1 /* $NetBSD: ieee80211_input.c,v 1.117 2022/11/19 07:57:51 yamt Exp $ */
2
3 /*
4 * Copyright (c) 2001 Atsushi Onoe
5 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
18 *
19 * Alternatively, this software may be distributed under the terms of the
20 * GNU General Public License ("GPL") version 2 as published by the Free
21 * Software Foundation.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include <sys/cdefs.h>
36 #ifdef __FreeBSD__
37 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $");
38 #endif
39 #ifdef __NetBSD__
40 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.117 2022/11/19 07:57:51 yamt Exp $");
41 #endif
42
43 #ifdef _KERNEL_OPT
44 #include "opt_inet.h"
45 #endif
46
47 #include <sys/param.h>
48 #include <sys/systm.h>
49 #include <sys/mbuf.h>
50 #include <sys/malloc.h>
51 #include <sys/endian.h>
52 #include <sys/kernel.h>
53
54 #include <sys/socket.h>
55 #include <sys/sockio.h>
56 #include <sys/endian.h>
57 #include <sys/errno.h>
58 #include <sys/proc.h>
59 #include <sys/sysctl.h>
60 #include <sys/cpu.h>
61
62 #include <net/if.h>
63 #include <net/if_media.h>
64 #include <net/if_arp.h>
65 #include <net/if_ether.h>
66 #include <net/if_llc.h>
67
68 #include <net80211/ieee80211_var.h>
69
70 #include <net/bpf.h>
71
72 #ifdef INET
73 #include <netinet/in.h>
74 #include <net/if_ether.h>
75 #endif
76
77 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0};
78
79 #ifdef IEEE80211_DEBUG
80
81 /*
82 * Decide if a received management frame should be
83 * printed when debugging is enabled. This filters some
84 * of the less interesting frames that come frequently
85 * (e.g. beacons).
86 */
87 static __inline int
doprint(struct ieee80211com * ic,int subtype)88 doprint(struct ieee80211com *ic, int subtype)
89 {
90 switch (subtype) {
91 case IEEE80211_FC0_SUBTYPE_BEACON:
92 return (ic->ic_flags & IEEE80211_F_SCAN);
93 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
94 return (ic->ic_opmode == IEEE80211_M_IBSS);
95 }
96 return 1;
97 }
98
99 /*
100 * Emit a debug message about discarding a frame or information
101 * element. One format is for extracting the mac address from
102 * the frame header; the other is for when a header is not
103 * available or otherwise appropriate.
104 */
105 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \
106 if ((_ic)->ic_debug & (_m)) \
107 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\
108 } while (0)
109 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \
110 if ((_ic)->ic_debug & (_m)) \
111 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\
112 } while (0)
113 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \
114 if ((_ic)->ic_debug & (_m)) \
115 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\
116 } while (0)
117 #define IEEE80211_DEBUGVAR(a) a
118
119 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *,
120 const struct ieee80211_frame *);
121 static void ieee80211_discard_frame(struct ieee80211com *,
122 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
123 static void ieee80211_discard_ie(struct ieee80211com *,
124 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
125 static void ieee80211_discard_mac(struct ieee80211com *,
126 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type,
127 const char *fmt, ...);
128 #else
129 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...)
130 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...)
131 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...)
132 #define IEEE80211_DEBUGVAR(a)
133 #endif /* IEEE80211_DEBUG */
134
135 static struct mbuf *ieee80211_defrag(struct ieee80211_node *,
136 struct mbuf *, int);
137 static struct mbuf *ieee80211_decap(struct mbuf *, int);
138 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
139 const u_int8_t *mac, int subtype, int arg);
140 static void ieee80211_deliver_data(struct ieee80211com *,
141 struct ieee80211_node *, struct mbuf *);
142 #ifndef IEEE80211_NO_HOSTAP
143 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable);
144 static void ieee80211_recv_pspoll(struct ieee80211com *,
145 struct ieee80211_node *, struct mbuf *);
146 #endif /* !IEEE80211_NO_HOSTAP */
147 static void ieee80211_update_adhoc_node(struct ieee80211com *,
148 struct ieee80211_node *, struct ieee80211_frame *,
149 struct ieee80211_scanparams *, int, u_int32_t);
150
151 /* -------------------------------------------------------------------------- */
152
153 /*
154 * Input code for a DATA frame.
155 */
156 static int
ieee80211_input_data(struct ieee80211com * ic,struct mbuf ** mp,struct ieee80211_node * ni)157 ieee80211_input_data(struct ieee80211com *ic, struct mbuf **mp,
158 struct ieee80211_node *ni)
159 {
160 struct ifnet *ifp = ic->ic_ifp;
161 struct ieee80211_key *key;
162 struct ieee80211_frame *wh;
163 u_int8_t dir, subtype;
164 struct ether_header *eh;
165 struct mbuf *m = *mp;
166 int hdrspace;
167
168 wh = mtod(m, struct ieee80211_frame *);
169 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
170 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
171
172 hdrspace = ieee80211_hdrspace(ic, wh);
173
174 if (m->m_len < hdrspace &&
175 (m = m_pullup(m, hdrspace)) == NULL) {
176 ic->ic_stats.is_rx_tooshort++;
177 goto out;
178 }
179 wh = mtod(m, struct ieee80211_frame *);
180
181 switch (ic->ic_opmode) {
182 case IEEE80211_M_STA:
183 if (dir != IEEE80211_FC1_DIR_FROMDS) {
184 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
185 wh, "data", "unknown dir 0x%x", dir);
186 ic->ic_stats.is_rx_wrongdir++;
187 goto out;
188 }
189 if ((ifp->if_flags & IFF_SIMPLEX) &&
190 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
191 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
192 /*
193 * In IEEE802.11 network, multicast packet
194 * sent from me is broadcast from AP.
195 * It should be silently discarded for
196 * SIMPLEX interface.
197 */
198 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
199 wh, NULL, "%s", "multicast echo");
200 ic->ic_stats.is_rx_mcastecho++;
201 goto out;
202 }
203 break;
204
205 case IEEE80211_M_IBSS:
206 case IEEE80211_M_AHDEMO:
207 if (dir != IEEE80211_FC1_DIR_NODS) {
208 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
209 wh, "data", "unknown dir 0x%x", dir);
210 ic->ic_stats.is_rx_wrongdir++;
211 goto out;
212 }
213 /* XXX no power-save support */
214 break;
215
216 case IEEE80211_M_HOSTAP:
217 #ifndef IEEE80211_NO_HOSTAP
218 if (dir != IEEE80211_FC1_DIR_TODS) {
219 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
220 wh, "data", "unknown dir 0x%x", dir);
221 ic->ic_stats.is_rx_wrongdir++;
222 goto out;
223 }
224 /* check if source STA is associated */
225 if (ni == ic->ic_bss) {
226 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
227 wh, "data", "%s", "unknown src");
228 ieee80211_send_error(ic, ni, wh->i_addr2,
229 IEEE80211_FC0_SUBTYPE_DEAUTH,
230 IEEE80211_REASON_NOT_AUTHED);
231 ic->ic_stats.is_rx_notassoc++;
232 goto err;
233 }
234 if (ni->ni_associd == 0) {
235 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
236 wh, "data", "%s", "unassoc src");
237 IEEE80211_SEND_MGMT(ic, ni,
238 IEEE80211_FC0_SUBTYPE_DISASSOC,
239 IEEE80211_REASON_NOT_ASSOCED);
240 ic->ic_stats.is_rx_notassoc++;
241 goto err;
242 }
243
244 /*
245 * Check for power save state change.
246 */
247 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
248 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
249 ieee80211_node_pwrsave(ni,
250 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
251 #endif /* !IEEE80211_NO_HOSTAP */
252 break;
253
254 default:
255 /* XXX here to keep compiler happy */
256 goto out;
257 }
258
259 /*
260 * Handle privacy requirements. Note that we
261 * must not be preempted from here until after
262 * we (potentially) call ieee80211_crypto_demic;
263 * otherwise we may violate assumptions in the
264 * crypto cipher modules used to do delayed update
265 * of replay sequence numbers.
266 */
267 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
268 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
269 /*
270 * Discard encrypted frames when privacy is off.
271 */
272 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
273 wh, "WEP", "%s", "PRIVACY off");
274 ic->ic_stats.is_rx_noprivacy++;
275 IEEE80211_NODE_STAT(ni, rx_noprivacy);
276 goto out;
277 }
278 key = ieee80211_crypto_decap(ic, ni, &m, hdrspace);
279 if (key == NULL) {
280 /* NB: stats+msgs handled in crypto_decap */
281 IEEE80211_NODE_STAT(ni, rx_wepfail);
282 goto out;
283 }
284 wh = mtod(m, struct ieee80211_frame *);
285 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
286 } else {
287 key = NULL;
288 }
289
290 /*
291 * Next up, any fragmentation.
292 */
293 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
294 m = ieee80211_defrag(ni, m, hdrspace);
295 if (m == NULL) {
296 /* Fragment dropped or frame not complete yet */
297 goto out;
298 }
299 }
300
301 /*
302 * Next, strip any MSDU crypto bits.
303 */
304 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
305 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
306 ni->ni_macaddr, "data", "%s", "demic error");
307 IEEE80211_NODE_STAT(ni, rx_demicfail);
308 goto out;
309 }
310
311 /* copy to listener after decrypt */
312 bpf_mtap3(ic->ic_rawbpf, m, BPF_D_IN);
313
314 /*
315 * Finally, strip the 802.11 header.
316 */
317 m = ieee80211_decap(m, hdrspace);
318 if (m == NULL) {
319 /* don't count Null data frames as errors */
320 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA)
321 goto out;
322 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
323 ni->ni_macaddr, "data", "%s", "decap error");
324 ic->ic_stats.is_rx_decap++;
325 IEEE80211_NODE_STAT(ni, rx_decap);
326 goto err;
327 }
328
329 eh = mtod(m, struct ether_header *);
330 if (!ieee80211_node_is_authorized(ni)) {
331 /*
332 * Deny any non-PAE frames received prior to
333 * authorization. For open/shared-key
334 * authentication the port is mark authorized
335 * after authentication completes. For 802.1x
336 * the port is not marked authorized by the
337 * authenticator until the handshake has completed.
338 */
339 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
340 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
341 eh->ether_shost, "data",
342 "unauthorized port: ether type 0x%x len %u",
343 eh->ether_type, m->m_pkthdr.len);
344 ic->ic_stats.is_rx_unauth++;
345 IEEE80211_NODE_STAT(ni, rx_unauth);
346 goto err;
347 }
348 } else {
349 /*
350 * When denying unencrypted frames, discard
351 * any non-PAE frames received without encryption.
352 */
353 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
354 key == NULL && eh->ether_type != htons(ETHERTYPE_PAE)) {
355 /*
356 * Drop unencrypted frames.
357 */
358 ic->ic_stats.is_rx_unencrypted++;
359 IEEE80211_NODE_STAT(ni, rx_unencrypted);
360 goto out;
361 }
362 }
363
364 if_statinc(ifp, if_ipackets);
365 IEEE80211_NODE_STAT(ni, rx_data);
366 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
367
368 ieee80211_deliver_data(ic, ni, m);
369
370 *mp = NULL;
371 return 0;
372
373 err:
374 if_statinc(ifp, if_ierrors);
375 out:
376 *mp = m;
377 return -1;
378 }
379
380 /*
381 * Input code for a MANAGEMENT frame.
382 */
383 static int
ieee80211_input_management(struct ieee80211com * ic,struct mbuf ** mp,struct ieee80211_node * ni,int rssi,u_int32_t rstamp)384 ieee80211_input_management(struct ieee80211com *ic, struct mbuf **mp,
385 struct ieee80211_node *ni, int rssi, u_int32_t rstamp)
386 {
387 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
388 struct ifnet *ifp = ic->ic_ifp;
389 struct ieee80211_key *key;
390 struct ieee80211_frame *wh;
391 u_int8_t dir, subtype;
392 struct mbuf *m = *mp;
393 int hdrspace;
394
395 wh = mtod(m, struct ieee80211_frame *);
396 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
397 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
398
399 IEEE80211_NODE_STAT(ni, rx_mgmt);
400 if (dir != IEEE80211_FC1_DIR_NODS) {
401 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
402 wh, "data", "unknown dir 0x%x", dir);
403 ic->ic_stats.is_rx_wrongdir++;
404 goto err;
405 }
406 if (m->m_len < sizeof(struct ieee80211_frame)) {
407 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, ni->ni_macaddr,
408 "mgt", "too short: len %u", m->m_len);
409 ic->ic_stats.is_rx_tooshort++;
410 goto out;
411 }
412 #ifdef IEEE80211_DEBUG
413 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
414 ieee80211_msg_dumppkts(ic)) {
415 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
416 ieee80211_mgt_subtype_name[subtype >>
417 IEEE80211_FC0_SUBTYPE_SHIFT],
418 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
419 rssi);
420 }
421 #endif
422
423 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
424 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
425 /*
426 * Only shared key auth frames with a challenge
427 * should be encrypted, discard all others.
428 */
429 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
430 wh, ieee80211_mgt_subtype_name[subtype >>
431 IEEE80211_FC0_SUBTYPE_SHIFT],
432 "%s", "WEP set but not permitted");
433 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
434 goto out;
435 }
436 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
437 /*
438 * Discard encrypted frames when privacy is off.
439 */
440 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
441 wh, "mgt", "%s", "WEP set but PRIVACY off");
442 ic->ic_stats.is_rx_noprivacy++;
443 goto out;
444 }
445 hdrspace = ieee80211_hdrspace(ic, wh);
446 key = ieee80211_crypto_decap(ic, ni, &m, hdrspace);
447 if (key == NULL) {
448 /* NB: stats+msgs handled in crypto_decap */
449 goto out;
450 }
451 wh = mtod(m, struct ieee80211_frame *);
452 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
453 }
454
455 bpf_mtap3(ic->ic_rawbpf, m, BPF_D_IN);
456 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
457 m_freem(m);
458
459 *mp = NULL;
460 return 0;
461
462 err:
463 if_statinc(ifp, if_ierrors);
464 out:
465 *mp = m;
466 return -1;
467 }
468
469 /*
470 * Input code for a CONTROL frame.
471 */
472 static void
ieee80211_input_control(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)473 ieee80211_input_control(struct ieee80211com *ic, struct mbuf *m,
474 struct ieee80211_node *ni)
475 {
476 IEEE80211_NODE_STAT(ni, rx_ctrl);
477 ic->ic_stats.is_rx_ctl++;
478
479 #ifndef IEEE80211_NO_HOSTAP
480 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
481 struct ieee80211_frame *wh;
482 u_int8_t subtype;
483
484 wh = mtod(m, struct ieee80211_frame *);
485 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
486
487 switch (subtype) {
488 case IEEE80211_FC0_SUBTYPE_PS_POLL:
489 ieee80211_recv_pspoll(ic, ni, m);
490 break;
491 }
492 }
493 #endif
494 }
495
496 /* -------------------------------------------------------------------------- */
497
498 /*
499 * Process a received frame. The node associated with the sender
500 * should be supplied. If nothing was found in the node table then
501 * the caller is assumed to supply a reference to ic_bss instead.
502 * The RSSI and a timestamp are also supplied. The RSSI data is used
503 * during AP scanning to select a AP to associate with; it can have
504 * any units so long as values have consistent units and higher values
505 * mean ``better signal''. The receive timestamp is currently not used
506 * by the 802.11 layer.
507 */
508 int
ieee80211_input(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int rssi,u_int32_t rstamp)509 ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
510 struct ieee80211_node *ni, int rssi, u_int32_t rstamp)
511 {
512 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
513 #define HAS_SEQ(type) ((type & 0x4) == 0)
514 struct ifnet *ifp = ic->ic_ifp;
515 struct ieee80211_frame *wh;
516 u_int8_t dir, type;
517 u_int16_t rxseq;
518 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
519 int ret;
520
521 KASSERT(!cpu_intr_p());
522
523 IASSERT(ni != NULL, ("null node"));
524 ni->ni_inact = ni->ni_inact_reload;
525
526 /* trim CRC here so WEP can find its own CRC at the end of packet. */
527 if (m->m_flags & M_HASFCS) {
528 m_adj(m, -IEEE80211_CRC_LEN);
529 m->m_flags &= ~M_HASFCS;
530 }
531 type = -1; /* undefined */
532
533 /*
534 * In monitor mode, send everything directly to bpf.
535 * XXX may want to include the CRC
536 */
537 if (ic->ic_opmode == IEEE80211_M_MONITOR)
538 goto out;
539
540 if (m->m_len < sizeof(struct ieee80211_frame_min)) {
541 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
542 ni->ni_macaddr, NULL,
543 "too short (1): len %u", m->m_len);
544 ic->ic_stats.is_rx_tooshort++;
545 goto out;
546 }
547
548 /*
549 * Bit of a cheat here, we use a pointer for a 3-address
550 * frame format but don't reference fields past outside
551 * ieee80211_frame_min w/o first validating the data is
552 * present.
553 */
554 wh = mtod(m, struct ieee80211_frame *);
555
556 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
557 IEEE80211_FC0_VERSION_0) {
558 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
559 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
560 ic->ic_stats.is_rx_badversion++;
561 goto err;
562 }
563
564 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
565 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
566
567 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
568 u_int8_t *bssid;
569
570 switch (ic->ic_opmode) {
571 case IEEE80211_M_STA:
572 bssid = wh->i_addr2;
573 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
574 /* not interested in */
575 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
576 bssid, NULL, "node %s, %s",
577 ether_snprintf(ebuf, sizeof(ebuf),
578 ni->ni_bssid), "not to bss");
579 ic->ic_stats.is_rx_wrongbss++;
580 goto out;
581 }
582
583 /*
584 * Filter out packets not directed to us in case the
585 * device is in promiscuous mode
586 */
587 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
588 !IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
589 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
590 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
591 ic->ic_myaddr, ":", wh->i_addr1, ":");
592 ic->ic_stats.is_rx_wrongbss++;
593 goto out;
594 }
595 break;
596
597 case IEEE80211_M_IBSS:
598 case IEEE80211_M_AHDEMO:
599 case IEEE80211_M_HOSTAP:
600 if (dir != IEEE80211_FC1_DIR_NODS)
601 bssid = wh->i_addr1;
602 else if (type == IEEE80211_FC0_TYPE_CTL)
603 bssid = wh->i_addr1;
604 else {
605 if (m->m_len < sizeof(struct ieee80211_frame)) {
606 IEEE80211_DISCARD_MAC(ic,
607 IEEE80211_MSG_ANY, ni->ni_macaddr,
608 NULL, "too short (2): len %u",
609 m->m_len);
610 ic->ic_stats.is_rx_tooshort++;
611 goto out;
612 }
613 bssid = wh->i_addr3;
614 }
615 if (type != IEEE80211_FC0_TYPE_DATA)
616 break;
617
618 /*
619 * Data frame, validate the bssid.
620 */
621 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
622 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
623 /* not interested in */
624 IEEE80211_DEBUGVAR(
625 char bbuf[3 * ETHER_ADDR_LEN]);
626 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
627 bssid, NULL, "bss %s, broadcast %s, %s",
628 ether_snprintf(ebuf, sizeof(ebuf),
629 ic->ic_bss->ni_bssid),
630 ether_snprintf(bbuf, sizeof(bbuf),
631 ifp->if_broadcastaddr), "not to bss");
632 ic->ic_stats.is_rx_wrongbss++;
633 goto out;
634 }
635
636 /*
637 * For adhoc mode we cons up a node when it doesn't
638 * exist. This should probably be done after an ACL
639 * check.
640 */
641 if (ni == ic->ic_bss &&
642 ic->ic_opmode != IEEE80211_M_HOSTAP &&
643 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
644 /*
645 * Fake up a node for this newly
646 * discovered member of the IBSS.
647 */
648 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
649 wh->i_addr2);
650 if (ni == NULL) {
651 /* NB: stat kept for alloc failure */
652 goto err;
653 }
654 }
655 break;
656
657 default:
658 goto out;
659 }
660
661 ni->ni_rssi = rssi;
662 ni->ni_rstamp = rstamp;
663
664 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA ||
665 !IEEE80211_IS_MULTICAST(wh->i_addr1))) {
666 u_int8_t tid, retry;
667 u_int16_t rxno, orxno;
668
669 if (ieee80211_has_qos(wh)) {
670 struct ieee80211_qosframe *qosf;
671
672 if (m->m_len < sizeof(struct ieee80211_qosframe)) {
673 IEEE80211_DISCARD_MAC(ic,
674 IEEE80211_MSG_ANY,
675 ni->ni_macaddr, NULL,
676 "too short (1): len %u", m->m_len);
677 ic->ic_stats.is_rx_tooshort++;
678 goto out;
679 }
680 qosf = mtod(m, struct ieee80211_qosframe *);
681
682 tid = qosf->i_qos[0] & IEEE80211_QOS_TID;
683 if (TID_TO_WME_AC(tid) >= WME_AC_VI)
684 ic->ic_wme.wme_hipri_traffic++;
685 tid++;
686 } else {
687 tid = 0;
688 }
689
690 rxseq = le16toh(*(u_int16_t *)wh->i_seq);
691 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY;
692 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
693 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT;
694
695 if (retry && (
696 (orxno == 4095 && rxno == orxno) ||
697 (orxno != 4095 &&
698 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid]))
699 )) {
700 /* duplicate, discard */
701 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
702 bssid, "duplicate",
703 "seqno <%u,%u> fragno <%u,%u> tid %u",
704 rxno,
705 orxno,
706 rxseq & IEEE80211_SEQ_FRAG_MASK,
707 ni->ni_rxseqs[tid] &
708 IEEE80211_SEQ_FRAG_MASK,
709 tid);
710 ic->ic_stats.is_rx_dup++;
711 IEEE80211_NODE_STAT(ni, rx_dup);
712 goto out;
713 }
714 ni->ni_rxseqs[tid] = rxseq;
715 }
716 }
717
718 switch (type) {
719 case IEEE80211_FC0_TYPE_DATA:
720 ret = ieee80211_input_data(ic, &m, ni);
721 if (ret == -1) {
722 goto out;
723 }
724 return IEEE80211_FC0_TYPE_DATA;
725
726 case IEEE80211_FC0_TYPE_MGT:
727 ret = ieee80211_input_management(ic, &m, ni, rssi, rstamp);
728 if (ret == -1) {
729 goto out;
730 }
731 return IEEE80211_FC0_TYPE_MGT;
732
733 case IEEE80211_FC0_TYPE_CTL:
734 ieee80211_input_control(ic, m, ni);
735 goto out;
736
737 default:
738 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
739 wh, NULL, "bad frame type 0x%x", type);
740 /* should not come here */
741 break;
742 }
743
744 err:
745 if_statinc(ifp, if_ierrors);
746
747 out:
748 if (m != NULL) {
749 bpf_mtap3(ic->ic_rawbpf, m, BPF_D_IN);
750 m_freem(m);
751 }
752 return type;
753 #undef SEQ_LEQ
754 }
755
756 /*
757 * This function reassembles fragments.
758 */
759 static struct mbuf *
ieee80211_defrag(struct ieee80211_node * ni,struct mbuf * m,int hdrspace)760 ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace)
761 {
762 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
763 struct ieee80211_frame *lwh;
764 u_int16_t rxseq, iseq;
765 u_int8_t fragno;
766 const u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
767 struct mbuf *mfrag;
768
769 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
770
771 iseq = *(u_int16_t *)wh->i_seq;
772 rxseq = le16toh(iseq);
773 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
774
775 /* Quick way out, if there's nothing to defragment */
776 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
777 return m;
778
779 /*
780 * Remove frag to insure it doesn't get reaped by timer.
781 */
782 if (ni->ni_table == NULL) {
783 /*
784 * Should never happen. If the node is orphaned (not in
785 * the table) then input packets should not reach here.
786 * Otherwise, a concurrent request that yanks the table
787 * should be blocked by other interlocking and/or by first
788 * shutting the driver down. Regardless, be defensive
789 * here and just bail
790 */
791 /* XXX need msg+stat */
792 m_freem(m);
793 return NULL;
794 }
795 IEEE80211_NODE_LOCK(ni->ni_table);
796 mfrag = ni->ni_rxfrag[0];
797 ni->ni_rxfrag[0] = NULL;
798 IEEE80211_NODE_UNLOCK(ni->ni_table);
799
800 /*
801 * Validate new fragment is in order and
802 * related to the previous ones.
803 */
804 if (mfrag != NULL) {
805 u_int16_t last_rxseq;
806
807 lwh = mtod(mfrag, struct ieee80211_frame *);
808 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq);
809 /* NB: check seq # and frag together */
810 if (rxseq != last_rxseq+1 ||
811 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
812 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
813 /*
814 * Unrelated fragment or no space for it,
815 * clear current fragments.
816 */
817 m_freem(mfrag);
818 mfrag = NULL;
819 }
820 }
821
822 if (mfrag == NULL) {
823 if (fragno != 0) { /* !first fragment, discard */
824 IEEE80211_NODE_STAT(ni, rx_defrag);
825 m_freem(m);
826 return NULL;
827 }
828 mfrag = m;
829 } else {
830 int mlen;
831
832 /* Strip header and concatenate */
833 m_adj(m, hdrspace);
834 mlen = m->m_pkthdr.len;
835 m_cat(mfrag, m);
836
837 /* NB: m_cat doesn't update the packet header */
838 mfrag->m_pkthdr.len += mlen;
839
840 /* track last seqnum and fragno */
841 lwh = mtod(mfrag, struct ieee80211_frame *);
842 *(u_int16_t *)lwh->i_seq = iseq;
843 }
844
845 if (more_frag) {
846 /* more to come, save */
847 ni->ni_rxfragstamp = ticks;
848 ni->ni_rxfrag[0] = mfrag;
849 mfrag = NULL;
850 }
851
852 return mfrag;
853 }
854
855 static void
ieee80211_deliver_data(struct ieee80211com * ic,struct ieee80211_node * ni,struct mbuf * m)856 ieee80211_deliver_data(struct ieee80211com *ic,
857 struct ieee80211_node *ni, struct mbuf *m)
858 {
859 struct ether_header *eh = mtod(m, struct ether_header *);
860 struct ifnet *ifp = ic->ic_ifp;
861 int error;
862
863 /* perform as a bridge within the AP */
864 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
865 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
866 struct mbuf *m1 = NULL;
867
868 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
869 m1 = m_copypacket(m, M_DONTWAIT);
870 if (m1 == NULL)
871 if_statinc(ifp, if_oerrors);
872 else
873 m1->m_flags |= M_MCAST;
874 } else {
875 /*
876 * Check if the destination is known; if so
877 * and the port is authorized dispatch directly.
878 */
879 struct ieee80211_node *sta =
880 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
881 if (sta != NULL) {
882 if (ieee80211_node_is_authorized(sta)) {
883 /*
884 * Beware of sending to ourself; this
885 * needs to happen via the normal
886 * input path.
887 */
888 if (sta != ic->ic_bss) {
889 m1 = m;
890 m = NULL;
891 }
892 } else {
893 ic->ic_stats.is_rx_unauth++;
894 IEEE80211_NODE_STAT(sta, rx_unauth);
895 }
896 ieee80211_free_node(sta);
897 }
898 }
899
900 if (m1 != NULL) {
901 int len;
902 #ifdef ALTQ
903 if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
904 altq_etherclassify(&ifp->if_snd, m1);
905 }
906 #endif
907 len = m1->m_pkthdr.len;
908 IFQ_ENQUEUE(&ifp->if_snd, m1, error);
909 if (error) {
910 if_statinc(ifp, if_oerrors);
911 m_freem(m);
912 m = NULL;
913 }
914 if_statadd(ifp, if_obytes, len);
915 }
916 }
917
918 if (m != NULL) {
919 if (ni->ni_vlan != 0)
920 vlan_set_tag(m, ni->ni_vlan);
921
922 /*
923 * XXX once ieee80211_input (or rxintr itself) runs in softint
924 * we have to change here too to use if_input.
925 */
926 KASSERT(ifp->if_percpuq);
927 if_percpuq_enqueue(ifp->if_percpuq, m);
928 }
929
930 return;
931 }
932
933 static struct mbuf *
ieee80211_decap(struct mbuf * m,int hdrlen)934 ieee80211_decap(struct mbuf *m, int hdrlen)
935 {
936 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */
937 struct ether_header *eh;
938 struct llc *llc;
939
940 if (m->m_len < hdrlen + sizeof(*llc) &&
941 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
942 return NULL;
943 }
944
945 memcpy(&wh, mtod(m, void *), hdrlen);
946
947 llc = (struct llc *)(mtod(m, char *) + hdrlen);
948 if (llc->llc_dsap == LLC_SNAP_LSAP &&
949 llc->llc_ssap == LLC_SNAP_LSAP &&
950 llc->llc_control == LLC_UI &&
951 llc->llc_snap.org_code[0] == 0 &&
952 llc->llc_snap.org_code[1] == 0 &&
953 llc->llc_snap.org_code[2] == 0) {
954 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
955 llc = NULL;
956 } else {
957 /* Keep the LLC after the Ethernet header. */
958 m_adj(m, hdrlen - sizeof(*eh));
959 }
960
961 eh = mtod(m, struct ether_header *);
962
963 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
964 case IEEE80211_FC1_DIR_NODS:
965 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
966 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
967 break;
968 case IEEE80211_FC1_DIR_TODS:
969 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
970 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
971 break;
972 case IEEE80211_FC1_DIR_FROMDS:
973 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
974 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
975 break;
976 case IEEE80211_FC1_DIR_DSTODS:
977 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
978 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
979 break;
980 }
981
982 #ifdef ALIGNED_POINTER
983 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) {
984 struct mbuf *n, *n0, **np;
985 char *newdata;
986 int off, pktlen;
987
988 n0 = NULL;
989 np = &n0;
990 off = 0;
991 pktlen = m->m_pkthdr.len;
992 while (pktlen > off) {
993 if (n0 == NULL) {
994 MGETHDR(n, M_DONTWAIT, MT_DATA);
995 if (n == NULL) {
996 m_freem(m);
997 return NULL;
998 }
999 m_move_pkthdr(n, m);
1000 n->m_len = MHLEN;
1001 } else {
1002 MGET(n, M_DONTWAIT, MT_DATA);
1003 if (n == NULL) {
1004 m_freem(m);
1005 m_freem(n0);
1006 return NULL;
1007 }
1008 n->m_len = MLEN;
1009 }
1010 if (pktlen - off >= MINCLSIZE) {
1011 MCLGET(n, M_DONTWAIT);
1012 if (n->m_flags & M_EXT)
1013 n->m_len = n->m_ext.ext_size;
1014 }
1015 if (n0 == NULL) {
1016 newdata =
1017 (char *)ALIGN(n->m_data + sizeof(*eh)) -
1018 sizeof(*eh);
1019 n->m_len -= newdata - n->m_data;
1020 n->m_data = newdata;
1021 }
1022 if (n->m_len > pktlen - off)
1023 n->m_len = pktlen - off;
1024 m_copydata(m, off, n->m_len, mtod(n, void *));
1025 off += n->m_len;
1026 *np = n;
1027 np = &n->m_next;
1028 }
1029 m_freem(m);
1030 m = n0;
1031 }
1032 #endif /* ALIGNED_POINTER */
1033
1034 if (llc != NULL) {
1035 eh = mtod(m, struct ether_header *);
1036 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
1037 }
1038
1039 return m;
1040 }
1041
1042 /*
1043 * Install received rate set information in the node's state block.
1044 */
1045 int
ieee80211_setup_rates(struct ieee80211_node * ni,const u_int8_t * rates,const u_int8_t * xrates,int flags)1046 ieee80211_setup_rates(struct ieee80211_node *ni, const u_int8_t *rates,
1047 const u_int8_t *xrates, int flags)
1048 {
1049 struct ieee80211com *ic = ni->ni_ic;
1050 struct ieee80211_rateset *rs = &ni->ni_rates;
1051
1052 memset(rs, 0, sizeof(*rs));
1053
1054 rs->rs_nrates = rates[1];
1055 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
1056
1057 if (xrates != NULL) {
1058 u_int8_t nxrates;
1059 size_t totalrate;
1060
1061 /*
1062 * Tack on 11g extended supported rate element.
1063 */
1064 nxrates = xrates[1];
1065 totalrate = (size_t)rs->rs_nrates + (size_t)nxrates;
1066
1067 if (totalrate > IEEE80211_RATE_MAXSIZE) {
1068 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
1069 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
1070 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
1071 "[%s] extended rate set too large;"
1072 " only using %u of %u rates\n",
1073 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
1074 nxrates, xrates[1]);
1075 ic->ic_stats.is_rx_rstoobig++;
1076 }
1077
1078 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
1079 rs->rs_nrates += nxrates;
1080 }
1081
1082 return ieee80211_fix_rate(ni, flags);
1083 }
1084
1085 static void
ieee80211_auth_open(struct ieee80211com * ic,struct ieee80211_frame * wh,struct ieee80211_node * ni,int rssi,u_int32_t rstamp,u_int16_t seq,u_int16_t status)1086 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
1087 struct ieee80211_node *ni, int rssi, u_int32_t rstamp,
1088 u_int16_t seq, u_int16_t status)
1089 {
1090 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
1091
1092 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
1093 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1094 ni->ni_macaddr, "open auth",
1095 "bad sta auth mode %u", ni->ni_authmode);
1096 ic->ic_stats.is_rx_bad_auth++; /* XXX */
1097
1098 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1099 /* XXX hack to workaround calling convention */
1100 ieee80211_send_error(ic, ni, wh->i_addr2,
1101 IEEE80211_FC0_SUBTYPE_AUTH,
1102 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
1103 }
1104 return;
1105 }
1106
1107 switch (ic->ic_opmode) {
1108 case IEEE80211_M_IBSS:
1109 case IEEE80211_M_AHDEMO:
1110 case IEEE80211_M_MONITOR:
1111 /* should not come here */
1112 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1113 ni->ni_macaddr, "open auth",
1114 "bad operating mode %u", ic->ic_opmode);
1115 break;
1116
1117 case IEEE80211_M_HOSTAP:
1118 #ifndef IEEE80211_NO_HOSTAP
1119 if (ic->ic_state != IEEE80211_S_RUN ||
1120 seq != IEEE80211_AUTH_OPEN_REQUEST) {
1121 ic->ic_stats.is_rx_bad_auth++;
1122 return;
1123 }
1124
1125 /* always accept open authentication requests */
1126 if (ni == ic->ic_bss) {
1127 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1128 if (ni == NULL)
1129 return;
1130 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) {
1131 (void)ieee80211_ref_node(ni);
1132 }
1133
1134 /*
1135 * Mark the node as referenced to reflect that its
1136 * reference count has been bumped to insure it remains
1137 * after the transaction completes.
1138 */
1139 ni->ni_flags |= IEEE80211_NODE_AREF;
1140
1141 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH,
1142 seq + 1);
1143 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1144 "[%s] station authenticated (open)\n",
1145 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
1146
1147 /*
1148 * When 802.1x is not in use mark the port
1149 * authorized at this point so traffic can flow.
1150 */
1151 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1152 ieee80211_node_authorize(ni);
1153 #endif /* !IEEE80211_NO_HOSTAP */
1154 break;
1155
1156 case IEEE80211_M_STA:
1157 if (ic->ic_state != IEEE80211_S_AUTH ||
1158 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1159 ic->ic_stats.is_rx_bad_auth++;
1160 return;
1161 }
1162 if (status != 0) {
1163 IEEE80211_DPRINTF(ic,
1164 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1165 "[%s] open auth failed (reason %d)\n",
1166 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
1167 status);
1168
1169 /* XXX can this happen? */
1170 if (ni != ic->ic_bss)
1171 ni->ni_fails++;
1172
1173 ic->ic_stats.is_rx_auth_fail++;
1174 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1175 } else {
1176 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1177 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1178 }
1179 break;
1180 }
1181 }
1182
1183 /*
1184 * Send a management frame error response to the specified
1185 * station. If ni is associated with the station then use
1186 * it; otherwise allocate a temporary node suitable for
1187 * transmitting the frame and then free the reference so
1188 * it will go away as soon as the frame has been transmitted.
1189 */
1190 static void
ieee80211_send_error(struct ieee80211com * ic,struct ieee80211_node * ni,const u_int8_t * mac,int subtype,int arg)1191 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1192 const u_int8_t *mac, int subtype, int arg)
1193 {
1194 bool istmp;
1195
1196 if (ni == ic->ic_bss) {
1197 ni = ieee80211_tmp_node(ic, mac);
1198 if (ni == NULL) {
1199 /* XXX msg */
1200 return;
1201 }
1202 istmp = true;
1203 } else {
1204 istmp = false;
1205 }
1206
1207 IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1208 if (istmp)
1209 ieee80211_free_node(ni);
1210 }
1211
1212 static int
alloc_challenge(struct ieee80211com * ic,struct ieee80211_node * ni)1213 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1214 {
1215 if (ni->ni_challenge == NULL) {
1216 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN,
1217 M_DEVBUF, M_NOWAIT);
1218 }
1219 if (ni->ni_challenge == NULL) {
1220 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
1221
1222 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1223 "[%s] shared key challenge alloc failed\n",
1224 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
1225 /* XXX statistic */
1226 }
1227 return (ni->ni_challenge != NULL);
1228 }
1229
1230 /* XXX TODO: add statistics */
1231 static void
ieee80211_auth_shared(struct ieee80211com * ic,struct ieee80211_frame * wh,u_int8_t * frm,u_int8_t * efrm,struct ieee80211_node * ni,int rssi,u_int32_t rstamp,u_int16_t seq,u_int16_t status)1232 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1233 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi,
1234 u_int32_t rstamp, u_int16_t seq, u_int16_t status)
1235 {
1236 u_int8_t *challenge;
1237 int estatus;
1238 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
1239
1240 /*
1241 * NB: this can happen as we allow pre-shared key
1242 * authentication to be enabled w/o wep being turned
1243 * on so that configuration of these can be done
1244 * in any order. It may be better to enforce the
1245 * ordering in which case this check would just be
1246 * for sanity/consistency.
1247 */
1248 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1249 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1250 ni->ni_macaddr, "shared key auth",
1251 "%s", " PRIVACY is disabled");
1252 estatus = IEEE80211_STATUS_ALG;
1253 goto bad;
1254 }
1255
1256 /*
1257 * Pre-shared key authentication is evil; accept
1258 * it only if explicitly configured (it is supported
1259 * mainly for compatibility with clients like OS X).
1260 */
1261 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1262 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1263 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1264 ni->ni_macaddr, "shared key auth",
1265 "bad sta auth mode %u", ni->ni_authmode);
1266 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1267 estatus = IEEE80211_STATUS_ALG;
1268 goto bad;
1269 }
1270
1271 challenge = NULL;
1272 if (frm + 1 < efrm) {
1273 if ((frm[1] + 2) > (efrm - frm)) {
1274 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1275 ni->ni_macaddr, "shared key auth",
1276 "ie %d/%d too long",
1277 frm[0], (frm[1] + 2) - (efrm - frm));
1278 ic->ic_stats.is_rx_bad_auth++;
1279 estatus = IEEE80211_STATUS_CHALLENGE;
1280 goto bad;
1281 }
1282 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1283 challenge = frm;
1284 frm += frm[1] + 2;
1285 }
1286
1287 switch (seq) {
1288 case IEEE80211_AUTH_SHARED_CHALLENGE:
1289 case IEEE80211_AUTH_SHARED_RESPONSE:
1290 if (challenge == NULL) {
1291 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1292 ni->ni_macaddr, "shared key auth",
1293 "%s", "no challenge");
1294 ic->ic_stats.is_rx_bad_auth++;
1295 estatus = IEEE80211_STATUS_CHALLENGE;
1296 goto bad;
1297 }
1298 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1299 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1300 ni->ni_macaddr, "shared key auth",
1301 "bad challenge len %d", challenge[1]);
1302 ic->ic_stats.is_rx_bad_auth++;
1303 estatus = IEEE80211_STATUS_CHALLENGE;
1304 goto bad;
1305 }
1306 default:
1307 break;
1308 }
1309
1310 switch (ic->ic_opmode) {
1311 case IEEE80211_M_MONITOR:
1312 case IEEE80211_M_AHDEMO:
1313 case IEEE80211_M_IBSS:
1314 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1315 ni->ni_macaddr, "shared key auth",
1316 "bad operating mode %u", ic->ic_opmode);
1317 return;
1318
1319 case IEEE80211_M_HOSTAP:
1320 #ifndef IEEE80211_NO_HOSTAP
1321 {
1322 int allocbs;
1323 if (ic->ic_state != IEEE80211_S_RUN) {
1324 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1325 ni->ni_macaddr, "shared key auth",
1326 "bad state %u", ic->ic_state);
1327 estatus = IEEE80211_STATUS_ALG; /* XXX */
1328 goto bad;
1329 }
1330 switch (seq) {
1331 case IEEE80211_AUTH_SHARED_REQUEST:
1332 if (ni == ic->ic_bss) {
1333 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1334 if (ni == NULL) {
1335 /* NB: no way to return an error */
1336 return;
1337 }
1338 allocbs = 1;
1339 } else {
1340 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1341 (void)ieee80211_ref_node(ni);
1342 allocbs = 0;
1343 }
1344 __USE(allocbs);
1345
1346 /*
1347 * Mark the node as referenced to reflect that its
1348 * reference count has been bumped to insure it remains
1349 * after the transaction completes.
1350 */
1351 ni->ni_flags |= IEEE80211_NODE_AREF;
1352 ni->ni_rssi = rssi;
1353 ni->ni_rstamp = rstamp;
1354 if (!alloc_challenge(ic, ni)) {
1355 /* NB: don't return error so they rexmit */
1356 return;
1357 }
1358
1359 get_random_bytes(ni->ni_challenge,
1360 IEEE80211_CHALLENGE_LEN);
1361
1362 IEEE80211_DPRINTF(ic,
1363 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1364 "[%s] shared key %sauth request\n",
1365 ether_snprintf(ebuf, sizeof(ebuf),
1366 ni->ni_macaddr),
1367 allocbs ? "" : "re");
1368 break;
1369
1370 case IEEE80211_AUTH_SHARED_RESPONSE:
1371 if (ni == ic->ic_bss) {
1372 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1373 ni->ni_macaddr, "shared key response",
1374 "%s", "unknown station");
1375 /* NB: don't send a response */
1376 return;
1377 }
1378
1379 if (ni->ni_challenge == NULL) {
1380 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1381 ni->ni_macaddr, "shared key response",
1382 "%s", "no challenge recorded");
1383 ic->ic_stats.is_rx_bad_auth++;
1384 estatus = IEEE80211_STATUS_CHALLENGE;
1385 goto bad;
1386 }
1387
1388 if (memcmp(ni->ni_challenge, &challenge[2],
1389 challenge[1]) != 0) {
1390 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1391 ni->ni_macaddr, "shared key response",
1392 "%s", "challenge mismatch");
1393 ic->ic_stats.is_rx_auth_fail++;
1394 estatus = IEEE80211_STATUS_CHALLENGE;
1395 goto bad;
1396 }
1397
1398 IEEE80211_DPRINTF(ic,
1399 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1400 "[%s] station authenticated (shared key)\n",
1401 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
1402
1403 ieee80211_node_authorize(ni);
1404 break;
1405
1406 default:
1407 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1408 ni->ni_macaddr, "shared key auth",
1409 "bad seq %d", seq);
1410 ic->ic_stats.is_rx_bad_auth++;
1411 estatus = IEEE80211_STATUS_SEQUENCE;
1412 goto bad;
1413 }
1414
1415 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH,
1416 seq + 1);
1417 }
1418 #endif /* !IEEE80211_NO_HOSTAP */
1419 break;
1420
1421 case IEEE80211_M_STA:
1422 if (ic->ic_state != IEEE80211_S_AUTH)
1423 return;
1424 switch (seq) {
1425 case IEEE80211_AUTH_SHARED_PASS:
1426 if (ni->ni_challenge != NULL) {
1427 free(ni->ni_challenge, M_DEVBUF);
1428 ni->ni_challenge = NULL;
1429 }
1430 if (status != 0) {
1431 IEEE80211_DPRINTF(ic,
1432 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1433 "[%s] shared key auth failed (reason %d)\n",
1434 ether_snprintf(ebuf, sizeof(ebuf),
1435 ieee80211_getbssid(ic, wh)),
1436 status);
1437
1438 /* XXX can this happen? */
1439 if (ni != ic->ic_bss)
1440 ni->ni_fails++;
1441
1442 ic->ic_stats.is_rx_auth_fail++;
1443 return;
1444 }
1445
1446 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1447 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1448 break;
1449
1450 case IEEE80211_AUTH_SHARED_CHALLENGE:
1451 if (!alloc_challenge(ic, ni))
1452 return;
1453 /* XXX could optimize by passing recvd challenge */
1454 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1455
1456 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH,
1457 seq + 1);
1458 break;
1459
1460 default:
1461 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1462 wh, "shared key auth", "bad seq %d", seq);
1463 ic->ic_stats.is_rx_bad_auth++;
1464 return;
1465 }
1466 break;
1467 }
1468 return;
1469
1470 bad:
1471 #ifndef IEEE80211_NO_HOSTAP
1472 /*
1473 * Send an error response; but only when operating as an AP.
1474 */
1475 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1476 /* XXX hack to workaround calling convention */
1477 ieee80211_send_error(ic, ni, wh->i_addr2,
1478 IEEE80211_FC0_SUBTYPE_AUTH,
1479 (seq + 1) | (estatus<<16));
1480 } else if (ic->ic_opmode == IEEE80211_M_STA) {
1481 /*
1482 * Kick the state machine. This short-circuits
1483 * using the mgt frame timeout to trigger the
1484 * state transition.
1485 */
1486 if (ic->ic_state == IEEE80211_S_AUTH)
1487 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1488 }
1489 #else
1490 ;
1491 #endif /* !IEEE80211_NO_HOSTAP */
1492 }
1493
1494 #ifdef IEEE80211_DEBUG
1495 static void
ieee80211_ssid_mismatch(struct ieee80211com * ic,const char * tag,u_int8_t mac[IEEE80211_ADDR_LEN],u_int8_t * ssid)1496 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1497 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid)
1498 {
1499 char ebuf[3 * ETHER_ADDR_LEN];
1500
1501 printf("[%s] discard %s frame, ssid mismatch: ",
1502 ether_snprintf(ebuf, sizeof(ebuf), mac), tag);
1503 ieee80211_print_essid(ssid + 2, ssid[1]);
1504 printf("\n");
1505 }
1506
1507 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1508 if ((_ssid)[1] != 0 && \
1509 ((_ssid)[1] != (_ni)->ni_esslen || \
1510 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1511 if (ieee80211_msg_input(ic)) \
1512 ieee80211_ssid_mismatch(ic, \
1513 ieee80211_mgt_subtype_name[subtype >> \
1514 IEEE80211_FC0_SUBTYPE_SHIFT], \
1515 wh->i_addr2, _ssid); \
1516 ic->ic_stats.is_rx_ssidmismatch++; \
1517 return; \
1518 } \
1519 } while (0)
1520 #else /* !IEEE80211_DEBUG */
1521 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1522 if ((_ssid)[1] != 0 && \
1523 ((_ssid)[1] != (_ni)->ni_esslen || \
1524 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1525 ic->ic_stats.is_rx_ssidmismatch++; \
1526 return; \
1527 } \
1528 } while (0)
1529 #endif /* !IEEE80211_DEBUG */
1530
1531 /* unaligned little endian access */
1532 #define LE_READ_2(p) \
1533 ((u_int16_t) \
1534 ((((const u_int8_t *)(p))[0] ) | \
1535 (((const u_int8_t *)(p))[1] << 8)))
1536 #define LE_READ_4(p) \
1537 ((u_int32_t) \
1538 ((((const u_int8_t *)(p))[0] ) | \
1539 (((const u_int8_t *)(p))[1] << 8) | \
1540 (((const u_int8_t *)(p))[2] << 16) | \
1541 (((const u_int8_t *)(p))[3] << 24)))
1542
1543 static __inline int
iswpaoui(const u_int8_t * frm)1544 iswpaoui(const u_int8_t *frm)
1545 {
1546 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1547 }
1548
1549 static __inline int
iswmeoui(const u_int8_t * frm)1550 iswmeoui(const u_int8_t *frm)
1551 {
1552 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1553 }
1554
1555 static __inline int
iswmeparam(const u_int8_t * frm)1556 iswmeparam(const u_int8_t *frm)
1557 {
1558 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1559 frm[6] == WME_PARAM_OUI_SUBTYPE;
1560 }
1561
1562 static __inline int
iswmeinfo(const u_int8_t * frm)1563 iswmeinfo(const u_int8_t *frm)
1564 {
1565 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1566 frm[6] == WME_INFO_OUI_SUBTYPE;
1567 }
1568
1569 /*
1570 * Convert a WPA cipher selector OUI to an internal
1571 * cipher algorithm. Where appropriate we also
1572 * record any key length.
1573 */
1574 static int
wpa_cipher(u_int8_t * sel,u_int8_t * keylen)1575 wpa_cipher(u_int8_t *sel, u_int8_t *keylen)
1576 {
1577 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1578 u_int32_t w = LE_READ_4(sel);
1579
1580 switch (w) {
1581 case WPA_SEL(WPA_CSE_NULL):
1582 return IEEE80211_CIPHER_NONE;
1583 case WPA_SEL(WPA_CSE_WEP40):
1584 if (keylen)
1585 *keylen = 40 / NBBY;
1586 return IEEE80211_CIPHER_WEP;
1587 case WPA_SEL(WPA_CSE_WEP104):
1588 if (keylen)
1589 *keylen = 104 / NBBY;
1590 return IEEE80211_CIPHER_WEP;
1591 case WPA_SEL(WPA_CSE_TKIP):
1592 return IEEE80211_CIPHER_TKIP;
1593 case WPA_SEL(WPA_CSE_CCMP):
1594 return IEEE80211_CIPHER_AES_CCM;
1595 }
1596 return 32; /* NB: so 1<< is discarded */
1597 #undef WPA_SEL
1598 }
1599
1600 /*
1601 * Convert a WPA key management/authentication algorithm
1602 * to an internal code.
1603 */
1604 static int
wpa_keymgmt(u_int8_t * sel)1605 wpa_keymgmt(u_int8_t *sel)
1606 {
1607 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1608 u_int32_t w = LE_READ_4(sel);
1609
1610 switch (w) {
1611 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1612 return WPA_ASE_8021X_UNSPEC;
1613 case WPA_SEL(WPA_ASE_8021X_PSK):
1614 return WPA_ASE_8021X_PSK;
1615 case WPA_SEL(WPA_ASE_NONE):
1616 return WPA_ASE_NONE;
1617 }
1618 return 0; /* NB: so is discarded */
1619 #undef WPA_SEL
1620 }
1621
1622 /*
1623 * Parse a WPA information element to collect parameters
1624 * and validate the parameters against what has been
1625 * configured for the system.
1626 */
1627 static int
ieee80211_parse_wpa(struct ieee80211com * ic,u_int8_t * frm,struct ieee80211_rsnparms * rsn,const struct ieee80211_frame * wh)1628 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm,
1629 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1630 {
1631 u_int8_t len = frm[1];
1632 u_int32_t w;
1633 int n;
1634
1635 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1636 IEEE80211_DISCARD_IE(ic,
1637 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1638 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1639 return IEEE80211_REASON_IE_INVALID;
1640 }
1641
1642 /*
1643 * Check the length once for fixed parts: OUI, type,
1644 * version, mcast cipher, and 2 selector counts.
1645 * Other, variable-length data, must be checked separately.
1646 */
1647 if (len < 14) {
1648 IEEE80211_DISCARD_IE(ic,
1649 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1650 wh, "WPA", "too short, len %u", len);
1651 return IEEE80211_REASON_IE_INVALID;
1652 }
1653
1654 frm += 2; /* beginning of payload */
1655 frm += 4, len -= 4;
1656
1657 /* NB: iswapoui already validated the OUI and type */
1658 w = LE_READ_2(frm);
1659 if (w != WPA_VERSION) {
1660 IEEE80211_DISCARD_IE(ic,
1661 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1662 wh, "WPA", "bad version %u", w);
1663 return IEEE80211_REASON_IE_INVALID;
1664 }
1665 frm += 2, len -= 2;
1666
1667 /* multicast/group cipher */
1668 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1669 if (w != rsn->rsn_mcastcipher) {
1670 IEEE80211_DISCARD_IE(ic,
1671 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1672 wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1673 w, rsn->rsn_mcastcipher);
1674 return IEEE80211_REASON_IE_INVALID;
1675 }
1676 frm += 4, len -= 4;
1677
1678 /* unicast ciphers */
1679 n = LE_READ_2(frm);
1680 frm += 2, len -= 2;
1681 if (len < n*4+2) {
1682 IEEE80211_DISCARD_IE(ic,
1683 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1684 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1685 len, n);
1686 return IEEE80211_REASON_IE_INVALID;
1687 }
1688 w = 0;
1689 for (; n > 0; n--) {
1690 w |= 1 << wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1691 frm += 4, len -= 4;
1692 }
1693 w &= rsn->rsn_ucastcipherset;
1694 if (w == 0) {
1695 IEEE80211_DISCARD_IE(ic,
1696 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1697 wh, "WPA", "%s", "ucast cipher set empty");
1698 return IEEE80211_REASON_IE_INVALID;
1699 }
1700 if (w & (1 << IEEE80211_CIPHER_TKIP))
1701 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1702 else
1703 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1704
1705 /* key management algorithms */
1706 n = LE_READ_2(frm);
1707 frm += 2, len -= 2;
1708 if (len < n*4) {
1709 IEEE80211_DISCARD_IE(ic,
1710 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1711 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1712 len, n);
1713 return IEEE80211_REASON_IE_INVALID;
1714 }
1715 w = 0;
1716 for (; n > 0; n--) {
1717 w |= wpa_keymgmt(frm);
1718 frm += 4, len -= 4;
1719 }
1720 w &= rsn->rsn_keymgmtset;
1721 if (w == 0) {
1722 IEEE80211_DISCARD_IE(ic,
1723 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1724 wh, "WPA", "%s", "no acceptable key mgmt alg");
1725 return IEEE80211_REASON_IE_INVALID;
1726 }
1727 if (w & WPA_ASE_8021X_UNSPEC)
1728 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1729 else
1730 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1731
1732 if (len > 2) /* optional capabilities */
1733 rsn->rsn_caps = LE_READ_2(frm);
1734
1735 return 0;
1736 }
1737
1738 /*
1739 * Convert an RSN cipher selector OUI to an internal
1740 * cipher algorithm. Where appropriate we also
1741 * record any key length.
1742 */
1743 static int
rsn_cipher(u_int8_t * sel,u_int8_t * keylen)1744 rsn_cipher(u_int8_t *sel, u_int8_t *keylen)
1745 {
1746 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1747 u_int32_t w = LE_READ_4(sel);
1748
1749 switch (w) {
1750 case RSN_SEL(RSN_CSE_NULL):
1751 return IEEE80211_CIPHER_NONE;
1752 case RSN_SEL(RSN_CSE_WEP40):
1753 if (keylen)
1754 *keylen = 40 / NBBY;
1755 return IEEE80211_CIPHER_WEP;
1756 case RSN_SEL(RSN_CSE_WEP104):
1757 if (keylen)
1758 *keylen = 104 / NBBY;
1759 return IEEE80211_CIPHER_WEP;
1760 case RSN_SEL(RSN_CSE_TKIP):
1761 return IEEE80211_CIPHER_TKIP;
1762 case RSN_SEL(RSN_CSE_CCMP):
1763 return IEEE80211_CIPHER_AES_CCM;
1764 case RSN_SEL(RSN_CSE_WRAP):
1765 return IEEE80211_CIPHER_AES_OCB;
1766 }
1767 return 32; /* NB: so 1<< is discarded */
1768 #undef WPA_SEL
1769 }
1770
1771 /*
1772 * Convert an RSN key management/authentication algorithm
1773 * to an internal code.
1774 */
1775 static int
rsn_keymgmt(u_int8_t * sel)1776 rsn_keymgmt(u_int8_t *sel)
1777 {
1778 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1779 u_int32_t w = LE_READ_4(sel);
1780
1781 switch (w) {
1782 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1783 return RSN_ASE_8021X_UNSPEC;
1784 case RSN_SEL(RSN_ASE_8021X_PSK):
1785 return RSN_ASE_8021X_PSK;
1786 case RSN_SEL(RSN_ASE_NONE):
1787 return RSN_ASE_NONE;
1788 }
1789 return 0; /* NB: so is discarded */
1790 #undef RSN_SEL
1791 }
1792
1793 /*
1794 * Parse a WPA/RSN information element to collect parameters
1795 * and validate the parameters against what has been
1796 * configured for the system.
1797 */
1798 static int
ieee80211_parse_rsn(struct ieee80211com * ic,u_int8_t * frm,struct ieee80211_rsnparms * rsn,const struct ieee80211_frame * wh)1799 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm,
1800 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1801 {
1802 u_int8_t len = frm[1];
1803 u_int32_t w;
1804 int n;
1805
1806 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1807 IEEE80211_DISCARD_IE(ic,
1808 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1809 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1810 return IEEE80211_REASON_IE_INVALID;
1811 }
1812
1813 /*
1814 * Check the length once for fixed parts:
1815 * version, mcast cipher, and 2 selector counts.
1816 * Other, variable-length data, must be checked separately.
1817 */
1818 if (len < 10) {
1819 IEEE80211_DISCARD_IE(ic,
1820 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1821 wh, "RSN", "too short, len %u", len);
1822 return IEEE80211_REASON_IE_INVALID;
1823 }
1824
1825 frm += 2; /* beginning of payload */
1826 w = LE_READ_2(frm);
1827 if (w != RSN_VERSION) {
1828 IEEE80211_DISCARD_IE(ic,
1829 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1830 wh, "RSN", "bad version %u", w);
1831 return IEEE80211_REASON_IE_INVALID;
1832 }
1833 frm += 2, len -= 2;
1834
1835 /* multicast/group cipher */
1836 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1837 if (w != rsn->rsn_mcastcipher) {
1838 IEEE80211_DISCARD_IE(ic,
1839 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1840 wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1841 w, rsn->rsn_mcastcipher);
1842 return IEEE80211_REASON_IE_INVALID;
1843 }
1844 frm += 4, len -= 4;
1845
1846 /* unicast ciphers */
1847 n = LE_READ_2(frm);
1848 frm += 2, len -= 2;
1849 if (len < n*4+2) {
1850 IEEE80211_DISCARD_IE(ic,
1851 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1852 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1853 len, n);
1854 return IEEE80211_REASON_IE_INVALID;
1855 }
1856 w = 0;
1857 for (; n > 0; n--) {
1858 w |= 1 << rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1859 frm += 4, len -= 4;
1860 }
1861 w &= rsn->rsn_ucastcipherset;
1862 if (w == 0) {
1863 IEEE80211_DISCARD_IE(ic,
1864 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1865 wh, "RSN", "%s", "ucast cipher set empty");
1866 return IEEE80211_REASON_IE_INVALID;
1867 }
1868 if (w & (1 << IEEE80211_CIPHER_TKIP))
1869 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1870 else
1871 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1872
1873 /* key management algorithms */
1874 n = LE_READ_2(frm);
1875 frm += 2, len -= 2;
1876 if (len < n*4) {
1877 IEEE80211_DISCARD_IE(ic,
1878 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1879 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1880 len, n);
1881 return IEEE80211_REASON_IE_INVALID;
1882 }
1883 w = 0;
1884 for (; n > 0; n--) {
1885 w |= rsn_keymgmt(frm);
1886 frm += 4, len -= 4;
1887 }
1888 w &= rsn->rsn_keymgmtset;
1889 if (w == 0) {
1890 IEEE80211_DISCARD_IE(ic,
1891 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1892 wh, "RSN", "%s", "no acceptable key mgmt alg");
1893 return IEEE80211_REASON_IE_INVALID;
1894 }
1895 if (w & RSN_ASE_8021X_UNSPEC)
1896 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1897 else
1898 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1899
1900 /* optional RSN capabilities */
1901 if (len > 2)
1902 rsn->rsn_caps = LE_READ_2(frm);
1903 /* XXXPMKID */
1904
1905 return 0;
1906 }
1907
1908 static int
ieee80211_parse_wmeparams(struct ieee80211com * ic,u_int8_t * frm,const struct ieee80211_frame * wh)1909 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm,
1910 const struct ieee80211_frame *wh)
1911 {
1912 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1913 struct ieee80211_wme_state *wme = &ic->ic_wme;
1914 u_int len = frm[1], qosinfo;
1915 int i;
1916
1917 if (len < sizeof(struct ieee80211_wme_param)-2) {
1918 IEEE80211_DISCARD_IE(ic,
1919 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1920 wh, "WME", "too short, len %u", len);
1921 return -1;
1922 }
1923
1924 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)];
1925 qosinfo &= WME_QOSINFO_COUNT;
1926
1927 /* XXX do proper check for wraparound */
1928 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1929 return 0;
1930
1931 frm += offsetof(struct ieee80211_wme_param, params_acParams);
1932 for (i = 0; i < WME_NUM_AC; i++) {
1933 struct wmeParams *wmep =
1934 &wme->wme_wmeChanParams.cap_wmeParams[i];
1935 /* NB: ACI not used */
1936 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1937 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1938 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1939 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1940 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1941 frm += 4;
1942 }
1943
1944 wme->wme_wmeChanParams.cap_info = qosinfo;
1945 return 1;
1946 #undef MS
1947 }
1948
1949 void
ieee80211_saveie(u_int8_t ** iep,const u_int8_t * ie)1950 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie)
1951 {
1952 u_int ielen = ie[1]+2;
1953
1954 /* Record information element for later use. */
1955 if (*iep == NULL || (*iep)[1] != ie[1]) {
1956 if (*iep != NULL)
1957 free(*iep, M_DEVBUF);
1958 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT);
1959 }
1960 if (*iep != NULL)
1961 memcpy(*iep, ie, ielen);
1962 /* XXX note failure */
1963 }
1964
1965 static void
ieee80211_update_adhoc_node(struct ieee80211com * ic,struct ieee80211_node * ni,struct ieee80211_frame * wh,struct ieee80211_scanparams * scan,int rssi,u_int32_t rstamp)1966 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni,
1967 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi,
1968 u_int32_t rstamp)
1969 {
1970 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
1971 /*
1972 * Create a new entry in the neighbor table.
1973 * Records the TSF.
1974 */
1975 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL)
1976 return;
1977 } else if (ni->ni_capinfo == 0) {
1978 /*
1979 * Initialize a node that was "faked up." Records
1980 * the TSF.
1981 *
1982 * No need to check for a change of BSSID: ni could
1983 * not have been the IBSS (ic_bss)
1984 */
1985 ieee80211_init_neighbor(ic, ni, wh, scan, 0);
1986 } else {
1987 /* Record TSF for potential resync. */
1988 memcpy(ni->ni_tstamp.data, scan->sp_tstamp, sizeof(ni->ni_tstamp));
1989 }
1990
1991 ni->ni_rssi = rssi;
1992 ni->ni_rstamp = rstamp;
1993
1994 /* Mark a neighbor's change of BSSID. */
1995 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid))
1996 return;
1997
1998 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
1999
2000 if (ni != ic->ic_bss)
2001 return;
2002 else if (ic->ic_flags & IEEE80211_F_DESBSSID) {
2003 /*
2004 * Now, ni does not represent a network we
2005 * want to belong to, so start a scan.
2006 */
2007 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
2008 return;
2009 } else {
2010 /*
2011 * A RUN->RUN transition lets the driver
2012 * reprogram its BSSID filter.
2013 *
2014 * No need to SCAN, we already belong to
2015 * an IBSS that meets our criteria: channel,
2016 * SSID, etc. It could be harmful to scan,
2017 * too: if a scan does not detect nodes
2018 * belonging to my current IBSS, then we
2019 * will create a new IBSS at the end of
2020 * the scan, needlessly splitting the
2021 * network.
2022 */
2023 ieee80211_new_state(ic, IEEE80211_S_RUN, 0);
2024 }
2025 }
2026
2027 /* -------------------------------------------------------------------------- */
2028
2029 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
2030 if ((__elem) == NULL) { \
2031 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
2032 wh, ieee80211_mgt_subtype_name[subtype >> \
2033 IEEE80211_FC0_SUBTYPE_SHIFT], \
2034 "%s", "no " #__elem ); \
2035 ic->ic_stats.is_rx_elem_missing++; \
2036 return; \
2037 } \
2038 if ((__elem)[1] > (__maxlen)) { \
2039 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
2040 wh, ieee80211_mgt_subtype_name[subtype >> \
2041 IEEE80211_FC0_SUBTYPE_SHIFT], \
2042 "bad " #__elem " len %d", (__elem)[1]); \
2043 ic->ic_stats.is_rx_elem_toobig++; \
2044 return; \
2045 } \
2046 } while (0)
2047
2048 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
2049 if ((size_t)(_len) < (size_t)(_minlen)) { \
2050 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
2051 wh, ieee80211_mgt_subtype_name[subtype >> \
2052 IEEE80211_FC0_SUBTYPE_SHIFT], \
2053 "%s", "ie too short"); \
2054 ic->ic_stats.is_rx_elem_toosmall++; \
2055 return; \
2056 } \
2057 } while (0)
2058
2059 static void
ieee80211_recv_mgmt_beacon(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2060 ieee80211_recv_mgmt_beacon(struct ieee80211com *ic, struct mbuf *m0,
2061 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2062 {
2063 struct ieee80211_frame *wh;
2064 u_int8_t *frm, *efrm;
2065 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2066 struct ieee80211_scanparams scan;
2067
2068 wh = mtod(m0, struct ieee80211_frame *);
2069 frm = (u_int8_t *)(wh + 1);
2070 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2071
2072 /*
2073 * We process beacon/probe response frames:
2074 * o when scanning, or
2075 * o station mode when associated (to collect state
2076 * updates such as 802.11g slot time), or
2077 * o adhoc mode (to discover neighbors)
2078 * Frames otherwise received are discarded.
2079 */
2080 if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
2081 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
2082 ic->ic_opmode == IEEE80211_M_IBSS)) {
2083 ic->ic_stats.is_rx_mgtdiscard++;
2084 return;
2085 }
2086
2087 /*
2088 * beacon/probe response frame format
2089 * [8] time stamp
2090 * [2] beacon interval
2091 * [2] capability information
2092 * [tlv] ssid
2093 * [tlv] supported rates
2094 * [tlv] country information
2095 * [tlv] parameter set (FH/DS)
2096 * [tlv] erp information
2097 * [tlv] extended supported rates
2098 * [tlv] WME
2099 * [tlv] WPA or RSN
2100 */
2101 IEEE80211_VERIFY_LENGTH(efrm - frm, 12);
2102 memset(&scan, 0, sizeof(scan));
2103 scan.sp_tstamp = frm; frm += 8;
2104 scan.sp_bintval = le16toh(*(u_int16_t *)frm); frm += 2;
2105 scan.sp_capinfo = le16toh(*(u_int16_t *)frm); frm += 2;
2106 scan.sp_bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
2107 scan.sp_chan = scan.sp_bchan;
2108
2109 while (frm + 1 < efrm) {
2110 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2111
2112 switch (*frm) {
2113 case IEEE80211_ELEMID_SSID:
2114 /* no length check needed */
2115 scan.sp_ssid = frm;
2116 break;
2117 case IEEE80211_ELEMID_RATES:
2118 /* no length check needed */
2119 scan.sp_rates = frm;
2120 break;
2121 case IEEE80211_ELEMID_COUNTRY:
2122 /* XXX: we don't do anything with this? */
2123 scan.sp_country = frm;
2124 break;
2125 case IEEE80211_ELEMID_FHPARMS:
2126 IEEE80211_VERIFY_LENGTH(frm[1], 5);
2127 if (ic->ic_phytype == IEEE80211_T_FH) {
2128 scan.sp_fhdwell = LE_READ_2(&frm[2]);
2129 scan.sp_chan = IEEE80211_FH_CHAN(frm[4], frm[5]);
2130 scan.sp_fhindex = frm[6];
2131 }
2132 break;
2133 case IEEE80211_ELEMID_DSPARMS:
2134 /*
2135 * XXX hack this since depending on phytype
2136 * is problematic for multi-mode devices.
2137 */
2138 IEEE80211_VERIFY_LENGTH(frm[1], 1);
2139 if (ic->ic_phytype != IEEE80211_T_FH)
2140 scan.sp_chan = frm[2];
2141 break;
2142 case IEEE80211_ELEMID_TIM:
2143 /* XXX ATIM? */
2144 IEEE80211_VERIFY_LENGTH(frm[1], 4);
2145 scan.sp_tim = frm;
2146 scan.sp_timoff = frm - mtod(m0, u_int8_t *);
2147 break;
2148 case IEEE80211_ELEMID_IBSSPARMS:
2149 break;
2150 case IEEE80211_ELEMID_XRATES:
2151 scan.sp_xrates = frm;
2152 break;
2153 case IEEE80211_ELEMID_ERP:
2154 if (frm[1] != 1) {
2155 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2156 wh, "ERP", "bad len %u", frm[1]);
2157 ic->ic_stats.is_rx_elem_toobig++;
2158 break;
2159 }
2160 scan.sp_erp = frm[2];
2161 break;
2162 case IEEE80211_ELEMID_RSN:
2163 /* no length check needed */
2164 scan.sp_wpa = frm;
2165 break;
2166 case IEEE80211_ELEMID_VENDOR:
2167 /* no length check needed */
2168 if (iswpaoui(frm))
2169 scan.sp_wpa = frm;
2170 else if (iswmeparam(frm) || iswmeinfo(frm))
2171 scan.sp_wme = frm;
2172 /* XXX Atheros OUI support */
2173 break;
2174 default:
2175 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
2176 wh, "unhandled", "id %u, len %u", *frm, frm[1]);
2177 ic->ic_stats.is_rx_elem_unknown++;
2178 break;
2179 }
2180
2181 frm += frm[1] + 2;
2182 }
2183
2184 IEEE80211_VERIFY_ELEMENT(scan.sp_rates, IEEE80211_RATE_MAXSIZE);
2185 IEEE80211_VERIFY_ELEMENT(scan.sp_ssid, IEEE80211_NWID_LEN);
2186
2187 if (
2188 #if IEEE80211_CHAN_MAX < 255
2189 scan.sp_chan > IEEE80211_CHAN_MAX ||
2190 #endif
2191 isclr(ic->ic_chan_active, scan.sp_chan)) {
2192 IEEE80211_DISCARD(ic,
2193 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2194 wh, ieee80211_mgt_subtype_name[subtype >>
2195 IEEE80211_FC0_SUBTYPE_SHIFT],
2196 "invalid channel %u", scan.sp_chan);
2197 ic->ic_stats.is_rx_badchan++;
2198 return;
2199 }
2200
2201 if (scan.sp_chan != scan.sp_bchan &&
2202 ic->ic_phytype != IEEE80211_T_FH) {
2203 /*
2204 * Frame was received on a channel different from the
2205 * one indicated in the DS params element id;
2206 * silently discard it.
2207 *
2208 * NB: this can happen due to signal leakage.
2209 * But we should take it for FH phy because
2210 * the rssi value should be correct even for
2211 * different hop pattern in FH.
2212 */
2213 IEEE80211_DISCARD(ic,
2214 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2215 wh, ieee80211_mgt_subtype_name[subtype >>
2216 IEEE80211_FC0_SUBTYPE_SHIFT],
2217 "for off-channel %u", scan.sp_chan);
2218 ic->ic_stats.is_rx_chanmismatch++;
2219 return;
2220 }
2221
2222 if (!(IEEE80211_BINTVAL_MIN <= scan.sp_bintval &&
2223 scan.sp_bintval <= IEEE80211_BINTVAL_MAX)) {
2224 IEEE80211_DISCARD(ic,
2225 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2226 wh, ieee80211_mgt_subtype_name[subtype >>
2227 IEEE80211_FC0_SUBTYPE_SHIFT],
2228 "bogus beacon interval", scan.sp_bintval);
2229 ic->ic_stats.is_rx_badbintval++;
2230 return;
2231 }
2232
2233 if (ni != ic->ic_bss) {
2234 ni = ieee80211_refine_node_for_beacon(ic, ni,
2235 &ic->ic_channels[scan.sp_chan], scan.sp_ssid);
2236 }
2237
2238 /*
2239 * Count frame now that we know it's to be processed.
2240 */
2241 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2242 ic->ic_stats.is_rx_beacon++;
2243 IEEE80211_NODE_STAT(ni, rx_beacons);
2244 } else {
2245 IEEE80211_NODE_STAT(ni, rx_proberesp);
2246 }
2247
2248 /*
2249 * When operating in station mode, check for state updates.
2250 * Be careful to ignore beacons received while doing a
2251 * background scan. We consider only 11g/WMM stuff right now.
2252 */
2253 if (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd != 0 &&
2254 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2255 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2256 /* record tsf of last beacon */
2257 memcpy(ni->ni_tstamp.data, scan.sp_tstamp, sizeof(ni->ni_tstamp));
2258
2259 if (ni->ni_erp != scan.sp_erp) {
2260 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2261 "[%s] erp change: was 0x%x, now 0x%x\n",
2262 ether_snprintf(ebuf, sizeof(ebuf),
2263 wh->i_addr2), ni->ni_erp, scan.sp_erp);
2264
2265 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2266 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) {
2267 ic->ic_flags |= IEEE80211_F_USEPROT;
2268 } else {
2269 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2270 }
2271 ni->ni_erp = scan.sp_erp;
2272 }
2273
2274 if ((ni->ni_capinfo ^ scan.sp_capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2275 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2276 "[%s] capabilities change: before 0x%x,"
2277 " now 0x%x\n",
2278 ether_snprintf(ebuf, sizeof(ebuf),
2279 wh->i_addr2),
2280 ni->ni_capinfo, scan.sp_capinfo);
2281 /*
2282 * NB: we assume short preamble doesn't
2283 * change dynamically
2284 */
2285 ieee80211_set_shortslottime(ic,
2286 ic->ic_curmode == IEEE80211_MODE_11A ||
2287 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2288 ni->ni_capinfo = scan.sp_capinfo;
2289 }
2290
2291 if (scan.sp_wme != NULL && (ni->ni_flags & IEEE80211_NODE_QOS) &&
2292 ieee80211_parse_wmeparams(ic, scan.sp_wme, wh) > 0) {
2293 ieee80211_wme_updateparams(ic);
2294 }
2295
2296 if (scan.sp_tim != NULL) {
2297 struct ieee80211_tim_ie *ie =
2298 (struct ieee80211_tim_ie *)scan.sp_tim;
2299
2300 ni->ni_dtim_count = ie->tim_count;
2301 ni->ni_dtim_period = ie->tim_period;
2302 }
2303
2304 if (ic->ic_flags & IEEE80211_F_SCAN) {
2305 ieee80211_add_scan(ic, &scan, wh, subtype, rssi,
2306 rstamp);
2307 }
2308
2309 ic->ic_bmiss_count = 0;
2310 return;
2311 }
2312
2313 /*
2314 * If scanning, just pass information to the scan module.
2315 */
2316 if (ic->ic_flags & IEEE80211_F_SCAN) {
2317 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2318 /*
2319 * Actively scanning a channel marked passive;
2320 * send a probe request now that we know there
2321 * is 802.11 traffic present.
2322 *
2323 * XXX check if the beacon we recv'd gives
2324 * us what we need and suppress the probe req
2325 */
2326 ieee80211_probe_curchan(ic, 1);
2327 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2328 }
2329 ieee80211_add_scan(ic, &scan, wh, subtype, rssi, rstamp);
2330 return;
2331 }
2332
2333 if (scan.sp_capinfo & IEEE80211_CAPINFO_IBSS) {
2334 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, rstamp);
2335 }
2336 }
2337
2338 static void
ieee80211_recv_mgmt_probe_req(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2339 ieee80211_recv_mgmt_probe_req(struct ieee80211com *ic, struct mbuf *m0,
2340 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2341 {
2342 struct ieee80211_frame *wh;
2343 u_int8_t *frm, *efrm;
2344 u_int8_t *ssid, *rates, *xrates;
2345 bool need_free = false;
2346 u_int8_t rate;
2347 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2348
2349 wh = mtod(m0, struct ieee80211_frame *);
2350 frm = (u_int8_t *)(wh + 1);
2351 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2352
2353 if (ic->ic_opmode == IEEE80211_M_STA ||
2354 ic->ic_state != IEEE80211_S_RUN) {
2355 ic->ic_stats.is_rx_mgtdiscard++;
2356 return;
2357 }
2358 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2359 /* frame must be directed */
2360 ic->ic_stats.is_rx_mgtdiscard++;
2361 return;
2362 }
2363
2364 /*
2365 * prreq frame format
2366 * [tlv] ssid
2367 * [tlv] supported rates
2368 * [tlv] extended supported rates
2369 */
2370 ssid = rates = xrates = NULL;
2371 while (frm + 1 < efrm) {
2372 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2373
2374 switch (*frm) {
2375 case IEEE80211_ELEMID_SSID:
2376 ssid = frm;
2377 break;
2378 case IEEE80211_ELEMID_RATES:
2379 rates = frm;
2380 break;
2381 case IEEE80211_ELEMID_XRATES:
2382 xrates = frm;
2383 break;
2384 }
2385
2386 frm += frm[1] + 2;
2387 }
2388
2389 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2390 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2391 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2392
2393 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2394 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2395 wh, ieee80211_mgt_subtype_name[subtype >>
2396 IEEE80211_FC0_SUBTYPE_SHIFT],
2397 "%s", "no ssid with ssid suppression enabled");
2398 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2399 return;
2400 }
2401
2402 if (ni == ic->ic_bss) {
2403 if (ic->ic_opmode != IEEE80211_M_IBSS) {
2404 ni = ieee80211_tmp_node(ic, wh->i_addr2);
2405 need_free = true;
2406 } else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2407 ;
2408 } else {
2409 /*
2410 * XXX Cannot tell if the sender is operating
2411 * in ibss mode. But we need a new node to
2412 * send the response so blindly add them to the
2413 * neighbor table.
2414 */
2415 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2416 wh->i_addr2);
2417 }
2418 if (ni == NULL)
2419 return;
2420 }
2421
2422 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, "[%s] recv probe req\n",
2423 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2));
2424
2425 ni->ni_rssi = rssi;
2426 ni->ni_rstamp = rstamp;
2427 rate = ieee80211_setup_rates(ni, rates, xrates,
2428 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE |
2429 IEEE80211_R_DONEGO | IEEE80211_R_DODEL);
2430
2431 if (rate & IEEE80211_RATE_BASIC) {
2432 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2433 wh, ieee80211_mgt_subtype_name[subtype >>
2434 IEEE80211_FC0_SUBTYPE_SHIFT],
2435 "%s", "recv'd rate set invalid");
2436 } else {
2437 IEEE80211_SEND_MGMT(ic, ni,
2438 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2439 }
2440
2441 if (need_free) {
2442 /* reclaim immediately */
2443 ieee80211_free_node(ni);
2444 }
2445 }
2446
2447 static void
ieee80211_recv_mgmt_auth(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2448 ieee80211_recv_mgmt_auth(struct ieee80211com *ic, struct mbuf *m0,
2449 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2450 {
2451 struct ieee80211_frame *wh;
2452 u_int8_t *frm, *efrm;
2453 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2454 u_int16_t algo, seq, status;
2455
2456 wh = mtod(m0, struct ieee80211_frame *);
2457 frm = (u_int8_t *)(wh + 1);
2458 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2459
2460 /*
2461 * auth frame format
2462 * [2] algorithm
2463 * [2] sequence
2464 * [2] status
2465 * [tlv*] challenge
2466 */
2467 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2468 algo = le16toh(*(u_int16_t *)frm);
2469 seq = le16toh(*(u_int16_t *)(frm + 2));
2470 status = le16toh(*(u_int16_t *)(frm + 4));
2471
2472 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2473 "[%s] recv auth frame with algorithm %d seq %d\n",
2474 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq);
2475
2476 /*
2477 * Consult the ACL policy module if setup.
2478 */
2479 if (ic->ic_acl != NULL && !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2480 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2481 wh, "auth", "%s", "disallowed by ACL");
2482 ic->ic_stats.is_rx_acl++;
2483 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2484 IEEE80211_SEND_MGMT(ic, ni,
2485 IEEE80211_FC0_SUBTYPE_AUTH,
2486 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2487 }
2488 return;
2489 }
2490
2491 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2492 IEEE80211_DISCARD(ic,
2493 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2494 wh, "auth", "%s", "TKIP countermeasures enabled");
2495 ic->ic_stats.is_rx_auth_countermeasures++;
2496 #ifndef IEEE80211_NO_HOSTAP
2497 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2498 IEEE80211_SEND_MGMT(ic, ni,
2499 IEEE80211_FC0_SUBTYPE_AUTH,
2500 IEEE80211_REASON_MIC_FAILURE);
2501 }
2502 #endif
2503 return;
2504 }
2505
2506 if (algo == IEEE80211_AUTH_ALG_SHARED) {
2507 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2508 rstamp, seq, status);
2509 } else if (algo == IEEE80211_AUTH_ALG_OPEN) {
2510 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, status);
2511 } else {
2512 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2513 wh, "auth", "unsupported alg %d", algo);
2514 ic->ic_stats.is_rx_auth_unsupported++;
2515 #ifndef IEEE80211_NO_HOSTAP
2516 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2517 /* XXX not right */
2518 IEEE80211_SEND_MGMT(ic, ni,
2519 IEEE80211_FC0_SUBTYPE_AUTH,
2520 (seq+1) | (IEEE80211_STATUS_ALG<<16));
2521 }
2522 #endif
2523 }
2524 }
2525
2526 static void
ieee80211_recv_mgmt_assoc_req(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2527 ieee80211_recv_mgmt_assoc_req(struct ieee80211com *ic, struct mbuf *m0,
2528 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2529 {
2530 struct ieee80211_frame *wh;
2531 u_int8_t *frm, *efrm;
2532 u_int8_t *ssid, *rates, *xrates, *wpa, *wme;
2533 int reassoc, resp;
2534 u_int8_t rate;
2535 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2536 u_int16_t capinfo, lintval;
2537 struct ieee80211_rsnparms rsn;
2538 u_int8_t reason;
2539
2540 wh = mtod(m0, struct ieee80211_frame *);
2541 frm = (u_int8_t *)(wh + 1);
2542 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2543
2544 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2545 ic->ic_state != IEEE80211_S_RUN) {
2546 ic->ic_stats.is_rx_mgtdiscard++;
2547 return;
2548 }
2549
2550 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2551 reassoc = 1;
2552 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2553 } else {
2554 reassoc = 0;
2555 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2556 }
2557
2558 /*
2559 * asreq frame format
2560 * [2] capability information
2561 * [2] listen interval
2562 * [6*] current AP address (reassoc only)
2563 * [tlv] ssid
2564 * [tlv] supported rates
2565 * [tlv] extended supported rates
2566 * [tlv] WPA or RSN
2567 */
2568 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4));
2569
2570 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2571 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2572 wh, ieee80211_mgt_subtype_name[subtype >>
2573 IEEE80211_FC0_SUBTYPE_SHIFT],
2574 "%s", "wrong bssid");
2575 ic->ic_stats.is_rx_assoc_bss++;
2576 return;
2577 }
2578
2579 capinfo = le16toh(*(u_int16_t *)frm); frm += 2;
2580 lintval = le16toh(*(u_int16_t *)frm); frm += 2;
2581 if (reassoc)
2582 frm += 6; /* ignore current AP info */
2583
2584 ssid = rates = xrates = wpa = wme = NULL;
2585 while (frm + 1 < efrm) {
2586 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2587
2588 switch (*frm) {
2589 case IEEE80211_ELEMID_SSID:
2590 ssid = frm;
2591 break;
2592 case IEEE80211_ELEMID_RATES:
2593 rates = frm;
2594 break;
2595 case IEEE80211_ELEMID_XRATES:
2596 xrates = frm;
2597 break;
2598 /* XXX verify only one of RSN and WPA ie's? */
2599 case IEEE80211_ELEMID_RSN:
2600 wpa = frm;
2601 break;
2602 case IEEE80211_ELEMID_VENDOR:
2603 if (iswpaoui(frm))
2604 wpa = frm;
2605 else if (iswmeinfo(frm))
2606 wme = frm;
2607 /* XXX Atheros OUI support */
2608 break;
2609 }
2610
2611 frm += frm[1] + 2;
2612 }
2613
2614 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2615 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2616 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2617
2618 if (ni == ic->ic_bss) {
2619 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2620 "[%s] deny %s request, sta not authenticated\n",
2621 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2622 reassoc ? "reassoc" : "assoc");
2623 ieee80211_send_error(ic, ni, wh->i_addr2,
2624 IEEE80211_FC0_SUBTYPE_DEAUTH,
2625 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2626 ic->ic_stats.is_rx_assoc_notauth++;
2627 return;
2628 }
2629
2630 /* assert right association security credentials */
2631 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) {
2632 IEEE80211_DPRINTF(ic,
2633 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2634 "[%s] no WPA/RSN IE in association request\n",
2635 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2));
2636
2637 IEEE80211_SEND_MGMT(ic, ni,
2638 IEEE80211_FC0_SUBTYPE_DEAUTH,
2639 IEEE80211_REASON_RSN_REQUIRED);
2640 ieee80211_node_leave(ic, ni);
2641
2642 /* XXX distinguish WPA/RSN? */
2643 ic->ic_stats.is_rx_assoc_badwpaie++;
2644 return;
2645 }
2646
2647 if (wpa != NULL) {
2648 /*
2649 * Parse WPA information element. Note that
2650 * we initialize the param block from the node
2651 * state so that information in the IE overrides
2652 * our defaults. The resulting parameters are
2653 * installed below after the association is assured.
2654 */
2655 rsn = ni->ni_rsn;
2656 if (wpa[0] != IEEE80211_ELEMID_RSN)
2657 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh);
2658 else
2659 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh);
2660
2661 if (reason != 0) {
2662 IEEE80211_SEND_MGMT(ic, ni,
2663 IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2664 ieee80211_node_leave(ic, ni);
2665
2666 /* XXX distinguish WPA/RSN? */
2667 ic->ic_stats.is_rx_assoc_badwpaie++;
2668 return;
2669 }
2670
2671 IEEE80211_DPRINTF(ic,
2672 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2673 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2674 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2675 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
2676 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen,
2677 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen,
2678 rsn.rsn_keymgmt, rsn.rsn_caps);
2679 }
2680
2681 /* discard challenge after association */
2682 if (ni->ni_challenge != NULL) {
2683 free(ni->ni_challenge, M_DEVBUF);
2684 ni->ni_challenge = NULL;
2685 }
2686
2687 /* NB: 802.11 spec says to ignore station's privacy bit */
2688 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2689 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2690 "[%s] deny %s request, capability mismatch 0x%x\n",
2691 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2692 reassoc ? "reassoc" : "assoc", capinfo);
2693 IEEE80211_SEND_MGMT(ic, ni, resp,
2694 IEEE80211_STATUS_CAPINFO);
2695 ieee80211_node_leave(ic, ni);
2696 ic->ic_stats.is_rx_assoc_capmismatch++;
2697 return;
2698 }
2699
2700 rate = ieee80211_setup_rates(ni, rates, xrates,
2701 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE |
2702 IEEE80211_R_DONEGO | IEEE80211_R_DODEL);
2703
2704 /*
2705 * If constrained to 11g-only stations reject an
2706 * 11b-only station. We cheat a bit here by looking
2707 * at the max negotiated xmit rate and assuming anyone
2708 * with a best rate <24Mb/s is an 11b station.
2709 */
2710 if ((rate & IEEE80211_RATE_BASIC) ||
2711 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) {
2712 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2713 "[%s] deny %s request, rate set mismatch\n",
2714 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2715 reassoc ? "reassoc" : "assoc");
2716 IEEE80211_SEND_MGMT(ic, ni, resp,
2717 IEEE80211_STATUS_BASIC_RATE);
2718 ieee80211_node_leave(ic, ni);
2719 ic->ic_stats.is_rx_assoc_norate++;
2720 return;
2721 }
2722
2723 ni->ni_rssi = rssi;
2724 ni->ni_rstamp = rstamp;
2725 ni->ni_intval = lintval;
2726 ni->ni_capinfo = capinfo;
2727 ni->ni_chan = ic->ic_bss->ni_chan;
2728 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2729 ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2730
2731 if (wpa != NULL) {
2732 /*
2733 * Record WPA/RSN parameters for station, mark
2734 * node as using WPA and record information element
2735 * for applications that require it.
2736 */
2737 ni->ni_rsn = rsn;
2738 ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2739 } else if (ni->ni_wpa_ie != NULL) {
2740 /*
2741 * Flush any state from a previous association.
2742 */
2743 free(ni->ni_wpa_ie, M_DEVBUF);
2744 ni->ni_wpa_ie = NULL;
2745 }
2746
2747 if (wme != NULL) {
2748 /*
2749 * Record WME parameters for station, mark node
2750 * as capable of QoS and record information
2751 * element for applications that require it.
2752 */
2753 ieee80211_saveie(&ni->ni_wme_ie, wme);
2754 ni->ni_flags |= IEEE80211_NODE_QOS;
2755 } else if (ni->ni_wme_ie != NULL) {
2756 /*
2757 * Flush any state from a previous association.
2758 */
2759 free(ni->ni_wme_ie, M_DEVBUF);
2760 ni->ni_wme_ie = NULL;
2761 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2762 }
2763
2764 ieee80211_node_join(ic, ni, resp);
2765 }
2766
2767 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
2768
2769 static void
ieee80211_recv_mgmt_assoc_resp(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2770 ieee80211_recv_mgmt_assoc_resp(struct ieee80211com *ic, struct mbuf *m0,
2771 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2772 {
2773 struct ieee80211_frame *wh;
2774 u_int8_t *frm, *efrm;
2775 u_int8_t *rates, *xrates, *wme;
2776 u_int8_t rate;
2777 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2778 u_int16_t capinfo, associd;
2779 u_int16_t status;
2780
2781 wh = mtod(m0, struct ieee80211_frame *);
2782 frm = (u_int8_t *)(wh + 1);
2783 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2784
2785 if (ic->ic_opmode != IEEE80211_M_STA ||
2786 ic->ic_state != IEEE80211_S_ASSOC) {
2787 ic->ic_stats.is_rx_mgtdiscard++;
2788 return;
2789 }
2790
2791 /*
2792 * asresp frame format
2793 * [2] capability information
2794 * [2] status
2795 * [2] association ID
2796 * [tlv] supported rates
2797 * [tlv] extended supported rates
2798 * [tlv] WME
2799 */
2800 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2801 ni = ic->ic_bss;
2802 capinfo = le16toh(*(u_int16_t *)frm);
2803 frm += 2;
2804 status = le16toh(*(u_int16_t *)frm);
2805 frm += 2;
2806 if (status != 0) {
2807 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2808 "[%s] %sassoc failed (reason %d)\n",
2809 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2810 ISREASSOC(subtype) ? "re" : "", status);
2811 if (ni != ic->ic_bss) /* XXX never true? */
2812 ni->ni_fails++;
2813 ic->ic_stats.is_rx_auth_fail++; /* XXX */
2814 return;
2815 }
2816 associd = le16toh(*(u_int16_t *)frm);
2817 frm += 2;
2818
2819 rates = xrates = wme = NULL;
2820 while (frm + 1 < efrm) {
2821 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2822
2823 switch (*frm) {
2824 case IEEE80211_ELEMID_RATES:
2825 rates = frm;
2826 break;
2827 case IEEE80211_ELEMID_XRATES:
2828 xrates = frm;
2829 break;
2830 case IEEE80211_ELEMID_VENDOR:
2831 if (iswmeoui(frm))
2832 wme = frm;
2833 /* XXX Atheros OUI support */
2834 break;
2835 }
2836
2837 frm += frm[1] + 2;
2838 }
2839
2840 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2841
2842 rate = ieee80211_setup_rates(ni, rates, xrates,
2843 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE |
2844 IEEE80211_R_DONEGO | IEEE80211_R_DODEL);
2845
2846 if (rate & IEEE80211_RATE_BASIC) {
2847 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2848 "[%s] %sassoc failed (rate set mismatch)\n",
2849 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2850 ISREASSOC(subtype) ? "re" : "");
2851 if (ni != ic->ic_bss) /* XXX never true? */
2852 ni->ni_fails++;
2853 ic->ic_stats.is_rx_assoc_norate++;
2854 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
2855 return;
2856 }
2857
2858 ni->ni_capinfo = capinfo;
2859 ni->ni_associd = associd;
2860 if (wme != NULL && ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
2861 ni->ni_flags |= IEEE80211_NODE_QOS;
2862 ieee80211_wme_updateparams(ic);
2863 } else {
2864 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2865 }
2866
2867 /*
2868 * Configure state now that we are associated.
2869 *
2870 * XXX may need different/additional driver callbacks?
2871 */
2872 if (ic->ic_curmode == IEEE80211_MODE_11A ||
2873 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2874 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
2875 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
2876 } else {
2877 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2878 ic->ic_flags |= IEEE80211_F_USEBARKER;
2879 }
2880 ieee80211_set_shortslottime(ic,
2881 ic->ic_curmode == IEEE80211_MODE_11A ||
2882 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2883
2884 /*
2885 * Honor ERP protection.
2886 *
2887 * NB: ni_erp should zero for non-11g operation.
2888 * XXX check ic_curmode anyway?
2889 */
2890 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2891 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) {
2892 ic->ic_flags |= IEEE80211_F_USEPROT;
2893 } else {
2894 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2895 }
2896
2897 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2898 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n",
2899 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2900 ISREASSOC(subtype) ? "re" : "",
2901 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
2902 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
2903 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
2904 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : ""
2905 );
2906
2907 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
2908 }
2909
2910 static void
ieee80211_recv_mgmt_deauth(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2911 ieee80211_recv_mgmt_deauth(struct ieee80211com *ic, struct mbuf *m0,
2912 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2913 {
2914 struct ieee80211_frame *wh;
2915 u_int8_t *frm, *efrm;
2916 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2917 u_int16_t reason;
2918
2919 wh = mtod(m0, struct ieee80211_frame *);
2920 frm = (u_int8_t *)(wh + 1);
2921 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2922
2923 if (ic->ic_state == IEEE80211_S_SCAN) {
2924 ic->ic_stats.is_rx_mgtdiscard++;
2925 return;
2926 }
2927
2928 /*
2929 * deauth frame format
2930 * [2] reason
2931 */
2932 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2933 reason = le16toh(*(u_int16_t *)frm);
2934 __USE(reason);
2935 ic->ic_stats.is_rx_deauth++;
2936 IEEE80211_NODE_STAT(ni, rx_deauth);
2937
2938 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2939 /* Not intended for this station. */
2940 ic->ic_stats.is_rx_mgtdiscard++;
2941 return;
2942 }
2943
2944 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2945 "[%s] recv deauthenticate (reason %d)\n",
2946 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason);
2947
2948 switch (ic->ic_opmode) {
2949 case IEEE80211_M_STA:
2950 ieee80211_new_state(ic, IEEE80211_S_AUTH,
2951 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2952 break;
2953 case IEEE80211_M_HOSTAP:
2954 #ifndef IEEE80211_NO_HOSTAP
2955 if (ni != ic->ic_bss)
2956 ieee80211_node_leave(ic, ni);
2957 #endif
2958 break;
2959 default:
2960 ic->ic_stats.is_rx_mgtdiscard++;
2961 break;
2962 }
2963 }
2964
2965 static void
ieee80211_recv_mgmt_disassoc(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)2966 ieee80211_recv_mgmt_disassoc(struct ieee80211com *ic, struct mbuf *m0,
2967 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
2968 {
2969 struct ieee80211_frame *wh;
2970 u_int8_t *frm, *efrm;
2971 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
2972 u_int16_t reason;
2973
2974 wh = mtod(m0, struct ieee80211_frame *);
2975 frm = (u_int8_t *)(wh + 1);
2976 efrm = mtod(m0, u_int8_t *) + m0->m_len;
2977
2978 if (ic->ic_state != IEEE80211_S_RUN &&
2979 ic->ic_state != IEEE80211_S_ASSOC &&
2980 ic->ic_state != IEEE80211_S_AUTH) {
2981 ic->ic_stats.is_rx_mgtdiscard++;
2982 return;
2983 }
2984
2985 /*
2986 * disassoc frame format
2987 * [2] reason
2988 */
2989 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2990 reason = le16toh(*(u_int16_t *)frm);
2991 __USE(reason);
2992 ic->ic_stats.is_rx_disassoc++;
2993 IEEE80211_NODE_STAT(ni, rx_disassoc);
2994
2995 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2996 /* Not intended for this station. */
2997 ic->ic_stats.is_rx_mgtdiscard++;
2998 return;
2999 }
3000
3001 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
3002 "[%s] recv disassociate (reason %d)\n",
3003 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason);
3004
3005 switch (ic->ic_opmode) {
3006 case IEEE80211_M_STA:
3007 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
3008 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
3009 break;
3010 case IEEE80211_M_HOSTAP:
3011 #ifndef IEEE80211_NO_HOSTAP
3012 if (ni != ic->ic_bss)
3013 ieee80211_node_leave(ic, ni);
3014 #endif
3015 break;
3016 default:
3017 ic->ic_stats.is_rx_mgtdiscard++;
3018 break;
3019 }
3020 }
3021
3022 #undef ISREASSOC
3023 #undef IEEE80211_VERIFY_LENGTH
3024 #undef IEEE80211_VERIFY_ELEMENT
3025
3026 /* -------------------------------------------------------------------------- */
3027
3028 void
ieee80211_recv_mgmt(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)3029 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
3030 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp)
3031 {
3032 struct ieee80211_frame *wh;
3033
3034 wh = mtod(m0, struct ieee80211_frame *);
3035
3036 switch (subtype) {
3037 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
3038 case IEEE80211_FC0_SUBTYPE_BEACON:
3039 ieee80211_recv_mgmt_beacon(ic, m0, ni, subtype, rssi, rstamp);
3040 return;
3041
3042 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
3043 ieee80211_recv_mgmt_probe_req(ic, m0, ni, subtype, rssi, rstamp);
3044 return;
3045
3046 case IEEE80211_FC0_SUBTYPE_AUTH:
3047 ieee80211_recv_mgmt_auth(ic, m0, ni, subtype, rssi, rstamp);
3048 return;
3049
3050 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
3051 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
3052 ieee80211_recv_mgmt_assoc_req(ic, m0, ni, subtype, rssi, rstamp);
3053 return;
3054
3055 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
3056 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
3057 ieee80211_recv_mgmt_assoc_resp(ic, m0, ni, subtype, rssi, rstamp);
3058 return;
3059
3060 case IEEE80211_FC0_SUBTYPE_DEAUTH:
3061 ieee80211_recv_mgmt_deauth(ic, m0, ni, subtype, rssi, rstamp);
3062 return;
3063
3064 case IEEE80211_FC0_SUBTYPE_DISASSOC:
3065 ieee80211_recv_mgmt_disassoc(ic, m0, ni, subtype, rssi, rstamp);
3066 return;
3067
3068 default:
3069 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
3070 wh, "mgt", "subtype 0x%x not handled", subtype);
3071 ic->ic_stats.is_rx_badsubtype++;
3072 break;
3073 }
3074 }
3075
3076 #ifndef IEEE80211_NO_HOSTAP
3077 /*
3078 * Handle station power-save state change.
3079 */
3080 static void
ieee80211_node_pwrsave(struct ieee80211_node * ni,int enable)3081 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable)
3082 {
3083 struct ieee80211com *ic = ni->ni_ic;
3084 struct mbuf *m;
3085 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
3086
3087 if (enable) {
3088 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0)
3089 ic->ic_ps_sta++;
3090 ni->ni_flags |= IEEE80211_NODE_PWR_MGT;
3091 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3092 "[%s] power save mode on, %u sta's in ps mode\n",
3093 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
3094 ic->ic_ps_sta);
3095 return;
3096 }
3097
3098 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT)
3099 ic->ic_ps_sta--;
3100 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT;
3101 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3102 "[%s] power save mode off, %u sta's in ps mode\n",
3103 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta);
3104 /* XXX if no stations in ps mode, flush mc frames */
3105
3106 /*
3107 * Flush queued unicast frames.
3108 */
3109 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) {
3110 if (ic->ic_set_tim != NULL)
3111 ic->ic_set_tim(ni, 0); /* just in case */
3112 return;
3113 }
3114
3115 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3116 "[%s] flush ps queue, %u packets queued\n",
3117 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
3118 IEEE80211_NODE_SAVEQ_QLEN(ni));
3119
3120 for (;;) {
3121 int qlen;
3122
3123 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
3124 if (m == NULL)
3125 break;
3126
3127 /*
3128 * If this is the last packet, turn off the TIM bit.
3129 * If there are more packets, set the more packets bit
3130 * in the mbuf so ieee80211_encap will mark the 802.11
3131 * head to indicate more data frames will follow.
3132 */
3133 if (qlen != 0)
3134 m->m_flags |= M_MORE_DATA;
3135
3136 /* XXX need different driver interface */
3137 /* XXX bypasses q max */
3138 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
3139 }
3140
3141 if (ic->ic_set_tim != NULL)
3142 ic->ic_set_tim(ni, 0);
3143 }
3144
3145 /*
3146 * Process a received ps-poll frame.
3147 */
3148 static void
ieee80211_recv_pspoll(struct ieee80211com * ic,struct ieee80211_node * ni,struct mbuf * m0)3149 ieee80211_recv_pspoll(struct ieee80211com *ic, struct ieee80211_node *ni,
3150 struct mbuf *m0)
3151 {
3152 struct ieee80211_frame_min *wh;
3153 struct mbuf *m;
3154 u_int16_t aid;
3155 int qlen;
3156 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]);
3157
3158 wh = mtod(m0, struct ieee80211_frame_min *);
3159 if (ni->ni_associd == 0) {
3160 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3161 (struct ieee80211_frame *)wh, "ps-poll",
3162 "%s", "unassociated station");
3163 ic->ic_stats.is_ps_unassoc++;
3164 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3165 IEEE80211_REASON_NOT_ASSOCED);
3166 return;
3167 }
3168
3169 aid = le16toh(*(u_int16_t *)wh->i_dur);
3170 if (aid != ni->ni_associd) {
3171 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
3172 (struct ieee80211_frame *)wh, "ps-poll",
3173 "aid mismatch: sta aid 0x%x poll aid 0x%x",
3174 ni->ni_associd, aid);
3175 ic->ic_stats.is_ps_badaid++;
3176 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
3177 IEEE80211_REASON_NOT_ASSOCED);
3178 return;
3179 }
3180
3181 /* Okay, take the first queued packet and put it out... */
3182 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
3183 if (m == NULL) {
3184 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3185 "[%s] recv ps-poll, but queue empty\n",
3186 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2));
3187 ieee80211_send_nulldata(ieee80211_ref_node(ni));
3188 ic->ic_stats.is_ps_qempty++; /* XXX node stat */
3189 if (ic->ic_set_tim != NULL)
3190 ic->ic_set_tim(ni, 0); /* just in case */
3191 return;
3192 }
3193
3194 /*
3195 * If there are more packets, set the more packets bit
3196 * in the packet dispatched to the station; otherwise
3197 * turn off the TIM bit.
3198 */
3199 if (qlen != 0) {
3200 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3201 "[%s] recv ps-poll, send packet, %u still queued\n",
3202 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen);
3203 m->m_flags |= M_MORE_DATA;
3204 } else {
3205 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
3206 "[%s] recv ps-poll, send packet, queue empty\n",
3207 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
3208 if (ic->ic_set_tim != NULL)
3209 ic->ic_set_tim(ni, 0);
3210 }
3211
3212 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
3213 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
3214 }
3215 #endif /* !IEEE80211_NO_HOSTAP */
3216
3217 #ifdef IEEE80211_DEBUG
3218 /*
3219 * Debugging support.
3220 */
3221
3222 /*
3223 * Return the bssid of a frame.
3224 */
3225 static const u_int8_t *
ieee80211_getbssid(struct ieee80211com * ic,const struct ieee80211_frame * wh)3226 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
3227 {
3228 if (ic->ic_opmode == IEEE80211_M_STA)
3229 return wh->i_addr2;
3230 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
3231 return wh->i_addr1;
3232 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
3233 return wh->i_addr1;
3234 return wh->i_addr3;
3235 }
3236
3237 void
ieee80211_note(struct ieee80211com * ic,const char * fmt,...)3238 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
3239 {
3240 char buf[128]; /* XXX */
3241 va_list ap;
3242
3243 va_start(ap, fmt);
3244 vsnprintf(buf, sizeof(buf), fmt, ap);
3245 va_end(ap);
3246
3247 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */
3248 }
3249
3250 void
ieee80211_note_mac(struct ieee80211com * ic,const u_int8_t mac[IEEE80211_ADDR_LEN],const char * fmt,...)3251 ieee80211_note_mac(struct ieee80211com *ic,
3252 const u_int8_t mac[IEEE80211_ADDR_LEN],
3253 const char *fmt, ...)
3254 {
3255 char buf[128]; /* XXX */
3256 va_list ap;
3257 char ebuf[3 * ETHER_ADDR_LEN];
3258
3259 va_start(ap, fmt);
3260 vsnprintf(buf, sizeof(buf), fmt, ap);
3261 va_end(ap);
3262 if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf),
3263 mac), buf);
3264 }
3265
3266 static void
ieee80211_discard_frame(struct ieee80211com * ic,const struct ieee80211_frame * wh,const char * type,const char * fmt,...)3267 ieee80211_discard_frame(struct ieee80211com *ic,
3268 const struct ieee80211_frame *wh,
3269 const char *type, const char *fmt, ...)
3270 {
3271 va_list ap;
3272 char ebuf[3 * ETHER_ADDR_LEN];
3273
3274 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3275 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh)));
3276 if (type != NULL)
3277 printf("%s frame, ", type);
3278 else
3279 printf("frame, ");
3280 va_start(ap, fmt);
3281 vprintf(fmt, ap);
3282 va_end(ap);
3283 printf("\n");
3284 }
3285
3286 static void
ieee80211_discard_ie(struct ieee80211com * ic,const struct ieee80211_frame * wh,const char * type,const char * fmt,...)3287 ieee80211_discard_ie(struct ieee80211com *ic,
3288 const struct ieee80211_frame *wh,
3289 const char *type, const char *fmt, ...)
3290 {
3291 va_list ap;
3292 char ebuf[3 * ETHER_ADDR_LEN];
3293
3294 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3295 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh)));
3296 if (type != NULL)
3297 printf("%s information element, ", type);
3298 else
3299 printf("information element, ");
3300 va_start(ap, fmt);
3301 vprintf(fmt, ap);
3302 va_end(ap);
3303 printf("\n");
3304 }
3305
3306 static void
ieee80211_discard_mac(struct ieee80211com * ic,const u_int8_t mac[IEEE80211_ADDR_LEN],const char * type,const char * fmt,...)3307 ieee80211_discard_mac(struct ieee80211com *ic,
3308 const u_int8_t mac[IEEE80211_ADDR_LEN],
3309 const char *type, const char *fmt, ...)
3310 {
3311 va_list ap;
3312 char ebuf[3 * ETHER_ADDR_LEN];
3313
3314 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
3315 ether_snprintf(ebuf, sizeof(ebuf), mac));
3316 if (type != NULL)
3317 printf("%s frame, ", type);
3318 else
3319 printf("frame, ");
3320 va_start(ap, fmt);
3321 vprintf(fmt, ap);
3322 va_end(ap);
3323 printf("\n");
3324 }
3325 #endif /* IEEE80211_DEBUG */
3326