455 } 1456 w = 0; 1457 for (; n > 0; n--) { 1458 w \|= rsn_keymgmt(frm); 1459 frm += 4, len -= 4; 1460 } 1461 if (w & RSN_ASE_8021X_UNSPEC) 1462 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1463 else 1464 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1465 1466 /* optional RSN capabilities / 1467* if (len > 2) 1468 rsn->rsn_caps = LE_READ_2(frm); 1469 /* XXXPMKID / 1470* 1471 return 0; 1472} 1473 1474/* 1475 * WPA/802.11i assocation request processing. 1476 / 1477static int 1478wpa_assocreq(struct ieee80211_node ni, struct ieee80211_rsnparms rsnparms, 1479* const struct ieee80211_frame wh, const uint8_t wpa, 1480 const uint8_t rsn, uint16_t capinfo) 1481{ 1482* struct ieee80211vap vap = ni->ni_vap; 1483* uint8_t reason; 1484 int badwparsn; 1485 1486 ni->ni_flags &= ~(IEEE80211_NODE_WPS\|IEEE80211_NODE_TSN); 1487 if (wpa == NULL && rsn == NULL) { 1488 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1489 /* 1490 * W-Fi Protected Setup (WPS) permits 1491 * clients to associate and pass EAPOL frames 1492 * to establish initial credentials. 1493 / 1494* ni->ni_flags \|= IEEE80211_NODE_WPS; 1495 return 1; 1496 } 1497 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1498 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1499 /* 1500 * Transitional Security Network. Permits clients 1501 * to associate and use WEP while WPA is configured. 1502 / 1503* ni->ni_flags \|= IEEE80211_NODE_TSN; 1504 return 1; 1505 } 1506 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, 1507 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1508 vap->iv_stats.is_rx_assoc_badwpaie++; 1509 reason = IEEE80211_REASON_IE_INVALID; 1510 goto bad; 1511 } 1512 /* assert right association security credentials / 1513* badwparsn = 0; /* NB: to silence compiler / 1514* switch (vap->iv_flags & IEEE80211_F_WPA) { 1515 case IEEE80211_F_WPA1: 1516 badwparsn = (wpa == NULL); 1517 break; 1518 case IEEE80211_F_WPA2: 1519 badwparsn = (rsn == NULL); 1520 break; 1521 case IEEE80211_F_WPA1\|IEEE80211_F_WPA2: 1522 badwparsn = (wpa == NULL && rsn == NULL); 1523 break; 1524 } 1525 if (badwparsn) { 1526 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, 1527 wh, NULL, 1528 "%s", "missing WPA/RSN IE in association request"); 1529 vap->iv_stats.is_rx_assoc_badwpaie++; 1530 reason = IEEE80211_REASON_IE_INVALID; 1531 goto bad; 1532 } 1533 /* 1534 * Parse WPA/RSN information element. 1535 / 1536* if (wpa != NULL) 1537 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1538 else 1539 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1540 if (reason != 0) { 1541 /* XXX distinguish WPA/RSN? / 1542* vap->iv_stats.is_rx_assoc_badwpaie++; 1543 goto bad; 1544 } 1545 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA, ni, 1546 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1547 wpa != NULL ? "WPA" : "RSN", 1548 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1549 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1550 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1551 1552 return 1; 1553bad: 1554 ieee80211_node_deauth(ni, reason); 1555 return 0; 1556} 1557 1558/* XXX find a better place for definition / 1559struct l2_update_frame { 1560* struct ether_header eh; 1561 uint8_t dsap; 1562 uint8_t ssap; 1563 uint8_t control; 1564 uint8_t xid[3]; 1565} __packed; 1566 1567/* 1568 * Deliver a TGf L2UF frame on behalf of a station. 1569 * This primes any bridge when the station is roaming 1570 * between ap's on the same wired network. 1571 / 1572static void 1573ieee80211_deliver_l2uf(struct ieee80211_node ni) 1574{ 1575 struct ieee80211vap vap = ni->ni_vap; 1576* struct ifnet ifp = vap->iv_ifp; 1577* struct mbuf m; 1578* struct l2_update_frame l2uf; 1579* struct ether_header eh; 1580* 1581 m = m_gethdr(M_NOWAIT, MT_DATA); 1582 if (m == NULL) { 1583 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1584 "%s", "no mbuf for l2uf frame"); 1585 vap->iv_stats.is_rx_nobuf++; /* XXX not right / 1586* return; 1587 } 1588 l2uf = mtod(m, struct l2_update_frame ); 1589* eh = &l2uf->eh; 1590 /* dst: Broadcast address / 1591* IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1592 /* src: associated STA / 1593* IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1594 eh->ether_type = htons(sizeof(l2uf) - sizeof(eh)); 1595 1596 l2uf->dsap = 0; 1597 l2uf->ssap = 0; 1598 l2uf->control = 0xf5; 1599 l2uf->xid[0] = 0x81; 1600 l2uf->xid[1] = 0x80; 1601 l2uf->xid[2] = 0x00; 1602 1603 m->m_pkthdr.len = m->m_len = sizeof(l2uf); 1604* hostap_deliver_data(vap, ni, m); 1605} 1606 1607static void 1608ratesetmismatch(struct ieee80211_node ni, const struct ieee80211_frame wh, 1609 int reassoc, int resp, const char tag, int rate) 1610{ 1611* IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1612 "deny %s request, %s rate set mismatch, rate/MCS %d", 1613 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1614 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1615 ieee80211_node_leave(ni); 1616} 1617 1618static void 1619capinfomismatch(struct ieee80211_node ni, const struct ieee80211_frame wh, 1620 int reassoc, int resp, const char tag, int capinfo) 1621{ 1622* struct ieee80211vap vap = ni->ni_vap; 1623* 1624 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1625 "deny %s request, %s mismatch 0x%x", 1626 reassoc ? "reassoc" : "assoc", tag, capinfo); 1627 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1628 ieee80211_node_leave(ni); 1629 vap->iv_stats.is_rx_assoc_capmismatch++; 1630} 1631 1632static void 1633htcapmismatch(struct ieee80211_node ni, const struct ieee80211_frame wh, 1634 int reassoc, int resp) 1635{ 1636 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1637 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1638 /* XXX no better code / 1639* IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1640 ieee80211_node_leave(ni); 1641} 1642 1643static void 1644authalgreject(struct ieee80211_node ni, const struct ieee80211_frame wh, 1645 int algo, int seq, int status) 1646{ 1647 struct ieee80211vap vap = ni->ni_vap; 1648* 1649 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1650 wh, NULL, "unsupported alg %d", algo); 1651 vap->iv_stats.is_rx_auth_unsupported++; 1652 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1653 seq \| (status << 16)); 1654} 1655 1656static __inline int 1657ishtmixed(const uint8_t ie) 1658{ 1659* const struct ieee80211_ie_htinfo ht = 1660* (const struct ieee80211_ie_htinfo ) ie; 1661* return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1662 IEEE80211_HTINFO_OPMODE_MIXED; 1663} 1664 1665static int 1666is11bclient(const uint8_t rates, const uint8_t xrates) 1667{ 1668 static const uint32_t brates = (1<<21)\|(1<<22)\|(1<<11)\|(1<<211); 1669* int i; 1670 1671 /* NB: the 11b clients we care about will not have xrates / 1672* if (xrates != NULL \|\| rates == NULL) 1673 return 0; 1674 for (i = 0; i < rates[1]; i++) { 1675 int r = rates[2+i] & IEEE80211_RATE_VAL; 1676 if (r > 211 \|\| ((1<<r) & brates) == 0) 1677* return 0; 1678 } 1679 return 1; 1680} 1681 1682static void 1683hostap_recv_mgmt(struct ieee80211_node ni, struct mbuf m0, 1684 int subtype, int rssi, int nf) 1685{ 1686 struct ieee80211vap vap = ni->ni_vap; 1687* struct ieee80211com ic = ni->ni_ic; 1688* struct ieee80211_frame wh; 1689* uint8_t frm, efrm, sfrm; 1690* uint8_t ssid, rates, xrates, wpa, rsn, wme, ath, htcap; 1691 int reassoc, resp; 1692 uint8_t rate; 1693 1694 wh = mtod(m0, struct ieee80211_frame ); 1695* frm = (uint8_t )&wh[1]; 1696* efrm = mtod(m0, uint8_t ) + m0->m_len; 1697* switch (subtype) { 1698 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1699 case IEEE80211_FC0_SUBTYPE_BEACON: { 1700 struct ieee80211_scanparams scan; 1701 /* 1702 * We process beacon/probe response frames when scanning; 1703 * otherwise we check beacon frames for overlapping non-ERP 1704 * BSS in 11g and/or overlapping legacy BSS when in HT. 1705 / 1706* if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 && 1707 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 1708 vap->iv_stats.is_rx_mgtdiscard++; 1709 return; 1710 } 1711 /* NB: accept off-channel frames / 1712* if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1713 return; 1714 /* 1715 * Count frame now that we know it's to be processed. 1716 / 1717* if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1718 vap->iv_stats.is_rx_beacon++; /* XXX remove / 1719* IEEE80211_NODE_STAT(ni, rx_beacons); 1720 } else 1721 IEEE80211_NODE_STAT(ni, rx_proberesp); 1722 /* 1723 * If scanning, just pass information to the scan module. 1724 / 1725* if (ic->ic_flags & IEEE80211_F_SCAN) { 1726 if (scan.status == 0 && /* NB: on channel / 1727* (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1728 /* 1729 * Actively scanning a channel marked passive; 1730 * send a probe request now that we know there 1731 * is 802.11 traffic present. 1732 * 1733 * XXX check if the beacon we recv'd gives 1734 * us what we need and suppress the probe req 1735 / 1736* ieee80211_probe_curchan(vap, 1); 1737 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1738 } 1739 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1740 subtype, rssi, nf); 1741 return; 1742 } 1743 /* 1744 * Check beacon for overlapping bss w/ non ERP stations. 1745 * If we detect one and protection is configured but not 1746 * enabled, enable it and start a timer that'll bring us 1747 * out if we stop seeing the bss. 1748 / 1749* if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1750 scan.status == 0 && /* NB: on-channel / 1751* ((scan.erp & 0x100) == 0 \|\| /* NB: no ERP, 11b sta/ 1752* (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1753 ic->ic_lastnonerp = ticks; 1754 ic->ic_flags_ext \|= IEEE80211_FEXT_NONERP_PR; 1755 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1756 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1757 IEEE80211_NOTE_FRAME(vap, 1758 IEEE80211_MSG_ASSOC, wh, 1759 "non-ERP present on channel %d " 1760 "(saw erp 0x%x from channel %d), " 1761 "enable use of protection", 1762 ic->ic_curchan->ic_ieee, 1763 scan.erp, scan.chan); 1764 ic->ic_flags \|= IEEE80211_F_USEPROT; 1765 ieee80211_notify_erp(ic); 1766 } 1767 } 1768 /* 1769 * Check beacon for non-HT station on HT channel 1770 * and update HT BSS occupancy as appropriate. 1771 / 1772* if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1773 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1774 /* 1775 * Off control channel; only check frames 1776 * that come in the extension channel when 1777 * operating w/ HT40. 1778 / 1779* if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1780 break; 1781 if (scan.chan != ic->ic_curchan->ic_extieee) 1782 break; 1783 } 1784 if (scan.htinfo == NULL) { 1785 ieee80211_htprot_update(ic, 1786 IEEE80211_HTINFO_OPMODE_PROTOPT \| 1787 IEEE80211_HTINFO_NONHT_PRESENT); 1788 } else if (ishtmixed(scan.htinfo)) { 1789 /* XXX? take NONHT_PRESENT from beacon? / 1790* ieee80211_htprot_update(ic, 1791 IEEE80211_HTINFO_OPMODE_MIXED \| 1792 IEEE80211_HTINFO_NONHT_PRESENT); 1793 } 1794 } 1795 break; 1796 } 1797 1798 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1799 if (vap->iv_state != IEEE80211_S_RUN) { 1800 vap->iv_stats.is_rx_mgtdiscard++; 1801 return; 1802 } 1803 /* 1804 * Consult the ACL policy module if setup. 1805 / 1806* if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1807 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1808 wh, NULL, "%s", "disallowed by ACL"); 1809 vap->iv_stats.is_rx_acl++; 1810 return; 1811 } 1812 /* 1813 * prreq frame format 1814 * [tlv] ssid 1815 * [tlv] supported rates 1816 * [tlv] extended supported rates 1817 / 1818* ssid = rates = xrates = NULL; 1819 sfrm = frm; 1820 while (efrm - frm > 1) { 1821 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1822 switch (frm) { 1823* case IEEE80211_ELEMID_SSID: 1824 ssid = frm; 1825 break; 1826 case IEEE80211_ELEMID_RATES: 1827 rates = frm; 1828 break; 1829 case IEEE80211_ELEMID_XRATES: 1830 xrates = frm; 1831 break; 1832 } 1833 frm += frm[1] + 2; 1834 } 1835 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1836 if (xrates != NULL) 1837 IEEE80211_VERIFY_ELEMENT(xrates, 1838 IEEE80211_RATE_MAXSIZE - rates[1], return); 1839 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1840 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1841 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1842 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1843 wh, NULL, 1844 "%s", "no ssid with ssid suppression enabled"); 1845 vap->iv_stats.is_rx_ssidmismatch++; /XXX/ 1846 return; 1847 } 1848 1849 /* XXX find a better class or define it's own / 1850* IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1851 "%s", "recv probe req"); 1852 /* 1853 * Some legacy 11b clients cannot hack a complete 1854 * probe response frame. When the request includes 1855 * only a bare-bones rate set, communicate this to 1856 * the transmit side. 1857 / 1858* ieee80211_send_proberesp(vap, wh->i_addr2, 1859 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1860 break; 1861 1862 case IEEE80211_FC0_SUBTYPE_AUTH: { 1863 uint16_t algo, seq, status; 1864 1865 if (vap->iv_state != IEEE80211_S_RUN) { 1866 vap->iv_stats.is_rx_mgtdiscard++; 1867 return; 1868 } 1869 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1870 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1871 wh, NULL, "%s", "wrong bssid"); 1872 vap->iv_stats.is_rx_wrongbss++; /XXX unique stat?/ 1873 return; 1874 } 1875 /* 1876 * auth frame format 1877 * [2] algorithm 1878 * [2] sequence 1879 * [2] status 1880 * [tlv] challenge 1881* / 1882* IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1883 algo = le16toh((uint16_t )frm); 1884 seq = le16toh((uint16_t )(frm + 2)); 1885 status = le16toh((uint16_t )(frm + 4)); 1886 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1887 "recv auth frame with algorithm %d seq %d", algo, seq); 1888 /* 1889 * Consult the ACL policy module if setup. 1890 / 1891* if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1892 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1893 wh, NULL, "%s", "disallowed by ACL"); 1894 vap->iv_stats.is_rx_acl++; 1895 ieee80211_send_error(ni, wh->i_addr2, 1896 IEEE80211_FC0_SUBTYPE_AUTH, 1897 (seq+1) \| (IEEE80211_STATUS_UNSPECIFIED<<16)); 1898 return; 1899 } 1900 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1901 IEEE80211_DISCARD(vap, 1902 IEEE80211_MSG_AUTH \| IEEE80211_MSG_CRYPTO, 1903 wh, NULL, "%s", "TKIP countermeasures enabled"); 1904 vap->iv_stats.is_rx_auth_countermeasures++; 1905 ieee80211_send_error(ni, wh->i_addr2, 1906 IEEE80211_FC0_SUBTYPE_AUTH, 1907 IEEE80211_REASON_MIC_FAILURE); 1908 return; 1909 } 1910 if (algo == IEEE80211_AUTH_ALG_SHARED) 1911 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1912 seq, status); 1913 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1914 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1915 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1916 authalgreject(ni, wh, algo, 1917 seq+1, IEEE80211_STATUS_ALG); 1918 return; 1919 } else { 1920 /* 1921 * We assume that an unknown algorithm is the result 1922 * of a decryption failure on a shared key auth frame; 1923 * return a status code appropriate for that instead 1924 * of IEEE80211_STATUS_ALG. 1925 * 1926 * NB: a seq# of 4 is intentional; the decrypted 1927 * frame likely has a bogus seq value. 1928 / 1929* authalgreject(ni, wh, algo, 1930 4, IEEE80211_STATUS_CHALLENGE); 1931 return; 1932 } 1933 break; 1934 } 1935 1936 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1937 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1938 uint16_t capinfo, lintval; 1939 struct ieee80211_rsnparms rsnparms; 1940 1941 if (vap->iv_state != IEEE80211_S_RUN) { 1942 vap->iv_stats.is_rx_mgtdiscard++; 1943 return; 1944 } 1945 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1946 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1947 wh, NULL, "%s", "wrong bssid"); 1948 vap->iv_stats.is_rx_assoc_bss++; 1949 return; 1950 } 1951 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1952 reassoc = 1; 1953 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1954 } else { 1955 reassoc = 0; 1956 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1957 } 1958 if (ni == vap->iv_bss) { 1959 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1960 "deny %s request, sta not authenticated", 1961 reassoc ? "reassoc" : "assoc"); 1962 ieee80211_send_error(ni, wh->i_addr2, 1963 IEEE80211_FC0_SUBTYPE_DEAUTH, 1964 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1965 vap->iv_stats.is_rx_assoc_notauth++; 1966 return; 1967 } 1968 1969 /* 1970 * asreq frame format 1971 * [2] capability information 1972 * [2] listen interval 1973 * [6] current AP address (reassoc only) 1974* * [tlv] ssid 1975 * [tlv] supported rates 1976 * [tlv] extended supported rates 1977 * [tlv] WPA or RSN 1978 * [tlv] HT capabilities 1979 * [tlv] Atheros capabilities 1980 / 1981* IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1982 capinfo = le16toh((uint16_t )frm); frm += 2; 1983 lintval = le16toh((uint16_t )frm); frm += 2; 1984 if (reassoc) 1985 frm += 6; /* ignore current AP info / 1986* ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1987 sfrm = frm; 1988 while (efrm - frm > 1) { 1989 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1990 switch (frm) { 1991* case IEEE80211_ELEMID_SSID: 1992 ssid = frm; 1993 break; 1994 case IEEE80211_ELEMID_RATES: 1995 rates = frm; 1996 break; 1997 case IEEE80211_ELEMID_XRATES: 1998 xrates = frm; 1999 break; 2000 case IEEE80211_ELEMID_RSN: 2001 rsn = frm; 2002 break; 2003 case IEEE80211_ELEMID_HTCAP: 2004 htcap = frm; 2005 break; 2006 case IEEE80211_ELEMID_VENDOR: 2007 if (iswpaoui(frm)) 2008 wpa = frm; 2009 else if (iswmeinfo(frm)) 2010 wme = frm; 2011#ifdef IEEE80211_SUPPORT_SUPERG 2012 else if (isatherosoui(frm)) 2013 ath = frm; 2014#endif 2015 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2016 if (ishtcapoui(frm) && htcap == NULL) 2017 htcap = frm; 2018 } 2019 break; 2020 } 2021 frm += frm[1] + 2; 2022 } 2023 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2024 if (xrates != NULL) 2025 IEEE80211_VERIFY_ELEMENT(xrates, 2026 IEEE80211_RATE_MAXSIZE - rates[1], return); 2027 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2028 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2029 if (htcap != NULL) { 2030 IEEE80211_VERIFY_LENGTH(htcap[1], 2031 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2032 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2033 sizeof(struct ieee80211_ie_htcap)-2, 2034 return); /* XXX just NULL out? / 2035* } 2036 2037 if ((vap->iv_flags & IEEE80211_F_WPA) && 2038 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2039 return; 2040 /* discard challenge after association / 2041* if (ni->ni_challenge != NULL) { 2042 free(ni->ni_challenge, M_80211_NODE); 2043 ni->ni_challenge = NULL; 2044 } 2045 /* NB: 802.11 spec says to ignore station's privacy bit / 2046* if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2047 capinfomismatch(ni, wh, reassoc, resp, 2048 "capability", capinfo); 2049 return; 2050 } 2051 /* 2052 * Disallow re-associate w/ invalid slot time setting. 2053 / 2054* if (ni->ni_associd != 0 && 2055 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2056 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2057 capinfomismatch(ni, wh, reassoc, resp, 2058 "slot time", capinfo); 2059 return; 2060 } 2061 rate = ieee80211_setup_rates(ni, rates, xrates, 2062 IEEE80211_F_DOSORT \| IEEE80211_F_DOFRATE \| 2063 IEEE80211_F_DONEGO \| IEEE80211_F_DODEL); 2064 if (rate & IEEE80211_RATE_BASIC) { 2065 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2066 vap->iv_stats.is_rx_assoc_norate++; 2067 return; 2068 } 2069 /* 2070 * If constrained to 11g-only stations reject an 2071 * 11b-only station. We cheat a bit here by looking 2072 * at the max negotiated xmit rate and assuming anyone 2073 * with a best rate <24Mb/s is an 11b station. 2074 / 2075* if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2076 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2077 vap->iv_stats.is_rx_assoc_norate++; 2078 return; 2079 } 2080 /* 2081 * Do HT rate set handling and setup HT node state. 2082 / 2083* ni->ni_chan = vap->iv_bss->ni_chan; 2084 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2085 rate = ieee80211_setup_htrates(ni, htcap, 2086 IEEE80211_F_DOFMCS \| IEEE80211_F_DONEGO \| 2087 IEEE80211_F_DOBRS); 2088 if (rate & IEEE80211_RATE_BASIC) { 2089 ratesetmismatch(ni, wh, reassoc, resp, 2090 "HT", rate); 2091 vap->iv_stats.is_ht_assoc_norate++; 2092 return; 2093 } 2094 ieee80211_ht_node_init(ni); 2095 ieee80211_ht_updatehtcap(ni, htcap); 2096 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2097 ieee80211_ht_node_cleanup(ni); 2098#ifdef IEEE80211_SUPPORT_SUPERG 2099 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH) 2100 ieee80211_ff_node_cleanup(ni); 2101#endif 2102 /* 2103 * Allow AMPDU operation only with unencrypted traffic 2104 * or AES-CCM; the 11n spec only specifies these ciphers 2105 * so permitting any others is undefined and can lead 2106 * to interoperability problems. 2107 / 2108* if ((ni->ni_flags & IEEE80211_NODE_HT) && 2109 (((vap->iv_flags & IEEE80211_F_WPA) && 2110 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) \|\| 2111 (vap->iv_flags & (IEEE80211_F_WPA\|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2112 IEEE80211_NOTE(vap, 2113 IEEE80211_MSG_ASSOC \| IEEE80211_MSG_11N, ni, 2114 "disallow HT use because WEP or TKIP requested, " 2115 "capinfo 0x%x ucastcipher %d", capinfo, 2116 rsnparms.rsn_ucastcipher); 2117 ieee80211_ht_node_cleanup(ni); 2118 vap->iv_stats.is_ht_assoc_downgrade++; 2119 } 2120 /* 2121 * If constrained to 11n-only stations reject legacy stations. 2122 / 2123* if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2124 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2125 htcapmismatch(ni, wh, reassoc, resp); 2126 vap->iv_stats.is_ht_assoc_nohtcap++; 2127 return; 2128 } 2129 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2130 ni->ni_noise = nf; 2131 ni->ni_intval = lintval; 2132 ni->ni_capinfo = capinfo; 2133 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2134 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2135 /* 2136 * Store the IEs. 2137 * XXX maybe better to just expand 2138 / 2139* if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2140#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2141 if (wpa != NULL) 2142 setie(wpa_ie, wpa - sfrm); 2143 if (rsn != NULL) 2144 setie(rsn_ie, rsn - sfrm); 2145 if (htcap != NULL) 2146 setie(htcap_ie, htcap - sfrm); 2147 if (wme != NULL) { 2148 setie(wme_ie, wme - sfrm); 2149 /* 2150 * Mark node as capable of QoS. 2151 / 2152* ni->ni_flags \|= IEEE80211_NODE_QOS; 2153 } else 2154 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2155#ifdef IEEE80211_SUPPORT_SUPERG 2156 if (ath != NULL) { 2157 setie(ath_ie, ath - sfrm); 2158 /* 2159 * Parse ATH station parameters. 2160 / 2161* ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2162 } else 2163#endif 2164 ni->ni_ath_flags = 0; 2165#undef setie 2166 } else { 2167 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2168 ni->ni_ath_flags = 0; 2169 } 2170 ieee80211_node_join(ni, resp); 2171 ieee80211_deliver_l2uf(ni); 2172 break; 2173 } 2174 2175 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2176 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2177 uint16_t reason; 2178 2179 if (vap->iv_state != IEEE80211_S_RUN \|\| 2180 /* NB: can happen when in promiscuous mode / 2181* !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2182 vap->iv_stats.is_rx_mgtdiscard++; 2183 break; 2184 } 2185 /* 2186 * deauth/disassoc frame format 2187 * [2] reason 2188 / 2189* IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2190 reason = le16toh((uint16_t )frm); 2191 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2192 vap->iv_stats.is_rx_deauth++; 2193 IEEE80211_NODE_STAT(ni, rx_deauth); 2194 } else { 2195 vap->iv_stats.is_rx_disassoc++; 2196 IEEE80211_NODE_STAT(ni, rx_disassoc); 2197 } 2198 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2199 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >> 2200 IEEE80211_FC0_SUBTYPE_SHIFT], reason); 2201 if (ni != vap->iv_bss) 2202 ieee80211_node_leave(ni); 2203 break; 2204 } 2205 2206 case IEEE80211_FC0_SUBTYPE_ACTION: 2207 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2208 if (ni == vap->iv_bss) { 2209 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2210 wh, NULL, "%s", "unknown node"); 2211 vap->iv_stats.is_rx_mgtdiscard++; 2212 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2213 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2214 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2215 wh, NULL, "%s", "not for us"); 2216 vap->iv_stats.is_rx_mgtdiscard++; 2217 } else if (vap->iv_state != IEEE80211_S_RUN) { 2218 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2219 wh, NULL, "wrong state %s", 2220 ieee80211_state_name[vap->iv_state]); 2221 vap->iv_stats.is_rx_mgtdiscard++; 2222 } else { 2223 if (ieee80211_parse_action(ni, m0) == 0) 2224 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2225 } 2226 break; 2227 2228 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2229 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2230 case IEEE80211_FC0_SUBTYPE_ATIM: 2231 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2232 wh, NULL, "%s", "not handled"); 2233 vap->iv_stats.is_rx_mgtdiscard++; 2234 break; 2235 2236 default: 2237 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2238 wh, "mgt", "subtype 0x%x not handled", subtype); 2239 vap->iv_stats.is_rx_badsubtype++; 2240 break; 2241 } 2242} 2243 2244static void 2245hostap_recv_ctl(struct ieee80211_node ni, struct mbuf m, int subtype) 2246{ 2247 switch (subtype) { 2248 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2249 ni->ni_vap->iv_recv_pspoll(ni, m); 2250 break; 2251 case IEEE80211_FC0_SUBTYPE_BAR: 2252 ieee80211_recv_bar(ni, m); 2253 break; 2254 } 2255} 2256 2257/* 2258 * Process a received ps-poll frame. 2259 / 2260void 2261ieee80211_recv_pspoll(struct ieee80211_node ni, struct mbuf m0) 2262{ 2263* struct ieee80211vap vap = ni->ni_vap; 2264* struct ieee80211com ic = vap->iv_ic; 2265* struct ieee80211_frame_min wh; 2266* struct mbuf m; 2267* uint16_t aid; 2268 int qlen; 2269 2270 wh = mtod(m0, struct ieee80211_frame_min ); 2271* if (ni->ni_associd == 0) { 2272 IEEE80211_DISCARD(vap, 2273 IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG, 2274 (struct ieee80211_frame ) wh, NULL, 2275* "%s", "unassociated station"); 2276 vap->iv_stats.is_ps_unassoc++; 2277 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2278 IEEE80211_REASON_NOT_ASSOCED); 2279 return; 2280 } 2281 2282 aid = le16toh((uint16_t )wh->i_dur); 2283 if (aid != ni->ni_associd) { 2284 IEEE80211_DISCARD(vap, 2285 IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG, 2286 (struct ieee80211_frame ) wh, NULL, 2287* "aid mismatch: sta aid 0x%x poll aid 0x%x", 2288 ni->ni_associd, aid); 2289 vap->iv_stats.is_ps_badaid++; 2290 /* 2291 * NB: We used to deauth the station but it turns out 2292 * the Blackberry Curve 8230 (and perhaps other devices) 2293 * sometimes send the wrong AID when WME is negotiated. 2294 * Being more lenient here seems ok as we already check 2295 * the station is associated and we only return frames 2296 * queued for the station (i.e. we don't use the AID). 2297 / 2298* return; 2299 } 2300 2301 /* Okay, take the first queued packet and put it out... / 2302* m = ieee80211_node_psq_dequeue(ni, &qlen); 2303 if (m == NULL) { 2304 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2305 "%s", "recv ps-poll, but queue empty"); 2306 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2307 vap->iv_stats.is_ps_qempty++; /* XXX node stat / 2308* if (vap->iv_set_tim != NULL) 2309 vap->iv_set_tim(ni, 0); /* just in case / 2310* return; 2311 } 2312 /* 2313 * If there are more packets, set the more packets bit 2314 * in the packet dispatched to the station; otherwise 2315 * turn off the TIM bit. 2316 / 2317* if (qlen != 0) { 2318 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2319 "recv ps-poll, send packet, %u still queued", qlen); 2320 m->m_flags \|= M_MORE_DATA; 2321 } else { 2322 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2323 "%s", "recv ps-poll, send packet, queue empty"); 2324 if (vap->iv_set_tim != NULL) 2325 vap->iv_set_tim(ni, 0); 2326 } 2327 m->m_flags \|= M_PWR_SAV; /* bypass PS handling / 2328* 2329 /* 2330 * Do the right thing; if it's an encap'ed frame then 2331 * call ieee80211_parent_xmitpkt() (and free the ref) else 2332 * call ieee80211_vap_xmitpkt(). 2333 / 2334* if (m->m_flags & M_ENCAP) { 2335 if (ieee80211_parent_xmitpkt(ic, m) != 0) 2336 ieee80211_free_node(ni); 2337 } else { 2338 (void) ieee80211_vap_xmitpkt(vap, m); 2339 } 2340}