1 /* 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 * 32 * $FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.62.2.14 2006/09/02 15:16:12 sam Exp $ 33 * $DragonFly: src/sys/netproto/802_11/wlan/ieee80211_input.c,v 1.19 2007/03/26 11:08:30 sephe Exp $ 34 */ 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/malloc.h> 40 #include <sys/endian.h> 41 #include <sys/kernel.h> 42 #include <sys/serialize.h> 43 44 #include <sys/socket.h> 45 46 #include <net/if.h> 47 #include <net/if_arp.h> 48 #include <net/ifq_var.h> 49 #include <net/if_media.h> 50 #include <net/ethernet.h> 51 #include <net/if_llc.h> 52 #include <net/vlan/if_vlan_var.h> 53 54 #include <netproto/802_11/ieee80211_var.h> 55 56 #include <net/bpf.h> 57 58 #ifdef IEEE80211_DEBUG 59 #include <machine/stdarg.h> 60 61 /* 62 * Decide if a received management frame should be 63 * printed when debugging is enabled. This filters some 64 * of the less interesting frames that come frequently 65 * (e.g. beacons). 66 */ 67 static __inline int 68 doprint(struct ieee80211com *ic, int subtype) 69 { 70 switch (subtype) { 71 case IEEE80211_FC0_SUBTYPE_BEACON: 72 return (ic->ic_flags & IEEE80211_F_SCAN); 73 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 74 return (ic->ic_opmode == IEEE80211_M_IBSS); 75 } 76 return 1; 77 } 78 79 /* 80 * Emit a debug message about discarding a frame or information 81 * element. One format is for extracting the mac address from 82 * the frame header; the other is for when a header is not 83 * available or otherwise appropriate. 84 */ 85 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 86 if ((_ic)->ic_debug & (_m)) \ 87 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 88 } while (0) 89 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 90 if ((_ic)->ic_debug & (_m)) \ 91 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 92 } while (0) 93 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 94 if ((_ic)->ic_debug & (_m)) \ 95 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 96 } while (0) 97 98 static const uint8_t *ieee80211_getbssid(struct ieee80211com *, 99 const struct ieee80211_frame *); 100 static void ieee80211_discard_frame(struct ieee80211com *, 101 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 102 static void ieee80211_discard_ie(struct ieee80211com *, 103 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 104 static void ieee80211_discard_mac(struct ieee80211com *, 105 const uint8_t mac[IEEE80211_ADDR_LEN], const char *type, 106 const char *fmt, ...); 107 #else 108 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 109 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 110 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 111 #endif /* IEEE80211_DEBUG */ 112 113 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 114 struct ieee80211_node *, struct mbuf *, int); 115 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 116 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 117 const uint8_t *mac, int subtype, int arg); 118 static void ieee80211_deliver_data(struct ieee80211com *, 119 struct ieee80211_node *, struct mbuf *); 120 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 121 static void ieee80211_recv_pspoll(struct ieee80211com *, 122 struct ieee80211_node *, struct mbuf *); 123 124 /* 125 * Process a received frame. The node associated with the sender 126 * should be supplied. If nothing was found in the node table then 127 * the caller is assumed to supply a reference to ic_bss instead. 128 * The RSSI and a timestamp are also supplied. The RSSI data is used 129 * during AP scanning to select a AP to associate with; it can have 130 * any units so long as values have consistent units and higher values 131 * mean ``better signal''. The receive timestamp is currently not used 132 * by the 802.11 layer. 133 */ 134 int 135 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 136 struct ieee80211_node *ni, int rssi, uint32_t rstamp) 137 { 138 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 139 #define HAS_SEQ(type) ((type & 0x4) == 0) 140 struct ifnet *ifp = ic->ic_ifp; 141 struct ieee80211_frame *wh; 142 struct ieee80211_key *key; 143 struct ether_header *eh; 144 int hdrspace, need_tap; 145 uint8_t dir, type, subtype; 146 uint8_t *bssid; 147 uint16_t rxseq; 148 149 ASSERT_SERIALIZED(ifp->if_serializer); 150 151 KASSERT(ni != NULL, ("null node")); 152 ni->ni_inact = ni->ni_inact_reload; 153 154 need_tap = 1; /* mbuf need to be tapped */ 155 type = -1; /* undefined */ 156 /* 157 * In monitor mode, send everything directly to bpf. 158 * XXX may want to include the CRC 159 */ 160 if (ic->ic_opmode == IEEE80211_M_MONITOR) 161 goto out; 162 163 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 164 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 165 ni->ni_macaddr, NULL, 166 "too short (1): len %u", m->m_pkthdr.len); 167 ic->ic_stats.is_rx_tooshort++; 168 goto out; 169 } 170 /* 171 * Bit of a cheat here, we use a pointer for a 3-address 172 * frame format but don't reference fields past outside 173 * ieee80211_frame_min w/o first validating the data is 174 * present. 175 */ 176 wh = mtod(m, struct ieee80211_frame *); 177 178 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 179 IEEE80211_FC0_VERSION_0) { 180 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 181 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 182 ic->ic_stats.is_rx_badversion++; 183 goto err; 184 } 185 186 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 187 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 188 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 189 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 190 switch (ic->ic_opmode) { 191 case IEEE80211_M_STA: 192 bssid = wh->i_addr2; 193 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 194 /* not interested in */ 195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 196 bssid, NULL, "%s", "not to bss"); 197 ic->ic_stats.is_rx_wrongbss++; 198 goto out; 199 } 200 break; 201 case IEEE80211_M_IBSS: 202 case IEEE80211_M_AHDEMO: 203 case IEEE80211_M_HOSTAP: 204 if (dir != IEEE80211_FC1_DIR_NODS) 205 bssid = wh->i_addr1; 206 else if (type == IEEE80211_FC0_TYPE_CTL) 207 bssid = wh->i_addr1; 208 else { 209 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 210 IEEE80211_DISCARD_MAC(ic, 211 IEEE80211_MSG_ANY, ni->ni_macaddr, 212 NULL, "too short (2): len %u", 213 m->m_pkthdr.len); 214 ic->ic_stats.is_rx_tooshort++; 215 goto out; 216 } 217 bssid = wh->i_addr3; 218 } 219 if (type != IEEE80211_FC0_TYPE_DATA) 220 break; 221 /* 222 * Data frame, validate the bssid. 223 */ 224 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 225 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 226 /* not interested in */ 227 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 228 bssid, NULL, "%s", "not to bss"); 229 ic->ic_stats.is_rx_wrongbss++; 230 goto out; 231 } 232 /* 233 * For adhoc mode we cons up a node when it doesn't 234 * exist. This should probably done after an ACL check. 235 */ 236 if (ni == ic->ic_bss && 237 ic->ic_opmode != IEEE80211_M_HOSTAP && 238 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 239 /* 240 * Fake up a node for this newly 241 * discovered member of the IBSS. 242 */ 243 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 244 wh->i_addr2); 245 if (ni == NULL) { 246 /* NB: stat kept for alloc failure */ 247 goto err; 248 } 249 } 250 break; 251 default: 252 goto out; 253 } 254 ni->ni_rssi = rssi; 255 ni->ni_rstamp = rstamp; 256 if (HAS_SEQ(type)) { 257 uint8_t tid; 258 if (IEEE80211_QOS_HAS_SEQ(wh)) { 259 tid = ((struct ieee80211_qosframe *)wh)-> 260 i_qos[0] & IEEE80211_QOS_TID; 261 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 262 ic->ic_wme.wme_hipri_traffic++; 263 tid++; 264 } else 265 tid = 0; 266 rxseq = le16toh(*(uint16_t *)wh->i_seq); 267 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 268 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 269 /* duplicate, discard */ 270 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 271 bssid, "duplicate", 272 "seqno <%u,%u> fragno <%u,%u> tid %u", 273 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 274 ni->ni_rxseqs[tid] >> 275 IEEE80211_SEQ_SEQ_SHIFT, 276 rxseq & IEEE80211_SEQ_FRAG_MASK, 277 ni->ni_rxseqs[tid] & 278 IEEE80211_SEQ_FRAG_MASK, 279 tid); 280 ic->ic_stats.is_rx_dup++; 281 IEEE80211_NODE_STAT(ni, rx_dup); 282 goto out; 283 } 284 ni->ni_rxseqs[tid] = rxseq; 285 } 286 } 287 288 switch (type) { 289 case IEEE80211_FC0_TYPE_DATA: 290 hdrspace = ieee80211_hdrspace(ic, wh); 291 if (m->m_len < hdrspace && 292 (m = m_pullup(m, hdrspace)) == NULL) { 293 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 294 ni->ni_macaddr, NULL, 295 "data too short: expecting %u", hdrspace); 296 ic->ic_stats.is_rx_tooshort++; 297 goto out; /* XXX */ 298 } 299 switch (ic->ic_opmode) { 300 case IEEE80211_M_STA: 301 if (dir != IEEE80211_FC1_DIR_FROMDS) { 302 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 303 wh, "data", "%s", "unknown dir 0x%x", dir); 304 ic->ic_stats.is_rx_wrongdir++; 305 goto out; 306 } 307 if ((ifp->if_flags & IFF_SIMPLEX) && 308 IEEE80211_IS_MULTICAST(wh->i_addr1) && 309 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 310 /* 311 * In IEEE802.11 network, multicast packet 312 * sent from me is broadcasted from AP. 313 * It should be silently discarded for 314 * SIMPLEX interface. 315 */ 316 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 317 wh, NULL, "%s", "multicast echo"); 318 ic->ic_stats.is_rx_mcastecho++; 319 goto out; 320 } 321 break; 322 case IEEE80211_M_IBSS: 323 case IEEE80211_M_AHDEMO: 324 if (dir != IEEE80211_FC1_DIR_NODS) { 325 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 326 wh, "data", "%s", "unknown dir 0x%x", dir); 327 ic->ic_stats.is_rx_wrongdir++; 328 goto out; 329 } 330 /* XXX no power-save support */ 331 break; 332 case IEEE80211_M_HOSTAP: 333 if (dir != IEEE80211_FC1_DIR_TODS) { 334 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 335 wh, "data", "%s", "unknown dir 0x%x", dir); 336 ic->ic_stats.is_rx_wrongdir++; 337 goto out; 338 } 339 /* check if source STA is associated */ 340 if (ni == ic->ic_bss) { 341 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 342 wh, "data", "%s", "unknown src"); 343 ieee80211_send_error(ic, ni, wh->i_addr2, 344 IEEE80211_FC0_SUBTYPE_DEAUTH, 345 IEEE80211_REASON_NOT_AUTHED); 346 ic->ic_stats.is_rx_notassoc++; 347 goto err; 348 } 349 if (ni->ni_associd == 0) { 350 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 351 wh, "data", "%s", "unassoc src"); 352 IEEE80211_SEND_MGMT(ic, ni, 353 IEEE80211_FC0_SUBTYPE_DISASSOC, 354 IEEE80211_REASON_NOT_ASSOCED); 355 ic->ic_stats.is_rx_notassoc++; 356 goto err; 357 } 358 359 /* 360 * Check for power save state change. 361 */ 362 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 363 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 364 ieee80211_node_pwrsave(ni, 365 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 366 break; 367 default: 368 /* XXX here to keep compiler happy */ 369 goto out; 370 } 371 372 /* 373 * Handle privacy requirements. Note that we 374 * must not be preempted from here until after 375 * we (potentially) call ieee80211_crypto_demic; 376 * otherwise we may violate assumptions in the 377 * crypto cipher modules used to do delayed update 378 * of replay sequence numbers. 379 */ 380 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 381 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 382 /* 383 * Discard encrypted frames when privacy is off. 384 */ 385 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 386 wh, "WEP", "%s", "PRIVACY off"); 387 ic->ic_stats.is_rx_noprivacy++; 388 IEEE80211_NODE_STAT(ni, rx_noprivacy); 389 goto out; 390 } 391 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 392 if (key == NULL) { 393 /* NB: stats+msgs handled in crypto_decap */ 394 IEEE80211_NODE_STAT(ni, rx_wepfail); 395 goto out; 396 } 397 wh = mtod(m, struct ieee80211_frame *); 398 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 399 } else { 400 key = NULL; 401 } 402 403 /* 404 * Next up, any fragmentation. 405 */ 406 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 407 m = ieee80211_defrag(ic, ni, m, hdrspace); 408 if (m == NULL) { 409 /* Fragment dropped or frame not complete yet */ 410 goto out; 411 } 412 } 413 wh = NULL; /* no longer valid, catch any uses */ 414 415 /* 416 * Next strip any MSDU crypto bits. 417 */ 418 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 419 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 420 ni->ni_macaddr, "data", "%s", "demic error"); 421 ic->ic_stats.is_rx_demicfail++; 422 IEEE80211_NODE_STAT(ni, rx_demicfail); 423 goto out; 424 } 425 426 /* copy to listener after decrypt */ 427 if (ic->ic_rawbpf) 428 bpf_mtap(ic->ic_rawbpf, m); 429 need_tap = 0; 430 431 /* 432 * Finally, strip the 802.11 header. 433 */ 434 m = ieee80211_decap(ic, m, hdrspace); 435 if (m == NULL) { 436 /* don't count Null data frames as errors */ 437 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 438 goto out; 439 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 440 ni->ni_macaddr, "data", "%s", "decap error"); 441 ic->ic_stats.is_rx_decap++; 442 IEEE80211_NODE_STAT(ni, rx_decap); 443 goto err; 444 } 445 eh = mtod(m, struct ether_header *); 446 if (!ieee80211_node_is_authorized(ni)) { 447 /* 448 * Deny any non-PAE frames received prior to 449 * authorization. For open/shared-key 450 * authentication the port is mark authorized 451 * after authentication completes. For 802.1x 452 * the port is not marked authorized by the 453 * authenticator until the handshake has completed. 454 */ 455 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 456 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 457 eh->ether_shost, "data", 458 "unauthorized port: ether type 0x%x len %u", 459 eh->ether_type, m->m_pkthdr.len); 460 ic->ic_stats.is_rx_unauth++; 461 IEEE80211_NODE_STAT(ni, rx_unauth); 462 goto err; 463 } 464 } else { 465 /* 466 * When denying unencrypted frames, discard 467 * any non-PAE frames received without encryption. 468 */ 469 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 470 key == NULL && 471 eh->ether_type != htons(ETHERTYPE_PAE)) { 472 /* 473 * Drop unencrypted frames. 474 */ 475 ic->ic_stats.is_rx_unencrypted++; 476 IEEE80211_NODE_STAT(ni, rx_unencrypted); 477 goto out; 478 } 479 } 480 ieee80211_deliver_data(ic, ni, m); 481 return IEEE80211_FC0_TYPE_DATA; 482 483 case IEEE80211_FC0_TYPE_MGT: 484 ic->ic_stats.is_rx_mgmt++; 485 IEEE80211_NODE_STAT(ni, rx_mgmt); 486 if (dir != IEEE80211_FC1_DIR_NODS) { 487 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 488 wh, "data", "%s", "unknown dir 0x%x", dir); 489 ic->ic_stats.is_rx_wrongdir++; 490 goto err; 491 } 492 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 493 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 494 ni->ni_macaddr, "mgt", "too short: len %u", 495 m->m_pkthdr.len); 496 ic->ic_stats.is_rx_tooshort++; 497 goto out; 498 } 499 #ifdef IEEE80211_DEBUG 500 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 501 ieee80211_msg_dumppkts(ic)) { 502 if_printf(ic->ic_ifp, "received %s from %6D rssi %d\n", 503 ieee80211_mgt_subtype_name[subtype >> 504 IEEE80211_FC0_SUBTYPE_SHIFT], 505 wh->i_addr2, ":", rssi); 506 } 507 #endif 508 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 509 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 510 /* 511 * Only shared key auth frames with a challenge 512 * should be encrypted, discard all others. 513 */ 514 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 515 wh, ieee80211_mgt_subtype_name[subtype >> 516 IEEE80211_FC0_SUBTYPE_SHIFT], 517 "%s", "WEP set but not permitted"); 518 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 519 goto out; 520 } 521 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 522 /* 523 * Discard encrypted frames when privacy is off. 524 */ 525 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 526 wh, "mgt", "%s", "WEP set but PRIVACY off"); 527 ic->ic_stats.is_rx_noprivacy++; 528 goto out; 529 } 530 hdrspace = ieee80211_hdrspace(ic, wh); 531 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 532 if (key == NULL) { 533 /* NB: stats+msgs handled in crypto_decap */ 534 goto out; 535 } 536 wh = mtod(m, struct ieee80211_frame *); 537 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 538 } 539 if (ic->ic_rawbpf) 540 bpf_mtap(ic->ic_rawbpf, m); 541 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 542 m_freem(m); 543 return type; 544 545 case IEEE80211_FC0_TYPE_CTL: 546 IEEE80211_NODE_STAT(ni, rx_ctrl); 547 ic->ic_stats.is_rx_ctl++; 548 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 549 switch (subtype) { 550 case IEEE80211_FC0_SUBTYPE_PS_POLL: 551 ieee80211_recv_pspoll(ic, ni, m); 552 break; 553 } 554 } 555 goto out; 556 default: 557 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 558 wh, NULL, "bad frame type 0x%x", type); 559 /* should not come here */ 560 break; 561 } 562 err: 563 ifp->if_ierrors++; 564 out: 565 if (m != NULL) { 566 if (ic->ic_rawbpf && need_tap) 567 bpf_mtap(ic->ic_rawbpf, m); 568 m_freem(m); 569 } 570 return type; 571 #undef SEQ_LEQ 572 } 573 574 /* 575 * This function reassemble fragments. 576 */ 577 static struct mbuf * 578 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 579 struct mbuf *m, int hdrspace) 580 { 581 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 582 struct ieee80211_frame *lwh; 583 uint16_t rxseq; 584 uint8_t fragno; 585 uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 586 struct mbuf *mfrag; 587 588 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 589 590 rxseq = le16toh(*(uint16_t *)wh->i_seq); 591 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 592 593 /* Quick way out, if there's nothing to defragment */ 594 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 595 return m; 596 597 /* 598 * Remove frag to insure it doesn't get reaped by timer. 599 */ 600 if (ni->ni_table == NULL) { 601 /* 602 * Should never happen. If the node is orphaned (not in 603 * the table) then input packets should not reach here. 604 * Otherwise, a concurrent request that yanks the table 605 * should be blocked by other interlocking and/or by first 606 * shutting the driver down. Regardless, be defensive 607 * here and just bail 608 */ 609 /* XXX need msg+stat */ 610 m_freem(m); 611 return NULL; 612 } 613 mfrag = ni->ni_rxfrag[0]; 614 ni->ni_rxfrag[0] = NULL; 615 616 /* 617 * Validate new fragment is in order and 618 * related to the previous ones. 619 */ 620 if (mfrag != NULL) { 621 uint16_t last_rxseq; 622 623 lwh = mtod(mfrag, struct ieee80211_frame *); 624 last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); 625 /* NB: check seq # and frag together */ 626 if (rxseq != last_rxseq+1 || 627 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 628 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 629 /* 630 * Unrelated fragment or no space for it, 631 * clear current fragments. 632 */ 633 m_freem(mfrag); 634 mfrag = NULL; 635 } 636 } 637 638 if (mfrag == NULL) { 639 if (fragno != 0) { /* !first fragment, discard */ 640 ic->ic_stats.is_rx_defrag++; 641 IEEE80211_NODE_STAT(ni, rx_defrag); 642 m_freem(m); 643 return NULL; 644 } 645 mfrag = m; 646 } else { /* concatenate */ 647 m_adj(m, hdrspace); /* strip header */ 648 m_cat(mfrag, m); 649 /* NB: m_cat doesn't update the packet header */ 650 mfrag->m_pkthdr.len += m->m_pkthdr.len; 651 /* track last seqnum and fragno */ 652 lwh = mtod(mfrag, struct ieee80211_frame *); 653 *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; 654 } 655 if (more_frag) { /* more to come, save */ 656 ni->ni_rxfragstamp = ticks; 657 ni->ni_rxfrag[0] = mfrag; 658 mfrag = NULL; 659 } 660 return mfrag; 661 } 662 663 static void 664 ieee80211_deliver_data(struct ieee80211com *ic, 665 struct ieee80211_node *ni, struct mbuf *m) 666 { 667 struct ether_header *eh = mtod(m, struct ether_header *); 668 struct ifnet *ifp = ic->ic_ifp; 669 670 /* 671 * Do accounting. 672 */ 673 ifp->if_ipackets++; 674 IEEE80211_NODE_STAT(ni, rx_data); 675 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 676 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 677 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 678 IEEE80211_NODE_STAT(ni, rx_mcast); 679 } else { 680 IEEE80211_NODE_STAT(ni, rx_ucast); 681 } 682 683 /* perform as a bridge within the AP */ 684 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 685 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 686 struct mbuf *m1 = NULL; 687 688 if (m->m_flags & M_MCAST) { 689 m1 = m_dup(m, MB_DONTWAIT); 690 if (m1 == NULL) 691 ifp->if_oerrors++; 692 else 693 m1->m_flags |= M_MCAST; 694 } else { 695 /* 696 * Check if the destination is known; if so 697 * and the port is authorized dispatch directly. 698 */ 699 struct ieee80211_node *sta = 700 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 701 if (sta != NULL) { 702 if (ieee80211_node_is_authorized(sta)) { 703 /* 704 * Beware of sending to ourself; this 705 * needs to happen via the normal 706 * input path. 707 */ 708 if (sta != ic->ic_bss) { 709 m1 = m; 710 m = NULL; 711 } 712 } else { 713 ic->ic_stats.is_rx_unauth++; 714 IEEE80211_NODE_STAT(sta, rx_unauth); 715 } 716 ieee80211_free_node(sta); 717 } 718 } 719 if (m1 != NULL) { 720 /* XXX bypasses ALTQ */ 721 ifq_handoff(ifp, m1, NULL); 722 } 723 } 724 if (m != NULL) { 725 #ifdef FREEBSD_VLAN 726 if (ni->ni_vlan != 0) { 727 /* attach vlan tag */ 728 VLAN_INPUT_TAG_NEW(ifp, m, ni->ni_vlan); 729 if (m == NULL) 730 goto out; /* XXX goto err? */ 731 } 732 #endif 733 ifp->if_input(ifp, m); 734 } 735 return; 736 737 #ifdef FREEBSD_VLAN 738 out: 739 if (m != NULL) { 740 if (ic->ic_rawbpf) 741 bpf_mtap(ic->ic_rawbpf, m); 742 m_freem(m); 743 } 744 #endif 745 } 746 747 static struct mbuf * 748 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 749 { 750 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 751 struct ether_header *eh; 752 struct llc *llc; 753 754 if (m->m_len < hdrlen + sizeof(*llc) && 755 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 756 /* XXX stat, msg */ 757 return NULL; 758 } 759 memcpy(&wh, mtod(m, caddr_t), hdrlen); 760 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 761 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 762 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 763 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 764 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 765 llc = NULL; 766 } else { 767 m_adj(m, hdrlen - sizeof(*eh)); 768 } 769 eh = mtod(m, struct ether_header *); 770 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 771 case IEEE80211_FC1_DIR_NODS: 772 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 773 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 774 break; 775 case IEEE80211_FC1_DIR_TODS: 776 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 777 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 778 break; 779 case IEEE80211_FC1_DIR_FROMDS: 780 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 781 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 782 break; 783 case IEEE80211_FC1_DIR_DSTODS: 784 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 785 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 786 break; 787 } 788 #ifdef ALIGNED_POINTER 789 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) { 790 struct mbuf *n, *n0, **np; 791 caddr_t newdata; 792 int off, pktlen; 793 794 n0 = NULL; 795 np = &n0; 796 off = 0; 797 pktlen = m->m_pkthdr.len; 798 while (pktlen > off) { 799 if (n0 == NULL) { 800 MGETHDR(n, M_DONTWAIT, MT_DATA); 801 if (n == NULL) { 802 m_freem(m); 803 return NULL; 804 } 805 M_MOVE_PKTHDR(n, m); 806 n->m_len = MHLEN; 807 } else { 808 MGET(n, M_DONTWAIT, MT_DATA); 809 if (n == NULL) { 810 m_freem(m); 811 m_freem(n0); 812 return NULL; 813 } 814 n->m_len = MLEN; 815 } 816 if (pktlen - off >= MINCLSIZE) { 817 MCLGET(n, M_DONTWAIT); 818 if (n->m_flags & M_EXT) 819 n->m_len = n->m_ext.ext_size; 820 } 821 if (n0 == NULL) { 822 newdata = 823 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 824 sizeof(*eh); 825 n->m_len -= newdata - n->m_data; 826 n->m_data = newdata; 827 } 828 if (n->m_len > pktlen - off) 829 n->m_len = pktlen - off; 830 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 831 off += n->m_len; 832 *np = n; 833 np = &n->m_next; 834 } 835 m_freem(m); 836 m = n0; 837 } 838 #endif /* ALIGNED_POINTER */ 839 if (llc != NULL) { 840 eh = mtod(m, struct ether_header *); 841 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 842 } 843 return m; 844 } 845 846 /* 847 * Install received rate set information in the node's state block. 848 */ 849 int 850 ieee80211_setup_rates(struct ieee80211_node *ni, 851 const uint8_t *rates, const uint8_t *xrates, int flags, int join) 852 { 853 struct ieee80211com *ic = ni->ni_ic; 854 struct ieee80211_rateset *rs = &ni->ni_rates; 855 856 memset(rs, 0, sizeof(*rs)); 857 rs->rs_nrates = rates[1]; 858 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 859 if (xrates != NULL) { 860 uint8_t nxrates; 861 /* 862 * Tack on 11g extended supported rate element. 863 */ 864 nxrates = xrates[1]; 865 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 866 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 867 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 868 "[%6D] extended rate set too large;" 869 " only using %u of %u rates\n", 870 ni->ni_macaddr, ":", nxrates, xrates[1]); 871 ic->ic_stats.is_rx_rstoobig++; 872 } 873 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 874 rs->rs_nrates += nxrates; 875 } 876 return ieee80211_fix_rate(ni, flags, join); 877 } 878 879 static void 880 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 881 struct ieee80211_node *ni, int rssi, uint32_t rstamp, uint16_t seq, 882 uint16_t status) 883 { 884 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 885 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 886 ni->ni_macaddr, "open auth", 887 "bad sta auth mode %u", ni->ni_authmode); 888 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 889 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 890 /* 891 * Clear any challenge text that may be there if 892 * a previous shared key auth failed and then an 893 * open auth is attempted. 894 */ 895 if (ni->ni_challenge != NULL) { 896 FREE(ni->ni_challenge, M_DEVBUF); 897 ni->ni_challenge = NULL; 898 } 899 /* XXX hack to workaround calling convention */ 900 ieee80211_send_error(ic, ni, wh->i_addr2, 901 IEEE80211_FC0_SUBTYPE_AUTH, 902 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 903 } 904 return; 905 } 906 switch (ic->ic_opmode) { 907 case IEEE80211_M_IBSS: 908 case IEEE80211_M_AHDEMO: 909 case IEEE80211_M_MONITOR: 910 /* should not come here */ 911 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 912 ni->ni_macaddr, "open auth", 913 "bad operating mode %u", ic->ic_opmode); 914 break; 915 916 case IEEE80211_M_HOSTAP: 917 if (ic->ic_state != IEEE80211_S_RUN || 918 seq != IEEE80211_AUTH_OPEN_REQUEST) { 919 ic->ic_stats.is_rx_bad_auth++; 920 return; 921 } 922 /* always accept open authentication requests */ 923 if (ni == ic->ic_bss) { 924 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 925 if (ni == NULL) 926 return; 927 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 928 (void) ieee80211_ref_node(ni); 929 /* 930 * Mark the node as referenced to reflect that it's 931 * reference count has been bumped to insure it remains 932 * after the transaction completes. 933 */ 934 ni->ni_flags |= IEEE80211_NODE_AREF; 935 936 IEEE80211_SEND_MGMT(ic, ni, 937 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 938 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 939 "[%6D] station authenticated (open)\n", 940 ni->ni_macaddr, ":"); 941 /* 942 * When 802.1x is not in use mark the port 943 * authorized at this point so traffic can flow. 944 */ 945 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 946 ieee80211_node_authorize(ni); 947 break; 948 949 case IEEE80211_M_STA: 950 if (ic->ic_state != IEEE80211_S_AUTH || 951 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 952 ic->ic_stats.is_rx_bad_auth++; 953 return; 954 } 955 if (status != 0) { 956 IEEE80211_DPRINTF(ic, 957 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 958 "[%6D] open auth failed (reason %d)\n", 959 ni->ni_macaddr, ":", status); 960 /* XXX can this happen? */ 961 if (ni != ic->ic_bss) 962 ni->ni_fails++; 963 ic->ic_stats.is_rx_auth_fail++; 964 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 965 } else 966 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 967 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 968 break; 969 } 970 } 971 972 /* 973 * Send a management frame error response to the specified 974 * station. If ni is associated with the station then use 975 * it; otherwise allocate a temporary node suitable for 976 * transmitting the frame and then free the reference so 977 * it will go away as soon as the frame has been transmitted. 978 */ 979 static void 980 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 981 const uint8_t *mac, int subtype, int arg) 982 { 983 int istmp; 984 985 if (ni == ic->ic_bss) { 986 ni = ieee80211_tmp_node(ic, mac); 987 if (ni == NULL) { 988 /* XXX msg */ 989 return; 990 } 991 istmp = 1; 992 } else 993 istmp = 0; 994 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 995 if (istmp) 996 ieee80211_free_node(ni); 997 } 998 999 static int 1000 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1001 { 1002 if (ni->ni_challenge == NULL) 1003 MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN, 1004 M_DEVBUF, M_NOWAIT); 1005 if (ni->ni_challenge == NULL) { 1006 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1007 "[%6D] shared key challenge alloc failed\n", 1008 ni->ni_macaddr, ":"); 1009 /* XXX statistic */ 1010 } 1011 return (ni->ni_challenge != NULL); 1012 } 1013 1014 /* XXX TODO: add statistics */ 1015 static void 1016 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1017 uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni, int rssi, 1018 uint32_t rstamp, uint16_t seq, uint16_t status) 1019 { 1020 uint8_t *challenge; 1021 int allocbs, estatus; 1022 1023 /* 1024 * NB: this can happen as we allow pre-shared key 1025 * authentication to be enabled w/o wep being turned 1026 * on so that configuration of these can be done 1027 * in any order. It may be better to enforce the 1028 * ordering in which case this check would just be 1029 * for sanity/consistency. 1030 */ 1031 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1032 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1033 ni->ni_macaddr, "shared key auth", 1034 "%s", " PRIVACY is disabled"); 1035 estatus = IEEE80211_STATUS_ALG; 1036 goto bad; 1037 } 1038 /* 1039 * Pre-shared key authentication is evil; accept 1040 * it only if explicitly configured (it is supported 1041 * mainly for compatibility with clients like OS X). 1042 */ 1043 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1044 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1045 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1046 ni->ni_macaddr, "shared key auth", 1047 "bad sta auth mode %u", ni->ni_authmode); 1048 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1049 estatus = IEEE80211_STATUS_ALG; 1050 goto bad; 1051 } 1052 1053 challenge = NULL; 1054 if (frm + 1 < efrm) { 1055 if ((frm[1] + 2) > (efrm - frm)) { 1056 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1057 ni->ni_macaddr, "shared key auth", 1058 "ie %d/%d too long", 1059 frm[0], (frm[1] + 2) - (efrm - frm)); 1060 ic->ic_stats.is_rx_bad_auth++; 1061 estatus = IEEE80211_STATUS_CHALLENGE; 1062 goto bad; 1063 } 1064 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1065 challenge = frm; 1066 frm += frm[1] + 2; 1067 } 1068 switch (seq) { 1069 case IEEE80211_AUTH_SHARED_CHALLENGE: 1070 case IEEE80211_AUTH_SHARED_RESPONSE: 1071 if (challenge == NULL) { 1072 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1073 ni->ni_macaddr, "shared key auth", 1074 "%s", "no challenge"); 1075 ic->ic_stats.is_rx_bad_auth++; 1076 estatus = IEEE80211_STATUS_CHALLENGE; 1077 goto bad; 1078 } 1079 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1080 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1081 ni->ni_macaddr, "shared key auth", 1082 "bad challenge len %d", challenge[1]); 1083 ic->ic_stats.is_rx_bad_auth++; 1084 estatus = IEEE80211_STATUS_CHALLENGE; 1085 goto bad; 1086 } 1087 default: 1088 break; 1089 } 1090 switch (ic->ic_opmode) { 1091 case IEEE80211_M_MONITOR: 1092 case IEEE80211_M_AHDEMO: 1093 case IEEE80211_M_IBSS: 1094 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1095 ni->ni_macaddr, "shared key auth", 1096 "bad operating mode %u", ic->ic_opmode); 1097 return; 1098 case IEEE80211_M_HOSTAP: 1099 if (ic->ic_state != IEEE80211_S_RUN) { 1100 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1101 ni->ni_macaddr, "shared key auth", 1102 "bad state %u", ic->ic_state); 1103 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1104 goto bad; 1105 } 1106 switch (seq) { 1107 case IEEE80211_AUTH_SHARED_REQUEST: 1108 if (ni == ic->ic_bss) { 1109 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1110 if (ni == NULL) { 1111 /* NB: no way to return an error */ 1112 return; 1113 } 1114 allocbs = 1; 1115 } else { 1116 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1117 (void) ieee80211_ref_node(ni); 1118 allocbs = 0; 1119 } 1120 /* 1121 * Mark the node as referenced to reflect that it's 1122 * reference count has been bumped to insure it remains 1123 * after the transaction completes. 1124 */ 1125 ni->ni_flags |= IEEE80211_NODE_AREF; 1126 ni->ni_rssi = rssi; 1127 ni->ni_rstamp = rstamp; 1128 if (!alloc_challenge(ic, ni)) { 1129 /* NB: don't return error so they rexmit */ 1130 return; 1131 } 1132 get_random_bytes(ni->ni_challenge, 1133 IEEE80211_CHALLENGE_LEN); 1134 IEEE80211_DPRINTF(ic, 1135 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1136 "[%6D] shared key %sauth request\n", 1137 ni->ni_macaddr, ":", 1138 allocbs ? "" : "re"); 1139 break; 1140 case IEEE80211_AUTH_SHARED_RESPONSE: 1141 if (ni == ic->ic_bss) { 1142 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1143 ni->ni_macaddr, "shared key response", 1144 "%s", "unknown station"); 1145 /* NB: don't send a response */ 1146 return; 1147 } 1148 if (ni->ni_challenge == NULL) { 1149 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1150 ni->ni_macaddr, "shared key response", 1151 "%s", "no challenge recorded"); 1152 ic->ic_stats.is_rx_bad_auth++; 1153 estatus = IEEE80211_STATUS_CHALLENGE; 1154 goto bad; 1155 } 1156 if (memcmp(ni->ni_challenge, &challenge[2], 1157 challenge[1]) != 0) { 1158 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1159 ni->ni_macaddr, "shared key response", 1160 "%s", "challenge mismatch"); 1161 ic->ic_stats.is_rx_auth_fail++; 1162 estatus = IEEE80211_STATUS_CHALLENGE; 1163 goto bad; 1164 } 1165 IEEE80211_DPRINTF(ic, 1166 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1167 "[%6D] station authenticated (shared key)\n", 1168 ni->ni_macaddr, ":"); 1169 ieee80211_node_authorize(ni); 1170 break; 1171 default: 1172 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1173 ni->ni_macaddr, "shared key auth", 1174 "bad seq %d", seq); 1175 ic->ic_stats.is_rx_bad_auth++; 1176 estatus = IEEE80211_STATUS_SEQUENCE; 1177 goto bad; 1178 } 1179 IEEE80211_SEND_MGMT(ic, ni, 1180 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1181 break; 1182 1183 case IEEE80211_M_STA: 1184 if (ic->ic_state != IEEE80211_S_AUTH) 1185 return; 1186 switch (seq) { 1187 case IEEE80211_AUTH_SHARED_PASS: 1188 if (ni->ni_challenge != NULL) { 1189 FREE(ni->ni_challenge, M_DEVBUF); 1190 ni->ni_challenge = NULL; 1191 } 1192 if (status != 0) { 1193 IEEE80211_DPRINTF(ic, 1194 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1195 "[%6D] shared key auth failed (reason %d)\n", 1196 ieee80211_getbssid(ic, wh), ":", status); 1197 /* XXX can this happen? */ 1198 if (ni != ic->ic_bss) 1199 ni->ni_fails++; 1200 ic->ic_stats.is_rx_auth_fail++; 1201 return; 1202 } 1203 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1204 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1205 break; 1206 case IEEE80211_AUTH_SHARED_CHALLENGE: 1207 if (!alloc_challenge(ic, ni)) 1208 return; 1209 /* XXX could optimize by passing recvd challenge */ 1210 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1211 IEEE80211_SEND_MGMT(ic, ni, 1212 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1213 break; 1214 default: 1215 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1216 wh, "shared key auth", "bad seq %d", seq); 1217 ic->ic_stats.is_rx_bad_auth++; 1218 return; 1219 } 1220 break; 1221 } 1222 return; 1223 bad: 1224 /* 1225 * Send an error response; but only when operating as an AP. 1226 */ 1227 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1228 /* XXX hack to workaround calling convention */ 1229 ieee80211_send_error(ic, ni, wh->i_addr2, 1230 IEEE80211_FC0_SUBTYPE_AUTH, 1231 (seq + 1) | (estatus<<16)); 1232 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1233 /* 1234 * Kick the state machine. This short-circuits 1235 * using the mgt frame timeout to trigger the 1236 * state transition. 1237 */ 1238 if (ic->ic_state == IEEE80211_S_AUTH) 1239 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1240 } 1241 } 1242 1243 /* Verify the existence and length of __elem or get out. */ 1244 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1245 if ((__elem) == NULL) { \ 1246 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1247 wh, ieee80211_mgt_subtype_name[subtype >> \ 1248 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1249 "%s", "no " #__elem ); \ 1250 ic->ic_stats.is_rx_elem_missing++; \ 1251 return; \ 1252 } \ 1253 if ((__elem)[1] > (__maxlen)) { \ 1254 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1255 wh, ieee80211_mgt_subtype_name[subtype >> \ 1256 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1257 "bad " #__elem " len %d", (__elem)[1]); \ 1258 ic->ic_stats.is_rx_elem_toobig++; \ 1259 return; \ 1260 } \ 1261 } while (0) 1262 1263 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1264 if ((_len) < (_minlen)) { \ 1265 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1266 wh, ieee80211_mgt_subtype_name[subtype >> \ 1267 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1268 "%s", "ie too short"); \ 1269 ic->ic_stats.is_rx_elem_toosmall++; \ 1270 return; \ 1271 } \ 1272 } while (0) 1273 1274 #ifdef IEEE80211_DEBUG 1275 static void 1276 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1277 uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid) 1278 { 1279 kprintf("[%6D] discard %s frame, ssid mismatch: ", mac, ":", tag); 1280 ieee80211_print_essid(ssid + 2, ssid[1]); 1281 kprintf("\n"); 1282 } 1283 1284 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1285 if ((_ssid)[1] != 0 && \ 1286 ((_ssid)[1] != (_ni)->ni_esslen || \ 1287 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1288 if (ieee80211_msg_input(ic)) \ 1289 ieee80211_ssid_mismatch(ic, \ 1290 ieee80211_mgt_subtype_name[subtype >> \ 1291 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1292 wh->i_addr2, _ssid); \ 1293 ic->ic_stats.is_rx_ssidmismatch++; \ 1294 return; \ 1295 } \ 1296 } while (0) 1297 #else /* !IEEE80211_DEBUG */ 1298 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1299 if ((_ssid)[1] != 0 && \ 1300 ((_ssid)[1] != (_ni)->ni_esslen || \ 1301 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1302 ic->ic_stats.is_rx_ssidmismatch++; \ 1303 return; \ 1304 } \ 1305 } while (0) 1306 #endif /* !IEEE80211_DEBUG */ 1307 1308 /* unalligned little endian access */ 1309 #define LE_READ_2(p) \ 1310 ((uint16_t) \ 1311 ((((const uint8_t *)(p))[0] ) | \ 1312 (((const uint8_t *)(p))[1] << 8))) 1313 #define LE_READ_4(p) \ 1314 ((uint32_t) \ 1315 ((((const uint8_t *)(p))[0] ) | \ 1316 (((const uint8_t *)(p))[1] << 8) | \ 1317 (((const uint8_t *)(p))[2] << 16) | \ 1318 (((const uint8_t *)(p))[3] << 24))) 1319 1320 static int __inline 1321 iswpaoui(const uint8_t *frm) 1322 { 1323 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1324 } 1325 1326 static int __inline 1327 iswmeoui(const uint8_t *frm) 1328 { 1329 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1330 } 1331 1332 static int __inline 1333 iswmeparam(const uint8_t *frm) 1334 { 1335 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1336 frm[6] == WME_PARAM_OUI_SUBTYPE; 1337 } 1338 1339 static int __inline 1340 iswmeinfo(const uint8_t *frm) 1341 { 1342 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1343 frm[6] == WME_INFO_OUI_SUBTYPE; 1344 } 1345 1346 static int __inline 1347 isatherosoui(const uint8_t *frm) 1348 { 1349 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1350 } 1351 1352 /* 1353 * Convert a WPA cipher selector OUI to an internal 1354 * cipher algorithm. Where appropriate we also 1355 * record any key length. 1356 */ 1357 static int 1358 wpa_cipher(uint8_t *sel, uint8_t *keylen) 1359 { 1360 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1361 uint32_t w = LE_READ_4(sel); 1362 1363 switch (w) { 1364 case WPA_SEL(WPA_CSE_NULL): 1365 return IEEE80211_CIPHER_NONE; 1366 case WPA_SEL(WPA_CSE_WEP40): 1367 if (keylen) 1368 *keylen = 40 / NBBY; 1369 return IEEE80211_CIPHER_WEP; 1370 case WPA_SEL(WPA_CSE_WEP104): 1371 if (keylen) 1372 *keylen = 104 / NBBY; 1373 return IEEE80211_CIPHER_WEP; 1374 case WPA_SEL(WPA_CSE_TKIP): 1375 return IEEE80211_CIPHER_TKIP; 1376 case WPA_SEL(WPA_CSE_CCMP): 1377 return IEEE80211_CIPHER_AES_CCM; 1378 } 1379 return 32; /* NB: so 1<< is discarded */ 1380 #undef WPA_SEL 1381 } 1382 1383 /* 1384 * Convert a WPA key management/authentication algorithm 1385 * to an internal code. 1386 */ 1387 static int 1388 wpa_keymgmt(uint8_t *sel) 1389 { 1390 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1391 uint32_t w = LE_READ_4(sel); 1392 1393 switch (w) { 1394 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1395 return WPA_ASE_8021X_UNSPEC; 1396 case WPA_SEL(WPA_ASE_8021X_PSK): 1397 return WPA_ASE_8021X_PSK; 1398 case WPA_SEL(WPA_ASE_NONE): 1399 return WPA_ASE_NONE; 1400 } 1401 return 0; /* NB: so is discarded */ 1402 #undef WPA_SEL 1403 } 1404 1405 /* 1406 * Parse a WPA information element to collect parameters 1407 * and validate the parameters against what has been 1408 * configured for the system. 1409 */ 1410 static int 1411 ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm, 1412 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1413 { 1414 uint8_t len = frm[1]; 1415 uint32_t w; 1416 int n; 1417 1418 /* 1419 * Check the length once for fixed parts: OUI, type, 1420 * version, mcast cipher, and 2 selector counts. 1421 * Other, variable-length data, must be checked separately. 1422 */ 1423 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1424 IEEE80211_DISCARD_IE(ic, 1425 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1426 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1427 return IEEE80211_REASON_IE_INVALID; 1428 } 1429 if (len < 14) { 1430 IEEE80211_DISCARD_IE(ic, 1431 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1432 wh, "WPA", "too short, len %u", len); 1433 return IEEE80211_REASON_IE_INVALID; 1434 } 1435 frm += 6, len -= 4; /* NB: len is payload only */ 1436 /* NB: iswapoui already validated the OUI and type */ 1437 w = LE_READ_2(frm); 1438 if (w != WPA_VERSION) { 1439 IEEE80211_DISCARD_IE(ic, 1440 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1441 wh, "WPA", "bad version %u", w); 1442 return IEEE80211_REASON_IE_INVALID; 1443 } 1444 frm += 2, len -= 2; 1445 1446 /* multicast/group cipher */ 1447 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1448 if (w != rsn->rsn_mcastcipher) { 1449 IEEE80211_DISCARD_IE(ic, 1450 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1451 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1452 w, rsn->rsn_mcastcipher); 1453 return IEEE80211_REASON_IE_INVALID; 1454 } 1455 frm += 4, len -= 4; 1456 1457 /* unicast ciphers */ 1458 n = LE_READ_2(frm); 1459 frm += 2, len -= 2; 1460 if (len < n*4+2) { 1461 IEEE80211_DISCARD_IE(ic, 1462 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1463 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1464 len, n); 1465 return IEEE80211_REASON_IE_INVALID; 1466 } 1467 w = 0; 1468 for (; n > 0; n--) { 1469 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1470 frm += 4, len -= 4; 1471 } 1472 w &= rsn->rsn_ucastcipherset; 1473 if (w == 0) { 1474 IEEE80211_DISCARD_IE(ic, 1475 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1476 wh, "WPA", "%s", "ucast cipher set empty"); 1477 return IEEE80211_REASON_IE_INVALID; 1478 } 1479 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1480 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1481 else 1482 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1483 1484 /* key management algorithms */ 1485 n = LE_READ_2(frm); 1486 frm += 2, len -= 2; 1487 if (len < n*4) { 1488 IEEE80211_DISCARD_IE(ic, 1489 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1490 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1491 len, n); 1492 return IEEE80211_REASON_IE_INVALID; 1493 } 1494 w = 0; 1495 for (; n > 0; n--) { 1496 w |= wpa_keymgmt(frm); 1497 frm += 4, len -= 4; 1498 } 1499 w &= rsn->rsn_keymgmtset; 1500 if (w == 0) { 1501 IEEE80211_DISCARD_IE(ic, 1502 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1503 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1504 return IEEE80211_REASON_IE_INVALID; 1505 } 1506 if (w & WPA_ASE_8021X_UNSPEC) 1507 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1508 else 1509 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1510 1511 if (len > 2) /* optional capabilities */ 1512 rsn->rsn_caps = LE_READ_2(frm); 1513 1514 return 0; 1515 } 1516 1517 /* 1518 * Convert an RSN cipher selector OUI to an internal 1519 * cipher algorithm. Where appropriate we also 1520 * record any key length. 1521 */ 1522 static int 1523 rsn_cipher(uint8_t *sel, uint8_t *keylen) 1524 { 1525 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1526 uint32_t w = LE_READ_4(sel); 1527 1528 switch (w) { 1529 case RSN_SEL(RSN_CSE_NULL): 1530 return IEEE80211_CIPHER_NONE; 1531 case RSN_SEL(RSN_CSE_WEP40): 1532 if (keylen) 1533 *keylen = 40 / NBBY; 1534 return IEEE80211_CIPHER_WEP; 1535 case RSN_SEL(RSN_CSE_WEP104): 1536 if (keylen) 1537 *keylen = 104 / NBBY; 1538 return IEEE80211_CIPHER_WEP; 1539 case RSN_SEL(RSN_CSE_TKIP): 1540 return IEEE80211_CIPHER_TKIP; 1541 case RSN_SEL(RSN_CSE_CCMP): 1542 return IEEE80211_CIPHER_AES_CCM; 1543 case RSN_SEL(RSN_CSE_WRAP): 1544 return IEEE80211_CIPHER_AES_OCB; 1545 } 1546 return 32; /* NB: so 1<< is discarded */ 1547 #undef WPA_SEL 1548 } 1549 1550 /* 1551 * Convert an RSN key management/authentication algorithm 1552 * to an internal code. 1553 */ 1554 static int 1555 rsn_keymgmt(uint8_t *sel) 1556 { 1557 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1558 uint32_t w = LE_READ_4(sel); 1559 1560 switch (w) { 1561 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1562 return RSN_ASE_8021X_UNSPEC; 1563 case RSN_SEL(RSN_ASE_8021X_PSK): 1564 return RSN_ASE_8021X_PSK; 1565 case RSN_SEL(RSN_ASE_NONE): 1566 return RSN_ASE_NONE; 1567 } 1568 return 0; /* NB: so is discarded */ 1569 #undef RSN_SEL 1570 } 1571 1572 /* 1573 * Parse a WPA/RSN information element to collect parameters 1574 * and validate the parameters against what has been 1575 * configured for the system. 1576 */ 1577 static int 1578 ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm, 1579 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1580 { 1581 uint8_t len = frm[1]; 1582 uint32_t w; 1583 int n; 1584 1585 /* 1586 * Check the length once for fixed parts: 1587 * version, mcast cipher, and 2 selector counts. 1588 * Other, variable-length data, must be checked separately. 1589 */ 1590 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1591 IEEE80211_DISCARD_IE(ic, 1592 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1593 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1594 return IEEE80211_REASON_IE_INVALID; 1595 } 1596 if (len < 10) { 1597 IEEE80211_DISCARD_IE(ic, 1598 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1599 wh, "RSN", "too short, len %u", len); 1600 return IEEE80211_REASON_IE_INVALID; 1601 } 1602 frm += 2; 1603 w = LE_READ_2(frm); 1604 if (w != RSN_VERSION) { 1605 IEEE80211_DISCARD_IE(ic, 1606 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1607 wh, "RSN", "bad version %u", w); 1608 return IEEE80211_REASON_IE_INVALID; 1609 } 1610 frm += 2, len -= 2; 1611 1612 /* multicast/group cipher */ 1613 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1614 if (w != rsn->rsn_mcastcipher) { 1615 IEEE80211_DISCARD_IE(ic, 1616 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1617 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1618 w, rsn->rsn_mcastcipher); 1619 return IEEE80211_REASON_IE_INVALID; 1620 } 1621 frm += 4, len -= 4; 1622 1623 /* unicast ciphers */ 1624 n = LE_READ_2(frm); 1625 frm += 2, len -= 2; 1626 if (len < n*4+2) { 1627 IEEE80211_DISCARD_IE(ic, 1628 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1629 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1630 len, n); 1631 return IEEE80211_REASON_IE_INVALID; 1632 } 1633 w = 0; 1634 for (; n > 0; n--) { 1635 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1636 frm += 4, len -= 4; 1637 } 1638 w &= rsn->rsn_ucastcipherset; 1639 if (w == 0) { 1640 IEEE80211_DISCARD_IE(ic, 1641 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1642 wh, "RSN", "%s", "ucast cipher set empty"); 1643 return IEEE80211_REASON_IE_INVALID; 1644 } 1645 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1646 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1647 else 1648 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1649 1650 /* key management algorithms */ 1651 n = LE_READ_2(frm); 1652 frm += 2, len -= 2; 1653 if (len < n*4) { 1654 IEEE80211_DISCARD_IE(ic, 1655 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1656 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1657 len, n); 1658 return IEEE80211_REASON_IE_INVALID; 1659 } 1660 w = 0; 1661 for (; n > 0; n--) { 1662 w |= rsn_keymgmt(frm); 1663 frm += 4, len -= 4; 1664 } 1665 w &= rsn->rsn_keymgmtset; 1666 if (w == 0) { 1667 IEEE80211_DISCARD_IE(ic, 1668 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1669 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1670 return IEEE80211_REASON_IE_INVALID; 1671 } 1672 if (w & RSN_ASE_8021X_UNSPEC) 1673 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1674 else 1675 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1676 1677 /* optional RSN capabilities */ 1678 if (len > 2) 1679 rsn->rsn_caps = LE_READ_2(frm); 1680 /* XXXPMKID */ 1681 1682 return 0; 1683 } 1684 1685 static int 1686 ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm, 1687 const struct ieee80211_frame *wh) 1688 { 1689 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1690 struct ieee80211_wme_state *wme = &ic->ic_wme; 1691 u_int len = frm[1], qosinfo; 1692 int i; 1693 1694 if (len < sizeof(struct ieee80211_wme_param)-2) { 1695 IEEE80211_DISCARD_IE(ic, 1696 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1697 wh, "WME", "too short, len %u", len); 1698 return -1; 1699 } 1700 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1701 qosinfo &= WME_QOSINFO_COUNT; 1702 /* XXX do proper check for wraparound */ 1703 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1704 return 0; 1705 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1706 for (i = 0; i < WME_NUM_AC; i++) { 1707 struct wmeParams *wmep = 1708 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1709 /* NB: ACI not used */ 1710 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1711 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1712 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1713 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1714 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1715 frm += 4; 1716 } 1717 wme->wme_wmeChanParams.cap_info = qosinfo; 1718 return 1; 1719 #undef MS 1720 } 1721 1722 void 1723 ieee80211_saveie(uint8_t **iep, const uint8_t *ie) 1724 { 1725 u_int ielen = ie[1]+2; 1726 /* 1727 * Record information element for later use. 1728 */ 1729 if (*iep == NULL || (*iep)[1] != ie[1]) { 1730 if (*iep != NULL) 1731 FREE(*iep, M_DEVBUF); 1732 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1733 } 1734 if (*iep != NULL) 1735 memcpy(*iep, ie, ielen); 1736 /* XXX note failure */ 1737 } 1738 1739 /* XXX find a better place for definition */ 1740 struct l2_update_frame { 1741 struct ether_header eh; 1742 uint8_t dsap; 1743 uint8_t ssap; 1744 uint8_t control; 1745 uint8_t xid[3]; 1746 } __packed; 1747 1748 /* 1749 * Deliver a TGf L2UF frame on behalf of a station. 1750 * This primes any bridge when the station is roaming 1751 * between ap's on the same wired network. 1752 */ 1753 static void 1754 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1755 { 1756 struct ieee80211com *ic = ni->ni_ic; 1757 struct ifnet *ifp = ic->ic_ifp; 1758 struct mbuf *m; 1759 struct l2_update_frame *l2uf; 1760 struct ether_header *eh; 1761 1762 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1763 if (m == NULL) { 1764 IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni, 1765 "%s", "no mbuf for l2uf frame"); 1766 ic->ic_stats.is_rx_nobuf++; /* XXX not right */ 1767 return; 1768 } 1769 l2uf = mtod(m, struct l2_update_frame *); 1770 eh = &l2uf->eh; 1771 /* dst: Broadcast address */ 1772 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1773 /* src: associated STA */ 1774 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1775 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1776 1777 l2uf->dsap = 0; 1778 l2uf->ssap = 0; 1779 l2uf->control = 0xf5; 1780 l2uf->xid[0] = 0x81; 1781 l2uf->xid[1] = 0x80; 1782 l2uf->xid[2] = 0x00; 1783 1784 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1785 m->m_pkthdr.rcvif = ifp; 1786 ieee80211_deliver_data(ic, ni, m); 1787 } 1788 1789 void 1790 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1791 struct ieee80211_node *ni, 1792 int subtype, int rssi, uint32_t rstamp) 1793 { 1794 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1795 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1796 struct ieee80211_frame *wh; 1797 uint8_t *frm, *efrm; 1798 uint8_t *ssid, *rates, *xrates, *wpa, *wme; 1799 int reassoc, resp; 1800 uint8_t rate; 1801 1802 wh = mtod(m0, struct ieee80211_frame *); 1803 frm = (uint8_t *)&wh[1]; 1804 efrm = mtod(m0, uint8_t *) + m0->m_len; 1805 switch (subtype) { 1806 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1807 case IEEE80211_FC0_SUBTYPE_BEACON: { 1808 struct ieee80211_scanparams scan; 1809 1810 /* 1811 * We process beacon/probe response frames: 1812 * o when scanning, or 1813 * o station mode when associated (to collect state 1814 * updates such as 802.11g slot time), or 1815 * o adhoc mode (to discover neighbors) 1816 * Frames otherwise received are discarded. 1817 */ 1818 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1819 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1820 ic->ic_opmode == IEEE80211_M_IBSS)) { 1821 ic->ic_stats.is_rx_mgtdiscard++; 1822 return; 1823 } 1824 /* 1825 * beacon/probe response frame format 1826 * [8] time stamp 1827 * [2] beacon interval 1828 * [2] capability information 1829 * [tlv] ssid 1830 * [tlv] supported rates 1831 * [tlv] country information 1832 * [tlv] parameter set (FH/DS) 1833 * [tlv] erp information 1834 * [tlv] extended supported rates 1835 * [tlv] WME 1836 * [tlv] WPA or RSN 1837 */ 1838 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1839 memset(&scan, 0, sizeof(scan)); 1840 scan.tstamp = frm; frm += 8; 1841 scan.bintval = le16toh(*(uint16_t *)frm); frm += 2; 1842 scan.capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1843 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1844 scan.chan = scan.bchan; 1845 1846 while (efrm - frm > 1) { 1847 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 1848 switch (*frm) { 1849 case IEEE80211_ELEMID_SSID: 1850 scan.ssid = frm; 1851 break; 1852 case IEEE80211_ELEMID_RATES: 1853 scan.rates = frm; 1854 break; 1855 case IEEE80211_ELEMID_COUNTRY: 1856 scan.country = frm; 1857 break; 1858 case IEEE80211_ELEMID_FHPARMS: 1859 if (ic->ic_phytype == IEEE80211_T_FH) { 1860 scan.fhdwell = LE_READ_2(&frm[2]); 1861 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1862 scan.fhindex = frm[6]; 1863 } 1864 break; 1865 case IEEE80211_ELEMID_DSPARMS: 1866 /* 1867 * XXX hack this since depending on phytype 1868 * is problematic for multi-mode devices. 1869 */ 1870 if (ic->ic_phytype != IEEE80211_T_FH) 1871 scan.chan = frm[2]; 1872 break; 1873 case IEEE80211_ELEMID_TIM: 1874 /* XXX ATIM? */ 1875 scan.tim = frm; 1876 scan.timoff = frm - mtod(m0, uint8_t *); 1877 break; 1878 case IEEE80211_ELEMID_IBSSPARMS: 1879 break; 1880 case IEEE80211_ELEMID_XRATES: 1881 scan.xrates = frm; 1882 break; 1883 case IEEE80211_ELEMID_ERP: 1884 if (frm[1] != 1) { 1885 IEEE80211_DISCARD_IE(ic, 1886 IEEE80211_MSG_ELEMID, wh, "ERP", 1887 "bad len %u", frm[1]); 1888 ic->ic_stats.is_rx_elem_toobig++; 1889 break; 1890 } 1891 scan.erp = frm[2]; 1892 break; 1893 case IEEE80211_ELEMID_RSN: 1894 scan.wpa = frm; 1895 break; 1896 case IEEE80211_ELEMID_VENDOR: 1897 if (iswpaoui(frm)) 1898 scan.wpa = frm; 1899 else if (iswmeparam(frm) || iswmeinfo(frm)) 1900 scan.wme = frm; 1901 /* XXX Atheros OUI support */ 1902 break; 1903 default: 1904 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1905 wh, "unhandled", 1906 "id %u, len %u", *frm, frm[1]); 1907 ic->ic_stats.is_rx_elem_unknown++; 1908 break; 1909 } 1910 frm += frm[1] + 2; 1911 } 1912 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1913 if (scan.xrates != NULL) { 1914 IEEE80211_VERIFY_ELEMENT(scan.xrates, 1915 IEEE80211_RATE_MAXSIZE - scan.rates[1]); 1916 } 1917 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1918 if ( 1919 #if IEEE80211_CHAN_MAX < 255 1920 scan.chan > IEEE80211_CHAN_MAX || 1921 #endif 1922 isclr(ic->ic_chan_active, scan.chan)) { 1923 IEEE80211_DISCARD(ic, 1924 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1925 wh, ieee80211_mgt_subtype_name[subtype >> 1926 IEEE80211_FC0_SUBTYPE_SHIFT], 1927 "invalid channel %u", scan.chan); 1928 ic->ic_stats.is_rx_badchan++; 1929 return; 1930 } 1931 if (scan.chan != scan.bchan && 1932 ic->ic_phytype != IEEE80211_T_FH) { 1933 /* 1934 * Frame was received on a channel different from the 1935 * one indicated in the DS params element id; 1936 * silently discard it. 1937 * 1938 * NB: this can happen due to signal leakage. 1939 * But we should take it for FH phy because 1940 * the rssi value should be correct even for 1941 * different hop pattern in FH. 1942 */ 1943 IEEE80211_DISCARD(ic, 1944 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1945 wh, ieee80211_mgt_subtype_name[subtype >> 1946 IEEE80211_FC0_SUBTYPE_SHIFT], 1947 "for off-channel %u", scan.chan); 1948 ic->ic_stats.is_rx_chanmismatch++; 1949 return; 1950 } 1951 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 1952 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 1953 IEEE80211_DISCARD(ic, 1954 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1955 wh, ieee80211_mgt_subtype_name[subtype >> 1956 IEEE80211_FC0_SUBTYPE_SHIFT], 1957 "bogus beacon interval", scan.bintval); 1958 ic->ic_stats.is_rx_badbintval++; 1959 return; 1960 } 1961 1962 /* 1963 * Count frame now that we know it's to be processed. 1964 */ 1965 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1966 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1967 IEEE80211_NODE_STAT(ni, rx_beacons); 1968 } else 1969 IEEE80211_NODE_STAT(ni, rx_proberesp); 1970 1971 /* 1972 * When operating in station mode, check for state updates. 1973 * Be careful to ignore beacons received while doing a 1974 * background scan. We consider only 11g/WMM stuff right now. 1975 */ 1976 if (ic->ic_opmode == IEEE80211_M_STA && 1977 ni->ni_associd != 0 && 1978 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1979 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1980 int update_shpreamble = 0; 1981 1982 /* record tsf of last beacon */ 1983 memcpy(ni->ni_tstamp.data, scan.tstamp, 1984 sizeof(ni->ni_tstamp)); 1985 /* count beacon frame for s/w bmiss handling */ 1986 ic->ic_swbmiss_count++; 1987 ic->ic_bmiss_count = 0; 1988 if (ni->ni_erp != scan.erp) { 1989 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1990 "[%6D] erp change: was 0x%x, now 0x%x\n", 1991 wh->i_addr2, ":", ni->ni_erp, scan.erp); 1992 if (ic->ic_curmode == IEEE80211_MODE_11G && 1993 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1994 ic->ic_flags |= IEEE80211_F_USEPROT; 1995 else 1996 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1997 1998 if ((ni->ni_erp ^ scan.erp) & IEEE80211_ERP_LONG_PREAMBLE) 1999 update_shpreamble = 1; 2000 2001 ni->ni_erp = scan.erp; 2002 /* XXX statistic */ 2003 } 2004 if (ni->ni_capinfo != scan.capinfo) { 2005 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2006 "[%6D] capabilities change: before 0x%x," 2007 " now 0x%x\n", 2008 wh->i_addr2, ":", 2009 ni->ni_capinfo, scan.capinfo); 2010 2011 if ((ni->ni_capinfo ^ scan.capinfo) & 2012 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2013 ieee80211_set_shortslottime(ic, 2014 ic->ic_curmode == IEEE80211_MODE_11A || 2015 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2016 } 2017 2018 if ((ni->ni_capinfo ^ scan.capinfo) & 2019 IEEE80211_CAPINFO_SHORT_PREAMBLE) 2020 update_shpreamble = 1; 2021 2022 ni->ni_capinfo = scan.capinfo; 2023 /* XXX statistic */ 2024 } 2025 2026 if (update_shpreamble) 2027 ieee80211_update_shpreamble(ic, ni); 2028 2029 if (scan.wme != NULL && 2030 (ni->ni_flags & IEEE80211_NODE_QOS) && 2031 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2032 ieee80211_wme_updateparams(ic); 2033 if (scan.tim != NULL) { 2034 struct ieee80211_tim_ie *ie = 2035 (struct ieee80211_tim_ie *) scan.tim; 2036 2037 ni->ni_dtim_count = ie->tim_count; 2038 ni->ni_dtim_period = ie->tim_period; 2039 } 2040 if (ic->ic_flags & IEEE80211_F_SCAN) 2041 ieee80211_add_scan(ic, &scan, wh, 2042 subtype, rssi, rstamp); 2043 return; 2044 } 2045 /* 2046 * If scanning, just pass information to the scan module. 2047 */ 2048 if (ic->ic_flags & IEEE80211_F_SCAN) { 2049 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2050 /* 2051 * Actively scanning a channel marked passive; 2052 * send a probe request now that we know there 2053 * is 802.11 traffic present. 2054 * 2055 * XXX check if the beacon we recv'd gives 2056 * us what we need and suppress the probe req 2057 */ 2058 ieee80211_probe_curchan(ic, 1); 2059 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2060 } 2061 ieee80211_add_scan(ic, &scan, wh, 2062 subtype, rssi, rstamp); 2063 return; 2064 } 2065 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 2066 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2067 /* 2068 * Create a new entry in the neighbor table. 2069 */ 2070 ni = ieee80211_add_neighbor(ic, wh, &scan); 2071 } else if (ni->ni_capinfo == 0) { 2072 /* 2073 * Update faked node created on transmit. 2074 * Note this also updates the tsf. 2075 */ 2076 ieee80211_init_neighbor(ni, wh, &scan); 2077 } else { 2078 /* 2079 * Record tsf for potential resync. 2080 */ 2081 memcpy(ni->ni_tstamp.data, scan.tstamp, 2082 sizeof(ni->ni_tstamp)); 2083 } 2084 if (ni != NULL) { 2085 ni->ni_rssi = rssi; 2086 ni->ni_rstamp = rstamp; 2087 } 2088 } 2089 break; 2090 } 2091 2092 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 2093 int is_tmpnode; 2094 2095 if (ic->ic_opmode == IEEE80211_M_STA || 2096 ic->ic_state != IEEE80211_S_RUN) { 2097 ic->ic_stats.is_rx_mgtdiscard++; 2098 return; 2099 } 2100 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2101 /* frame must be directed */ 2102 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2103 return; 2104 } 2105 2106 /* 2107 * prreq frame format 2108 * [tlv] ssid 2109 * [tlv] supported rates 2110 * [tlv] extended supported rates 2111 */ 2112 ssid = rates = xrates = NULL; 2113 while (efrm - frm > 1) { 2114 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2115 switch (*frm) { 2116 case IEEE80211_ELEMID_SSID: 2117 ssid = frm; 2118 break; 2119 case IEEE80211_ELEMID_RATES: 2120 rates = frm; 2121 break; 2122 case IEEE80211_ELEMID_XRATES: 2123 xrates = frm; 2124 break; 2125 } 2126 frm += frm[1] + 2; 2127 } 2128 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2129 if (xrates != NULL) { 2130 IEEE80211_VERIFY_ELEMENT(xrates, 2131 IEEE80211_RATE_MAXSIZE - rates[1]); 2132 } 2133 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2134 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2135 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2136 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2137 wh, ieee80211_mgt_subtype_name[subtype >> 2138 IEEE80211_FC0_SUBTYPE_SHIFT], 2139 "%s", "no ssid with ssid suppression enabled"); 2140 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2141 return; 2142 } 2143 2144 is_tmpnode = 0; 2145 if (ni == ic->ic_bss) { 2146 if (ic->ic_opmode != IEEE80211_M_IBSS) { 2147 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2148 is_tmpnode = 1; 2149 } else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2150 /* 2151 * XXX Cannot tell if the sender is operating 2152 * in ibss mode. But we need a new node to 2153 * send the response so blindly add them to the 2154 * neighbor table. 2155 */ 2156 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2157 wh->i_addr2); 2158 } 2159 if (ni == NULL) 2160 return; 2161 } 2162 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2163 "[%6D] recv probe req\n", wh->i_addr2, ":"); 2164 ni->ni_rssi = rssi; 2165 ni->ni_rstamp = rstamp; 2166 2167 /* 2168 * Since temporary node's rate set will not be used, 2169 * there is no need to do rate negotiation for it. 2170 */ 2171 if (!is_tmpnode) { 2172 ieee80211_setup_rates(ni, rates, xrates, 2173 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2174 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 0); 2175 } 2176 2177 IEEE80211_SEND_MGMT(ic, ni, 2178 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2179 if (is_tmpnode) { 2180 /* 2181 * Temporary node created just to send a 2182 * response, reclaim immediately. 2183 */ 2184 ieee80211_free_node(ni); 2185 } 2186 break; 2187 } 2188 2189 case IEEE80211_FC0_SUBTYPE_AUTH: { 2190 uint16_t algo, seq, status; 2191 /* 2192 * auth frame format 2193 * [2] algorithm 2194 * [2] sequence 2195 * [2] status 2196 * [tlv*] challenge 2197 */ 2198 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2199 algo = le16toh(*(uint16_t *)frm); 2200 seq = le16toh(*(uint16_t *)(frm + 2)); 2201 status = le16toh(*(uint16_t *)(frm + 4)); 2202 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2203 "[%6D] recv auth frame with algorithm %d seq %d\n", 2204 wh->i_addr2, ":", algo, seq); 2205 /* 2206 * Consult the ACL policy module if setup. 2207 */ 2208 if (ic->ic_acl != NULL && 2209 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2210 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2211 wh, "auth", "%s", "disallowed by ACL"); 2212 ic->ic_stats.is_rx_acl++; 2213 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2214 IEEE80211_SEND_MGMT(ic, ni, 2215 IEEE80211_FC0_SUBTYPE_AUTH, 2216 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2217 } 2218 return; 2219 } 2220 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2221 IEEE80211_DISCARD(ic, 2222 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2223 wh, "auth", "%s", "TKIP countermeasures enabled"); 2224 ic->ic_stats.is_rx_auth_countermeasures++; 2225 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2226 IEEE80211_SEND_MGMT(ic, ni, 2227 IEEE80211_FC0_SUBTYPE_AUTH, 2228 IEEE80211_REASON_MIC_FAILURE); 2229 } 2230 return; 2231 } 2232 if (algo == IEEE80211_AUTH_ALG_SHARED) 2233 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2234 rstamp, seq, status); 2235 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2236 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2237 status); 2238 else { 2239 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2240 wh, "auth", "unsupported alg %d", algo); 2241 ic->ic_stats.is_rx_auth_unsupported++; 2242 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2243 /* XXX not right */ 2244 IEEE80211_SEND_MGMT(ic, ni, 2245 IEEE80211_FC0_SUBTYPE_AUTH, 2246 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2247 } 2248 return; 2249 } 2250 break; 2251 } 2252 2253 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2254 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2255 uint16_t capinfo, lintval; 2256 struct ieee80211_rsnparms rsn; 2257 uint8_t reason; 2258 2259 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2260 ic->ic_state != IEEE80211_S_RUN) { 2261 ic->ic_stats.is_rx_mgtdiscard++; 2262 return; 2263 } 2264 2265 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2266 reassoc = 1; 2267 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2268 } else { 2269 reassoc = 0; 2270 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2271 } 2272 /* 2273 * asreq frame format 2274 * [2] capability information 2275 * [2] listen interval 2276 * [6*] current AP address (reassoc only) 2277 * [tlv] ssid 2278 * [tlv] supported rates 2279 * [tlv] extended supported rates 2280 * [tlv] WPA or RSN 2281 */ 2282 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2283 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2284 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2285 wh, ieee80211_mgt_subtype_name[subtype >> 2286 IEEE80211_FC0_SUBTYPE_SHIFT], 2287 "%s", "wrong bssid"); 2288 ic->ic_stats.is_rx_assoc_bss++; 2289 return; 2290 } 2291 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2292 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2293 if (reassoc) 2294 frm += 6; /* ignore current AP info */ 2295 ssid = rates = xrates = wpa = wme = NULL; 2296 while (efrm - frm > 1) { 2297 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2298 switch (*frm) { 2299 case IEEE80211_ELEMID_SSID: 2300 ssid = frm; 2301 break; 2302 case IEEE80211_ELEMID_RATES: 2303 rates = frm; 2304 break; 2305 case IEEE80211_ELEMID_XRATES: 2306 xrates = frm; 2307 break; 2308 /* XXX verify only one of RSN and WPA ie's? */ 2309 case IEEE80211_ELEMID_RSN: 2310 wpa = frm; 2311 break; 2312 case IEEE80211_ELEMID_VENDOR: 2313 if (iswpaoui(frm)) 2314 wpa = frm; 2315 else if (iswmeinfo(frm)) 2316 wme = frm; 2317 /* XXX Atheros OUI support */ 2318 break; 2319 } 2320 frm += frm[1] + 2; 2321 } 2322 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2323 if (xrates != NULL) { 2324 IEEE80211_VERIFY_ELEMENT(xrates, 2325 IEEE80211_RATE_MAXSIZE - rates[1]); 2326 } 2327 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2328 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2329 2330 if (ni == ic->ic_bss) { 2331 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2332 "[%6D] deny %s request, sta not authenticated\n", 2333 wh->i_addr2, ":", reassoc ? "reassoc" : "assoc"); 2334 ieee80211_send_error(ic, ni, wh->i_addr2, 2335 IEEE80211_FC0_SUBTYPE_DEAUTH, 2336 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2337 ic->ic_stats.is_rx_assoc_notauth++; 2338 return; 2339 } 2340 /* assert right associstion security credentials */ 2341 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2342 IEEE80211_DPRINTF(ic, 2343 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2344 "[%6D] no WPA/RSN IE in association request\n", 2345 wh->i_addr2, ":"); 2346 IEEE80211_SEND_MGMT(ic, ni, 2347 IEEE80211_FC0_SUBTYPE_DEAUTH, 2348 IEEE80211_REASON_RSN_REQUIRED); 2349 ieee80211_node_leave(ic, ni); 2350 /* XXX distinguish WPA/RSN? */ 2351 ic->ic_stats.is_rx_assoc_badwpaie++; 2352 return; 2353 } 2354 if (wpa != NULL) { 2355 /* 2356 * Parse WPA information element. Note that 2357 * we initialize the param block from the node 2358 * state so that information in the IE overrides 2359 * our defaults. The resulting parameters are 2360 * installed below after the association is assured. 2361 */ 2362 rsn = ni->ni_rsn; 2363 if (wpa[0] != IEEE80211_ELEMID_RSN) 2364 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2365 else 2366 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2367 if (reason != 0) { 2368 IEEE80211_SEND_MGMT(ic, ni, 2369 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2370 ieee80211_node_leave(ic, ni); 2371 /* XXX distinguish WPA/RSN? */ 2372 ic->ic_stats.is_rx_assoc_badwpaie++; 2373 return; 2374 } 2375 IEEE80211_DPRINTF(ic, 2376 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2377 "[%6D] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2378 wh->i_addr2, ":", 2379 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2380 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2381 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2382 rsn.rsn_keymgmt, rsn.rsn_caps); 2383 } 2384 /* discard challenge after association */ 2385 if (ni->ni_challenge != NULL) { 2386 FREE(ni->ni_challenge, M_DEVBUF); 2387 ni->ni_challenge = NULL; 2388 } 2389 /* NB: 802.11 spec says to ignore station's privacy bit */ 2390 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2391 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2392 "[%6D] deny %s request, capability mismatch 0x%x\n", 2393 wh->i_addr2, ":", 2394 reassoc ? "reassoc" : "assoc", capinfo); 2395 IEEE80211_SEND_MGMT(ic, ni, resp, 2396 IEEE80211_STATUS_CAPINFO); 2397 ieee80211_node_leave(ic, ni); 2398 ic->ic_stats.is_rx_assoc_capmismatch++; 2399 return; 2400 } 2401 rate = ieee80211_setup_rates(ni, rates, xrates, 2402 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2403 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 0); 2404 if (rate & IEEE80211_RATE_BASIC) { 2405 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2406 "[%6D] deny %s request, rate set mismatch\n", 2407 wh->i_addr2, ":", 2408 reassoc ? "reassoc" : "assoc"); 2409 IEEE80211_SEND_MGMT(ic, ni, resp, 2410 IEEE80211_STATUS_BASIC_RATE); 2411 ieee80211_node_leave(ic, ni); 2412 ic->ic_stats.is_rx_assoc_norate++; 2413 return; 2414 } 2415 ni->ni_rssi = rssi; 2416 ni->ni_rstamp = rstamp; 2417 ni->ni_intval = lintval; 2418 ni->ni_capinfo = capinfo; 2419 ni->ni_chan = ic->ic_bss->ni_chan; 2420 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2421 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2422 if (wpa != NULL) { 2423 /* 2424 * Record WPA/RSN parameters for station, mark 2425 * node as using WPA and record information element 2426 * for applications that require it. 2427 */ 2428 ni->ni_rsn = rsn; 2429 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2430 } else if (ni->ni_wpa_ie != NULL) { 2431 /* 2432 * Flush any state from a previous association. 2433 */ 2434 FREE(ni->ni_wpa_ie, M_DEVBUF); 2435 ni->ni_wpa_ie = NULL; 2436 } 2437 if (wme != NULL) { 2438 /* 2439 * Record WME parameters for station, mark node 2440 * as capable of QoS and record information 2441 * element for applications that require it. 2442 */ 2443 ieee80211_saveie(&ni->ni_wme_ie, wme); 2444 ni->ni_flags |= IEEE80211_NODE_QOS; 2445 } else if (ni->ni_wme_ie != NULL) { 2446 /* 2447 * Flush any state from a previous association. 2448 */ 2449 FREE(ni->ni_wme_ie, M_DEVBUF); 2450 ni->ni_wme_ie = NULL; 2451 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2452 } 2453 ieee80211_deliver_l2uf(ni); 2454 ieee80211_node_join(ic, ni, resp); 2455 break; 2456 } 2457 2458 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2459 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2460 uint16_t capinfo, associd; 2461 uint16_t status; 2462 2463 if (ic->ic_opmode != IEEE80211_M_STA || 2464 ic->ic_state != IEEE80211_S_ASSOC) { 2465 ic->ic_stats.is_rx_mgtdiscard++; 2466 return; 2467 } 2468 2469 /* 2470 * asresp frame format 2471 * [2] capability information 2472 * [2] status 2473 * [2] association ID 2474 * [tlv] supported rates 2475 * [tlv] extended supported rates 2476 * [tlv] WME 2477 */ 2478 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2479 ni = ic->ic_bss; 2480 capinfo = le16toh(*(uint16_t *)frm); 2481 frm += 2; 2482 status = le16toh(*(uint16_t *)frm); 2483 frm += 2; 2484 if (status != 0) { 2485 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2486 "[%6D] %sassoc failed (reason %d)\n", 2487 wh->i_addr2, ":", 2488 ISREASSOC(subtype) ? "re" : "", status); 2489 if (ni != ic->ic_bss) /* XXX never true? */ 2490 ni->ni_fails++; 2491 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2492 return; 2493 } 2494 associd = le16toh(*(uint16_t *)frm); 2495 frm += 2; 2496 2497 rates = xrates = wpa = wme = NULL; 2498 while (efrm - frm > 1) { 2499 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2500 switch (*frm) { 2501 case IEEE80211_ELEMID_RATES: 2502 rates = frm; 2503 break; 2504 case IEEE80211_ELEMID_XRATES: 2505 xrates = frm; 2506 break; 2507 case IEEE80211_ELEMID_VENDOR: 2508 if (iswmeoui(frm)) 2509 wme = frm; 2510 /* XXX Atheros OUI support */ 2511 break; 2512 } 2513 frm += frm[1] + 2; 2514 } 2515 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2516 if (xrates != NULL) { 2517 IEEE80211_VERIFY_ELEMENT(xrates, 2518 IEEE80211_RATE_MAXSIZE - rates[1]); 2519 } 2520 2521 rate = ieee80211_setup_rates(ni, rates, xrates, 2522 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2523 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 1); 2524 if (rate & IEEE80211_RATE_BASIC) { 2525 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2526 "[%6D] %sassoc failed (rate set mismatch)\n", 2527 wh->i_addr2, ":", 2528 ISREASSOC(subtype) ? "re" : ""); 2529 if (ni != ic->ic_bss) /* XXX never true? */ 2530 ni->ni_fails++; 2531 ic->ic_stats.is_rx_assoc_norate++; 2532 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2533 return; 2534 } 2535 2536 ni->ni_capinfo = capinfo; 2537 ni->ni_associd = associd; 2538 if (wme != NULL && 2539 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2540 ni->ni_flags |= IEEE80211_NODE_QOS; 2541 ieee80211_wme_updateparams(ic); 2542 } else 2543 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2544 /* 2545 * Configure state now that we are associated. 2546 * 2547 * XXX may need different/additional driver callbacks? 2548 */ 2549 ieee80211_update_shpreamble(ic, ni); 2550 ieee80211_set_shortslottime(ic, 2551 ic->ic_curmode == IEEE80211_MODE_11A || 2552 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2553 /* 2554 * Honor ERP protection. 2555 * 2556 * NB: ni_erp should zero for non-11g operation. 2557 * XXX check ic_curmode anyway? 2558 */ 2559 if (ic->ic_curmode == IEEE80211_MODE_11G && 2560 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2561 ic->ic_flags |= IEEE80211_F_USEPROT; 2562 else 2563 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2564 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2565 "[%6D] %sassoc success: %s preamble, %s slot time%s%s\n", 2566 wh->i_addr2, ":", 2567 ISREASSOC(subtype) ? "re" : "", 2568 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2569 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2570 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2571 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2572 ); 2573 IEEE80211_PRINT_NODERATES(ic, ni, IEEE80211_MSG_ASSOC); 2574 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2575 break; 2576 } 2577 2578 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2579 uint16_t reason; 2580 2581 if (ic->ic_state == IEEE80211_S_SCAN) { 2582 ic->ic_stats.is_rx_mgtdiscard++; 2583 return; 2584 } 2585 /* 2586 * deauth frame format 2587 * [2] reason 2588 */ 2589 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2590 reason = le16toh(*(uint16_t *)frm); 2591 ic->ic_stats.is_rx_deauth++; 2592 IEEE80211_NODE_STAT(ni, rx_deauth); 2593 2594 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2595 /* NB: can happen when in promiscuous mode */ 2596 ic->ic_stats.is_rx_mgtdiscard++; 2597 break; 2598 } 2599 2600 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2601 "[%6D] recv deauthenticate (reason %d)\n", 2602 ni->ni_macaddr, ":", reason); 2603 switch (ic->ic_opmode) { 2604 case IEEE80211_M_STA: 2605 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2606 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2607 break; 2608 case IEEE80211_M_HOSTAP: 2609 if (ni != ic->ic_bss) 2610 ieee80211_node_leave(ic, ni); 2611 break; 2612 default: 2613 ic->ic_stats.is_rx_mgtdiscard++; 2614 break; 2615 } 2616 break; 2617 } 2618 2619 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2620 uint16_t reason; 2621 2622 if (ic->ic_state != IEEE80211_S_RUN && 2623 ic->ic_state != IEEE80211_S_ASSOC && 2624 ic->ic_state != IEEE80211_S_AUTH) { 2625 ic->ic_stats.is_rx_mgtdiscard++; 2626 return; 2627 } 2628 /* 2629 * disassoc frame format 2630 * [2] reason 2631 */ 2632 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2633 reason = le16toh(*(uint16_t *)frm); 2634 ic->ic_stats.is_rx_disassoc++; 2635 IEEE80211_NODE_STAT(ni, rx_disassoc); 2636 2637 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2638 /* NB: can happen when in promiscuous mode */ 2639 ic->ic_stats.is_rx_mgtdiscard++; 2640 break; 2641 } 2642 2643 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2644 "[%6D] recv disassociate (reason %d)\n", 2645 ni->ni_macaddr, ":", reason); 2646 switch (ic->ic_opmode) { 2647 case IEEE80211_M_STA: 2648 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2649 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2650 break; 2651 case IEEE80211_M_HOSTAP: 2652 if (ni != ic->ic_bss) 2653 ieee80211_node_leave(ic, ni); 2654 break; 2655 default: 2656 ic->ic_stats.is_rx_mgtdiscard++; 2657 break; 2658 } 2659 break; 2660 } 2661 default: 2662 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2663 wh, "mgt", "subtype 0x%x not handled", subtype); 2664 ic->ic_stats.is_rx_badsubtype++; 2665 break; 2666 } 2667 #undef ISREASSOC 2668 #undef ISPROBE 2669 } 2670 #undef IEEE80211_VERIFY_LENGTH 2671 #undef IEEE80211_VERIFY_ELEMENT 2672 2673 /* 2674 * Handle station power-save state change. 2675 */ 2676 static void 2677 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2678 { 2679 struct ieee80211com *ic = ni->ni_ic; 2680 struct mbuf *m; 2681 2682 ASSERT_SERIALIZED(ic->ic_ifp->if_serializer); 2683 2684 if (enable) { 2685 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2686 ic->ic_ps_sta++; 2687 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2688 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2689 "[%6D] power save mode on, %u sta's in ps mode\n", 2690 ni->ni_macaddr, ":", ic->ic_ps_sta); 2691 return; 2692 } 2693 2694 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2695 ic->ic_ps_sta--; 2696 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2697 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2698 "[%6D] power save mode off, %u sta's in ps mode\n", 2699 ni->ni_macaddr, ":", ic->ic_ps_sta); 2700 /* XXX if no stations in ps mode, flush mc frames */ 2701 2702 /* 2703 * Flush queued unicast frames. 2704 */ 2705 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2706 if (ic->ic_set_tim != NULL) 2707 ic->ic_set_tim(ni, 0); /* just in case */ 2708 return; 2709 } 2710 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2711 "[%6D] flush ps queue, %u packets queued\n", 2712 ni->ni_macaddr, ":", IEEE80211_NODE_SAVEQ_QLEN(ni)); 2713 for (;;) { 2714 int qlen; 2715 2716 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2717 if (m == NULL) 2718 break; 2719 /* 2720 * If this is the last packet, turn off the TIM bit. 2721 * If there are more packets, set the more packets bit 2722 * in the mbuf so ieee80211_encap will mark the 802.11 2723 * head to indicate more data frames will follow. 2724 */ 2725 if (qlen != 0) 2726 m->m_flags |= M_MORE_DATA; 2727 /* XXX need different driver interface */ 2728 /* XXX bypasses q max */ 2729 /* XXX bypasses ALTQ */ 2730 ifq_enqueue(&ic->ic_ifp->if_snd, m, NULL); 2731 } 2732 if (ic->ic_set_tim != NULL) 2733 ic->ic_set_tim(ni, 0); 2734 } 2735 2736 /* 2737 * Process a received ps-poll frame. 2738 */ 2739 static void 2740 ieee80211_recv_pspoll(struct ieee80211com *ic, 2741 struct ieee80211_node *ni, struct mbuf *m0) 2742 { 2743 struct ieee80211_frame_min *wh; 2744 struct mbuf *m; 2745 uint16_t aid; 2746 int qlen; 2747 2748 ASSERT_SERIALIZED(ic->ic_ifp->if_serializer); 2749 2750 wh = mtod(m0, struct ieee80211_frame_min *); 2751 if (ni->ni_associd == 0) { 2752 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2753 (struct ieee80211_frame *) wh, "ps-poll", 2754 "%s", "unassociated station"); 2755 ic->ic_stats.is_ps_unassoc++; 2756 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2757 IEEE80211_REASON_NOT_ASSOCED); 2758 return; 2759 } 2760 2761 aid = le16toh(*(uint16_t *)wh->i_dur); 2762 if (aid != ni->ni_associd) { 2763 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2764 (struct ieee80211_frame *) wh, "ps-poll", 2765 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2766 ni->ni_associd, aid); 2767 ic->ic_stats.is_ps_badaid++; 2768 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2769 IEEE80211_REASON_NOT_ASSOCED); 2770 return; 2771 } 2772 2773 /* Okay, take the first queued packet and put it out... */ 2774 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2775 if (m == NULL) { 2776 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2777 "[%6D] recv ps-poll, but queue empty\n", 2778 wh->i_addr2, ":"); 2779 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2780 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2781 if (ic->ic_set_tim != NULL) 2782 ic->ic_set_tim(ni, 0); /* just in case */ 2783 return; 2784 } 2785 /* 2786 * If there are more packets, set the more packets bit 2787 * in the packet dispatched to the station; otherwise 2788 * turn off the TIM bit. 2789 */ 2790 if (qlen != 0) { 2791 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2792 "[%6D] recv ps-poll, send packet, %u still queued\n", 2793 ni->ni_macaddr, ":", qlen); 2794 m->m_flags |= M_MORE_DATA; 2795 } else { 2796 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2797 "[%6D] recv ps-poll, send packet, queue empty\n", 2798 ni->ni_macaddr, ":"); 2799 if (ic->ic_set_tim != NULL) 2800 ic->ic_set_tim(ni, 0); 2801 } 2802 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2803 ifq_enqueue(&ic->ic_ifp->if_snd, m, NULL); /* XXX bypasses ALTQ */ 2804 } 2805 2806 #ifdef IEEE80211_DEBUG 2807 /* 2808 * Debugging support. 2809 */ 2810 2811 /* 2812 * Return the bssid of a frame. 2813 */ 2814 static const uint8_t * 2815 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2816 { 2817 if (ic->ic_opmode == IEEE80211_M_STA) 2818 return wh->i_addr2; 2819 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2820 return wh->i_addr1; 2821 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2822 return wh->i_addr1; 2823 return wh->i_addr3; 2824 } 2825 2826 void 2827 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2828 { 2829 char buf[128]; /* XXX */ 2830 __va_list ap; 2831 2832 __va_start(ap, fmt); 2833 kvsnprintf(buf, sizeof(buf), fmt, ap); 2834 __va_end(ap); 2835 2836 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2837 } 2838 2839 void 2840 ieee80211_note_frame(struct ieee80211com *ic, 2841 const struct ieee80211_frame *wh, 2842 const char *fmt, ...) 2843 { 2844 char buf[128]; /* XXX */ 2845 __va_list ap; 2846 2847 __va_start(ap, fmt); 2848 kvsnprintf(buf, sizeof(buf), fmt, ap); 2849 __va_end(ap); 2850 if_printf(ic->ic_ifp, "[%6D] %s\n", 2851 ieee80211_getbssid(ic, wh), ":", buf); 2852 } 2853 2854 void 2855 ieee80211_note_mac(struct ieee80211com *ic, 2856 const uint8_t mac[IEEE80211_ADDR_LEN], 2857 const char *fmt, ...) 2858 { 2859 char buf[128]; /* XXX */ 2860 __va_list ap; 2861 2862 __va_start(ap, fmt); 2863 kvsnprintf(buf, sizeof(buf), fmt, ap); 2864 __va_end(ap); 2865 if_printf(ic->ic_ifp, "[%6D] %s\n", mac, ":", buf); 2866 } 2867 2868 static void 2869 ieee80211_discard_frame(struct ieee80211com *ic, 2870 const struct ieee80211_frame *wh, 2871 const char *type, const char *fmt, ...) 2872 { 2873 __va_list ap; 2874 2875 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, 2876 ieee80211_getbssid(ic, wh), ":"); 2877 if (type != NULL) 2878 kprintf("%s frame, ", type); 2879 else 2880 kprintf("frame, "); 2881 __va_start(ap, fmt); 2882 kvprintf(fmt, ap); 2883 __va_end(ap); 2884 kprintf("\n"); 2885 } 2886 2887 static void 2888 ieee80211_discard_ie(struct ieee80211com *ic, 2889 const struct ieee80211_frame *wh, 2890 const char *type, const char *fmt, ...) 2891 { 2892 __va_list ap; 2893 2894 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, 2895 ieee80211_getbssid(ic, wh), ":"); 2896 if (type != NULL) 2897 kprintf("%s information element, ", type); 2898 else 2899 kprintf("information element, "); 2900 __va_start(ap, fmt); 2901 kvprintf(fmt, ap); 2902 __va_end(ap); 2903 kprintf("\n"); 2904 } 2905 2906 static void 2907 ieee80211_discard_mac(struct ieee80211com *ic, 2908 const uint8_t mac[IEEE80211_ADDR_LEN], 2909 const char *type, const char *fmt, ...) 2910 { 2911 __va_list ap; 2912 2913 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, mac, ":"); 2914 if (type != NULL) 2915 kprintf("%s frame, ", type); 2916 else 2917 kprintf("frame, "); 2918 __va_start(ap, fmt); 2919 kvprintf(fmt, ap); 2920 __va_end(ap); 2921 kprintf("\n"); 2922 } 2923 #endif /* IEEE80211_DEBUG */ 2924