1 /*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 #ifdef __FreeBSD__ 28 __FBSDID("$FreeBSD$"); 29 #endif 30 31 /* 32 * IEEE 802.11 HOSTAP mode support. 33 */ 34 #include "opt_inet.h" 35 #include "opt_wlan.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/malloc.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 #include <sys/sockio.h> 45 #include <sys/endian.h> 46 #include <sys/errno.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/if_var.h> 52 #include <net/if_media.h> 53 #include <net/if_llc.h> 54 #include <net/ethernet.h> 55 56 #include <net/bpf.h> 57 58 #include <netproto/802_11/ieee80211_var.h> 59 #include <netproto/802_11/ieee80211_hostap.h> 60 #include <netproto/802_11/ieee80211_input.h> 61 #ifdef IEEE80211_SUPPORT_SUPERG 62 #include <netproto/802_11/ieee80211_superg.h> 63 #endif 64 #include <netproto/802_11/ieee80211_wds.h> 65 66 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 67 68 static void hostap_vattach(struct ieee80211vap *); 69 static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); 70 static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, 71 const struct ieee80211_rx_stats *, 72 int rssi, int nf); 73 static void hostap_deliver_data(struct ieee80211vap *, 74 struct ieee80211_node *, struct mbuf *); 75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); 77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); 78 79 void 80 ieee80211_hostap_attach(struct ieee80211com *ic) 81 { 82 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; 83 } 84 85 void 86 ieee80211_hostap_detach(struct ieee80211com *ic) 87 { 88 } 89 90 static void 91 hostap_vdetach(struct ieee80211vap *vap) 92 { 93 } 94 95 static void 96 hostap_vattach(struct ieee80211vap *vap) 97 { 98 vap->iv_newstate = hostap_newstate; 99 vap->iv_input = hostap_input; 100 vap->iv_recv_mgmt = hostap_recv_mgmt; 101 vap->iv_recv_ctl = hostap_recv_ctl; 102 vap->iv_opdetach = hostap_vdetach; 103 vap->iv_deliver_data = hostap_deliver_data; 104 vap->iv_recv_pspoll = ieee80211_recv_pspoll; 105 } 106 107 static void 108 sta_disassoc(void *arg, struct ieee80211_node *ni) 109 { 110 struct ieee80211vap *vap = arg; 111 112 if (ni->ni_vap == vap && ni->ni_associd != 0) { 113 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, 114 IEEE80211_REASON_ASSOC_LEAVE); 115 ieee80211_node_leave(ni); 116 } 117 } 118 119 static void 120 sta_csa(void *arg, struct ieee80211_node *ni) 121 { 122 struct ieee80211vap *vap = arg; 123 124 if (ni->ni_vap == vap && ni->ni_associd != 0) 125 if (ni->ni_inact > vap->iv_inact_init) { 126 ni->ni_inact = vap->iv_inact_init; 127 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, 128 "%s: inact %u", __func__, ni->ni_inact); 129 } 130 } 131 132 static void 133 sta_drop(void *arg, struct ieee80211_node *ni) 134 { 135 struct ieee80211vap *vap = arg; 136 137 if (ni->ni_vap == vap && ni->ni_associd != 0) 138 ieee80211_node_leave(ni); 139 } 140 141 /* 142 * Does a channel change require associated stations to re-associate 143 * so protocol state is correct. This is used when doing CSA across 144 * bands or similar (e.g. HT -> legacy). 145 */ 146 static int 147 isbandchange(struct ieee80211com *ic) 148 { 149 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & 150 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | 151 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; 152 } 153 154 /* 155 * IEEE80211_M_HOSTAP vap state machine handler. 156 */ 157 static int 158 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 159 { 160 struct ieee80211com *ic = vap->iv_ic; 161 enum ieee80211_state ostate; 162 163 IEEE80211_LOCK_ASSERT(ic); 164 165 ostate = vap->iv_state; 166 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 167 __func__, ieee80211_state_name[ostate], 168 ieee80211_state_name[nstate], arg); 169 vap->iv_state = nstate; /* state transition */ 170 if (ostate != IEEE80211_S_SCAN) 171 ieee80211_cancel_scan(vap); /* background scan */ 172 switch (nstate) { 173 case IEEE80211_S_INIT: 174 switch (ostate) { 175 case IEEE80211_S_SCAN: 176 ieee80211_cancel_scan(vap); 177 break; 178 case IEEE80211_S_CAC: 179 ieee80211_dfs_cac_stop(vap); 180 break; 181 case IEEE80211_S_RUN: 182 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 183 break; 184 default: 185 break; 186 } 187 if (ostate != IEEE80211_S_INIT) { 188 /* NB: optimize INIT -> INIT case */ 189 ieee80211_reset_bss(vap); 190 } 191 if (vap->iv_auth->ia_detach != NULL) 192 vap->iv_auth->ia_detach(vap); 193 break; 194 case IEEE80211_S_SCAN: 195 switch (ostate) { 196 case IEEE80211_S_CSA: 197 case IEEE80211_S_RUN: 198 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap); 199 /* 200 * Clear overlapping BSS state; the beacon frame 201 * will be reconstructed on transition to the RUN 202 * state and the timeout routines check if the flag 203 * is set before doing anything so this is sufficient. 204 */ 205 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; 206 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR; 207 /* fall thru... */ 208 case IEEE80211_S_CAC: 209 /* 210 * NB: We may get here because of a manual channel 211 * change in which case we need to stop CAC 212 * XXX no need to stop if ostate RUN but it's ok 213 */ 214 ieee80211_dfs_cac_stop(vap); 215 /* fall thru... */ 216 case IEEE80211_S_INIT: 217 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 218 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 219 /* 220 * Already have a channel; bypass the 221 * scan and startup immediately. 222 * ieee80211_create_ibss will call back to 223 * move us to RUN state. 224 */ 225 ieee80211_create_ibss(vap, vap->iv_des_chan); 226 break; 227 } 228 /* 229 * Initiate a scan. We can come here as a result 230 * of an IEEE80211_IOC_SCAN_REQ too in which case 231 * the vap will be marked with IEEE80211_FEXT_SCANREQ 232 * and the scan request parameters will be present 233 * in iv_scanreq. Otherwise we do the default. 234 */ 235 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 236 ieee80211_check_scan(vap, 237 vap->iv_scanreq_flags, 238 vap->iv_scanreq_duration, 239 vap->iv_scanreq_mindwell, 240 vap->iv_scanreq_maxdwell, 241 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 242 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 243 } else 244 ieee80211_check_scan_current(vap); 245 break; 246 case IEEE80211_S_SCAN: 247 /* 248 * A state change requires a reset; scan. 249 */ 250 ieee80211_check_scan_current(vap); 251 break; 252 default: 253 break; 254 } 255 break; 256 case IEEE80211_S_CAC: 257 /* 258 * Start CAC on a DFS channel. We come here when starting 259 * a bss on a DFS channel (see ieee80211_create_ibss). 260 */ 261 ieee80211_dfs_cac_start(vap); 262 break; 263 case IEEE80211_S_RUN: 264 if (vap->iv_flags & IEEE80211_F_WPA) { 265 /* XXX validate prerequisites */ 266 } 267 switch (ostate) { 268 case IEEE80211_S_INIT: 269 /* 270 * Already have a channel; bypass the 271 * scan and startup immediately. 272 * Note that ieee80211_create_ibss will call 273 * back to do a RUN->RUN state change. 274 */ 275 ieee80211_create_ibss(vap, 276 ieee80211_ht_adjust_channel(ic, 277 ic->ic_curchan, vap->iv_flags_ht)); 278 /* NB: iv_bss is changed on return */ 279 break; 280 case IEEE80211_S_CAC: 281 /* 282 * NB: This is the normal state change when CAC 283 * expires and no radar was detected; no need to 284 * clear the CAC timer as it's already expired. 285 */ 286 /* fall thru... */ 287 case IEEE80211_S_CSA: 288 /* 289 * Shorten inactivity timer of associated stations 290 * to weed out sta's that don't follow a CSA. 291 */ 292 ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap); 293 /* 294 * Update bss node channel to reflect where 295 * we landed after CSA. 296 */ 297 ieee80211_node_set_chan(vap->iv_bss, 298 ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 299 ieee80211_htchanflags(vap->iv_bss->ni_chan))); 300 /* XXX bypass debug msgs */ 301 break; 302 case IEEE80211_S_SCAN: 303 case IEEE80211_S_RUN: 304 #ifdef IEEE80211_DEBUG 305 if (ieee80211_msg_debug(vap)) { 306 struct ieee80211_node *ni = vap->iv_bss; 307 ieee80211_note(vap, 308 "synchronized with %s ssid ", 309 ether_sprintf(ni->ni_bssid)); 310 ieee80211_print_essid(ni->ni_essid, 311 ni->ni_esslen); 312 /* XXX MCS/HT */ 313 kprintf(" channel %d start %uMb\n", 314 ieee80211_chan2ieee(ic, ic->ic_curchan), 315 IEEE80211_RATE2MBS(ni->ni_txrate)); 316 } 317 #endif 318 break; 319 default: 320 break; 321 } 322 /* 323 * Start/stop the authenticator. We delay until here 324 * to allow configuration to happen out of order. 325 */ 326 if (vap->iv_auth->ia_attach != NULL) { 327 /* XXX check failure */ 328 vap->iv_auth->ia_attach(vap); 329 } else if (vap->iv_auth->ia_detach != NULL) { 330 vap->iv_auth->ia_detach(vap); 331 } 332 ieee80211_node_authorize(vap->iv_bss); 333 break; 334 case IEEE80211_S_CSA: 335 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { 336 /* 337 * On a ``band change'' silently drop associated 338 * stations as they must re-associate before they 339 * can pass traffic (as otherwise protocol state 340 * such as capabilities and the negotiated rate 341 * set may/will be wrong). 342 */ 343 ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap); 344 } 345 break; 346 default: 347 break; 348 } 349 return 0; 350 } 351 352 static void 353 hostap_deliver_data(struct ieee80211vap *vap, 354 struct ieee80211_node *ni, struct mbuf *m) 355 { 356 struct ether_header *eh = mtod(m, struct ether_header *); 357 struct ifnet *ifp = vap->iv_ifp; 358 359 /* clear driver/net80211 flags before passing up */ 360 #if defined(__DragonFly__) 361 m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST); 362 #else 363 m->m_flags &= ~(M_MCAST | M_BCAST); 364 m_clrprotoflags(m); 365 #endif 366 367 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, 368 ("gack, opmode %d", vap->iv_opmode)); 369 /* 370 * Do accounting. 371 */ 372 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 373 IEEE80211_NODE_STAT(ni, rx_data); 374 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 375 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 376 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 377 IEEE80211_NODE_STAT(ni, rx_mcast); 378 } else 379 IEEE80211_NODE_STAT(ni, rx_ucast); 380 381 /* perform as a bridge within the AP */ 382 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { 383 struct mbuf *mcopy = NULL; 384 385 if (m->m_flags & M_MCAST) { 386 mcopy = m_dup(m, M_NOWAIT); 387 if (mcopy == NULL) 388 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 389 else 390 mcopy->m_flags |= M_MCAST; 391 } else { 392 /* 393 * Check if the destination is associated with the 394 * same vap and authorized to receive traffic. 395 * Beware of traffic destined for the vap itself; 396 * sending it will not work; just let it be delivered 397 * normally. 398 */ 399 struct ieee80211_node *sta = ieee80211_find_vap_node( 400 &vap->iv_ic->ic_sta, vap, eh->ether_dhost); 401 if (sta != NULL) { 402 if (ieee80211_node_is_authorized(sta)) { 403 /* 404 * Beware of sending to ourself; this 405 * needs to happen via the normal 406 * input path. 407 */ 408 if (sta != vap->iv_bss) { 409 mcopy = m; 410 m = NULL; 411 } 412 } else { 413 vap->iv_stats.is_rx_unauth++; 414 IEEE80211_NODE_STAT(sta, rx_unauth); 415 } 416 ieee80211_free_node(sta); 417 } 418 } 419 if (mcopy != NULL) { 420 int len, err; 421 len = mcopy->m_pkthdr.len; 422 err = ieee80211_vap_xmitpkt(vap, mcopy); 423 if (err) { 424 /* NB: IFQ_HANDOFF reclaims mcopy */ 425 } else { 426 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 427 } 428 } 429 } 430 if (m != NULL) { 431 /* 432 * Mark frame as coming from vap's interface. 433 */ 434 m->m_pkthdr.rcvif = ifp; 435 if (m->m_flags & M_MCAST) { 436 /* 437 * Spam DWDS vap's w/ multicast traffic. 438 */ 439 /* XXX only if dwds in use? */ 440 ieee80211_dwds_mcast(vap, m); 441 } 442 if (ni->ni_vlan != 0) { 443 /* attach vlan tag */ 444 #if defined(__DragonFly__) 445 /* XXX ntohs() needed? */ 446 m->m_pkthdr.ether_vlantag = ni->ni_vlan; 447 #else 448 m->m_pkthdr.ether_vtag = ni->ni_vlan; 449 #endif 450 m->m_flags |= M_VLANTAG; 451 } 452 #if defined(__DragonFly__) 453 ifp->if_input(ifp, m, NULL, -1); 454 #else 455 ifp->if_input(ifp, m); 456 #endif 457 } 458 } 459 460 /* 461 * Decide if a received management frame should be 462 * printed when debugging is enabled. This filters some 463 * of the less interesting frames that come frequently 464 * (e.g. beacons). 465 */ 466 static __inline int 467 doprint(struct ieee80211vap *vap, int subtype) 468 { 469 switch (subtype) { 470 case IEEE80211_FC0_SUBTYPE_BEACON: 471 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 472 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 473 return 0; 474 } 475 return 1; 476 } 477 478 /* 479 * Process a received frame. The node associated with the sender 480 * should be supplied. If nothing was found in the node table then 481 * the caller is assumed to supply a reference to iv_bss instead. 482 * The RSSI and a timestamp are also supplied. The RSSI data is used 483 * during AP scanning to select a AP to associate with; it can have 484 * any units so long as values have consistent units and higher values 485 * mean ``better signal''. The receive timestamp is currently not used 486 * by the 802.11 layer. 487 */ 488 static int 489 hostap_input(struct ieee80211_node *ni, struct mbuf *m, 490 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 491 { 492 struct ieee80211vap *vap = ni->ni_vap; 493 struct ieee80211com *ic = ni->ni_ic; 494 struct ifnet *ifp = vap->iv_ifp; 495 struct ieee80211_frame *wh; 496 struct ieee80211_key *key; 497 struct ether_header *eh; 498 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 499 uint8_t dir, type, subtype, qos; 500 uint8_t *bssid; 501 502 if (m->m_flags & M_AMPDU_MPDU) { 503 /* 504 * Fastpath for A-MPDU reorder q resubmission. Frames 505 * w/ M_AMPDU_MPDU marked have already passed through 506 * here but were received out of order and been held on 507 * the reorder queue. When resubmitted they are marked 508 * with the M_AMPDU_MPDU flag and we can bypass most of 509 * the normal processing. 510 */ 511 wh = mtod(m, struct ieee80211_frame *); 512 type = IEEE80211_FC0_TYPE_DATA; 513 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 514 subtype = IEEE80211_FC0_SUBTYPE_QOS; 515 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 516 goto resubmit_ampdu; 517 } 518 519 KASSERT(ni != NULL, ("null node")); 520 ni->ni_inact = ni->ni_inact_reload; 521 522 type = -1; /* undefined */ 523 524 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 525 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 526 ni->ni_macaddr, NULL, 527 "too short (1): len %u", m->m_pkthdr.len); 528 vap->iv_stats.is_rx_tooshort++; 529 goto out; 530 } 531 /* 532 * Bit of a cheat here, we use a pointer for a 3-address 533 * frame format but don't reference fields past outside 534 * ieee80211_frame_min w/o first validating the data is 535 * present. 536 */ 537 wh = mtod(m, struct ieee80211_frame *); 538 539 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 540 IEEE80211_FC0_VERSION_0) { 541 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 542 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 543 wh->i_fc[0], wh->i_fc[1]); 544 vap->iv_stats.is_rx_badversion++; 545 goto err; 546 } 547 548 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 549 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 550 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 551 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 552 if (dir != IEEE80211_FC1_DIR_NODS) 553 bssid = wh->i_addr1; 554 else if (type == IEEE80211_FC0_TYPE_CTL) 555 bssid = wh->i_addr1; 556 else { 557 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 558 IEEE80211_DISCARD_MAC(vap, 559 IEEE80211_MSG_ANY, ni->ni_macaddr, 560 NULL, "too short (2): len %u", 561 m->m_pkthdr.len); 562 vap->iv_stats.is_rx_tooshort++; 563 goto out; 564 } 565 bssid = wh->i_addr3; 566 } 567 /* 568 * Validate the bssid. 569 */ 570 if (!(type == IEEE80211_FC0_TYPE_MGT && 571 subtype == IEEE80211_FC0_SUBTYPE_BEACON) && 572 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 573 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 574 /* not interested in */ 575 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 576 bssid, NULL, "%s", "not to bss"); 577 vap->iv_stats.is_rx_wrongbss++; 578 goto out; 579 } 580 581 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 582 ni->ni_noise = nf; 583 if (IEEE80211_HAS_SEQ(type, subtype)) { 584 uint8_t tid = ieee80211_gettid(wh); 585 if (IEEE80211_QOS_HAS_SEQ(wh) && 586 TID_TO_WME_AC(tid) >= WME_AC_VI) 587 ic->ic_wme.wme_hipri_traffic++; 588 if (! ieee80211_check_rxseq(ni, wh, bssid)) 589 goto out; 590 } 591 } 592 593 switch (type) { 594 case IEEE80211_FC0_TYPE_DATA: 595 hdrspace = ieee80211_hdrspace(ic, wh); 596 if (m->m_len < hdrspace && 597 (m = m_pullup(m, hdrspace)) == NULL) { 598 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 599 ni->ni_macaddr, NULL, 600 "data too short: expecting %u", hdrspace); 601 vap->iv_stats.is_rx_tooshort++; 602 goto out; /* XXX */ 603 } 604 if (!(dir == IEEE80211_FC1_DIR_TODS || 605 (dir == IEEE80211_FC1_DIR_DSTODS && 606 (vap->iv_flags & IEEE80211_F_DWDS)))) { 607 if (dir != IEEE80211_FC1_DIR_DSTODS) { 608 IEEE80211_DISCARD(vap, 609 IEEE80211_MSG_INPUT, wh, "data", 610 "incorrect dir 0x%x", dir); 611 } else { 612 IEEE80211_DISCARD(vap, 613 IEEE80211_MSG_INPUT | 614 IEEE80211_MSG_WDS, wh, 615 "4-address data", 616 "%s", "DWDS not enabled"); 617 } 618 vap->iv_stats.is_rx_wrongdir++; 619 goto out; 620 } 621 /* check if source STA is associated */ 622 if (ni == vap->iv_bss) { 623 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 624 wh, "data", "%s", "unknown src"); 625 ieee80211_send_error(ni, wh->i_addr2, 626 IEEE80211_FC0_SUBTYPE_DEAUTH, 627 IEEE80211_REASON_NOT_AUTHED); 628 vap->iv_stats.is_rx_notassoc++; 629 goto err; 630 } 631 if (ni->ni_associd == 0) { 632 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 633 wh, "data", "%s", "unassoc src"); 634 IEEE80211_SEND_MGMT(ni, 635 IEEE80211_FC0_SUBTYPE_DISASSOC, 636 IEEE80211_REASON_NOT_ASSOCED); 637 vap->iv_stats.is_rx_notassoc++; 638 goto err; 639 } 640 641 /* 642 * Check for power save state change. 643 * XXX out-of-order A-MPDU frames? 644 */ 645 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 646 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 647 vap->iv_node_ps(ni, 648 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 649 /* 650 * For 4-address packets handle WDS discovery 651 * notifications. Once a WDS link is setup frames 652 * are just delivered to the WDS vap (see below). 653 */ 654 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { 655 if (!ieee80211_node_is_authorized(ni)) { 656 IEEE80211_DISCARD(vap, 657 IEEE80211_MSG_INPUT | 658 IEEE80211_MSG_WDS, wh, 659 "4-address data", 660 "%s", "unauthorized port"); 661 vap->iv_stats.is_rx_unauth++; 662 IEEE80211_NODE_STAT(ni, rx_unauth); 663 goto err; 664 } 665 ieee80211_dwds_discover(ni, m); 666 return type; 667 } 668 669 /* 670 * Handle A-MPDU re-ordering. If the frame is to be 671 * processed directly then ieee80211_ampdu_reorder 672 * will return 0; otherwise it has consumed the mbuf 673 * and we should do nothing more with it. 674 */ 675 if ((m->m_flags & M_AMPDU) && 676 ieee80211_ampdu_reorder(ni, m) != 0) { 677 m = NULL; 678 goto out; 679 } 680 resubmit_ampdu: 681 682 /* 683 * Handle privacy requirements. Note that we 684 * must not be preempted from here until after 685 * we (potentially) call ieee80211_crypto_demic; 686 * otherwise we may violate assumptions in the 687 * crypto cipher modules used to do delayed update 688 * of replay sequence numbers. 689 */ 690 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 691 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 692 /* 693 * Discard encrypted frames when privacy is off. 694 */ 695 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 696 wh, "WEP", "%s", "PRIVACY off"); 697 vap->iv_stats.is_rx_noprivacy++; 698 IEEE80211_NODE_STAT(ni, rx_noprivacy); 699 goto out; 700 } 701 key = ieee80211_crypto_decap(ni, m, hdrspace); 702 if (key == NULL) { 703 /* NB: stats+msgs handled in crypto_decap */ 704 IEEE80211_NODE_STAT(ni, rx_wepfail); 705 goto out; 706 } 707 wh = mtod(m, struct ieee80211_frame *); 708 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 709 } else { 710 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 711 key = NULL; 712 } 713 714 /* 715 * Save QoS bits for use below--before we strip the header. 716 */ 717 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 718 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 719 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 720 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 721 } else 722 qos = 0; 723 724 /* 725 * Next up, any fragmentation. 726 */ 727 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 728 m = ieee80211_defrag(ni, m, hdrspace); 729 if (m == NULL) { 730 /* Fragment dropped or frame not complete yet */ 731 goto out; 732 } 733 } 734 wh = NULL; /* no longer valid, catch any uses */ 735 736 /* 737 * Next strip any MSDU crypto bits. 738 */ 739 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 740 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 741 ni->ni_macaddr, "data", "%s", "demic error"); 742 vap->iv_stats.is_rx_demicfail++; 743 IEEE80211_NODE_STAT(ni, rx_demicfail); 744 goto out; 745 } 746 /* copy to listener after decrypt */ 747 if (ieee80211_radiotap_active_vap(vap)) 748 ieee80211_radiotap_rx(vap, m); 749 need_tap = 0; 750 /* 751 * Finally, strip the 802.11 header. 752 */ 753 m = ieee80211_decap(vap, m, hdrspace); 754 if (m == NULL) { 755 /* XXX mask bit to check for both */ 756 /* don't count Null data frames as errors */ 757 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 758 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 759 goto out; 760 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 761 ni->ni_macaddr, "data", "%s", "decap error"); 762 vap->iv_stats.is_rx_decap++; 763 IEEE80211_NODE_STAT(ni, rx_decap); 764 goto err; 765 } 766 eh = mtod(m, struct ether_header *); 767 if (!ieee80211_node_is_authorized(ni)) { 768 /* 769 * Deny any non-PAE frames received prior to 770 * authorization. For open/shared-key 771 * authentication the port is mark authorized 772 * after authentication completes. For 802.1x 773 * the port is not marked authorized by the 774 * authenticator until the handshake has completed. 775 */ 776 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 777 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 778 eh->ether_shost, "data", 779 "unauthorized port: ether type 0x%x len %u", 780 eh->ether_type, m->m_pkthdr.len); 781 vap->iv_stats.is_rx_unauth++; 782 IEEE80211_NODE_STAT(ni, rx_unauth); 783 goto err; 784 } 785 } else { 786 /* 787 * When denying unencrypted frames, discard 788 * any non-PAE frames received without encryption. 789 */ 790 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 791 (key == NULL && (m->m_flags & M_WEP) == 0) && 792 eh->ether_type != htons(ETHERTYPE_PAE)) { 793 /* 794 * Drop unencrypted frames. 795 */ 796 vap->iv_stats.is_rx_unencrypted++; 797 IEEE80211_NODE_STAT(ni, rx_unencrypted); 798 goto out; 799 } 800 } 801 /* XXX require HT? */ 802 if (qos & IEEE80211_QOS_AMSDU) { 803 m = ieee80211_decap_amsdu(ni, m); 804 if (m == NULL) 805 return IEEE80211_FC0_TYPE_DATA; 806 } else { 807 #ifdef IEEE80211_SUPPORT_SUPERG 808 m = ieee80211_decap_fastframe(vap, ni, m); 809 if (m == NULL) 810 return IEEE80211_FC0_TYPE_DATA; 811 #endif 812 } 813 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 814 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 815 else 816 hostap_deliver_data(vap, ni, m); 817 return IEEE80211_FC0_TYPE_DATA; 818 819 case IEEE80211_FC0_TYPE_MGT: 820 vap->iv_stats.is_rx_mgmt++; 821 IEEE80211_NODE_STAT(ni, rx_mgmt); 822 if (dir != IEEE80211_FC1_DIR_NODS) { 823 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 824 wh, "mgt", "incorrect dir 0x%x", dir); 825 vap->iv_stats.is_rx_wrongdir++; 826 goto err; 827 } 828 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 829 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 830 ni->ni_macaddr, "mgt", "too short: len %u", 831 m->m_pkthdr.len); 832 vap->iv_stats.is_rx_tooshort++; 833 goto out; 834 } 835 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 836 /* ensure return frames are unicast */ 837 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 838 wh, NULL, "source is multicast: %s", 839 ether_sprintf(wh->i_addr2)); 840 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 841 goto out; 842 } 843 #ifdef IEEE80211_DEBUG 844 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 845 ieee80211_msg_dumppkts(vap)) { 846 if_printf(ifp, "received %s from %s rssi %d\n", 847 ieee80211_mgt_subtype_name(subtype), 848 ether_sprintf(wh->i_addr2), rssi); 849 } 850 #endif 851 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { 852 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 853 /* 854 * Only shared key auth frames with a challenge 855 * should be encrypted, discard all others. 856 */ 857 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 858 wh, NULL, 859 "%s", "WEP set but not permitted"); 860 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 861 goto out; 862 } 863 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 864 /* 865 * Discard encrypted frames when privacy is off. 866 */ 867 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 868 wh, NULL, "%s", "WEP set but PRIVACY off"); 869 vap->iv_stats.is_rx_noprivacy++; 870 goto out; 871 } 872 hdrspace = ieee80211_hdrspace(ic, wh); 873 key = ieee80211_crypto_decap(ni, m, hdrspace); 874 if (key == NULL) { 875 /* NB: stats+msgs handled in crypto_decap */ 876 goto out; 877 } 878 wh = mtod(m, struct ieee80211_frame *); 879 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 880 } 881 /* 882 * Pass the packet to radiotap before calling iv_recv_mgmt(). 883 * Otherwise iv_recv_mgmt() might pass another packet to 884 * radiotap, resulting in out of order packet captures. 885 */ 886 if (ieee80211_radiotap_active_vap(vap)) 887 ieee80211_radiotap_rx(vap, m); 888 need_tap = 0; 889 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 890 goto out; 891 892 case IEEE80211_FC0_TYPE_CTL: 893 vap->iv_stats.is_rx_ctl++; 894 IEEE80211_NODE_STAT(ni, rx_ctrl); 895 vap->iv_recv_ctl(ni, m, subtype); 896 goto out; 897 default: 898 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 899 wh, "bad", "frame type 0x%x", type); 900 /* should not come here */ 901 break; 902 } 903 err: 904 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 905 out: 906 if (m != NULL) { 907 if (need_tap && ieee80211_radiotap_active_vap(vap)) 908 ieee80211_radiotap_rx(vap, m); 909 m_freem(m); 910 } 911 return type; 912 } 913 914 static void 915 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 916 int rssi, int nf, uint16_t seq, uint16_t status) 917 { 918 struct ieee80211vap *vap = ni->ni_vap; 919 920 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 921 922 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 923 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 924 ni->ni_macaddr, "open auth", 925 "bad sta auth mode %u", ni->ni_authmode); 926 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 927 /* 928 * Clear any challenge text that may be there if 929 * a previous shared key auth failed and then an 930 * open auth is attempted. 931 */ 932 if (ni->ni_challenge != NULL) { 933 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 934 ni->ni_challenge = NULL; 935 } 936 /* XXX hack to workaround calling convention */ 937 ieee80211_send_error(ni, wh->i_addr2, 938 IEEE80211_FC0_SUBTYPE_AUTH, 939 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 940 return; 941 } 942 if (seq != IEEE80211_AUTH_OPEN_REQUEST) { 943 vap->iv_stats.is_rx_bad_auth++; 944 return; 945 } 946 /* always accept open authentication requests */ 947 if (ni == vap->iv_bss) { 948 ni = ieee80211_dup_bss(vap, wh->i_addr2); 949 if (ni == NULL) 950 return; 951 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 952 (void) ieee80211_ref_node(ni); 953 /* 954 * Mark the node as referenced to reflect that it's 955 * reference count has been bumped to insure it remains 956 * after the transaction completes. 957 */ 958 ni->ni_flags |= IEEE80211_NODE_AREF; 959 /* 960 * Mark the node as requiring a valid association id 961 * before outbound traffic is permitted. 962 */ 963 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 964 965 if (vap->iv_acl != NULL && 966 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 967 /* 968 * When the ACL policy is set to RADIUS we defer the 969 * authorization to a user agent. Dispatch an event, 970 * a subsequent MLME call will decide the fate of the 971 * station. If the user agent is not present then the 972 * node will be reclaimed due to inactivity. 973 */ 974 IEEE80211_NOTE_MAC(vap, 975 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, 976 "%s", "station authentication defered (radius acl)"); 977 ieee80211_notify_node_auth(ni); 978 } else { 979 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 980 IEEE80211_NOTE_MAC(vap, 981 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, 982 "%s", "station authenticated (open)"); 983 /* 984 * When 802.1x is not in use mark the port 985 * authorized at this point so traffic can flow. 986 */ 987 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 988 ieee80211_node_authorize(ni); 989 } 990 } 991 992 static void 993 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 994 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 995 uint16_t seq, uint16_t status) 996 { 997 struct ieee80211vap *vap = ni->ni_vap; 998 uint8_t *challenge; 999 int allocbs, estatus; 1000 1001 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); 1002 1003 /* 1004 * NB: this can happen as we allow pre-shared key 1005 * authentication to be enabled w/o wep being turned 1006 * on so that configuration of these can be done 1007 * in any order. It may be better to enforce the 1008 * ordering in which case this check would just be 1009 * for sanity/consistency. 1010 */ 1011 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1012 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1013 ni->ni_macaddr, "shared key auth", 1014 "%s", " PRIVACY is disabled"); 1015 estatus = IEEE80211_STATUS_ALG; 1016 goto bad; 1017 } 1018 /* 1019 * Pre-shared key authentication is evil; accept 1020 * it only if explicitly configured (it is supported 1021 * mainly for compatibility with clients like Mac OS X). 1022 */ 1023 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1024 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1025 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1026 ni->ni_macaddr, "shared key auth", 1027 "bad sta auth mode %u", ni->ni_authmode); 1028 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1029 estatus = IEEE80211_STATUS_ALG; 1030 goto bad; 1031 } 1032 1033 challenge = NULL; 1034 if (frm + 1 < efrm) { 1035 if ((frm[1] + 2) > (efrm - frm)) { 1036 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1037 ni->ni_macaddr, "shared key auth", 1038 "ie %d/%ld too long", 1039 frm[0], (frm[1] + 2) - (efrm - frm)); 1040 vap->iv_stats.is_rx_bad_auth++; 1041 estatus = IEEE80211_STATUS_CHALLENGE; 1042 goto bad; 1043 } 1044 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1045 challenge = frm; 1046 frm += frm[1] + 2; 1047 } 1048 switch (seq) { 1049 case IEEE80211_AUTH_SHARED_CHALLENGE: 1050 case IEEE80211_AUTH_SHARED_RESPONSE: 1051 if (challenge == NULL) { 1052 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1053 ni->ni_macaddr, "shared key auth", 1054 "%s", "no challenge"); 1055 vap->iv_stats.is_rx_bad_auth++; 1056 estatus = IEEE80211_STATUS_CHALLENGE; 1057 goto bad; 1058 } 1059 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1060 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1061 ni->ni_macaddr, "shared key auth", 1062 "bad challenge len %d", challenge[1]); 1063 vap->iv_stats.is_rx_bad_auth++; 1064 estatus = IEEE80211_STATUS_CHALLENGE; 1065 goto bad; 1066 } 1067 default: 1068 break; 1069 } 1070 switch (seq) { 1071 case IEEE80211_AUTH_SHARED_REQUEST: 1072 if (ni == vap->iv_bss) { 1073 ni = ieee80211_dup_bss(vap, wh->i_addr2); 1074 if (ni == NULL) { 1075 /* NB: no way to return an error */ 1076 return; 1077 } 1078 allocbs = 1; 1079 } else { 1080 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1081 (void) ieee80211_ref_node(ni); 1082 allocbs = 0; 1083 } 1084 /* 1085 * Mark the node as referenced to reflect that it's 1086 * reference count has been bumped to insure it remains 1087 * after the transaction completes. 1088 */ 1089 ni->ni_flags |= IEEE80211_NODE_AREF; 1090 /* 1091 * Mark the node as requiring a valid associatio id 1092 * before outbound traffic is permitted. 1093 */ 1094 ni->ni_flags |= IEEE80211_NODE_ASSOCID; 1095 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 1096 ni->ni_noise = nf; 1097 if (!ieee80211_alloc_challenge(ni)) { 1098 /* NB: don't return error so they rexmit */ 1099 return; 1100 } 1101 get_random_bytes(ni->ni_challenge, 1102 IEEE80211_CHALLENGE_LEN); 1103 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1104 ni, "shared key %sauth request", allocbs ? "" : "re"); 1105 /* 1106 * When the ACL policy is set to RADIUS we defer the 1107 * authorization to a user agent. Dispatch an event, 1108 * a subsequent MLME call will decide the fate of the 1109 * station. If the user agent is not present then the 1110 * node will be reclaimed due to inactivity. 1111 */ 1112 if (vap->iv_acl != NULL && 1113 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { 1114 IEEE80211_NOTE_MAC(vap, 1115 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, 1116 ni->ni_macaddr, 1117 "%s", "station authentication defered (radius acl)"); 1118 ieee80211_notify_node_auth(ni); 1119 return; 1120 } 1121 break; 1122 case IEEE80211_AUTH_SHARED_RESPONSE: 1123 if (ni == vap->iv_bss) { 1124 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1125 ni->ni_macaddr, "shared key response", 1126 "%s", "unknown station"); 1127 /* NB: don't send a response */ 1128 return; 1129 } 1130 if (ni->ni_challenge == NULL) { 1131 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1132 ni->ni_macaddr, "shared key response", 1133 "%s", "no challenge recorded"); 1134 vap->iv_stats.is_rx_bad_auth++; 1135 estatus = IEEE80211_STATUS_CHALLENGE; 1136 goto bad; 1137 } 1138 if (memcmp(ni->ni_challenge, &challenge[2], 1139 challenge[1]) != 0) { 1140 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1141 ni->ni_macaddr, "shared key response", 1142 "%s", "challenge mismatch"); 1143 vap->iv_stats.is_rx_auth_fail++; 1144 estatus = IEEE80211_STATUS_CHALLENGE; 1145 goto bad; 1146 } 1147 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1148 ni, "%s", "station authenticated (shared key)"); 1149 ieee80211_node_authorize(ni); 1150 break; 1151 default: 1152 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1153 ni->ni_macaddr, "shared key auth", 1154 "bad seq %d", seq); 1155 vap->iv_stats.is_rx_bad_auth++; 1156 estatus = IEEE80211_STATUS_SEQUENCE; 1157 goto bad; 1158 } 1159 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1160 return; 1161 bad: 1162 /* 1163 * Send an error response; but only when operating as an AP. 1164 */ 1165 /* XXX hack to workaround calling convention */ 1166 ieee80211_send_error(ni, wh->i_addr2, 1167 IEEE80211_FC0_SUBTYPE_AUTH, 1168 (seq + 1) | (estatus<<16)); 1169 } 1170 1171 /* 1172 * Convert a WPA cipher selector OUI to an internal 1173 * cipher algorithm. Where appropriate we also 1174 * record any key length. 1175 */ 1176 static int 1177 wpa_cipher(const uint8_t *sel, uint8_t *keylen) 1178 { 1179 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1180 uint32_t w = le32dec(sel); 1181 1182 switch (w) { 1183 case WPA_SEL(WPA_CSE_NULL): 1184 return IEEE80211_CIPHER_NONE; 1185 case WPA_SEL(WPA_CSE_WEP40): 1186 if (keylen) 1187 *keylen = 40 / NBBY; 1188 return IEEE80211_CIPHER_WEP; 1189 case WPA_SEL(WPA_CSE_WEP104): 1190 if (keylen) 1191 *keylen = 104 / NBBY; 1192 return IEEE80211_CIPHER_WEP; 1193 case WPA_SEL(WPA_CSE_TKIP): 1194 return IEEE80211_CIPHER_TKIP; 1195 case WPA_SEL(WPA_CSE_CCMP): 1196 return IEEE80211_CIPHER_AES_CCM; 1197 } 1198 return 32; /* NB: so 1<< is discarded */ 1199 #undef WPA_SEL 1200 } 1201 1202 /* 1203 * Convert a WPA key management/authentication algorithm 1204 * to an internal code. 1205 */ 1206 static int 1207 wpa_keymgmt(const uint8_t *sel) 1208 { 1209 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1210 uint32_t w = le32dec(sel); 1211 1212 switch (w) { 1213 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1214 return WPA_ASE_8021X_UNSPEC; 1215 case WPA_SEL(WPA_ASE_8021X_PSK): 1216 return WPA_ASE_8021X_PSK; 1217 case WPA_SEL(WPA_ASE_NONE): 1218 return WPA_ASE_NONE; 1219 } 1220 return 0; /* NB: so is discarded */ 1221 #undef WPA_SEL 1222 } 1223 1224 /* 1225 * Parse a WPA information element to collect parameters. 1226 * Note that we do not validate security parameters; that 1227 * is handled by the authenticator; the parsing done here 1228 * is just for internal use in making operational decisions. 1229 */ 1230 static int 1231 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, 1232 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1233 { 1234 uint8_t len = frm[1]; 1235 uint32_t w; 1236 int n; 1237 1238 /* 1239 * Check the length once for fixed parts: OUI, type, 1240 * version, mcast cipher, and 2 selector counts. 1241 * Other, variable-length data, must be checked separately. 1242 */ 1243 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { 1244 IEEE80211_DISCARD_IE(vap, 1245 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1246 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); 1247 return IEEE80211_REASON_IE_INVALID; 1248 } 1249 if (len < 14) { 1250 IEEE80211_DISCARD_IE(vap, 1251 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1252 wh, "WPA", "too short, len %u", len); 1253 return IEEE80211_REASON_IE_INVALID; 1254 } 1255 frm += 6, len -= 4; /* NB: len is payload only */ 1256 /* NB: iswpaoui already validated the OUI and type */ 1257 w = le16dec(frm); 1258 if (w != WPA_VERSION) { 1259 IEEE80211_DISCARD_IE(vap, 1260 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1261 wh, "WPA", "bad version %u", w); 1262 return IEEE80211_REASON_IE_INVALID; 1263 } 1264 frm += 2, len -= 2; 1265 1266 memset(rsn, 0, sizeof(*rsn)); 1267 1268 /* multicast/group cipher */ 1269 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1270 frm += 4, len -= 4; 1271 1272 /* unicast ciphers */ 1273 n = le16dec(frm); 1274 frm += 2, len -= 2; 1275 if (len < n*4+2) { 1276 IEEE80211_DISCARD_IE(vap, 1277 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1278 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1279 len, n); 1280 return IEEE80211_REASON_IE_INVALID; 1281 } 1282 w = 0; 1283 for (; n > 0; n--) { 1284 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1285 frm += 4, len -= 4; 1286 } 1287 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1288 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1289 else 1290 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1291 1292 /* key management algorithms */ 1293 n = le16dec(frm); 1294 frm += 2, len -= 2; 1295 if (len < n*4) { 1296 IEEE80211_DISCARD_IE(vap, 1297 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1298 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1299 len, n); 1300 return IEEE80211_REASON_IE_INVALID; 1301 } 1302 w = 0; 1303 for (; n > 0; n--) { 1304 w |= wpa_keymgmt(frm); 1305 frm += 4, len -= 4; 1306 } 1307 if (w & WPA_ASE_8021X_UNSPEC) 1308 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1309 else 1310 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1311 1312 if (len > 2) /* optional capabilities */ 1313 rsn->rsn_caps = le16dec(frm); 1314 1315 return 0; 1316 } 1317 1318 /* 1319 * Convert an RSN cipher selector OUI to an internal 1320 * cipher algorithm. Where appropriate we also 1321 * record any key length. 1322 */ 1323 static int 1324 rsn_cipher(const uint8_t *sel, uint8_t *keylen) 1325 { 1326 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1327 uint32_t w = le32dec(sel); 1328 1329 switch (w) { 1330 case RSN_SEL(RSN_CSE_NULL): 1331 return IEEE80211_CIPHER_NONE; 1332 case RSN_SEL(RSN_CSE_WEP40): 1333 if (keylen) 1334 *keylen = 40 / NBBY; 1335 return IEEE80211_CIPHER_WEP; 1336 case RSN_SEL(RSN_CSE_WEP104): 1337 if (keylen) 1338 *keylen = 104 / NBBY; 1339 return IEEE80211_CIPHER_WEP; 1340 case RSN_SEL(RSN_CSE_TKIP): 1341 return IEEE80211_CIPHER_TKIP; 1342 case RSN_SEL(RSN_CSE_CCMP): 1343 return IEEE80211_CIPHER_AES_CCM; 1344 case RSN_SEL(RSN_CSE_WRAP): 1345 return IEEE80211_CIPHER_AES_OCB; 1346 } 1347 return 32; /* NB: so 1<< is discarded */ 1348 #undef WPA_SEL 1349 } 1350 1351 /* 1352 * Convert an RSN key management/authentication algorithm 1353 * to an internal code. 1354 */ 1355 static int 1356 rsn_keymgmt(const uint8_t *sel) 1357 { 1358 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1359 uint32_t w = le32dec(sel); 1360 1361 switch (w) { 1362 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1363 return RSN_ASE_8021X_UNSPEC; 1364 case RSN_SEL(RSN_ASE_8021X_PSK): 1365 return RSN_ASE_8021X_PSK; 1366 case RSN_SEL(RSN_ASE_NONE): 1367 return RSN_ASE_NONE; 1368 } 1369 return 0; /* NB: so is discarded */ 1370 #undef RSN_SEL 1371 } 1372 1373 /* 1374 * Parse a WPA/RSN information element to collect parameters 1375 * and validate the parameters against what has been 1376 * configured for the system. 1377 */ 1378 static int 1379 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, 1380 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1381 { 1382 uint8_t len = frm[1]; 1383 uint32_t w; 1384 int n; 1385 1386 /* 1387 * Check the length once for fixed parts: 1388 * version, mcast cipher, and 2 selector counts. 1389 * Other, variable-length data, must be checked separately. 1390 */ 1391 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { 1392 IEEE80211_DISCARD_IE(vap, 1393 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1394 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); 1395 return IEEE80211_REASON_IE_INVALID; 1396 } 1397 if (len < 10) { 1398 IEEE80211_DISCARD_IE(vap, 1399 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1400 wh, "RSN", "too short, len %u", len); 1401 return IEEE80211_REASON_IE_INVALID; 1402 } 1403 frm += 2; 1404 w = le16dec(frm); 1405 if (w != RSN_VERSION) { 1406 IEEE80211_DISCARD_IE(vap, 1407 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1408 wh, "RSN", "bad version %u", w); 1409 return IEEE80211_REASON_IE_INVALID; 1410 } 1411 frm += 2, len -= 2; 1412 1413 memset(rsn, 0, sizeof(*rsn)); 1414 1415 /* multicast/group cipher */ 1416 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1417 frm += 4, len -= 4; 1418 1419 /* unicast ciphers */ 1420 n = le16dec(frm); 1421 frm += 2, len -= 2; 1422 if (len < n*4+2) { 1423 IEEE80211_DISCARD_IE(vap, 1424 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1425 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1426 len, n); 1427 return IEEE80211_REASON_IE_INVALID; 1428 } 1429 w = 0; 1430 for (; n > 0; n--) { 1431 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1432 frm += 4, len -= 4; 1433 } 1434 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1435 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1436 else 1437 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1438 1439 /* key management algorithms */ 1440 n = le16dec(frm); 1441 frm += 2, len -= 2; 1442 if (len < n*4) { 1443 IEEE80211_DISCARD_IE(vap, 1444 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1445 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1446 len, n); 1447 return IEEE80211_REASON_IE_INVALID; 1448 } 1449 w = 0; 1450 for (; n > 0; n--) { 1451 w |= rsn_keymgmt(frm); 1452 frm += 4, len -= 4; 1453 } 1454 if (w & RSN_ASE_8021X_UNSPEC) 1455 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1456 else 1457 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1458 1459 /* optional RSN capabilities */ 1460 if (len > 2) 1461 rsn->rsn_caps = le16dec(frm); 1462 /* XXXPMKID */ 1463 1464 return 0; 1465 } 1466 1467 /* 1468 * WPA/802.11i association request processing. 1469 */ 1470 static int 1471 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, 1472 const struct ieee80211_frame *wh, const uint8_t *wpa, 1473 const uint8_t *rsn, uint16_t capinfo) 1474 { 1475 struct ieee80211vap *vap = ni->ni_vap; 1476 uint8_t reason; 1477 int badwparsn; 1478 1479 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); 1480 if (wpa == NULL && rsn == NULL) { 1481 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { 1482 /* 1483 * W-Fi Protected Setup (WPS) permits 1484 * clients to associate and pass EAPOL frames 1485 * to establish initial credentials. 1486 */ 1487 ni->ni_flags |= IEEE80211_NODE_WPS; 1488 return 1; 1489 } 1490 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && 1491 (capinfo & IEEE80211_CAPINFO_PRIVACY)) { 1492 /* 1493 * Transitional Security Network. Permits clients 1494 * to associate and use WEP while WPA is configured. 1495 */ 1496 ni->ni_flags |= IEEE80211_NODE_TSN; 1497 return 1; 1498 } 1499 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1500 wh, NULL, "%s", "no WPA/RSN IE in association request"); 1501 vap->iv_stats.is_rx_assoc_badwpaie++; 1502 reason = IEEE80211_REASON_IE_INVALID; 1503 goto bad; 1504 } 1505 /* assert right association security credentials */ 1506 badwparsn = 0; /* NB: to silence compiler */ 1507 switch (vap->iv_flags & IEEE80211_F_WPA) { 1508 case IEEE80211_F_WPA1: 1509 badwparsn = (wpa == NULL); 1510 break; 1511 case IEEE80211_F_WPA2: 1512 badwparsn = (rsn == NULL); 1513 break; 1514 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 1515 badwparsn = (wpa == NULL && rsn == NULL); 1516 break; 1517 } 1518 if (badwparsn) { 1519 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 1520 wh, NULL, 1521 "%s", "missing WPA/RSN IE in association request"); 1522 vap->iv_stats.is_rx_assoc_badwpaie++; 1523 reason = IEEE80211_REASON_IE_INVALID; 1524 goto bad; 1525 } 1526 /* 1527 * Parse WPA/RSN information element. 1528 */ 1529 if (wpa != NULL) 1530 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); 1531 else 1532 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); 1533 if (reason != 0) { 1534 /* XXX distinguish WPA/RSN? */ 1535 vap->iv_stats.is_rx_assoc_badwpaie++; 1536 goto bad; 1537 } 1538 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, 1539 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", 1540 wpa != NULL ? "WPA" : "RSN", 1541 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, 1542 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, 1543 rsnparms->rsn_keymgmt, rsnparms->rsn_caps); 1544 1545 return 1; 1546 bad: 1547 ieee80211_node_deauth(ni, reason); 1548 return 0; 1549 } 1550 1551 /* XXX find a better place for definition */ 1552 struct l2_update_frame { 1553 struct ether_header eh; 1554 uint8_t dsap; 1555 uint8_t ssap; 1556 uint8_t control; 1557 uint8_t xid[3]; 1558 } __packed; 1559 1560 /* 1561 * Deliver a TGf L2UF frame on behalf of a station. 1562 * This primes any bridge when the station is roaming 1563 * between ap's on the same wired network. 1564 */ 1565 static void 1566 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1567 { 1568 struct ieee80211vap *vap = ni->ni_vap; 1569 struct ifnet *ifp = vap->iv_ifp; 1570 struct mbuf *m; 1571 struct l2_update_frame *l2uf; 1572 struct ether_header *eh; 1573 1574 m = m_gethdr(M_NOWAIT, MT_DATA); 1575 if (m == NULL) { 1576 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1577 "%s", "no mbuf for l2uf frame"); 1578 vap->iv_stats.is_rx_nobuf++; /* XXX not right */ 1579 return; 1580 } 1581 l2uf = mtod(m, struct l2_update_frame *); 1582 eh = &l2uf->eh; 1583 /* dst: Broadcast address */ 1584 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1585 /* src: associated STA */ 1586 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1587 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1588 1589 l2uf->dsap = 0; 1590 l2uf->ssap = 0; 1591 l2uf->control = 0xf5; 1592 l2uf->xid[0] = 0x81; 1593 l2uf->xid[1] = 0x80; 1594 l2uf->xid[2] = 0x00; 1595 1596 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1597 hostap_deliver_data(vap, ni, m); 1598 } 1599 1600 static void 1601 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1602 int reassoc, int resp, const char *tag, int rate) 1603 { 1604 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1605 "deny %s request, %s rate set mismatch, rate/MCS %d", 1606 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); 1607 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); 1608 ieee80211_node_leave(ni); 1609 } 1610 1611 static void 1612 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1613 int reassoc, int resp, const char *tag, int capinfo) 1614 { 1615 struct ieee80211vap *vap = ni->ni_vap; 1616 1617 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1618 "deny %s request, %s mismatch 0x%x", 1619 reassoc ? "reassoc" : "assoc", tag, capinfo); 1620 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); 1621 ieee80211_node_leave(ni); 1622 vap->iv_stats.is_rx_assoc_capmismatch++; 1623 } 1624 1625 static void 1626 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1627 int reassoc, int resp) 1628 { 1629 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, 1630 "deny %s request, missing HT ie", reassoc ? "reassoc" : "assoc"); 1631 /* XXX no better code */ 1632 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); 1633 ieee80211_node_leave(ni); 1634 } 1635 1636 static void 1637 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 1638 int algo, int seq, int status) 1639 { 1640 struct ieee80211vap *vap = ni->ni_vap; 1641 1642 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1643 wh, NULL, "unsupported alg %d", algo); 1644 vap->iv_stats.is_rx_auth_unsupported++; 1645 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, 1646 seq | (status << 16)); 1647 } 1648 1649 static __inline int 1650 ishtmixed(const uint8_t *ie) 1651 { 1652 const struct ieee80211_ie_htinfo *ht = 1653 (const struct ieee80211_ie_htinfo *) ie; 1654 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == 1655 IEEE80211_HTINFO_OPMODE_MIXED; 1656 } 1657 1658 static int 1659 is11bclient(const uint8_t *rates, const uint8_t *xrates) 1660 { 1661 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 1662 int i; 1663 1664 /* NB: the 11b clients we care about will not have xrates */ 1665 if (xrates != NULL || rates == NULL) 1666 return 0; 1667 for (i = 0; i < rates[1]; i++) { 1668 int r = rates[2+i] & IEEE80211_RATE_VAL; 1669 if (r > 2*11 || ((1<<r) & brates) == 0) 1670 return 0; 1671 } 1672 return 1; 1673 } 1674 1675 static void 1676 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1677 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1678 { 1679 struct ieee80211vap *vap = ni->ni_vap; 1680 struct ieee80211com *ic = ni->ni_ic; 1681 struct ieee80211_frame *wh; 1682 uint8_t *frm, *efrm, *sfrm; 1683 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 1684 int reassoc, resp; 1685 uint8_t rate; 1686 1687 wh = mtod(m0, struct ieee80211_frame *); 1688 frm = (uint8_t *)&wh[1]; 1689 efrm = mtod(m0, uint8_t *) + m0->m_len; 1690 switch (subtype) { 1691 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1692 /* 1693 * We process beacon/probe response frames when scanning; 1694 * otherwise we check beacon frames for overlapping non-ERP 1695 * BSS in 11g and/or overlapping legacy BSS when in HT. 1696 */ 1697 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1698 vap->iv_stats.is_rx_mgtdiscard++; 1699 return; 1700 } 1701 /* FALLTHROUGH */ 1702 case IEEE80211_FC0_SUBTYPE_BEACON: { 1703 struct ieee80211_scanparams scan; 1704 1705 /* NB: accept off-channel frames */ 1706 /* XXX TODO: use rxstatus to determine off-channel details */ 1707 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) 1708 return; 1709 /* 1710 * Count frame now that we know it's to be processed. 1711 */ 1712 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1713 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1714 IEEE80211_NODE_STAT(ni, rx_beacons); 1715 } else 1716 IEEE80211_NODE_STAT(ni, rx_proberesp); 1717 /* 1718 * If scanning, just pass information to the scan module. 1719 */ 1720 if (ic->ic_flags & IEEE80211_F_SCAN) { 1721 if (scan.status == 0 && /* NB: on channel */ 1722 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { 1723 /* 1724 * Actively scanning a channel marked passive; 1725 * send a probe request now that we know there 1726 * is 802.11 traffic present. 1727 * 1728 * XXX check if the beacon we recv'd gives 1729 * us what we need and suppress the probe req 1730 */ 1731 ieee80211_probe_curchan(vap, 1); 1732 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1733 } 1734 ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, 1735 subtype, rssi, nf); 1736 return; 1737 } 1738 /* 1739 * Check beacon for overlapping bss w/ non ERP stations. 1740 * If we detect one and protection is configured but not 1741 * enabled, enable it and start a timer that'll bring us 1742 * out if we stop seeing the bss. 1743 */ 1744 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1745 scan.status == 0 && /* NB: on-channel */ 1746 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ 1747 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { 1748 ic->ic_lastnonerp = ticks; 1749 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; 1750 if (ic->ic_protmode != IEEE80211_PROT_NONE && 1751 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { 1752 IEEE80211_NOTE_FRAME(vap, 1753 IEEE80211_MSG_ASSOC, wh, 1754 "non-ERP present on channel %d " 1755 "(saw erp 0x%x from channel %d), " 1756 "enable use of protection", 1757 ic->ic_curchan->ic_ieee, 1758 scan.erp, scan.chan); 1759 ic->ic_flags |= IEEE80211_F_USEPROT; 1760 ieee80211_notify_erp(ic); 1761 } 1762 } 1763 /* 1764 * Check beacon for non-HT station on HT channel 1765 * and update HT BSS occupancy as appropriate. 1766 */ 1767 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { 1768 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { 1769 /* 1770 * Off control channel; only check frames 1771 * that come in the extension channel when 1772 * operating w/ HT40. 1773 */ 1774 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) 1775 break; 1776 if (scan.chan != ic->ic_curchan->ic_extieee) 1777 break; 1778 } 1779 if (scan.htinfo == NULL) { 1780 ieee80211_htprot_update(ic, 1781 IEEE80211_HTINFO_OPMODE_PROTOPT | 1782 IEEE80211_HTINFO_NONHT_PRESENT); 1783 } else if (ishtmixed(scan.htinfo)) { 1784 /* XXX? take NONHT_PRESENT from beacon? */ 1785 ieee80211_htprot_update(ic, 1786 IEEE80211_HTINFO_OPMODE_MIXED | 1787 IEEE80211_HTINFO_NONHT_PRESENT); 1788 } 1789 } 1790 break; 1791 } 1792 1793 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1794 if (vap->iv_state != IEEE80211_S_RUN) { 1795 vap->iv_stats.is_rx_mgtdiscard++; 1796 return; 1797 } 1798 /* 1799 * Consult the ACL policy module if setup. 1800 */ 1801 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1802 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1803 wh, NULL, "%s", "disallowed by ACL"); 1804 vap->iv_stats.is_rx_acl++; 1805 return; 1806 } 1807 /* 1808 * prreq frame format 1809 * [tlv] ssid 1810 * [tlv] supported rates 1811 * [tlv] extended supported rates 1812 */ 1813 ssid = rates = xrates = NULL; 1814 sfrm = frm; 1815 while (efrm - frm > 1) { 1816 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1817 switch (*frm) { 1818 case IEEE80211_ELEMID_SSID: 1819 ssid = frm; 1820 break; 1821 case IEEE80211_ELEMID_RATES: 1822 rates = frm; 1823 break; 1824 case IEEE80211_ELEMID_XRATES: 1825 xrates = frm; 1826 break; 1827 } 1828 frm += frm[1] + 2; 1829 } 1830 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1831 if (xrates != NULL) 1832 IEEE80211_VERIFY_ELEMENT(xrates, 1833 IEEE80211_RATE_MAXSIZE - rates[1], return); 1834 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 1835 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 1836 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1837 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1838 wh, NULL, 1839 "%s", "no ssid with ssid suppression enabled"); 1840 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 1841 return; 1842 } 1843 1844 /* XXX find a better class or define it's own */ 1845 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 1846 "%s", "recv probe req"); 1847 /* 1848 * Some legacy 11b clients cannot hack a complete 1849 * probe response frame. When the request includes 1850 * only a bare-bones rate set, communicate this to 1851 * the transmit side. 1852 */ 1853 ieee80211_send_proberesp(vap, wh->i_addr2, 1854 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 1855 break; 1856 1857 case IEEE80211_FC0_SUBTYPE_AUTH: { 1858 uint16_t algo, seq, status; 1859 1860 if (vap->iv_state != IEEE80211_S_RUN) { 1861 vap->iv_stats.is_rx_mgtdiscard++; 1862 return; 1863 } 1864 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1865 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1866 wh, NULL, "%s", "wrong bssid"); 1867 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ 1868 return; 1869 } 1870 /* 1871 * auth frame format 1872 * [2] algorithm 1873 * [2] sequence 1874 * [2] status 1875 * [tlv*] challenge 1876 */ 1877 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1878 algo = le16toh(*(uint16_t *)frm); 1879 seq = le16toh(*(uint16_t *)(frm + 2)); 1880 status = le16toh(*(uint16_t *)(frm + 4)); 1881 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1882 "recv auth frame with algorithm %d seq %d", algo, seq); 1883 /* 1884 * Consult the ACL policy module if setup. 1885 */ 1886 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { 1887 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, 1888 wh, NULL, "%s", "disallowed by ACL"); 1889 vap->iv_stats.is_rx_acl++; 1890 ieee80211_send_error(ni, wh->i_addr2, 1891 IEEE80211_FC0_SUBTYPE_AUTH, 1892 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 1893 return; 1894 } 1895 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1896 IEEE80211_DISCARD(vap, 1897 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1898 wh, NULL, "%s", "TKIP countermeasures enabled"); 1899 vap->iv_stats.is_rx_auth_countermeasures++; 1900 ieee80211_send_error(ni, wh->i_addr2, 1901 IEEE80211_FC0_SUBTYPE_AUTH, 1902 IEEE80211_REASON_MIC_FAILURE); 1903 return; 1904 } 1905 if (algo == IEEE80211_AUTH_ALG_SHARED) 1906 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1907 seq, status); 1908 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1909 hostap_auth_open(ni, wh, rssi, nf, seq, status); 1910 else if (algo == IEEE80211_AUTH_ALG_LEAP) { 1911 authalgreject(ni, wh, algo, 1912 seq+1, IEEE80211_STATUS_ALG); 1913 return; 1914 } else { 1915 /* 1916 * We assume that an unknown algorithm is the result 1917 * of a decryption failure on a shared key auth frame; 1918 * return a status code appropriate for that instead 1919 * of IEEE80211_STATUS_ALG. 1920 * 1921 * NB: a seq# of 4 is intentional; the decrypted 1922 * frame likely has a bogus seq value. 1923 */ 1924 authalgreject(ni, wh, algo, 1925 4, IEEE80211_STATUS_CHALLENGE); 1926 return; 1927 } 1928 break; 1929 } 1930 1931 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1932 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1933 uint16_t capinfo, lintval; 1934 struct ieee80211_rsnparms rsnparms; 1935 1936 if (vap->iv_state != IEEE80211_S_RUN) { 1937 vap->iv_stats.is_rx_mgtdiscard++; 1938 return; 1939 } 1940 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { 1941 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1942 wh, NULL, "%s", "wrong bssid"); 1943 vap->iv_stats.is_rx_assoc_bss++; 1944 return; 1945 } 1946 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1947 reassoc = 1; 1948 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1949 } else { 1950 reassoc = 0; 1951 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1952 } 1953 if (ni == vap->iv_bss) { 1954 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, 1955 "deny %s request, sta not authenticated", 1956 reassoc ? "reassoc" : "assoc"); 1957 ieee80211_send_error(ni, wh->i_addr2, 1958 IEEE80211_FC0_SUBTYPE_DEAUTH, 1959 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1960 vap->iv_stats.is_rx_assoc_notauth++; 1961 return; 1962 } 1963 1964 /* 1965 * asreq frame format 1966 * [2] capability information 1967 * [2] listen interval 1968 * [6*] current AP address (reassoc only) 1969 * [tlv] ssid 1970 * [tlv] supported rates 1971 * [tlv] extended supported rates 1972 * [tlv] WPA or RSN 1973 * [tlv] HT capabilities 1974 * [tlv] Atheros capabilities 1975 */ 1976 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 1977 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1978 lintval = le16toh(*(uint16_t *)frm); frm += 2; 1979 if (reassoc) 1980 frm += 6; /* ignore current AP info */ 1981 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 1982 sfrm = frm; 1983 while (efrm - frm > 1) { 1984 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1985 switch (*frm) { 1986 case IEEE80211_ELEMID_SSID: 1987 ssid = frm; 1988 break; 1989 case IEEE80211_ELEMID_RATES: 1990 rates = frm; 1991 break; 1992 case IEEE80211_ELEMID_XRATES: 1993 xrates = frm; 1994 break; 1995 case IEEE80211_ELEMID_RSN: 1996 rsn = frm; 1997 break; 1998 case IEEE80211_ELEMID_HTCAP: 1999 htcap = frm; 2000 break; 2001 case IEEE80211_ELEMID_VENDOR: 2002 if (iswpaoui(frm)) 2003 wpa = frm; 2004 else if (iswmeinfo(frm)) 2005 wme = frm; 2006 #ifdef IEEE80211_SUPPORT_SUPERG 2007 else if (isatherosoui(frm)) 2008 ath = frm; 2009 #endif 2010 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 2011 if (ishtcapoui(frm) && htcap == NULL) 2012 htcap = frm; 2013 } 2014 break; 2015 } 2016 frm += frm[1] + 2; 2017 } 2018 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 2019 if (xrates != NULL) 2020 IEEE80211_VERIFY_ELEMENT(xrates, 2021 IEEE80211_RATE_MAXSIZE - rates[1], return); 2022 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 2023 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 2024 if (htcap != NULL) { 2025 IEEE80211_VERIFY_LENGTH(htcap[1], 2026 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2027 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2028 sizeof(struct ieee80211_ie_htcap)-2, 2029 return); /* XXX just NULL out? */ 2030 } 2031 2032 if ((vap->iv_flags & IEEE80211_F_WPA) && 2033 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) 2034 return; 2035 /* discard challenge after association */ 2036 if (ni->ni_challenge != NULL) { 2037 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 2038 ni->ni_challenge = NULL; 2039 } 2040 /* NB: 802.11 spec says to ignore station's privacy bit */ 2041 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2042 capinfomismatch(ni, wh, reassoc, resp, 2043 "capability", capinfo); 2044 return; 2045 } 2046 /* 2047 * Disallow re-associate w/ invalid slot time setting. 2048 */ 2049 if (ni->ni_associd != 0 && 2050 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2051 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2052 capinfomismatch(ni, wh, reassoc, resp, 2053 "slot time", capinfo); 2054 return; 2055 } 2056 rate = ieee80211_setup_rates(ni, rates, xrates, 2057 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2058 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2059 if (rate & IEEE80211_RATE_BASIC) { 2060 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); 2061 vap->iv_stats.is_rx_assoc_norate++; 2062 return; 2063 } 2064 /* 2065 * If constrained to 11g-only stations reject an 2066 * 11b-only station. We cheat a bit here by looking 2067 * at the max negotiated xmit rate and assuming anyone 2068 * with a best rate <24Mb/s is an 11b station. 2069 */ 2070 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { 2071 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2072 vap->iv_stats.is_rx_assoc_norate++; 2073 return; 2074 } 2075 /* 2076 * Do HT rate set handling and setup HT node state. 2077 */ 2078 ni->ni_chan = vap->iv_bss->ni_chan; 2079 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { 2080 rate = ieee80211_setup_htrates(ni, htcap, 2081 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | 2082 IEEE80211_F_DOBRS); 2083 if (rate & IEEE80211_RATE_BASIC) { 2084 ratesetmismatch(ni, wh, reassoc, resp, 2085 "HT", rate); 2086 vap->iv_stats.is_ht_assoc_norate++; 2087 return; 2088 } 2089 ieee80211_ht_node_init(ni); 2090 ieee80211_ht_updatehtcap(ni, htcap); 2091 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2092 ieee80211_ht_node_cleanup(ni); 2093 #ifdef IEEE80211_SUPPORT_SUPERG 2094 /* Always do ff node cleanup; for A-MSDU */ 2095 ieee80211_ff_node_cleanup(ni); 2096 #endif 2097 /* 2098 * Allow AMPDU operation only with unencrypted traffic 2099 * or AES-CCM; the 11n spec only specifies these ciphers 2100 * so permitting any others is undefined and can lead 2101 * to interoperability problems. 2102 */ 2103 if ((ni->ni_flags & IEEE80211_NODE_HT) && 2104 (((vap->iv_flags & IEEE80211_F_WPA) && 2105 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || 2106 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { 2107 IEEE80211_NOTE(vap, 2108 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, 2109 "disallow HT use because WEP or TKIP requested, " 2110 "capinfo 0x%x ucastcipher %d", capinfo, 2111 rsnparms.rsn_ucastcipher); 2112 ieee80211_ht_node_cleanup(ni); 2113 #ifdef IEEE80211_SUPPORT_SUPERG 2114 /* Always do ff node cleanup; for A-MSDU */ 2115 ieee80211_ff_node_cleanup(ni); 2116 #endif 2117 vap->iv_stats.is_ht_assoc_downgrade++; 2118 } 2119 /* 2120 * If constrained to 11n-only stations reject legacy stations. 2121 */ 2122 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && 2123 (ni->ni_flags & IEEE80211_NODE_HT) == 0) { 2124 htcapmismatch(ni, wh, reassoc, resp); 2125 vap->iv_stats.is_ht_assoc_nohtcap++; 2126 return; 2127 } 2128 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 2129 ni->ni_noise = nf; 2130 ni->ni_intval = lintval; 2131 ni->ni_capinfo = capinfo; 2132 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; 2133 ni->ni_fhindex = vap->iv_bss->ni_fhindex; 2134 /* 2135 * Store the IEs. 2136 * XXX maybe better to just expand 2137 */ 2138 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { 2139 #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) 2140 if (wpa != NULL) 2141 setie(wpa_ie, wpa - sfrm); 2142 if (rsn != NULL) 2143 setie(rsn_ie, rsn - sfrm); 2144 if (htcap != NULL) 2145 setie(htcap_ie, htcap - sfrm); 2146 if (wme != NULL) { 2147 setie(wme_ie, wme - sfrm); 2148 /* 2149 * Mark node as capable of QoS. 2150 */ 2151 ni->ni_flags |= IEEE80211_NODE_QOS; 2152 } else 2153 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2154 #ifdef IEEE80211_SUPPORT_SUPERG 2155 if (ath != NULL) { 2156 setie(ath_ie, ath - sfrm); 2157 /* 2158 * Parse ATH station parameters. 2159 */ 2160 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); 2161 } else 2162 #endif 2163 ni->ni_ath_flags = 0; 2164 #undef setie 2165 } else { 2166 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2167 ni->ni_ath_flags = 0; 2168 } 2169 ieee80211_node_join(ni, resp); 2170 ieee80211_deliver_l2uf(ni); 2171 break; 2172 } 2173 2174 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2175 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2176 uint16_t reason; 2177 2178 if (vap->iv_state != IEEE80211_S_RUN || 2179 /* NB: can happen when in promiscuous mode */ 2180 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 2181 vap->iv_stats.is_rx_mgtdiscard++; 2182 break; 2183 } 2184 /* 2185 * deauth/disassoc frame format 2186 * [2] reason 2187 */ 2188 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2189 reason = le16toh(*(uint16_t *)frm); 2190 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { 2191 vap->iv_stats.is_rx_deauth++; 2192 IEEE80211_NODE_STAT(ni, rx_deauth); 2193 } else { 2194 vap->iv_stats.is_rx_disassoc++; 2195 IEEE80211_NODE_STAT(ni, rx_disassoc); 2196 } 2197 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2198 "recv %s (reason: %d (%s))", 2199 ieee80211_mgt_subtype_name(subtype), 2200 reason, ieee80211_reason_to_string(reason)); 2201 if (ni != vap->iv_bss) 2202 ieee80211_node_leave(ni); 2203 break; 2204 } 2205 2206 case IEEE80211_FC0_SUBTYPE_ACTION: 2207 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2208 if (ni == vap->iv_bss) { 2209 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2210 wh, NULL, "%s", "unknown node"); 2211 vap->iv_stats.is_rx_mgtdiscard++; 2212 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2213 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2214 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2215 wh, NULL, "%s", "not for us"); 2216 vap->iv_stats.is_rx_mgtdiscard++; 2217 } else if (vap->iv_state != IEEE80211_S_RUN) { 2218 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2219 wh, NULL, "wrong state %s", 2220 ieee80211_state_name[vap->iv_state]); 2221 vap->iv_stats.is_rx_mgtdiscard++; 2222 } else { 2223 if (ieee80211_parse_action(ni, m0) == 0) 2224 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2225 } 2226 break; 2227 2228 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2229 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2230 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2231 case IEEE80211_FC0_SUBTYPE_ATIM: 2232 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2233 wh, NULL, "%s", "not handled"); 2234 vap->iv_stats.is_rx_mgtdiscard++; 2235 break; 2236 2237 default: 2238 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2239 wh, "mgt", "subtype 0x%x not handled", subtype); 2240 vap->iv_stats.is_rx_badsubtype++; 2241 break; 2242 } 2243 } 2244 2245 static void 2246 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2247 { 2248 switch (subtype) { 2249 case IEEE80211_FC0_SUBTYPE_PS_POLL: 2250 ni->ni_vap->iv_recv_pspoll(ni, m); 2251 break; 2252 case IEEE80211_FC0_SUBTYPE_BAR: 2253 ieee80211_recv_bar(ni, m); 2254 break; 2255 } 2256 } 2257 2258 /* 2259 * Process a received ps-poll frame. 2260 */ 2261 void 2262 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) 2263 { 2264 struct ieee80211vap *vap = ni->ni_vap; 2265 struct ieee80211com *ic = vap->iv_ic; 2266 struct ieee80211_frame_min *wh; 2267 struct mbuf *m; 2268 uint16_t aid; 2269 int qlen; 2270 2271 wh = mtod(m0, struct ieee80211_frame_min *); 2272 if (ni->ni_associd == 0) { 2273 IEEE80211_DISCARD(vap, 2274 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2275 (struct ieee80211_frame *) wh, NULL, 2276 "%s", "unassociated station"); 2277 vap->iv_stats.is_ps_unassoc++; 2278 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2279 IEEE80211_REASON_NOT_ASSOCED); 2280 return; 2281 } 2282 2283 aid = le16toh(*(uint16_t *)wh->i_dur); 2284 if (aid != ni->ni_associd) { 2285 IEEE80211_DISCARD(vap, 2286 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2287 (struct ieee80211_frame *) wh, NULL, 2288 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2289 ni->ni_associd, aid); 2290 vap->iv_stats.is_ps_badaid++; 2291 /* 2292 * NB: We used to deauth the station but it turns out 2293 * the Blackberry Curve 8230 (and perhaps other devices) 2294 * sometimes send the wrong AID when WME is negotiated. 2295 * Being more lenient here seems ok as we already check 2296 * the station is associated and we only return frames 2297 * queued for the station (i.e. we don't use the AID). 2298 */ 2299 return; 2300 } 2301 2302 /* Okay, take the first queued packet and put it out... */ 2303 m = ieee80211_node_psq_dequeue(ni, &qlen); 2304 if (m == NULL) { 2305 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, 2306 "%s", "recv ps-poll, but queue empty"); 2307 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2308 vap->iv_stats.is_ps_qempty++; /* XXX node stat */ 2309 if (vap->iv_set_tim != NULL) 2310 vap->iv_set_tim(ni, 0); /* just in case */ 2311 return; 2312 } 2313 /* 2314 * If there are more packets, set the more packets bit 2315 * in the packet dispatched to the station; otherwise 2316 * turn off the TIM bit. 2317 */ 2318 if (qlen != 0) { 2319 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2320 "recv ps-poll, send packet, %u still queued", qlen); 2321 m->m_flags |= M_MORE_DATA; 2322 } else { 2323 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, 2324 "%s", "recv ps-poll, send packet, queue empty"); 2325 if (vap->iv_set_tim != NULL) 2326 vap->iv_set_tim(ni, 0); 2327 } 2328 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2329 2330 /* 2331 * Do the right thing; if it's an encap'ed frame then 2332 * call ieee80211_parent_xmitpkt() else 2333 * call ieee80211_vap_xmitpkt(). 2334 */ 2335 if (m->m_flags & M_ENCAP) { 2336 (void) ieee80211_parent_xmitpkt(ic, m); 2337 } else { 2338 (void) ieee80211_vap_xmitpkt(vap, m); 2339 } 2340 } 2341