ieee80211_hostap.c revision 193413
1/*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__ 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_hostap.c 193413 2009-06-03 23:30:25Z sam $"); 29#endif 30 31/* 32 * IEEE 802.11 HOSTAP mode support. 33 */ 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_media.h> 52#include <net/if_llc.h> 53#include <net/ethernet.h> 54 55#include <net/bpf.h> 56 57#include <net80211/ieee80211_var.h> 58#include <net80211/ieee80211_hostap.h> 59#include <net80211/ieee80211_input.h> 60#ifdef IEEE80211_SUPPORT_SUPERG 61#include <net80211/ieee80211_superg.h> 62#endif 63#include <net80211/ieee80211_wds.h> 64 65#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 66 67static void hostap_vattach(struct ieee80211vap *); 68static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 69static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 70 int rssi, int nf); 71static void hostap_deliver_data(struct ieee80211vap *, 72 struct ieee80211_node *, struct mbuf *); 73static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, int rssi, int nf); 75static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 76static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *); 77 78void 79ieee80211_hostap_attach(struct ieee80211com *ic) 80{ 81 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 82} 83 84void 85ieee80211_hostap_detach(struct ieee80211com *ic) 86{ 87} 88 89static void 90hostap_vdetach(struct ieee80211vap *vap) 91{ 92} 93 94static void 95hostap_vattach(struct ieee80211vap *vap) 96{ 97 vap->iv_newstate = hostap_newstate; 98 vap->iv_input = hostap_input; 99 vap->iv_recv_mgmt = hostap_recv_mgmt; 100 vap->iv_recv_ctl = hostap_recv_ctl; 101 vap->iv_opdetach = hostap_vdetach; 102 vap->iv_deliver_data = hostap_deliver_data; 103} 104 105static void 106sta_disassoc(void *arg, struct ieee80211_node *ni) 107{ 108 struct ieee80211vap *vap = arg; 109 110 if (ni->ni_vap == vap && ni->ni_associd != 0) { 111 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 112 IEEE80211_REASON_ASSOC_LEAVE); 113 ieee80211_node_leave(ni); 114 } 115} 116 117static void 118sta_csa(void *arg, struct ieee80211_node *ni) 119{ 120 struct ieee80211vap *vap = arg; 121 122 if (ni->ni_vap == vap && ni->ni_associd != 0) 123 if (ni->ni_inact > vap->iv_inact_init) { 124 ni->ni_inact = vap->iv_inact_init; 125 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 126 "%s: inact %u", __func__, ni->ni_inact); 127 } 128} 129 130/* 131 * IEEE80211_M_HOSTAP vap state machine handler. 132 */ 133static int 134hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 135{ 136 struct ieee80211com *ic = vap->iv_ic; 137 enum ieee80211_state ostate; 138 139 IEEE80211_LOCK_ASSERT(ic); 140 141 ostate = vap->iv_state; 142 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 143 __func__, ieee80211_state_name[ostate], 144 ieee80211_state_name[nstate], arg); 145 vap->iv_state = nstate; /* state transition */ 146 if (ostate != IEEE80211_S_SCAN) 147 ieee80211_cancel_scan(vap); /* background scan */ 148 switch (nstate) { 149 case IEEE80211_S_INIT: 150 switch (ostate) { 151 case IEEE80211_S_SCAN: 152 ieee80211_cancel_scan(vap); 153 break; 154 case IEEE80211_S_CAC: 155 ieee80211_dfs_cac_stop(vap); 156 break; 157 case IEEE80211_S_RUN: 158 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 159 break; 160 default: 161 break; 162 } 163 if (ostate != IEEE80211_S_INIT) { 164 /* NB: optimize INIT -> INIT case */ 165 ieee80211_reset_bss(vap); 166 } 167 if (vap->iv_auth->ia_detach != NULL) 168 vap->iv_auth->ia_detach(vap); 169 break; 170 case IEEE80211_S_SCAN: 171 switch (ostate) { 172 case IEEE80211_S_CSA: 173 case IEEE80211_S_RUN: 174 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 175 /* 176 * Clear overlapping BSS state; the beacon frame 177 * will be reconstructed on transition to the RUN 178 * state and the timeout routines check if the flag 179 * is set before doing anything so this is sufficient. 180 */ 181 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 182 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR; 183 /* fall thru... */ 184 case IEEE80211_S_CAC: 185 /* 186 * NB: We may get here because of a manual channel 187 * change in which case we need to stop CAC 188 * XXX no need to stop if ostate RUN but it's ok 189 */ 190 ieee80211_dfs_cac_stop(vap); 191 /* fall thru... */ 192 case IEEE80211_S_INIT: 193 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 194 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 195 /* 196 * Already have a channel; bypass the 197 * scan and startup immediately. 198 * ieee80211_create_ibss will call back to 199 * move us to RUN state. 200 */ 201 ieee80211_create_ibss(vap, vap->iv_des_chan); 202 break; 203 } 204 /* 205 * Initiate a scan. We can come here as a result 206 * of an IEEE80211_IOC_SCAN_REQ too in which case 207 * the vap will be marked with IEEE80211_FEXT_SCANREQ 208 * and the scan request parameters will be present 209 * in iv_scanreq. Otherwise we do the default. 210 */ 211 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 212 ieee80211_check_scan(vap, 213 vap->iv_scanreq_flags, 214 vap->iv_scanreq_duration, 215 vap->iv_scanreq_mindwell, 216 vap->iv_scanreq_maxdwell, 217 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 218 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 219 } else 220 ieee80211_check_scan_current(vap); 221 break; 222 case IEEE80211_S_SCAN: 223 /* 224 * A state change requires a reset; scan. 225 */ 226 ieee80211_check_scan_current(vap); 227 break; 228 default: 229 break; 230 } 231 break; 232 case IEEE80211_S_CAC: 233 /* 234 * Start CAC on a DFS channel. We come here when starting 235 * a bss on a DFS channel (see ieee80211_create_ibss). 236 */ 237 ieee80211_dfs_cac_start(vap); 238 break; 239 case IEEE80211_S_RUN: 240 if (vap->iv_flags & IEEE80211_F_WPA) { 241 /* XXX validate prerequisites */ 242 } 243 switch (ostate) { 244 case IEEE80211_S_INIT: 245 /* 246 * Already have a channel; bypass the 247 * scan and startup immediately. 248 * Note that ieee80211_create_ibss will call 249 * back to do a RUN->RUN state change. 250 */ 251 ieee80211_create_ibss(vap, 252 ieee80211_ht_adjust_channel(ic, 253 ic->ic_curchan, vap->iv_flags_ext)); 254 /* NB: iv_bss is changed on return */ 255 break; 256 case IEEE80211_S_CAC: 257 /* 258 * NB: This is the normal state change when CAC 259 * expires and no radar was detected; no need to 260 * clear the CAC timer as it's already expired. 261 */ 262 /* fall thru... */ 263 case IEEE80211_S_CSA: 264 /* 265 * Shorten inactivity timer of associated stations 266 * to weed out sta's that don't follow a CSA. 267 */ 268 ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap); 269 /* 270 * Update bss node channel to reflect where 271 * we landed after CSA. 272 */ 273 ieee80211_node_set_chan(vap->iv_bss, 274 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 275 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 276 /* XXX bypass debug msgs */ 277 break; 278 case IEEE80211_S_SCAN: 279 case IEEE80211_S_RUN: 280#ifdef IEEE80211_DEBUG 281 if (ieee80211_msg_debug(vap)) { 282 struct ieee80211_node *ni = vap->iv_bss; 283 ieee80211_note(vap, 284 "synchronized with %s ssid ", 285 ether_sprintf(ni->ni_bssid)); 286 ieee80211_print_essid(ni->ni_essid, 287 ni->ni_esslen); 288 /* XXX MCS/HT */ 289 printf(" channel %d start %uMb\n", 290 ieee80211_chan2ieee(ic, ic->ic_curchan), 291 IEEE80211_RATE2MBS(ni->ni_txrate)); 292 } 293#endif 294 break; 295 default: 296 break; 297 } 298 /* 299 * Start/stop the authenticator. We delay until here 300 * to allow configuration to happen out of order. 301 */ 302 if (vap->iv_auth->ia_attach != NULL) { 303 /* XXX check failure */ 304 vap->iv_auth->ia_attach(vap); 305 } else if (vap->iv_auth->ia_detach != NULL) { 306 vap->iv_auth->ia_detach(vap); 307 } 308 ieee80211_node_authorize(vap->iv_bss); 309 break; 310 default: 311 break; 312 } 313 return 0; 314} 315 316static void 317hostap_deliver_data(struct ieee80211vap *vap, 318 struct ieee80211_node *ni, struct mbuf *m) 319{ 320 struct ether_header *eh = mtod(m, struct ether_header *); 321 struct ifnet *ifp = vap->iv_ifp; 322 323 /* clear driver/net80211 flags before passing up */ 324 m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST); 325 326 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 327 ("gack, opmode %d", vap->iv_opmode)); 328 /* 329 * Do accounting. 330 */ 331 ifp->if_ipackets++; 332 IEEE80211_NODE_STAT(ni, rx_data); 333 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 334 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 335 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 336 IEEE80211_NODE_STAT(ni, rx_mcast); 337 } else 338 IEEE80211_NODE_STAT(ni, rx_ucast); 339 340 /* perform as a bridge within the AP */ 341 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 342 struct mbuf *mcopy = NULL; 343 344 if (m->m_flags & M_MCAST) { 345 mcopy = m_dup(m, M_DONTWAIT); 346 if (mcopy == NULL) 347 ifp->if_oerrors++; 348 else 349 mcopy->m_flags |= M_MCAST; 350 } else { 351 /* 352 * Check if the destination is associated with the 353 * same vap and authorized to receive traffic. 354 * Beware of traffic destined for the vap itself; 355 * sending it will not work; just let it be delivered 356 * normally. 357 */ 358 struct ieee80211_node *sta = ieee80211_find_vap_node( 359 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 360 if (sta != NULL) { 361 if (ieee80211_node_is_authorized(sta)) { 362 /* 363 * Beware of sending to ourself; this 364 * needs to happen via the normal 365 * input path. 366 */ 367 if (sta != vap->iv_bss) { 368 mcopy = m; 369 m = NULL; 370 } 371 } else { 372 vap->iv_stats.is_rx_unauth++; 373 IEEE80211_NODE_STAT(sta, rx_unauth); 374 } 375 ieee80211_free_node(sta); 376 } 377 } 378 if (mcopy != NULL) { 379 int len, err; 380 len = mcopy->m_pkthdr.len; 381 err = ifp->if_transmit(ifp, mcopy); 382 if (err) { 383 /* NB: IFQ_HANDOFF reclaims mcopy */ 384 } else { 385 ifp->if_opackets++; 386 } 387 } 388 } 389 if (m != NULL) { 390 /* 391 * Mark frame as coming from vap's interface. 392 */ 393 m->m_pkthdr.rcvif = ifp; 394 if (m->m_flags & M_MCAST) { 395 /* 396 * Spam DWDS vap's w/ multicast traffic. 397 */ 398 /* XXX only if dwds in use? */ 399 ieee80211_dwds_mcast(vap, m); 400 } 401 if (ni->ni_vlan != 0) { 402 /* attach vlan tag */ 403 m->m_pkthdr.ether_vtag = ni->ni_vlan; 404 m->m_flags |= M_VLANTAG; 405 } 406 ifp->if_input(ifp, m); 407 } 408} 409 410/* 411 * Decide if a received management frame should be 412 * printed when debugging is enabled. This filters some 413 * of the less interesting frames that come frequently 414 * (e.g. beacons). 415 */ 416static __inline int 417doprint(struct ieee80211vap *vap, int subtype) 418{ 419 switch (subtype) { 420 case IEEE80211_FC0_SUBTYPE_BEACON: 421 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 422 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 423 return 0; 424 } 425 return 1; 426} 427 428/* 429 * Process a received frame. The node associated with the sender 430 * should be supplied. If nothing was found in the node table then 431 * the caller is assumed to supply a reference to iv_bss instead. 432 * The RSSI and a timestamp are also supplied. The RSSI data is used 433 * during AP scanning to select a AP to associate with; it can have 434 * any units so long as values have consistent units and higher values 435 * mean ``better signal''. The receive timestamp is currently not used 436 * by the 802.11 layer. 437 */ 438static int 439hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf) 440{ 441#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 442#define HAS_SEQ(type) ((type & 0x4) == 0) 443 struct ieee80211vap *vap = ni->ni_vap; 444 struct ieee80211com *ic = ni->ni_ic; 445 struct ifnet *ifp = vap->iv_ifp; 446 struct ieee80211_frame *wh; 447 struct ieee80211_key *key; 448 struct ether_header *eh; 449 int hdrspace, need_tap; 450 uint8_t dir, type, subtype, qos; 451 uint8_t *bssid; 452 uint16_t rxseq; 453 454 if (m->m_flags & M_AMPDU_MPDU) { 455 /* 456 * Fastpath for A-MPDU reorder q resubmission. Frames 457 * w/ M_AMPDU_MPDU marked have already passed through 458 * here but were received out of order and been held on 459 * the reorder queue. When resubmitted they are marked 460 * with the M_AMPDU_MPDU flag and we can bypass most of 461 * the normal processing. 462 */ 463 wh = mtod(m, struct ieee80211_frame *); 464 type = IEEE80211_FC0_TYPE_DATA; 465 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 466 subtype = IEEE80211_FC0_SUBTYPE_QOS; 467 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 468 goto resubmit_ampdu; 469 } 470 471 KASSERT(ni != NULL, ("null node")); 472 ni->ni_inact = ni->ni_inact_reload; 473 474 need_tap = 1; /* mbuf need to be tapped. */ 475 type = -1; /* undefined */ 476 477 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 478 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 479 ni->ni_macaddr, NULL, 480 "too short (1): len %u", m->m_pkthdr.len); 481 vap->iv_stats.is_rx_tooshort++; 482 goto out; 483 } 484 /* 485 * Bit of a cheat here, we use a pointer for a 3-address 486 * frame format but don't reference fields past outside 487 * ieee80211_frame_min w/o first validating the data is 488 * present. 489 */ 490 wh = mtod(m, struct ieee80211_frame *); 491 492 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 493 IEEE80211_FC0_VERSION_0) { 494 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 495 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 496 wh->i_fc[0], wh->i_fc[1]); 497 vap->iv_stats.is_rx_badversion++; 498 goto err; 499 } 500 501 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 502 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 503 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 504 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 505 if (dir != IEEE80211_FC1_DIR_NODS) 506 bssid = wh->i_addr1; 507 else if (type == IEEE80211_FC0_TYPE_CTL) 508 bssid = wh->i_addr1; 509 else { 510 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 511 IEEE80211_DISCARD_MAC(vap, 512 IEEE80211_MSG_ANY, ni->ni_macaddr, 513 NULL, "too short (2): len %u", 514 m->m_pkthdr.len); 515 vap->iv_stats.is_rx_tooshort++; 516 goto out; 517 } 518 bssid = wh->i_addr3; 519 } 520 /* 521 * Validate the bssid. 522 */ 523 if (!(type == IEEE80211_FC0_TYPE_MGT && 524 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 525 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 526 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 527 /* not interested in */ 528 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 529 bssid, NULL, "%s", "not to bss"); 530 vap->iv_stats.is_rx_wrongbss++; 531 goto out; 532 } 533 534 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 535 ni->ni_noise = nf; 536 if (HAS_SEQ(type)) { 537 uint8_t tid = ieee80211_gettid(wh); 538 if (IEEE80211_QOS_HAS_SEQ(wh) && 539 TID_TO_WME_AC(tid) >= WME_AC_VI) 540 ic->ic_wme.wme_hipri_traffic++; 541 rxseq = le16toh(*(uint16_t *)wh->i_seq); 542 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 543 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 544 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 545 /* duplicate, discard */ 546 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 547 bssid, "duplicate", 548 "seqno <%u,%u> fragno <%u,%u> tid %u", 549 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 550 ni->ni_rxseqs[tid] >> 551 IEEE80211_SEQ_SEQ_SHIFT, 552 rxseq & IEEE80211_SEQ_FRAG_MASK, 553 ni->ni_rxseqs[tid] & 554 IEEE80211_SEQ_FRAG_MASK, 555 tid); 556 vap->iv_stats.is_rx_dup++; 557 IEEE80211_NODE_STAT(ni, rx_dup); 558 goto out; 559 } 560 ni->ni_rxseqs[tid] = rxseq; 561 } 562 } 563 564 switch (type) { 565 case IEEE80211_FC0_TYPE_DATA: 566 hdrspace = ieee80211_hdrspace(ic, wh); 567 if (m->m_len < hdrspace && 568 (m = m_pullup(m, hdrspace)) == NULL) { 569 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 570 ni->ni_macaddr, NULL, 571 "data too short: expecting %u", hdrspace); 572 vap->iv_stats.is_rx_tooshort++; 573 goto out; /* XXX */ 574 } 575 if (!(dir == IEEE80211_FC1_DIR_TODS || 576 (dir == IEEE80211_FC1_DIR_DSTODS && 577 (vap->iv_flags & IEEE80211_F_DWDS)))) { 578 if (dir != IEEE80211_FC1_DIR_DSTODS) { 579 IEEE80211_DISCARD(vap, 580 IEEE80211_MSG_INPUT, wh, "data", 581 "incorrect dir 0x%x", dir); 582 } else { 583 IEEE80211_DISCARD(vap, 584 IEEE80211_MSG_INPUT | 585 IEEE80211_MSG_WDS, wh, 586 "4-address data", 587 "%s", "DWDS not enabled"); 588 } 589 vap->iv_stats.is_rx_wrongdir++; 590 goto out; 591 } 592 /* check if source STA is associated */ 593 if (ni == vap->iv_bss) { 594 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 595 wh, "data", "%s", "unknown src"); 596 ieee80211_send_error(ni, wh->i_addr2, 597 IEEE80211_FC0_SUBTYPE_DEAUTH, 598 IEEE80211_REASON_NOT_AUTHED); 599 vap->iv_stats.is_rx_notassoc++; 600 goto err; 601 } 602 if (ni->ni_associd == 0) { 603 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 604 wh, "data", "%s", "unassoc src"); 605 IEEE80211_SEND_MGMT(ni, 606 IEEE80211_FC0_SUBTYPE_DISASSOC, 607 IEEE80211_REASON_NOT_ASSOCED); 608 vap->iv_stats.is_rx_notassoc++; 609 goto err; 610 } 611 612 /* 613 * Check for power save state change. 614 * XXX out-of-order A-MPDU frames? 615 */ 616 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 617 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 618 ieee80211_node_pwrsave(ni, 619 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 620 /* 621 * For 4-address packets handle WDS discovery 622 * notifications. Once a WDS link is setup frames 623 * are just delivered to the WDS vap (see below). 624 */ 625 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 626 if (!ieee80211_node_is_authorized(ni)) { 627 IEEE80211_DISCARD(vap, 628 IEEE80211_MSG_INPUT | 629 IEEE80211_MSG_WDS, wh, 630 "4-address data", 631 "%s", "unauthorized port"); 632 vap->iv_stats.is_rx_unauth++; 633 IEEE80211_NODE_STAT(ni, rx_unauth); 634 goto err; 635 } 636 ieee80211_dwds_discover(ni, m); 637 return type; 638 } 639 640 /* 641 * Handle A-MPDU re-ordering. If the frame is to be 642 * processed directly then ieee80211_ampdu_reorder 643 * will return 0; otherwise it has consumed the mbuf 644 * and we should do nothing more with it. 645 */ 646 if ((m->m_flags & M_AMPDU) && 647 ieee80211_ampdu_reorder(ni, m) != 0) { 648 m = NULL; 649 goto out; 650 } 651 resubmit_ampdu: 652 653 /* 654 * Handle privacy requirements. Note that we 655 * must not be preempted from here until after 656 * we (potentially) call ieee80211_crypto_demic; 657 * otherwise we may violate assumptions in the 658 * crypto cipher modules used to do delayed update 659 * of replay sequence numbers. 660 */ 661 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 662 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 663 /* 664 * Discard encrypted frames when privacy is off. 665 */ 666 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 667 wh, "WEP", "%s", "PRIVACY off"); 668 vap->iv_stats.is_rx_noprivacy++; 669 IEEE80211_NODE_STAT(ni, rx_noprivacy); 670 goto out; 671 } 672 key = ieee80211_crypto_decap(ni, m, hdrspace); 673 if (key == NULL) { 674 /* NB: stats+msgs handled in crypto_decap */ 675 IEEE80211_NODE_STAT(ni, rx_wepfail); 676 goto out; 677 } 678 wh = mtod(m, struct ieee80211_frame *); 679 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 680 } else { 681 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 682 key = NULL; 683 } 684 685 /* 686 * Save QoS bits for use below--before we strip the header. 687 */ 688 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 689 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 690 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 691 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 692 } else 693 qos = 0; 694 695 /* 696 * Next up, any fragmentation. 697 */ 698 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 699 m = ieee80211_defrag(ni, m, hdrspace); 700 if (m == NULL) { 701 /* Fragment dropped or frame not complete yet */ 702 goto out; 703 } 704 } 705 wh = NULL; /* no longer valid, catch any uses */ 706 707 /* 708 * Next strip any MSDU crypto bits. 709 */ 710 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 711 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 712 ni->ni_macaddr, "data", "%s", "demic error"); 713 vap->iv_stats.is_rx_demicfail++; 714 IEEE80211_NODE_STAT(ni, rx_demicfail); 715 goto out; 716 } 717 /* copy to listener after decrypt */ 718 if (ieee80211_radiotap_active_vap(vap)) 719 ieee80211_radiotap_rx(vap, m); 720 need_tap = 0; 721 /* 722 * Finally, strip the 802.11 header. 723 */ 724 m = ieee80211_decap(vap, m, hdrspace); 725 if (m == NULL) { 726 /* XXX mask bit to check for both */ 727 /* don't count Null data frames as errors */ 728 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 729 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 730 goto out; 731 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 732 ni->ni_macaddr, "data", "%s", "decap error"); 733 vap->iv_stats.is_rx_decap++; 734 IEEE80211_NODE_STAT(ni, rx_decap); 735 goto err; 736 } 737 eh = mtod(m, struct ether_header *); 738 if (!ieee80211_node_is_authorized(ni)) { 739 /* 740 * Deny any non-PAE frames received prior to 741 * authorization. For open/shared-key 742 * authentication the port is mark authorized 743 * after authentication completes. For 802.1x 744 * the port is not marked authorized by the 745 * authenticator until the handshake has completed. 746 */ 747 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 748 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 749 eh->ether_shost, "data", 750 "unauthorized port: ether type 0x%x len %u", 751 eh->ether_type, m->m_pkthdr.len); 752 vap->iv_stats.is_rx_unauth++; 753 IEEE80211_NODE_STAT(ni, rx_unauth); 754 goto err; 755 } 756 } else { 757 /* 758 * When denying unencrypted frames, discard 759 * any non-PAE frames received without encryption. 760 */ 761 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 762 (key == NULL && (m->m_flags & M_WEP) == 0) && 763 eh->ether_type != htons(ETHERTYPE_PAE)) { 764 /* 765 * Drop unencrypted frames. 766 */ 767 vap->iv_stats.is_rx_unencrypted++; 768 IEEE80211_NODE_STAT(ni, rx_unencrypted); 769 goto out; 770 } 771 } 772 /* XXX require HT? */ 773 if (qos & IEEE80211_QOS_AMSDU) { 774 m = ieee80211_decap_amsdu(ni, m); 775 if (m == NULL) 776 return IEEE80211_FC0_TYPE_DATA; 777 } else { 778#ifdef IEEE80211_SUPPORT_SUPERG 779 m = ieee80211_decap_fastframe(vap, ni, m); 780 if (m == NULL) 781 return IEEE80211_FC0_TYPE_DATA; 782#endif 783 } 784 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 785 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 786 else 787 hostap_deliver_data(vap, ni, m); 788 return IEEE80211_FC0_TYPE_DATA; 789 790 case IEEE80211_FC0_TYPE_MGT: 791 vap->iv_stats.is_rx_mgmt++; 792 IEEE80211_NODE_STAT(ni, rx_mgmt); 793 if (dir != IEEE80211_FC1_DIR_NODS) { 794 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 795 wh, "mgt", "incorrect dir 0x%x", dir); 796 vap->iv_stats.is_rx_wrongdir++; 797 goto err; 798 } 799 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 800 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 801 ni->ni_macaddr, "mgt", "too short: len %u", 802 m->m_pkthdr.len); 803 vap->iv_stats.is_rx_tooshort++; 804 goto out; 805 } 806 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 807 /* ensure return frames are unicast */ 808 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 809 wh, NULL, "source is multicast: %s", 810 ether_sprintf(wh->i_addr2)); 811 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 812 goto out; 813 } 814#ifdef IEEE80211_DEBUG 815 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 816 ieee80211_msg_dumppkts(vap)) { 817 if_printf(ifp, "received %s from %s rssi %d\n", 818 ieee80211_mgt_subtype_name[subtype >> 819 IEEE80211_FC0_SUBTYPE_SHIFT], 820 ether_sprintf(wh->i_addr2), rssi); 821 } 822#endif 823 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 824 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 825 /* 826 * Only shared key auth frames with a challenge 827 * should be encrypted, discard all others. 828 */ 829 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 830 wh, NULL, 831 "%s", "WEP set but not permitted"); 832 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 833 goto out; 834 } 835 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 836 /* 837 * Discard encrypted frames when privacy is off. 838 */ 839 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 840 wh, NULL, "%s", "WEP set but PRIVACY off"); 841 vap->iv_stats.is_rx_noprivacy++; 842 goto out; 843 } 844 hdrspace = ieee80211_hdrspace(ic, wh); 845 key = ieee80211_crypto_decap(ni, m, hdrspace); 846 if (key == NULL) { 847 /* NB: stats+msgs handled in crypto_decap */ 848 goto out; 849 } 850 wh = mtod(m, struct ieee80211_frame *); 851 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 852 } 853 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 854 goto out; 855 856 case IEEE80211_FC0_TYPE_CTL: 857 vap->iv_stats.is_rx_ctl++; 858 IEEE80211_NODE_STAT(ni, rx_ctrl); 859 vap->iv_recv_ctl(ni, m, subtype); 860 goto out; 861 default: 862 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 863 wh, "bad", "frame type 0x%x", type); 864 /* should not come here */ 865 break; 866 } 867err: 868 ifp->if_ierrors++; 869out: 870 if (m != NULL) { 871 if (need_tap && ieee80211_radiotap_active_vap(vap)) 872 ieee80211_radiotap_rx(vap, m); 873 m_freem(m); 874 } 875 return type; 876#undef SEQ_LEQ 877} 878 879static void 880hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 881 int rssi, int nf, uint16_t seq, uint16_t status) 882{ 883 struct ieee80211vap *vap = ni->ni_vap; 884 885 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 886 887 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 888 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 889 ni->ni_macaddr, "open auth", 890 "bad sta auth mode %u", ni->ni_authmode); 891 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 892 /* 893 * Clear any challenge text that may be there if 894 * a previous shared key auth failed and then an 895 * open auth is attempted. 896 */ 897 if (ni->ni_challenge != NULL) { 898 free(ni->ni_challenge, M_80211_NODE); 899 ni->ni_challenge = NULL; 900 } 901 /* XXX hack to workaround calling convention */ 902 ieee80211_send_error(ni, wh->i_addr2, 903 IEEE80211_FC0_SUBTYPE_AUTH, 904 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 905 return; 906 } 907 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 908 vap->iv_stats.is_rx_bad_auth++; 909 return; 910 } 911 /* always accept open authentication requests */ 912 if (ni == vap->iv_bss) { 913 ni = ieee80211_dup_bss(vap, wh->i_addr2); 914 if (ni == NULL) 915 return; 916 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 917 (void) ieee80211_ref_node(ni); 918 /* 919 * Mark the node as referenced to reflect that it's 920 * reference count has been bumped to insure it remains 921 * after the transaction completes. 922 */ 923 ni->ni_flags |= IEEE80211_NODE_AREF; 924 /* 925 * Mark the node as requiring a valid association id 926 * before outbound traffic is permitted. 927 */ 928 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 929 930 if (vap->iv_acl != NULL && 931 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 932 /* 933 * When the ACL policy is set to RADIUS we defer the 934 * authorization to a user agent. Dispatch an event, 935 * a subsequent MLME call will decide the fate of the 936 * station. If the user agent is not present then the 937 * node will be reclaimed due to inactivity. 938 */ 939 IEEE80211_NOTE_MAC(vap, 940 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 941 "%s", "station authentication defered (radius acl)"); 942 ieee80211_notify_node_auth(ni); 943 } else { 944 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 945 IEEE80211_NOTE_MAC(vap, 946 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 947 "%s", "station authenticated (open)"); 948 /* 949 * When 802.1x is not in use mark the port 950 * authorized at this point so traffic can flow. 951 */ 952 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 953 ieee80211_node_authorize(ni); 954 } 955} 956 957static void 958hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 959 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 960 uint16_t seq, uint16_t status) 961{ 962 struct ieee80211vap *vap = ni->ni_vap; 963 uint8_t *challenge; 964 int allocbs, estatus; 965 966 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 967 968 /* 969 * NB: this can happen as we allow pre-shared key 970 * authentication to be enabled w/o wep being turned 971 * on so that configuration of these can be done 972 * in any order. It may be better to enforce the 973 * ordering in which case this check would just be 974 * for sanity/consistency. 975 */ 976 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 977 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 978 ni->ni_macaddr, "shared key auth", 979 "%s", " PRIVACY is disabled"); 980 estatus = IEEE80211_STATUS_ALG; 981 goto bad; 982 } 983 /* 984 * Pre-shared key authentication is evil; accept 985 * it only if explicitly configured (it is supported 986 * mainly for compatibility with clients like Mac OS X). 987 */ 988 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 989 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 990 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 991 ni->ni_macaddr, "shared key auth", 992 "bad sta auth mode %u", ni->ni_authmode); 993 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 994 estatus = IEEE80211_STATUS_ALG; 995 goto bad; 996 } 997 998 challenge = NULL; 999 if (frm + 1 < efrm) { 1000 if ((frm[1] + 2) > (efrm - frm)) { 1001 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1002 ni->ni_macaddr, "shared key auth", 1003 "ie %d/%d too long", 1004 frm[0], (frm[1] + 2) - (efrm - frm)); 1005 vap->iv_stats.is_rx_bad_auth++; 1006 estatus = IEEE80211_STATUS_CHALLENGE; 1007 goto bad; 1008 } 1009 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1010 challenge = frm; 1011 frm += frm[1] + 2; 1012 } 1013 switch (seq) { 1014 case IEEE80211_AUTH_SHARED_CHALLENGE: 1015 case IEEE80211_AUTH_SHARED_RESPONSE: 1016 if (challenge == NULL) { 1017 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1018 ni->ni_macaddr, "shared key auth", 1019 "%s", "no challenge"); 1020 vap->iv_stats.is_rx_bad_auth++; 1021 estatus = IEEE80211_STATUS_CHALLENGE; 1022 goto bad; 1023 } 1024 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1025 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1026 ni->ni_macaddr, "shared key auth", 1027 "bad challenge len %d", challenge[1]); 1028 vap->iv_stats.is_rx_bad_auth++; 1029 estatus = IEEE80211_STATUS_CHALLENGE; 1030 goto bad; 1031 } 1032 default: 1033 break; 1034 } 1035 switch (seq) { 1036 case IEEE80211_AUTH_SHARED_REQUEST: 1037 if (ni == vap->iv_bss) { 1038 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1039 if (ni == NULL) { 1040 /* NB: no way to return an error */ 1041 return; 1042 } 1043 allocbs = 1; 1044 } else { 1045 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1046 (void) ieee80211_ref_node(ni); 1047 allocbs = 0; 1048 } 1049 /* 1050 * Mark the node as referenced to reflect that it's 1051 * reference count has been bumped to insure it remains 1052 * after the transaction completes. 1053 */ 1054 ni->ni_flags |= IEEE80211_NODE_AREF; 1055 /* 1056 * Mark the node as requiring a valid associatio id 1057 * before outbound traffic is permitted. 1058 */ 1059 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1060 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1061 ni->ni_noise = nf; 1062 if (!ieee80211_alloc_challenge(ni)) { 1063 /* NB: don't return error so they rexmit */ 1064 return; 1065 } 1066 get_random_bytes(ni->ni_challenge, 1067 IEEE80211_CHALLENGE_LEN); 1068 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1069 ni, "shared key %sauth request", allocbs ? "" : "re"); 1070 /* 1071 * When the ACL policy is set to RADIUS we defer the 1072 * authorization to a user agent. Dispatch an event, 1073 * a subsequent MLME call will decide the fate of the 1074 * station. If the user agent is not present then the 1075 * node will be reclaimed due to inactivity. 1076 */ 1077 if (vap->iv_acl != NULL && 1078 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1079 IEEE80211_NOTE_MAC(vap, 1080 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1081 ni->ni_macaddr, 1082 "%s", "station authentication defered (radius acl)"); 1083 ieee80211_notify_node_auth(ni); 1084 return; 1085 } 1086 break; 1087 case IEEE80211_AUTH_SHARED_RESPONSE: 1088 if (ni == vap->iv_bss) { 1089 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1090 ni->ni_macaddr, "shared key response", 1091 "%s", "unknown station"); 1092 /* NB: don't send a response */ 1093 return; 1094 } 1095 if (ni->ni_challenge == NULL) { 1096 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1097 ni->ni_macaddr, "shared key response", 1098 "%s", "no challenge recorded"); 1099 vap->iv_stats.is_rx_bad_auth++; 1100 estatus = IEEE80211_STATUS_CHALLENGE; 1101 goto bad; 1102 } 1103 if (memcmp(ni->ni_challenge, &challenge[2], 1104 challenge[1]) != 0) { 1105 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1106 ni->ni_macaddr, "shared key response", 1107 "%s", "challenge mismatch"); 1108 vap->iv_stats.is_rx_auth_fail++; 1109 estatus = IEEE80211_STATUS_CHALLENGE; 1110 goto bad; 1111 } 1112 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1113 ni, "%s", "station authenticated (shared key)"); 1114 ieee80211_node_authorize(ni); 1115 break; 1116 default: 1117 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1118 ni->ni_macaddr, "shared key auth", 1119 "bad seq %d", seq); 1120 vap->iv_stats.is_rx_bad_auth++; 1121 estatus = IEEE80211_STATUS_SEQUENCE; 1122 goto bad; 1123 } 1124 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1125 return; 1126bad: 1127 /* 1128 * Send an error response; but only when operating as an AP. 1129 */ 1130 /* XXX hack to workaround calling convention */ 1131 ieee80211_send_error(ni, wh->i_addr2, 1132 IEEE80211_FC0_SUBTYPE_AUTH, 1133 (seq + 1) | (estatus<<16)); 1134} 1135 1136/* 1137 * Convert a WPA cipher selector OUI to an internal 1138 * cipher algorithm. Where appropriate we also 1139 * record any key length. 1140 */ 1141static int 1142wpa_cipher(const uint8_t *sel, uint8_t *keylen) 1143{ 1144#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1145 uint32_t w = LE_READ_4(sel); 1146 1147 switch (w) { 1148 case WPA_SEL(WPA_CSE_NULL): 1149 return IEEE80211_CIPHER_NONE; 1150 case WPA_SEL(WPA_CSE_WEP40): 1151 if (keylen) 1152 *keylen = 40 / NBBY; 1153 return IEEE80211_CIPHER_WEP; 1154 case WPA_SEL(WPA_CSE_WEP104): 1155 if (keylen) 1156 *keylen = 104 / NBBY; 1157 return IEEE80211_CIPHER_WEP; 1158 case WPA_SEL(WPA_CSE_TKIP): 1159 return IEEE80211_CIPHER_TKIP; 1160 case WPA_SEL(WPA_CSE_CCMP): 1161 return IEEE80211_CIPHER_AES_CCM; 1162 } 1163 return 32; /* NB: so 1<< is discarded */ 1164#undef WPA_SEL 1165} 1166 1167/* 1168 * Convert a WPA key management/authentication algorithm 1169 * to an internal code. 1170 */ 1171static int 1172wpa_keymgmt(const uint8_t *sel) 1173{ 1174#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1175 uint32_t w = LE_READ_4(sel); 1176 1177 switch (w) { 1178 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1179 return WPA_ASE_8021X_UNSPEC; 1180 case WPA_SEL(WPA_ASE_8021X_PSK): 1181 return WPA_ASE_8021X_PSK; 1182 case WPA_SEL(WPA_ASE_NONE): 1183 return WPA_ASE_NONE; 1184 } 1185 return 0; /* NB: so is discarded */ 1186#undef WPA_SEL 1187} 1188 1189/* 1190 * Parse a WPA information element to collect parameters. 1191 * Note that we do not validate security parameters; that 1192 * is handled by the authenticator; the parsing done here 1193 * is just for internal use in making operational decisions. 1194 */ 1195static int 1196ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1197 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1198{ 1199 uint8_t len = frm[1]; 1200 uint32_t w; 1201 int n; 1202 1203 /* 1204 * Check the length once for fixed parts: OUI, type, 1205 * version, mcast cipher, and 2 selector counts. 1206 * Other, variable-length data, must be checked separately. 1207 */ 1208 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1209 IEEE80211_DISCARD_IE(vap, 1210 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1211 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1212 return IEEE80211_REASON_IE_INVALID; 1213 } 1214 if (len < 14) { 1215 IEEE80211_DISCARD_IE(vap, 1216 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1217 wh, "WPA", "too short, len %u", len); 1218 return IEEE80211_REASON_IE_INVALID; 1219 } 1220 frm += 6, len -= 4; /* NB: len is payload only */ 1221 /* NB: iswapoui already validated the OUI and type */ 1222 w = LE_READ_2(frm); 1223 if (w != WPA_VERSION) { 1224 IEEE80211_DISCARD_IE(vap, 1225 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1226 wh, "WPA", "bad version %u", w); 1227 return IEEE80211_REASON_IE_INVALID; 1228 } 1229 frm += 2, len -= 2; 1230 1231 memset(rsn, 0, sizeof(*rsn)); 1232 1233 /* multicast/group cipher */ 1234 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1235 frm += 4, len -= 4; 1236 1237 /* unicast ciphers */ 1238 n = LE_READ_2(frm); 1239 frm += 2, len -= 2; 1240 if (len < n*4+2) { 1241 IEEE80211_DISCARD_IE(vap, 1242 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1243 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1244 len, n); 1245 return IEEE80211_REASON_IE_INVALID; 1246 } 1247 w = 0; 1248 for (; n > 0; n--) { 1249 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1250 frm += 4, len -= 4; 1251 } 1252 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1253 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1254 else 1255 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1256 1257 /* key management algorithms */ 1258 n = LE_READ_2(frm); 1259 frm += 2, len -= 2; 1260 if (len < n*4) { 1261 IEEE80211_DISCARD_IE(vap, 1262 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1263 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1264 len, n); 1265 return IEEE80211_REASON_IE_INVALID; 1266 } 1267 w = 0; 1268 for (; n > 0; n--) { 1269 w |= wpa_keymgmt(frm); 1270 frm += 4, len -= 4; 1271 } 1272 if (w & WPA_ASE_8021X_UNSPEC) 1273 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1274 else 1275 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1276 1277 if (len > 2) /* optional capabilities */ 1278 rsn->rsn_caps = LE_READ_2(frm); 1279 1280 return 0; 1281} 1282 1283/* 1284 * Convert an RSN cipher selector OUI to an internal 1285 * cipher algorithm. Where appropriate we also 1286 * record any key length. 1287 */ 1288static int 1289rsn_cipher(const uint8_t *sel, uint8_t *keylen) 1290{ 1291#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1292 uint32_t w = LE_READ_4(sel); 1293 1294 switch (w) { 1295 case RSN_SEL(RSN_CSE_NULL): 1296 return IEEE80211_CIPHER_NONE; 1297 case RSN_SEL(RSN_CSE_WEP40): 1298 if (keylen) 1299 *keylen = 40 / NBBY; 1300 return IEEE80211_CIPHER_WEP; 1301 case RSN_SEL(RSN_CSE_WEP104): 1302 if (keylen) 1303 *keylen = 104 / NBBY; 1304 return IEEE80211_CIPHER_WEP; 1305 case RSN_SEL(RSN_CSE_TKIP): 1306 return IEEE80211_CIPHER_TKIP; 1307 case RSN_SEL(RSN_CSE_CCMP): 1308 return IEEE80211_CIPHER_AES_CCM; 1309 case RSN_SEL(RSN_CSE_WRAP): 1310 return IEEE80211_CIPHER_AES_OCB; 1311 } 1312 return 32; /* NB: so 1<< is discarded */ 1313#undef WPA_SEL 1314} 1315 1316/* 1317 * Convert an RSN key management/authentication algorithm 1318 * to an internal code. 1319 */ 1320static int 1321rsn_keymgmt(const uint8_t *sel) 1322{ 1323#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1324 uint32_t w = LE_READ_4(sel); 1325 1326 switch (w) { 1327 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1328 return RSN_ASE_8021X_UNSPEC; 1329 case RSN_SEL(RSN_ASE_8021X_PSK): 1330 return RSN_ASE_8021X_PSK; 1331 case RSN_SEL(RSN_ASE_NONE): 1332 return RSN_ASE_NONE; 1333 } 1334 return 0; /* NB: so is discarded */ 1335#undef RSN_SEL 1336} 1337 1338/* 1339 * Parse a WPA/RSN information element to collect parameters 1340 * and validate the parameters against what has been 1341 * configured for the system. 1342 */ 1343static int 1344ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1345 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1346{ 1347 uint8_t len = frm[1]; 1348 uint32_t w; 1349 int n; 1350 1351 /* 1352 * Check the length once for fixed parts: 1353 * version, mcast cipher, and 2 selector counts. 1354 * Other, variable-length data, must be checked separately. 1355 */ 1356 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1357 IEEE80211_DISCARD_IE(vap, 1358 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1359 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1360 return IEEE80211_REASON_IE_INVALID; 1361 } 1362 if (len < 10) { 1363 IEEE80211_DISCARD_IE(vap, 1364 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1365 wh, "RSN", "too short, len %u", len); 1366 return IEEE80211_REASON_IE_INVALID; 1367 } 1368 frm += 2; 1369 w = LE_READ_2(frm); 1370 if (w != RSN_VERSION) { 1371 IEEE80211_DISCARD_IE(vap, 1372 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1373 wh, "RSN", "bad version %u", w); 1374 return IEEE80211_REASON_IE_INVALID; 1375 } 1376 frm += 2, len -= 2; 1377 1378 memset(rsn, 0, sizeof(*rsn)); 1379 1380 /* multicast/group cipher */ 1381 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1382 frm += 4, len -= 4; 1383 1384 /* unicast ciphers */ 1385 n = LE_READ_2(frm); 1386 frm += 2, len -= 2; 1387 if (len < n*4+2) { 1388 IEEE80211_DISCARD_IE(vap, 1389 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1390 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1391 len, n); 1392 return IEEE80211_REASON_IE_INVALID; 1393 } 1394 w = 0; 1395 for (; n > 0; n--) { 1396 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1397 frm += 4, len -= 4; 1398 } 1399 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1400 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1401 else 1402 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1403 1404 /* key management algorithms */ 1405 n = LE_READ_2(frm); 1406 frm += 2, len -= 2; 1407 if (len < n*4) { 1408 IEEE80211_DISCARD_IE(vap, 1409 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1410 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1411 len, n); 1412 return IEEE80211_REASON_IE_INVALID; 1413 } 1414 w = 0; 1415 for (; n > 0; n--) { 1416 w |= rsn_keymgmt(frm); 1417 frm += 4, len -= 4; 1418 } 1419 if (w & RSN_ASE_8021X_UNSPEC) 1420 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1421 else 1422 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1423 1424 /* optional RSN capabilities */ 1425 if (len > 2) 1426 rsn->rsn_caps = LE_READ_2(frm); 1427 /* XXXPMKID */ 1428 1429 return 0; 1430} 1431 1432/* 1433 * WPA/802.11i assocation request processing. 1434 */ 1435static int 1436wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1437 const struct ieee80211_frame *wh, const uint8_t *wpa, 1438 const uint8_t *rsn, uint16_t capinfo) 1439{ 1440 struct ieee80211vap *vap = ni->ni_vap; 1441 uint8_t reason; 1442 int badwparsn; 1443 1444 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1445 if (wpa == NULL && rsn == NULL) { 1446 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1447 /* 1448 * W-Fi Protected Setup (WPS) permits 1449 * clients to associate and pass EAPOL frames 1450 * to establish initial credentials. 1451 */ 1452 ni->ni_flags |= IEEE80211_NODE_WPS; 1453 return 1; 1454 } 1455 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1456 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1457 /* 1458 * Transitional Security Network. Permits clients 1459 * to associate and use WEP while WPA is configured. 1460 */ 1461 ni->ni_flags |= IEEE80211_NODE_TSN; 1462 return 1; 1463 } 1464 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1465 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1466 vap->iv_stats.is_rx_assoc_badwpaie++; 1467 reason = IEEE80211_REASON_IE_INVALID; 1468 goto bad; 1469 } 1470 /* assert right association security credentials */ 1471 badwparsn = 0; /* NB: to silence compiler */ 1472 switch (vap->iv_flags & IEEE80211_F_WPA) { 1473 case IEEE80211_F_WPA1: 1474 badwparsn = (wpa == NULL); 1475 break; 1476 case IEEE80211_F_WPA2: 1477 badwparsn = (rsn == NULL); 1478 break; 1479 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1480 badwparsn = (wpa == NULL && rsn == NULL); 1481 break; 1482 } 1483 if (badwparsn) { 1484 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1485 wh, NULL, 1486 "%s", "missing WPA/RSN IE in association request"); 1487 vap->iv_stats.is_rx_assoc_badwpaie++; 1488 reason = IEEE80211_REASON_IE_INVALID; 1489 goto bad; 1490 } 1491 /* 1492 * Parse WPA/RSN information element. 1493 */ 1494 if (wpa != NULL) 1495 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1496 else 1497 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1498 if (reason != 0) { 1499 /* XXX distinguish WPA/RSN? */ 1500 vap->iv_stats.is_rx_assoc_badwpaie++; 1501 goto bad; 1502 } 1503 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1504 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1505 wpa != NULL ? "WPA" : "RSN", 1506 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1507 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1508 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1509 1510 return 1; 1511bad: 1512 ieee80211_node_deauth(ni, reason); 1513 return 0; 1514} 1515 1516/* XXX find a better place for definition */ 1517struct l2_update_frame { 1518 struct ether_header eh; 1519 uint8_t dsap; 1520 uint8_t ssap; 1521 uint8_t control; 1522 uint8_t xid[3]; 1523} __packed; 1524 1525/* 1526 * Deliver a TGf L2UF frame on behalf of a station. 1527 * This primes any bridge when the station is roaming 1528 * between ap's on the same wired network. 1529 */ 1530static void 1531ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1532{ 1533 struct ieee80211vap *vap = ni->ni_vap; 1534 struct ifnet *ifp = vap->iv_ifp; 1535 struct mbuf *m; 1536 struct l2_update_frame *l2uf; 1537 struct ether_header *eh; 1538 1539 m = m_gethdr(M_NOWAIT, MT_DATA); 1540 if (m == NULL) { 1541 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1542 "%s", "no mbuf for l2uf frame"); 1543 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1544 return; 1545 } 1546 l2uf = mtod(m, struct l2_update_frame *); 1547 eh = &l2uf->eh; 1548 /* dst: Broadcast address */ 1549 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1550 /* src: associated STA */ 1551 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1552 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1553 1554 l2uf->dsap = 0; 1555 l2uf->ssap = 0; 1556 l2uf->control = 0xf5; 1557 l2uf->xid[0] = 0x81; 1558 l2uf->xid[1] = 0x80; 1559 l2uf->xid[2] = 0x00; 1560 1561 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1562 hostap_deliver_data(vap, ni, m); 1563} 1564 1565static void 1566ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1567 int reassoc, int resp, const char *tag, int rate) 1568{ 1569 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1570 "deny %s request, %s rate set mismatch, rate/MCS %d", 1571 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1572 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1573 ieee80211_node_leave(ni); 1574} 1575 1576static void 1577capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1578 int reassoc, int resp, const char *tag, int capinfo) 1579{ 1580 struct ieee80211vap *vap = ni->ni_vap; 1581 1582 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1583 "deny %s request, %s mismatch 0x%x", 1584 reassoc ? "reassoc" : "assoc", tag, capinfo); 1585 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1586 ieee80211_node_leave(ni); 1587 vap->iv_stats.is_rx_assoc_capmismatch++; 1588} 1589 1590static void 1591htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1592 int reassoc, int resp) 1593{ 1594 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1595 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); 1596 /* XXX no better code */ 1597 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER); 1598 ieee80211_node_leave(ni); 1599} 1600 1601static void 1602authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1603 int algo, int seq, int status) 1604{ 1605 struct ieee80211vap *vap = ni->ni_vap; 1606 1607 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1608 wh, NULL, "unsupported alg %d", algo); 1609 vap->iv_stats.is_rx_auth_unsupported++; 1610 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1611 seq | (status << 16)); 1612} 1613 1614static __inline int 1615ishtmixed(const uint8_t *ie) 1616{ 1617 const struct ieee80211_ie_htinfo *ht = 1618 (const struct ieee80211_ie_htinfo *) ie; 1619 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1620 IEEE80211_HTINFO_OPMODE_MIXED; 1621} 1622 1623static int 1624is11bclient(const uint8_t *rates, const uint8_t *xrates) 1625{ 1626 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1627 int i; 1628 1629 /* NB: the 11b clients we care about will not have xrates */ 1630 if (xrates != NULL || rates == NULL) 1631 return 0; 1632 for (i = 0; i < rates[1]; i++) { 1633 int r = rates[2+i] & IEEE80211_RATE_VAL; 1634 if (r > 2*11 || ((1<<r) & brates) == 0) 1635 return 0; 1636 } 1637 return 1; 1638} 1639 1640static void 1641hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1642 int subtype, int rssi, int nf) 1643{ 1644 struct ieee80211vap *vap = ni->ni_vap; 1645 struct ieee80211com *ic = ni->ni_ic; 1646 struct ieee80211_frame *wh; 1647 uint8_t *frm, *efrm, *sfrm; 1648 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1649 int reassoc, resp; 1650 uint8_t rate; 1651 1652 wh = mtod(m0, struct ieee80211_frame *); 1653 frm = (uint8_t *)&wh[1]; 1654 efrm = mtod(m0, uint8_t *) + m0->m_len; 1655 switch (subtype) { 1656 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1657 case IEEE80211_FC0_SUBTYPE_BEACON: { 1658 struct ieee80211_scanparams scan; 1659 /* 1660 * We process beacon/probe response frames when scanning; 1661 * otherwise we check beacon frames for overlapping non-ERP 1662 * BSS in 11g and/or overlapping legacy BSS when in HT. 1663 */ 1664 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 && 1665 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 1666 vap->iv_stats.is_rx_mgtdiscard++; 1667 return; 1668 } 1669 /* NB: accept off-channel frames */ 1670 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1671 return; 1672 /* 1673 * Count frame now that we know it's to be processed. 1674 */ 1675 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1676 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1677 IEEE80211_NODE_STAT(ni, rx_beacons); 1678 } else 1679 IEEE80211_NODE_STAT(ni, rx_proberesp); 1680 /* 1681 * If scanning, just pass information to the scan module. 1682 */ 1683 if (ic->ic_flags & IEEE80211_F_SCAN) { 1684 if (scan.status == 0 && /* NB: on channel */ 1685 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1686 /* 1687 * Actively scanning a channel marked passive; 1688 * send a probe request now that we know there 1689 * is 802.11 traffic present. 1690 * 1691 * XXX check if the beacon we recv'd gives 1692 * us what we need and suppress the probe req 1693 */ 1694 ieee80211_probe_curchan(vap, 1); 1695 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1696 } 1697 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf); 1698 return; 1699 } 1700 /* 1701 * Check beacon for overlapping bss w/ non ERP stations. 1702 * If we detect one and protection is configured but not 1703 * enabled, enable it and start a timer that'll bring us 1704 * out if we stop seeing the bss. 1705 */ 1706 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1707 scan.status == 0 && /* NB: on-channel */ 1708 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1709 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1710 ic->ic_lastnonerp = ticks; 1711 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1712 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1713 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1714 IEEE80211_NOTE_FRAME(vap, 1715 IEEE80211_MSG_ASSOC, wh, 1716 "non-ERP present on channel %d " 1717 "(saw erp 0x%x from channel %d), " 1718 "enable use of protection", 1719 ic->ic_curchan->ic_ieee, 1720 scan.erp, scan.chan); 1721 ic->ic_flags |= IEEE80211_F_USEPROT; 1722 ieee80211_notify_erp(ic); 1723 } 1724 } 1725 /* 1726 * Check beacon for non-HT station on HT channel 1727 * and update HT BSS occupancy as appropriate. 1728 */ 1729 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1730 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1731 /* 1732 * Off control channel; only check frames 1733 * that come in the extension channel when 1734 * operating w/ HT40. 1735 */ 1736 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1737 break; 1738 if (scan.chan != ic->ic_curchan->ic_extieee) 1739 break; 1740 } 1741 if (scan.htinfo == NULL) { 1742 ieee80211_htprot_update(ic, 1743 IEEE80211_HTINFO_OPMODE_PROTOPT | 1744 IEEE80211_HTINFO_NONHT_PRESENT); 1745 } else if (ishtmixed(scan.htinfo)) { 1746 /* XXX? take NONHT_PRESENT from beacon? */ 1747 ieee80211_htprot_update(ic, 1748 IEEE80211_HTINFO_OPMODE_MIXED | 1749 IEEE80211_HTINFO_NONHT_PRESENT); 1750 } 1751 } 1752 break; 1753 } 1754 1755 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1756 if (vap->iv_state != IEEE80211_S_RUN) { 1757 vap->iv_stats.is_rx_mgtdiscard++; 1758 return; 1759 } 1760 /* 1761 * prreq frame format 1762 * [tlv] ssid 1763 * [tlv] supported rates 1764 * [tlv] extended supported rates 1765 */ 1766 ssid = rates = xrates = NULL; 1767 sfrm = frm; 1768 while (efrm - frm > 1) { 1769 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1770 switch (*frm) { 1771 case IEEE80211_ELEMID_SSID: 1772 ssid = frm; 1773 break; 1774 case IEEE80211_ELEMID_RATES: 1775 rates = frm; 1776 break; 1777 case IEEE80211_ELEMID_XRATES: 1778 xrates = frm; 1779 break; 1780 } 1781 frm += frm[1] + 2; 1782 } 1783 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1784 if (xrates != NULL) 1785 IEEE80211_VERIFY_ELEMENT(xrates, 1786 IEEE80211_RATE_MAXSIZE - rates[1], return); 1787 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1788 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1789 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1790 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1791 wh, NULL, 1792 "%s", "no ssid with ssid suppression enabled"); 1793 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1794 return; 1795 } 1796 1797 /* XXX find a better class or define it's own */ 1798 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1799 "%s", "recv probe req"); 1800 /* 1801 * Some legacy 11b clients cannot hack a complete 1802 * probe response frame. When the request includes 1803 * only a bare-bones rate set, communicate this to 1804 * the transmit side. 1805 */ 1806 ieee80211_send_proberesp(vap, wh->i_addr2, 1807 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1808 break; 1809 1810 case IEEE80211_FC0_SUBTYPE_AUTH: { 1811 uint16_t algo, seq, status; 1812 1813 if (vap->iv_state != IEEE80211_S_RUN) { 1814 vap->iv_stats.is_rx_mgtdiscard++; 1815 return; 1816 } 1817 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1818 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1819 wh, NULL, "%s", "wrong bssid"); 1820 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1821 return; 1822 } 1823 /* 1824 * auth frame format 1825 * [2] algorithm 1826 * [2] sequence 1827 * [2] status 1828 * [tlv*] challenge 1829 */ 1830 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1831 algo = le16toh(*(uint16_t *)frm); 1832 seq = le16toh(*(uint16_t *)(frm + 2)); 1833 status = le16toh(*(uint16_t *)(frm + 4)); 1834 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1835 "recv auth frame with algorithm %d seq %d", algo, seq); 1836 /* 1837 * Consult the ACL policy module if setup. 1838 */ 1839 if (vap->iv_acl != NULL && 1840 !vap->iv_acl->iac_check(vap, wh->i_addr2)) { 1841 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1842 wh, NULL, "%s", "disallowed by ACL"); 1843 vap->iv_stats.is_rx_acl++; 1844 ieee80211_send_error(ni, wh->i_addr2, 1845 IEEE80211_FC0_SUBTYPE_AUTH, 1846 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1847 return; 1848 } 1849 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1850 IEEE80211_DISCARD(vap, 1851 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1852 wh, NULL, "%s", "TKIP countermeasures enabled"); 1853 vap->iv_stats.is_rx_auth_countermeasures++; 1854 ieee80211_send_error(ni, wh->i_addr2, 1855 IEEE80211_FC0_SUBTYPE_AUTH, 1856 IEEE80211_REASON_MIC_FAILURE); 1857 return; 1858 } 1859 if (algo == IEEE80211_AUTH_ALG_SHARED) 1860 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1861 seq, status); 1862 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1863 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1864 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1865 authalgreject(ni, wh, algo, 1866 seq+1, IEEE80211_STATUS_ALG); 1867 return; 1868 } else { 1869 /* 1870 * We assume that an unknown algorithm is the result 1871 * of a decryption failure on a shared key auth frame; 1872 * return a status code appropriate for that instead 1873 * of IEEE80211_STATUS_ALG. 1874 * 1875 * NB: a seq# of 4 is intentional; the decrypted 1876 * frame likely has a bogus seq value. 1877 */ 1878 authalgreject(ni, wh, algo, 1879 4, IEEE80211_STATUS_CHALLENGE); 1880 return; 1881 } 1882 break; 1883 } 1884 1885 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1886 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1887 uint16_t capinfo, lintval; 1888 struct ieee80211_rsnparms rsnparms; 1889 1890 if (vap->iv_state != IEEE80211_S_RUN) { 1891 vap->iv_stats.is_rx_mgtdiscard++; 1892 return; 1893 } 1894 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1895 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1896 wh, NULL, "%s", "wrong bssid"); 1897 vap->iv_stats.is_rx_assoc_bss++; 1898 return; 1899 } 1900 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1901 reassoc = 1; 1902 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1903 } else { 1904 reassoc = 0; 1905 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1906 } 1907 if (ni == vap->iv_bss) { 1908 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1909 "deny %s request, sta not authenticated", 1910 reassoc ? "reassoc" : "assoc"); 1911 ieee80211_send_error(ni, wh->i_addr2, 1912 IEEE80211_FC0_SUBTYPE_DEAUTH, 1913 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1914 vap->iv_stats.is_rx_assoc_notauth++; 1915 return; 1916 } 1917 1918 /* 1919 * asreq frame format 1920 * [2] capability information 1921 * [2] listen interval 1922 * [6*] current AP address (reassoc only) 1923 * [tlv] ssid 1924 * [tlv] supported rates 1925 * [tlv] extended supported rates 1926 * [tlv] WPA or RSN 1927 * [tlv] HT capabilities 1928 * [tlv] Atheros capabilities 1929 */ 1930 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1931 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1932 lintval = le16toh(*(uint16_t *)frm); frm += 2; 1933 if (reassoc) 1934 frm += 6; /* ignore current AP info */ 1935 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1936 sfrm = frm; 1937 while (efrm - frm > 1) { 1938 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1939 switch (*frm) { 1940 case IEEE80211_ELEMID_SSID: 1941 ssid = frm; 1942 break; 1943 case IEEE80211_ELEMID_RATES: 1944 rates = frm; 1945 break; 1946 case IEEE80211_ELEMID_XRATES: 1947 xrates = frm; 1948 break; 1949 case IEEE80211_ELEMID_RSN: 1950 rsn = frm; 1951 break; 1952 case IEEE80211_ELEMID_HTCAP: 1953 htcap = frm; 1954 break; 1955 case IEEE80211_ELEMID_VENDOR: 1956 if (iswpaoui(frm)) 1957 wpa = frm; 1958 else if (iswmeinfo(frm)) 1959 wme = frm; 1960#ifdef IEEE80211_SUPPORT_SUPERG 1961 else if (isatherosoui(frm)) 1962 ath = frm; 1963#endif 1964 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) { 1965 if (ishtcapoui(frm) && htcap == NULL) 1966 htcap = frm; 1967 } 1968 break; 1969 } 1970 frm += frm[1] + 2; 1971 } 1972 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1973 if (xrates != NULL) 1974 IEEE80211_VERIFY_ELEMENT(xrates, 1975 IEEE80211_RATE_MAXSIZE - rates[1], return); 1976 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1977 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1978 if (htcap != NULL) { 1979 IEEE80211_VERIFY_LENGTH(htcap[1], 1980 htcap[0] == IEEE80211_ELEMID_VENDOR ? 1981 4 + sizeof(struct ieee80211_ie_htcap)-2 : 1982 sizeof(struct ieee80211_ie_htcap)-2, 1983 return); /* XXX just NULL out? */ 1984 } 1985 1986 if ((vap->iv_flags & IEEE80211_F_WPA) && 1987 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 1988 return; 1989 /* discard challenge after association */ 1990 if (ni->ni_challenge != NULL) { 1991 free(ni->ni_challenge, M_80211_NODE); 1992 ni->ni_challenge = NULL; 1993 } 1994 /* NB: 802.11 spec says to ignore station's privacy bit */ 1995 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 1996 capinfomismatch(ni, wh, reassoc, resp, 1997 "capability", capinfo); 1998 return; 1999 } 2000 /* 2001 * Disallow re-associate w/ invalid slot time setting. 2002 */ 2003 if (ni->ni_associd != 0 && 2004 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2005 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2006 capinfomismatch(ni, wh, reassoc, resp, 2007 "slot time", capinfo); 2008 return; 2009 } 2010 rate = ieee80211_setup_rates(ni, rates, xrates, 2011 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2012 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2013 if (rate & IEEE80211_RATE_BASIC) { 2014 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2015 vap->iv_stats.is_rx_assoc_norate++; 2016 return; 2017 } 2018 /* 2019 * If constrained to 11g-only stations reject an 2020 * 11b-only station. We cheat a bit here by looking 2021 * at the max negotiated xmit rate and assuming anyone 2022 * with a best rate <24Mb/s is an 11b station. 2023 */ 2024 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2025 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2026 vap->iv_stats.is_rx_assoc_norate++; 2027 return; 2028 } 2029 /* 2030 * Do HT rate set handling and setup HT node state. 2031 */ 2032 ni->ni_chan = vap->iv_bss->ni_chan; 2033 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2034 rate = ieee80211_setup_htrates(ni, htcap, 2035 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2036 IEEE80211_F_DOBRS); 2037 if (rate & IEEE80211_RATE_BASIC) { 2038 ratesetmismatch(ni, wh, reassoc, resp, 2039 "HT", rate); 2040 vap->iv_stats.is_ht_assoc_norate++; 2041 return; 2042 } 2043 ieee80211_ht_node_init(ni); 2044 ieee80211_ht_updatehtcap(ni, htcap); 2045 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2046 ieee80211_ht_node_cleanup(ni); 2047#ifdef IEEE80211_SUPPORT_SUPERG 2048 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH) 2049 ieee80211_ff_node_cleanup(ni); 2050#endif 2051 /* 2052 * Allow AMPDU operation only with unencrypted traffic 2053 * or AES-CCM; the 11n spec only specifies these ciphers 2054 * so permitting any others is undefined and can lead 2055 * to interoperability problems. 2056 */ 2057 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2058 (((vap->iv_flags & IEEE80211_F_WPA) && 2059 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2060 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2061 IEEE80211_NOTE(vap, 2062 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2063 "disallow HT use because WEP or TKIP requested, " 2064 "capinfo 0x%x ucastcipher %d", capinfo, 2065 rsnparms.rsn_ucastcipher); 2066 ieee80211_ht_node_cleanup(ni); 2067 vap->iv_stats.is_ht_assoc_downgrade++; 2068 } 2069 /* 2070 * If constrained to 11n-only stations reject legacy stations. 2071 */ 2072 if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) && 2073 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2074 htcapmismatch(ni, wh, reassoc, resp); 2075 vap->iv_stats.is_ht_assoc_nohtcap++; 2076 return; 2077 } 2078 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2079 ni->ni_noise = nf; 2080 ni->ni_intval = lintval; 2081 ni->ni_capinfo = capinfo; 2082 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2083 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2084 /* 2085 * Store the IEs. 2086 * XXX maybe better to just expand 2087 */ 2088 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2089#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2090 if (wpa != NULL) 2091 setie(wpa_ie, wpa - sfrm); 2092 if (rsn != NULL) 2093 setie(rsn_ie, rsn - sfrm); 2094 if (htcap != NULL) 2095 setie(htcap_ie, htcap - sfrm); 2096 if (wme != NULL) { 2097 setie(wme_ie, wme - sfrm); 2098 /* 2099 * Mark node as capable of QoS. 2100 */ 2101 ni->ni_flags |= IEEE80211_NODE_QOS; 2102 } else 2103 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2104#ifdef IEEE80211_SUPPORT_SUPERG 2105 if (ath != NULL) { 2106 setie(ath_ie, ath - sfrm); 2107 /* 2108 * Parse ATH station parameters. 2109 */ 2110 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2111 } else 2112#endif 2113 ni->ni_ath_flags = 0; 2114#undef setie 2115 } else { 2116 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2117 ni->ni_ath_flags = 0; 2118 } 2119 ieee80211_node_join(ni, resp); 2120 ieee80211_deliver_l2uf(ni); 2121 break; 2122 } 2123 2124 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2125 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2126 uint16_t reason; 2127 2128 if (vap->iv_state != IEEE80211_S_RUN || 2129 /* NB: can happen when in promiscuous mode */ 2130 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2131 vap->iv_stats.is_rx_mgtdiscard++; 2132 break; 2133 } 2134 /* 2135 * deauth/disassoc frame format 2136 * [2] reason 2137 */ 2138 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2139 reason = le16toh(*(uint16_t *)frm); 2140 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2141 vap->iv_stats.is_rx_deauth++; 2142 IEEE80211_NODE_STAT(ni, rx_deauth); 2143 } else { 2144 vap->iv_stats.is_rx_disassoc++; 2145 IEEE80211_NODE_STAT(ni, rx_disassoc); 2146 } 2147 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2148 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >> 2149 IEEE80211_FC0_SUBTYPE_SHIFT], reason); 2150 if (ni != vap->iv_bss) 2151 ieee80211_node_leave(ni); 2152 break; 2153 } 2154 2155 case IEEE80211_FC0_SUBTYPE_ACTION: 2156 if (vap->iv_state == IEEE80211_S_RUN) { 2157 if (ieee80211_parse_action(ni, m0) == 0) 2158 ic->ic_recv_action(ni, frm, efrm); 2159 } else 2160 vap->iv_stats.is_rx_mgtdiscard++; 2161 break; 2162 2163 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2164 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2165 default: 2166 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2167 wh, "mgt", "subtype 0x%x not handled", subtype); 2168 vap->iv_stats.is_rx_badsubtype++; 2169 break; 2170 } 2171} 2172 2173static void 2174hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2175{ 2176 switch (subtype) { 2177 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2178 hostap_recv_pspoll(ni, m); 2179 break; 2180 case IEEE80211_FC0_SUBTYPE_BAR: 2181 ieee80211_recv_bar(ni, m); 2182 break; 2183 } 2184} 2185 2186/* 2187 * Process a received ps-poll frame. 2188 */ 2189static void 2190hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2191{ 2192 struct ieee80211vap *vap = ni->ni_vap; 2193 struct ieee80211_frame_min *wh; 2194 struct ifnet *ifp; 2195 struct mbuf *m; 2196 uint16_t aid; 2197 int qlen; 2198 2199 wh = mtod(m0, struct ieee80211_frame_min *); 2200 if (ni->ni_associd == 0) { 2201 IEEE80211_DISCARD(vap, 2202 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2203 (struct ieee80211_frame *) wh, NULL, 2204 "%s", "unassociated station"); 2205 vap->iv_stats.is_ps_unassoc++; 2206 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2207 IEEE80211_REASON_NOT_ASSOCED); 2208 return; 2209 } 2210 2211 aid = le16toh(*(uint16_t *)wh->i_dur); 2212 if (aid != ni->ni_associd) { 2213 IEEE80211_DISCARD(vap, 2214 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2215 (struct ieee80211_frame *) wh, NULL, 2216 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2217 ni->ni_associd, aid); 2218 vap->iv_stats.is_ps_badaid++; 2219 /* 2220 * NB: We used to deauth the station but it turns out 2221 * the Blackberry Curve 8230 (and perhaps other devices) 2222 * sometimes send the wrong AID when WME is negotiated. 2223 * Being more lenient here seems ok as we already check 2224 * the station is associated and we only return frames 2225 * queued for the station (i.e. we don't use the AID). 2226 */ 2227 return; 2228 } 2229 2230 /* Okay, take the first queued packet and put it out... */ 2231 m = ieee80211_node_psq_dequeue(ni, &qlen); 2232 if (m == NULL) { 2233 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2234 "%s", "recv ps-poll, but queue empty"); 2235 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2236 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2237 if (vap->iv_set_tim != NULL) 2238 vap->iv_set_tim(ni, 0); /* just in case */ 2239 return; 2240 } 2241 /* 2242 * If there are more packets, set the more packets bit 2243 * in the packet dispatched to the station; otherwise 2244 * turn off the TIM bit. 2245 */ 2246 if (qlen != 0) { 2247 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2248 "recv ps-poll, send packet, %u still queued", qlen); 2249 m->m_flags |= M_MORE_DATA; 2250 } else { 2251 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2252 "%s", "recv ps-poll, send packet, queue empty"); 2253 if (vap->iv_set_tim != NULL) 2254 vap->iv_set_tim(ni, 0); 2255 } 2256 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2257 2258 if (m->m_flags & M_ENCAP) 2259 ifp = vap->iv_ic->ic_ifp; 2260 else 2261 ifp = vap->iv_ifp; 2262 IF_ENQUEUE(&ifp->if_snd, m); 2263 if_start(ifp); 2264} 2265