1 /* $NetBSD: ieee80211_input.c,v 1.85 2016/09/27 20:20:06 christos Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.85 2016/09/27 20:20:06 christos Exp $"); 40 #endif 41 42 #ifdef _KERNEL_OPT 43 #include "opt_inet.h" 44 #endif 45 46 #ifdef __NetBSD__ 47 #endif /* __NetBSD__ */ 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/malloc.h> 53 #include <sys/endian.h> 54 #include <sys/kernel.h> 55 56 #include <sys/socket.h> 57 #include <sys/sockio.h> 58 #include <sys/endian.h> 59 #include <sys/errno.h> 60 #include <sys/proc.h> 61 #include <sys/sysctl.h> 62 63 #include <net/if.h> 64 #include <net/if_media.h> 65 #include <net/if_arp.h> 66 #include <net/if_ether.h> 67 #include <net/if_llc.h> 68 69 #include <net80211/ieee80211_var.h> 70 71 #include <net/bpf.h> 72 73 #ifdef INET 74 #include <netinet/in.h> 75 #include <net/if_ether.h> 76 #endif 77 78 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 79 80 #ifdef IEEE80211_DEBUG 81 82 /* 83 * Decide if a received management frame should be 84 * printed when debugging is enabled. This filters some 85 * of the less interesting frames that come frequently 86 * (e.g. beacons). 87 */ 88 static __inline int 89 doprint(struct ieee80211com *ic, int subtype) 90 { 91 switch (subtype) { 92 case IEEE80211_FC0_SUBTYPE_BEACON: 93 return (ic->ic_flags & IEEE80211_F_SCAN); 94 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 95 return (ic->ic_opmode == IEEE80211_M_IBSS); 96 } 97 return 1; 98 } 99 100 /* 101 * Emit a debug message about discarding a frame or information 102 * element. One format is for extracting the mac address from 103 * the frame header; the other is for when a header is not 104 * available or otherwise appropriate. 105 */ 106 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 107 if ((_ic)->ic_debug & (_m)) \ 108 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 109 } while (0) 110 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 111 if ((_ic)->ic_debug & (_m)) \ 112 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 113 } while (0) 114 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 115 if ((_ic)->ic_debug & (_m)) \ 116 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 117 } while (0) 118 #define IEEE80211_DEBUGVAR(a) a 119 120 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 121 const struct ieee80211_frame *); 122 static void ieee80211_discard_frame(struct ieee80211com *, 123 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 124 static void ieee80211_discard_ie(struct ieee80211com *, 125 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 126 static void ieee80211_discard_mac(struct ieee80211com *, 127 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 128 const char *fmt, ...); 129 #else 130 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 131 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 132 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 133 #define IEEE80211_DEBUGVAR(a) 134 #endif /* IEEE80211_DEBUG */ 135 136 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 137 struct ieee80211_node *, struct mbuf *, int); 138 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 139 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 140 const u_int8_t *mac, int subtype, int arg); 141 static void ieee80211_deliver_data(struct ieee80211com *, 142 struct ieee80211_node *, struct mbuf *); 143 #ifndef IEEE80211_NO_HOSTAP 144 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 145 static void ieee80211_recv_pspoll(struct ieee80211com *, 146 struct ieee80211_node *, struct mbuf *); 147 #endif /* !IEEE80211_NO_HOSTAP */ 148 static void ieee80211_update_adhoc_node(struct ieee80211com *, 149 struct ieee80211_node *, struct ieee80211_frame *, 150 struct ieee80211_scanparams *, int, u_int32_t); 151 152 /* 153 * Process a received frame. The node associated with the sender 154 * should be supplied. If nothing was found in the node table then 155 * the caller is assumed to supply a reference to ic_bss instead. 156 * The RSSI and a timestamp are also supplied. The RSSI data is used 157 * during AP scanning to select a AP to associate with; it can have 158 * any units so long as values have consistent units and higher values 159 * mean ``better signal''. The receive timestamp is currently not used 160 * by the 802.11 layer. 161 */ 162 int 163 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 164 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 165 { 166 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 167 #define HAS_SEQ(type) ((type & 0x4) == 0) 168 struct ifnet *ifp = ic->ic_ifp; 169 struct ieee80211_frame *wh; 170 struct ieee80211_key *key; 171 struct ether_header *eh; 172 int hdrspace; 173 u_int8_t dir, type, subtype; 174 u_int8_t *bssid; 175 u_int16_t rxseq; 176 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 177 178 IASSERT(ni != NULL, ("null node")); 179 ni->ni_inact = ni->ni_inact_reload; 180 181 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 182 if (m->m_flags & M_HASFCS) { 183 m_adj(m, -IEEE80211_CRC_LEN); 184 m->m_flags &= ~M_HASFCS; 185 } 186 type = -1; /* undefined */ 187 /* 188 * In monitor mode, send everything directly to bpf. 189 * XXX may want to include the CRC 190 */ 191 if (ic->ic_opmode == IEEE80211_M_MONITOR) 192 goto out; 193 194 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 196 ni->ni_macaddr, NULL, 197 "too short (1): len %u", m->m_pkthdr.len); 198 ic->ic_stats.is_rx_tooshort++; 199 goto out; 200 } 201 /* 202 * Bit of a cheat here, we use a pointer for a 3-address 203 * frame format but don't reference fields past outside 204 * ieee80211_frame_min w/o first validating the data is 205 * present. 206 */ 207 wh = mtod(m, struct ieee80211_frame *); 208 209 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 210 IEEE80211_FC0_VERSION_0) { 211 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 212 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 213 ic->ic_stats.is_rx_badversion++; 214 goto err; 215 } 216 217 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 218 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 219 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 220 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 221 switch (ic->ic_opmode) { 222 case IEEE80211_M_STA: 223 bssid = wh->i_addr2; 224 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 225 /* not interested in */ 226 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 227 bssid, NULL, "node %s, %s", 228 ether_snprintf(ebuf, sizeof(ebuf), 229 ni->ni_bssid), "not to bss"); 230 ic->ic_stats.is_rx_wrongbss++; 231 goto out; 232 } 233 234 /* Filter out packets not directed to us in case the 235 * device is in promiscous mode 236 */ 237 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) 238 && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) { 239 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 240 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 241 ic->ic_myaddr, ":", wh->i_addr1, ":"); 242 ic->ic_stats.is_rx_wrongbss++; 243 goto out; 244 } 245 break; 246 case IEEE80211_M_IBSS: 247 case IEEE80211_M_AHDEMO: 248 case IEEE80211_M_HOSTAP: 249 if (dir != IEEE80211_FC1_DIR_NODS) 250 bssid = wh->i_addr1; 251 else if (type == IEEE80211_FC0_TYPE_CTL) 252 bssid = wh->i_addr1; 253 else { 254 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 255 IEEE80211_DISCARD_MAC(ic, 256 IEEE80211_MSG_ANY, ni->ni_macaddr, 257 NULL, "too short (2): len %u", 258 m->m_pkthdr.len); 259 ic->ic_stats.is_rx_tooshort++; 260 goto out; 261 } 262 bssid = wh->i_addr3; 263 } 264 if (type != IEEE80211_FC0_TYPE_DATA) 265 break; 266 /* 267 * Data frame, validate the bssid. 268 */ 269 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 270 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 271 /* not interested in */ 272 IEEE80211_DEBUGVAR( 273 char bbuf[3 * ETHER_ADDR_LEN]); 274 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 275 bssid, NULL, "bss %s, broadcast %s, %s", 276 ether_snprintf(ebuf, sizeof(ebuf), 277 ic->ic_bss->ni_bssid), 278 ether_snprintf(bbuf, sizeof(bbuf), 279 ifp->if_broadcastaddr), "not to bss"); 280 ic->ic_stats.is_rx_wrongbss++; 281 goto out; 282 } 283 /* 284 * For adhoc mode we cons up a node when it doesn't 285 * exist. This should probably done after an ACL check. 286 */ 287 if (ni == ic->ic_bss && 288 ic->ic_opmode != IEEE80211_M_HOSTAP && 289 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 290 /* 291 * Fake up a node for this newly 292 * discovered member of the IBSS. 293 */ 294 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 295 wh->i_addr2); 296 if (ni == NULL) { 297 /* NB: stat kept for alloc failure */ 298 goto err; 299 } 300 } 301 break; 302 default: 303 goto out; 304 } 305 ni->ni_rssi = rssi; 306 ni->ni_rstamp = rstamp; 307 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || 308 !IEEE80211_IS_MULTICAST(wh->i_addr1))) { 309 u_int8_t tid, retry; 310 u_int16_t rxno, orxno; 311 312 if (ieee80211_has_qos(wh)) { 313 tid = ((struct ieee80211_qosframe *)wh)-> 314 i_qos[0] & IEEE80211_QOS_TID; 315 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 316 ic->ic_wme.wme_hipri_traffic++; 317 tid++; 318 } else 319 tid = 0; 320 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 321 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; 322 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 323 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; 324 if (retry && ( 325 (orxno == 4095 && rxno == orxno) || 326 (orxno != 4095 && 327 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) 328 )) { 329 /* duplicate, discard */ 330 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 331 bssid, "duplicate", 332 "seqno <%u,%u> fragno <%u,%u> tid %u", 333 rxno, 334 orxno, 335 rxseq & IEEE80211_SEQ_FRAG_MASK, 336 ni->ni_rxseqs[tid] & 337 IEEE80211_SEQ_FRAG_MASK, 338 tid); 339 ic->ic_stats.is_rx_dup++; 340 IEEE80211_NODE_STAT(ni, rx_dup); 341 goto out; 342 } 343 ni->ni_rxseqs[tid] = rxseq; 344 } 345 } 346 347 switch (type) { 348 case IEEE80211_FC0_TYPE_DATA: 349 hdrspace = ieee80211_hdrspace(ic, wh); 350 if (m->m_len < hdrspace && 351 (m = m_pullup(m, hdrspace)) == NULL) { 352 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 353 ni->ni_macaddr, NULL, 354 "data too short: expecting %u", hdrspace); 355 ic->ic_stats.is_rx_tooshort++; 356 goto out; /* XXX */ 357 } 358 switch (ic->ic_opmode) { 359 case IEEE80211_M_STA: 360 if (dir != IEEE80211_FC1_DIR_FROMDS) { 361 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 362 wh, "data", "%s", "unknown dir 0x%x", dir); 363 ic->ic_stats.is_rx_wrongdir++; 364 goto out; 365 } 366 if ((ifp->if_flags & IFF_SIMPLEX) && 367 IEEE80211_IS_MULTICAST(wh->i_addr1) && 368 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 369 /* 370 * In IEEE802.11 network, multicast packet 371 * sent from me is broadcasted from AP. 372 * It should be silently discarded for 373 * SIMPLEX interface. 374 */ 375 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 376 wh, NULL, "%s", "multicast echo"); 377 ic->ic_stats.is_rx_mcastecho++; 378 goto out; 379 } 380 break; 381 case IEEE80211_M_IBSS: 382 case IEEE80211_M_AHDEMO: 383 if (dir != IEEE80211_FC1_DIR_NODS) { 384 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 385 wh, "data", "%s", "unknown dir 0x%x", dir); 386 ic->ic_stats.is_rx_wrongdir++; 387 goto out; 388 } 389 /* XXX no power-save support */ 390 break; 391 case IEEE80211_M_HOSTAP: 392 #ifndef IEEE80211_NO_HOSTAP 393 if (dir != IEEE80211_FC1_DIR_TODS) { 394 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 395 wh, "data", "%s", "unknown dir 0x%x", dir); 396 ic->ic_stats.is_rx_wrongdir++; 397 goto out; 398 } 399 /* check if source STA is associated */ 400 if (ni == ic->ic_bss) { 401 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 402 wh, "data", "%s", "unknown src"); 403 ieee80211_send_error(ic, ni, wh->i_addr2, 404 IEEE80211_FC0_SUBTYPE_DEAUTH, 405 IEEE80211_REASON_NOT_AUTHED); 406 ic->ic_stats.is_rx_notassoc++; 407 goto err; 408 } 409 if (ni->ni_associd == 0) { 410 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 411 wh, "data", "%s", "unassoc src"); 412 IEEE80211_SEND_MGMT(ic, ni, 413 IEEE80211_FC0_SUBTYPE_DISASSOC, 414 IEEE80211_REASON_NOT_ASSOCED); 415 ic->ic_stats.is_rx_notassoc++; 416 goto err; 417 } 418 419 /* 420 * Check for power save state change. 421 */ 422 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 423 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 424 ieee80211_node_pwrsave(ni, 425 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 426 #endif /* !IEEE80211_NO_HOSTAP */ 427 break; 428 default: 429 /* XXX here to keep compiler happy */ 430 goto out; 431 } 432 433 /* 434 * Handle privacy requirements. Note that we 435 * must not be preempted from here until after 436 * we (potentially) call ieee80211_crypto_demic; 437 * otherwise we may violate assumptions in the 438 * crypto cipher modules used to do delayed update 439 * of replay sequence numbers. 440 */ 441 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 442 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 443 /* 444 * Discard encrypted frames when privacy is off. 445 */ 446 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 447 wh, "WEP", "%s", "PRIVACY off"); 448 ic->ic_stats.is_rx_noprivacy++; 449 IEEE80211_NODE_STAT(ni, rx_noprivacy); 450 goto out; 451 } 452 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 453 if (key == NULL) { 454 /* NB: stats+msgs handled in crypto_decap */ 455 IEEE80211_NODE_STAT(ni, rx_wepfail); 456 goto out; 457 } 458 wh = mtod(m, struct ieee80211_frame *); 459 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 460 } else { 461 key = NULL; 462 } 463 464 /* 465 * Next up, any fragmentation. 466 */ 467 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 468 m = ieee80211_defrag(ic, ni, m, hdrspace); 469 if (m == NULL) { 470 /* Fragment dropped or frame not complete yet */ 471 goto out; 472 } 473 } 474 wh = NULL; /* no longer valid, catch any uses */ 475 476 /* 477 * Next strip any MSDU crypto bits. 478 */ 479 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 480 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 481 ni->ni_macaddr, "data", "%s", "demic error"); 482 IEEE80211_NODE_STAT(ni, rx_demicfail); 483 goto out; 484 } 485 486 /* copy to listener after decrypt */ 487 bpf_mtap3(ic->ic_rawbpf, m); 488 489 /* 490 * Finally, strip the 802.11 header. 491 */ 492 m = ieee80211_decap(ic, m, hdrspace); 493 if (m == NULL) { 494 /* don't count Null data frames as errors */ 495 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 496 goto out; 497 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 498 ni->ni_macaddr, "data", "%s", "decap error"); 499 ic->ic_stats.is_rx_decap++; 500 IEEE80211_NODE_STAT(ni, rx_decap); 501 goto err; 502 } 503 eh = mtod(m, struct ether_header *); 504 if (!ieee80211_node_is_authorized(ni)) { 505 /* 506 * Deny any non-PAE frames received prior to 507 * authorization. For open/shared-key 508 * authentication the port is mark authorized 509 * after authentication completes. For 802.1x 510 * the port is not marked authorized by the 511 * authenticator until the handshake has completed. 512 */ 513 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 514 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 515 eh->ether_shost, "data", 516 "unauthorized port: ether type 0x%x len %u", 517 eh->ether_type, m->m_pkthdr.len); 518 ic->ic_stats.is_rx_unauth++; 519 IEEE80211_NODE_STAT(ni, rx_unauth); 520 goto err; 521 } 522 } else { 523 /* 524 * When denying unencrypted frames, discard 525 * any non-PAE frames received without encryption. 526 */ 527 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 528 key == NULL && 529 eh->ether_type != htons(ETHERTYPE_PAE)) { 530 /* 531 * Drop unencrypted frames. 532 */ 533 ic->ic_stats.is_rx_unencrypted++; 534 IEEE80211_NODE_STAT(ni, rx_unencrypted); 535 goto out; 536 } 537 } 538 ifp->if_ipackets++; 539 IEEE80211_NODE_STAT(ni, rx_data); 540 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 541 542 ieee80211_deliver_data(ic, ni, m); 543 return IEEE80211_FC0_TYPE_DATA; 544 545 case IEEE80211_FC0_TYPE_MGT: 546 IEEE80211_NODE_STAT(ni, rx_mgmt); 547 if (dir != IEEE80211_FC1_DIR_NODS) { 548 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 549 wh, "data", "%s", "unknown dir 0x%x", dir); 550 ic->ic_stats.is_rx_wrongdir++; 551 goto err; 552 } 553 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 554 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 555 ni->ni_macaddr, "mgt", "too short: len %u", 556 m->m_pkthdr.len); 557 ic->ic_stats.is_rx_tooshort++; 558 goto out; 559 } 560 #ifdef IEEE80211_DEBUG 561 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 562 ieee80211_msg_dumppkts(ic)) { 563 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 564 ieee80211_mgt_subtype_name[subtype >> 565 IEEE80211_FC0_SUBTYPE_SHIFT], 566 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 567 rssi); 568 } 569 #endif 570 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 571 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 572 /* 573 * Only shared key auth frames with a challenge 574 * should be encrypted, discard all others. 575 */ 576 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 577 wh, ieee80211_mgt_subtype_name[subtype >> 578 IEEE80211_FC0_SUBTYPE_SHIFT], 579 "%s", "WEP set but not permitted"); 580 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 581 goto out; 582 } 583 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 584 /* 585 * Discard encrypted frames when privacy is off. 586 */ 587 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 588 wh, "mgt", "%s", "WEP set but PRIVACY off"); 589 ic->ic_stats.is_rx_noprivacy++; 590 goto out; 591 } 592 hdrspace = ieee80211_hdrspace(ic, wh); 593 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 594 if (key == NULL) { 595 /* NB: stats+msgs handled in crypto_decap */ 596 goto out; 597 } 598 wh = mtod(m, struct ieee80211_frame *); 599 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 600 } 601 bpf_mtap3(ic->ic_rawbpf, m); 602 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 603 m_freem(m); 604 return type; 605 606 case IEEE80211_FC0_TYPE_CTL: 607 IEEE80211_NODE_STAT(ni, rx_ctrl); 608 ic->ic_stats.is_rx_ctl++; 609 #ifndef IEEE80211_NO_HOSTAP 610 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 611 switch (subtype) { 612 case IEEE80211_FC0_SUBTYPE_PS_POLL: 613 ieee80211_recv_pspoll(ic, ni, m); 614 break; 615 } 616 } 617 #endif /* !IEEE80211_NO_HOSTAP */ 618 goto out; 619 default: 620 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 621 wh, NULL, "bad frame type 0x%x", type); 622 /* should not come here */ 623 break; 624 } 625 err: 626 ifp->if_ierrors++; 627 out: 628 if (m != NULL) { 629 bpf_mtap3(ic->ic_rawbpf, m); 630 m_freem(m); 631 } 632 return type; 633 #undef SEQ_LEQ 634 } 635 636 /* 637 * This function reassemble fragments. 638 */ 639 static struct mbuf * 640 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 641 struct mbuf *m, int hdrspace) 642 { 643 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 644 struct ieee80211_frame *lwh; 645 u_int16_t rxseq; 646 u_int8_t fragno; 647 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 648 struct mbuf *mfrag; 649 650 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 651 652 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 653 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 654 655 /* Quick way out, if there's nothing to defragment */ 656 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 657 return m; 658 659 /* 660 * Remove frag to insure it doesn't get reaped by timer. 661 */ 662 if (ni->ni_table == NULL) { 663 /* 664 * Should never happen. If the node is orphaned (not in 665 * the table) then input packets should not reach here. 666 * Otherwise, a concurrent request that yanks the table 667 * should be blocked by other interlocking and/or by first 668 * shutting the driver down. Regardless, be defensive 669 * here and just bail 670 */ 671 /* XXX need msg+stat */ 672 m_freem(m); 673 return NULL; 674 } 675 IEEE80211_NODE_LOCK(ni->ni_table); 676 mfrag = ni->ni_rxfrag[0]; 677 ni->ni_rxfrag[0] = NULL; 678 IEEE80211_NODE_UNLOCK(ni->ni_table); 679 680 /* 681 * Validate new fragment is in order and 682 * related to the previous ones. 683 */ 684 if (mfrag != NULL) { 685 u_int16_t last_rxseq; 686 687 lwh = mtod(mfrag, struct ieee80211_frame *); 688 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 689 /* NB: check seq # and frag together */ 690 if (rxseq != last_rxseq+1 || 691 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 692 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 693 /* 694 * Unrelated fragment or no space for it, 695 * clear current fragments. 696 */ 697 m_freem(mfrag); 698 mfrag = NULL; 699 } 700 } 701 702 if (mfrag == NULL) { 703 if (fragno != 0) { /* !first fragment, discard */ 704 IEEE80211_NODE_STAT(ni, rx_defrag); 705 m_freem(m); 706 return NULL; 707 } 708 mfrag = m; 709 } else { /* concatenate */ 710 m_adj(m, hdrspace); /* strip header */ 711 m_cat(mfrag, m); 712 /* NB: m_cat doesn't update the packet header */ 713 mfrag->m_pkthdr.len += m->m_pkthdr.len; 714 /* track last seqnum and fragno */ 715 lwh = mtod(mfrag, struct ieee80211_frame *); 716 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 717 } 718 if (more_frag) { /* more to come, save */ 719 ni->ni_rxfragstamp = ticks; 720 ni->ni_rxfrag[0] = mfrag; 721 mfrag = NULL; 722 } 723 return mfrag; 724 } 725 726 static void 727 ieee80211_deliver_data(struct ieee80211com *ic, 728 struct ieee80211_node *ni, struct mbuf *m) 729 { 730 struct ether_header *eh = mtod(m, struct ether_header *); 731 struct ifnet *ifp = ic->ic_ifp; 732 int error; 733 734 /* perform as a bridge within the AP */ 735 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 736 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 737 struct mbuf *m1 = NULL; 738 739 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 740 m1 = m_copypacket(m, M_DONTWAIT); 741 if (m1 == NULL) 742 ifp->if_oerrors++; 743 else 744 m1->m_flags |= M_MCAST; 745 } else { 746 /* 747 * Check if the destination is known; if so 748 * and the port is authorized dispatch directly. 749 */ 750 struct ieee80211_node *sta = 751 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 752 if (sta != NULL) { 753 if (ieee80211_node_is_authorized(sta)) { 754 /* 755 * Beware of sending to ourself; this 756 * needs to happen via the normal 757 * input path. 758 */ 759 if (sta != ic->ic_bss) { 760 m1 = m; 761 m = NULL; 762 } 763 } else { 764 ic->ic_stats.is_rx_unauth++; 765 IEEE80211_NODE_STAT(sta, rx_unauth); 766 } 767 ieee80211_free_node(sta); 768 } 769 } 770 if (m1 != NULL) { 771 int len; 772 #ifdef ALTQ 773 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 774 altq_etherclassify(&ifp->if_snd, m1); 775 } 776 #endif 777 len = m1->m_pkthdr.len; 778 IFQ_ENQUEUE(&ifp->if_snd, m1, error); 779 if (error) { 780 ifp->if_omcasts++; 781 m = NULL; 782 } 783 ifp->if_obytes += len; 784 } 785 } 786 if (m != NULL) { 787 /* 788 * XXX If we forward packet into transmitter of the AP, 789 * we don't need to duplicate for DLT_EN10MB. 790 */ 791 bpf_mtap(ifp, m); 792 793 if (ni->ni_vlan != 0) { 794 /* attach vlan tag */ 795 /* XXX goto err? */ 796 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 797 } 798 799 /* 800 * XXX once ieee80211_input (or rxintr itself) runs in softint 801 * we have to change here too to use if_input. 802 */ 803 KASSERT(ifp->if_percpuq); 804 if_percpuq_enqueue(ifp->if_percpuq, m); 805 } 806 return; 807 out: 808 if (m != NULL) { 809 bpf_mtap3(ic->ic_rawbpf, m); 810 m_freem(m); 811 } 812 } 813 814 static struct mbuf * 815 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 816 { 817 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 818 struct ether_header *eh; 819 struct llc *llc; 820 821 if (m->m_len < hdrlen + sizeof(*llc) && 822 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 823 /* XXX stat, msg */ 824 return NULL; 825 } 826 memcpy(&wh, mtod(m, void *), hdrlen); 827 llc = (struct llc *)(mtod(m, char *) + hdrlen); 828 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 829 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 830 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 831 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 832 llc = NULL; 833 } else { 834 m_adj(m, hdrlen - sizeof(*eh)); 835 } 836 eh = mtod(m, struct ether_header *); 837 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 838 case IEEE80211_FC1_DIR_NODS: 839 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 840 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 841 break; 842 case IEEE80211_FC1_DIR_TODS: 843 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 844 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 845 break; 846 case IEEE80211_FC1_DIR_FROMDS: 847 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 848 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 849 break; 850 case IEEE80211_FC1_DIR_DSTODS: 851 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 852 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 853 break; 854 } 855 #ifdef ALIGNED_POINTER 856 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 857 struct mbuf *n, *n0, **np; 858 char *newdata; 859 int off, pktlen; 860 861 n0 = NULL; 862 np = &n0; 863 off = 0; 864 pktlen = m->m_pkthdr.len; 865 while (pktlen > off) { 866 if (n0 == NULL) { 867 MGETHDR(n, M_DONTWAIT, MT_DATA); 868 if (n == NULL) { 869 m_freem(m); 870 return NULL; 871 } 872 M_MOVE_PKTHDR(n, m); 873 n->m_len = MHLEN; 874 } else { 875 MGET(n, M_DONTWAIT, MT_DATA); 876 if (n == NULL) { 877 m_freem(m); 878 m_freem(n0); 879 return NULL; 880 } 881 n->m_len = MLEN; 882 } 883 if (pktlen - off >= MINCLSIZE) { 884 MCLGET(n, M_DONTWAIT); 885 if (n->m_flags & M_EXT) 886 n->m_len = n->m_ext.ext_size; 887 } 888 if (n0 == NULL) { 889 newdata = 890 (char *)ALIGN(n->m_data + sizeof(*eh)) - 891 sizeof(*eh); 892 n->m_len -= newdata - n->m_data; 893 n->m_data = newdata; 894 } 895 if (n->m_len > pktlen - off) 896 n->m_len = pktlen - off; 897 m_copydata(m, off, n->m_len, mtod(n, void *)); 898 off += n->m_len; 899 *np = n; 900 np = &n->m_next; 901 } 902 m_freem(m); 903 m = n0; 904 } 905 #endif /* ALIGNED_POINTER */ 906 if (llc != NULL) { 907 eh = mtod(m, struct ether_header *); 908 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 909 } 910 return m; 911 } 912 913 /* 914 * Install received rate set information in the node's state block. 915 */ 916 int 917 ieee80211_setup_rates(struct ieee80211_node *ni, 918 const u_int8_t *rates, const u_int8_t *xrates, int flags) 919 { 920 struct ieee80211com *ic = ni->ni_ic; 921 struct ieee80211_rateset *rs = &ni->ni_rates; 922 923 memset(rs, 0, sizeof(*rs)); 924 rs->rs_nrates = rates[1]; 925 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 926 if (xrates != NULL) { 927 u_int8_t nxrates; 928 /* 929 * Tack on 11g extended supported rate element. 930 */ 931 nxrates = xrates[1]; 932 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 933 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 934 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 935 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 936 "[%s] extended rate set too large;" 937 " only using %u of %u rates\n", 938 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 939 nxrates, xrates[1]); 940 ic->ic_stats.is_rx_rstoobig++; 941 } 942 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 943 rs->rs_nrates += nxrates; 944 } 945 return ieee80211_fix_rate(ni, flags); 946 } 947 948 static void 949 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 950 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 951 u_int16_t seq, u_int16_t status) 952 { 953 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 954 955 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 956 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 957 ni->ni_macaddr, "open auth", 958 "bad sta auth mode %u", ni->ni_authmode); 959 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 960 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 961 /* XXX hack to workaround calling convention */ 962 ieee80211_send_error(ic, ni, wh->i_addr2, 963 IEEE80211_FC0_SUBTYPE_AUTH, 964 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 965 } 966 return; 967 } 968 switch (ic->ic_opmode) { 969 case IEEE80211_M_IBSS: 970 case IEEE80211_M_AHDEMO: 971 case IEEE80211_M_MONITOR: 972 /* should not come here */ 973 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 974 ni->ni_macaddr, "open auth", 975 "bad operating mode %u", ic->ic_opmode); 976 break; 977 978 case IEEE80211_M_HOSTAP: 979 #ifndef IEEE80211_NO_HOSTAP 980 if (ic->ic_state != IEEE80211_S_RUN || 981 seq != IEEE80211_AUTH_OPEN_REQUEST) { 982 ic->ic_stats.is_rx_bad_auth++; 983 return; 984 } 985 /* always accept open authentication requests */ 986 if (ni == ic->ic_bss) { 987 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 988 if (ni == NULL) 989 return; 990 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 991 (void) ieee80211_ref_node(ni); 992 /* 993 * Mark the node as referenced to reflect that its 994 * reference count has been bumped to insure it remains 995 * after the transaction completes. 996 */ 997 ni->ni_flags |= IEEE80211_NODE_AREF; 998 999 IEEE80211_SEND_MGMT(ic, ni, 1000 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1001 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1002 "[%s] station authenticated (open)\n", 1003 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1004 /* 1005 * When 802.1x is not in use mark the port 1006 * authorized at this point so traffic can flow. 1007 */ 1008 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 1009 ieee80211_node_authorize(ni); 1010 #endif /* !IEEE80211_NO_HOSTAP */ 1011 break; 1012 1013 case IEEE80211_M_STA: 1014 if (ic->ic_state != IEEE80211_S_AUTH || 1015 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1016 ic->ic_stats.is_rx_bad_auth++; 1017 return; 1018 } 1019 if (status != 0) { 1020 1021 IEEE80211_DPRINTF(ic, 1022 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1023 "[%s] open auth failed (reason %d)\n", 1024 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 1025 status); 1026 /* XXX can this happen? */ 1027 if (ni != ic->ic_bss) 1028 ni->ni_fails++; 1029 ic->ic_stats.is_rx_auth_fail++; 1030 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1031 } else 1032 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1033 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1034 break; 1035 } 1036 } 1037 1038 /* 1039 * Send a management frame error response to the specified 1040 * station. If ni is associated with the station then use 1041 * it; otherwise allocate a temporary node suitable for 1042 * transmitting the frame and then free the reference so 1043 * it will go away as soon as the frame has been transmitted. 1044 */ 1045 static void 1046 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1047 const u_int8_t *mac, int subtype, int arg) 1048 { 1049 int istmp; 1050 1051 if (ni == ic->ic_bss) { 1052 ni = ieee80211_tmp_node(ic, mac); 1053 if (ni == NULL) { 1054 /* XXX msg */ 1055 return; 1056 } 1057 istmp = 1; 1058 } else 1059 istmp = 0; 1060 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1061 if (istmp) 1062 ieee80211_free_node(ni); 1063 } 1064 1065 static int 1066 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1067 { 1068 if (ni->ni_challenge == NULL) 1069 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1070 M_DEVBUF, M_NOWAIT); 1071 if (ni->ni_challenge == NULL) { 1072 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1073 1074 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1075 "[%s] shared key challenge alloc failed\n", 1076 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1077 /* XXX statistic */ 1078 } 1079 return (ni->ni_challenge != NULL); 1080 } 1081 1082 /* XXX TODO: add statistics */ 1083 static void 1084 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1085 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1086 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1087 { 1088 u_int8_t *challenge; 1089 int estatus; 1090 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1091 1092 /* 1093 * NB: this can happen as we allow pre-shared key 1094 * authentication to be enabled w/o wep being turned 1095 * on so that configuration of these can be done 1096 * in any order. It may be better to enforce the 1097 * ordering in which case this check would just be 1098 * for sanity/consistency. 1099 */ 1100 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1101 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1102 ni->ni_macaddr, "shared key auth", 1103 "%s", " PRIVACY is disabled"); 1104 estatus = IEEE80211_STATUS_ALG; 1105 goto bad; 1106 } 1107 /* 1108 * Pre-shared key authentication is evil; accept 1109 * it only if explicitly configured (it is supported 1110 * mainly for compatibility with clients like OS X). 1111 */ 1112 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1113 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1114 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1115 ni->ni_macaddr, "shared key auth", 1116 "bad sta auth mode %u", ni->ni_authmode); 1117 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1118 estatus = IEEE80211_STATUS_ALG; 1119 goto bad; 1120 } 1121 1122 challenge = NULL; 1123 if (frm + 1 < efrm) { 1124 if ((frm[1] + 2) > (efrm - frm)) { 1125 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1126 ni->ni_macaddr, "shared key auth", 1127 "ie %d/%d too long", 1128 frm[0], (frm[1] + 2) - (efrm - frm)); 1129 ic->ic_stats.is_rx_bad_auth++; 1130 estatus = IEEE80211_STATUS_CHALLENGE; 1131 goto bad; 1132 } 1133 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1134 challenge = frm; 1135 frm += frm[1] + 2; 1136 } 1137 switch (seq) { 1138 case IEEE80211_AUTH_SHARED_CHALLENGE: 1139 case IEEE80211_AUTH_SHARED_RESPONSE: 1140 if (challenge == NULL) { 1141 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1142 ni->ni_macaddr, "shared key auth", 1143 "%s", "no challenge"); 1144 ic->ic_stats.is_rx_bad_auth++; 1145 estatus = IEEE80211_STATUS_CHALLENGE; 1146 goto bad; 1147 } 1148 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1149 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1150 ni->ni_macaddr, "shared key auth", 1151 "bad challenge len %d", challenge[1]); 1152 ic->ic_stats.is_rx_bad_auth++; 1153 estatus = IEEE80211_STATUS_CHALLENGE; 1154 goto bad; 1155 } 1156 default: 1157 break; 1158 } 1159 switch (ic->ic_opmode) { 1160 case IEEE80211_M_MONITOR: 1161 case IEEE80211_M_AHDEMO: 1162 case IEEE80211_M_IBSS: 1163 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1164 ni->ni_macaddr, "shared key auth", 1165 "bad operating mode %u", ic->ic_opmode); 1166 return; 1167 case IEEE80211_M_HOSTAP: 1168 #ifndef IEEE80211_NO_HOSTAP 1169 { 1170 int allocbs; 1171 if (ic->ic_state != IEEE80211_S_RUN) { 1172 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1173 ni->ni_macaddr, "shared key auth", 1174 "bad state %u", ic->ic_state); 1175 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1176 goto bad; 1177 } 1178 switch (seq) { 1179 case IEEE80211_AUTH_SHARED_REQUEST: 1180 if (ni == ic->ic_bss) { 1181 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1182 if (ni == NULL) { 1183 /* NB: no way to return an error */ 1184 return; 1185 } 1186 allocbs = 1; 1187 } else { 1188 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1189 (void) ieee80211_ref_node(ni); 1190 allocbs = 0; 1191 } 1192 __USE(allocbs); 1193 /* 1194 * Mark the node as referenced to reflect that its 1195 * reference count has been bumped to insure it remains 1196 * after the transaction completes. 1197 */ 1198 ni->ni_flags |= IEEE80211_NODE_AREF; 1199 ni->ni_rssi = rssi; 1200 ni->ni_rstamp = rstamp; 1201 if (!alloc_challenge(ic, ni)) { 1202 /* NB: don't return error so they rexmit */ 1203 return; 1204 } 1205 get_random_bytes(ni->ni_challenge, 1206 IEEE80211_CHALLENGE_LEN); 1207 IEEE80211_DPRINTF(ic, 1208 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1209 "[%s] shared key %sauth request\n", 1210 ether_snprintf(ebuf, sizeof(ebuf), 1211 ni->ni_macaddr), 1212 allocbs ? "" : "re"); 1213 break; 1214 case IEEE80211_AUTH_SHARED_RESPONSE: 1215 if (ni == ic->ic_bss) { 1216 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1217 ni->ni_macaddr, "shared key response", 1218 "%s", "unknown station"); 1219 /* NB: don't send a response */ 1220 return; 1221 } 1222 if (ni->ni_challenge == NULL) { 1223 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1224 ni->ni_macaddr, "shared key response", 1225 "%s", "no challenge recorded"); 1226 ic->ic_stats.is_rx_bad_auth++; 1227 estatus = IEEE80211_STATUS_CHALLENGE; 1228 goto bad; 1229 } 1230 if (memcmp(ni->ni_challenge, &challenge[2], 1231 challenge[1]) != 0) { 1232 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1233 ni->ni_macaddr, "shared key response", 1234 "%s", "challenge mismatch"); 1235 ic->ic_stats.is_rx_auth_fail++; 1236 estatus = IEEE80211_STATUS_CHALLENGE; 1237 goto bad; 1238 } 1239 IEEE80211_DPRINTF(ic, 1240 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1241 "[%s] station authenticated (shared key)\n", 1242 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1243 ieee80211_node_authorize(ni); 1244 break; 1245 default: 1246 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1247 ni->ni_macaddr, "shared key auth", 1248 "bad seq %d", seq); 1249 ic->ic_stats.is_rx_bad_auth++; 1250 estatus = IEEE80211_STATUS_SEQUENCE; 1251 goto bad; 1252 } 1253 IEEE80211_SEND_MGMT(ic, ni, 1254 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1255 } 1256 #endif /* !IEEE80211_NO_HOSTAP */ 1257 break; 1258 1259 case IEEE80211_M_STA: 1260 if (ic->ic_state != IEEE80211_S_AUTH) 1261 return; 1262 switch (seq) { 1263 case IEEE80211_AUTH_SHARED_PASS: 1264 if (ni->ni_challenge != NULL) { 1265 free(ni->ni_challenge, M_DEVBUF); 1266 ni->ni_challenge = NULL; 1267 } 1268 if (status != 0) { 1269 IEEE80211_DPRINTF(ic, 1270 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1271 "[%s] shared key auth failed (reason %d)\n", 1272 ether_snprintf(ebuf, sizeof(ebuf), 1273 ieee80211_getbssid(ic, wh)), 1274 status); 1275 /* XXX can this happen? */ 1276 if (ni != ic->ic_bss) 1277 ni->ni_fails++; 1278 ic->ic_stats.is_rx_auth_fail++; 1279 return; 1280 } 1281 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1282 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1283 break; 1284 case IEEE80211_AUTH_SHARED_CHALLENGE: 1285 if (!alloc_challenge(ic, ni)) 1286 return; 1287 /* XXX could optimize by passing recvd challenge */ 1288 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1289 IEEE80211_SEND_MGMT(ic, ni, 1290 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1291 break; 1292 default: 1293 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1294 wh, "shared key auth", "bad seq %d", seq); 1295 ic->ic_stats.is_rx_bad_auth++; 1296 return; 1297 } 1298 break; 1299 } 1300 return; 1301 bad: 1302 #ifndef IEEE80211_NO_HOSTAP 1303 /* 1304 * Send an error response; but only when operating as an AP. 1305 */ 1306 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1307 /* XXX hack to workaround calling convention */ 1308 ieee80211_send_error(ic, ni, wh->i_addr2, 1309 IEEE80211_FC0_SUBTYPE_AUTH, 1310 (seq + 1) | (estatus<<16)); 1311 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1312 /* 1313 * Kick the state machine. This short-circuits 1314 * using the mgt frame timeout to trigger the 1315 * state transition. 1316 */ 1317 if (ic->ic_state == IEEE80211_S_AUTH) 1318 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1319 } 1320 #else 1321 ; 1322 #endif /* !IEEE80211_NO_HOSTAP */ 1323 } 1324 1325 /* Verify the existence and length of __elem or get out. */ 1326 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1327 if ((__elem) == NULL) { \ 1328 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1329 wh, ieee80211_mgt_subtype_name[subtype >> \ 1330 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1331 "%s", "no " #__elem ); \ 1332 ic->ic_stats.is_rx_elem_missing++; \ 1333 return; \ 1334 } \ 1335 if ((__elem)[1] > (__maxlen)) { \ 1336 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1337 wh, ieee80211_mgt_subtype_name[subtype >> \ 1338 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1339 "bad " #__elem " len %d", (__elem)[1]); \ 1340 ic->ic_stats.is_rx_elem_toobig++; \ 1341 return; \ 1342 } \ 1343 } while (0) 1344 1345 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1346 if ((_len) < (_minlen)) { \ 1347 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1348 wh, ieee80211_mgt_subtype_name[subtype >> \ 1349 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1350 "%s", "ie too short"); \ 1351 ic->ic_stats.is_rx_elem_toosmall++; \ 1352 return; \ 1353 } \ 1354 } while (0) 1355 1356 #ifdef IEEE80211_DEBUG 1357 static void 1358 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1359 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1360 { 1361 char ebuf[3 * ETHER_ADDR_LEN]; 1362 1363 printf("[%s] discard %s frame, ssid mismatch: ", 1364 ether_snprintf(ebuf, sizeof(ebuf), mac), tag); 1365 ieee80211_print_essid(ssid + 2, ssid[1]); 1366 printf("\n"); 1367 } 1368 1369 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1370 if ((_ssid)[1] != 0 && \ 1371 ((_ssid)[1] != (_ni)->ni_esslen || \ 1372 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1373 if (ieee80211_msg_input(ic)) \ 1374 ieee80211_ssid_mismatch(ic, \ 1375 ieee80211_mgt_subtype_name[subtype >> \ 1376 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1377 wh->i_addr2, _ssid); \ 1378 ic->ic_stats.is_rx_ssidmismatch++; \ 1379 return; \ 1380 } \ 1381 } while (0) 1382 #else /* !IEEE80211_DEBUG */ 1383 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1384 if ((_ssid)[1] != 0 && \ 1385 ((_ssid)[1] != (_ni)->ni_esslen || \ 1386 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1387 ic->ic_stats.is_rx_ssidmismatch++; \ 1388 return; \ 1389 } \ 1390 } while (0) 1391 #endif /* !IEEE80211_DEBUG */ 1392 1393 /* unaligned little endian access */ 1394 #define LE_READ_2(p) \ 1395 ((u_int16_t) \ 1396 ((((const u_int8_t *)(p))[0] ) | \ 1397 (((const u_int8_t *)(p))[1] << 8))) 1398 #define LE_READ_4(p) \ 1399 ((u_int32_t) \ 1400 ((((const u_int8_t *)(p))[0] ) | \ 1401 (((const u_int8_t *)(p))[1] << 8) | \ 1402 (((const u_int8_t *)(p))[2] << 16) | \ 1403 (((const u_int8_t *)(p))[3] << 24))) 1404 1405 static __inline int 1406 iswpaoui(const u_int8_t *frm) 1407 { 1408 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1409 } 1410 1411 static __inline int 1412 iswmeoui(const u_int8_t *frm) 1413 { 1414 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1415 } 1416 1417 static __inline int 1418 iswmeparam(const u_int8_t *frm) 1419 { 1420 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1421 frm[6] == WME_PARAM_OUI_SUBTYPE; 1422 } 1423 1424 static __inline int 1425 iswmeinfo(const u_int8_t *frm) 1426 { 1427 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1428 frm[6] == WME_INFO_OUI_SUBTYPE; 1429 } 1430 1431 /* 1432 * Convert a WPA cipher selector OUI to an internal 1433 * cipher algorithm. Where appropriate we also 1434 * record any key length. 1435 */ 1436 static int 1437 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1438 { 1439 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1440 u_int32_t w = LE_READ_4(sel); 1441 1442 switch (w) { 1443 case WPA_SEL(WPA_CSE_NULL): 1444 return IEEE80211_CIPHER_NONE; 1445 case WPA_SEL(WPA_CSE_WEP40): 1446 if (keylen) 1447 *keylen = 40 / NBBY; 1448 return IEEE80211_CIPHER_WEP; 1449 case WPA_SEL(WPA_CSE_WEP104): 1450 if (keylen) 1451 *keylen = 104 / NBBY; 1452 return IEEE80211_CIPHER_WEP; 1453 case WPA_SEL(WPA_CSE_TKIP): 1454 return IEEE80211_CIPHER_TKIP; 1455 case WPA_SEL(WPA_CSE_CCMP): 1456 return IEEE80211_CIPHER_AES_CCM; 1457 } 1458 return 32; /* NB: so 1<< is discarded */ 1459 #undef WPA_SEL 1460 } 1461 1462 /* 1463 * Convert a WPA key management/authentication algorithm 1464 * to an internal code. 1465 */ 1466 static int 1467 wpa_keymgmt(u_int8_t *sel) 1468 { 1469 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1470 u_int32_t w = LE_READ_4(sel); 1471 1472 switch (w) { 1473 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1474 return WPA_ASE_8021X_UNSPEC; 1475 case WPA_SEL(WPA_ASE_8021X_PSK): 1476 return WPA_ASE_8021X_PSK; 1477 case WPA_SEL(WPA_ASE_NONE): 1478 return WPA_ASE_NONE; 1479 } 1480 return 0; /* NB: so is discarded */ 1481 #undef WPA_SEL 1482 } 1483 1484 /* 1485 * Parse a WPA information element to collect parameters 1486 * and validate the parameters against what has been 1487 * configured for the system. 1488 */ 1489 static int 1490 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1491 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1492 { 1493 u_int8_t len = frm[1]; 1494 u_int32_t w; 1495 int n; 1496 1497 /* 1498 * Check the length once for fixed parts: OUI, type, 1499 * version, mcast cipher, and 2 selector counts. 1500 * Other, variable-length data, must be checked separately. 1501 */ 1502 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1503 IEEE80211_DISCARD_IE(ic, 1504 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1505 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1506 return IEEE80211_REASON_IE_INVALID; 1507 } 1508 if (len < 14) { 1509 IEEE80211_DISCARD_IE(ic, 1510 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1511 wh, "WPA", "too short, len %u", len); 1512 return IEEE80211_REASON_IE_INVALID; 1513 } 1514 frm += 6, len -= 4; /* NB: len is payload only */ 1515 /* NB: iswapoui already validated the OUI and type */ 1516 w = LE_READ_2(frm); 1517 if (w != WPA_VERSION) { 1518 IEEE80211_DISCARD_IE(ic, 1519 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1520 wh, "WPA", "bad version %u", w); 1521 return IEEE80211_REASON_IE_INVALID; 1522 } 1523 frm += 2, len -= 2; 1524 1525 /* multicast/group cipher */ 1526 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1527 if (w != rsn->rsn_mcastcipher) { 1528 IEEE80211_DISCARD_IE(ic, 1529 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1530 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1531 w, rsn->rsn_mcastcipher); 1532 return IEEE80211_REASON_IE_INVALID; 1533 } 1534 frm += 4, len -= 4; 1535 1536 /* unicast ciphers */ 1537 n = LE_READ_2(frm); 1538 frm += 2, len -= 2; 1539 if (len < n*4+2) { 1540 IEEE80211_DISCARD_IE(ic, 1541 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1542 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1543 len, n); 1544 return IEEE80211_REASON_IE_INVALID; 1545 } 1546 w = 0; 1547 for (; n > 0; n--) { 1548 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1549 frm += 4, len -= 4; 1550 } 1551 w &= rsn->rsn_ucastcipherset; 1552 if (w == 0) { 1553 IEEE80211_DISCARD_IE(ic, 1554 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1555 wh, "WPA", "%s", "ucast cipher set empty"); 1556 return IEEE80211_REASON_IE_INVALID; 1557 } 1558 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1559 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1560 else 1561 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1562 1563 /* key management algorithms */ 1564 n = LE_READ_2(frm); 1565 frm += 2, len -= 2; 1566 if (len < n*4) { 1567 IEEE80211_DISCARD_IE(ic, 1568 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1569 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1570 len, n); 1571 return IEEE80211_REASON_IE_INVALID; 1572 } 1573 w = 0; 1574 for (; n > 0; n--) { 1575 w |= wpa_keymgmt(frm); 1576 frm += 4, len -= 4; 1577 } 1578 w &= rsn->rsn_keymgmtset; 1579 if (w == 0) { 1580 IEEE80211_DISCARD_IE(ic, 1581 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1582 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1583 return IEEE80211_REASON_IE_INVALID; 1584 } 1585 if (w & WPA_ASE_8021X_UNSPEC) 1586 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1587 else 1588 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1589 1590 if (len > 2) /* optional capabilities */ 1591 rsn->rsn_caps = LE_READ_2(frm); 1592 1593 return 0; 1594 } 1595 1596 /* 1597 * Convert an RSN cipher selector OUI to an internal 1598 * cipher algorithm. Where appropriate we also 1599 * record any key length. 1600 */ 1601 static int 1602 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1603 { 1604 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1605 u_int32_t w = LE_READ_4(sel); 1606 1607 switch (w) { 1608 case RSN_SEL(RSN_CSE_NULL): 1609 return IEEE80211_CIPHER_NONE; 1610 case RSN_SEL(RSN_CSE_WEP40): 1611 if (keylen) 1612 *keylen = 40 / NBBY; 1613 return IEEE80211_CIPHER_WEP; 1614 case RSN_SEL(RSN_CSE_WEP104): 1615 if (keylen) 1616 *keylen = 104 / NBBY; 1617 return IEEE80211_CIPHER_WEP; 1618 case RSN_SEL(RSN_CSE_TKIP): 1619 return IEEE80211_CIPHER_TKIP; 1620 case RSN_SEL(RSN_CSE_CCMP): 1621 return IEEE80211_CIPHER_AES_CCM; 1622 case RSN_SEL(RSN_CSE_WRAP): 1623 return IEEE80211_CIPHER_AES_OCB; 1624 } 1625 return 32; /* NB: so 1<< is discarded */ 1626 #undef WPA_SEL 1627 } 1628 1629 /* 1630 * Convert an RSN key management/authentication algorithm 1631 * to an internal code. 1632 */ 1633 static int 1634 rsn_keymgmt(u_int8_t *sel) 1635 { 1636 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1637 u_int32_t w = LE_READ_4(sel); 1638 1639 switch (w) { 1640 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1641 return RSN_ASE_8021X_UNSPEC; 1642 case RSN_SEL(RSN_ASE_8021X_PSK): 1643 return RSN_ASE_8021X_PSK; 1644 case RSN_SEL(RSN_ASE_NONE): 1645 return RSN_ASE_NONE; 1646 } 1647 return 0; /* NB: so is discarded */ 1648 #undef RSN_SEL 1649 } 1650 1651 /* 1652 * Parse a WPA/RSN information element to collect parameters 1653 * and validate the parameters against what has been 1654 * configured for the system. 1655 */ 1656 static int 1657 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1658 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1659 { 1660 u_int8_t len = frm[1]; 1661 u_int32_t w; 1662 int n; 1663 1664 /* 1665 * Check the length once for fixed parts: 1666 * version, mcast cipher, and 2 selector counts. 1667 * Other, variable-length data, must be checked separately. 1668 */ 1669 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1670 IEEE80211_DISCARD_IE(ic, 1671 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1672 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1673 return IEEE80211_REASON_IE_INVALID; 1674 } 1675 if (len < 10) { 1676 IEEE80211_DISCARD_IE(ic, 1677 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1678 wh, "RSN", "too short, len %u", len); 1679 return IEEE80211_REASON_IE_INVALID; 1680 } 1681 frm += 2; 1682 w = LE_READ_2(frm); 1683 if (w != RSN_VERSION) { 1684 IEEE80211_DISCARD_IE(ic, 1685 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1686 wh, "RSN", "bad version %u", w); 1687 return IEEE80211_REASON_IE_INVALID; 1688 } 1689 frm += 2, len -= 2; 1690 1691 /* multicast/group cipher */ 1692 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1693 if (w != rsn->rsn_mcastcipher) { 1694 IEEE80211_DISCARD_IE(ic, 1695 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1696 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1697 w, rsn->rsn_mcastcipher); 1698 return IEEE80211_REASON_IE_INVALID; 1699 } 1700 frm += 4, len -= 4; 1701 1702 /* unicast ciphers */ 1703 n = LE_READ_2(frm); 1704 frm += 2, len -= 2; 1705 if (len < n*4+2) { 1706 IEEE80211_DISCARD_IE(ic, 1707 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1708 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1709 len, n); 1710 return IEEE80211_REASON_IE_INVALID; 1711 } 1712 w = 0; 1713 for (; n > 0; n--) { 1714 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1715 frm += 4, len -= 4; 1716 } 1717 w &= rsn->rsn_ucastcipherset; 1718 if (w == 0) { 1719 IEEE80211_DISCARD_IE(ic, 1720 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1721 wh, "RSN", "%s", "ucast cipher set empty"); 1722 return IEEE80211_REASON_IE_INVALID; 1723 } 1724 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1725 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1726 else 1727 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1728 1729 /* key management algorithms */ 1730 n = LE_READ_2(frm); 1731 frm += 2, len -= 2; 1732 if (len < n*4) { 1733 IEEE80211_DISCARD_IE(ic, 1734 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1735 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1736 len, n); 1737 return IEEE80211_REASON_IE_INVALID; 1738 } 1739 w = 0; 1740 for (; n > 0; n--) { 1741 w |= rsn_keymgmt(frm); 1742 frm += 4, len -= 4; 1743 } 1744 w &= rsn->rsn_keymgmtset; 1745 if (w == 0) { 1746 IEEE80211_DISCARD_IE(ic, 1747 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1748 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1749 return IEEE80211_REASON_IE_INVALID; 1750 } 1751 if (w & RSN_ASE_8021X_UNSPEC) 1752 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1753 else 1754 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1755 1756 /* optional RSN capabilities */ 1757 if (len > 2) 1758 rsn->rsn_caps = LE_READ_2(frm); 1759 /* XXXPMKID */ 1760 1761 return 0; 1762 } 1763 1764 static int 1765 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1766 const struct ieee80211_frame *wh) 1767 { 1768 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1769 struct ieee80211_wme_state *wme = &ic->ic_wme; 1770 u_int len = frm[1], qosinfo; 1771 int i; 1772 1773 if (len < sizeof(struct ieee80211_wme_param)-2) { 1774 IEEE80211_DISCARD_IE(ic, 1775 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1776 wh, "WME", "too short, len %u", len); 1777 return -1; 1778 } 1779 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1780 qosinfo &= WME_QOSINFO_COUNT; 1781 /* XXX do proper check for wraparound */ 1782 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1783 return 0; 1784 frm += offsetof(struct ieee80211_wme_param, params_acParams); 1785 for (i = 0; i < WME_NUM_AC; i++) { 1786 struct wmeParams *wmep = 1787 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1788 /* NB: ACI not used */ 1789 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1790 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1791 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1792 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1793 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1794 frm += 4; 1795 } 1796 wme->wme_wmeChanParams.cap_info = qosinfo; 1797 return 1; 1798 #undef MS 1799 } 1800 1801 void 1802 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1803 { 1804 u_int ielen = ie[1]+2; 1805 /* 1806 * Record information element for later use. 1807 */ 1808 if (*iep == NULL || (*iep)[1] != ie[1]) { 1809 if (*iep != NULL) 1810 free(*iep, M_DEVBUF); 1811 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1812 } 1813 if (*iep != NULL) 1814 memcpy(*iep, ie, ielen); 1815 /* XXX note failure */ 1816 } 1817 1818 static void 1819 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1820 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1821 u_int32_t rstamp) 1822 { 1823 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1824 /* 1825 * Create a new entry in the neighbor table. 1826 * Records the TSF. 1827 */ 1828 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1829 return; 1830 } else if (ni->ni_capinfo == 0) { 1831 /* 1832 * Initialize a node that was "faked up." Records 1833 * the TSF. 1834 * 1835 * No need to check for a change of BSSID: ni could 1836 * not have been the IBSS (ic_bss) 1837 */ 1838 ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1839 } else { 1840 /* Record TSF for potential resync. */ 1841 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp)); 1842 } 1843 1844 ni->ni_rssi = rssi; 1845 ni->ni_rstamp = rstamp; 1846 1847 /* Mark a neighbor's change of BSSID. */ 1848 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 1849 return; 1850 1851 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1852 1853 if (ni != ic->ic_bss) 1854 return; 1855 else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 1856 /* 1857 * Now, ni does not represent a network we 1858 * want to belong to, so start a scan. 1859 */ 1860 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1861 return; 1862 } else { 1863 /* 1864 * A RUN->RUN transition lets the driver 1865 * reprogram its BSSID filter. 1866 * 1867 * No need to SCAN, we already belong to 1868 * an IBSS that meets our criteria: channel, 1869 * SSID, etc. It could be harmful to scan, 1870 * too: if a scan does not detect nodes 1871 * belonging to my current IBSS, then we 1872 * will create a new IBSS at the end of 1873 * the scan, needlessly splitting the 1874 * network. 1875 */ 1876 ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 1877 } 1878 } 1879 1880 void 1881 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1882 struct ieee80211_node *ni, 1883 int subtype, int rssi, u_int32_t rstamp) 1884 { 1885 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1886 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1887 struct ieee80211_frame *wh; 1888 u_int8_t *frm, *efrm; 1889 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1890 int reassoc, resp, allocbs; 1891 u_int8_t rate; 1892 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1893 1894 wh = mtod(m0, struct ieee80211_frame *); 1895 frm = (u_int8_t *)&wh[1]; 1896 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1897 switch (subtype) { 1898 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1899 case IEEE80211_FC0_SUBTYPE_BEACON: { 1900 struct ieee80211_scanparams scan; 1901 1902 /* 1903 * We process beacon/probe response frames: 1904 * o when scanning, or 1905 * o station mode when associated (to collect state 1906 * updates such as 802.11g slot time), or 1907 * o adhoc mode (to discover neighbors) 1908 * Frames otherwise received are discarded. 1909 */ 1910 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1911 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1912 ic->ic_opmode == IEEE80211_M_IBSS)) { 1913 ic->ic_stats.is_rx_mgtdiscard++; 1914 return; 1915 } 1916 /* 1917 * beacon/probe response frame format 1918 * [8] time stamp 1919 * [2] beacon interval 1920 * [2] capability information 1921 * [tlv] ssid 1922 * [tlv] supported rates 1923 * [tlv] country information 1924 * [tlv] parameter set (FH/DS) 1925 * [tlv] erp information 1926 * [tlv] extended supported rates 1927 * [tlv] WME 1928 * [tlv] WPA or RSN 1929 */ 1930 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1931 memset(&scan, 0, sizeof(scan)); 1932 scan.tstamp = frm; frm += 8; 1933 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1934 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1935 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1936 scan.chan = scan.bchan; 1937 1938 while (frm < efrm) { 1939 switch (*frm) { 1940 case IEEE80211_ELEMID_SSID: 1941 scan.ssid = frm; 1942 break; 1943 case IEEE80211_ELEMID_RATES: 1944 scan.rates = frm; 1945 break; 1946 case IEEE80211_ELEMID_COUNTRY: 1947 scan.country = frm; 1948 break; 1949 case IEEE80211_ELEMID_FHPARMS: 1950 if (ic->ic_phytype == IEEE80211_T_FH) { 1951 scan.fhdwell = LE_READ_2(&frm[2]); 1952 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1953 scan.fhindex = frm[6]; 1954 } 1955 break; 1956 case IEEE80211_ELEMID_DSPARMS: 1957 /* 1958 * XXX hack this since depending on phytype 1959 * is problematic for multi-mode devices. 1960 */ 1961 if (ic->ic_phytype != IEEE80211_T_FH) 1962 scan.chan = frm[2]; 1963 break; 1964 case IEEE80211_ELEMID_TIM: 1965 /* XXX ATIM? */ 1966 scan.tim = frm; 1967 scan.timoff = frm - mtod(m0, u_int8_t *); 1968 break; 1969 case IEEE80211_ELEMID_IBSSPARMS: 1970 break; 1971 case IEEE80211_ELEMID_XRATES: 1972 scan.xrates = frm; 1973 break; 1974 case IEEE80211_ELEMID_ERP: 1975 if (frm[1] != 1) { 1976 IEEE80211_DISCARD_IE(ic, 1977 IEEE80211_MSG_ELEMID, wh, "ERP", 1978 "bad len %u", frm[1]); 1979 ic->ic_stats.is_rx_elem_toobig++; 1980 break; 1981 } 1982 scan.erp = frm[2]; 1983 break; 1984 case IEEE80211_ELEMID_RSN: 1985 scan.wpa = frm; 1986 break; 1987 case IEEE80211_ELEMID_VENDOR: 1988 if (iswpaoui(frm)) 1989 scan.wpa = frm; 1990 else if (iswmeparam(frm) || iswmeinfo(frm)) 1991 scan.wme = frm; 1992 /* XXX Atheros OUI support */ 1993 break; 1994 default: 1995 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1996 wh, "unhandled", 1997 "id %u, len %u", *frm, frm[1]); 1998 ic->ic_stats.is_rx_elem_unknown++; 1999 break; 2000 } 2001 frm += frm[1] + 2; 2002 } 2003 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 2004 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 2005 if ( 2006 #if IEEE80211_CHAN_MAX < 255 2007 scan.chan > IEEE80211_CHAN_MAX || 2008 #endif 2009 isclr(ic->ic_chan_active, scan.chan)) { 2010 IEEE80211_DISCARD(ic, 2011 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2012 wh, ieee80211_mgt_subtype_name[subtype >> 2013 IEEE80211_FC0_SUBTYPE_SHIFT], 2014 "invalid channel %u", scan.chan); 2015 ic->ic_stats.is_rx_badchan++; 2016 return; 2017 } 2018 if (scan.chan != scan.bchan && 2019 ic->ic_phytype != IEEE80211_T_FH) { 2020 /* 2021 * Frame was received on a channel different from the 2022 * one indicated in the DS params element id; 2023 * silently discard it. 2024 * 2025 * NB: this can happen due to signal leakage. 2026 * But we should take it for FH phy because 2027 * the rssi value should be correct even for 2028 * different hop pattern in FH. 2029 */ 2030 IEEE80211_DISCARD(ic, 2031 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2032 wh, ieee80211_mgt_subtype_name[subtype >> 2033 IEEE80211_FC0_SUBTYPE_SHIFT], 2034 "for off-channel %u", scan.chan); 2035 ic->ic_stats.is_rx_chanmismatch++; 2036 return; 2037 } 2038 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 2039 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 2040 IEEE80211_DISCARD(ic, 2041 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2042 wh, ieee80211_mgt_subtype_name[subtype >> 2043 IEEE80211_FC0_SUBTYPE_SHIFT], 2044 "bogus beacon interval", scan.bintval); 2045 ic->ic_stats.is_rx_badbintval++; 2046 return; 2047 } 2048 2049 if (ni != ic->ic_bss) { 2050 ni = ieee80211_refine_node_for_beacon(ic, ni, 2051 &ic->ic_channels[scan.chan], scan.ssid); 2052 } 2053 /* 2054 * Count frame now that we know it's to be processed. 2055 */ 2056 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2057 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2058 IEEE80211_NODE_STAT(ni, rx_beacons); 2059 } else 2060 IEEE80211_NODE_STAT(ni, rx_proberesp); 2061 2062 /* 2063 * When operating in station mode, check for state updates. 2064 * Be careful to ignore beacons received while doing a 2065 * background scan. We consider only 11g/WMM stuff right now. 2066 */ 2067 if (ic->ic_opmode == IEEE80211_M_STA && 2068 ni->ni_associd != 0 && 2069 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2070 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2071 /* record tsf of last beacon */ 2072 memcpy(ni->ni_tstamp.data, scan.tstamp, 2073 sizeof(ni->ni_tstamp)); 2074 if (ni->ni_erp != scan.erp) { 2075 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2076 "[%s] erp change: was 0x%x, now 0x%x\n", 2077 ether_snprintf(ebuf, sizeof(ebuf), 2078 wh->i_addr2), ni->ni_erp, scan.erp); 2079 if (ic->ic_curmode == IEEE80211_MODE_11G && 2080 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2081 ic->ic_flags |= IEEE80211_F_USEPROT; 2082 else 2083 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2084 ni->ni_erp = scan.erp; 2085 /* XXX statistic */ 2086 } 2087 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2088 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2089 "[%s] capabilities change: before 0x%x," 2090 " now 0x%x\n", 2091 ether_snprintf(ebuf, sizeof(ebuf), 2092 wh->i_addr2), 2093 ni->ni_capinfo, scan.capinfo); 2094 /* 2095 * NB: we assume short preamble doesn't 2096 * change dynamically 2097 */ 2098 ieee80211_set_shortslottime(ic, 2099 ic->ic_curmode == IEEE80211_MODE_11A || 2100 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2101 ni->ni_capinfo = scan.capinfo; 2102 /* XXX statistic */ 2103 } 2104 if (scan.wme != NULL && 2105 (ni->ni_flags & IEEE80211_NODE_QOS) && 2106 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2107 ieee80211_wme_updateparams(ic); 2108 if (scan.tim != NULL) { 2109 struct ieee80211_tim_ie *ie = 2110 (struct ieee80211_tim_ie *) scan.tim; 2111 2112 ni->ni_dtim_count = ie->tim_count; 2113 ni->ni_dtim_period = ie->tim_period; 2114 } 2115 if (ic->ic_flags & IEEE80211_F_SCAN) 2116 ieee80211_add_scan(ic, &scan, wh, 2117 subtype, rssi, rstamp); 2118 ic->ic_bmiss_count = 0; 2119 return; 2120 } 2121 /* 2122 * If scanning, just pass information to the scan module. 2123 */ 2124 if (ic->ic_flags & IEEE80211_F_SCAN) { 2125 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2126 /* 2127 * Actively scanning a channel marked passive; 2128 * send a probe request now that we know there 2129 * is 802.11 traffic present. 2130 * 2131 * XXX check if the beacon we recv'd gives 2132 * us what we need and suppress the probe req 2133 */ 2134 ieee80211_probe_curchan(ic, 1); 2135 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2136 } 2137 ieee80211_add_scan(ic, &scan, wh, 2138 subtype, rssi, rstamp); 2139 return; 2140 } 2141 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) 2142 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, 2143 rstamp); 2144 break; 2145 } 2146 2147 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2148 if (ic->ic_opmode == IEEE80211_M_STA || 2149 ic->ic_state != IEEE80211_S_RUN) { 2150 ic->ic_stats.is_rx_mgtdiscard++; 2151 return; 2152 } 2153 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2154 /* frame must be directed */ 2155 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2156 return; 2157 } 2158 2159 /* 2160 * prreq frame format 2161 * [tlv] ssid 2162 * [tlv] supported rates 2163 * [tlv] extended supported rates 2164 */ 2165 ssid = rates = xrates = NULL; 2166 while (frm < efrm) { 2167 switch (*frm) { 2168 case IEEE80211_ELEMID_SSID: 2169 ssid = frm; 2170 break; 2171 case IEEE80211_ELEMID_RATES: 2172 rates = frm; 2173 break; 2174 case IEEE80211_ELEMID_XRATES: 2175 xrates = frm; 2176 break; 2177 } 2178 frm += frm[1] + 2; 2179 } 2180 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2181 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2182 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2183 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2184 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2185 wh, ieee80211_mgt_subtype_name[subtype >> 2186 IEEE80211_FC0_SUBTYPE_SHIFT], 2187 "%s", "no ssid with ssid suppression enabled"); 2188 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2189 return; 2190 } 2191 2192 if (ni == ic->ic_bss) { 2193 if (ic->ic_opmode != IEEE80211_M_IBSS) 2194 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2195 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) 2196 ; 2197 else { 2198 /* 2199 * XXX Cannot tell if the sender is operating 2200 * in ibss mode. But we need a new node to 2201 * send the response so blindly add them to the 2202 * neighbor table. 2203 */ 2204 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2205 wh->i_addr2); 2206 } 2207 if (ni == NULL) 2208 return; 2209 allocbs = 1; 2210 } else 2211 allocbs = 0; 2212 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2213 "[%s] recv probe req\n", ether_snprintf( 2214 ebuf, sizeof(ebuf), wh->i_addr2)); 2215 ni->ni_rssi = rssi; 2216 ni->ni_rstamp = rstamp; 2217 rate = ieee80211_setup_rates(ni, rates, xrates, 2218 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE 2219 | IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2220 if (rate & IEEE80211_RATE_BASIC) { 2221 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2222 wh, ieee80211_mgt_subtype_name[subtype >> 2223 IEEE80211_FC0_SUBTYPE_SHIFT], 2224 "%s", "recv'd rate set invalid"); 2225 } else { 2226 IEEE80211_SEND_MGMT(ic, ni, 2227 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2228 } 2229 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2230 /* reclaim immediately */ 2231 ieee80211_free_node(ni); 2232 } 2233 break; 2234 2235 case IEEE80211_FC0_SUBTYPE_AUTH: { 2236 u_int16_t algo, seq, status; 2237 /* 2238 * auth frame format 2239 * [2] algorithm 2240 * [2] sequence 2241 * [2] status 2242 * [tlv*] challenge 2243 */ 2244 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2245 algo = le16toh(*(u_int16_t *)frm); 2246 seq = le16toh(*(u_int16_t *)(frm + 2)); 2247 status = le16toh(*(u_int16_t *)(frm + 4)); 2248 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2249 "[%s] recv auth frame with algorithm %d seq %d\n", 2250 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq); 2251 /* 2252 * Consult the ACL policy module if setup. 2253 */ 2254 if (ic->ic_acl != NULL && 2255 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2256 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2257 wh, "auth", "%s", "disallowed by ACL"); 2258 ic->ic_stats.is_rx_acl++; 2259 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2260 IEEE80211_SEND_MGMT(ic, ni, 2261 IEEE80211_FC0_SUBTYPE_AUTH, 2262 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2263 } 2264 return; 2265 } 2266 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2267 IEEE80211_DISCARD(ic, 2268 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2269 wh, "auth", "%s", "TKIP countermeasures enabled"); 2270 ic->ic_stats.is_rx_auth_countermeasures++; 2271 #ifndef IEEE80211_NO_HOSTAP 2272 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2273 IEEE80211_SEND_MGMT(ic, ni, 2274 IEEE80211_FC0_SUBTYPE_AUTH, 2275 IEEE80211_REASON_MIC_FAILURE); 2276 } 2277 #endif /* !IEEE80211_NO_HOSTAP */ 2278 return; 2279 } 2280 if (algo == IEEE80211_AUTH_ALG_SHARED) 2281 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2282 rstamp, seq, status); 2283 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2284 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2285 status); 2286 else { 2287 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2288 wh, "auth", "unsupported alg %d", algo); 2289 ic->ic_stats.is_rx_auth_unsupported++; 2290 #ifndef IEEE80211_NO_HOSTAP 2291 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2292 /* XXX not right */ 2293 IEEE80211_SEND_MGMT(ic, ni, 2294 IEEE80211_FC0_SUBTYPE_AUTH, 2295 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2296 } 2297 #endif /* !IEEE80211_NO_HOSTAP */ 2298 return; 2299 } 2300 break; 2301 } 2302 2303 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2304 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2305 u_int16_t capinfo, lintval; 2306 struct ieee80211_rsnparms rsn; 2307 u_int8_t reason; 2308 2309 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2310 ic->ic_state != IEEE80211_S_RUN) { 2311 ic->ic_stats.is_rx_mgtdiscard++; 2312 return; 2313 } 2314 2315 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2316 reassoc = 1; 2317 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2318 } else { 2319 reassoc = 0; 2320 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2321 } 2322 /* 2323 * asreq frame format 2324 * [2] capability information 2325 * [2] listen interval 2326 * [6*] current AP address (reassoc only) 2327 * [tlv] ssid 2328 * [tlv] supported rates 2329 * [tlv] extended supported rates 2330 * [tlv] WPA or RSN 2331 */ 2332 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2333 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2334 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2335 wh, ieee80211_mgt_subtype_name[subtype >> 2336 IEEE80211_FC0_SUBTYPE_SHIFT], 2337 "%s", "wrong bssid"); 2338 ic->ic_stats.is_rx_assoc_bss++; 2339 return; 2340 } 2341 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2342 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2343 if (reassoc) 2344 frm += 6; /* ignore current AP info */ 2345 ssid = rates = xrates = wpa = wme = NULL; 2346 while (frm < efrm) { 2347 switch (*frm) { 2348 case IEEE80211_ELEMID_SSID: 2349 ssid = frm; 2350 break; 2351 case IEEE80211_ELEMID_RATES: 2352 rates = frm; 2353 break; 2354 case IEEE80211_ELEMID_XRATES: 2355 xrates = frm; 2356 break; 2357 /* XXX verify only one of RSN and WPA ie's? */ 2358 case IEEE80211_ELEMID_RSN: 2359 wpa = frm; 2360 break; 2361 case IEEE80211_ELEMID_VENDOR: 2362 if (iswpaoui(frm)) 2363 wpa = frm; 2364 else if (iswmeinfo(frm)) 2365 wme = frm; 2366 /* XXX Atheros OUI support */ 2367 break; 2368 } 2369 frm += frm[1] + 2; 2370 } 2371 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2372 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2373 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2374 2375 if (ni == ic->ic_bss) { 2376 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2377 "[%s] deny %s request, sta not authenticated\n", 2378 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2379 reassoc ? "reassoc" : "assoc"); 2380 ieee80211_send_error(ic, ni, wh->i_addr2, 2381 IEEE80211_FC0_SUBTYPE_DEAUTH, 2382 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2383 ic->ic_stats.is_rx_assoc_notauth++; 2384 return; 2385 } 2386 /* assert right associstion security credentials */ 2387 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2388 IEEE80211_DPRINTF(ic, 2389 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2390 "[%s] no WPA/RSN IE in association request\n", 2391 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2392 IEEE80211_SEND_MGMT(ic, ni, 2393 IEEE80211_FC0_SUBTYPE_DEAUTH, 2394 IEEE80211_REASON_RSN_REQUIRED); 2395 ieee80211_node_leave(ic, ni); 2396 /* XXX distinguish WPA/RSN? */ 2397 ic->ic_stats.is_rx_assoc_badwpaie++; 2398 return; 2399 } 2400 if (wpa != NULL) { 2401 /* 2402 * Parse WPA information element. Note that 2403 * we initialize the param block from the node 2404 * state so that information in the IE overrides 2405 * our defaults. The resulting parameters are 2406 * installed below after the association is assured. 2407 */ 2408 rsn = ni->ni_rsn; 2409 if (wpa[0] != IEEE80211_ELEMID_RSN) 2410 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2411 else 2412 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2413 if (reason != 0) { 2414 IEEE80211_SEND_MGMT(ic, ni, 2415 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2416 ieee80211_node_leave(ic, ni); 2417 /* XXX distinguish WPA/RSN? */ 2418 ic->ic_stats.is_rx_assoc_badwpaie++; 2419 return; 2420 } 2421 IEEE80211_DPRINTF(ic, 2422 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2423 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2424 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2425 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2426 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2427 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2428 rsn.rsn_keymgmt, rsn.rsn_caps); 2429 } 2430 /* discard challenge after association */ 2431 if (ni->ni_challenge != NULL) { 2432 free(ni->ni_challenge, M_DEVBUF); 2433 ni->ni_challenge = NULL; 2434 } 2435 /* NB: 802.11 spec says to ignore station's privacy bit */ 2436 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2437 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2438 "[%s] deny %s request, capability mismatch 0x%x\n", 2439 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2440 reassoc ? "reassoc" : "assoc", capinfo); 2441 IEEE80211_SEND_MGMT(ic, ni, resp, 2442 IEEE80211_STATUS_CAPINFO); 2443 ieee80211_node_leave(ic, ni); 2444 ic->ic_stats.is_rx_assoc_capmismatch++; 2445 return; 2446 } 2447 rate = ieee80211_setup_rates(ni, rates, xrates, 2448 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2449 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2450 /* 2451 * If constrained to 11g-only stations reject an 2452 * 11b-only station. We cheat a bit here by looking 2453 * at the max negotiated xmit rate and assuming anyone 2454 * with a best rate <24Mb/s is an 11b station. 2455 */ 2456 if ((rate & IEEE80211_RATE_BASIC) || 2457 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2458 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2459 "[%s] deny %s request, rate set mismatch\n", 2460 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2461 reassoc ? "reassoc" : "assoc"); 2462 IEEE80211_SEND_MGMT(ic, ni, resp, 2463 IEEE80211_STATUS_BASIC_RATE); 2464 ieee80211_node_leave(ic, ni); 2465 ic->ic_stats.is_rx_assoc_norate++; 2466 return; 2467 } 2468 ni->ni_rssi = rssi; 2469 ni->ni_rstamp = rstamp; 2470 ni->ni_intval = lintval; 2471 ni->ni_capinfo = capinfo; 2472 ni->ni_chan = ic->ic_bss->ni_chan; 2473 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2474 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2475 if (wpa != NULL) { 2476 /* 2477 * Record WPA/RSN parameters for station, mark 2478 * node as using WPA and record information element 2479 * for applications that require it. 2480 */ 2481 ni->ni_rsn = rsn; 2482 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2483 } else if (ni->ni_wpa_ie != NULL) { 2484 /* 2485 * Flush any state from a previous association. 2486 */ 2487 free(ni->ni_wpa_ie, M_DEVBUF); 2488 ni->ni_wpa_ie = NULL; 2489 } 2490 if (wme != NULL) { 2491 /* 2492 * Record WME parameters for station, mark node 2493 * as capable of QoS and record information 2494 * element for applications that require it. 2495 */ 2496 ieee80211_saveie(&ni->ni_wme_ie, wme); 2497 ni->ni_flags |= IEEE80211_NODE_QOS; 2498 } else if (ni->ni_wme_ie != NULL) { 2499 /* 2500 * Flush any state from a previous association. 2501 */ 2502 free(ni->ni_wme_ie, M_DEVBUF); 2503 ni->ni_wme_ie = NULL; 2504 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2505 } 2506 ieee80211_node_join(ic, ni, resp); 2507 break; 2508 } 2509 2510 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2511 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2512 u_int16_t capinfo, associd; 2513 u_int16_t status; 2514 2515 if (ic->ic_opmode != IEEE80211_M_STA || 2516 ic->ic_state != IEEE80211_S_ASSOC) { 2517 ic->ic_stats.is_rx_mgtdiscard++; 2518 return; 2519 } 2520 2521 /* 2522 * asresp frame format 2523 * [2] capability information 2524 * [2] status 2525 * [2] association ID 2526 * [tlv] supported rates 2527 * [tlv] extended supported rates 2528 * [tlv] WME 2529 */ 2530 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2531 ni = ic->ic_bss; 2532 capinfo = le16toh(*(u_int16_t *)frm); 2533 frm += 2; 2534 status = le16toh(*(u_int16_t *)frm); 2535 frm += 2; 2536 if (status != 0) { 2537 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2538 "[%s] %sassoc failed (reason %d)\n", 2539 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2540 ISREASSOC(subtype) ? "re" : "", status); 2541 if (ni != ic->ic_bss) /* XXX never true? */ 2542 ni->ni_fails++; 2543 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2544 return; 2545 } 2546 associd = le16toh(*(u_int16_t *)frm); 2547 frm += 2; 2548 2549 rates = xrates = wpa = wme = NULL; 2550 while (frm < efrm) { 2551 switch (*frm) { 2552 case IEEE80211_ELEMID_RATES: 2553 rates = frm; 2554 break; 2555 case IEEE80211_ELEMID_XRATES: 2556 xrates = frm; 2557 break; 2558 case IEEE80211_ELEMID_VENDOR: 2559 if (iswmeoui(frm)) 2560 wme = frm; 2561 /* XXX Atheros OUI support */ 2562 break; 2563 } 2564 frm += frm[1] + 2; 2565 } 2566 2567 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2568 rate = ieee80211_setup_rates(ni, rates, xrates, 2569 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2570 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2571 if (rate & IEEE80211_RATE_BASIC) { 2572 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2573 "[%s] %sassoc failed (rate set mismatch)\n", 2574 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2575 ISREASSOC(subtype) ? "re" : ""); 2576 if (ni != ic->ic_bss) /* XXX never true? */ 2577 ni->ni_fails++; 2578 ic->ic_stats.is_rx_assoc_norate++; 2579 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2580 return; 2581 } 2582 2583 ni->ni_capinfo = capinfo; 2584 ni->ni_associd = associd; 2585 if (wme != NULL && 2586 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2587 ni->ni_flags |= IEEE80211_NODE_QOS; 2588 ieee80211_wme_updateparams(ic); 2589 } else 2590 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2591 /* 2592 * Configure state now that we are associated. 2593 * 2594 * XXX may need different/additional driver callbacks? 2595 */ 2596 if (ic->ic_curmode == IEEE80211_MODE_11A || 2597 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2598 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2599 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2600 } else { 2601 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2602 ic->ic_flags |= IEEE80211_F_USEBARKER; 2603 } 2604 ieee80211_set_shortslottime(ic, 2605 ic->ic_curmode == IEEE80211_MODE_11A || 2606 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2607 /* 2608 * Honor ERP protection. 2609 * 2610 * NB: ni_erp should zero for non-11g operation. 2611 * XXX check ic_curmode anyway? 2612 */ 2613 if (ic->ic_curmode == IEEE80211_MODE_11G && 2614 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2615 ic->ic_flags |= IEEE80211_F_USEPROT; 2616 else 2617 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2618 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2619 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2620 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2621 ISREASSOC(subtype) ? "re" : "", 2622 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2623 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2624 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2625 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2626 ); 2627 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2628 break; 2629 } 2630 2631 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2632 u_int16_t reason; 2633 2634 if (ic->ic_state == IEEE80211_S_SCAN) { 2635 ic->ic_stats.is_rx_mgtdiscard++; 2636 return; 2637 } 2638 /* 2639 * deauth frame format 2640 * [2] reason 2641 */ 2642 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2643 reason = le16toh(*(u_int16_t *)frm); 2644 __USE(reason); 2645 ic->ic_stats.is_rx_deauth++; 2646 IEEE80211_NODE_STAT(ni, rx_deauth); 2647 2648 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2649 /* Not intended for this station. */ 2650 ic->ic_stats.is_rx_mgtdiscard++; 2651 break; 2652 } 2653 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2654 "[%s] recv deauthenticate (reason %d)\n", 2655 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2656 switch (ic->ic_opmode) { 2657 case IEEE80211_M_STA: 2658 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2659 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2660 break; 2661 case IEEE80211_M_HOSTAP: 2662 #ifndef IEEE80211_NO_HOSTAP 2663 if (ni != ic->ic_bss) 2664 ieee80211_node_leave(ic, ni); 2665 #endif /* !IEEE80211_NO_HOSTAP */ 2666 break; 2667 default: 2668 ic->ic_stats.is_rx_mgtdiscard++; 2669 break; 2670 } 2671 break; 2672 } 2673 2674 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2675 u_int16_t reason; 2676 2677 if (ic->ic_state != IEEE80211_S_RUN && 2678 ic->ic_state != IEEE80211_S_ASSOC && 2679 ic->ic_state != IEEE80211_S_AUTH) { 2680 ic->ic_stats.is_rx_mgtdiscard++; 2681 return; 2682 } 2683 /* 2684 * disassoc frame format 2685 * [2] reason 2686 */ 2687 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2688 reason = le16toh(*(u_int16_t *)frm); 2689 __USE(reason); 2690 ic->ic_stats.is_rx_disassoc++; 2691 IEEE80211_NODE_STAT(ni, rx_disassoc); 2692 2693 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2694 /* Not intended for this station. */ 2695 ic->ic_stats.is_rx_mgtdiscard++; 2696 break; 2697 } 2698 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2699 "[%s] recv disassociate (reason %d)\n", 2700 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2701 switch (ic->ic_opmode) { 2702 case IEEE80211_M_STA: 2703 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2704 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2705 break; 2706 case IEEE80211_M_HOSTAP: 2707 #ifndef IEEE80211_NO_HOSTAP 2708 if (ni != ic->ic_bss) 2709 ieee80211_node_leave(ic, ni); 2710 #endif /* !IEEE80211_NO_HOSTAP */ 2711 break; 2712 default: 2713 ic->ic_stats.is_rx_mgtdiscard++; 2714 break; 2715 } 2716 break; 2717 } 2718 default: 2719 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2720 wh, "mgt", "subtype 0x%x not handled", subtype); 2721 ic->ic_stats.is_rx_badsubtype++; 2722 break; 2723 } 2724 #undef ISREASSOC 2725 #undef ISPROBE 2726 } 2727 #undef IEEE80211_VERIFY_LENGTH 2728 #undef IEEE80211_VERIFY_ELEMENT 2729 2730 #ifndef IEEE80211_NO_HOSTAP 2731 /* 2732 * Handle station power-save state change. 2733 */ 2734 static void 2735 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2736 { 2737 struct ieee80211com *ic = ni->ni_ic; 2738 struct mbuf *m; 2739 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2740 2741 if (enable) { 2742 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2743 ic->ic_ps_sta++; 2744 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2745 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2746 "[%s] power save mode on, %u sta's in ps mode\n", 2747 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2748 ic->ic_ps_sta); 2749 return; 2750 } 2751 2752 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2753 ic->ic_ps_sta--; 2754 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2755 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2756 "[%s] power save mode off, %u sta's in ps mode\n", 2757 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta); 2758 /* XXX if no stations in ps mode, flush mc frames */ 2759 2760 /* 2761 * Flush queued unicast frames. 2762 */ 2763 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2764 if (ic->ic_set_tim != NULL) 2765 ic->ic_set_tim(ni, 0); /* just in case */ 2766 return; 2767 } 2768 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2769 "[%s] flush ps queue, %u packets queued\n", 2770 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2771 IEEE80211_NODE_SAVEQ_QLEN(ni)); 2772 for (;;) { 2773 int qlen; 2774 2775 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2776 if (m == NULL) 2777 break; 2778 /* 2779 * If this is the last packet, turn off the TIM bit. 2780 * If there are more packets, set the more packets bit 2781 * in the mbuf so ieee80211_encap will mark the 802.11 2782 * head to indicate more data frames will follow. 2783 */ 2784 if (qlen != 0) 2785 m->m_flags |= M_MORE_DATA; 2786 /* XXX need different driver interface */ 2787 /* XXX bypasses q max */ 2788 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2789 } 2790 if (ic->ic_set_tim != NULL) 2791 ic->ic_set_tim(ni, 0); 2792 } 2793 2794 /* 2795 * Process a received ps-poll frame. 2796 */ 2797 static void 2798 ieee80211_recv_pspoll(struct ieee80211com *ic, 2799 struct ieee80211_node *ni, struct mbuf *m0) 2800 { 2801 struct ieee80211_frame_min *wh; 2802 struct mbuf *m; 2803 u_int16_t aid; 2804 int qlen; 2805 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2806 2807 wh = mtod(m0, struct ieee80211_frame_min *); 2808 if (ni->ni_associd == 0) { 2809 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2810 (struct ieee80211_frame *) wh, "ps-poll", 2811 "%s", "unassociated station"); 2812 ic->ic_stats.is_ps_unassoc++; 2813 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2814 IEEE80211_REASON_NOT_ASSOCED); 2815 return; 2816 } 2817 2818 aid = le16toh(*(u_int16_t *)wh->i_dur); 2819 if (aid != ni->ni_associd) { 2820 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2821 (struct ieee80211_frame *) wh, "ps-poll", 2822 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2823 ni->ni_associd, aid); 2824 ic->ic_stats.is_ps_badaid++; 2825 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2826 IEEE80211_REASON_NOT_ASSOCED); 2827 return; 2828 } 2829 2830 /* Okay, take the first queued packet and put it out... */ 2831 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2832 if (m == NULL) { 2833 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2834 "[%s] recv ps-poll, but queue empty\n", 2835 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2836 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2837 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2838 if (ic->ic_set_tim != NULL) 2839 ic->ic_set_tim(ni, 0); /* just in case */ 2840 return; 2841 } 2842 /* 2843 * If there are more packets, set the more packets bit 2844 * in the packet dispatched to the station; otherwise 2845 * turn off the TIM bit. 2846 */ 2847 if (qlen != 0) { 2848 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2849 "[%s] recv ps-poll, send packet, %u still queued\n", 2850 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen); 2851 m->m_flags |= M_MORE_DATA; 2852 } else { 2853 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2854 "[%s] recv ps-poll, send packet, queue empty\n", 2855 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 2856 if (ic->ic_set_tim != NULL) 2857 ic->ic_set_tim(ni, 0); 2858 } 2859 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2860 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2861 } 2862 #endif /* !IEEE80211_NO_HOSTAP */ 2863 2864 #ifdef IEEE80211_DEBUG 2865 /* 2866 * Debugging support. 2867 */ 2868 2869 /* 2870 * Return the bssid of a frame. 2871 */ 2872 static const u_int8_t * 2873 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2874 { 2875 if (ic->ic_opmode == IEEE80211_M_STA) 2876 return wh->i_addr2; 2877 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2878 return wh->i_addr1; 2879 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2880 return wh->i_addr1; 2881 return wh->i_addr3; 2882 } 2883 2884 void 2885 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2886 { 2887 char buf[128]; /* XXX */ 2888 va_list ap; 2889 2890 va_start(ap, fmt); 2891 vsnprintf(buf, sizeof(buf), fmt, ap); 2892 va_end(ap); 2893 2894 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2895 } 2896 2897 void 2898 ieee80211_note_frame(struct ieee80211com *ic, 2899 const struct ieee80211_frame *wh, 2900 const char *fmt, ...) 2901 { 2902 char buf[128]; /* XXX */ 2903 va_list ap; 2904 char ebuf[3 * ETHER_ADDR_LEN]; 2905 2906 va_start(ap, fmt); 2907 vsnprintf(buf, sizeof(buf), fmt, ap); 2908 va_end(ap); 2909 if_printf(ic->ic_ifp, "[%s] %s\n", 2910 ether_snprintf(ebuf, sizeof(ebuf), 2911 ieee80211_getbssid(ic, wh)), buf); 2912 } 2913 2914 void 2915 ieee80211_note_mac(struct ieee80211com *ic, 2916 const u_int8_t mac[IEEE80211_ADDR_LEN], 2917 const char *fmt, ...) 2918 { 2919 char buf[128]; /* XXX */ 2920 va_list ap; 2921 char ebuf[3 * ETHER_ADDR_LEN]; 2922 2923 va_start(ap, fmt); 2924 vsnprintf(buf, sizeof(buf), fmt, ap); 2925 va_end(ap); 2926 if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf), 2927 mac), buf); 2928 } 2929 2930 static void 2931 ieee80211_discard_frame(struct ieee80211com *ic, 2932 const struct ieee80211_frame *wh, 2933 const char *type, const char *fmt, ...) 2934 { 2935 va_list ap; 2936 char ebuf[3 * ETHER_ADDR_LEN]; 2937 2938 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2939 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2940 if (type != NULL) 2941 printf("%s frame, ", type); 2942 else 2943 printf("frame, "); 2944 va_start(ap, fmt); 2945 vprintf(fmt, ap); 2946 va_end(ap); 2947 printf("\n"); 2948 } 2949 2950 static void 2951 ieee80211_discard_ie(struct ieee80211com *ic, 2952 const struct ieee80211_frame *wh, 2953 const char *type, const char *fmt, ...) 2954 { 2955 va_list ap; 2956 char ebuf[3 * ETHER_ADDR_LEN]; 2957 2958 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2959 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2960 if (type != NULL) 2961 printf("%s information element, ", type); 2962 else 2963 printf("information element, "); 2964 va_start(ap, fmt); 2965 vprintf(fmt, ap); 2966 va_end(ap); 2967 printf("\n"); 2968 } 2969 2970 static void 2971 ieee80211_discard_mac(struct ieee80211com *ic, 2972 const u_int8_t mac[IEEE80211_ADDR_LEN], 2973 const char *type, const char *fmt, ...) 2974 { 2975 va_list ap; 2976 char ebuf[3 * ETHER_ADDR_LEN]; 2977 2978 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2979 ether_snprintf(ebuf, sizeof(ebuf), mac)); 2980 if (type != NULL) 2981 printf("%s frame, ", type); 2982 else 2983 printf("frame, "); 2984 va_start(ap, fmt); 2985 vprintf(fmt, ap); 2986 va_end(ap); 2987 printf("\n"); 2988 } 2989 #endif /* IEEE80211_DEBUG */ 2990