1 /* $NetBSD: ieee80211_input.c,v 1.35 2004/08/10 00:57:21 dyoung Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.20 2004/04/02 23:35:24 sam Exp $"); 37 #else 38 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.35 2004/08/10 00:57:21 dyoung Exp $"); 39 #endif 40 41 #include "opt_inet.h" 42 43 #ifdef __NetBSD__ 44 #include "bpfilter.h" 45 #endif /* __NetBSD__ */ 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/kernel.h> 52 #include <sys/socket.h> 53 #include <sys/sockio.h> 54 #include <sys/endian.h> 55 #include <sys/errno.h> 56 #ifdef __FreeBSD__ 57 #include <sys/bus.h> 58 #endif 59 #include <sys/proc.h> 60 #include <sys/sysctl.h> 61 62 #ifdef __FreeBSD__ 63 #include <machine/atomic.h> 64 #endif 65 66 #include <net/if.h> 67 #include <net/if_dl.h> 68 #include <net/if_media.h> 69 #include <net/if_arp.h> 70 #ifdef __FreeBSD__ 71 #include <net/ethernet.h> 72 #else 73 #include <net/if_ether.h> 74 #endif 75 #include <net/if_llc.h> 76 77 #include <net80211/ieee80211_var.h> 78 #include <net80211/ieee80211_compat.h> 79 80 #if NBPFILTER > 0 81 #include <net/bpf.h> 82 #endif 83 84 #ifdef INET 85 #include <netinet/in.h> 86 #ifdef __FreeBSD__ 87 #include <netinet/if_ether.h> 88 #else 89 #include <net/if_ether.h> 90 #endif 91 #endif 92 93 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 94 95 static void ieee80211_recv_pspoll(struct ieee80211com *, 96 struct mbuf *, int, u_int32_t); 97 98 #ifdef IEEE80211_DEBUG 99 /* 100 * Decide if a received management frame should be 101 * printed when debugging is enabled. This filters some 102 * of the less interesting frames that come frequently 103 * (e.g. beacons). 104 */ 105 static __inline int 106 doprint(struct ieee80211com *ic, int subtype) 107 { 108 switch (subtype) { 109 case IEEE80211_FC0_SUBTYPE_BEACON: 110 return (ic->ic_state == IEEE80211_S_SCAN); 111 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 112 return (ic->ic_opmode == IEEE80211_M_IBSS); 113 } 114 return 1; 115 } 116 #endif 117 118 /* 119 * Process a received frame. The node associated with the sender 120 * should be supplied. If nothing was found in the node table then 121 * the caller is assumed to supply a reference to ic_bss instead. 122 * The RSSI and a timestamp are also supplied. The RSSI data is used 123 * during AP scanning to select a AP to associate with; it can have 124 * any units so long as values have consistent units and higher values 125 * mean ``better signal''. The receive timestamp is currently not used 126 * by the 802.11 layer. 127 */ 128 void 129 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 130 int rssi, u_int32_t rstamp) 131 { 132 struct ieee80211com *ic = (void *)ifp; 133 struct ieee80211_frame *wh; 134 struct ether_header *eh; 135 struct mbuf *m1; 136 int len; 137 u_int8_t dir, type, subtype; 138 u_int16_t rxseq; 139 ALTQ_DECL(struct altq_pktattr pktattr;) 140 141 IASSERT(ni != NULL, ("null node")); 142 143 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 144 if (m->m_flags & M_HASFCS) { 145 m_adj(m, -IEEE80211_CRC_LEN); 146 m->m_flags &= ~M_HASFCS; 147 } 148 149 /* 150 * In monitor mode, send everything directly to bpf. 151 * Also do not process frames w/o i_addr2 any further. 152 * XXX may want to include the CRC 153 */ 154 if (ic->ic_opmode == IEEE80211_M_MONITOR || 155 m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 156 goto out; 157 158 wh = mtod(m, struct ieee80211_frame *); 159 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 160 IEEE80211_FC0_VERSION_0) { 161 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 162 ("receive packet with wrong version: %x\n", 163 wh->i_fc[0])); 164 ic->ic_stats.is_rx_badversion++; 165 goto err; 166 } 167 168 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 169 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 170 /* 171 * NB: We are not yet prepared to handle control frames, 172 * but permitting drivers to send them to us allows 173 * them to go through bpf tapping at the 802.11 layer. 174 */ 175 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 176 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 177 ("%s: frame too short, len %u\n", 178 __func__, m->m_pkthdr.len)); 179 ic->ic_stats.is_rx_tooshort++; 180 goto out; 181 } 182 if (ic->ic_state != IEEE80211_S_SCAN) { 183 ni->ni_rssi = rssi; 184 ni->ni_rstamp = rstamp; 185 rxseq = ni->ni_rxseq; 186 ni->ni_rxseq = 187 le16toh(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 188 /* TODO: fragment */ 189 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 190 rxseq == ni->ni_rxseq) { 191 /* duplicate, silently discarded */ 192 ic->ic_stats.is_rx_dup++; /* XXX per-station stat */ 193 goto out; 194 } 195 ni->ni_inact = 0; 196 if (ic->ic_opmode == IEEE80211_M_MONITOR) 197 goto out; 198 } 199 200 if (ic->ic_set_tim != NULL && 201 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) 202 && ni->ni_pwrsave == 0) { 203 /* turn on power save mode */ 204 205 if (ifp->if_flags & IFF_DEBUG) 206 printf("%s: power save mode on for %s\n", 207 ifp->if_xname, ether_sprintf(wh->i_addr2)); 208 209 ni->ni_pwrsave = IEEE80211_PS_SLEEP; 210 } 211 if (ic->ic_set_tim != NULL && 212 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) == 0 && 213 ni->ni_pwrsave != 0) { 214 /* turn off power save mode, dequeue stored packets */ 215 216 ni->ni_pwrsave = 0; 217 if (ic->ic_set_tim) 218 ic->ic_set_tim(ic, ni->ni_associd, 0); 219 220 if (ifp->if_flags & IFF_DEBUG) 221 printf("%s: power save mode off for %s\n", 222 ifp->if_xname, ether_sprintf(wh->i_addr2)); 223 224 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 225 struct mbuf *m; 226 IF_DEQUEUE(&ni->ni_savedq, m); 227 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 228 (*ifp->if_start)(ifp); 229 } 230 } 231 232 switch (type) { 233 case IEEE80211_FC0_TYPE_DATA: 234 switch (ic->ic_opmode) { 235 case IEEE80211_M_STA: 236 if (dir != IEEE80211_FC1_DIR_FROMDS) { 237 ic->ic_stats.is_rx_wrongdir++; 238 goto out; 239 } 240 if (ic->ic_state != IEEE80211_S_SCAN && 241 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 242 /* Source address is not our BSS. */ 243 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 244 ("%s: discard frame from SA %s\n", 245 __func__, ether_sprintf(wh->i_addr2))); 246 ic->ic_stats.is_rx_wrongbss++; 247 goto out; 248 } 249 if ((ifp->if_flags & IFF_SIMPLEX) && 250 IEEE80211_IS_MULTICAST(wh->i_addr1) && 251 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 252 /* 253 * In IEEE802.11 network, multicast packet 254 * sent from me is broadcasted from AP. 255 * It should be silently discarded for 256 * SIMPLEX interface. 257 */ 258 ic->ic_stats.is_rx_mcastecho++; 259 goto out; 260 } 261 break; 262 case IEEE80211_M_IBSS: 263 case IEEE80211_M_AHDEMO: 264 if (dir != IEEE80211_FC1_DIR_NODS) { 265 ic->ic_stats.is_rx_wrongdir++; 266 goto out; 267 } 268 if (ic->ic_state != IEEE80211_S_SCAN && 269 !IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid) && 270 !IEEE80211_ADDR_EQ(wh->i_addr3, ifp->if_broadcastaddr)) { 271 /* Destination is not our BSS or broadcast. */ 272 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 273 ("%s: discard data frame to DA %s\n", 274 __func__, ether_sprintf(wh->i_addr3))); 275 ic->ic_stats.is_rx_wrongbss++; 276 goto out; 277 } 278 break; 279 case IEEE80211_M_HOSTAP: 280 if (dir != IEEE80211_FC1_DIR_TODS) { 281 ic->ic_stats.is_rx_wrongdir++; 282 goto out; 283 } 284 if (ic->ic_state != IEEE80211_S_SCAN && 285 !IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_bss->ni_bssid) && 286 !IEEE80211_ADDR_EQ(wh->i_addr1, ifp->if_broadcastaddr)) { 287 /* BSS is not us or broadcast. */ 288 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 289 ("%s: discard data frame to BSS %s\n", 290 __func__, ether_sprintf(wh->i_addr1))); 291 ic->ic_stats.is_rx_wrongbss++; 292 goto out; 293 } 294 /* check if source STA is associated */ 295 if (ni == ic->ic_bss) { 296 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 297 ("%s: data from unknown src %s\n", 298 __func__, ether_sprintf(wh->i_addr2))); 299 /* NB: caller deals with reference */ 300 ni = ieee80211_dup_bss(ic, wh->i_addr2); 301 if (ni != NULL) { 302 IEEE80211_SEND_MGMT(ic, ni, 303 IEEE80211_FC0_SUBTYPE_DEAUTH, 304 IEEE80211_REASON_NOT_AUTHED); 305 } 306 ic->ic_stats.is_rx_notassoc++; 307 goto err; 308 } 309 if (ni->ni_associd == 0) { 310 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 311 ("%s: data from unassoc src %s\n", 312 __func__, ether_sprintf(wh->i_addr2))); 313 IEEE80211_SEND_MGMT(ic, ni, 314 IEEE80211_FC0_SUBTYPE_DISASSOC, 315 IEEE80211_REASON_NOT_ASSOCED); 316 ic->ic_stats.is_rx_notassoc++; 317 goto err; 318 } 319 break; 320 case IEEE80211_M_MONITOR: 321 break; 322 } 323 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 324 if (ic->ic_flags & IEEE80211_F_PRIVACY) { 325 m = ieee80211_wep_crypt(ifp, m, 0); 326 if (m == NULL) { 327 ic->ic_stats.is_rx_wepfail++; 328 goto err; 329 } 330 wh = mtod(m, struct ieee80211_frame *); 331 } else { 332 ic->ic_stats.is_rx_nowep++; 333 goto out; 334 } 335 } 336 #if NBPFILTER > 0 337 /* copy to listener after decrypt */ 338 if (ic->ic_rawbpf) 339 bpf_mtap(ic->ic_rawbpf, m); 340 #endif 341 m = ieee80211_decap(ifp, m); 342 if (m == NULL) { 343 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 344 ("%s: decapsulation error for src %s\n", 345 __func__, ether_sprintf(wh->i_addr2))); 346 ic->ic_stats.is_rx_decap++; 347 goto err; 348 } 349 ifp->if_ipackets++; 350 351 /* perform as a bridge within the AP */ 352 m1 = NULL; 353 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 354 eh = mtod(m, struct ether_header *); 355 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 356 m1 = m_copypacket(m, M_DONTWAIT); 357 if (m1 == NULL) 358 ifp->if_oerrors++; 359 else 360 m1->m_flags |= M_MCAST; 361 } else { 362 ni = ieee80211_find_node(ic, eh->ether_dhost); 363 if (ni != NULL) { 364 if (ni->ni_associd != 0) { 365 m1 = m; 366 m = NULL; 367 } 368 } 369 } 370 if (m1 != NULL) { 371 #ifdef ALTQ 372 if (ALTQ_IS_ENABLED(&ifp->if_snd)) 373 altq_etherclassify(&ifp->if_snd, m1, 374 &pktattr); 375 #endif 376 len = m1->m_pkthdr.len; 377 IF_ENQUEUE(&ifp->if_snd, m1); 378 if (m != NULL) 379 ifp->if_omcasts++; 380 ifp->if_obytes += len; 381 } 382 } 383 if (m != NULL) { 384 #if NBPFILTER > 0 385 /* 386 * If we forward packet into transmitter of the AP, 387 * we don't need to duplicate for DLT_EN10MB. 388 */ 389 if (ifp->if_bpf && m1 == NULL) 390 bpf_mtap(ifp->if_bpf, m); 391 #endif 392 (*ifp->if_input)(ifp, m); 393 } 394 return; 395 396 case IEEE80211_FC0_TYPE_MGT: 397 if (dir != IEEE80211_FC1_DIR_NODS) { 398 ic->ic_stats.is_rx_wrongdir++; 399 goto err; 400 } 401 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 402 ic->ic_stats.is_rx_ahdemo_mgt++; 403 goto out; 404 } 405 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 406 407 /* drop frames without interest */ 408 if (ic->ic_state == IEEE80211_S_SCAN) { 409 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 410 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 411 ic->ic_stats.is_rx_mgtdiscard++; 412 goto out; 413 } 414 } 415 416 #ifdef IEEE80211_DEBUG 417 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 418 ieee80211_msg_dumppkts(ic)) { 419 if_printf(ifp, "received %s from %s rssi %d\n", 420 ieee80211_mgt_subtype_name[subtype 421 >> IEEE80211_FC0_SUBTYPE_SHIFT], 422 ether_sprintf(wh->i_addr2), rssi); 423 } 424 #endif 425 #if NBPFILTER > 0 426 if (ic->ic_rawbpf) 427 bpf_mtap(ic->ic_rawbpf, m); 428 #endif 429 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 430 m_freem(m); 431 return; 432 433 case IEEE80211_FC0_TYPE_CTL: 434 ic->ic_stats.is_rx_ctl++; 435 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 436 goto out; 437 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 438 if (subtype == IEEE80211_FC0_SUBTYPE_PS_POLL) { 439 /* XXX statistic */ 440 /* Dump out a single packet from the host */ 441 if (ifp->if_flags & IFF_DEBUG) 442 printf("%s: got power save probe from %s\n", 443 ifp->if_xname, 444 ether_sprintf(wh->i_addr2)); 445 ieee80211_recv_pspoll(ic, m, rssi, rstamp); 446 } 447 goto out; 448 default: 449 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 450 ("%s: bad frame type %x\n", __func__, type)); 451 /* should not come here */ 452 break; 453 } 454 err: 455 ifp->if_ierrors++; 456 out: 457 if (m != NULL) { 458 #if NBPFILTER > 0 459 if (ic->ic_rawbpf) 460 bpf_mtap(ic->ic_rawbpf, m); 461 #endif 462 m_freem(m); 463 } 464 } 465 466 struct mbuf * 467 ieee80211_decap(struct ifnet *ifp, struct mbuf *m) 468 { 469 struct ether_header *eh; 470 struct ieee80211_frame wh; 471 struct llc *llc; 472 473 if (m->m_len < sizeof(wh) + sizeof(*llc)) { 474 m = m_pullup(m, sizeof(wh) + sizeof(*llc)); 475 if (m == NULL) 476 return NULL; 477 } 478 memcpy(&wh, mtod(m, caddr_t), sizeof(wh)); 479 llc = (struct llc *)(mtod(m, caddr_t) + sizeof(wh)); 480 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 481 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 482 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 483 m_adj(m, sizeof(wh) + sizeof(struct llc) - sizeof(*eh)); 484 llc = NULL; 485 } else { 486 m_adj(m, sizeof(wh) - sizeof(*eh)); 487 } 488 eh = mtod(m, struct ether_header *); 489 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 490 case IEEE80211_FC1_DIR_NODS: 491 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 492 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 493 break; 494 case IEEE80211_FC1_DIR_TODS: 495 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 496 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 497 break; 498 case IEEE80211_FC1_DIR_FROMDS: 499 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 500 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 501 break; 502 case IEEE80211_FC1_DIR_DSTODS: 503 /* not yet supported */ 504 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 505 ("%s: discard DS to DS frame\n", __func__)); 506 m_freem(m); 507 return NULL; 508 } 509 #ifdef ALIGNED_POINTER 510 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 511 struct mbuf *n, *n0, **np; 512 caddr_t newdata; 513 int off, pktlen; 514 515 n0 = NULL; 516 np = &n0; 517 off = 0; 518 pktlen = m->m_pkthdr.len; 519 while (pktlen > off) { 520 if (n0 == NULL) { 521 MGETHDR(n, M_DONTWAIT, MT_DATA); 522 if (n == NULL) { 523 m_freem(m); 524 return NULL; 525 } 526 #ifdef __FreeBSD__ 527 M_MOVE_PKTHDR(n, m); 528 #else 529 M_COPY_PKTHDR(n, m); 530 #endif 531 n->m_len = MHLEN; 532 } else { 533 MGET(n, M_DONTWAIT, MT_DATA); 534 if (n == NULL) { 535 m_freem(m); 536 m_freem(n0); 537 return NULL; 538 } 539 n->m_len = MLEN; 540 } 541 if (pktlen - off >= MINCLSIZE) { 542 MCLGET(n, M_DONTWAIT); 543 if (n->m_flags & M_EXT) 544 n->m_len = n->m_ext.ext_size; 545 } 546 if (n0 == NULL) { 547 newdata = 548 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 549 sizeof(*eh); 550 n->m_len -= newdata - n->m_data; 551 n->m_data = newdata; 552 } 553 if (n->m_len > pktlen - off) 554 n->m_len = pktlen - off; 555 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 556 off += n->m_len; 557 *np = n; 558 np = &n->m_next; 559 } 560 m_freem(m); 561 m = n0; 562 } 563 #endif /* ALIGNED_POINTER */ 564 if (llc != NULL) { 565 eh = mtod(m, struct ether_header *); 566 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 567 } 568 return m; 569 } 570 571 /* 572 * Install received rate set information in the node's state block. 573 */ 574 static int 575 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 576 u_int8_t *rates, u_int8_t *xrates, int flags) 577 { 578 struct ieee80211_rateset *rs = &ni->ni_rates; 579 580 memset(rs, 0, sizeof(*rs)); 581 rs->rs_nrates = rates[1]; 582 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 583 if (xrates != NULL) { 584 u_int8_t nxrates; 585 /* 586 * Tack on 11g extended supported rate element. 587 */ 588 nxrates = xrates[1]; 589 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 590 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 591 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 592 ("%s: extended rate set too large;" 593 " only using %u of %u rates\n", 594 __func__, nxrates, xrates[1])); 595 ic->ic_stats.is_rx_rstoobig++; 596 } 597 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 598 rs->rs_nrates += nxrates; 599 } 600 return ieee80211_fix_rate(ic, ni, flags); 601 } 602 603 /* Verify the existence and length of __elem or get out. */ 604 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 605 if ((__elem) == NULL) { \ 606 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 607 ("%s: no " #__elem "in %s frame\n", \ 608 __func__, ieee80211_mgt_subtype_name[subtype >> \ 609 IEEE80211_FC0_SUBTYPE_SHIFT])); \ 610 ic->ic_stats.is_rx_elem_missing++; \ 611 return; \ 612 } \ 613 if ((__elem)[1] > (__maxlen)) { \ 614 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 615 ("%s: bad " #__elem " len %d in %s frame from %s\n",\ 616 __func__, (__elem)[1], \ 617 ieee80211_mgt_subtype_name[subtype >> \ 618 IEEE80211_FC0_SUBTYPE_SHIFT], \ 619 ether_sprintf(wh->i_addr2))); \ 620 ic->ic_stats.is_rx_elem_toobig++; \ 621 return; \ 622 } \ 623 } while (0) 624 625 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 626 if ((_len) < (_minlen)) { \ 627 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 628 ("%s: %s frame too short from %s\n", \ 629 __func__, \ 630 ieee80211_mgt_subtype_name[subtype >> \ 631 IEEE80211_FC0_SUBTYPE_SHIFT], \ 632 ether_sprintf(wh->i_addr2))); \ 633 ic->ic_stats.is_rx_elem_toosmall++; \ 634 return; \ 635 } \ 636 } while (0) 637 638 #ifdef IEEE80211_DEBUG 639 static void 640 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 641 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 642 { 643 printf("[%s] %s req ssid mismatch: ", ether_sprintf(mac), tag); 644 ieee80211_print_essid(ssid + 2, ssid[1]); 645 printf("\n"); 646 } 647 648 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 649 if ((_ssid)[1] != 0 && \ 650 ((_ssid)[1] != (_ni)->ni_esslen || \ 651 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 652 if (ieee80211_msg_input(ic)) \ 653 ieee80211_ssid_mismatch(ic, _packet_type, \ 654 wh->i_addr2, _ssid); \ 655 ic->ic_stats.is_rx_ssidmismatch++; \ 656 return; \ 657 } \ 658 } while (0) 659 #else /* !IEEE80211_DEBUG */ 660 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 661 if ((_ssid)[1] != 0 && \ 662 ((_ssid)[1] != (_ni)->ni_esslen || \ 663 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 664 ic->ic_stats.is_rx_ssidmismatch++; \ 665 return; \ 666 } \ 667 } while (0) 668 #endif /* !IEEE80211_DEBUG */ 669 670 static void 671 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 672 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 673 u_int16_t status) 674 { 675 switch (ic->ic_opmode) { 676 case IEEE80211_M_IBSS: 677 if (ic->ic_state != IEEE80211_S_RUN || 678 seq != IEEE80211_AUTH_OPEN_REQUEST) { 679 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 680 ("%s: discard auth from %s; state %u, seq %u\n", 681 __func__, ether_sprintf(wh->i_addr2), 682 ic->ic_state, seq)); 683 ic->ic_stats.is_rx_bad_auth++; 684 return; 685 } 686 ieee80211_new_state(ic, IEEE80211_S_AUTH, 687 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 688 break; 689 690 case IEEE80211_M_AHDEMO: 691 /* should not come here */ 692 break; 693 694 case IEEE80211_M_HOSTAP: 695 if (ic->ic_state != IEEE80211_S_RUN || 696 seq != IEEE80211_AUTH_OPEN_REQUEST) { 697 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 698 ("%s: discard auth from %s; state %u, seq %u\n", 699 __func__, ether_sprintf(wh->i_addr2), 700 ic->ic_state, seq)); 701 ic->ic_stats.is_rx_bad_auth++; 702 return; 703 } 704 if (ni == ic->ic_bss) { 705 ni = ieee80211_alloc_node(ic, wh->i_addr2); 706 if (ni == NULL) { 707 ic->ic_stats.is_rx_nodealloc++; 708 return; 709 } 710 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 711 ni->ni_rssi = rssi; 712 ni->ni_rstamp = rstamp; 713 ni->ni_chan = ic->ic_bss->ni_chan; 714 } 715 IEEE80211_SEND_MGMT(ic, ni, 716 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 717 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 718 ("station %s %s authenticated (open)\n", 719 ether_sprintf(ni->ni_macaddr), 720 ((ni->ni_state != IEEE80211_STA_CACHE) 721 ? "newly" : "already"))); 722 ieee80211_node_newstate(ni, IEEE80211_STA_AUTH); 723 break; 724 725 case IEEE80211_M_STA: 726 if (ic->ic_state != IEEE80211_S_AUTH || 727 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 728 ic->ic_stats.is_rx_bad_auth++; 729 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 730 ("%s: discard auth from %s; state %u, seq %u\n", 731 __func__, ether_sprintf(wh->i_addr2), 732 ic->ic_state, seq)); 733 return; 734 } 735 if (status != 0) { 736 IEEE80211_DPRINTF(ic, 737 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 738 ("open authentication failed (reason %d) for %s\n", 739 status, 740 ether_sprintf(wh->i_addr3))); 741 if (ni != ic->ic_bss) 742 ni->ni_fails++; 743 ic->ic_stats.is_rx_auth_fail++; 744 return; 745 } 746 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 747 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 748 break; 749 case IEEE80211_M_MONITOR: 750 break; 751 } 752 } 753 754 /* TBD send appropriate responses on error? */ 755 static void 756 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 757 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 758 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 759 { 760 u_int8_t *challenge = NULL; 761 int i; 762 763 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 764 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 765 ("%s: WEP is off\n", __func__)); 766 return; 767 } 768 769 if (frm + 1 < efrm) { 770 if (frm[1] + 2 > efrm - frm) { 771 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 772 ("%s: elt %d %d bytes too long\n", __func__, 773 frm[0], (frm[1] + 2) - (int)(efrm - frm))); 774 ic->ic_stats.is_rx_bad_auth++; 775 return; 776 } 777 if (*frm == IEEE80211_ELEMID_CHALLENGE) 778 challenge = frm; 779 frm += frm[1] + 2; 780 } 781 switch (seq) { 782 case IEEE80211_AUTH_SHARED_CHALLENGE: 783 case IEEE80211_AUTH_SHARED_RESPONSE: 784 if (challenge == NULL) { 785 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 786 ("%s: no challenge sent\n", __func__)); 787 ic->ic_stats.is_rx_bad_auth++; 788 return; 789 } 790 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 791 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 792 ("%s: bad challenge len %d\n", 793 __func__, challenge[1])); 794 ic->ic_stats.is_rx_bad_auth++; 795 return; 796 } 797 default: 798 break; 799 } 800 switch (ic->ic_opmode) { 801 case IEEE80211_M_MONITOR: 802 case IEEE80211_M_AHDEMO: 803 case IEEE80211_M_IBSS: 804 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 805 ("%s: unexpected operating mode\n", __func__)); 806 return; 807 case IEEE80211_M_HOSTAP: 808 if (ic->ic_state != IEEE80211_S_RUN) { 809 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 810 ("%s: not running\n", __func__)); 811 return; 812 } 813 switch (seq) { 814 case IEEE80211_AUTH_SHARED_REQUEST: 815 if (ni == ic->ic_bss) { 816 ni = ieee80211_alloc_node(ic, wh->i_addr2); 817 if (ni == NULL) { 818 ic->ic_stats.is_rx_nodealloc++; 819 return; 820 } 821 IEEE80211_ADDR_COPY(ni->ni_bssid, 822 ic->ic_bss->ni_bssid); 823 ni->ni_rssi = rssi; 824 ni->ni_rstamp = rstamp; 825 ni->ni_chan = ic->ic_bss->ni_chan; 826 } 827 if (ni->ni_challenge == NULL) 828 ni->ni_challenge = (u_int32_t*)malloc( 829 IEEE80211_CHALLENGE_LEN, M_DEVBUF, 830 M_NOWAIT); 831 if (ni->ni_challenge == NULL) { 832 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 833 ("%s: challenge alloc failed\n", 834 __func__)); 835 /* XXX statistic */ 836 return; 837 } 838 for (i = IEEE80211_CHALLENGE_LEN / sizeof(u_int32_t); 839 --i >= 0; ) 840 ni->ni_challenge[i] = arc4random(); 841 IEEE80211_DPRINTF(ic, 842 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 843 ("shared key %sauth request from station %s\n", 844 ((ni->ni_state != IEEE80211_STA_CACHE) 845 ? "" : "re"), 846 ether_sprintf(ni->ni_macaddr))); 847 break; 848 case IEEE80211_AUTH_SHARED_RESPONSE: 849 if (ni == ic->ic_bss) { 850 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 851 ("%s: unknown STA\n", __func__)); 852 return; 853 } 854 if (ni->ni_challenge == NULL) { 855 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 856 ("%s: no challenge recorded\n", 857 __func__)); 858 ic->ic_stats.is_rx_bad_auth++; 859 return; 860 } 861 if (memcmp(ni->ni_challenge, &challenge[2], 862 challenge[1]) != 0) { 863 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 864 ("%s: challenge mismatch\n", __func__)); 865 ic->ic_stats.is_rx_auth_fail++; 866 return; 867 } 868 IEEE80211_DPRINTF(ic, 869 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 870 ("station %s authenticated (shared key)\n", 871 ether_sprintf(ni->ni_macaddr))); 872 ieee80211_node_newstate(ni, IEEE80211_STA_AUTH); 873 break; 874 default: 875 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 876 ("%s: bad shared key auth seq %d from %s\n", 877 __func__, seq, ether_sprintf(wh->i_addr2))); 878 ic->ic_stats.is_rx_bad_auth++; 879 return; 880 } 881 IEEE80211_SEND_MGMT(ic, ni, 882 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 883 break; 884 885 case IEEE80211_M_STA: 886 if (ic->ic_state != IEEE80211_S_AUTH) 887 return; 888 switch (seq) { 889 case IEEE80211_AUTH_SHARED_PASS: 890 if (ni->ni_challenge != NULL) { 891 FREE(ni->ni_challenge, M_DEVBUF); 892 ni->ni_challenge = NULL; 893 } 894 if (status != 0) { 895 IEEE80211_DPRINTF(ic, 896 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 897 ("%s: auth failed (reason %d) for %s\n", 898 __func__, status, 899 ether_sprintf(wh->i_addr3))); 900 if (ni != ic->ic_bss) 901 ni->ni_fails++; 902 ic->ic_stats.is_rx_auth_fail++; 903 return; 904 } 905 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 906 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 907 break; 908 case IEEE80211_AUTH_SHARED_CHALLENGE: 909 if (ni->ni_challenge == NULL) 910 ni->ni_challenge = (u_int32_t*)malloc( 911 challenge[1], M_DEVBUF, M_NOWAIT); 912 if (ni->ni_challenge == NULL) { 913 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 914 ("%s: challenge alloc failed\n", __func__)); 915 /* XXX statistic */ 916 return; 917 } 918 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 919 IEEE80211_SEND_MGMT(ic, ni, 920 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 921 break; 922 default: 923 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 924 ("%s: bad seq %d from %s\n", __func__, seq, 925 ether_sprintf(wh->i_addr2))); 926 ic->ic_stats.is_rx_bad_auth++; 927 return; 928 } 929 break; 930 } 931 } 932 933 void 934 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 935 struct ieee80211_node *ni, 936 int subtype, int rssi, u_int32_t rstamp) 937 { 938 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 939 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 940 struct ieee80211_frame *wh; 941 u_int8_t *frm, *efrm; 942 u_int8_t *ssid, *rates, *xrates; 943 int is_new, reassoc, resp; 944 945 wh = mtod(m0, struct ieee80211_frame *); 946 frm = (u_int8_t *)&wh[1]; 947 efrm = mtod(m0, u_int8_t *) + m0->m_len; 948 switch (subtype) { 949 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 950 case IEEE80211_FC0_SUBTYPE_BEACON: { 951 u_int8_t *tstamp, *bintval, *capinfo, *country; 952 u_int8_t chan, bchan, fhindex, erp; 953 u_int16_t fhdwell; 954 955 /* 956 * We process beacon/probe response frames for: 957 * o station mode: to collect state 958 * updates such as 802.11g slot time and for passive 959 * scanning of APs 960 * o adhoc mode: to discover neighbors 961 * o hostap mode: for passive scanning of neighbor APs 962 * o when scanning 963 * In other words, in all modes other than monitor (which 964 * does not process incoming packets) and adhoc-demo (which 965 * does not use management frames at all). 966 */ 967 #ifdef DIAGNOSTIC 968 if (ic->ic_opmode != IEEE80211_M_STA && 969 ic->ic_opmode != IEEE80211_M_IBSS && 970 ic->ic_opmode != IEEE80211_M_HOSTAP && 971 ic->ic_state != IEEE80211_S_SCAN) { 972 panic("%s: impossible", __func__); 973 } 974 #endif 975 /* 976 * beacon/probe response frame format 977 * [8] time stamp 978 * [2] beacon interval 979 * [2] capability information 980 * [tlv] ssid 981 * [tlv] supported rates 982 * [tlv] country information 983 * [tlv] parameter set (FH/DS) 984 * [tlv] erp information 985 * [tlv] extended supported rates 986 */ 987 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 988 tstamp = frm; frm += 8; 989 bintval = frm; frm += 2; 990 capinfo = frm; frm += 2; 991 ssid = rates = xrates = country = NULL; 992 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 993 chan = bchan; 994 fhdwell = 0; 995 fhindex = 0; 996 erp = 0; 997 while (frm < efrm) { 998 switch (*frm) { 999 case IEEE80211_ELEMID_SSID: 1000 ssid = frm; 1001 break; 1002 case IEEE80211_ELEMID_RATES: 1003 rates = frm; 1004 break; 1005 case IEEE80211_ELEMID_COUNTRY: 1006 country = frm; 1007 break; 1008 case IEEE80211_ELEMID_FHPARMS: 1009 if (ic->ic_phytype == IEEE80211_T_FH) { 1010 fhdwell = (frm[3] << 8) | frm[2]; 1011 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1012 fhindex = frm[6]; 1013 } 1014 break; 1015 case IEEE80211_ELEMID_DSPARMS: 1016 /* 1017 * XXX hack this since depending on phytype 1018 * is problematic for multi-mode devices. 1019 */ 1020 if (ic->ic_phytype != IEEE80211_T_FH) 1021 chan = frm[2]; 1022 break; 1023 case IEEE80211_ELEMID_TIM: 1024 break; 1025 case IEEE80211_ELEMID_IBSSPARMS: 1026 break; 1027 case IEEE80211_ELEMID_XRATES: 1028 xrates = frm; 1029 break; 1030 case IEEE80211_ELEMID_ERP: 1031 if (frm[1] != 1) { 1032 IEEE80211_DPRINTF(ic, 1033 IEEE80211_MSG_ELEMID, 1034 ("%s: invalid ERP element; " 1035 "length %u, expecting 1\n", 1036 __func__, frm[1])); 1037 ic->ic_stats.is_rx_elem_toobig++; 1038 break; 1039 } 1040 erp = frm[2]; 1041 break; 1042 default: 1043 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1044 ("%s: element id %u/len %u ignored\n", 1045 __func__, *frm, frm[1])); 1046 ic->ic_stats.is_rx_elem_unknown++; 1047 break; 1048 } 1049 frm += frm[1] + 2; 1050 } 1051 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1052 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1053 if ( 1054 #if IEEE80211_CHAN_MAX < 255 1055 chan > IEEE80211_CHAN_MAX || 1056 #endif 1057 isclr(ic->ic_chan_active, chan)) { 1058 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1059 ("%s: ignore %s with invalid channel %u\n", 1060 __func__, 1061 ISPROBE(subtype) ? "probe response" : "beacon", 1062 chan)); 1063 ic->ic_stats.is_rx_badchan++; 1064 return; 1065 } 1066 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1067 /* 1068 * Frame was received on a channel different from the 1069 * one indicated in the DS params element id; 1070 * silently discard it. 1071 * 1072 * NB: this can happen due to signal leakage. 1073 * But we should take it for FH phy because 1074 * the rssi value should be correct even for 1075 * different hop pattern in FH. 1076 */ 1077 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1078 ("%s: ignore %s on channel %u marked " 1079 "for channel %u\n", __func__, 1080 ISPROBE(subtype) ? "probe response" : "beacon", 1081 bchan, chan)); 1082 ic->ic_stats.is_rx_chanmismatch++; 1083 return; 1084 } 1085 1086 /* 1087 * Use mac and channel for lookup so we collect all 1088 * potential AP's when scanning. Otherwise we may 1089 * see the same AP on multiple channels and will only 1090 * record the last one. We could filter APs here based 1091 * on rssi, etc. but leave that to the end of the scan 1092 * so we can keep the selection criteria in one spot. 1093 * This may result in a bloat of the scanned AP list but 1094 * it shouldn't be too much. 1095 */ 1096 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1097 &ic->ic_channels[chan], ssid); 1098 #ifdef IEEE80211_DEBUG 1099 if (ieee80211_debug && 1100 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1101 printf("%s: %s%s on chan %u (bss chan %u) ", 1102 __func__, (ni == NULL ? "new " : ""), 1103 ISPROBE(subtype) ? "probe response" : "beacon", 1104 chan, bchan); 1105 ieee80211_print_essid(ssid + 2, ssid[1]); 1106 printf(" from %s\n", ether_sprintf(wh->i_addr2)); 1107 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1108 __func__, le16toh(*(u_int16_t *)capinfo), 1109 le16toh(*(u_int16_t *)bintval), erp); 1110 if (country) { 1111 int i; 1112 printf("%s: country info", __func__); 1113 for (i = 0; i < country[1]; i++) 1114 printf(" %02x", country[i+2]); 1115 printf("\n"); 1116 } 1117 } 1118 #endif 1119 if (ni == NULL) { 1120 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1121 if (ni == NULL) 1122 return; 1123 is_new = 1; 1124 } else 1125 is_new = 0; 1126 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1127 /* 1128 * Update ESSID at probe response to adopt hidden AP by 1129 * Lucent/Cisco, which announces null ESSID in beacon. 1130 */ 1131 ni->ni_esslen = ssid[1]; 1132 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1133 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1134 } 1135 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1136 ni->ni_rssi = rssi; 1137 ni->ni_rstamp = rstamp; 1138 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1139 ni->ni_intval = le16toh(*(u_int16_t *)bintval); 1140 ni->ni_capinfo = le16toh(*(u_int16_t *)capinfo); 1141 /* XXX validate channel # */ 1142 ni->ni_chan = &ic->ic_channels[chan]; 1143 ni->ni_fhdwell = fhdwell; 1144 ni->ni_fhindex = fhindex; 1145 ni->ni_erp = erp; 1146 /* NB: must be after ni_chan is setup */ 1147 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1148 /* 1149 * When scanning we record results (nodes) with a zero 1150 * refcnt. Otherwise we want to hold the reference for 1151 * ibss neighbors so the nodes don't get released prematurely. 1152 * Anything else can be discarded (XXX and should be handled 1153 * above so we don't do so much work). 1154 */ 1155 if (ic->ic_opmode == IEEE80211_M_IBSS || (is_new && 1156 ISPROBE(subtype))) { 1157 /* 1158 * Fake an association so the driver can setup it's 1159 * private state. The rate set has been setup above; 1160 * there is no handshake as in ap/station operation. 1161 */ 1162 if (ic->ic_newassoc) 1163 (*ic->ic_newassoc)(ic, ni, 1); 1164 } 1165 break; 1166 } 1167 1168 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 1169 u_int8_t rate; 1170 1171 if (ic->ic_opmode == IEEE80211_M_STA) 1172 return; 1173 if (ic->ic_state != IEEE80211_S_RUN) 1174 return; 1175 1176 /* 1177 * prreq frame format 1178 * [tlv] ssid 1179 * [tlv] supported rates 1180 * [tlv] extended supported rates 1181 */ 1182 ssid = rates = xrates = NULL; 1183 while (frm < efrm) { 1184 switch (*frm) { 1185 case IEEE80211_ELEMID_SSID: 1186 ssid = frm; 1187 break; 1188 case IEEE80211_ELEMID_RATES: 1189 rates = frm; 1190 break; 1191 case IEEE80211_ELEMID_XRATES: 1192 xrates = frm; 1193 break; 1194 } 1195 frm += frm[1] + 2; 1196 } 1197 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1198 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1199 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, "probe"); 1200 1201 if (ni == ic->ic_bss) { 1202 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1203 if (ni == NULL) 1204 return; 1205 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1206 ("%s: new probe req from %s\n", 1207 __func__, ether_sprintf(wh->i_addr2))); 1208 } 1209 ni->ni_rssi = rssi; 1210 ni->ni_rstamp = rstamp; 1211 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1212 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 1213 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1214 if (rate & IEEE80211_RATE_BASIC) { 1215 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 1216 ("%s: rate negotiation failed: %s\n", 1217 __func__,ether_sprintf(wh->i_addr2))); 1218 } else { 1219 IEEE80211_SEND_MGMT(ic, ni, 1220 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1221 } 1222 break; 1223 } 1224 1225 case IEEE80211_FC0_SUBTYPE_AUTH: { 1226 u_int16_t algo, seq, status; 1227 /* 1228 * auth frame format 1229 * [2] algorithm 1230 * [2] sequence 1231 * [2] status 1232 * [tlv*] challenge 1233 */ 1234 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1235 algo = le16toh(*(u_int16_t *)frm); 1236 seq = le16toh(*(u_int16_t *)(frm + 2)); 1237 status = le16toh(*(u_int16_t *)(frm + 4)); 1238 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1239 ("%s: algorithm %d seq %d from %s\n", 1240 __func__, algo, seq, ether_sprintf(wh->i_addr2))); 1241 1242 if (algo == IEEE80211_AUTH_ALG_SHARED) 1243 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 1244 rstamp, seq, status); 1245 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1246 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 1247 status); 1248 else { 1249 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1250 ("%s: unsupported auth algorithm %d from %s\n", 1251 __func__, algo, ether_sprintf(wh->i_addr2))); 1252 ic->ic_stats.is_rx_auth_unsupported++; 1253 return; 1254 } 1255 break; 1256 } 1257 1258 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1259 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1260 u_int16_t capinfo, bintval; 1261 1262 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1263 (ic->ic_state != IEEE80211_S_RUN)) 1264 return; 1265 1266 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1267 reassoc = 1; 1268 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1269 } else { 1270 reassoc = 0; 1271 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1272 } 1273 /* 1274 * asreq frame format 1275 * [2] capability information 1276 * [2] listen interval 1277 * [6*] current AP address (reassoc only) 1278 * [tlv] ssid 1279 * [tlv] supported rates 1280 * [tlv] extended supported rates 1281 */ 1282 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 1283 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1284 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1285 ("%s: ignore assoc request with bss %s not " 1286 "our own\n", 1287 __func__, ether_sprintf(wh->i_addr2))); 1288 ic->ic_stats.is_rx_assoc_bss++; 1289 return; 1290 } 1291 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1292 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1293 if (reassoc) 1294 frm += 6; /* ignore current AP info */ 1295 ssid = rates = xrates = NULL; 1296 while (frm < efrm) { 1297 switch (*frm) { 1298 case IEEE80211_ELEMID_SSID: 1299 ssid = frm; 1300 break; 1301 case IEEE80211_ELEMID_RATES: 1302 rates = frm; 1303 break; 1304 case IEEE80211_ELEMID_XRATES: 1305 xrates = frm; 1306 break; 1307 } 1308 frm += frm[1] + 2; 1309 } 1310 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1311 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1312 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, 1313 reassoc ? "reassoc" : "assoc"); 1314 1315 if (ni->ni_state != IEEE80211_STA_AUTH && 1316 ni->ni_state != IEEE80211_STA_ASSOC) { 1317 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1318 ("%s: deny %sassoc from %s, not authenticated\n", 1319 __func__, reassoc ? "re" : "", 1320 ether_sprintf(wh->i_addr2))); 1321 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1322 if (ni != NULL) { 1323 IEEE80211_SEND_MGMT(ic, ni, 1324 IEEE80211_FC0_SUBTYPE_DEAUTH, 1325 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1326 } 1327 ic->ic_stats.is_rx_assoc_notauth++; 1328 return; 1329 } 1330 /* discard challenge after association */ 1331 if (ni->ni_challenge != NULL) { 1332 FREE(ni->ni_challenge, M_DEVBUF); 1333 ni->ni_challenge = NULL; 1334 } 1335 /* XXX per-node cipher suite */ 1336 /* XXX some stations use the privacy bit for handling APs 1337 that suport both encrypted and unencrypted traffic */ 1338 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0 || 1339 (capinfo & IEEE80211_CAPINFO_PRIVACY) != 1340 ((ic->ic_flags & IEEE80211_F_PRIVACY) ? 1341 IEEE80211_CAPINFO_PRIVACY : 0)) { 1342 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1343 ("%s: capability mismatch %x for %s\n", 1344 __func__, capinfo, ether_sprintf(wh->i_addr2))); 1345 IEEE80211_SEND_MGMT(ic, ni, resp, 1346 IEEE80211_STATUS_CAPINFO); 1347 ieee80211_node_leave(ic, ni); 1348 ic->ic_stats.is_rx_assoc_capmismatch++; 1349 return; 1350 } 1351 ieee80211_setup_rates(ic, ni, rates, xrates, 1352 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1353 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1354 if (ni->ni_rates.rs_nrates == 0) { 1355 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1356 ("%s: rate mismatch for %s\n", 1357 __func__, ether_sprintf(wh->i_addr2))); 1358 /* XXX what rate will we send this at? */ 1359 IEEE80211_SEND_MGMT(ic, ni, resp, 1360 IEEE80211_STATUS_BASIC_RATE); 1361 ieee80211_node_leave(ic, ni); 1362 ic->ic_stats.is_rx_assoc_norate++; 1363 return; 1364 } 1365 ni->ni_rssi = rssi; 1366 ni->ni_rstamp = rstamp; 1367 ni->ni_intval = bintval; 1368 ni->ni_capinfo = capinfo; 1369 ni->ni_chan = ic->ic_bss->ni_chan; 1370 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 1371 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 1372 ieee80211_node_join(ic, ni, resp); 1373 break; 1374 } 1375 1376 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1377 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 1378 u_int16_t status; 1379 1380 if (ic->ic_opmode != IEEE80211_M_STA || 1381 ic->ic_state != IEEE80211_S_ASSOC) { 1382 ic->ic_stats.is_rx_mgtdiscard++; 1383 return; 1384 } 1385 1386 /* 1387 * asresp frame format 1388 * [2] capability information 1389 * [2] status 1390 * [2] association ID 1391 * [tlv] supported rates 1392 * [tlv] extended supported rates 1393 */ 1394 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1395 ni = ic->ic_bss; 1396 ni->ni_capinfo = le16toh(*(u_int16_t *)frm); 1397 frm += 2; 1398 1399 status = le16toh(*(u_int16_t *)frm); 1400 frm += 2; 1401 if (status != 0) { 1402 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1403 ("%sassociation failed (reason %d) for %s\n", 1404 ISREASSOC(subtype) ? "re" : "", 1405 status, ether_sprintf(wh->i_addr3))); 1406 if (ni != ic->ic_bss) 1407 ni->ni_fails++; 1408 ic->ic_stats.is_rx_auth_fail++; 1409 return; 1410 } 1411 ni->ni_associd = le16toh(*(u_int16_t *)frm); 1412 frm += 2; 1413 1414 rates = xrates = NULL; 1415 while (frm < efrm) { 1416 switch (*frm) { 1417 case IEEE80211_ELEMID_RATES: 1418 rates = frm; 1419 break; 1420 case IEEE80211_ELEMID_XRATES: 1421 xrates = frm; 1422 break; 1423 } 1424 frm += frm[1] + 2; 1425 } 1426 1427 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1428 ieee80211_setup_rates(ic, ni, rates, xrates, 1429 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1430 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1431 if (ni->ni_rates.rs_nrates != 0) 1432 ieee80211_new_state(ic, IEEE80211_S_RUN, 1433 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1434 break; 1435 } 1436 1437 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 1438 u_int16_t reason; 1439 /* 1440 * deauth frame format 1441 * [2] reason 1442 */ 1443 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1444 reason = le16toh(*(u_int16_t *)frm); 1445 ic->ic_stats.is_rx_deauth++; 1446 switch (ic->ic_opmode) { 1447 case IEEE80211_M_STA: 1448 ieee80211_new_state(ic, IEEE80211_S_AUTH, 1449 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1450 break; 1451 case IEEE80211_M_HOSTAP: 1452 if (ni != ic->ic_bss) { 1453 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1454 ("station %s deauthenticated by " 1455 "peer (reason %d)\n", 1456 ether_sprintf(ni->ni_macaddr), reason)); 1457 ieee80211_node_leave(ic, ni); 1458 } 1459 break; 1460 default: 1461 break; 1462 } 1463 break; 1464 } 1465 1466 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 1467 u_int16_t reason; 1468 /* 1469 * disassoc frame format 1470 * [2] reason 1471 */ 1472 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1473 reason = le16toh(*(u_int16_t *)frm); 1474 ic->ic_stats.is_rx_disassoc++; 1475 switch (ic->ic_opmode) { 1476 case IEEE80211_M_STA: 1477 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1478 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1479 break; 1480 case IEEE80211_M_HOSTAP: 1481 if (ni != ic->ic_bss) { 1482 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1483 ("station %s disassociated by " 1484 "peer (reason %d)\n", 1485 ether_sprintf(ni->ni_macaddr), reason)); 1486 ieee80211_node_leave(ic, ni); 1487 } 1488 break; 1489 default: 1490 break; 1491 } 1492 break; 1493 } 1494 default: 1495 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1496 ("%s: mgmt frame with subtype 0x%x not handled\n", 1497 __func__, subtype)); 1498 ic->ic_stats.is_rx_badsubtype++; 1499 break; 1500 } 1501 } 1502 1503 static void 1504 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m0, int rssi, 1505 u_int32_t rstamp) 1506 { 1507 struct ifnet *ifp = &ic->ic_if; 1508 struct ieee80211_frame *wh; 1509 struct ieee80211_node *ni; 1510 struct mbuf *m; 1511 u_int16_t aid; 1512 1513 if (ic->ic_set_tim == NULL) /* No powersaving functionality */ 1514 return; 1515 1516 wh = mtod(m0, struct ieee80211_frame *); 1517 1518 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1519 if (ifp->if_flags & IFF_DEBUG) 1520 printf("%s: station %s sent bogus power save poll\n", 1521 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1522 return; 1523 } 1524 1525 memcpy(&aid, wh->i_dur, sizeof(wh->i_dur)); 1526 if ((aid & 0xc000) != 0xc000) { 1527 if (ifp->if_flags & IFF_DEBUG) 1528 printf("%s: station %s sent bogus aid %x\n", 1529 ifp->if_xname, ether_sprintf(wh->i_addr2), aid); 1530 return; 1531 } 1532 1533 if (aid != ni->ni_associd) { 1534 if (ifp->if_flags & IFF_DEBUG) 1535 printf("%s: station %s aid %x doesn't match pspoll " 1536 "aid %x\n", 1537 ifp->if_xname, ether_sprintf(wh->i_addr2), 1538 ni->ni_associd, aid); 1539 return; 1540 } 1541 1542 /* Okay, take the first queued packet and put it out... */ 1543 1544 IF_DEQUEUE(&ni->ni_savedq, m); 1545 if (m == NULL) { 1546 if (ifp->if_flags & IFF_DEBUG) 1547 printf("%s: station %s sent pspoll, " 1548 "but no packets are saved\n", 1549 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1550 return; 1551 } 1552 wh = mtod(m, struct ieee80211_frame *); 1553 1554 /* 1555 * If this is the last packet, turn off the TIM fields. 1556 * If there are more packets, set the more packets bit. 1557 */ 1558 1559 if (IF_IS_EMPTY(&ni->ni_savedq)) { 1560 if (ic->ic_set_tim) 1561 ic->ic_set_tim(ic, ni->ni_associd, 0); 1562 } else { 1563 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1564 } 1565 1566 if (ifp->if_flags & IFF_DEBUG) 1567 printf("%s: enqueued power saving packet for station %s\n", 1568 ifp->if_xname, ether_sprintf(ni->ni_macaddr)); 1569 1570 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 1571 (*ifp->if_start)(ifp); 1572 } 1573 1574 static int 1575 do_slow_print(struct ieee80211com *ic, int *did_print) 1576 { 1577 if ((ic->ic_if.if_flags & IFF_LINK0) == 0) 1578 return 0; 1579 if (!*did_print && (ic->ic_if.if_flags & IFF_DEBUG) == 0 && 1580 !ratecheck(&ic->ic_last_merge_print, &ieee80211_merge_print_intvl)) 1581 return 0; 1582 1583 *did_print = 1; 1584 return 1; 1585 } 1586 1587 /* ieee80211_ibss_merge helps merge 802.11 ad hoc networks. The 1588 * convention, set by the Wireless Ethernet Compatibility Alliance 1589 * (WECA), is that an 802.11 station will change its BSSID to match 1590 * the "oldest" 802.11 ad hoc network, on the same channel, that 1591 * has the station's desired SSID. The "oldest" 802.11 network 1592 * sends beacons with the greatest TSF timestamp. 1593 * 1594 * Return ENETRESET if the BSSID changed, 0 otherwise. 1595 * 1596 * XXX Perhaps we should compensate for the time that elapses 1597 * between the MAC receiving the beacon and the host processing it 1598 * in ieee80211_ibss_merge. 1599 */ 1600 int 1601 ieee80211_ibss_merge(struct ieee80211com *ic, struct ieee80211_node *ni, 1602 uint64_t local_tsft) 1603 { 1604 uint64_t beacon_tsft; 1605 int did_print = 0, sign; 1606 union { 1607 uint64_t word; 1608 uint8_t tstamp[8]; 1609 } u; 1610 1611 /* ensure alignment */ 1612 (void)memcpy(&u, &ni->ni_tstamp[0], sizeof(u)); 1613 beacon_tsft = le64toh(u.word); 1614 1615 /* we are faster, let the other guy catch up */ 1616 if (beacon_tsft < local_tsft) 1617 sign = -1; 1618 else 1619 sign = 1; 1620 1621 if (memcmp(ni->ni_bssid, ic->ic_bss->ni_bssid, 1622 IEEE80211_ADDR_LEN) == 0) { 1623 if (!do_slow_print(ic, &did_print)) 1624 return 0; 1625 printf("%s: tsft offset %s%" PRIu64 "\n", ic->ic_if.if_xname, 1626 (sign < 0) ? "-" : "", 1627 (sign < 0) 1628 ? (local_tsft - beacon_tsft) 1629 : (beacon_tsft - local_tsft)); 1630 return 0; 1631 } 1632 1633 if (sign < 0) 1634 return 0; 1635 1636 if (ieee80211_match_bss(ic, ni) != 0) 1637 return 0; 1638 1639 if (do_slow_print(ic, &did_print)) { 1640 printf("%s: atw_recv_beacon: bssid mismatch %s\n", 1641 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1642 printf("%s: my tsft %" PRIu64 " beacon tsft %" PRIu64 "\n", 1643 ic->ic_if.if_xname, local_tsft, beacon_tsft); 1644 printf("%s: sync TSF with %s\n", 1645 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 1646 } 1647 1648 ic->ic_flags &= ~IEEE80211_F_SIBSS; 1649 1650 /* negotiate rates with new IBSS */ 1651 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 1652 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1653 if (ni->ni_rates.rs_nrates == 0) { 1654 if (do_slow_print(ic, &did_print)) { 1655 printf("%s: rates mismatch, BSSID %s\n", 1656 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1657 } 1658 return 0; 1659 } 1660 1661 if (do_slow_print(ic, &did_print)) { 1662 printf("%s: sync BSSID %s -> ", 1663 ic->ic_if.if_xname, ether_sprintf(ic->ic_bss->ni_bssid)); 1664 printf("%s ", ether_sprintf(ni->ni_bssid)); 1665 printf("(from %s)\n", ether_sprintf(ni->ni_macaddr)); 1666 } 1667 1668 ieee80211_node_newstate(ni, IEEE80211_STA_BSS); 1669 (*ic->ic_node_copy)(ic, ic->ic_bss, ni); 1670 1671 return ENETRESET; 1672 } 1673 #undef IEEE80211_VERIFY_LENGTH 1674 #undef IEEE80211_VERIFY_ELEMENT 1675