freebsd-nq/sys/net80211/ieee80211_hostap.c
Sam Leffler 693e312235 don't deauth a station because it sends a ps-poll w/ a bogus aid in it;
turns out some devices do this and since we otherwise validate the station
is associated and don't use the aid for anything being lenient here allows
them to function

Submitted by:	Chris Zimmermann
MFC after:	2 weeks
2008-07-26 23:50:27 +00:00

2243 lines
64 KiB
C

/*-
* Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
#ifdef __FreeBSD__
__FBSDID("$FreeBSD$");
#endif
/*
* IEEE 802.11 HOSTAP mode support.
*/
#include "opt_inet.h"
#include "opt_wlan.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/kernel.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <sys/endian.h>
#include <sys/errno.h>
#include <sys/proc.h>
#include <sys/sysctl.h>
#include <net/if.h>
#include <net/if_media.h>
#include <net/if_llc.h>
#include <net/ethernet.h>
#include <net/bpf.h>
#include <net80211/ieee80211_var.h>
#include <net80211/ieee80211_hostap.h>
#include <net80211/ieee80211_input.h>
#include <net80211/ieee80211_wds.h>
#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
static void hostap_vattach(struct ieee80211vap *);
static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
int rssi, int noise, uint32_t rstamp);
static void hostap_deliver_data(struct ieee80211vap *,
struct ieee80211_node *, struct mbuf *);
static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
int subtype, int rssi, int noise, uint32_t rstamp);
static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
void
ieee80211_hostap_attach(struct ieee80211com *ic)
{
ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
}
void
ieee80211_hostap_detach(struct ieee80211com *ic)
{
}
static void
hostap_vdetach(struct ieee80211vap *vap)
{
}
static void
hostap_vattach(struct ieee80211vap *vap)
{
vap->iv_newstate = hostap_newstate;
vap->iv_input = hostap_input;
vap->iv_recv_mgmt = hostap_recv_mgmt;
vap->iv_opdetach = hostap_vdetach;
vap->iv_deliver_data = hostap_deliver_data;
}
static void
sta_disassoc(void *arg, struct ieee80211_node *ni)
{
struct ieee80211vap *vap = arg;
if (ni->ni_vap == vap && ni->ni_associd != 0) {
IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
IEEE80211_REASON_ASSOC_LEAVE);
ieee80211_node_leave(ni);
}
}
/*
* IEEE80211_M_HOSTAP vap state machine handler.
*/
static int
hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
{
struct ieee80211com *ic = vap->iv_ic;
enum ieee80211_state ostate;
IEEE80211_LOCK_ASSERT(ic);
ostate = vap->iv_state;
IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
__func__, ieee80211_state_name[ostate],
ieee80211_state_name[nstate], arg);
vap->iv_state = nstate; /* state transition */
if (ostate != IEEE80211_S_SCAN)
ieee80211_cancel_scan(vap); /* background scan */
switch (nstate) {
case IEEE80211_S_INIT:
switch (ostate) {
case IEEE80211_S_SCAN:
ieee80211_cancel_scan(vap);
break;
case IEEE80211_S_CAC:
ieee80211_dfs_cac_stop(vap);
break;
case IEEE80211_S_RUN:
ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
break;
default:
break;
}
if (ostate != IEEE80211_S_INIT) {
/* NB: optimize INIT -> INIT case */
ieee80211_reset_bss(vap);
}
if (vap->iv_auth->ia_detach != NULL)
vap->iv_auth->ia_detach(vap);
break;
case IEEE80211_S_SCAN:
switch (ostate) {
case IEEE80211_S_CSA:
case IEEE80211_S_RUN:
ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
/*
* Clear overlapping BSS state; the beacon frame
* will be reconstructed on transition to the RUN
* state and the timeout routines check if the flag
* is set before doing anything so this is sufficient.
*/
ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR;
/* fall thru... */
case IEEE80211_S_CAC:
/*
* NB: We may get here because of a manual channel
* change in which case we need to stop CAC
* XXX no need to stop if ostate RUN but it's ok
*/
ieee80211_dfs_cac_stop(vap);
/* fall thru... */
case IEEE80211_S_INIT:
if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
!IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
/*
* Already have a channel; bypass the
* scan and startup immediately.
* ieee80211_create_ibss will call back to
* move us to RUN state.
*/
ieee80211_create_ibss(vap, vap->iv_des_chan);
break;
}
/*
* Initiate a scan. We can come here as a result
* of an IEEE80211_IOC_SCAN_REQ too in which case
* the vap will be marked with IEEE80211_FEXT_SCANREQ
* and the scan request parameters will be present
* in iv_scanreq. Otherwise we do the default.
*/
if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
ieee80211_check_scan(vap,
vap->iv_scanreq_flags,
vap->iv_scanreq_duration,
vap->iv_scanreq_mindwell,
vap->iv_scanreq_maxdwell,
vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
} else
ieee80211_check_scan_current(vap);
break;
case IEEE80211_S_SCAN:
/*
* A state change requires a reset; scan.
*/
ieee80211_check_scan_current(vap);
break;
default:
break;
}
break;
case IEEE80211_S_CAC:
/*
* Start CAC on a DFS channel. We come here when starting
* a bss on a DFS channel (see ieee80211_create_ibss).
*/
ieee80211_dfs_cac_start(vap);
break;
case IEEE80211_S_RUN:
if (vap->iv_flags & IEEE80211_F_WPA) {
/* XXX validate prerequisites */
}
switch (ostate) {
case IEEE80211_S_INIT:
/*
* Already have a channel; bypass the
* scan and startup immediately.
* Note that ieee80211_create_ibss will call
* back to do a RUN->RUN state change.
*/
ieee80211_create_ibss(vap,
ieee80211_ht_adjust_channel(ic,
ic->ic_curchan, vap->iv_flags_ext));
/* NB: iv_bss is changed on return */
break;
case IEEE80211_S_CAC:
/*
* NB: This is the normal state change when CAC
* expires and no radar was detected; no need to
* clear the CAC timer as it's already expired.
*/
/* fall thru... */
case IEEE80211_S_CSA:
/*
* Update bss node channel to reflect where
* we landed after CSA.
*/
ieee80211_node_set_chan(vap->iv_bss,
ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
ieee80211_htchanflags(vap->iv_bss->ni_chan)));
/* XXX bypass debug msgs */
break;
case IEEE80211_S_SCAN:
case IEEE80211_S_RUN:
#ifdef IEEE80211_DEBUG
if (ieee80211_msg_debug(vap)) {
struct ieee80211_node *ni = vap->iv_bss;
ieee80211_note(vap,
"synchronized with %s ssid ",
ether_sprintf(ni->ni_bssid));
ieee80211_print_essid(ni->ni_essid,
ni->ni_esslen);
/* XXX MCS/HT */
printf(" channel %d start %uMb\n",
ieee80211_chan2ieee(ic, ic->ic_curchan),
IEEE80211_RATE2MBS(ni->ni_txrate));
}
#endif
break;
default:
break;
}
/*
* Start/stop the authenticator. We delay until here
* to allow configuration to happen out of order.
*/
if (vap->iv_auth->ia_attach != NULL) {
/* XXX check failure */
vap->iv_auth->ia_attach(vap);
} else if (vap->iv_auth->ia_detach != NULL) {
vap->iv_auth->ia_detach(vap);
}
ieee80211_node_authorize(vap->iv_bss);
break;
default:
break;
}
return 0;
}
static void
hostap_deliver_data(struct ieee80211vap *vap,
struct ieee80211_node *ni, struct mbuf *m)
{
struct ether_header *eh = mtod(m, struct ether_header *);
struct ifnet *ifp = vap->iv_ifp;
KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
("gack, opmode %d", vap->iv_opmode));
/*
* Do accounting.
*/
ifp->if_ipackets++;
IEEE80211_NODE_STAT(ni, rx_data);
IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
m->m_flags |= M_MCAST; /* XXX M_BCAST? */
IEEE80211_NODE_STAT(ni, rx_mcast);
} else
IEEE80211_NODE_STAT(ni, rx_ucast);
/* clear driver/net80211 flags before passing up */
m->m_flags &= ~M_80211_RX;
/* perform as a bridge within the AP */
if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
struct mbuf *mcopy = NULL;
if (m->m_flags & M_MCAST) {
mcopy = m_copypacket(m, M_DONTWAIT);
if (mcopy == NULL)
ifp->if_oerrors++;
else
mcopy->m_flags |= M_MCAST;
} else {
/*
* Check if the destination is associated with the
* same vap and authorized to receive traffic.
* Beware of traffic destined for the vap itself;
* sending it will not work; just let it be delivered
* normally.
*/
struct ieee80211_node *sta = ieee80211_find_vap_node(
&vap->iv_ic->ic_sta, vap, eh->ether_dhost);
if (sta != NULL) {
if (ieee80211_node_is_authorized(sta)) {
/*
* Beware of sending to ourself; this
* needs to happen via the normal
* input path.
*/
if (sta != vap->iv_bss) {
mcopy = m;
m = NULL;
}
} else {
vap->iv_stats.is_rx_unauth++;
IEEE80211_NODE_STAT(sta, rx_unauth);
}
ieee80211_free_node(sta);
}
}
if (mcopy != NULL) {
int len, err;
len = mcopy->m_pkthdr.len;
IFQ_HANDOFF(ifp, mcopy, err);
if (err) {
/* NB: IFQ_HANDOFF reclaims mcopy */
} else {
ifp->if_opackets++;
}
}
}
if (m != NULL) {
/*
* Mark frame as coming from vap's interface.
*/
m->m_pkthdr.rcvif = ifp;
if (m->m_flags & M_MCAST) {
/*
* Spam DWDS vap's w/ multicast traffic.
*/
/* XXX only if dwds in use? */
ieee80211_dwds_mcast(vap, m);
}
if (ni->ni_vlan != 0) {
/* attach vlan tag */
m->m_pkthdr.ether_vtag = ni->ni_vlan;
m->m_flags |= M_VLANTAG;
}
ifp->if_input(ifp, m);
}
}
/*
* Decide if a received management frame should be
* printed when debugging is enabled. This filters some
* of the less interesting frames that come frequently
* (e.g. beacons).
*/
static __inline int
doprint(struct ieee80211vap *vap, int subtype)
{
switch (subtype) {
case IEEE80211_FC0_SUBTYPE_BEACON:
return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
return 0;
}
return 1;
}
/*
* Process a received frame. The node associated with the sender
* should be supplied. If nothing was found in the node table then
* the caller is assumed to supply a reference to iv_bss instead.
* The RSSI and a timestamp are also supplied. The RSSI data is used
* during AP scanning to select a AP to associate with; it can have
* any units so long as values have consistent units and higher values
* mean ``better signal''. The receive timestamp is currently not used
* by the 802.11 layer.
*/
static int
hostap_input(struct ieee80211_node *ni, struct mbuf *m,
int rssi, int noise, uint32_t rstamp)
{
#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
#define HAS_SEQ(type) ((type & 0x4) == 0)
struct ieee80211vap *vap = ni->ni_vap;
struct ieee80211com *ic = ni->ni_ic;
struct ifnet *ifp = vap->iv_ifp;
struct ieee80211_frame *wh;
struct ieee80211_key *key;
struct ether_header *eh;
int hdrspace, need_tap;
uint8_t dir, type, subtype, qos;
uint8_t *bssid;
uint16_t rxseq;
if (m->m_flags & M_AMPDU) {
/*
* Fastpath for A-MPDU reorder q resubmission. Frames
* w/ M_AMPDU marked have already passed through here
* but were received out of order and been held on the
* reorder queue. When resubmitted they are marked
* with the M_AMPDU flag and we can bypass most of the
* normal processing.
*/
wh = mtod(m, struct ieee80211_frame *);
type = IEEE80211_FC0_TYPE_DATA;
dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
subtype = IEEE80211_FC0_SUBTYPE_QOS;
hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
goto resubmit_ampdu;
}
KASSERT(ni != NULL, ("null node"));
ni->ni_inact = ni->ni_inact_reload;
need_tap = 1; /* mbuf need to be tapped. */
type = -1; /* undefined */
if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
ni->ni_macaddr, NULL,
"too short (1): len %u", m->m_pkthdr.len);
vap->iv_stats.is_rx_tooshort++;
goto out;
}
/*
* Bit of a cheat here, we use a pointer for a 3-address
* frame format but don't reference fields past outside
* ieee80211_frame_min w/o first validating the data is
* present.
*/
wh = mtod(m, struct ieee80211_frame *);
if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
IEEE80211_FC0_VERSION_0) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
vap->iv_stats.is_rx_badversion++;
goto err;
}
dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
if (dir != IEEE80211_FC1_DIR_NODS)
bssid = wh->i_addr1;
else if (type == IEEE80211_FC0_TYPE_CTL)
bssid = wh->i_addr1;
else {
if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
IEEE80211_DISCARD_MAC(vap,
IEEE80211_MSG_ANY, ni->ni_macaddr,
NULL, "too short (2): len %u",
m->m_pkthdr.len);
vap->iv_stats.is_rx_tooshort++;
goto out;
}
bssid = wh->i_addr3;
}
/*
* Validate the bssid.
*/
if (!(type == IEEE80211_FC0_TYPE_MGT &&
subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
!IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
!IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
/* not interested in */
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
bssid, NULL, "%s", "not to bss");
vap->iv_stats.is_rx_wrongbss++;
goto out;
}
IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
ni->ni_noise = noise;
ni->ni_rstamp = rstamp;
if (HAS_SEQ(type)) {
uint8_t tid = ieee80211_gettid(wh);
if (IEEE80211_QOS_HAS_SEQ(wh) &&
TID_TO_WME_AC(tid) >= WME_AC_VI)
ic->ic_wme.wme_hipri_traffic++;
rxseq = le16toh(*(uint16_t *)wh->i_seq);
if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
(wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
/* duplicate, discard */
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
bssid, "duplicate",
"seqno <%u,%u> fragno <%u,%u> tid %u",
rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
ni->ni_rxseqs[tid] >>
IEEE80211_SEQ_SEQ_SHIFT,
rxseq & IEEE80211_SEQ_FRAG_MASK,
ni->ni_rxseqs[tid] &
IEEE80211_SEQ_FRAG_MASK,
tid);
vap->iv_stats.is_rx_dup++;
IEEE80211_NODE_STAT(ni, rx_dup);
goto out;
}
ni->ni_rxseqs[tid] = rxseq;
}
}
switch (type) {
case IEEE80211_FC0_TYPE_DATA:
hdrspace = ieee80211_hdrspace(ic, wh);
if (m->m_len < hdrspace &&
(m = m_pullup(m, hdrspace)) == NULL) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
ni->ni_macaddr, NULL,
"data too short: expecting %u", hdrspace);
vap->iv_stats.is_rx_tooshort++;
goto out; /* XXX */
}
if (!(dir == IEEE80211_FC1_DIR_TODS ||
(dir == IEEE80211_FC1_DIR_DSTODS &&
(vap->iv_flags & IEEE80211_F_DWDS)))) {
if (dir != IEEE80211_FC1_DIR_DSTODS) {
IEEE80211_DISCARD(vap,
IEEE80211_MSG_INPUT, wh, "data",
"incorrect dir 0x%x", dir);
} else {
IEEE80211_DISCARD(vap,
IEEE80211_MSG_INPUT |
IEEE80211_MSG_WDS, wh,
"4-address data",
"%s", "DWDS not enabled");
}
vap->iv_stats.is_rx_wrongdir++;
goto out;
}
/* check if source STA is associated */
if (ni == vap->iv_bss) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, "data", "%s", "unknown src");
ieee80211_send_error(ni, wh->i_addr2,
IEEE80211_FC0_SUBTYPE_DEAUTH,
IEEE80211_REASON_NOT_AUTHED);
vap->iv_stats.is_rx_notassoc++;
goto err;
}
if (ni->ni_associd == 0) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, "data", "%s", "unassoc src");
IEEE80211_SEND_MGMT(ni,
IEEE80211_FC0_SUBTYPE_DISASSOC,
IEEE80211_REASON_NOT_ASSOCED);
vap->iv_stats.is_rx_notassoc++;
goto err;
}
/*
* Check for power save state change.
* XXX out-of-order A-MPDU frames?
*/
if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
(ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
ieee80211_node_pwrsave(ni,
wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
/*
* For 4-address packets handle WDS discovery
* notifications. Once a WDS link is setup frames
* are just delivered to the WDS vap (see below).
*/
if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
if (!ieee80211_node_is_authorized(ni)) {
IEEE80211_DISCARD(vap,
IEEE80211_MSG_INPUT |
IEEE80211_MSG_WDS, wh,
"4-address data",
"%s", "unauthorized port");
vap->iv_stats.is_rx_unauth++;
IEEE80211_NODE_STAT(ni, rx_unauth);
goto err;
}
ieee80211_dwds_discover(ni, m);
return type;
}
/*
* Handle A-MPDU re-ordering. The station must be
* associated and negotiated HT. The frame must be
* a QoS frame (not QoS null data) and not previously
* processed for A-MPDU re-ordering. If the frame is
* to be processed directly then ieee80211_ampdu_reorder
* will return 0; otherwise it has consumed the mbuf
* and we should do nothing more with it.
*/
if ((ni->ni_flags & IEEE80211_NODE_HT) &&
subtype == IEEE80211_FC0_SUBTYPE_QOS &&
ieee80211_ampdu_reorder(ni, m) != 0) {
m = NULL;
goto out;
}
resubmit_ampdu:
/*
* Handle privacy requirements. Note that we
* must not be preempted from here until after
* we (potentially) call ieee80211_crypto_demic;
* otherwise we may violate assumptions in the
* crypto cipher modules used to do delayed update
* of replay sequence numbers.
*/
if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
/*
* Discard encrypted frames when privacy is off.
*/
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, "WEP", "%s", "PRIVACY off");
vap->iv_stats.is_rx_noprivacy++;
IEEE80211_NODE_STAT(ni, rx_noprivacy);
goto out;
}
key = ieee80211_crypto_decap(ni, m, hdrspace);
if (key == NULL) {
/* NB: stats+msgs handled in crypto_decap */
IEEE80211_NODE_STAT(ni, rx_wepfail);
goto out;
}
wh = mtod(m, struct ieee80211_frame *);
wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
} else {
/* XXX M_WEP and IEEE80211_F_PRIVACY */
key = NULL;
}
/*
* Save QoS bits for use below--before we strip the header.
*/
if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
((struct ieee80211_qosframe *)wh)->i_qos[0];
} else
qos = 0;
/*
* Next up, any fragmentation.
*/
if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
m = ieee80211_defrag(ni, m, hdrspace);
if (m == NULL) {
/* Fragment dropped or frame not complete yet */
goto out;
}
}
wh = NULL; /* no longer valid, catch any uses */
/*
* Next strip any MSDU crypto bits.
*/
if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
ni->ni_macaddr, "data", "%s", "demic error");
vap->iv_stats.is_rx_demicfail++;
IEEE80211_NODE_STAT(ni, rx_demicfail);
goto out;
}
/* copy to listener after decrypt */
if (bpf_peers_present(vap->iv_rawbpf))
bpf_mtap(vap->iv_rawbpf, m);
need_tap = 0;
/*
* Finally, strip the 802.11 header.
*/
m = ieee80211_decap(vap, m, hdrspace);
if (m == NULL) {
/* XXX mask bit to check for both */
/* don't count Null data frames as errors */
if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
goto out;
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
ni->ni_macaddr, "data", "%s", "decap error");
vap->iv_stats.is_rx_decap++;
IEEE80211_NODE_STAT(ni, rx_decap);
goto err;
}
eh = mtod(m, struct ether_header *);
if (!ieee80211_node_is_authorized(ni)) {
/*
* Deny any non-PAE frames received prior to
* authorization. For open/shared-key
* authentication the port is mark authorized
* after authentication completes. For 802.1x
* the port is not marked authorized by the
* authenticator until the handshake has completed.
*/
if (eh->ether_type != htons(ETHERTYPE_PAE)) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
eh->ether_shost, "data",
"unauthorized port: ether type 0x%x len %u",
eh->ether_type, m->m_pkthdr.len);
vap->iv_stats.is_rx_unauth++;
IEEE80211_NODE_STAT(ni, rx_unauth);
goto err;
}
} else {
/*
* When denying unencrypted frames, discard
* any non-PAE frames received without encryption.
*/
if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
(key == NULL && (m->m_flags & M_WEP) == 0) &&
eh->ether_type != htons(ETHERTYPE_PAE)) {
/*
* Drop unencrypted frames.
*/
vap->iv_stats.is_rx_unencrypted++;
IEEE80211_NODE_STAT(ni, rx_unencrypted);
goto out;
}
}
/* XXX require HT? */
if (qos & IEEE80211_QOS_AMSDU) {
m = ieee80211_decap_amsdu(ni, m);
if (m == NULL)
return IEEE80211_FC0_TYPE_DATA;
} else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) &&
#define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc))
m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
struct llc *llc;
/*
* Check for fast-frame tunnel encapsulation.
*/
if (m->m_len < FF_LLC_SIZE &&
(m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
ni->ni_macaddr, "fast-frame",
"%s", "m_pullup(llc) failed");
vap->iv_stats.is_rx_tooshort++;
return IEEE80211_FC0_TYPE_DATA;
}
llc = (struct llc *)(mtod(m, uint8_t *) +
sizeof(struct ether_header));
if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
m_adj(m, FF_LLC_SIZE);
m = ieee80211_decap_fastframe(ni, m);
if (m == NULL)
return IEEE80211_FC0_TYPE_DATA;
}
}
#undef FF_LLC_SIZE
if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
else
hostap_deliver_data(vap, ni, m);
return IEEE80211_FC0_TYPE_DATA;
case IEEE80211_FC0_TYPE_MGT:
vap->iv_stats.is_rx_mgmt++;
IEEE80211_NODE_STAT(ni, rx_mgmt);
if (dir != IEEE80211_FC1_DIR_NODS) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, "mgt", "incorrect dir 0x%x", dir);
vap->iv_stats.is_rx_wrongdir++;
goto err;
}
if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
ni->ni_macaddr, "mgt", "too short: len %u",
m->m_pkthdr.len);
vap->iv_stats.is_rx_tooshort++;
goto out;
}
if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
/* ensure return frames are unicast */
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, NULL, "source is multicast: %s",
ether_sprintf(wh->i_addr2));
vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
goto out;
}
#ifdef IEEE80211_DEBUG
if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
ieee80211_msg_dumppkts(vap)) {
if_printf(ifp, "received %s from %s rssi %d\n",
ieee80211_mgt_subtype_name[subtype >>
IEEE80211_FC0_SUBTYPE_SHIFT],
ether_sprintf(wh->i_addr2), rssi);
}
#endif
if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
/*
* Only shared key auth frames with a challenge
* should be encrypted, discard all others.
*/
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, NULL,
"%s", "WEP set but not permitted");
vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
goto out;
}
if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
/*
* Discard encrypted frames when privacy is off.
*/
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, NULL, "%s", "WEP set but PRIVACY off");
vap->iv_stats.is_rx_noprivacy++;
goto out;
}
hdrspace = ieee80211_hdrspace(ic, wh);
key = ieee80211_crypto_decap(ni, m, hdrspace);
if (key == NULL) {
/* NB: stats+msgs handled in crypto_decap */
goto out;
}
wh = mtod(m, struct ieee80211_frame *);
wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
}
if (bpf_peers_present(vap->iv_rawbpf))
bpf_mtap(vap->iv_rawbpf, m);
vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
m_freem(m);
return IEEE80211_FC0_TYPE_MGT;
case IEEE80211_FC0_TYPE_CTL:
vap->iv_stats.is_rx_ctl++;
IEEE80211_NODE_STAT(ni, rx_ctrl);
switch (subtype) {
case IEEE80211_FC0_SUBTYPE_PS_POLL:
hostap_recv_pspoll(ni, m);
break;
case IEEE80211_FC0_SUBTYPE_BAR:
ieee80211_recv_bar(ni, m);
break;
}
goto out;
default:
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, "bad", "frame type 0x%x", type);
/* should not come here */
break;
}
err:
ifp->if_ierrors++;
out:
if (m != NULL) {
if (bpf_peers_present(vap->iv_rawbpf) && need_tap)
bpf_mtap(vap->iv_rawbpf, m);
m_freem(m);
}
return type;
#undef SEQ_LEQ
}
static void
hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
{
struct ieee80211vap *vap = ni->ni_vap;
KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "open auth",
"bad sta auth mode %u", ni->ni_authmode);
vap->iv_stats.is_rx_bad_auth++; /* XXX */
/*
* Clear any challenge text that may be there if
* a previous shared key auth failed and then an
* open auth is attempted.
*/
if (ni->ni_challenge != NULL) {
FREE(ni->ni_challenge, M_80211_NODE);
ni->ni_challenge = NULL;
}
/* XXX hack to workaround calling convention */
ieee80211_send_error(ni, wh->i_addr2,
IEEE80211_FC0_SUBTYPE_AUTH,
(seq + 1) | (IEEE80211_STATUS_ALG<<16));
return;
}
if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
vap->iv_stats.is_rx_bad_auth++;
return;
}
/* always accept open authentication requests */
if (ni == vap->iv_bss) {
ni = ieee80211_dup_bss(vap, wh->i_addr2);
if (ni == NULL)
return;
} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
(void) ieee80211_ref_node(ni);
/*
* Mark the node as referenced to reflect that it's
* reference count has been bumped to insure it remains
* after the transaction completes.
*/
ni->ni_flags |= IEEE80211_NODE_AREF;
if (vap->iv_acl != NULL &&
vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
/*
* When the ACL policy is set to RADIUS we defer the
* authorization to a user agent. Dispatch an event,
* a subsequent MLME call will decide the fate of the
* station. If the user agent is not present then the
* node will be reclaimed due to inactivity.
*/
IEEE80211_NOTE_MAC(vap,
IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
"%s", "station authentication defered (radius acl)");
ieee80211_notify_node_auth(ni);
} else {
IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
IEEE80211_NOTE_MAC(vap,
IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
"%s", "station authenticated (open)");
/*
* When 802.1x is not in use mark the port
* authorized at this point so traffic can flow.
*/
if (ni->ni_authmode != IEEE80211_AUTH_8021X)
ieee80211_node_authorize(ni);
}
}
static void
hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp,
uint16_t seq, uint16_t status)
{
struct ieee80211vap *vap = ni->ni_vap;
uint8_t *challenge;
int allocbs, estatus;
KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
/*
* NB: this can happen as we allow pre-shared key
* authentication to be enabled w/o wep being turned
* on so that configuration of these can be done
* in any order. It may be better to enforce the
* ordering in which case this check would just be
* for sanity/consistency.
*/
if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key auth",
"%s", " PRIVACY is disabled");
estatus = IEEE80211_STATUS_ALG;
goto bad;
}
/*
* Pre-shared key authentication is evil; accept
* it only if explicitly configured (it is supported
* mainly for compatibility with clients like Mac OS X).
*/
if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
ni->ni_authmode != IEEE80211_AUTH_SHARED) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key auth",
"bad sta auth mode %u", ni->ni_authmode);
vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
estatus = IEEE80211_STATUS_ALG;
goto bad;
}
challenge = NULL;
if (frm + 1 < efrm) {
if ((frm[1] + 2) > (efrm - frm)) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key auth",
"ie %d/%d too long",
frm[0], (frm[1] + 2) - (efrm - frm));
vap->iv_stats.is_rx_bad_auth++;
estatus = IEEE80211_STATUS_CHALLENGE;
goto bad;
}
if (*frm == IEEE80211_ELEMID_CHALLENGE)
challenge = frm;
frm += frm[1] + 2;
}
switch (seq) {
case IEEE80211_AUTH_SHARED_CHALLENGE:
case IEEE80211_AUTH_SHARED_RESPONSE:
if (challenge == NULL) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key auth",
"%s", "no challenge");
vap->iv_stats.is_rx_bad_auth++;
estatus = IEEE80211_STATUS_CHALLENGE;
goto bad;
}
if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key auth",
"bad challenge len %d", challenge[1]);
vap->iv_stats.is_rx_bad_auth++;
estatus = IEEE80211_STATUS_CHALLENGE;
goto bad;
}
default:
break;
}
switch (seq) {
case IEEE80211_AUTH_SHARED_REQUEST:
if (ni == vap->iv_bss) {
ni = ieee80211_dup_bss(vap, wh->i_addr2);
if (ni == NULL) {
/* NB: no way to return an error */
return;
}
allocbs = 1;
} else {
if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
(void) ieee80211_ref_node(ni);
allocbs = 0;
}
/*
* Mark the node as referenced to reflect that it's
* reference count has been bumped to insure it remains
* after the transaction completes.
*/
ni->ni_flags |= IEEE80211_NODE_AREF;
IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
ni->ni_noise = noise;
ni->ni_rstamp = rstamp;
if (!ieee80211_alloc_challenge(ni)) {
/* NB: don't return error so they rexmit */
return;
}
get_random_bytes(ni->ni_challenge,
IEEE80211_CHALLENGE_LEN);
IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
ni, "shared key %sauth request", allocbs ? "" : "re");
/*
* When the ACL policy is set to RADIUS we defer the
* authorization to a user agent. Dispatch an event,
* a subsequent MLME call will decide the fate of the
* station. If the user agent is not present then the
* node will be reclaimed due to inactivity.
*/
if (vap->iv_acl != NULL &&
vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
IEEE80211_NOTE_MAC(vap,
IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
ni->ni_macaddr,
"%s", "station authentication defered (radius acl)");
ieee80211_notify_node_auth(ni);
return;
}
break;
case IEEE80211_AUTH_SHARED_RESPONSE:
if (ni == vap->iv_bss) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key response",
"%s", "unknown station");
/* NB: don't send a response */
return;
}
if (ni->ni_challenge == NULL) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key response",
"%s", "no challenge recorded");
vap->iv_stats.is_rx_bad_auth++;
estatus = IEEE80211_STATUS_CHALLENGE;
goto bad;
}
if (memcmp(ni->ni_challenge, &challenge[2],
challenge[1]) != 0) {
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key response",
"%s", "challenge mismatch");
vap->iv_stats.is_rx_auth_fail++;
estatus = IEEE80211_STATUS_CHALLENGE;
goto bad;
}
IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
ni, "%s", "station authenticated (shared key)");
ieee80211_node_authorize(ni);
break;
default:
IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
ni->ni_macaddr, "shared key auth",
"bad seq %d", seq);
vap->iv_stats.is_rx_bad_auth++;
estatus = IEEE80211_STATUS_SEQUENCE;
goto bad;
}
IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
return;
bad:
/*
* Send an error response; but only when operating as an AP.
*/
/* XXX hack to workaround calling convention */
ieee80211_send_error(ni, wh->i_addr2,
IEEE80211_FC0_SUBTYPE_AUTH,
(seq + 1) | (estatus<<16));
}
/*
* Convert a WPA cipher selector OUI to an internal
* cipher algorithm. Where appropriate we also
* record any key length.
*/
static int
wpa_cipher(const uint8_t *sel, uint8_t *keylen)
{
#define WPA_SEL(x) (((x)<<24)|WPA_OUI)
uint32_t w = LE_READ_4(sel);
switch (w) {
case WPA_SEL(WPA_CSE_NULL):
return IEEE80211_CIPHER_NONE;
case WPA_SEL(WPA_CSE_WEP40):
if (keylen)
*keylen = 40 / NBBY;
return IEEE80211_CIPHER_WEP;
case WPA_SEL(WPA_CSE_WEP104):
if (keylen)
*keylen = 104 / NBBY;
return IEEE80211_CIPHER_WEP;
case WPA_SEL(WPA_CSE_TKIP):
return IEEE80211_CIPHER_TKIP;
case WPA_SEL(WPA_CSE_CCMP):
return IEEE80211_CIPHER_AES_CCM;
}
return 32; /* NB: so 1<< is discarded */
#undef WPA_SEL
}
/*
* Convert a WPA key management/authentication algorithm
* to an internal code.
*/
static int
wpa_keymgmt(const uint8_t *sel)
{
#define WPA_SEL(x) (((x)<<24)|WPA_OUI)
uint32_t w = LE_READ_4(sel);
switch (w) {
case WPA_SEL(WPA_ASE_8021X_UNSPEC):
return WPA_ASE_8021X_UNSPEC;
case WPA_SEL(WPA_ASE_8021X_PSK):
return WPA_ASE_8021X_PSK;
case WPA_SEL(WPA_ASE_NONE):
return WPA_ASE_NONE;
}
return 0; /* NB: so is discarded */
#undef WPA_SEL
}
/*
* Parse a WPA information element to collect parameters.
* Note that we do not validate security parameters; that
* is handled by the authenticator; the parsing done here
* is just for internal use in making operational decisions.
*/
static int
ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
{
uint8_t len = frm[1];
uint32_t w;
int n;
/*
* Check the length once for fixed parts: OUI, type,
* version, mcast cipher, and 2 selector counts.
* Other, variable-length data, must be checked separately.
*/
if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
return IEEE80211_REASON_IE_INVALID;
}
if (len < 14) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "WPA", "too short, len %u", len);
return IEEE80211_REASON_IE_INVALID;
}
frm += 6, len -= 4; /* NB: len is payload only */
/* NB: iswapoui already validated the OUI and type */
w = LE_READ_2(frm);
if (w != WPA_VERSION) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "WPA", "bad version %u", w);
return IEEE80211_REASON_IE_INVALID;
}
frm += 2, len -= 2;
memset(rsn, 0, sizeof(*rsn));
/* multicast/group cipher */
rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
frm += 4, len -= 4;
/* unicast ciphers */
n = LE_READ_2(frm);
frm += 2, len -= 2;
if (len < n*4+2) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "WPA", "ucast cipher data too short; len %u, n %u",
len, n);
return IEEE80211_REASON_IE_INVALID;
}
w = 0;
for (; n > 0; n--) {
w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
frm += 4, len -= 4;
}
if (w & (1<<IEEE80211_CIPHER_TKIP))
rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
else
rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
/* key management algorithms */
n = LE_READ_2(frm);
frm += 2, len -= 2;
if (len < n*4) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "WPA", "key mgmt alg data too short; len %u, n %u",
len, n);
return IEEE80211_REASON_IE_INVALID;
}
w = 0;
for (; n > 0; n--) {
w |= wpa_keymgmt(frm);
frm += 4, len -= 4;
}
if (w & WPA_ASE_8021X_UNSPEC)
rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
else
rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
if (len > 2) /* optional capabilities */
rsn->rsn_caps = LE_READ_2(frm);
return 0;
}
/*
* Convert an RSN cipher selector OUI to an internal
* cipher algorithm. Where appropriate we also
* record any key length.
*/
static int
rsn_cipher(const uint8_t *sel, uint8_t *keylen)
{
#define RSN_SEL(x) (((x)<<24)|RSN_OUI)
uint32_t w = LE_READ_4(sel);
switch (w) {
case RSN_SEL(RSN_CSE_NULL):
return IEEE80211_CIPHER_NONE;
case RSN_SEL(RSN_CSE_WEP40):
if (keylen)
*keylen = 40 / NBBY;
return IEEE80211_CIPHER_WEP;
case RSN_SEL(RSN_CSE_WEP104):
if (keylen)
*keylen = 104 / NBBY;
return IEEE80211_CIPHER_WEP;
case RSN_SEL(RSN_CSE_TKIP):
return IEEE80211_CIPHER_TKIP;
case RSN_SEL(RSN_CSE_CCMP):
return IEEE80211_CIPHER_AES_CCM;
case RSN_SEL(RSN_CSE_WRAP):
return IEEE80211_CIPHER_AES_OCB;
}
return 32; /* NB: so 1<< is discarded */
#undef WPA_SEL
}
/*
* Convert an RSN key management/authentication algorithm
* to an internal code.
*/
static int
rsn_keymgmt(const uint8_t *sel)
{
#define RSN_SEL(x) (((x)<<24)|RSN_OUI)
uint32_t w = LE_READ_4(sel);
switch (w) {
case RSN_SEL(RSN_ASE_8021X_UNSPEC):
return RSN_ASE_8021X_UNSPEC;
case RSN_SEL(RSN_ASE_8021X_PSK):
return RSN_ASE_8021X_PSK;
case RSN_SEL(RSN_ASE_NONE):
return RSN_ASE_NONE;
}
return 0; /* NB: so is discarded */
#undef RSN_SEL
}
/*
* Parse a WPA/RSN information element to collect parameters
* and validate the parameters against what has been
* configured for the system.
*/
static int
ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
{
uint8_t len = frm[1];
uint32_t w;
int n;
/*
* Check the length once for fixed parts:
* version, mcast cipher, and 2 selector counts.
* Other, variable-length data, must be checked separately.
*/
if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
return IEEE80211_REASON_IE_INVALID;
}
if (len < 10) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "RSN", "too short, len %u", len);
return IEEE80211_REASON_IE_INVALID;
}
frm += 2;
w = LE_READ_2(frm);
if (w != RSN_VERSION) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "RSN", "bad version %u", w);
return IEEE80211_REASON_IE_INVALID;
}
frm += 2, len -= 2;
memset(rsn, 0, sizeof(*rsn));
/* multicast/group cipher */
rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
frm += 4, len -= 4;
/* unicast ciphers */
n = LE_READ_2(frm);
frm += 2, len -= 2;
if (len < n*4+2) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "RSN", "ucast cipher data too short; len %u, n %u",
len, n);
return IEEE80211_REASON_IE_INVALID;
}
w = 0;
for (; n > 0; n--) {
w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
frm += 4, len -= 4;
}
if (w & (1<<IEEE80211_CIPHER_TKIP))
rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
else
rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
/* key management algorithms */
n = LE_READ_2(frm);
frm += 2, len -= 2;
if (len < n*4) {
IEEE80211_DISCARD_IE(vap,
IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
wh, "RSN", "key mgmt alg data too short; len %u, n %u",
len, n);
return IEEE80211_REASON_IE_INVALID;
}
w = 0;
for (; n > 0; n--) {
w |= rsn_keymgmt(frm);
frm += 4, len -= 4;
}
if (w & RSN_ASE_8021X_UNSPEC)
rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
else
rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
/* optional RSN capabilities */
if (len > 2)
rsn->rsn_caps = LE_READ_2(frm);
/* XXXPMKID */
return 0;
}
/*
* WPA/802.11i assocation request processing.
*/
static int
wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
const struct ieee80211_frame *wh, const uint8_t *wpa,
const uint8_t *rsn, uint16_t capinfo)
{
struct ieee80211vap *vap = ni->ni_vap;
uint8_t reason;
int badwparsn;
ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
if (wpa == NULL && rsn == NULL) {
if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
/*
* W-Fi Protected Setup (WPS) permits
* clients to associate and pass EAPOL frames
* to establish initial credentials.
*/
ni->ni_flags |= IEEE80211_NODE_WPS;
return 1;
}
if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
(capinfo & IEEE80211_CAPINFO_PRIVACY)) {
/*
* Transitional Security Network. Permits clients
* to associate and use WEP while WPA is configured.
*/
ni->ni_flags |= IEEE80211_NODE_TSN;
return 1;
}
IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
wh, NULL, "%s", "no WPA/RSN IE in association request");
vap->iv_stats.is_rx_assoc_badwpaie++;
reason = IEEE80211_REASON_IE_INVALID;
goto bad;
}
/* assert right association security credentials */
badwparsn = 0; /* NB: to silence compiler */
switch (vap->iv_flags & IEEE80211_F_WPA) {
case IEEE80211_F_WPA1:
badwparsn = (wpa == NULL);
break;
case IEEE80211_F_WPA2:
badwparsn = (rsn == NULL);
break;
case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
badwparsn = (wpa == NULL && rsn == NULL);
break;
}
if (badwparsn) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
wh, NULL,
"%s", "missing WPA/RSN IE in association request");
vap->iv_stats.is_rx_assoc_badwpaie++;
reason = IEEE80211_REASON_IE_INVALID;
goto bad;
}
/*
* Parse WPA/RSN information element.
*/
if (wpa != NULL)
reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
else
reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
if (reason != 0) {
/* XXX distinguish WPA/RSN? */
vap->iv_stats.is_rx_assoc_badwpaie++;
goto bad;
}
IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
"%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
wpa != NULL ? "WPA" : "RSN",
rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
return 1;
bad:
ieee80211_node_deauth(ni, reason);
return 0;
}
/* XXX find a better place for definition */
struct l2_update_frame {
struct ether_header eh;
uint8_t dsap;
uint8_t ssap;
uint8_t control;
uint8_t xid[3];
} __packed;
/*
* Deliver a TGf L2UF frame on behalf of a station.
* This primes any bridge when the station is roaming
* between ap's on the same wired network.
*/
static void
ieee80211_deliver_l2uf(struct ieee80211_node *ni)
{
struct ieee80211vap *vap = ni->ni_vap;
struct ifnet *ifp = vap->iv_ifp;
struct mbuf *m;
struct l2_update_frame *l2uf;
struct ether_header *eh;
m = m_gethdr(M_NOWAIT, MT_DATA);
if (m == NULL) {
IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
"%s", "no mbuf for l2uf frame");
vap->iv_stats.is_rx_nobuf++; /* XXX not right */
return;
}
l2uf = mtod(m, struct l2_update_frame *);
eh = &l2uf->eh;
/* dst: Broadcast address */
IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
/* src: associated STA */
IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
l2uf->dsap = 0;
l2uf->ssap = 0;
l2uf->control = 0xf5;
l2uf->xid[0] = 0x81;
l2uf->xid[1] = 0x80;
l2uf->xid[2] = 0x00;
m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
hostap_deliver_data(vap, ni, m);
}
static void
ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
int reassoc, int resp, const char *tag, int rate)
{
IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
"deny %s request, %s rate set mismatch, rate/MCS %d",
reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
ieee80211_node_leave(ni);
}
static void
capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
int reassoc, int resp, const char *tag, int capinfo)
{
struct ieee80211vap *vap = ni->ni_vap;
IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
"deny %s request, %s mismatch 0x%x",
reassoc ? "reassoc" : "assoc", tag, capinfo);
IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
ieee80211_node_leave(ni);
vap->iv_stats.is_rx_assoc_capmismatch++;
}
static void
htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
int reassoc, int resp)
{
IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
"deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
/* XXX no better code */
IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER);
ieee80211_node_leave(ni);
}
static void
authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
int algo, int seq, int status)
{
struct ieee80211vap *vap = ni->ni_vap;
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, NULL, "unsupported alg %d", algo);
vap->iv_stats.is_rx_auth_unsupported++;
ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
seq | (status << 16));
}
static __inline int
ishtmixed(const uint8_t *ie)
{
const struct ieee80211_ie_htinfo *ht =
(const struct ieee80211_ie_htinfo *) ie;
return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
IEEE80211_HTINFO_OPMODE_MIXED;
}
static int
is11bclient(const uint8_t *rates, const uint8_t *xrates)
{
static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
int i;
/* NB: the 11b clients we care about will not have xrates */
if (xrates != NULL || rates == NULL)
return 0;
for (i = 0; i < rates[1]; i++) {
int r = rates[2+i] & IEEE80211_RATE_VAL;
if (r > 2*11 || ((1<<r) & brates) == 0)
return 0;
}
return 1;
}
static void
hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
int subtype, int rssi, int noise, uint32_t rstamp)
{
struct ieee80211vap *vap = ni->ni_vap;
struct ieee80211com *ic = ni->ni_ic;
struct ieee80211_frame *wh;
uint8_t *frm, *efrm, *sfrm;
uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
int reassoc, resp;
uint8_t rate;
wh = mtod(m0, struct ieee80211_frame *);
frm = (uint8_t *)&wh[1];
efrm = mtod(m0, uint8_t *) + m0->m_len;
switch (subtype) {
case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
case IEEE80211_FC0_SUBTYPE_BEACON: {
struct ieee80211_scanparams scan;
/*
* We process beacon/probe response frames when scanning;
* otherwise we check beacon frames for overlapping non-ERP
* BSS in 11g and/or overlapping legacy BSS when in HT.
*/
if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
vap->iv_stats.is_rx_mgtdiscard++;
return;
}
/* NB: accept off-channel frames */
if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
return;
/*
* Count frame now that we know it's to be processed.
*/
if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
vap->iv_stats.is_rx_beacon++; /* XXX remove */
IEEE80211_NODE_STAT(ni, rx_beacons);
} else
IEEE80211_NODE_STAT(ni, rx_proberesp);
/*
* If scanning, just pass information to the scan module.
*/
if (ic->ic_flags & IEEE80211_F_SCAN) {
if (scan.status == 0 && /* NB: on channel */
(ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
/*
* Actively scanning a channel marked passive;
* send a probe request now that we know there
* is 802.11 traffic present.
*
* XXX check if the beacon we recv'd gives
* us what we need and suppress the probe req
*/
ieee80211_probe_curchan(vap, 1);
ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
}
ieee80211_add_scan(vap, &scan, wh,
subtype, rssi, noise, rstamp);
return;
}
/*
* Check beacon for overlapping bss w/ non ERP stations.
* If we detect one and protection is configured but not
* enabled, enable it and start a timer that'll bring us
* out if we stop seeing the bss.
*/
if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
scan.status == 0 && /* NB: on-channel */
((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
(scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
ic->ic_lastnonerp = ticks;
ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
if (ic->ic_protmode != IEEE80211_PROT_NONE &&
(ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
IEEE80211_NOTE_FRAME(vap,
IEEE80211_MSG_ASSOC, wh,
"non-ERP present on channel %d "
"(saw erp 0x%x from channel %d), "
"enable use of protection",
ic->ic_curchan->ic_ieee,
scan.erp, scan.chan);
ic->ic_flags |= IEEE80211_F_USEPROT;
ieee80211_notify_erp(ic);
}
}
/*
* Check beacon for non-HT station on HT channel
* and update HT BSS occupancy as appropriate.
*/
if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
/*
* Off control channel; only check frames
* that come in the extension channel when
* operating w/ HT40.
*/
if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
break;
if (scan.chan != ic->ic_curchan->ic_extieee)
break;
}
if (scan.htinfo == NULL) {
ieee80211_htprot_update(ic,
IEEE80211_HTINFO_OPMODE_PROTOPT |
IEEE80211_HTINFO_NONHT_PRESENT);
} else if (ishtmixed(scan.htinfo)) {
/* XXX? take NONHT_PRESENT from beacon? */
ieee80211_htprot_update(ic,
IEEE80211_HTINFO_OPMODE_MIXED |
IEEE80211_HTINFO_NONHT_PRESENT);
}
}
break;
}
case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
if (vap->iv_state != IEEE80211_S_RUN) {
vap->iv_stats.is_rx_mgtdiscard++;
return;
}
/*
* prreq frame format
* [tlv] ssid
* [tlv] supported rates
* [tlv] extended supported rates
*/
ssid = rates = xrates = NULL;
sfrm = frm;
while (efrm - frm > 1) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
switch (*frm) {
case IEEE80211_ELEMID_SSID:
ssid = frm;
break;
case IEEE80211_ELEMID_RATES:
rates = frm;
break;
case IEEE80211_ELEMID_XRATES:
xrates = frm;
break;
}
frm += frm[1] + 2;
}
IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
if (xrates != NULL)
IEEE80211_VERIFY_ELEMENT(xrates,
IEEE80211_RATE_MAXSIZE - rates[1], return);
IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
wh, NULL,
"%s", "no ssid with ssid suppression enabled");
vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
return;
}
/* XXX find a better class or define it's own */
IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
"%s", "recv probe req");
/*
* Some legacy 11b clients cannot hack a complete
* probe response frame. When the request includes
* only a bare-bones rate set, communicate this to
* the transmit side.
*/
ieee80211_send_proberesp(vap, wh->i_addr2,
is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
break;
case IEEE80211_FC0_SUBTYPE_AUTH: {
uint16_t algo, seq, status;
if (vap->iv_state != IEEE80211_S_RUN) {
vap->iv_stats.is_rx_mgtdiscard++;
return;
}
if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, NULL, "%s", "wrong bssid");
vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
return;
}
/*
* auth frame format
* [2] algorithm
* [2] sequence
* [2] status
* [tlv*] challenge
*/
IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
algo = le16toh(*(uint16_t *)frm);
seq = le16toh(*(uint16_t *)(frm + 2));
status = le16toh(*(uint16_t *)(frm + 4));
IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
"recv auth frame with algorithm %d seq %d", algo, seq);
/*
* Consult the ACL policy module if setup.
*/
if (vap->iv_acl != NULL &&
!vap->iv_acl->iac_check(vap, wh->i_addr2)) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
wh, NULL, "%s", "disallowed by ACL");
vap->iv_stats.is_rx_acl++;
ieee80211_send_error(ni, wh->i_addr2,
IEEE80211_FC0_SUBTYPE_AUTH,
(seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
return;
}
if (vap->iv_flags & IEEE80211_F_COUNTERM) {
IEEE80211_DISCARD(vap,
IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
wh, NULL, "%s", "TKIP countermeasures enabled");
vap->iv_stats.is_rx_auth_countermeasures++;
ieee80211_send_error(ni, wh->i_addr2,
IEEE80211_FC0_SUBTYPE_AUTH,
IEEE80211_REASON_MIC_FAILURE);
return;
}
if (algo == IEEE80211_AUTH_ALG_SHARED)
hostap_auth_shared(ni, wh, frm + 6, efrm, rssi,
noise, rstamp, seq, status);
else if (algo == IEEE80211_AUTH_ALG_OPEN)
hostap_auth_open(ni, wh, rssi, noise, rstamp,
seq, status);
else if (algo == IEEE80211_AUTH_ALG_LEAP) {
authalgreject(ni, wh, algo,
seq+1, IEEE80211_STATUS_ALG);
return;
} else {
/*
* We assume that an unknown algorithm is the result
* of a decryption failure on a shared key auth frame;
* return a status code appropriate for that instead
* of IEEE80211_STATUS_ALG.
*
* NB: a seq# of 4 is intentional; the decrypted
* frame likely has a bogus seq value.
*/
authalgreject(ni, wh, algo,
4, IEEE80211_STATUS_CHALLENGE);
return;
}
break;
}
case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
uint16_t capinfo, lintval;
struct ieee80211_rsnparms rsnparms;
if (vap->iv_state != IEEE80211_S_RUN) {
vap->iv_stats.is_rx_mgtdiscard++;
return;
}
if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, NULL, "%s", "wrong bssid");
vap->iv_stats.is_rx_assoc_bss++;
return;
}
if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
reassoc = 1;
resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
} else {
reassoc = 0;
resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
}
if (ni == vap->iv_bss) {
IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
"deny %s request, sta not authenticated",
reassoc ? "reassoc" : "assoc");
ieee80211_send_error(ni, wh->i_addr2,
IEEE80211_FC0_SUBTYPE_DEAUTH,
IEEE80211_REASON_ASSOC_NOT_AUTHED);
vap->iv_stats.is_rx_assoc_notauth++;
return;
}
/*
* asreq frame format
* [2] capability information
* [2] listen interval
* [6*] current AP address (reassoc only)
* [tlv] ssid
* [tlv] supported rates
* [tlv] extended supported rates
* [tlv] WPA or RSN
* [tlv] HT capabilities
* [tlv] Atheros capabilities
*/
IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
capinfo = le16toh(*(uint16_t *)frm); frm += 2;
lintval = le16toh(*(uint16_t *)frm); frm += 2;
if (reassoc)
frm += 6; /* ignore current AP info */
ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
sfrm = frm;
while (efrm - frm > 1) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
switch (*frm) {
case IEEE80211_ELEMID_SSID:
ssid = frm;
break;
case IEEE80211_ELEMID_RATES:
rates = frm;
break;
case IEEE80211_ELEMID_XRATES:
xrates = frm;
break;
case IEEE80211_ELEMID_RSN:
rsn = frm;
break;
case IEEE80211_ELEMID_HTCAP:
htcap = frm;
break;
case IEEE80211_ELEMID_VENDOR:
if (iswpaoui(frm))
wpa = frm;
else if (iswmeinfo(frm))
wme = frm;
else if (isatherosoui(frm))
ath = frm;
else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
if (ishtcapoui(frm) && htcap == NULL)
htcap = frm;
}
break;
}
frm += frm[1] + 2;
}
IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
if (xrates != NULL)
IEEE80211_VERIFY_ELEMENT(xrates,
IEEE80211_RATE_MAXSIZE - rates[1], return);
IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
if (htcap != NULL) {
IEEE80211_VERIFY_LENGTH(htcap[1],
htcap[0] == IEEE80211_ELEMID_VENDOR ?
4 + sizeof(struct ieee80211_ie_htcap)-2 :
sizeof(struct ieee80211_ie_htcap)-2,
return); /* XXX just NULL out? */
}
if ((vap->iv_flags & IEEE80211_F_WPA) &&
!wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
return;
/* discard challenge after association */
if (ni->ni_challenge != NULL) {
FREE(ni->ni_challenge, M_80211_NODE);
ni->ni_challenge = NULL;
}
/* NB: 802.11 spec says to ignore station's privacy bit */
if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
capinfomismatch(ni, wh, reassoc, resp,
"capability", capinfo);
return;
}
/*
* Disallow re-associate w/ invalid slot time setting.
*/
if (ni->ni_associd != 0 &&
IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
capinfomismatch(ni, wh, reassoc, resp,
"slot time", capinfo);
return;
}
rate = ieee80211_setup_rates(ni, rates, xrates,
IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
if (rate & IEEE80211_RATE_BASIC) {
ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
vap->iv_stats.is_rx_assoc_norate++;
return;
}
/*
* If constrained to 11g-only stations reject an
* 11b-only station. We cheat a bit here by looking
* at the max negotiated xmit rate and assuming anyone
* with a best rate <24Mb/s is an 11b station.
*/
if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
vap->iv_stats.is_rx_assoc_norate++;
return;
}
/*
* Do HT rate set handling and setup HT node state.
*/
ni->ni_chan = vap->iv_bss->ni_chan;
if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
rate = ieee80211_setup_htrates(ni, htcap,
IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
IEEE80211_F_DOBRS);
if (rate & IEEE80211_RATE_BASIC) {
ratesetmismatch(ni, wh, reassoc, resp,
"HT", rate);
vap->iv_stats.is_ht_assoc_norate++;
return;
}
ieee80211_ht_node_init(ni, htcap);
} else if (ni->ni_flags & IEEE80211_NODE_HT)
ieee80211_ht_node_cleanup(ni);
/*
* Allow AMPDU operation only with unencrypted traffic
* or AES-CCM; the 11n spec only specifies these ciphers
* so permitting any others is undefined and can lead
* to interoperability problems.
*/
if ((ni->ni_flags & IEEE80211_NODE_HT) &&
(((vap->iv_flags & IEEE80211_F_WPA) &&
rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
(vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
IEEE80211_NOTE(vap,
IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
"disallow HT use because WEP or TKIP requested, "
"capinfo 0x%x ucastcipher %d", capinfo,
rsnparms.rsn_ucastcipher);
ieee80211_ht_node_cleanup(ni);
vap->iv_stats.is_ht_assoc_downgrade++;
}
/*
* If constrained to 11n-only stations reject legacy stations.
*/
if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) &&
(ni->ni_flags & IEEE80211_NODE_HT) == 0) {
htcapmismatch(ni, wh, reassoc, resp);
vap->iv_stats.is_ht_assoc_nohtcap++;
return;
}
IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
ni->ni_noise = noise;
ni->ni_rstamp = rstamp;
ni->ni_intval = lintval;
ni->ni_capinfo = capinfo;
ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
ni->ni_fhindex = vap->iv_bss->ni_fhindex;
/*
* Store the IEs.
* XXX maybe better to just expand
*/
if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
if (wpa != NULL)
setie(wpa_ie, wpa - sfrm);
if (rsn != NULL)
setie(rsn_ie, rsn - sfrm);
if (htcap != NULL)
setie(htcap_ie, htcap - sfrm);
if (wme != NULL) {
setie(wme_ie, wme - sfrm);
/*
* Mark node as capable of QoS.
*/
ni->ni_flags |= IEEE80211_NODE_QOS;
} else
ni->ni_flags &= ~IEEE80211_NODE_QOS;
if (ath != NULL) {
setie(ath_ie, ath - sfrm);
/*
* Parse ATH station parameters.
*/
ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
} else
ni->ni_ath_flags = 0;
#undef setie
} else {
ni->ni_flags &= ~IEEE80211_NODE_QOS;
ni->ni_ath_flags = 0;
}
ieee80211_node_join(ni, resp);
ieee80211_deliver_l2uf(ni);
break;
}
case IEEE80211_FC0_SUBTYPE_DEAUTH:
case IEEE80211_FC0_SUBTYPE_DISASSOC: {
uint16_t reason;
if (vap->iv_state != IEEE80211_S_RUN ||
/* NB: can happen when in promiscuous mode */
!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
vap->iv_stats.is_rx_mgtdiscard++;
break;
}
/*
* deauth/disassoc frame format
* [2] reason
*/
IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
reason = le16toh(*(uint16_t *)frm);
if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
vap->iv_stats.is_rx_deauth++;
IEEE80211_NODE_STAT(ni, rx_deauth);
} else {
vap->iv_stats.is_rx_disassoc++;
IEEE80211_NODE_STAT(ni, rx_disassoc);
}
IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
"recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
IEEE80211_FC0_SUBTYPE_SHIFT], reason);
if (ni != vap->iv_bss)
ieee80211_node_leave(ni);
break;
}
case IEEE80211_FC0_SUBTYPE_ACTION:
if (vap->iv_state == IEEE80211_S_RUN) {
if (ieee80211_parse_action(ni, m0) == 0)
ic->ic_recv_action(ni, frm, efrm);
} else
vap->iv_stats.is_rx_mgtdiscard++;
break;
case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
default:
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, "mgt", "subtype 0x%x not handled", subtype);
vap->iv_stats.is_rx_badsubtype++;
break;
}
}
/*
* Process a received ps-poll frame.
*/
static void
hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
{
struct ieee80211vap *vap = ni->ni_vap;
struct ieee80211_frame_min *wh;
struct ifnet *ifp = vap->iv_ifp;
struct mbuf *m;
uint16_t aid;
int qlen;
wh = mtod(m0, struct ieee80211_frame_min *);
if (ni->ni_associd == 0) {
IEEE80211_DISCARD(vap,
IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
(struct ieee80211_frame *) wh, NULL,
"%s", "unassociated station");
vap->iv_stats.is_ps_unassoc++;
IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
IEEE80211_REASON_NOT_ASSOCED);
return;
}
aid = le16toh(*(uint16_t *)wh->i_dur);
if (aid != ni->ni_associd) {
IEEE80211_DISCARD(vap,
IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
(struct ieee80211_frame *) wh, NULL,
"aid mismatch: sta aid 0x%x poll aid 0x%x",
ni->ni_associd, aid);
vap->iv_stats.is_ps_badaid++;
/*
* NB: We used to deauth the station but it turns out
* the Blackberry Curve 8230 (and perhaps other devices)
* sometimes send the wrong AID when WME is negotiated.
* Being more lenient here seems ok as we already check
* the station is associated and we only return frames
* queued for the station (i.e. we don't use the AID).
*/
return;
}
/* Okay, take the first queued packet and put it out... */
IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
if (m == NULL) {
IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
"%s", "recv ps-poll, but queue empty");
ieee80211_send_nulldata(ieee80211_ref_node(ni));
vap->iv_stats.is_ps_qempty++; /* XXX node stat */
if (vap->iv_set_tim != NULL)
vap->iv_set_tim(ni, 0); /* just in case */
return;
}
/*
* If there are more packets, set the more packets bit
* in the packet dispatched to the station; otherwise
* turn off the TIM bit.
*/
if (qlen != 0) {
IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
"recv ps-poll, send packet, %u still queued", qlen);
m->m_flags |= M_MORE_DATA;
} else {
IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
"%s", "recv ps-poll, send packet, queue empty");
if (vap->iv_set_tim != NULL)
vap->iv_set_tim(ni, 0);
}
m->m_flags |= M_PWR_SAV; /* bypass PS handling */
IF_ENQUEUE(&ifp->if_snd, m);
if_start(ifp);
}