1 /* $NetBSD: ieee80211_input.c,v 1.77 2013/09/13 20:19:53 joerg Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.77 2013/09/13 20:19:53 joerg Exp $"); 40 #endif 41 42 #include "opt_inet.h" 43 44 #ifdef __NetBSD__ 45 #endif /* __NetBSD__ */ 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/endian.h> 52 #include <sys/kernel.h> 53 54 #include <sys/socket.h> 55 #include <sys/sockio.h> 56 #include <sys/endian.h> 57 #include <sys/errno.h> 58 #include <sys/proc.h> 59 #include <sys/sysctl.h> 60 61 #include <net/if.h> 62 #include <net/if_media.h> 63 #include <net/if_arp.h> 64 #include <net/if_ether.h> 65 #include <net/if_llc.h> 66 67 #include <net80211/ieee80211_netbsd.h> 68 #include <net80211/ieee80211_var.h> 69 70 #include <net/bpf.h> 71 72 #ifdef INET 73 #include <netinet/in.h> 74 #include <net/if_ether.h> 75 #endif 76 77 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 78 79 #ifdef IEEE80211_DEBUG 80 81 /* 82 * Decide if a received management frame should be 83 * printed when debugging is enabled. This filters some 84 * of the less interesting frames that come frequently 85 * (e.g. beacons). 86 */ 87 static __inline int 88 doprint(struct ieee80211com *ic, int subtype) 89 { 90 switch (subtype) { 91 case IEEE80211_FC0_SUBTYPE_BEACON: 92 return (ic->ic_flags & IEEE80211_F_SCAN); 93 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 94 return (ic->ic_opmode == IEEE80211_M_IBSS); 95 } 96 return 1; 97 } 98 99 /* 100 * Emit a debug message about discarding a frame or information 101 * element. One format is for extracting the mac address from 102 * the frame header; the other is for when a header is not 103 * available or otherwise appropriate. 104 */ 105 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 106 if ((_ic)->ic_debug & (_m)) \ 107 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 108 } while (0) 109 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 110 if ((_ic)->ic_debug & (_m)) \ 111 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 112 } while (0) 113 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 114 if ((_ic)->ic_debug & (_m)) \ 115 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 116 } while (0) 117 118 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 119 const struct ieee80211_frame *); 120 static void ieee80211_discard_frame(struct ieee80211com *, 121 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 122 static void ieee80211_discard_ie(struct ieee80211com *, 123 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 124 static void ieee80211_discard_mac(struct ieee80211com *, 125 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 126 const char *fmt, ...); 127 #else 128 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 129 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 130 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 131 #endif /* IEEE80211_DEBUG */ 132 133 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 134 struct ieee80211_node *, struct mbuf *, int); 135 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 136 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 137 const u_int8_t *mac, int subtype, int arg); 138 static void ieee80211_deliver_data(struct ieee80211com *, 139 struct ieee80211_node *, struct mbuf *); 140 #ifndef IEEE80211_NO_HOSTAP 141 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 142 static void ieee80211_recv_pspoll(struct ieee80211com *, 143 struct ieee80211_node *, struct mbuf *); 144 #endif /* !IEEE80211_NO_HOSTAP */ 145 static void ieee80211_update_adhoc_node(struct ieee80211com *, 146 struct ieee80211_node *, struct ieee80211_frame *, 147 struct ieee80211_scanparams *, int, u_int32_t); 148 149 /* 150 * Process a received frame. The node associated with the sender 151 * should be supplied. If nothing was found in the node table then 152 * the caller is assumed to supply a reference to ic_bss instead. 153 * The RSSI and a timestamp are also supplied. The RSSI data is used 154 * during AP scanning to select a AP to associate with; it can have 155 * any units so long as values have consistent units and higher values 156 * mean ``better signal''. The receive timestamp is currently not used 157 * by the 802.11 layer. 158 */ 159 int 160 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 161 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 162 { 163 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 164 #define HAS_SEQ(type) ((type & 0x4) == 0) 165 struct ifnet *ifp = ic->ic_ifp; 166 struct ieee80211_frame *wh; 167 struct ieee80211_key *key; 168 struct ether_header *eh; 169 int hdrspace; 170 u_int8_t dir, type, subtype; 171 u_int8_t *bssid; 172 u_int16_t rxseq; 173 174 IASSERT(ni != NULL, ("null node")); 175 ni->ni_inact = ni->ni_inact_reload; 176 177 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 178 if (m->m_flags & M_HASFCS) { 179 m_adj(m, -IEEE80211_CRC_LEN); 180 m->m_flags &= ~M_HASFCS; 181 } 182 type = -1; /* undefined */ 183 /* 184 * In monitor mode, send everything directly to bpf. 185 * XXX may want to include the CRC 186 */ 187 if (ic->ic_opmode == IEEE80211_M_MONITOR) 188 goto out; 189 190 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 191 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 192 ni->ni_macaddr, NULL, 193 "too short (1): len %u", m->m_pkthdr.len); 194 ic->ic_stats.is_rx_tooshort++; 195 goto out; 196 } 197 /* 198 * Bit of a cheat here, we use a pointer for a 3-address 199 * frame format but don't reference fields past outside 200 * ieee80211_frame_min w/o first validating the data is 201 * present. 202 */ 203 wh = mtod(m, struct ieee80211_frame *); 204 205 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 206 IEEE80211_FC0_VERSION_0) { 207 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 208 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 209 ic->ic_stats.is_rx_badversion++; 210 goto err; 211 } 212 213 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 214 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 215 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 216 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 217 switch (ic->ic_opmode) { 218 case IEEE80211_M_STA: 219 bssid = wh->i_addr2; 220 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 221 /* not interested in */ 222 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 223 bssid, NULL, "%s", "not to bss"); 224 ic->ic_stats.is_rx_wrongbss++; 225 goto out; 226 } 227 break; 228 case IEEE80211_M_IBSS: 229 case IEEE80211_M_AHDEMO: 230 case IEEE80211_M_HOSTAP: 231 if (dir != IEEE80211_FC1_DIR_NODS) 232 bssid = wh->i_addr1; 233 else if (type == IEEE80211_FC0_TYPE_CTL) 234 bssid = wh->i_addr1; 235 else { 236 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 237 IEEE80211_DISCARD_MAC(ic, 238 IEEE80211_MSG_ANY, ni->ni_macaddr, 239 NULL, "too short (2): len %u", 240 m->m_pkthdr.len); 241 ic->ic_stats.is_rx_tooshort++; 242 goto out; 243 } 244 bssid = wh->i_addr3; 245 } 246 if (type != IEEE80211_FC0_TYPE_DATA) 247 break; 248 /* 249 * Data frame, validate the bssid. 250 */ 251 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 252 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 253 /* not interested in */ 254 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 255 bssid, NULL, "%s", "not to bss"); 256 ic->ic_stats.is_rx_wrongbss++; 257 goto out; 258 } 259 /* 260 * For adhoc mode we cons up a node when it doesn't 261 * exist. This should probably done after an ACL check. 262 */ 263 if (ni == ic->ic_bss && 264 ic->ic_opmode != IEEE80211_M_HOSTAP && 265 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 266 /* 267 * Fake up a node for this newly 268 * discovered member of the IBSS. 269 */ 270 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 271 wh->i_addr2); 272 if (ni == NULL) { 273 /* NB: stat kept for alloc failure */ 274 goto err; 275 } 276 } 277 break; 278 default: 279 goto out; 280 } 281 ni->ni_rssi = rssi; 282 ni->ni_rstamp = rstamp; 283 if (HAS_SEQ(type)) { 284 u_int8_t tid; 285 if (ieee80211_has_qos(wh)) { 286 tid = ((struct ieee80211_qosframe *)wh)-> 287 i_qos[0] & IEEE80211_QOS_TID; 288 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 289 ic->ic_wme.wme_hipri_traffic++; 290 tid++; 291 } else 292 tid = 0; 293 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 294 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 295 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 296 /* duplicate, discard */ 297 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 298 bssid, "duplicate", 299 "seqno <%u,%u> fragno <%u,%u> tid %u", 300 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 301 ni->ni_rxseqs[tid] >> 302 IEEE80211_SEQ_SEQ_SHIFT, 303 rxseq & IEEE80211_SEQ_FRAG_MASK, 304 ni->ni_rxseqs[tid] & 305 IEEE80211_SEQ_FRAG_MASK, 306 tid); 307 ic->ic_stats.is_rx_dup++; 308 IEEE80211_NODE_STAT(ni, rx_dup); 309 goto out; 310 } 311 ni->ni_rxseqs[tid] = rxseq; 312 } 313 } 314 315 switch (type) { 316 case IEEE80211_FC0_TYPE_DATA: 317 hdrspace = ieee80211_hdrspace(ic, wh); 318 if (m->m_len < hdrspace && 319 (m = m_pullup(m, hdrspace)) == NULL) { 320 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 321 ni->ni_macaddr, NULL, 322 "data too short: expecting %u", hdrspace); 323 ic->ic_stats.is_rx_tooshort++; 324 goto out; /* XXX */ 325 } 326 switch (ic->ic_opmode) { 327 case IEEE80211_M_STA: 328 if (dir != IEEE80211_FC1_DIR_FROMDS) { 329 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 330 wh, "data", "%s", "unknown dir 0x%x", dir); 331 ic->ic_stats.is_rx_wrongdir++; 332 goto out; 333 } 334 if ((ifp->if_flags & IFF_SIMPLEX) && 335 IEEE80211_IS_MULTICAST(wh->i_addr1) && 336 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 337 /* 338 * In IEEE802.11 network, multicast packet 339 * sent from me is broadcasted from AP. 340 * It should be silently discarded for 341 * SIMPLEX interface. 342 */ 343 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 344 wh, NULL, "%s", "multicast echo"); 345 ic->ic_stats.is_rx_mcastecho++; 346 goto out; 347 } 348 break; 349 case IEEE80211_M_IBSS: 350 case IEEE80211_M_AHDEMO: 351 if (dir != IEEE80211_FC1_DIR_NODS) { 352 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 353 wh, "data", "%s", "unknown dir 0x%x", dir); 354 ic->ic_stats.is_rx_wrongdir++; 355 goto out; 356 } 357 /* XXX no power-save support */ 358 break; 359 case IEEE80211_M_HOSTAP: 360 #ifndef IEEE80211_NO_HOSTAP 361 if (dir != IEEE80211_FC1_DIR_TODS) { 362 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 363 wh, "data", "%s", "unknown dir 0x%x", dir); 364 ic->ic_stats.is_rx_wrongdir++; 365 goto out; 366 } 367 /* check if source STA is associated */ 368 if (ni == ic->ic_bss) { 369 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 370 wh, "data", "%s", "unknown src"); 371 ieee80211_send_error(ic, ni, wh->i_addr2, 372 IEEE80211_FC0_SUBTYPE_DEAUTH, 373 IEEE80211_REASON_NOT_AUTHED); 374 ic->ic_stats.is_rx_notassoc++; 375 goto err; 376 } 377 if (ni->ni_associd == 0) { 378 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 379 wh, "data", "%s", "unassoc src"); 380 IEEE80211_SEND_MGMT(ic, ni, 381 IEEE80211_FC0_SUBTYPE_DISASSOC, 382 IEEE80211_REASON_NOT_ASSOCED); 383 ic->ic_stats.is_rx_notassoc++; 384 goto err; 385 } 386 387 /* 388 * Check for power save state change. 389 */ 390 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 391 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 392 ieee80211_node_pwrsave(ni, 393 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 394 #endif /* !IEEE80211_NO_HOSTAP */ 395 break; 396 default: 397 /* XXX here to keep compiler happy */ 398 goto out; 399 } 400 401 /* 402 * Handle privacy requirements. Note that we 403 * must not be preempted from here until after 404 * we (potentially) call ieee80211_crypto_demic; 405 * otherwise we may violate assumptions in the 406 * crypto cipher modules used to do delayed update 407 * of replay sequence numbers. 408 */ 409 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 410 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 411 /* 412 * Discard encrypted frames when privacy is off. 413 */ 414 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 415 wh, "WEP", "%s", "PRIVACY off"); 416 ic->ic_stats.is_rx_noprivacy++; 417 IEEE80211_NODE_STAT(ni, rx_noprivacy); 418 goto out; 419 } 420 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 421 if (key == NULL) { 422 /* NB: stats+msgs handled in crypto_decap */ 423 IEEE80211_NODE_STAT(ni, rx_wepfail); 424 goto out; 425 } 426 wh = mtod(m, struct ieee80211_frame *); 427 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 428 } else { 429 key = NULL; 430 } 431 432 /* 433 * Next up, any fragmentation. 434 */ 435 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 436 m = ieee80211_defrag(ic, ni, m, hdrspace); 437 if (m == NULL) { 438 /* Fragment dropped or frame not complete yet */ 439 goto out; 440 } 441 } 442 wh = NULL; /* no longer valid, catch any uses */ 443 444 /* 445 * Next strip any MSDU crypto bits. 446 */ 447 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 448 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 449 ni->ni_macaddr, "data", "%s", "demic error"); 450 IEEE80211_NODE_STAT(ni, rx_demicfail); 451 goto out; 452 } 453 454 /* copy to listener after decrypt */ 455 bpf_mtap3(ic->ic_rawbpf, m); 456 457 /* 458 * Finally, strip the 802.11 header. 459 */ 460 m = ieee80211_decap(ic, m, hdrspace); 461 if (m == NULL) { 462 /* don't count Null data frames as errors */ 463 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 464 goto out; 465 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 466 ni->ni_macaddr, "data", "%s", "decap error"); 467 ic->ic_stats.is_rx_decap++; 468 IEEE80211_NODE_STAT(ni, rx_decap); 469 goto err; 470 } 471 eh = mtod(m, struct ether_header *); 472 if (!ieee80211_node_is_authorized(ni)) { 473 /* 474 * Deny any non-PAE frames received prior to 475 * authorization. For open/shared-key 476 * authentication the port is mark authorized 477 * after authentication completes. For 802.1x 478 * the port is not marked authorized by the 479 * authenticator until the handshake has completed. 480 */ 481 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 482 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 483 eh->ether_shost, "data", 484 "unauthorized port: ether type 0x%x len %u", 485 eh->ether_type, m->m_pkthdr.len); 486 ic->ic_stats.is_rx_unauth++; 487 IEEE80211_NODE_STAT(ni, rx_unauth); 488 goto err; 489 } 490 } else { 491 /* 492 * When denying unencrypted frames, discard 493 * any non-PAE frames received without encryption. 494 */ 495 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 496 key == NULL && 497 eh->ether_type != htons(ETHERTYPE_PAE)) { 498 /* 499 * Drop unencrypted frames. 500 */ 501 ic->ic_stats.is_rx_unencrypted++; 502 IEEE80211_NODE_STAT(ni, rx_unencrypted); 503 goto out; 504 } 505 } 506 ifp->if_ipackets++; 507 IEEE80211_NODE_STAT(ni, rx_data); 508 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 509 510 ieee80211_deliver_data(ic, ni, m); 511 return IEEE80211_FC0_TYPE_DATA; 512 513 case IEEE80211_FC0_TYPE_MGT: 514 IEEE80211_NODE_STAT(ni, rx_mgmt); 515 if (dir != IEEE80211_FC1_DIR_NODS) { 516 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 517 wh, "data", "%s", "unknown dir 0x%x", dir); 518 ic->ic_stats.is_rx_wrongdir++; 519 goto err; 520 } 521 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 522 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 523 ni->ni_macaddr, "mgt", "too short: len %u", 524 m->m_pkthdr.len); 525 ic->ic_stats.is_rx_tooshort++; 526 goto out; 527 } 528 #ifdef IEEE80211_DEBUG 529 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 530 ieee80211_msg_dumppkts(ic)) { 531 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 532 ieee80211_mgt_subtype_name[subtype >> 533 IEEE80211_FC0_SUBTYPE_SHIFT], 534 ether_sprintf(wh->i_addr2), rssi); 535 } 536 #endif 537 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 538 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 539 /* 540 * Only shared key auth frames with a challenge 541 * should be encrypted, discard all others. 542 */ 543 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 544 wh, ieee80211_mgt_subtype_name[subtype >> 545 IEEE80211_FC0_SUBTYPE_SHIFT], 546 "%s", "WEP set but not permitted"); 547 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 548 goto out; 549 } 550 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 551 /* 552 * Discard encrypted frames when privacy is off. 553 */ 554 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 555 wh, "mgt", "%s", "WEP set but PRIVACY off"); 556 ic->ic_stats.is_rx_noprivacy++; 557 goto out; 558 } 559 hdrspace = ieee80211_hdrspace(ic, wh); 560 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 561 if (key == NULL) { 562 /* NB: stats+msgs handled in crypto_decap */ 563 goto out; 564 } 565 wh = mtod(m, struct ieee80211_frame *); 566 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 567 } 568 bpf_mtap3(ic->ic_rawbpf, m); 569 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 570 m_freem(m); 571 return type; 572 573 case IEEE80211_FC0_TYPE_CTL: 574 IEEE80211_NODE_STAT(ni, rx_ctrl); 575 ic->ic_stats.is_rx_ctl++; 576 #ifndef IEEE80211_NO_HOSTAP 577 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 578 switch (subtype) { 579 case IEEE80211_FC0_SUBTYPE_PS_POLL: 580 ieee80211_recv_pspoll(ic, ni, m); 581 break; 582 } 583 } 584 #endif /* !IEEE80211_NO_HOSTAP */ 585 goto out; 586 default: 587 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 588 wh, NULL, "bad frame type 0x%x", type); 589 /* should not come here */ 590 break; 591 } 592 err: 593 ifp->if_ierrors++; 594 out: 595 if (m != NULL) { 596 bpf_mtap3(ic->ic_rawbpf, m); 597 m_freem(m); 598 } 599 return type; 600 #undef SEQ_LEQ 601 } 602 603 /* 604 * This function reassemble fragments. 605 */ 606 static struct mbuf * 607 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 608 struct mbuf *m, int hdrspace) 609 { 610 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 611 struct ieee80211_frame *lwh; 612 u_int16_t rxseq; 613 u_int8_t fragno; 614 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 615 struct mbuf *mfrag; 616 617 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 618 619 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 620 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 621 622 /* Quick way out, if there's nothing to defragment */ 623 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 624 return m; 625 626 /* 627 * Remove frag to insure it doesn't get reaped by timer. 628 */ 629 if (ni->ni_table == NULL) { 630 /* 631 * Should never happen. If the node is orphaned (not in 632 * the table) then input packets should not reach here. 633 * Otherwise, a concurrent request that yanks the table 634 * should be blocked by other interlocking and/or by first 635 * shutting the driver down. Regardless, be defensive 636 * here and just bail 637 */ 638 /* XXX need msg+stat */ 639 m_freem(m); 640 return NULL; 641 } 642 IEEE80211_NODE_LOCK(ni->ni_table); 643 mfrag = ni->ni_rxfrag[0]; 644 ni->ni_rxfrag[0] = NULL; 645 IEEE80211_NODE_UNLOCK(ni->ni_table); 646 647 /* 648 * Validate new fragment is in order and 649 * related to the previous ones. 650 */ 651 if (mfrag != NULL) { 652 u_int16_t last_rxseq; 653 654 lwh = mtod(mfrag, struct ieee80211_frame *); 655 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 656 /* NB: check seq # and frag together */ 657 if (rxseq != last_rxseq+1 || 658 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 659 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 660 /* 661 * Unrelated fragment or no space for it, 662 * clear current fragments. 663 */ 664 m_freem(mfrag); 665 mfrag = NULL; 666 } 667 } 668 669 if (mfrag == NULL) { 670 if (fragno != 0) { /* !first fragment, discard */ 671 IEEE80211_NODE_STAT(ni, rx_defrag); 672 m_freem(m); 673 return NULL; 674 } 675 mfrag = m; 676 } else { /* concatenate */ 677 m_adj(m, hdrspace); /* strip header */ 678 m_cat(mfrag, m); 679 /* NB: m_cat doesn't update the packet header */ 680 mfrag->m_pkthdr.len += m->m_pkthdr.len; 681 /* track last seqnum and fragno */ 682 lwh = mtod(mfrag, struct ieee80211_frame *); 683 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 684 } 685 if (more_frag) { /* more to come, save */ 686 ni->ni_rxfragstamp = ticks; 687 ni->ni_rxfrag[0] = mfrag; 688 mfrag = NULL; 689 } 690 return mfrag; 691 } 692 693 static void 694 ieee80211_deliver_data(struct ieee80211com *ic, 695 struct ieee80211_node *ni, struct mbuf *m) 696 { 697 struct ether_header *eh = mtod(m, struct ether_header *); 698 struct ifnet *ifp = ic->ic_ifp; 699 ALTQ_DECL(struct altq_pktattr pktattr;) 700 int error; 701 702 /* perform as a bridge within the AP */ 703 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 704 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 705 struct mbuf *m1 = NULL; 706 707 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 708 m1 = m_copypacket(m, M_DONTWAIT); 709 if (m1 == NULL) 710 ifp->if_oerrors++; 711 else 712 m1->m_flags |= M_MCAST; 713 } else { 714 /* 715 * Check if the destination is known; if so 716 * and the port is authorized dispatch directly. 717 */ 718 struct ieee80211_node *sta = 719 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 720 if (sta != NULL) { 721 if (ieee80211_node_is_authorized(sta)) { 722 /* 723 * Beware of sending to ourself; this 724 * needs to happen via the normal 725 * input path. 726 */ 727 if (sta != ic->ic_bss) { 728 m1 = m; 729 m = NULL; 730 } 731 } else { 732 ic->ic_stats.is_rx_unauth++; 733 IEEE80211_NODE_STAT(sta, rx_unauth); 734 } 735 ieee80211_free_node(sta); 736 } 737 } 738 if (m1 != NULL) { 739 int len; 740 #ifdef ALTQ 741 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 742 altq_etherclassify(&ifp->if_snd, m1, 743 &pktattr); 744 } 745 #endif 746 len = m1->m_pkthdr.len; 747 IFQ_ENQUEUE(&ifp->if_snd, m1, &pktattr, error); 748 if (error) { 749 ifp->if_omcasts++; 750 m = NULL; 751 } 752 ifp->if_obytes += len; 753 } 754 } 755 if (m != NULL) { 756 /* 757 * XXX If we forward packet into transmitter of the AP, 758 * we don't need to duplicate for DLT_EN10MB. 759 */ 760 bpf_mtap(ifp, m); 761 762 if (ni->ni_vlan != 0) { 763 /* attach vlan tag */ 764 /* XXX goto err? */ 765 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 766 } 767 (*ifp->if_input)(ifp, m); 768 } 769 return; 770 out: 771 if (m != NULL) { 772 bpf_mtap3(ic->ic_rawbpf, m); 773 m_freem(m); 774 } 775 } 776 777 static struct mbuf * 778 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 779 { 780 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 781 struct ether_header *eh; 782 struct llc *llc; 783 784 if (m->m_len < hdrlen + sizeof(*llc) && 785 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 786 /* XXX stat, msg */ 787 return NULL; 788 } 789 memcpy(&wh, mtod(m, void *), hdrlen); 790 llc = (struct llc *)(mtod(m, char *) + hdrlen); 791 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 792 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 793 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 794 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 795 llc = NULL; 796 } else { 797 m_adj(m, hdrlen - sizeof(*eh)); 798 } 799 eh = mtod(m, struct ether_header *); 800 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 801 case IEEE80211_FC1_DIR_NODS: 802 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 803 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 804 break; 805 case IEEE80211_FC1_DIR_TODS: 806 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 807 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 808 break; 809 case IEEE80211_FC1_DIR_FROMDS: 810 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 811 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 812 break; 813 case IEEE80211_FC1_DIR_DSTODS: 814 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 815 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 816 break; 817 } 818 #ifdef ALIGNED_POINTER 819 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 820 struct mbuf *n, *n0, **np; 821 char *newdata; 822 int off, pktlen; 823 824 n0 = NULL; 825 np = &n0; 826 off = 0; 827 pktlen = m->m_pkthdr.len; 828 while (pktlen > off) { 829 if (n0 == NULL) { 830 MGETHDR(n, M_DONTWAIT, MT_DATA); 831 if (n == NULL) { 832 m_freem(m); 833 return NULL; 834 } 835 M_MOVE_PKTHDR(n, m); 836 n->m_len = MHLEN; 837 } else { 838 MGET(n, M_DONTWAIT, MT_DATA); 839 if (n == NULL) { 840 m_freem(m); 841 m_freem(n0); 842 return NULL; 843 } 844 n->m_len = MLEN; 845 } 846 if (pktlen - off >= MINCLSIZE) { 847 MCLGET(n, M_DONTWAIT); 848 if (n->m_flags & M_EXT) 849 n->m_len = n->m_ext.ext_size; 850 } 851 if (n0 == NULL) { 852 newdata = 853 (char *)ALIGN(n->m_data + sizeof(*eh)) - 854 sizeof(*eh); 855 n->m_len -= newdata - n->m_data; 856 n->m_data = newdata; 857 } 858 if (n->m_len > pktlen - off) 859 n->m_len = pktlen - off; 860 m_copydata(m, off, n->m_len, mtod(n, void *)); 861 off += n->m_len; 862 *np = n; 863 np = &n->m_next; 864 } 865 m_freem(m); 866 m = n0; 867 } 868 #endif /* ALIGNED_POINTER */ 869 if (llc != NULL) { 870 eh = mtod(m, struct ether_header *); 871 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 872 } 873 return m; 874 } 875 876 /* 877 * Install received rate set information in the node's state block. 878 */ 879 int 880 ieee80211_setup_rates(struct ieee80211_node *ni, 881 const u_int8_t *rates, const u_int8_t *xrates, int flags) 882 { 883 struct ieee80211com *ic = ni->ni_ic; 884 struct ieee80211_rateset *rs = &ni->ni_rates; 885 886 memset(rs, 0, sizeof(*rs)); 887 rs->rs_nrates = rates[1]; 888 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 889 if (xrates != NULL) { 890 u_int8_t nxrates; 891 /* 892 * Tack on 11g extended supported rate element. 893 */ 894 nxrates = xrates[1]; 895 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 896 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 897 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 898 "[%s] extended rate set too large;" 899 " only using %u of %u rates\n", 900 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 901 ic->ic_stats.is_rx_rstoobig++; 902 } 903 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 904 rs->rs_nrates += nxrates; 905 } 906 return ieee80211_fix_rate(ni, flags); 907 } 908 909 static void 910 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 911 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 912 u_int16_t seq, u_int16_t status) 913 { 914 915 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 916 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 917 ni->ni_macaddr, "open auth", 918 "bad sta auth mode %u", ni->ni_authmode); 919 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 920 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 921 /* XXX hack to workaround calling convention */ 922 ieee80211_send_error(ic, ni, wh->i_addr2, 923 IEEE80211_FC0_SUBTYPE_AUTH, 924 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 925 } 926 return; 927 } 928 switch (ic->ic_opmode) { 929 case IEEE80211_M_IBSS: 930 case IEEE80211_M_AHDEMO: 931 case IEEE80211_M_MONITOR: 932 /* should not come here */ 933 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 934 ni->ni_macaddr, "open auth", 935 "bad operating mode %u", ic->ic_opmode); 936 break; 937 938 case IEEE80211_M_HOSTAP: 939 #ifndef IEEE80211_NO_HOSTAP 940 if (ic->ic_state != IEEE80211_S_RUN || 941 seq != IEEE80211_AUTH_OPEN_REQUEST) { 942 ic->ic_stats.is_rx_bad_auth++; 943 return; 944 } 945 /* always accept open authentication requests */ 946 if (ni == ic->ic_bss) { 947 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 948 if (ni == NULL) 949 return; 950 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 951 (void) ieee80211_ref_node(ni); 952 /* 953 * Mark the node as referenced to reflect that it's 954 * reference count has been bumped to insure it remains 955 * after the transaction completes. 956 */ 957 ni->ni_flags |= IEEE80211_NODE_AREF; 958 959 IEEE80211_SEND_MGMT(ic, ni, 960 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 961 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 962 "[%s] station authenticated (open)\n", 963 ether_sprintf(ni->ni_macaddr)); 964 /* 965 * When 802.1x is not in use mark the port 966 * authorized at this point so traffic can flow. 967 */ 968 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 969 ieee80211_node_authorize(ni); 970 #endif /* !IEEE80211_NO_HOSTAP */ 971 break; 972 973 case IEEE80211_M_STA: 974 if (ic->ic_state != IEEE80211_S_AUTH || 975 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 976 ic->ic_stats.is_rx_bad_auth++; 977 return; 978 } 979 if (status != 0) { 980 IEEE80211_DPRINTF(ic, 981 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 982 "[%s] open auth failed (reason %d)\n", 983 ether_sprintf(ni->ni_macaddr), status); 984 /* XXX can this happen? */ 985 if (ni != ic->ic_bss) 986 ni->ni_fails++; 987 ic->ic_stats.is_rx_auth_fail++; 988 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 989 } else 990 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 991 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 992 break; 993 } 994 } 995 996 /* 997 * Send a management frame error response to the specified 998 * station. If ni is associated with the station then use 999 * it; otherwise allocate a temporary node suitable for 1000 * transmitting the frame and then free the reference so 1001 * it will go away as soon as the frame has been transmitted. 1002 */ 1003 static void 1004 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1005 const u_int8_t *mac, int subtype, int arg) 1006 { 1007 int istmp; 1008 1009 if (ni == ic->ic_bss) { 1010 ni = ieee80211_tmp_node(ic, mac); 1011 if (ni == NULL) { 1012 /* XXX msg */ 1013 return; 1014 } 1015 istmp = 1; 1016 } else 1017 istmp = 0; 1018 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1019 if (istmp) 1020 ieee80211_free_node(ni); 1021 } 1022 1023 static int 1024 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1025 { 1026 if (ni->ni_challenge == NULL) 1027 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1028 M_DEVBUF, M_NOWAIT); 1029 if (ni->ni_challenge == NULL) { 1030 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1031 "[%s] shared key challenge alloc failed\n", 1032 ether_sprintf(ni->ni_macaddr)); 1033 /* XXX statistic */ 1034 } 1035 return (ni->ni_challenge != NULL); 1036 } 1037 1038 /* XXX TODO: add statistics */ 1039 static void 1040 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1041 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1042 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1043 { 1044 u_int8_t *challenge; 1045 int estatus; 1046 1047 /* 1048 * NB: this can happen as we allow pre-shared key 1049 * authentication to be enabled w/o wep being turned 1050 * on so that configuration of these can be done 1051 * in any order. It may be better to enforce the 1052 * ordering in which case this check would just be 1053 * for sanity/consistency. 1054 */ 1055 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1056 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1057 ni->ni_macaddr, "shared key auth", 1058 "%s", " PRIVACY is disabled"); 1059 estatus = IEEE80211_STATUS_ALG; 1060 goto bad; 1061 } 1062 /* 1063 * Pre-shared key authentication is evil; accept 1064 * it only if explicitly configured (it is supported 1065 * mainly for compatibility with clients like OS X). 1066 */ 1067 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1068 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1069 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1070 ni->ni_macaddr, "shared key auth", 1071 "bad sta auth mode %u", ni->ni_authmode); 1072 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1073 estatus = IEEE80211_STATUS_ALG; 1074 goto bad; 1075 } 1076 1077 challenge = NULL; 1078 if (frm + 1 < efrm) { 1079 if ((frm[1] + 2) > (efrm - frm)) { 1080 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1081 ni->ni_macaddr, "shared key auth", 1082 "ie %d/%d too long", 1083 frm[0], (frm[1] + 2) - (efrm - frm)); 1084 ic->ic_stats.is_rx_bad_auth++; 1085 estatus = IEEE80211_STATUS_CHALLENGE; 1086 goto bad; 1087 } 1088 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1089 challenge = frm; 1090 frm += frm[1] + 2; 1091 } 1092 switch (seq) { 1093 case IEEE80211_AUTH_SHARED_CHALLENGE: 1094 case IEEE80211_AUTH_SHARED_RESPONSE: 1095 if (challenge == NULL) { 1096 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1097 ni->ni_macaddr, "shared key auth", 1098 "%s", "no challenge"); 1099 ic->ic_stats.is_rx_bad_auth++; 1100 estatus = IEEE80211_STATUS_CHALLENGE; 1101 goto bad; 1102 } 1103 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1104 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1105 ni->ni_macaddr, "shared key auth", 1106 "bad challenge len %d", challenge[1]); 1107 ic->ic_stats.is_rx_bad_auth++; 1108 estatus = IEEE80211_STATUS_CHALLENGE; 1109 goto bad; 1110 } 1111 default: 1112 break; 1113 } 1114 switch (ic->ic_opmode) { 1115 case IEEE80211_M_MONITOR: 1116 case IEEE80211_M_AHDEMO: 1117 case IEEE80211_M_IBSS: 1118 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1119 ni->ni_macaddr, "shared key auth", 1120 "bad operating mode %u", ic->ic_opmode); 1121 return; 1122 case IEEE80211_M_HOSTAP: 1123 #ifndef IEEE80211_NO_HOSTAP 1124 { 1125 int allocbs; 1126 if (ic->ic_state != IEEE80211_S_RUN) { 1127 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1128 ni->ni_macaddr, "shared key auth", 1129 "bad state %u", ic->ic_state); 1130 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1131 goto bad; 1132 } 1133 switch (seq) { 1134 case IEEE80211_AUTH_SHARED_REQUEST: 1135 if (ni == ic->ic_bss) { 1136 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1137 if (ni == NULL) { 1138 /* NB: no way to return an error */ 1139 return; 1140 } 1141 allocbs = 1; 1142 } else { 1143 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1144 (void) ieee80211_ref_node(ni); 1145 allocbs = 0; 1146 } 1147 /* 1148 * Mark the node as referenced to reflect that it's 1149 * reference count has been bumped to insure it remains 1150 * after the transaction completes. 1151 */ 1152 ni->ni_flags |= IEEE80211_NODE_AREF; 1153 ni->ni_rssi = rssi; 1154 ni->ni_rstamp = rstamp; 1155 if (!alloc_challenge(ic, ni)) { 1156 /* NB: don't return error so they rexmit */ 1157 return; 1158 } 1159 get_random_bytes(ni->ni_challenge, 1160 IEEE80211_CHALLENGE_LEN); 1161 IEEE80211_DPRINTF(ic, 1162 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1163 "[%s] shared key %sauth request\n", 1164 ether_sprintf(ni->ni_macaddr), 1165 allocbs ? "" : "re"); 1166 break; 1167 case IEEE80211_AUTH_SHARED_RESPONSE: 1168 if (ni == ic->ic_bss) { 1169 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1170 ni->ni_macaddr, "shared key response", 1171 "%s", "unknown station"); 1172 /* NB: don't send a response */ 1173 return; 1174 } 1175 if (ni->ni_challenge == NULL) { 1176 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1177 ni->ni_macaddr, "shared key response", 1178 "%s", "no challenge recorded"); 1179 ic->ic_stats.is_rx_bad_auth++; 1180 estatus = IEEE80211_STATUS_CHALLENGE; 1181 goto bad; 1182 } 1183 if (memcmp(ni->ni_challenge, &challenge[2], 1184 challenge[1]) != 0) { 1185 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1186 ni->ni_macaddr, "shared key response", 1187 "%s", "challenge mismatch"); 1188 ic->ic_stats.is_rx_auth_fail++; 1189 estatus = IEEE80211_STATUS_CHALLENGE; 1190 goto bad; 1191 } 1192 IEEE80211_DPRINTF(ic, 1193 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1194 "[%s] station authenticated (shared key)\n", 1195 ether_sprintf(ni->ni_macaddr)); 1196 ieee80211_node_authorize(ni); 1197 break; 1198 default: 1199 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1200 ni->ni_macaddr, "shared key auth", 1201 "bad seq %d", seq); 1202 ic->ic_stats.is_rx_bad_auth++; 1203 estatus = IEEE80211_STATUS_SEQUENCE; 1204 goto bad; 1205 } 1206 IEEE80211_SEND_MGMT(ic, ni, 1207 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1208 } 1209 #endif /* !IEEE80211_NO_HOSTAP */ 1210 break; 1211 1212 case IEEE80211_M_STA: 1213 if (ic->ic_state != IEEE80211_S_AUTH) 1214 return; 1215 switch (seq) { 1216 case IEEE80211_AUTH_SHARED_PASS: 1217 if (ni->ni_challenge != NULL) { 1218 free(ni->ni_challenge, M_DEVBUF); 1219 ni->ni_challenge = NULL; 1220 } 1221 if (status != 0) { 1222 IEEE80211_DPRINTF(ic, 1223 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1224 "[%s] shared key auth failed (reason %d)\n", 1225 ether_sprintf(ieee80211_getbssid(ic, wh)), 1226 status); 1227 /* XXX can this happen? */ 1228 if (ni != ic->ic_bss) 1229 ni->ni_fails++; 1230 ic->ic_stats.is_rx_auth_fail++; 1231 return; 1232 } 1233 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1234 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1235 break; 1236 case IEEE80211_AUTH_SHARED_CHALLENGE: 1237 if (!alloc_challenge(ic, ni)) 1238 return; 1239 /* XXX could optimize by passing recvd challenge */ 1240 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1241 IEEE80211_SEND_MGMT(ic, ni, 1242 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1243 break; 1244 default: 1245 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1246 wh, "shared key auth", "bad seq %d", seq); 1247 ic->ic_stats.is_rx_bad_auth++; 1248 return; 1249 } 1250 break; 1251 } 1252 return; 1253 bad: 1254 #ifndef IEEE80211_NO_HOSTAP 1255 /* 1256 * Send an error response; but only when operating as an AP. 1257 */ 1258 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1259 /* XXX hack to workaround calling convention */ 1260 ieee80211_send_error(ic, ni, wh->i_addr2, 1261 IEEE80211_FC0_SUBTYPE_AUTH, 1262 (seq + 1) | (estatus<<16)); 1263 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1264 /* 1265 * Kick the state machine. This short-circuits 1266 * using the mgt frame timeout to trigger the 1267 * state transition. 1268 */ 1269 if (ic->ic_state == IEEE80211_S_AUTH) 1270 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1271 } 1272 #else 1273 ; 1274 #endif /* !IEEE80211_NO_HOSTAP */ 1275 } 1276 1277 /* Verify the existence and length of __elem or get out. */ 1278 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1279 if ((__elem) == NULL) { \ 1280 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1281 wh, ieee80211_mgt_subtype_name[subtype >> \ 1282 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1283 "%s", "no " #__elem ); \ 1284 ic->ic_stats.is_rx_elem_missing++; \ 1285 return; \ 1286 } \ 1287 if ((__elem)[1] > (__maxlen)) { \ 1288 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1289 wh, ieee80211_mgt_subtype_name[subtype >> \ 1290 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1291 "bad " #__elem " len %d", (__elem)[1]); \ 1292 ic->ic_stats.is_rx_elem_toobig++; \ 1293 return; \ 1294 } \ 1295 } while (0) 1296 1297 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1298 if ((_len) < (_minlen)) { \ 1299 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1300 wh, ieee80211_mgt_subtype_name[subtype >> \ 1301 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1302 "%s", "ie too short"); \ 1303 ic->ic_stats.is_rx_elem_toosmall++; \ 1304 return; \ 1305 } \ 1306 } while (0) 1307 1308 #ifdef IEEE80211_DEBUG 1309 static void 1310 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1311 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1312 { 1313 printf("[%s] discard %s frame, ssid mismatch: ", 1314 ether_sprintf(mac), tag); 1315 ieee80211_print_essid(ssid + 2, ssid[1]); 1316 printf("\n"); 1317 } 1318 1319 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1320 if ((_ssid)[1] != 0 && \ 1321 ((_ssid)[1] != (_ni)->ni_esslen || \ 1322 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1323 if (ieee80211_msg_input(ic)) \ 1324 ieee80211_ssid_mismatch(ic, \ 1325 ieee80211_mgt_subtype_name[subtype >> \ 1326 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1327 wh->i_addr2, _ssid); \ 1328 ic->ic_stats.is_rx_ssidmismatch++; \ 1329 return; \ 1330 } \ 1331 } while (0) 1332 #else /* !IEEE80211_DEBUG */ 1333 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1334 if ((_ssid)[1] != 0 && \ 1335 ((_ssid)[1] != (_ni)->ni_esslen || \ 1336 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1337 ic->ic_stats.is_rx_ssidmismatch++; \ 1338 return; \ 1339 } \ 1340 } while (0) 1341 #endif /* !IEEE80211_DEBUG */ 1342 1343 /* unaligned little endian access */ 1344 #define LE_READ_2(p) \ 1345 ((u_int16_t) \ 1346 ((((const u_int8_t *)(p))[0] ) | \ 1347 (((const u_int8_t *)(p))[1] << 8))) 1348 #define LE_READ_4(p) \ 1349 ((u_int32_t) \ 1350 ((((const u_int8_t *)(p))[0] ) | \ 1351 (((const u_int8_t *)(p))[1] << 8) | \ 1352 (((const u_int8_t *)(p))[2] << 16) | \ 1353 (((const u_int8_t *)(p))[3] << 24))) 1354 1355 static __inline int 1356 iswpaoui(const u_int8_t *frm) 1357 { 1358 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1359 } 1360 1361 static __inline int 1362 iswmeoui(const u_int8_t *frm) 1363 { 1364 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1365 } 1366 1367 static __inline int 1368 iswmeparam(const u_int8_t *frm) 1369 { 1370 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1371 frm[6] == WME_PARAM_OUI_SUBTYPE; 1372 } 1373 1374 static __inline int 1375 iswmeinfo(const u_int8_t *frm) 1376 { 1377 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1378 frm[6] == WME_INFO_OUI_SUBTYPE; 1379 } 1380 1381 /* 1382 * Convert a WPA cipher selector OUI to an internal 1383 * cipher algorithm. Where appropriate we also 1384 * record any key length. 1385 */ 1386 static int 1387 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1388 { 1389 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1390 u_int32_t w = LE_READ_4(sel); 1391 1392 switch (w) { 1393 case WPA_SEL(WPA_CSE_NULL): 1394 return IEEE80211_CIPHER_NONE; 1395 case WPA_SEL(WPA_CSE_WEP40): 1396 if (keylen) 1397 *keylen = 40 / NBBY; 1398 return IEEE80211_CIPHER_WEP; 1399 case WPA_SEL(WPA_CSE_WEP104): 1400 if (keylen) 1401 *keylen = 104 / NBBY; 1402 return IEEE80211_CIPHER_WEP; 1403 case WPA_SEL(WPA_CSE_TKIP): 1404 return IEEE80211_CIPHER_TKIP; 1405 case WPA_SEL(WPA_CSE_CCMP): 1406 return IEEE80211_CIPHER_AES_CCM; 1407 } 1408 return 32; /* NB: so 1<< is discarded */ 1409 #undef WPA_SEL 1410 } 1411 1412 /* 1413 * Convert a WPA key management/authentication algorithm 1414 * to an internal code. 1415 */ 1416 static int 1417 wpa_keymgmt(u_int8_t *sel) 1418 { 1419 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1420 u_int32_t w = LE_READ_4(sel); 1421 1422 switch (w) { 1423 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1424 return WPA_ASE_8021X_UNSPEC; 1425 case WPA_SEL(WPA_ASE_8021X_PSK): 1426 return WPA_ASE_8021X_PSK; 1427 case WPA_SEL(WPA_ASE_NONE): 1428 return WPA_ASE_NONE; 1429 } 1430 return 0; /* NB: so is discarded */ 1431 #undef WPA_SEL 1432 } 1433 1434 /* 1435 * Parse a WPA information element to collect parameters 1436 * and validate the parameters against what has been 1437 * configured for the system. 1438 */ 1439 static int 1440 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1441 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1442 { 1443 u_int8_t len = frm[1]; 1444 u_int32_t w; 1445 int n; 1446 1447 /* 1448 * Check the length once for fixed parts: OUI, type, 1449 * version, mcast cipher, and 2 selector counts. 1450 * Other, variable-length data, must be checked separately. 1451 */ 1452 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1453 IEEE80211_DISCARD_IE(ic, 1454 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1455 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1456 return IEEE80211_REASON_IE_INVALID; 1457 } 1458 if (len < 14) { 1459 IEEE80211_DISCARD_IE(ic, 1460 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1461 wh, "WPA", "too short, len %u", len); 1462 return IEEE80211_REASON_IE_INVALID; 1463 } 1464 frm += 6, len -= 4; /* NB: len is payload only */ 1465 /* NB: iswapoui already validated the OUI and type */ 1466 w = LE_READ_2(frm); 1467 if (w != WPA_VERSION) { 1468 IEEE80211_DISCARD_IE(ic, 1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1470 wh, "WPA", "bad version %u", w); 1471 return IEEE80211_REASON_IE_INVALID; 1472 } 1473 frm += 2, len -= 2; 1474 1475 /* multicast/group cipher */ 1476 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1477 if (w != rsn->rsn_mcastcipher) { 1478 IEEE80211_DISCARD_IE(ic, 1479 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1480 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1481 w, rsn->rsn_mcastcipher); 1482 return IEEE80211_REASON_IE_INVALID; 1483 } 1484 frm += 4, len -= 4; 1485 1486 /* unicast ciphers */ 1487 n = LE_READ_2(frm); 1488 frm += 2, len -= 2; 1489 if (len < n*4+2) { 1490 IEEE80211_DISCARD_IE(ic, 1491 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1492 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1493 len, n); 1494 return IEEE80211_REASON_IE_INVALID; 1495 } 1496 w = 0; 1497 for (; n > 0; n--) { 1498 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1499 frm += 4, len -= 4; 1500 } 1501 w &= rsn->rsn_ucastcipherset; 1502 if (w == 0) { 1503 IEEE80211_DISCARD_IE(ic, 1504 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1505 wh, "WPA", "%s", "ucast cipher set empty"); 1506 return IEEE80211_REASON_IE_INVALID; 1507 } 1508 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1509 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1510 else 1511 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1512 1513 /* key management algorithms */ 1514 n = LE_READ_2(frm); 1515 frm += 2, len -= 2; 1516 if (len < n*4) { 1517 IEEE80211_DISCARD_IE(ic, 1518 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1519 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1520 len, n); 1521 return IEEE80211_REASON_IE_INVALID; 1522 } 1523 w = 0; 1524 for (; n > 0; n--) { 1525 w |= wpa_keymgmt(frm); 1526 frm += 4, len -= 4; 1527 } 1528 w &= rsn->rsn_keymgmtset; 1529 if (w == 0) { 1530 IEEE80211_DISCARD_IE(ic, 1531 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1532 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1533 return IEEE80211_REASON_IE_INVALID; 1534 } 1535 if (w & WPA_ASE_8021X_UNSPEC) 1536 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1537 else 1538 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1539 1540 if (len > 2) /* optional capabilities */ 1541 rsn->rsn_caps = LE_READ_2(frm); 1542 1543 return 0; 1544 } 1545 1546 /* 1547 * Convert an RSN cipher selector OUI to an internal 1548 * cipher algorithm. Where appropriate we also 1549 * record any key length. 1550 */ 1551 static int 1552 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1553 { 1554 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1555 u_int32_t w = LE_READ_4(sel); 1556 1557 switch (w) { 1558 case RSN_SEL(RSN_CSE_NULL): 1559 return IEEE80211_CIPHER_NONE; 1560 case RSN_SEL(RSN_CSE_WEP40): 1561 if (keylen) 1562 *keylen = 40 / NBBY; 1563 return IEEE80211_CIPHER_WEP; 1564 case RSN_SEL(RSN_CSE_WEP104): 1565 if (keylen) 1566 *keylen = 104 / NBBY; 1567 return IEEE80211_CIPHER_WEP; 1568 case RSN_SEL(RSN_CSE_TKIP): 1569 return IEEE80211_CIPHER_TKIP; 1570 case RSN_SEL(RSN_CSE_CCMP): 1571 return IEEE80211_CIPHER_AES_CCM; 1572 case RSN_SEL(RSN_CSE_WRAP): 1573 return IEEE80211_CIPHER_AES_OCB; 1574 } 1575 return 32; /* NB: so 1<< is discarded */ 1576 #undef WPA_SEL 1577 } 1578 1579 /* 1580 * Convert an RSN key management/authentication algorithm 1581 * to an internal code. 1582 */ 1583 static int 1584 rsn_keymgmt(u_int8_t *sel) 1585 { 1586 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1587 u_int32_t w = LE_READ_4(sel); 1588 1589 switch (w) { 1590 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1591 return RSN_ASE_8021X_UNSPEC; 1592 case RSN_SEL(RSN_ASE_8021X_PSK): 1593 return RSN_ASE_8021X_PSK; 1594 case RSN_SEL(RSN_ASE_NONE): 1595 return RSN_ASE_NONE; 1596 } 1597 return 0; /* NB: so is discarded */ 1598 #undef RSN_SEL 1599 } 1600 1601 /* 1602 * Parse a WPA/RSN information element to collect parameters 1603 * and validate the parameters against what has been 1604 * configured for the system. 1605 */ 1606 static int 1607 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1608 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1609 { 1610 u_int8_t len = frm[1]; 1611 u_int32_t w; 1612 int n; 1613 1614 /* 1615 * Check the length once for fixed parts: 1616 * version, mcast cipher, and 2 selector counts. 1617 * Other, variable-length data, must be checked separately. 1618 */ 1619 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1620 IEEE80211_DISCARD_IE(ic, 1621 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1622 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1623 return IEEE80211_REASON_IE_INVALID; 1624 } 1625 if (len < 10) { 1626 IEEE80211_DISCARD_IE(ic, 1627 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1628 wh, "RSN", "too short, len %u", len); 1629 return IEEE80211_REASON_IE_INVALID; 1630 } 1631 frm += 2; 1632 w = LE_READ_2(frm); 1633 if (w != RSN_VERSION) { 1634 IEEE80211_DISCARD_IE(ic, 1635 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1636 wh, "RSN", "bad version %u", w); 1637 return IEEE80211_REASON_IE_INVALID; 1638 } 1639 frm += 2, len -= 2; 1640 1641 /* multicast/group cipher */ 1642 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1643 if (w != rsn->rsn_mcastcipher) { 1644 IEEE80211_DISCARD_IE(ic, 1645 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1646 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1647 w, rsn->rsn_mcastcipher); 1648 return IEEE80211_REASON_IE_INVALID; 1649 } 1650 frm += 4, len -= 4; 1651 1652 /* unicast ciphers */ 1653 n = LE_READ_2(frm); 1654 frm += 2, len -= 2; 1655 if (len < n*4+2) { 1656 IEEE80211_DISCARD_IE(ic, 1657 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1658 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1659 len, n); 1660 return IEEE80211_REASON_IE_INVALID; 1661 } 1662 w = 0; 1663 for (; n > 0; n--) { 1664 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1665 frm += 4, len -= 4; 1666 } 1667 w &= rsn->rsn_ucastcipherset; 1668 if (w == 0) { 1669 IEEE80211_DISCARD_IE(ic, 1670 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1671 wh, "RSN", "%s", "ucast cipher set empty"); 1672 return IEEE80211_REASON_IE_INVALID; 1673 } 1674 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1675 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1676 else 1677 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1678 1679 /* key management algorithms */ 1680 n = LE_READ_2(frm); 1681 frm += 2, len -= 2; 1682 if (len < n*4) { 1683 IEEE80211_DISCARD_IE(ic, 1684 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1685 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1686 len, n); 1687 return IEEE80211_REASON_IE_INVALID; 1688 } 1689 w = 0; 1690 for (; n > 0; n--) { 1691 w |= rsn_keymgmt(frm); 1692 frm += 4, len -= 4; 1693 } 1694 w &= rsn->rsn_keymgmtset; 1695 if (w == 0) { 1696 IEEE80211_DISCARD_IE(ic, 1697 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1698 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1699 return IEEE80211_REASON_IE_INVALID; 1700 } 1701 if (w & RSN_ASE_8021X_UNSPEC) 1702 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1703 else 1704 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1705 1706 /* optional RSN capabilities */ 1707 if (len > 2) 1708 rsn->rsn_caps = LE_READ_2(frm); 1709 /* XXXPMKID */ 1710 1711 return 0; 1712 } 1713 1714 static int 1715 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1716 const struct ieee80211_frame *wh) 1717 { 1718 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1719 struct ieee80211_wme_state *wme = &ic->ic_wme; 1720 u_int len = frm[1], qosinfo; 1721 int i; 1722 1723 if (len < sizeof(struct ieee80211_wme_param)-2) { 1724 IEEE80211_DISCARD_IE(ic, 1725 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1726 wh, "WME", "too short, len %u", len); 1727 return -1; 1728 } 1729 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1730 qosinfo &= WME_QOSINFO_COUNT; 1731 /* XXX do proper check for wraparound */ 1732 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1733 return 0; 1734 frm += offsetof(struct ieee80211_wme_param, params_acParams); 1735 for (i = 0; i < WME_NUM_AC; i++) { 1736 struct wmeParams *wmep = 1737 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1738 /* NB: ACI not used */ 1739 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1740 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1741 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1742 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1743 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1744 frm += 4; 1745 } 1746 wme->wme_wmeChanParams.cap_info = qosinfo; 1747 return 1; 1748 #undef MS 1749 } 1750 1751 void 1752 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1753 { 1754 u_int ielen = ie[1]+2; 1755 /* 1756 * Record information element for later use. 1757 */ 1758 if (*iep == NULL || (*iep)[1] != ie[1]) { 1759 if (*iep != NULL) 1760 free(*iep, M_DEVBUF); 1761 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1762 } 1763 if (*iep != NULL) 1764 memcpy(*iep, ie, ielen); 1765 /* XXX note failure */ 1766 } 1767 1768 static void 1769 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1770 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1771 u_int32_t rstamp) 1772 { 1773 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1774 /* 1775 * Create a new entry in the neighbor table. 1776 * Records the TSF. 1777 */ 1778 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1779 return; 1780 } else if (ni->ni_capinfo == 0) { 1781 /* 1782 * Initialize a node that was "faked up." Records 1783 * the TSF. 1784 * 1785 * No need to check for a change of BSSID: ni could 1786 * not have been the IBSS (ic_bss) 1787 */ 1788 ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1789 } else { 1790 /* Record TSF for potential resync. */ 1791 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp)); 1792 } 1793 1794 ni->ni_rssi = rssi; 1795 ni->ni_rstamp = rstamp; 1796 1797 /* Mark a neighbor's change of BSSID. */ 1798 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 1799 return; 1800 1801 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1802 1803 if (ni != ic->ic_bss) 1804 return; 1805 else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 1806 /* 1807 * Now, ni does not represent a network we 1808 * want to belong to, so start a scan. 1809 */ 1810 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1811 return; 1812 } else { 1813 /* 1814 * A RUN->RUN transition lets the driver 1815 * reprogram its BSSID filter. 1816 * 1817 * No need to SCAN, we already belong to 1818 * an IBSS that meets our criteria: channel, 1819 * SSID, etc. It could be harmful to scan, 1820 * too: if a scan does not detect nodes 1821 * belonging to my current IBSS, then we 1822 * will create a new IBSS at the end of 1823 * the scan, needlessly splitting the 1824 * network. 1825 */ 1826 ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 1827 } 1828 } 1829 1830 void 1831 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1832 struct ieee80211_node *ni, 1833 int subtype, int rssi, u_int32_t rstamp) 1834 { 1835 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1836 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1837 struct ieee80211_frame *wh; 1838 u_int8_t *frm, *efrm; 1839 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1840 int reassoc, resp, allocbs; 1841 u_int8_t rate; 1842 1843 wh = mtod(m0, struct ieee80211_frame *); 1844 frm = (u_int8_t *)&wh[1]; 1845 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1846 switch (subtype) { 1847 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1848 case IEEE80211_FC0_SUBTYPE_BEACON: { 1849 struct ieee80211_scanparams scan; 1850 1851 /* 1852 * We process beacon/probe response frames: 1853 * o when scanning, or 1854 * o station mode when associated (to collect state 1855 * updates such as 802.11g slot time), or 1856 * o adhoc mode (to discover neighbors) 1857 * Frames otherwise received are discarded. 1858 */ 1859 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1860 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1861 ic->ic_opmode == IEEE80211_M_IBSS)) { 1862 ic->ic_stats.is_rx_mgtdiscard++; 1863 return; 1864 } 1865 /* 1866 * beacon/probe response frame format 1867 * [8] time stamp 1868 * [2] beacon interval 1869 * [2] capability information 1870 * [tlv] ssid 1871 * [tlv] supported rates 1872 * [tlv] country information 1873 * [tlv] parameter set (FH/DS) 1874 * [tlv] erp information 1875 * [tlv] extended supported rates 1876 * [tlv] WME 1877 * [tlv] WPA or RSN 1878 */ 1879 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1880 memset(&scan, 0, sizeof(scan)); 1881 scan.tstamp = frm; frm += 8; 1882 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1883 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1884 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1885 scan.chan = scan.bchan; 1886 1887 while (frm < efrm) { 1888 switch (*frm) { 1889 case IEEE80211_ELEMID_SSID: 1890 scan.ssid = frm; 1891 break; 1892 case IEEE80211_ELEMID_RATES: 1893 scan.rates = frm; 1894 break; 1895 case IEEE80211_ELEMID_COUNTRY: 1896 scan.country = frm; 1897 break; 1898 case IEEE80211_ELEMID_FHPARMS: 1899 if (ic->ic_phytype == IEEE80211_T_FH) { 1900 scan.fhdwell = LE_READ_2(&frm[2]); 1901 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1902 scan.fhindex = frm[6]; 1903 } 1904 break; 1905 case IEEE80211_ELEMID_DSPARMS: 1906 /* 1907 * XXX hack this since depending on phytype 1908 * is problematic for multi-mode devices. 1909 */ 1910 if (ic->ic_phytype != IEEE80211_T_FH) 1911 scan.chan = frm[2]; 1912 break; 1913 case IEEE80211_ELEMID_TIM: 1914 /* XXX ATIM? */ 1915 scan.tim = frm; 1916 scan.timoff = frm - mtod(m0, u_int8_t *); 1917 break; 1918 case IEEE80211_ELEMID_IBSSPARMS: 1919 break; 1920 case IEEE80211_ELEMID_XRATES: 1921 scan.xrates = frm; 1922 break; 1923 case IEEE80211_ELEMID_ERP: 1924 if (frm[1] != 1) { 1925 IEEE80211_DISCARD_IE(ic, 1926 IEEE80211_MSG_ELEMID, wh, "ERP", 1927 "bad len %u", frm[1]); 1928 ic->ic_stats.is_rx_elem_toobig++; 1929 break; 1930 } 1931 scan.erp = frm[2]; 1932 break; 1933 case IEEE80211_ELEMID_RSN: 1934 scan.wpa = frm; 1935 break; 1936 case IEEE80211_ELEMID_VENDOR: 1937 if (iswpaoui(frm)) 1938 scan.wpa = frm; 1939 else if (iswmeparam(frm) || iswmeinfo(frm)) 1940 scan.wme = frm; 1941 /* XXX Atheros OUI support */ 1942 break; 1943 default: 1944 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1945 wh, "unhandled", 1946 "id %u, len %u", *frm, frm[1]); 1947 ic->ic_stats.is_rx_elem_unknown++; 1948 break; 1949 } 1950 frm += frm[1] + 2; 1951 } 1952 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1953 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1954 if ( 1955 #if IEEE80211_CHAN_MAX < 255 1956 scan.chan > IEEE80211_CHAN_MAX || 1957 #endif 1958 isclr(ic->ic_chan_active, scan.chan)) { 1959 IEEE80211_DISCARD(ic, 1960 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1961 wh, ieee80211_mgt_subtype_name[subtype >> 1962 IEEE80211_FC0_SUBTYPE_SHIFT], 1963 "invalid channel %u", scan.chan); 1964 ic->ic_stats.is_rx_badchan++; 1965 return; 1966 } 1967 if (scan.chan != scan.bchan && 1968 ic->ic_phytype != IEEE80211_T_FH) { 1969 /* 1970 * Frame was received on a channel different from the 1971 * one indicated in the DS params element id; 1972 * silently discard it. 1973 * 1974 * NB: this can happen due to signal leakage. 1975 * But we should take it for FH phy because 1976 * the rssi value should be correct even for 1977 * different hop pattern in FH. 1978 */ 1979 IEEE80211_DISCARD(ic, 1980 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1981 wh, ieee80211_mgt_subtype_name[subtype >> 1982 IEEE80211_FC0_SUBTYPE_SHIFT], 1983 "for off-channel %u", scan.chan); 1984 ic->ic_stats.is_rx_chanmismatch++; 1985 return; 1986 } 1987 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 1988 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 1989 IEEE80211_DISCARD(ic, 1990 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1991 wh, ieee80211_mgt_subtype_name[subtype >> 1992 IEEE80211_FC0_SUBTYPE_SHIFT], 1993 "bogus beacon interval", scan.bintval); 1994 ic->ic_stats.is_rx_badbintval++; 1995 return; 1996 } 1997 1998 if (ni != ic->ic_bss) { 1999 ni = ieee80211_refine_node_for_beacon(ic, ni, 2000 &ic->ic_channels[scan.chan], scan.ssid); 2001 } 2002 /* 2003 * Count frame now that we know it's to be processed. 2004 */ 2005 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2006 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2007 IEEE80211_NODE_STAT(ni, rx_beacons); 2008 } else 2009 IEEE80211_NODE_STAT(ni, rx_proberesp); 2010 2011 /* 2012 * When operating in station mode, check for state updates. 2013 * Be careful to ignore beacons received while doing a 2014 * background scan. We consider only 11g/WMM stuff right now. 2015 */ 2016 if (ic->ic_opmode == IEEE80211_M_STA && 2017 ni->ni_associd != 0 && 2018 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2019 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2020 /* record tsf of last beacon */ 2021 memcpy(ni->ni_tstamp.data, scan.tstamp, 2022 sizeof(ni->ni_tstamp)); 2023 if (ni->ni_erp != scan.erp) { 2024 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2025 "[%s] erp change: was 0x%x, now 0x%x\n", 2026 ether_sprintf(wh->i_addr2), 2027 ni->ni_erp, scan.erp); 2028 if (ic->ic_curmode == IEEE80211_MODE_11G && 2029 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2030 ic->ic_flags |= IEEE80211_F_USEPROT; 2031 else 2032 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2033 ni->ni_erp = scan.erp; 2034 /* XXX statistic */ 2035 } 2036 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2037 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2038 "[%s] capabilities change: before 0x%x," 2039 " now 0x%x\n", 2040 ether_sprintf(wh->i_addr2), 2041 ni->ni_capinfo, scan.capinfo); 2042 /* 2043 * NB: we assume short preamble doesn't 2044 * change dynamically 2045 */ 2046 ieee80211_set_shortslottime(ic, 2047 ic->ic_curmode == IEEE80211_MODE_11A || 2048 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2049 ni->ni_capinfo = scan.capinfo; 2050 /* XXX statistic */ 2051 } 2052 if (scan.wme != NULL && 2053 (ni->ni_flags & IEEE80211_NODE_QOS) && 2054 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2055 ieee80211_wme_updateparams(ic); 2056 if (scan.tim != NULL) { 2057 struct ieee80211_tim_ie *ie = 2058 (struct ieee80211_tim_ie *) scan.tim; 2059 2060 ni->ni_dtim_count = ie->tim_count; 2061 ni->ni_dtim_period = ie->tim_period; 2062 } 2063 if (ic->ic_flags & IEEE80211_F_SCAN) 2064 ieee80211_add_scan(ic, &scan, wh, 2065 subtype, rssi, rstamp); 2066 ic->ic_bmiss_count = 0; 2067 return; 2068 } 2069 /* 2070 * If scanning, just pass information to the scan module. 2071 */ 2072 if (ic->ic_flags & IEEE80211_F_SCAN) { 2073 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2074 /* 2075 * Actively scanning a channel marked passive; 2076 * send a probe request now that we know there 2077 * is 802.11 traffic present. 2078 * 2079 * XXX check if the beacon we recv'd gives 2080 * us what we need and suppress the probe req 2081 */ 2082 ieee80211_probe_curchan(ic, 1); 2083 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2084 } 2085 ieee80211_add_scan(ic, &scan, wh, 2086 subtype, rssi, rstamp); 2087 return; 2088 } 2089 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) 2090 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, 2091 rstamp); 2092 break; 2093 } 2094 2095 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2096 if (ic->ic_opmode == IEEE80211_M_STA || 2097 ic->ic_state != IEEE80211_S_RUN) { 2098 ic->ic_stats.is_rx_mgtdiscard++; 2099 return; 2100 } 2101 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2102 /* frame must be directed */ 2103 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2104 return; 2105 } 2106 2107 /* 2108 * prreq frame format 2109 * [tlv] ssid 2110 * [tlv] supported rates 2111 * [tlv] extended supported rates 2112 */ 2113 ssid = rates = xrates = NULL; 2114 while (frm < efrm) { 2115 switch (*frm) { 2116 case IEEE80211_ELEMID_SSID: 2117 ssid = frm; 2118 break; 2119 case IEEE80211_ELEMID_RATES: 2120 rates = frm; 2121 break; 2122 case IEEE80211_ELEMID_XRATES: 2123 xrates = frm; 2124 break; 2125 } 2126 frm += frm[1] + 2; 2127 } 2128 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2129 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2130 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2131 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2132 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2133 wh, ieee80211_mgt_subtype_name[subtype >> 2134 IEEE80211_FC0_SUBTYPE_SHIFT], 2135 "%s", "no ssid with ssid suppression enabled"); 2136 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2137 return; 2138 } 2139 2140 if (ni == ic->ic_bss) { 2141 if (ic->ic_opmode != IEEE80211_M_IBSS) 2142 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2143 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) 2144 ; 2145 else { 2146 /* 2147 * XXX Cannot tell if the sender is operating 2148 * in ibss mode. But we need a new node to 2149 * send the response so blindly add them to the 2150 * neighbor table. 2151 */ 2152 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2153 wh->i_addr2); 2154 } 2155 if (ni == NULL) 2156 return; 2157 allocbs = 1; 2158 } else 2159 allocbs = 0; 2160 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2161 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2162 ni->ni_rssi = rssi; 2163 ni->ni_rstamp = rstamp; 2164 rate = ieee80211_setup_rates(ni, rates, xrates, 2165 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE 2166 | IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2167 if (rate & IEEE80211_RATE_BASIC) { 2168 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2169 wh, ieee80211_mgt_subtype_name[subtype >> 2170 IEEE80211_FC0_SUBTYPE_SHIFT], 2171 "%s", "recv'd rate set invalid"); 2172 } else { 2173 IEEE80211_SEND_MGMT(ic, ni, 2174 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2175 } 2176 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2177 /* reclaim immediately */ 2178 ieee80211_free_node(ni); 2179 } 2180 break; 2181 2182 case IEEE80211_FC0_SUBTYPE_AUTH: { 2183 u_int16_t algo, seq, status; 2184 /* 2185 * auth frame format 2186 * [2] algorithm 2187 * [2] sequence 2188 * [2] status 2189 * [tlv*] challenge 2190 */ 2191 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2192 algo = le16toh(*(u_int16_t *)frm); 2193 seq = le16toh(*(u_int16_t *)(frm + 2)); 2194 status = le16toh(*(u_int16_t *)(frm + 4)); 2195 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2196 "[%s] recv auth frame with algorithm %d seq %d\n", 2197 ether_sprintf(wh->i_addr2), algo, seq); 2198 /* 2199 * Consult the ACL policy module if setup. 2200 */ 2201 if (ic->ic_acl != NULL && 2202 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2203 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2204 wh, "auth", "%s", "disallowed by ACL"); 2205 ic->ic_stats.is_rx_acl++; 2206 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2207 IEEE80211_SEND_MGMT(ic, ni, 2208 IEEE80211_FC0_SUBTYPE_AUTH, 2209 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2210 } 2211 return; 2212 } 2213 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2214 IEEE80211_DISCARD(ic, 2215 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2216 wh, "auth", "%s", "TKIP countermeasures enabled"); 2217 ic->ic_stats.is_rx_auth_countermeasures++; 2218 #ifndef IEEE80211_NO_HOSTAP 2219 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2220 IEEE80211_SEND_MGMT(ic, ni, 2221 IEEE80211_FC0_SUBTYPE_AUTH, 2222 IEEE80211_REASON_MIC_FAILURE); 2223 } 2224 #endif /* !IEEE80211_NO_HOSTAP */ 2225 return; 2226 } 2227 if (algo == IEEE80211_AUTH_ALG_SHARED) 2228 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2229 rstamp, seq, status); 2230 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2231 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2232 status); 2233 else { 2234 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2235 wh, "auth", "unsupported alg %d", algo); 2236 ic->ic_stats.is_rx_auth_unsupported++; 2237 #ifndef IEEE80211_NO_HOSTAP 2238 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2239 /* XXX not right */ 2240 IEEE80211_SEND_MGMT(ic, ni, 2241 IEEE80211_FC0_SUBTYPE_AUTH, 2242 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2243 } 2244 #endif /* !IEEE80211_NO_HOSTAP */ 2245 return; 2246 } 2247 break; 2248 } 2249 2250 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2251 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2252 u_int16_t capinfo, lintval; 2253 struct ieee80211_rsnparms rsn; 2254 u_int8_t reason; 2255 2256 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2257 ic->ic_state != IEEE80211_S_RUN) { 2258 ic->ic_stats.is_rx_mgtdiscard++; 2259 return; 2260 } 2261 2262 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2263 reassoc = 1; 2264 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2265 } else { 2266 reassoc = 0; 2267 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2268 } 2269 /* 2270 * asreq frame format 2271 * [2] capability information 2272 * [2] listen interval 2273 * [6*] current AP address (reassoc only) 2274 * [tlv] ssid 2275 * [tlv] supported rates 2276 * [tlv] extended supported rates 2277 * [tlv] WPA or RSN 2278 */ 2279 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2280 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2281 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2282 wh, ieee80211_mgt_subtype_name[subtype >> 2283 IEEE80211_FC0_SUBTYPE_SHIFT], 2284 "%s", "wrong bssid"); 2285 ic->ic_stats.is_rx_assoc_bss++; 2286 return; 2287 } 2288 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2289 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2290 if (reassoc) 2291 frm += 6; /* ignore current AP info */ 2292 ssid = rates = xrates = wpa = wme = NULL; 2293 while (frm < efrm) { 2294 switch (*frm) { 2295 case IEEE80211_ELEMID_SSID: 2296 ssid = frm; 2297 break; 2298 case IEEE80211_ELEMID_RATES: 2299 rates = frm; 2300 break; 2301 case IEEE80211_ELEMID_XRATES: 2302 xrates = frm; 2303 break; 2304 /* XXX verify only one of RSN and WPA ie's? */ 2305 case IEEE80211_ELEMID_RSN: 2306 wpa = frm; 2307 break; 2308 case IEEE80211_ELEMID_VENDOR: 2309 if (iswpaoui(frm)) 2310 wpa = frm; 2311 else if (iswmeinfo(frm)) 2312 wme = frm; 2313 /* XXX Atheros OUI support */ 2314 break; 2315 } 2316 frm += frm[1] + 2; 2317 } 2318 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2319 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2320 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2321 2322 if (ni == ic->ic_bss) { 2323 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2324 "[%s] deny %s request, sta not authenticated\n", 2325 ether_sprintf(wh->i_addr2), 2326 reassoc ? "reassoc" : "assoc"); 2327 ieee80211_send_error(ic, ni, wh->i_addr2, 2328 IEEE80211_FC0_SUBTYPE_DEAUTH, 2329 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2330 ic->ic_stats.is_rx_assoc_notauth++; 2331 return; 2332 } 2333 /* assert right associstion security credentials */ 2334 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2335 IEEE80211_DPRINTF(ic, 2336 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2337 "[%s] no WPA/RSN IE in association request\n", 2338 ether_sprintf(wh->i_addr2)); 2339 IEEE80211_SEND_MGMT(ic, ni, 2340 IEEE80211_FC0_SUBTYPE_DEAUTH, 2341 IEEE80211_REASON_RSN_REQUIRED); 2342 ieee80211_node_leave(ic, ni); 2343 /* XXX distinguish WPA/RSN? */ 2344 ic->ic_stats.is_rx_assoc_badwpaie++; 2345 return; 2346 } 2347 if (wpa != NULL) { 2348 /* 2349 * Parse WPA information element. Note that 2350 * we initialize the param block from the node 2351 * state so that information in the IE overrides 2352 * our defaults. The resulting parameters are 2353 * installed below after the association is assured. 2354 */ 2355 rsn = ni->ni_rsn; 2356 if (wpa[0] != IEEE80211_ELEMID_RSN) 2357 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2358 else 2359 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2360 if (reason != 0) { 2361 IEEE80211_SEND_MGMT(ic, ni, 2362 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2363 ieee80211_node_leave(ic, ni); 2364 /* XXX distinguish WPA/RSN? */ 2365 ic->ic_stats.is_rx_assoc_badwpaie++; 2366 return; 2367 } 2368 IEEE80211_DPRINTF(ic, 2369 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2370 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2371 ether_sprintf(wh->i_addr2), 2372 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2373 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2374 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2375 rsn.rsn_keymgmt, rsn.rsn_caps); 2376 } 2377 /* discard challenge after association */ 2378 if (ni->ni_challenge != NULL) { 2379 free(ni->ni_challenge, M_DEVBUF); 2380 ni->ni_challenge = NULL; 2381 } 2382 /* NB: 802.11 spec says to ignore station's privacy bit */ 2383 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2384 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2385 "[%s] deny %s request, capability mismatch 0x%x\n", 2386 ether_sprintf(wh->i_addr2), 2387 reassoc ? "reassoc" : "assoc", capinfo); 2388 IEEE80211_SEND_MGMT(ic, ni, resp, 2389 IEEE80211_STATUS_CAPINFO); 2390 ieee80211_node_leave(ic, ni); 2391 ic->ic_stats.is_rx_assoc_capmismatch++; 2392 return; 2393 } 2394 rate = ieee80211_setup_rates(ni, rates, xrates, 2395 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2396 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2397 /* 2398 * If constrained to 11g-only stations reject an 2399 * 11b-only station. We cheat a bit here by looking 2400 * at the max negotiated xmit rate and assuming anyone 2401 * with a best rate <24Mb/s is an 11b station. 2402 */ 2403 if ((rate & IEEE80211_RATE_BASIC) || 2404 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2405 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2406 "[%s] deny %s request, rate set mismatch\n", 2407 ether_sprintf(wh->i_addr2), 2408 reassoc ? "reassoc" : "assoc"); 2409 IEEE80211_SEND_MGMT(ic, ni, resp, 2410 IEEE80211_STATUS_BASIC_RATE); 2411 ieee80211_node_leave(ic, ni); 2412 ic->ic_stats.is_rx_assoc_norate++; 2413 return; 2414 } 2415 ni->ni_rssi = rssi; 2416 ni->ni_rstamp = rstamp; 2417 ni->ni_intval = lintval; 2418 ni->ni_capinfo = capinfo; 2419 ni->ni_chan = ic->ic_bss->ni_chan; 2420 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2421 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2422 if (wpa != NULL) { 2423 /* 2424 * Record WPA/RSN parameters for station, mark 2425 * node as using WPA and record information element 2426 * for applications that require it. 2427 */ 2428 ni->ni_rsn = rsn; 2429 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2430 } else if (ni->ni_wpa_ie != NULL) { 2431 /* 2432 * Flush any state from a previous association. 2433 */ 2434 free(ni->ni_wpa_ie, M_DEVBUF); 2435 ni->ni_wpa_ie = NULL; 2436 } 2437 if (wme != NULL) { 2438 /* 2439 * Record WME parameters for station, mark node 2440 * as capable of QoS and record information 2441 * element for applications that require it. 2442 */ 2443 ieee80211_saveie(&ni->ni_wme_ie, wme); 2444 ni->ni_flags |= IEEE80211_NODE_QOS; 2445 } else if (ni->ni_wme_ie != NULL) { 2446 /* 2447 * Flush any state from a previous association. 2448 */ 2449 free(ni->ni_wme_ie, M_DEVBUF); 2450 ni->ni_wme_ie = NULL; 2451 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2452 } 2453 ieee80211_node_join(ic, ni, resp); 2454 break; 2455 } 2456 2457 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2458 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2459 u_int16_t capinfo, associd; 2460 u_int16_t status; 2461 2462 if (ic->ic_opmode != IEEE80211_M_STA || 2463 ic->ic_state != IEEE80211_S_ASSOC) { 2464 ic->ic_stats.is_rx_mgtdiscard++; 2465 return; 2466 } 2467 2468 /* 2469 * asresp frame format 2470 * [2] capability information 2471 * [2] status 2472 * [2] association ID 2473 * [tlv] supported rates 2474 * [tlv] extended supported rates 2475 * [tlv] WME 2476 */ 2477 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2478 ni = ic->ic_bss; 2479 capinfo = le16toh(*(u_int16_t *)frm); 2480 frm += 2; 2481 status = le16toh(*(u_int16_t *)frm); 2482 frm += 2; 2483 if (status != 0) { 2484 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2485 "[%s] %sassoc failed (reason %d)\n", 2486 ether_sprintf(wh->i_addr2), 2487 ISREASSOC(subtype) ? "re" : "", status); 2488 if (ni != ic->ic_bss) /* XXX never true? */ 2489 ni->ni_fails++; 2490 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2491 return; 2492 } 2493 associd = le16toh(*(u_int16_t *)frm); 2494 frm += 2; 2495 2496 rates = xrates = wpa = wme = NULL; 2497 while (frm < efrm) { 2498 switch (*frm) { 2499 case IEEE80211_ELEMID_RATES: 2500 rates = frm; 2501 break; 2502 case IEEE80211_ELEMID_XRATES: 2503 xrates = frm; 2504 break; 2505 case IEEE80211_ELEMID_VENDOR: 2506 if (iswmeoui(frm)) 2507 wme = frm; 2508 /* XXX Atheros OUI support */ 2509 break; 2510 } 2511 frm += frm[1] + 2; 2512 } 2513 2514 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2515 rate = ieee80211_setup_rates(ni, rates, xrates, 2516 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2517 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2518 if (rate & IEEE80211_RATE_BASIC) { 2519 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2520 "[%s] %sassoc failed (rate set mismatch)\n", 2521 ether_sprintf(wh->i_addr2), 2522 ISREASSOC(subtype) ? "re" : ""); 2523 if (ni != ic->ic_bss) /* XXX never true? */ 2524 ni->ni_fails++; 2525 ic->ic_stats.is_rx_assoc_norate++; 2526 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2527 return; 2528 } 2529 2530 ni->ni_capinfo = capinfo; 2531 ni->ni_associd = associd; 2532 if (wme != NULL && 2533 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2534 ni->ni_flags |= IEEE80211_NODE_QOS; 2535 ieee80211_wme_updateparams(ic); 2536 } else 2537 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2538 /* 2539 * Configure state now that we are associated. 2540 * 2541 * XXX may need different/additional driver callbacks? 2542 */ 2543 if (ic->ic_curmode == IEEE80211_MODE_11A || 2544 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2545 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2546 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2547 } else { 2548 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2549 ic->ic_flags |= IEEE80211_F_USEBARKER; 2550 } 2551 ieee80211_set_shortslottime(ic, 2552 ic->ic_curmode == IEEE80211_MODE_11A || 2553 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2554 /* 2555 * Honor ERP protection. 2556 * 2557 * NB: ni_erp should zero for non-11g operation. 2558 * XXX check ic_curmode anyway? 2559 */ 2560 if (ic->ic_curmode == IEEE80211_MODE_11G && 2561 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2562 ic->ic_flags |= IEEE80211_F_USEPROT; 2563 else 2564 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2565 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2566 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2567 ether_sprintf(wh->i_addr2), 2568 ISREASSOC(subtype) ? "re" : "", 2569 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2570 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2571 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2572 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2573 ); 2574 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2575 break; 2576 } 2577 2578 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2579 u_int16_t reason; 2580 2581 if (ic->ic_state == IEEE80211_S_SCAN) { 2582 ic->ic_stats.is_rx_mgtdiscard++; 2583 return; 2584 } 2585 /* 2586 * deauth frame format 2587 * [2] reason 2588 */ 2589 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2590 reason = le16toh(*(u_int16_t *)frm); 2591 ic->ic_stats.is_rx_deauth++; 2592 IEEE80211_NODE_STAT(ni, rx_deauth); 2593 2594 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2595 /* Not intended for this station. */ 2596 ic->ic_stats.is_rx_mgtdiscard++; 2597 break; 2598 } 2599 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2600 "[%s] recv deauthenticate (reason %d)\n", 2601 ether_sprintf(ni->ni_macaddr), reason); 2602 switch (ic->ic_opmode) { 2603 case IEEE80211_M_STA: 2604 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2605 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2606 break; 2607 case IEEE80211_M_HOSTAP: 2608 #ifndef IEEE80211_NO_HOSTAP 2609 if (ni != ic->ic_bss) 2610 ieee80211_node_leave(ic, ni); 2611 #endif /* !IEEE80211_NO_HOSTAP */ 2612 break; 2613 default: 2614 ic->ic_stats.is_rx_mgtdiscard++; 2615 break; 2616 } 2617 break; 2618 } 2619 2620 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2621 u_int16_t reason; 2622 2623 if (ic->ic_state != IEEE80211_S_RUN && 2624 ic->ic_state != IEEE80211_S_ASSOC && 2625 ic->ic_state != IEEE80211_S_AUTH) { 2626 ic->ic_stats.is_rx_mgtdiscard++; 2627 return; 2628 } 2629 /* 2630 * disassoc frame format 2631 * [2] reason 2632 */ 2633 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2634 reason = le16toh(*(u_int16_t *)frm); 2635 ic->ic_stats.is_rx_disassoc++; 2636 IEEE80211_NODE_STAT(ni, rx_disassoc); 2637 2638 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2639 /* Not intended for this station. */ 2640 ic->ic_stats.is_rx_mgtdiscard++; 2641 break; 2642 } 2643 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2644 "[%s] recv disassociate (reason %d)\n", 2645 ether_sprintf(ni->ni_macaddr), reason); 2646 switch (ic->ic_opmode) { 2647 case IEEE80211_M_STA: 2648 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2649 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2650 break; 2651 case IEEE80211_M_HOSTAP: 2652 #ifndef IEEE80211_NO_HOSTAP 2653 if (ni != ic->ic_bss) 2654 ieee80211_node_leave(ic, ni); 2655 #endif /* !IEEE80211_NO_HOSTAP */ 2656 break; 2657 default: 2658 ic->ic_stats.is_rx_mgtdiscard++; 2659 break; 2660 } 2661 break; 2662 } 2663 default: 2664 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2665 wh, "mgt", "subtype 0x%x not handled", subtype); 2666 ic->ic_stats.is_rx_badsubtype++; 2667 break; 2668 } 2669 #undef ISREASSOC 2670 #undef ISPROBE 2671 } 2672 #undef IEEE80211_VERIFY_LENGTH 2673 #undef IEEE80211_VERIFY_ELEMENT 2674 2675 #ifndef IEEE80211_NO_HOSTAP 2676 /* 2677 * Handle station power-save state change. 2678 */ 2679 static void 2680 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2681 { 2682 struct ieee80211com *ic = ni->ni_ic; 2683 struct mbuf *m; 2684 2685 if (enable) { 2686 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2687 ic->ic_ps_sta++; 2688 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2689 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2690 "[%s] power save mode on, %u sta's in ps mode\n", 2691 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2692 return; 2693 } 2694 2695 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2696 ic->ic_ps_sta--; 2697 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2698 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2699 "[%s] power save mode off, %u sta's in ps mode\n", 2700 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2701 /* XXX if no stations in ps mode, flush mc frames */ 2702 2703 /* 2704 * Flush queued unicast frames. 2705 */ 2706 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2707 if (ic->ic_set_tim != NULL) 2708 ic->ic_set_tim(ni, 0); /* just in case */ 2709 return; 2710 } 2711 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2712 "[%s] flush ps queue, %u packets queued\n", 2713 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2714 for (;;) { 2715 int qlen; 2716 2717 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2718 if (m == NULL) 2719 break; 2720 /* 2721 * If this is the last packet, turn off the TIM bit. 2722 * If there are more packets, set the more packets bit 2723 * in the mbuf so ieee80211_encap will mark the 802.11 2724 * head to indicate more data frames will follow. 2725 */ 2726 if (qlen != 0) 2727 m->m_flags |= M_MORE_DATA; 2728 /* XXX need different driver interface */ 2729 /* XXX bypasses q max */ 2730 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2731 } 2732 if (ic->ic_set_tim != NULL) 2733 ic->ic_set_tim(ni, 0); 2734 } 2735 2736 /* 2737 * Process a received ps-poll frame. 2738 */ 2739 static void 2740 ieee80211_recv_pspoll(struct ieee80211com *ic, 2741 struct ieee80211_node *ni, struct mbuf *m0) 2742 { 2743 struct ieee80211_frame_min *wh; 2744 struct mbuf *m; 2745 u_int16_t aid; 2746 int qlen; 2747 2748 wh = mtod(m0, struct ieee80211_frame_min *); 2749 if (ni->ni_associd == 0) { 2750 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2751 (struct ieee80211_frame *) wh, "ps-poll", 2752 "%s", "unassociated station"); 2753 ic->ic_stats.is_ps_unassoc++; 2754 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2755 IEEE80211_REASON_NOT_ASSOCED); 2756 return; 2757 } 2758 2759 aid = le16toh(*(u_int16_t *)wh->i_dur); 2760 if (aid != ni->ni_associd) { 2761 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2762 (struct ieee80211_frame *) wh, "ps-poll", 2763 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2764 ni->ni_associd, aid); 2765 ic->ic_stats.is_ps_badaid++; 2766 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2767 IEEE80211_REASON_NOT_ASSOCED); 2768 return; 2769 } 2770 2771 /* Okay, take the first queued packet and put it out... */ 2772 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2773 if (m == NULL) { 2774 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2775 "[%s] recv ps-poll, but queue empty\n", 2776 ether_sprintf(wh->i_addr2)); 2777 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2778 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2779 if (ic->ic_set_tim != NULL) 2780 ic->ic_set_tim(ni, 0); /* just in case */ 2781 return; 2782 } 2783 /* 2784 * If there are more packets, set the more packets bit 2785 * in the packet dispatched to the station; otherwise 2786 * turn off the TIM bit. 2787 */ 2788 if (qlen != 0) { 2789 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2790 "[%s] recv ps-poll, send packet, %u still queued\n", 2791 ether_sprintf(ni->ni_macaddr), qlen); 2792 m->m_flags |= M_MORE_DATA; 2793 } else { 2794 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2795 "[%s] recv ps-poll, send packet, queue empty\n", 2796 ether_sprintf(ni->ni_macaddr)); 2797 if (ic->ic_set_tim != NULL) 2798 ic->ic_set_tim(ni, 0); 2799 } 2800 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2801 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2802 } 2803 #endif /* !IEEE80211_NO_HOSTAP */ 2804 2805 #ifdef IEEE80211_DEBUG 2806 /* 2807 * Debugging support. 2808 */ 2809 2810 /* 2811 * Return the bssid of a frame. 2812 */ 2813 static const u_int8_t * 2814 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2815 { 2816 if (ic->ic_opmode == IEEE80211_M_STA) 2817 return wh->i_addr2; 2818 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2819 return wh->i_addr1; 2820 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2821 return wh->i_addr1; 2822 return wh->i_addr3; 2823 } 2824 2825 void 2826 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2827 { 2828 char buf[128]; /* XXX */ 2829 va_list ap; 2830 2831 va_start(ap, fmt); 2832 vsnprintf(buf, sizeof(buf), fmt, ap); 2833 va_end(ap); 2834 2835 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2836 } 2837 2838 void 2839 ieee80211_note_frame(struct ieee80211com *ic, 2840 const struct ieee80211_frame *wh, 2841 const char *fmt, ...) 2842 { 2843 char buf[128]; /* XXX */ 2844 va_list ap; 2845 2846 va_start(ap, fmt); 2847 vsnprintf(buf, sizeof(buf), fmt, ap); 2848 va_end(ap); 2849 if_printf(ic->ic_ifp, "[%s] %s\n", 2850 ether_sprintf(ieee80211_getbssid(ic, wh)), buf); 2851 } 2852 2853 void 2854 ieee80211_note_mac(struct ieee80211com *ic, 2855 const u_int8_t mac[IEEE80211_ADDR_LEN], 2856 const char *fmt, ...) 2857 { 2858 char buf[128]; /* XXX */ 2859 va_list ap; 2860 2861 va_start(ap, fmt); 2862 vsnprintf(buf, sizeof(buf), fmt, ap); 2863 va_end(ap); 2864 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf); 2865 } 2866 2867 static void 2868 ieee80211_discard_frame(struct ieee80211com *ic, 2869 const struct ieee80211_frame *wh, 2870 const char *type, const char *fmt, ...) 2871 { 2872 va_list ap; 2873 2874 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2875 ether_sprintf(ieee80211_getbssid(ic, wh))); 2876 if (type != NULL) 2877 printf("%s frame, ", type); 2878 else 2879 printf("frame, "); 2880 va_start(ap, fmt); 2881 vprintf(fmt, ap); 2882 va_end(ap); 2883 printf("\n"); 2884 } 2885 2886 static void 2887 ieee80211_discard_ie(struct ieee80211com *ic, 2888 const struct ieee80211_frame *wh, 2889 const char *type, const char *fmt, ...) 2890 { 2891 va_list ap; 2892 2893 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2894 ether_sprintf(ieee80211_getbssid(ic, wh))); 2895 if (type != NULL) 2896 printf("%s information element, ", type); 2897 else 2898 printf("information element, "); 2899 va_start(ap, fmt); 2900 vprintf(fmt, ap); 2901 va_end(ap); 2902 printf("\n"); 2903 } 2904 2905 static void 2906 ieee80211_discard_mac(struct ieee80211com *ic, 2907 const u_int8_t mac[IEEE80211_ADDR_LEN], 2908 const char *type, const char *fmt, ...) 2909 { 2910 va_list ap; 2911 2912 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac)); 2913 if (type != NULL) 2914 printf("%s frame, ", type); 2915 else 2916 printf("frame, "); 2917 va_start(ap, fmt); 2918 vprintf(fmt, ap); 2919 va_end(ap); 2920 printf("\n"); 2921 } 2922 #endif /* IEEE80211_DEBUG */ 2923