1 /* $NetBSD: ieee80211_input.c,v 1.87 2017/02/02 10:05:35 nonaka Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.87 2017/02/02 10:05:35 nonaka Exp $"); 40 #endif 41 42 #ifdef _KERNEL_OPT 43 #include "opt_inet.h" 44 #endif 45 46 #ifdef __NetBSD__ 47 #endif /* __NetBSD__ */ 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/malloc.h> 53 #include <sys/endian.h> 54 #include <sys/kernel.h> 55 56 #include <sys/socket.h> 57 #include <sys/sockio.h> 58 #include <sys/endian.h> 59 #include <sys/errno.h> 60 #include <sys/proc.h> 61 #include <sys/sysctl.h> 62 #include <sys/cpu.h> 63 64 #include <net/if.h> 65 #include <net/if_media.h> 66 #include <net/if_arp.h> 67 #include <net/if_ether.h> 68 #include <net/if_llc.h> 69 70 #include <net80211/ieee80211_var.h> 71 72 #include <net/bpf.h> 73 74 #ifdef INET 75 #include <netinet/in.h> 76 #include <net/if_ether.h> 77 #endif 78 79 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 80 81 #ifdef IEEE80211_DEBUG 82 83 /* 84 * Decide if a received management frame should be 85 * printed when debugging is enabled. This filters some 86 * of the less interesting frames that come frequently 87 * (e.g. beacons). 88 */ 89 static __inline int 90 doprint(struct ieee80211com *ic, int subtype) 91 { 92 switch (subtype) { 93 case IEEE80211_FC0_SUBTYPE_BEACON: 94 return (ic->ic_flags & IEEE80211_F_SCAN); 95 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 96 return (ic->ic_opmode == IEEE80211_M_IBSS); 97 } 98 return 1; 99 } 100 101 /* 102 * Emit a debug message about discarding a frame or information 103 * element. One format is for extracting the mac address from 104 * the frame header; the other is for when a header is not 105 * available or otherwise appropriate. 106 */ 107 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 108 if ((_ic)->ic_debug & (_m)) \ 109 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 110 } while (0) 111 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 112 if ((_ic)->ic_debug & (_m)) \ 113 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 114 } while (0) 115 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 116 if ((_ic)->ic_debug & (_m)) \ 117 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 118 } while (0) 119 #define IEEE80211_DEBUGVAR(a) a 120 121 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 122 const struct ieee80211_frame *); 123 static void ieee80211_discard_frame(struct ieee80211com *, 124 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 125 static void ieee80211_discard_ie(struct ieee80211com *, 126 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 127 static void ieee80211_discard_mac(struct ieee80211com *, 128 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 129 const char *fmt, ...); 130 #else 131 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 132 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 133 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 134 #define IEEE80211_DEBUGVAR(a) 135 #endif /* IEEE80211_DEBUG */ 136 137 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 138 struct ieee80211_node *, struct mbuf *, int); 139 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 140 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 141 const u_int8_t *mac, int subtype, int arg); 142 static void ieee80211_deliver_data(struct ieee80211com *, 143 struct ieee80211_node *, struct mbuf *); 144 #ifndef IEEE80211_NO_HOSTAP 145 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 146 static void ieee80211_recv_pspoll(struct ieee80211com *, 147 struct ieee80211_node *, struct mbuf *); 148 #endif /* !IEEE80211_NO_HOSTAP */ 149 static void ieee80211_update_adhoc_node(struct ieee80211com *, 150 struct ieee80211_node *, struct ieee80211_frame *, 151 struct ieee80211_scanparams *, int, u_int32_t); 152 153 /* 154 * Process a received frame. The node associated with the sender 155 * should be supplied. If nothing was found in the node table then 156 * the caller is assumed to supply a reference to ic_bss instead. 157 * The RSSI and a timestamp are also supplied. The RSSI data is used 158 * during AP scanning to select a AP to associate with; it can have 159 * any units so long as values have consistent units and higher values 160 * mean ``better signal''. The receive timestamp is currently not used 161 * by the 802.11 layer. 162 */ 163 int 164 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 165 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 166 { 167 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 168 #define HAS_SEQ(type) ((type & 0x4) == 0) 169 struct ifnet *ifp = ic->ic_ifp; 170 struct ieee80211_frame *wh; 171 struct ieee80211_key *key; 172 struct ether_header *eh; 173 int hdrspace; 174 u_int8_t dir, type, subtype; 175 u_int8_t *bssid; 176 u_int16_t rxseq; 177 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 178 179 KASSERT(!cpu_intr_p()); 180 181 IASSERT(ni != NULL, ("null node")); 182 ni->ni_inact = ni->ni_inact_reload; 183 184 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 185 if (m->m_flags & M_HASFCS) { 186 m_adj(m, -IEEE80211_CRC_LEN); 187 m->m_flags &= ~M_HASFCS; 188 } 189 type = -1; /* undefined */ 190 /* 191 * In monitor mode, send everything directly to bpf. 192 * XXX may want to include the CRC 193 */ 194 if (ic->ic_opmode == IEEE80211_M_MONITOR) 195 goto out; 196 197 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 198 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 199 ni->ni_macaddr, NULL, 200 "too short (1): len %u", m->m_pkthdr.len); 201 ic->ic_stats.is_rx_tooshort++; 202 goto out; 203 } 204 /* 205 * Bit of a cheat here, we use a pointer for a 3-address 206 * frame format but don't reference fields past outside 207 * ieee80211_frame_min w/o first validating the data is 208 * present. 209 */ 210 wh = mtod(m, struct ieee80211_frame *); 211 212 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 213 IEEE80211_FC0_VERSION_0) { 214 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 215 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 216 ic->ic_stats.is_rx_badversion++; 217 goto err; 218 } 219 220 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 221 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 222 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 223 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 224 switch (ic->ic_opmode) { 225 case IEEE80211_M_STA: 226 bssid = wh->i_addr2; 227 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 228 /* not interested in */ 229 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 230 bssid, NULL, "node %s, %s", 231 ether_snprintf(ebuf, sizeof(ebuf), 232 ni->ni_bssid), "not to bss"); 233 ic->ic_stats.is_rx_wrongbss++; 234 goto out; 235 } 236 237 /* Filter out packets not directed to us in case the 238 * device is in promiscous mode 239 */ 240 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) 241 && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) { 242 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 243 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 244 ic->ic_myaddr, ":", wh->i_addr1, ":"); 245 ic->ic_stats.is_rx_wrongbss++; 246 goto out; 247 } 248 break; 249 case IEEE80211_M_IBSS: 250 case IEEE80211_M_AHDEMO: 251 case IEEE80211_M_HOSTAP: 252 if (dir != IEEE80211_FC1_DIR_NODS) 253 bssid = wh->i_addr1; 254 else if (type == IEEE80211_FC0_TYPE_CTL) 255 bssid = wh->i_addr1; 256 else { 257 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 258 IEEE80211_DISCARD_MAC(ic, 259 IEEE80211_MSG_ANY, ni->ni_macaddr, 260 NULL, "too short (2): len %u", 261 m->m_pkthdr.len); 262 ic->ic_stats.is_rx_tooshort++; 263 goto out; 264 } 265 bssid = wh->i_addr3; 266 } 267 if (type != IEEE80211_FC0_TYPE_DATA) 268 break; 269 /* 270 * Data frame, validate the bssid. 271 */ 272 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 273 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 274 /* not interested in */ 275 IEEE80211_DEBUGVAR( 276 char bbuf[3 * ETHER_ADDR_LEN]); 277 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 278 bssid, NULL, "bss %s, broadcast %s, %s", 279 ether_snprintf(ebuf, sizeof(ebuf), 280 ic->ic_bss->ni_bssid), 281 ether_snprintf(bbuf, sizeof(bbuf), 282 ifp->if_broadcastaddr), "not to bss"); 283 ic->ic_stats.is_rx_wrongbss++; 284 goto out; 285 } 286 /* 287 * For adhoc mode we cons up a node when it doesn't 288 * exist. This should probably done after an ACL check. 289 */ 290 if (ni == ic->ic_bss && 291 ic->ic_opmode != IEEE80211_M_HOSTAP && 292 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 293 /* 294 * Fake up a node for this newly 295 * discovered member of the IBSS. 296 */ 297 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 298 wh->i_addr2); 299 if (ni == NULL) { 300 /* NB: stat kept for alloc failure */ 301 goto err; 302 } 303 } 304 break; 305 default: 306 goto out; 307 } 308 ni->ni_rssi = rssi; 309 ni->ni_rstamp = rstamp; 310 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || 311 !IEEE80211_IS_MULTICAST(wh->i_addr1))) { 312 u_int8_t tid, retry; 313 u_int16_t rxno, orxno; 314 315 if (ieee80211_has_qos(wh)) { 316 tid = ((struct ieee80211_qosframe *)wh)-> 317 i_qos[0] & IEEE80211_QOS_TID; 318 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 319 ic->ic_wme.wme_hipri_traffic++; 320 tid++; 321 } else 322 tid = 0; 323 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 324 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; 325 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 326 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; 327 if (retry && ( 328 (orxno == 4095 && rxno == orxno) || 329 (orxno != 4095 && 330 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) 331 )) { 332 /* duplicate, discard */ 333 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 334 bssid, "duplicate", 335 "seqno <%u,%u> fragno <%u,%u> tid %u", 336 rxno, 337 orxno, 338 rxseq & IEEE80211_SEQ_FRAG_MASK, 339 ni->ni_rxseqs[tid] & 340 IEEE80211_SEQ_FRAG_MASK, 341 tid); 342 ic->ic_stats.is_rx_dup++; 343 IEEE80211_NODE_STAT(ni, rx_dup); 344 goto out; 345 } 346 ni->ni_rxseqs[tid] = rxseq; 347 } 348 } 349 350 switch (type) { 351 case IEEE80211_FC0_TYPE_DATA: 352 hdrspace = ieee80211_hdrspace(ic, wh); 353 if (m->m_len < hdrspace && 354 (m = m_pullup(m, hdrspace)) == NULL) { 355 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 356 ni->ni_macaddr, NULL, 357 "data too short: expecting %u", hdrspace); 358 ic->ic_stats.is_rx_tooshort++; 359 goto out; /* XXX */ 360 } 361 switch (ic->ic_opmode) { 362 case IEEE80211_M_STA: 363 if (dir != IEEE80211_FC1_DIR_FROMDS) { 364 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 365 wh, "data", "%s", "unknown dir 0x%x", dir); 366 ic->ic_stats.is_rx_wrongdir++; 367 goto out; 368 } 369 if ((ifp->if_flags & IFF_SIMPLEX) && 370 IEEE80211_IS_MULTICAST(wh->i_addr1) && 371 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 372 /* 373 * In IEEE802.11 network, multicast packet 374 * sent from me is broadcasted from AP. 375 * It should be silently discarded for 376 * SIMPLEX interface. 377 */ 378 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 379 wh, NULL, "%s", "multicast echo"); 380 ic->ic_stats.is_rx_mcastecho++; 381 goto out; 382 } 383 break; 384 case IEEE80211_M_IBSS: 385 case IEEE80211_M_AHDEMO: 386 if (dir != IEEE80211_FC1_DIR_NODS) { 387 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 388 wh, "data", "%s", "unknown dir 0x%x", dir); 389 ic->ic_stats.is_rx_wrongdir++; 390 goto out; 391 } 392 /* XXX no power-save support */ 393 break; 394 case IEEE80211_M_HOSTAP: 395 #ifndef IEEE80211_NO_HOSTAP 396 if (dir != IEEE80211_FC1_DIR_TODS) { 397 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 398 wh, "data", "%s", "unknown dir 0x%x", dir); 399 ic->ic_stats.is_rx_wrongdir++; 400 goto out; 401 } 402 /* check if source STA is associated */ 403 if (ni == ic->ic_bss) { 404 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 405 wh, "data", "%s", "unknown src"); 406 ieee80211_send_error(ic, ni, wh->i_addr2, 407 IEEE80211_FC0_SUBTYPE_DEAUTH, 408 IEEE80211_REASON_NOT_AUTHED); 409 ic->ic_stats.is_rx_notassoc++; 410 goto err; 411 } 412 if (ni->ni_associd == 0) { 413 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 414 wh, "data", "%s", "unassoc src"); 415 IEEE80211_SEND_MGMT(ic, ni, 416 IEEE80211_FC0_SUBTYPE_DISASSOC, 417 IEEE80211_REASON_NOT_ASSOCED); 418 ic->ic_stats.is_rx_notassoc++; 419 goto err; 420 } 421 422 /* 423 * Check for power save state change. 424 */ 425 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 426 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 427 ieee80211_node_pwrsave(ni, 428 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 429 #endif /* !IEEE80211_NO_HOSTAP */ 430 break; 431 default: 432 /* XXX here to keep compiler happy */ 433 goto out; 434 } 435 436 /* 437 * Handle privacy requirements. Note that we 438 * must not be preempted from here until after 439 * we (potentially) call ieee80211_crypto_demic; 440 * otherwise we may violate assumptions in the 441 * crypto cipher modules used to do delayed update 442 * of replay sequence numbers. 443 */ 444 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 445 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 446 /* 447 * Discard encrypted frames when privacy is off. 448 */ 449 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 450 wh, "WEP", "%s", "PRIVACY off"); 451 ic->ic_stats.is_rx_noprivacy++; 452 IEEE80211_NODE_STAT(ni, rx_noprivacy); 453 goto out; 454 } 455 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 456 if (key == NULL) { 457 /* NB: stats+msgs handled in crypto_decap */ 458 IEEE80211_NODE_STAT(ni, rx_wepfail); 459 goto out; 460 } 461 wh = mtod(m, struct ieee80211_frame *); 462 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 463 } else { 464 key = NULL; 465 } 466 467 /* 468 * Next up, any fragmentation. 469 */ 470 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 471 m = ieee80211_defrag(ic, ni, m, hdrspace); 472 if (m == NULL) { 473 /* Fragment dropped or frame not complete yet */ 474 goto out; 475 } 476 } 477 wh = NULL; /* no longer valid, catch any uses */ 478 479 /* 480 * Next strip any MSDU crypto bits. 481 */ 482 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 483 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 484 ni->ni_macaddr, "data", "%s", "demic error"); 485 IEEE80211_NODE_STAT(ni, rx_demicfail); 486 goto out; 487 } 488 489 /* copy to listener after decrypt */ 490 bpf_mtap3(ic->ic_rawbpf, m); 491 492 /* 493 * Finally, strip the 802.11 header. 494 */ 495 m = ieee80211_decap(ic, m, hdrspace); 496 if (m == NULL) { 497 /* don't count Null data frames as errors */ 498 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 499 goto out; 500 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 501 ni->ni_macaddr, "data", "%s", "decap error"); 502 ic->ic_stats.is_rx_decap++; 503 IEEE80211_NODE_STAT(ni, rx_decap); 504 goto err; 505 } 506 eh = mtod(m, struct ether_header *); 507 if (!ieee80211_node_is_authorized(ni)) { 508 /* 509 * Deny any non-PAE frames received prior to 510 * authorization. For open/shared-key 511 * authentication the port is mark authorized 512 * after authentication completes. For 802.1x 513 * the port is not marked authorized by the 514 * authenticator until the handshake has completed. 515 */ 516 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 517 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 518 eh->ether_shost, "data", 519 "unauthorized port: ether type 0x%x len %u", 520 eh->ether_type, m->m_pkthdr.len); 521 ic->ic_stats.is_rx_unauth++; 522 IEEE80211_NODE_STAT(ni, rx_unauth); 523 goto err; 524 } 525 } else { 526 /* 527 * When denying unencrypted frames, discard 528 * any non-PAE frames received without encryption. 529 */ 530 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 531 key == NULL && 532 eh->ether_type != htons(ETHERTYPE_PAE)) { 533 /* 534 * Drop unencrypted frames. 535 */ 536 ic->ic_stats.is_rx_unencrypted++; 537 IEEE80211_NODE_STAT(ni, rx_unencrypted); 538 goto out; 539 } 540 } 541 ifp->if_ipackets++; 542 IEEE80211_NODE_STAT(ni, rx_data); 543 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 544 545 ieee80211_deliver_data(ic, ni, m); 546 return IEEE80211_FC0_TYPE_DATA; 547 548 case IEEE80211_FC0_TYPE_MGT: 549 IEEE80211_NODE_STAT(ni, rx_mgmt); 550 if (dir != IEEE80211_FC1_DIR_NODS) { 551 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 552 wh, "data", "%s", "unknown dir 0x%x", dir); 553 ic->ic_stats.is_rx_wrongdir++; 554 goto err; 555 } 556 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 557 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 558 ni->ni_macaddr, "mgt", "too short: len %u", 559 m->m_pkthdr.len); 560 ic->ic_stats.is_rx_tooshort++; 561 goto out; 562 } 563 #ifdef IEEE80211_DEBUG 564 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 565 ieee80211_msg_dumppkts(ic)) { 566 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 567 ieee80211_mgt_subtype_name[subtype >> 568 IEEE80211_FC0_SUBTYPE_SHIFT], 569 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 570 rssi); 571 } 572 #endif 573 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 574 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 575 /* 576 * Only shared key auth frames with a challenge 577 * should be encrypted, discard all others. 578 */ 579 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 580 wh, ieee80211_mgt_subtype_name[subtype >> 581 IEEE80211_FC0_SUBTYPE_SHIFT], 582 "%s", "WEP set but not permitted"); 583 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 584 goto out; 585 } 586 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 587 /* 588 * Discard encrypted frames when privacy is off. 589 */ 590 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 591 wh, "mgt", "%s", "WEP set but PRIVACY off"); 592 ic->ic_stats.is_rx_noprivacy++; 593 goto out; 594 } 595 hdrspace = ieee80211_hdrspace(ic, wh); 596 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 597 if (key == NULL) { 598 /* NB: stats+msgs handled in crypto_decap */ 599 goto out; 600 } 601 wh = mtod(m, struct ieee80211_frame *); 602 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 603 } 604 bpf_mtap3(ic->ic_rawbpf, m); 605 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 606 m_freem(m); 607 return type; 608 609 case IEEE80211_FC0_TYPE_CTL: 610 IEEE80211_NODE_STAT(ni, rx_ctrl); 611 ic->ic_stats.is_rx_ctl++; 612 #ifndef IEEE80211_NO_HOSTAP 613 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 614 switch (subtype) { 615 case IEEE80211_FC0_SUBTYPE_PS_POLL: 616 ieee80211_recv_pspoll(ic, ni, m); 617 break; 618 } 619 } 620 #endif /* !IEEE80211_NO_HOSTAP */ 621 goto out; 622 default: 623 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 624 wh, NULL, "bad frame type 0x%x", type); 625 /* should not come here */ 626 break; 627 } 628 err: 629 ifp->if_ierrors++; 630 out: 631 if (m != NULL) { 632 bpf_mtap3(ic->ic_rawbpf, m); 633 m_freem(m); 634 } 635 return type; 636 #undef SEQ_LEQ 637 } 638 639 /* 640 * This function reassemble fragments. 641 */ 642 static struct mbuf * 643 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 644 struct mbuf *m, int hdrspace) 645 { 646 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 647 struct ieee80211_frame *lwh; 648 u_int16_t rxseq; 649 u_int8_t fragno; 650 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 651 struct mbuf *mfrag; 652 653 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 654 655 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 656 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 657 658 /* Quick way out, if there's nothing to defragment */ 659 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 660 return m; 661 662 /* 663 * Remove frag to insure it doesn't get reaped by timer. 664 */ 665 if (ni->ni_table == NULL) { 666 /* 667 * Should never happen. If the node is orphaned (not in 668 * the table) then input packets should not reach here. 669 * Otherwise, a concurrent request that yanks the table 670 * should be blocked by other interlocking and/or by first 671 * shutting the driver down. Regardless, be defensive 672 * here and just bail 673 */ 674 /* XXX need msg+stat */ 675 m_freem(m); 676 return NULL; 677 } 678 IEEE80211_NODE_LOCK(ni->ni_table); 679 mfrag = ni->ni_rxfrag[0]; 680 ni->ni_rxfrag[0] = NULL; 681 IEEE80211_NODE_UNLOCK(ni->ni_table); 682 683 /* 684 * Validate new fragment is in order and 685 * related to the previous ones. 686 */ 687 if (mfrag != NULL) { 688 u_int16_t last_rxseq; 689 690 lwh = mtod(mfrag, struct ieee80211_frame *); 691 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 692 /* NB: check seq # and frag together */ 693 if (rxseq != last_rxseq+1 || 694 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 695 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 696 /* 697 * Unrelated fragment or no space for it, 698 * clear current fragments. 699 */ 700 m_freem(mfrag); 701 mfrag = NULL; 702 } 703 } 704 705 if (mfrag == NULL) { 706 if (fragno != 0) { /* !first fragment, discard */ 707 IEEE80211_NODE_STAT(ni, rx_defrag); 708 m_freem(m); 709 return NULL; 710 } 711 mfrag = m; 712 } else { /* concatenate */ 713 m_adj(m, hdrspace); /* strip header */ 714 m_cat(mfrag, m); 715 /* NB: m_cat doesn't update the packet header */ 716 mfrag->m_pkthdr.len += m->m_pkthdr.len; 717 /* track last seqnum and fragno */ 718 lwh = mtod(mfrag, struct ieee80211_frame *); 719 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 720 } 721 if (more_frag) { /* more to come, save */ 722 ni->ni_rxfragstamp = ticks; 723 ni->ni_rxfrag[0] = mfrag; 724 mfrag = NULL; 725 } 726 return mfrag; 727 } 728 729 static void 730 ieee80211_deliver_data(struct ieee80211com *ic, 731 struct ieee80211_node *ni, struct mbuf *m) 732 { 733 struct ether_header *eh = mtod(m, struct ether_header *); 734 struct ifnet *ifp = ic->ic_ifp; 735 int error; 736 737 /* perform as a bridge within the AP */ 738 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 739 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 740 struct mbuf *m1 = NULL; 741 742 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 743 m1 = m_copypacket(m, M_DONTWAIT); 744 if (m1 == NULL) 745 ifp->if_oerrors++; 746 else 747 m1->m_flags |= M_MCAST; 748 } else { 749 /* 750 * Check if the destination is known; if so 751 * and the port is authorized dispatch directly. 752 */ 753 struct ieee80211_node *sta = 754 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 755 if (sta != NULL) { 756 if (ieee80211_node_is_authorized(sta)) { 757 /* 758 * Beware of sending to ourself; this 759 * needs to happen via the normal 760 * input path. 761 */ 762 if (sta != ic->ic_bss) { 763 m1 = m; 764 m = NULL; 765 } 766 } else { 767 ic->ic_stats.is_rx_unauth++; 768 IEEE80211_NODE_STAT(sta, rx_unauth); 769 } 770 ieee80211_free_node(sta); 771 } 772 } 773 if (m1 != NULL) { 774 int len; 775 #ifdef ALTQ 776 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 777 altq_etherclassify(&ifp->if_snd, m1); 778 } 779 #endif 780 len = m1->m_pkthdr.len; 781 IFQ_ENQUEUE(&ifp->if_snd, m1, error); 782 if (error) { 783 ifp->if_omcasts++; 784 m = NULL; 785 } 786 ifp->if_obytes += len; 787 } 788 } 789 if (m != NULL) { 790 791 if (ni->ni_vlan != 0) { 792 /* attach vlan tag */ 793 /* XXX goto err? */ 794 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 795 } 796 797 /* 798 * XXX once ieee80211_input (or rxintr itself) runs in softint 799 * we have to change here too to use if_input. 800 */ 801 KASSERT(ifp->if_percpuq); 802 if_percpuq_enqueue(ifp->if_percpuq, m); 803 } 804 return; 805 out: 806 if (m != NULL) { 807 bpf_mtap3(ic->ic_rawbpf, m); 808 m_freem(m); 809 } 810 } 811 812 static struct mbuf * 813 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 814 { 815 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 816 struct ether_header *eh; 817 struct llc *llc; 818 819 if (m->m_len < hdrlen + sizeof(*llc) && 820 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 821 /* XXX stat, msg */ 822 return NULL; 823 } 824 memcpy(&wh, mtod(m, void *), hdrlen); 825 llc = (struct llc *)(mtod(m, char *) + hdrlen); 826 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 827 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 828 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 829 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 830 llc = NULL; 831 } else { 832 m_adj(m, hdrlen - sizeof(*eh)); 833 } 834 eh = mtod(m, struct ether_header *); 835 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 836 case IEEE80211_FC1_DIR_NODS: 837 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 838 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 839 break; 840 case IEEE80211_FC1_DIR_TODS: 841 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 842 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 843 break; 844 case IEEE80211_FC1_DIR_FROMDS: 845 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 846 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 847 break; 848 case IEEE80211_FC1_DIR_DSTODS: 849 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 850 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 851 break; 852 } 853 #ifdef ALIGNED_POINTER 854 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 855 struct mbuf *n, *n0, **np; 856 char *newdata; 857 int off, pktlen; 858 859 n0 = NULL; 860 np = &n0; 861 off = 0; 862 pktlen = m->m_pkthdr.len; 863 while (pktlen > off) { 864 if (n0 == NULL) { 865 MGETHDR(n, M_DONTWAIT, MT_DATA); 866 if (n == NULL) { 867 m_freem(m); 868 return NULL; 869 } 870 M_MOVE_PKTHDR(n, m); 871 n->m_len = MHLEN; 872 } else { 873 MGET(n, M_DONTWAIT, MT_DATA); 874 if (n == NULL) { 875 m_freem(m); 876 m_freem(n0); 877 return NULL; 878 } 879 n->m_len = MLEN; 880 } 881 if (pktlen - off >= MINCLSIZE) { 882 MCLGET(n, M_DONTWAIT); 883 if (n->m_flags & M_EXT) 884 n->m_len = n->m_ext.ext_size; 885 } 886 if (n0 == NULL) { 887 newdata = 888 (char *)ALIGN(n->m_data + sizeof(*eh)) - 889 sizeof(*eh); 890 n->m_len -= newdata - n->m_data; 891 n->m_data = newdata; 892 } 893 if (n->m_len > pktlen - off) 894 n->m_len = pktlen - off; 895 m_copydata(m, off, n->m_len, mtod(n, void *)); 896 off += n->m_len; 897 *np = n; 898 np = &n->m_next; 899 } 900 m_freem(m); 901 m = n0; 902 } 903 #endif /* ALIGNED_POINTER */ 904 if (llc != NULL) { 905 eh = mtod(m, struct ether_header *); 906 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 907 } 908 return m; 909 } 910 911 /* 912 * Install received rate set information in the node's state block. 913 */ 914 int 915 ieee80211_setup_rates(struct ieee80211_node *ni, 916 const u_int8_t *rates, const u_int8_t *xrates, int flags) 917 { 918 struct ieee80211com *ic = ni->ni_ic; 919 struct ieee80211_rateset *rs = &ni->ni_rates; 920 921 memset(rs, 0, sizeof(*rs)); 922 rs->rs_nrates = rates[1]; 923 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 924 if (xrates != NULL) { 925 u_int8_t nxrates; 926 /* 927 * Tack on 11g extended supported rate element. 928 */ 929 nxrates = xrates[1]; 930 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 931 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 932 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 933 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 934 "[%s] extended rate set too large;" 935 " only using %u of %u rates\n", 936 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 937 nxrates, xrates[1]); 938 ic->ic_stats.is_rx_rstoobig++; 939 } 940 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 941 rs->rs_nrates += nxrates; 942 } 943 return ieee80211_fix_rate(ni, flags); 944 } 945 946 static void 947 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 948 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 949 u_int16_t seq, u_int16_t status) 950 { 951 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 952 953 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 954 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 955 ni->ni_macaddr, "open auth", 956 "bad sta auth mode %u", ni->ni_authmode); 957 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 958 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 959 /* XXX hack to workaround calling convention */ 960 ieee80211_send_error(ic, ni, wh->i_addr2, 961 IEEE80211_FC0_SUBTYPE_AUTH, 962 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 963 } 964 return; 965 } 966 switch (ic->ic_opmode) { 967 case IEEE80211_M_IBSS: 968 case IEEE80211_M_AHDEMO: 969 case IEEE80211_M_MONITOR: 970 /* should not come here */ 971 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 972 ni->ni_macaddr, "open auth", 973 "bad operating mode %u", ic->ic_opmode); 974 break; 975 976 case IEEE80211_M_HOSTAP: 977 #ifndef IEEE80211_NO_HOSTAP 978 if (ic->ic_state != IEEE80211_S_RUN || 979 seq != IEEE80211_AUTH_OPEN_REQUEST) { 980 ic->ic_stats.is_rx_bad_auth++; 981 return; 982 } 983 /* always accept open authentication requests */ 984 if (ni == ic->ic_bss) { 985 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 986 if (ni == NULL) 987 return; 988 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 989 (void) ieee80211_ref_node(ni); 990 /* 991 * Mark the node as referenced to reflect that its 992 * reference count has been bumped to insure it remains 993 * after the transaction completes. 994 */ 995 ni->ni_flags |= IEEE80211_NODE_AREF; 996 997 IEEE80211_SEND_MGMT(ic, ni, 998 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 999 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1000 "[%s] station authenticated (open)\n", 1001 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1002 /* 1003 * When 802.1x is not in use mark the port 1004 * authorized at this point so traffic can flow. 1005 */ 1006 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 1007 ieee80211_node_authorize(ni); 1008 #endif /* !IEEE80211_NO_HOSTAP */ 1009 break; 1010 1011 case IEEE80211_M_STA: 1012 if (ic->ic_state != IEEE80211_S_AUTH || 1013 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1014 ic->ic_stats.is_rx_bad_auth++; 1015 return; 1016 } 1017 if (status != 0) { 1018 1019 IEEE80211_DPRINTF(ic, 1020 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1021 "[%s] open auth failed (reason %d)\n", 1022 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 1023 status); 1024 /* XXX can this happen? */ 1025 if (ni != ic->ic_bss) 1026 ni->ni_fails++; 1027 ic->ic_stats.is_rx_auth_fail++; 1028 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1029 } else 1030 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1031 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1032 break; 1033 } 1034 } 1035 1036 /* 1037 * Send a management frame error response to the specified 1038 * station. If ni is associated with the station then use 1039 * it; otherwise allocate a temporary node suitable for 1040 * transmitting the frame and then free the reference so 1041 * it will go away as soon as the frame has been transmitted. 1042 */ 1043 static void 1044 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1045 const u_int8_t *mac, int subtype, int arg) 1046 { 1047 int istmp; 1048 1049 if (ni == ic->ic_bss) { 1050 ni = ieee80211_tmp_node(ic, mac); 1051 if (ni == NULL) { 1052 /* XXX msg */ 1053 return; 1054 } 1055 istmp = 1; 1056 } else 1057 istmp = 0; 1058 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1059 if (istmp) 1060 ieee80211_free_node(ni); 1061 } 1062 1063 static int 1064 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1065 { 1066 if (ni->ni_challenge == NULL) 1067 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1068 M_DEVBUF, M_NOWAIT); 1069 if (ni->ni_challenge == NULL) { 1070 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1071 1072 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1073 "[%s] shared key challenge alloc failed\n", 1074 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1075 /* XXX statistic */ 1076 } 1077 return (ni->ni_challenge != NULL); 1078 } 1079 1080 /* XXX TODO: add statistics */ 1081 static void 1082 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1083 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1084 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1085 { 1086 u_int8_t *challenge; 1087 int estatus; 1088 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1089 1090 /* 1091 * NB: this can happen as we allow pre-shared key 1092 * authentication to be enabled w/o wep being turned 1093 * on so that configuration of these can be done 1094 * in any order. It may be better to enforce the 1095 * ordering in which case this check would just be 1096 * for sanity/consistency. 1097 */ 1098 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1099 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1100 ni->ni_macaddr, "shared key auth", 1101 "%s", " PRIVACY is disabled"); 1102 estatus = IEEE80211_STATUS_ALG; 1103 goto bad; 1104 } 1105 /* 1106 * Pre-shared key authentication is evil; accept 1107 * it only if explicitly configured (it is supported 1108 * mainly for compatibility with clients like OS X). 1109 */ 1110 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1111 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1112 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1113 ni->ni_macaddr, "shared key auth", 1114 "bad sta auth mode %u", ni->ni_authmode); 1115 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1116 estatus = IEEE80211_STATUS_ALG; 1117 goto bad; 1118 } 1119 1120 challenge = NULL; 1121 if (frm + 1 < efrm) { 1122 if ((frm[1] + 2) > (efrm - frm)) { 1123 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1124 ni->ni_macaddr, "shared key auth", 1125 "ie %d/%d too long", 1126 frm[0], (frm[1] + 2) - (efrm - frm)); 1127 ic->ic_stats.is_rx_bad_auth++; 1128 estatus = IEEE80211_STATUS_CHALLENGE; 1129 goto bad; 1130 } 1131 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1132 challenge = frm; 1133 frm += frm[1] + 2; 1134 } 1135 switch (seq) { 1136 case IEEE80211_AUTH_SHARED_CHALLENGE: 1137 case IEEE80211_AUTH_SHARED_RESPONSE: 1138 if (challenge == NULL) { 1139 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1140 ni->ni_macaddr, "shared key auth", 1141 "%s", "no challenge"); 1142 ic->ic_stats.is_rx_bad_auth++; 1143 estatus = IEEE80211_STATUS_CHALLENGE; 1144 goto bad; 1145 } 1146 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1147 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1148 ni->ni_macaddr, "shared key auth", 1149 "bad challenge len %d", challenge[1]); 1150 ic->ic_stats.is_rx_bad_auth++; 1151 estatus = IEEE80211_STATUS_CHALLENGE; 1152 goto bad; 1153 } 1154 default: 1155 break; 1156 } 1157 switch (ic->ic_opmode) { 1158 case IEEE80211_M_MONITOR: 1159 case IEEE80211_M_AHDEMO: 1160 case IEEE80211_M_IBSS: 1161 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1162 ni->ni_macaddr, "shared key auth", 1163 "bad operating mode %u", ic->ic_opmode); 1164 return; 1165 case IEEE80211_M_HOSTAP: 1166 #ifndef IEEE80211_NO_HOSTAP 1167 { 1168 int allocbs; 1169 if (ic->ic_state != IEEE80211_S_RUN) { 1170 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1171 ni->ni_macaddr, "shared key auth", 1172 "bad state %u", ic->ic_state); 1173 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1174 goto bad; 1175 } 1176 switch (seq) { 1177 case IEEE80211_AUTH_SHARED_REQUEST: 1178 if (ni == ic->ic_bss) { 1179 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1180 if (ni == NULL) { 1181 /* NB: no way to return an error */ 1182 return; 1183 } 1184 allocbs = 1; 1185 } else { 1186 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1187 (void) ieee80211_ref_node(ni); 1188 allocbs = 0; 1189 } 1190 __USE(allocbs); 1191 /* 1192 * Mark the node as referenced to reflect that its 1193 * reference count has been bumped to insure it remains 1194 * after the transaction completes. 1195 */ 1196 ni->ni_flags |= IEEE80211_NODE_AREF; 1197 ni->ni_rssi = rssi; 1198 ni->ni_rstamp = rstamp; 1199 if (!alloc_challenge(ic, ni)) { 1200 /* NB: don't return error so they rexmit */ 1201 return; 1202 } 1203 get_random_bytes(ni->ni_challenge, 1204 IEEE80211_CHALLENGE_LEN); 1205 IEEE80211_DPRINTF(ic, 1206 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1207 "[%s] shared key %sauth request\n", 1208 ether_snprintf(ebuf, sizeof(ebuf), 1209 ni->ni_macaddr), 1210 allocbs ? "" : "re"); 1211 break; 1212 case IEEE80211_AUTH_SHARED_RESPONSE: 1213 if (ni == ic->ic_bss) { 1214 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1215 ni->ni_macaddr, "shared key response", 1216 "%s", "unknown station"); 1217 /* NB: don't send a response */ 1218 return; 1219 } 1220 if (ni->ni_challenge == NULL) { 1221 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1222 ni->ni_macaddr, "shared key response", 1223 "%s", "no challenge recorded"); 1224 ic->ic_stats.is_rx_bad_auth++; 1225 estatus = IEEE80211_STATUS_CHALLENGE; 1226 goto bad; 1227 } 1228 if (memcmp(ni->ni_challenge, &challenge[2], 1229 challenge[1]) != 0) { 1230 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1231 ni->ni_macaddr, "shared key response", 1232 "%s", "challenge mismatch"); 1233 ic->ic_stats.is_rx_auth_fail++; 1234 estatus = IEEE80211_STATUS_CHALLENGE; 1235 goto bad; 1236 } 1237 IEEE80211_DPRINTF(ic, 1238 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1239 "[%s] station authenticated (shared key)\n", 1240 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1241 ieee80211_node_authorize(ni); 1242 break; 1243 default: 1244 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1245 ni->ni_macaddr, "shared key auth", 1246 "bad seq %d", seq); 1247 ic->ic_stats.is_rx_bad_auth++; 1248 estatus = IEEE80211_STATUS_SEQUENCE; 1249 goto bad; 1250 } 1251 IEEE80211_SEND_MGMT(ic, ni, 1252 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1253 } 1254 #endif /* !IEEE80211_NO_HOSTAP */ 1255 break; 1256 1257 case IEEE80211_M_STA: 1258 if (ic->ic_state != IEEE80211_S_AUTH) 1259 return; 1260 switch (seq) { 1261 case IEEE80211_AUTH_SHARED_PASS: 1262 if (ni->ni_challenge != NULL) { 1263 free(ni->ni_challenge, M_DEVBUF); 1264 ni->ni_challenge = NULL; 1265 } 1266 if (status != 0) { 1267 IEEE80211_DPRINTF(ic, 1268 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1269 "[%s] shared key auth failed (reason %d)\n", 1270 ether_snprintf(ebuf, sizeof(ebuf), 1271 ieee80211_getbssid(ic, wh)), 1272 status); 1273 /* XXX can this happen? */ 1274 if (ni != ic->ic_bss) 1275 ni->ni_fails++; 1276 ic->ic_stats.is_rx_auth_fail++; 1277 return; 1278 } 1279 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1280 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1281 break; 1282 case IEEE80211_AUTH_SHARED_CHALLENGE: 1283 if (!alloc_challenge(ic, ni)) 1284 return; 1285 /* XXX could optimize by passing recvd challenge */ 1286 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1287 IEEE80211_SEND_MGMT(ic, ni, 1288 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1289 break; 1290 default: 1291 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1292 wh, "shared key auth", "bad seq %d", seq); 1293 ic->ic_stats.is_rx_bad_auth++; 1294 return; 1295 } 1296 break; 1297 } 1298 return; 1299 bad: 1300 #ifndef IEEE80211_NO_HOSTAP 1301 /* 1302 * Send an error response; but only when operating as an AP. 1303 */ 1304 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1305 /* XXX hack to workaround calling convention */ 1306 ieee80211_send_error(ic, ni, wh->i_addr2, 1307 IEEE80211_FC0_SUBTYPE_AUTH, 1308 (seq + 1) | (estatus<<16)); 1309 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1310 /* 1311 * Kick the state machine. This short-circuits 1312 * using the mgt frame timeout to trigger the 1313 * state transition. 1314 */ 1315 if (ic->ic_state == IEEE80211_S_AUTH) 1316 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1317 } 1318 #else 1319 ; 1320 #endif /* !IEEE80211_NO_HOSTAP */ 1321 } 1322 1323 /* Verify the existence and length of __elem or get out. */ 1324 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1325 if ((__elem) == NULL) { \ 1326 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1327 wh, ieee80211_mgt_subtype_name[subtype >> \ 1328 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1329 "%s", "no " #__elem ); \ 1330 ic->ic_stats.is_rx_elem_missing++; \ 1331 return; \ 1332 } \ 1333 if ((__elem)[1] > (__maxlen)) { \ 1334 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1335 wh, ieee80211_mgt_subtype_name[subtype >> \ 1336 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1337 "bad " #__elem " len %d", (__elem)[1]); \ 1338 ic->ic_stats.is_rx_elem_toobig++; \ 1339 return; \ 1340 } \ 1341 } while (0) 1342 1343 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1344 if ((_len) < (_minlen)) { \ 1345 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1346 wh, ieee80211_mgt_subtype_name[subtype >> \ 1347 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1348 "%s", "ie too short"); \ 1349 ic->ic_stats.is_rx_elem_toosmall++; \ 1350 return; \ 1351 } \ 1352 } while (0) 1353 1354 #ifdef IEEE80211_DEBUG 1355 static void 1356 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1357 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1358 { 1359 char ebuf[3 * ETHER_ADDR_LEN]; 1360 1361 printf("[%s] discard %s frame, ssid mismatch: ", 1362 ether_snprintf(ebuf, sizeof(ebuf), mac), tag); 1363 ieee80211_print_essid(ssid + 2, ssid[1]); 1364 printf("\n"); 1365 } 1366 1367 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1368 if ((_ssid)[1] != 0 && \ 1369 ((_ssid)[1] != (_ni)->ni_esslen || \ 1370 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1371 if (ieee80211_msg_input(ic)) \ 1372 ieee80211_ssid_mismatch(ic, \ 1373 ieee80211_mgt_subtype_name[subtype >> \ 1374 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1375 wh->i_addr2, _ssid); \ 1376 ic->ic_stats.is_rx_ssidmismatch++; \ 1377 return; \ 1378 } \ 1379 } while (0) 1380 #else /* !IEEE80211_DEBUG */ 1381 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1382 if ((_ssid)[1] != 0 && \ 1383 ((_ssid)[1] != (_ni)->ni_esslen || \ 1384 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1385 ic->ic_stats.is_rx_ssidmismatch++; \ 1386 return; \ 1387 } \ 1388 } while (0) 1389 #endif /* !IEEE80211_DEBUG */ 1390 1391 /* unaligned little endian access */ 1392 #define LE_READ_2(p) \ 1393 ((u_int16_t) \ 1394 ((((const u_int8_t *)(p))[0] ) | \ 1395 (((const u_int8_t *)(p))[1] << 8))) 1396 #define LE_READ_4(p) \ 1397 ((u_int32_t) \ 1398 ((((const u_int8_t *)(p))[0] ) | \ 1399 (((const u_int8_t *)(p))[1] << 8) | \ 1400 (((const u_int8_t *)(p))[2] << 16) | \ 1401 (((const u_int8_t *)(p))[3] << 24))) 1402 1403 static __inline int 1404 iswpaoui(const u_int8_t *frm) 1405 { 1406 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1407 } 1408 1409 static __inline int 1410 iswmeoui(const u_int8_t *frm) 1411 { 1412 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1413 } 1414 1415 static __inline int 1416 iswmeparam(const u_int8_t *frm) 1417 { 1418 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1419 frm[6] == WME_PARAM_OUI_SUBTYPE; 1420 } 1421 1422 static __inline int 1423 iswmeinfo(const u_int8_t *frm) 1424 { 1425 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1426 frm[6] == WME_INFO_OUI_SUBTYPE; 1427 } 1428 1429 /* 1430 * Convert a WPA cipher selector OUI to an internal 1431 * cipher algorithm. Where appropriate we also 1432 * record any key length. 1433 */ 1434 static int 1435 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1436 { 1437 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1438 u_int32_t w = LE_READ_4(sel); 1439 1440 switch (w) { 1441 case WPA_SEL(WPA_CSE_NULL): 1442 return IEEE80211_CIPHER_NONE; 1443 case WPA_SEL(WPA_CSE_WEP40): 1444 if (keylen) 1445 *keylen = 40 / NBBY; 1446 return IEEE80211_CIPHER_WEP; 1447 case WPA_SEL(WPA_CSE_WEP104): 1448 if (keylen) 1449 *keylen = 104 / NBBY; 1450 return IEEE80211_CIPHER_WEP; 1451 case WPA_SEL(WPA_CSE_TKIP): 1452 return IEEE80211_CIPHER_TKIP; 1453 case WPA_SEL(WPA_CSE_CCMP): 1454 return IEEE80211_CIPHER_AES_CCM; 1455 } 1456 return 32; /* NB: so 1<< is discarded */ 1457 #undef WPA_SEL 1458 } 1459 1460 /* 1461 * Convert a WPA key management/authentication algorithm 1462 * to an internal code. 1463 */ 1464 static int 1465 wpa_keymgmt(u_int8_t *sel) 1466 { 1467 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1468 u_int32_t w = LE_READ_4(sel); 1469 1470 switch (w) { 1471 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1472 return WPA_ASE_8021X_UNSPEC; 1473 case WPA_SEL(WPA_ASE_8021X_PSK): 1474 return WPA_ASE_8021X_PSK; 1475 case WPA_SEL(WPA_ASE_NONE): 1476 return WPA_ASE_NONE; 1477 } 1478 return 0; /* NB: so is discarded */ 1479 #undef WPA_SEL 1480 } 1481 1482 /* 1483 * Parse a WPA information element to collect parameters 1484 * and validate the parameters against what has been 1485 * configured for the system. 1486 */ 1487 static int 1488 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1489 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1490 { 1491 u_int8_t len = frm[1]; 1492 u_int32_t w; 1493 int n; 1494 1495 /* 1496 * Check the length once for fixed parts: OUI, type, 1497 * version, mcast cipher, and 2 selector counts. 1498 * Other, variable-length data, must be checked separately. 1499 */ 1500 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1501 IEEE80211_DISCARD_IE(ic, 1502 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1503 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1504 return IEEE80211_REASON_IE_INVALID; 1505 } 1506 if (len < 14) { 1507 IEEE80211_DISCARD_IE(ic, 1508 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1509 wh, "WPA", "too short, len %u", len); 1510 return IEEE80211_REASON_IE_INVALID; 1511 } 1512 frm += 6, len -= 4; /* NB: len is payload only */ 1513 /* NB: iswapoui already validated the OUI and type */ 1514 w = LE_READ_2(frm); 1515 if (w != WPA_VERSION) { 1516 IEEE80211_DISCARD_IE(ic, 1517 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1518 wh, "WPA", "bad version %u", w); 1519 return IEEE80211_REASON_IE_INVALID; 1520 } 1521 frm += 2, len -= 2; 1522 1523 /* multicast/group cipher */ 1524 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1525 if (w != rsn->rsn_mcastcipher) { 1526 IEEE80211_DISCARD_IE(ic, 1527 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1528 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1529 w, rsn->rsn_mcastcipher); 1530 return IEEE80211_REASON_IE_INVALID; 1531 } 1532 frm += 4, len -= 4; 1533 1534 /* unicast ciphers */ 1535 n = LE_READ_2(frm); 1536 frm += 2, len -= 2; 1537 if (len < n*4+2) { 1538 IEEE80211_DISCARD_IE(ic, 1539 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1540 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1541 len, n); 1542 return IEEE80211_REASON_IE_INVALID; 1543 } 1544 w = 0; 1545 for (; n > 0; n--) { 1546 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1547 frm += 4, len -= 4; 1548 } 1549 w &= rsn->rsn_ucastcipherset; 1550 if (w == 0) { 1551 IEEE80211_DISCARD_IE(ic, 1552 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1553 wh, "WPA", "%s", "ucast cipher set empty"); 1554 return IEEE80211_REASON_IE_INVALID; 1555 } 1556 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1557 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1558 else 1559 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1560 1561 /* key management algorithms */ 1562 n = LE_READ_2(frm); 1563 frm += 2, len -= 2; 1564 if (len < n*4) { 1565 IEEE80211_DISCARD_IE(ic, 1566 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1567 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1568 len, n); 1569 return IEEE80211_REASON_IE_INVALID; 1570 } 1571 w = 0; 1572 for (; n > 0; n--) { 1573 w |= wpa_keymgmt(frm); 1574 frm += 4, len -= 4; 1575 } 1576 w &= rsn->rsn_keymgmtset; 1577 if (w == 0) { 1578 IEEE80211_DISCARD_IE(ic, 1579 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1580 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1581 return IEEE80211_REASON_IE_INVALID; 1582 } 1583 if (w & WPA_ASE_8021X_UNSPEC) 1584 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1585 else 1586 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1587 1588 if (len > 2) /* optional capabilities */ 1589 rsn->rsn_caps = LE_READ_2(frm); 1590 1591 return 0; 1592 } 1593 1594 /* 1595 * Convert an RSN cipher selector OUI to an internal 1596 * cipher algorithm. Where appropriate we also 1597 * record any key length. 1598 */ 1599 static int 1600 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1601 { 1602 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1603 u_int32_t w = LE_READ_4(sel); 1604 1605 switch (w) { 1606 case RSN_SEL(RSN_CSE_NULL): 1607 return IEEE80211_CIPHER_NONE; 1608 case RSN_SEL(RSN_CSE_WEP40): 1609 if (keylen) 1610 *keylen = 40 / NBBY; 1611 return IEEE80211_CIPHER_WEP; 1612 case RSN_SEL(RSN_CSE_WEP104): 1613 if (keylen) 1614 *keylen = 104 / NBBY; 1615 return IEEE80211_CIPHER_WEP; 1616 case RSN_SEL(RSN_CSE_TKIP): 1617 return IEEE80211_CIPHER_TKIP; 1618 case RSN_SEL(RSN_CSE_CCMP): 1619 return IEEE80211_CIPHER_AES_CCM; 1620 case RSN_SEL(RSN_CSE_WRAP): 1621 return IEEE80211_CIPHER_AES_OCB; 1622 } 1623 return 32; /* NB: so 1<< is discarded */ 1624 #undef WPA_SEL 1625 } 1626 1627 /* 1628 * Convert an RSN key management/authentication algorithm 1629 * to an internal code. 1630 */ 1631 static int 1632 rsn_keymgmt(u_int8_t *sel) 1633 { 1634 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1635 u_int32_t w = LE_READ_4(sel); 1636 1637 switch (w) { 1638 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1639 return RSN_ASE_8021X_UNSPEC; 1640 case RSN_SEL(RSN_ASE_8021X_PSK): 1641 return RSN_ASE_8021X_PSK; 1642 case RSN_SEL(RSN_ASE_NONE): 1643 return RSN_ASE_NONE; 1644 } 1645 return 0; /* NB: so is discarded */ 1646 #undef RSN_SEL 1647 } 1648 1649 /* 1650 * Parse a WPA/RSN information element to collect parameters 1651 * and validate the parameters against what has been 1652 * configured for the system. 1653 */ 1654 static int 1655 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1656 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1657 { 1658 u_int8_t len = frm[1]; 1659 u_int32_t w; 1660 int n; 1661 1662 /* 1663 * Check the length once for fixed parts: 1664 * version, mcast cipher, and 2 selector counts. 1665 * Other, variable-length data, must be checked separately. 1666 */ 1667 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1668 IEEE80211_DISCARD_IE(ic, 1669 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1670 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1671 return IEEE80211_REASON_IE_INVALID; 1672 } 1673 if (len < 10) { 1674 IEEE80211_DISCARD_IE(ic, 1675 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1676 wh, "RSN", "too short, len %u", len); 1677 return IEEE80211_REASON_IE_INVALID; 1678 } 1679 frm += 2; 1680 w = LE_READ_2(frm); 1681 if (w != RSN_VERSION) { 1682 IEEE80211_DISCARD_IE(ic, 1683 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1684 wh, "RSN", "bad version %u", w); 1685 return IEEE80211_REASON_IE_INVALID; 1686 } 1687 frm += 2, len -= 2; 1688 1689 /* multicast/group cipher */ 1690 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1691 if (w != rsn->rsn_mcastcipher) { 1692 IEEE80211_DISCARD_IE(ic, 1693 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1694 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1695 w, rsn->rsn_mcastcipher); 1696 return IEEE80211_REASON_IE_INVALID; 1697 } 1698 frm += 4, len -= 4; 1699 1700 /* unicast ciphers */ 1701 n = LE_READ_2(frm); 1702 frm += 2, len -= 2; 1703 if (len < n*4+2) { 1704 IEEE80211_DISCARD_IE(ic, 1705 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1706 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1707 len, n); 1708 return IEEE80211_REASON_IE_INVALID; 1709 } 1710 w = 0; 1711 for (; n > 0; n--) { 1712 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1713 frm += 4, len -= 4; 1714 } 1715 w &= rsn->rsn_ucastcipherset; 1716 if (w == 0) { 1717 IEEE80211_DISCARD_IE(ic, 1718 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1719 wh, "RSN", "%s", "ucast cipher set empty"); 1720 return IEEE80211_REASON_IE_INVALID; 1721 } 1722 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1723 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1724 else 1725 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1726 1727 /* key management algorithms */ 1728 n = LE_READ_2(frm); 1729 frm += 2, len -= 2; 1730 if (len < n*4) { 1731 IEEE80211_DISCARD_IE(ic, 1732 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1733 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1734 len, n); 1735 return IEEE80211_REASON_IE_INVALID; 1736 } 1737 w = 0; 1738 for (; n > 0; n--) { 1739 w |= rsn_keymgmt(frm); 1740 frm += 4, len -= 4; 1741 } 1742 w &= rsn->rsn_keymgmtset; 1743 if (w == 0) { 1744 IEEE80211_DISCARD_IE(ic, 1745 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1746 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1747 return IEEE80211_REASON_IE_INVALID; 1748 } 1749 if (w & RSN_ASE_8021X_UNSPEC) 1750 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1751 else 1752 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1753 1754 /* optional RSN capabilities */ 1755 if (len > 2) 1756 rsn->rsn_caps = LE_READ_2(frm); 1757 /* XXXPMKID */ 1758 1759 return 0; 1760 } 1761 1762 static int 1763 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1764 const struct ieee80211_frame *wh) 1765 { 1766 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1767 struct ieee80211_wme_state *wme = &ic->ic_wme; 1768 u_int len = frm[1], qosinfo; 1769 int i; 1770 1771 if (len < sizeof(struct ieee80211_wme_param)-2) { 1772 IEEE80211_DISCARD_IE(ic, 1773 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1774 wh, "WME", "too short, len %u", len); 1775 return -1; 1776 } 1777 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1778 qosinfo &= WME_QOSINFO_COUNT; 1779 /* XXX do proper check for wraparound */ 1780 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1781 return 0; 1782 frm += offsetof(struct ieee80211_wme_param, params_acParams); 1783 for (i = 0; i < WME_NUM_AC; i++) { 1784 struct wmeParams *wmep = 1785 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1786 /* NB: ACI not used */ 1787 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1788 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1789 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1790 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1791 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1792 frm += 4; 1793 } 1794 wme->wme_wmeChanParams.cap_info = qosinfo; 1795 return 1; 1796 #undef MS 1797 } 1798 1799 void 1800 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1801 { 1802 u_int ielen = ie[1]+2; 1803 /* 1804 * Record information element for later use. 1805 */ 1806 if (*iep == NULL || (*iep)[1] != ie[1]) { 1807 if (*iep != NULL) 1808 free(*iep, M_DEVBUF); 1809 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1810 } 1811 if (*iep != NULL) 1812 memcpy(*iep, ie, ielen); 1813 /* XXX note failure */ 1814 } 1815 1816 static void 1817 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1818 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1819 u_int32_t rstamp) 1820 { 1821 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1822 /* 1823 * Create a new entry in the neighbor table. 1824 * Records the TSF. 1825 */ 1826 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1827 return; 1828 } else if (ni->ni_capinfo == 0) { 1829 /* 1830 * Initialize a node that was "faked up." Records 1831 * the TSF. 1832 * 1833 * No need to check for a change of BSSID: ni could 1834 * not have been the IBSS (ic_bss) 1835 */ 1836 ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1837 } else { 1838 /* Record TSF for potential resync. */ 1839 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp)); 1840 } 1841 1842 ni->ni_rssi = rssi; 1843 ni->ni_rstamp = rstamp; 1844 1845 /* Mark a neighbor's change of BSSID. */ 1846 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 1847 return; 1848 1849 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1850 1851 if (ni != ic->ic_bss) 1852 return; 1853 else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 1854 /* 1855 * Now, ni does not represent a network we 1856 * want to belong to, so start a scan. 1857 */ 1858 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1859 return; 1860 } else { 1861 /* 1862 * A RUN->RUN transition lets the driver 1863 * reprogram its BSSID filter. 1864 * 1865 * No need to SCAN, we already belong to 1866 * an IBSS that meets our criteria: channel, 1867 * SSID, etc. It could be harmful to scan, 1868 * too: if a scan does not detect nodes 1869 * belonging to my current IBSS, then we 1870 * will create a new IBSS at the end of 1871 * the scan, needlessly splitting the 1872 * network. 1873 */ 1874 ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 1875 } 1876 } 1877 1878 void 1879 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1880 struct ieee80211_node *ni, 1881 int subtype, int rssi, u_int32_t rstamp) 1882 { 1883 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1884 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1885 struct ieee80211_frame *wh; 1886 u_int8_t *frm, *efrm; 1887 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1888 int reassoc, resp, allocbs; 1889 u_int8_t rate; 1890 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1891 1892 wh = mtod(m0, struct ieee80211_frame *); 1893 frm = (u_int8_t *)&wh[1]; 1894 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1895 switch (subtype) { 1896 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1897 case IEEE80211_FC0_SUBTYPE_BEACON: { 1898 struct ieee80211_scanparams scan; 1899 1900 /* 1901 * We process beacon/probe response frames: 1902 * o when scanning, or 1903 * o station mode when associated (to collect state 1904 * updates such as 802.11g slot time), or 1905 * o adhoc mode (to discover neighbors) 1906 * Frames otherwise received are discarded. 1907 */ 1908 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1909 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1910 ic->ic_opmode == IEEE80211_M_IBSS)) { 1911 ic->ic_stats.is_rx_mgtdiscard++; 1912 return; 1913 } 1914 /* 1915 * beacon/probe response frame format 1916 * [8] time stamp 1917 * [2] beacon interval 1918 * [2] capability information 1919 * [tlv] ssid 1920 * [tlv] supported rates 1921 * [tlv] country information 1922 * [tlv] parameter set (FH/DS) 1923 * [tlv] erp information 1924 * [tlv] extended supported rates 1925 * [tlv] WME 1926 * [tlv] WPA or RSN 1927 */ 1928 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1929 memset(&scan, 0, sizeof(scan)); 1930 scan.tstamp = frm; frm += 8; 1931 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1932 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1933 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1934 scan.chan = scan.bchan; 1935 1936 while (frm < efrm) { 1937 switch (*frm) { 1938 case IEEE80211_ELEMID_SSID: 1939 scan.ssid = frm; 1940 break; 1941 case IEEE80211_ELEMID_RATES: 1942 scan.rates = frm; 1943 break; 1944 case IEEE80211_ELEMID_COUNTRY: 1945 scan.country = frm; 1946 break; 1947 case IEEE80211_ELEMID_FHPARMS: 1948 if (ic->ic_phytype == IEEE80211_T_FH) { 1949 scan.fhdwell = LE_READ_2(&frm[2]); 1950 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1951 scan.fhindex = frm[6]; 1952 } 1953 break; 1954 case IEEE80211_ELEMID_DSPARMS: 1955 /* 1956 * XXX hack this since depending on phytype 1957 * is problematic for multi-mode devices. 1958 */ 1959 if (ic->ic_phytype != IEEE80211_T_FH) 1960 scan.chan = frm[2]; 1961 break; 1962 case IEEE80211_ELEMID_TIM: 1963 /* XXX ATIM? */ 1964 scan.tim = frm; 1965 scan.timoff = frm - mtod(m0, u_int8_t *); 1966 break; 1967 case IEEE80211_ELEMID_IBSSPARMS: 1968 break; 1969 case IEEE80211_ELEMID_XRATES: 1970 scan.xrates = frm; 1971 break; 1972 case IEEE80211_ELEMID_ERP: 1973 if (frm[1] != 1) { 1974 IEEE80211_DISCARD_IE(ic, 1975 IEEE80211_MSG_ELEMID, wh, "ERP", 1976 "bad len %u", frm[1]); 1977 ic->ic_stats.is_rx_elem_toobig++; 1978 break; 1979 } 1980 scan.erp = frm[2]; 1981 break; 1982 case IEEE80211_ELEMID_RSN: 1983 scan.wpa = frm; 1984 break; 1985 case IEEE80211_ELEMID_VENDOR: 1986 if (iswpaoui(frm)) 1987 scan.wpa = frm; 1988 else if (iswmeparam(frm) || iswmeinfo(frm)) 1989 scan.wme = frm; 1990 /* XXX Atheros OUI support */ 1991 break; 1992 default: 1993 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1994 wh, "unhandled", 1995 "id %u, len %u", *frm, frm[1]); 1996 ic->ic_stats.is_rx_elem_unknown++; 1997 break; 1998 } 1999 frm += frm[1] + 2; 2000 } 2001 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 2002 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 2003 if ( 2004 #if IEEE80211_CHAN_MAX < 255 2005 scan.chan > IEEE80211_CHAN_MAX || 2006 #endif 2007 isclr(ic->ic_chan_active, scan.chan)) { 2008 IEEE80211_DISCARD(ic, 2009 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2010 wh, ieee80211_mgt_subtype_name[subtype >> 2011 IEEE80211_FC0_SUBTYPE_SHIFT], 2012 "invalid channel %u", scan.chan); 2013 ic->ic_stats.is_rx_badchan++; 2014 return; 2015 } 2016 if (scan.chan != scan.bchan && 2017 ic->ic_phytype != IEEE80211_T_FH) { 2018 /* 2019 * Frame was received on a channel different from the 2020 * one indicated in the DS params element id; 2021 * silently discard it. 2022 * 2023 * NB: this can happen due to signal leakage. 2024 * But we should take it for FH phy because 2025 * the rssi value should be correct even for 2026 * different hop pattern in FH. 2027 */ 2028 IEEE80211_DISCARD(ic, 2029 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2030 wh, ieee80211_mgt_subtype_name[subtype >> 2031 IEEE80211_FC0_SUBTYPE_SHIFT], 2032 "for off-channel %u", scan.chan); 2033 ic->ic_stats.is_rx_chanmismatch++; 2034 return; 2035 } 2036 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 2037 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 2038 IEEE80211_DISCARD(ic, 2039 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2040 wh, ieee80211_mgt_subtype_name[subtype >> 2041 IEEE80211_FC0_SUBTYPE_SHIFT], 2042 "bogus beacon interval", scan.bintval); 2043 ic->ic_stats.is_rx_badbintval++; 2044 return; 2045 } 2046 2047 if (ni != ic->ic_bss) { 2048 ni = ieee80211_refine_node_for_beacon(ic, ni, 2049 &ic->ic_channels[scan.chan], scan.ssid); 2050 } 2051 /* 2052 * Count frame now that we know it's to be processed. 2053 */ 2054 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2055 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2056 IEEE80211_NODE_STAT(ni, rx_beacons); 2057 } else 2058 IEEE80211_NODE_STAT(ni, rx_proberesp); 2059 2060 /* 2061 * When operating in station mode, check for state updates. 2062 * Be careful to ignore beacons received while doing a 2063 * background scan. We consider only 11g/WMM stuff right now. 2064 */ 2065 if (ic->ic_opmode == IEEE80211_M_STA && 2066 ni->ni_associd != 0 && 2067 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2068 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2069 /* record tsf of last beacon */ 2070 memcpy(ni->ni_tstamp.data, scan.tstamp, 2071 sizeof(ni->ni_tstamp)); 2072 if (ni->ni_erp != scan.erp) { 2073 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2074 "[%s] erp change: was 0x%x, now 0x%x\n", 2075 ether_snprintf(ebuf, sizeof(ebuf), 2076 wh->i_addr2), ni->ni_erp, scan.erp); 2077 if (ic->ic_curmode == IEEE80211_MODE_11G && 2078 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2079 ic->ic_flags |= IEEE80211_F_USEPROT; 2080 else 2081 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2082 ni->ni_erp = scan.erp; 2083 /* XXX statistic */ 2084 } 2085 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2086 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2087 "[%s] capabilities change: before 0x%x," 2088 " now 0x%x\n", 2089 ether_snprintf(ebuf, sizeof(ebuf), 2090 wh->i_addr2), 2091 ni->ni_capinfo, scan.capinfo); 2092 /* 2093 * NB: we assume short preamble doesn't 2094 * change dynamically 2095 */ 2096 ieee80211_set_shortslottime(ic, 2097 ic->ic_curmode == IEEE80211_MODE_11A || 2098 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2099 ni->ni_capinfo = scan.capinfo; 2100 /* XXX statistic */ 2101 } 2102 if (scan.wme != NULL && 2103 (ni->ni_flags & IEEE80211_NODE_QOS) && 2104 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2105 ieee80211_wme_updateparams(ic); 2106 if (scan.tim != NULL) { 2107 struct ieee80211_tim_ie *ie = 2108 (struct ieee80211_tim_ie *) scan.tim; 2109 2110 ni->ni_dtim_count = ie->tim_count; 2111 ni->ni_dtim_period = ie->tim_period; 2112 } 2113 if (ic->ic_flags & IEEE80211_F_SCAN) 2114 ieee80211_add_scan(ic, &scan, wh, 2115 subtype, rssi, rstamp); 2116 ic->ic_bmiss_count = 0; 2117 return; 2118 } 2119 /* 2120 * If scanning, just pass information to the scan module. 2121 */ 2122 if (ic->ic_flags & IEEE80211_F_SCAN) { 2123 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2124 /* 2125 * Actively scanning a channel marked passive; 2126 * send a probe request now that we know there 2127 * is 802.11 traffic present. 2128 * 2129 * XXX check if the beacon we recv'd gives 2130 * us what we need and suppress the probe req 2131 */ 2132 ieee80211_probe_curchan(ic, 1); 2133 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2134 } 2135 ieee80211_add_scan(ic, &scan, wh, 2136 subtype, rssi, rstamp); 2137 return; 2138 } 2139 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) 2140 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, 2141 rstamp); 2142 break; 2143 } 2144 2145 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2146 if (ic->ic_opmode == IEEE80211_M_STA || 2147 ic->ic_state != IEEE80211_S_RUN) { 2148 ic->ic_stats.is_rx_mgtdiscard++; 2149 return; 2150 } 2151 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2152 /* frame must be directed */ 2153 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2154 return; 2155 } 2156 2157 /* 2158 * prreq frame format 2159 * [tlv] ssid 2160 * [tlv] supported rates 2161 * [tlv] extended supported rates 2162 */ 2163 ssid = rates = xrates = NULL; 2164 while (frm < efrm) { 2165 switch (*frm) { 2166 case IEEE80211_ELEMID_SSID: 2167 ssid = frm; 2168 break; 2169 case IEEE80211_ELEMID_RATES: 2170 rates = frm; 2171 break; 2172 case IEEE80211_ELEMID_XRATES: 2173 xrates = frm; 2174 break; 2175 } 2176 frm += frm[1] + 2; 2177 } 2178 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2179 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2180 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2181 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2182 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2183 wh, ieee80211_mgt_subtype_name[subtype >> 2184 IEEE80211_FC0_SUBTYPE_SHIFT], 2185 "%s", "no ssid with ssid suppression enabled"); 2186 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2187 return; 2188 } 2189 2190 if (ni == ic->ic_bss) { 2191 if (ic->ic_opmode != IEEE80211_M_IBSS) 2192 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2193 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) 2194 ; 2195 else { 2196 /* 2197 * XXX Cannot tell if the sender is operating 2198 * in ibss mode. But we need a new node to 2199 * send the response so blindly add them to the 2200 * neighbor table. 2201 */ 2202 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2203 wh->i_addr2); 2204 } 2205 if (ni == NULL) 2206 return; 2207 allocbs = 1; 2208 } else 2209 allocbs = 0; 2210 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2211 "[%s] recv probe req\n", ether_snprintf( 2212 ebuf, sizeof(ebuf), wh->i_addr2)); 2213 ni->ni_rssi = rssi; 2214 ni->ni_rstamp = rstamp; 2215 rate = ieee80211_setup_rates(ni, rates, xrates, 2216 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE 2217 | IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2218 if (rate & IEEE80211_RATE_BASIC) { 2219 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2220 wh, ieee80211_mgt_subtype_name[subtype >> 2221 IEEE80211_FC0_SUBTYPE_SHIFT], 2222 "%s", "recv'd rate set invalid"); 2223 } else { 2224 IEEE80211_SEND_MGMT(ic, ni, 2225 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2226 } 2227 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2228 /* reclaim immediately */ 2229 ieee80211_free_node(ni); 2230 } 2231 break; 2232 2233 case IEEE80211_FC0_SUBTYPE_AUTH: { 2234 u_int16_t algo, seq, status; 2235 /* 2236 * auth frame format 2237 * [2] algorithm 2238 * [2] sequence 2239 * [2] status 2240 * [tlv*] challenge 2241 */ 2242 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2243 algo = le16toh(*(u_int16_t *)frm); 2244 seq = le16toh(*(u_int16_t *)(frm + 2)); 2245 status = le16toh(*(u_int16_t *)(frm + 4)); 2246 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2247 "[%s] recv auth frame with algorithm %d seq %d\n", 2248 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq); 2249 /* 2250 * Consult the ACL policy module if setup. 2251 */ 2252 if (ic->ic_acl != NULL && 2253 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2254 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2255 wh, "auth", "%s", "disallowed by ACL"); 2256 ic->ic_stats.is_rx_acl++; 2257 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2258 IEEE80211_SEND_MGMT(ic, ni, 2259 IEEE80211_FC0_SUBTYPE_AUTH, 2260 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2261 } 2262 return; 2263 } 2264 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2265 IEEE80211_DISCARD(ic, 2266 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2267 wh, "auth", "%s", "TKIP countermeasures enabled"); 2268 ic->ic_stats.is_rx_auth_countermeasures++; 2269 #ifndef IEEE80211_NO_HOSTAP 2270 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2271 IEEE80211_SEND_MGMT(ic, ni, 2272 IEEE80211_FC0_SUBTYPE_AUTH, 2273 IEEE80211_REASON_MIC_FAILURE); 2274 } 2275 #endif /* !IEEE80211_NO_HOSTAP */ 2276 return; 2277 } 2278 if (algo == IEEE80211_AUTH_ALG_SHARED) 2279 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2280 rstamp, seq, status); 2281 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2282 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2283 status); 2284 else { 2285 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2286 wh, "auth", "unsupported alg %d", algo); 2287 ic->ic_stats.is_rx_auth_unsupported++; 2288 #ifndef IEEE80211_NO_HOSTAP 2289 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2290 /* XXX not right */ 2291 IEEE80211_SEND_MGMT(ic, ni, 2292 IEEE80211_FC0_SUBTYPE_AUTH, 2293 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2294 } 2295 #endif /* !IEEE80211_NO_HOSTAP */ 2296 return; 2297 } 2298 break; 2299 } 2300 2301 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2302 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2303 u_int16_t capinfo, lintval; 2304 struct ieee80211_rsnparms rsn; 2305 u_int8_t reason; 2306 2307 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2308 ic->ic_state != IEEE80211_S_RUN) { 2309 ic->ic_stats.is_rx_mgtdiscard++; 2310 return; 2311 } 2312 2313 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2314 reassoc = 1; 2315 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2316 } else { 2317 reassoc = 0; 2318 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2319 } 2320 /* 2321 * asreq frame format 2322 * [2] capability information 2323 * [2] listen interval 2324 * [6*] current AP address (reassoc only) 2325 * [tlv] ssid 2326 * [tlv] supported rates 2327 * [tlv] extended supported rates 2328 * [tlv] WPA or RSN 2329 */ 2330 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2331 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2332 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2333 wh, ieee80211_mgt_subtype_name[subtype >> 2334 IEEE80211_FC0_SUBTYPE_SHIFT], 2335 "%s", "wrong bssid"); 2336 ic->ic_stats.is_rx_assoc_bss++; 2337 return; 2338 } 2339 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2340 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2341 if (reassoc) 2342 frm += 6; /* ignore current AP info */ 2343 ssid = rates = xrates = wpa = wme = NULL; 2344 while (frm < efrm) { 2345 switch (*frm) { 2346 case IEEE80211_ELEMID_SSID: 2347 ssid = frm; 2348 break; 2349 case IEEE80211_ELEMID_RATES: 2350 rates = frm; 2351 break; 2352 case IEEE80211_ELEMID_XRATES: 2353 xrates = frm; 2354 break; 2355 /* XXX verify only one of RSN and WPA ie's? */ 2356 case IEEE80211_ELEMID_RSN: 2357 wpa = frm; 2358 break; 2359 case IEEE80211_ELEMID_VENDOR: 2360 if (iswpaoui(frm)) 2361 wpa = frm; 2362 else if (iswmeinfo(frm)) 2363 wme = frm; 2364 /* XXX Atheros OUI support */ 2365 break; 2366 } 2367 frm += frm[1] + 2; 2368 } 2369 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2370 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2371 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2372 2373 if (ni == ic->ic_bss) { 2374 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2375 "[%s] deny %s request, sta not authenticated\n", 2376 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2377 reassoc ? "reassoc" : "assoc"); 2378 ieee80211_send_error(ic, ni, wh->i_addr2, 2379 IEEE80211_FC0_SUBTYPE_DEAUTH, 2380 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2381 ic->ic_stats.is_rx_assoc_notauth++; 2382 return; 2383 } 2384 /* assert right associstion security credentials */ 2385 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2386 IEEE80211_DPRINTF(ic, 2387 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2388 "[%s] no WPA/RSN IE in association request\n", 2389 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2390 IEEE80211_SEND_MGMT(ic, ni, 2391 IEEE80211_FC0_SUBTYPE_DEAUTH, 2392 IEEE80211_REASON_RSN_REQUIRED); 2393 ieee80211_node_leave(ic, ni); 2394 /* XXX distinguish WPA/RSN? */ 2395 ic->ic_stats.is_rx_assoc_badwpaie++; 2396 return; 2397 } 2398 if (wpa != NULL) { 2399 /* 2400 * Parse WPA information element. Note that 2401 * we initialize the param block from the node 2402 * state so that information in the IE overrides 2403 * our defaults. The resulting parameters are 2404 * installed below after the association is assured. 2405 */ 2406 rsn = ni->ni_rsn; 2407 if (wpa[0] != IEEE80211_ELEMID_RSN) 2408 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2409 else 2410 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2411 if (reason != 0) { 2412 IEEE80211_SEND_MGMT(ic, ni, 2413 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2414 ieee80211_node_leave(ic, ni); 2415 /* XXX distinguish WPA/RSN? */ 2416 ic->ic_stats.is_rx_assoc_badwpaie++; 2417 return; 2418 } 2419 IEEE80211_DPRINTF(ic, 2420 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2421 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2422 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2423 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2424 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2425 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2426 rsn.rsn_keymgmt, rsn.rsn_caps); 2427 } 2428 /* discard challenge after association */ 2429 if (ni->ni_challenge != NULL) { 2430 free(ni->ni_challenge, M_DEVBUF); 2431 ni->ni_challenge = NULL; 2432 } 2433 /* NB: 802.11 spec says to ignore station's privacy bit */ 2434 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2435 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2436 "[%s] deny %s request, capability mismatch 0x%x\n", 2437 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2438 reassoc ? "reassoc" : "assoc", capinfo); 2439 IEEE80211_SEND_MGMT(ic, ni, resp, 2440 IEEE80211_STATUS_CAPINFO); 2441 ieee80211_node_leave(ic, ni); 2442 ic->ic_stats.is_rx_assoc_capmismatch++; 2443 return; 2444 } 2445 rate = ieee80211_setup_rates(ni, rates, xrates, 2446 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2447 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2448 /* 2449 * If constrained to 11g-only stations reject an 2450 * 11b-only station. We cheat a bit here by looking 2451 * at the max negotiated xmit rate and assuming anyone 2452 * with a best rate <24Mb/s is an 11b station. 2453 */ 2454 if ((rate & IEEE80211_RATE_BASIC) || 2455 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2456 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2457 "[%s] deny %s request, rate set mismatch\n", 2458 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2459 reassoc ? "reassoc" : "assoc"); 2460 IEEE80211_SEND_MGMT(ic, ni, resp, 2461 IEEE80211_STATUS_BASIC_RATE); 2462 ieee80211_node_leave(ic, ni); 2463 ic->ic_stats.is_rx_assoc_norate++; 2464 return; 2465 } 2466 ni->ni_rssi = rssi; 2467 ni->ni_rstamp = rstamp; 2468 ni->ni_intval = lintval; 2469 ni->ni_capinfo = capinfo; 2470 ni->ni_chan = ic->ic_bss->ni_chan; 2471 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2472 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2473 if (wpa != NULL) { 2474 /* 2475 * Record WPA/RSN parameters for station, mark 2476 * node as using WPA and record information element 2477 * for applications that require it. 2478 */ 2479 ni->ni_rsn = rsn; 2480 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2481 } else if (ni->ni_wpa_ie != NULL) { 2482 /* 2483 * Flush any state from a previous association. 2484 */ 2485 free(ni->ni_wpa_ie, M_DEVBUF); 2486 ni->ni_wpa_ie = NULL; 2487 } 2488 if (wme != NULL) { 2489 /* 2490 * Record WME parameters for station, mark node 2491 * as capable of QoS and record information 2492 * element for applications that require it. 2493 */ 2494 ieee80211_saveie(&ni->ni_wme_ie, wme); 2495 ni->ni_flags |= IEEE80211_NODE_QOS; 2496 } else if (ni->ni_wme_ie != NULL) { 2497 /* 2498 * Flush any state from a previous association. 2499 */ 2500 free(ni->ni_wme_ie, M_DEVBUF); 2501 ni->ni_wme_ie = NULL; 2502 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2503 } 2504 ieee80211_node_join(ic, ni, resp); 2505 break; 2506 } 2507 2508 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2509 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2510 u_int16_t capinfo, associd; 2511 u_int16_t status; 2512 2513 if (ic->ic_opmode != IEEE80211_M_STA || 2514 ic->ic_state != IEEE80211_S_ASSOC) { 2515 ic->ic_stats.is_rx_mgtdiscard++; 2516 return; 2517 } 2518 2519 /* 2520 * asresp frame format 2521 * [2] capability information 2522 * [2] status 2523 * [2] association ID 2524 * [tlv] supported rates 2525 * [tlv] extended supported rates 2526 * [tlv] WME 2527 */ 2528 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2529 ni = ic->ic_bss; 2530 capinfo = le16toh(*(u_int16_t *)frm); 2531 frm += 2; 2532 status = le16toh(*(u_int16_t *)frm); 2533 frm += 2; 2534 if (status != 0) { 2535 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2536 "[%s] %sassoc failed (reason %d)\n", 2537 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2538 ISREASSOC(subtype) ? "re" : "", status); 2539 if (ni != ic->ic_bss) /* XXX never true? */ 2540 ni->ni_fails++; 2541 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2542 return; 2543 } 2544 associd = le16toh(*(u_int16_t *)frm); 2545 frm += 2; 2546 2547 rates = xrates = wpa = wme = NULL; 2548 while (frm < efrm) { 2549 switch (*frm) { 2550 case IEEE80211_ELEMID_RATES: 2551 rates = frm; 2552 break; 2553 case IEEE80211_ELEMID_XRATES: 2554 xrates = frm; 2555 break; 2556 case IEEE80211_ELEMID_VENDOR: 2557 if (iswmeoui(frm)) 2558 wme = frm; 2559 /* XXX Atheros OUI support */ 2560 break; 2561 } 2562 frm += frm[1] + 2; 2563 } 2564 2565 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2566 rate = ieee80211_setup_rates(ni, rates, xrates, 2567 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2568 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2569 if (rate & IEEE80211_RATE_BASIC) { 2570 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2571 "[%s] %sassoc failed (rate set mismatch)\n", 2572 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2573 ISREASSOC(subtype) ? "re" : ""); 2574 if (ni != ic->ic_bss) /* XXX never true? */ 2575 ni->ni_fails++; 2576 ic->ic_stats.is_rx_assoc_norate++; 2577 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2578 return; 2579 } 2580 2581 ni->ni_capinfo = capinfo; 2582 ni->ni_associd = associd; 2583 if (wme != NULL && 2584 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2585 ni->ni_flags |= IEEE80211_NODE_QOS; 2586 ieee80211_wme_updateparams(ic); 2587 } else 2588 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2589 /* 2590 * Configure state now that we are associated. 2591 * 2592 * XXX may need different/additional driver callbacks? 2593 */ 2594 if (ic->ic_curmode == IEEE80211_MODE_11A || 2595 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2596 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2597 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2598 } else { 2599 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2600 ic->ic_flags |= IEEE80211_F_USEBARKER; 2601 } 2602 ieee80211_set_shortslottime(ic, 2603 ic->ic_curmode == IEEE80211_MODE_11A || 2604 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2605 /* 2606 * Honor ERP protection. 2607 * 2608 * NB: ni_erp should zero for non-11g operation. 2609 * XXX check ic_curmode anyway? 2610 */ 2611 if (ic->ic_curmode == IEEE80211_MODE_11G && 2612 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2613 ic->ic_flags |= IEEE80211_F_USEPROT; 2614 else 2615 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2616 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2617 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2618 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2619 ISREASSOC(subtype) ? "re" : "", 2620 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2621 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2622 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2623 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2624 ); 2625 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2626 break; 2627 } 2628 2629 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2630 u_int16_t reason; 2631 2632 if (ic->ic_state == IEEE80211_S_SCAN) { 2633 ic->ic_stats.is_rx_mgtdiscard++; 2634 return; 2635 } 2636 /* 2637 * deauth frame format 2638 * [2] reason 2639 */ 2640 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2641 reason = le16toh(*(u_int16_t *)frm); 2642 __USE(reason); 2643 ic->ic_stats.is_rx_deauth++; 2644 IEEE80211_NODE_STAT(ni, rx_deauth); 2645 2646 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2647 /* Not intended for this station. */ 2648 ic->ic_stats.is_rx_mgtdiscard++; 2649 break; 2650 } 2651 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2652 "[%s] recv deauthenticate (reason %d)\n", 2653 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2654 switch (ic->ic_opmode) { 2655 case IEEE80211_M_STA: 2656 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2657 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2658 break; 2659 case IEEE80211_M_HOSTAP: 2660 #ifndef IEEE80211_NO_HOSTAP 2661 if (ni != ic->ic_bss) 2662 ieee80211_node_leave(ic, ni); 2663 #endif /* !IEEE80211_NO_HOSTAP */ 2664 break; 2665 default: 2666 ic->ic_stats.is_rx_mgtdiscard++; 2667 break; 2668 } 2669 break; 2670 } 2671 2672 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2673 u_int16_t reason; 2674 2675 if (ic->ic_state != IEEE80211_S_RUN && 2676 ic->ic_state != IEEE80211_S_ASSOC && 2677 ic->ic_state != IEEE80211_S_AUTH) { 2678 ic->ic_stats.is_rx_mgtdiscard++; 2679 return; 2680 } 2681 /* 2682 * disassoc frame format 2683 * [2] reason 2684 */ 2685 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2686 reason = le16toh(*(u_int16_t *)frm); 2687 __USE(reason); 2688 ic->ic_stats.is_rx_disassoc++; 2689 IEEE80211_NODE_STAT(ni, rx_disassoc); 2690 2691 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2692 /* Not intended for this station. */ 2693 ic->ic_stats.is_rx_mgtdiscard++; 2694 break; 2695 } 2696 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2697 "[%s] recv disassociate (reason %d)\n", 2698 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2699 switch (ic->ic_opmode) { 2700 case IEEE80211_M_STA: 2701 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2702 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2703 break; 2704 case IEEE80211_M_HOSTAP: 2705 #ifndef IEEE80211_NO_HOSTAP 2706 if (ni != ic->ic_bss) 2707 ieee80211_node_leave(ic, ni); 2708 #endif /* !IEEE80211_NO_HOSTAP */ 2709 break; 2710 default: 2711 ic->ic_stats.is_rx_mgtdiscard++; 2712 break; 2713 } 2714 break; 2715 } 2716 default: 2717 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2718 wh, "mgt", "subtype 0x%x not handled", subtype); 2719 ic->ic_stats.is_rx_badsubtype++; 2720 break; 2721 } 2722 #undef ISREASSOC 2723 #undef ISPROBE 2724 } 2725 #undef IEEE80211_VERIFY_LENGTH 2726 #undef IEEE80211_VERIFY_ELEMENT 2727 2728 #ifndef IEEE80211_NO_HOSTAP 2729 /* 2730 * Handle station power-save state change. 2731 */ 2732 static void 2733 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2734 { 2735 struct ieee80211com *ic = ni->ni_ic; 2736 struct mbuf *m; 2737 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2738 2739 if (enable) { 2740 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2741 ic->ic_ps_sta++; 2742 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2743 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2744 "[%s] power save mode on, %u sta's in ps mode\n", 2745 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2746 ic->ic_ps_sta); 2747 return; 2748 } 2749 2750 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2751 ic->ic_ps_sta--; 2752 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2753 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2754 "[%s] power save mode off, %u sta's in ps mode\n", 2755 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta); 2756 /* XXX if no stations in ps mode, flush mc frames */ 2757 2758 /* 2759 * Flush queued unicast frames. 2760 */ 2761 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2762 if (ic->ic_set_tim != NULL) 2763 ic->ic_set_tim(ni, 0); /* just in case */ 2764 return; 2765 } 2766 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2767 "[%s] flush ps queue, %u packets queued\n", 2768 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2769 IEEE80211_NODE_SAVEQ_QLEN(ni)); 2770 for (;;) { 2771 int qlen; 2772 2773 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2774 if (m == NULL) 2775 break; 2776 /* 2777 * If this is the last packet, turn off the TIM bit. 2778 * If there are more packets, set the more packets bit 2779 * in the mbuf so ieee80211_encap will mark the 802.11 2780 * head to indicate more data frames will follow. 2781 */ 2782 if (qlen != 0) 2783 m->m_flags |= M_MORE_DATA; 2784 /* XXX need different driver interface */ 2785 /* XXX bypasses q max */ 2786 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2787 } 2788 if (ic->ic_set_tim != NULL) 2789 ic->ic_set_tim(ni, 0); 2790 } 2791 2792 /* 2793 * Process a received ps-poll frame. 2794 */ 2795 static void 2796 ieee80211_recv_pspoll(struct ieee80211com *ic, 2797 struct ieee80211_node *ni, struct mbuf *m0) 2798 { 2799 struct ieee80211_frame_min *wh; 2800 struct mbuf *m; 2801 u_int16_t aid; 2802 int qlen; 2803 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2804 2805 wh = mtod(m0, struct ieee80211_frame_min *); 2806 if (ni->ni_associd == 0) { 2807 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2808 (struct ieee80211_frame *) wh, "ps-poll", 2809 "%s", "unassociated station"); 2810 ic->ic_stats.is_ps_unassoc++; 2811 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2812 IEEE80211_REASON_NOT_ASSOCED); 2813 return; 2814 } 2815 2816 aid = le16toh(*(u_int16_t *)wh->i_dur); 2817 if (aid != ni->ni_associd) { 2818 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2819 (struct ieee80211_frame *) wh, "ps-poll", 2820 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2821 ni->ni_associd, aid); 2822 ic->ic_stats.is_ps_badaid++; 2823 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2824 IEEE80211_REASON_NOT_ASSOCED); 2825 return; 2826 } 2827 2828 /* Okay, take the first queued packet and put it out... */ 2829 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2830 if (m == NULL) { 2831 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2832 "[%s] recv ps-poll, but queue empty\n", 2833 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2834 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2835 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2836 if (ic->ic_set_tim != NULL) 2837 ic->ic_set_tim(ni, 0); /* just in case */ 2838 return; 2839 } 2840 /* 2841 * If there are more packets, set the more packets bit 2842 * in the packet dispatched to the station; otherwise 2843 * turn off the TIM bit. 2844 */ 2845 if (qlen != 0) { 2846 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2847 "[%s] recv ps-poll, send packet, %u still queued\n", 2848 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen); 2849 m->m_flags |= M_MORE_DATA; 2850 } else { 2851 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2852 "[%s] recv ps-poll, send packet, queue empty\n", 2853 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 2854 if (ic->ic_set_tim != NULL) 2855 ic->ic_set_tim(ni, 0); 2856 } 2857 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2858 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2859 } 2860 #endif /* !IEEE80211_NO_HOSTAP */ 2861 2862 #ifdef IEEE80211_DEBUG 2863 /* 2864 * Debugging support. 2865 */ 2866 2867 /* 2868 * Return the bssid of a frame. 2869 */ 2870 static const u_int8_t * 2871 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2872 { 2873 if (ic->ic_opmode == IEEE80211_M_STA) 2874 return wh->i_addr2; 2875 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2876 return wh->i_addr1; 2877 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2878 return wh->i_addr1; 2879 return wh->i_addr3; 2880 } 2881 2882 void 2883 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2884 { 2885 char buf[128]; /* XXX */ 2886 va_list ap; 2887 2888 va_start(ap, fmt); 2889 vsnprintf(buf, sizeof(buf), fmt, ap); 2890 va_end(ap); 2891 2892 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2893 } 2894 2895 void 2896 ieee80211_note_frame(struct ieee80211com *ic, 2897 const struct ieee80211_frame *wh, 2898 const char *fmt, ...) 2899 { 2900 char buf[128]; /* XXX */ 2901 va_list ap; 2902 char ebuf[3 * ETHER_ADDR_LEN]; 2903 2904 va_start(ap, fmt); 2905 vsnprintf(buf, sizeof(buf), fmt, ap); 2906 va_end(ap); 2907 if_printf(ic->ic_ifp, "[%s] %s\n", 2908 ether_snprintf(ebuf, sizeof(ebuf), 2909 ieee80211_getbssid(ic, wh)), buf); 2910 } 2911 2912 void 2913 ieee80211_note_mac(struct ieee80211com *ic, 2914 const u_int8_t mac[IEEE80211_ADDR_LEN], 2915 const char *fmt, ...) 2916 { 2917 char buf[128]; /* XXX */ 2918 va_list ap; 2919 char ebuf[3 * ETHER_ADDR_LEN]; 2920 2921 va_start(ap, fmt); 2922 vsnprintf(buf, sizeof(buf), fmt, ap); 2923 va_end(ap); 2924 if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf), 2925 mac), buf); 2926 } 2927 2928 static void 2929 ieee80211_discard_frame(struct ieee80211com *ic, 2930 const struct ieee80211_frame *wh, 2931 const char *type, const char *fmt, ...) 2932 { 2933 va_list ap; 2934 char ebuf[3 * ETHER_ADDR_LEN]; 2935 2936 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2937 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2938 if (type != NULL) 2939 printf("%s frame, ", type); 2940 else 2941 printf("frame, "); 2942 va_start(ap, fmt); 2943 vprintf(fmt, ap); 2944 va_end(ap); 2945 printf("\n"); 2946 } 2947 2948 static void 2949 ieee80211_discard_ie(struct ieee80211com *ic, 2950 const struct ieee80211_frame *wh, 2951 const char *type, const char *fmt, ...) 2952 { 2953 va_list ap; 2954 char ebuf[3 * ETHER_ADDR_LEN]; 2955 2956 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2957 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2958 if (type != NULL) 2959 printf("%s information element, ", type); 2960 else 2961 printf("information element, "); 2962 va_start(ap, fmt); 2963 vprintf(fmt, ap); 2964 va_end(ap); 2965 printf("\n"); 2966 } 2967 2968 static void 2969 ieee80211_discard_mac(struct ieee80211com *ic, 2970 const u_int8_t mac[IEEE80211_ADDR_LEN], 2971 const char *type, const char *fmt, ...) 2972 { 2973 va_list ap; 2974 char ebuf[3 * ETHER_ADDR_LEN]; 2975 2976 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2977 ether_snprintf(ebuf, sizeof(ebuf), mac)); 2978 if (type != NULL) 2979 printf("%s frame, ", type); 2980 else 2981 printf("frame, "); 2982 va_start(ap, fmt); 2983 vprintf(fmt, ap); 2984 va_end(ap); 2985 printf("\n"); 2986 } 2987 #endif /* IEEE80211_DEBUG */ 2988