1 /* $NetBSD: ieee80211_input.c,v 1.91 2017/12/10 08:56:23 maxv Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.91 2017/12/10 08:56:23 maxv Exp $"); 40 #endif 41 42 #ifdef _KERNEL_OPT 43 #include "opt_inet.h" 44 #endif 45 46 #ifdef __NetBSD__ 47 #endif /* __NetBSD__ */ 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/malloc.h> 53 #include <sys/endian.h> 54 #include <sys/kernel.h> 55 56 #include <sys/socket.h> 57 #include <sys/sockio.h> 58 #include <sys/endian.h> 59 #include <sys/errno.h> 60 #include <sys/proc.h> 61 #include <sys/sysctl.h> 62 #include <sys/cpu.h> 63 64 #include <net/if.h> 65 #include <net/if_media.h> 66 #include <net/if_arp.h> 67 #include <net/if_ether.h> 68 #include <net/if_llc.h> 69 70 #include <net80211/ieee80211_var.h> 71 72 #include <net/bpf.h> 73 74 #ifdef INET 75 #include <netinet/in.h> 76 #include <net/if_ether.h> 77 #endif 78 79 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 80 81 #ifdef IEEE80211_DEBUG 82 83 /* 84 * Decide if a received management frame should be 85 * printed when debugging is enabled. This filters some 86 * of the less interesting frames that come frequently 87 * (e.g. beacons). 88 */ 89 static __inline int 90 doprint(struct ieee80211com *ic, int subtype) 91 { 92 switch (subtype) { 93 case IEEE80211_FC0_SUBTYPE_BEACON: 94 return (ic->ic_flags & IEEE80211_F_SCAN); 95 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 96 return (ic->ic_opmode == IEEE80211_M_IBSS); 97 } 98 return 1; 99 } 100 101 /* 102 * Emit a debug message about discarding a frame or information 103 * element. One format is for extracting the mac address from 104 * the frame header; the other is for when a header is not 105 * available or otherwise appropriate. 106 */ 107 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 108 if ((_ic)->ic_debug & (_m)) \ 109 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 110 } while (0) 111 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 112 if ((_ic)->ic_debug & (_m)) \ 113 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 114 } while (0) 115 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 116 if ((_ic)->ic_debug & (_m)) \ 117 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 118 } while (0) 119 #define IEEE80211_DEBUGVAR(a) a 120 121 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 122 const struct ieee80211_frame *); 123 static void ieee80211_discard_frame(struct ieee80211com *, 124 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 125 static void ieee80211_discard_ie(struct ieee80211com *, 126 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 127 static void ieee80211_discard_mac(struct ieee80211com *, 128 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 129 const char *fmt, ...); 130 #else 131 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 132 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 133 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 134 #define IEEE80211_DEBUGVAR(a) 135 #endif /* IEEE80211_DEBUG */ 136 137 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 138 struct ieee80211_node *, struct mbuf *, int); 139 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 140 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 141 const u_int8_t *mac, int subtype, int arg); 142 static void ieee80211_deliver_data(struct ieee80211com *, 143 struct ieee80211_node *, struct mbuf *); 144 #ifndef IEEE80211_NO_HOSTAP 145 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 146 static void ieee80211_recv_pspoll(struct ieee80211com *, 147 struct ieee80211_node *, struct mbuf *); 148 #endif /* !IEEE80211_NO_HOSTAP */ 149 static void ieee80211_update_adhoc_node(struct ieee80211com *, 150 struct ieee80211_node *, struct ieee80211_frame *, 151 struct ieee80211_scanparams *, int, u_int32_t); 152 153 /* 154 * Process a received frame. The node associated with the sender 155 * should be supplied. If nothing was found in the node table then 156 * the caller is assumed to supply a reference to ic_bss instead. 157 * The RSSI and a timestamp are also supplied. The RSSI data is used 158 * during AP scanning to select a AP to associate with; it can have 159 * any units so long as values have consistent units and higher values 160 * mean ``better signal''. The receive timestamp is currently not used 161 * by the 802.11 layer. 162 */ 163 int 164 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 165 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 166 { 167 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 168 #define HAS_SEQ(type) ((type & 0x4) == 0) 169 struct ifnet *ifp = ic->ic_ifp; 170 struct ieee80211_frame *wh; 171 struct ieee80211_key *key; 172 struct ether_header *eh; 173 int hdrspace; 174 u_int8_t dir, type, subtype; 175 u_int8_t *bssid; 176 u_int16_t rxseq; 177 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 178 179 KASSERT(!cpu_intr_p()); 180 181 IASSERT(ni != NULL, ("null node")); 182 ni->ni_inact = ni->ni_inact_reload; 183 184 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 185 if (m->m_flags & M_HASFCS) { 186 m_adj(m, -IEEE80211_CRC_LEN); 187 m->m_flags &= ~M_HASFCS; 188 } 189 type = -1; /* undefined */ 190 /* 191 * In monitor mode, send everything directly to bpf. 192 * XXX may want to include the CRC 193 */ 194 if (ic->ic_opmode == IEEE80211_M_MONITOR) 195 goto out; 196 197 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 198 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 199 ni->ni_macaddr, NULL, 200 "too short (1): len %u", m->m_pkthdr.len); 201 ic->ic_stats.is_rx_tooshort++; 202 goto out; 203 } 204 /* 205 * Bit of a cheat here, we use a pointer for a 3-address 206 * frame format but don't reference fields past outside 207 * ieee80211_frame_min w/o first validating the data is 208 * present. 209 */ 210 wh = mtod(m, struct ieee80211_frame *); 211 212 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 213 IEEE80211_FC0_VERSION_0) { 214 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 215 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 216 ic->ic_stats.is_rx_badversion++; 217 goto err; 218 } 219 220 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 221 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 222 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 223 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 224 switch (ic->ic_opmode) { 225 case IEEE80211_M_STA: 226 bssid = wh->i_addr2; 227 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 228 /* not interested in */ 229 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 230 bssid, NULL, "node %s, %s", 231 ether_snprintf(ebuf, sizeof(ebuf), 232 ni->ni_bssid), "not to bss"); 233 ic->ic_stats.is_rx_wrongbss++; 234 goto out; 235 } 236 237 /* Filter out packets not directed to us in case the 238 * device is in promiscous mode 239 */ 240 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) 241 && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) { 242 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 243 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 244 ic->ic_myaddr, ":", wh->i_addr1, ":"); 245 ic->ic_stats.is_rx_wrongbss++; 246 goto out; 247 } 248 break; 249 case IEEE80211_M_IBSS: 250 case IEEE80211_M_AHDEMO: 251 case IEEE80211_M_HOSTAP: 252 if (dir != IEEE80211_FC1_DIR_NODS) 253 bssid = wh->i_addr1; 254 else if (type == IEEE80211_FC0_TYPE_CTL) 255 bssid = wh->i_addr1; 256 else { 257 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 258 IEEE80211_DISCARD_MAC(ic, 259 IEEE80211_MSG_ANY, ni->ni_macaddr, 260 NULL, "too short (2): len %u", 261 m->m_pkthdr.len); 262 ic->ic_stats.is_rx_tooshort++; 263 goto out; 264 } 265 bssid = wh->i_addr3; 266 } 267 if (type != IEEE80211_FC0_TYPE_DATA) 268 break; 269 /* 270 * Data frame, validate the bssid. 271 */ 272 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 273 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 274 /* not interested in */ 275 IEEE80211_DEBUGVAR( 276 char bbuf[3 * ETHER_ADDR_LEN]); 277 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 278 bssid, NULL, "bss %s, broadcast %s, %s", 279 ether_snprintf(ebuf, sizeof(ebuf), 280 ic->ic_bss->ni_bssid), 281 ether_snprintf(bbuf, sizeof(bbuf), 282 ifp->if_broadcastaddr), "not to bss"); 283 ic->ic_stats.is_rx_wrongbss++; 284 goto out; 285 } 286 /* 287 * For adhoc mode we cons up a node when it doesn't 288 * exist. This should probably done after an ACL check. 289 */ 290 if (ni == ic->ic_bss && 291 ic->ic_opmode != IEEE80211_M_HOSTAP && 292 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 293 /* 294 * Fake up a node for this newly 295 * discovered member of the IBSS. 296 */ 297 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 298 wh->i_addr2); 299 if (ni == NULL) { 300 /* NB: stat kept for alloc failure */ 301 goto err; 302 } 303 } 304 break; 305 default: 306 goto out; 307 } 308 ni->ni_rssi = rssi; 309 ni->ni_rstamp = rstamp; 310 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || 311 !IEEE80211_IS_MULTICAST(wh->i_addr1))) { 312 u_int8_t tid, retry; 313 u_int16_t rxno, orxno; 314 315 if (ieee80211_has_qos(wh)) { 316 tid = ((struct ieee80211_qosframe *)wh)-> 317 i_qos[0] & IEEE80211_QOS_TID; 318 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 319 ic->ic_wme.wme_hipri_traffic++; 320 tid++; 321 } else 322 tid = 0; 323 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 324 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; 325 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 326 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; 327 if (retry && ( 328 (orxno == 4095 && rxno == orxno) || 329 (orxno != 4095 && 330 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) 331 )) { 332 /* duplicate, discard */ 333 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 334 bssid, "duplicate", 335 "seqno <%u,%u> fragno <%u,%u> tid %u", 336 rxno, 337 orxno, 338 rxseq & IEEE80211_SEQ_FRAG_MASK, 339 ni->ni_rxseqs[tid] & 340 IEEE80211_SEQ_FRAG_MASK, 341 tid); 342 ic->ic_stats.is_rx_dup++; 343 IEEE80211_NODE_STAT(ni, rx_dup); 344 goto out; 345 } 346 ni->ni_rxseqs[tid] = rxseq; 347 } 348 } 349 350 switch (type) { 351 case IEEE80211_FC0_TYPE_DATA: 352 hdrspace = ieee80211_hdrspace(ic, wh); 353 if (m->m_len < hdrspace && 354 (m = m_pullup(m, hdrspace)) == NULL) { 355 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 356 ni->ni_macaddr, NULL, 357 "data too short: expecting %u", hdrspace); 358 ic->ic_stats.is_rx_tooshort++; 359 goto out; /* XXX */ 360 } 361 wh = mtod(m, struct ieee80211_frame *); 362 363 switch (ic->ic_opmode) { 364 case IEEE80211_M_STA: 365 if (dir != IEEE80211_FC1_DIR_FROMDS) { 366 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 367 wh, "data", "%s", "unknown dir 0x%x", dir); 368 ic->ic_stats.is_rx_wrongdir++; 369 goto out; 370 } 371 if ((ifp->if_flags & IFF_SIMPLEX) && 372 IEEE80211_IS_MULTICAST(wh->i_addr1) && 373 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 374 /* 375 * In IEEE802.11 network, multicast packet 376 * sent from me is broadcasted from AP. 377 * It should be silently discarded for 378 * SIMPLEX interface. 379 */ 380 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 381 wh, NULL, "%s", "multicast echo"); 382 ic->ic_stats.is_rx_mcastecho++; 383 goto out; 384 } 385 break; 386 case IEEE80211_M_IBSS: 387 case IEEE80211_M_AHDEMO: 388 if (dir != IEEE80211_FC1_DIR_NODS) { 389 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 390 wh, "data", "%s", "unknown dir 0x%x", dir); 391 ic->ic_stats.is_rx_wrongdir++; 392 goto out; 393 } 394 /* XXX no power-save support */ 395 break; 396 case IEEE80211_M_HOSTAP: 397 #ifndef IEEE80211_NO_HOSTAP 398 if (dir != IEEE80211_FC1_DIR_TODS) { 399 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 400 wh, "data", "%s", "unknown dir 0x%x", dir); 401 ic->ic_stats.is_rx_wrongdir++; 402 goto out; 403 } 404 /* check if source STA is associated */ 405 if (ni == ic->ic_bss) { 406 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 407 wh, "data", "%s", "unknown src"); 408 ieee80211_send_error(ic, ni, wh->i_addr2, 409 IEEE80211_FC0_SUBTYPE_DEAUTH, 410 IEEE80211_REASON_NOT_AUTHED); 411 ic->ic_stats.is_rx_notassoc++; 412 goto err; 413 } 414 if (ni->ni_associd == 0) { 415 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 416 wh, "data", "%s", "unassoc src"); 417 IEEE80211_SEND_MGMT(ic, ni, 418 IEEE80211_FC0_SUBTYPE_DISASSOC, 419 IEEE80211_REASON_NOT_ASSOCED); 420 ic->ic_stats.is_rx_notassoc++; 421 goto err; 422 } 423 424 /* 425 * Check for power save state change. 426 */ 427 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 428 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 429 ieee80211_node_pwrsave(ni, 430 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 431 #endif /* !IEEE80211_NO_HOSTAP */ 432 break; 433 default: 434 /* XXX here to keep compiler happy */ 435 goto out; 436 } 437 438 /* 439 * Handle privacy requirements. Note that we 440 * must not be preempted from here until after 441 * we (potentially) call ieee80211_crypto_demic; 442 * otherwise we may violate assumptions in the 443 * crypto cipher modules used to do delayed update 444 * of replay sequence numbers. 445 */ 446 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 447 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 448 /* 449 * Discard encrypted frames when privacy is off. 450 */ 451 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 452 wh, "WEP", "%s", "PRIVACY off"); 453 ic->ic_stats.is_rx_noprivacy++; 454 IEEE80211_NODE_STAT(ni, rx_noprivacy); 455 goto out; 456 } 457 key = ieee80211_crypto_decap(ic, ni, &m, hdrspace); 458 if (key == NULL) { 459 /* NB: stats+msgs handled in crypto_decap */ 460 IEEE80211_NODE_STAT(ni, rx_wepfail); 461 goto out; 462 } 463 wh = mtod(m, struct ieee80211_frame *); 464 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 465 } else { 466 key = NULL; 467 } 468 469 /* 470 * Next up, any fragmentation. 471 */ 472 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 473 m = ieee80211_defrag(ic, ni, m, hdrspace); 474 if (m == NULL) { 475 /* Fragment dropped or frame not complete yet */ 476 goto out; 477 } 478 } 479 wh = NULL; /* no longer valid, catch any uses */ 480 481 /* 482 * Next strip any MSDU crypto bits. 483 */ 484 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 485 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 486 ni->ni_macaddr, "data", "%s", "demic error"); 487 IEEE80211_NODE_STAT(ni, rx_demicfail); 488 goto out; 489 } 490 491 /* copy to listener after decrypt */ 492 bpf_mtap3(ic->ic_rawbpf, m); 493 494 /* 495 * Finally, strip the 802.11 header. 496 */ 497 m = ieee80211_decap(ic, m, hdrspace); 498 if (m == NULL) { 499 /* don't count Null data frames as errors */ 500 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 501 goto out; 502 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 503 ni->ni_macaddr, "data", "%s", "decap error"); 504 ic->ic_stats.is_rx_decap++; 505 IEEE80211_NODE_STAT(ni, rx_decap); 506 goto err; 507 } 508 eh = mtod(m, struct ether_header *); 509 if (!ieee80211_node_is_authorized(ni)) { 510 /* 511 * Deny any non-PAE frames received prior to 512 * authorization. For open/shared-key 513 * authentication the port is mark authorized 514 * after authentication completes. For 802.1x 515 * the port is not marked authorized by the 516 * authenticator until the handshake has completed. 517 */ 518 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 519 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 520 eh->ether_shost, "data", 521 "unauthorized port: ether type 0x%x len %u", 522 eh->ether_type, m->m_pkthdr.len); 523 ic->ic_stats.is_rx_unauth++; 524 IEEE80211_NODE_STAT(ni, rx_unauth); 525 goto err; 526 } 527 } else { 528 /* 529 * When denying unencrypted frames, discard 530 * any non-PAE frames received without encryption. 531 */ 532 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 533 key == NULL && 534 eh->ether_type != htons(ETHERTYPE_PAE)) { 535 /* 536 * Drop unencrypted frames. 537 */ 538 ic->ic_stats.is_rx_unencrypted++; 539 IEEE80211_NODE_STAT(ni, rx_unencrypted); 540 goto out; 541 } 542 } 543 ifp->if_ipackets++; 544 IEEE80211_NODE_STAT(ni, rx_data); 545 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 546 547 ieee80211_deliver_data(ic, ni, m); 548 return IEEE80211_FC0_TYPE_DATA; 549 550 case IEEE80211_FC0_TYPE_MGT: 551 IEEE80211_NODE_STAT(ni, rx_mgmt); 552 if (dir != IEEE80211_FC1_DIR_NODS) { 553 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 554 wh, "data", "%s", "unknown dir 0x%x", dir); 555 ic->ic_stats.is_rx_wrongdir++; 556 goto err; 557 } 558 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 559 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 560 ni->ni_macaddr, "mgt", "too short: len %u", 561 m->m_pkthdr.len); 562 ic->ic_stats.is_rx_tooshort++; 563 goto out; 564 } 565 #ifdef IEEE80211_DEBUG 566 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 567 ieee80211_msg_dumppkts(ic)) { 568 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 569 ieee80211_mgt_subtype_name[subtype >> 570 IEEE80211_FC0_SUBTYPE_SHIFT], 571 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 572 rssi); 573 } 574 #endif 575 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 576 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 577 /* 578 * Only shared key auth frames with a challenge 579 * should be encrypted, discard all others. 580 */ 581 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 582 wh, ieee80211_mgt_subtype_name[subtype >> 583 IEEE80211_FC0_SUBTYPE_SHIFT], 584 "%s", "WEP set but not permitted"); 585 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 586 goto out; 587 } 588 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 589 /* 590 * Discard encrypted frames when privacy is off. 591 */ 592 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 593 wh, "mgt", "%s", "WEP set but PRIVACY off"); 594 ic->ic_stats.is_rx_noprivacy++; 595 goto out; 596 } 597 hdrspace = ieee80211_hdrspace(ic, wh); 598 key = ieee80211_crypto_decap(ic, ni, &m, hdrspace); 599 if (key == NULL) { 600 /* NB: stats+msgs handled in crypto_decap */ 601 goto out; 602 } 603 wh = mtod(m, struct ieee80211_frame *); 604 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 605 } 606 bpf_mtap3(ic->ic_rawbpf, m); 607 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 608 m_freem(m); 609 return type; 610 611 case IEEE80211_FC0_TYPE_CTL: 612 IEEE80211_NODE_STAT(ni, rx_ctrl); 613 ic->ic_stats.is_rx_ctl++; 614 #ifndef IEEE80211_NO_HOSTAP 615 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 616 switch (subtype) { 617 case IEEE80211_FC0_SUBTYPE_PS_POLL: 618 ieee80211_recv_pspoll(ic, ni, m); 619 break; 620 } 621 } 622 #endif /* !IEEE80211_NO_HOSTAP */ 623 goto out; 624 default: 625 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 626 wh, NULL, "bad frame type 0x%x", type); 627 /* should not come here */ 628 break; 629 } 630 err: 631 ifp->if_ierrors++; 632 out: 633 if (m != NULL) { 634 bpf_mtap3(ic->ic_rawbpf, m); 635 m_freem(m); 636 } 637 return type; 638 #undef SEQ_LEQ 639 } 640 641 /* 642 * This function reassemble fragments. 643 */ 644 static struct mbuf * 645 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 646 struct mbuf *m, int hdrspace) 647 { 648 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 649 struct ieee80211_frame *lwh; 650 u_int16_t rxseq; 651 u_int8_t fragno; 652 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 653 struct mbuf *mfrag; 654 655 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 656 657 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 658 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 659 660 /* Quick way out, if there's nothing to defragment */ 661 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 662 return m; 663 664 /* 665 * Remove frag to insure it doesn't get reaped by timer. 666 */ 667 if (ni->ni_table == NULL) { 668 /* 669 * Should never happen. If the node is orphaned (not in 670 * the table) then input packets should not reach here. 671 * Otherwise, a concurrent request that yanks the table 672 * should be blocked by other interlocking and/or by first 673 * shutting the driver down. Regardless, be defensive 674 * here and just bail 675 */ 676 /* XXX need msg+stat */ 677 m_freem(m); 678 return NULL; 679 } 680 IEEE80211_NODE_LOCK(ni->ni_table); 681 mfrag = ni->ni_rxfrag[0]; 682 ni->ni_rxfrag[0] = NULL; 683 IEEE80211_NODE_UNLOCK(ni->ni_table); 684 685 /* 686 * Validate new fragment is in order and 687 * related to the previous ones. 688 */ 689 if (mfrag != NULL) { 690 u_int16_t last_rxseq; 691 692 lwh = mtod(mfrag, struct ieee80211_frame *); 693 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 694 /* NB: check seq # and frag together */ 695 if (rxseq != last_rxseq+1 || 696 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 697 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 698 /* 699 * Unrelated fragment or no space for it, 700 * clear current fragments. 701 */ 702 m_freem(mfrag); 703 mfrag = NULL; 704 } 705 } 706 707 if (mfrag == NULL) { 708 if (fragno != 0) { /* !first fragment, discard */ 709 IEEE80211_NODE_STAT(ni, rx_defrag); 710 m_freem(m); 711 return NULL; 712 } 713 mfrag = m; 714 } else { /* concatenate */ 715 m_adj(m, hdrspace); /* strip header */ 716 m_cat(mfrag, m); 717 /* NB: m_cat doesn't update the packet header */ 718 mfrag->m_pkthdr.len += m->m_pkthdr.len; 719 /* track last seqnum and fragno */ 720 lwh = mtod(mfrag, struct ieee80211_frame *); 721 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 722 } 723 if (more_frag) { /* more to come, save */ 724 ni->ni_rxfragstamp = ticks; 725 ni->ni_rxfrag[0] = mfrag; 726 mfrag = NULL; 727 } 728 return mfrag; 729 } 730 731 static void 732 ieee80211_deliver_data(struct ieee80211com *ic, 733 struct ieee80211_node *ni, struct mbuf *m) 734 { 735 struct ether_header *eh = mtod(m, struct ether_header *); 736 struct ifnet *ifp = ic->ic_ifp; 737 int error; 738 739 /* perform as a bridge within the AP */ 740 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 741 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 742 struct mbuf *m1 = NULL; 743 744 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 745 m1 = m_copypacket(m, M_DONTWAIT); 746 if (m1 == NULL) 747 ifp->if_oerrors++; 748 else 749 m1->m_flags |= M_MCAST; 750 } else { 751 /* 752 * Check if the destination is known; if so 753 * and the port is authorized dispatch directly. 754 */ 755 struct ieee80211_node *sta = 756 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 757 if (sta != NULL) { 758 if (ieee80211_node_is_authorized(sta)) { 759 /* 760 * Beware of sending to ourself; this 761 * needs to happen via the normal 762 * input path. 763 */ 764 if (sta != ic->ic_bss) { 765 m1 = m; 766 m = NULL; 767 } 768 } else { 769 ic->ic_stats.is_rx_unauth++; 770 IEEE80211_NODE_STAT(sta, rx_unauth); 771 } 772 ieee80211_free_node(sta); 773 } 774 } 775 if (m1 != NULL) { 776 int len; 777 #ifdef ALTQ 778 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 779 altq_etherclassify(&ifp->if_snd, m1); 780 } 781 #endif 782 len = m1->m_pkthdr.len; 783 IFQ_ENQUEUE(&ifp->if_snd, m1, error); 784 if (error) { 785 ifp->if_oerrors++; 786 m = NULL; 787 } 788 ifp->if_obytes += len; 789 } 790 } 791 if (m != NULL) { 792 793 if (ni->ni_vlan != 0) 794 vlan_set_tag(m, ni->ni_vlan); 795 796 /* 797 * XXX once ieee80211_input (or rxintr itself) runs in softint 798 * we have to change here too to use if_input. 799 */ 800 KASSERT(ifp->if_percpuq); 801 if_percpuq_enqueue(ifp->if_percpuq, m); 802 } 803 return; 804 } 805 806 static struct mbuf * 807 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 808 { 809 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 810 struct ether_header *eh; 811 struct llc *llc; 812 813 if (m->m_len < hdrlen + sizeof(*llc) && 814 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 815 /* XXX stat, msg */ 816 return NULL; 817 } 818 memcpy(&wh, mtod(m, void *), hdrlen); 819 llc = (struct llc *)(mtod(m, char *) + hdrlen); 820 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 821 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 822 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 823 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 824 llc = NULL; 825 } else { 826 m_adj(m, hdrlen - sizeof(*eh)); 827 } 828 eh = mtod(m, struct ether_header *); 829 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 830 case IEEE80211_FC1_DIR_NODS: 831 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 832 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 833 break; 834 case IEEE80211_FC1_DIR_TODS: 835 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 836 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 837 break; 838 case IEEE80211_FC1_DIR_FROMDS: 839 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 840 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 841 break; 842 case IEEE80211_FC1_DIR_DSTODS: 843 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 844 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 845 break; 846 } 847 #ifdef ALIGNED_POINTER 848 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 849 struct mbuf *n, *n0, **np; 850 char *newdata; 851 int off, pktlen; 852 853 n0 = NULL; 854 np = &n0; 855 off = 0; 856 pktlen = m->m_pkthdr.len; 857 while (pktlen > off) { 858 if (n0 == NULL) { 859 MGETHDR(n, M_DONTWAIT, MT_DATA); 860 if (n == NULL) { 861 m_freem(m); 862 return NULL; 863 } 864 M_MOVE_PKTHDR(n, m); 865 n->m_len = MHLEN; 866 } else { 867 MGET(n, M_DONTWAIT, MT_DATA); 868 if (n == NULL) { 869 m_freem(m); 870 m_freem(n0); 871 return NULL; 872 } 873 n->m_len = MLEN; 874 } 875 if (pktlen - off >= MINCLSIZE) { 876 MCLGET(n, M_DONTWAIT); 877 if (n->m_flags & M_EXT) 878 n->m_len = n->m_ext.ext_size; 879 } 880 if (n0 == NULL) { 881 newdata = 882 (char *)ALIGN(n->m_data + sizeof(*eh)) - 883 sizeof(*eh); 884 n->m_len -= newdata - n->m_data; 885 n->m_data = newdata; 886 } 887 if (n->m_len > pktlen - off) 888 n->m_len = pktlen - off; 889 m_copydata(m, off, n->m_len, mtod(n, void *)); 890 off += n->m_len; 891 *np = n; 892 np = &n->m_next; 893 } 894 m_freem(m); 895 m = n0; 896 } 897 #endif /* ALIGNED_POINTER */ 898 if (llc != NULL) { 899 eh = mtod(m, struct ether_header *); 900 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 901 } 902 return m; 903 } 904 905 /* 906 * Install received rate set information in the node's state block. 907 */ 908 int 909 ieee80211_setup_rates(struct ieee80211_node *ni, 910 const u_int8_t *rates, const u_int8_t *xrates, int flags) 911 { 912 struct ieee80211com *ic = ni->ni_ic; 913 struct ieee80211_rateset *rs = &ni->ni_rates; 914 915 memset(rs, 0, sizeof(*rs)); 916 rs->rs_nrates = rates[1]; 917 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 918 if (xrates != NULL) { 919 u_int8_t nxrates; 920 /* 921 * Tack on 11g extended supported rate element. 922 */ 923 nxrates = xrates[1]; 924 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 925 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 926 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 927 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 928 "[%s] extended rate set too large;" 929 " only using %u of %u rates\n", 930 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 931 nxrates, xrates[1]); 932 ic->ic_stats.is_rx_rstoobig++; 933 } 934 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 935 rs->rs_nrates += nxrates; 936 } 937 return ieee80211_fix_rate(ni, flags); 938 } 939 940 static void 941 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 942 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 943 u_int16_t seq, u_int16_t status) 944 { 945 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 946 947 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 948 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 949 ni->ni_macaddr, "open auth", 950 "bad sta auth mode %u", ni->ni_authmode); 951 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 952 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 953 /* XXX hack to workaround calling convention */ 954 ieee80211_send_error(ic, ni, wh->i_addr2, 955 IEEE80211_FC0_SUBTYPE_AUTH, 956 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 957 } 958 return; 959 } 960 switch (ic->ic_opmode) { 961 case IEEE80211_M_IBSS: 962 case IEEE80211_M_AHDEMO: 963 case IEEE80211_M_MONITOR: 964 /* should not come here */ 965 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 966 ni->ni_macaddr, "open auth", 967 "bad operating mode %u", ic->ic_opmode); 968 break; 969 970 case IEEE80211_M_HOSTAP: 971 #ifndef IEEE80211_NO_HOSTAP 972 if (ic->ic_state != IEEE80211_S_RUN || 973 seq != IEEE80211_AUTH_OPEN_REQUEST) { 974 ic->ic_stats.is_rx_bad_auth++; 975 return; 976 } 977 /* always accept open authentication requests */ 978 if (ni == ic->ic_bss) { 979 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 980 if (ni == NULL) 981 return; 982 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 983 (void) ieee80211_ref_node(ni); 984 /* 985 * Mark the node as referenced to reflect that its 986 * reference count has been bumped to insure it remains 987 * after the transaction completes. 988 */ 989 ni->ni_flags |= IEEE80211_NODE_AREF; 990 991 IEEE80211_SEND_MGMT(ic, ni, 992 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 993 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 994 "[%s] station authenticated (open)\n", 995 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 996 /* 997 * When 802.1x is not in use mark the port 998 * authorized at this point so traffic can flow. 999 */ 1000 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 1001 ieee80211_node_authorize(ni); 1002 #endif /* !IEEE80211_NO_HOSTAP */ 1003 break; 1004 1005 case IEEE80211_M_STA: 1006 if (ic->ic_state != IEEE80211_S_AUTH || 1007 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1008 ic->ic_stats.is_rx_bad_auth++; 1009 return; 1010 } 1011 if (status != 0) { 1012 1013 IEEE80211_DPRINTF(ic, 1014 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1015 "[%s] open auth failed (reason %d)\n", 1016 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 1017 status); 1018 /* XXX can this happen? */ 1019 if (ni != ic->ic_bss) 1020 ni->ni_fails++; 1021 ic->ic_stats.is_rx_auth_fail++; 1022 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1023 } else 1024 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1025 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1026 break; 1027 } 1028 } 1029 1030 /* 1031 * Send a management frame error response to the specified 1032 * station. If ni is associated with the station then use 1033 * it; otherwise allocate a temporary node suitable for 1034 * transmitting the frame and then free the reference so 1035 * it will go away as soon as the frame has been transmitted. 1036 */ 1037 static void 1038 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1039 const u_int8_t *mac, int subtype, int arg) 1040 { 1041 int istmp; 1042 1043 if (ni == ic->ic_bss) { 1044 ni = ieee80211_tmp_node(ic, mac); 1045 if (ni == NULL) { 1046 /* XXX msg */ 1047 return; 1048 } 1049 istmp = 1; 1050 } else 1051 istmp = 0; 1052 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1053 if (istmp) 1054 ieee80211_free_node(ni); 1055 } 1056 1057 static int 1058 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1059 { 1060 if (ni->ni_challenge == NULL) 1061 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1062 M_DEVBUF, M_NOWAIT); 1063 if (ni->ni_challenge == NULL) { 1064 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1065 1066 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1067 "[%s] shared key challenge alloc failed\n", 1068 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1069 /* XXX statistic */ 1070 } 1071 return (ni->ni_challenge != NULL); 1072 } 1073 1074 /* XXX TODO: add statistics */ 1075 static void 1076 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1077 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1078 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1079 { 1080 u_int8_t *challenge; 1081 int estatus; 1082 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1083 1084 /* 1085 * NB: this can happen as we allow pre-shared key 1086 * authentication to be enabled w/o wep being turned 1087 * on so that configuration of these can be done 1088 * in any order. It may be better to enforce the 1089 * ordering in which case this check would just be 1090 * for sanity/consistency. 1091 */ 1092 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1093 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1094 ni->ni_macaddr, "shared key auth", 1095 "%s", " PRIVACY is disabled"); 1096 estatus = IEEE80211_STATUS_ALG; 1097 goto bad; 1098 } 1099 /* 1100 * Pre-shared key authentication is evil; accept 1101 * it only if explicitly configured (it is supported 1102 * mainly for compatibility with clients like OS X). 1103 */ 1104 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1105 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1106 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1107 ni->ni_macaddr, "shared key auth", 1108 "bad sta auth mode %u", ni->ni_authmode); 1109 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1110 estatus = IEEE80211_STATUS_ALG; 1111 goto bad; 1112 } 1113 1114 challenge = NULL; 1115 if (frm + 1 < efrm) { 1116 if ((frm[1] + 2) > (efrm - frm)) { 1117 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1118 ni->ni_macaddr, "shared key auth", 1119 "ie %d/%d too long", 1120 frm[0], (frm[1] + 2) - (efrm - frm)); 1121 ic->ic_stats.is_rx_bad_auth++; 1122 estatus = IEEE80211_STATUS_CHALLENGE; 1123 goto bad; 1124 } 1125 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1126 challenge = frm; 1127 frm += frm[1] + 2; 1128 } 1129 switch (seq) { 1130 case IEEE80211_AUTH_SHARED_CHALLENGE: 1131 case IEEE80211_AUTH_SHARED_RESPONSE: 1132 if (challenge == NULL) { 1133 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1134 ni->ni_macaddr, "shared key auth", 1135 "%s", "no challenge"); 1136 ic->ic_stats.is_rx_bad_auth++; 1137 estatus = IEEE80211_STATUS_CHALLENGE; 1138 goto bad; 1139 } 1140 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1141 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1142 ni->ni_macaddr, "shared key auth", 1143 "bad challenge len %d", challenge[1]); 1144 ic->ic_stats.is_rx_bad_auth++; 1145 estatus = IEEE80211_STATUS_CHALLENGE; 1146 goto bad; 1147 } 1148 default: 1149 break; 1150 } 1151 switch (ic->ic_opmode) { 1152 case IEEE80211_M_MONITOR: 1153 case IEEE80211_M_AHDEMO: 1154 case IEEE80211_M_IBSS: 1155 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1156 ni->ni_macaddr, "shared key auth", 1157 "bad operating mode %u", ic->ic_opmode); 1158 return; 1159 case IEEE80211_M_HOSTAP: 1160 #ifndef IEEE80211_NO_HOSTAP 1161 { 1162 int allocbs; 1163 if (ic->ic_state != IEEE80211_S_RUN) { 1164 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1165 ni->ni_macaddr, "shared key auth", 1166 "bad state %u", ic->ic_state); 1167 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1168 goto bad; 1169 } 1170 switch (seq) { 1171 case IEEE80211_AUTH_SHARED_REQUEST: 1172 if (ni == ic->ic_bss) { 1173 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1174 if (ni == NULL) { 1175 /* NB: no way to return an error */ 1176 return; 1177 } 1178 allocbs = 1; 1179 } else { 1180 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1181 (void) ieee80211_ref_node(ni); 1182 allocbs = 0; 1183 } 1184 __USE(allocbs); 1185 /* 1186 * Mark the node as referenced to reflect that its 1187 * reference count has been bumped to insure it remains 1188 * after the transaction completes. 1189 */ 1190 ni->ni_flags |= IEEE80211_NODE_AREF; 1191 ni->ni_rssi = rssi; 1192 ni->ni_rstamp = rstamp; 1193 if (!alloc_challenge(ic, ni)) { 1194 /* NB: don't return error so they rexmit */ 1195 return; 1196 } 1197 get_random_bytes(ni->ni_challenge, 1198 IEEE80211_CHALLENGE_LEN); 1199 IEEE80211_DPRINTF(ic, 1200 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1201 "[%s] shared key %sauth request\n", 1202 ether_snprintf(ebuf, sizeof(ebuf), 1203 ni->ni_macaddr), 1204 allocbs ? "" : "re"); 1205 break; 1206 case IEEE80211_AUTH_SHARED_RESPONSE: 1207 if (ni == ic->ic_bss) { 1208 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1209 ni->ni_macaddr, "shared key response", 1210 "%s", "unknown station"); 1211 /* NB: don't send a response */ 1212 return; 1213 } 1214 if (ni->ni_challenge == NULL) { 1215 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1216 ni->ni_macaddr, "shared key response", 1217 "%s", "no challenge recorded"); 1218 ic->ic_stats.is_rx_bad_auth++; 1219 estatus = IEEE80211_STATUS_CHALLENGE; 1220 goto bad; 1221 } 1222 if (memcmp(ni->ni_challenge, &challenge[2], 1223 challenge[1]) != 0) { 1224 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1225 ni->ni_macaddr, "shared key response", 1226 "%s", "challenge mismatch"); 1227 ic->ic_stats.is_rx_auth_fail++; 1228 estatus = IEEE80211_STATUS_CHALLENGE; 1229 goto bad; 1230 } 1231 IEEE80211_DPRINTF(ic, 1232 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1233 "[%s] station authenticated (shared key)\n", 1234 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1235 ieee80211_node_authorize(ni); 1236 break; 1237 default: 1238 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1239 ni->ni_macaddr, "shared key auth", 1240 "bad seq %d", seq); 1241 ic->ic_stats.is_rx_bad_auth++; 1242 estatus = IEEE80211_STATUS_SEQUENCE; 1243 goto bad; 1244 } 1245 IEEE80211_SEND_MGMT(ic, ni, 1246 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1247 } 1248 #endif /* !IEEE80211_NO_HOSTAP */ 1249 break; 1250 1251 case IEEE80211_M_STA: 1252 if (ic->ic_state != IEEE80211_S_AUTH) 1253 return; 1254 switch (seq) { 1255 case IEEE80211_AUTH_SHARED_PASS: 1256 if (ni->ni_challenge != NULL) { 1257 free(ni->ni_challenge, M_DEVBUF); 1258 ni->ni_challenge = NULL; 1259 } 1260 if (status != 0) { 1261 IEEE80211_DPRINTF(ic, 1262 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1263 "[%s] shared key auth failed (reason %d)\n", 1264 ether_snprintf(ebuf, sizeof(ebuf), 1265 ieee80211_getbssid(ic, wh)), 1266 status); 1267 /* XXX can this happen? */ 1268 if (ni != ic->ic_bss) 1269 ni->ni_fails++; 1270 ic->ic_stats.is_rx_auth_fail++; 1271 return; 1272 } 1273 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1274 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1275 break; 1276 case IEEE80211_AUTH_SHARED_CHALLENGE: 1277 if (!alloc_challenge(ic, ni)) 1278 return; 1279 /* XXX could optimize by passing recvd challenge */ 1280 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1281 IEEE80211_SEND_MGMT(ic, ni, 1282 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1283 break; 1284 default: 1285 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1286 wh, "shared key auth", "bad seq %d", seq); 1287 ic->ic_stats.is_rx_bad_auth++; 1288 return; 1289 } 1290 break; 1291 } 1292 return; 1293 bad: 1294 #ifndef IEEE80211_NO_HOSTAP 1295 /* 1296 * Send an error response; but only when operating as an AP. 1297 */ 1298 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1299 /* XXX hack to workaround calling convention */ 1300 ieee80211_send_error(ic, ni, wh->i_addr2, 1301 IEEE80211_FC0_SUBTYPE_AUTH, 1302 (seq + 1) | (estatus<<16)); 1303 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1304 /* 1305 * Kick the state machine. This short-circuits 1306 * using the mgt frame timeout to trigger the 1307 * state transition. 1308 */ 1309 if (ic->ic_state == IEEE80211_S_AUTH) 1310 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1311 } 1312 #else 1313 ; 1314 #endif /* !IEEE80211_NO_HOSTAP */ 1315 } 1316 1317 /* Verify the existence and length of __elem or get out. */ 1318 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1319 if ((__elem) == NULL) { \ 1320 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1321 wh, ieee80211_mgt_subtype_name[subtype >> \ 1322 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1323 "%s", "no " #__elem ); \ 1324 ic->ic_stats.is_rx_elem_missing++; \ 1325 return; \ 1326 } \ 1327 if ((__elem)[1] > (__maxlen)) { \ 1328 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1329 wh, ieee80211_mgt_subtype_name[subtype >> \ 1330 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1331 "bad " #__elem " len %d", (__elem)[1]); \ 1332 ic->ic_stats.is_rx_elem_toobig++; \ 1333 return; \ 1334 } \ 1335 } while (0) 1336 1337 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1338 if ((_len) < (_minlen)) { \ 1339 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1340 wh, ieee80211_mgt_subtype_name[subtype >> \ 1341 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1342 "%s", "ie too short"); \ 1343 ic->ic_stats.is_rx_elem_toosmall++; \ 1344 return; \ 1345 } \ 1346 } while (0) 1347 1348 #ifdef IEEE80211_DEBUG 1349 static void 1350 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1351 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1352 { 1353 char ebuf[3 * ETHER_ADDR_LEN]; 1354 1355 printf("[%s] discard %s frame, ssid mismatch: ", 1356 ether_snprintf(ebuf, sizeof(ebuf), mac), tag); 1357 ieee80211_print_essid(ssid + 2, ssid[1]); 1358 printf("\n"); 1359 } 1360 1361 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1362 if ((_ssid)[1] != 0 && \ 1363 ((_ssid)[1] != (_ni)->ni_esslen || \ 1364 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1365 if (ieee80211_msg_input(ic)) \ 1366 ieee80211_ssid_mismatch(ic, \ 1367 ieee80211_mgt_subtype_name[subtype >> \ 1368 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1369 wh->i_addr2, _ssid); \ 1370 ic->ic_stats.is_rx_ssidmismatch++; \ 1371 return; \ 1372 } \ 1373 } while (0) 1374 #else /* !IEEE80211_DEBUG */ 1375 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1376 if ((_ssid)[1] != 0 && \ 1377 ((_ssid)[1] != (_ni)->ni_esslen || \ 1378 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1379 ic->ic_stats.is_rx_ssidmismatch++; \ 1380 return; \ 1381 } \ 1382 } while (0) 1383 #endif /* !IEEE80211_DEBUG */ 1384 1385 /* unaligned little endian access */ 1386 #define LE_READ_2(p) \ 1387 ((u_int16_t) \ 1388 ((((const u_int8_t *)(p))[0] ) | \ 1389 (((const u_int8_t *)(p))[1] << 8))) 1390 #define LE_READ_4(p) \ 1391 ((u_int32_t) \ 1392 ((((const u_int8_t *)(p))[0] ) | \ 1393 (((const u_int8_t *)(p))[1] << 8) | \ 1394 (((const u_int8_t *)(p))[2] << 16) | \ 1395 (((const u_int8_t *)(p))[3] << 24))) 1396 1397 static __inline int 1398 iswpaoui(const u_int8_t *frm) 1399 { 1400 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1401 } 1402 1403 static __inline int 1404 iswmeoui(const u_int8_t *frm) 1405 { 1406 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1407 } 1408 1409 static __inline int 1410 iswmeparam(const u_int8_t *frm) 1411 { 1412 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1413 frm[6] == WME_PARAM_OUI_SUBTYPE; 1414 } 1415 1416 static __inline int 1417 iswmeinfo(const u_int8_t *frm) 1418 { 1419 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1420 frm[6] == WME_INFO_OUI_SUBTYPE; 1421 } 1422 1423 /* 1424 * Convert a WPA cipher selector OUI to an internal 1425 * cipher algorithm. Where appropriate we also 1426 * record any key length. 1427 */ 1428 static int 1429 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1430 { 1431 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1432 u_int32_t w = LE_READ_4(sel); 1433 1434 switch (w) { 1435 case WPA_SEL(WPA_CSE_NULL): 1436 return IEEE80211_CIPHER_NONE; 1437 case WPA_SEL(WPA_CSE_WEP40): 1438 if (keylen) 1439 *keylen = 40 / NBBY; 1440 return IEEE80211_CIPHER_WEP; 1441 case WPA_SEL(WPA_CSE_WEP104): 1442 if (keylen) 1443 *keylen = 104 / NBBY; 1444 return IEEE80211_CIPHER_WEP; 1445 case WPA_SEL(WPA_CSE_TKIP): 1446 return IEEE80211_CIPHER_TKIP; 1447 case WPA_SEL(WPA_CSE_CCMP): 1448 return IEEE80211_CIPHER_AES_CCM; 1449 } 1450 return 32; /* NB: so 1<< is discarded */ 1451 #undef WPA_SEL 1452 } 1453 1454 /* 1455 * Convert a WPA key management/authentication algorithm 1456 * to an internal code. 1457 */ 1458 static int 1459 wpa_keymgmt(u_int8_t *sel) 1460 { 1461 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1462 u_int32_t w = LE_READ_4(sel); 1463 1464 switch (w) { 1465 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1466 return WPA_ASE_8021X_UNSPEC; 1467 case WPA_SEL(WPA_ASE_8021X_PSK): 1468 return WPA_ASE_8021X_PSK; 1469 case WPA_SEL(WPA_ASE_NONE): 1470 return WPA_ASE_NONE; 1471 } 1472 return 0; /* NB: so is discarded */ 1473 #undef WPA_SEL 1474 } 1475 1476 /* 1477 * Parse a WPA information element to collect parameters 1478 * and validate the parameters against what has been 1479 * configured for the system. 1480 */ 1481 static int 1482 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1483 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1484 { 1485 u_int8_t len = frm[1]; 1486 u_int32_t w; 1487 int n; 1488 1489 /* 1490 * Check the length once for fixed parts: OUI, type, 1491 * version, mcast cipher, and 2 selector counts. 1492 * Other, variable-length data, must be checked separately. 1493 */ 1494 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1495 IEEE80211_DISCARD_IE(ic, 1496 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1497 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1498 return IEEE80211_REASON_IE_INVALID; 1499 } 1500 if (len < 14) { 1501 IEEE80211_DISCARD_IE(ic, 1502 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1503 wh, "WPA", "too short, len %u", len); 1504 return IEEE80211_REASON_IE_INVALID; 1505 } 1506 frm += 6, len -= 4; /* NB: len is payload only */ 1507 /* NB: iswapoui already validated the OUI and type */ 1508 w = LE_READ_2(frm); 1509 if (w != WPA_VERSION) { 1510 IEEE80211_DISCARD_IE(ic, 1511 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1512 wh, "WPA", "bad version %u", w); 1513 return IEEE80211_REASON_IE_INVALID; 1514 } 1515 frm += 2, len -= 2; 1516 1517 /* multicast/group cipher */ 1518 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1519 if (w != rsn->rsn_mcastcipher) { 1520 IEEE80211_DISCARD_IE(ic, 1521 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1522 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1523 w, rsn->rsn_mcastcipher); 1524 return IEEE80211_REASON_IE_INVALID; 1525 } 1526 frm += 4, len -= 4; 1527 1528 /* unicast ciphers */ 1529 n = LE_READ_2(frm); 1530 frm += 2, len -= 2; 1531 if (len < n*4+2) { 1532 IEEE80211_DISCARD_IE(ic, 1533 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1534 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1535 len, n); 1536 return IEEE80211_REASON_IE_INVALID; 1537 } 1538 w = 0; 1539 for (; n > 0; n--) { 1540 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1541 frm += 4, len -= 4; 1542 } 1543 w &= rsn->rsn_ucastcipherset; 1544 if (w == 0) { 1545 IEEE80211_DISCARD_IE(ic, 1546 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1547 wh, "WPA", "%s", "ucast cipher set empty"); 1548 return IEEE80211_REASON_IE_INVALID; 1549 } 1550 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1551 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1552 else 1553 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1554 1555 /* key management algorithms */ 1556 n = LE_READ_2(frm); 1557 frm += 2, len -= 2; 1558 if (len < n*4) { 1559 IEEE80211_DISCARD_IE(ic, 1560 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1561 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1562 len, n); 1563 return IEEE80211_REASON_IE_INVALID; 1564 } 1565 w = 0; 1566 for (; n > 0; n--) { 1567 w |= wpa_keymgmt(frm); 1568 frm += 4, len -= 4; 1569 } 1570 w &= rsn->rsn_keymgmtset; 1571 if (w == 0) { 1572 IEEE80211_DISCARD_IE(ic, 1573 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1574 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1575 return IEEE80211_REASON_IE_INVALID; 1576 } 1577 if (w & WPA_ASE_8021X_UNSPEC) 1578 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1579 else 1580 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1581 1582 if (len > 2) /* optional capabilities */ 1583 rsn->rsn_caps = LE_READ_2(frm); 1584 1585 return 0; 1586 } 1587 1588 /* 1589 * Convert an RSN cipher selector OUI to an internal 1590 * cipher algorithm. Where appropriate we also 1591 * record any key length. 1592 */ 1593 static int 1594 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1595 { 1596 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1597 u_int32_t w = LE_READ_4(sel); 1598 1599 switch (w) { 1600 case RSN_SEL(RSN_CSE_NULL): 1601 return IEEE80211_CIPHER_NONE; 1602 case RSN_SEL(RSN_CSE_WEP40): 1603 if (keylen) 1604 *keylen = 40 / NBBY; 1605 return IEEE80211_CIPHER_WEP; 1606 case RSN_SEL(RSN_CSE_WEP104): 1607 if (keylen) 1608 *keylen = 104 / NBBY; 1609 return IEEE80211_CIPHER_WEP; 1610 case RSN_SEL(RSN_CSE_TKIP): 1611 return IEEE80211_CIPHER_TKIP; 1612 case RSN_SEL(RSN_CSE_CCMP): 1613 return IEEE80211_CIPHER_AES_CCM; 1614 case RSN_SEL(RSN_CSE_WRAP): 1615 return IEEE80211_CIPHER_AES_OCB; 1616 } 1617 return 32; /* NB: so 1<< is discarded */ 1618 #undef WPA_SEL 1619 } 1620 1621 /* 1622 * Convert an RSN key management/authentication algorithm 1623 * to an internal code. 1624 */ 1625 static int 1626 rsn_keymgmt(u_int8_t *sel) 1627 { 1628 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1629 u_int32_t w = LE_READ_4(sel); 1630 1631 switch (w) { 1632 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1633 return RSN_ASE_8021X_UNSPEC; 1634 case RSN_SEL(RSN_ASE_8021X_PSK): 1635 return RSN_ASE_8021X_PSK; 1636 case RSN_SEL(RSN_ASE_NONE): 1637 return RSN_ASE_NONE; 1638 } 1639 return 0; /* NB: so is discarded */ 1640 #undef RSN_SEL 1641 } 1642 1643 /* 1644 * Parse a WPA/RSN information element to collect parameters 1645 * and validate the parameters against what has been 1646 * configured for the system. 1647 */ 1648 static int 1649 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1650 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1651 { 1652 u_int8_t len = frm[1]; 1653 u_int32_t w; 1654 int n; 1655 1656 /* 1657 * Check the length once for fixed parts: 1658 * version, mcast cipher, and 2 selector counts. 1659 * Other, variable-length data, must be checked separately. 1660 */ 1661 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1662 IEEE80211_DISCARD_IE(ic, 1663 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1664 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1665 return IEEE80211_REASON_IE_INVALID; 1666 } 1667 if (len < 10) { 1668 IEEE80211_DISCARD_IE(ic, 1669 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1670 wh, "RSN", "too short, len %u", len); 1671 return IEEE80211_REASON_IE_INVALID; 1672 } 1673 frm += 2; 1674 w = LE_READ_2(frm); 1675 if (w != RSN_VERSION) { 1676 IEEE80211_DISCARD_IE(ic, 1677 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1678 wh, "RSN", "bad version %u", w); 1679 return IEEE80211_REASON_IE_INVALID; 1680 } 1681 frm += 2, len -= 2; 1682 1683 /* multicast/group cipher */ 1684 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1685 if (w != rsn->rsn_mcastcipher) { 1686 IEEE80211_DISCARD_IE(ic, 1687 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1688 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1689 w, rsn->rsn_mcastcipher); 1690 return IEEE80211_REASON_IE_INVALID; 1691 } 1692 frm += 4, len -= 4; 1693 1694 /* unicast ciphers */ 1695 n = LE_READ_2(frm); 1696 frm += 2, len -= 2; 1697 if (len < n*4+2) { 1698 IEEE80211_DISCARD_IE(ic, 1699 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1700 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1701 len, n); 1702 return IEEE80211_REASON_IE_INVALID; 1703 } 1704 w = 0; 1705 for (; n > 0; n--) { 1706 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1707 frm += 4, len -= 4; 1708 } 1709 w &= rsn->rsn_ucastcipherset; 1710 if (w == 0) { 1711 IEEE80211_DISCARD_IE(ic, 1712 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1713 wh, "RSN", "%s", "ucast cipher set empty"); 1714 return IEEE80211_REASON_IE_INVALID; 1715 } 1716 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1717 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1718 else 1719 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1720 1721 /* key management algorithms */ 1722 n = LE_READ_2(frm); 1723 frm += 2, len -= 2; 1724 if (len < n*4) { 1725 IEEE80211_DISCARD_IE(ic, 1726 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1727 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1728 len, n); 1729 return IEEE80211_REASON_IE_INVALID; 1730 } 1731 w = 0; 1732 for (; n > 0; n--) { 1733 w |= rsn_keymgmt(frm); 1734 frm += 4, len -= 4; 1735 } 1736 w &= rsn->rsn_keymgmtset; 1737 if (w == 0) { 1738 IEEE80211_DISCARD_IE(ic, 1739 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1740 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1741 return IEEE80211_REASON_IE_INVALID; 1742 } 1743 if (w & RSN_ASE_8021X_UNSPEC) 1744 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1745 else 1746 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1747 1748 /* optional RSN capabilities */ 1749 if (len > 2) 1750 rsn->rsn_caps = LE_READ_2(frm); 1751 /* XXXPMKID */ 1752 1753 return 0; 1754 } 1755 1756 static int 1757 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1758 const struct ieee80211_frame *wh) 1759 { 1760 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1761 struct ieee80211_wme_state *wme = &ic->ic_wme; 1762 u_int len = frm[1], qosinfo; 1763 int i; 1764 1765 if (len < sizeof(struct ieee80211_wme_param)-2) { 1766 IEEE80211_DISCARD_IE(ic, 1767 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1768 wh, "WME", "too short, len %u", len); 1769 return -1; 1770 } 1771 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1772 qosinfo &= WME_QOSINFO_COUNT; 1773 /* XXX do proper check for wraparound */ 1774 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1775 return 0; 1776 frm += offsetof(struct ieee80211_wme_param, params_acParams); 1777 for (i = 0; i < WME_NUM_AC; i++) { 1778 struct wmeParams *wmep = 1779 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1780 /* NB: ACI not used */ 1781 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1782 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1783 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1784 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1785 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1786 frm += 4; 1787 } 1788 wme->wme_wmeChanParams.cap_info = qosinfo; 1789 return 1; 1790 #undef MS 1791 } 1792 1793 void 1794 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1795 { 1796 u_int ielen = ie[1]+2; 1797 /* 1798 * Record information element for later use. 1799 */ 1800 if (*iep == NULL || (*iep)[1] != ie[1]) { 1801 if (*iep != NULL) 1802 free(*iep, M_DEVBUF); 1803 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1804 } 1805 if (*iep != NULL) 1806 memcpy(*iep, ie, ielen); 1807 /* XXX note failure */ 1808 } 1809 1810 static void 1811 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1812 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1813 u_int32_t rstamp) 1814 { 1815 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1816 /* 1817 * Create a new entry in the neighbor table. 1818 * Records the TSF. 1819 */ 1820 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1821 return; 1822 } else if (ni->ni_capinfo == 0) { 1823 /* 1824 * Initialize a node that was "faked up." Records 1825 * the TSF. 1826 * 1827 * No need to check for a change of BSSID: ni could 1828 * not have been the IBSS (ic_bss) 1829 */ 1830 ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1831 } else { 1832 /* Record TSF for potential resync. */ 1833 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp)); 1834 } 1835 1836 ni->ni_rssi = rssi; 1837 ni->ni_rstamp = rstamp; 1838 1839 /* Mark a neighbor's change of BSSID. */ 1840 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 1841 return; 1842 1843 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1844 1845 if (ni != ic->ic_bss) 1846 return; 1847 else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 1848 /* 1849 * Now, ni does not represent a network we 1850 * want to belong to, so start a scan. 1851 */ 1852 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1853 return; 1854 } else { 1855 /* 1856 * A RUN->RUN transition lets the driver 1857 * reprogram its BSSID filter. 1858 * 1859 * No need to SCAN, we already belong to 1860 * an IBSS that meets our criteria: channel, 1861 * SSID, etc. It could be harmful to scan, 1862 * too: if a scan does not detect nodes 1863 * belonging to my current IBSS, then we 1864 * will create a new IBSS at the end of 1865 * the scan, needlessly splitting the 1866 * network. 1867 */ 1868 ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 1869 } 1870 } 1871 1872 void 1873 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1874 struct ieee80211_node *ni, 1875 int subtype, int rssi, u_int32_t rstamp) 1876 { 1877 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1878 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1879 struct ieee80211_frame *wh; 1880 u_int8_t *frm, *efrm; 1881 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1882 int reassoc, resp, allocbs; 1883 u_int8_t rate; 1884 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1885 1886 wh = mtod(m0, struct ieee80211_frame *); 1887 frm = (u_int8_t *)&wh[1]; 1888 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1889 switch (subtype) { 1890 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1891 case IEEE80211_FC0_SUBTYPE_BEACON: { 1892 struct ieee80211_scanparams scan; 1893 1894 /* 1895 * We process beacon/probe response frames: 1896 * o when scanning, or 1897 * o station mode when associated (to collect state 1898 * updates such as 802.11g slot time), or 1899 * o adhoc mode (to discover neighbors) 1900 * Frames otherwise received are discarded. 1901 */ 1902 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1903 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1904 ic->ic_opmode == IEEE80211_M_IBSS)) { 1905 ic->ic_stats.is_rx_mgtdiscard++; 1906 return; 1907 } 1908 /* 1909 * beacon/probe response frame format 1910 * [8] time stamp 1911 * [2] beacon interval 1912 * [2] capability information 1913 * [tlv] ssid 1914 * [tlv] supported rates 1915 * [tlv] country information 1916 * [tlv] parameter set (FH/DS) 1917 * [tlv] erp information 1918 * [tlv] extended supported rates 1919 * [tlv] WME 1920 * [tlv] WPA or RSN 1921 */ 1922 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1923 memset(&scan, 0, sizeof(scan)); 1924 scan.tstamp = frm; frm += 8; 1925 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1926 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1927 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1928 scan.chan = scan.bchan; 1929 1930 while (frm < efrm) { 1931 switch (*frm) { 1932 case IEEE80211_ELEMID_SSID: 1933 scan.ssid = frm; 1934 break; 1935 case IEEE80211_ELEMID_RATES: 1936 scan.rates = frm; 1937 break; 1938 case IEEE80211_ELEMID_COUNTRY: 1939 scan.country = frm; 1940 break; 1941 case IEEE80211_ELEMID_FHPARMS: 1942 if (ic->ic_phytype == IEEE80211_T_FH) { 1943 scan.fhdwell = LE_READ_2(&frm[2]); 1944 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1945 scan.fhindex = frm[6]; 1946 } 1947 break; 1948 case IEEE80211_ELEMID_DSPARMS: 1949 /* 1950 * XXX hack this since depending on phytype 1951 * is problematic for multi-mode devices. 1952 */ 1953 if (ic->ic_phytype != IEEE80211_T_FH) 1954 scan.chan = frm[2]; 1955 break; 1956 case IEEE80211_ELEMID_TIM: 1957 /* XXX ATIM? */ 1958 scan.tim = frm; 1959 scan.timoff = frm - mtod(m0, u_int8_t *); 1960 break; 1961 case IEEE80211_ELEMID_IBSSPARMS: 1962 break; 1963 case IEEE80211_ELEMID_XRATES: 1964 scan.xrates = frm; 1965 break; 1966 case IEEE80211_ELEMID_ERP: 1967 if (frm[1] != 1) { 1968 IEEE80211_DISCARD_IE(ic, 1969 IEEE80211_MSG_ELEMID, wh, "ERP", 1970 "bad len %u", frm[1]); 1971 ic->ic_stats.is_rx_elem_toobig++; 1972 break; 1973 } 1974 scan.erp = frm[2]; 1975 break; 1976 case IEEE80211_ELEMID_RSN: 1977 scan.wpa = frm; 1978 break; 1979 case IEEE80211_ELEMID_VENDOR: 1980 if (iswpaoui(frm)) 1981 scan.wpa = frm; 1982 else if (iswmeparam(frm) || iswmeinfo(frm)) 1983 scan.wme = frm; 1984 /* XXX Atheros OUI support */ 1985 break; 1986 default: 1987 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1988 wh, "unhandled", 1989 "id %u, len %u", *frm, frm[1]); 1990 ic->ic_stats.is_rx_elem_unknown++; 1991 break; 1992 } 1993 frm += frm[1] + 2; 1994 } 1995 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1996 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1997 if ( 1998 #if IEEE80211_CHAN_MAX < 255 1999 scan.chan > IEEE80211_CHAN_MAX || 2000 #endif 2001 isclr(ic->ic_chan_active, scan.chan)) { 2002 IEEE80211_DISCARD(ic, 2003 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2004 wh, ieee80211_mgt_subtype_name[subtype >> 2005 IEEE80211_FC0_SUBTYPE_SHIFT], 2006 "invalid channel %u", scan.chan); 2007 ic->ic_stats.is_rx_badchan++; 2008 return; 2009 } 2010 if (scan.chan != scan.bchan && 2011 ic->ic_phytype != IEEE80211_T_FH) { 2012 /* 2013 * Frame was received on a channel different from the 2014 * one indicated in the DS params element id; 2015 * silently discard it. 2016 * 2017 * NB: this can happen due to signal leakage. 2018 * But we should take it for FH phy because 2019 * the rssi value should be correct even for 2020 * different hop pattern in FH. 2021 */ 2022 IEEE80211_DISCARD(ic, 2023 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2024 wh, ieee80211_mgt_subtype_name[subtype >> 2025 IEEE80211_FC0_SUBTYPE_SHIFT], 2026 "for off-channel %u", scan.chan); 2027 ic->ic_stats.is_rx_chanmismatch++; 2028 return; 2029 } 2030 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 2031 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 2032 IEEE80211_DISCARD(ic, 2033 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2034 wh, ieee80211_mgt_subtype_name[subtype >> 2035 IEEE80211_FC0_SUBTYPE_SHIFT], 2036 "bogus beacon interval", scan.bintval); 2037 ic->ic_stats.is_rx_badbintval++; 2038 return; 2039 } 2040 2041 if (ni != ic->ic_bss) { 2042 ni = ieee80211_refine_node_for_beacon(ic, ni, 2043 &ic->ic_channels[scan.chan], scan.ssid); 2044 } 2045 /* 2046 * Count frame now that we know it's to be processed. 2047 */ 2048 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2049 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2050 IEEE80211_NODE_STAT(ni, rx_beacons); 2051 } else 2052 IEEE80211_NODE_STAT(ni, rx_proberesp); 2053 2054 /* 2055 * When operating in station mode, check for state updates. 2056 * Be careful to ignore beacons received while doing a 2057 * background scan. We consider only 11g/WMM stuff right now. 2058 */ 2059 if (ic->ic_opmode == IEEE80211_M_STA && 2060 ni->ni_associd != 0 && 2061 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2062 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2063 /* record tsf of last beacon */ 2064 memcpy(ni->ni_tstamp.data, scan.tstamp, 2065 sizeof(ni->ni_tstamp)); 2066 if (ni->ni_erp != scan.erp) { 2067 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2068 "[%s] erp change: was 0x%x, now 0x%x\n", 2069 ether_snprintf(ebuf, sizeof(ebuf), 2070 wh->i_addr2), ni->ni_erp, scan.erp); 2071 if (ic->ic_curmode == IEEE80211_MODE_11G && 2072 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2073 ic->ic_flags |= IEEE80211_F_USEPROT; 2074 else 2075 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2076 ni->ni_erp = scan.erp; 2077 /* XXX statistic */ 2078 } 2079 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2080 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2081 "[%s] capabilities change: before 0x%x," 2082 " now 0x%x\n", 2083 ether_snprintf(ebuf, sizeof(ebuf), 2084 wh->i_addr2), 2085 ni->ni_capinfo, scan.capinfo); 2086 /* 2087 * NB: we assume short preamble doesn't 2088 * change dynamically 2089 */ 2090 ieee80211_set_shortslottime(ic, 2091 ic->ic_curmode == IEEE80211_MODE_11A || 2092 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2093 ni->ni_capinfo = scan.capinfo; 2094 /* XXX statistic */ 2095 } 2096 if (scan.wme != NULL && 2097 (ni->ni_flags & IEEE80211_NODE_QOS) && 2098 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2099 ieee80211_wme_updateparams(ic); 2100 if (scan.tim != NULL) { 2101 struct ieee80211_tim_ie *ie = 2102 (struct ieee80211_tim_ie *) scan.tim; 2103 2104 ni->ni_dtim_count = ie->tim_count; 2105 ni->ni_dtim_period = ie->tim_period; 2106 } 2107 if (ic->ic_flags & IEEE80211_F_SCAN) 2108 ieee80211_add_scan(ic, &scan, wh, 2109 subtype, rssi, rstamp); 2110 ic->ic_bmiss_count = 0; 2111 return; 2112 } 2113 /* 2114 * If scanning, just pass information to the scan module. 2115 */ 2116 if (ic->ic_flags & IEEE80211_F_SCAN) { 2117 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2118 /* 2119 * Actively scanning a channel marked passive; 2120 * send a probe request now that we know there 2121 * is 802.11 traffic present. 2122 * 2123 * XXX check if the beacon we recv'd gives 2124 * us what we need and suppress the probe req 2125 */ 2126 ieee80211_probe_curchan(ic, 1); 2127 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2128 } 2129 ieee80211_add_scan(ic, &scan, wh, 2130 subtype, rssi, rstamp); 2131 return; 2132 } 2133 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) 2134 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, 2135 rstamp); 2136 break; 2137 } 2138 2139 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2140 if (ic->ic_opmode == IEEE80211_M_STA || 2141 ic->ic_state != IEEE80211_S_RUN) { 2142 ic->ic_stats.is_rx_mgtdiscard++; 2143 return; 2144 } 2145 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2146 /* frame must be directed */ 2147 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2148 return; 2149 } 2150 2151 /* 2152 * prreq frame format 2153 * [tlv] ssid 2154 * [tlv] supported rates 2155 * [tlv] extended supported rates 2156 */ 2157 ssid = rates = xrates = NULL; 2158 while (frm < efrm) { 2159 switch (*frm) { 2160 case IEEE80211_ELEMID_SSID: 2161 ssid = frm; 2162 break; 2163 case IEEE80211_ELEMID_RATES: 2164 rates = frm; 2165 break; 2166 case IEEE80211_ELEMID_XRATES: 2167 xrates = frm; 2168 break; 2169 } 2170 frm += frm[1] + 2; 2171 } 2172 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2173 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2174 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2175 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2176 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2177 wh, ieee80211_mgt_subtype_name[subtype >> 2178 IEEE80211_FC0_SUBTYPE_SHIFT], 2179 "%s", "no ssid with ssid suppression enabled"); 2180 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2181 return; 2182 } 2183 2184 if (ni == ic->ic_bss) { 2185 if (ic->ic_opmode != IEEE80211_M_IBSS) 2186 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2187 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) 2188 ; 2189 else { 2190 /* 2191 * XXX Cannot tell if the sender is operating 2192 * in ibss mode. But we need a new node to 2193 * send the response so blindly add them to the 2194 * neighbor table. 2195 */ 2196 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2197 wh->i_addr2); 2198 } 2199 if (ni == NULL) 2200 return; 2201 allocbs = 1; 2202 } else 2203 allocbs = 0; 2204 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2205 "[%s] recv probe req\n", ether_snprintf( 2206 ebuf, sizeof(ebuf), wh->i_addr2)); 2207 ni->ni_rssi = rssi; 2208 ni->ni_rstamp = rstamp; 2209 rate = ieee80211_setup_rates(ni, rates, xrates, 2210 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE 2211 | IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2212 if (rate & IEEE80211_RATE_BASIC) { 2213 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2214 wh, ieee80211_mgt_subtype_name[subtype >> 2215 IEEE80211_FC0_SUBTYPE_SHIFT], 2216 "%s", "recv'd rate set invalid"); 2217 } else { 2218 IEEE80211_SEND_MGMT(ic, ni, 2219 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2220 } 2221 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2222 /* reclaim immediately */ 2223 ieee80211_free_node(ni); 2224 } 2225 break; 2226 2227 case IEEE80211_FC0_SUBTYPE_AUTH: { 2228 u_int16_t algo, seq, status; 2229 /* 2230 * auth frame format 2231 * [2] algorithm 2232 * [2] sequence 2233 * [2] status 2234 * [tlv*] challenge 2235 */ 2236 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2237 algo = le16toh(*(u_int16_t *)frm); 2238 seq = le16toh(*(u_int16_t *)(frm + 2)); 2239 status = le16toh(*(u_int16_t *)(frm + 4)); 2240 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2241 "[%s] recv auth frame with algorithm %d seq %d\n", 2242 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq); 2243 /* 2244 * Consult the ACL policy module if setup. 2245 */ 2246 if (ic->ic_acl != NULL && 2247 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2248 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2249 wh, "auth", "%s", "disallowed by ACL"); 2250 ic->ic_stats.is_rx_acl++; 2251 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2252 IEEE80211_SEND_MGMT(ic, ni, 2253 IEEE80211_FC0_SUBTYPE_AUTH, 2254 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2255 } 2256 return; 2257 } 2258 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2259 IEEE80211_DISCARD(ic, 2260 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2261 wh, "auth", "%s", "TKIP countermeasures enabled"); 2262 ic->ic_stats.is_rx_auth_countermeasures++; 2263 #ifndef IEEE80211_NO_HOSTAP 2264 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2265 IEEE80211_SEND_MGMT(ic, ni, 2266 IEEE80211_FC0_SUBTYPE_AUTH, 2267 IEEE80211_REASON_MIC_FAILURE); 2268 } 2269 #endif /* !IEEE80211_NO_HOSTAP */ 2270 return; 2271 } 2272 if (algo == IEEE80211_AUTH_ALG_SHARED) 2273 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2274 rstamp, seq, status); 2275 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2276 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2277 status); 2278 else { 2279 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2280 wh, "auth", "unsupported alg %d", algo); 2281 ic->ic_stats.is_rx_auth_unsupported++; 2282 #ifndef IEEE80211_NO_HOSTAP 2283 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2284 /* XXX not right */ 2285 IEEE80211_SEND_MGMT(ic, ni, 2286 IEEE80211_FC0_SUBTYPE_AUTH, 2287 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2288 } 2289 #endif /* !IEEE80211_NO_HOSTAP */ 2290 return; 2291 } 2292 break; 2293 } 2294 2295 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2296 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2297 u_int16_t capinfo, lintval; 2298 struct ieee80211_rsnparms rsn; 2299 u_int8_t reason; 2300 2301 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2302 ic->ic_state != IEEE80211_S_RUN) { 2303 ic->ic_stats.is_rx_mgtdiscard++; 2304 return; 2305 } 2306 2307 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2308 reassoc = 1; 2309 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2310 } else { 2311 reassoc = 0; 2312 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2313 } 2314 /* 2315 * asreq frame format 2316 * [2] capability information 2317 * [2] listen interval 2318 * [6*] current AP address (reassoc only) 2319 * [tlv] ssid 2320 * [tlv] supported rates 2321 * [tlv] extended supported rates 2322 * [tlv] WPA or RSN 2323 */ 2324 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2325 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2326 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2327 wh, ieee80211_mgt_subtype_name[subtype >> 2328 IEEE80211_FC0_SUBTYPE_SHIFT], 2329 "%s", "wrong bssid"); 2330 ic->ic_stats.is_rx_assoc_bss++; 2331 return; 2332 } 2333 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2334 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2335 if (reassoc) 2336 frm += 6; /* ignore current AP info */ 2337 ssid = rates = xrates = wpa = wme = NULL; 2338 while (frm < efrm) { 2339 switch (*frm) { 2340 case IEEE80211_ELEMID_SSID: 2341 ssid = frm; 2342 break; 2343 case IEEE80211_ELEMID_RATES: 2344 rates = frm; 2345 break; 2346 case IEEE80211_ELEMID_XRATES: 2347 xrates = frm; 2348 break; 2349 /* XXX verify only one of RSN and WPA ie's? */ 2350 case IEEE80211_ELEMID_RSN: 2351 wpa = frm; 2352 break; 2353 case IEEE80211_ELEMID_VENDOR: 2354 if (iswpaoui(frm)) 2355 wpa = frm; 2356 else if (iswmeinfo(frm)) 2357 wme = frm; 2358 /* XXX Atheros OUI support */ 2359 break; 2360 } 2361 frm += frm[1] + 2; 2362 } 2363 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2364 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2365 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2366 2367 if (ni == ic->ic_bss) { 2368 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2369 "[%s] deny %s request, sta not authenticated\n", 2370 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2371 reassoc ? "reassoc" : "assoc"); 2372 ieee80211_send_error(ic, ni, wh->i_addr2, 2373 IEEE80211_FC0_SUBTYPE_DEAUTH, 2374 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2375 ic->ic_stats.is_rx_assoc_notauth++; 2376 return; 2377 } 2378 /* assert right associstion security credentials */ 2379 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2380 IEEE80211_DPRINTF(ic, 2381 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2382 "[%s] no WPA/RSN IE in association request\n", 2383 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2384 IEEE80211_SEND_MGMT(ic, ni, 2385 IEEE80211_FC0_SUBTYPE_DEAUTH, 2386 IEEE80211_REASON_RSN_REQUIRED); 2387 ieee80211_node_leave(ic, ni); 2388 /* XXX distinguish WPA/RSN? */ 2389 ic->ic_stats.is_rx_assoc_badwpaie++; 2390 return; 2391 } 2392 if (wpa != NULL) { 2393 /* 2394 * Parse WPA information element. Note that 2395 * we initialize the param block from the node 2396 * state so that information in the IE overrides 2397 * our defaults. The resulting parameters are 2398 * installed below after the association is assured. 2399 */ 2400 rsn = ni->ni_rsn; 2401 if (wpa[0] != IEEE80211_ELEMID_RSN) 2402 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2403 else 2404 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2405 if (reason != 0) { 2406 IEEE80211_SEND_MGMT(ic, ni, 2407 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2408 ieee80211_node_leave(ic, ni); 2409 /* XXX distinguish WPA/RSN? */ 2410 ic->ic_stats.is_rx_assoc_badwpaie++; 2411 return; 2412 } 2413 IEEE80211_DPRINTF(ic, 2414 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2415 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2416 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2417 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2418 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2419 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2420 rsn.rsn_keymgmt, rsn.rsn_caps); 2421 } 2422 /* discard challenge after association */ 2423 if (ni->ni_challenge != NULL) { 2424 free(ni->ni_challenge, M_DEVBUF); 2425 ni->ni_challenge = NULL; 2426 } 2427 /* NB: 802.11 spec says to ignore station's privacy bit */ 2428 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2429 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2430 "[%s] deny %s request, capability mismatch 0x%x\n", 2431 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2432 reassoc ? "reassoc" : "assoc", capinfo); 2433 IEEE80211_SEND_MGMT(ic, ni, resp, 2434 IEEE80211_STATUS_CAPINFO); 2435 ieee80211_node_leave(ic, ni); 2436 ic->ic_stats.is_rx_assoc_capmismatch++; 2437 return; 2438 } 2439 rate = ieee80211_setup_rates(ni, rates, xrates, 2440 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2441 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2442 /* 2443 * If constrained to 11g-only stations reject an 2444 * 11b-only station. We cheat a bit here by looking 2445 * at the max negotiated xmit rate and assuming anyone 2446 * with a best rate <24Mb/s is an 11b station. 2447 */ 2448 if ((rate & IEEE80211_RATE_BASIC) || 2449 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2450 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2451 "[%s] deny %s request, rate set mismatch\n", 2452 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2453 reassoc ? "reassoc" : "assoc"); 2454 IEEE80211_SEND_MGMT(ic, ni, resp, 2455 IEEE80211_STATUS_BASIC_RATE); 2456 ieee80211_node_leave(ic, ni); 2457 ic->ic_stats.is_rx_assoc_norate++; 2458 return; 2459 } 2460 ni->ni_rssi = rssi; 2461 ni->ni_rstamp = rstamp; 2462 ni->ni_intval = lintval; 2463 ni->ni_capinfo = capinfo; 2464 ni->ni_chan = ic->ic_bss->ni_chan; 2465 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2466 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2467 if (wpa != NULL) { 2468 /* 2469 * Record WPA/RSN parameters for station, mark 2470 * node as using WPA and record information element 2471 * for applications that require it. 2472 */ 2473 ni->ni_rsn = rsn; 2474 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2475 } else if (ni->ni_wpa_ie != NULL) { 2476 /* 2477 * Flush any state from a previous association. 2478 */ 2479 free(ni->ni_wpa_ie, M_DEVBUF); 2480 ni->ni_wpa_ie = NULL; 2481 } 2482 if (wme != NULL) { 2483 /* 2484 * Record WME parameters for station, mark node 2485 * as capable of QoS and record information 2486 * element for applications that require it. 2487 */ 2488 ieee80211_saveie(&ni->ni_wme_ie, wme); 2489 ni->ni_flags |= IEEE80211_NODE_QOS; 2490 } else if (ni->ni_wme_ie != NULL) { 2491 /* 2492 * Flush any state from a previous association. 2493 */ 2494 free(ni->ni_wme_ie, M_DEVBUF); 2495 ni->ni_wme_ie = NULL; 2496 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2497 } 2498 ieee80211_node_join(ic, ni, resp); 2499 break; 2500 } 2501 2502 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2503 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2504 u_int16_t capinfo, associd; 2505 u_int16_t status; 2506 2507 if (ic->ic_opmode != IEEE80211_M_STA || 2508 ic->ic_state != IEEE80211_S_ASSOC) { 2509 ic->ic_stats.is_rx_mgtdiscard++; 2510 return; 2511 } 2512 2513 /* 2514 * asresp frame format 2515 * [2] capability information 2516 * [2] status 2517 * [2] association ID 2518 * [tlv] supported rates 2519 * [tlv] extended supported rates 2520 * [tlv] WME 2521 */ 2522 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2523 ni = ic->ic_bss; 2524 capinfo = le16toh(*(u_int16_t *)frm); 2525 frm += 2; 2526 status = le16toh(*(u_int16_t *)frm); 2527 frm += 2; 2528 if (status != 0) { 2529 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2530 "[%s] %sassoc failed (reason %d)\n", 2531 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2532 ISREASSOC(subtype) ? "re" : "", status); 2533 if (ni != ic->ic_bss) /* XXX never true? */ 2534 ni->ni_fails++; 2535 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2536 return; 2537 } 2538 associd = le16toh(*(u_int16_t *)frm); 2539 frm += 2; 2540 2541 rates = xrates = wpa = wme = NULL; 2542 while (frm < efrm) { 2543 switch (*frm) { 2544 case IEEE80211_ELEMID_RATES: 2545 rates = frm; 2546 break; 2547 case IEEE80211_ELEMID_XRATES: 2548 xrates = frm; 2549 break; 2550 case IEEE80211_ELEMID_VENDOR: 2551 if (iswmeoui(frm)) 2552 wme = frm; 2553 /* XXX Atheros OUI support */ 2554 break; 2555 } 2556 frm += frm[1] + 2; 2557 } 2558 2559 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2560 rate = ieee80211_setup_rates(ni, rates, xrates, 2561 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2562 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2563 if (rate & IEEE80211_RATE_BASIC) { 2564 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2565 "[%s] %sassoc failed (rate set mismatch)\n", 2566 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2567 ISREASSOC(subtype) ? "re" : ""); 2568 if (ni != ic->ic_bss) /* XXX never true? */ 2569 ni->ni_fails++; 2570 ic->ic_stats.is_rx_assoc_norate++; 2571 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2572 return; 2573 } 2574 2575 ni->ni_capinfo = capinfo; 2576 ni->ni_associd = associd; 2577 if (wme != NULL && 2578 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2579 ni->ni_flags |= IEEE80211_NODE_QOS; 2580 ieee80211_wme_updateparams(ic); 2581 } else 2582 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2583 /* 2584 * Configure state now that we are associated. 2585 * 2586 * XXX may need different/additional driver callbacks? 2587 */ 2588 if (ic->ic_curmode == IEEE80211_MODE_11A || 2589 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2590 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2591 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2592 } else { 2593 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2594 ic->ic_flags |= IEEE80211_F_USEBARKER; 2595 } 2596 ieee80211_set_shortslottime(ic, 2597 ic->ic_curmode == IEEE80211_MODE_11A || 2598 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2599 /* 2600 * Honor ERP protection. 2601 * 2602 * NB: ni_erp should zero for non-11g operation. 2603 * XXX check ic_curmode anyway? 2604 */ 2605 if (ic->ic_curmode == IEEE80211_MODE_11G && 2606 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2607 ic->ic_flags |= IEEE80211_F_USEPROT; 2608 else 2609 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2610 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2611 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2612 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2613 ISREASSOC(subtype) ? "re" : "", 2614 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2615 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2616 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2617 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2618 ); 2619 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2620 break; 2621 } 2622 2623 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2624 u_int16_t reason; 2625 2626 if (ic->ic_state == IEEE80211_S_SCAN) { 2627 ic->ic_stats.is_rx_mgtdiscard++; 2628 return; 2629 } 2630 /* 2631 * deauth frame format 2632 * [2] reason 2633 */ 2634 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2635 reason = le16toh(*(u_int16_t *)frm); 2636 __USE(reason); 2637 ic->ic_stats.is_rx_deauth++; 2638 IEEE80211_NODE_STAT(ni, rx_deauth); 2639 2640 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2641 /* Not intended for this station. */ 2642 ic->ic_stats.is_rx_mgtdiscard++; 2643 break; 2644 } 2645 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2646 "[%s] recv deauthenticate (reason %d)\n", 2647 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2648 switch (ic->ic_opmode) { 2649 case IEEE80211_M_STA: 2650 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2651 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2652 break; 2653 case IEEE80211_M_HOSTAP: 2654 #ifndef IEEE80211_NO_HOSTAP 2655 if (ni != ic->ic_bss) 2656 ieee80211_node_leave(ic, ni); 2657 #endif /* !IEEE80211_NO_HOSTAP */ 2658 break; 2659 default: 2660 ic->ic_stats.is_rx_mgtdiscard++; 2661 break; 2662 } 2663 break; 2664 } 2665 2666 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2667 u_int16_t reason; 2668 2669 if (ic->ic_state != IEEE80211_S_RUN && 2670 ic->ic_state != IEEE80211_S_ASSOC && 2671 ic->ic_state != IEEE80211_S_AUTH) { 2672 ic->ic_stats.is_rx_mgtdiscard++; 2673 return; 2674 } 2675 /* 2676 * disassoc frame format 2677 * [2] reason 2678 */ 2679 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2680 reason = le16toh(*(u_int16_t *)frm); 2681 __USE(reason); 2682 ic->ic_stats.is_rx_disassoc++; 2683 IEEE80211_NODE_STAT(ni, rx_disassoc); 2684 2685 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2686 /* Not intended for this station. */ 2687 ic->ic_stats.is_rx_mgtdiscard++; 2688 break; 2689 } 2690 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2691 "[%s] recv disassociate (reason %d)\n", 2692 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2693 switch (ic->ic_opmode) { 2694 case IEEE80211_M_STA: 2695 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2696 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2697 break; 2698 case IEEE80211_M_HOSTAP: 2699 #ifndef IEEE80211_NO_HOSTAP 2700 if (ni != ic->ic_bss) 2701 ieee80211_node_leave(ic, ni); 2702 #endif /* !IEEE80211_NO_HOSTAP */ 2703 break; 2704 default: 2705 ic->ic_stats.is_rx_mgtdiscard++; 2706 break; 2707 } 2708 break; 2709 } 2710 default: 2711 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2712 wh, "mgt", "subtype 0x%x not handled", subtype); 2713 ic->ic_stats.is_rx_badsubtype++; 2714 break; 2715 } 2716 #undef ISREASSOC 2717 #undef ISPROBE 2718 } 2719 #undef IEEE80211_VERIFY_LENGTH 2720 #undef IEEE80211_VERIFY_ELEMENT 2721 2722 #ifndef IEEE80211_NO_HOSTAP 2723 /* 2724 * Handle station power-save state change. 2725 */ 2726 static void 2727 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2728 { 2729 struct ieee80211com *ic = ni->ni_ic; 2730 struct mbuf *m; 2731 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2732 2733 if (enable) { 2734 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2735 ic->ic_ps_sta++; 2736 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2737 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2738 "[%s] power save mode on, %u sta's in ps mode\n", 2739 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2740 ic->ic_ps_sta); 2741 return; 2742 } 2743 2744 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2745 ic->ic_ps_sta--; 2746 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2747 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2748 "[%s] power save mode off, %u sta's in ps mode\n", 2749 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta); 2750 /* XXX if no stations in ps mode, flush mc frames */ 2751 2752 /* 2753 * Flush queued unicast frames. 2754 */ 2755 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2756 if (ic->ic_set_tim != NULL) 2757 ic->ic_set_tim(ni, 0); /* just in case */ 2758 return; 2759 } 2760 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2761 "[%s] flush ps queue, %u packets queued\n", 2762 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2763 IEEE80211_NODE_SAVEQ_QLEN(ni)); 2764 for (;;) { 2765 int qlen; 2766 2767 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2768 if (m == NULL) 2769 break; 2770 /* 2771 * If this is the last packet, turn off the TIM bit. 2772 * If there are more packets, set the more packets bit 2773 * in the mbuf so ieee80211_encap will mark the 802.11 2774 * head to indicate more data frames will follow. 2775 */ 2776 if (qlen != 0) 2777 m->m_flags |= M_MORE_DATA; 2778 /* XXX need different driver interface */ 2779 /* XXX bypasses q max */ 2780 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2781 } 2782 if (ic->ic_set_tim != NULL) 2783 ic->ic_set_tim(ni, 0); 2784 } 2785 2786 /* 2787 * Process a received ps-poll frame. 2788 */ 2789 static void 2790 ieee80211_recv_pspoll(struct ieee80211com *ic, 2791 struct ieee80211_node *ni, struct mbuf *m0) 2792 { 2793 struct ieee80211_frame_min *wh; 2794 struct mbuf *m; 2795 u_int16_t aid; 2796 int qlen; 2797 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2798 2799 wh = mtod(m0, struct ieee80211_frame_min *); 2800 if (ni->ni_associd == 0) { 2801 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2802 (struct ieee80211_frame *) wh, "ps-poll", 2803 "%s", "unassociated station"); 2804 ic->ic_stats.is_ps_unassoc++; 2805 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2806 IEEE80211_REASON_NOT_ASSOCED); 2807 return; 2808 } 2809 2810 aid = le16toh(*(u_int16_t *)wh->i_dur); 2811 if (aid != ni->ni_associd) { 2812 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2813 (struct ieee80211_frame *) wh, "ps-poll", 2814 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2815 ni->ni_associd, aid); 2816 ic->ic_stats.is_ps_badaid++; 2817 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2818 IEEE80211_REASON_NOT_ASSOCED); 2819 return; 2820 } 2821 2822 /* Okay, take the first queued packet and put it out... */ 2823 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2824 if (m == NULL) { 2825 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2826 "[%s] recv ps-poll, but queue empty\n", 2827 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2828 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2829 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2830 if (ic->ic_set_tim != NULL) 2831 ic->ic_set_tim(ni, 0); /* just in case */ 2832 return; 2833 } 2834 /* 2835 * If there are more packets, set the more packets bit 2836 * in the packet dispatched to the station; otherwise 2837 * turn off the TIM bit. 2838 */ 2839 if (qlen != 0) { 2840 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2841 "[%s] recv ps-poll, send packet, %u still queued\n", 2842 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen); 2843 m->m_flags |= M_MORE_DATA; 2844 } else { 2845 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2846 "[%s] recv ps-poll, send packet, queue empty\n", 2847 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 2848 if (ic->ic_set_tim != NULL) 2849 ic->ic_set_tim(ni, 0); 2850 } 2851 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2852 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2853 } 2854 #endif /* !IEEE80211_NO_HOSTAP */ 2855 2856 #ifdef IEEE80211_DEBUG 2857 /* 2858 * Debugging support. 2859 */ 2860 2861 /* 2862 * Return the bssid of a frame. 2863 */ 2864 static const u_int8_t * 2865 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2866 { 2867 if (ic->ic_opmode == IEEE80211_M_STA) 2868 return wh->i_addr2; 2869 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2870 return wh->i_addr1; 2871 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2872 return wh->i_addr1; 2873 return wh->i_addr3; 2874 } 2875 2876 void 2877 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2878 { 2879 char buf[128]; /* XXX */ 2880 va_list ap; 2881 2882 va_start(ap, fmt); 2883 vsnprintf(buf, sizeof(buf), fmt, ap); 2884 va_end(ap); 2885 2886 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2887 } 2888 2889 void 2890 ieee80211_note_frame(struct ieee80211com *ic, 2891 const struct ieee80211_frame *wh, 2892 const char *fmt, ...) 2893 { 2894 char buf[128]; /* XXX */ 2895 va_list ap; 2896 char ebuf[3 * ETHER_ADDR_LEN]; 2897 2898 va_start(ap, fmt); 2899 vsnprintf(buf, sizeof(buf), fmt, ap); 2900 va_end(ap); 2901 if_printf(ic->ic_ifp, "[%s] %s\n", 2902 ether_snprintf(ebuf, sizeof(ebuf), 2903 ieee80211_getbssid(ic, wh)), buf); 2904 } 2905 2906 void 2907 ieee80211_note_mac(struct ieee80211com *ic, 2908 const u_int8_t mac[IEEE80211_ADDR_LEN], 2909 const char *fmt, ...) 2910 { 2911 char buf[128]; /* XXX */ 2912 va_list ap; 2913 char ebuf[3 * ETHER_ADDR_LEN]; 2914 2915 va_start(ap, fmt); 2916 vsnprintf(buf, sizeof(buf), fmt, ap); 2917 va_end(ap); 2918 if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf), 2919 mac), buf); 2920 } 2921 2922 static void 2923 ieee80211_discard_frame(struct ieee80211com *ic, 2924 const struct ieee80211_frame *wh, 2925 const char *type, const char *fmt, ...) 2926 { 2927 va_list ap; 2928 char ebuf[3 * ETHER_ADDR_LEN]; 2929 2930 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2931 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2932 if (type != NULL) 2933 printf("%s frame, ", type); 2934 else 2935 printf("frame, "); 2936 va_start(ap, fmt); 2937 vprintf(fmt, ap); 2938 va_end(ap); 2939 printf("\n"); 2940 } 2941 2942 static void 2943 ieee80211_discard_ie(struct ieee80211com *ic, 2944 const struct ieee80211_frame *wh, 2945 const char *type, const char *fmt, ...) 2946 { 2947 va_list ap; 2948 char ebuf[3 * ETHER_ADDR_LEN]; 2949 2950 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2951 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2952 if (type != NULL) 2953 printf("%s information element, ", type); 2954 else 2955 printf("information element, "); 2956 va_start(ap, fmt); 2957 vprintf(fmt, ap); 2958 va_end(ap); 2959 printf("\n"); 2960 } 2961 2962 static void 2963 ieee80211_discard_mac(struct ieee80211com *ic, 2964 const u_int8_t mac[IEEE80211_ADDR_LEN], 2965 const char *type, const char *fmt, ...) 2966 { 2967 va_list ap; 2968 char ebuf[3 * ETHER_ADDR_LEN]; 2969 2970 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2971 ether_snprintf(ebuf, sizeof(ebuf), mac)); 2972 if (type != NULL) 2973 printf("%s frame, ", type); 2974 else 2975 printf("frame, "); 2976 va_start(ap, fmt); 2977 vprintf(fmt, ap); 2978 va_end(ap); 2979 printf("\n"); 2980 } 2981 #endif /* IEEE80211_DEBUG */ 2982