1 /* $NetBSD: ieee80211_input.c,v 1.84 2016/05/14 13:35:40 mlelstv Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.84 2016/05/14 13:35:40 mlelstv Exp $"); 40 #endif 41 42 #ifdef _KERNEL_OPT 43 #include "opt_inet.h" 44 #endif 45 46 #ifdef __NetBSD__ 47 #endif /* __NetBSD__ */ 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/malloc.h> 53 #include <sys/endian.h> 54 #include <sys/kernel.h> 55 56 #include <sys/socket.h> 57 #include <sys/sockio.h> 58 #include <sys/endian.h> 59 #include <sys/errno.h> 60 #include <sys/proc.h> 61 #include <sys/sysctl.h> 62 63 #include <net/if.h> 64 #include <net/if_media.h> 65 #include <net/if_arp.h> 66 #include <net/if_ether.h> 67 #include <net/if_llc.h> 68 69 #include <net80211/ieee80211_netbsd.h> 70 #include <net80211/ieee80211_var.h> 71 72 #include <net/bpf.h> 73 74 #ifdef INET 75 #include <netinet/in.h> 76 #include <net/if_ether.h> 77 #endif 78 79 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 80 81 #ifdef IEEE80211_DEBUG 82 83 /* 84 * Decide if a received management frame should be 85 * printed when debugging is enabled. This filters some 86 * of the less interesting frames that come frequently 87 * (e.g. beacons). 88 */ 89 static __inline int 90 doprint(struct ieee80211com *ic, int subtype) 91 { 92 switch (subtype) { 93 case IEEE80211_FC0_SUBTYPE_BEACON: 94 return (ic->ic_flags & IEEE80211_F_SCAN); 95 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 96 return (ic->ic_opmode == IEEE80211_M_IBSS); 97 } 98 return 1; 99 } 100 101 /* 102 * Emit a debug message about discarding a frame or information 103 * element. One format is for extracting the mac address from 104 * the frame header; the other is for when a header is not 105 * available or otherwise appropriate. 106 */ 107 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 108 if ((_ic)->ic_debug & (_m)) \ 109 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 110 } while (0) 111 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 112 if ((_ic)->ic_debug & (_m)) \ 113 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 114 } while (0) 115 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 116 if ((_ic)->ic_debug & (_m)) \ 117 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 118 } while (0) 119 120 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 121 const struct ieee80211_frame *); 122 static void ieee80211_discard_frame(struct ieee80211com *, 123 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 124 static void ieee80211_discard_ie(struct ieee80211com *, 125 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 126 static void ieee80211_discard_mac(struct ieee80211com *, 127 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 128 const char *fmt, ...); 129 #else 130 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 131 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 132 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 133 #endif /* IEEE80211_DEBUG */ 134 135 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 136 struct ieee80211_node *, struct mbuf *, int); 137 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 138 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 139 const u_int8_t *mac, int subtype, int arg); 140 static void ieee80211_deliver_data(struct ieee80211com *, 141 struct ieee80211_node *, struct mbuf *); 142 #ifndef IEEE80211_NO_HOSTAP 143 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 144 static void ieee80211_recv_pspoll(struct ieee80211com *, 145 struct ieee80211_node *, struct mbuf *); 146 #endif /* !IEEE80211_NO_HOSTAP */ 147 static void ieee80211_update_adhoc_node(struct ieee80211com *, 148 struct ieee80211_node *, struct ieee80211_frame *, 149 struct ieee80211_scanparams *, int, u_int32_t); 150 151 /* 152 * Process a received frame. The node associated with the sender 153 * should be supplied. If nothing was found in the node table then 154 * the caller is assumed to supply a reference to ic_bss instead. 155 * The RSSI and a timestamp are also supplied. The RSSI data is used 156 * during AP scanning to select a AP to associate with; it can have 157 * any units so long as values have consistent units and higher values 158 * mean ``better signal''. The receive timestamp is currently not used 159 * by the 802.11 layer. 160 */ 161 int 162 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 163 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 164 { 165 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 166 #define HAS_SEQ(type) ((type & 0x4) == 0) 167 struct ifnet *ifp = ic->ic_ifp; 168 struct ieee80211_frame *wh; 169 struct ieee80211_key *key; 170 struct ether_header *eh; 171 int hdrspace; 172 u_int8_t dir, type, subtype; 173 u_int8_t *bssid; 174 u_int16_t rxseq; 175 176 IASSERT(ni != NULL, ("null node")); 177 ni->ni_inact = ni->ni_inact_reload; 178 179 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 180 if (m->m_flags & M_HASFCS) { 181 m_adj(m, -IEEE80211_CRC_LEN); 182 m->m_flags &= ~M_HASFCS; 183 } 184 type = -1; /* undefined */ 185 /* 186 * In monitor mode, send everything directly to bpf. 187 * XXX may want to include the CRC 188 */ 189 if (ic->ic_opmode == IEEE80211_M_MONITOR) 190 goto out; 191 192 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 193 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 194 ni->ni_macaddr, NULL, 195 "too short (1): len %u", m->m_pkthdr.len); 196 ic->ic_stats.is_rx_tooshort++; 197 goto out; 198 } 199 /* 200 * Bit of a cheat here, we use a pointer for a 3-address 201 * frame format but don't reference fields past outside 202 * ieee80211_frame_min w/o first validating the data is 203 * present. 204 */ 205 wh = mtod(m, struct ieee80211_frame *); 206 207 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 208 IEEE80211_FC0_VERSION_0) { 209 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 210 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 211 ic->ic_stats.is_rx_badversion++; 212 goto err; 213 } 214 215 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 216 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 217 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 218 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 219 switch (ic->ic_opmode) { 220 case IEEE80211_M_STA: 221 bssid = wh->i_addr2; 222 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 223 /* not interested in */ 224 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 225 bssid, NULL, "%s", "not to bss"); 226 ic->ic_stats.is_rx_wrongbss++; 227 goto out; 228 } 229 230 /* Filter out packets not directed to us in case the 231 * device is in promiscous mode 232 */ 233 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) 234 && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) { 235 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 236 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 237 ic->ic_myaddr, ":", wh->i_addr1, ":"); 238 ic->ic_stats.is_rx_wrongbss++; 239 goto out; 240 } 241 break; 242 case IEEE80211_M_IBSS: 243 case IEEE80211_M_AHDEMO: 244 case IEEE80211_M_HOSTAP: 245 if (dir != IEEE80211_FC1_DIR_NODS) 246 bssid = wh->i_addr1; 247 else if (type == IEEE80211_FC0_TYPE_CTL) 248 bssid = wh->i_addr1; 249 else { 250 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 251 IEEE80211_DISCARD_MAC(ic, 252 IEEE80211_MSG_ANY, ni->ni_macaddr, 253 NULL, "too short (2): len %u", 254 m->m_pkthdr.len); 255 ic->ic_stats.is_rx_tooshort++; 256 goto out; 257 } 258 bssid = wh->i_addr3; 259 } 260 if (type != IEEE80211_FC0_TYPE_DATA) 261 break; 262 /* 263 * Data frame, validate the bssid. 264 */ 265 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 266 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 267 /* not interested in */ 268 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 269 bssid, NULL, "%s", "not to bss"); 270 ic->ic_stats.is_rx_wrongbss++; 271 goto out; 272 } 273 /* 274 * For adhoc mode we cons up a node when it doesn't 275 * exist. This should probably done after an ACL check. 276 */ 277 if (ni == ic->ic_bss && 278 ic->ic_opmode != IEEE80211_M_HOSTAP && 279 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 280 /* 281 * Fake up a node for this newly 282 * discovered member of the IBSS. 283 */ 284 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 285 wh->i_addr2); 286 if (ni == NULL) { 287 /* NB: stat kept for alloc failure */ 288 goto err; 289 } 290 } 291 break; 292 default: 293 goto out; 294 } 295 ni->ni_rssi = rssi; 296 ni->ni_rstamp = rstamp; 297 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || 298 !IEEE80211_IS_MULTICAST(wh->i_addr1))) { 299 u_int8_t tid, retry; 300 u_int16_t rxno, orxno; 301 302 if (ieee80211_has_qos(wh)) { 303 tid = ((struct ieee80211_qosframe *)wh)-> 304 i_qos[0] & IEEE80211_QOS_TID; 305 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 306 ic->ic_wme.wme_hipri_traffic++; 307 tid++; 308 } else 309 tid = 0; 310 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 311 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; 312 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 313 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; 314 if (retry && ( 315 (orxno == 4095 && rxno == orxno) || 316 (orxno != 4095 && 317 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) 318 )) { 319 /* duplicate, discard */ 320 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 321 bssid, "duplicate", 322 "seqno <%u,%u> fragno <%u,%u> tid %u", 323 rxno, 324 orxno, 325 rxseq & IEEE80211_SEQ_FRAG_MASK, 326 ni->ni_rxseqs[tid] & 327 IEEE80211_SEQ_FRAG_MASK, 328 tid); 329 ic->ic_stats.is_rx_dup++; 330 IEEE80211_NODE_STAT(ni, rx_dup); 331 goto out; 332 } 333 ni->ni_rxseqs[tid] = rxseq; 334 } 335 } 336 337 switch (type) { 338 case IEEE80211_FC0_TYPE_DATA: 339 hdrspace = ieee80211_hdrspace(ic, wh); 340 if (m->m_len < hdrspace && 341 (m = m_pullup(m, hdrspace)) == NULL) { 342 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 343 ni->ni_macaddr, NULL, 344 "data too short: expecting %u", hdrspace); 345 ic->ic_stats.is_rx_tooshort++; 346 goto out; /* XXX */ 347 } 348 switch (ic->ic_opmode) { 349 case IEEE80211_M_STA: 350 if (dir != IEEE80211_FC1_DIR_FROMDS) { 351 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 352 wh, "data", "%s", "unknown dir 0x%x", dir); 353 ic->ic_stats.is_rx_wrongdir++; 354 goto out; 355 } 356 if ((ifp->if_flags & IFF_SIMPLEX) && 357 IEEE80211_IS_MULTICAST(wh->i_addr1) && 358 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 359 /* 360 * In IEEE802.11 network, multicast packet 361 * sent from me is broadcasted from AP. 362 * It should be silently discarded for 363 * SIMPLEX interface. 364 */ 365 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 366 wh, NULL, "%s", "multicast echo"); 367 ic->ic_stats.is_rx_mcastecho++; 368 goto out; 369 } 370 break; 371 case IEEE80211_M_IBSS: 372 case IEEE80211_M_AHDEMO: 373 if (dir != IEEE80211_FC1_DIR_NODS) { 374 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 375 wh, "data", "%s", "unknown dir 0x%x", dir); 376 ic->ic_stats.is_rx_wrongdir++; 377 goto out; 378 } 379 /* XXX no power-save support */ 380 break; 381 case IEEE80211_M_HOSTAP: 382 #ifndef IEEE80211_NO_HOSTAP 383 if (dir != IEEE80211_FC1_DIR_TODS) { 384 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 385 wh, "data", "%s", "unknown dir 0x%x", dir); 386 ic->ic_stats.is_rx_wrongdir++; 387 goto out; 388 } 389 /* check if source STA is associated */ 390 if (ni == ic->ic_bss) { 391 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 392 wh, "data", "%s", "unknown src"); 393 ieee80211_send_error(ic, ni, wh->i_addr2, 394 IEEE80211_FC0_SUBTYPE_DEAUTH, 395 IEEE80211_REASON_NOT_AUTHED); 396 ic->ic_stats.is_rx_notassoc++; 397 goto err; 398 } 399 if (ni->ni_associd == 0) { 400 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 401 wh, "data", "%s", "unassoc src"); 402 IEEE80211_SEND_MGMT(ic, ni, 403 IEEE80211_FC0_SUBTYPE_DISASSOC, 404 IEEE80211_REASON_NOT_ASSOCED); 405 ic->ic_stats.is_rx_notassoc++; 406 goto err; 407 } 408 409 /* 410 * Check for power save state change. 411 */ 412 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 413 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 414 ieee80211_node_pwrsave(ni, 415 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 416 #endif /* !IEEE80211_NO_HOSTAP */ 417 break; 418 default: 419 /* XXX here to keep compiler happy */ 420 goto out; 421 } 422 423 /* 424 * Handle privacy requirements. Note that we 425 * must not be preempted from here until after 426 * we (potentially) call ieee80211_crypto_demic; 427 * otherwise we may violate assumptions in the 428 * crypto cipher modules used to do delayed update 429 * of replay sequence numbers. 430 */ 431 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 432 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 433 /* 434 * Discard encrypted frames when privacy is off. 435 */ 436 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 437 wh, "WEP", "%s", "PRIVACY off"); 438 ic->ic_stats.is_rx_noprivacy++; 439 IEEE80211_NODE_STAT(ni, rx_noprivacy); 440 goto out; 441 } 442 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 443 if (key == NULL) { 444 /* NB: stats+msgs handled in crypto_decap */ 445 IEEE80211_NODE_STAT(ni, rx_wepfail); 446 goto out; 447 } 448 wh = mtod(m, struct ieee80211_frame *); 449 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 450 } else { 451 key = NULL; 452 } 453 454 /* 455 * Next up, any fragmentation. 456 */ 457 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 458 m = ieee80211_defrag(ic, ni, m, hdrspace); 459 if (m == NULL) { 460 /* Fragment dropped or frame not complete yet */ 461 goto out; 462 } 463 } 464 wh = NULL; /* no longer valid, catch any uses */ 465 466 /* 467 * Next strip any MSDU crypto bits. 468 */ 469 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 470 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 471 ni->ni_macaddr, "data", "%s", "demic error"); 472 IEEE80211_NODE_STAT(ni, rx_demicfail); 473 goto out; 474 } 475 476 /* copy to listener after decrypt */ 477 bpf_mtap3(ic->ic_rawbpf, m); 478 479 /* 480 * Finally, strip the 802.11 header. 481 */ 482 m = ieee80211_decap(ic, m, hdrspace); 483 if (m == NULL) { 484 /* don't count Null data frames as errors */ 485 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 486 goto out; 487 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 488 ni->ni_macaddr, "data", "%s", "decap error"); 489 ic->ic_stats.is_rx_decap++; 490 IEEE80211_NODE_STAT(ni, rx_decap); 491 goto err; 492 } 493 eh = mtod(m, struct ether_header *); 494 if (!ieee80211_node_is_authorized(ni)) { 495 /* 496 * Deny any non-PAE frames received prior to 497 * authorization. For open/shared-key 498 * authentication the port is mark authorized 499 * after authentication completes. For 802.1x 500 * the port is not marked authorized by the 501 * authenticator until the handshake has completed. 502 */ 503 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 504 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 505 eh->ether_shost, "data", 506 "unauthorized port: ether type 0x%x len %u", 507 eh->ether_type, m->m_pkthdr.len); 508 ic->ic_stats.is_rx_unauth++; 509 IEEE80211_NODE_STAT(ni, rx_unauth); 510 goto err; 511 } 512 } else { 513 /* 514 * When denying unencrypted frames, discard 515 * any non-PAE frames received without encryption. 516 */ 517 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 518 key == NULL && 519 eh->ether_type != htons(ETHERTYPE_PAE)) { 520 /* 521 * Drop unencrypted frames. 522 */ 523 ic->ic_stats.is_rx_unencrypted++; 524 IEEE80211_NODE_STAT(ni, rx_unencrypted); 525 goto out; 526 } 527 } 528 ifp->if_ipackets++; 529 IEEE80211_NODE_STAT(ni, rx_data); 530 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 531 532 ieee80211_deliver_data(ic, ni, m); 533 return IEEE80211_FC0_TYPE_DATA; 534 535 case IEEE80211_FC0_TYPE_MGT: 536 IEEE80211_NODE_STAT(ni, rx_mgmt); 537 if (dir != IEEE80211_FC1_DIR_NODS) { 538 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 539 wh, "data", "%s", "unknown dir 0x%x", dir); 540 ic->ic_stats.is_rx_wrongdir++; 541 goto err; 542 } 543 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 544 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 545 ni->ni_macaddr, "mgt", "too short: len %u", 546 m->m_pkthdr.len); 547 ic->ic_stats.is_rx_tooshort++; 548 goto out; 549 } 550 #ifdef IEEE80211_DEBUG 551 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 552 ieee80211_msg_dumppkts(ic)) { 553 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 554 ieee80211_mgt_subtype_name[subtype >> 555 IEEE80211_FC0_SUBTYPE_SHIFT], 556 ether_sprintf(wh->i_addr2), rssi); 557 } 558 #endif 559 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 560 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 561 /* 562 * Only shared key auth frames with a challenge 563 * should be encrypted, discard all others. 564 */ 565 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 566 wh, ieee80211_mgt_subtype_name[subtype >> 567 IEEE80211_FC0_SUBTYPE_SHIFT], 568 "%s", "WEP set but not permitted"); 569 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 570 goto out; 571 } 572 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 573 /* 574 * Discard encrypted frames when privacy is off. 575 */ 576 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 577 wh, "mgt", "%s", "WEP set but PRIVACY off"); 578 ic->ic_stats.is_rx_noprivacy++; 579 goto out; 580 } 581 hdrspace = ieee80211_hdrspace(ic, wh); 582 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 583 if (key == NULL) { 584 /* NB: stats+msgs handled in crypto_decap */ 585 goto out; 586 } 587 wh = mtod(m, struct ieee80211_frame *); 588 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 589 } 590 bpf_mtap3(ic->ic_rawbpf, m); 591 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 592 m_freem(m); 593 return type; 594 595 case IEEE80211_FC0_TYPE_CTL: 596 IEEE80211_NODE_STAT(ni, rx_ctrl); 597 ic->ic_stats.is_rx_ctl++; 598 #ifndef IEEE80211_NO_HOSTAP 599 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 600 switch (subtype) { 601 case IEEE80211_FC0_SUBTYPE_PS_POLL: 602 ieee80211_recv_pspoll(ic, ni, m); 603 break; 604 } 605 } 606 #endif /* !IEEE80211_NO_HOSTAP */ 607 goto out; 608 default: 609 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 610 wh, NULL, "bad frame type 0x%x", type); 611 /* should not come here */ 612 break; 613 } 614 err: 615 ifp->if_ierrors++; 616 out: 617 if (m != NULL) { 618 bpf_mtap3(ic->ic_rawbpf, m); 619 m_freem(m); 620 } 621 return type; 622 #undef SEQ_LEQ 623 } 624 625 /* 626 * This function reassemble fragments. 627 */ 628 static struct mbuf * 629 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 630 struct mbuf *m, int hdrspace) 631 { 632 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 633 struct ieee80211_frame *lwh; 634 u_int16_t rxseq; 635 u_int8_t fragno; 636 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 637 struct mbuf *mfrag; 638 639 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 640 641 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 642 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 643 644 /* Quick way out, if there's nothing to defragment */ 645 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 646 return m; 647 648 /* 649 * Remove frag to insure it doesn't get reaped by timer. 650 */ 651 if (ni->ni_table == NULL) { 652 /* 653 * Should never happen. If the node is orphaned (not in 654 * the table) then input packets should not reach here. 655 * Otherwise, a concurrent request that yanks the table 656 * should be blocked by other interlocking and/or by first 657 * shutting the driver down. Regardless, be defensive 658 * here and just bail 659 */ 660 /* XXX need msg+stat */ 661 m_freem(m); 662 return NULL; 663 } 664 IEEE80211_NODE_LOCK(ni->ni_table); 665 mfrag = ni->ni_rxfrag[0]; 666 ni->ni_rxfrag[0] = NULL; 667 IEEE80211_NODE_UNLOCK(ni->ni_table); 668 669 /* 670 * Validate new fragment is in order and 671 * related to the previous ones. 672 */ 673 if (mfrag != NULL) { 674 u_int16_t last_rxseq; 675 676 lwh = mtod(mfrag, struct ieee80211_frame *); 677 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 678 /* NB: check seq # and frag together */ 679 if (rxseq != last_rxseq+1 || 680 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 681 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 682 /* 683 * Unrelated fragment or no space for it, 684 * clear current fragments. 685 */ 686 m_freem(mfrag); 687 mfrag = NULL; 688 } 689 } 690 691 if (mfrag == NULL) { 692 if (fragno != 0) { /* !first fragment, discard */ 693 IEEE80211_NODE_STAT(ni, rx_defrag); 694 m_freem(m); 695 return NULL; 696 } 697 mfrag = m; 698 } else { /* concatenate */ 699 m_adj(m, hdrspace); /* strip header */ 700 m_cat(mfrag, m); 701 /* NB: m_cat doesn't update the packet header */ 702 mfrag->m_pkthdr.len += m->m_pkthdr.len; 703 /* track last seqnum and fragno */ 704 lwh = mtod(mfrag, struct ieee80211_frame *); 705 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 706 } 707 if (more_frag) { /* more to come, save */ 708 ni->ni_rxfragstamp = ticks; 709 ni->ni_rxfrag[0] = mfrag; 710 mfrag = NULL; 711 } 712 return mfrag; 713 } 714 715 static void 716 ieee80211_deliver_data(struct ieee80211com *ic, 717 struct ieee80211_node *ni, struct mbuf *m) 718 { 719 struct ether_header *eh = mtod(m, struct ether_header *); 720 struct ifnet *ifp = ic->ic_ifp; 721 int error; 722 723 /* perform as a bridge within the AP */ 724 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 725 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 726 struct mbuf *m1 = NULL; 727 728 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 729 m1 = m_copypacket(m, M_DONTWAIT); 730 if (m1 == NULL) 731 ifp->if_oerrors++; 732 else 733 m1->m_flags |= M_MCAST; 734 } else { 735 /* 736 * Check if the destination is known; if so 737 * and the port is authorized dispatch directly. 738 */ 739 struct ieee80211_node *sta = 740 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 741 if (sta != NULL) { 742 if (ieee80211_node_is_authorized(sta)) { 743 /* 744 * Beware of sending to ourself; this 745 * needs to happen via the normal 746 * input path. 747 */ 748 if (sta != ic->ic_bss) { 749 m1 = m; 750 m = NULL; 751 } 752 } else { 753 ic->ic_stats.is_rx_unauth++; 754 IEEE80211_NODE_STAT(sta, rx_unauth); 755 } 756 ieee80211_free_node(sta); 757 } 758 } 759 if (m1 != NULL) { 760 int len; 761 #ifdef ALTQ 762 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 763 altq_etherclassify(&ifp->if_snd, m1); 764 } 765 #endif 766 len = m1->m_pkthdr.len; 767 IFQ_ENQUEUE(&ifp->if_snd, m1, error); 768 if (error) { 769 ifp->if_omcasts++; 770 m = NULL; 771 } 772 ifp->if_obytes += len; 773 } 774 } 775 if (m != NULL) { 776 /* 777 * XXX If we forward packet into transmitter of the AP, 778 * we don't need to duplicate for DLT_EN10MB. 779 */ 780 bpf_mtap(ifp, m); 781 782 if (ni->ni_vlan != 0) { 783 /* attach vlan tag */ 784 /* XXX goto err? */ 785 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 786 } 787 788 /* 789 * XXX once ieee80211_input (or rxintr itself) runs in softint 790 * we have to change here too to use if_input. 791 */ 792 KASSERT(ifp->if_percpuq); 793 if_percpuq_enqueue(ifp->if_percpuq, m); 794 } 795 return; 796 out: 797 if (m != NULL) { 798 bpf_mtap3(ic->ic_rawbpf, m); 799 m_freem(m); 800 } 801 } 802 803 static struct mbuf * 804 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 805 { 806 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 807 struct ether_header *eh; 808 struct llc *llc; 809 810 if (m->m_len < hdrlen + sizeof(*llc) && 811 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 812 /* XXX stat, msg */ 813 return NULL; 814 } 815 memcpy(&wh, mtod(m, void *), hdrlen); 816 llc = (struct llc *)(mtod(m, char *) + hdrlen); 817 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 818 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 819 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 820 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 821 llc = NULL; 822 } else { 823 m_adj(m, hdrlen - sizeof(*eh)); 824 } 825 eh = mtod(m, struct ether_header *); 826 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 827 case IEEE80211_FC1_DIR_NODS: 828 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 829 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 830 break; 831 case IEEE80211_FC1_DIR_TODS: 832 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 833 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 834 break; 835 case IEEE80211_FC1_DIR_FROMDS: 836 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 837 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 838 break; 839 case IEEE80211_FC1_DIR_DSTODS: 840 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 841 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 842 break; 843 } 844 #ifdef ALIGNED_POINTER 845 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 846 struct mbuf *n, *n0, **np; 847 char *newdata; 848 int off, pktlen; 849 850 n0 = NULL; 851 np = &n0; 852 off = 0; 853 pktlen = m->m_pkthdr.len; 854 while (pktlen > off) { 855 if (n0 == NULL) { 856 MGETHDR(n, M_DONTWAIT, MT_DATA); 857 if (n == NULL) { 858 m_freem(m); 859 return NULL; 860 } 861 M_MOVE_PKTHDR(n, m); 862 n->m_len = MHLEN; 863 } else { 864 MGET(n, M_DONTWAIT, MT_DATA); 865 if (n == NULL) { 866 m_freem(m); 867 m_freem(n0); 868 return NULL; 869 } 870 n->m_len = MLEN; 871 } 872 if (pktlen - off >= MINCLSIZE) { 873 MCLGET(n, M_DONTWAIT); 874 if (n->m_flags & M_EXT) 875 n->m_len = n->m_ext.ext_size; 876 } 877 if (n0 == NULL) { 878 newdata = 879 (char *)ALIGN(n->m_data + sizeof(*eh)) - 880 sizeof(*eh); 881 n->m_len -= newdata - n->m_data; 882 n->m_data = newdata; 883 } 884 if (n->m_len > pktlen - off) 885 n->m_len = pktlen - off; 886 m_copydata(m, off, n->m_len, mtod(n, void *)); 887 off += n->m_len; 888 *np = n; 889 np = &n->m_next; 890 } 891 m_freem(m); 892 m = n0; 893 } 894 #endif /* ALIGNED_POINTER */ 895 if (llc != NULL) { 896 eh = mtod(m, struct ether_header *); 897 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 898 } 899 return m; 900 } 901 902 /* 903 * Install received rate set information in the node's state block. 904 */ 905 int 906 ieee80211_setup_rates(struct ieee80211_node *ni, 907 const u_int8_t *rates, const u_int8_t *xrates, int flags) 908 { 909 struct ieee80211com *ic = ni->ni_ic; 910 struct ieee80211_rateset *rs = &ni->ni_rates; 911 912 memset(rs, 0, sizeof(*rs)); 913 rs->rs_nrates = rates[1]; 914 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 915 if (xrates != NULL) { 916 u_int8_t nxrates; 917 /* 918 * Tack on 11g extended supported rate element. 919 */ 920 nxrates = xrates[1]; 921 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 922 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 923 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 924 "[%s] extended rate set too large;" 925 " only using %u of %u rates\n", 926 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 927 ic->ic_stats.is_rx_rstoobig++; 928 } 929 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 930 rs->rs_nrates += nxrates; 931 } 932 return ieee80211_fix_rate(ni, flags); 933 } 934 935 static void 936 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 937 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 938 u_int16_t seq, u_int16_t status) 939 { 940 941 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 942 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 943 ni->ni_macaddr, "open auth", 944 "bad sta auth mode %u", ni->ni_authmode); 945 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 946 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 947 /* XXX hack to workaround calling convention */ 948 ieee80211_send_error(ic, ni, wh->i_addr2, 949 IEEE80211_FC0_SUBTYPE_AUTH, 950 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 951 } 952 return; 953 } 954 switch (ic->ic_opmode) { 955 case IEEE80211_M_IBSS: 956 case IEEE80211_M_AHDEMO: 957 case IEEE80211_M_MONITOR: 958 /* should not come here */ 959 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 960 ni->ni_macaddr, "open auth", 961 "bad operating mode %u", ic->ic_opmode); 962 break; 963 964 case IEEE80211_M_HOSTAP: 965 #ifndef IEEE80211_NO_HOSTAP 966 if (ic->ic_state != IEEE80211_S_RUN || 967 seq != IEEE80211_AUTH_OPEN_REQUEST) { 968 ic->ic_stats.is_rx_bad_auth++; 969 return; 970 } 971 /* always accept open authentication requests */ 972 if (ni == ic->ic_bss) { 973 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 974 if (ni == NULL) 975 return; 976 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 977 (void) ieee80211_ref_node(ni); 978 /* 979 * Mark the node as referenced to reflect that its 980 * reference count has been bumped to insure it remains 981 * after the transaction completes. 982 */ 983 ni->ni_flags |= IEEE80211_NODE_AREF; 984 985 IEEE80211_SEND_MGMT(ic, ni, 986 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 987 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 988 "[%s] station authenticated (open)\n", 989 ether_sprintf(ni->ni_macaddr)); 990 /* 991 * When 802.1x is not in use mark the port 992 * authorized at this point so traffic can flow. 993 */ 994 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 995 ieee80211_node_authorize(ni); 996 #endif /* !IEEE80211_NO_HOSTAP */ 997 break; 998 999 case IEEE80211_M_STA: 1000 if (ic->ic_state != IEEE80211_S_AUTH || 1001 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1002 ic->ic_stats.is_rx_bad_auth++; 1003 return; 1004 } 1005 if (status != 0) { 1006 IEEE80211_DPRINTF(ic, 1007 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1008 "[%s] open auth failed (reason %d)\n", 1009 ether_sprintf(ni->ni_macaddr), status); 1010 /* XXX can this happen? */ 1011 if (ni != ic->ic_bss) 1012 ni->ni_fails++; 1013 ic->ic_stats.is_rx_auth_fail++; 1014 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1015 } else 1016 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1017 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1018 break; 1019 } 1020 } 1021 1022 /* 1023 * Send a management frame error response to the specified 1024 * station. If ni is associated with the station then use 1025 * it; otherwise allocate a temporary node suitable for 1026 * transmitting the frame and then free the reference so 1027 * it will go away as soon as the frame has been transmitted. 1028 */ 1029 static void 1030 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1031 const u_int8_t *mac, int subtype, int arg) 1032 { 1033 int istmp; 1034 1035 if (ni == ic->ic_bss) { 1036 ni = ieee80211_tmp_node(ic, mac); 1037 if (ni == NULL) { 1038 /* XXX msg */ 1039 return; 1040 } 1041 istmp = 1; 1042 } else 1043 istmp = 0; 1044 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1045 if (istmp) 1046 ieee80211_free_node(ni); 1047 } 1048 1049 static int 1050 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1051 { 1052 if (ni->ni_challenge == NULL) 1053 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1054 M_DEVBUF, M_NOWAIT); 1055 if (ni->ni_challenge == NULL) { 1056 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1057 "[%s] shared key challenge alloc failed\n", 1058 ether_sprintf(ni->ni_macaddr)); 1059 /* XXX statistic */ 1060 } 1061 return (ni->ni_challenge != NULL); 1062 } 1063 1064 /* XXX TODO: add statistics */ 1065 static void 1066 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1067 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1068 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1069 { 1070 u_int8_t *challenge; 1071 int estatus; 1072 1073 /* 1074 * NB: this can happen as we allow pre-shared key 1075 * authentication to be enabled w/o wep being turned 1076 * on so that configuration of these can be done 1077 * in any order. It may be better to enforce the 1078 * ordering in which case this check would just be 1079 * for sanity/consistency. 1080 */ 1081 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1082 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1083 ni->ni_macaddr, "shared key auth", 1084 "%s", " PRIVACY is disabled"); 1085 estatus = IEEE80211_STATUS_ALG; 1086 goto bad; 1087 } 1088 /* 1089 * Pre-shared key authentication is evil; accept 1090 * it only if explicitly configured (it is supported 1091 * mainly for compatibility with clients like OS X). 1092 */ 1093 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1094 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1095 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1096 ni->ni_macaddr, "shared key auth", 1097 "bad sta auth mode %u", ni->ni_authmode); 1098 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1099 estatus = IEEE80211_STATUS_ALG; 1100 goto bad; 1101 } 1102 1103 challenge = NULL; 1104 if (frm + 1 < efrm) { 1105 if ((frm[1] + 2) > (efrm - frm)) { 1106 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1107 ni->ni_macaddr, "shared key auth", 1108 "ie %d/%d too long", 1109 frm[0], (frm[1] + 2) - (efrm - frm)); 1110 ic->ic_stats.is_rx_bad_auth++; 1111 estatus = IEEE80211_STATUS_CHALLENGE; 1112 goto bad; 1113 } 1114 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1115 challenge = frm; 1116 frm += frm[1] + 2; 1117 } 1118 switch (seq) { 1119 case IEEE80211_AUTH_SHARED_CHALLENGE: 1120 case IEEE80211_AUTH_SHARED_RESPONSE: 1121 if (challenge == NULL) { 1122 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1123 ni->ni_macaddr, "shared key auth", 1124 "%s", "no challenge"); 1125 ic->ic_stats.is_rx_bad_auth++; 1126 estatus = IEEE80211_STATUS_CHALLENGE; 1127 goto bad; 1128 } 1129 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1130 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1131 ni->ni_macaddr, "shared key auth", 1132 "bad challenge len %d", challenge[1]); 1133 ic->ic_stats.is_rx_bad_auth++; 1134 estatus = IEEE80211_STATUS_CHALLENGE; 1135 goto bad; 1136 } 1137 default: 1138 break; 1139 } 1140 switch (ic->ic_opmode) { 1141 case IEEE80211_M_MONITOR: 1142 case IEEE80211_M_AHDEMO: 1143 case IEEE80211_M_IBSS: 1144 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1145 ni->ni_macaddr, "shared key auth", 1146 "bad operating mode %u", ic->ic_opmode); 1147 return; 1148 case IEEE80211_M_HOSTAP: 1149 #ifndef IEEE80211_NO_HOSTAP 1150 { 1151 int allocbs; 1152 if (ic->ic_state != IEEE80211_S_RUN) { 1153 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1154 ni->ni_macaddr, "shared key auth", 1155 "bad state %u", ic->ic_state); 1156 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1157 goto bad; 1158 } 1159 switch (seq) { 1160 case IEEE80211_AUTH_SHARED_REQUEST: 1161 if (ni == ic->ic_bss) { 1162 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1163 if (ni == NULL) { 1164 /* NB: no way to return an error */ 1165 return; 1166 } 1167 allocbs = 1; 1168 } else { 1169 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1170 (void) ieee80211_ref_node(ni); 1171 allocbs = 0; 1172 } 1173 /* 1174 * Mark the node as referenced to reflect that its 1175 * reference count has been bumped to insure it remains 1176 * after the transaction completes. 1177 */ 1178 ni->ni_flags |= IEEE80211_NODE_AREF; 1179 ni->ni_rssi = rssi; 1180 ni->ni_rstamp = rstamp; 1181 if (!alloc_challenge(ic, ni)) { 1182 /* NB: don't return error so they rexmit */ 1183 return; 1184 } 1185 get_random_bytes(ni->ni_challenge, 1186 IEEE80211_CHALLENGE_LEN); 1187 IEEE80211_DPRINTF(ic, 1188 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1189 "[%s] shared key %sauth request\n", 1190 ether_sprintf(ni->ni_macaddr), 1191 allocbs ? "" : "re"); 1192 break; 1193 case IEEE80211_AUTH_SHARED_RESPONSE: 1194 if (ni == ic->ic_bss) { 1195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1196 ni->ni_macaddr, "shared key response", 1197 "%s", "unknown station"); 1198 /* NB: don't send a response */ 1199 return; 1200 } 1201 if (ni->ni_challenge == NULL) { 1202 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1203 ni->ni_macaddr, "shared key response", 1204 "%s", "no challenge recorded"); 1205 ic->ic_stats.is_rx_bad_auth++; 1206 estatus = IEEE80211_STATUS_CHALLENGE; 1207 goto bad; 1208 } 1209 if (memcmp(ni->ni_challenge, &challenge[2], 1210 challenge[1]) != 0) { 1211 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1212 ni->ni_macaddr, "shared key response", 1213 "%s", "challenge mismatch"); 1214 ic->ic_stats.is_rx_auth_fail++; 1215 estatus = IEEE80211_STATUS_CHALLENGE; 1216 goto bad; 1217 } 1218 IEEE80211_DPRINTF(ic, 1219 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1220 "[%s] station authenticated (shared key)\n", 1221 ether_sprintf(ni->ni_macaddr)); 1222 ieee80211_node_authorize(ni); 1223 break; 1224 default: 1225 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1226 ni->ni_macaddr, "shared key auth", 1227 "bad seq %d", seq); 1228 ic->ic_stats.is_rx_bad_auth++; 1229 estatus = IEEE80211_STATUS_SEQUENCE; 1230 goto bad; 1231 } 1232 IEEE80211_SEND_MGMT(ic, ni, 1233 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1234 } 1235 #endif /* !IEEE80211_NO_HOSTAP */ 1236 break; 1237 1238 case IEEE80211_M_STA: 1239 if (ic->ic_state != IEEE80211_S_AUTH) 1240 return; 1241 switch (seq) { 1242 case IEEE80211_AUTH_SHARED_PASS: 1243 if (ni->ni_challenge != NULL) { 1244 free(ni->ni_challenge, M_DEVBUF); 1245 ni->ni_challenge = NULL; 1246 } 1247 if (status != 0) { 1248 IEEE80211_DPRINTF(ic, 1249 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1250 "[%s] shared key auth failed (reason %d)\n", 1251 ether_sprintf(ieee80211_getbssid(ic, wh)), 1252 status); 1253 /* XXX can this happen? */ 1254 if (ni != ic->ic_bss) 1255 ni->ni_fails++; 1256 ic->ic_stats.is_rx_auth_fail++; 1257 return; 1258 } 1259 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1260 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1261 break; 1262 case IEEE80211_AUTH_SHARED_CHALLENGE: 1263 if (!alloc_challenge(ic, ni)) 1264 return; 1265 /* XXX could optimize by passing recvd challenge */ 1266 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1267 IEEE80211_SEND_MGMT(ic, ni, 1268 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1269 break; 1270 default: 1271 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1272 wh, "shared key auth", "bad seq %d", seq); 1273 ic->ic_stats.is_rx_bad_auth++; 1274 return; 1275 } 1276 break; 1277 } 1278 return; 1279 bad: 1280 #ifndef IEEE80211_NO_HOSTAP 1281 /* 1282 * Send an error response; but only when operating as an AP. 1283 */ 1284 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1285 /* XXX hack to workaround calling convention */ 1286 ieee80211_send_error(ic, ni, wh->i_addr2, 1287 IEEE80211_FC0_SUBTYPE_AUTH, 1288 (seq + 1) | (estatus<<16)); 1289 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1290 /* 1291 * Kick the state machine. This short-circuits 1292 * using the mgt frame timeout to trigger the 1293 * state transition. 1294 */ 1295 if (ic->ic_state == IEEE80211_S_AUTH) 1296 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1297 } 1298 #else 1299 ; 1300 #endif /* !IEEE80211_NO_HOSTAP */ 1301 } 1302 1303 /* Verify the existence and length of __elem or get out. */ 1304 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1305 if ((__elem) == NULL) { \ 1306 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1307 wh, ieee80211_mgt_subtype_name[subtype >> \ 1308 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1309 "%s", "no " #__elem ); \ 1310 ic->ic_stats.is_rx_elem_missing++; \ 1311 return; \ 1312 } \ 1313 if ((__elem)[1] > (__maxlen)) { \ 1314 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1315 wh, ieee80211_mgt_subtype_name[subtype >> \ 1316 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1317 "bad " #__elem " len %d", (__elem)[1]); \ 1318 ic->ic_stats.is_rx_elem_toobig++; \ 1319 return; \ 1320 } \ 1321 } while (0) 1322 1323 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1324 if ((_len) < (_minlen)) { \ 1325 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1326 wh, ieee80211_mgt_subtype_name[subtype >> \ 1327 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1328 "%s", "ie too short"); \ 1329 ic->ic_stats.is_rx_elem_toosmall++; \ 1330 return; \ 1331 } \ 1332 } while (0) 1333 1334 #ifdef IEEE80211_DEBUG 1335 static void 1336 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1337 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1338 { 1339 printf("[%s] discard %s frame, ssid mismatch: ", 1340 ether_sprintf(mac), tag); 1341 ieee80211_print_essid(ssid + 2, ssid[1]); 1342 printf("\n"); 1343 } 1344 1345 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1346 if ((_ssid)[1] != 0 && \ 1347 ((_ssid)[1] != (_ni)->ni_esslen || \ 1348 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1349 if (ieee80211_msg_input(ic)) \ 1350 ieee80211_ssid_mismatch(ic, \ 1351 ieee80211_mgt_subtype_name[subtype >> \ 1352 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1353 wh->i_addr2, _ssid); \ 1354 ic->ic_stats.is_rx_ssidmismatch++; \ 1355 return; \ 1356 } \ 1357 } while (0) 1358 #else /* !IEEE80211_DEBUG */ 1359 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1360 if ((_ssid)[1] != 0 && \ 1361 ((_ssid)[1] != (_ni)->ni_esslen || \ 1362 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1363 ic->ic_stats.is_rx_ssidmismatch++; \ 1364 return; \ 1365 } \ 1366 } while (0) 1367 #endif /* !IEEE80211_DEBUG */ 1368 1369 /* unaligned little endian access */ 1370 #define LE_READ_2(p) \ 1371 ((u_int16_t) \ 1372 ((((const u_int8_t *)(p))[0] ) | \ 1373 (((const u_int8_t *)(p))[1] << 8))) 1374 #define LE_READ_4(p) \ 1375 ((u_int32_t) \ 1376 ((((const u_int8_t *)(p))[0] ) | \ 1377 (((const u_int8_t *)(p))[1] << 8) | \ 1378 (((const u_int8_t *)(p))[2] << 16) | \ 1379 (((const u_int8_t *)(p))[3] << 24))) 1380 1381 static __inline int 1382 iswpaoui(const u_int8_t *frm) 1383 { 1384 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1385 } 1386 1387 static __inline int 1388 iswmeoui(const u_int8_t *frm) 1389 { 1390 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1391 } 1392 1393 static __inline int 1394 iswmeparam(const u_int8_t *frm) 1395 { 1396 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1397 frm[6] == WME_PARAM_OUI_SUBTYPE; 1398 } 1399 1400 static __inline int 1401 iswmeinfo(const u_int8_t *frm) 1402 { 1403 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1404 frm[6] == WME_INFO_OUI_SUBTYPE; 1405 } 1406 1407 /* 1408 * Convert a WPA cipher selector OUI to an internal 1409 * cipher algorithm. Where appropriate we also 1410 * record any key length. 1411 */ 1412 static int 1413 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1414 { 1415 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1416 u_int32_t w = LE_READ_4(sel); 1417 1418 switch (w) { 1419 case WPA_SEL(WPA_CSE_NULL): 1420 return IEEE80211_CIPHER_NONE; 1421 case WPA_SEL(WPA_CSE_WEP40): 1422 if (keylen) 1423 *keylen = 40 / NBBY; 1424 return IEEE80211_CIPHER_WEP; 1425 case WPA_SEL(WPA_CSE_WEP104): 1426 if (keylen) 1427 *keylen = 104 / NBBY; 1428 return IEEE80211_CIPHER_WEP; 1429 case WPA_SEL(WPA_CSE_TKIP): 1430 return IEEE80211_CIPHER_TKIP; 1431 case WPA_SEL(WPA_CSE_CCMP): 1432 return IEEE80211_CIPHER_AES_CCM; 1433 } 1434 return 32; /* NB: so 1<< is discarded */ 1435 #undef WPA_SEL 1436 } 1437 1438 /* 1439 * Convert a WPA key management/authentication algorithm 1440 * to an internal code. 1441 */ 1442 static int 1443 wpa_keymgmt(u_int8_t *sel) 1444 { 1445 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1446 u_int32_t w = LE_READ_4(sel); 1447 1448 switch (w) { 1449 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1450 return WPA_ASE_8021X_UNSPEC; 1451 case WPA_SEL(WPA_ASE_8021X_PSK): 1452 return WPA_ASE_8021X_PSK; 1453 case WPA_SEL(WPA_ASE_NONE): 1454 return WPA_ASE_NONE; 1455 } 1456 return 0; /* NB: so is discarded */ 1457 #undef WPA_SEL 1458 } 1459 1460 /* 1461 * Parse a WPA information element to collect parameters 1462 * and validate the parameters against what has been 1463 * configured for the system. 1464 */ 1465 static int 1466 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1467 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1468 { 1469 u_int8_t len = frm[1]; 1470 u_int32_t w; 1471 int n; 1472 1473 /* 1474 * Check the length once for fixed parts: OUI, type, 1475 * version, mcast cipher, and 2 selector counts. 1476 * Other, variable-length data, must be checked separately. 1477 */ 1478 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1479 IEEE80211_DISCARD_IE(ic, 1480 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1481 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1482 return IEEE80211_REASON_IE_INVALID; 1483 } 1484 if (len < 14) { 1485 IEEE80211_DISCARD_IE(ic, 1486 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1487 wh, "WPA", "too short, len %u", len); 1488 return IEEE80211_REASON_IE_INVALID; 1489 } 1490 frm += 6, len -= 4; /* NB: len is payload only */ 1491 /* NB: iswapoui already validated the OUI and type */ 1492 w = LE_READ_2(frm); 1493 if (w != WPA_VERSION) { 1494 IEEE80211_DISCARD_IE(ic, 1495 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1496 wh, "WPA", "bad version %u", w); 1497 return IEEE80211_REASON_IE_INVALID; 1498 } 1499 frm += 2, len -= 2; 1500 1501 /* multicast/group cipher */ 1502 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1503 if (w != rsn->rsn_mcastcipher) { 1504 IEEE80211_DISCARD_IE(ic, 1505 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1506 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1507 w, rsn->rsn_mcastcipher); 1508 return IEEE80211_REASON_IE_INVALID; 1509 } 1510 frm += 4, len -= 4; 1511 1512 /* unicast ciphers */ 1513 n = LE_READ_2(frm); 1514 frm += 2, len -= 2; 1515 if (len < n*4+2) { 1516 IEEE80211_DISCARD_IE(ic, 1517 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1518 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1519 len, n); 1520 return IEEE80211_REASON_IE_INVALID; 1521 } 1522 w = 0; 1523 for (; n > 0; n--) { 1524 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1525 frm += 4, len -= 4; 1526 } 1527 w &= rsn->rsn_ucastcipherset; 1528 if (w == 0) { 1529 IEEE80211_DISCARD_IE(ic, 1530 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1531 wh, "WPA", "%s", "ucast cipher set empty"); 1532 return IEEE80211_REASON_IE_INVALID; 1533 } 1534 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1535 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1536 else 1537 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1538 1539 /* key management algorithms */ 1540 n = LE_READ_2(frm); 1541 frm += 2, len -= 2; 1542 if (len < n*4) { 1543 IEEE80211_DISCARD_IE(ic, 1544 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1545 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1546 len, n); 1547 return IEEE80211_REASON_IE_INVALID; 1548 } 1549 w = 0; 1550 for (; n > 0; n--) { 1551 w |= wpa_keymgmt(frm); 1552 frm += 4, len -= 4; 1553 } 1554 w &= rsn->rsn_keymgmtset; 1555 if (w == 0) { 1556 IEEE80211_DISCARD_IE(ic, 1557 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1558 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1559 return IEEE80211_REASON_IE_INVALID; 1560 } 1561 if (w & WPA_ASE_8021X_UNSPEC) 1562 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1563 else 1564 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1565 1566 if (len > 2) /* optional capabilities */ 1567 rsn->rsn_caps = LE_READ_2(frm); 1568 1569 return 0; 1570 } 1571 1572 /* 1573 * Convert an RSN cipher selector OUI to an internal 1574 * cipher algorithm. Where appropriate we also 1575 * record any key length. 1576 */ 1577 static int 1578 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1579 { 1580 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1581 u_int32_t w = LE_READ_4(sel); 1582 1583 switch (w) { 1584 case RSN_SEL(RSN_CSE_NULL): 1585 return IEEE80211_CIPHER_NONE; 1586 case RSN_SEL(RSN_CSE_WEP40): 1587 if (keylen) 1588 *keylen = 40 / NBBY; 1589 return IEEE80211_CIPHER_WEP; 1590 case RSN_SEL(RSN_CSE_WEP104): 1591 if (keylen) 1592 *keylen = 104 / NBBY; 1593 return IEEE80211_CIPHER_WEP; 1594 case RSN_SEL(RSN_CSE_TKIP): 1595 return IEEE80211_CIPHER_TKIP; 1596 case RSN_SEL(RSN_CSE_CCMP): 1597 return IEEE80211_CIPHER_AES_CCM; 1598 case RSN_SEL(RSN_CSE_WRAP): 1599 return IEEE80211_CIPHER_AES_OCB; 1600 } 1601 return 32; /* NB: so 1<< is discarded */ 1602 #undef WPA_SEL 1603 } 1604 1605 /* 1606 * Convert an RSN key management/authentication algorithm 1607 * to an internal code. 1608 */ 1609 static int 1610 rsn_keymgmt(u_int8_t *sel) 1611 { 1612 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1613 u_int32_t w = LE_READ_4(sel); 1614 1615 switch (w) { 1616 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1617 return RSN_ASE_8021X_UNSPEC; 1618 case RSN_SEL(RSN_ASE_8021X_PSK): 1619 return RSN_ASE_8021X_PSK; 1620 case RSN_SEL(RSN_ASE_NONE): 1621 return RSN_ASE_NONE; 1622 } 1623 return 0; /* NB: so is discarded */ 1624 #undef RSN_SEL 1625 } 1626 1627 /* 1628 * Parse a WPA/RSN information element to collect parameters 1629 * and validate the parameters against what has been 1630 * configured for the system. 1631 */ 1632 static int 1633 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1634 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1635 { 1636 u_int8_t len = frm[1]; 1637 u_int32_t w; 1638 int n; 1639 1640 /* 1641 * Check the length once for fixed parts: 1642 * version, mcast cipher, and 2 selector counts. 1643 * Other, variable-length data, must be checked separately. 1644 */ 1645 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1646 IEEE80211_DISCARD_IE(ic, 1647 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1648 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1649 return IEEE80211_REASON_IE_INVALID; 1650 } 1651 if (len < 10) { 1652 IEEE80211_DISCARD_IE(ic, 1653 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1654 wh, "RSN", "too short, len %u", len); 1655 return IEEE80211_REASON_IE_INVALID; 1656 } 1657 frm += 2; 1658 w = LE_READ_2(frm); 1659 if (w != RSN_VERSION) { 1660 IEEE80211_DISCARD_IE(ic, 1661 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1662 wh, "RSN", "bad version %u", w); 1663 return IEEE80211_REASON_IE_INVALID; 1664 } 1665 frm += 2, len -= 2; 1666 1667 /* multicast/group cipher */ 1668 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1669 if (w != rsn->rsn_mcastcipher) { 1670 IEEE80211_DISCARD_IE(ic, 1671 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1672 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1673 w, rsn->rsn_mcastcipher); 1674 return IEEE80211_REASON_IE_INVALID; 1675 } 1676 frm += 4, len -= 4; 1677 1678 /* unicast ciphers */ 1679 n = LE_READ_2(frm); 1680 frm += 2, len -= 2; 1681 if (len < n*4+2) { 1682 IEEE80211_DISCARD_IE(ic, 1683 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1684 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1685 len, n); 1686 return IEEE80211_REASON_IE_INVALID; 1687 } 1688 w = 0; 1689 for (; n > 0; n--) { 1690 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1691 frm += 4, len -= 4; 1692 } 1693 w &= rsn->rsn_ucastcipherset; 1694 if (w == 0) { 1695 IEEE80211_DISCARD_IE(ic, 1696 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1697 wh, "RSN", "%s", "ucast cipher set empty"); 1698 return IEEE80211_REASON_IE_INVALID; 1699 } 1700 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1701 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1702 else 1703 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1704 1705 /* key management algorithms */ 1706 n = LE_READ_2(frm); 1707 frm += 2, len -= 2; 1708 if (len < n*4) { 1709 IEEE80211_DISCARD_IE(ic, 1710 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1711 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1712 len, n); 1713 return IEEE80211_REASON_IE_INVALID; 1714 } 1715 w = 0; 1716 for (; n > 0; n--) { 1717 w |= rsn_keymgmt(frm); 1718 frm += 4, len -= 4; 1719 } 1720 w &= rsn->rsn_keymgmtset; 1721 if (w == 0) { 1722 IEEE80211_DISCARD_IE(ic, 1723 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1724 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1725 return IEEE80211_REASON_IE_INVALID; 1726 } 1727 if (w & RSN_ASE_8021X_UNSPEC) 1728 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1729 else 1730 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1731 1732 /* optional RSN capabilities */ 1733 if (len > 2) 1734 rsn->rsn_caps = LE_READ_2(frm); 1735 /* XXXPMKID */ 1736 1737 return 0; 1738 } 1739 1740 static int 1741 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1742 const struct ieee80211_frame *wh) 1743 { 1744 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1745 struct ieee80211_wme_state *wme = &ic->ic_wme; 1746 u_int len = frm[1], qosinfo; 1747 int i; 1748 1749 if (len < sizeof(struct ieee80211_wme_param)-2) { 1750 IEEE80211_DISCARD_IE(ic, 1751 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1752 wh, "WME", "too short, len %u", len); 1753 return -1; 1754 } 1755 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1756 qosinfo &= WME_QOSINFO_COUNT; 1757 /* XXX do proper check for wraparound */ 1758 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1759 return 0; 1760 frm += offsetof(struct ieee80211_wme_param, params_acParams); 1761 for (i = 0; i < WME_NUM_AC; i++) { 1762 struct wmeParams *wmep = 1763 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1764 /* NB: ACI not used */ 1765 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1766 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1767 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1768 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1769 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1770 frm += 4; 1771 } 1772 wme->wme_wmeChanParams.cap_info = qosinfo; 1773 return 1; 1774 #undef MS 1775 } 1776 1777 void 1778 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1779 { 1780 u_int ielen = ie[1]+2; 1781 /* 1782 * Record information element for later use. 1783 */ 1784 if (*iep == NULL || (*iep)[1] != ie[1]) { 1785 if (*iep != NULL) 1786 free(*iep, M_DEVBUF); 1787 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1788 } 1789 if (*iep != NULL) 1790 memcpy(*iep, ie, ielen); 1791 /* XXX note failure */ 1792 } 1793 1794 static void 1795 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1796 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1797 u_int32_t rstamp) 1798 { 1799 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1800 /* 1801 * Create a new entry in the neighbor table. 1802 * Records the TSF. 1803 */ 1804 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1805 return; 1806 } else if (ni->ni_capinfo == 0) { 1807 /* 1808 * Initialize a node that was "faked up." Records 1809 * the TSF. 1810 * 1811 * No need to check for a change of BSSID: ni could 1812 * not have been the IBSS (ic_bss) 1813 */ 1814 ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1815 } else { 1816 /* Record TSF for potential resync. */ 1817 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp)); 1818 } 1819 1820 ni->ni_rssi = rssi; 1821 ni->ni_rstamp = rstamp; 1822 1823 /* Mark a neighbor's change of BSSID. */ 1824 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 1825 return; 1826 1827 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1828 1829 if (ni != ic->ic_bss) 1830 return; 1831 else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 1832 /* 1833 * Now, ni does not represent a network we 1834 * want to belong to, so start a scan. 1835 */ 1836 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1837 return; 1838 } else { 1839 /* 1840 * A RUN->RUN transition lets the driver 1841 * reprogram its BSSID filter. 1842 * 1843 * No need to SCAN, we already belong to 1844 * an IBSS that meets our criteria: channel, 1845 * SSID, etc. It could be harmful to scan, 1846 * too: if a scan does not detect nodes 1847 * belonging to my current IBSS, then we 1848 * will create a new IBSS at the end of 1849 * the scan, needlessly splitting the 1850 * network. 1851 */ 1852 ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 1853 } 1854 } 1855 1856 void 1857 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1858 struct ieee80211_node *ni, 1859 int subtype, int rssi, u_int32_t rstamp) 1860 { 1861 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1862 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1863 struct ieee80211_frame *wh; 1864 u_int8_t *frm, *efrm; 1865 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1866 int reassoc, resp, allocbs; 1867 u_int8_t rate; 1868 1869 wh = mtod(m0, struct ieee80211_frame *); 1870 frm = (u_int8_t *)&wh[1]; 1871 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1872 switch (subtype) { 1873 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1874 case IEEE80211_FC0_SUBTYPE_BEACON: { 1875 struct ieee80211_scanparams scan; 1876 1877 /* 1878 * We process beacon/probe response frames: 1879 * o when scanning, or 1880 * o station mode when associated (to collect state 1881 * updates such as 802.11g slot time), or 1882 * o adhoc mode (to discover neighbors) 1883 * Frames otherwise received are discarded. 1884 */ 1885 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1886 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1887 ic->ic_opmode == IEEE80211_M_IBSS)) { 1888 ic->ic_stats.is_rx_mgtdiscard++; 1889 return; 1890 } 1891 /* 1892 * beacon/probe response frame format 1893 * [8] time stamp 1894 * [2] beacon interval 1895 * [2] capability information 1896 * [tlv] ssid 1897 * [tlv] supported rates 1898 * [tlv] country information 1899 * [tlv] parameter set (FH/DS) 1900 * [tlv] erp information 1901 * [tlv] extended supported rates 1902 * [tlv] WME 1903 * [tlv] WPA or RSN 1904 */ 1905 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1906 memset(&scan, 0, sizeof(scan)); 1907 scan.tstamp = frm; frm += 8; 1908 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1909 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1910 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1911 scan.chan = scan.bchan; 1912 1913 while (frm < efrm) { 1914 switch (*frm) { 1915 case IEEE80211_ELEMID_SSID: 1916 scan.ssid = frm; 1917 break; 1918 case IEEE80211_ELEMID_RATES: 1919 scan.rates = frm; 1920 break; 1921 case IEEE80211_ELEMID_COUNTRY: 1922 scan.country = frm; 1923 break; 1924 case IEEE80211_ELEMID_FHPARMS: 1925 if (ic->ic_phytype == IEEE80211_T_FH) { 1926 scan.fhdwell = LE_READ_2(&frm[2]); 1927 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1928 scan.fhindex = frm[6]; 1929 } 1930 break; 1931 case IEEE80211_ELEMID_DSPARMS: 1932 /* 1933 * XXX hack this since depending on phytype 1934 * is problematic for multi-mode devices. 1935 */ 1936 if (ic->ic_phytype != IEEE80211_T_FH) 1937 scan.chan = frm[2]; 1938 break; 1939 case IEEE80211_ELEMID_TIM: 1940 /* XXX ATIM? */ 1941 scan.tim = frm; 1942 scan.timoff = frm - mtod(m0, u_int8_t *); 1943 break; 1944 case IEEE80211_ELEMID_IBSSPARMS: 1945 break; 1946 case IEEE80211_ELEMID_XRATES: 1947 scan.xrates = frm; 1948 break; 1949 case IEEE80211_ELEMID_ERP: 1950 if (frm[1] != 1) { 1951 IEEE80211_DISCARD_IE(ic, 1952 IEEE80211_MSG_ELEMID, wh, "ERP", 1953 "bad len %u", frm[1]); 1954 ic->ic_stats.is_rx_elem_toobig++; 1955 break; 1956 } 1957 scan.erp = frm[2]; 1958 break; 1959 case IEEE80211_ELEMID_RSN: 1960 scan.wpa = frm; 1961 break; 1962 case IEEE80211_ELEMID_VENDOR: 1963 if (iswpaoui(frm)) 1964 scan.wpa = frm; 1965 else if (iswmeparam(frm) || iswmeinfo(frm)) 1966 scan.wme = frm; 1967 /* XXX Atheros OUI support */ 1968 break; 1969 default: 1970 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1971 wh, "unhandled", 1972 "id %u, len %u", *frm, frm[1]); 1973 ic->ic_stats.is_rx_elem_unknown++; 1974 break; 1975 } 1976 frm += frm[1] + 2; 1977 } 1978 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1979 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1980 if ( 1981 #if IEEE80211_CHAN_MAX < 255 1982 scan.chan > IEEE80211_CHAN_MAX || 1983 #endif 1984 isclr(ic->ic_chan_active, scan.chan)) { 1985 IEEE80211_DISCARD(ic, 1986 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1987 wh, ieee80211_mgt_subtype_name[subtype >> 1988 IEEE80211_FC0_SUBTYPE_SHIFT], 1989 "invalid channel %u", scan.chan); 1990 ic->ic_stats.is_rx_badchan++; 1991 return; 1992 } 1993 if (scan.chan != scan.bchan && 1994 ic->ic_phytype != IEEE80211_T_FH) { 1995 /* 1996 * Frame was received on a channel different from the 1997 * one indicated in the DS params element id; 1998 * silently discard it. 1999 * 2000 * NB: this can happen due to signal leakage. 2001 * But we should take it for FH phy because 2002 * the rssi value should be correct even for 2003 * different hop pattern in FH. 2004 */ 2005 IEEE80211_DISCARD(ic, 2006 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2007 wh, ieee80211_mgt_subtype_name[subtype >> 2008 IEEE80211_FC0_SUBTYPE_SHIFT], 2009 "for off-channel %u", scan.chan); 2010 ic->ic_stats.is_rx_chanmismatch++; 2011 return; 2012 } 2013 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 2014 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 2015 IEEE80211_DISCARD(ic, 2016 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2017 wh, ieee80211_mgt_subtype_name[subtype >> 2018 IEEE80211_FC0_SUBTYPE_SHIFT], 2019 "bogus beacon interval", scan.bintval); 2020 ic->ic_stats.is_rx_badbintval++; 2021 return; 2022 } 2023 2024 if (ni != ic->ic_bss) { 2025 ni = ieee80211_refine_node_for_beacon(ic, ni, 2026 &ic->ic_channels[scan.chan], scan.ssid); 2027 } 2028 /* 2029 * Count frame now that we know it's to be processed. 2030 */ 2031 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2032 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2033 IEEE80211_NODE_STAT(ni, rx_beacons); 2034 } else 2035 IEEE80211_NODE_STAT(ni, rx_proberesp); 2036 2037 /* 2038 * When operating in station mode, check for state updates. 2039 * Be careful to ignore beacons received while doing a 2040 * background scan. We consider only 11g/WMM stuff right now. 2041 */ 2042 if (ic->ic_opmode == IEEE80211_M_STA && 2043 ni->ni_associd != 0 && 2044 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2045 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2046 /* record tsf of last beacon */ 2047 memcpy(ni->ni_tstamp.data, scan.tstamp, 2048 sizeof(ni->ni_tstamp)); 2049 if (ni->ni_erp != scan.erp) { 2050 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2051 "[%s] erp change: was 0x%x, now 0x%x\n", 2052 ether_sprintf(wh->i_addr2), 2053 ni->ni_erp, scan.erp); 2054 if (ic->ic_curmode == IEEE80211_MODE_11G && 2055 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2056 ic->ic_flags |= IEEE80211_F_USEPROT; 2057 else 2058 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2059 ni->ni_erp = scan.erp; 2060 /* XXX statistic */ 2061 } 2062 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2063 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2064 "[%s] capabilities change: before 0x%x," 2065 " now 0x%x\n", 2066 ether_sprintf(wh->i_addr2), 2067 ni->ni_capinfo, scan.capinfo); 2068 /* 2069 * NB: we assume short preamble doesn't 2070 * change dynamically 2071 */ 2072 ieee80211_set_shortslottime(ic, 2073 ic->ic_curmode == IEEE80211_MODE_11A || 2074 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2075 ni->ni_capinfo = scan.capinfo; 2076 /* XXX statistic */ 2077 } 2078 if (scan.wme != NULL && 2079 (ni->ni_flags & IEEE80211_NODE_QOS) && 2080 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2081 ieee80211_wme_updateparams(ic); 2082 if (scan.tim != NULL) { 2083 struct ieee80211_tim_ie *ie = 2084 (struct ieee80211_tim_ie *) scan.tim; 2085 2086 ni->ni_dtim_count = ie->tim_count; 2087 ni->ni_dtim_period = ie->tim_period; 2088 } 2089 if (ic->ic_flags & IEEE80211_F_SCAN) 2090 ieee80211_add_scan(ic, &scan, wh, 2091 subtype, rssi, rstamp); 2092 ic->ic_bmiss_count = 0; 2093 return; 2094 } 2095 /* 2096 * If scanning, just pass information to the scan module. 2097 */ 2098 if (ic->ic_flags & IEEE80211_F_SCAN) { 2099 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2100 /* 2101 * Actively scanning a channel marked passive; 2102 * send a probe request now that we know there 2103 * is 802.11 traffic present. 2104 * 2105 * XXX check if the beacon we recv'd gives 2106 * us what we need and suppress the probe req 2107 */ 2108 ieee80211_probe_curchan(ic, 1); 2109 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2110 } 2111 ieee80211_add_scan(ic, &scan, wh, 2112 subtype, rssi, rstamp); 2113 return; 2114 } 2115 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) 2116 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, 2117 rstamp); 2118 break; 2119 } 2120 2121 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2122 if (ic->ic_opmode == IEEE80211_M_STA || 2123 ic->ic_state != IEEE80211_S_RUN) { 2124 ic->ic_stats.is_rx_mgtdiscard++; 2125 return; 2126 } 2127 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2128 /* frame must be directed */ 2129 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2130 return; 2131 } 2132 2133 /* 2134 * prreq frame format 2135 * [tlv] ssid 2136 * [tlv] supported rates 2137 * [tlv] extended supported rates 2138 */ 2139 ssid = rates = xrates = NULL; 2140 while (frm < efrm) { 2141 switch (*frm) { 2142 case IEEE80211_ELEMID_SSID: 2143 ssid = frm; 2144 break; 2145 case IEEE80211_ELEMID_RATES: 2146 rates = frm; 2147 break; 2148 case IEEE80211_ELEMID_XRATES: 2149 xrates = frm; 2150 break; 2151 } 2152 frm += frm[1] + 2; 2153 } 2154 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2155 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2156 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2157 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2158 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2159 wh, ieee80211_mgt_subtype_name[subtype >> 2160 IEEE80211_FC0_SUBTYPE_SHIFT], 2161 "%s", "no ssid with ssid suppression enabled"); 2162 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2163 return; 2164 } 2165 2166 if (ni == ic->ic_bss) { 2167 if (ic->ic_opmode != IEEE80211_M_IBSS) 2168 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2169 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) 2170 ; 2171 else { 2172 /* 2173 * XXX Cannot tell if the sender is operating 2174 * in ibss mode. But we need a new node to 2175 * send the response so blindly add them to the 2176 * neighbor table. 2177 */ 2178 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2179 wh->i_addr2); 2180 } 2181 if (ni == NULL) 2182 return; 2183 allocbs = 1; 2184 } else 2185 allocbs = 0; 2186 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2187 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2188 ni->ni_rssi = rssi; 2189 ni->ni_rstamp = rstamp; 2190 rate = ieee80211_setup_rates(ni, rates, xrates, 2191 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE 2192 | IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2193 if (rate & IEEE80211_RATE_BASIC) { 2194 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2195 wh, ieee80211_mgt_subtype_name[subtype >> 2196 IEEE80211_FC0_SUBTYPE_SHIFT], 2197 "%s", "recv'd rate set invalid"); 2198 } else { 2199 IEEE80211_SEND_MGMT(ic, ni, 2200 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2201 } 2202 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2203 /* reclaim immediately */ 2204 ieee80211_free_node(ni); 2205 } 2206 break; 2207 2208 case IEEE80211_FC0_SUBTYPE_AUTH: { 2209 u_int16_t algo, seq, status; 2210 /* 2211 * auth frame format 2212 * [2] algorithm 2213 * [2] sequence 2214 * [2] status 2215 * [tlv*] challenge 2216 */ 2217 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2218 algo = le16toh(*(u_int16_t *)frm); 2219 seq = le16toh(*(u_int16_t *)(frm + 2)); 2220 status = le16toh(*(u_int16_t *)(frm + 4)); 2221 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2222 "[%s] recv auth frame with algorithm %d seq %d\n", 2223 ether_sprintf(wh->i_addr2), algo, seq); 2224 /* 2225 * Consult the ACL policy module if setup. 2226 */ 2227 if (ic->ic_acl != NULL && 2228 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2229 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2230 wh, "auth", "%s", "disallowed by ACL"); 2231 ic->ic_stats.is_rx_acl++; 2232 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2233 IEEE80211_SEND_MGMT(ic, ni, 2234 IEEE80211_FC0_SUBTYPE_AUTH, 2235 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2236 } 2237 return; 2238 } 2239 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2240 IEEE80211_DISCARD(ic, 2241 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2242 wh, "auth", "%s", "TKIP countermeasures enabled"); 2243 ic->ic_stats.is_rx_auth_countermeasures++; 2244 #ifndef IEEE80211_NO_HOSTAP 2245 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2246 IEEE80211_SEND_MGMT(ic, ni, 2247 IEEE80211_FC0_SUBTYPE_AUTH, 2248 IEEE80211_REASON_MIC_FAILURE); 2249 } 2250 #endif /* !IEEE80211_NO_HOSTAP */ 2251 return; 2252 } 2253 if (algo == IEEE80211_AUTH_ALG_SHARED) 2254 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2255 rstamp, seq, status); 2256 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2257 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2258 status); 2259 else { 2260 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2261 wh, "auth", "unsupported alg %d", algo); 2262 ic->ic_stats.is_rx_auth_unsupported++; 2263 #ifndef IEEE80211_NO_HOSTAP 2264 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2265 /* XXX not right */ 2266 IEEE80211_SEND_MGMT(ic, ni, 2267 IEEE80211_FC0_SUBTYPE_AUTH, 2268 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2269 } 2270 #endif /* !IEEE80211_NO_HOSTAP */ 2271 return; 2272 } 2273 break; 2274 } 2275 2276 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2277 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2278 u_int16_t capinfo, lintval; 2279 struct ieee80211_rsnparms rsn; 2280 u_int8_t reason; 2281 2282 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2283 ic->ic_state != IEEE80211_S_RUN) { 2284 ic->ic_stats.is_rx_mgtdiscard++; 2285 return; 2286 } 2287 2288 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2289 reassoc = 1; 2290 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2291 } else { 2292 reassoc = 0; 2293 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2294 } 2295 /* 2296 * asreq frame format 2297 * [2] capability information 2298 * [2] listen interval 2299 * [6*] current AP address (reassoc only) 2300 * [tlv] ssid 2301 * [tlv] supported rates 2302 * [tlv] extended supported rates 2303 * [tlv] WPA or RSN 2304 */ 2305 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2306 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2307 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2308 wh, ieee80211_mgt_subtype_name[subtype >> 2309 IEEE80211_FC0_SUBTYPE_SHIFT], 2310 "%s", "wrong bssid"); 2311 ic->ic_stats.is_rx_assoc_bss++; 2312 return; 2313 } 2314 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2315 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2316 if (reassoc) 2317 frm += 6; /* ignore current AP info */ 2318 ssid = rates = xrates = wpa = wme = NULL; 2319 while (frm < efrm) { 2320 switch (*frm) { 2321 case IEEE80211_ELEMID_SSID: 2322 ssid = frm; 2323 break; 2324 case IEEE80211_ELEMID_RATES: 2325 rates = frm; 2326 break; 2327 case IEEE80211_ELEMID_XRATES: 2328 xrates = frm; 2329 break; 2330 /* XXX verify only one of RSN and WPA ie's? */ 2331 case IEEE80211_ELEMID_RSN: 2332 wpa = frm; 2333 break; 2334 case IEEE80211_ELEMID_VENDOR: 2335 if (iswpaoui(frm)) 2336 wpa = frm; 2337 else if (iswmeinfo(frm)) 2338 wme = frm; 2339 /* XXX Atheros OUI support */ 2340 break; 2341 } 2342 frm += frm[1] + 2; 2343 } 2344 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2345 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2346 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2347 2348 if (ni == ic->ic_bss) { 2349 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2350 "[%s] deny %s request, sta not authenticated\n", 2351 ether_sprintf(wh->i_addr2), 2352 reassoc ? "reassoc" : "assoc"); 2353 ieee80211_send_error(ic, ni, wh->i_addr2, 2354 IEEE80211_FC0_SUBTYPE_DEAUTH, 2355 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2356 ic->ic_stats.is_rx_assoc_notauth++; 2357 return; 2358 } 2359 /* assert right associstion security credentials */ 2360 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2361 IEEE80211_DPRINTF(ic, 2362 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2363 "[%s] no WPA/RSN IE in association request\n", 2364 ether_sprintf(wh->i_addr2)); 2365 IEEE80211_SEND_MGMT(ic, ni, 2366 IEEE80211_FC0_SUBTYPE_DEAUTH, 2367 IEEE80211_REASON_RSN_REQUIRED); 2368 ieee80211_node_leave(ic, ni); 2369 /* XXX distinguish WPA/RSN? */ 2370 ic->ic_stats.is_rx_assoc_badwpaie++; 2371 return; 2372 } 2373 if (wpa != NULL) { 2374 /* 2375 * Parse WPA information element. Note that 2376 * we initialize the param block from the node 2377 * state so that information in the IE overrides 2378 * our defaults. The resulting parameters are 2379 * installed below after the association is assured. 2380 */ 2381 rsn = ni->ni_rsn; 2382 if (wpa[0] != IEEE80211_ELEMID_RSN) 2383 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2384 else 2385 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2386 if (reason != 0) { 2387 IEEE80211_SEND_MGMT(ic, ni, 2388 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2389 ieee80211_node_leave(ic, ni); 2390 /* XXX distinguish WPA/RSN? */ 2391 ic->ic_stats.is_rx_assoc_badwpaie++; 2392 return; 2393 } 2394 IEEE80211_DPRINTF(ic, 2395 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2396 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2397 ether_sprintf(wh->i_addr2), 2398 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2399 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2400 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2401 rsn.rsn_keymgmt, rsn.rsn_caps); 2402 } 2403 /* discard challenge after association */ 2404 if (ni->ni_challenge != NULL) { 2405 free(ni->ni_challenge, M_DEVBUF); 2406 ni->ni_challenge = NULL; 2407 } 2408 /* NB: 802.11 spec says to ignore station's privacy bit */ 2409 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2410 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2411 "[%s] deny %s request, capability mismatch 0x%x\n", 2412 ether_sprintf(wh->i_addr2), 2413 reassoc ? "reassoc" : "assoc", capinfo); 2414 IEEE80211_SEND_MGMT(ic, ni, resp, 2415 IEEE80211_STATUS_CAPINFO); 2416 ieee80211_node_leave(ic, ni); 2417 ic->ic_stats.is_rx_assoc_capmismatch++; 2418 return; 2419 } 2420 rate = ieee80211_setup_rates(ni, rates, xrates, 2421 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2422 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2423 /* 2424 * If constrained to 11g-only stations reject an 2425 * 11b-only station. We cheat a bit here by looking 2426 * at the max negotiated xmit rate and assuming anyone 2427 * with a best rate <24Mb/s is an 11b station. 2428 */ 2429 if ((rate & IEEE80211_RATE_BASIC) || 2430 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2431 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2432 "[%s] deny %s request, rate set mismatch\n", 2433 ether_sprintf(wh->i_addr2), 2434 reassoc ? "reassoc" : "assoc"); 2435 IEEE80211_SEND_MGMT(ic, ni, resp, 2436 IEEE80211_STATUS_BASIC_RATE); 2437 ieee80211_node_leave(ic, ni); 2438 ic->ic_stats.is_rx_assoc_norate++; 2439 return; 2440 } 2441 ni->ni_rssi = rssi; 2442 ni->ni_rstamp = rstamp; 2443 ni->ni_intval = lintval; 2444 ni->ni_capinfo = capinfo; 2445 ni->ni_chan = ic->ic_bss->ni_chan; 2446 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2447 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2448 if (wpa != NULL) { 2449 /* 2450 * Record WPA/RSN parameters for station, mark 2451 * node as using WPA and record information element 2452 * for applications that require it. 2453 */ 2454 ni->ni_rsn = rsn; 2455 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2456 } else if (ni->ni_wpa_ie != NULL) { 2457 /* 2458 * Flush any state from a previous association. 2459 */ 2460 free(ni->ni_wpa_ie, M_DEVBUF); 2461 ni->ni_wpa_ie = NULL; 2462 } 2463 if (wme != NULL) { 2464 /* 2465 * Record WME parameters for station, mark node 2466 * as capable of QoS and record information 2467 * element for applications that require it. 2468 */ 2469 ieee80211_saveie(&ni->ni_wme_ie, wme); 2470 ni->ni_flags |= IEEE80211_NODE_QOS; 2471 } else if (ni->ni_wme_ie != NULL) { 2472 /* 2473 * Flush any state from a previous association. 2474 */ 2475 free(ni->ni_wme_ie, M_DEVBUF); 2476 ni->ni_wme_ie = NULL; 2477 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2478 } 2479 ieee80211_node_join(ic, ni, resp); 2480 break; 2481 } 2482 2483 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2484 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2485 u_int16_t capinfo, associd; 2486 u_int16_t status; 2487 2488 if (ic->ic_opmode != IEEE80211_M_STA || 2489 ic->ic_state != IEEE80211_S_ASSOC) { 2490 ic->ic_stats.is_rx_mgtdiscard++; 2491 return; 2492 } 2493 2494 /* 2495 * asresp frame format 2496 * [2] capability information 2497 * [2] status 2498 * [2] association ID 2499 * [tlv] supported rates 2500 * [tlv] extended supported rates 2501 * [tlv] WME 2502 */ 2503 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2504 ni = ic->ic_bss; 2505 capinfo = le16toh(*(u_int16_t *)frm); 2506 frm += 2; 2507 status = le16toh(*(u_int16_t *)frm); 2508 frm += 2; 2509 if (status != 0) { 2510 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2511 "[%s] %sassoc failed (reason %d)\n", 2512 ether_sprintf(wh->i_addr2), 2513 ISREASSOC(subtype) ? "re" : "", status); 2514 if (ni != ic->ic_bss) /* XXX never true? */ 2515 ni->ni_fails++; 2516 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2517 return; 2518 } 2519 associd = le16toh(*(u_int16_t *)frm); 2520 frm += 2; 2521 2522 rates = xrates = wpa = wme = NULL; 2523 while (frm < efrm) { 2524 switch (*frm) { 2525 case IEEE80211_ELEMID_RATES: 2526 rates = frm; 2527 break; 2528 case IEEE80211_ELEMID_XRATES: 2529 xrates = frm; 2530 break; 2531 case IEEE80211_ELEMID_VENDOR: 2532 if (iswmeoui(frm)) 2533 wme = frm; 2534 /* XXX Atheros OUI support */ 2535 break; 2536 } 2537 frm += frm[1] + 2; 2538 } 2539 2540 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2541 rate = ieee80211_setup_rates(ni, rates, xrates, 2542 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2543 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2544 if (rate & IEEE80211_RATE_BASIC) { 2545 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2546 "[%s] %sassoc failed (rate set mismatch)\n", 2547 ether_sprintf(wh->i_addr2), 2548 ISREASSOC(subtype) ? "re" : ""); 2549 if (ni != ic->ic_bss) /* XXX never true? */ 2550 ni->ni_fails++; 2551 ic->ic_stats.is_rx_assoc_norate++; 2552 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2553 return; 2554 } 2555 2556 ni->ni_capinfo = capinfo; 2557 ni->ni_associd = associd; 2558 if (wme != NULL && 2559 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2560 ni->ni_flags |= IEEE80211_NODE_QOS; 2561 ieee80211_wme_updateparams(ic); 2562 } else 2563 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2564 /* 2565 * Configure state now that we are associated. 2566 * 2567 * XXX may need different/additional driver callbacks? 2568 */ 2569 if (ic->ic_curmode == IEEE80211_MODE_11A || 2570 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2571 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2572 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2573 } else { 2574 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2575 ic->ic_flags |= IEEE80211_F_USEBARKER; 2576 } 2577 ieee80211_set_shortslottime(ic, 2578 ic->ic_curmode == IEEE80211_MODE_11A || 2579 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2580 /* 2581 * Honor ERP protection. 2582 * 2583 * NB: ni_erp should zero for non-11g operation. 2584 * XXX check ic_curmode anyway? 2585 */ 2586 if (ic->ic_curmode == IEEE80211_MODE_11G && 2587 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2588 ic->ic_flags |= IEEE80211_F_USEPROT; 2589 else 2590 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2591 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2592 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2593 ether_sprintf(wh->i_addr2), 2594 ISREASSOC(subtype) ? "re" : "", 2595 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2596 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2597 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2598 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2599 ); 2600 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2601 break; 2602 } 2603 2604 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2605 u_int16_t reason; 2606 2607 if (ic->ic_state == IEEE80211_S_SCAN) { 2608 ic->ic_stats.is_rx_mgtdiscard++; 2609 return; 2610 } 2611 /* 2612 * deauth frame format 2613 * [2] reason 2614 */ 2615 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2616 reason = le16toh(*(u_int16_t *)frm); 2617 ic->ic_stats.is_rx_deauth++; 2618 IEEE80211_NODE_STAT(ni, rx_deauth); 2619 2620 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2621 /* Not intended for this station. */ 2622 ic->ic_stats.is_rx_mgtdiscard++; 2623 break; 2624 } 2625 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2626 "[%s] recv deauthenticate (reason %d)\n", 2627 ether_sprintf(ni->ni_macaddr), reason); 2628 switch (ic->ic_opmode) { 2629 case IEEE80211_M_STA: 2630 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2631 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2632 break; 2633 case IEEE80211_M_HOSTAP: 2634 #ifndef IEEE80211_NO_HOSTAP 2635 if (ni != ic->ic_bss) 2636 ieee80211_node_leave(ic, ni); 2637 #endif /* !IEEE80211_NO_HOSTAP */ 2638 break; 2639 default: 2640 ic->ic_stats.is_rx_mgtdiscard++; 2641 break; 2642 } 2643 break; 2644 } 2645 2646 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2647 u_int16_t reason; 2648 2649 if (ic->ic_state != IEEE80211_S_RUN && 2650 ic->ic_state != IEEE80211_S_ASSOC && 2651 ic->ic_state != IEEE80211_S_AUTH) { 2652 ic->ic_stats.is_rx_mgtdiscard++; 2653 return; 2654 } 2655 /* 2656 * disassoc frame format 2657 * [2] reason 2658 */ 2659 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2660 reason = le16toh(*(u_int16_t *)frm); 2661 ic->ic_stats.is_rx_disassoc++; 2662 IEEE80211_NODE_STAT(ni, rx_disassoc); 2663 2664 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2665 /* Not intended for this station. */ 2666 ic->ic_stats.is_rx_mgtdiscard++; 2667 break; 2668 } 2669 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2670 "[%s] recv disassociate (reason %d)\n", 2671 ether_sprintf(ni->ni_macaddr), reason); 2672 switch (ic->ic_opmode) { 2673 case IEEE80211_M_STA: 2674 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2675 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2676 break; 2677 case IEEE80211_M_HOSTAP: 2678 #ifndef IEEE80211_NO_HOSTAP 2679 if (ni != ic->ic_bss) 2680 ieee80211_node_leave(ic, ni); 2681 #endif /* !IEEE80211_NO_HOSTAP */ 2682 break; 2683 default: 2684 ic->ic_stats.is_rx_mgtdiscard++; 2685 break; 2686 } 2687 break; 2688 } 2689 default: 2690 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2691 wh, "mgt", "subtype 0x%x not handled", subtype); 2692 ic->ic_stats.is_rx_badsubtype++; 2693 break; 2694 } 2695 #undef ISREASSOC 2696 #undef ISPROBE 2697 } 2698 #undef IEEE80211_VERIFY_LENGTH 2699 #undef IEEE80211_VERIFY_ELEMENT 2700 2701 #ifndef IEEE80211_NO_HOSTAP 2702 /* 2703 * Handle station power-save state change. 2704 */ 2705 static void 2706 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2707 { 2708 struct ieee80211com *ic = ni->ni_ic; 2709 struct mbuf *m; 2710 2711 if (enable) { 2712 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2713 ic->ic_ps_sta++; 2714 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2715 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2716 "[%s] power save mode on, %u sta's in ps mode\n", 2717 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2718 return; 2719 } 2720 2721 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2722 ic->ic_ps_sta--; 2723 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2724 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2725 "[%s] power save mode off, %u sta's in ps mode\n", 2726 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2727 /* XXX if no stations in ps mode, flush mc frames */ 2728 2729 /* 2730 * Flush queued unicast frames. 2731 */ 2732 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2733 if (ic->ic_set_tim != NULL) 2734 ic->ic_set_tim(ni, 0); /* just in case */ 2735 return; 2736 } 2737 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2738 "[%s] flush ps queue, %u packets queued\n", 2739 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2740 for (;;) { 2741 int qlen; 2742 2743 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2744 if (m == NULL) 2745 break; 2746 /* 2747 * If this is the last packet, turn off the TIM bit. 2748 * If there are more packets, set the more packets bit 2749 * in the mbuf so ieee80211_encap will mark the 802.11 2750 * head to indicate more data frames will follow. 2751 */ 2752 if (qlen != 0) 2753 m->m_flags |= M_MORE_DATA; 2754 /* XXX need different driver interface */ 2755 /* XXX bypasses q max */ 2756 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2757 } 2758 if (ic->ic_set_tim != NULL) 2759 ic->ic_set_tim(ni, 0); 2760 } 2761 2762 /* 2763 * Process a received ps-poll frame. 2764 */ 2765 static void 2766 ieee80211_recv_pspoll(struct ieee80211com *ic, 2767 struct ieee80211_node *ni, struct mbuf *m0) 2768 { 2769 struct ieee80211_frame_min *wh; 2770 struct mbuf *m; 2771 u_int16_t aid; 2772 int qlen; 2773 2774 wh = mtod(m0, struct ieee80211_frame_min *); 2775 if (ni->ni_associd == 0) { 2776 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2777 (struct ieee80211_frame *) wh, "ps-poll", 2778 "%s", "unassociated station"); 2779 ic->ic_stats.is_ps_unassoc++; 2780 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2781 IEEE80211_REASON_NOT_ASSOCED); 2782 return; 2783 } 2784 2785 aid = le16toh(*(u_int16_t *)wh->i_dur); 2786 if (aid != ni->ni_associd) { 2787 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2788 (struct ieee80211_frame *) wh, "ps-poll", 2789 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2790 ni->ni_associd, aid); 2791 ic->ic_stats.is_ps_badaid++; 2792 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2793 IEEE80211_REASON_NOT_ASSOCED); 2794 return; 2795 } 2796 2797 /* Okay, take the first queued packet and put it out... */ 2798 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2799 if (m == NULL) { 2800 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2801 "[%s] recv ps-poll, but queue empty\n", 2802 ether_sprintf(wh->i_addr2)); 2803 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2804 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2805 if (ic->ic_set_tim != NULL) 2806 ic->ic_set_tim(ni, 0); /* just in case */ 2807 return; 2808 } 2809 /* 2810 * If there are more packets, set the more packets bit 2811 * in the packet dispatched to the station; otherwise 2812 * turn off the TIM bit. 2813 */ 2814 if (qlen != 0) { 2815 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2816 "[%s] recv ps-poll, send packet, %u still queued\n", 2817 ether_sprintf(ni->ni_macaddr), qlen); 2818 m->m_flags |= M_MORE_DATA; 2819 } else { 2820 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2821 "[%s] recv ps-poll, send packet, queue empty\n", 2822 ether_sprintf(ni->ni_macaddr)); 2823 if (ic->ic_set_tim != NULL) 2824 ic->ic_set_tim(ni, 0); 2825 } 2826 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2827 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2828 } 2829 #endif /* !IEEE80211_NO_HOSTAP */ 2830 2831 #ifdef IEEE80211_DEBUG 2832 /* 2833 * Debugging support. 2834 */ 2835 2836 /* 2837 * Return the bssid of a frame. 2838 */ 2839 static const u_int8_t * 2840 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2841 { 2842 if (ic->ic_opmode == IEEE80211_M_STA) 2843 return wh->i_addr2; 2844 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2845 return wh->i_addr1; 2846 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2847 return wh->i_addr1; 2848 return wh->i_addr3; 2849 } 2850 2851 void 2852 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2853 { 2854 char buf[128]; /* XXX */ 2855 va_list ap; 2856 2857 va_start(ap, fmt); 2858 vsnprintf(buf, sizeof(buf), fmt, ap); 2859 va_end(ap); 2860 2861 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2862 } 2863 2864 void 2865 ieee80211_note_frame(struct ieee80211com *ic, 2866 const struct ieee80211_frame *wh, 2867 const char *fmt, ...) 2868 { 2869 char buf[128]; /* XXX */ 2870 va_list ap; 2871 2872 va_start(ap, fmt); 2873 vsnprintf(buf, sizeof(buf), fmt, ap); 2874 va_end(ap); 2875 if_printf(ic->ic_ifp, "[%s] %s\n", 2876 ether_sprintf(ieee80211_getbssid(ic, wh)), buf); 2877 } 2878 2879 void 2880 ieee80211_note_mac(struct ieee80211com *ic, 2881 const u_int8_t mac[IEEE80211_ADDR_LEN], 2882 const char *fmt, ...) 2883 { 2884 char buf[128]; /* XXX */ 2885 va_list ap; 2886 2887 va_start(ap, fmt); 2888 vsnprintf(buf, sizeof(buf), fmt, ap); 2889 va_end(ap); 2890 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf); 2891 } 2892 2893 static void 2894 ieee80211_discard_frame(struct ieee80211com *ic, 2895 const struct ieee80211_frame *wh, 2896 const char *type, const char *fmt, ...) 2897 { 2898 va_list ap; 2899 2900 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2901 ether_sprintf(ieee80211_getbssid(ic, wh))); 2902 if (type != NULL) 2903 printf("%s frame, ", type); 2904 else 2905 printf("frame, "); 2906 va_start(ap, fmt); 2907 vprintf(fmt, ap); 2908 va_end(ap); 2909 printf("\n"); 2910 } 2911 2912 static void 2913 ieee80211_discard_ie(struct ieee80211com *ic, 2914 const struct ieee80211_frame *wh, 2915 const char *type, const char *fmt, ...) 2916 { 2917 va_list ap; 2918 2919 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2920 ether_sprintf(ieee80211_getbssid(ic, wh))); 2921 if (type != NULL) 2922 printf("%s information element, ", type); 2923 else 2924 printf("information element, "); 2925 va_start(ap, fmt); 2926 vprintf(fmt, ap); 2927 va_end(ap); 2928 printf("\n"); 2929 } 2930 2931 static void 2932 ieee80211_discard_mac(struct ieee80211com *ic, 2933 const u_int8_t mac[IEEE80211_ADDR_LEN], 2934 const char *type, const char *fmt, ...) 2935 { 2936 va_list ap; 2937 2938 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac)); 2939 if (type != NULL) 2940 printf("%s frame, ", type); 2941 else 2942 printf("frame, "); 2943 va_start(ap, fmt); 2944 vprintf(fmt, ap); 2945 va_end(ap); 2946 printf("\n"); 2947 } 2948 #endif /* IEEE80211_DEBUG */ 2949