search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mtw(4) remove misplaced DEBUG_FLAGS
[freebsd/src.git] / sys / net80211 / ieee80211_hostap.c
blob1dce9a6b5923e72e850fb1f49a2b8740145751b8
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 /*
29 * IEEE 802.11 HOSTAP mode support.
30 */
31 #include "opt_inet.h"
32 #include "opt_wlan.h"
33
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/mbuf.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
39
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/proc.h>
45 #include <sys/sysctl.h>
46
47 #include <net/if.h>
48 #include <net/if_var.h>
49 #include <net/if_media.h>
50 #include <net/if_llc.h>
51 #include <net/if_private.h>
52 #include <net/ethernet.h>
53
54 #include <net/bpf.h>
55
56 #include <net80211/ieee80211_var.h>
57 #include <net80211/ieee80211_hostap.h>
58 #include <net80211/ieee80211_input.h>
59 #ifdef IEEE80211_SUPPORT_SUPERG
60 #include <net80211/ieee80211_superg.h>
61 #endif
62 #include <net80211/ieee80211_wds.h>
63 #include <net80211/ieee80211_vht.h>
64 #include <net80211/ieee80211_sta.h> /* for parse_wmeie */
65
66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
67
68 static void hostap_vattach(struct ieee80211vap *);
69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
71 const struct ieee80211_rx_stats *,
72 int rssi, int nf);
73 static void hostap_deliver_data(struct ieee80211vap *,
74 struct ieee80211_node *, struct mbuf *);
75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
78
79 void
80 ieee80211_hostap_attach(struct ieee80211com *ic)
81 {
82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
83 }
84
85 void
86 ieee80211_hostap_detach(struct ieee80211com *ic)
87 {
88 }
89
90 static void
91 hostap_vdetach(struct ieee80211vap *vap)
92 {
93 }
94
95 static void
96 hostap_vattach(struct ieee80211vap *vap)
97 {
98 vap->iv_newstate = hostap_newstate;
99 vap->iv_input = hostap_input;
100 vap->iv_recv_mgmt = hostap_recv_mgmt;
101 vap->iv_recv_ctl = hostap_recv_ctl;
102 vap->iv_opdetach = hostap_vdetach;
103 vap->iv_deliver_data = hostap_deliver_data;
104 vap->iv_recv_pspoll = ieee80211_recv_pspoll;
105 }
106
107 static void
108 sta_disassoc(void *arg, struct ieee80211_node *ni)
109 {
110
111 if (ni->ni_associd != 0) {
112 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
113 IEEE80211_REASON_ASSOC_LEAVE);
114 ieee80211_node_leave(ni);
115 }
116 }
117
118 static void
119 sta_csa(void *arg, struct ieee80211_node *ni)
120 {
121 struct ieee80211vap *vap = ni->ni_vap;
122
123 if (ni->ni_associd != 0)
124 if (ni->ni_inact > vap->iv_inact_init) {
125 ni->ni_inact = vap->iv_inact_init;
126 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
127 "%s: inact %u", __func__, ni->ni_inact);
128 }
129 }
130
131 static void
132 sta_drop(void *arg, struct ieee80211_node *ni)
133 {
134
135 if (ni->ni_associd != 0)
136 ieee80211_node_leave(ni);
137 }
138
139 /*
140 * Does a channel change require associated stations to re-associate
141 * so protocol state is correct. This is used when doing CSA across
142 * bands or similar (e.g. HT -> legacy).
143 */
144 static int
145 isbandchange(struct ieee80211com *ic)
146 {
147 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
148 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
149 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
150 }
151
152 /*
153 * IEEE80211_M_HOSTAP vap state machine handler.
154 */
155 static int
156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
157 {
158 struct ieee80211com *ic = vap->iv_ic;
159 enum ieee80211_state ostate;
160
161 IEEE80211_LOCK_ASSERT(ic);
162
163 ostate = vap->iv_state;
164 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
165 __func__, ieee80211_state_name[ostate],
166 ieee80211_state_name[nstate], arg);
167 vap->iv_state = nstate; /* state transition */
168 if (ostate != IEEE80211_S_SCAN)
169 ieee80211_cancel_scan(vap); /* background scan */
170 switch (nstate) {
171 case IEEE80211_S_INIT:
172 switch (ostate) {
173 case IEEE80211_S_SCAN:
174 ieee80211_cancel_scan(vap);
175 break;
176 case IEEE80211_S_CAC:
177 ieee80211_dfs_cac_stop(vap);
178 break;
179 case IEEE80211_S_RUN:
180 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
181 sta_disassoc, NULL);
182 break;
183 default:
184 break;
185 }
186 if (ostate != IEEE80211_S_INIT) {
187 /* NB: optimize INIT -> INIT case */
188 ieee80211_reset_bss(vap);
189 }
190 if (vap->iv_auth->ia_detach != NULL)
191 vap->iv_auth->ia_detach(vap);
192 break;
193 case IEEE80211_S_SCAN:
194 switch (ostate) {
195 case IEEE80211_S_CSA:
196 case IEEE80211_S_RUN:
197 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
198 sta_disassoc, NULL);
199 /*
200 * Clear overlapping BSS state; the beacon frame
201 * will be reconstructed on transition to the RUN
202 * state and the timeout routines check if the flag
203 * is set before doing anything so this is sufficient.
204 */
205 vap->iv_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
206 vap->iv_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
207 /* XXX TODO: schedule deferred update? */
208 /* fall thru... */
209 case IEEE80211_S_CAC:
210 /*
211 * NB: We may get here because of a manual channel
212 * change in which case we need to stop CAC
213 * XXX no need to stop if ostate RUN but it's ok
214 */
215 ieee80211_dfs_cac_stop(vap);
216 /* fall thru... */
217 case IEEE80211_S_INIT:
218 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
219 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
220 /*
221 * Already have a channel; bypass the
222 * scan and startup immediately.
223 * ieee80211_create_ibss will call back to
224 * move us to RUN state.
225 */
226 ieee80211_create_ibss(vap, vap->iv_des_chan);
227 break;
228 }
229 /*
230 * Initiate a scan. We can come here as a result
231 * of an IEEE80211_IOC_SCAN_REQ too in which case
232 * the vap will be marked with IEEE80211_FEXT_SCANREQ
233 * and the scan request parameters will be present
234 * in iv_scanreq. Otherwise we do the default.
235 */
236 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
237 ieee80211_check_scan(vap,
238 vap->iv_scanreq_flags,
239 vap->iv_scanreq_duration,
240 vap->iv_scanreq_mindwell,
241 vap->iv_scanreq_maxdwell,
242 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
243 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
244 } else
245 ieee80211_check_scan_current(vap);
246 break;
247 case IEEE80211_S_SCAN:
248 /*
249 * A state change requires a reset; scan.
250 */
251 ieee80211_check_scan_current(vap);
252 break;
253 default:
254 break;
255 }
256 break;
257 case IEEE80211_S_CAC:
258 /*
259 * Start CAC on a DFS channel. We come here when starting
260 * a bss on a DFS channel (see ieee80211_create_ibss).
261 */
262 ieee80211_dfs_cac_start(vap);
263 break;
264 case IEEE80211_S_RUN:
265 if (vap->iv_flags & IEEE80211_F_WPA) {
266 /* XXX validate prerequisites */
267 }
268 switch (ostate) {
269 case IEEE80211_S_INIT:
270 /*
271 * Already have a channel; bypass the
272 * scan and startup immediately.
273 * Note that ieee80211_create_ibss will call
274 * back to do a RUN->RUN state change.
275 */
276 ieee80211_create_ibss(vap,
277 ieee80211_ht_adjust_channel(ic,
278 ic->ic_curchan, vap->iv_flags_ht));
279 /* NB: iv_bss is changed on return */
280 break;
281 case IEEE80211_S_CAC:
282 /*
283 * NB: This is the normal state change when CAC
284 * expires and no radar was detected; no need to
285 * clear the CAC timer as it's already expired.
286 */
287 /* fall thru... */
288 case IEEE80211_S_CSA:
289 /*
290 * Shorten inactivity timer of associated stations
291 * to weed out sta's that don't follow a CSA.
292 */
293 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
294 sta_csa, NULL);
295 /*
296 * Update bss node channel to reflect where
297 * we landed after CSA.
298 */
299 ieee80211_node_set_chan(vap->iv_bss,
300 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
301 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
302 /* XXX bypass debug msgs */
303 break;
304 case IEEE80211_S_SCAN:
305 case IEEE80211_S_RUN:
306 #ifdef IEEE80211_DEBUG
307 if (ieee80211_msg_debug(vap)) {
308 struct ieee80211_node *ni = vap->iv_bss;
309 ieee80211_note(vap,
310 "synchronized with %s ssid ",
311 ether_sprintf(ni->ni_bssid));
312 ieee80211_print_essid(ni->ni_essid,
313 ni->ni_esslen);
314 /* XXX MCS/HT */
315 printf(" channel %d start %uMb\n",
316 ieee80211_chan2ieee(ic, ic->ic_curchan),
317 IEEE80211_RATE2MBS(ni->ni_txrate));
318 }
319 #endif
320 break;
321 default:
322 break;
323 }
324 /*
325 * Start/stop the authenticator. We delay until here
326 * to allow configuration to happen out of order.
327 */
328 if (vap->iv_auth->ia_attach != NULL) {
329 /* XXX check failure */
330 vap->iv_auth->ia_attach(vap);
331 } else if (vap->iv_auth->ia_detach != NULL) {
332 vap->iv_auth->ia_detach(vap);
333 }
334 ieee80211_node_authorize(vap->iv_bss);
335 break;
336 case IEEE80211_S_CSA:
337 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
338 /*
339 * On a ``band change'' silently drop associated
340 * stations as they must re-associate before they
341 * can pass traffic (as otherwise protocol state
342 * such as capabilities and the negotiated rate
343 * set may/will be wrong).
344 */
345 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap,
346 sta_drop, NULL);
347 }
348 break;
349 default:
350 break;
351 }
352 return 0;
353 }
354
355 static void
356 hostap_deliver_data(struct ieee80211vap *vap,
357 struct ieee80211_node *ni, struct mbuf *m)
358 {
359 struct ether_header *eh = mtod(m, struct ether_header *);
360 struct ifnet *ifp = vap->iv_ifp;
361
362 /* clear driver/net80211 flags before passing up */
363 m->m_flags &= ~(M_MCAST | M_BCAST);
364 m_clrprotoflags(m);
365
366 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
367 ("gack, opmode %d", vap->iv_opmode));
368 /*
369 * Do accounting.
370 */
371 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
372 IEEE80211_NODE_STAT(ni, rx_data);
373 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
374 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
375 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
376 IEEE80211_NODE_STAT(ni, rx_mcast);
377 } else
378 IEEE80211_NODE_STAT(ni, rx_ucast);
379
380 /* perform as a bridge within the AP */
381 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
382 struct mbuf *mcopy = NULL;
383
384 if (m->m_flags & M_MCAST) {
385 mcopy = m_dup(m, IEEE80211_M_NOWAIT);
386 if (mcopy == NULL)
387 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
388 else
389 mcopy->m_flags |= M_MCAST;
390 } else {
391 /*
392 * Check if the destination is associated with the
393 * same vap and authorized to receive traffic.
394 * Beware of traffic destined for the vap itself;
395 * sending it will not work; just let it be delivered
396 * normally.
397 */
398 struct ieee80211_node *sta = ieee80211_find_vap_node(
399 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
400 if (sta != NULL) {
401 if (ieee80211_node_is_authorized(sta)) {
402 /*
403 * Beware of sending to ourself; this
404 * needs to happen via the normal
405 * input path.
406 */
407 if (sta != vap->iv_bss) {
408 mcopy = m;
409 m = NULL;
410 }
411 } else {
412 vap->iv_stats.is_rx_unauth++;
413 IEEE80211_NODE_STAT(sta, rx_unauth);
414 }
415 ieee80211_free_node(sta);
416 }
417 }
418 if (mcopy != NULL)
419 (void) ieee80211_vap_xmitpkt(vap, mcopy);
420 }
421 if (m != NULL) {
422 struct epoch_tracker et;
423
424 /*
425 * Mark frame as coming from vap's interface.
426 */
427 m->m_pkthdr.rcvif = ifp;
428 if (m->m_flags & M_MCAST) {
429 /*
430 * Spam DWDS vap's w/ multicast traffic.
431 */
432 /* XXX only if dwds in use? */
433 ieee80211_dwds_mcast(vap, m);
434 }
435 if (ni->ni_vlan != 0) {
436 /* attach vlan tag */
437 m->m_pkthdr.ether_vtag = ni->ni_vlan;
438 m->m_flags |= M_VLANTAG;
439 }
440 NET_EPOCH_ENTER(et);
441 ifp->if_input(ifp, m);
442 NET_EPOCH_EXIT(et);
443 }
444 }
445
446 /*
447 * Decide if a received management frame should be
448 * printed when debugging is enabled. This filters some
449 * of the less interesting frames that come frequently
450 * (e.g. beacons).
451 */
452 static __inline int
453 doprint(struct ieee80211vap *vap, int subtype)
454 {
455 switch (subtype) {
456 case IEEE80211_FC0_SUBTYPE_BEACON:
457 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
458 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
459 return 0;
460 }
461 return 1;
462 }
463
464 /*
465 * Process a received frame. The node associated with the sender
466 * should be supplied. If nothing was found in the node table then
467 * the caller is assumed to supply a reference to iv_bss instead.
468 * The RSSI and a timestamp are also supplied. The RSSI data is used
469 * during AP scanning to select a AP to associate with; it can have
470 * any units so long as values have consistent units and higher values
471 * mean ``better signal''. The receive timestamp is currently not used
472 * by the 802.11 layer.
473 */
474 static int
475 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
476 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
477 {
478 struct ieee80211vap *vap = ni->ni_vap;
479 struct ieee80211com *ic = ni->ni_ic;
480 struct ifnet *ifp = vap->iv_ifp;
481 struct ieee80211_frame *wh;
482 struct ieee80211_key *key;
483 struct ether_header *eh;
484 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
485 uint8_t dir, type, subtype, qos;
486 uint8_t *bssid;
487 int is_hw_decrypted = 0;
488 int has_decrypted = 0;
489
490 /*
491 * Some devices do hardware decryption all the way through
492 * to pretending the frame wasn't encrypted in the first place.
493 * So, tag it appropriately so it isn't discarded inappropriately.
494 */
495 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
496 is_hw_decrypted = 1;
497
498 if (m->m_flags & M_AMPDU_MPDU) {
499 /*
500 * Fastpath for A-MPDU reorder q resubmission. Frames
501 * w/ M_AMPDU_MPDU marked have already passed through
502 * here but were received out of order and been held on
503 * the reorder queue. When resubmitted they are marked
504 * with the M_AMPDU_MPDU flag and we can bypass most of
505 * the normal processing.
506 */
507 wh = mtod(m, struct ieee80211_frame *);
508 type = IEEE80211_FC0_TYPE_DATA;
509 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
510 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
511 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
512 goto resubmit_ampdu;
513 }
514
515 KASSERT(ni != NULL, ("null node"));
516 ni->ni_inact = ni->ni_inact_reload;
517
518 type = -1; /* undefined */
519
520 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
521 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
522 ni->ni_macaddr, NULL,
523 "too short (1): len %u", m->m_pkthdr.len);
524 vap->iv_stats.is_rx_tooshort++;
525 goto out;
526 }
527 /*
528 * Bit of a cheat here, we use a pointer for a 3-address
529 * frame format but don't reference fields past outside
530 * ieee80211_frame_min w/o first validating the data is
531 * present.
532 */
533 wh = mtod(m, struct ieee80211_frame *);
534
535 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) {
536 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
537 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
538 wh->i_fc[0], wh->i_fc[1]);
539 vap->iv_stats.is_rx_badversion++;
540 goto err;
541 }
542
543 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
544 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
545 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
546 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
547 if (dir != IEEE80211_FC1_DIR_NODS)
548 bssid = wh->i_addr1;
549 else if (type == IEEE80211_FC0_TYPE_CTL)
550 bssid = wh->i_addr1;
551 else {
552 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
553 IEEE80211_DISCARD_MAC(vap,
554 IEEE80211_MSG_ANY, ni->ni_macaddr,
555 NULL, "too short (2): len %u",
556 m->m_pkthdr.len);
557 vap->iv_stats.is_rx_tooshort++;
558 goto out;
559 }
560 bssid = wh->i_addr3;
561 }
562 /*
563 * Validate the bssid.
564 */
565 if (!(type == IEEE80211_FC0_TYPE_MGT &&
566 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
567 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
568 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
569 /* not interested in */
570 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
571 bssid, NULL, "%s", "not to bss");
572 vap->iv_stats.is_rx_wrongbss++;
573 goto out;
574 }
575
576 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
577 ni->ni_noise = nf;
578 if (IEEE80211_HAS_SEQ(type, subtype)) {
579 uint8_t tid = ieee80211_gettid(wh);
580 if (IEEE80211_QOS_HAS_SEQ(wh) &&
581 TID_TO_WME_AC(tid) >= WME_AC_VI)
582 ic->ic_wme.wme_hipri_traffic++;
583 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
584 goto out;
585 }
586 }
587
588 switch (type) {
589 case IEEE80211_FC0_TYPE_DATA:
590 hdrspace = ieee80211_hdrspace(ic, wh);
591 if (m->m_len < hdrspace &&
592 (m = m_pullup(m, hdrspace)) == NULL) {
593 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
594 ni->ni_macaddr, NULL,
595 "data too short: expecting %u", hdrspace);
596 vap->iv_stats.is_rx_tooshort++;
597 goto out; /* XXX */
598 }
599 if (!(dir == IEEE80211_FC1_DIR_TODS ||
600 (dir == IEEE80211_FC1_DIR_DSTODS &&
601 (vap->iv_flags & IEEE80211_F_DWDS)))) {
602 if (dir != IEEE80211_FC1_DIR_DSTODS) {
603 IEEE80211_DISCARD(vap,
604 IEEE80211_MSG_INPUT, wh, "data",
605 "incorrect dir 0x%x", dir);
606 } else {
607 IEEE80211_DISCARD(vap,
608 IEEE80211_MSG_INPUT |
609 IEEE80211_MSG_WDS, wh,
610 "4-address data",
611 "%s", "DWDS not enabled");
612 }
613 vap->iv_stats.is_rx_wrongdir++;
614 goto out;
615 }
616 /* check if source STA is associated */
617 if (ni == vap->iv_bss) {
618 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
619 wh, "data", "%s", "unknown src");
620 ieee80211_send_error(ni, wh->i_addr2,
621 IEEE80211_FC0_SUBTYPE_DEAUTH,
622 IEEE80211_REASON_NOT_AUTHED);
623 vap->iv_stats.is_rx_notassoc++;
624 goto err;
625 }
626 if (ni->ni_associd == 0) {
627 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
628 wh, "data", "%s", "unassoc src");
629 IEEE80211_SEND_MGMT(ni,
630 IEEE80211_FC0_SUBTYPE_DISASSOC,
631 IEEE80211_REASON_NOT_ASSOCED);
632 vap->iv_stats.is_rx_notassoc++;
633 goto err;
634 }
635
636 /*
637 * Check for power save state change.
638 * XXX out-of-order A-MPDU frames?
639 */
640 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
641 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
642 vap->iv_node_ps(ni,
643 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
644 /*
645 * For 4-address packets handle WDS discovery
646 * notifications. Once a WDS link is setup frames
647 * are just delivered to the WDS vap (see below).
648 */
649 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
650 if (!ieee80211_node_is_authorized(ni)) {
651 IEEE80211_DISCARD(vap,
652 IEEE80211_MSG_INPUT |
653 IEEE80211_MSG_WDS, wh,
654 "4-address data",
655 "%s", "unauthorized port");
656 vap->iv_stats.is_rx_unauth++;
657 IEEE80211_NODE_STAT(ni, rx_unauth);
658 goto err;
659 }
660 ieee80211_dwds_discover(ni, m);
661 return type;
662 }
663
664 /*
665 * Handle A-MPDU re-ordering. If the frame is to be
666 * processed directly then ieee80211_ampdu_reorder
667 * will return 0; otherwise it has consumed the mbuf
668 * and we should do nothing more with it.
669 */
670 if ((m->m_flags & M_AMPDU) &&
671 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
672 m = NULL;
673 goto out;
674 }
675 resubmit_ampdu:
676
677 /*
678 * Handle privacy requirements. Note that we
679 * must not be preempted from here until after
680 * we (potentially) call ieee80211_crypto_demic;
681 * otherwise we may violate assumptions in the
682 * crypto cipher modules used to do delayed update
683 * of replay sequence numbers.
684 */
685 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
686 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
687 /*
688 * Discard encrypted frames when privacy is off.
689 */
690 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
691 wh, "WEP", "%s", "PRIVACY off");
692 vap->iv_stats.is_rx_noprivacy++;
693 IEEE80211_NODE_STAT(ni, rx_noprivacy);
694 goto out;
695 }
696 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
697 /* NB: stats+msgs handled in crypto_decap */
698 IEEE80211_NODE_STAT(ni, rx_wepfail);
699 goto out;
700 }
701 wh = mtod(m, struct ieee80211_frame *);
702 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
703 has_decrypted = 1;
704 } else {
705 /* XXX M_WEP and IEEE80211_F_PRIVACY */
706 key = NULL;
707 }
708
709 /*
710 * Save QoS bits for use below--before we strip the header.
711 */
712 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
713 qos = ieee80211_getqos(wh)[0];
714 else
715 qos = 0;
716
717 /*
718 * Next up, any fragmentation.
719 */
720 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
721 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
722 if (m == NULL) {
723 /* Fragment dropped or frame not complete yet */
724 goto out;
725 }
726 }
727 wh = NULL; /* no longer valid, catch any uses */
728
729 /*
730 * Next strip any MSDU crypto bits.
731 */
732 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
733 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
734 ni->ni_macaddr, "data", "%s", "demic error");
735 vap->iv_stats.is_rx_demicfail++;
736 IEEE80211_NODE_STAT(ni, rx_demicfail);
737 goto out;
738 }
739 /* copy to listener after decrypt */
740 if (ieee80211_radiotap_active_vap(vap))
741 ieee80211_radiotap_rx(vap, m);
742 need_tap = 0;
743 /*
744 * Finally, strip the 802.11 header.
745 */
746 m = ieee80211_decap(vap, m, hdrspace, qos);
747 if (m == NULL) {
748 /* XXX mask bit to check for both */
749 /* don't count Null data frames as errors */
750 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
751 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
752 goto out;
753 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
754 ni->ni_macaddr, "data", "%s", "decap error");
755 vap->iv_stats.is_rx_decap++;
756 IEEE80211_NODE_STAT(ni, rx_decap);
757 goto err;
758 }
759 if (!(qos & IEEE80211_QOS_AMSDU))
760 eh = mtod(m, struct ether_header *);
761 else
762 eh = NULL;
763 if (!ieee80211_node_is_authorized(ni)) {
764 /*
765 * Deny any non-PAE frames received prior to
766 * authorization. For open/shared-key
767 * authentication the port is mark authorized
768 * after authentication completes. For 802.1x
769 * the port is not marked authorized by the
770 * authenticator until the handshake has completed.
771 */
772 if (eh == NULL ||
773 eh->ether_type != htons(ETHERTYPE_PAE)) {
774 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
775 ni->ni_macaddr, "data", "unauthorized or "
776 "unknown port: ether type 0x%x len %u",
777 eh == NULL ? -1 : eh->ether_type,
778 m->m_pkthdr.len);
779 vap->iv_stats.is_rx_unauth++;
780 IEEE80211_NODE_STAT(ni, rx_unauth);
781 goto err;
782 }
783 } else {
784 /*
785 * When denying unencrypted frames, discard
786 * any non-PAE frames received without encryption.
787 */
788 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
789 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
790 (is_hw_decrypted == 0) &&
791 (eh == NULL ||
792 eh->ether_type != htons(ETHERTYPE_PAE))) {
793 /*
794 * Drop unencrypted frames.
795 */
796 vap->iv_stats.is_rx_unencrypted++;
797 IEEE80211_NODE_STAT(ni, rx_unencrypted);
798 goto out;
799 }
800 }
801 /* XXX require HT? */
802 if (qos & IEEE80211_QOS_AMSDU) {
803 m = ieee80211_decap_amsdu(ni, m);
804 if (m == NULL)
805 return IEEE80211_FC0_TYPE_DATA;
806 } else {
807 #ifdef IEEE80211_SUPPORT_SUPERG
808 m = ieee80211_decap_fastframe(vap, ni, m);
809 if (m == NULL)
810 return IEEE80211_FC0_TYPE_DATA;
811 #endif
812 }
813 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
814 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
815 else
816 hostap_deliver_data(vap, ni, m);
817 return IEEE80211_FC0_TYPE_DATA;
818
819 case IEEE80211_FC0_TYPE_MGT:
820 vap->iv_stats.is_rx_mgmt++;
821 IEEE80211_NODE_STAT(ni, rx_mgmt);
822 if (dir != IEEE80211_FC1_DIR_NODS) {
823 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
824 wh, "mgt", "incorrect dir 0x%x", dir);
825 vap->iv_stats.is_rx_wrongdir++;
826 goto err;
827 }
828 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
829 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
830 ni->ni_macaddr, "mgt", "too short: len %u",
831 m->m_pkthdr.len);
832 vap->iv_stats.is_rx_tooshort++;
833 goto out;
834 }
835 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
836 /* ensure return frames are unicast */
837 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
838 wh, NULL, "source is multicast: %s",
839 ether_sprintf(wh->i_addr2));
840 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
841 goto out;
842 }
843 #ifdef IEEE80211_DEBUG
844 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
845 ieee80211_msg_dumppkts(vap)) {
846 if_printf(ifp, "received %s from %s rssi %d\n",
847 ieee80211_mgt_subtype_name(subtype),
848 ether_sprintf(wh->i_addr2), rssi);
849 }
850 #endif
851 if (IEEE80211_IS_PROTECTED(wh)) {
852 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
853 /*
854 * Only shared key auth frames with a challenge
855 * should be encrypted, discard all others.
856 */
857 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
858 wh, NULL,
859 "%s", "WEP set but not permitted");
860 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
861 goto out;
862 }
863 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
864 /*
865 * Discard encrypted frames when privacy is off.
866 */
867 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
868 wh, NULL, "%s", "WEP set but PRIVACY off");
869 vap->iv_stats.is_rx_noprivacy++;
870 goto out;
871 }
872 hdrspace = ieee80211_hdrspace(ic, wh);
873 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
874 /* NB: stats+msgs handled in crypto_decap */
875 goto out;
876 }
877 wh = mtod(m, struct ieee80211_frame *);
878 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
879 has_decrypted = 1;
880 }
881 /*
882 * Pass the packet to radiotap before calling iv_recv_mgmt().
883 * Otherwise iv_recv_mgmt() might pass another packet to
884 * radiotap, resulting in out of order packet captures.
885 */
886 if (ieee80211_radiotap_active_vap(vap))
887 ieee80211_radiotap_rx(vap, m);
888 need_tap = 0;
889 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
890 goto out;
891
892 case IEEE80211_FC0_TYPE_CTL:
893 vap->iv_stats.is_rx_ctl++;
894 IEEE80211_NODE_STAT(ni, rx_ctrl);
895 vap->iv_recv_ctl(ni, m, subtype);
896 goto out;
897 default:
898 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
899 wh, "bad", "frame type 0x%x", type);
900 /* should not come here */
901 break;
902 }
903 err:
904 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
905 out:
906 if (m != NULL) {
907 if (need_tap && ieee80211_radiotap_active_vap(vap))
908 ieee80211_radiotap_rx(vap, m);
909 m_freem(m);
910 }
911 return type;
912 }
913
914 static void
915 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
916 int rssi, int nf, uint16_t seq, uint16_t status)
917 {
918 struct ieee80211vap *vap = ni->ni_vap;
919
920 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
921
922 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
923 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
924 ni->ni_macaddr, "open auth",
925 "bad sta auth mode %u", ni->ni_authmode);
926 vap->iv_stats.is_rx_bad_auth++; /* XXX */
927 /*
928 * Clear any challenge text that may be there if
929 * a previous shared key auth failed and then an
930 * open auth is attempted.
931 */
932 if (ni->ni_challenge != NULL) {
933 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
934 ni->ni_challenge = NULL;
935 }
936 /* XXX hack to workaround calling convention */
937 ieee80211_send_error(ni, wh->i_addr2,
938 IEEE80211_FC0_SUBTYPE_AUTH,
939 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
940 return;
941 }
942 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
943 vap->iv_stats.is_rx_bad_auth++;
944 return;
945 }
946 /* always accept open authentication requests */
947 if (ni == vap->iv_bss) {
948 ni = ieee80211_dup_bss(vap, wh->i_addr2);
949 if (ni == NULL)
950 return;
951 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
952 (void) ieee80211_ref_node(ni);
953 /*
954 * Mark the node as referenced to reflect that it's
955 * reference count has been bumped to insure it remains
956 * after the transaction completes.
957 */
958 ni->ni_flags |= IEEE80211_NODE_AREF;
959 /*
960 * Mark the node as requiring a valid association id
961 * before outbound traffic is permitted.
962 */
963 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
964
965 if (vap->iv_acl != NULL &&
966 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
967 /*
968 * When the ACL policy is set to RADIUS we defer the
969 * authorization to a user agent. Dispatch an event,
970 * a subsequent MLME call will decide the fate of the
971 * station. If the user agent is not present then the
972 * node will be reclaimed due to inactivity.
973 */
974 IEEE80211_NOTE_MAC(vap,
975 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
976 "%s", "station authentication deferred (radius acl)");
977 ieee80211_notify_node_auth(ni);
978 } else {
979 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
980 IEEE80211_NOTE_MAC(vap,
981 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
982 "%s", "station authenticated (open)");
983 /*
984 * When 802.1x is not in use mark the port
985 * authorized at this point so traffic can flow.
986 */
987 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
988 ieee80211_node_authorize(ni);
989 }
990 }
991
992 static void
993 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
994 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
995 uint16_t seq, uint16_t status)
996 {
997 struct ieee80211vap *vap = ni->ni_vap;
998 uint8_t *challenge;
999 int estatus;
1000
1001 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1002
1003 /*
1004 * NB: this can happen as we allow pre-shared key
1005 * authentication to be enabled w/o wep being turned
1006 * on so that configuration of these can be done
1007 * in any order. It may be better to enforce the
1008 * ordering in which case this check would just be
1009 * for sanity/consistency.
1010 */
1011 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1012 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1013 ni->ni_macaddr, "shared key auth",
1014 "%s", " PRIVACY is disabled");
1015 estatus = IEEE80211_STATUS_ALG;
1016 goto bad;
1017 }
1018 /*
1019 * Pre-shared key authentication is evil; accept
1020 * it only if explicitly configured (it is supported
1021 * mainly for compatibility with clients like Mac OS X).
1022 */
1023 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1024 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1025 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1026 ni->ni_macaddr, "shared key auth",
1027 "bad sta auth mode %u", ni->ni_authmode);
1028 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1029 estatus = IEEE80211_STATUS_ALG;
1030 goto bad;
1031 }
1032
1033 challenge = NULL;
1034 if (frm + 1 < efrm) {
1035 if ((frm[1] + 2) > (efrm - frm)) {
1036 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1037 ni->ni_macaddr, "shared key auth",
1038 "ie %d/%d too long",
1039 frm[0], (frm[1] + 2) - (efrm - frm));
1040 vap->iv_stats.is_rx_bad_auth++;
1041 estatus = IEEE80211_STATUS_CHALLENGE;
1042 goto bad;
1043 }
1044 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1045 challenge = frm;
1046 frm += frm[1] + 2;
1047 }
1048 switch (seq) {
1049 case IEEE80211_AUTH_SHARED_CHALLENGE:
1050 case IEEE80211_AUTH_SHARED_RESPONSE:
1051 if (challenge == NULL) {
1052 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1053 ni->ni_macaddr, "shared key auth",
1054 "%s", "no challenge");
1055 vap->iv_stats.is_rx_bad_auth++;
1056 estatus = IEEE80211_STATUS_CHALLENGE;
1057 goto bad;
1058 }
1059 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1060 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1061 ni->ni_macaddr, "shared key auth",
1062 "bad challenge len %d", challenge[1]);
1063 vap->iv_stats.is_rx_bad_auth++;
1064 estatus = IEEE80211_STATUS_CHALLENGE;
1065 goto bad;
1066 }
1067 default:
1068 break;
1069 }
1070 switch (seq) {
1071 case IEEE80211_AUTH_SHARED_REQUEST:
1072 {
1073 #ifdef IEEE80211_DEBUG
1074 bool allocbs;
1075 #endif
1076
1077 if (ni == vap->iv_bss) {
1078 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1079 if (ni == NULL) {
1080 /* NB: no way to return an error */
1081 return;
1082 }
1083 #ifdef IEEE80211_DEBUG
1084 allocbs = 1;
1085 #endif
1086 } else {
1087 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1088 (void) ieee80211_ref_node(ni);
1089 #ifdef IEEE80211_DEBUG
1090 allocbs = 0;
1091 #endif
1092 }
1093 /*
1094 * Mark the node as referenced to reflect that it's
1095 * reference count has been bumped to insure it remains
1096 * after the transaction completes.
1097 */
1098 ni->ni_flags |= IEEE80211_NODE_AREF;
1099 /*
1100 * Mark the node as requiring a valid association id
1101 * before outbound traffic is permitted.
1102 */
1103 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1104 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1105 ni->ni_noise = nf;
1106 if (!ieee80211_alloc_challenge(ni)) {
1107 /* NB: don't return error so they rexmit */
1108 return;
1109 }
1110 net80211_get_random_bytes(ni->ni_challenge,
1111 IEEE80211_CHALLENGE_LEN);
1112 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1113 ni, "shared key %sauth request", allocbs ? "" : "re");
1114 /*
1115 * When the ACL policy is set to RADIUS we defer the
1116 * authorization to a user agent. Dispatch an event,
1117 * a subsequent MLME call will decide the fate of the
1118 * station. If the user agent is not present then the
1119 * node will be reclaimed due to inactivity.
1120 */
1121 if (vap->iv_acl != NULL &&
1122 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1123 IEEE80211_NOTE_MAC(vap,
1124 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1125 ni->ni_macaddr,
1126 "%s", "station authentication deferred (radius acl)");
1127 ieee80211_notify_node_auth(ni);
1128 return;
1129 }
1130 break;
1131 }
1132 case IEEE80211_AUTH_SHARED_RESPONSE:
1133 if (ni == vap->iv_bss) {
1134 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1135 ni->ni_macaddr, "shared key response",
1136 "%s", "unknown station");
1137 /* NB: don't send a response */
1138 return;
1139 }
1140 if (ni->ni_challenge == NULL) {
1141 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1142 ni->ni_macaddr, "shared key response",
1143 "%s", "no challenge recorded");
1144 vap->iv_stats.is_rx_bad_auth++;
1145 estatus = IEEE80211_STATUS_CHALLENGE;
1146 goto bad;
1147 }
1148 if (memcmp(ni->ni_challenge, &challenge[2],
1149 challenge[1]) != 0) {
1150 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1151 ni->ni_macaddr, "shared key response",
1152 "%s", "challenge mismatch");
1153 vap->iv_stats.is_rx_auth_fail++;
1154 estatus = IEEE80211_STATUS_CHALLENGE;
1155 goto bad;
1156 }
1157 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1158 ni, "%s", "station authenticated (shared key)");
1159 ieee80211_node_authorize(ni);
1160 break;
1161 default:
1162 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1163 ni->ni_macaddr, "shared key auth",
1164 "bad seq %d", seq);
1165 vap->iv_stats.is_rx_bad_auth++;
1166 estatus = IEEE80211_STATUS_SEQUENCE;
1167 goto bad;
1168 }
1169 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1170 return;
1171 bad:
1172 /*
1173 * Send an error response; but only when operating as an AP.
1174 */
1175 /* XXX hack to workaround calling convention */
1176 ieee80211_send_error(ni, wh->i_addr2,
1177 IEEE80211_FC0_SUBTYPE_AUTH,
1178 (seq + 1) | (estatus<<16));
1179 }
1180
1181 /*
1182 * Convert a WPA cipher selector OUI to an internal
1183 * cipher algorithm. Where appropriate we also
1184 * record any key length.
1185 */
1186 static int
1187 wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1188 {
1189 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1190 uint32_t w = le32dec(sel);
1191
1192 switch (w) {
1193 case WPA_SEL(WPA_CSE_NULL):
1194 *cipher = IEEE80211_CIPHER_NONE;
1195 break;
1196 case WPA_SEL(WPA_CSE_WEP40):
1197 if (keylen)
1198 *keylen = 40 / NBBY;
1199 *cipher = IEEE80211_CIPHER_WEP;
1200 break;
1201 case WPA_SEL(WPA_CSE_WEP104):
1202 if (keylen)
1203 *keylen = 104 / NBBY;
1204 *cipher = IEEE80211_CIPHER_WEP;
1205 break;
1206 case WPA_SEL(WPA_CSE_TKIP):
1207 *cipher = IEEE80211_CIPHER_TKIP;
1208 break;
1209 case WPA_SEL(WPA_CSE_CCMP):
1210 *cipher = IEEE80211_CIPHER_AES_CCM;
1211 break;
1212 default:
1213 return (EINVAL);
1214 }
1215
1216 return (0);
1217 #undef WPA_SEL
1218 }
1219
1220 /*
1221 * Convert a WPA key management/authentication algorithm
1222 * to an internal code.
1223 */
1224 static int
1225 wpa_keymgmt(const uint8_t *sel)
1226 {
1227 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1228 uint32_t w = le32dec(sel);
1229
1230 switch (w) {
1231 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1232 return WPA_ASE_8021X_UNSPEC;
1233 case WPA_SEL(WPA_ASE_8021X_PSK):
1234 return WPA_ASE_8021X_PSK;
1235 case WPA_SEL(WPA_ASE_NONE):
1236 return WPA_ASE_NONE;
1237 }
1238 return 0; /* NB: so is discarded */
1239 #undef WPA_SEL
1240 }
1241
1242 /*
1243 * Parse a WPA information element to collect parameters.
1244 * Note that we do not validate security parameters; that
1245 * is handled by the authenticator; the parsing done here
1246 * is just for internal use in making operational decisions.
1247 */
1248 static int
1249 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1250 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1251 {
1252 uint8_t len = frm[1];
1253 uint32_t w;
1254 int error, n;
1255
1256 /*
1257 * Check the length once for fixed parts: OUI, type,
1258 * version, mcast cipher, and 2 selector counts.
1259 * Other, variable-length data, must be checked separately.
1260 */
1261 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1262 IEEE80211_DISCARD_IE(vap,
1263 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1264 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1265 return IEEE80211_REASON_IE_INVALID;
1266 }
1267 if (len < 14) {
1268 IEEE80211_DISCARD_IE(vap,
1269 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1270 wh, "WPA", "too short, len %u", len);
1271 return IEEE80211_REASON_IE_INVALID;
1272 }
1273 frm += 6, len -= 4; /* NB: len is payload only */
1274 /* NB: iswpaoui already validated the OUI and type */
1275 w = le16dec(frm);
1276 if (w != WPA_VERSION) {
1277 IEEE80211_DISCARD_IE(vap,
1278 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1279 wh, "WPA", "bad version %u", w);
1280 return IEEE80211_REASON_IE_INVALID;
1281 }
1282 frm += 2, len -= 2;
1283
1284 memset(rsn, 0, sizeof(*rsn));
1285
1286 /* multicast/group cipher */
1287 error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1288 if (error != 0) {
1289 IEEE80211_DISCARD_IE(vap,
1290 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1291 wh, "WPA", "unknown mcast cipher suite %08X",
1292 le32dec(frm));
1293 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1294 }
1295 frm += 4, len -= 4;
1296
1297 /* unicast ciphers */
1298 n = le16dec(frm);
1299 frm += 2, len -= 2;
1300 if (len < n*4+2) {
1301 IEEE80211_DISCARD_IE(vap,
1302 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1303 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1304 len, n);
1305 return IEEE80211_REASON_IE_INVALID;
1306 }
1307 w = 0;
1308 for (; n > 0; n--) {
1309 uint8_t cipher;
1310
1311 error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1312 if (error == 0)
1313 w |= 1 << cipher;
1314
1315 frm += 4, len -= 4;
1316 }
1317 if (w == 0) {
1318 IEEE80211_DISCARD_IE(vap,
1319 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1320 wh, "WPA", "no usable pairwise cipher suite found (w=%d)",
1321 w);
1322 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1323 }
1324 /* XXX other? */
1325 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1326 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1327 else
1328 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1329
1330 /* key management algorithms */
1331 n = le16dec(frm);
1332 frm += 2, len -= 2;
1333 if (len < n*4) {
1334 IEEE80211_DISCARD_IE(vap,
1335 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1336 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1337 len, n);
1338 return IEEE80211_REASON_IE_INVALID;
1339 }
1340 w = 0;
1341 for (; n > 0; n--) {
1342 w |= wpa_keymgmt(frm);
1343 frm += 4, len -= 4;
1344 }
1345 if (w & WPA_ASE_8021X_UNSPEC)
1346 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1347 else
1348 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1349
1350 if (len > 2) /* optional capabilities */
1351 rsn->rsn_caps = le16dec(frm);
1352
1353 return 0;
1354 }
1355
1356 /*
1357 * Convert an RSN cipher selector OUI to an internal
1358 * cipher algorithm. Where appropriate we also
1359 * record any key length.
1360 */
1361 static int
1362 rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher)
1363 {
1364 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1365 uint32_t w = le32dec(sel);
1366
1367 switch (w) {
1368 case RSN_SEL(RSN_CSE_NULL):
1369 *cipher = IEEE80211_CIPHER_NONE;
1370 break;
1371 case RSN_SEL(RSN_CSE_WEP40):
1372 if (keylen)
1373 *keylen = 40 / NBBY;
1374 *cipher = IEEE80211_CIPHER_WEP;
1375 break;
1376 case RSN_SEL(RSN_CSE_WEP104):
1377 if (keylen)
1378 *keylen = 104 / NBBY;
1379 *cipher = IEEE80211_CIPHER_WEP;
1380 break;
1381 case RSN_SEL(RSN_CSE_TKIP):
1382 *cipher = IEEE80211_CIPHER_TKIP;
1383 break;
1384 case RSN_SEL(RSN_CSE_CCMP):
1385 *cipher = IEEE80211_CIPHER_AES_CCM;
1386 break;
1387 case RSN_SEL(RSN_CSE_WRAP):
1388 *cipher = IEEE80211_CIPHER_AES_OCB;
1389 break;
1390 default:
1391 return (EINVAL);
1392 }
1393
1394 return (0);
1395 #undef WPA_SEL
1396 }
1397
1398 /*
1399 * Convert an RSN key management/authentication algorithm
1400 * to an internal code.
1401 */
1402 static int
1403 rsn_keymgmt(const uint8_t *sel)
1404 {
1405 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1406 uint32_t w = le32dec(sel);
1407
1408 switch (w) {
1409 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1410 return RSN_ASE_8021X_UNSPEC;
1411 case RSN_SEL(RSN_ASE_8021X_PSK):
1412 return RSN_ASE_8021X_PSK;
1413 case RSN_SEL(RSN_ASE_NONE):
1414 return RSN_ASE_NONE;
1415 }
1416 return 0; /* NB: so is discarded */
1417 #undef RSN_SEL
1418 }
1419
1420 /*
1421 * Parse a WPA/RSN information element to collect parameters
1422 * and validate the parameters against what has been
1423 * configured for the system.
1424 */
1425 static int
1426 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1427 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1428 {
1429 uint8_t len = frm[1];
1430 uint32_t w;
1431 int error, n;
1432
1433 /*
1434 * Check the length once for fixed parts:
1435 * version, mcast cipher, and 2 selector counts.
1436 * Other, variable-length data, must be checked separately.
1437 */
1438 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1439 IEEE80211_DISCARD_IE(vap,
1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1441 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1442 return IEEE80211_REASON_IE_INVALID;
1443 }
1444 /* XXX may be shorter */
1445 if (len < 10) {
1446 IEEE80211_DISCARD_IE(vap,
1447 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1448 wh, "RSN", "too short, len %u", len);
1449 return IEEE80211_REASON_IE_INVALID;
1450 }
1451 frm += 2;
1452 w = le16dec(frm);
1453 if (w != RSN_VERSION) {
1454 IEEE80211_DISCARD_IE(vap,
1455 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1456 wh, "RSN", "bad version %u", w);
1457 return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION;
1458 }
1459 frm += 2, len -= 2;
1460
1461 memset(rsn, 0, sizeof(*rsn));
1462
1463 /* multicast/group cipher */
1464 error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher);
1465 if (error != 0) {
1466 IEEE80211_DISCARD_IE(vap,
1467 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1468 wh, "RSN", "unknown mcast cipher suite %08X",
1469 le32dec(frm));
1470 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1471 }
1472 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) {
1473 IEEE80211_DISCARD_IE(vap,
1474 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1475 wh, "RSN", "invalid mcast cipher suite %d",
1476 rsn->rsn_mcastcipher);
1477 return IEEE80211_REASON_GROUP_CIPHER_INVALID;
1478 }
1479 frm += 4, len -= 4;
1480
1481 /* unicast ciphers */
1482 n = le16dec(frm);
1483 frm += 2, len -= 2;
1484 if (len < n*4+2) {
1485 IEEE80211_DISCARD_IE(vap,
1486 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1487 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1488 len, n);
1489 return IEEE80211_REASON_IE_INVALID;
1490 }
1491 w = 0;
1492
1493 for (; n > 0; n--) {
1494 uint8_t cipher;
1495
1496 error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher);
1497 if (error == 0)
1498 w |= 1 << cipher;
1499
1500 frm += 4, len -= 4;
1501 }
1502 if (w & (1 << IEEE80211_CIPHER_AES_CCM))
1503 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1504 else if (w & (1 << IEEE80211_CIPHER_AES_OCB))
1505 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB;
1506 else if (w & (1 << IEEE80211_CIPHER_TKIP))
1507 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1508 else if ((w & (1 << IEEE80211_CIPHER_NONE)) &&
1509 (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP ||
1510 rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP))
1511 rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE;
1512 else {
1513 IEEE80211_DISCARD_IE(vap,
1514 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1515 wh, "RSN", "no usable pairwise cipher suite found (w=%d)",
1516 w);
1517 return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID;
1518 }
1519
1520 /* key management algorithms */
1521 n = le16dec(frm);
1522 frm += 2, len -= 2;
1523 if (len < n*4) {
1524 IEEE80211_DISCARD_IE(vap,
1525 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1526 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1527 len, n);
1528 return IEEE80211_REASON_IE_INVALID;
1529 }
1530 w = 0;
1531 for (; n > 0; n--) {
1532 w |= rsn_keymgmt(frm);
1533 frm += 4, len -= 4;
1534 }
1535 if (w & RSN_ASE_8021X_UNSPEC)
1536 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1537 else
1538 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1539
1540 /* optional RSN capabilities */
1541 if (len >= 2) {
1542 rsn->rsn_caps = le16dec(frm);
1543 frm += 2, len -= 2;
1544 }
1545
1546 /* XXX PMK Count / PMKID */
1547
1548 /* XXX Group Cipher Management Suite */
1549
1550 return 0;
1551 }
1552
1553 /*
1554 * WPA/802.11i association request processing.
1555 */
1556 static int
1557 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1558 const struct ieee80211_frame *wh, const uint8_t *wpa,
1559 const uint8_t *rsn, uint16_t capinfo)
1560 {
1561 struct ieee80211vap *vap = ni->ni_vap;
1562 uint8_t reason;
1563 int badwparsn;
1564
1565 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1566 if (wpa == NULL && rsn == NULL) {
1567 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1568 /*
1569 * W-Fi Protected Setup (WPS) permits
1570 * clients to associate and pass EAPOL frames
1571 * to establish initial credentials.
1572 */
1573 ni->ni_flags |= IEEE80211_NODE_WPS;
1574 return 1;
1575 }
1576 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1577 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1578 /*
1579 * Transitional Security Network. Permits clients
1580 * to associate and use WEP while WPA is configured.
1581 */
1582 ni->ni_flags |= IEEE80211_NODE_TSN;
1583 return 1;
1584 }
1585 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1586 wh, NULL, "%s", "no WPA/RSN IE in association request");
1587 vap->iv_stats.is_rx_assoc_badwpaie++;
1588 reason = IEEE80211_REASON_IE_INVALID;
1589 goto bad;
1590 }
1591 /* assert right association security credentials */
1592 badwparsn = 0; /* NB: to silence compiler */
1593 switch (vap->iv_flags & IEEE80211_F_WPA) {
1594 case IEEE80211_F_WPA1:
1595 badwparsn = (wpa == NULL);
1596 break;
1597 case IEEE80211_F_WPA2:
1598 badwparsn = (rsn == NULL);
1599 break;
1600 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1601 badwparsn = (wpa == NULL && rsn == NULL);
1602 break;
1603 }
1604 if (badwparsn) {
1605 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1606 wh, NULL,
1607 "%s", "missing WPA/RSN IE in association request");
1608 vap->iv_stats.is_rx_assoc_badwpaie++;
1609 reason = IEEE80211_REASON_IE_INVALID;
1610 goto bad;
1611 }
1612 /*
1613 * Parse WPA/RSN information element.
1614 */
1615 if (wpa != NULL)
1616 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1617 else
1618 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1619 if (reason != 0) {
1620 /* XXX wpa->rsn fallback? */
1621 /* XXX distinguish WPA/RSN? */
1622 vap->iv_stats.is_rx_assoc_badwpaie++;
1623 goto bad;
1624 }
1625 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1626 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1627 wpa != NULL ? "WPA" : "RSN",
1628 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1629 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1630 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1631
1632 return 1;
1633 bad:
1634 ieee80211_node_deauth(ni, reason);
1635 return 0;
1636 }
1637
1638 /* XXX find a better place for definition */
1639 struct l2_update_frame {
1640 struct ether_header eh;
1641 uint8_t dsap;
1642 uint8_t ssap;
1643 uint8_t control;
1644 uint8_t xid[3];
1645 } __packed;
1646
1647 /*
1648 * Deliver a TGf L2UF frame on behalf of a station.
1649 * This primes any bridge when the station is roaming
1650 * between ap's on the same wired network.
1651 */
1652 static void
1653 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1654 {
1655 struct ieee80211vap *vap = ni->ni_vap;
1656 struct ifnet *ifp = vap->iv_ifp;
1657 struct mbuf *m;
1658 struct l2_update_frame *l2uf;
1659 struct ether_header *eh;
1660
1661 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA);
1662 if (m == NULL) {
1663 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1664 "%s", "no mbuf for l2uf frame");
1665 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1666 return;
1667 }
1668 l2uf = mtod(m, struct l2_update_frame *);
1669 eh = &l2uf->eh;
1670 /* dst: Broadcast address */
1671 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1672 /* src: associated STA */
1673 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1674 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1675
1676 l2uf->dsap = 0;
1677 l2uf->ssap = 0;
1678 l2uf->control = 0xf5;
1679 l2uf->xid[0] = 0x81;
1680 l2uf->xid[1] = 0x80;
1681 l2uf->xid[2] = 0x00;
1682
1683 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1684 hostap_deliver_data(vap, ni, m);
1685 }
1686
1687 static void
1688 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1689 int reassoc, int resp, const char *tag, int rate)
1690 {
1691 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1692 "deny %s request, %s rate set mismatch, rate/MCS %d",
1693 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1694 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1695 ieee80211_node_leave(ni);
1696 }
1697
1698 static void
1699 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1700 int reassoc, int resp, const char *tag, int capinfo)
1701 {
1702 struct ieee80211vap *vap = ni->ni_vap;
1703
1704 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1705 "deny %s request, %s mismatch 0x%x",
1706 reassoc ? "reassoc" : "assoc", tag, capinfo);
1707 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1708 ieee80211_node_leave(ni);
1709 vap->iv_stats.is_rx_assoc_capmismatch++;
1710 }
1711
1712 static void
1713 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1714 int reassoc, int resp)
1715 {
1716 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1717 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1718 /* XXX no better code */
1719 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1720 ieee80211_node_leave(ni);
1721 }
1722
1723 static void
1724 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1725 int algo, int seq, int status)
1726 {
1727 struct ieee80211vap *vap = ni->ni_vap;
1728
1729 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1730 wh, NULL, "unsupported alg %d", algo);
1731 vap->iv_stats.is_rx_auth_unsupported++;
1732 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1733 seq | (status << 16));
1734 }
1735
1736 static __inline int
1737 ishtmixed(const uint8_t *ie)
1738 {
1739 const struct ieee80211_ie_htinfo *ht =
1740 (const struct ieee80211_ie_htinfo *) ie;
1741 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1742 IEEE80211_HTINFO_OPMODE_MIXED;
1743 }
1744
1745 static int
1746 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1747 {
1748 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1749 int i;
1750
1751 /* NB: the 11b clients we care about will not have xrates */
1752 if (xrates != NULL || rates == NULL)
1753 return 0;
1754 for (i = 0; i < rates[1]; i++) {
1755 int r = rates[2+i] & IEEE80211_RATE_VAL;
1756 if (r > 2*11 || ((1<<r) & brates) == 0)
1757 return 0;
1758 }
1759 return 1;
1760 }
1761
1762 static void
1763 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1764 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1765 {
1766 struct ieee80211vap *vap = ni->ni_vap;
1767 struct ieee80211com *ic = ni->ni_ic;
1768 struct ieee80211_frame *wh;
1769 uint8_t *frm, *efrm, *sfrm;
1770 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1771 uint8_t *vhtcap, *vhtinfo;
1772 int reassoc, resp;
1773 uint8_t rate;
1774
1775 wh = mtod(m0, struct ieee80211_frame *);
1776 frm = (uint8_t *)&wh[1];
1777 efrm = mtod(m0, uint8_t *) + m0->m_len;
1778 switch (subtype) {
1779 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1780 /*
1781 * We process beacon/probe response frames when scanning;
1782 * otherwise we check beacon frames for overlapping non-ERP
1783 * BSS in 11g and/or overlapping legacy BSS when in HT.
1784 */
1785 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1786 vap->iv_stats.is_rx_mgtdiscard++;
1787 return;
1788 }
1789 /* FALLTHROUGH */
1790 case IEEE80211_FC0_SUBTYPE_BEACON: {
1791 struct ieee80211_scanparams scan;
1792
1793 /* NB: accept off-channel frames */
1794 /* XXX TODO: use rxstatus to determine off-channel details */
1795 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1796 return;
1797 /*
1798 * Count frame now that we know it's to be processed.
1799 */
1800 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1801 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1802 IEEE80211_NODE_STAT(ni, rx_beacons);
1803 } else
1804 IEEE80211_NODE_STAT(ni, rx_proberesp);
1805 /*
1806 * If scanning, just pass information to the scan module.
1807 */
1808 if (ic->ic_flags & IEEE80211_F_SCAN) {
1809 if (scan.status == 0 && /* NB: on channel */
1810 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1811 /*
1812 * Actively scanning a channel marked passive;
1813 * send a probe request now that we know there
1814 * is 802.11 traffic present.
1815 *
1816 * XXX check if the beacon we recv'd gives
1817 * us what we need and suppress the probe req
1818 */
1819 ieee80211_probe_curchan(vap, true);
1820 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1821 }
1822 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1823 subtype, rssi, nf);
1824 return;
1825 }
1826 /*
1827 * Check beacon for overlapping bss w/ non ERP stations.
1828 * If we detect one and protection is configured but not
1829 * enabled, enable it and start a timer that'll bring us
1830 * out if we stop seeing the bss.
1831 */
1832 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1833 scan.status == 0 && /* NB: on-channel */
1834 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1835 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1836 vap->iv_lastnonerp = ticks;
1837 vap->iv_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1838 /*
1839 * XXX TODO: this may need to check all VAPs?
1840 */
1841 if (vap->iv_protmode != IEEE80211_PROT_NONE &&
1842 (vap->iv_flags & IEEE80211_F_USEPROT) == 0) {
1843 IEEE80211_NOTE_FRAME(vap,
1844 IEEE80211_MSG_ASSOC, wh,
1845 "non-ERP present on channel %d "
1846 "(saw erp 0x%x from channel %d), "
1847 "enable use of protection",
1848 ic->ic_curchan->ic_ieee,
1849 scan.erp, scan.chan);
1850 vap->iv_flags |= IEEE80211_F_USEPROT;
1851 ieee80211_vap_update_erp_protmode(vap);
1852 }
1853 }
1854 /*
1855 * Check beacon for non-HT station on HT channel
1856 * and update HT BSS occupancy as appropriate.
1857 */
1858 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1859 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1860 /*
1861 * Off control channel; only check frames
1862 * that come in the extension channel when
1863 * operating w/ HT40.
1864 */
1865 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1866 break;
1867 if (scan.chan != ic->ic_curchan->ic_extieee)
1868 break;
1869 }
1870 if (scan.htinfo == NULL) {
1871 ieee80211_htprot_update(vap,
1872 IEEE80211_HTINFO_OPMODE_PROTOPT |
1873 IEEE80211_HTINFO_NONHT_PRESENT);
1874 } else if (ishtmixed(scan.htinfo)) {
1875 /* XXX? take NONHT_PRESENT from beacon? */
1876 ieee80211_htprot_update(vap,
1877 IEEE80211_HTINFO_OPMODE_MIXED |
1878 IEEE80211_HTINFO_NONHT_PRESENT);
1879 }
1880 }
1881 break;
1882 }
1883
1884 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1885 if (vap->iv_state != IEEE80211_S_RUN) {
1886 vap->iv_stats.is_rx_mgtdiscard++;
1887 return;
1888 }
1889 /*
1890 * Consult the ACL policy module if setup.
1891 */
1892 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1893 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1894 wh, NULL, "%s", "disallowed by ACL");
1895 vap->iv_stats.is_rx_acl++;
1896 return;
1897 }
1898 /*
1899 * prreq frame format
1900 * [tlv] ssid
1901 * [tlv] supported rates
1902 * [tlv] extended supported rates
1903 */
1904 ssid = rates = xrates = NULL;
1905 while (efrm - frm > 1) {
1906 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1907 switch (*frm) {
1908 case IEEE80211_ELEMID_SSID:
1909 ssid = frm;
1910 break;
1911 case IEEE80211_ELEMID_RATES:
1912 rates = frm;
1913 break;
1914 case IEEE80211_ELEMID_XRATES:
1915 xrates = frm;
1916 break;
1917 }
1918 frm += frm[1] + 2;
1919 }
1920 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1921 if (xrates != NULL)
1922 IEEE80211_VERIFY_ELEMENT(xrates,
1923 IEEE80211_RATE_MAXSIZE - rates[1], return);
1924 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1925 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1926 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1927 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1928 wh, NULL,
1929 "%s", "no ssid with ssid suppression enabled");
1930 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1931 return;
1932 }
1933
1934 /* XXX find a better class or define it's own */
1935 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1936 "%s", "recv probe req");
1937 /*
1938 * Some legacy 11b clients cannot hack a complete
1939 * probe response frame. When the request includes
1940 * only a bare-bones rate set, communicate this to
1941 * the transmit side.
1942 */
1943 ieee80211_send_proberesp(vap, wh->i_addr2,
1944 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1945 break;
1946
1947 case IEEE80211_FC0_SUBTYPE_AUTH: {
1948 uint16_t algo, seq, status;
1949
1950 if (vap->iv_state != IEEE80211_S_RUN) {
1951 vap->iv_stats.is_rx_mgtdiscard++;
1952 return;
1953 }
1954 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1955 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1956 wh, NULL, "%s", "wrong bssid");
1957 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1958 return;
1959 }
1960 /*
1961 * auth frame format
1962 * [2] algorithm
1963 * [2] sequence
1964 * [2] status
1965 * [tlv*] challenge
1966 */
1967 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1968 algo = le16toh(*(uint16_t *)frm);
1969 seq = le16toh(*(uint16_t *)(frm + 2));
1970 status = le16toh(*(uint16_t *)(frm + 4));
1971 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1972 "recv auth frame with algorithm %d seq %d", algo, seq);
1973 /*
1974 * Consult the ACL policy module if setup.
1975 */
1976 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1977 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1978 wh, NULL, "%s", "disallowed by ACL");
1979 vap->iv_stats.is_rx_acl++;
1980 ieee80211_send_error(ni, wh->i_addr2,
1981 IEEE80211_FC0_SUBTYPE_AUTH,
1982 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1983 return;
1984 }
1985 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1986 IEEE80211_DISCARD(vap,
1987 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1988 wh, NULL, "%s", "TKIP countermeasures enabled");
1989 vap->iv_stats.is_rx_auth_countermeasures++;
1990 ieee80211_send_error(ni, wh->i_addr2,
1991 IEEE80211_FC0_SUBTYPE_AUTH,
1992 IEEE80211_REASON_MIC_FAILURE);
1993 return;
1994 }
1995 if (algo == IEEE80211_AUTH_ALG_SHARED)
1996 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1997 seq, status);
1998 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1999 hostap_auth_open(ni, wh, rssi, nf, seq, status);
2000 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
2001 authalgreject(ni, wh, algo,
2002 seq+1, IEEE80211_STATUS_ALG);
2003 return;
2004 } else {
2005 /*
2006 * We assume that an unknown algorithm is the result
2007 * of a decryption failure on a shared key auth frame;
2008 * return a status code appropriate for that instead
2009 * of IEEE80211_STATUS_ALG.
2010 *
2011 * NB: a seq# of 4 is intentional; the decrypted
2012 * frame likely has a bogus seq value.
2013 */
2014 authalgreject(ni, wh, algo,
2015 4, IEEE80211_STATUS_CHALLENGE);
2016 return;
2017 }
2018 break;
2019 }
2020
2021 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2022 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2023 uint16_t capinfo, lintval;
2024 struct ieee80211_rsnparms rsnparms;
2025
2026 if (vap->iv_state != IEEE80211_S_RUN) {
2027 vap->iv_stats.is_rx_mgtdiscard++;
2028 return;
2029 }
2030 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
2031 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2032 wh, NULL, "%s", "wrong bssid");
2033 vap->iv_stats.is_rx_assoc_bss++;
2034 return;
2035 }
2036 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2037 reassoc = 1;
2038 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2039 } else {
2040 reassoc = 0;
2041 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2042 }
2043 if (ni == vap->iv_bss) {
2044 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
2045 "deny %s request, sta not authenticated",
2046 reassoc ? "reassoc" : "assoc");
2047 ieee80211_send_error(ni, wh->i_addr2,
2048 IEEE80211_FC0_SUBTYPE_DEAUTH,
2049 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2050 vap->iv_stats.is_rx_assoc_notauth++;
2051 return;
2052 }
2053
2054 /*
2055 * asreq frame format
2056 * [2] capability information
2057 * [2] listen interval
2058 * [6*] current AP address (reassoc only)
2059 * [tlv] ssid
2060 * [tlv] supported rates
2061 * [tlv] extended supported rates
2062 * [tlv] WPA or RSN
2063 * [tlv] HT capabilities
2064 * [tlv] Atheros capabilities
2065 */
2066 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
2067 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2068 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2069 if (reassoc)
2070 frm += 6; /* ignore current AP info */
2071 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
2072 vhtcap = vhtinfo = NULL;
2073 sfrm = frm;
2074 while (efrm - frm > 1) {
2075 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
2076 switch (*frm) {
2077 case IEEE80211_ELEMID_SSID:
2078 ssid = frm;
2079 break;
2080 case IEEE80211_ELEMID_RATES:
2081 rates = frm;
2082 break;
2083 case IEEE80211_ELEMID_XRATES:
2084 xrates = frm;
2085 break;
2086 case IEEE80211_ELEMID_RSN:
2087 rsn = frm;
2088 break;
2089 case IEEE80211_ELEMID_HTCAP:
2090 htcap = frm;
2091 break;
2092 case IEEE80211_ELEMID_VHT_CAP:
2093 vhtcap = frm;
2094 break;
2095 case IEEE80211_ELEMID_VHT_OPMODE:
2096 vhtinfo = frm;
2097 break;
2098 case IEEE80211_ELEMID_VENDOR:
2099 if (iswpaoui(frm))
2100 wpa = frm;
2101 else if (iswmeinfo(frm))
2102 wme = frm;
2103 #ifdef IEEE80211_SUPPORT_SUPERG
2104 else if (isatherosoui(frm))
2105 ath = frm;
2106 #endif
2107 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2108 if (ishtcapoui(frm) && htcap == NULL)
2109 htcap = frm;
2110 }
2111 break;
2112 }
2113 frm += frm[1] + 2;
2114 }
2115 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2116 if (xrates != NULL)
2117 IEEE80211_VERIFY_ELEMENT(xrates,
2118 IEEE80211_RATE_MAXSIZE - rates[1], return);
2119 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2120 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2121 if (htcap != NULL) {
2122 IEEE80211_VERIFY_LENGTH(htcap[1],
2123 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2124 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2125 sizeof(struct ieee80211_ie_htcap)-2,
2126 return); /* XXX just NULL out? */
2127 }
2128
2129 /* Validate VHT IEs */
2130 if (vhtcap != NULL) {
2131 IEEE80211_VERIFY_LENGTH(vhtcap[1],
2132 sizeof(struct ieee80211_vht_cap),
2133 return);
2134 }
2135 if (vhtinfo != NULL) {
2136 IEEE80211_VERIFY_LENGTH(vhtinfo[1],
2137 sizeof(struct ieee80211_vht_operation),
2138 return);
2139 }
2140
2141 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2142 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2143 return;
2144 /* discard challenge after association */
2145 if (ni->ni_challenge != NULL) {
2146 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2147 ni->ni_challenge = NULL;
2148 }
2149 /* NB: 802.11 spec says to ignore station's privacy bit */
2150 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2151 capinfomismatch(ni, wh, reassoc, resp,
2152 "capability", capinfo);
2153 return;
2154 }
2155 /*
2156 * Disallow re-associate w/ invalid slot time setting.
2157 */
2158 if (ni->ni_associd != 0 &&
2159 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2160 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2161 capinfomismatch(ni, wh, reassoc, resp,
2162 "slot time", capinfo);
2163 return;
2164 }
2165 rate = ieee80211_setup_rates(ni, rates, xrates,
2166 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2167 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2168 if (rate & IEEE80211_RATE_BASIC) {
2169 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2170 vap->iv_stats.is_rx_assoc_norate++;
2171 return;
2172 }
2173 /*
2174 * If constrained to 11g-only stations reject an
2175 * 11b-only station. We cheat a bit here by looking
2176 * at the max negotiated xmit rate and assuming anyone
2177 * with a best rate <24Mb/s is an 11b station.
2178 */
2179 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2180 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2181 vap->iv_stats.is_rx_assoc_norate++;
2182 return;
2183 }
2184
2185 /*
2186 * Do HT rate set handling and setup HT node state.
2187 */
2188 ni->ni_chan = vap->iv_bss->ni_chan;
2189
2190 /* VHT */
2191 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2192 vhtcap != NULL &&
2193 vhtinfo != NULL) {
2194 /* XXX TODO; see below */
2195 printf("%s: VHT TODO!\n", __func__);
2196 ieee80211_vht_node_init(ni);
2197 ieee80211_vht_update_cap(ni, vhtcap, vhtinfo);
2198 } else if (ni->ni_flags & IEEE80211_NODE_VHT)
2199 ieee80211_vht_node_cleanup(ni);
2200
2201 /* HT */
2202 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2203 rate = ieee80211_setup_htrates(ni, htcap,
2204 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2205 IEEE80211_F_DOBRS);
2206 if (rate & IEEE80211_RATE_BASIC) {
2207 ratesetmismatch(ni, wh, reassoc, resp,
2208 "HT", rate);
2209 vap->iv_stats.is_ht_assoc_norate++;
2210 return;
2211 }
2212 ieee80211_ht_node_init(ni);
2213 ieee80211_ht_updatehtcap(ni, htcap);
2214 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2215 ieee80211_ht_node_cleanup(ni);
2216
2217 /* Finally - this will use HT/VHT info to change node channel */
2218 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2219 ieee80211_ht_updatehtcap_final(ni);
2220 }
2221
2222 #ifdef IEEE80211_SUPPORT_SUPERG
2223 /* Always do ff node cleanup; for A-MSDU */
2224 ieee80211_ff_node_cleanup(ni);
2225 #endif
2226 /*
2227 * Allow AMPDU operation only with unencrypted traffic
2228 * or AES-CCM; the 11n spec only specifies these ciphers
2229 * so permitting any others is undefined and can lead
2230 * to interoperability problems.
2231 */
2232 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2233 (((vap->iv_flags & IEEE80211_F_WPA) &&
2234 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2235 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2236 IEEE80211_NOTE(vap,
2237 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2238 "disallow HT use because WEP or TKIP requested, "
2239 "capinfo 0x%x ucastcipher %d", capinfo,
2240 rsnparms.rsn_ucastcipher);
2241 ieee80211_ht_node_cleanup(ni);
2242 #ifdef IEEE80211_SUPPORT_SUPERG
2243 /* Always do ff node cleanup; for A-MSDU */
2244 ieee80211_ff_node_cleanup(ni);
2245 #endif
2246 vap->iv_stats.is_ht_assoc_downgrade++;
2247 }
2248 /*
2249 * If constrained to 11n-only stations reject legacy stations.
2250 */
2251 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2252 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2253 htcapmismatch(ni, wh, reassoc, resp);
2254 vap->iv_stats.is_ht_assoc_nohtcap++;
2255 return;
2256 }
2257 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2258 ni->ni_noise = nf;
2259 ni->ni_intval = lintval;
2260 ni->ni_capinfo = capinfo;
2261 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2262 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2263 /*
2264 * Store the IEs.
2265 * XXX maybe better to just expand
2266 */
2267 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2268 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2269 if (wpa != NULL)
2270 setie(wpa_ie, wpa - sfrm);
2271 if (rsn != NULL)
2272 setie(rsn_ie, rsn - sfrm);
2273 if (htcap != NULL)
2274 setie(htcap_ie, htcap - sfrm);
2275 if (wme != NULL) {
2276 setie(wme_ie, wme - sfrm);
2277 /*
2278 * Mark node as capable of QoS.
2279 */
2280 ni->ni_flags |= IEEE80211_NODE_QOS;
2281 if (ieee80211_parse_wmeie(wme, wh, ni) > 0) {
2282 if (ni->ni_uapsd != 0)
2283 ni->ni_flags |=
2284 IEEE80211_NODE_UAPSD;
2285 else
2286 ni->ni_flags &=
2287 ~IEEE80211_NODE_UAPSD;
2288 }
2289 } else
2290 ni->ni_flags &=
2291 ~(IEEE80211_NODE_QOS |
2292 IEEE80211_NODE_UAPSD);
2293 #ifdef IEEE80211_SUPPORT_SUPERG
2294 if (ath != NULL) {
2295 setie(ath_ie, ath - sfrm);
2296 /*
2297 * Parse ATH station parameters.
2298 */
2299 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2300 } else
2301 #endif
2302 ni->ni_ath_flags = 0;
2303 #undef setie
2304 } else {
2305 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2306 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
2307 ni->ni_ath_flags = 0;
2308 }
2309 ieee80211_node_join(ni, resp);
2310 ieee80211_deliver_l2uf(ni);
2311 break;
2312 }
2313
2314 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2315 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2316 #ifdef IEEE80211_DEBUG
2317 uint16_t reason;
2318 #endif
2319
2320 if (vap->iv_state != IEEE80211_S_RUN ||
2321 /* NB: can happen when in promiscuous mode */
2322 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2323 vap->iv_stats.is_rx_mgtdiscard++;
2324 break;
2325 }
2326 /*
2327 * deauth/disassoc frame format
2328 * [2] reason
2329 */
2330 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2331 #ifdef IEEE80211_DEBUG
2332 reason = le16toh(*(uint16_t *)frm);
2333 #endif
2334 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2335 vap->iv_stats.is_rx_deauth++;
2336 IEEE80211_NODE_STAT(ni, rx_deauth);
2337 } else {
2338 vap->iv_stats.is_rx_disassoc++;
2339 IEEE80211_NODE_STAT(ni, rx_disassoc);
2340 }
2341 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2342 "recv %s (reason: %d (%s))",
2343 ieee80211_mgt_subtype_name(subtype),
2344 reason, ieee80211_reason_to_string(reason));
2345 if (ni != vap->iv_bss)
2346 ieee80211_node_leave(ni);
2347 break;
2348 }
2349
2350 case IEEE80211_FC0_SUBTYPE_ACTION:
2351 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2352 if (ni == vap->iv_bss) {
2353 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2354 wh, NULL, "%s", "unknown node");
2355 vap->iv_stats.is_rx_mgtdiscard++;
2356 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2357 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2358 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2359 wh, NULL, "%s", "not for us");
2360 vap->iv_stats.is_rx_mgtdiscard++;
2361 } else if (vap->iv_state != IEEE80211_S_RUN) {
2362 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2363 wh, NULL, "wrong state %s",
2364 ieee80211_state_name[vap->iv_state]);
2365 vap->iv_stats.is_rx_mgtdiscard++;
2366 } else {
2367 if (ieee80211_parse_action(ni, m0) == 0)
2368 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2369 }
2370 break;
2371
2372 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2373 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2374 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2375 case IEEE80211_FC0_SUBTYPE_ATIM:
2376 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2377 wh, NULL, "%s", "not handled");
2378 vap->iv_stats.is_rx_mgtdiscard++;
2379 break;
2380
2381 default:
2382 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2383 wh, "mgt", "subtype 0x%x not handled", subtype);
2384 vap->iv_stats.is_rx_badsubtype++;
2385 break;
2386 }
2387 }
2388
2389 static void
2390 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2391 {
2392 switch (subtype) {
2393 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2394 ni->ni_vap->iv_recv_pspoll(ni, m);
2395 break;
2396 case IEEE80211_FC0_SUBTYPE_BAR:
2397 ieee80211_recv_bar(ni, m);
2398 break;
2399 }
2400 }
2401
2402 /*
2403 * Process a received ps-poll frame.
2404 */
2405 void
2406 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2407 {
2408 struct ieee80211vap *vap = ni->ni_vap;
2409 struct ieee80211com *ic = vap->iv_ic;
2410 struct ieee80211_frame_min *wh;
2411 struct mbuf *m;
2412 uint16_t aid;
2413 int qlen;
2414
2415 wh = mtod(m0, struct ieee80211_frame_min *);
2416 if (ni->ni_associd == 0) {
2417 IEEE80211_DISCARD(vap,
2418 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2419 (struct ieee80211_frame *) wh, NULL,
2420 "%s", "unassociated station");
2421 vap->iv_stats.is_ps_unassoc++;
2422 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2423 IEEE80211_REASON_NOT_ASSOCED);
2424 return;
2425 }
2426
2427 aid = le16toh(*(uint16_t *)wh->i_dur);
2428 if (aid != ni->ni_associd) {
2429 IEEE80211_DISCARD(vap,
2430 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2431 (struct ieee80211_frame *) wh, NULL,
2432 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2433 ni->ni_associd, aid);
2434 vap->iv_stats.is_ps_badaid++;
2435 /*
2436 * NB: We used to deauth the station but it turns out
2437 * the Blackberry Curve 8230 (and perhaps other devices)
2438 * sometimes send the wrong AID when WME is negotiated.
2439 * Being more lenient here seems ok as we already check
2440 * the station is associated and we only return frames
2441 * queued for the station (i.e. we don't use the AID).
2442 */
2443 return;
2444 }
2445
2446 /* Okay, take the first queued packet and put it out... */
2447 m = ieee80211_node_psq_dequeue(ni, &qlen);
2448 if (m == NULL) {
2449 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2450 "%s", "recv ps-poll, but queue empty");
2451 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2452 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2453 if (vap->iv_set_tim != NULL)
2454 vap->iv_set_tim(ni, 0); /* just in case */
2455 return;
2456 }
2457 /*
2458 * If there are more packets, set the more packets bit
2459 * in the packet dispatched to the station; otherwise
2460 * turn off the TIM bit.
2461 */
2462 if (qlen != 0) {
2463 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2464 "recv ps-poll, send packet, %u still queued", qlen);
2465 m->m_flags |= M_MORE_DATA;
2466 } else {
2467 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2468 "%s", "recv ps-poll, send packet, queue empty");
2469 if (vap->iv_set_tim != NULL)
2470 vap->iv_set_tim(ni, 0);
2471 }
2472 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2473
2474 /*
2475 * Do the right thing; if it's an encap'ed frame then
2476 * call ieee80211_parent_xmitpkt() else
2477 * call ieee80211_vap_xmitpkt().
2478 */
2479 if (m->m_flags & M_ENCAP) {
2480 (void) ieee80211_parent_xmitpkt(ic, m);
2481 } else {
2482 (void) ieee80211_vap_xmitpkt(vap, m);
2483 }
2484 }
The FreeBSD Project