wlan - Rip out all wlan locks part 1/2
[dragonfly.git] / sys / netproto / 802_11 / wlan / ieee80211_hostap.c
CommitLineData
32176cfd
RP
1/*-
2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 * $FreeBSD: head/sys/net80211/ieee80211_hostap.c 203422 2010-02-03 10:07:43Z rpaulo $
26 * $DragonFly$
27 */
28
29/*
30 * IEEE 802.11 HOSTAP mode support.
31 */
32#include "opt_inet.h"
33#include "opt_wlan.h"
34
35#include <sys/param.h>
36#include <sys/systm.h>
37#include <sys/mbuf.h>
38#include <sys/malloc.h>
39#include <sys/kernel.h>
40
41#include <sys/socket.h>
42#include <sys/sockio.h>
43#include <sys/endian.h>
44#include <sys/errno.h>
45#include <sys/proc.h>
46#include <sys/sysctl.h>
47
48#include <net/if.h>
49#include <net/if_media.h>
50#include <net/if_llc.h>
51#include <net/ethernet.h>
52#include <net/route.h>
53
54#include <net/bpf.h>
55
56#include <netproto/802_11/ieee80211_var.h>
57#include <netproto/802_11/ieee80211_hostap.h>
58#include <netproto/802_11/ieee80211_input.h>
59#ifdef IEEE80211_SUPPORT_SUPERG
60#include <netproto/802_11/ieee80211_superg.h>
61#endif
62#include <netproto/802_11/ieee80211_wds.h>
63
64#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
65
66static void hostap_vattach(struct ieee80211vap *);
67static int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
68static int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
69 int rssi, int nf);
70static void hostap_deliver_data(struct ieee80211vap *,
71 struct ieee80211_node *, struct mbuf *);
72static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
73 int subtype, int rssi, int nf);
74static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
75static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
76
77void
78ieee80211_hostap_attach(struct ieee80211com *ic)
79{
80 ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
81}
82
83void
84ieee80211_hostap_detach(struct ieee80211com *ic)
85{
86}
87
88static void
89hostap_vdetach(struct ieee80211vap *vap)
90{
91}
92
93static void
94hostap_vattach(struct ieee80211vap *vap)
95{
96 vap->iv_newstate = hostap_newstate;
97 vap->iv_input = hostap_input;
98 vap->iv_recv_mgmt = hostap_recv_mgmt;
99 vap->iv_recv_ctl = hostap_recv_ctl;
100 vap->iv_opdetach = hostap_vdetach;
101 vap->iv_deliver_data = hostap_deliver_data;
102}
103
104static void
105sta_disassoc(void *arg, struct ieee80211_node *ni)
106{
107 struct ieee80211vap *vap = arg;
108
109 if (ni->ni_vap == vap && ni->ni_associd != 0) {
110 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
111 IEEE80211_REASON_ASSOC_LEAVE);
112 ieee80211_node_leave(ni);
113 }
114}
115
116static void
117sta_csa(void *arg, struct ieee80211_node *ni)
118{
119 struct ieee80211vap *vap = arg;
120
121 if (ni->ni_vap == vap && ni->ni_associd != 0)
122 if (ni->ni_inact > vap->iv_inact_init) {
123 ni->ni_inact = vap->iv_inact_init;
124 IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
125 "%s: inact %u", __func__, ni->ni_inact);
126 }
127}
128
129static void
130sta_drop(void *arg, struct ieee80211_node *ni)
131{
132 struct ieee80211vap *vap = arg;
133
134 if (ni->ni_vap == vap && ni->ni_associd != 0)
135 ieee80211_node_leave(ni);
136}
137
138/*
139 * Does a channel change require associated stations to re-associate
140 * so protocol state is correct. This is used when doing CSA across
141 * bands or similar (e.g. HT -> legacy).
142 */
143static int
144isbandchange(struct ieee80211com *ic)
145{
146 return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
147 (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
148 IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
149}
150
151/*
152 * IEEE80211_M_HOSTAP vap state machine handler.
153 */
154static int
155hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
156{
157 struct ieee80211com *ic = vap->iv_ic;
158 enum ieee80211_state ostate;
159
32176cfd
RP
160 ostate = vap->iv_state;
161 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
162 __func__, ieee80211_state_name[ostate],
163 ieee80211_state_name[nstate], arg);
164 vap->iv_state = nstate; /* state transition */
165 if (ostate != IEEE80211_S_SCAN)
166 ieee80211_cancel_scan(vap); /* background scan */
167 switch (nstate) {
168 case IEEE80211_S_INIT:
169 switch (ostate) {
170 case IEEE80211_S_SCAN:
171 ieee80211_cancel_scan(vap);
172 break;
173 case IEEE80211_S_CAC:
174 ieee80211_dfs_cac_stop(vap);
175 break;
176 case IEEE80211_S_RUN:
177 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
178 break;
179 default:
180 break;
181 }
182 if (ostate != IEEE80211_S_INIT) {
183 /* NB: optimize INIT -> INIT case */
184 ieee80211_reset_bss(vap);
185 }
186 if (vap->iv_auth->ia_detach != NULL)
187 vap->iv_auth->ia_detach(vap);
188 break;
189 case IEEE80211_S_SCAN:
190 switch (ostate) {
191 case IEEE80211_S_CSA:
192 case IEEE80211_S_RUN:
193 ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
194 /*
195 * Clear overlapping BSS state; the beacon frame
196 * will be reconstructed on transition to the RUN
197 * state and the timeout routines check if the flag
198 * is set before doing anything so this is sufficient.
199 */
200 ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
201 ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
202 /* fall thru... */
203 case IEEE80211_S_CAC:
204 /*
205 * NB: We may get here because of a manual channel
206 * change in which case we need to stop CAC
207 * XXX no need to stop if ostate RUN but it's ok
208 */
209 ieee80211_dfs_cac_stop(vap);
210 /* fall thru... */
211 case IEEE80211_S_INIT:
212 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
213 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
214 /*
215 * Already have a channel; bypass the
216 * scan and startup immediately.
217 * ieee80211_create_ibss will call back to
218 * move us to RUN state.
219 */
220 ieee80211_create_ibss(vap, vap->iv_des_chan);
221 break;
222 }
223 /*
224 * Initiate a scan. We can come here as a result
225 * of an IEEE80211_IOC_SCAN_REQ too in which case
226 * the vap will be marked with IEEE80211_FEXT_SCANREQ
227 * and the scan request parameters will be present
228 * in iv_scanreq. Otherwise we do the default.
229 */
230 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
231 ieee80211_check_scan(vap,
232 vap->iv_scanreq_flags,
233 vap->iv_scanreq_duration,
234 vap->iv_scanreq_mindwell,
235 vap->iv_scanreq_maxdwell,
236 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
237 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
238 } else
239 ieee80211_check_scan_current(vap);
240 break;
241 case IEEE80211_S_SCAN:
242 /*
243 * A state change requires a reset; scan.
244 */
245 ieee80211_check_scan_current(vap);
246 break;
247 default:
248 break;
249 }
250 break;
251 case IEEE80211_S_CAC:
252 /*
253 * Start CAC on a DFS channel. We come here when starting
254 * a bss on a DFS channel (see ieee80211_create_ibss).
255 */
256 ieee80211_dfs_cac_start(vap);
257 break;
258 case IEEE80211_S_RUN:
259 if (vap->iv_flags & IEEE80211_F_WPA) {
260 /* XXX validate prerequisites */
261 }
262 switch (ostate) {
263 case IEEE80211_S_INIT:
264 /*
265 * Already have a channel; bypass the
266 * scan and startup immediately.
267 * Note that ieee80211_create_ibss will call
268 * back to do a RUN->RUN state change.
269 */
270 ieee80211_create_ibss(vap,
271 ieee80211_ht_adjust_channel(ic,
272 ic->ic_curchan, vap->iv_flags_ht));
273 /* NB: iv_bss is changed on return */
274 break;
275 case IEEE80211_S_CAC:
276 /*
277 * NB: This is the normal state change when CAC
278 * expires and no radar was detected; no need to
279 * clear the CAC timer as it's already expired.
280 */
281 /* fall thru... */
282 case IEEE80211_S_CSA:
283 /*
284 * Shorten inactivity timer of associated stations
285 * to weed out sta's that don't follow a CSA.
286 */
287 ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
288 /*
289 * Update bss node channel to reflect where
290 * we landed after CSA.
291 */
292 ieee80211_node_set_chan(vap->iv_bss,
293 ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
294 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
295 /* XXX bypass debug msgs */
296 break;
297 case IEEE80211_S_SCAN:
298 case IEEE80211_S_RUN:
299#ifdef IEEE80211_DEBUG
300 if (ieee80211_msg_debug(vap)) {
301 struct ieee80211_node *ni = vap->iv_bss;
302 ieee80211_note(vap,
6168f72e
RP
303 "synchronized with %6D ssid ",
304 ni->ni_bssid, ":");
32176cfd
RP
305 ieee80211_print_essid(ni->ni_essid,
306 ni->ni_esslen);
307 /* XXX MCS/HT */
6168f72e 308 kprintf(" channel %d start %uMb\n",
32176cfd
RP
309 ieee80211_chan2ieee(ic, ic->ic_curchan),
310 IEEE80211_RATE2MBS(ni->ni_txrate));
311 }
312#endif
313 break;
314 default:
315 break;
316 }
317 /*
318 * Start/stop the authenticator. We delay until here
319 * to allow configuration to happen out of order.
320 */
321 if (vap->iv_auth->ia_attach != NULL) {
322 /* XXX check failure */
323 vap->iv_auth->ia_attach(vap);
324 } else if (vap->iv_auth->ia_detach != NULL) {
325 vap->iv_auth->ia_detach(vap);
326 }
327 ieee80211_node_authorize(vap->iv_bss);
328 break;
329 case IEEE80211_S_CSA:
330 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
331 /*
332 * On a ``band change'' silently drop associated
333 * stations as they must re-associate before they
334 * can pass traffic (as otherwise protocol state
335 * such as capabilities and the negotiated rate
336 * set may/will be wrong).
337 */
338 ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
339 }
340 break;
341 default:
342 break;
343 }
344 return 0;
345}
346
347static void
348hostap_deliver_data(struct ieee80211vap *vap,
349 struct ieee80211_node *ni, struct mbuf *m)
350{
351 struct ether_header *eh = mtod(m, struct ether_header *);
352 struct ifnet *ifp = vap->iv_ifp;
353
354 /* clear driver/net80211 flags before passing up */
355 m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST);
356
357 KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
358 ("gack, opmode %d", vap->iv_opmode));
359 /*
360 * Do accounting.
361 */
362 ifp->if_ipackets++;
363 IEEE80211_NODE_STAT(ni, rx_data);
364 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
365 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
366 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
367 IEEE80211_NODE_STAT(ni, rx_mcast);
368 } else
369 IEEE80211_NODE_STAT(ni, rx_ucast);
370
371 /* perform as a bridge within the AP */
372 if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
373 struct mbuf *mcopy = NULL;
374
375 if (m->m_flags & M_MCAST) {
376 mcopy = m_dup(m, MB_DONTWAIT);
377 if (mcopy == NULL)
378 ifp->if_oerrors++;
379 else
380 mcopy->m_flags |= M_MCAST;
381 } else {
382 /*
383 * Check if the destination is associated with the
384 * same vap and authorized to receive traffic.
385 * Beware of traffic destined for the vap itself;
386 * sending it will not work; just let it be delivered
387 * normally.
388 */
389 struct ieee80211_node *sta = ieee80211_find_vap_node(
390 &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
391 if (sta != NULL) {
392 if (ieee80211_node_is_authorized(sta)) {
393 /*
394 * Beware of sending to ourself; this
395 * needs to happen via the normal
396 * input path.
397 */
398 if (sta != vap->iv_bss) {
399 mcopy = m;
400 m = NULL;
401 }
402 } else {
403 vap->iv_stats.is_rx_unauth++;
404 IEEE80211_NODE_STAT(sta, rx_unauth);
405 }
406 ieee80211_free_node(sta);
407 }
408 }
409 if (mcopy != NULL) {
410 int len, err;
411 len = mcopy->m_pkthdr.len;
fcaa651d 412 err = ieee80211_handoff(ifp, mcopy);
32176cfd
RP
413 if (err) {
414 /* NB: IFQ_HANDOFF reclaims mcopy */
415 } else {
416 ifp->if_opackets++;
417 }
418 }
419 }
420 if (m != NULL) {
421 /*
422 * Mark frame as coming from vap's interface.
423 */
424 m->m_pkthdr.rcvif = ifp;
425 if (m->m_flags & M_MCAST) {
426 /*
427 * Spam DWDS vap's w/ multicast traffic.
428 */
429 /* XXX only if dwds in use? */
430 ieee80211_dwds_mcast(vap, m);
431 }
432 if (ni->ni_vlan != 0) {
433 /* attach vlan tag */
34a60cf6 434 m->m_pkthdr.ether_vlantag = ni->ni_vlan;
32176cfd
RP
435 m->m_flags |= M_VLANTAG;
436 }
437 ifp->if_input(ifp, m);
438 }
439}
440
441/*
442 * Decide if a received management frame should be
443 * printed when debugging is enabled. This filters some
444 * of the less interesting frames that come frequently
445 * (e.g. beacons).
446 */
447static __inline int
448doprint(struct ieee80211vap *vap, int subtype)
449{
450 switch (subtype) {
451 case IEEE80211_FC0_SUBTYPE_BEACON:
452 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
453 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
454 return 0;
455 }
456 return 1;
457}
458
459/*
460 * Process a received frame. The node associated with the sender
461 * should be supplied. If nothing was found in the node table then
462 * the caller is assumed to supply a reference to iv_bss instead.
463 * The RSSI and a timestamp are also supplied. The RSSI data is used
464 * during AP scanning to select a AP to associate with; it can have
465 * any units so long as values have consistent units and higher values
466 * mean ``better signal''. The receive timestamp is currently not used
467 * by the 802.11 layer.
468 */
469static int
470hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
471{
472#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
473#define HAS_SEQ(type) ((type & 0x4) == 0)
474 struct ieee80211vap *vap = ni->ni_vap;
475 struct ieee80211com *ic = ni->ni_ic;
476 struct ifnet *ifp = vap->iv_ifp;
477 struct ieee80211_frame *wh;
478 struct ieee80211_key *key;
479 struct ether_header *eh;
480 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
481 uint8_t dir, type, subtype, qos;
482 uint8_t *bssid;
483 uint16_t rxseq;
484
485 if (m->m_flags & M_AMPDU_MPDU) {
486 /*
487 * Fastpath for A-MPDU reorder q resubmission. Frames
488 * w/ M_AMPDU_MPDU marked have already passed through
489 * here but were received out of order and been held on
490 * the reorder queue. When resubmitted they are marked
491 * with the M_AMPDU_MPDU flag and we can bypass most of
492 * the normal processing.
493 */
494 wh = mtod(m, struct ieee80211_frame *);
495 type = IEEE80211_FC0_TYPE_DATA;
496 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
497 subtype = IEEE80211_FC0_SUBTYPE_QOS;
498 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
499 goto resubmit_ampdu;
500 }
501
502 KASSERT(ni != NULL, ("null node"));
503 ni->ni_inact = ni->ni_inact_reload;
504
505 type = -1; /* undefined */
506
507 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
508 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
509 ni->ni_macaddr, NULL,
510 "too short (1): len %u", m->m_pkthdr.len);
511 vap->iv_stats.is_rx_tooshort++;
512 goto out;
513 }
514 /*
515 * Bit of a cheat here, we use a pointer for a 3-address
516 * frame format but don't reference fields past outside
517 * ieee80211_frame_min w/o first validating the data is
518 * present.
519 */
520 wh = mtod(m, struct ieee80211_frame *);
521
522 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
523 IEEE80211_FC0_VERSION_0) {
524 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
525 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
526 wh->i_fc[0], wh->i_fc[1]);
527 vap->iv_stats.is_rx_badversion++;
528 goto err;
529 }
530
531 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
532 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
533 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
534 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
535 if (dir != IEEE80211_FC1_DIR_NODS)
536 bssid = wh->i_addr1;
537 else if (type == IEEE80211_FC0_TYPE_CTL)
538 bssid = wh->i_addr1;
539 else {
540 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
541 IEEE80211_DISCARD_MAC(vap,
542 IEEE80211_MSG_ANY, ni->ni_macaddr,
543 NULL, "too short (2): len %u",
544 m->m_pkthdr.len);
545 vap->iv_stats.is_rx_tooshort++;
546 goto out;
547 }
548 bssid = wh->i_addr3;
549 }
550 /*
551 * Validate the bssid.
552 */
553 if (!(type == IEEE80211_FC0_TYPE_MGT &&
554 subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
555 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
556 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
557 /* not interested in */
558 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
559 bssid, NULL, "%s", "not to bss");
560 vap->iv_stats.is_rx_wrongbss++;
561 goto out;
562 }
563
564 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
565 ni->ni_noise = nf;
566 if (HAS_SEQ(type)) {
567 uint8_t tid = ieee80211_gettid(wh);
568 if (IEEE80211_QOS_HAS_SEQ(wh) &&
569 TID_TO_WME_AC(tid) >= WME_AC_VI)
570 ic->ic_wme.wme_hipri_traffic++;
571 rxseq = le16toh(*(uint16_t *)wh->i_seq);
572 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
573 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
574 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
575 /* duplicate, discard */
576 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
577 bssid, "duplicate",
578 "seqno <%u,%u> fragno <%u,%u> tid %u",
579 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
580 ni->ni_rxseqs[tid] >>
581 IEEE80211_SEQ_SEQ_SHIFT,
582 rxseq & IEEE80211_SEQ_FRAG_MASK,
583 ni->ni_rxseqs[tid] &
584 IEEE80211_SEQ_FRAG_MASK,
585 tid);
586 vap->iv_stats.is_rx_dup++;
587 IEEE80211_NODE_STAT(ni, rx_dup);
588 goto out;
589 }
590 ni->ni_rxseqs[tid] = rxseq;
591 }
592 }
593
594 switch (type) {
595 case IEEE80211_FC0_TYPE_DATA:
596 hdrspace = ieee80211_hdrspace(ic, wh);
597 if (m->m_len < hdrspace &&
598 (m = m_pullup(m, hdrspace)) == NULL) {
599 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
600 ni->ni_macaddr, NULL,
601 "data too short: expecting %u", hdrspace);
602 vap->iv_stats.is_rx_tooshort++;
603 goto out; /* XXX */
604 }
605 if (!(dir == IEEE80211_FC1_DIR_TODS ||
606 (dir == IEEE80211_FC1_DIR_DSTODS &&
607 (vap->iv_flags & IEEE80211_F_DWDS)))) {
608 if (dir != IEEE80211_FC1_DIR_DSTODS) {
609 IEEE80211_DISCARD(vap,
610 IEEE80211_MSG_INPUT, wh, "data",
611 "incorrect dir 0x%x", dir);
612 } else {
613 IEEE80211_DISCARD(vap,
614 IEEE80211_MSG_INPUT |
615 IEEE80211_MSG_WDS, wh,
616 "4-address data",
617 "%s", "DWDS not enabled");
618 }
619 vap->iv_stats.is_rx_wrongdir++;
620 goto out;
621 }
622 /* check if source STA is associated */
623 if (ni == vap->iv_bss) {
624 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
625 wh, "data", "%s", "unknown src");
626 ieee80211_send_error(ni, wh->i_addr2,
627 IEEE80211_FC0_SUBTYPE_DEAUTH,
628 IEEE80211_REASON_NOT_AUTHED);
629 vap->iv_stats.is_rx_notassoc++;
630 goto err;
631 }
632 if (ni->ni_associd == 0) {
633 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
634 wh, "data", "%s", "unassoc src");
635 IEEE80211_SEND_MGMT(ni,
636 IEEE80211_FC0_SUBTYPE_DISASSOC,
637 IEEE80211_REASON_NOT_ASSOCED);
638 vap->iv_stats.is_rx_notassoc++;
639 goto err;
640 }
641
642 /*
643 * Check for power save state change.
644 * XXX out-of-order A-MPDU frames?
645 */
646 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
647 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
648 ieee80211_node_pwrsave(ni,
649 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
650 /*
651 * For 4-address packets handle WDS discovery
652 * notifications. Once a WDS link is setup frames
653 * are just delivered to the WDS vap (see below).
654 */
655 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
656 if (!ieee80211_node_is_authorized(ni)) {
657 IEEE80211_DISCARD(vap,
658 IEEE80211_MSG_INPUT |
659 IEEE80211_MSG_WDS, wh,
660 "4-address data",
661 "%s", "unauthorized port");
662 vap->iv_stats.is_rx_unauth++;
663 IEEE80211_NODE_STAT(ni, rx_unauth);
664 goto err;
665 }
666 ieee80211_dwds_discover(ni, m);
667 return type;
668 }
669
670 /*
671 * Handle A-MPDU re-ordering. If the frame is to be
672 * processed directly then ieee80211_ampdu_reorder
673 * will return 0; otherwise it has consumed the mbuf
674 * and we should do nothing more with it.
675 */
676 if ((m->m_flags & M_AMPDU) &&
677 ieee80211_ampdu_reorder(ni, m) != 0) {
678 m = NULL;
679 goto out;
680 }
681 resubmit_ampdu:
682
683 /*
684 * Handle privacy requirements. Note that we
685 * must not be preempted from here until after
686 * we (potentially) call ieee80211_crypto_demic;
687 * otherwise we may violate assumptions in the
688 * crypto cipher modules used to do delayed update
689 * of replay sequence numbers.
690 */
691 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
692 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
693 /*
694 * Discard encrypted frames when privacy is off.
695 */
696 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
697 wh, "WEP", "%s", "PRIVACY off");
698 vap->iv_stats.is_rx_noprivacy++;
699 IEEE80211_NODE_STAT(ni, rx_noprivacy);
700 goto out;
701 }
702 key = ieee80211_crypto_decap(ni, m, hdrspace);
703 if (key == NULL) {
704 /* NB: stats+msgs handled in crypto_decap */
705 IEEE80211_NODE_STAT(ni, rx_wepfail);
706 goto out;
707 }
708 wh = mtod(m, struct ieee80211_frame *);
709 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
710 } else {
711 /* XXX M_WEP and IEEE80211_F_PRIVACY */
712 key = NULL;
713 }
714
715 /*
716 * Save QoS bits for use below--before we strip the header.
717 */
718 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
719 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
720 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
721 ((struct ieee80211_qosframe *)wh)->i_qos[0];
722 } else
723 qos = 0;
724
725 /*
726 * Next up, any fragmentation.
727 */
728 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
729 m = ieee80211_defrag(ni, m, hdrspace);
730 if (m == NULL) {
731 /* Fragment dropped or frame not complete yet */
732 goto out;
733 }
734 }
735 wh = NULL; /* no longer valid, catch any uses */
736
737 /*
738 * Next strip any MSDU crypto bits.
739 */
740 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
741 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
742 ni->ni_macaddr, "data", "%s", "demic error");
743 vap->iv_stats.is_rx_demicfail++;
744 IEEE80211_NODE_STAT(ni, rx_demicfail);
745 goto out;
746 }
747 /* copy to listener after decrypt */
748 if (ieee80211_radiotap_active_vap(vap))
749 ieee80211_radiotap_rx(vap, m);
750 need_tap = 0;
751 /*
752 * Finally, strip the 802.11 header.
753 */
754 m = ieee80211_decap(vap, m, hdrspace);
755 if (m == NULL) {
756 /* XXX mask bit to check for both */
757 /* don't count Null data frames as errors */
758 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
759 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
760 goto out;
761 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
762 ni->ni_macaddr, "data", "%s", "decap error");
763 vap->iv_stats.is_rx_decap++;
764 IEEE80211_NODE_STAT(ni, rx_decap);
765 goto err;
766 }
767 eh = mtod(m, struct ether_header *);
768 if (!ieee80211_node_is_authorized(ni)) {
769 /*
770 * Deny any non-PAE frames received prior to
771 * authorization. For open/shared-key
772 * authentication the port is mark authorized
773 * after authentication completes. For 802.1x
774 * the port is not marked authorized by the
775 * authenticator until the handshake has completed.
776 */
777 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
778 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
779 eh->ether_shost, "data",
780 "unauthorized port: ether type 0x%x len %u",
781 eh->ether_type, m->m_pkthdr.len);
782 vap->iv_stats.is_rx_unauth++;
783 IEEE80211_NODE_STAT(ni, rx_unauth);
784 goto err;
785 }
786 } else {
787 /*
788 * When denying unencrypted frames, discard
789 * any non-PAE frames received without encryption.
790 */
791 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
792 (key == NULL && (m->m_flags & M_WEP) == 0) &&
793 eh->ether_type != htons(ETHERTYPE_PAE)) {
794 /*
795 * Drop unencrypted frames.
796 */
797 vap->iv_stats.is_rx_unencrypted++;
798 IEEE80211_NODE_STAT(ni, rx_unencrypted);
799 goto out;
800 }
801 }
802 /* XXX require HT? */
803 if (qos & IEEE80211_QOS_AMSDU) {
804 m = ieee80211_decap_amsdu(ni, m);
805 if (m == NULL)
806 return IEEE80211_FC0_TYPE_DATA;
807 } else {
808#ifdef IEEE80211_SUPPORT_SUPERG
809 m = ieee80211_decap_fastframe(vap, ni, m);
810 if (m == NULL)
811 return IEEE80211_FC0_TYPE_DATA;
812#endif
813 }
814 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
815 ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
816 else
817 hostap_deliver_data(vap, ni, m);
818 return IEEE80211_FC0_TYPE_DATA;
819
820 case IEEE80211_FC0_TYPE_MGT:
821 vap->iv_stats.is_rx_mgmt++;
822 IEEE80211_NODE_STAT(ni, rx_mgmt);
823 if (dir != IEEE80211_FC1_DIR_NODS) {
824 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
825 wh, "mgt", "incorrect dir 0x%x", dir);
826 vap->iv_stats.is_rx_wrongdir++;
827 goto err;
828 }
829 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
830 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
831 ni->ni_macaddr, "mgt", "too short: len %u",
832 m->m_pkthdr.len);
833 vap->iv_stats.is_rx_tooshort++;
834 goto out;
835 }
836 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
837 /* ensure return frames are unicast */
838 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
6168f72e
RP
839 wh, NULL, "source is multicast: %6D",
840 wh->i_addr2, ":");
32176cfd
RP
841 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */
842 goto out;
843 }
844#ifdef IEEE80211_DEBUG
845 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
846 ieee80211_msg_dumppkts(vap)) {
6168f72e 847 if_printf(ifp, "received %s from %6D rssi %d\n",
32176cfd
RP
848 ieee80211_mgt_subtype_name[subtype >>
849 IEEE80211_FC0_SUBTYPE_SHIFT],
6168f72e 850 wh->i_addr2, ":", rssi);
32176cfd
RP
851 }
852#endif
853 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
854 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
855 /*
856 * Only shared key auth frames with a challenge
857 * should be encrypted, discard all others.
858 */
859 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
860 wh, NULL,
861 "%s", "WEP set but not permitted");
862 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
863 goto out;
864 }
865 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
866 /*
867 * Discard encrypted frames when privacy is off.
868 */
869 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
870 wh, NULL, "%s", "WEP set but PRIVACY off");
871 vap->iv_stats.is_rx_noprivacy++;
872 goto out;
873 }
874 hdrspace = ieee80211_hdrspace(ic, wh);
875 key = ieee80211_crypto_decap(ni, m, hdrspace);
876 if (key == NULL) {
877 /* NB: stats+msgs handled in crypto_decap */
878 goto out;
879 }
880 wh = mtod(m, struct ieee80211_frame *);
881 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
882 }
883 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
884 goto out;
885
886 case IEEE80211_FC0_TYPE_CTL:
887 vap->iv_stats.is_rx_ctl++;
888 IEEE80211_NODE_STAT(ni, rx_ctrl);
889 vap->iv_recv_ctl(ni, m, subtype);
890 goto out;
891 default:
892 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
893 wh, "bad", "frame type 0x%x", type);
894 /* should not come here */
895 break;
896 }
897err:
898 ifp->if_ierrors++;
899out:
900 if (m != NULL) {
901 if (need_tap && ieee80211_radiotap_active_vap(vap))
902 ieee80211_radiotap_rx(vap, m);
903 m_freem(m);
904 }
905 return type;
906#undef SEQ_LEQ
907}
908
909static void
910hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
911 int rssi, int nf, uint16_t seq, uint16_t status)
912{
913 struct ieee80211vap *vap = ni->ni_vap;
914
915 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
916
917 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
918 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
919 ni->ni_macaddr, "open auth",
920 "bad sta auth mode %u", ni->ni_authmode);
921 vap->iv_stats.is_rx_bad_auth++; /* XXX */
922 /*
923 * Clear any challenge text that may be there if
924 * a previous shared key auth failed and then an
925 * open auth is attempted.
926 */
927 if (ni->ni_challenge != NULL) {
928 kfree(ni->ni_challenge, M_80211_NODE);
929 ni->ni_challenge = NULL;
930 }
931 /* XXX hack to workaround calling convention */
932 ieee80211_send_error(ni, wh->i_addr2,
933 IEEE80211_FC0_SUBTYPE_AUTH,
934 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
935 return;
936 }
937 if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
938 vap->iv_stats.is_rx_bad_auth++;
939 return;
940 }
941 /* always accept open authentication requests */
942 if (ni == vap->iv_bss) {
943 ni = ieee80211_dup_bss(vap, wh->i_addr2);
944 if (ni == NULL)
945 return;
946 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
947 (void) ieee80211_ref_node(ni);
948 /*
949 * Mark the node as referenced to reflect that it's
950 * reference count has been bumped to insure it remains
951 * after the transaction completes.
952 */
953 ni->ni_flags |= IEEE80211_NODE_AREF;
954 /*
955 * Mark the node as requiring a valid association id
956 * before outbound traffic is permitted.
957 */
958 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
959
960 if (vap->iv_acl != NULL &&
961 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
962 /*
963 * When the ACL policy is set to RADIUS we defer the
964 * authorization to a user agent. Dispatch an event,
965 * a subsequent MLME call will decide the fate of the
966 * station. If the user agent is not present then the
967 * node will be reclaimed due to inactivity.
968 */
969 IEEE80211_NOTE_MAC(vap,
970 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
971 "%s", "station authentication defered (radius acl)");
972 ieee80211_notify_node_auth(ni);
973 } else {
974 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
975 IEEE80211_NOTE_MAC(vap,
976 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
977 "%s", "station authenticated (open)");
978 /*
979 * When 802.1x is not in use mark the port
980 * authorized at this point so traffic can flow.
981 */
982 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
983 ieee80211_node_authorize(ni);
984 }
985}
986
987static void
988hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
989 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
990 uint16_t seq, uint16_t status)
991{
992 struct ieee80211vap *vap = ni->ni_vap;
993 uint8_t *challenge;
994 int allocbs, estatus;
995
996 KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
997
998 /*
999 * NB: this can happen as we allow pre-shared key
1000 * authentication to be enabled w/o wep being turned
1001 * on so that configuration of these can be done
1002 * in any order. It may be better to enforce the
1003 * ordering in which case this check would just be
1004 * for sanity/consistency.
1005 */
1006 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1007 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1008 ni->ni_macaddr, "shared key auth",
1009 "%s", " PRIVACY is disabled");
1010 estatus = IEEE80211_STATUS_ALG;
1011 goto bad;
1012 }
1013 /*
1014 * Pre-shared key authentication is evil; accept
1015 * it only if explicitly configured (it is supported
1016 * mainly for compatibility with clients like Mac OS X).
1017 */
1018 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1019 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1020 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1021 ni->ni_macaddr, "shared key auth",
1022 "bad sta auth mode %u", ni->ni_authmode);
1023 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1024 estatus = IEEE80211_STATUS_ALG;
1025 goto bad;
1026 }
1027
1028 challenge = NULL;
1029 if (frm + 1 < efrm) {
1030 if ((frm[1] + 2) > (efrm - frm)) {
1031 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1032 ni->ni_macaddr, "shared key auth",
1033 "ie %d/%d too long",
1034 frm[0], (frm[1] + 2) - (efrm - frm));
1035 vap->iv_stats.is_rx_bad_auth++;
1036 estatus = IEEE80211_STATUS_CHALLENGE;
1037 goto bad;
1038 }
1039 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1040 challenge = frm;
1041 frm += frm[1] + 2;
1042 }
1043 switch (seq) {
1044 case IEEE80211_AUTH_SHARED_CHALLENGE:
1045 case IEEE80211_AUTH_SHARED_RESPONSE:
1046 if (challenge == NULL) {
1047 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1048 ni->ni_macaddr, "shared key auth",
1049 "%s", "no challenge");
1050 vap->iv_stats.is_rx_bad_auth++;
1051 estatus = IEEE80211_STATUS_CHALLENGE;
1052 goto bad;
1053 }
1054 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1055 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1056 ni->ni_macaddr, "shared key auth",
1057 "bad challenge len %d", challenge[1]);
1058 vap->iv_stats.is_rx_bad_auth++;
1059 estatus = IEEE80211_STATUS_CHALLENGE;
1060 goto bad;
1061 }
1062 default:
1063 break;
1064 }
1065 switch (seq) {
1066 case IEEE80211_AUTH_SHARED_REQUEST:
1067 if (ni == vap->iv_bss) {
1068 ni = ieee80211_dup_bss(vap, wh->i_addr2);
1069 if (ni == NULL) {
1070 /* NB: no way to return an error */
1071 return;
1072 }
1073 allocbs = 1;
1074 } else {
1075 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1076 (void) ieee80211_ref_node(ni);
1077 allocbs = 0;
1078 }
1079 /*
1080 * Mark the node as referenced to reflect that it's
1081 * reference count has been bumped to insure it remains
1082 * after the transaction completes.
1083 */
1084 ni->ni_flags |= IEEE80211_NODE_AREF;
1085 /*
1086 * Mark the node as requiring a valid associatio id
1087 * before outbound traffic is permitted.
1088 */
1089 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1090 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1091 ni->ni_noise = nf;
1092 if (!ieee80211_alloc_challenge(ni)) {
1093 /* NB: don't return error so they rexmit */
1094 return;
1095 }
1096 get_random_bytes(ni->ni_challenge,
1097 IEEE80211_CHALLENGE_LEN);
1098 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1099 ni, "shared key %sauth request", allocbs ? "" : "re");
1100 /*
1101 * When the ACL policy is set to RADIUS we defer the
1102 * authorization to a user agent. Dispatch an event,
1103 * a subsequent MLME call will decide the fate of the
1104 * station. If the user agent is not present then the
1105 * node will be reclaimed due to inactivity.
1106 */
1107 if (vap->iv_acl != NULL &&
1108 vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1109 IEEE80211_NOTE_MAC(vap,
1110 IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1111 ni->ni_macaddr,
1112 "%s", "station authentication defered (radius acl)");
1113 ieee80211_notify_node_auth(ni);
1114 return;
1115 }
1116 break;
1117 case IEEE80211_AUTH_SHARED_RESPONSE:
1118 if (ni == vap->iv_bss) {
1119 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1120 ni->ni_macaddr, "shared key response",
1121 "%s", "unknown station");
1122 /* NB: don't send a response */
1123 return;
1124 }
1125 if (ni->ni_challenge == NULL) {
1126 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1127 ni->ni_macaddr, "shared key response",
1128 "%s", "no challenge recorded");
1129 vap->iv_stats.is_rx_bad_auth++;
1130 estatus = IEEE80211_STATUS_CHALLENGE;
1131 goto bad;
1132 }
1133 if (memcmp(ni->ni_challenge, &challenge[2],
1134 challenge[1]) != 0) {
1135 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1136 ni->ni_macaddr, "shared key response",
1137 "%s", "challenge mismatch");
1138 vap->iv_stats.is_rx_auth_fail++;
1139 estatus = IEEE80211_STATUS_CHALLENGE;
1140 goto bad;
1141 }
1142 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1143 ni, "%s", "station authenticated (shared key)");
1144 ieee80211_node_authorize(ni);
1145 break;
1146 default:
1147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1148 ni->ni_macaddr, "shared key auth",
1149 "bad seq %d", seq);
1150 vap->iv_stats.is_rx_bad_auth++;
1151 estatus = IEEE80211_STATUS_SEQUENCE;
1152 goto bad;
1153 }
1154 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1155 return;
1156bad:
1157 /*
1158 * Send an error response; but only when operating as an AP.
1159 */
1160 /* XXX hack to workaround calling convention */
1161 ieee80211_send_error(ni, wh->i_addr2,
1162 IEEE80211_FC0_SUBTYPE_AUTH,
1163 (seq + 1) | (estatus<<16));
1164}
1165
1166/*
1167 * Convert a WPA cipher selector OUI to an internal
1168 * cipher algorithm. Where appropriate we also
1169 * record any key length.
1170 */
1171static int
1172wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1173{
1174#define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1175 uint32_t w = LE_READ_4(sel);
1176
1177 switch (w) {
1178 case WPA_SEL(WPA_CSE_NULL):
1179 return IEEE80211_CIPHER_NONE;
1180 case WPA_SEL(WPA_CSE_WEP40):
1181 if (keylen)
1182 *keylen = 40 / NBBY;
1183 return IEEE80211_CIPHER_WEP;
1184 case WPA_SEL(WPA_CSE_WEP104):
1185 if (keylen)
1186 *keylen = 104 / NBBY;
1187 return IEEE80211_CIPHER_WEP;
1188 case WPA_SEL(WPA_CSE_TKIP):
1189 return IEEE80211_CIPHER_TKIP;
1190 case WPA_SEL(WPA_CSE_CCMP):
1191 return IEEE80211_CIPHER_AES_CCM;
1192 }
1193 return 32; /* NB: so 1<< is discarded */
1194#undef WPA_SEL
1195}
1196
1197/*
1198 * Convert a WPA key management/authentication algorithm
1199 * to an internal code.
1200 */
1201static int
1202wpa_keymgmt(const uint8_t *sel)
1203{
1204#define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1205 uint32_t w = LE_READ_4(sel);
1206
1207 switch (w) {
1208 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1209 return WPA_ASE_8021X_UNSPEC;
1210 case WPA_SEL(WPA_ASE_8021X_PSK):
1211 return WPA_ASE_8021X_PSK;
1212 case WPA_SEL(WPA_ASE_NONE):
1213 return WPA_ASE_NONE;
1214 }
1215 return 0; /* NB: so is discarded */
1216#undef WPA_SEL
1217}
1218
1219/*
1220 * Parse a WPA information element to collect parameters.
1221 * Note that we do not validate security parameters; that
1222 * is handled by the authenticator; the parsing done here
1223 * is just for internal use in making operational decisions.
1224 */
1225static int
1226ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1227 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1228{
1229 uint8_t len = frm[1];
1230 uint32_t w;
1231 int n;
1232
1233 /*
1234 * Check the length once for fixed parts: OUI, type,
1235 * version, mcast cipher, and 2 selector counts.
1236 * Other, variable-length data, must be checked separately.
1237 */
1238 if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1239 IEEE80211_DISCARD_IE(vap,
1240 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1241 wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1242 return IEEE80211_REASON_IE_INVALID;
1243 }
1244 if (len < 14) {
1245 IEEE80211_DISCARD_IE(vap,
1246 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1247 wh, "WPA", "too short, len %u", len);
1248 return IEEE80211_REASON_IE_INVALID;
1249 }
1250 frm += 6, len -= 4; /* NB: len is payload only */
1251 /* NB: iswpaoui already validated the OUI and type */
1252 w = LE_READ_2(frm);
1253 if (w != WPA_VERSION) {
1254 IEEE80211_DISCARD_IE(vap,
1255 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1256 wh, "WPA", "bad version %u", w);
1257 return IEEE80211_REASON_IE_INVALID;
1258 }
1259 frm += 2, len -= 2;
1260
1261 memset(rsn, 0, sizeof(*rsn));
1262
1263 /* multicast/group cipher */
1264 rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1265 frm += 4, len -= 4;
1266
1267 /* unicast ciphers */
1268 n = LE_READ_2(frm);
1269 frm += 2, len -= 2;
1270 if (len < n*4+2) {
1271 IEEE80211_DISCARD_IE(vap,
1272 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1273 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1274 len, n);
1275 return IEEE80211_REASON_IE_INVALID;
1276 }
1277 w = 0;
1278 for (; n > 0; n--) {
1279 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1280 frm += 4, len -= 4;
1281 }
1282 if (w & (1<<IEEE80211_CIPHER_TKIP))
1283 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1284 else
1285 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1286
1287 /* key management algorithms */
1288 n = LE_READ_2(frm);
1289 frm += 2, len -= 2;
1290 if (len < n*4) {
1291 IEEE80211_DISCARD_IE(vap,
1292 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1293 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1294 len, n);
1295 return IEEE80211_REASON_IE_INVALID;
1296 }
1297 w = 0;
1298 for (; n > 0; n--) {
1299 w |= wpa_keymgmt(frm);
1300 frm += 4, len -= 4;
1301 }
1302 if (w & WPA_ASE_8021X_UNSPEC)
1303 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1304 else
1305 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1306
1307 if (len > 2) /* optional capabilities */
1308 rsn->rsn_caps = LE_READ_2(frm);
1309
1310 return 0;
1311}
1312
1313/*
1314 * Convert an RSN cipher selector OUI to an internal
1315 * cipher algorithm. Where appropriate we also
1316 * record any key length.
1317 */
1318static int
1319rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1320{
1321#define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1322 uint32_t w = LE_READ_4(sel);
1323
1324 switch (w) {
1325 case RSN_SEL(RSN_CSE_NULL):
1326 return IEEE80211_CIPHER_NONE;
1327 case RSN_SEL(RSN_CSE_WEP40):
1328 if (keylen)
1329 *keylen = 40 / NBBY;
1330 return IEEE80211_CIPHER_WEP;
1331 case RSN_SEL(RSN_CSE_WEP104):
1332 if (keylen)
1333 *keylen = 104 / NBBY;
1334 return IEEE80211_CIPHER_WEP;
1335 case RSN_SEL(RSN_CSE_TKIP):
1336 return IEEE80211_CIPHER_TKIP;
1337 case RSN_SEL(RSN_CSE_CCMP):
1338 return IEEE80211_CIPHER_AES_CCM;
1339 case RSN_SEL(RSN_CSE_WRAP):
1340 return IEEE80211_CIPHER_AES_OCB;
1341 }
1342 return 32; /* NB: so 1<< is discarded */
1343#undef WPA_SEL
1344}
1345
1346/*
1347 * Convert an RSN key management/authentication algorithm
1348 * to an internal code.
1349 */
1350static int
1351rsn_keymgmt(const uint8_t *sel)
1352{
1353#define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1354 uint32_t w = LE_READ_4(sel);
1355
1356 switch (w) {
1357 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1358 return RSN_ASE_8021X_UNSPEC;
1359 case RSN_SEL(RSN_ASE_8021X_PSK):
1360 return RSN_ASE_8021X_PSK;
1361 case RSN_SEL(RSN_ASE_NONE):
1362 return RSN_ASE_NONE;
1363 }
1364 return 0; /* NB: so is discarded */
1365#undef RSN_SEL
1366}
1367
1368/*
1369 * Parse a WPA/RSN information element to collect parameters
1370 * and validate the parameters against what has been
1371 * configured for the system.
1372 */
1373static int
1374ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1375 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1376{
1377 uint8_t len = frm[1];
1378 uint32_t w;
1379 int n;
1380
1381 /*
1382 * Check the length once for fixed parts:
1383 * version, mcast cipher, and 2 selector counts.
1384 * Other, variable-length data, must be checked separately.
1385 */
1386 if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1387 IEEE80211_DISCARD_IE(vap,
1388 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1389 wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1390 return IEEE80211_REASON_IE_INVALID;
1391 }
1392 if (len < 10) {
1393 IEEE80211_DISCARD_IE(vap,
1394 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1395 wh, "RSN", "too short, len %u", len);
1396 return IEEE80211_REASON_IE_INVALID;
1397 }
1398 frm += 2;
1399 w = LE_READ_2(frm);
1400 if (w != RSN_VERSION) {
1401 IEEE80211_DISCARD_IE(vap,
1402 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1403 wh, "RSN", "bad version %u", w);
1404 return IEEE80211_REASON_IE_INVALID;
1405 }
1406 frm += 2, len -= 2;
1407
1408 memset(rsn, 0, sizeof(*rsn));
1409
1410 /* multicast/group cipher */
1411 rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1412 frm += 4, len -= 4;
1413
1414 /* unicast ciphers */
1415 n = LE_READ_2(frm);
1416 frm += 2, len -= 2;
1417 if (len < n*4+2) {
1418 IEEE80211_DISCARD_IE(vap,
1419 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1420 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1421 len, n);
1422 return IEEE80211_REASON_IE_INVALID;
1423 }
1424 w = 0;
1425 for (; n > 0; n--) {
1426 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1427 frm += 4, len -= 4;
1428 }
1429 if (w & (1<<IEEE80211_CIPHER_TKIP))
1430 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1431 else
1432 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1433
1434 /* key management algorithms */
1435 n = LE_READ_2(frm);
1436 frm += 2, len -= 2;
1437 if (len < n*4) {
1438 IEEE80211_DISCARD_IE(vap,
1439 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1440 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1441 len, n);
1442 return IEEE80211_REASON_IE_INVALID;
1443 }
1444 w = 0;
1445 for (; n > 0; n--) {
1446 w |= rsn_keymgmt(frm);
1447 frm += 4, len -= 4;
1448 }
1449 if (w & RSN_ASE_8021X_UNSPEC)
1450 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1451 else
1452 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1453
1454 /* optional RSN capabilities */
1455 if (len > 2)
1456 rsn->rsn_caps = LE_READ_2(frm);
1457 /* XXXPMKID */
1458
1459 return 0;
1460}
1461
1462/*
1463 * WPA/802.11i assocation request processing.
1464 */
1465static int
1466wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1467 const struct ieee80211_frame *wh, const uint8_t *wpa,
1468 const uint8_t *rsn, uint16_t capinfo)
1469{
1470 struct ieee80211vap *vap = ni->ni_vap;
1471 uint8_t reason;
1472 int badwparsn;
1473
1474 ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1475 if (wpa == NULL && rsn == NULL) {
1476 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1477 /*
1478 * W-Fi Protected Setup (WPS) permits
1479 * clients to associate and pass EAPOL frames
1480 * to establish initial credentials.
1481 */
1482 ni->ni_flags |= IEEE80211_NODE_WPS;
1483 return 1;
1484 }
1485 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1486 (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1487 /*
1488 * Transitional Security Network. Permits clients
1489 * to associate and use WEP while WPA is configured.
1490 */
1491 ni->ni_flags |= IEEE80211_NODE_TSN;
1492 return 1;
1493 }
1494 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1495 wh, NULL, "%s", "no WPA/RSN IE in association request");
1496 vap->iv_stats.is_rx_assoc_badwpaie++;
1497 reason = IEEE80211_REASON_IE_INVALID;
1498 goto bad;
1499 }
1500 /* assert right association security credentials */
1501 badwparsn = 0; /* NB: to silence compiler */
1502 switch (vap->iv_flags & IEEE80211_F_WPA) {
1503 case IEEE80211_F_WPA1:
1504 badwparsn = (wpa == NULL);
1505 break;
1506 case IEEE80211_F_WPA2:
1507 badwparsn = (rsn == NULL);
1508 break;
1509 case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1510 badwparsn = (wpa == NULL && rsn == NULL);
1511 break;
1512 }
1513 if (badwparsn) {
1514 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1515 wh, NULL,
1516 "%s", "missing WPA/RSN IE in association request");
1517 vap->iv_stats.is_rx_assoc_badwpaie++;
1518 reason = IEEE80211_REASON_IE_INVALID;
1519 goto bad;
1520 }
1521 /*
1522 * Parse WPA/RSN information element.
1523 */
1524 if (wpa != NULL)
1525 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1526 else
1527 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1528 if (reason != 0) {
1529 /* XXX distinguish WPA/RSN? */
1530 vap->iv_stats.is_rx_assoc_badwpaie++;
1531 goto bad;
1532 }
1533 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1534 "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1535 wpa != NULL ? "WPA" : "RSN",
1536 rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1537 rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1538 rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1539
1540 return 1;
1541bad:
1542 ieee80211_node_deauth(ni, reason);
1543 return 0;
1544}
1545
1546/* XXX find a better place for definition */
1547struct l2_update_frame {
1548 struct ether_header eh;
1549 uint8_t dsap;
1550 uint8_t ssap;
1551 uint8_t control;
1552 uint8_t xid[3];
1553} __packed;
1554
1555/*
1556 * Deliver a TGf L2UF frame on behalf of a station.
1557 * This primes any bridge when the station is roaming
1558 * between ap's on the same wired network.
1559 */
1560static void
1561ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1562{
1563 struct ieee80211vap *vap = ni->ni_vap;
1564 struct ifnet *ifp = vap->iv_ifp;
1565 struct mbuf *m;
1566 struct l2_update_frame *l2uf;
1567 struct ether_header *eh;
1568
543d1dec 1569 m = m_gethdr(MB_DONTWAIT, MT_DATA);
32176cfd
RP
1570 if (m == NULL) {
1571 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1572 "%s", "no mbuf for l2uf frame");
1573 vap->iv_stats.is_rx_nobuf++; /* XXX not right */
1574 return;
1575 }
1576 l2uf = mtod(m, struct l2_update_frame *);
1577 eh = &l2uf->eh;
1578 /* dst: Broadcast address */
1579 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1580 /* src: associated STA */
1581 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1582 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1583
1584 l2uf->dsap = 0;
1585 l2uf->ssap = 0;
1586 l2uf->control = 0xf5;
1587 l2uf->xid[0] = 0x81;
1588 l2uf->xid[1] = 0x80;
1589 l2uf->xid[2] = 0x00;
1590
1591 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1592 hostap_deliver_data(vap, ni, m);
1593}
1594
1595static void
1596ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1597 int reassoc, int resp, const char *tag, int rate)
1598{
1599 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1600 "deny %s request, %s rate set mismatch, rate/MCS %d",
1601 reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1602 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1603 ieee80211_node_leave(ni);
1604}
1605
1606static void
1607capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1608 int reassoc, int resp, const char *tag, int capinfo)
1609{
1610 struct ieee80211vap *vap = ni->ni_vap;
1611
1612 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1613 "deny %s request, %s mismatch 0x%x",
1614 reassoc ? "reassoc" : "assoc", tag, capinfo);
1615 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1616 ieee80211_node_leave(ni);
1617 vap->iv_stats.is_rx_assoc_capmismatch++;
1618}
1619
1620static void
1621htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1622 int reassoc, int resp)
1623{
1624 IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1625 "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1626 /* XXX no better code */
1627 IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1628 ieee80211_node_leave(ni);
1629}
1630
1631static void
1632authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1633 int algo, int seq, int status)
1634{
1635 struct ieee80211vap *vap = ni->ni_vap;
1636
1637 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1638 wh, NULL, "unsupported alg %d", algo);
1639 vap->iv_stats.is_rx_auth_unsupported++;
1640 ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1641 seq | (status << 16));
1642}
1643
1644static __inline int
1645ishtmixed(const uint8_t *ie)
1646{
1647 const struct ieee80211_ie_htinfo *ht =
1648 (const struct ieee80211_ie_htinfo *) ie;
1649 return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1650 IEEE80211_HTINFO_OPMODE_MIXED;
1651}
1652
1653static int
1654is11bclient(const uint8_t *rates, const uint8_t *xrates)
1655{
1656 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1657 int i;
1658
1659 /* NB: the 11b clients we care about will not have xrates */
1660 if (xrates != NULL || rates == NULL)
1661 return 0;
1662 for (i = 0; i < rates[1]; i++) {
1663 int r = rates[2+i] & IEEE80211_RATE_VAL;
1664 if (r > 2*11 || ((1<<r) & brates) == 0)
1665 return 0;
1666 }
1667 return 1;
1668}
1669
1670static void
1671hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1672 int subtype, int rssi, int nf)
1673{
1674 struct ieee80211vap *vap = ni->ni_vap;
1675 struct ieee80211com *ic = ni->ni_ic;
1676 struct ieee80211_frame *wh;
1677 uint8_t *frm, *efrm, *sfrm;
1678 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1679 int reassoc, resp;
1680 uint8_t rate;
1681
1682 wh = mtod(m0, struct ieee80211_frame *);
1683 frm = (uint8_t *)&wh[1];
1684 efrm = mtod(m0, uint8_t *) + m0->m_len;
1685 switch (subtype) {
1686 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1687 case IEEE80211_FC0_SUBTYPE_BEACON: {
1688 struct ieee80211_scanparams scan;
1689 /*
1690 * We process beacon/probe response frames when scanning;
1691 * otherwise we check beacon frames for overlapping non-ERP
1692 * BSS in 11g and/or overlapping legacy BSS when in HT.
1693 */
1694 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1695 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1696 vap->iv_stats.is_rx_mgtdiscard++;
1697 return;
1698 }
1699 /* NB: accept off-channel frames */
1700 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1701 return;
1702 /*
1703 * Count frame now that we know it's to be processed.
1704 */
1705 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1706 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1707 IEEE80211_NODE_STAT(ni, rx_beacons);
1708 } else
1709 IEEE80211_NODE_STAT(ni, rx_proberesp);
1710 /*
1711 * If scanning, just pass information to the scan module.
1712 */
1713 if (ic->ic_flags & IEEE80211_F_SCAN) {
1714 if (scan.status == 0 && /* NB: on channel */
1715 (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1716 /*
1717 * Actively scanning a channel marked passive;
1718 * send a probe request now that we know there
1719 * is 802.11 traffic present.
1720 *
1721 * XXX check if the beacon we recv'd gives
1722 * us what we need and suppress the probe req
1723 */
1724 ieee80211_probe_curchan(vap, 1);
1725 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1726 }
1727 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1728 return;
1729 }
1730 /*
1731 * Check beacon for overlapping bss w/ non ERP stations.
1732 * If we detect one and protection is configured but not
1733 * enabled, enable it and start a timer that'll bring us
1734 * out if we stop seeing the bss.
1735 */
1736 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1737 scan.status == 0 && /* NB: on-channel */
1738 ((scan.erp & 0x100) == 0 || /* NB: no ERP, 11b sta*/
1739 (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1740 ic->ic_lastnonerp = ticks;
1741 ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1742 if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1743 (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1744 IEEE80211_NOTE_FRAME(vap,
1745 IEEE80211_MSG_ASSOC, wh,
1746 "non-ERP present on channel %d "
1747 "(saw erp 0x%x from channel %d), "
1748 "enable use of protection",
1749 ic->ic_curchan->ic_ieee,
1750 scan.erp, scan.chan);
1751 ic->ic_flags |= IEEE80211_F_USEPROT;
1752 ieee80211_notify_erp(ic);
1753 }
1754 }
1755 /*
1756 * Check beacon for non-HT station on HT channel
1757 * and update HT BSS occupancy as appropriate.
1758 */
1759 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1760 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1761 /*
1762 * Off control channel; only check frames
1763 * that come in the extension channel when
1764 * operating w/ HT40.
1765 */
1766 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1767 break;
1768 if (scan.chan != ic->ic_curchan->ic_extieee)
1769 break;
1770 }
1771 if (scan.htinfo == NULL) {
1772 ieee80211_htprot_update(ic,
1773 IEEE80211_HTINFO_OPMODE_PROTOPT |
1774 IEEE80211_HTINFO_NONHT_PRESENT);
1775 } else if (ishtmixed(scan.htinfo)) {
1776 /* XXX? take NONHT_PRESENT from beacon? */
1777 ieee80211_htprot_update(ic,
1778 IEEE80211_HTINFO_OPMODE_MIXED |
1779 IEEE80211_HTINFO_NONHT_PRESENT);
1780 }
1781 }
1782 break;
1783 }
1784
1785 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1786 if (vap->iv_state != IEEE80211_S_RUN) {
1787 vap->iv_stats.is_rx_mgtdiscard++;
1788 return;
1789 }
1790 /*
1791 * prreq frame format
1792 * [tlv] ssid
1793 * [tlv] supported rates
1794 * [tlv] extended supported rates
1795 */
1796 ssid = rates = xrates = NULL;
1797 sfrm = frm;
1798 while (efrm - frm > 1) {
1799 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1800 switch (*frm) {
1801 case IEEE80211_ELEMID_SSID:
1802 ssid = frm;
1803 break;
1804 case IEEE80211_ELEMID_RATES:
1805 rates = frm;
1806 break;
1807 case IEEE80211_ELEMID_XRATES:
1808 xrates = frm;
1809 break;
1810 }
1811 frm += frm[1] + 2;
1812 }
1813 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1814 if (xrates != NULL)
1815 IEEE80211_VERIFY_ELEMENT(xrates,
1816 IEEE80211_RATE_MAXSIZE - rates[1], return);
1817 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1818 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1819 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1821 wh, NULL,
1822 "%s", "no ssid with ssid suppression enabled");
1823 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1824 return;
1825 }
1826
1827 /* XXX find a better class or define it's own */
1828 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1829 "%s", "recv probe req");
1830 /*
1831 * Some legacy 11b clients cannot hack a complete
1832 * probe response frame. When the request includes
1833 * only a bare-bones rate set, communicate this to
1834 * the transmit side.
1835 */
1836 ieee80211_send_proberesp(vap, wh->i_addr2,
1837 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1838 break;
1839
1840 case IEEE80211_FC0_SUBTYPE_AUTH: {
1841 uint16_t algo, seq, status;
1842
1843 if (vap->iv_state != IEEE80211_S_RUN) {
1844 vap->iv_stats.is_rx_mgtdiscard++;
1845 return;
1846 }
1847 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1848 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1849 wh, NULL, "%s", "wrong bssid");
1850 vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1851 return;
1852 }
1853 /*
1854 * auth frame format
1855 * [2] algorithm
1856 * [2] sequence
1857 * [2] status
1858 * [tlv*] challenge
1859 */
1860 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1861 algo = le16toh(*(uint16_t *)frm);
1862 seq = le16toh(*(uint16_t *)(frm + 2));
1863 status = le16toh(*(uint16_t *)(frm + 4));
1864 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1865 "recv auth frame with algorithm %d seq %d", algo, seq);
1866 /*
1867 * Consult the ACL policy module if setup.
1868 */
1869 if (vap->iv_acl != NULL &&
1870 !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1871 IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1872 wh, NULL, "%s", "disallowed by ACL");
1873 vap->iv_stats.is_rx_acl++;
1874 ieee80211_send_error(ni, wh->i_addr2,
1875 IEEE80211_FC0_SUBTYPE_AUTH,
1876 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1877 return;
1878 }
1879 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1880 IEEE80211_DISCARD(vap,
1881 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1882 wh, NULL, "%s", "TKIP countermeasures enabled");
1883 vap->iv_stats.is_rx_auth_countermeasures++;
1884 ieee80211_send_error(ni, wh->i_addr2,
1885 IEEE80211_FC0_SUBTYPE_AUTH,
1886 IEEE80211_REASON_MIC_FAILURE);
1887 return;
1888 }
1889 if (algo == IEEE80211_AUTH_ALG_SHARED)
1890 hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1891 seq, status);
1892 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1893 hostap_auth_open(ni, wh, rssi, nf, seq, status);
1894 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1895 authalgreject(ni, wh, algo,
1896 seq+1, IEEE80211_STATUS_ALG);
1897 return;
1898 } else {
1899 /*
1900 * We assume that an unknown algorithm is the result
1901 * of a decryption failure on a shared key auth frame;
1902 * return a status code appropriate for that instead
1903 * of IEEE80211_STATUS_ALG.
1904 *
1905 * NB: a seq# of 4 is intentional; the decrypted
1906 * frame likely has a bogus seq value.
1907 */
1908 authalgreject(ni, wh, algo,
1909 4, IEEE80211_STATUS_CHALLENGE);
1910 return;
1911 }
1912 break;
1913 }
1914
1915 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1916 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1917 uint16_t capinfo, lintval;
1918 struct ieee80211_rsnparms rsnparms;
1919
1920 if (vap->iv_state != IEEE80211_S_RUN) {
1921 vap->iv_stats.is_rx_mgtdiscard++;
1922 return;
1923 }
1924 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1925 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1926 wh, NULL, "%s", "wrong bssid");
1927 vap->iv_stats.is_rx_assoc_bss++;
1928 return;
1929 }
1930 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1931 reassoc = 1;
1932 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1933 } else {
1934 reassoc = 0;
1935 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1936 }
1937 if (ni == vap->iv_bss) {
1938 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1939 "deny %s request, sta not authenticated",
1940 reassoc ? "reassoc" : "assoc");
1941 ieee80211_send_error(ni, wh->i_addr2,
1942 IEEE80211_FC0_SUBTYPE_DEAUTH,
1943 IEEE80211_REASON_ASSOC_NOT_AUTHED);
1944 vap->iv_stats.is_rx_assoc_notauth++;
1945 return;
1946 }
1947
1948 /*
1949 * asreq frame format
1950 * [2] capability information
1951 * [2] listen interval
1952 * [6*] current AP address (reassoc only)
1953 * [tlv] ssid
1954 * [tlv] supported rates
1955 * [tlv] extended supported rates
1956 * [tlv] WPA or RSN
1957 * [tlv] HT capabilities
1958 * [tlv] Atheros capabilities
1959 */
1960 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1961 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1962 lintval = le16toh(*(uint16_t *)frm); frm += 2;
1963 if (reassoc)
1964 frm += 6; /* ignore current AP info */
1965 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1966 sfrm = frm;
1967 while (efrm - frm > 1) {
1968 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1969 switch (*frm) {
1970 case IEEE80211_ELEMID_SSID:
1971 ssid = frm;
1972 break;
1973 case IEEE80211_ELEMID_RATES:
1974 rates = frm;
1975 break;
1976 case IEEE80211_ELEMID_XRATES:
1977 xrates = frm;
1978 break;
1979 case IEEE80211_ELEMID_RSN:
1980 rsn = frm;
1981 break;
1982 case IEEE80211_ELEMID_HTCAP:
1983 htcap = frm;
1984 break;
1985 case IEEE80211_ELEMID_VENDOR:
1986 if (iswpaoui(frm))
1987 wpa = frm;
1988 else if (iswmeinfo(frm))
1989 wme = frm;
1990#ifdef IEEE80211_SUPPORT_SUPERG
1991 else if (isatherosoui(frm))
1992 ath = frm;
1993#endif
1994 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1995 if (ishtcapoui(frm) && htcap == NULL)
1996 htcap = frm;
1997 }
1998 break;
1999 }
2000 frm += frm[1] + 2;
2001 }
2002 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2003 if (xrates != NULL)
2004 IEEE80211_VERIFY_ELEMENT(xrates,
2005 IEEE80211_RATE_MAXSIZE - rates[1], return);
2006 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2007 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2008 if (htcap != NULL) {
2009 IEEE80211_VERIFY_LENGTH(htcap[1],
2010 htcap[0] == IEEE80211_ELEMID_VENDOR ?
2011 4 + sizeof(struct ieee80211_ie_htcap)-2 :
2012 sizeof(struct ieee80211_ie_htcap)-2,
2013 return); /* XXX just NULL out? */
2014 }
2015
2016 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2017 !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2018 return;
2019 /* discard challenge after association */
2020 if (ni->ni_challenge != NULL) {
2021 kfree(ni->ni_challenge, M_80211_NODE);
2022 ni->ni_challenge = NULL;
2023 }
2024 /* NB: 802.11 spec says to ignore station's privacy bit */
2025 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2026 capinfomismatch(ni, wh, reassoc, resp,
2027 "capability", capinfo);
2028 return;
2029 }
2030 /*
2031 * Disallow re-associate w/ invalid slot time setting.
2032 */
2033 if (ni->ni_associd != 0 &&
2034 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2035 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2036 capinfomismatch(ni, wh, reassoc, resp,
2037 "slot time", capinfo);
2038 return;
2039 }
2040 rate = ieee80211_setup_rates(ni, rates, xrates,
2041 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2042 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2043 if (rate & IEEE80211_RATE_BASIC) {
2044 ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2045 vap->iv_stats.is_rx_assoc_norate++;
2046 return;
2047 }
2048 /*
2049 * If constrained to 11g-only stations reject an
2050 * 11b-only station. We cheat a bit here by looking
2051 * at the max negotiated xmit rate and assuming anyone
2052 * with a best rate <24Mb/s is an 11b station.
2053 */
2054 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2055 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2056 vap->iv_stats.is_rx_assoc_norate++;
2057 return;
2058 }
2059 /*
2060 * Do HT rate set handling and setup HT node state.
2061 */
2062 ni->ni_chan = vap->iv_bss->ni_chan;
2063 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2064 rate = ieee80211_setup_htrates(ni, htcap,
2065 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2066 IEEE80211_F_DOBRS);
2067 if (rate & IEEE80211_RATE_BASIC) {
2068 ratesetmismatch(ni, wh, reassoc, resp,
2069 "HT", rate);
2070 vap->iv_stats.is_ht_assoc_norate++;
2071 return;
2072 }
2073 ieee80211_ht_node_init(ni);
2074 ieee80211_ht_updatehtcap(ni, htcap);
2075 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2076 ieee80211_ht_node_cleanup(ni);
2077#ifdef IEEE80211_SUPPORT_SUPERG
2078 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH)
2079 ieee80211_ff_node_cleanup(ni);
2080#endif
2081 /*
2082 * Allow AMPDU operation only with unencrypted traffic
2083 * or AES-CCM; the 11n spec only specifies these ciphers
2084 * so permitting any others is undefined and can lead
2085 * to interoperability problems.
2086 */
2087 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2088 (((vap->iv_flags & IEEE80211_F_WPA) &&
2089 rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2090 (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2091 IEEE80211_NOTE(vap,
2092 IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2093 "disallow HT use because WEP or TKIP requested, "
2094 "capinfo 0x%x ucastcipher %d", capinfo,
2095 rsnparms.rsn_ucastcipher);
2096 ieee80211_ht_node_cleanup(ni);
2097 vap->iv_stats.is_ht_assoc_downgrade++;
2098 }
2099 /*
2100 * If constrained to 11n-only stations reject legacy stations.
2101 */
2102 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2103 (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2104 htcapmismatch(ni, wh, reassoc, resp);
2105 vap->iv_stats.is_ht_assoc_nohtcap++;
2106 return;
2107 }
2108 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2109 ni->ni_noise = nf;
2110 ni->ni_intval = lintval;
2111 ni->ni_capinfo = capinfo;
2112 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2113 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2114 /*
2115 * Store the IEs.
2116 * XXX maybe better to just expand
2117 */
2118 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2119#define setie(_ie, _off) ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2120 if (wpa != NULL)
2121 setie(wpa_ie, wpa - sfrm);
2122 if (rsn != NULL)
2123 setie(rsn_ie, rsn - sfrm);
2124 if (htcap != NULL)
2125 setie(htcap_ie, htcap - sfrm);
2126 if (wme != NULL) {
2127 setie(wme_ie, wme - sfrm);
2128 /*
2129 * Mark node as capable of QoS.
2130 */
2131 ni->ni_flags |= IEEE80211_NODE_QOS;
2132 } else
2133 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2134#ifdef IEEE80211_SUPPORT_SUPERG
2135 if (ath != NULL) {
2136 setie(ath_ie, ath - sfrm);
2137 /*
2138 * Parse ATH station parameters.
2139 */
2140 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2141 } else
2142#endif
2143 ni->ni_ath_flags = 0;
2144#undef setie
2145 } else {
2146 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2147 ni->ni_ath_flags = 0;
2148 }
2149 ieee80211_node_join(ni, resp);
2150 ieee80211_deliver_l2uf(ni);
2151 break;
2152 }
2153
2154 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2155 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2156 uint16_t reason;
2157
2158 if (vap->iv_state != IEEE80211_S_RUN ||
2159 /* NB: can happen when in promiscuous mode */
2160 !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2161 vap->iv_stats.is_rx_mgtdiscard++;
2162 break;
2163 }
2164 /*
2165 * deauth/disassoc frame format
2166 * [2] reason
2167 */
2168 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2169 reason = le16toh(*(uint16_t *)frm);
2170 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2171 vap->iv_stats.is_rx_deauth++;
2172 IEEE80211_NODE_STAT(ni, rx_deauth);
2173 } else {
2174 vap->iv_stats.is_rx_disassoc++;
2175 IEEE80211_NODE_STAT(ni, rx_disassoc);
2176 }
2177 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2178 "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2179 IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2180 if (ni != vap->iv_bss)
2181 ieee80211_node_leave(ni);
2182 break;
2183 }
2184
2185 case IEEE80211_FC0_SUBTYPE_ACTION:
2186 if (vap->iv_state == IEEE80211_S_RUN) {
2187 if (ieee80211_parse_action(ni, m0) == 0)
2188 ic->ic_recv_action(ni, wh, frm, efrm);
2189 } else
2190 vap->iv_stats.is_rx_mgtdiscard++;
2191 break;
2192
2193 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2194 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2195 default:
2196 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2197 wh, "mgt", "subtype 0x%x not handled", subtype);
2198 vap->iv_stats.is_rx_badsubtype++;
2199 break;
2200 }
2201}
2202
2203static void
2204hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2205{
2206 switch (subtype) {
2207 case IEEE80211_FC0_SUBTYPE_PS_POLL:
2208 hostap_recv_pspoll(ni, m);
2209 break;
2210 case IEEE80211_FC0_SUBTYPE_BAR:
2211 ieee80211_recv_bar(ni, m);
2212 break;
2213 }
2214}
2215
2216/*
2217 * Process a received ps-poll frame.
2218 */
2219static void
2220hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2221{
2222 struct ieee80211vap *vap = ni->ni_vap;
2223 struct ieee80211_frame_min *wh;
2224 struct ifnet *ifp;
2225 struct mbuf *m;
2226 uint16_t aid;
2227 int qlen;
2228
2229 wh = mtod(m0, struct ieee80211_frame_min *);
2230 if (ni->ni_associd == 0) {
2231 IEEE80211_DISCARD(vap,
2232 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2233 (struct ieee80211_frame *) wh, NULL,
2234 "%s", "unassociated station");
2235 vap->iv_stats.is_ps_unassoc++;
2236 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2237 IEEE80211_REASON_NOT_ASSOCED);
2238 return;
2239 }
2240
2241 aid = le16toh(*(uint16_t *)wh->i_dur);
2242 if (aid != ni->ni_associd) {
2243 IEEE80211_DISCARD(vap,
2244 IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2245 (struct ieee80211_frame *) wh, NULL,
2246 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2247 ni->ni_associd, aid);
2248 vap->iv_stats.is_ps_badaid++;
2249 /*
2250 * NB: We used to deauth the station but it turns out
2251 * the Blackberry Curve 8230 (and perhaps other devices)
2252 * sometimes send the wrong AID when WME is negotiated.
2253 * Being more lenient here seems ok as we already check
2254 * the station is associated and we only return frames
2255 * queued for the station (i.e. we don't use the AID).
2256 */
2257 return;
2258 }
2259
2260 /* Okay, take the first queued packet and put it out... */
2261 m = ieee80211_node_psq_dequeue(ni, &qlen);
2262 if (m == NULL) {
2263 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2264 "%s", "recv ps-poll, but queue empty");
2265 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2266 vap->iv_stats.is_ps_qempty++; /* XXX node stat */
2267 if (vap->iv_set_tim != NULL)
2268 vap->iv_set_tim(ni, 0); /* just in case */
2269 return;
2270 }
2271 /*
2272 * If there are more packets, set the more packets bit
2273 * in the packet dispatched to the station; otherwise
2274 * turn off the TIM bit.
2275 */
2276 if (qlen != 0) {
2277 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2278 "recv ps-poll, send packet, %u still queued", qlen);
2279 m->m_flags |= M_MORE_DATA;
2280 } else {
2281 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2282 "%s", "recv ps-poll, send packet, queue empty");
2283 if (vap->iv_set_tim != NULL)
2284 vap->iv_set_tim(ni, 0);
2285 }
2286 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2287
2288 if (m->m_flags & M_ENCAP)
2289 ifp = vap->iv_ic->ic_ifp;
2290 else
2291 ifp = vap->iv_ifp;
2292 IF_ENQUEUE(&ifp->if_snd, m);
34a60cf6 2293 ifp->if_start(ifp);
32176cfd 2294}