1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/mbuf.h> 33 #include <sys/malloc.h> 34 #include <sys/endian.h> 35 #include <sys/kernel.h> 36 37 #include <sys/socket.h> 38 39 #include <net/if.h> 40 #include <net/if_media.h> 41 #include <net/ethernet.h> 42 #include <net/if_llc.h> 43 #include <net/if_vlan_var.h> 44 45 #include <net80211/ieee80211_var.h> 46 47 #include <net/bpf.h> 48 49 #ifdef IEEE80211_DEBUG 50 #include <machine/stdarg.h> 51 52 /* 53 * Decide if a received management frame should be 54 * printed when debugging is enabled. This filters some 55 * of the less interesting frames that come frequently 56 * (e.g. beacons). 57 */ 58 static __inline int 59 doprint(struct ieee80211com *ic, int subtype) 60 { 61 switch (subtype) { 62 case IEEE80211_FC0_SUBTYPE_BEACON: 63 return (ic->ic_flags & IEEE80211_F_SCAN); 64 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 65 return (ic->ic_opmode == IEEE80211_M_IBSS); 66 } 67 return 1; 68 } 69 70 static const uint8_t *ieee80211_getbssid(struct ieee80211com *, 71 const struct ieee80211_frame *); 72 #endif /* IEEE80211_DEBUG */ 73 74 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 75 struct ieee80211_node *, struct mbuf *, int); 76 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 77 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 78 const uint8_t *mac, int subtype, int arg); 79 static struct mbuf *ieee80211_decap_fastframe(struct ieee80211com *, 80 struct ieee80211_node *, struct mbuf *); 81 static void ieee80211_recv_pspoll(struct ieee80211com *, 82 struct ieee80211_node *, struct mbuf *); 83 84 /* 85 * Process a received frame. The node associated with the sender 86 * should be supplied. If nothing was found in the node table then 87 * the caller is assumed to supply a reference to ic_bss instead. 88 * The RSSI and a timestamp are also supplied. The RSSI data is used 89 * during AP scanning to select a AP to associate with; it can have 90 * any units so long as values have consistent units and higher values 91 * mean ``better signal''. The receive timestamp is currently not used 92 * by the 802.11 layer. 93 */ 94 int 95 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 96 struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp) 97 { 98 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 99 #define HAS_SEQ(type) ((type & 0x4) == 0) 100 struct ifnet *ifp = ic->ic_ifp; 101 struct ieee80211_frame *wh; 102 struct ieee80211_key *key; 103 struct ether_header *eh; 104 int hdrspace, need_tap; 105 uint8_t dir, type, subtype, qos; 106 uint8_t *bssid; 107 uint16_t rxseq; 108 109 if (m->m_flags & M_AMPDU) { 110 /* 111 * Fastpath for A-MPDU reorder q resubmission. Frames 112 * w/ M_AMPDU marked have already passed through here 113 * but were received out of order and been held on the 114 * reorder queue. When resubmitted they are marked 115 * with the M_AMPDU flag and we can bypass most of the 116 * normal processing. 117 */ 118 wh = mtod(m, struct ieee80211_frame *); 119 type = IEEE80211_FC0_TYPE_DATA; 120 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 121 subtype = IEEE80211_FC0_SUBTYPE_QOS; 122 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 123 need_tap = 0; 124 goto resubmit_ampdu; 125 } 126 127 KASSERT(ni != NULL, ("null node")); 128 ni->ni_inact = ni->ni_inact_reload; 129 130 need_tap = 1; /* mbuf need to be tapped. */ 131 type = -1; /* undefined */ 132 /* 133 * In monitor mode, send everything directly to bpf. 134 * XXX may want to include the CRC 135 */ 136 if (ic->ic_opmode == IEEE80211_M_MONITOR) 137 goto out; 138 139 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 140 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 141 ni->ni_macaddr, NULL, 142 "too short (1): len %u", m->m_pkthdr.len); 143 ic->ic_stats.is_rx_tooshort++; 144 goto out; 145 } 146 /* 147 * Bit of a cheat here, we use a pointer for a 3-address 148 * frame format but don't reference fields past outside 149 * ieee80211_frame_min w/o first validating the data is 150 * present. 151 */ 152 wh = mtod(m, struct ieee80211_frame *); 153 154 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 155 IEEE80211_FC0_VERSION_0) { 156 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 157 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 158 ic->ic_stats.is_rx_badversion++; 159 goto err; 160 } 161 162 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 163 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 164 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 165 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 166 switch (ic->ic_opmode) { 167 case IEEE80211_M_STA: 168 bssid = wh->i_addr2; 169 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 170 /* not interested in */ 171 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 172 bssid, NULL, "%s", "not to bss"); 173 ic->ic_stats.is_rx_wrongbss++; 174 goto out; 175 } 176 break; 177 case IEEE80211_M_IBSS: 178 case IEEE80211_M_AHDEMO: 179 case IEEE80211_M_HOSTAP: 180 if (dir != IEEE80211_FC1_DIR_NODS) 181 bssid = wh->i_addr1; 182 else if (type == IEEE80211_FC0_TYPE_CTL) 183 bssid = wh->i_addr1; 184 else { 185 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 186 IEEE80211_DISCARD_MAC(ic, 187 IEEE80211_MSG_ANY, ni->ni_macaddr, 188 NULL, "too short (2): len %u", 189 m->m_pkthdr.len); 190 ic->ic_stats.is_rx_tooshort++; 191 goto out; 192 } 193 bssid = wh->i_addr3; 194 } 195 if (type != IEEE80211_FC0_TYPE_DATA) 196 break; 197 /* 198 * Data frame, validate the bssid. 199 */ 200 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 201 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 202 /* not interested in */ 203 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 204 bssid, NULL, "%s", "not to bss"); 205 ic->ic_stats.is_rx_wrongbss++; 206 goto out; 207 } 208 /* 209 * For adhoc mode we cons up a node when it doesn't 210 * exist. This should probably done after an ACL check. 211 */ 212 if (ni == ic->ic_bss && 213 ic->ic_opmode != IEEE80211_M_HOSTAP && 214 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 215 /* 216 * Fake up a node for this newly 217 * discovered member of the IBSS. 218 */ 219 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 220 wh->i_addr2); 221 if (ni == NULL) { 222 /* NB: stat kept for alloc failure */ 223 goto err; 224 } 225 } 226 break; 227 default: 228 goto out; 229 } 230 ni->ni_rssi = rssi; 231 ni->ni_noise = noise; 232 ni->ni_rstamp = rstamp; 233 if (HAS_SEQ(type)) { 234 uint8_t tid; 235 if (IEEE80211_QOS_HAS_SEQ(wh)) { 236 tid = ((struct ieee80211_qosframe *)wh)-> 237 i_qos[0] & IEEE80211_QOS_TID; 238 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 239 ic->ic_wme.wme_hipri_traffic++; 240 tid++; 241 } else 242 tid = IEEE80211_NONQOS_TID; 243 rxseq = le16toh(*(uint16_t *)wh->i_seq); 244 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 245 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 246 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 247 /* duplicate, discard */ 248 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 249 bssid, "duplicate", 250 "seqno <%u,%u> fragno <%u,%u> tid %u", 251 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 252 ni->ni_rxseqs[tid] >> 253 IEEE80211_SEQ_SEQ_SHIFT, 254 rxseq & IEEE80211_SEQ_FRAG_MASK, 255 ni->ni_rxseqs[tid] & 256 IEEE80211_SEQ_FRAG_MASK, 257 tid); 258 ic->ic_stats.is_rx_dup++; 259 IEEE80211_NODE_STAT(ni, rx_dup); 260 goto out; 261 } 262 ni->ni_rxseqs[tid] = rxseq; 263 } 264 } 265 266 switch (type) { 267 case IEEE80211_FC0_TYPE_DATA: 268 hdrspace = ieee80211_hdrspace(ic, wh); 269 if (m->m_len < hdrspace && 270 (m = m_pullup(m, hdrspace)) == NULL) { 271 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 272 ni->ni_macaddr, NULL, 273 "data too short: expecting %u", hdrspace); 274 ic->ic_stats.is_rx_tooshort++; 275 goto out; /* XXX */ 276 } 277 switch (ic->ic_opmode) { 278 case IEEE80211_M_STA: 279 if (dir != IEEE80211_FC1_DIR_FROMDS) { 280 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 281 wh, "data", "unknown dir 0x%x", dir); 282 ic->ic_stats.is_rx_wrongdir++; 283 goto out; 284 } 285 if ((ifp->if_flags & IFF_SIMPLEX) && 286 IEEE80211_IS_MULTICAST(wh->i_addr1) && 287 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 288 /* 289 * In IEEE802.11 network, multicast packet 290 * sent from me is broadcasted from AP. 291 * It should be silently discarded for 292 * SIMPLEX interface. 293 */ 294 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 295 wh, NULL, "%s", "multicast echo"); 296 ic->ic_stats.is_rx_mcastecho++; 297 goto out; 298 } 299 break; 300 case IEEE80211_M_IBSS: 301 case IEEE80211_M_AHDEMO: 302 if (dir != IEEE80211_FC1_DIR_NODS) { 303 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 304 wh, "data", "unknown dir 0x%x", dir); 305 ic->ic_stats.is_rx_wrongdir++; 306 goto out; 307 } 308 /* XXX no power-save support */ 309 break; 310 case IEEE80211_M_HOSTAP: 311 if (dir != IEEE80211_FC1_DIR_TODS) { 312 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 313 wh, "data", "unknown dir 0x%x", dir); 314 ic->ic_stats.is_rx_wrongdir++; 315 goto out; 316 } 317 /* check if source STA is associated */ 318 if (ni == ic->ic_bss) { 319 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 320 wh, "data", "%s", "unknown src"); 321 ieee80211_send_error(ic, ni, wh->i_addr2, 322 IEEE80211_FC0_SUBTYPE_DEAUTH, 323 IEEE80211_REASON_NOT_AUTHED); 324 ic->ic_stats.is_rx_notassoc++; 325 goto err; 326 } 327 if (ni->ni_associd == 0) { 328 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 329 wh, "data", "%s", "unassoc src"); 330 IEEE80211_SEND_MGMT(ic, ni, 331 IEEE80211_FC0_SUBTYPE_DISASSOC, 332 IEEE80211_REASON_NOT_ASSOCED); 333 ic->ic_stats.is_rx_notassoc++; 334 goto err; 335 } 336 337 /* 338 * Check for power save state change. 339 * XXX out-of-order A-MPDU frames? 340 */ 341 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 342 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 343 ieee80211_node_pwrsave(ni, 344 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 345 break; 346 default: 347 /* XXX here to keep compiler happy */ 348 goto out; 349 } 350 351 /* 352 * Handle A-MPDU re-ordering. The station must be 353 * associated and negotiated HT. The frame must be 354 * a QoS frame (not QoS null data) and not previously 355 * processed for A-MPDU re-ordering. If the frame is 356 * to be processed directly then ieee80211_ampdu_reorder 357 * will return 0; otherwise it has consumed the mbuf 358 * and we should do nothing more with it. 359 */ 360 if ((ni->ni_flags & IEEE80211_NODE_HT) && 361 subtype == IEEE80211_FC0_SUBTYPE_QOS && 362 ieee80211_ampdu_reorder(ni, m) != 0) { 363 m = NULL; 364 goto out; 365 } 366 resubmit_ampdu: 367 368 /* 369 * Handle privacy requirements. Note that we 370 * must not be preempted from here until after 371 * we (potentially) call ieee80211_crypto_demic; 372 * otherwise we may violate assumptions in the 373 * crypto cipher modules used to do delayed update 374 * of replay sequence numbers. 375 */ 376 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 377 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 378 /* 379 * Discard encrypted frames when privacy is off. 380 */ 381 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 382 wh, "WEP", "%s", "PRIVACY off"); 383 ic->ic_stats.is_rx_noprivacy++; 384 IEEE80211_NODE_STAT(ni, rx_noprivacy); 385 goto out; 386 } 387 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 388 if (key == NULL) { 389 /* NB: stats+msgs handled in crypto_decap */ 390 IEEE80211_NODE_STAT(ni, rx_wepfail); 391 goto out; 392 } 393 wh = mtod(m, struct ieee80211_frame *); 394 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 395 } else { 396 key = NULL; 397 } 398 399 /* 400 * Save QoS bits for use below--before we strip the header. 401 */ 402 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 403 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 404 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 405 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 406 } else 407 qos = 0; 408 409 /* 410 * Next up, any fragmentation. 411 */ 412 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 413 m = ieee80211_defrag(ic, ni, m, hdrspace); 414 if (m == NULL) { 415 /* Fragment dropped or frame not complete yet */ 416 goto out; 417 } 418 } 419 wh = NULL; /* no longer valid, catch any uses */ 420 421 /* 422 * Next strip any MSDU crypto bits. 423 */ 424 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 425 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 426 ni->ni_macaddr, "data", "%s", "demic error"); 427 ic->ic_stats.is_rx_demicfail++; 428 IEEE80211_NODE_STAT(ni, rx_demicfail); 429 goto out; 430 } 431 432 /* copy to listener after decrypt */ 433 if (bpf_peers_present(ic->ic_rawbpf)) 434 bpf_mtap(ic->ic_rawbpf, m); 435 need_tap = 0; 436 437 /* 438 * Finally, strip the 802.11 header. 439 */ 440 m = ieee80211_decap(ic, m, hdrspace); 441 if (m == NULL) { 442 /* don't count Null data frames as errors */ 443 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 444 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 445 goto out; 446 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 447 ni->ni_macaddr, "data", "%s", "decap error"); 448 ic->ic_stats.is_rx_decap++; 449 IEEE80211_NODE_STAT(ni, rx_decap); 450 goto err; 451 } 452 eh = mtod(m, struct ether_header *); 453 if (!ieee80211_node_is_authorized(ni)) { 454 /* 455 * Deny any non-PAE frames received prior to 456 * authorization. For open/shared-key 457 * authentication the port is mark authorized 458 * after authentication completes. For 802.1x 459 * the port is not marked authorized by the 460 * authenticator until the handshake has completed. 461 */ 462 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 463 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 464 eh->ether_shost, "data", 465 "unauthorized port: ether type 0x%x len %u", 466 eh->ether_type, m->m_pkthdr.len); 467 ic->ic_stats.is_rx_unauth++; 468 IEEE80211_NODE_STAT(ni, rx_unauth); 469 goto err; 470 } 471 } else { 472 /* 473 * When denying unencrypted frames, discard 474 * any non-PAE frames received without encryption. 475 */ 476 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 477 key == NULL && 478 eh->ether_type != htons(ETHERTYPE_PAE)) { 479 /* 480 * Drop unencrypted frames. 481 */ 482 ic->ic_stats.is_rx_unencrypted++; 483 IEEE80211_NODE_STAT(ni, rx_unencrypted); 484 goto out; 485 } 486 } 487 /* XXX require HT? */ 488 if (qos & IEEE80211_QOS_AMSDU) { 489 m = ieee80211_decap_amsdu(ni, m); 490 if (m == NULL) 491 return IEEE80211_FC0_TYPE_DATA; 492 } else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) && 493 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) 494 m->m_pkthdr.len >= 3*FF_LLC_SIZE) { 495 struct llc *llc; 496 497 /* 498 * Check for fast-frame tunnel encapsulation. 499 */ 500 if (m->m_len < FF_LLC_SIZE && 501 (m = m_pullup(m, FF_LLC_SIZE)) == NULL) { 502 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 503 ni->ni_macaddr, "fast-frame", 504 "%s", "m_pullup(llc) failed"); 505 ic->ic_stats.is_rx_tooshort++; 506 return IEEE80211_FC0_TYPE_DATA; 507 } 508 llc = (struct llc *)(mtod(m, uint8_t *) + 509 sizeof(struct ether_header)); 510 if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) { 511 m_adj(m, FF_LLC_SIZE); 512 m = ieee80211_decap_fastframe(ic, ni, m); 513 if (m == NULL) 514 return IEEE80211_FC0_TYPE_DATA; 515 } 516 } 517 #undef FF_LLC_SIZE 518 ieee80211_deliver_data(ic, ni, m); 519 return IEEE80211_FC0_TYPE_DATA; 520 521 case IEEE80211_FC0_TYPE_MGT: 522 ic->ic_stats.is_rx_mgmt++; 523 IEEE80211_NODE_STAT(ni, rx_mgmt); 524 if (dir != IEEE80211_FC1_DIR_NODS) { 525 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 526 wh, "data", "unknown dir 0x%x", dir); 527 ic->ic_stats.is_rx_wrongdir++; 528 goto err; 529 } 530 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 531 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 532 ni->ni_macaddr, "mgt", "too short: len %u", 533 m->m_pkthdr.len); 534 ic->ic_stats.is_rx_tooshort++; 535 goto out; 536 } 537 #ifdef IEEE80211_DEBUG 538 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 539 ieee80211_msg_dumppkts(ic)) { 540 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 541 ieee80211_mgt_subtype_name[subtype >> 542 IEEE80211_FC0_SUBTYPE_SHIFT], 543 ether_sprintf(wh->i_addr2), rssi); 544 } 545 #endif 546 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 547 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 548 /* 549 * Only shared key auth frames with a challenge 550 * should be encrypted, discard all others. 551 */ 552 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 553 wh, ieee80211_mgt_subtype_name[subtype >> 554 IEEE80211_FC0_SUBTYPE_SHIFT], 555 "%s", "WEP set but not permitted"); 556 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 557 goto out; 558 } 559 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 560 /* 561 * Discard encrypted frames when privacy is off. 562 */ 563 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 564 wh, "mgt", "%s", "WEP set but PRIVACY off"); 565 ic->ic_stats.is_rx_noprivacy++; 566 goto out; 567 } 568 hdrspace = ieee80211_hdrspace(ic, wh); 569 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 570 if (key == NULL) { 571 /* NB: stats+msgs handled in crypto_decap */ 572 goto out; 573 } 574 wh = mtod(m, struct ieee80211_frame *); 575 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 576 } 577 if (bpf_peers_present(ic->ic_rawbpf)) 578 bpf_mtap(ic->ic_rawbpf, m); 579 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, noise, rstamp); 580 m_freem(m); 581 return IEEE80211_FC0_TYPE_MGT; 582 583 case IEEE80211_FC0_TYPE_CTL: 584 ic->ic_stats.is_rx_ctl++; 585 IEEE80211_NODE_STAT(ni, rx_ctrl); 586 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 587 switch (subtype) { 588 case IEEE80211_FC0_SUBTYPE_PS_POLL: 589 ieee80211_recv_pspoll(ic, ni, m); 590 break; 591 case IEEE80211_FC0_SUBTYPE_BAR: 592 ieee80211_recv_bar(ni, m); 593 break; 594 } 595 } 596 goto out; 597 default: 598 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 599 wh, NULL, "bad frame type 0x%x", type); 600 /* should not come here */ 601 break; 602 } 603 err: 604 ifp->if_ierrors++; 605 out: 606 if (m != NULL) { 607 if (bpf_peers_present(ic->ic_rawbpf) && need_tap) 608 bpf_mtap(ic->ic_rawbpf, m); 609 m_freem(m); 610 } 611 return type; 612 #undef SEQ_LEQ 613 } 614 615 /* 616 * This function reassemble fragments. 617 */ 618 static struct mbuf * 619 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 620 struct mbuf *m, int hdrspace) 621 { 622 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 623 struct ieee80211_frame *lwh; 624 uint16_t rxseq; 625 uint8_t fragno; 626 uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 627 struct mbuf *mfrag; 628 629 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 630 631 rxseq = le16toh(*(uint16_t *)wh->i_seq); 632 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 633 634 /* Quick way out, if there's nothing to defragment */ 635 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 636 return m; 637 638 /* 639 * Remove frag to insure it doesn't get reaped by timer. 640 */ 641 if (ni->ni_table == NULL) { 642 /* 643 * Should never happen. If the node is orphaned (not in 644 * the table) then input packets should not reach here. 645 * Otherwise, a concurrent request that yanks the table 646 * should be blocked by other interlocking and/or by first 647 * shutting the driver down. Regardless, be defensive 648 * here and just bail 649 */ 650 /* XXX need msg+stat */ 651 m_freem(m); 652 return NULL; 653 } 654 IEEE80211_NODE_LOCK(ni->ni_table); 655 mfrag = ni->ni_rxfrag[0]; 656 ni->ni_rxfrag[0] = NULL; 657 IEEE80211_NODE_UNLOCK(ni->ni_table); 658 659 /* 660 * Validate new fragment is in order and 661 * related to the previous ones. 662 */ 663 if (mfrag != NULL) { 664 uint16_t last_rxseq; 665 666 lwh = mtod(mfrag, struct ieee80211_frame *); 667 last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); 668 /* NB: check seq # and frag together */ 669 if (rxseq != last_rxseq+1 || 670 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 671 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 672 /* 673 * Unrelated fragment or no space for it, 674 * clear current fragments. 675 */ 676 m_freem(mfrag); 677 mfrag = NULL; 678 } 679 } 680 681 if (mfrag == NULL) { 682 if (fragno != 0) { /* !first fragment, discard */ 683 ic->ic_stats.is_rx_defrag++; 684 IEEE80211_NODE_STAT(ni, rx_defrag); 685 m_freem(m); 686 return NULL; 687 } 688 mfrag = m; 689 } else { /* concatenate */ 690 m_adj(m, hdrspace); /* strip header */ 691 m_cat(mfrag, m); 692 /* NB: m_cat doesn't update the packet header */ 693 mfrag->m_pkthdr.len += m->m_pkthdr.len; 694 /* track last seqnum and fragno */ 695 lwh = mtod(mfrag, struct ieee80211_frame *); 696 *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; 697 } 698 if (more_frag) { /* more to come, save */ 699 ni->ni_rxfragstamp = ticks; 700 ni->ni_rxfrag[0] = mfrag; 701 mfrag = NULL; 702 } 703 return mfrag; 704 } 705 706 void 707 ieee80211_deliver_data(struct ieee80211com *ic, 708 struct ieee80211_node *ni, struct mbuf *m) 709 { 710 struct ether_header *eh = mtod(m, struct ether_header *); 711 struct ifnet *ifp = ic->ic_ifp; 712 713 /* 714 * Do accounting. 715 */ 716 ifp->if_ipackets++; 717 IEEE80211_NODE_STAT(ni, rx_data); 718 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 719 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 720 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 721 IEEE80211_NODE_STAT(ni, rx_mcast); 722 } else 723 IEEE80211_NODE_STAT(ni, rx_ucast); 724 725 /* perform as a bridge within the AP */ 726 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 727 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 728 struct mbuf *m1 = NULL; 729 730 if (m->m_flags & M_MCAST) { 731 m1 = m_dup(m, M_DONTWAIT); 732 if (m1 == NULL) 733 ifp->if_oerrors++; 734 else 735 m1->m_flags |= M_MCAST; 736 } else { 737 /* 738 * Check if the destination is known; if so 739 * and the port is authorized dispatch directly. 740 */ 741 struct ieee80211_node *sta = 742 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 743 if (sta != NULL) { 744 if (ieee80211_node_is_authorized(sta)) { 745 /* 746 * Beware of sending to ourself; this 747 * needs to happen via the normal 748 * input path. 749 */ 750 if (sta != ic->ic_bss) { 751 m1 = m; 752 m = NULL; 753 } 754 } else { 755 ic->ic_stats.is_rx_unauth++; 756 IEEE80211_NODE_STAT(sta, rx_unauth); 757 } 758 ieee80211_free_node(sta); 759 } 760 } 761 if (m1 != NULL) 762 (void) IF_HANDOFF(&ifp->if_snd, m1, ifp); 763 } 764 if (m != NULL) { 765 m->m_pkthdr.rcvif = ifp; 766 if (ni->ni_vlan != 0) { 767 /* attach vlan tag */ 768 m->m_pkthdr.ether_vtag = ni->ni_vlan; 769 m->m_flags |= M_VLANTAG; 770 } 771 (*ifp->if_input)(ifp, m); 772 } 773 } 774 775 static struct mbuf * 776 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 777 { 778 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 779 struct ether_header *eh; 780 struct llc *llc; 781 782 if (m->m_len < hdrlen + sizeof(*llc) && 783 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 784 /* XXX stat, msg */ 785 return NULL; 786 } 787 memcpy(&wh, mtod(m, caddr_t), hdrlen); 788 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 789 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 790 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 791 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 792 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 793 llc = NULL; 794 } else { 795 m_adj(m, hdrlen - sizeof(*eh)); 796 } 797 eh = mtod(m, struct ether_header *); 798 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 799 case IEEE80211_FC1_DIR_NODS: 800 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 801 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 802 break; 803 case IEEE80211_FC1_DIR_TODS: 804 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 805 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 806 break; 807 case IEEE80211_FC1_DIR_FROMDS: 808 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 809 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 810 break; 811 case IEEE80211_FC1_DIR_DSTODS: 812 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 813 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 814 break; 815 } 816 #ifdef ALIGNED_POINTER 817 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) { 818 struct mbuf *n, *n0, **np; 819 caddr_t newdata; 820 int off, pktlen; 821 822 n0 = NULL; 823 np = &n0; 824 off = 0; 825 pktlen = m->m_pkthdr.len; 826 while (pktlen > off) { 827 if (n0 == NULL) { 828 MGETHDR(n, M_DONTWAIT, MT_DATA); 829 if (n == NULL) { 830 m_freem(m); 831 return NULL; 832 } 833 M_MOVE_PKTHDR(n, m); 834 n->m_len = MHLEN; 835 } else { 836 MGET(n, M_DONTWAIT, MT_DATA); 837 if (n == NULL) { 838 m_freem(m); 839 m_freem(n0); 840 return NULL; 841 } 842 n->m_len = MLEN; 843 } 844 if (pktlen - off >= MINCLSIZE) { 845 MCLGET(n, M_DONTWAIT); 846 if (n->m_flags & M_EXT) 847 n->m_len = n->m_ext.ext_size; 848 } 849 if (n0 == NULL) { 850 newdata = 851 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 852 sizeof(*eh); 853 n->m_len -= newdata - n->m_data; 854 n->m_data = newdata; 855 } 856 if (n->m_len > pktlen - off) 857 n->m_len = pktlen - off; 858 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 859 off += n->m_len; 860 *np = n; 861 np = &n->m_next; 862 } 863 m_freem(m); 864 m = n0; 865 } 866 #endif /* ALIGNED_POINTER */ 867 if (llc != NULL) { 868 eh = mtod(m, struct ether_header *); 869 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 870 } 871 return m; 872 } 873 874 /* 875 * Decap a frame encapsulated in a fast-frame/A-MSDU. 876 */ 877 struct mbuf * 878 ieee80211_decap1(struct mbuf *m, int *framelen) 879 { 880 #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) 881 struct ether_header *eh; 882 struct llc *llc; 883 884 /* 885 * The frame has an 802.3 header followed by an 802.2 886 * LLC header. The encapsulated frame length is in the 887 * first header type field; save that and overwrite it 888 * with the true type field found in the second. Then 889 * copy the 802.3 header up to where it belongs and 890 * adjust the mbuf contents to remove the void. 891 */ 892 if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) 893 return NULL; 894 eh = mtod(m, struct ether_header *); /* 802.3 header is first */ 895 llc = (struct llc *)&eh[1]; /* 802.2 header follows */ 896 *framelen = ntohs(eh->ether_type) /* encap'd frame size */ 897 + sizeof(struct ether_header) - sizeof(struct llc); 898 eh->ether_type = llc->llc_un.type_snap.ether_type; 899 ovbcopy(eh, mtod(m, uint8_t *) + sizeof(struct llc), 900 sizeof(struct ether_header)); 901 m_adj(m, sizeof(struct llc)); 902 return m; 903 #undef FF_LLC_SIZE 904 } 905 906 /* 907 * Decap the encapsulated frame pair and dispatch the first 908 * for delivery. The second frame is returned for delivery 909 * via the normal path. 910 */ 911 static struct mbuf * 912 ieee80211_decap_fastframe(struct ieee80211com *ic, 913 struct ieee80211_node *ni, struct mbuf *m) 914 { 915 #define MS(x,f) (((x) & f) >> f##_S) 916 uint32_t ath; 917 struct mbuf *n; 918 int framelen; 919 920 m_copydata(m, 0, sizeof(uint32_t), (caddr_t) &ath); 921 if (MS(ath, ATH_FF_PROTO) != ATH_FF_PROTO_L2TUNNEL) { 922 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 923 ni->ni_macaddr, "fast-frame", 924 "unsupport tunnel protocol, header 0x%x", ath); 925 ic->ic_stats.is_ff_badhdr++; 926 m_freem(m); 927 return NULL; 928 } 929 /* NB: skip header and alignment padding */ 930 m_adj(m, roundup(sizeof(uint32_t) - 2, 4) + 2); 931 932 ic->ic_stats.is_ff_decap++; 933 934 /* 935 * Decap the first frame, bust it apart from the 936 * second and deliver; then decap the second frame 937 * and return it to the caller for normal delivery. 938 */ 939 m = ieee80211_decap1(m, &framelen); 940 if (m == NULL) { 941 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 942 ni->ni_macaddr, "fast-frame", "%s", "first decap failed"); 943 ic->ic_stats.is_ff_tooshort++; 944 return NULL; 945 } 946 n = m_split(m, framelen, M_NOWAIT); 947 if (n == NULL) { 948 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 949 ni->ni_macaddr, "fast-frame", 950 "%s", "unable to split encapsulated frames"); 951 ic->ic_stats.is_ff_split++; 952 m_freem(m); /* NB: must reclaim */ 953 return NULL; 954 } 955 ieee80211_deliver_data(ic, ni, m); /* 1st of pair */ 956 957 /* 958 * Decap second frame. 959 */ 960 m_adj(n, roundup2(framelen, 4) - framelen); /* padding */ 961 n = ieee80211_decap1(n, &framelen); 962 if (n == NULL) { 963 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 964 ni->ni_macaddr, "fast-frame", "%s", "second decap failed"); 965 ic->ic_stats.is_ff_tooshort++; 966 } 967 /* XXX verify framelen against mbuf contents */ 968 return n; /* 2nd delivered by caller */ 969 #undef MS 970 } 971 972 /* 973 * Install received rate set information in the node's state block. 974 */ 975 int 976 ieee80211_setup_rates(struct ieee80211_node *ni, 977 const uint8_t *rates, const uint8_t *xrates, int flags) 978 { 979 struct ieee80211com *ic = ni->ni_ic; 980 struct ieee80211_rateset *rs = &ni->ni_rates; 981 982 memset(rs, 0, sizeof(*rs)); 983 rs->rs_nrates = rates[1]; 984 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 985 if (xrates != NULL) { 986 uint8_t nxrates; 987 /* 988 * Tack on 11g extended supported rate element. 989 */ 990 nxrates = xrates[1]; 991 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 992 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 993 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 994 "[%s] extended rate set too large;" 995 " only using %u of %u rates\n", 996 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 997 ic->ic_stats.is_rx_rstoobig++; 998 } 999 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 1000 rs->rs_nrates += nxrates; 1001 } 1002 return ieee80211_fix_rate(ni, rs, flags); 1003 } 1004 1005 static void 1006 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 1007 struct ieee80211_node *ni, int rssi, int noise, uint32_t rstamp, 1008 uint16_t seq, uint16_t status) 1009 { 1010 1011 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 1012 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1013 ni->ni_macaddr, "open auth", 1014 "bad sta auth mode %u", ni->ni_authmode); 1015 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 1016 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1017 /* 1018 * Clear any challenge text that may be there if 1019 * a previous shared key auth failed and then an 1020 * open auth is attempted. 1021 */ 1022 if (ni->ni_challenge != NULL) { 1023 FREE(ni->ni_challenge, M_80211_NODE); 1024 ni->ni_challenge = NULL; 1025 } 1026 /* XXX hack to workaround calling convention */ 1027 ieee80211_send_error(ic, ni, wh->i_addr2, 1028 IEEE80211_FC0_SUBTYPE_AUTH, 1029 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 1030 } 1031 return; 1032 } 1033 switch (ic->ic_opmode) { 1034 case IEEE80211_M_IBSS: 1035 case IEEE80211_M_AHDEMO: 1036 case IEEE80211_M_MONITOR: 1037 case IEEE80211_M_WDS: 1038 /* should not come here */ 1039 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1040 ni->ni_macaddr, "open auth", 1041 "bad operating mode %u", ic->ic_opmode); 1042 break; 1043 1044 case IEEE80211_M_HOSTAP: 1045 if (ic->ic_state != IEEE80211_S_RUN || 1046 seq != IEEE80211_AUTH_OPEN_REQUEST) { 1047 ic->ic_stats.is_rx_bad_auth++; 1048 return; 1049 } 1050 /* always accept open authentication requests */ 1051 if (ni == ic->ic_bss) { 1052 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1053 if (ni == NULL) 1054 return; 1055 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1056 (void) ieee80211_ref_node(ni); 1057 /* 1058 * Mark the node as referenced to reflect that it's 1059 * reference count has been bumped to insure it remains 1060 * after the transaction completes. 1061 */ 1062 ni->ni_flags |= IEEE80211_NODE_AREF; 1063 1064 IEEE80211_SEND_MGMT(ic, ni, 1065 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1066 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1067 "[%s] station authenticated (open)\n", 1068 ether_sprintf(ni->ni_macaddr)); 1069 /* 1070 * When 802.1x is not in use mark the port 1071 * authorized at this point so traffic can flow. 1072 */ 1073 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 1074 ieee80211_node_authorize(ni); 1075 break; 1076 1077 case IEEE80211_M_STA: 1078 if (ic->ic_state != IEEE80211_S_AUTH || 1079 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1080 ic->ic_stats.is_rx_bad_auth++; 1081 return; 1082 } 1083 if (status != 0) { 1084 IEEE80211_DPRINTF(ic, 1085 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1086 "[%s] open auth failed (reason %d)\n", 1087 ether_sprintf(ni->ni_macaddr), status); 1088 /* XXX can this happen? */ 1089 if (ni != ic->ic_bss) 1090 ni->ni_fails++; 1091 ic->ic_stats.is_rx_auth_fail++; 1092 ieee80211_new_state(ic, IEEE80211_S_SCAN, 1093 IEEE80211_SCAN_FAIL_STATUS); 1094 } else 1095 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0); 1096 break; 1097 } 1098 } 1099 1100 /* 1101 * Send a management frame error response to the specified 1102 * station. If ni is associated with the station then use 1103 * it; otherwise allocate a temporary node suitable for 1104 * transmitting the frame and then free the reference so 1105 * it will go away as soon as the frame has been transmitted. 1106 */ 1107 static void 1108 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1109 const uint8_t *mac, int subtype, int arg) 1110 { 1111 int istmp; 1112 1113 if (ni == ic->ic_bss) { 1114 ni = ieee80211_tmp_node(ic, mac); 1115 if (ni == NULL) { 1116 /* XXX msg */ 1117 return; 1118 } 1119 istmp = 1; 1120 } else 1121 istmp = 0; 1122 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1123 if (istmp) 1124 ieee80211_free_node(ni); 1125 } 1126 1127 static int 1128 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1129 { 1130 if (ni->ni_challenge == NULL) 1131 MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN, 1132 M_80211_NODE, M_NOWAIT); 1133 if (ni->ni_challenge == NULL) { 1134 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1135 "[%s] shared key challenge alloc failed\n", 1136 ether_sprintf(ni->ni_macaddr)); 1137 /* XXX statistic */ 1138 } 1139 return (ni->ni_challenge != NULL); 1140 } 1141 1142 /* XXX TODO: add statistics */ 1143 static void 1144 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1145 uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni, 1146 int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status) 1147 { 1148 uint8_t *challenge; 1149 int allocbs, estatus; 1150 1151 /* 1152 * NB: this can happen as we allow pre-shared key 1153 * authentication to be enabled w/o wep being turned 1154 * on so that configuration of these can be done 1155 * in any order. It may be better to enforce the 1156 * ordering in which case this check would just be 1157 * for sanity/consistency. 1158 */ 1159 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1160 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1161 ni->ni_macaddr, "shared key auth", 1162 "%s", " PRIVACY is disabled"); 1163 estatus = IEEE80211_STATUS_ALG; 1164 goto bad; 1165 } 1166 /* 1167 * Pre-shared key authentication is evil; accept 1168 * it only if explicitly configured (it is supported 1169 * mainly for compatibility with clients like OS X). 1170 */ 1171 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1172 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1173 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1174 ni->ni_macaddr, "shared key auth", 1175 "bad sta auth mode %u", ni->ni_authmode); 1176 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1177 estatus = IEEE80211_STATUS_ALG; 1178 goto bad; 1179 } 1180 1181 challenge = NULL; 1182 if (frm + 1 < efrm) { 1183 if ((frm[1] + 2) > (efrm - frm)) { 1184 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1185 ni->ni_macaddr, "shared key auth", 1186 "ie %d/%d too long", 1187 frm[0], (frm[1] + 2) - (efrm - frm)); 1188 ic->ic_stats.is_rx_bad_auth++; 1189 estatus = IEEE80211_STATUS_CHALLENGE; 1190 goto bad; 1191 } 1192 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1193 challenge = frm; 1194 frm += frm[1] + 2; 1195 } 1196 switch (seq) { 1197 case IEEE80211_AUTH_SHARED_CHALLENGE: 1198 case IEEE80211_AUTH_SHARED_RESPONSE: 1199 if (challenge == NULL) { 1200 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1201 ni->ni_macaddr, "shared key auth", 1202 "%s", "no challenge"); 1203 ic->ic_stats.is_rx_bad_auth++; 1204 estatus = IEEE80211_STATUS_CHALLENGE; 1205 goto bad; 1206 } 1207 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1208 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1209 ni->ni_macaddr, "shared key auth", 1210 "bad challenge len %d", challenge[1]); 1211 ic->ic_stats.is_rx_bad_auth++; 1212 estatus = IEEE80211_STATUS_CHALLENGE; 1213 goto bad; 1214 } 1215 default: 1216 break; 1217 } 1218 switch (ic->ic_opmode) { 1219 case IEEE80211_M_MONITOR: 1220 case IEEE80211_M_AHDEMO: 1221 case IEEE80211_M_IBSS: 1222 case IEEE80211_M_WDS: 1223 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1224 ni->ni_macaddr, "shared key auth", 1225 "bad operating mode %u", ic->ic_opmode); 1226 return; 1227 case IEEE80211_M_HOSTAP: 1228 if (ic->ic_state != IEEE80211_S_RUN) { 1229 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1230 ni->ni_macaddr, "shared key auth", 1231 "bad state %u", ic->ic_state); 1232 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1233 goto bad; 1234 } 1235 switch (seq) { 1236 case IEEE80211_AUTH_SHARED_REQUEST: 1237 if (ni == ic->ic_bss) { 1238 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1239 if (ni == NULL) { 1240 /* NB: no way to return an error */ 1241 return; 1242 } 1243 allocbs = 1; 1244 } else { 1245 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1246 (void) ieee80211_ref_node(ni); 1247 allocbs = 0; 1248 } 1249 /* 1250 * Mark the node as referenced to reflect that it's 1251 * reference count has been bumped to insure it remains 1252 * after the transaction completes. 1253 */ 1254 ni->ni_flags |= IEEE80211_NODE_AREF; 1255 ni->ni_rssi = rssi; 1256 ni->ni_noise = noise; 1257 ni->ni_rstamp = rstamp; 1258 if (!alloc_challenge(ic, ni)) { 1259 /* NB: don't return error so they rexmit */ 1260 return; 1261 } 1262 get_random_bytes(ni->ni_challenge, 1263 IEEE80211_CHALLENGE_LEN); 1264 IEEE80211_DPRINTF(ic, 1265 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1266 "[%s] shared key %sauth request\n", 1267 ether_sprintf(ni->ni_macaddr), 1268 allocbs ? "" : "re"); 1269 break; 1270 case IEEE80211_AUTH_SHARED_RESPONSE: 1271 if (ni == ic->ic_bss) { 1272 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1273 ni->ni_macaddr, "shared key response", 1274 "%s", "unknown station"); 1275 /* NB: don't send a response */ 1276 return; 1277 } 1278 if (ni->ni_challenge == NULL) { 1279 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1280 ni->ni_macaddr, "shared key response", 1281 "%s", "no challenge recorded"); 1282 ic->ic_stats.is_rx_bad_auth++; 1283 estatus = IEEE80211_STATUS_CHALLENGE; 1284 goto bad; 1285 } 1286 if (memcmp(ni->ni_challenge, &challenge[2], 1287 challenge[1]) != 0) { 1288 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1289 ni->ni_macaddr, "shared key response", 1290 "%s", "challenge mismatch"); 1291 ic->ic_stats.is_rx_auth_fail++; 1292 estatus = IEEE80211_STATUS_CHALLENGE; 1293 goto bad; 1294 } 1295 IEEE80211_DPRINTF(ic, 1296 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1297 "[%s] station authenticated (shared key)\n", 1298 ether_sprintf(ni->ni_macaddr)); 1299 ieee80211_node_authorize(ni); 1300 break; 1301 default: 1302 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1303 ni->ni_macaddr, "shared key auth", 1304 "bad seq %d", seq); 1305 ic->ic_stats.is_rx_bad_auth++; 1306 estatus = IEEE80211_STATUS_SEQUENCE; 1307 goto bad; 1308 } 1309 IEEE80211_SEND_MGMT(ic, ni, 1310 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1311 break; 1312 1313 case IEEE80211_M_STA: 1314 if (ic->ic_state != IEEE80211_S_AUTH) 1315 return; 1316 switch (seq) { 1317 case IEEE80211_AUTH_SHARED_PASS: 1318 if (ni->ni_challenge != NULL) { 1319 FREE(ni->ni_challenge, M_80211_NODE); 1320 ni->ni_challenge = NULL; 1321 } 1322 if (status != 0) { 1323 IEEE80211_DPRINTF(ic, 1324 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1325 "[%s] shared key auth failed (reason %d)\n", 1326 ether_sprintf(ieee80211_getbssid(ic, wh)), 1327 status); 1328 /* XXX can this happen? */ 1329 if (ni != ic->ic_bss) 1330 ni->ni_fails++; 1331 ic->ic_stats.is_rx_auth_fail++; 1332 return; 1333 } 1334 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0); 1335 break; 1336 case IEEE80211_AUTH_SHARED_CHALLENGE: 1337 if (!alloc_challenge(ic, ni)) 1338 return; 1339 /* XXX could optimize by passing recvd challenge */ 1340 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1341 IEEE80211_SEND_MGMT(ic, ni, 1342 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1343 break; 1344 default: 1345 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1346 wh, "shared key auth", "bad seq %d", seq); 1347 ic->ic_stats.is_rx_bad_auth++; 1348 return; 1349 } 1350 break; 1351 } 1352 return; 1353 bad: 1354 /* 1355 * Send an error response; but only when operating as an AP. 1356 */ 1357 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1358 /* XXX hack to workaround calling convention */ 1359 ieee80211_send_error(ic, ni, wh->i_addr2, 1360 IEEE80211_FC0_SUBTYPE_AUTH, 1361 (seq + 1) | (estatus<<16)); 1362 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1363 /* 1364 * Kick the state machine. This short-circuits 1365 * using the mgt frame timeout to trigger the 1366 * state transition. 1367 */ 1368 if (ic->ic_state == IEEE80211_S_AUTH) 1369 ieee80211_new_state(ic, IEEE80211_S_SCAN, 1370 IEEE80211_SCAN_FAIL_STATUS); 1371 } 1372 } 1373 1374 /* Verify the existence and length of __elem or get out. */ 1375 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1376 if ((__elem) == NULL) { \ 1377 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1378 wh, ieee80211_mgt_subtype_name[subtype >> \ 1379 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1380 "%s", "no " #__elem ); \ 1381 ic->ic_stats.is_rx_elem_missing++; \ 1382 return; \ 1383 } \ 1384 if ((__elem)[1] > (__maxlen)) { \ 1385 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1386 wh, ieee80211_mgt_subtype_name[subtype >> \ 1387 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1388 "bad " #__elem " len %d", (__elem)[1]); \ 1389 ic->ic_stats.is_rx_elem_toobig++; \ 1390 return; \ 1391 } \ 1392 } while (0) 1393 1394 #define IEEE80211_VERIFY_LENGTH(_len, _minlen, _action) do { \ 1395 if ((_len) < (_minlen)) { \ 1396 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1397 wh, ieee80211_mgt_subtype_name[subtype >> \ 1398 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1399 "ie too short, got %d, expected %d", \ 1400 (_len), (_minlen)); \ 1401 ic->ic_stats.is_rx_elem_toosmall++; \ 1402 _action; \ 1403 } \ 1404 } while (0) 1405 1406 #ifdef IEEE80211_DEBUG 1407 static void 1408 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1409 uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid) 1410 { 1411 printf("[%s] discard %s frame, ssid mismatch: ", 1412 ether_sprintf(mac), tag); 1413 ieee80211_print_essid(ssid + 2, ssid[1]); 1414 printf("\n"); 1415 } 1416 1417 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1418 if ((_ssid)[1] != 0 && \ 1419 ((_ssid)[1] != (_ni)->ni_esslen || \ 1420 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1421 if (ieee80211_msg_input(ic)) \ 1422 ieee80211_ssid_mismatch(ic, \ 1423 ieee80211_mgt_subtype_name[subtype >> \ 1424 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1425 wh->i_addr2, _ssid); \ 1426 ic->ic_stats.is_rx_ssidmismatch++; \ 1427 return; \ 1428 } \ 1429 } while (0) 1430 #else /* !IEEE80211_DEBUG */ 1431 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1432 if ((_ssid)[1] != 0 && \ 1433 ((_ssid)[1] != (_ni)->ni_esslen || \ 1434 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1435 ic->ic_stats.is_rx_ssidmismatch++; \ 1436 return; \ 1437 } \ 1438 } while (0) 1439 #endif /* !IEEE80211_DEBUG */ 1440 1441 /* unalligned little endian access */ 1442 #define LE_READ_2(p) \ 1443 ((uint16_t) \ 1444 ((((const uint8_t *)(p))[0] ) | \ 1445 (((const uint8_t *)(p))[1] << 8))) 1446 #define LE_READ_4(p) \ 1447 ((uint32_t) \ 1448 ((((const uint8_t *)(p))[0] ) | \ 1449 (((const uint8_t *)(p))[1] << 8) | \ 1450 (((const uint8_t *)(p))[2] << 16) | \ 1451 (((const uint8_t *)(p))[3] << 24))) 1452 1453 static __inline int 1454 iswpaoui(const uint8_t *frm) 1455 { 1456 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1457 } 1458 1459 static __inline int 1460 iswmeoui(const uint8_t *frm) 1461 { 1462 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1463 } 1464 1465 static __inline int 1466 iswmeparam(const uint8_t *frm) 1467 { 1468 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1469 frm[6] == WME_PARAM_OUI_SUBTYPE; 1470 } 1471 1472 static __inline int 1473 iswmeinfo(const uint8_t *frm) 1474 { 1475 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1476 frm[6] == WME_INFO_OUI_SUBTYPE; 1477 } 1478 1479 static __inline int 1480 isatherosoui(const uint8_t *frm) 1481 { 1482 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1483 } 1484 1485 static __inline int 1486 ishtcapoui(const uint8_t *frm) 1487 { 1488 return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTCAP<<24)|BCM_OUI); 1489 } 1490 1491 static __inline int 1492 ishtinfooui(const uint8_t *frm) 1493 { 1494 return frm[1] > 3 && LE_READ_4(frm+2) == ((BCM_OUI_HTINFO<<24)|BCM_OUI); 1495 } 1496 1497 /* 1498 * Convert a WPA cipher selector OUI to an internal 1499 * cipher algorithm. Where appropriate we also 1500 * record any key length. 1501 */ 1502 static int 1503 wpa_cipher(uint8_t *sel, uint8_t *keylen) 1504 { 1505 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1506 uint32_t w = LE_READ_4(sel); 1507 1508 switch (w) { 1509 case WPA_SEL(WPA_CSE_NULL): 1510 return IEEE80211_CIPHER_NONE; 1511 case WPA_SEL(WPA_CSE_WEP40): 1512 if (keylen) 1513 *keylen = 40 / NBBY; 1514 return IEEE80211_CIPHER_WEP; 1515 case WPA_SEL(WPA_CSE_WEP104): 1516 if (keylen) 1517 *keylen = 104 / NBBY; 1518 return IEEE80211_CIPHER_WEP; 1519 case WPA_SEL(WPA_CSE_TKIP): 1520 return IEEE80211_CIPHER_TKIP; 1521 case WPA_SEL(WPA_CSE_CCMP): 1522 return IEEE80211_CIPHER_AES_CCM; 1523 } 1524 return 32; /* NB: so 1<< is discarded */ 1525 #undef WPA_SEL 1526 } 1527 1528 /* 1529 * Convert a WPA key management/authentication algorithm 1530 * to an internal code. 1531 */ 1532 static int 1533 wpa_keymgmt(uint8_t *sel) 1534 { 1535 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1536 uint32_t w = LE_READ_4(sel); 1537 1538 switch (w) { 1539 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1540 return WPA_ASE_8021X_UNSPEC; 1541 case WPA_SEL(WPA_ASE_8021X_PSK): 1542 return WPA_ASE_8021X_PSK; 1543 case WPA_SEL(WPA_ASE_NONE): 1544 return WPA_ASE_NONE; 1545 } 1546 return 0; /* NB: so is discarded */ 1547 #undef WPA_SEL 1548 } 1549 1550 /* 1551 * Parse a WPA information element to collect parameters 1552 * and validate the parameters against what has been 1553 * configured for the system. 1554 */ 1555 static int 1556 ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm, 1557 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1558 { 1559 uint8_t len = frm[1]; 1560 uint32_t w; 1561 int n; 1562 1563 /* 1564 * Check the length once for fixed parts: OUI, type, 1565 * version, mcast cipher, and 2 selector counts. 1566 * Other, variable-length data, must be checked separately. 1567 */ 1568 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1569 IEEE80211_DISCARD_IE(ic, 1570 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1571 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1572 return IEEE80211_REASON_IE_INVALID; 1573 } 1574 if (len < 14) { 1575 IEEE80211_DISCARD_IE(ic, 1576 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1577 wh, "WPA", "too short, len %u", len); 1578 return IEEE80211_REASON_IE_INVALID; 1579 } 1580 frm += 6, len -= 4; /* NB: len is payload only */ 1581 /* NB: iswapoui already validated the OUI and type */ 1582 w = LE_READ_2(frm); 1583 if (w != WPA_VERSION) { 1584 IEEE80211_DISCARD_IE(ic, 1585 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1586 wh, "WPA", "bad version %u", w); 1587 return IEEE80211_REASON_IE_INVALID; 1588 } 1589 frm += 2, len -= 2; 1590 1591 /* multicast/group cipher */ 1592 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1593 if (w != rsn->rsn_mcastcipher) { 1594 IEEE80211_DISCARD_IE(ic, 1595 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1596 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1597 w, rsn->rsn_mcastcipher); 1598 return IEEE80211_REASON_IE_INVALID; 1599 } 1600 frm += 4, len -= 4; 1601 1602 /* unicast ciphers */ 1603 n = LE_READ_2(frm); 1604 frm += 2, len -= 2; 1605 if (len < n*4+2) { 1606 IEEE80211_DISCARD_IE(ic, 1607 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1608 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1609 len, n); 1610 return IEEE80211_REASON_IE_INVALID; 1611 } 1612 w = 0; 1613 for (; n > 0; n--) { 1614 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1615 frm += 4, len -= 4; 1616 } 1617 w &= rsn->rsn_ucastcipherset; 1618 if (w == 0) { 1619 IEEE80211_DISCARD_IE(ic, 1620 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1621 wh, "WPA", "%s", "ucast cipher set empty"); 1622 return IEEE80211_REASON_IE_INVALID; 1623 } 1624 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1625 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1626 else 1627 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1628 1629 /* key management algorithms */ 1630 n = LE_READ_2(frm); 1631 frm += 2, len -= 2; 1632 if (len < n*4) { 1633 IEEE80211_DISCARD_IE(ic, 1634 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1635 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1636 len, n); 1637 return IEEE80211_REASON_IE_INVALID; 1638 } 1639 w = 0; 1640 for (; n > 0; n--) { 1641 w |= wpa_keymgmt(frm); 1642 frm += 4, len -= 4; 1643 } 1644 w &= rsn->rsn_keymgmtset; 1645 if (w == 0) { 1646 IEEE80211_DISCARD_IE(ic, 1647 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1648 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1649 return IEEE80211_REASON_IE_INVALID; 1650 } 1651 if (w & WPA_ASE_8021X_UNSPEC) 1652 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1653 else 1654 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1655 1656 if (len > 2) /* optional capabilities */ 1657 rsn->rsn_caps = LE_READ_2(frm); 1658 1659 return 0; 1660 } 1661 1662 /* 1663 * Convert an RSN cipher selector OUI to an internal 1664 * cipher algorithm. Where appropriate we also 1665 * record any key length. 1666 */ 1667 static int 1668 rsn_cipher(uint8_t *sel, uint8_t *keylen) 1669 { 1670 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1671 uint32_t w = LE_READ_4(sel); 1672 1673 switch (w) { 1674 case RSN_SEL(RSN_CSE_NULL): 1675 return IEEE80211_CIPHER_NONE; 1676 case RSN_SEL(RSN_CSE_WEP40): 1677 if (keylen) 1678 *keylen = 40 / NBBY; 1679 return IEEE80211_CIPHER_WEP; 1680 case RSN_SEL(RSN_CSE_WEP104): 1681 if (keylen) 1682 *keylen = 104 / NBBY; 1683 return IEEE80211_CIPHER_WEP; 1684 case RSN_SEL(RSN_CSE_TKIP): 1685 return IEEE80211_CIPHER_TKIP; 1686 case RSN_SEL(RSN_CSE_CCMP): 1687 return IEEE80211_CIPHER_AES_CCM; 1688 case RSN_SEL(RSN_CSE_WRAP): 1689 return IEEE80211_CIPHER_AES_OCB; 1690 } 1691 return 32; /* NB: so 1<< is discarded */ 1692 #undef WPA_SEL 1693 } 1694 1695 /* 1696 * Convert an RSN key management/authentication algorithm 1697 * to an internal code. 1698 */ 1699 static int 1700 rsn_keymgmt(uint8_t *sel) 1701 { 1702 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1703 uint32_t w = LE_READ_4(sel); 1704 1705 switch (w) { 1706 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1707 return RSN_ASE_8021X_UNSPEC; 1708 case RSN_SEL(RSN_ASE_8021X_PSK): 1709 return RSN_ASE_8021X_PSK; 1710 case RSN_SEL(RSN_ASE_NONE): 1711 return RSN_ASE_NONE; 1712 } 1713 return 0; /* NB: so is discarded */ 1714 #undef RSN_SEL 1715 } 1716 1717 /* 1718 * Parse a WPA/RSN information element to collect parameters 1719 * and validate the parameters against what has been 1720 * configured for the system. 1721 */ 1722 static int 1723 ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm, 1724 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1725 { 1726 uint8_t len = frm[1]; 1727 uint32_t w; 1728 int n; 1729 1730 /* 1731 * Check the length once for fixed parts: 1732 * version, mcast cipher, and 2 selector counts. 1733 * Other, variable-length data, must be checked separately. 1734 */ 1735 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1736 IEEE80211_DISCARD_IE(ic, 1737 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1738 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1739 return IEEE80211_REASON_IE_INVALID; 1740 } 1741 if (len < 10) { 1742 IEEE80211_DISCARD_IE(ic, 1743 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1744 wh, "RSN", "too short, len %u", len); 1745 return IEEE80211_REASON_IE_INVALID; 1746 } 1747 frm += 2; 1748 w = LE_READ_2(frm); 1749 if (w != RSN_VERSION) { 1750 IEEE80211_DISCARD_IE(ic, 1751 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1752 wh, "RSN", "bad version %u", w); 1753 return IEEE80211_REASON_IE_INVALID; 1754 } 1755 frm += 2, len -= 2; 1756 1757 /* multicast/group cipher */ 1758 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1759 if (w != rsn->rsn_mcastcipher) { 1760 IEEE80211_DISCARD_IE(ic, 1761 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1762 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1763 w, rsn->rsn_mcastcipher); 1764 return IEEE80211_REASON_IE_INVALID; 1765 } 1766 frm += 4, len -= 4; 1767 1768 /* unicast ciphers */ 1769 n = LE_READ_2(frm); 1770 frm += 2, len -= 2; 1771 if (len < n*4+2) { 1772 IEEE80211_DISCARD_IE(ic, 1773 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1774 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1775 len, n); 1776 return IEEE80211_REASON_IE_INVALID; 1777 } 1778 w = 0; 1779 for (; n > 0; n--) { 1780 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1781 frm += 4, len -= 4; 1782 } 1783 w &= rsn->rsn_ucastcipherset; 1784 if (w == 0) { 1785 IEEE80211_DISCARD_IE(ic, 1786 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1787 wh, "RSN", "%s", "ucast cipher set empty"); 1788 return IEEE80211_REASON_IE_INVALID; 1789 } 1790 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1791 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1792 else 1793 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1794 1795 /* key management algorithms */ 1796 n = LE_READ_2(frm); 1797 frm += 2, len -= 2; 1798 if (len < n*4) { 1799 IEEE80211_DISCARD_IE(ic, 1800 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1801 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1802 len, n); 1803 return IEEE80211_REASON_IE_INVALID; 1804 } 1805 w = 0; 1806 for (; n > 0; n--) { 1807 w |= rsn_keymgmt(frm); 1808 frm += 4, len -= 4; 1809 } 1810 w &= rsn->rsn_keymgmtset; 1811 if (w == 0) { 1812 IEEE80211_DISCARD_IE(ic, 1813 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1814 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1815 return IEEE80211_REASON_IE_INVALID; 1816 } 1817 if (w & RSN_ASE_8021X_UNSPEC) 1818 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1819 else 1820 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1821 1822 /* optional RSN capabilities */ 1823 if (len > 2) 1824 rsn->rsn_caps = LE_READ_2(frm); 1825 /* XXXPMKID */ 1826 1827 return 0; 1828 } 1829 1830 static int 1831 ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm, 1832 const struct ieee80211_frame *wh) 1833 { 1834 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1835 struct ieee80211_wme_state *wme = &ic->ic_wme; 1836 u_int len = frm[1], qosinfo; 1837 int i; 1838 1839 if (len < sizeof(struct ieee80211_wme_param)-2) { 1840 IEEE80211_DISCARD_IE(ic, 1841 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1842 wh, "WME", "too short, len %u", len); 1843 return -1; 1844 } 1845 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1846 qosinfo &= WME_QOSINFO_COUNT; 1847 /* XXX do proper check for wraparound */ 1848 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1849 return 0; 1850 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1851 for (i = 0; i < WME_NUM_AC; i++) { 1852 struct wmeParams *wmep = 1853 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1854 /* NB: ACI not used */ 1855 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1856 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1857 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1858 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1859 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1860 frm += 4; 1861 } 1862 wme->wme_wmeChanParams.cap_info = qosinfo; 1863 return 1; 1864 #undef MS 1865 } 1866 1867 static int 1868 ieee80211_parse_athparams(struct ieee80211_node *ni, uint8_t *frm, 1869 const struct ieee80211_frame *wh) 1870 { 1871 struct ieee80211com *ic = ni->ni_ic; 1872 const struct ieee80211_ath_ie *ath; 1873 u_int len = frm[1]; 1874 int capschanged; 1875 uint16_t defkeyix; 1876 1877 if (len < sizeof(struct ieee80211_ath_ie)-2) { 1878 IEEE80211_DISCARD_IE(ic, 1879 IEEE80211_MSG_ELEMID | IEEE80211_MSG_SUPERG, 1880 wh, "Atheros", "too short, len %u", len); 1881 return -1; 1882 } 1883 ath = (const struct ieee80211_ath_ie *)frm; 1884 capschanged = (ni->ni_ath_flags != ath->ath_capability); 1885 defkeyix = LE_READ_2(ath->ath_defkeyix); 1886 if (capschanged || defkeyix != ni->ni_ath_defkeyix) { 1887 ni->ni_ath_flags = ath->ath_capability; 1888 ni->ni_ath_defkeyix = defkeyix; 1889 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG, 1890 "[%s] ath ie change: new caps 0x%x defkeyix 0x%x\n", 1891 ether_sprintf(ni->ni_macaddr), 1892 ni->ni_ath_flags, ni->ni_ath_defkeyix); 1893 } 1894 if (IEEE80211_ATH_CAP(ic, ni, ATHEROS_CAP_TURBO_PRIME)) { 1895 uint16_t curflags, newflags; 1896 1897 /* 1898 * Check for turbo mode switch. Calculate flags 1899 * for the new mode and effect the switch. 1900 */ 1901 newflags = curflags = ic->ic_bsschan->ic_flags; 1902 /* NB: BOOST is not in ic_flags, so get it from the ie */ 1903 if (ath->ath_capability & ATHEROS_CAP_BOOST) 1904 newflags |= IEEE80211_CHAN_TURBO; 1905 else 1906 newflags &= ~IEEE80211_CHAN_TURBO; 1907 if (newflags != curflags) 1908 ieee80211_dturbo_switch(ic, newflags); 1909 } 1910 return capschanged; 1911 } 1912 1913 void 1914 ieee80211_saveath(struct ieee80211_node *ni, uint8_t *ie) 1915 { 1916 const struct ieee80211_ath_ie *ath = 1917 (const struct ieee80211_ath_ie *) ie; 1918 1919 ni->ni_ath_flags = ath->ath_capability; 1920 ni->ni_ath_defkeyix = LE_READ_2(&ath->ath_defkeyix); 1921 ieee80211_saveie(&ni->ni_ath_ie, ie); 1922 } 1923 1924 void 1925 ieee80211_saveie(uint8_t **iep, const uint8_t *ie) 1926 { 1927 u_int ielen = ie[1]+2; 1928 /* 1929 * Record information element for later use. 1930 */ 1931 if (*iep == NULL || (*iep)[1] != ie[1]) { 1932 if (*iep != NULL) 1933 FREE(*iep, M_80211_NODE); 1934 MALLOC(*iep, void*, ielen, M_80211_NODE, M_NOWAIT); 1935 } 1936 if (*iep != NULL) 1937 memcpy(*iep, ie, ielen); 1938 /* XXX note failure */ 1939 } 1940 1941 /* XXX find a better place for definition */ 1942 struct l2_update_frame { 1943 struct ether_header eh; 1944 uint8_t dsap; 1945 uint8_t ssap; 1946 uint8_t control; 1947 uint8_t xid[3]; 1948 } __packed; 1949 1950 /* 1951 * Deliver a TGf L2UF frame on behalf of a station. 1952 * This primes any bridge when the station is roaming 1953 * between ap's on the same wired network. 1954 */ 1955 static void 1956 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1957 { 1958 struct ieee80211com *ic = ni->ni_ic; 1959 struct ifnet *ifp = ic->ic_ifp; 1960 struct mbuf *m; 1961 struct l2_update_frame *l2uf; 1962 struct ether_header *eh; 1963 1964 m = m_gethdr(M_NOWAIT, MT_DATA); 1965 if (m == NULL) { 1966 IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni, 1967 "%s", "no mbuf for l2uf frame"); 1968 ic->ic_stats.is_rx_nobuf++; /* XXX not right */ 1969 return; 1970 } 1971 l2uf = mtod(m, struct l2_update_frame *); 1972 eh = &l2uf->eh; 1973 /* dst: Broadcast address */ 1974 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1975 /* src: associated STA */ 1976 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1977 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1978 1979 l2uf->dsap = 0; 1980 l2uf->ssap = 0; 1981 l2uf->control = 0xf5; 1982 l2uf->xid[0] = 0x81; 1983 l2uf->xid[1] = 0x80; 1984 l2uf->xid[2] = 0x00; 1985 1986 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1987 ieee80211_deliver_data(ic, ni, m); 1988 } 1989 1990 static __inline int 1991 contbgscan(struct ieee80211com *ic) 1992 { 1993 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) && 1994 time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle)); 1995 } 1996 1997 static __inline int 1998 startbgscan(struct ieee80211com *ic) 1999 { 2000 return ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2001 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) && 2002 time_after(ticks, ic->ic_lastscan + ic->ic_bgscanintvl) && 2003 time_after(ticks, ic->ic_lastdata + ic->ic_bgscanidle)); 2004 } 2005 2006 static void 2007 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 2008 int reassoc, int resp, const char *tag, int rate) 2009 { 2010 struct ieee80211com *ic = ni->ni_ic; 2011 2012 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2013 "[%s] deny %s request, %s rate set mismatch, rate 0x%x\n", 2014 ether_sprintf(wh->i_addr2), 2015 reassoc ? "reassoc" : "assoc", tag, rate); 2016 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_BASIC_RATE); 2017 ieee80211_node_leave(ic, ni); 2018 ic->ic_stats.is_rx_assoc_norate++; 2019 } 2020 2021 static void 2022 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh, 2023 int reassoc, int resp, const char *tag, int capinfo) 2024 { 2025 struct ieee80211com *ic = ni->ni_ic; 2026 2027 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2028 "[%s] deny %s request, %s mismatch 0x%x\n", 2029 ether_sprintf(wh->i_addr2), 2030 reassoc ? "reassoc" : "assoc", tag, capinfo); 2031 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_CAPINFO); 2032 ieee80211_node_leave(ic, ni); 2033 ic->ic_stats.is_rx_assoc_capmismatch++; 2034 } 2035 2036 void 2037 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 2038 struct ieee80211_node *ni, 2039 int subtype, int rssi, int noise, uint32_t rstamp) 2040 { 2041 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 2042 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 2043 struct ieee80211_frame *wh; 2044 uint8_t *frm, *efrm; 2045 uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap; 2046 int reassoc, resp, allocbs; 2047 uint8_t rate; 2048 2049 wh = mtod(m0, struct ieee80211_frame *); 2050 frm = (uint8_t *)&wh[1]; 2051 efrm = mtod(m0, uint8_t *) + m0->m_len; 2052 switch (subtype) { 2053 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2054 case IEEE80211_FC0_SUBTYPE_BEACON: { 2055 struct ieee80211_scanparams scan; 2056 2057 /* 2058 * We process beacon/probe response frames: 2059 * o when scanning, or 2060 * o station mode when associated (to collect state 2061 * updates such as 802.11g slot time), or 2062 * o adhoc mode (to discover neighbors) 2063 * Frames otherwise received are discarded. 2064 */ 2065 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 2066 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 2067 ic->ic_opmode == IEEE80211_M_IBSS)) { 2068 ic->ic_stats.is_rx_mgtdiscard++; 2069 return; 2070 } 2071 /* 2072 * beacon/probe response frame format 2073 * [8] time stamp 2074 * [2] beacon interval 2075 * [2] capability information 2076 * [tlv] ssid 2077 * [tlv] supported rates 2078 * [tlv] country information 2079 * [tlv] parameter set (FH/DS) 2080 * [tlv] erp information 2081 * [tlv] extended supported rates 2082 * [tlv] WME 2083 * [tlv] WPA or RSN 2084 * [tlv] HT capabilities 2085 * [tlv] HT information 2086 * [tlv] Atheros capabilities 2087 */ 2088 IEEE80211_VERIFY_LENGTH(efrm - frm, 12, return); 2089 memset(&scan, 0, sizeof(scan)); 2090 scan.tstamp = frm; frm += 8; 2091 scan.bintval = le16toh(*(uint16_t *)frm); frm += 2; 2092 scan.capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2093 scan.bchan = IEEE80211_CHAN2IEEE(ic->ic_curchan); 2094 scan.curchan = ic->ic_curchan; 2095 2096 while (efrm - frm > 1) { 2097 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2098 switch (*frm) { 2099 case IEEE80211_ELEMID_SSID: 2100 scan.ssid = frm; 2101 break; 2102 case IEEE80211_ELEMID_RATES: 2103 scan.rates = frm; 2104 break; 2105 case IEEE80211_ELEMID_COUNTRY: 2106 scan.country = frm; 2107 break; 2108 case IEEE80211_ELEMID_FHPARMS: 2109 if (ic->ic_phytype == IEEE80211_T_FH) { 2110 scan.fhdwell = LE_READ_2(&frm[2]); 2111 scan.bchan = IEEE80211_FH_CHAN(frm[4], frm[5]); 2112 scan.fhindex = frm[6]; 2113 } 2114 break; 2115 case IEEE80211_ELEMID_DSPARMS: 2116 /* 2117 * XXX hack this since depending on phytype 2118 * is problematic for multi-mode devices. 2119 */ 2120 if (ic->ic_phytype != IEEE80211_T_FH) 2121 scan.bchan = frm[2]; 2122 break; 2123 case IEEE80211_ELEMID_TIM: 2124 /* XXX ATIM? */ 2125 scan.tim = frm; 2126 scan.timoff = frm - mtod(m0, uint8_t *); 2127 break; 2128 case IEEE80211_ELEMID_IBSSPARMS: 2129 break; 2130 case IEEE80211_ELEMID_XRATES: 2131 scan.xrates = frm; 2132 break; 2133 case IEEE80211_ELEMID_ERP: 2134 if (frm[1] != 1) { 2135 IEEE80211_DISCARD_IE(ic, 2136 IEEE80211_MSG_ELEMID, wh, "ERP", 2137 "bad len %u", frm[1]); 2138 ic->ic_stats.is_rx_elem_toobig++; 2139 break; 2140 } 2141 scan.erp = frm[2]; 2142 break; 2143 case IEEE80211_ELEMID_HTCAP: 2144 scan.htcap = frm; 2145 break; 2146 case IEEE80211_ELEMID_RSN: 2147 scan.rsn = frm; 2148 break; 2149 case IEEE80211_ELEMID_HTINFO: 2150 scan.htinfo = frm; 2151 break; 2152 case IEEE80211_ELEMID_VENDOR: 2153 if (iswpaoui(frm)) 2154 scan.wpa = frm; 2155 else if (iswmeparam(frm) || iswmeinfo(frm)) 2156 scan.wme = frm; 2157 else if (isatherosoui(frm)) 2158 scan.ath = frm; 2159 else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) { 2160 /* 2161 * Accept pre-draft HT ie's if the 2162 * standard ones have not been seen. 2163 */ 2164 if (ishtcapoui(frm)) { 2165 if (scan.htcap == NULL) 2166 scan.htcap = frm; 2167 } else if (ishtinfooui(frm)) { 2168 if (scan.htinfo == NULL) 2169 scan.htcap = frm; 2170 } 2171 } 2172 break; 2173 default: 2174 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 2175 wh, "unhandled", 2176 "id %u, len %u", *frm, frm[1]); 2177 ic->ic_stats.is_rx_elem_unknown++; 2178 break; 2179 } 2180 frm += frm[1] + 2; 2181 } 2182 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 2183 if (scan.xrates != NULL) 2184 IEEE80211_VERIFY_ELEMENT(scan.xrates, 2185 IEEE80211_RATE_MAXSIZE - scan.rates[1]); 2186 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 2187 #if IEEE80211_CHAN_MAX < 255 2188 if (scan.chan > IEEE80211_CHAN_MAX) { 2189 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 2190 wh, ieee80211_mgt_subtype_name[subtype >> 2191 IEEE80211_FC0_SUBTYPE_SHIFT], 2192 "invalid channel %u", scan.chan); 2193 ic->ic_stats.is_rx_badchan++; 2194 return; 2195 } 2196 #endif 2197 if (IEEE80211_CHAN2IEEE(scan.curchan) != scan.bchan && 2198 ic->ic_phytype != IEEE80211_T_FH) { 2199 /* 2200 * Frame was received on a channel different from the 2201 * one indicated in the DS params element id; 2202 * silently discard it. 2203 * 2204 * NB: this can happen due to signal leakage. 2205 * But we should take it for FH phy because 2206 * the rssi value should be correct even for 2207 * different hop pattern in FH. 2208 */ 2209 IEEE80211_DISCARD(ic, 2210 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2211 wh, ieee80211_mgt_subtype_name[subtype >> 2212 IEEE80211_FC0_SUBTYPE_SHIFT], 2213 "for off-channel %u", 2214 IEEE80211_CHAN2IEEE(scan.curchan)); 2215 ic->ic_stats.is_rx_chanmismatch++; 2216 return; 2217 } 2218 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 2219 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 2220 IEEE80211_DISCARD(ic, 2221 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2222 wh, ieee80211_mgt_subtype_name[subtype >> 2223 IEEE80211_FC0_SUBTYPE_SHIFT], 2224 "bogus beacon interval", scan.bintval); 2225 ic->ic_stats.is_rx_badbintval++; 2226 return; 2227 } 2228 /* 2229 * Process HT ie's. This is complicated by our 2230 * accepting both the standard ie's and the pre-draft 2231 * vendor OUI ie's that some vendors still use/require. 2232 */ 2233 if (scan.htcap != NULL) { 2234 IEEE80211_VERIFY_LENGTH(scan.htcap[1], 2235 scan.htcap[0] == IEEE80211_ELEMID_VENDOR ? 2236 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2237 sizeof(struct ieee80211_ie_htcap)-2, 2238 scan.htcap = NULL); 2239 } 2240 if (scan.htinfo != NULL) { 2241 IEEE80211_VERIFY_LENGTH(scan.htinfo[1], 2242 scan.htinfo[0] == IEEE80211_ELEMID_VENDOR ? 2243 4 + sizeof(struct ieee80211_ie_htinfo)-2 : 2244 sizeof(struct ieee80211_ie_htinfo)-2, 2245 scan.htinfo = NULL); 2246 } 2247 2248 /* 2249 * Count frame now that we know it's to be processed. 2250 */ 2251 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2252 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2253 IEEE80211_NODE_STAT(ni, rx_beacons); 2254 } else 2255 IEEE80211_NODE_STAT(ni, rx_proberesp); 2256 2257 /* 2258 * When operating in station mode, check for state updates. 2259 * Be careful to ignore beacons received while doing a 2260 * background scan. We consider only 11g/WMM stuff right now. 2261 */ 2262 if (ic->ic_opmode == IEEE80211_M_STA && 2263 ni->ni_associd != 0 && 2264 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2265 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2266 /* record tsf of last beacon */ 2267 memcpy(ni->ni_tstamp.data, scan.tstamp, 2268 sizeof(ni->ni_tstamp)); 2269 /* count beacon frame for s/w bmiss handling */ 2270 ic->ic_swbmiss_count++; 2271 ic->ic_bmiss_count = 0; 2272 if (ni->ni_erp != scan.erp) { 2273 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2274 "[%s] erp change: was 0x%x, now 0x%x\n", 2275 ether_sprintf(wh->i_addr2), 2276 ni->ni_erp, scan.erp); 2277 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2278 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2279 ic->ic_flags |= IEEE80211_F_USEPROT; 2280 else 2281 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2282 ni->ni_erp = scan.erp; 2283 /* XXX statistic */ 2284 } 2285 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2286 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2287 "[%s] capabilities change: before 0x%x," 2288 " now 0x%x\n", 2289 ether_sprintf(wh->i_addr2), 2290 ni->ni_capinfo, scan.capinfo); 2291 /* 2292 * NB: we assume short preamble doesn't 2293 * change dynamically 2294 */ 2295 ieee80211_set_shortslottime(ic, 2296 IEEE80211_IS_CHAN_A(ic->ic_bsschan) || 2297 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2298 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME) 2299 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME); 2300 /* XXX statistic */ 2301 } 2302 if (scan.wme != NULL && 2303 (ni->ni_flags & IEEE80211_NODE_QOS) && 2304 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2305 ieee80211_wme_updateparams(ic); 2306 if (scan.ath != NULL) 2307 ieee80211_parse_athparams(ni, scan.ath, wh); 2308 if (scan.htcap != NULL) 2309 ieee80211_parse_htcap(ni, scan.htcap); 2310 if (scan.htinfo != NULL) 2311 ieee80211_parse_htinfo(ni, scan.htinfo); 2312 if (scan.tim != NULL) { 2313 struct ieee80211_tim_ie *tim = 2314 (struct ieee80211_tim_ie *) scan.tim; 2315 #if 0 2316 int aid = IEEE80211_AID(ni->ni_associd); 2317 int ix = aid / NBBY; 2318 int min = tim->tim_bitctl &~ 1; 2319 int max = tim->tim_len + min - 4; 2320 if ((tim->tim_bitctl&1) || 2321 (min <= ix && ix <= max && 2322 isset(tim->tim_bitmap - min, aid))) { 2323 /* 2324 * XXX Do not let bg scan kick off 2325 * we are expecting data. 2326 */ 2327 ic->ic_lastdata = ticks; 2328 ieee80211_sta_pwrsave(ic, 0); 2329 } 2330 #endif 2331 ni->ni_dtim_count = tim->tim_count; 2332 ni->ni_dtim_period = tim->tim_period; 2333 } 2334 /* 2335 * If scanning, pass the info to the scan module. 2336 * Otherwise, check if it's the right time to do 2337 * a background scan. Background scanning must 2338 * be enabled and we must not be operating in the 2339 * turbo phase of dynamic turbo mode. Then, 2340 * it's been a while since the last background 2341 * scan and if no data frames have come through 2342 * recently, kick off a scan. Note that this 2343 * is the mechanism by which a background scan 2344 * is started _and_ continued each time we 2345 * return on-channel to receive a beacon from 2346 * our ap. 2347 */ 2348 if (ic->ic_flags & IEEE80211_F_SCAN) { 2349 ieee80211_add_scan(ic, &scan, wh, 2350 subtype, rssi, noise, rstamp); 2351 } else if (contbgscan(ic)) { 2352 ieee80211_bg_scan(ic); 2353 } else if (startbgscan(ic)) { 2354 #if 0 2355 /* wakeup if we are sleeing */ 2356 ieee80211_set_pwrsave(ic, 0); 2357 #endif 2358 ieee80211_bg_scan(ic); 2359 } 2360 return; 2361 } 2362 /* 2363 * If scanning, just pass information to the scan module. 2364 */ 2365 if (ic->ic_flags & IEEE80211_F_SCAN) { 2366 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2367 /* 2368 * Actively scanning a channel marked passive; 2369 * send a probe request now that we know there 2370 * is 802.11 traffic present. 2371 * 2372 * XXX check if the beacon we recv'd gives 2373 * us what we need and suppress the probe req 2374 */ 2375 ieee80211_probe_curchan(ic, 1); 2376 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2377 } 2378 ieee80211_add_scan(ic, &scan, wh, 2379 subtype, rssi, noise, rstamp); 2380 return; 2381 } 2382 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 2383 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2384 /* 2385 * Create a new entry in the neighbor table. 2386 */ 2387 ni = ieee80211_add_neighbor(ic, wh, &scan); 2388 } else if (ni->ni_capinfo == 0) { 2389 /* 2390 * Update faked node created on transmit. 2391 * Note this also updates the tsf. 2392 */ 2393 ieee80211_init_neighbor(ni, wh, &scan); 2394 } else { 2395 /* 2396 * Record tsf for potential resync. 2397 */ 2398 memcpy(ni->ni_tstamp.data, scan.tstamp, 2399 sizeof(ni->ni_tstamp)); 2400 } 2401 if (ni != NULL) { 2402 ni->ni_rssi = rssi; 2403 ni->ni_noise = noise; 2404 ni->ni_rstamp = rstamp; 2405 } 2406 } 2407 break; 2408 } 2409 2410 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2411 if (ic->ic_opmode == IEEE80211_M_STA || 2412 ic->ic_state != IEEE80211_S_RUN) { 2413 ic->ic_stats.is_rx_mgtdiscard++; 2414 return; 2415 } 2416 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2417 /* frame must be directed */ 2418 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2419 return; 2420 } 2421 2422 /* 2423 * prreq frame format 2424 * [tlv] ssid 2425 * [tlv] supported rates 2426 * [tlv] extended supported rates 2427 * [tlv] Atheros capabilities 2428 */ 2429 ssid = rates = xrates = ath = NULL; 2430 while (efrm - frm > 1) { 2431 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2432 switch (*frm) { 2433 case IEEE80211_ELEMID_SSID: 2434 ssid = frm; 2435 break; 2436 case IEEE80211_ELEMID_RATES: 2437 rates = frm; 2438 break; 2439 case IEEE80211_ELEMID_XRATES: 2440 xrates = frm; 2441 break; 2442 case IEEE80211_ELEMID_VENDOR: 2443 if (isatherosoui(frm)) 2444 ath = frm; 2445 break; 2446 } 2447 frm += frm[1] + 2; 2448 } 2449 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2450 if (xrates != NULL) 2451 IEEE80211_VERIFY_ELEMENT(xrates, 2452 IEEE80211_RATE_MAXSIZE - rates[1]); 2453 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2454 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2455 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2456 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2457 wh, ieee80211_mgt_subtype_name[subtype >> 2458 IEEE80211_FC0_SUBTYPE_SHIFT], 2459 "%s", "no ssid with ssid suppression enabled"); 2460 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2461 return; 2462 } 2463 2464 allocbs = 0; 2465 if (ni == ic->ic_bss) { 2466 if (ic->ic_opmode != IEEE80211_M_IBSS) { 2467 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2468 allocbs = 1; 2469 } else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2470 /* 2471 * XXX Cannot tell if the sender is operating 2472 * in ibss mode. But we need a new node to 2473 * send the response so blindly add them to the 2474 * neighbor table. 2475 */ 2476 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2477 wh->i_addr2); 2478 } 2479 if (ni == NULL) 2480 return; 2481 } 2482 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2483 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2484 ni->ni_rssi = rssi; 2485 ni->ni_rstamp = rstamp; 2486 rate = ieee80211_setup_rates(ni, rates, xrates, 2487 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2488 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2489 if (rate & IEEE80211_RATE_BASIC) { 2490 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2491 wh, ieee80211_mgt_subtype_name[subtype >> 2492 IEEE80211_FC0_SUBTYPE_SHIFT], 2493 "%s", "recv'd rate set invalid"); 2494 } else { 2495 IEEE80211_SEND_MGMT(ic, ni, 2496 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2497 } 2498 if (allocbs) { 2499 /* 2500 * Temporary node created just to send a 2501 * response, reclaim immediately. 2502 */ 2503 ieee80211_free_node(ni); 2504 } else if (ath != NULL) 2505 ieee80211_saveath(ni, ath); 2506 break; 2507 2508 case IEEE80211_FC0_SUBTYPE_AUTH: { 2509 uint16_t algo, seq, status; 2510 /* 2511 * auth frame format 2512 * [2] algorithm 2513 * [2] sequence 2514 * [2] status 2515 * [tlv*] challenge 2516 */ 2517 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 2518 algo = le16toh(*(uint16_t *)frm); 2519 seq = le16toh(*(uint16_t *)(frm + 2)); 2520 status = le16toh(*(uint16_t *)(frm + 4)); 2521 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2522 "[%s] recv auth frame with algorithm %d seq %d\n", 2523 ether_sprintf(wh->i_addr2), algo, seq); 2524 /* 2525 * Consult the ACL policy module if setup. 2526 */ 2527 if (ic->ic_acl != NULL && 2528 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2529 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2530 wh, "auth", "%s", "disallowed by ACL"); 2531 ic->ic_stats.is_rx_acl++; 2532 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2533 IEEE80211_SEND_MGMT(ic, ni, 2534 IEEE80211_FC0_SUBTYPE_AUTH, 2535 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2536 } 2537 return; 2538 } 2539 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2540 IEEE80211_DISCARD(ic, 2541 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2542 wh, "auth", "%s", "TKIP countermeasures enabled"); 2543 ic->ic_stats.is_rx_auth_countermeasures++; 2544 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2545 IEEE80211_SEND_MGMT(ic, ni, 2546 IEEE80211_FC0_SUBTYPE_AUTH, 2547 IEEE80211_REASON_MIC_FAILURE); 2548 } 2549 return; 2550 } 2551 if (algo == IEEE80211_AUTH_ALG_SHARED) 2552 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2553 noise, rstamp, seq, status); 2554 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2555 ieee80211_auth_open(ic, wh, ni, rssi, noise, rstamp, 2556 seq, status); 2557 else { 2558 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2559 wh, "auth", "unsupported alg %d", algo); 2560 ic->ic_stats.is_rx_auth_unsupported++; 2561 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2562 /* XXX not right */ 2563 IEEE80211_SEND_MGMT(ic, ni, 2564 IEEE80211_FC0_SUBTYPE_AUTH, 2565 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2566 } 2567 return; 2568 } 2569 break; 2570 } 2571 2572 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2573 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2574 uint16_t capinfo, lintval; 2575 struct ieee80211_rsnparms rsnparms; 2576 uint8_t reason; 2577 int badwparsn; 2578 2579 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2580 ic->ic_state != IEEE80211_S_RUN) { 2581 ic->ic_stats.is_rx_mgtdiscard++; 2582 return; 2583 } 2584 2585 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2586 reassoc = 1; 2587 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2588 } else { 2589 reassoc = 0; 2590 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2591 } 2592 /* 2593 * asreq frame format 2594 * [2] capability information 2595 * [2] listen interval 2596 * [6*] current AP address (reassoc only) 2597 * [tlv] ssid 2598 * [tlv] supported rates 2599 * [tlv] extended supported rates 2600 * [tlv] WPA or RSN 2601 * [tlv] HT capabilities 2602 * [tlv] Atheros capabilities 2603 */ 2604 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return); 2605 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2606 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2607 wh, ieee80211_mgt_subtype_name[subtype >> 2608 IEEE80211_FC0_SUBTYPE_SHIFT], 2609 "%s", "wrong bssid"); 2610 ic->ic_stats.is_rx_assoc_bss++; 2611 return; 2612 } 2613 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2614 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2615 if (reassoc) 2616 frm += 6; /* ignore current AP info */ 2617 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL; 2618 while (efrm - frm > 1) { 2619 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2620 switch (*frm) { 2621 case IEEE80211_ELEMID_SSID: 2622 ssid = frm; 2623 break; 2624 case IEEE80211_ELEMID_RATES: 2625 rates = frm; 2626 break; 2627 case IEEE80211_ELEMID_XRATES: 2628 xrates = frm; 2629 break; 2630 /* XXX verify only one of RSN and WPA ie's? */ 2631 case IEEE80211_ELEMID_RSN: 2632 rsn = frm; 2633 break; 2634 case IEEE80211_ELEMID_HTCAP: 2635 htcap = frm; 2636 break; 2637 case IEEE80211_ELEMID_VENDOR: 2638 if (iswpaoui(frm)) 2639 wpa = frm; 2640 else if (iswmeinfo(frm)) 2641 wme = frm; 2642 else if (isatherosoui(frm)) 2643 ath = frm; 2644 else if (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) { 2645 if (ishtcapoui(frm) && htcap == NULL) 2646 htcap = frm; 2647 } 2648 break; 2649 } 2650 frm += frm[1] + 2; 2651 } 2652 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2653 if (xrates != NULL) 2654 IEEE80211_VERIFY_ELEMENT(xrates, 2655 IEEE80211_RATE_MAXSIZE - rates[1]); 2656 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2657 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2658 if (htcap != NULL) { 2659 IEEE80211_VERIFY_LENGTH(htcap[1], 2660 htcap[0] == IEEE80211_ELEMID_VENDOR ? 2661 4 + sizeof(struct ieee80211_ie_htcap)-2 : 2662 sizeof(struct ieee80211_ie_htcap)-2, 2663 return); /* XXX just NULL out? */ 2664 } 2665 2666 if (ni == ic->ic_bss) { 2667 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2668 "[%s] deny %s request, sta not authenticated\n", 2669 ether_sprintf(wh->i_addr2), 2670 reassoc ? "reassoc" : "assoc"); 2671 ieee80211_send_error(ic, ni, wh->i_addr2, 2672 IEEE80211_FC0_SUBTYPE_DEAUTH, 2673 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2674 ic->ic_stats.is_rx_assoc_notauth++; 2675 return; 2676 } 2677 /* assert right association security credentials */ 2678 badwparsn = 0; 2679 switch (ic->ic_flags & IEEE80211_F_WPA) { 2680 case IEEE80211_F_WPA1: 2681 if (wpa == NULL) 2682 badwparsn = 1; 2683 break; 2684 case IEEE80211_F_WPA2: 2685 if (rsn == NULL) 2686 badwparsn = 1; 2687 break; 2688 case IEEE80211_F_WPA1|IEEE80211_F_WPA2: 2689 if (wpa == NULL && rsn == NULL) 2690 badwparsn = 1; 2691 break; 2692 } 2693 if (badwparsn) { 2694 IEEE80211_DPRINTF(ic, 2695 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2696 "[%s] no WPA/RSN IE in association request\n", 2697 ether_sprintf(wh->i_addr2)); 2698 IEEE80211_SEND_MGMT(ic, ni, 2699 IEEE80211_FC0_SUBTYPE_DEAUTH, 2700 IEEE80211_REASON_RSN_REQUIRED); 2701 ieee80211_node_leave(ic, ni); 2702 ic->ic_stats.is_rx_assoc_badwpaie++; 2703 return; 2704 } 2705 if (wpa != NULL || rsn != NULL) { 2706 /* 2707 * Parse WPA/RSN information element. Note that 2708 * we initialize the param block from the node 2709 * state so that information in the IE overrides 2710 * our defaults. The resulting parameters are 2711 * installed below after the association is assured. 2712 */ 2713 rsnparms = ni->ni_rsn; 2714 if (wpa != NULL) 2715 reason = ieee80211_parse_wpa(ic, wpa, &rsnparms, wh); 2716 else 2717 reason = ieee80211_parse_rsn(ic, rsn, &rsnparms, wh); 2718 if (reason != 0) { 2719 IEEE80211_SEND_MGMT(ic, ni, 2720 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2721 ieee80211_node_leave(ic, ni); 2722 /* XXX distinguish WPA/RSN? */ 2723 ic->ic_stats.is_rx_assoc_badwpaie++; 2724 return; 2725 } 2726 IEEE80211_DPRINTF(ic, 2727 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2728 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2729 ether_sprintf(wh->i_addr2), 2730 wpa != NULL ? "WPA" : "RSN", 2731 rsnparms.rsn_mcastcipher, rsnparms.rsn_mcastkeylen, 2732 rsnparms.rsn_ucastcipher, rsnparms.rsn_ucastkeylen, 2733 rsnparms.rsn_keymgmt, rsnparms.rsn_caps); 2734 } 2735 /* discard challenge after association */ 2736 if (ni->ni_challenge != NULL) { 2737 FREE(ni->ni_challenge, M_80211_NODE); 2738 ni->ni_challenge = NULL; 2739 } 2740 /* NB: 802.11 spec says to ignore station's privacy bit */ 2741 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2742 capinfomismatch(ni, wh, reassoc, resp, 2743 "capability", capinfo); 2744 return; 2745 } 2746 /* 2747 * Disallow re-associate w/ invalid slot time setting. 2748 */ 2749 if (ni->ni_associd != 0 && 2750 IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) && 2751 ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 2752 capinfomismatch(ni, wh, reassoc, resp, 2753 "slot time", capinfo); 2754 return; 2755 } 2756 rate = ieee80211_setup_rates(ni, rates, xrates, 2757 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2758 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2759 if (rate & IEEE80211_RATE_BASIC) { 2760 ratesetmismatch(ni, wh, reassoc, resp, "basic", rate); 2761 return; 2762 } 2763 /* 2764 * If constrained to 11g-only stations reject an 2765 * 11b-only station. We cheat a bit here by looking 2766 * at the max negotiated xmit rate and assuming anyone 2767 * with a best rate <24Mb/s is an 11b station. 2768 */ 2769 if ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48) { 2770 ratesetmismatch(ni, wh, reassoc, resp, "11g", rate); 2771 return; 2772 } 2773 /* XXX enforce PUREN */ 2774 /* 802.11n-specific rateset handling */ 2775 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) && htcap != NULL) { 2776 rate = ieee80211_setup_htrates(ni, htcap, 2777 IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2778 IEEE80211_F_DOBRS); 2779 if (rate & IEEE80211_RATE_BASIC) { 2780 /* XXX 11n-specific stat */ 2781 ratesetmismatch(ni, wh, reassoc, resp, 2782 "HT", rate); 2783 return; 2784 } 2785 ieee80211_ht_node_init(ni, htcap); 2786 } else if (ni->ni_flags & IEEE80211_NODE_HT) 2787 ieee80211_ht_node_cleanup(ni); 2788 ni->ni_rssi = rssi; 2789 ni->ni_noise = noise; 2790 ni->ni_rstamp = rstamp; 2791 ni->ni_intval = lintval; 2792 ni->ni_capinfo = capinfo; 2793 ni->ni_chan = ic->ic_bsschan; 2794 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2795 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2796 if (wpa != NULL) { 2797 /* 2798 * Record WPA parameters for station, mark 2799 * node as using WPA and record information element 2800 * for applications that require it. 2801 */ 2802 ni->ni_rsn = rsnparms; 2803 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2804 } else if (ni->ni_wpa_ie != NULL) { 2805 /* 2806 * Flush any state from a previous association. 2807 */ 2808 FREE(ni->ni_wpa_ie, M_80211_NODE); 2809 ni->ni_wpa_ie = NULL; 2810 } 2811 if (rsn != NULL) { 2812 /* 2813 * Record RSN parameters for station, mark 2814 * node as using WPA and record information element 2815 * for applications that require it. 2816 */ 2817 ni->ni_rsn = rsnparms; 2818 ieee80211_saveie(&ni->ni_rsn_ie, rsn); 2819 } else if (ni->ni_rsn_ie != NULL) { 2820 /* 2821 * Flush any state from a previous association. 2822 */ 2823 FREE(ni->ni_rsn_ie, M_80211_NODE); 2824 ni->ni_rsn_ie = NULL; 2825 } 2826 if (wme != NULL) { 2827 /* 2828 * Record WME parameters for station, mark node 2829 * as capable of QoS and record information 2830 * element for applications that require it. 2831 */ 2832 ieee80211_saveie(&ni->ni_wme_ie, wme); 2833 ni->ni_flags |= IEEE80211_NODE_QOS; 2834 } else if (ni->ni_wme_ie != NULL) { 2835 /* 2836 * Flush any state from a previous association. 2837 */ 2838 FREE(ni->ni_wme_ie, M_80211_NODE); 2839 ni->ni_wme_ie = NULL; 2840 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2841 } 2842 if (ath != NULL) { 2843 /* 2844 * Record ATH parameters for station, mark 2845 * node with appropriate capabilities, and 2846 * record the information element for 2847 * applications that require it. 2848 */ 2849 ieee80211_saveath(ni, ath); 2850 } else if (ni->ni_ath_ie != NULL) { 2851 /* 2852 * Flush any state from a previous association. 2853 */ 2854 FREE(ni->ni_ath_ie, M_80211_NODE); 2855 ni->ni_ath_ie = NULL; 2856 ni->ni_ath_flags = 0; 2857 } 2858 ieee80211_node_join(ic, ni, resp); 2859 ieee80211_deliver_l2uf(ni); 2860 break; 2861 } 2862 2863 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2864 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2865 uint16_t capinfo, associd; 2866 uint16_t status; 2867 2868 if (ic->ic_opmode != IEEE80211_M_STA || 2869 ic->ic_state != IEEE80211_S_ASSOC) { 2870 ic->ic_stats.is_rx_mgtdiscard++; 2871 return; 2872 } 2873 2874 /* 2875 * asresp frame format 2876 * [2] capability information 2877 * [2] status 2878 * [2] association ID 2879 * [tlv] supported rates 2880 * [tlv] extended supported rates 2881 * [tlv] WME 2882 * [tlv] HT capabilities 2883 */ 2884 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 2885 ni = ic->ic_bss; 2886 capinfo = le16toh(*(uint16_t *)frm); 2887 frm += 2; 2888 status = le16toh(*(uint16_t *)frm); 2889 frm += 2; 2890 if (status != 0) { 2891 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2892 "[%s] %sassoc failed (reason %d)\n", 2893 ether_sprintf(wh->i_addr2), 2894 ISREASSOC(subtype) ? "re" : "", status); 2895 if (ni != ic->ic_bss) /* XXX never true? */ 2896 ni->ni_fails++; 2897 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2898 return; 2899 } 2900 associd = le16toh(*(uint16_t *)frm); 2901 frm += 2; 2902 2903 rates = xrates = wme = htcap = NULL; 2904 while (efrm - frm > 1) { 2905 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 2906 switch (*frm) { 2907 case IEEE80211_ELEMID_RATES: 2908 rates = frm; 2909 break; 2910 case IEEE80211_ELEMID_XRATES: 2911 xrates = frm; 2912 break; 2913 case IEEE80211_ELEMID_HTCAP: 2914 htcap = frm; 2915 break; 2916 case IEEE80211_ELEMID_VENDOR: 2917 if (iswmeoui(frm)) 2918 wme = frm; 2919 /* XXX Atheros OUI support */ 2920 break; 2921 } 2922 frm += frm[1] + 2; 2923 } 2924 2925 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2926 if (xrates != NULL) 2927 IEEE80211_VERIFY_ELEMENT(xrates, 2928 IEEE80211_RATE_MAXSIZE - rates[1]); 2929 rate = ieee80211_setup_rates(ni, rates, xrates, 2930 IEEE80211_F_JOIN | 2931 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2932 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2933 if (rate & IEEE80211_RATE_BASIC) { 2934 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2935 "[%s] %sassoc failed (rate set mismatch)\n", 2936 ether_sprintf(wh->i_addr2), 2937 ISREASSOC(subtype) ? "re" : ""); 2938 if (ni != ic->ic_bss) /* XXX never true? */ 2939 ni->ni_fails++; 2940 ic->ic_stats.is_rx_assoc_norate++; 2941 ieee80211_new_state(ic, IEEE80211_S_SCAN, 2942 IEEE80211_SCAN_FAIL_STATUS); 2943 return; 2944 } 2945 2946 ni->ni_capinfo = capinfo; 2947 ni->ni_associd = associd; 2948 if (wme != NULL && 2949 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2950 ni->ni_flags |= IEEE80211_NODE_QOS; 2951 ieee80211_wme_updateparams(ic); 2952 } else 2953 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2954 /* 2955 * Configure state now that we are associated. 2956 * 2957 * XXX may need different/additional driver callbacks? 2958 */ 2959 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) || 2960 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2961 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2962 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2963 } else { 2964 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2965 ic->ic_flags |= IEEE80211_F_USEBARKER; 2966 } 2967 ieee80211_set_shortslottime(ic, 2968 IEEE80211_IS_CHAN_A(ic->ic_curchan) || 2969 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2970 /* 2971 * Honor ERP protection. 2972 * 2973 * NB: ni_erp should zero for non-11g operation. 2974 */ 2975 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2976 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2977 ic->ic_flags |= IEEE80211_F_USEPROT; 2978 else 2979 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2980 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2981 "[%s] %sassoc success: %s preamble, %s slot time%s%s%s%s\n", 2982 ether_sprintf(wh->i_addr2), 2983 ISREASSOC(subtype) ? "re" : "", 2984 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2985 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2986 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2987 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "", 2988 IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_FF) ? 2989 ", fast-frames" : "", 2990 IEEE80211_ATH_CAP(ic, ni, IEEE80211_NODE_TURBOP) ? 2991 ", turbo" : "" 2992 ); 2993 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2994 break; 2995 } 2996 2997 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2998 uint16_t reason; 2999 3000 if (ic->ic_state == IEEE80211_S_SCAN) { 3001 ic->ic_stats.is_rx_mgtdiscard++; 3002 return; 3003 } 3004 /* 3005 * deauth frame format 3006 * [2] reason 3007 */ 3008 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 3009 reason = le16toh(*(uint16_t *)frm); 3010 ic->ic_stats.is_rx_deauth++; 3011 IEEE80211_NODE_STAT(ni, rx_deauth); 3012 3013 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 3014 /* NB: can happen when in promiscuous mode */ 3015 ic->ic_stats.is_rx_mgtdiscard++; 3016 break; 3017 } 3018 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 3019 "[%s] recv deauthenticate (reason %d)\n", 3020 ether_sprintf(ni->ni_macaddr), reason); 3021 switch (ic->ic_opmode) { 3022 case IEEE80211_M_STA: 3023 ieee80211_new_state(ic, IEEE80211_S_AUTH, 3024 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH); 3025 break; 3026 case IEEE80211_M_HOSTAP: 3027 if (ni != ic->ic_bss) 3028 ieee80211_node_leave(ic, ni); 3029 break; 3030 default: 3031 ic->ic_stats.is_rx_mgtdiscard++; 3032 break; 3033 } 3034 break; 3035 } 3036 3037 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 3038 uint16_t reason; 3039 3040 if (ic->ic_state != IEEE80211_S_RUN && 3041 ic->ic_state != IEEE80211_S_ASSOC && 3042 ic->ic_state != IEEE80211_S_AUTH) { 3043 ic->ic_stats.is_rx_mgtdiscard++; 3044 return; 3045 } 3046 /* 3047 * disassoc frame format 3048 * [2] reason 3049 */ 3050 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 3051 reason = le16toh(*(uint16_t *)frm); 3052 ic->ic_stats.is_rx_disassoc++; 3053 IEEE80211_NODE_STAT(ni, rx_disassoc); 3054 3055 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 3056 /* NB: can happen when in promiscuous mode */ 3057 ic->ic_stats.is_rx_mgtdiscard++; 3058 break; 3059 } 3060 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 3061 "[%s] recv disassociate (reason %d)\n", 3062 ether_sprintf(ni->ni_macaddr), reason); 3063 switch (ic->ic_opmode) { 3064 case IEEE80211_M_STA: 3065 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 0); 3066 break; 3067 case IEEE80211_M_HOSTAP: 3068 if (ni != ic->ic_bss) 3069 ieee80211_node_leave(ic, ni); 3070 break; 3071 default: 3072 ic->ic_stats.is_rx_mgtdiscard++; 3073 break; 3074 } 3075 break; 3076 } 3077 3078 case IEEE80211_FC0_SUBTYPE_ACTION: { 3079 const struct ieee80211_action *ia; 3080 3081 if (ic->ic_state != IEEE80211_S_RUN && 3082 ic->ic_state != IEEE80211_S_ASSOC && 3083 ic->ic_state != IEEE80211_S_AUTH) { 3084 ic->ic_stats.is_rx_mgtdiscard++; 3085 return; 3086 } 3087 /* 3088 * action frame format: 3089 * [1] category 3090 * [1] action 3091 * [tlv] parameters 3092 */ 3093 IEEE80211_VERIFY_LENGTH(efrm - frm, 3094 sizeof(struct ieee80211_action), return); 3095 ia = (const struct ieee80211_action *) frm; 3096 3097 ic->ic_stats.is_rx_action++; 3098 IEEE80211_NODE_STAT(ni, rx_action); 3099 3100 /* verify frame payloads but defer processing */ 3101 /* XXX maybe push this to method */ 3102 switch (ia->ia_category) { 3103 case IEEE80211_ACTION_CAT_BA: 3104 switch (ia->ia_action) { 3105 case IEEE80211_ACTION_BA_ADDBA_REQUEST: 3106 IEEE80211_VERIFY_LENGTH(efrm - frm, 3107 sizeof(struct ieee80211_action_ba_addbarequest), 3108 return); 3109 break; 3110 case IEEE80211_ACTION_BA_ADDBA_RESPONSE: 3111 IEEE80211_VERIFY_LENGTH(efrm - frm, 3112 sizeof(struct ieee80211_action_ba_addbaresponse), 3113 return); 3114 break; 3115 case IEEE80211_ACTION_BA_DELBA: 3116 IEEE80211_VERIFY_LENGTH(efrm - frm, 3117 sizeof(struct ieee80211_action_ba_delba), 3118 return); 3119 break; 3120 } 3121 break; 3122 case IEEE80211_ACTION_CAT_HT: 3123 switch (ia->ia_action) { 3124 case IEEE80211_ACTION_HT_TXCHWIDTH: 3125 IEEE80211_VERIFY_LENGTH(efrm - frm, 3126 sizeof(struct ieee80211_action_ht_txchwidth), 3127 return); 3128 break; 3129 } 3130 break; 3131 } 3132 ic->ic_recv_action(ni, frm, efrm); 3133 break; 3134 } 3135 3136 default: 3137 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 3138 wh, "mgt", "subtype 0x%x not handled", subtype); 3139 ic->ic_stats.is_rx_badsubtype++; 3140 break; 3141 } 3142 #undef ISREASSOC 3143 #undef ISPROBE 3144 } 3145 #undef IEEE80211_VERIFY_LENGTH 3146 #undef IEEE80211_VERIFY_ELEMENT 3147 3148 /* 3149 * Process a received ps-poll frame. 3150 */ 3151 static void 3152 ieee80211_recv_pspoll(struct ieee80211com *ic, 3153 struct ieee80211_node *ni, struct mbuf *m0) 3154 { 3155 struct ieee80211_frame_min *wh; 3156 struct mbuf *m; 3157 uint16_t aid; 3158 int qlen; 3159 3160 wh = mtod(m0, struct ieee80211_frame_min *); 3161 if (ni->ni_associd == 0) { 3162 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 3163 (struct ieee80211_frame *) wh, "ps-poll", 3164 "%s", "unassociated station"); 3165 ic->ic_stats.is_ps_unassoc++; 3166 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 3167 IEEE80211_REASON_NOT_ASSOCED); 3168 return; 3169 } 3170 3171 aid = le16toh(*(uint16_t *)wh->i_dur); 3172 if (aid != ni->ni_associd) { 3173 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 3174 (struct ieee80211_frame *) wh, "ps-poll", 3175 "aid mismatch: sta aid 0x%x poll aid 0x%x", 3176 ni->ni_associd, aid); 3177 ic->ic_stats.is_ps_badaid++; 3178 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 3179 IEEE80211_REASON_NOT_ASSOCED); 3180 return; 3181 } 3182 3183 /* Okay, take the first queued packet and put it out... */ 3184 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 3185 if (m == NULL) { 3186 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3187 "[%s] recv ps-poll, but queue empty\n", 3188 ether_sprintf(wh->i_addr2)); 3189 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 3190 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 3191 if (ic->ic_set_tim != NULL) 3192 ic->ic_set_tim(ni, 0); /* just in case */ 3193 return; 3194 } 3195 /* 3196 * If there are more packets, set the more packets bit 3197 * in the packet dispatched to the station; otherwise 3198 * turn off the TIM bit. 3199 */ 3200 if (qlen != 0) { 3201 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3202 "[%s] recv ps-poll, send packet, %u still queued\n", 3203 ether_sprintf(ni->ni_macaddr), qlen); 3204 m->m_flags |= M_MORE_DATA; 3205 } else { 3206 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3207 "[%s] recv ps-poll, send packet, queue empty\n", 3208 ether_sprintf(ni->ni_macaddr)); 3209 if (ic->ic_set_tim != NULL) 3210 ic->ic_set_tim(ni, 0); 3211 } 3212 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 3213 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 3214 } 3215 3216 #ifdef IEEE80211_DEBUG 3217 /* 3218 * Debugging support. 3219 */ 3220 3221 /* 3222 * Return the bssid of a frame. 3223 */ 3224 static const uint8_t * 3225 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 3226 { 3227 if (ic->ic_opmode == IEEE80211_M_STA) 3228 return wh->i_addr2; 3229 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 3230 return wh->i_addr1; 3231 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 3232 return wh->i_addr1; 3233 return wh->i_addr3; 3234 } 3235 3236 void 3237 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 3238 { 3239 char buf[128]; /* XXX */ 3240 va_list ap; 3241 3242 va_start(ap, fmt); 3243 vsnprintf(buf, sizeof(buf), fmt, ap); 3244 va_end(ap); 3245 3246 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 3247 } 3248 3249 void 3250 ieee80211_note_frame(struct ieee80211com *ic, 3251 const struct ieee80211_frame *wh, 3252 const char *fmt, ...) 3253 { 3254 char buf[128]; /* XXX */ 3255 va_list ap; 3256 3257 va_start(ap, fmt); 3258 vsnprintf(buf, sizeof(buf), fmt, ap); 3259 va_end(ap); 3260 if_printf(ic->ic_ifp, "[%s] %s\n", 3261 ether_sprintf(ieee80211_getbssid(ic, wh)), buf); 3262 } 3263 3264 void 3265 ieee80211_note_mac(struct ieee80211com *ic, 3266 const uint8_t mac[IEEE80211_ADDR_LEN], 3267 const char *fmt, ...) 3268 { 3269 char buf[128]; /* XXX */ 3270 va_list ap; 3271 3272 va_start(ap, fmt); 3273 vsnprintf(buf, sizeof(buf), fmt, ap); 3274 va_end(ap); 3275 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf); 3276 } 3277 3278 void 3279 ieee80211_discard_frame(struct ieee80211com *ic, 3280 const struct ieee80211_frame *wh, 3281 const char *type, const char *fmt, ...) 3282 { 3283 va_list ap; 3284 3285 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 3286 ether_sprintf(ieee80211_getbssid(ic, wh))); 3287 if (type != NULL) 3288 printf("%s frame, ", type); 3289 else 3290 printf("frame, "); 3291 va_start(ap, fmt); 3292 vprintf(fmt, ap); 3293 va_end(ap); 3294 printf("\n"); 3295 } 3296 3297 void 3298 ieee80211_discard_ie(struct ieee80211com *ic, 3299 const struct ieee80211_frame *wh, 3300 const char *type, const char *fmt, ...) 3301 { 3302 va_list ap; 3303 3304 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 3305 ether_sprintf(ieee80211_getbssid(ic, wh))); 3306 if (type != NULL) 3307 printf("%s information element, ", type); 3308 else 3309 printf("information element, "); 3310 va_start(ap, fmt); 3311 vprintf(fmt, ap); 3312 va_end(ap); 3313 printf("\n"); 3314 } 3315 3316 void 3317 ieee80211_discard_mac(struct ieee80211com *ic, 3318 const uint8_t mac[IEEE80211_ADDR_LEN], 3319 const char *type, const char *fmt, ...) 3320 { 3321 va_list ap; 3322 3323 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac)); 3324 if (type != NULL) 3325 printf("%s frame, ", type); 3326 else 3327 printf("frame, "); 3328 va_start(ap, fmt); 3329 vprintf(fmt, ap); 3330 va_end(ap); 3331 printf("\n"); 3332 } 3333 #endif /* IEEE80211_DEBUG */ 3334