1 | #include <machine/rtems-bsd-kernel-space.h> |
---|
2 | |
---|
3 | /*- |
---|
4 | * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting |
---|
5 | * All rights reserved. |
---|
6 | * |
---|
7 | * Redistribution and use in source and binary forms, with or without |
---|
8 | * modification, are permitted provided that the following conditions |
---|
9 | * are met: |
---|
10 | * 1. Redistributions of source code must retain the above copyright |
---|
11 | * notice, this list of conditions and the following disclaimer. |
---|
12 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
13 | * notice, this list of conditions and the following disclaimer in the |
---|
14 | * documentation and/or other materials provided with the distribution. |
---|
15 | * |
---|
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
---|
17 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
---|
18 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
---|
19 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
---|
20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
---|
21 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
---|
22 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
---|
23 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
---|
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
---|
25 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
---|
26 | */ |
---|
27 | |
---|
28 | #include <sys/cdefs.h> |
---|
29 | #ifdef __FreeBSD__ |
---|
30 | __FBSDID("$FreeBSD$"); |
---|
31 | #endif |
---|
32 | |
---|
33 | /* |
---|
34 | * IEEE 802.11 HOSTAP mode support. |
---|
35 | */ |
---|
36 | #include <rtems/bsd/local/opt_inet.h> |
---|
37 | #include <rtems/bsd/local/opt_wlan.h> |
---|
38 | |
---|
39 | #include <rtems/bsd/sys/param.h> |
---|
40 | #include <sys/systm.h> |
---|
41 | #include <sys/mbuf.h> |
---|
42 | #include <sys/malloc.h> |
---|
43 | #include <sys/kernel.h> |
---|
44 | |
---|
45 | #include <sys/socket.h> |
---|
46 | #include <sys/sockio.h> |
---|
47 | #include <sys/endian.h> |
---|
48 | #include <rtems/bsd/sys/errno.h> |
---|
49 | #include <sys/proc.h> |
---|
50 | #include <sys/sysctl.h> |
---|
51 | |
---|
52 | #include <net/if.h> |
---|
53 | #include <net/if_var.h> |
---|
54 | #include <net/if_media.h> |
---|
55 | #include <net/if_llc.h> |
---|
56 | #include <net/ethernet.h> |
---|
57 | |
---|
58 | #include <net/bpf.h> |
---|
59 | |
---|
60 | #include <net80211/ieee80211_var.h> |
---|
61 | #include <net80211/ieee80211_hostap.h> |
---|
62 | #include <net80211/ieee80211_input.h> |
---|
63 | #ifdef IEEE80211_SUPPORT_SUPERG |
---|
64 | #include <net80211/ieee80211_superg.h> |
---|
65 | #endif |
---|
66 | #include <net80211/ieee80211_wds.h> |
---|
67 | |
---|
68 | #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) |
---|
69 | |
---|
70 | static void hostap_vattach(struct ieee80211vap *); |
---|
71 | static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int); |
---|
72 | static int hostap_input(struct ieee80211_node *ni, struct mbuf *m, |
---|
73 | const struct ieee80211_rx_stats *, |
---|
74 | int rssi, int nf); |
---|
75 | static void hostap_deliver_data(struct ieee80211vap *, |
---|
76 | struct ieee80211_node *, struct mbuf *); |
---|
77 | static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *, |
---|
78 | int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf); |
---|
79 | static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int); |
---|
80 | |
---|
81 | void |
---|
82 | ieee80211_hostap_attach(struct ieee80211com *ic) |
---|
83 | { |
---|
84 | ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach; |
---|
85 | } |
---|
86 | |
---|
87 | void |
---|
88 | ieee80211_hostap_detach(struct ieee80211com *ic) |
---|
89 | { |
---|
90 | } |
---|
91 | |
---|
92 | static void |
---|
93 | hostap_vdetach(struct ieee80211vap *vap) |
---|
94 | { |
---|
95 | } |
---|
96 | |
---|
97 | static void |
---|
98 | hostap_vattach(struct ieee80211vap *vap) |
---|
99 | { |
---|
100 | vap->iv_newstate = hostap_newstate; |
---|
101 | vap->iv_input = hostap_input; |
---|
102 | vap->iv_recv_mgmt = hostap_recv_mgmt; |
---|
103 | vap->iv_recv_ctl = hostap_recv_ctl; |
---|
104 | vap->iv_opdetach = hostap_vdetach; |
---|
105 | vap->iv_deliver_data = hostap_deliver_data; |
---|
106 | vap->iv_recv_pspoll = ieee80211_recv_pspoll; |
---|
107 | } |
---|
108 | |
---|
109 | static void |
---|
110 | sta_disassoc(void *arg, struct ieee80211_node *ni) |
---|
111 | { |
---|
112 | |
---|
113 | if (ni->ni_associd != 0) { |
---|
114 | IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC, |
---|
115 | IEEE80211_REASON_ASSOC_LEAVE); |
---|
116 | ieee80211_node_leave(ni); |
---|
117 | } |
---|
118 | } |
---|
119 | |
---|
120 | static void |
---|
121 | sta_csa(void *arg, struct ieee80211_node *ni) |
---|
122 | { |
---|
123 | struct ieee80211vap *vap = ni->ni_vap; |
---|
124 | |
---|
125 | if (ni->ni_associd != 0) |
---|
126 | if (ni->ni_inact > vap->iv_inact_init) { |
---|
127 | ni->ni_inact = vap->iv_inact_init; |
---|
128 | IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni, |
---|
129 | "%s: inact %u", __func__, ni->ni_inact); |
---|
130 | } |
---|
131 | } |
---|
132 | |
---|
133 | static void |
---|
134 | sta_drop(void *arg, struct ieee80211_node *ni) |
---|
135 | { |
---|
136 | |
---|
137 | if (ni->ni_associd != 0) |
---|
138 | ieee80211_node_leave(ni); |
---|
139 | } |
---|
140 | |
---|
141 | /* |
---|
142 | * Does a channel change require associated stations to re-associate |
---|
143 | * so protocol state is correct. This is used when doing CSA across |
---|
144 | * bands or similar (e.g. HT -> legacy). |
---|
145 | */ |
---|
146 | static int |
---|
147 | isbandchange(struct ieee80211com *ic) |
---|
148 | { |
---|
149 | return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) & |
---|
150 | (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF | |
---|
151 | IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0; |
---|
152 | } |
---|
153 | |
---|
154 | /* |
---|
155 | * IEEE80211_M_HOSTAP vap state machine handler. |
---|
156 | */ |
---|
157 | static int |
---|
158 | hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) |
---|
159 | { |
---|
160 | struct ieee80211com *ic = vap->iv_ic; |
---|
161 | enum ieee80211_state ostate; |
---|
162 | |
---|
163 | IEEE80211_LOCK_ASSERT(ic); |
---|
164 | |
---|
165 | ostate = vap->iv_state; |
---|
166 | IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", |
---|
167 | __func__, ieee80211_state_name[ostate], |
---|
168 | ieee80211_state_name[nstate], arg); |
---|
169 | vap->iv_state = nstate; /* state transition */ |
---|
170 | if (ostate != IEEE80211_S_SCAN) |
---|
171 | ieee80211_cancel_scan(vap); /* background scan */ |
---|
172 | switch (nstate) { |
---|
173 | case IEEE80211_S_INIT: |
---|
174 | switch (ostate) { |
---|
175 | case IEEE80211_S_SCAN: |
---|
176 | ieee80211_cancel_scan(vap); |
---|
177 | break; |
---|
178 | case IEEE80211_S_CAC: |
---|
179 | ieee80211_dfs_cac_stop(vap); |
---|
180 | break; |
---|
181 | case IEEE80211_S_RUN: |
---|
182 | ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, |
---|
183 | sta_disassoc, NULL); |
---|
184 | break; |
---|
185 | default: |
---|
186 | break; |
---|
187 | } |
---|
188 | if (ostate != IEEE80211_S_INIT) { |
---|
189 | /* NB: optimize INIT -> INIT case */ |
---|
190 | ieee80211_reset_bss(vap); |
---|
191 | } |
---|
192 | if (vap->iv_auth->ia_detach != NULL) |
---|
193 | vap->iv_auth->ia_detach(vap); |
---|
194 | break; |
---|
195 | case IEEE80211_S_SCAN: |
---|
196 | switch (ostate) { |
---|
197 | case IEEE80211_S_CSA: |
---|
198 | case IEEE80211_S_RUN: |
---|
199 | ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, |
---|
200 | sta_disassoc, NULL); |
---|
201 | /* |
---|
202 | * Clear overlapping BSS state; the beacon frame |
---|
203 | * will be reconstructed on transition to the RUN |
---|
204 | * state and the timeout routines check if the flag |
---|
205 | * is set before doing anything so this is sufficient. |
---|
206 | */ |
---|
207 | ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR; |
---|
208 | ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR; |
---|
209 | /* fall thru... */ |
---|
210 | case IEEE80211_S_CAC: |
---|
211 | /* |
---|
212 | * NB: We may get here because of a manual channel |
---|
213 | * change in which case we need to stop CAC |
---|
214 | * XXX no need to stop if ostate RUN but it's ok |
---|
215 | */ |
---|
216 | ieee80211_dfs_cac_stop(vap); |
---|
217 | /* fall thru... */ |
---|
218 | case IEEE80211_S_INIT: |
---|
219 | if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && |
---|
220 | !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { |
---|
221 | /* |
---|
222 | * Already have a channel; bypass the |
---|
223 | * scan and startup immediately. |
---|
224 | * ieee80211_create_ibss will call back to |
---|
225 | * move us to RUN state. |
---|
226 | */ |
---|
227 | ieee80211_create_ibss(vap, vap->iv_des_chan); |
---|
228 | break; |
---|
229 | } |
---|
230 | /* |
---|
231 | * Initiate a scan. We can come here as a result |
---|
232 | * of an IEEE80211_IOC_SCAN_REQ too in which case |
---|
233 | * the vap will be marked with IEEE80211_FEXT_SCANREQ |
---|
234 | * and the scan request parameters will be present |
---|
235 | * in iv_scanreq. Otherwise we do the default. |
---|
236 | */ |
---|
237 | if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { |
---|
238 | ieee80211_check_scan(vap, |
---|
239 | vap->iv_scanreq_flags, |
---|
240 | vap->iv_scanreq_duration, |
---|
241 | vap->iv_scanreq_mindwell, |
---|
242 | vap->iv_scanreq_maxdwell, |
---|
243 | vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); |
---|
244 | vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; |
---|
245 | } else |
---|
246 | ieee80211_check_scan_current(vap); |
---|
247 | break; |
---|
248 | case IEEE80211_S_SCAN: |
---|
249 | /* |
---|
250 | * A state change requires a reset; scan. |
---|
251 | */ |
---|
252 | ieee80211_check_scan_current(vap); |
---|
253 | break; |
---|
254 | default: |
---|
255 | break; |
---|
256 | } |
---|
257 | break; |
---|
258 | case IEEE80211_S_CAC: |
---|
259 | /* |
---|
260 | * Start CAC on a DFS channel. We come here when starting |
---|
261 | * a bss on a DFS channel (see ieee80211_create_ibss). |
---|
262 | */ |
---|
263 | ieee80211_dfs_cac_start(vap); |
---|
264 | break; |
---|
265 | case IEEE80211_S_RUN: |
---|
266 | if (vap->iv_flags & IEEE80211_F_WPA) { |
---|
267 | /* XXX validate prerequisites */ |
---|
268 | } |
---|
269 | switch (ostate) { |
---|
270 | case IEEE80211_S_INIT: |
---|
271 | /* |
---|
272 | * Already have a channel; bypass the |
---|
273 | * scan and startup immediately. |
---|
274 | * Note that ieee80211_create_ibss will call |
---|
275 | * back to do a RUN->RUN state change. |
---|
276 | */ |
---|
277 | ieee80211_create_ibss(vap, |
---|
278 | ieee80211_ht_adjust_channel(ic, |
---|
279 | ic->ic_curchan, vap->iv_flags_ht)); |
---|
280 | /* NB: iv_bss is changed on return */ |
---|
281 | break; |
---|
282 | case IEEE80211_S_CAC: |
---|
283 | /* |
---|
284 | * NB: This is the normal state change when CAC |
---|
285 | * expires and no radar was detected; no need to |
---|
286 | * clear the CAC timer as it's already expired. |
---|
287 | */ |
---|
288 | /* fall thru... */ |
---|
289 | case IEEE80211_S_CSA: |
---|
290 | /* |
---|
291 | * Shorten inactivity timer of associated stations |
---|
292 | * to weed out sta's that don't follow a CSA. |
---|
293 | */ |
---|
294 | ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, |
---|
295 | sta_csa, NULL); |
---|
296 | /* |
---|
297 | * Update bss node channel to reflect where |
---|
298 | * we landed after CSA. |
---|
299 | */ |
---|
300 | ieee80211_node_set_chan(vap->iv_bss, |
---|
301 | ieee80211_ht_adjust_channel(ic, ic->ic_curchan, |
---|
302 | ieee80211_htchanflags(vap->iv_bss->ni_chan))); |
---|
303 | /* XXX bypass debug msgs */ |
---|
304 | break; |
---|
305 | case IEEE80211_S_SCAN: |
---|
306 | case IEEE80211_S_RUN: |
---|
307 | #ifdef IEEE80211_DEBUG |
---|
308 | if (ieee80211_msg_debug(vap)) { |
---|
309 | struct ieee80211_node *ni = vap->iv_bss; |
---|
310 | ieee80211_note(vap, |
---|
311 | "synchronized with %s ssid ", |
---|
312 | ether_sprintf(ni->ni_bssid)); |
---|
313 | ieee80211_print_essid(ni->ni_essid, |
---|
314 | ni->ni_esslen); |
---|
315 | /* XXX MCS/HT */ |
---|
316 | printf(" channel %d start %uMb\n", |
---|
317 | ieee80211_chan2ieee(ic, ic->ic_curchan), |
---|
318 | IEEE80211_RATE2MBS(ni->ni_txrate)); |
---|
319 | } |
---|
320 | #endif |
---|
321 | break; |
---|
322 | default: |
---|
323 | break; |
---|
324 | } |
---|
325 | /* |
---|
326 | * Start/stop the authenticator. We delay until here |
---|
327 | * to allow configuration to happen out of order. |
---|
328 | */ |
---|
329 | if (vap->iv_auth->ia_attach != NULL) { |
---|
330 | /* XXX check failure */ |
---|
331 | vap->iv_auth->ia_attach(vap); |
---|
332 | } else if (vap->iv_auth->ia_detach != NULL) { |
---|
333 | vap->iv_auth->ia_detach(vap); |
---|
334 | } |
---|
335 | ieee80211_node_authorize(vap->iv_bss); |
---|
336 | break; |
---|
337 | case IEEE80211_S_CSA: |
---|
338 | if (ostate == IEEE80211_S_RUN && isbandchange(ic)) { |
---|
339 | /* |
---|
340 | * On a ``band change'' silently drop associated |
---|
341 | * stations as they must re-associate before they |
---|
342 | * can pass traffic (as otherwise protocol state |
---|
343 | * such as capabilities and the negotiated rate |
---|
344 | * set may/will be wrong). |
---|
345 | */ |
---|
346 | ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, |
---|
347 | sta_drop, NULL); |
---|
348 | } |
---|
349 | break; |
---|
350 | default: |
---|
351 | break; |
---|
352 | } |
---|
353 | return 0; |
---|
354 | } |
---|
355 | |
---|
356 | static void |
---|
357 | hostap_deliver_data(struct ieee80211vap *vap, |
---|
358 | struct ieee80211_node *ni, struct mbuf *m) |
---|
359 | { |
---|
360 | struct ether_header *eh = mtod(m, struct ether_header *); |
---|
361 | struct ifnet *ifp = vap->iv_ifp; |
---|
362 | |
---|
363 | /* clear driver/net80211 flags before passing up */ |
---|
364 | m->m_flags &= ~(M_MCAST | M_BCAST); |
---|
365 | m_clrprotoflags(m); |
---|
366 | |
---|
367 | KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP, |
---|
368 | ("gack, opmode %d", vap->iv_opmode)); |
---|
369 | /* |
---|
370 | * Do accounting. |
---|
371 | */ |
---|
372 | if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); |
---|
373 | IEEE80211_NODE_STAT(ni, rx_data); |
---|
374 | IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); |
---|
375 | if (ETHER_IS_MULTICAST(eh->ether_dhost)) { |
---|
376 | m->m_flags |= M_MCAST; /* XXX M_BCAST? */ |
---|
377 | IEEE80211_NODE_STAT(ni, rx_mcast); |
---|
378 | } else |
---|
379 | IEEE80211_NODE_STAT(ni, rx_ucast); |
---|
380 | |
---|
381 | /* perform as a bridge within the AP */ |
---|
382 | if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) { |
---|
383 | struct mbuf *mcopy = NULL; |
---|
384 | |
---|
385 | if (m->m_flags & M_MCAST) { |
---|
386 | mcopy = m_dup(m, M_NOWAIT); |
---|
387 | if (mcopy == NULL) |
---|
388 | if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); |
---|
389 | else |
---|
390 | mcopy->m_flags |= M_MCAST; |
---|
391 | } else { |
---|
392 | /* |
---|
393 | * Check if the destination is associated with the |
---|
394 | * same vap and authorized to receive traffic. |
---|
395 | * Beware of traffic destined for the vap itself; |
---|
396 | * sending it will not work; just let it be delivered |
---|
397 | * normally. |
---|
398 | */ |
---|
399 | struct ieee80211_node *sta = ieee80211_find_vap_node( |
---|
400 | &vap->iv_ic->ic_sta, vap, eh->ether_dhost); |
---|
401 | if (sta != NULL) { |
---|
402 | if (ieee80211_node_is_authorized(sta)) { |
---|
403 | /* |
---|
404 | * Beware of sending to ourself; this |
---|
405 | * needs to happen via the normal |
---|
406 | * input path. |
---|
407 | */ |
---|
408 | if (sta != vap->iv_bss) { |
---|
409 | mcopy = m; |
---|
410 | m = NULL; |
---|
411 | } |
---|
412 | } else { |
---|
413 | vap->iv_stats.is_rx_unauth++; |
---|
414 | IEEE80211_NODE_STAT(sta, rx_unauth); |
---|
415 | } |
---|
416 | ieee80211_free_node(sta); |
---|
417 | } |
---|
418 | } |
---|
419 | if (mcopy != NULL) |
---|
420 | (void) ieee80211_vap_xmitpkt(vap, mcopy); |
---|
421 | } |
---|
422 | if (m != NULL) { |
---|
423 | /* |
---|
424 | * Mark frame as coming from vap's interface. |
---|
425 | */ |
---|
426 | m->m_pkthdr.rcvif = ifp; |
---|
427 | if (m->m_flags & M_MCAST) { |
---|
428 | /* |
---|
429 | * Spam DWDS vap's w/ multicast traffic. |
---|
430 | */ |
---|
431 | /* XXX only if dwds in use? */ |
---|
432 | ieee80211_dwds_mcast(vap, m); |
---|
433 | } |
---|
434 | if (ni->ni_vlan != 0) { |
---|
435 | /* attach vlan tag */ |
---|
436 | m->m_pkthdr.ether_vtag = ni->ni_vlan; |
---|
437 | m->m_flags |= M_VLANTAG; |
---|
438 | } |
---|
439 | ifp->if_input(ifp, m); |
---|
440 | } |
---|
441 | } |
---|
442 | |
---|
443 | /* |
---|
444 | * Decide if a received management frame should be |
---|
445 | * printed when debugging is enabled. This filters some |
---|
446 | * of the less interesting frames that come frequently |
---|
447 | * (e.g. beacons). |
---|
448 | */ |
---|
449 | static __inline int |
---|
450 | doprint(struct ieee80211vap *vap, int subtype) |
---|
451 | { |
---|
452 | switch (subtype) { |
---|
453 | case IEEE80211_FC0_SUBTYPE_BEACON: |
---|
454 | return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); |
---|
455 | case IEEE80211_FC0_SUBTYPE_PROBE_REQ: |
---|
456 | return 0; |
---|
457 | } |
---|
458 | return 1; |
---|
459 | } |
---|
460 | |
---|
461 | /* |
---|
462 | * Process a received frame. The node associated with the sender |
---|
463 | * should be supplied. If nothing was found in the node table then |
---|
464 | * the caller is assumed to supply a reference to iv_bss instead. |
---|
465 | * The RSSI and a timestamp are also supplied. The RSSI data is used |
---|
466 | * during AP scanning to select a AP to associate with; it can have |
---|
467 | * any units so long as values have consistent units and higher values |
---|
468 | * mean ``better signal''. The receive timestamp is currently not used |
---|
469 | * by the 802.11 layer. |
---|
470 | */ |
---|
471 | static int |
---|
472 | hostap_input(struct ieee80211_node *ni, struct mbuf *m, |
---|
473 | const struct ieee80211_rx_stats *rxs, int rssi, int nf) |
---|
474 | { |
---|
475 | struct ieee80211vap *vap = ni->ni_vap; |
---|
476 | struct ieee80211com *ic = ni->ni_ic; |
---|
477 | struct ifnet *ifp = vap->iv_ifp; |
---|
478 | struct ieee80211_frame *wh; |
---|
479 | struct ieee80211_key *key; |
---|
480 | struct ether_header *eh; |
---|
481 | int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ |
---|
482 | uint8_t dir, type, subtype, qos; |
---|
483 | uint8_t *bssid; |
---|
484 | int is_hw_decrypted = 0; |
---|
485 | int has_decrypted = 0; |
---|
486 | |
---|
487 | /* |
---|
488 | * Some devices do hardware decryption all the way through |
---|
489 | * to pretending the frame wasn't encrypted in the first place. |
---|
490 | * So, tag it appropriately so it isn't discarded inappropriately. |
---|
491 | */ |
---|
492 | if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) |
---|
493 | is_hw_decrypted = 1; |
---|
494 | |
---|
495 | if (m->m_flags & M_AMPDU_MPDU) { |
---|
496 | /* |
---|
497 | * Fastpath for A-MPDU reorder q resubmission. Frames |
---|
498 | * w/ M_AMPDU_MPDU marked have already passed through |
---|
499 | * here but were received out of order and been held on |
---|
500 | * the reorder queue. When resubmitted they are marked |
---|
501 | * with the M_AMPDU_MPDU flag and we can bypass most of |
---|
502 | * the normal processing. |
---|
503 | */ |
---|
504 | wh = mtod(m, struct ieee80211_frame *); |
---|
505 | type = IEEE80211_FC0_TYPE_DATA; |
---|
506 | dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; |
---|
507 | subtype = IEEE80211_FC0_SUBTYPE_QOS; |
---|
508 | hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ |
---|
509 | goto resubmit_ampdu; |
---|
510 | } |
---|
511 | |
---|
512 | KASSERT(ni != NULL, ("null node")); |
---|
513 | ni->ni_inact = ni->ni_inact_reload; |
---|
514 | |
---|
515 | type = -1; /* undefined */ |
---|
516 | |
---|
517 | if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { |
---|
518 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, |
---|
519 | ni->ni_macaddr, NULL, |
---|
520 | "too short (1): len %u", m->m_pkthdr.len); |
---|
521 | vap->iv_stats.is_rx_tooshort++; |
---|
522 | goto out; |
---|
523 | } |
---|
524 | /* |
---|
525 | * Bit of a cheat here, we use a pointer for a 3-address |
---|
526 | * frame format but don't reference fields past outside |
---|
527 | * ieee80211_frame_min w/o first validating the data is |
---|
528 | * present. |
---|
529 | */ |
---|
530 | wh = mtod(m, struct ieee80211_frame *); |
---|
531 | |
---|
532 | if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != |
---|
533 | IEEE80211_FC0_VERSION_0) { |
---|
534 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, |
---|
535 | ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", |
---|
536 | wh->i_fc[0], wh->i_fc[1]); |
---|
537 | vap->iv_stats.is_rx_badversion++; |
---|
538 | goto err; |
---|
539 | } |
---|
540 | |
---|
541 | dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; |
---|
542 | type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; |
---|
543 | subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; |
---|
544 | if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { |
---|
545 | if (dir != IEEE80211_FC1_DIR_NODS) |
---|
546 | bssid = wh->i_addr1; |
---|
547 | else if (type == IEEE80211_FC0_TYPE_CTL) |
---|
548 | bssid = wh->i_addr1; |
---|
549 | else { |
---|
550 | if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { |
---|
551 | IEEE80211_DISCARD_MAC(vap, |
---|
552 | IEEE80211_MSG_ANY, ni->ni_macaddr, |
---|
553 | NULL, "too short (2): len %u", |
---|
554 | m->m_pkthdr.len); |
---|
555 | vap->iv_stats.is_rx_tooshort++; |
---|
556 | goto out; |
---|
557 | } |
---|
558 | bssid = wh->i_addr3; |
---|
559 | } |
---|
560 | /* |
---|
561 | * Validate the bssid. |
---|
562 | */ |
---|
563 | if (!(type == IEEE80211_FC0_TYPE_MGT && |
---|
564 | subtype == IEEE80211_FC0_SUBTYPE_BEACON) && |
---|
565 | !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && |
---|
566 | !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { |
---|
567 | /* not interested in */ |
---|
568 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, |
---|
569 | bssid, NULL, "%s", "not to bss"); |
---|
570 | vap->iv_stats.is_rx_wrongbss++; |
---|
571 | goto out; |
---|
572 | } |
---|
573 | |
---|
574 | IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); |
---|
575 | ni->ni_noise = nf; |
---|
576 | if (IEEE80211_HAS_SEQ(type, subtype)) { |
---|
577 | uint8_t tid = ieee80211_gettid(wh); |
---|
578 | if (IEEE80211_QOS_HAS_SEQ(wh) && |
---|
579 | TID_TO_WME_AC(tid) >= WME_AC_VI) |
---|
580 | ic->ic_wme.wme_hipri_traffic++; |
---|
581 | if (! ieee80211_check_rxseq(ni, wh, bssid)) |
---|
582 | goto out; |
---|
583 | } |
---|
584 | } |
---|
585 | |
---|
586 | switch (type) { |
---|
587 | case IEEE80211_FC0_TYPE_DATA: |
---|
588 | hdrspace = ieee80211_hdrspace(ic, wh); |
---|
589 | if (m->m_len < hdrspace && |
---|
590 | (m = m_pullup(m, hdrspace)) == NULL) { |
---|
591 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, |
---|
592 | ni->ni_macaddr, NULL, |
---|
593 | "data too short: expecting %u", hdrspace); |
---|
594 | vap->iv_stats.is_rx_tooshort++; |
---|
595 | goto out; /* XXX */ |
---|
596 | } |
---|
597 | if (!(dir == IEEE80211_FC1_DIR_TODS || |
---|
598 | (dir == IEEE80211_FC1_DIR_DSTODS && |
---|
599 | (vap->iv_flags & IEEE80211_F_DWDS)))) { |
---|
600 | if (dir != IEEE80211_FC1_DIR_DSTODS) { |
---|
601 | IEEE80211_DISCARD(vap, |
---|
602 | IEEE80211_MSG_INPUT, wh, "data", |
---|
603 | "incorrect dir 0x%x", dir); |
---|
604 | } else { |
---|
605 | IEEE80211_DISCARD(vap, |
---|
606 | IEEE80211_MSG_INPUT | |
---|
607 | IEEE80211_MSG_WDS, wh, |
---|
608 | "4-address data", |
---|
609 | "%s", "DWDS not enabled"); |
---|
610 | } |
---|
611 | vap->iv_stats.is_rx_wrongdir++; |
---|
612 | goto out; |
---|
613 | } |
---|
614 | /* check if source STA is associated */ |
---|
615 | if (ni == vap->iv_bss) { |
---|
616 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
617 | wh, "data", "%s", "unknown src"); |
---|
618 | ieee80211_send_error(ni, wh->i_addr2, |
---|
619 | IEEE80211_FC0_SUBTYPE_DEAUTH, |
---|
620 | IEEE80211_REASON_NOT_AUTHED); |
---|
621 | vap->iv_stats.is_rx_notassoc++; |
---|
622 | goto err; |
---|
623 | } |
---|
624 | if (ni->ni_associd == 0) { |
---|
625 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
626 | wh, "data", "%s", "unassoc src"); |
---|
627 | IEEE80211_SEND_MGMT(ni, |
---|
628 | IEEE80211_FC0_SUBTYPE_DISASSOC, |
---|
629 | IEEE80211_REASON_NOT_ASSOCED); |
---|
630 | vap->iv_stats.is_rx_notassoc++; |
---|
631 | goto err; |
---|
632 | } |
---|
633 | |
---|
634 | /* |
---|
635 | * Check for power save state change. |
---|
636 | * XXX out-of-order A-MPDU frames? |
---|
637 | */ |
---|
638 | if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ |
---|
639 | (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) |
---|
640 | vap->iv_node_ps(ni, |
---|
641 | wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); |
---|
642 | /* |
---|
643 | * For 4-address packets handle WDS discovery |
---|
644 | * notifications. Once a WDS link is setup frames |
---|
645 | * are just delivered to the WDS vap (see below). |
---|
646 | */ |
---|
647 | if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) { |
---|
648 | if (!ieee80211_node_is_authorized(ni)) { |
---|
649 | IEEE80211_DISCARD(vap, |
---|
650 | IEEE80211_MSG_INPUT | |
---|
651 | IEEE80211_MSG_WDS, wh, |
---|
652 | "4-address data", |
---|
653 | "%s", "unauthorized port"); |
---|
654 | vap->iv_stats.is_rx_unauth++; |
---|
655 | IEEE80211_NODE_STAT(ni, rx_unauth); |
---|
656 | goto err; |
---|
657 | } |
---|
658 | ieee80211_dwds_discover(ni, m); |
---|
659 | return type; |
---|
660 | } |
---|
661 | |
---|
662 | /* |
---|
663 | * Handle A-MPDU re-ordering. If the frame is to be |
---|
664 | * processed directly then ieee80211_ampdu_reorder |
---|
665 | * will return 0; otherwise it has consumed the mbuf |
---|
666 | * and we should do nothing more with it. |
---|
667 | */ |
---|
668 | if ((m->m_flags & M_AMPDU) && |
---|
669 | ieee80211_ampdu_reorder(ni, m) != 0) { |
---|
670 | m = NULL; |
---|
671 | goto out; |
---|
672 | } |
---|
673 | resubmit_ampdu: |
---|
674 | |
---|
675 | /* |
---|
676 | * Handle privacy requirements. Note that we |
---|
677 | * must not be preempted from here until after |
---|
678 | * we (potentially) call ieee80211_crypto_demic; |
---|
679 | * otherwise we may violate assumptions in the |
---|
680 | * crypto cipher modules used to do delayed update |
---|
681 | * of replay sequence numbers. |
---|
682 | */ |
---|
683 | if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { |
---|
684 | if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { |
---|
685 | /* |
---|
686 | * Discard encrypted frames when privacy is off. |
---|
687 | */ |
---|
688 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
689 | wh, "WEP", "%s", "PRIVACY off"); |
---|
690 | vap->iv_stats.is_rx_noprivacy++; |
---|
691 | IEEE80211_NODE_STAT(ni, rx_noprivacy); |
---|
692 | goto out; |
---|
693 | } |
---|
694 | if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { |
---|
695 | /* NB: stats+msgs handled in crypto_decap */ |
---|
696 | IEEE80211_NODE_STAT(ni, rx_wepfail); |
---|
697 | goto out; |
---|
698 | } |
---|
699 | wh = mtod(m, struct ieee80211_frame *); |
---|
700 | wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; |
---|
701 | has_decrypted = 1; |
---|
702 | } else { |
---|
703 | /* XXX M_WEP and IEEE80211_F_PRIVACY */ |
---|
704 | key = NULL; |
---|
705 | } |
---|
706 | |
---|
707 | /* |
---|
708 | * Save QoS bits for use below--before we strip the header. |
---|
709 | */ |
---|
710 | if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { |
---|
711 | qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? |
---|
712 | ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : |
---|
713 | ((struct ieee80211_qosframe *)wh)->i_qos[0]; |
---|
714 | } else |
---|
715 | qos = 0; |
---|
716 | |
---|
717 | /* |
---|
718 | * Next up, any fragmentation. |
---|
719 | */ |
---|
720 | if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { |
---|
721 | m = ieee80211_defrag(ni, m, hdrspace); |
---|
722 | if (m == NULL) { |
---|
723 | /* Fragment dropped or frame not complete yet */ |
---|
724 | goto out; |
---|
725 | } |
---|
726 | } |
---|
727 | wh = NULL; /* no longer valid, catch any uses */ |
---|
728 | |
---|
729 | /* |
---|
730 | * Next strip any MSDU crypto bits. |
---|
731 | */ |
---|
732 | if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { |
---|
733 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, |
---|
734 | ni->ni_macaddr, "data", "%s", "demic error"); |
---|
735 | vap->iv_stats.is_rx_demicfail++; |
---|
736 | IEEE80211_NODE_STAT(ni, rx_demicfail); |
---|
737 | goto out; |
---|
738 | } |
---|
739 | /* copy to listener after decrypt */ |
---|
740 | if (ieee80211_radiotap_active_vap(vap)) |
---|
741 | ieee80211_radiotap_rx(vap, m); |
---|
742 | need_tap = 0; |
---|
743 | /* |
---|
744 | * Finally, strip the 802.11 header. |
---|
745 | */ |
---|
746 | m = ieee80211_decap(vap, m, hdrspace); |
---|
747 | if (m == NULL) { |
---|
748 | /* XXX mask bit to check for both */ |
---|
749 | /* don't count Null data frames as errors */ |
---|
750 | if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || |
---|
751 | subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) |
---|
752 | goto out; |
---|
753 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, |
---|
754 | ni->ni_macaddr, "data", "%s", "decap error"); |
---|
755 | vap->iv_stats.is_rx_decap++; |
---|
756 | IEEE80211_NODE_STAT(ni, rx_decap); |
---|
757 | goto err; |
---|
758 | } |
---|
759 | eh = mtod(m, struct ether_header *); |
---|
760 | if (!ieee80211_node_is_authorized(ni)) { |
---|
761 | /* |
---|
762 | * Deny any non-PAE frames received prior to |
---|
763 | * authorization. For open/shared-key |
---|
764 | * authentication the port is mark authorized |
---|
765 | * after authentication completes. For 802.1x |
---|
766 | * the port is not marked authorized by the |
---|
767 | * authenticator until the handshake has completed. |
---|
768 | */ |
---|
769 | if (eh->ether_type != htons(ETHERTYPE_PAE)) { |
---|
770 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, |
---|
771 | eh->ether_shost, "data", |
---|
772 | "unauthorized port: ether type 0x%x len %u", |
---|
773 | eh->ether_type, m->m_pkthdr.len); |
---|
774 | vap->iv_stats.is_rx_unauth++; |
---|
775 | IEEE80211_NODE_STAT(ni, rx_unauth); |
---|
776 | goto err; |
---|
777 | } |
---|
778 | } else { |
---|
779 | /* |
---|
780 | * When denying unencrypted frames, discard |
---|
781 | * any non-PAE frames received without encryption. |
---|
782 | */ |
---|
783 | if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && |
---|
784 | ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && |
---|
785 | (is_hw_decrypted == 0) && |
---|
786 | eh->ether_type != htons(ETHERTYPE_PAE)) { |
---|
787 | /* |
---|
788 | * Drop unencrypted frames. |
---|
789 | */ |
---|
790 | vap->iv_stats.is_rx_unencrypted++; |
---|
791 | IEEE80211_NODE_STAT(ni, rx_unencrypted); |
---|
792 | goto out; |
---|
793 | } |
---|
794 | } |
---|
795 | /* XXX require HT? */ |
---|
796 | if (qos & IEEE80211_QOS_AMSDU) { |
---|
797 | m = ieee80211_decap_amsdu(ni, m); |
---|
798 | if (m == NULL) |
---|
799 | return IEEE80211_FC0_TYPE_DATA; |
---|
800 | } else { |
---|
801 | #ifdef IEEE80211_SUPPORT_SUPERG |
---|
802 | m = ieee80211_decap_fastframe(vap, ni, m); |
---|
803 | if (m == NULL) |
---|
804 | return IEEE80211_FC0_TYPE_DATA; |
---|
805 | #endif |
---|
806 | } |
---|
807 | if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) |
---|
808 | ieee80211_deliver_data(ni->ni_wdsvap, ni, m); |
---|
809 | else |
---|
810 | hostap_deliver_data(vap, ni, m); |
---|
811 | return IEEE80211_FC0_TYPE_DATA; |
---|
812 | |
---|
813 | case IEEE80211_FC0_TYPE_MGT: |
---|
814 | vap->iv_stats.is_rx_mgmt++; |
---|
815 | IEEE80211_NODE_STAT(ni, rx_mgmt); |
---|
816 | if (dir != IEEE80211_FC1_DIR_NODS) { |
---|
817 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
818 | wh, "mgt", "incorrect dir 0x%x", dir); |
---|
819 | vap->iv_stats.is_rx_wrongdir++; |
---|
820 | goto err; |
---|
821 | } |
---|
822 | if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { |
---|
823 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, |
---|
824 | ni->ni_macaddr, "mgt", "too short: len %u", |
---|
825 | m->m_pkthdr.len); |
---|
826 | vap->iv_stats.is_rx_tooshort++; |
---|
827 | goto out; |
---|
828 | } |
---|
829 | if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { |
---|
830 | /* ensure return frames are unicast */ |
---|
831 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, |
---|
832 | wh, NULL, "source is multicast: %s", |
---|
833 | ether_sprintf(wh->i_addr2)); |
---|
834 | vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ |
---|
835 | goto out; |
---|
836 | } |
---|
837 | #ifdef IEEE80211_DEBUG |
---|
838 | if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || |
---|
839 | ieee80211_msg_dumppkts(vap)) { |
---|
840 | if_printf(ifp, "received %s from %s rssi %d\n", |
---|
841 | ieee80211_mgt_subtype_name(subtype), |
---|
842 | ether_sprintf(wh->i_addr2), rssi); |
---|
843 | } |
---|
844 | #endif |
---|
845 | if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { |
---|
846 | if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { |
---|
847 | /* |
---|
848 | * Only shared key auth frames with a challenge |
---|
849 | * should be encrypted, discard all others. |
---|
850 | */ |
---|
851 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
852 | wh, NULL, |
---|
853 | "%s", "WEP set but not permitted"); |
---|
854 | vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ |
---|
855 | goto out; |
---|
856 | } |
---|
857 | if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { |
---|
858 | /* |
---|
859 | * Discard encrypted frames when privacy is off. |
---|
860 | */ |
---|
861 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
862 | wh, NULL, "%s", "WEP set but PRIVACY off"); |
---|
863 | vap->iv_stats.is_rx_noprivacy++; |
---|
864 | goto out; |
---|
865 | } |
---|
866 | hdrspace = ieee80211_hdrspace(ic, wh); |
---|
867 | if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { |
---|
868 | /* NB: stats+msgs handled in crypto_decap */ |
---|
869 | goto out; |
---|
870 | } |
---|
871 | wh = mtod(m, struct ieee80211_frame *); |
---|
872 | wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; |
---|
873 | has_decrypted = 1; |
---|
874 | } |
---|
875 | /* |
---|
876 | * Pass the packet to radiotap before calling iv_recv_mgmt(). |
---|
877 | * Otherwise iv_recv_mgmt() might pass another packet to |
---|
878 | * radiotap, resulting in out of order packet captures. |
---|
879 | */ |
---|
880 | if (ieee80211_radiotap_active_vap(vap)) |
---|
881 | ieee80211_radiotap_rx(vap, m); |
---|
882 | need_tap = 0; |
---|
883 | vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); |
---|
884 | goto out; |
---|
885 | |
---|
886 | case IEEE80211_FC0_TYPE_CTL: |
---|
887 | vap->iv_stats.is_rx_ctl++; |
---|
888 | IEEE80211_NODE_STAT(ni, rx_ctrl); |
---|
889 | vap->iv_recv_ctl(ni, m, subtype); |
---|
890 | goto out; |
---|
891 | default: |
---|
892 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, |
---|
893 | wh, "bad", "frame type 0x%x", type); |
---|
894 | /* should not come here */ |
---|
895 | break; |
---|
896 | } |
---|
897 | err: |
---|
898 | if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); |
---|
899 | out: |
---|
900 | if (m != NULL) { |
---|
901 | if (need_tap && ieee80211_radiotap_active_vap(vap)) |
---|
902 | ieee80211_radiotap_rx(vap, m); |
---|
903 | m_freem(m); |
---|
904 | } |
---|
905 | return type; |
---|
906 | } |
---|
907 | |
---|
908 | static void |
---|
909 | hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, |
---|
910 | int rssi, int nf, uint16_t seq, uint16_t status) |
---|
911 | { |
---|
912 | struct ieee80211vap *vap = ni->ni_vap; |
---|
913 | |
---|
914 | KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); |
---|
915 | |
---|
916 | if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { |
---|
917 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
918 | ni->ni_macaddr, "open auth", |
---|
919 | "bad sta auth mode %u", ni->ni_authmode); |
---|
920 | vap->iv_stats.is_rx_bad_auth++; /* XXX */ |
---|
921 | /* |
---|
922 | * Clear any challenge text that may be there if |
---|
923 | * a previous shared key auth failed and then an |
---|
924 | * open auth is attempted. |
---|
925 | */ |
---|
926 | if (ni->ni_challenge != NULL) { |
---|
927 | IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); |
---|
928 | ni->ni_challenge = NULL; |
---|
929 | } |
---|
930 | /* XXX hack to workaround calling convention */ |
---|
931 | ieee80211_send_error(ni, wh->i_addr2, |
---|
932 | IEEE80211_FC0_SUBTYPE_AUTH, |
---|
933 | (seq + 1) | (IEEE80211_STATUS_ALG<<16)); |
---|
934 | return; |
---|
935 | } |
---|
936 | if (seq != IEEE80211_AUTH_OPEN_REQUEST) { |
---|
937 | vap->iv_stats.is_rx_bad_auth++; |
---|
938 | return; |
---|
939 | } |
---|
940 | /* always accept open authentication requests */ |
---|
941 | if (ni == vap->iv_bss) { |
---|
942 | ni = ieee80211_dup_bss(vap, wh->i_addr2); |
---|
943 | if (ni == NULL) |
---|
944 | return; |
---|
945 | } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) |
---|
946 | (void) ieee80211_ref_node(ni); |
---|
947 | /* |
---|
948 | * Mark the node as referenced to reflect that it's |
---|
949 | * reference count has been bumped to insure it remains |
---|
950 | * after the transaction completes. |
---|
951 | */ |
---|
952 | ni->ni_flags |= IEEE80211_NODE_AREF; |
---|
953 | /* |
---|
954 | * Mark the node as requiring a valid association id |
---|
955 | * before outbound traffic is permitted. |
---|
956 | */ |
---|
957 | ni->ni_flags |= IEEE80211_NODE_ASSOCID; |
---|
958 | |
---|
959 | if (vap->iv_acl != NULL && |
---|
960 | vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { |
---|
961 | /* |
---|
962 | * When the ACL policy is set to RADIUS we defer the |
---|
963 | * authorization to a user agent. Dispatch an event, |
---|
964 | * a subsequent MLME call will decide the fate of the |
---|
965 | * station. If the user agent is not present then the |
---|
966 | * node will be reclaimed due to inactivity. |
---|
967 | */ |
---|
968 | IEEE80211_NOTE_MAC(vap, |
---|
969 | IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr, |
---|
970 | "%s", "station authentication defered (radius acl)"); |
---|
971 | ieee80211_notify_node_auth(ni); |
---|
972 | } else { |
---|
973 | IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); |
---|
974 | IEEE80211_NOTE_MAC(vap, |
---|
975 | IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr, |
---|
976 | "%s", "station authenticated (open)"); |
---|
977 | /* |
---|
978 | * When 802.1x is not in use mark the port |
---|
979 | * authorized at this point so traffic can flow. |
---|
980 | */ |
---|
981 | if (ni->ni_authmode != IEEE80211_AUTH_8021X) |
---|
982 | ieee80211_node_authorize(ni); |
---|
983 | } |
---|
984 | } |
---|
985 | |
---|
986 | static void |
---|
987 | hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, |
---|
988 | uint8_t *frm, uint8_t *efrm, int rssi, int nf, |
---|
989 | uint16_t seq, uint16_t status) |
---|
990 | { |
---|
991 | struct ieee80211vap *vap = ni->ni_vap; |
---|
992 | uint8_t *challenge; |
---|
993 | int allocbs, estatus; |
---|
994 | |
---|
995 | KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state)); |
---|
996 | |
---|
997 | /* |
---|
998 | * NB: this can happen as we allow pre-shared key |
---|
999 | * authentication to be enabled w/o wep being turned |
---|
1000 | * on so that configuration of these can be done |
---|
1001 | * in any order. It may be better to enforce the |
---|
1002 | * ordering in which case this check would just be |
---|
1003 | * for sanity/consistency. |
---|
1004 | */ |
---|
1005 | if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { |
---|
1006 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1007 | ni->ni_macaddr, "shared key auth", |
---|
1008 | "%s", " PRIVACY is disabled"); |
---|
1009 | estatus = IEEE80211_STATUS_ALG; |
---|
1010 | goto bad; |
---|
1011 | } |
---|
1012 | /* |
---|
1013 | * Pre-shared key authentication is evil; accept |
---|
1014 | * it only if explicitly configured (it is supported |
---|
1015 | * mainly for compatibility with clients like Mac OS X). |
---|
1016 | */ |
---|
1017 | if (ni->ni_authmode != IEEE80211_AUTH_AUTO && |
---|
1018 | ni->ni_authmode != IEEE80211_AUTH_SHARED) { |
---|
1019 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1020 | ni->ni_macaddr, "shared key auth", |
---|
1021 | "bad sta auth mode %u", ni->ni_authmode); |
---|
1022 | vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ |
---|
1023 | estatus = IEEE80211_STATUS_ALG; |
---|
1024 | goto bad; |
---|
1025 | } |
---|
1026 | |
---|
1027 | challenge = NULL; |
---|
1028 | if (frm + 1 < efrm) { |
---|
1029 | if ((frm[1] + 2) > (efrm - frm)) { |
---|
1030 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1031 | ni->ni_macaddr, "shared key auth", |
---|
1032 | "ie %d/%d too long", |
---|
1033 | frm[0], (frm[1] + 2) - (efrm - frm)); |
---|
1034 | vap->iv_stats.is_rx_bad_auth++; |
---|
1035 | estatus = IEEE80211_STATUS_CHALLENGE; |
---|
1036 | goto bad; |
---|
1037 | } |
---|
1038 | if (*frm == IEEE80211_ELEMID_CHALLENGE) |
---|
1039 | challenge = frm; |
---|
1040 | frm += frm[1] + 2; |
---|
1041 | } |
---|
1042 | switch (seq) { |
---|
1043 | case IEEE80211_AUTH_SHARED_CHALLENGE: |
---|
1044 | case IEEE80211_AUTH_SHARED_RESPONSE: |
---|
1045 | if (challenge == NULL) { |
---|
1046 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1047 | ni->ni_macaddr, "shared key auth", |
---|
1048 | "%s", "no challenge"); |
---|
1049 | vap->iv_stats.is_rx_bad_auth++; |
---|
1050 | estatus = IEEE80211_STATUS_CHALLENGE; |
---|
1051 | goto bad; |
---|
1052 | } |
---|
1053 | if (challenge[1] != IEEE80211_CHALLENGE_LEN) { |
---|
1054 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1055 | ni->ni_macaddr, "shared key auth", |
---|
1056 | "bad challenge len %d", challenge[1]); |
---|
1057 | vap->iv_stats.is_rx_bad_auth++; |
---|
1058 | estatus = IEEE80211_STATUS_CHALLENGE; |
---|
1059 | goto bad; |
---|
1060 | } |
---|
1061 | default: |
---|
1062 | break; |
---|
1063 | } |
---|
1064 | switch (seq) { |
---|
1065 | case IEEE80211_AUTH_SHARED_REQUEST: |
---|
1066 | if (ni == vap->iv_bss) { |
---|
1067 | ni = ieee80211_dup_bss(vap, wh->i_addr2); |
---|
1068 | if (ni == NULL) { |
---|
1069 | /* NB: no way to return an error */ |
---|
1070 | return; |
---|
1071 | } |
---|
1072 | allocbs = 1; |
---|
1073 | } else { |
---|
1074 | if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) |
---|
1075 | (void) ieee80211_ref_node(ni); |
---|
1076 | allocbs = 0; |
---|
1077 | } |
---|
1078 | /* |
---|
1079 | * Mark the node as referenced to reflect that it's |
---|
1080 | * reference count has been bumped to insure it remains |
---|
1081 | * after the transaction completes. |
---|
1082 | */ |
---|
1083 | ni->ni_flags |= IEEE80211_NODE_AREF; |
---|
1084 | /* |
---|
1085 | * Mark the node as requiring a valid association id |
---|
1086 | * before outbound traffic is permitted. |
---|
1087 | */ |
---|
1088 | ni->ni_flags |= IEEE80211_NODE_ASSOCID; |
---|
1089 | IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); |
---|
1090 | ni->ni_noise = nf; |
---|
1091 | if (!ieee80211_alloc_challenge(ni)) { |
---|
1092 | /* NB: don't return error so they rexmit */ |
---|
1093 | return; |
---|
1094 | } |
---|
1095 | get_random_bytes(ni->ni_challenge, |
---|
1096 | IEEE80211_CHALLENGE_LEN); |
---|
1097 | IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, |
---|
1098 | ni, "shared key %sauth request", allocbs ? "" : "re"); |
---|
1099 | /* |
---|
1100 | * When the ACL policy is set to RADIUS we defer the |
---|
1101 | * authorization to a user agent. Dispatch an event, |
---|
1102 | * a subsequent MLME call will decide the fate of the |
---|
1103 | * station. If the user agent is not present then the |
---|
1104 | * node will be reclaimed due to inactivity. |
---|
1105 | */ |
---|
1106 | if (vap->iv_acl != NULL && |
---|
1107 | vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) { |
---|
1108 | IEEE80211_NOTE_MAC(vap, |
---|
1109 | IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, |
---|
1110 | ni->ni_macaddr, |
---|
1111 | "%s", "station authentication defered (radius acl)"); |
---|
1112 | ieee80211_notify_node_auth(ni); |
---|
1113 | return; |
---|
1114 | } |
---|
1115 | break; |
---|
1116 | case IEEE80211_AUTH_SHARED_RESPONSE: |
---|
1117 | if (ni == vap->iv_bss) { |
---|
1118 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1119 | ni->ni_macaddr, "shared key response", |
---|
1120 | "%s", "unknown station"); |
---|
1121 | /* NB: don't send a response */ |
---|
1122 | return; |
---|
1123 | } |
---|
1124 | if (ni->ni_challenge == NULL) { |
---|
1125 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1126 | ni->ni_macaddr, "shared key response", |
---|
1127 | "%s", "no challenge recorded"); |
---|
1128 | vap->iv_stats.is_rx_bad_auth++; |
---|
1129 | estatus = IEEE80211_STATUS_CHALLENGE; |
---|
1130 | goto bad; |
---|
1131 | } |
---|
1132 | if (memcmp(ni->ni_challenge, &challenge[2], |
---|
1133 | challenge[1]) != 0) { |
---|
1134 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1135 | ni->ni_macaddr, "shared key response", |
---|
1136 | "%s", "challenge mismatch"); |
---|
1137 | vap->iv_stats.is_rx_auth_fail++; |
---|
1138 | estatus = IEEE80211_STATUS_CHALLENGE; |
---|
1139 | goto bad; |
---|
1140 | } |
---|
1141 | IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, |
---|
1142 | ni, "%s", "station authenticated (shared key)"); |
---|
1143 | ieee80211_node_authorize(ni); |
---|
1144 | break; |
---|
1145 | default: |
---|
1146 | IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, |
---|
1147 | ni->ni_macaddr, "shared key auth", |
---|
1148 | "bad seq %d", seq); |
---|
1149 | vap->iv_stats.is_rx_bad_auth++; |
---|
1150 | estatus = IEEE80211_STATUS_SEQUENCE; |
---|
1151 | goto bad; |
---|
1152 | } |
---|
1153 | IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); |
---|
1154 | return; |
---|
1155 | bad: |
---|
1156 | /* |
---|
1157 | * Send an error response; but only when operating as an AP. |
---|
1158 | */ |
---|
1159 | /* XXX hack to workaround calling convention */ |
---|
1160 | ieee80211_send_error(ni, wh->i_addr2, |
---|
1161 | IEEE80211_FC0_SUBTYPE_AUTH, |
---|
1162 | (seq + 1) | (estatus<<16)); |
---|
1163 | } |
---|
1164 | |
---|
1165 | /* |
---|
1166 | * Convert a WPA cipher selector OUI to an internal |
---|
1167 | * cipher algorithm. Where appropriate we also |
---|
1168 | * record any key length. |
---|
1169 | */ |
---|
1170 | static int |
---|
1171 | wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) |
---|
1172 | { |
---|
1173 | #define WPA_SEL(x) (((x)<<24)|WPA_OUI) |
---|
1174 | uint32_t w = le32dec(sel); |
---|
1175 | |
---|
1176 | switch (w) { |
---|
1177 | case WPA_SEL(WPA_CSE_NULL): |
---|
1178 | *cipher = IEEE80211_CIPHER_NONE; |
---|
1179 | break; |
---|
1180 | case WPA_SEL(WPA_CSE_WEP40): |
---|
1181 | if (keylen) |
---|
1182 | *keylen = 40 / NBBY; |
---|
1183 | *cipher = IEEE80211_CIPHER_WEP; |
---|
1184 | break; |
---|
1185 | case WPA_SEL(WPA_CSE_WEP104): |
---|
1186 | if (keylen) |
---|
1187 | *keylen = 104 / NBBY; |
---|
1188 | *cipher = IEEE80211_CIPHER_WEP; |
---|
1189 | break; |
---|
1190 | case WPA_SEL(WPA_CSE_TKIP): |
---|
1191 | *cipher = IEEE80211_CIPHER_TKIP; |
---|
1192 | break; |
---|
1193 | case WPA_SEL(WPA_CSE_CCMP): |
---|
1194 | *cipher = IEEE80211_CIPHER_AES_CCM; |
---|
1195 | break; |
---|
1196 | default: |
---|
1197 | return (EINVAL); |
---|
1198 | } |
---|
1199 | |
---|
1200 | return (0); |
---|
1201 | #undef WPA_SEL |
---|
1202 | } |
---|
1203 | |
---|
1204 | /* |
---|
1205 | * Convert a WPA key management/authentication algorithm |
---|
1206 | * to an internal code. |
---|
1207 | */ |
---|
1208 | static int |
---|
1209 | wpa_keymgmt(const uint8_t *sel) |
---|
1210 | { |
---|
1211 | #define WPA_SEL(x) (((x)<<24)|WPA_OUI) |
---|
1212 | uint32_t w = le32dec(sel); |
---|
1213 | |
---|
1214 | switch (w) { |
---|
1215 | case WPA_SEL(WPA_ASE_8021X_UNSPEC): |
---|
1216 | return WPA_ASE_8021X_UNSPEC; |
---|
1217 | case WPA_SEL(WPA_ASE_8021X_PSK): |
---|
1218 | return WPA_ASE_8021X_PSK; |
---|
1219 | case WPA_SEL(WPA_ASE_NONE): |
---|
1220 | return WPA_ASE_NONE; |
---|
1221 | } |
---|
1222 | return 0; /* NB: so is discarded */ |
---|
1223 | #undef WPA_SEL |
---|
1224 | } |
---|
1225 | |
---|
1226 | /* |
---|
1227 | * Parse a WPA information element to collect parameters. |
---|
1228 | * Note that we do not validate security parameters; that |
---|
1229 | * is handled by the authenticator; the parsing done here |
---|
1230 | * is just for internal use in making operational decisions. |
---|
1231 | */ |
---|
1232 | static int |
---|
1233 | ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm, |
---|
1234 | struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) |
---|
1235 | { |
---|
1236 | uint8_t len = frm[1]; |
---|
1237 | uint32_t w; |
---|
1238 | int error, n; |
---|
1239 | |
---|
1240 | /* |
---|
1241 | * Check the length once for fixed parts: OUI, type, |
---|
1242 | * version, mcast cipher, and 2 selector counts. |
---|
1243 | * Other, variable-length data, must be checked separately. |
---|
1244 | */ |
---|
1245 | if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) { |
---|
1246 | IEEE80211_DISCARD_IE(vap, |
---|
1247 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1248 | wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags); |
---|
1249 | return IEEE80211_REASON_IE_INVALID; |
---|
1250 | } |
---|
1251 | if (len < 14) { |
---|
1252 | IEEE80211_DISCARD_IE(vap, |
---|
1253 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1254 | wh, "WPA", "too short, len %u", len); |
---|
1255 | return IEEE80211_REASON_IE_INVALID; |
---|
1256 | } |
---|
1257 | frm += 6, len -= 4; /* NB: len is payload only */ |
---|
1258 | /* NB: iswpaoui already validated the OUI and type */ |
---|
1259 | w = le16dec(frm); |
---|
1260 | if (w != WPA_VERSION) { |
---|
1261 | IEEE80211_DISCARD_IE(vap, |
---|
1262 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1263 | wh, "WPA", "bad version %u", w); |
---|
1264 | return IEEE80211_REASON_IE_INVALID; |
---|
1265 | } |
---|
1266 | frm += 2, len -= 2; |
---|
1267 | |
---|
1268 | memset(rsn, 0, sizeof(*rsn)); |
---|
1269 | |
---|
1270 | /* multicast/group cipher */ |
---|
1271 | error = wpa_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); |
---|
1272 | if (error != 0) { |
---|
1273 | IEEE80211_DISCARD_IE(vap, |
---|
1274 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1275 | wh, "WPA", "unknown mcast cipher suite %08X", |
---|
1276 | le32dec(frm)); |
---|
1277 | return IEEE80211_REASON_GROUP_CIPHER_INVALID; |
---|
1278 | } |
---|
1279 | frm += 4, len -= 4; |
---|
1280 | |
---|
1281 | /* unicast ciphers */ |
---|
1282 | n = le16dec(frm); |
---|
1283 | frm += 2, len -= 2; |
---|
1284 | if (len < n*4+2) { |
---|
1285 | IEEE80211_DISCARD_IE(vap, |
---|
1286 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1287 | wh, "WPA", "ucast cipher data too short; len %u, n %u", |
---|
1288 | len, n); |
---|
1289 | return IEEE80211_REASON_IE_INVALID; |
---|
1290 | } |
---|
1291 | w = 0; |
---|
1292 | for (; n > 0; n--) { |
---|
1293 | uint8_t cipher; |
---|
1294 | |
---|
1295 | error = wpa_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); |
---|
1296 | if (error == 0) |
---|
1297 | w |= 1 << cipher; |
---|
1298 | |
---|
1299 | frm += 4, len -= 4; |
---|
1300 | } |
---|
1301 | if (w == 0) { |
---|
1302 | IEEE80211_DISCARD_IE(vap, |
---|
1303 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1304 | wh, "WPA", "no usable pairwise cipher suite found (w=%d)", |
---|
1305 | w); |
---|
1306 | return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; |
---|
1307 | } |
---|
1308 | /* XXX other? */ |
---|
1309 | if (w & (1 << IEEE80211_CIPHER_AES_CCM)) |
---|
1310 | rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; |
---|
1311 | else |
---|
1312 | rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; |
---|
1313 | |
---|
1314 | /* key management algorithms */ |
---|
1315 | n = le16dec(frm); |
---|
1316 | frm += 2, len -= 2; |
---|
1317 | if (len < n*4) { |
---|
1318 | IEEE80211_DISCARD_IE(vap, |
---|
1319 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1320 | wh, "WPA", "key mgmt alg data too short; len %u, n %u", |
---|
1321 | len, n); |
---|
1322 | return IEEE80211_REASON_IE_INVALID; |
---|
1323 | } |
---|
1324 | w = 0; |
---|
1325 | for (; n > 0; n--) { |
---|
1326 | w |= wpa_keymgmt(frm); |
---|
1327 | frm += 4, len -= 4; |
---|
1328 | } |
---|
1329 | if (w & WPA_ASE_8021X_UNSPEC) |
---|
1330 | rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; |
---|
1331 | else |
---|
1332 | rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; |
---|
1333 | |
---|
1334 | if (len > 2) /* optional capabilities */ |
---|
1335 | rsn->rsn_caps = le16dec(frm); |
---|
1336 | |
---|
1337 | return 0; |
---|
1338 | } |
---|
1339 | |
---|
1340 | /* |
---|
1341 | * Convert an RSN cipher selector OUI to an internal |
---|
1342 | * cipher algorithm. Where appropriate we also |
---|
1343 | * record any key length. |
---|
1344 | */ |
---|
1345 | static int |
---|
1346 | rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) |
---|
1347 | { |
---|
1348 | #define RSN_SEL(x) (((x)<<24)|RSN_OUI) |
---|
1349 | uint32_t w = le32dec(sel); |
---|
1350 | |
---|
1351 | switch (w) { |
---|
1352 | case RSN_SEL(RSN_CSE_NULL): |
---|
1353 | *cipher = IEEE80211_CIPHER_NONE; |
---|
1354 | break; |
---|
1355 | case RSN_SEL(RSN_CSE_WEP40): |
---|
1356 | if (keylen) |
---|
1357 | *keylen = 40 / NBBY; |
---|
1358 | *cipher = IEEE80211_CIPHER_WEP; |
---|
1359 | break; |
---|
1360 | case RSN_SEL(RSN_CSE_WEP104): |
---|
1361 | if (keylen) |
---|
1362 | *keylen = 104 / NBBY; |
---|
1363 | *cipher = IEEE80211_CIPHER_WEP; |
---|
1364 | break; |
---|
1365 | case RSN_SEL(RSN_CSE_TKIP): |
---|
1366 | *cipher = IEEE80211_CIPHER_TKIP; |
---|
1367 | break; |
---|
1368 | case RSN_SEL(RSN_CSE_CCMP): |
---|
1369 | *cipher = IEEE80211_CIPHER_AES_CCM; |
---|
1370 | break; |
---|
1371 | case RSN_SEL(RSN_CSE_WRAP): |
---|
1372 | *cipher = IEEE80211_CIPHER_AES_OCB; |
---|
1373 | break; |
---|
1374 | default: |
---|
1375 | return (EINVAL); |
---|
1376 | } |
---|
1377 | |
---|
1378 | return (0); |
---|
1379 | #undef WPA_SEL |
---|
1380 | } |
---|
1381 | |
---|
1382 | /* |
---|
1383 | * Convert an RSN key management/authentication algorithm |
---|
1384 | * to an internal code. |
---|
1385 | */ |
---|
1386 | static int |
---|
1387 | rsn_keymgmt(const uint8_t *sel) |
---|
1388 | { |
---|
1389 | #define RSN_SEL(x) (((x)<<24)|RSN_OUI) |
---|
1390 | uint32_t w = le32dec(sel); |
---|
1391 | |
---|
1392 | switch (w) { |
---|
1393 | case RSN_SEL(RSN_ASE_8021X_UNSPEC): |
---|
1394 | return RSN_ASE_8021X_UNSPEC; |
---|
1395 | case RSN_SEL(RSN_ASE_8021X_PSK): |
---|
1396 | return RSN_ASE_8021X_PSK; |
---|
1397 | case RSN_SEL(RSN_ASE_NONE): |
---|
1398 | return RSN_ASE_NONE; |
---|
1399 | } |
---|
1400 | return 0; /* NB: so is discarded */ |
---|
1401 | #undef RSN_SEL |
---|
1402 | } |
---|
1403 | |
---|
1404 | /* |
---|
1405 | * Parse a WPA/RSN information element to collect parameters |
---|
1406 | * and validate the parameters against what has been |
---|
1407 | * configured for the system. |
---|
1408 | */ |
---|
1409 | static int |
---|
1410 | ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, |
---|
1411 | struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) |
---|
1412 | { |
---|
1413 | uint8_t len = frm[1]; |
---|
1414 | uint32_t w; |
---|
1415 | int error, n; |
---|
1416 | |
---|
1417 | /* |
---|
1418 | * Check the length once for fixed parts: |
---|
1419 | * version, mcast cipher, and 2 selector counts. |
---|
1420 | * Other, variable-length data, must be checked separately. |
---|
1421 | */ |
---|
1422 | if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) { |
---|
1423 | IEEE80211_DISCARD_IE(vap, |
---|
1424 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1425 | wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags); |
---|
1426 | return IEEE80211_REASON_IE_INVALID; |
---|
1427 | } |
---|
1428 | /* XXX may be shorter */ |
---|
1429 | if (len < 10) { |
---|
1430 | IEEE80211_DISCARD_IE(vap, |
---|
1431 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1432 | wh, "RSN", "too short, len %u", len); |
---|
1433 | return IEEE80211_REASON_IE_INVALID; |
---|
1434 | } |
---|
1435 | frm += 2; |
---|
1436 | w = le16dec(frm); |
---|
1437 | if (w != RSN_VERSION) { |
---|
1438 | IEEE80211_DISCARD_IE(vap, |
---|
1439 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1440 | wh, "RSN", "bad version %u", w); |
---|
1441 | return IEEE80211_REASON_UNSUPP_RSN_IE_VERSION; |
---|
1442 | } |
---|
1443 | frm += 2, len -= 2; |
---|
1444 | |
---|
1445 | memset(rsn, 0, sizeof(*rsn)); |
---|
1446 | |
---|
1447 | /* multicast/group cipher */ |
---|
1448 | error = rsn_cipher(frm, &rsn->rsn_mcastkeylen, &rsn->rsn_mcastcipher); |
---|
1449 | if (error != 0) { |
---|
1450 | IEEE80211_DISCARD_IE(vap, |
---|
1451 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1452 | wh, "RSN", "unknown mcast cipher suite %08X", |
---|
1453 | le32dec(frm)); |
---|
1454 | return IEEE80211_REASON_GROUP_CIPHER_INVALID; |
---|
1455 | } |
---|
1456 | if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_NONE) { |
---|
1457 | IEEE80211_DISCARD_IE(vap, |
---|
1458 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1459 | wh, "RSN", "invalid mcast cipher suite %d", |
---|
1460 | rsn->rsn_mcastcipher); |
---|
1461 | return IEEE80211_REASON_GROUP_CIPHER_INVALID; |
---|
1462 | } |
---|
1463 | frm += 4, len -= 4; |
---|
1464 | |
---|
1465 | /* unicast ciphers */ |
---|
1466 | n = le16dec(frm); |
---|
1467 | frm += 2, len -= 2; |
---|
1468 | if (len < n*4+2) { |
---|
1469 | IEEE80211_DISCARD_IE(vap, |
---|
1470 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1471 | wh, "RSN", "ucast cipher data too short; len %u, n %u", |
---|
1472 | len, n); |
---|
1473 | return IEEE80211_REASON_IE_INVALID; |
---|
1474 | } |
---|
1475 | w = 0; |
---|
1476 | |
---|
1477 | for (; n > 0; n--) { |
---|
1478 | uint8_t cipher; |
---|
1479 | |
---|
1480 | error = rsn_cipher(frm, &rsn->rsn_ucastkeylen, &cipher); |
---|
1481 | if (error == 0) |
---|
1482 | w |= 1 << cipher; |
---|
1483 | |
---|
1484 | frm += 4, len -= 4; |
---|
1485 | } |
---|
1486 | if (w & (1 << IEEE80211_CIPHER_AES_CCM)) |
---|
1487 | rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; |
---|
1488 | else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) |
---|
1489 | rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; |
---|
1490 | else if (w & (1 << IEEE80211_CIPHER_TKIP)) |
---|
1491 | rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; |
---|
1492 | else if ((w & (1 << IEEE80211_CIPHER_NONE)) && |
---|
1493 | (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP || |
---|
1494 | rsn->rsn_mcastcipher == IEEE80211_CIPHER_TKIP)) |
---|
1495 | rsn->rsn_ucastcipher = IEEE80211_CIPHER_NONE; |
---|
1496 | else { |
---|
1497 | IEEE80211_DISCARD_IE(vap, |
---|
1498 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1499 | wh, "RSN", "no usable pairwise cipher suite found (w=%d)", |
---|
1500 | w); |
---|
1501 | return IEEE80211_REASON_PAIRWISE_CIPHER_INVALID; |
---|
1502 | } |
---|
1503 | |
---|
1504 | /* key management algorithms */ |
---|
1505 | n = le16dec(frm); |
---|
1506 | frm += 2, len -= 2; |
---|
1507 | if (len < n*4) { |
---|
1508 | IEEE80211_DISCARD_IE(vap, |
---|
1509 | IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, |
---|
1510 | wh, "RSN", "key mgmt alg data too short; len %u, n %u", |
---|
1511 | len, n); |
---|
1512 | return IEEE80211_REASON_IE_INVALID; |
---|
1513 | } |
---|
1514 | w = 0; |
---|
1515 | for (; n > 0; n--) { |
---|
1516 | w |= rsn_keymgmt(frm); |
---|
1517 | frm += 4, len -= 4; |
---|
1518 | } |
---|
1519 | if (w & RSN_ASE_8021X_UNSPEC) |
---|
1520 | rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; |
---|
1521 | else |
---|
1522 | rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; |
---|
1523 | |
---|
1524 | /* optional RSN capabilities */ |
---|
1525 | if (len > 2) |
---|
1526 | rsn->rsn_caps = le16dec(frm); |
---|
1527 | /* XXXPMKID */ |
---|
1528 | |
---|
1529 | return 0; |
---|
1530 | } |
---|
1531 | |
---|
1532 | /* |
---|
1533 | * WPA/802.11i association request processing. |
---|
1534 | */ |
---|
1535 | static int |
---|
1536 | wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms, |
---|
1537 | const struct ieee80211_frame *wh, const uint8_t *wpa, |
---|
1538 | const uint8_t *rsn, uint16_t capinfo) |
---|
1539 | { |
---|
1540 | struct ieee80211vap *vap = ni->ni_vap; |
---|
1541 | uint8_t reason; |
---|
1542 | int badwparsn; |
---|
1543 | |
---|
1544 | ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN); |
---|
1545 | if (wpa == NULL && rsn == NULL) { |
---|
1546 | if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) { |
---|
1547 | /* |
---|
1548 | * W-Fi Protected Setup (WPS) permits |
---|
1549 | * clients to associate and pass EAPOL frames |
---|
1550 | * to establish initial credentials. |
---|
1551 | */ |
---|
1552 | ni->ni_flags |= IEEE80211_NODE_WPS; |
---|
1553 | return 1; |
---|
1554 | } |
---|
1555 | if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) && |
---|
1556 | (capinfo & IEEE80211_CAPINFO_PRIVACY)) { |
---|
1557 | /* |
---|
1558 | * Transitional Security Network. Permits clients |
---|
1559 | * to associate and use WEP while WPA is configured. |
---|
1560 | */ |
---|
1561 | ni->ni_flags |= IEEE80211_NODE_TSN; |
---|
1562 | return 1; |
---|
1563 | } |
---|
1564 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, |
---|
1565 | wh, NULL, "%s", "no WPA/RSN IE in association request"); |
---|
1566 | vap->iv_stats.is_rx_assoc_badwpaie++; |
---|
1567 | reason = IEEE80211_REASON_IE_INVALID; |
---|
1568 | goto bad; |
---|
1569 | } |
---|
1570 | /* assert right association security credentials */ |
---|
1571 | badwparsn = 0; /* NB: to silence compiler */ |
---|
1572 | switch (vap->iv_flags & IEEE80211_F_WPA) { |
---|
1573 | case IEEE80211_F_WPA1: |
---|
1574 | badwparsn = (wpa == NULL); |
---|
1575 | break; |
---|
1576 | case IEEE80211_F_WPA2: |
---|
1577 | badwparsn = (rsn == NULL); |
---|
1578 | break; |
---|
1579 | case IEEE80211_F_WPA1|IEEE80211_F_WPA2: |
---|
1580 | badwparsn = (wpa == NULL && rsn == NULL); |
---|
1581 | break; |
---|
1582 | } |
---|
1583 | if (badwparsn) { |
---|
1584 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, |
---|
1585 | wh, NULL, |
---|
1586 | "%s", "missing WPA/RSN IE in association request"); |
---|
1587 | vap->iv_stats.is_rx_assoc_badwpaie++; |
---|
1588 | reason = IEEE80211_REASON_IE_INVALID; |
---|
1589 | goto bad; |
---|
1590 | } |
---|
1591 | /* |
---|
1592 | * Parse WPA/RSN information element. |
---|
1593 | */ |
---|
1594 | if (wpa != NULL) |
---|
1595 | reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh); |
---|
1596 | else |
---|
1597 | reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh); |
---|
1598 | if (reason != 0) { |
---|
1599 | /* XXX wpa->rsn fallback? */ |
---|
1600 | /* XXX distinguish WPA/RSN? */ |
---|
1601 | vap->iv_stats.is_rx_assoc_badwpaie++; |
---|
1602 | goto bad; |
---|
1603 | } |
---|
1604 | IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni, |
---|
1605 | "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x", |
---|
1606 | wpa != NULL ? "WPA" : "RSN", |
---|
1607 | rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen, |
---|
1608 | rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen, |
---|
1609 | rsnparms->rsn_keymgmt, rsnparms->rsn_caps); |
---|
1610 | |
---|
1611 | return 1; |
---|
1612 | bad: |
---|
1613 | ieee80211_node_deauth(ni, reason); |
---|
1614 | return 0; |
---|
1615 | } |
---|
1616 | |
---|
1617 | /* XXX find a better place for definition */ |
---|
1618 | struct l2_update_frame { |
---|
1619 | struct ether_header eh; |
---|
1620 | uint8_t dsap; |
---|
1621 | uint8_t ssap; |
---|
1622 | uint8_t control; |
---|
1623 | uint8_t xid[3]; |
---|
1624 | } __packed; |
---|
1625 | |
---|
1626 | /* |
---|
1627 | * Deliver a TGf L2UF frame on behalf of a station. |
---|
1628 | * This primes any bridge when the station is roaming |
---|
1629 | * between ap's on the same wired network. |
---|
1630 | */ |
---|
1631 | static void |
---|
1632 | ieee80211_deliver_l2uf(struct ieee80211_node *ni) |
---|
1633 | { |
---|
1634 | struct ieee80211vap *vap = ni->ni_vap; |
---|
1635 | struct ifnet *ifp = vap->iv_ifp; |
---|
1636 | struct mbuf *m; |
---|
1637 | struct l2_update_frame *l2uf; |
---|
1638 | struct ether_header *eh; |
---|
1639 | |
---|
1640 | m = m_gethdr(M_NOWAIT, MT_DATA); |
---|
1641 | if (m == NULL) { |
---|
1642 | IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, |
---|
1643 | "%s", "no mbuf for l2uf frame"); |
---|
1644 | vap->iv_stats.is_rx_nobuf++; /* XXX not right */ |
---|
1645 | return; |
---|
1646 | } |
---|
1647 | l2uf = mtod(m, struct l2_update_frame *); |
---|
1648 | eh = &l2uf->eh; |
---|
1649 | /* dst: Broadcast address */ |
---|
1650 | IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); |
---|
1651 | /* src: associated STA */ |
---|
1652 | IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); |
---|
1653 | eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); |
---|
1654 | |
---|
1655 | l2uf->dsap = 0; |
---|
1656 | l2uf->ssap = 0; |
---|
1657 | l2uf->control = 0xf5; |
---|
1658 | l2uf->xid[0] = 0x81; |
---|
1659 | l2uf->xid[1] = 0x80; |
---|
1660 | l2uf->xid[2] = 0x00; |
---|
1661 | |
---|
1662 | m->m_pkthdr.len = m->m_len = sizeof(*l2uf); |
---|
1663 | hostap_deliver_data(vap, ni, m); |
---|
1664 | } |
---|
1665 | |
---|
1666 | static void |
---|
1667 | ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, |
---|
1668 | int reassoc, int resp, const char *tag, int rate) |
---|
1669 | { |
---|
1670 | IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, |
---|
1671 | "deny %s request, %s rate set mismatch, rate/MCS %d", |
---|
1672 | reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL); |
---|
1673 | IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE); |
---|
1674 | ieee80211_node_leave(ni); |
---|
1675 | } |
---|
1676 | |
---|
1677 | static void |
---|
1678 | capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, |
---|
1679 | int reassoc, int resp, const char *tag, int capinfo) |
---|
1680 | { |
---|
1681 | struct ieee80211vap *vap = ni->ni_vap; |
---|
1682 | |
---|
1683 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, |
---|
1684 | "deny %s request, %s mismatch 0x%x", |
---|
1685 | reassoc ? "reassoc" : "assoc", tag, capinfo); |
---|
1686 | IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO); |
---|
1687 | ieee80211_node_leave(ni); |
---|
1688 | vap->iv_stats.is_rx_assoc_capmismatch++; |
---|
1689 | } |
---|
1690 | |
---|
1691 | static void |
---|
1692 | htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, |
---|
1693 | int reassoc, int resp) |
---|
1694 | { |
---|
1695 | IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2, |
---|
1696 | "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc"); |
---|
1697 | /* XXX no better code */ |
---|
1698 | IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS); |
---|
1699 | ieee80211_node_leave(ni); |
---|
1700 | } |
---|
1701 | |
---|
1702 | static void |
---|
1703 | authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh, |
---|
1704 | int algo, int seq, int status) |
---|
1705 | { |
---|
1706 | struct ieee80211vap *vap = ni->ni_vap; |
---|
1707 | |
---|
1708 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, |
---|
1709 | wh, NULL, "unsupported alg %d", algo); |
---|
1710 | vap->iv_stats.is_rx_auth_unsupported++; |
---|
1711 | ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH, |
---|
1712 | seq | (status << 16)); |
---|
1713 | } |
---|
1714 | |
---|
1715 | static __inline int |
---|
1716 | ishtmixed(const uint8_t *ie) |
---|
1717 | { |
---|
1718 | const struct ieee80211_ie_htinfo *ht = |
---|
1719 | (const struct ieee80211_ie_htinfo *) ie; |
---|
1720 | return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) == |
---|
1721 | IEEE80211_HTINFO_OPMODE_MIXED; |
---|
1722 | } |
---|
1723 | |
---|
1724 | static int |
---|
1725 | is11bclient(const uint8_t *rates, const uint8_t *xrates) |
---|
1726 | { |
---|
1727 | static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); |
---|
1728 | int i; |
---|
1729 | |
---|
1730 | /* NB: the 11b clients we care about will not have xrates */ |
---|
1731 | if (xrates != NULL || rates == NULL) |
---|
1732 | return 0; |
---|
1733 | for (i = 0; i < rates[1]; i++) { |
---|
1734 | int r = rates[2+i] & IEEE80211_RATE_VAL; |
---|
1735 | if (r > 2*11 || ((1<<r) & brates) == 0) |
---|
1736 | return 0; |
---|
1737 | } |
---|
1738 | return 1; |
---|
1739 | } |
---|
1740 | |
---|
1741 | static void |
---|
1742 | hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, |
---|
1743 | int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) |
---|
1744 | { |
---|
1745 | struct ieee80211vap *vap = ni->ni_vap; |
---|
1746 | struct ieee80211com *ic = ni->ni_ic; |
---|
1747 | struct ieee80211_frame *wh; |
---|
1748 | uint8_t *frm, *efrm, *sfrm; |
---|
1749 | uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; |
---|
1750 | int reassoc, resp; |
---|
1751 | uint8_t rate; |
---|
1752 | |
---|
1753 | wh = mtod(m0, struct ieee80211_frame *); |
---|
1754 | frm = (uint8_t *)&wh[1]; |
---|
1755 | efrm = mtod(m0, uint8_t *) + m0->m_len; |
---|
1756 | switch (subtype) { |
---|
1757 | case IEEE80211_FC0_SUBTYPE_PROBE_RESP: |
---|
1758 | /* |
---|
1759 | * We process beacon/probe response frames when scanning; |
---|
1760 | * otherwise we check beacon frames for overlapping non-ERP |
---|
1761 | * BSS in 11g and/or overlapping legacy BSS when in HT. |
---|
1762 | */ |
---|
1763 | if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { |
---|
1764 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
1765 | return; |
---|
1766 | } |
---|
1767 | /* FALLTHROUGH */ |
---|
1768 | case IEEE80211_FC0_SUBTYPE_BEACON: { |
---|
1769 | struct ieee80211_scanparams scan; |
---|
1770 | |
---|
1771 | /* NB: accept off-channel frames */ |
---|
1772 | /* XXX TODO: use rxstatus to determine off-channel details */ |
---|
1773 | if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN) |
---|
1774 | return; |
---|
1775 | /* |
---|
1776 | * Count frame now that we know it's to be processed. |
---|
1777 | */ |
---|
1778 | if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { |
---|
1779 | vap->iv_stats.is_rx_beacon++; /* XXX remove */ |
---|
1780 | IEEE80211_NODE_STAT(ni, rx_beacons); |
---|
1781 | } else |
---|
1782 | IEEE80211_NODE_STAT(ni, rx_proberesp); |
---|
1783 | /* |
---|
1784 | * If scanning, just pass information to the scan module. |
---|
1785 | */ |
---|
1786 | if (ic->ic_flags & IEEE80211_F_SCAN) { |
---|
1787 | if (scan.status == 0 && /* NB: on channel */ |
---|
1788 | (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) { |
---|
1789 | /* |
---|
1790 | * Actively scanning a channel marked passive; |
---|
1791 | * send a probe request now that we know there |
---|
1792 | * is 802.11 traffic present. |
---|
1793 | * |
---|
1794 | * XXX check if the beacon we recv'd gives |
---|
1795 | * us what we need and suppress the probe req |
---|
1796 | */ |
---|
1797 | ieee80211_probe_curchan(vap, 1); |
---|
1798 | ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; |
---|
1799 | } |
---|
1800 | ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh, |
---|
1801 | subtype, rssi, nf); |
---|
1802 | return; |
---|
1803 | } |
---|
1804 | /* |
---|
1805 | * Check beacon for overlapping bss w/ non ERP stations. |
---|
1806 | * If we detect one and protection is configured but not |
---|
1807 | * enabled, enable it and start a timer that'll bring us |
---|
1808 | * out if we stop seeing the bss. |
---|
1809 | */ |
---|
1810 | if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && |
---|
1811 | scan.status == 0 && /* NB: on-channel */ |
---|
1812 | ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/ |
---|
1813 | (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) { |
---|
1814 | ic->ic_lastnonerp = ticks; |
---|
1815 | ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR; |
---|
1816 | if (ic->ic_protmode != IEEE80211_PROT_NONE && |
---|
1817 | (ic->ic_flags & IEEE80211_F_USEPROT) == 0) { |
---|
1818 | IEEE80211_NOTE_FRAME(vap, |
---|
1819 | IEEE80211_MSG_ASSOC, wh, |
---|
1820 | "non-ERP present on channel %d " |
---|
1821 | "(saw erp 0x%x from channel %d), " |
---|
1822 | "enable use of protection", |
---|
1823 | ic->ic_curchan->ic_ieee, |
---|
1824 | scan.erp, scan.chan); |
---|
1825 | ic->ic_flags |= IEEE80211_F_USEPROT; |
---|
1826 | ieee80211_notify_erp(ic); |
---|
1827 | } |
---|
1828 | } |
---|
1829 | /* |
---|
1830 | * Check beacon for non-HT station on HT channel |
---|
1831 | * and update HT BSS occupancy as appropriate. |
---|
1832 | */ |
---|
1833 | if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) { |
---|
1834 | if (scan.status & IEEE80211_BPARSE_OFFCHAN) { |
---|
1835 | /* |
---|
1836 | * Off control channel; only check frames |
---|
1837 | * that come in the extension channel when |
---|
1838 | * operating w/ HT40. |
---|
1839 | */ |
---|
1840 | if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan)) |
---|
1841 | break; |
---|
1842 | if (scan.chan != ic->ic_curchan->ic_extieee) |
---|
1843 | break; |
---|
1844 | } |
---|
1845 | if (scan.htinfo == NULL) { |
---|
1846 | ieee80211_htprot_update(ic, |
---|
1847 | IEEE80211_HTINFO_OPMODE_PROTOPT | |
---|
1848 | IEEE80211_HTINFO_NONHT_PRESENT); |
---|
1849 | } else if (ishtmixed(scan.htinfo)) { |
---|
1850 | /* XXX? take NONHT_PRESENT from beacon? */ |
---|
1851 | ieee80211_htprot_update(ic, |
---|
1852 | IEEE80211_HTINFO_OPMODE_MIXED | |
---|
1853 | IEEE80211_HTINFO_NONHT_PRESENT); |
---|
1854 | } |
---|
1855 | } |
---|
1856 | break; |
---|
1857 | } |
---|
1858 | |
---|
1859 | case IEEE80211_FC0_SUBTYPE_PROBE_REQ: |
---|
1860 | if (vap->iv_state != IEEE80211_S_RUN) { |
---|
1861 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
1862 | return; |
---|
1863 | } |
---|
1864 | /* |
---|
1865 | * Consult the ACL policy module if setup. |
---|
1866 | */ |
---|
1867 | if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { |
---|
1868 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, |
---|
1869 | wh, NULL, "%s", "disallowed by ACL"); |
---|
1870 | vap->iv_stats.is_rx_acl++; |
---|
1871 | return; |
---|
1872 | } |
---|
1873 | /* |
---|
1874 | * prreq frame format |
---|
1875 | * [tlv] ssid |
---|
1876 | * [tlv] supported rates |
---|
1877 | * [tlv] extended supported rates |
---|
1878 | */ |
---|
1879 | ssid = rates = xrates = NULL; |
---|
1880 | while (efrm - frm > 1) { |
---|
1881 | IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); |
---|
1882 | switch (*frm) { |
---|
1883 | case IEEE80211_ELEMID_SSID: |
---|
1884 | ssid = frm; |
---|
1885 | break; |
---|
1886 | case IEEE80211_ELEMID_RATES: |
---|
1887 | rates = frm; |
---|
1888 | break; |
---|
1889 | case IEEE80211_ELEMID_XRATES: |
---|
1890 | xrates = frm; |
---|
1891 | break; |
---|
1892 | } |
---|
1893 | frm += frm[1] + 2; |
---|
1894 | } |
---|
1895 | IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); |
---|
1896 | if (xrates != NULL) |
---|
1897 | IEEE80211_VERIFY_ELEMENT(xrates, |
---|
1898 | IEEE80211_RATE_MAXSIZE - rates[1], return); |
---|
1899 | IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); |
---|
1900 | IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); |
---|
1901 | if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { |
---|
1902 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
1903 | wh, NULL, |
---|
1904 | "%s", "no ssid with ssid suppression enabled"); |
---|
1905 | vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ |
---|
1906 | return; |
---|
1907 | } |
---|
1908 | |
---|
1909 | /* XXX find a better class or define it's own */ |
---|
1910 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, |
---|
1911 | "%s", "recv probe req"); |
---|
1912 | /* |
---|
1913 | * Some legacy 11b clients cannot hack a complete |
---|
1914 | * probe response frame. When the request includes |
---|
1915 | * only a bare-bones rate set, communicate this to |
---|
1916 | * the transmit side. |
---|
1917 | */ |
---|
1918 | ieee80211_send_proberesp(vap, wh->i_addr2, |
---|
1919 | is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); |
---|
1920 | break; |
---|
1921 | |
---|
1922 | case IEEE80211_FC0_SUBTYPE_AUTH: { |
---|
1923 | uint16_t algo, seq, status; |
---|
1924 | |
---|
1925 | if (vap->iv_state != IEEE80211_S_RUN) { |
---|
1926 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
1927 | return; |
---|
1928 | } |
---|
1929 | if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { |
---|
1930 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, |
---|
1931 | wh, NULL, "%s", "wrong bssid"); |
---|
1932 | vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/ |
---|
1933 | return; |
---|
1934 | } |
---|
1935 | /* |
---|
1936 | * auth frame format |
---|
1937 | * [2] algorithm |
---|
1938 | * [2] sequence |
---|
1939 | * [2] status |
---|
1940 | * [tlv*] challenge |
---|
1941 | */ |
---|
1942 | IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); |
---|
1943 | algo = le16toh(*(uint16_t *)frm); |
---|
1944 | seq = le16toh(*(uint16_t *)(frm + 2)); |
---|
1945 | status = le16toh(*(uint16_t *)(frm + 4)); |
---|
1946 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, |
---|
1947 | "recv auth frame with algorithm %d seq %d", algo, seq); |
---|
1948 | /* |
---|
1949 | * Consult the ACL policy module if setup. |
---|
1950 | */ |
---|
1951 | if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) { |
---|
1952 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, |
---|
1953 | wh, NULL, "%s", "disallowed by ACL"); |
---|
1954 | vap->iv_stats.is_rx_acl++; |
---|
1955 | ieee80211_send_error(ni, wh->i_addr2, |
---|
1956 | IEEE80211_FC0_SUBTYPE_AUTH, |
---|
1957 | (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); |
---|
1958 | return; |
---|
1959 | } |
---|
1960 | if (vap->iv_flags & IEEE80211_F_COUNTERM) { |
---|
1961 | IEEE80211_DISCARD(vap, |
---|
1962 | IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, |
---|
1963 | wh, NULL, "%s", "TKIP countermeasures enabled"); |
---|
1964 | vap->iv_stats.is_rx_auth_countermeasures++; |
---|
1965 | ieee80211_send_error(ni, wh->i_addr2, |
---|
1966 | IEEE80211_FC0_SUBTYPE_AUTH, |
---|
1967 | IEEE80211_REASON_MIC_FAILURE); |
---|
1968 | return; |
---|
1969 | } |
---|
1970 | if (algo == IEEE80211_AUTH_ALG_SHARED) |
---|
1971 | hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, |
---|
1972 | seq, status); |
---|
1973 | else if (algo == IEEE80211_AUTH_ALG_OPEN) |
---|
1974 | hostap_auth_open(ni, wh, rssi, nf, seq, status); |
---|
1975 | else if (algo == IEEE80211_AUTH_ALG_LEAP) { |
---|
1976 | authalgreject(ni, wh, algo, |
---|
1977 | seq+1, IEEE80211_STATUS_ALG); |
---|
1978 | return; |
---|
1979 | } else { |
---|
1980 | /* |
---|
1981 | * We assume that an unknown algorithm is the result |
---|
1982 | * of a decryption failure on a shared key auth frame; |
---|
1983 | * return a status code appropriate for that instead |
---|
1984 | * of IEEE80211_STATUS_ALG. |
---|
1985 | * |
---|
1986 | * NB: a seq# of 4 is intentional; the decrypted |
---|
1987 | * frame likely has a bogus seq value. |
---|
1988 | */ |
---|
1989 | authalgreject(ni, wh, algo, |
---|
1990 | 4, IEEE80211_STATUS_CHALLENGE); |
---|
1991 | return; |
---|
1992 | } |
---|
1993 | break; |
---|
1994 | } |
---|
1995 | |
---|
1996 | case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: |
---|
1997 | case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { |
---|
1998 | uint16_t capinfo, lintval; |
---|
1999 | struct ieee80211_rsnparms rsnparms; |
---|
2000 | |
---|
2001 | if (vap->iv_state != IEEE80211_S_RUN) { |
---|
2002 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
2003 | return; |
---|
2004 | } |
---|
2005 | if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) { |
---|
2006 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, |
---|
2007 | wh, NULL, "%s", "wrong bssid"); |
---|
2008 | vap->iv_stats.is_rx_assoc_bss++; |
---|
2009 | return; |
---|
2010 | } |
---|
2011 | if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { |
---|
2012 | reassoc = 1; |
---|
2013 | resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; |
---|
2014 | } else { |
---|
2015 | reassoc = 0; |
---|
2016 | resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; |
---|
2017 | } |
---|
2018 | if (ni == vap->iv_bss) { |
---|
2019 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2, |
---|
2020 | "deny %s request, sta not authenticated", |
---|
2021 | reassoc ? "reassoc" : "assoc"); |
---|
2022 | ieee80211_send_error(ni, wh->i_addr2, |
---|
2023 | IEEE80211_FC0_SUBTYPE_DEAUTH, |
---|
2024 | IEEE80211_REASON_ASSOC_NOT_AUTHED); |
---|
2025 | vap->iv_stats.is_rx_assoc_notauth++; |
---|
2026 | return; |
---|
2027 | } |
---|
2028 | |
---|
2029 | /* |
---|
2030 | * asreq frame format |
---|
2031 | * [2] capability information |
---|
2032 | * [2] listen interval |
---|
2033 | * [6*] current AP address (reassoc only) |
---|
2034 | * [tlv] ssid |
---|
2035 | * [tlv] supported rates |
---|
2036 | * [tlv] extended supported rates |
---|
2037 | * [tlv] WPA or RSN |
---|
2038 | * [tlv] HT capabilities |
---|
2039 | * [tlv] Atheros capabilities |
---|
2040 | */ |
---|
2041 | IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); |
---|
2042 | capinfo = le16toh(*(uint16_t *)frm); frm += 2; |
---|
2043 | lintval = le16toh(*(uint16_t *)frm); frm += 2; |
---|
2044 | if (reassoc) |
---|
2045 | frm += 6; /* ignore current AP info */ |
---|
2046 | ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; |
---|
2047 | sfrm = frm; |
---|
2048 | while (efrm - frm > 1) { |
---|
2049 | IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); |
---|
2050 | switch (*frm) { |
---|
2051 | case IEEE80211_ELEMID_SSID: |
---|
2052 | ssid = frm; |
---|
2053 | break; |
---|
2054 | case IEEE80211_ELEMID_RATES: |
---|
2055 | rates = frm; |
---|
2056 | break; |
---|
2057 | case IEEE80211_ELEMID_XRATES: |
---|
2058 | xrates = frm; |
---|
2059 | break; |
---|
2060 | case IEEE80211_ELEMID_RSN: |
---|
2061 | rsn = frm; |
---|
2062 | break; |
---|
2063 | case IEEE80211_ELEMID_HTCAP: |
---|
2064 | htcap = frm; |
---|
2065 | break; |
---|
2066 | case IEEE80211_ELEMID_VENDOR: |
---|
2067 | if (iswpaoui(frm)) |
---|
2068 | wpa = frm; |
---|
2069 | else if (iswmeinfo(frm)) |
---|
2070 | wme = frm; |
---|
2071 | #ifdef IEEE80211_SUPPORT_SUPERG |
---|
2072 | else if (isatherosoui(frm)) |
---|
2073 | ath = frm; |
---|
2074 | #endif |
---|
2075 | else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { |
---|
2076 | if (ishtcapoui(frm) && htcap == NULL) |
---|
2077 | htcap = frm; |
---|
2078 | } |
---|
2079 | break; |
---|
2080 | } |
---|
2081 | frm += frm[1] + 2; |
---|
2082 | } |
---|
2083 | IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); |
---|
2084 | if (xrates != NULL) |
---|
2085 | IEEE80211_VERIFY_ELEMENT(xrates, |
---|
2086 | IEEE80211_RATE_MAXSIZE - rates[1], return); |
---|
2087 | IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); |
---|
2088 | IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); |
---|
2089 | if (htcap != NULL) { |
---|
2090 | IEEE80211_VERIFY_LENGTH(htcap[1], |
---|
2091 | htcap[0] == IEEE80211_ELEMID_VENDOR ? |
---|
2092 | 4 + sizeof(struct ieee80211_ie_htcap)-2 : |
---|
2093 | sizeof(struct ieee80211_ie_htcap)-2, |
---|
2094 | return); /* XXX just NULL out? */ |
---|
2095 | } |
---|
2096 | |
---|
2097 | if ((vap->iv_flags & IEEE80211_F_WPA) && |
---|
2098 | !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo)) |
---|
2099 | return; |
---|
2100 | /* discard challenge after association */ |
---|
2101 | if (ni->ni_challenge != NULL) { |
---|
2102 | IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); |
---|
2103 | ni->ni_challenge = NULL; |
---|
2104 | } |
---|
2105 | /* NB: 802.11 spec says to ignore station's privacy bit */ |
---|
2106 | if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { |
---|
2107 | capinfomismatch(ni, wh, reassoc, resp, |
---|
2108 | "capability", capinfo); |
---|
2109 | return; |
---|
2110 | } |
---|
2111 | /* |
---|
2112 | * Disallow re-associate w/ invalid slot time setting. |
---|
2113 | */ |
---|
2114 | if (ni->ni_associd != 0 && |
---|
2115 | IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && |
---|
2116 | ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { |
---|
2117 | capinfomismatch(ni, wh, reassoc, resp, |
---|
2118 | "slot time", capinfo); |
---|
2119 | return; |
---|
2120 | } |
---|
2121 | rate = ieee80211_setup_rates(ni, rates, xrates, |
---|
2122 | IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | |
---|
2123 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); |
---|
2124 | if (rate & IEEE80211_RATE_BASIC) { |
---|
2125 | ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate); |
---|
2126 | vap->iv_stats.is_rx_assoc_norate++; |
---|
2127 | return; |
---|
2128 | } |
---|
2129 | /* |
---|
2130 | * If constrained to 11g-only stations reject an |
---|
2131 | * 11b-only station. We cheat a bit here by looking |
---|
2132 | * at the max negotiated xmit rate and assuming anyone |
---|
2133 | * with a best rate <24Mb/s is an 11b station. |
---|
2134 | */ |
---|
2135 | if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) { |
---|
2136 | ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); |
---|
2137 | vap->iv_stats.is_rx_assoc_norate++; |
---|
2138 | return; |
---|
2139 | } |
---|
2140 | /* |
---|
2141 | * Do HT rate set handling and setup HT node state. |
---|
2142 | */ |
---|
2143 | ni->ni_chan = vap->iv_bss->ni_chan; |
---|
2144 | if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) { |
---|
2145 | rate = ieee80211_setup_htrates(ni, htcap, |
---|
2146 | IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO | |
---|
2147 | IEEE80211_F_DOBRS); |
---|
2148 | if (rate & IEEE80211_RATE_BASIC) { |
---|
2149 | ratesetmismatch(ni, wh, reassoc, resp, |
---|
2150 | "HT", rate); |
---|
2151 | vap->iv_stats.is_ht_assoc_norate++; |
---|
2152 | return; |
---|
2153 | } |
---|
2154 | ieee80211_ht_node_init(ni); |
---|
2155 | ieee80211_ht_updatehtcap(ni, htcap); |
---|
2156 | } else if (ni->ni_flags & IEEE80211_NODE_HT) |
---|
2157 | ieee80211_ht_node_cleanup(ni); |
---|
2158 | #ifdef IEEE80211_SUPPORT_SUPERG |
---|
2159 | /* Always do ff node cleanup; for A-MSDU */ |
---|
2160 | ieee80211_ff_node_cleanup(ni); |
---|
2161 | #endif |
---|
2162 | /* |
---|
2163 | * Allow AMPDU operation only with unencrypted traffic |
---|
2164 | * or AES-CCM; the 11n spec only specifies these ciphers |
---|
2165 | * so permitting any others is undefined and can lead |
---|
2166 | * to interoperability problems. |
---|
2167 | */ |
---|
2168 | if ((ni->ni_flags & IEEE80211_NODE_HT) && |
---|
2169 | (((vap->iv_flags & IEEE80211_F_WPA) && |
---|
2170 | rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || |
---|
2171 | (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { |
---|
2172 | IEEE80211_NOTE(vap, |
---|
2173 | IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni, |
---|
2174 | "disallow HT use because WEP or TKIP requested, " |
---|
2175 | "capinfo 0x%x ucastcipher %d", capinfo, |
---|
2176 | rsnparms.rsn_ucastcipher); |
---|
2177 | ieee80211_ht_node_cleanup(ni); |
---|
2178 | #ifdef IEEE80211_SUPPORT_SUPERG |
---|
2179 | /* Always do ff node cleanup; for A-MSDU */ |
---|
2180 | ieee80211_ff_node_cleanup(ni); |
---|
2181 | #endif |
---|
2182 | vap->iv_stats.is_ht_assoc_downgrade++; |
---|
2183 | } |
---|
2184 | /* |
---|
2185 | * If constrained to 11n-only stations reject legacy stations. |
---|
2186 | */ |
---|
2187 | if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) && |
---|
2188 | (ni->ni_flags & IEEE80211_NODE_HT) == 0) { |
---|
2189 | htcapmismatch(ni, wh, reassoc, resp); |
---|
2190 | vap->iv_stats.is_ht_assoc_nohtcap++; |
---|
2191 | return; |
---|
2192 | } |
---|
2193 | IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); |
---|
2194 | ni->ni_noise = nf; |
---|
2195 | ni->ni_intval = lintval; |
---|
2196 | ni->ni_capinfo = capinfo; |
---|
2197 | ni->ni_fhdwell = vap->iv_bss->ni_fhdwell; |
---|
2198 | ni->ni_fhindex = vap->iv_bss->ni_fhindex; |
---|
2199 | /* |
---|
2200 | * Store the IEs. |
---|
2201 | * XXX maybe better to just expand |
---|
2202 | */ |
---|
2203 | if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) { |
---|
2204 | #define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off) |
---|
2205 | if (wpa != NULL) |
---|
2206 | setie(wpa_ie, wpa - sfrm); |
---|
2207 | if (rsn != NULL) |
---|
2208 | setie(rsn_ie, rsn - sfrm); |
---|
2209 | if (htcap != NULL) |
---|
2210 | setie(htcap_ie, htcap - sfrm); |
---|
2211 | if (wme != NULL) { |
---|
2212 | setie(wme_ie, wme - sfrm); |
---|
2213 | /* |
---|
2214 | * Mark node as capable of QoS. |
---|
2215 | */ |
---|
2216 | ni->ni_flags |= IEEE80211_NODE_QOS; |
---|
2217 | } else |
---|
2218 | ni->ni_flags &= ~IEEE80211_NODE_QOS; |
---|
2219 | #ifdef IEEE80211_SUPPORT_SUPERG |
---|
2220 | if (ath != NULL) { |
---|
2221 | setie(ath_ie, ath - sfrm); |
---|
2222 | /* |
---|
2223 | * Parse ATH station parameters. |
---|
2224 | */ |
---|
2225 | ieee80211_parse_ath(ni, ni->ni_ies.ath_ie); |
---|
2226 | } else |
---|
2227 | #endif |
---|
2228 | ni->ni_ath_flags = 0; |
---|
2229 | #undef setie |
---|
2230 | } else { |
---|
2231 | ni->ni_flags &= ~IEEE80211_NODE_QOS; |
---|
2232 | ni->ni_ath_flags = 0; |
---|
2233 | } |
---|
2234 | ieee80211_node_join(ni, resp); |
---|
2235 | ieee80211_deliver_l2uf(ni); |
---|
2236 | break; |
---|
2237 | } |
---|
2238 | |
---|
2239 | case IEEE80211_FC0_SUBTYPE_DEAUTH: |
---|
2240 | case IEEE80211_FC0_SUBTYPE_DISASSOC: { |
---|
2241 | uint16_t reason; |
---|
2242 | |
---|
2243 | if (vap->iv_state != IEEE80211_S_RUN || |
---|
2244 | /* NB: can happen when in promiscuous mode */ |
---|
2245 | !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { |
---|
2246 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
2247 | break; |
---|
2248 | } |
---|
2249 | /* |
---|
2250 | * deauth/disassoc frame format |
---|
2251 | * [2] reason |
---|
2252 | */ |
---|
2253 | IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); |
---|
2254 | reason = le16toh(*(uint16_t *)frm); |
---|
2255 | if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) { |
---|
2256 | vap->iv_stats.is_rx_deauth++; |
---|
2257 | IEEE80211_NODE_STAT(ni, rx_deauth); |
---|
2258 | } else { |
---|
2259 | vap->iv_stats.is_rx_disassoc++; |
---|
2260 | IEEE80211_NODE_STAT(ni, rx_disassoc); |
---|
2261 | } |
---|
2262 | IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, |
---|
2263 | "recv %s (reason: %d (%s))", |
---|
2264 | ieee80211_mgt_subtype_name(subtype), |
---|
2265 | reason, ieee80211_reason_to_string(reason)); |
---|
2266 | if (ni != vap->iv_bss) |
---|
2267 | ieee80211_node_leave(ni); |
---|
2268 | break; |
---|
2269 | } |
---|
2270 | |
---|
2271 | case IEEE80211_FC0_SUBTYPE_ACTION: |
---|
2272 | case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: |
---|
2273 | if (ni == vap->iv_bss) { |
---|
2274 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
2275 | wh, NULL, "%s", "unknown node"); |
---|
2276 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
2277 | } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && |
---|
2278 | !IEEE80211_IS_MULTICAST(wh->i_addr1)) { |
---|
2279 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
2280 | wh, NULL, "%s", "not for us"); |
---|
2281 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
2282 | } else if (vap->iv_state != IEEE80211_S_RUN) { |
---|
2283 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
2284 | wh, NULL, "wrong state %s", |
---|
2285 | ieee80211_state_name[vap->iv_state]); |
---|
2286 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
2287 | } else { |
---|
2288 | if (ieee80211_parse_action(ni, m0) == 0) |
---|
2289 | (void)ic->ic_recv_action(ni, wh, frm, efrm); |
---|
2290 | } |
---|
2291 | break; |
---|
2292 | |
---|
2293 | case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: |
---|
2294 | case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: |
---|
2295 | case IEEE80211_FC0_SUBTYPE_TIMING_ADV: |
---|
2296 | case IEEE80211_FC0_SUBTYPE_ATIM: |
---|
2297 | IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, |
---|
2298 | wh, NULL, "%s", "not handled"); |
---|
2299 | vap->iv_stats.is_rx_mgtdiscard++; |
---|
2300 | break; |
---|
2301 | |
---|
2302 | default: |
---|
2303 | IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, |
---|
2304 | wh, "mgt", "subtype 0x%x not handled", subtype); |
---|
2305 | vap->iv_stats.is_rx_badsubtype++; |
---|
2306 | break; |
---|
2307 | } |
---|
2308 | } |
---|
2309 | |
---|
2310 | static void |
---|
2311 | hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) |
---|
2312 | { |
---|
2313 | switch (subtype) { |
---|
2314 | case IEEE80211_FC0_SUBTYPE_PS_POLL: |
---|
2315 | ni->ni_vap->iv_recv_pspoll(ni, m); |
---|
2316 | break; |
---|
2317 | case IEEE80211_FC0_SUBTYPE_BAR: |
---|
2318 | ieee80211_recv_bar(ni, m); |
---|
2319 | break; |
---|
2320 | } |
---|
2321 | } |
---|
2322 | |
---|
2323 | /* |
---|
2324 | * Process a received ps-poll frame. |
---|
2325 | */ |
---|
2326 | void |
---|
2327 | ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0) |
---|
2328 | { |
---|
2329 | struct ieee80211vap *vap = ni->ni_vap; |
---|
2330 | struct ieee80211com *ic = vap->iv_ic; |
---|
2331 | struct ieee80211_frame_min *wh; |
---|
2332 | struct mbuf *m; |
---|
2333 | uint16_t aid; |
---|
2334 | int qlen; |
---|
2335 | |
---|
2336 | wh = mtod(m0, struct ieee80211_frame_min *); |
---|
2337 | if (ni->ni_associd == 0) { |
---|
2338 | IEEE80211_DISCARD(vap, |
---|
2339 | IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, |
---|
2340 | (struct ieee80211_frame *) wh, NULL, |
---|
2341 | "%s", "unassociated station"); |
---|
2342 | vap->iv_stats.is_ps_unassoc++; |
---|
2343 | IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH, |
---|
2344 | IEEE80211_REASON_NOT_ASSOCED); |
---|
2345 | return; |
---|
2346 | } |
---|
2347 | |
---|
2348 | aid = le16toh(*(uint16_t *)wh->i_dur); |
---|
2349 | if (aid != ni->ni_associd) { |
---|
2350 | IEEE80211_DISCARD(vap, |
---|
2351 | IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, |
---|
2352 | (struct ieee80211_frame *) wh, NULL, |
---|
2353 | "aid mismatch: sta aid 0x%x poll aid 0x%x", |
---|
2354 | ni->ni_associd, aid); |
---|
2355 | vap->iv_stats.is_ps_badaid++; |
---|
2356 | /* |
---|
2357 | * NB: We used to deauth the station but it turns out |
---|
2358 | * the Blackberry Curve 8230 (and perhaps other devices) |
---|
2359 | * sometimes send the wrong AID when WME is negotiated. |
---|
2360 | * Being more lenient here seems ok as we already check |
---|
2361 | * the station is associated and we only return frames |
---|
2362 | * queued for the station (i.e. we don't use the AID). |
---|
2363 | */ |
---|
2364 | return; |
---|
2365 | } |
---|
2366 | |
---|
2367 | /* Okay, take the first queued packet and put it out... */ |
---|
2368 | m = ieee80211_node_psq_dequeue(ni, &qlen); |
---|
2369 | if (m == NULL) { |
---|
2370 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2, |
---|
2371 | "%s", "recv ps-poll, but queue empty"); |
---|
2372 | ieee80211_send_nulldata(ieee80211_ref_node(ni)); |
---|
2373 | vap->iv_stats.is_ps_qempty++; /* XXX node stat */ |
---|
2374 | if (vap->iv_set_tim != NULL) |
---|
2375 | vap->iv_set_tim(ni, 0); /* just in case */ |
---|
2376 | return; |
---|
2377 | } |
---|
2378 | /* |
---|
2379 | * If there are more packets, set the more packets bit |
---|
2380 | * in the packet dispatched to the station; otherwise |
---|
2381 | * turn off the TIM bit. |
---|
2382 | */ |
---|
2383 | if (qlen != 0) { |
---|
2384 | IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, |
---|
2385 | "recv ps-poll, send packet, %u still queued", qlen); |
---|
2386 | m->m_flags |= M_MORE_DATA; |
---|
2387 | } else { |
---|
2388 | IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni, |
---|
2389 | "%s", "recv ps-poll, send packet, queue empty"); |
---|
2390 | if (vap->iv_set_tim != NULL) |
---|
2391 | vap->iv_set_tim(ni, 0); |
---|
2392 | } |
---|
2393 | m->m_flags |= M_PWR_SAV; /* bypass PS handling */ |
---|
2394 | |
---|
2395 | /* |
---|
2396 | * Do the right thing; if it's an encap'ed frame then |
---|
2397 | * call ieee80211_parent_xmitpkt() else |
---|
2398 | * call ieee80211_vap_xmitpkt(). |
---|
2399 | */ |
---|
2400 | if (m->m_flags & M_ENCAP) { |
---|
2401 | (void) ieee80211_parent_xmitpkt(ic, m); |
---|
2402 | } else { |
---|
2403 | (void) ieee80211_vap_xmitpkt(vap, m); |
---|
2404 | } |
---|
2405 | } |
---|