1 /* $OpenBSD: ieee80211_input.c,v 1.112 2009/09/13 14:42:52 krw Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/proc.h> 44 #include <sys/sysctl.h> 45 #include <sys/endian.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_arp.h> 51 #include <net/if_llc.h> 52 53 #if NBPFILTER > 0 54 #include <net/bpf.h> 55 #endif 56 57 #ifdef INET 58 #include <netinet/in.h> 59 #include <netinet/if_ether.h> 60 #endif 61 62 #include <net80211/ieee80211_var.h> 63 #include <net80211/ieee80211_priv.h> 64 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 #ifndef IEEE80211_NO_HT 68 void ieee80211_input_ba(struct ifnet *, struct mbuf *, 69 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 70 void ieee80211_ba_move_window(struct ieee80211com *, 71 struct ieee80211_node *, u_int8_t, u_int16_t); 72 #endif 73 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 74 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 75 struct ieee80211_node *, int); 76 #ifndef IEEE80211_NO_HT 77 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 #endif 80 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 int ieee80211_parse_edca_params_body(struct ieee80211com *, 83 const u_int8_t *); 84 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 85 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 86 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 87 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 88 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 89 u_int, struct ieee80211_rsnparams *); 90 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 91 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 93 #ifndef IEEE80211_STA_ONLY 94 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #endif 97 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *); 99 #ifndef IEEE80211_STA_ONLY 100 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 102 #endif 103 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 104 struct ieee80211_node *, int); 105 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *); 107 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *); 109 #ifndef IEEE80211_NO_HT 110 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 #endif 117 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 #ifndef IEEE80211_STA_ONLY 120 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 121 struct ieee80211_node *); 122 #endif 123 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 124 struct ieee80211_node *); 125 #ifndef IEEE80211_STA_ONLY 126 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 127 struct ieee80211_node *); 128 #endif 129 #ifndef IEEE80211_NO_HT 130 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 131 struct ieee80211_node *); 132 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 133 u_int8_t, u_int16_t); 134 #endif 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* 157 * Process a received frame. The node associated with the sender 158 * should be supplied. If nothing was found in the node table then 159 * the caller is assumed to supply a reference to ic_bss instead. 160 * The RSSI and a timestamp are also supplied. The RSSI data is used 161 * during AP scanning to select a AP to associate with; it can have 162 * any units so long as values have consistent units and higher values 163 * mean ``better signal''. The receive timestamp is currently not used 164 * by the 802.11 layer. 165 */ 166 void 167 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 168 struct ieee80211_rxinfo *rxi) 169 { 170 struct ieee80211com *ic = (void *)ifp; 171 struct ieee80211_frame *wh; 172 u_int16_t *orxseq, nrxseq, qos; 173 u_int8_t dir, type, subtype, tid; 174 int hdrlen, hasqos; 175 176 KASSERT(ni != NULL); 177 178 /* in monitor mode, send everything directly to bpf */ 179 if (ic->ic_opmode == IEEE80211_M_MONITOR) 180 goto out; 181 182 /* 183 * Do not process frames without an Address 2 field any further. 184 * Only CTS and ACK control frames do not have this field. 185 */ 186 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 187 DPRINTF(("frame too short, len %u\n", m->m_len)); 188 ic->ic_stats.is_rx_tooshort++; 189 goto out; 190 } 191 192 wh = mtod(m, struct ieee80211_frame *); 193 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 194 IEEE80211_FC0_VERSION_0) { 195 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 196 ic->ic_stats.is_rx_badversion++; 197 goto err; 198 } 199 200 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 201 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 202 203 if (type != IEEE80211_FC0_TYPE_CTL) { 204 hdrlen = ieee80211_get_hdrlen(wh); 205 if (m->m_len < hdrlen) { 206 DPRINTF(("frame too short, len %u\n", m->m_len)); 207 ic->ic_stats.is_rx_tooshort++; 208 goto err; 209 } 210 } 211 if ((hasqos = ieee80211_has_qos(wh))) { 212 qos = ieee80211_get_qos(wh); 213 tid = qos & IEEE80211_QOS_TID; 214 } 215 216 /* duplicate detection (see 9.2.9) */ 217 if (ieee80211_has_seq(wh) && 218 ic->ic_state != IEEE80211_S_SCAN) { 219 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 220 IEEE80211_SEQ_SEQ_SHIFT; 221 if (hasqos) 222 orxseq = &ni->ni_qos_rxseqs[tid]; 223 else 224 orxseq = &ni->ni_rxseq; 225 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 226 nrxseq == *orxseq) { 227 /* duplicate, silently discarded */ 228 ic->ic_stats.is_rx_dup++; 229 goto out; 230 } 231 *orxseq = nrxseq; 232 } 233 if (ic->ic_state != IEEE80211_S_SCAN) { 234 ni->ni_rssi = rxi->rxi_rssi; 235 ni->ni_rstamp = rxi->rxi_tstamp; 236 ni->ni_inact = 0; 237 } 238 239 #ifndef IEEE80211_STA_ONLY 240 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 241 (ic->ic_caps & IEEE80211_C_APPMGT) && 242 ni->ni_state == IEEE80211_STA_ASSOC) { 243 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 244 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 245 /* turn on PS mode */ 246 ni->ni_pwrsave = IEEE80211_PS_DOZE; 247 ic->ic_pssta++; 248 DPRINTF(("PS mode on for %s, count %d\n", 249 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 250 } 251 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 252 /* turn off PS mode */ 253 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 254 ic->ic_pssta--; 255 DPRINTF(("PS mode off for %s, count %d\n", 256 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 257 258 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 259 260 /* dequeue buffered unicast frames */ 261 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 262 struct mbuf *m; 263 IF_DEQUEUE(&ni->ni_savedq, m); 264 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 265 (*ifp->if_start)(ifp); 266 } 267 } 268 } 269 #endif 270 switch (type) { 271 case IEEE80211_FC0_TYPE_DATA: 272 switch (ic->ic_opmode) { 273 case IEEE80211_M_STA: 274 if (dir != IEEE80211_FC1_DIR_FROMDS) { 275 ic->ic_stats.is_rx_wrongdir++; 276 goto out; 277 } 278 if (ic->ic_state != IEEE80211_S_SCAN && 279 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 280 /* Source address is not our BSS. */ 281 DPRINTF(("discard frame from SA %s\n", 282 ether_sprintf(wh->i_addr2))); 283 ic->ic_stats.is_rx_wrongbss++; 284 goto out; 285 } 286 if ((ifp->if_flags & IFF_SIMPLEX) && 287 IEEE80211_IS_MULTICAST(wh->i_addr1) && 288 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 289 /* 290 * In IEEE802.11 network, multicast frame 291 * sent from me is broadcasted from AP. 292 * It should be silently discarded for 293 * SIMPLEX interface. 294 */ 295 ic->ic_stats.is_rx_mcastecho++; 296 goto out; 297 } 298 break; 299 #ifndef IEEE80211_STA_ONLY 300 case IEEE80211_M_IBSS: 301 case IEEE80211_M_AHDEMO: 302 if (dir != IEEE80211_FC1_DIR_NODS) { 303 ic->ic_stats.is_rx_wrongdir++; 304 goto out; 305 } 306 if (ic->ic_state != IEEE80211_S_SCAN && 307 !IEEE80211_ADDR_EQ(wh->i_addr3, 308 ic->ic_bss->ni_bssid) && 309 !IEEE80211_ADDR_EQ(wh->i_addr3, 310 etherbroadcastaddr)) { 311 /* Destination is not our BSS or broadcast. */ 312 DPRINTF(("discard data frame to DA %s\n", 313 ether_sprintf(wh->i_addr3))); 314 ic->ic_stats.is_rx_wrongbss++; 315 goto out; 316 } 317 break; 318 case IEEE80211_M_HOSTAP: 319 if (dir != IEEE80211_FC1_DIR_TODS) { 320 ic->ic_stats.is_rx_wrongdir++; 321 goto out; 322 } 323 if (ic->ic_state != IEEE80211_S_SCAN && 324 !IEEE80211_ADDR_EQ(wh->i_addr1, 325 ic->ic_bss->ni_bssid) && 326 !IEEE80211_ADDR_EQ(wh->i_addr1, 327 etherbroadcastaddr)) { 328 /* BSS is not us or broadcast. */ 329 DPRINTF(("discard data frame to BSS %s\n", 330 ether_sprintf(wh->i_addr1))); 331 ic->ic_stats.is_rx_wrongbss++; 332 goto out; 333 } 334 /* check if source STA is associated */ 335 if (ni == ic->ic_bss) { 336 DPRINTF(("data from unknown src %s\n", 337 ether_sprintf(wh->i_addr2))); 338 /* NB: caller deals with reference */ 339 ni = ieee80211_dup_bss(ic, wh->i_addr2); 340 if (ni != NULL) { 341 IEEE80211_SEND_MGMT(ic, ni, 342 IEEE80211_FC0_SUBTYPE_DEAUTH, 343 IEEE80211_REASON_NOT_AUTHED); 344 } 345 ic->ic_stats.is_rx_notassoc++; 346 goto err; 347 } 348 if (ni->ni_associd == 0) { 349 DPRINTF(("data from unassoc src %s\n", 350 ether_sprintf(wh->i_addr2))); 351 IEEE80211_SEND_MGMT(ic, ni, 352 IEEE80211_FC0_SUBTYPE_DISASSOC, 353 IEEE80211_REASON_NOT_ASSOCED); 354 ic->ic_stats.is_rx_notassoc++; 355 goto err; 356 } 357 break; 358 #endif /* IEEE80211_STA_ONLY */ 359 default: 360 /* can't get there */ 361 goto out; 362 } 363 364 #ifndef IEEE80211_NO_HT 365 if (!(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) && 366 hasqos && (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 367 IEEE80211_QOS_ACK_POLICY_BA) { 368 /* check if we have a BA agreement for this RA/TID */ 369 if (ni->ni_rx_ba[tid].ba_state != 370 IEEE80211_BA_AGREED) { 371 DPRINTF(("no BA agreement for %s, TID %d\n", 372 ether_sprintf(ni->ni_macaddr), tid)); 373 /* send a DELBA with reason code UNKNOWN-BA */ 374 IEEE80211_SEND_ACTION(ic, ni, 375 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 376 IEEE80211_REASON_SETUP_REQUIRED << 16 | 377 tid); 378 goto err; 379 } 380 /* go through A-MPDU reordering */ 381 ieee80211_input_ba(ifp, m, ni, tid, rxi); 382 return; /* don't free m! */ 383 } 384 #endif 385 if ((ic->ic_flags & IEEE80211_F_WEPON) || 386 ((ic->ic_flags & IEEE80211_F_RSNON) && 387 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 388 /* protection is on for Rx */ 389 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 390 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 391 /* drop unencrypted */ 392 ic->ic_stats.is_rx_unencrypted++; 393 goto err; 394 } 395 /* do software decryption */ 396 m = ieee80211_decrypt(ic, m, ni); 397 if (m == NULL) { 398 ic->ic_stats.is_rx_wepfail++; 399 goto err; 400 } 401 wh = mtod(m, struct ieee80211_frame *); 402 } 403 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 404 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 405 /* frame encrypted but protection off for Rx */ 406 ic->ic_stats.is_rx_nowep++; 407 goto out; 408 } 409 410 #if NBPFILTER > 0 411 /* copy to listener after decrypt */ 412 if (ic->ic_rawbpf) 413 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 414 #endif 415 416 #ifndef IEEE80211_NO_HT 417 if ((ni->ni_flags & IEEE80211_NODE_HT) && 418 hasqos && (qos & IEEE80211_QOS_AMSDU)) 419 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 420 else 421 #endif 422 ieee80211_decap(ic, m, ni, hdrlen); 423 return; 424 425 case IEEE80211_FC0_TYPE_MGT: 426 if (dir != IEEE80211_FC1_DIR_NODS) { 427 ic->ic_stats.is_rx_wrongdir++; 428 goto err; 429 } 430 #ifndef IEEE80211_STA_ONLY 431 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 432 ic->ic_stats.is_rx_ahdemo_mgt++; 433 goto out; 434 } 435 #endif 436 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 437 438 /* drop frames without interest */ 439 if (ic->ic_state == IEEE80211_S_SCAN) { 440 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 441 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 442 ic->ic_stats.is_rx_mgtdiscard++; 443 goto out; 444 } 445 } 446 447 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 448 /* MMPDU protection is on for Rx */ 449 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 450 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 451 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 452 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 453 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 454 /* unicast mgmt not encrypted */ 455 goto out; 456 } 457 /* do software decryption */ 458 m = ieee80211_decrypt(ic, m, ni); 459 if (m == NULL) { 460 /* XXX stats */ 461 goto out; 462 } 463 wh = mtod(m, struct ieee80211_frame *); 464 } 465 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 466 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 467 /* encrypted but MMPDU Rx protection off for TA */ 468 goto out; 469 } 470 471 if (ifp->if_flags & IFF_DEBUG) { 472 /* avoid to print too many frames */ 473 int doprint = 0; 474 475 switch (subtype) { 476 case IEEE80211_FC0_SUBTYPE_BEACON: 477 if (ic->ic_state == IEEE80211_S_SCAN) 478 doprint = 1; 479 break; 480 #ifndef IEEE80211_STA_ONLY 481 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 482 if (ic->ic_opmode == IEEE80211_M_IBSS) 483 doprint = 1; 484 break; 485 #endif 486 default: 487 doprint = 1; 488 break; 489 } 490 #ifdef IEEE80211_DEBUG 491 doprint += ieee80211_debug; 492 #endif 493 if (doprint) 494 printf("%s: received %s from %s rssi %d mode %s\n", 495 ifp->if_xname, 496 ieee80211_mgt_subtype_name[subtype 497 >> IEEE80211_FC0_SUBTYPE_SHIFT], 498 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 499 ieee80211_phymode_name[ieee80211_chan2mode(ic, 500 ic->ic_bss->ni_chan)]); 501 } 502 #if NBPFILTER > 0 503 if (ic->ic_rawbpf) 504 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 505 /* 506 * Drop mbuf if it was filtered by bpf. Normally, this is 507 * done in ether_input() but IEEE 802.11 management frames 508 * are a special case. 509 */ 510 if (m->m_flags & M_FILDROP) { 511 m_freem(m); 512 return; 513 } 514 #endif 515 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 516 m_freem(m); 517 return; 518 519 case IEEE80211_FC0_TYPE_CTL: 520 ic->ic_stats.is_rx_ctl++; 521 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 522 switch (subtype) { 523 #ifndef IEEE80211_STA_ONLY 524 case IEEE80211_FC0_SUBTYPE_PS_POLL: 525 ieee80211_recv_pspoll(ic, m, ni); 526 break; 527 #endif 528 #ifndef IEEE80211_NO_HT 529 case IEEE80211_FC0_SUBTYPE_BAR: 530 ieee80211_recv_bar(ic, m, ni); 531 break; 532 #endif 533 default: 534 break; 535 } 536 goto out; 537 538 default: 539 DPRINTF(("bad frame type %x\n", type)); 540 /* should not come here */ 541 break; 542 } 543 err: 544 ifp->if_ierrors++; 545 out: 546 if (m != NULL) { 547 #if NBPFILTER > 0 548 if (ic->ic_rawbpf) 549 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 550 #endif 551 m_freem(m); 552 } 553 } 554 555 /* 556 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 557 * reception of fragments of three fragmented MSDUs or MMPDUs. 558 */ 559 struct mbuf * 560 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 561 { 562 const struct ieee80211_frame *owh, *wh; 563 struct ieee80211_defrag *df; 564 u_int16_t rxseq, seq; 565 u_int8_t frag; 566 int i; 567 568 wh = mtod(m, struct ieee80211_frame *); 569 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 570 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 571 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 572 573 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 574 return m; /* not fragmented */ 575 576 if (frag == 0) { 577 /* first fragment, setup entry in the fragment cache */ 578 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 579 ic->ic_defrag_cur = 0; 580 df = &ic->ic_defrag[ic->ic_defrag_cur]; 581 if (df->df_m != NULL) 582 m_freem(df->df_m); /* discard old entry */ 583 df->df_seq = seq; 584 df->df_frag = 0; 585 df->df_m = m; 586 /* start receive MSDU timer of aMaxReceiveLifetime */ 587 timeout_add_sec(&df->df_to, 1); 588 return NULL; /* MSDU or MMPDU not yet complete */ 589 } 590 591 /* find matching entry in the fragment cache */ 592 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 593 df = &ic->ic_defrag[i]; 594 if (df->df_m == NULL) 595 continue; 596 if (df->df_seq != seq || df->df_frag + 1 != frag) 597 continue; 598 owh = mtod(df->df_m, struct ieee80211_frame *); 599 /* frame type, source and destination must match */ 600 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 601 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 602 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 603 continue; 604 /* matching entry found */ 605 break; 606 } 607 if (i == IEEE80211_DEFRAG_SIZE) { 608 /* no matching entry found, discard fragment */ 609 ic->ic_if.if_ierrors++; 610 m_freem(m); 611 return NULL; 612 } 613 614 df->df_frag = frag; 615 /* strip 802.11 header and concatenate fragment */ 616 m_adj(m, hdrlen); 617 m_cat(df->df_m, m); 618 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 619 620 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 621 return NULL; /* MSDU or MMPDU not yet complete */ 622 623 /* MSDU or MMPDU complete */ 624 timeout_del(&df->df_to); 625 m = df->df_m; 626 df->df_m = NULL; 627 return m; 628 } 629 630 /* 631 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 632 */ 633 void 634 ieee80211_defrag_timeout(void *arg) 635 { 636 struct ieee80211_defrag *df = arg; 637 int s = splnet(); 638 639 /* discard all received fragments */ 640 m_freem(df->df_m); 641 df->df_m = NULL; 642 643 splx(s); 644 } 645 646 #ifndef IEEE80211_NO_HT 647 /* 648 * Process a received data MPDU related to a specific HT-immediate Block Ack 649 * agreement (see 9.10.7.6). 650 */ 651 void 652 ieee80211_input_ba(struct ifnet *ifp, struct mbuf *m, 653 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 654 { 655 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 656 struct ieee80211_frame *wh; 657 int idx, count; 658 u_int16_t sn; 659 660 wh = mtod(m, struct ieee80211_frame *); 661 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 662 663 /* reset Block Ack inactivity timer */ 664 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 665 666 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 667 ifp->if_ierrors++; 668 m_freem(m); /* discard the MPDU */ 669 return; 670 } 671 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 672 count = (sn - ba->ba_winend) & 0xfff; 673 if (count > ba->ba_winsize) /* no overlap */ 674 count = ba->ba_winsize; 675 while (count-- > 0) { 676 /* gaps may exist */ 677 if (ba->ba_buf[ba->ba_head].m != NULL) { 678 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 679 ni, &ba->ba_buf[ba->ba_head].rxi); 680 ba->ba_buf[ba->ba_head].m = NULL; 681 } 682 ba->ba_head = (ba->ba_head + 1) % 683 IEEE80211_BA_MAX_WINSZ; 684 } 685 /* move window forward */ 686 ba->ba_winend = sn; 687 ba->ba_winstart = (sn - ba->ba_winsize + 1) & 0xfff; 688 } 689 /* WinStartB <= SN <= WinEndB */ 690 691 idx = (sn - ba->ba_winstart) & 0xfff; 692 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 693 /* store the received MPDU in the buffer */ 694 if (ba->ba_buf[idx].m != NULL) { 695 ifp->if_ierrors++; 696 m_freem(m); 697 return; 698 } 699 ba->ba_buf[idx].m = m; 700 /* store Rx meta-data too */ 701 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 702 ba->ba_buf[idx].rxi = *rxi; 703 704 /* pass reordered MPDUs up to the next MAC process */ 705 while (ba->ba_buf[ba->ba_head].m != NULL) { 706 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 707 &ba->ba_buf[ba->ba_head].rxi); 708 ba->ba_buf[ba->ba_head].m = NULL; 709 710 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 711 /* move window forward */ 712 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 713 } 714 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 715 } 716 717 /* 718 * Change the value of WinStartB (move window forward) upon reception of a 719 * BlockAckReq frame or an ADDBA Request (PBAC). 720 */ 721 void 722 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 723 u_int8_t tid, u_int16_t ssn) 724 { 725 struct ifnet *ifp = &ic->ic_if; 726 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 727 int count; 728 729 /* assert(WinStartB <= SSN) */ 730 731 count = (ssn - ba->ba_winstart) & 0xfff; 732 if (count > ba->ba_winsize) /* no overlap */ 733 count = ba->ba_winsize; 734 while (count-- > 0) { 735 /* gaps may exist */ 736 if (ba->ba_buf[ba->ba_head].m != NULL) { 737 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 738 &ba->ba_buf[ba->ba_head].rxi); 739 ba->ba_buf[ba->ba_head].m = NULL; 740 } 741 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 742 } 743 /* move window forward */ 744 ba->ba_winstart = ssn; 745 746 /* pass reordered MPDUs up to the next MAC process */ 747 while (ba->ba_buf[ba->ba_head].m != NULL) { 748 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 749 &ba->ba_buf[ba->ba_head].rxi); 750 ba->ba_buf[ba->ba_head].m = NULL; 751 752 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 753 /* move window forward */ 754 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 755 } 756 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 757 } 758 #endif /* !IEEE80211_NO_HT */ 759 760 void 761 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 762 struct ieee80211_node *ni) 763 { 764 struct ifnet *ifp = &ic->ic_if; 765 struct ether_header *eh; 766 struct mbuf *m1; 767 768 eh = mtod(m, struct ether_header *); 769 770 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 771 eh->ether_type != htons(ETHERTYPE_PAE)) { 772 DPRINTF(("port not valid: %s\n", 773 ether_sprintf(eh->ether_dhost))); 774 ic->ic_stats.is_rx_unauth++; 775 m_freem(m); 776 return; 777 } 778 ifp->if_ipackets++; 779 780 /* 781 * Perform as a bridge within the AP. Notice that we do not 782 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 783 */ 784 m1 = NULL; 785 #ifndef IEEE80211_STA_ONLY 786 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 787 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 788 eh->ether_type != htons(ETHERTYPE_PAE)) { 789 struct ieee80211_node *ni1; 790 int error, len; 791 792 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 793 m1 = m_copym(m, 0, M_COPYALL, M_DONTWAIT); 794 if (m1 == NULL) 795 ifp->if_oerrors++; 796 else 797 m1->m_flags |= M_MCAST; 798 } else { 799 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 800 if (ni1 != NULL && 801 ni1->ni_state == IEEE80211_STA_ASSOC) { 802 m1 = m; 803 m = NULL; 804 } 805 } 806 if (m1 != NULL) { 807 len = m1->m_pkthdr.len; 808 IFQ_ENQUEUE(&ifp->if_snd, m1, NULL, error); 809 if (error) 810 ifp->if_oerrors++; 811 else { 812 if (m != NULL) 813 ifp->if_omcasts++; 814 ifp->if_obytes += len; 815 if_start(ifp); 816 } 817 } 818 } 819 #endif 820 if (m != NULL) { 821 #if NBPFILTER > 0 822 /* 823 * If we forward frame into transmitter of the AP, 824 * we don't need to duplicate for DLT_EN10MB. 825 */ 826 if (ifp->if_bpf && m1 == NULL) 827 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 828 #endif 829 if ((ic->ic_flags & IEEE80211_F_RSNON) && 830 eh->ether_type == htons(ETHERTYPE_PAE)) 831 ieee80211_eapol_key_input(ic, m, ni); 832 else 833 ether_input_mbuf(ifp, m); 834 } 835 } 836 837 /* 838 * Make sure protocol header (e.g. IP) is aligned on a 32-bit boundary. 839 * This is achieved by copying mbufs so drivers should try to map their 840 * buffers such that this copying is not necessary. It is however not 841 * always possible because 802.11 header length may vary (non-QoS+LLC 842 * is 32 bytes while QoS+LLC is 34 bytes). Some devices are smart and 843 * add 2 padding bytes after the 802.11 header in the QoS case so this 844 * function is there for stupid drivers/devices only. 845 */ 846 struct mbuf * 847 ieee80211_align_mbuf(struct mbuf *m) 848 { 849 struct mbuf *n, *n0, **np; 850 caddr_t newdata; 851 int off, pktlen; 852 853 n0 = NULL; 854 np = &n0; 855 off = 0; 856 pktlen = m->m_pkthdr.len; 857 while (pktlen > off) { 858 if (n0 == NULL) { 859 MGETHDR(n, M_DONTWAIT, MT_DATA); 860 if (n == NULL) { 861 m_freem(m); 862 return NULL; 863 } 864 if (m_dup_pkthdr(n, m)) { 865 m_free(n); 866 m_freem(m); 867 return (NULL); 868 } 869 n->m_len = MHLEN; 870 } else { 871 MGET(n, M_DONTWAIT, MT_DATA); 872 if (n == NULL) { 873 m_freem(m); 874 m_freem(n0); 875 return NULL; 876 } 877 n->m_len = MLEN; 878 } 879 if (pktlen - off >= MINCLSIZE) { 880 MCLGET(n, M_DONTWAIT); 881 if (n->m_flags & M_EXT) 882 n->m_len = n->m_ext.ext_size; 883 } 884 if (n0 == NULL) { 885 newdata = (caddr_t)ALIGN(n->m_data + ETHER_HDR_LEN) - 886 ETHER_HDR_LEN; 887 n->m_len -= newdata - n->m_data; 888 n->m_data = newdata; 889 } 890 if (n->m_len > pktlen - off) 891 n->m_len = pktlen - off; 892 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 893 off += n->m_len; 894 *np = n; 895 np = &n->m_next; 896 } 897 m_freem(m); 898 return n0; 899 } 900 901 void 902 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 903 struct ieee80211_node *ni, int hdrlen) 904 { 905 struct ieee80211_qosframe_addr4 wh; /* largest 802.11 header */ 906 struct ether_header *eh; 907 struct llc *llc; 908 909 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 910 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 911 ic->ic_stats.is_rx_decap++; 912 return; 913 } 914 memcpy(&wh, mtod(m, caddr_t), hdrlen); 915 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 916 if (llc->llc_dsap == LLC_SNAP_LSAP && 917 llc->llc_ssap == LLC_SNAP_LSAP && 918 llc->llc_control == LLC_UI && 919 llc->llc_snap.org_code[0] == 0 && 920 llc->llc_snap.org_code[1] == 0 && 921 llc->llc_snap.org_code[2] == 0) { 922 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 923 llc = NULL; 924 } else { 925 m_adj(m, hdrlen - ETHER_HDR_LEN); 926 } 927 eh = mtod(m, struct ether_header *); 928 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 929 case IEEE80211_FC1_DIR_NODS: 930 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 931 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 932 break; 933 case IEEE80211_FC1_DIR_TODS: 934 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 935 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 936 break; 937 case IEEE80211_FC1_DIR_FROMDS: 938 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 939 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 940 break; 941 case IEEE80211_FC1_DIR_DSTODS: 942 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 943 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 944 break; 945 } 946 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 947 if ((m = ieee80211_align_mbuf(m)) == NULL) { 948 ic->ic_stats.is_rx_decap++; 949 return; 950 } 951 } 952 if (llc != NULL) { 953 eh = mtod(m, struct ether_header *); 954 eh->ether_type = htons(m->m_pkthdr.len - ETHER_HDR_LEN); 955 } 956 ieee80211_deliver_data(ic, m, ni); 957 } 958 959 #ifndef IEEE80211_NO_HT 960 /* 961 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 962 */ 963 void 964 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 965 struct ieee80211_node *ni, int hdrlen) 966 { 967 struct mbuf *n; 968 struct ether_header *eh; 969 struct llc *llc; 970 int len, pad; 971 972 /* strip 802.11 header */ 973 m_adj(m, hdrlen); 974 975 for (;;) { 976 /* process an A-MSDU subframe */ 977 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 978 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 979 if (m == NULL) { 980 ic->ic_stats.is_rx_decap++; 981 break; 982 } 983 } 984 eh = mtod(m, struct ether_header *); 985 /* examine 802.3 header */ 986 len = ntohs(eh->ether_type); 987 if (len < LLC_SNAPFRAMELEN) { 988 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 989 /* stop processing A-MSDU subframes */ 990 ic->ic_stats.is_rx_decap++; 991 m_freem(m); 992 break; 993 } 994 llc = (struct llc *)&eh[1]; 995 /* examine 802.2 LLC header */ 996 if (llc->llc_dsap == LLC_SNAP_LSAP && 997 llc->llc_ssap == LLC_SNAP_LSAP && 998 llc->llc_control == LLC_UI && 999 llc->llc_snap.org_code[0] == 0 && 1000 llc->llc_snap.org_code[1] == 0 && 1001 llc->llc_snap.org_code[2] == 0) { 1002 /* convert to Ethernet II header */ 1003 eh->ether_type = llc->llc_snap.ether_type; 1004 /* strip LLC+SNAP headers */ 1005 ovbcopy(eh, (u_int8_t *)eh + LLC_SNAPFRAMELEN, 1006 ETHER_HDR_LEN); 1007 m_adj(m, LLC_SNAPFRAMELEN); 1008 len -= LLC_SNAPFRAMELEN; 1009 } 1010 len += ETHER_HDR_LEN; 1011 1012 /* "detach" our A-MSDU subframe from the others */ 1013 n = m_split(m, len, M_NOWAIT); 1014 if (n == NULL) { 1015 /* stop processing A-MSDU subframes */ 1016 ic->ic_stats.is_rx_decap++; 1017 m_freem(m); 1018 break; 1019 } 1020 ieee80211_deliver_data(ic, m, ni); 1021 1022 m = n; 1023 /* remove padding */ 1024 pad = ((len + 3) & ~3) - len; 1025 m_adj(m, pad); 1026 } 1027 } 1028 #endif /* !IEEE80211_NO_HT */ 1029 1030 /* 1031 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1032 */ 1033 int 1034 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1035 { 1036 u_int updtcount; 1037 int aci; 1038 1039 /* 1040 * Check if EDCA parameters have changed XXX if we miss more than 1041 * 15 consecutive beacons, we might not detect changes to EDCA 1042 * parameters due to wraparound of the 4-bit Update Count field. 1043 */ 1044 updtcount = frm[0] & 0xf; 1045 if (updtcount == ic->ic_edca_updtcount) 1046 return 0; /* no changes to EDCA parameters, ignore */ 1047 ic->ic_edca_updtcount = updtcount; 1048 1049 frm += 2; /* skip QoS Info & Reserved fields */ 1050 1051 /* parse AC Parameter Records */ 1052 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1053 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1054 1055 ac->ac_acm = (frm[0] >> 4) & 0x1; 1056 ac->ac_aifsn = frm[0] & 0xf; 1057 ac->ac_ecwmin = frm[1] & 0xf; 1058 ac->ac_ecwmax = frm[1] >> 4; 1059 ac->ac_txoplimit = LE_READ_2(frm + 2); 1060 frm += 4; 1061 } 1062 /* give drivers a chance to update their settings */ 1063 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1064 (*ic->ic_updateedca)(ic); 1065 1066 return 0; 1067 } 1068 1069 int 1070 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1071 { 1072 if (frm[1] < 18) { 1073 ic->ic_stats.is_rx_elem_toosmall++; 1074 return IEEE80211_REASON_IE_INVALID; 1075 } 1076 return ieee80211_parse_edca_params_body(ic, frm + 2); 1077 } 1078 1079 int 1080 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1081 { 1082 if (frm[1] < 24) { 1083 ic->ic_stats.is_rx_elem_toosmall++; 1084 return IEEE80211_REASON_IE_INVALID; 1085 } 1086 return ieee80211_parse_edca_params_body(ic, frm + 8); 1087 } 1088 1089 enum ieee80211_cipher 1090 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1091 { 1092 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1093 switch (selector[3]) { 1094 case 0: /* use group data cipher suite */ 1095 return IEEE80211_CIPHER_USEGROUP; 1096 case 1: /* WEP-40 */ 1097 return IEEE80211_CIPHER_WEP40; 1098 case 2: /* TKIP */ 1099 return IEEE80211_CIPHER_TKIP; 1100 case 4: /* CCMP (RSNA default) */ 1101 return IEEE80211_CIPHER_CCMP; 1102 case 5: /* WEP-104 */ 1103 return IEEE80211_CIPHER_WEP104; 1104 } 1105 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1106 /* from IEEE Std 802.11 - Table 20da */ 1107 switch (selector[3]) { 1108 case 0: /* use group data cipher suite */ 1109 return IEEE80211_CIPHER_USEGROUP; 1110 case 1: /* WEP-40 */ 1111 return IEEE80211_CIPHER_WEP40; 1112 case 2: /* TKIP */ 1113 return IEEE80211_CIPHER_TKIP; 1114 case 4: /* CCMP (RSNA default) */ 1115 return IEEE80211_CIPHER_CCMP; 1116 case 5: /* WEP-104 */ 1117 return IEEE80211_CIPHER_WEP104; 1118 case 6: /* BIP */ 1119 return IEEE80211_CIPHER_BIP; 1120 } 1121 } 1122 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1123 } 1124 1125 enum ieee80211_akm 1126 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1127 { 1128 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1129 switch (selector[3]) { 1130 case 1: /* IEEE 802.1X (RSNA default) */ 1131 return IEEE80211_AKM_8021X; 1132 case 2: /* PSK */ 1133 return IEEE80211_AKM_PSK; 1134 } 1135 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1136 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1137 switch (selector[3]) { 1138 case 1: /* IEEE 802.1X (RSNA default) */ 1139 return IEEE80211_AKM_8021X; 1140 case 2: /* PSK */ 1141 return IEEE80211_AKM_PSK; 1142 case 5: /* IEEE 802.1X with SHA256 KDF */ 1143 return IEEE80211_AKM_SHA256_8021X; 1144 case 6: /* PSK with SHA256 KDF */ 1145 return IEEE80211_AKM_SHA256_PSK; 1146 } 1147 } 1148 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1149 } 1150 1151 /* 1152 * Parse an RSN element (see 7.3.2.25). 1153 */ 1154 int 1155 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1156 u_int len, struct ieee80211_rsnparams *rsn) 1157 { 1158 const u_int8_t *efrm; 1159 u_int16_t m, n, s; 1160 1161 efrm = frm + len; 1162 1163 /* check Version field */ 1164 if (LE_READ_2(frm) != 1) 1165 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1166 frm += 2; 1167 1168 /* all fields after the Version field are optional */ 1169 1170 /* if Cipher Suite missing, default to CCMP */ 1171 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1172 rsn->rsn_nciphers = 1; 1173 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1174 /* if Group Management Cipher Suite missing, defaut to BIP */ 1175 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1176 /* if AKM Suite missing, default to 802.1X */ 1177 rsn->rsn_nakms = 1; 1178 rsn->rsn_akms = IEEE80211_AKM_8021X; 1179 /* if RSN capabilities missing, default to 0 */ 1180 rsn->rsn_caps = 0; 1181 rsn->rsn_npmkids = 0; 1182 1183 /* read Group Data Cipher Suite field */ 1184 if (frm + 4 > efrm) 1185 return 0; 1186 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1187 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP) 1188 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1189 frm += 4; 1190 1191 /* read Pairwise Cipher Suite Count field */ 1192 if (frm + 2 > efrm) 1193 return 0; 1194 m = rsn->rsn_nciphers = LE_READ_2(frm); 1195 frm += 2; 1196 1197 /* read Pairwise Cipher Suite List */ 1198 if (frm + m * 4 > efrm) 1199 return IEEE80211_STATUS_IE_INVALID; 1200 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1201 while (m-- > 0) { 1202 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1203 frm += 4; 1204 } 1205 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1206 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1207 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1208 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1209 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1210 } 1211 1212 /* read AKM Suite List Count field */ 1213 if (frm + 2 > efrm) 1214 return 0; 1215 n = rsn->rsn_nakms = LE_READ_2(frm); 1216 frm += 2; 1217 1218 /* read AKM Suite List */ 1219 if (frm + n * 4 > efrm) 1220 return IEEE80211_STATUS_IE_INVALID; 1221 rsn->rsn_akms = IEEE80211_AKM_NONE; 1222 while (n-- > 0) { 1223 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1224 frm += 4; 1225 } 1226 1227 /* read RSN Capabilities field */ 1228 if (frm + 2 > efrm) 1229 return 0; 1230 rsn->rsn_caps = LE_READ_2(frm); 1231 frm += 2; 1232 1233 /* read PMKID Count field */ 1234 if (frm + 2 > efrm) 1235 return 0; 1236 s = rsn->rsn_npmkids = LE_READ_2(frm); 1237 frm += 2; 1238 1239 /* read PMKID List */ 1240 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1241 return IEEE80211_STATUS_IE_INVALID; 1242 if (s != 0) { 1243 rsn->rsn_pmkids = frm; 1244 frm += s * IEEE80211_PMKID_LEN; 1245 } 1246 1247 /* read Group Management Cipher Suite field */ 1248 if (frm + 4 > efrm) 1249 return 0; 1250 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1251 1252 return IEEE80211_STATUS_SUCCESS; 1253 } 1254 1255 int 1256 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1257 struct ieee80211_rsnparams *rsn) 1258 { 1259 if (frm[1] < 2) { 1260 ic->ic_stats.is_rx_elem_toosmall++; 1261 return IEEE80211_STATUS_IE_INVALID; 1262 } 1263 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1264 } 1265 1266 int 1267 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1268 struct ieee80211_rsnparams *rsn) 1269 { 1270 if (frm[1] < 6) { 1271 ic->ic_stats.is_rx_elem_toosmall++; 1272 return IEEE80211_STATUS_IE_INVALID; 1273 } 1274 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1275 } 1276 1277 /* 1278 * Create (or update) a copy of an information element. 1279 */ 1280 int 1281 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1282 { 1283 if (*ie == NULL || (*ie)[1] != frm[1]) { 1284 if (*ie != NULL) 1285 free(*ie, M_DEVBUF); 1286 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1287 if (*ie == NULL) 1288 return ENOMEM; 1289 } 1290 memcpy(*ie, frm, 2 + frm[1]); 1291 return 0; 1292 } 1293 1294 /*- 1295 * Beacon/Probe response frame format: 1296 * [8] Timestamp 1297 * [2] Beacon interval 1298 * [2] Capability 1299 * [tlv] Service Set Identifier (SSID) 1300 * [tlv] Supported rates 1301 * [tlv] DS Parameter Set (802.11g) 1302 * [tlv] ERP Information (802.11g) 1303 * [tlv] Extended Supported Rates (802.11g) 1304 * [tlv] RSN (802.11i) 1305 * [tlv] EDCA Parameter Set (802.11e) 1306 * [tlv] QoS Capability (Beacon only, 802.11e) 1307 * [tlv] HT Capabilities (802.11n) 1308 * [tlv] HT Operation (802.11n) 1309 */ 1310 void 1311 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1312 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1313 { 1314 const struct ieee80211_frame *wh; 1315 const u_int8_t *frm, *efrm; 1316 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1317 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1318 u_int16_t capinfo, bintval; 1319 u_int8_t chan, bchan, erp; 1320 int is_new; 1321 1322 /* 1323 * We process beacon/probe response frames for: 1324 * o station mode: to collect state 1325 * updates such as 802.11g slot time and for passive 1326 * scanning of APs 1327 * o adhoc mode: to discover neighbors 1328 * o hostap mode: for passive scanning of neighbor APs 1329 * o when scanning 1330 * In other words, in all modes other than monitor (which 1331 * does not process incoming frames) and adhoc-demo (which 1332 * does not use management frames at all). 1333 */ 1334 #ifdef DIAGNOSTIC 1335 if (ic->ic_opmode != IEEE80211_M_STA && 1336 #ifndef IEEE80211_STA_ONLY 1337 ic->ic_opmode != IEEE80211_M_IBSS && 1338 ic->ic_opmode != IEEE80211_M_HOSTAP && 1339 #endif 1340 ic->ic_state != IEEE80211_S_SCAN) { 1341 panic("%s: impossible operating mode", __func__); 1342 } 1343 #endif 1344 /* make sure all mandatory fixed fields are present */ 1345 if (m->m_len < sizeof(*wh) + 12) { 1346 DPRINTF(("frame too short\n")); 1347 return; 1348 } 1349 wh = mtod(m, struct ieee80211_frame *); 1350 frm = (const u_int8_t *)&wh[1]; 1351 efrm = mtod(m, u_int8_t *) + m->m_len; 1352 1353 tstamp = frm; frm += 8; 1354 bintval = LE_READ_2(frm); frm += 2; 1355 capinfo = LE_READ_2(frm); frm += 2; 1356 1357 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1358 htcaps = htop = NULL; 1359 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1360 chan = bchan; 1361 erp = 0; 1362 while (frm + 2 <= efrm) { 1363 if (frm + 2 + frm[1] > efrm) { 1364 ic->ic_stats.is_rx_elem_toosmall++; 1365 break; 1366 } 1367 switch (frm[0]) { 1368 case IEEE80211_ELEMID_SSID: 1369 ssid = frm; 1370 break; 1371 case IEEE80211_ELEMID_RATES: 1372 rates = frm; 1373 break; 1374 case IEEE80211_ELEMID_DSPARMS: 1375 if (frm[1] < 1) { 1376 ic->ic_stats.is_rx_elem_toosmall++; 1377 break; 1378 } 1379 chan = frm[2]; 1380 break; 1381 case IEEE80211_ELEMID_TIM: 1382 break; 1383 case IEEE80211_ELEMID_IBSSPARMS: 1384 break; 1385 case IEEE80211_ELEMID_XRATES: 1386 xrates = frm; 1387 break; 1388 case IEEE80211_ELEMID_ERP: 1389 if (frm[1] < 1) { 1390 ic->ic_stats.is_rx_elem_toosmall++; 1391 break; 1392 } 1393 erp = frm[2]; 1394 break; 1395 case IEEE80211_ELEMID_RSN: 1396 rsnie = frm; 1397 break; 1398 case IEEE80211_ELEMID_EDCAPARMS: 1399 edcaie = frm; 1400 break; 1401 case IEEE80211_ELEMID_QOS_CAP: 1402 break; 1403 #ifndef IEEE80211_NO_HT 1404 case IEEE80211_ELEMID_HTCAPS: 1405 htcaps = frm; 1406 break; 1407 case IEEE80211_ELEMID_HTOP: 1408 htop = frm; 1409 break; 1410 #endif 1411 case IEEE80211_ELEMID_VENDOR: 1412 if (frm[1] < 4) { 1413 ic->ic_stats.is_rx_elem_toosmall++; 1414 break; 1415 } 1416 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1417 if (frm[5] == 1) 1418 wpaie = frm; 1419 else if (frm[1] >= 5 && 1420 frm[5] == 2 && frm[6] == 1) 1421 wmmie = frm; 1422 } 1423 break; 1424 default: 1425 DPRINTF(("element id %u/len %u ignored\n", 1426 frm[0], frm[1])); 1427 ic->ic_stats.is_rx_elem_unknown++; 1428 break; 1429 } 1430 frm += 2 + frm[1]; 1431 } 1432 /* supported rates element is mandatory */ 1433 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1434 DPRINTF(("invalid supported rates element\n")); 1435 return; 1436 } 1437 /* SSID element is mandatory */ 1438 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1439 DPRINTF(("invalid SSID element\n")); 1440 return; 1441 } 1442 1443 if ( 1444 #if IEEE80211_CHAN_MAX < 255 1445 chan > IEEE80211_CHAN_MAX || 1446 #endif 1447 isclr(ic->ic_chan_active, chan)) { 1448 DPRINTF(("ignore %s with invalid channel %u\n", 1449 isprobe ? "probe response" : "beacon", chan)); 1450 ic->ic_stats.is_rx_badchan++; 1451 return; 1452 } 1453 if ((ic->ic_state != IEEE80211_S_SCAN || 1454 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1455 chan != bchan) { 1456 /* 1457 * Frame was received on a channel different from the 1458 * one indicated in the DS params element id; 1459 * silently discard it. 1460 * 1461 * NB: this can happen due to signal leakage. 1462 */ 1463 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1464 isprobe ? "probe response" : "beacon", bchan, chan)); 1465 ic->ic_stats.is_rx_chanmismatch++; 1466 return; 1467 } 1468 /* 1469 * Use mac, channel and rssi so we collect only the 1470 * best potential AP with the equal bssid while scanning. 1471 * Collecting all potential APs may result in bloat of 1472 * the node tree. This call will return NULL if the node 1473 * for this APs does not exist or if the new node is the 1474 * potential better one. 1475 */ 1476 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1477 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1478 return; 1479 1480 #ifdef IEEE80211_DEBUG 1481 if (ieee80211_debug && 1482 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1483 printf("%s: %s%s on chan %u (bss chan %u) ", 1484 __func__, (ni == NULL ? "new " : ""), 1485 isprobe ? "probe response" : "beacon", 1486 chan, bchan); 1487 ieee80211_print_essid(ssid + 2, ssid[1]); 1488 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1489 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1490 __func__, capinfo, bintval, erp); 1491 } 1492 #endif 1493 1494 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1495 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1496 if (ni == NULL) 1497 return; 1498 is_new = 1; 1499 } else 1500 is_new = 0; 1501 1502 /* 1503 * When operating in station mode, check for state updates 1504 * while we're associated. We consider only 11g stuff right 1505 * now. 1506 */ 1507 if (ic->ic_opmode == IEEE80211_M_STA && 1508 ic->ic_state == IEEE80211_S_RUN && 1509 ni->ni_state == IEEE80211_STA_BSS) { 1510 /* 1511 * Check if protection mode has changed since last beacon. 1512 */ 1513 if (ni->ni_erp != erp) { 1514 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1515 ether_sprintf((u_int8_t *)wh->i_addr2), 1516 ni->ni_erp, erp)); 1517 if (ic->ic_curmode == IEEE80211_MODE_11G && 1518 (erp & IEEE80211_ERP_USE_PROTECTION)) 1519 ic->ic_flags |= IEEE80211_F_USEPROT; 1520 else 1521 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1522 ic->ic_bss->ni_erp = erp; 1523 } 1524 /* 1525 * Check if AP short slot time setting has changed 1526 * since last beacon and give the driver a chance to 1527 * update the hardware. 1528 */ 1529 if ((ni->ni_capinfo ^ capinfo) & 1530 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1531 ieee80211_set_shortslottime(ic, 1532 ic->ic_curmode == IEEE80211_MODE_11A || 1533 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1534 } 1535 } 1536 /* 1537 * We do not try to update EDCA parameters if QoS was not negotiated 1538 * with the AP at association time. 1539 */ 1540 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1541 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1542 if (edcaie != NULL) 1543 ieee80211_parse_edca_params(ic, edcaie); 1544 else if (wmmie != NULL) 1545 ieee80211_parse_wmm_params(ic, wmmie); 1546 } 1547 1548 if (ic->ic_state == IEEE80211_S_SCAN && 1549 #ifndef IEEE80211_STA_ONLY 1550 ic->ic_opmode != IEEE80211_M_HOSTAP && 1551 #endif 1552 (ic->ic_flags & IEEE80211_F_RSNON)) { 1553 struct ieee80211_rsnparams rsn; 1554 const u_int8_t *saveie = NULL; 1555 /* 1556 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1557 * we only store the parameters of the highest protocol 1558 * version we support. 1559 */ 1560 if (rsnie != NULL && 1561 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1562 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1563 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1564 saveie = rsnie; 1565 } 1566 } else if (wpaie != NULL && 1567 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1568 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1569 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1570 saveie = wpaie; 1571 } 1572 } 1573 if (saveie != NULL && 1574 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1575 ni->ni_rsnakms = rsn.rsn_akms; 1576 ni->ni_rsnciphers = rsn.rsn_ciphers; 1577 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1578 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1579 ni->ni_rsncaps = rsn.rsn_caps; 1580 } else 1581 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1582 } else if (ic->ic_state == IEEE80211_S_SCAN) 1583 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1584 1585 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1586 ni->ni_esslen = ssid[1]; 1587 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1588 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1589 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1590 } 1591 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1592 ni->ni_rssi = rxi->rxi_rssi; 1593 ni->ni_rstamp = rxi->rxi_tstamp; 1594 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1595 ni->ni_intval = bintval; 1596 ni->ni_capinfo = capinfo; 1597 /* XXX validate channel # */ 1598 ni->ni_chan = &ic->ic_channels[chan]; 1599 ni->ni_erp = erp; 1600 /* NB: must be after ni_chan is setup */ 1601 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1602 1603 /* 1604 * When scanning we record results (nodes) with a zero 1605 * refcnt. Otherwise we want to hold the reference for 1606 * ibss neighbors so the nodes don't get released prematurely. 1607 * Anything else can be discarded (XXX and should be handled 1608 * above so we don't do so much work). 1609 */ 1610 if ( 1611 #ifndef IEEE80211_STA_ONLY 1612 ic->ic_opmode == IEEE80211_M_IBSS || 1613 #endif 1614 (is_new && isprobe)) { 1615 /* 1616 * Fake an association so the driver can setup it's 1617 * private state. The rate set has been setup above; 1618 * there is no handshake as in ap/station operation. 1619 */ 1620 if (ic->ic_newassoc) 1621 (*ic->ic_newassoc)(ic, ni, 1); 1622 } 1623 } 1624 1625 #ifndef IEEE80211_STA_ONLY 1626 /*- 1627 * Probe request frame format: 1628 * [tlv] SSID 1629 * [tlv] Supported rates 1630 * [tlv] Extended Supported Rates (802.11g) 1631 * [tlv] HT Capabilities (802.11n) 1632 */ 1633 void 1634 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1635 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1636 { 1637 const struct ieee80211_frame *wh; 1638 const u_int8_t *frm, *efrm; 1639 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1640 u_int8_t rate; 1641 1642 if (ic->ic_opmode == IEEE80211_M_STA || 1643 ic->ic_state != IEEE80211_S_RUN) 1644 return; 1645 1646 wh = mtod(m, struct ieee80211_frame *); 1647 frm = (const u_int8_t *)&wh[1]; 1648 efrm = mtod(m, u_int8_t *) + m->m_len; 1649 1650 ssid = rates = xrates = htcaps = NULL; 1651 while (frm + 2 <= efrm) { 1652 if (frm + 2 + frm[1] > efrm) { 1653 ic->ic_stats.is_rx_elem_toosmall++; 1654 break; 1655 } 1656 switch (frm[0]) { 1657 case IEEE80211_ELEMID_SSID: 1658 ssid = frm; 1659 break; 1660 case IEEE80211_ELEMID_RATES: 1661 rates = frm; 1662 break; 1663 case IEEE80211_ELEMID_XRATES: 1664 xrates = frm; 1665 break; 1666 #ifndef IEEE80211_NO_HT 1667 case IEEE80211_ELEMID_HTCAPS: 1668 htcaps = frm; 1669 break; 1670 #endif 1671 } 1672 frm += 2 + frm[1]; 1673 } 1674 /* supported rates element is mandatory */ 1675 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1676 DPRINTF(("invalid supported rates element\n")); 1677 return; 1678 } 1679 /* SSID element is mandatory */ 1680 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1681 DPRINTF(("invalid SSID element\n")); 1682 return; 1683 } 1684 /* check that the specified SSID (if not wildcard) matches ours */ 1685 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1686 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1687 DPRINTF(("SSID mismatch\n")); 1688 ic->ic_stats.is_rx_ssidmismatch++; 1689 return; 1690 } 1691 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1692 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1693 DPRINTF(("wildcard SSID rejected")); 1694 ic->ic_stats.is_rx_ssidmismatch++; 1695 return; 1696 } 1697 1698 if (ni == ic->ic_bss) { 1699 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1700 if (ni == NULL) 1701 return; 1702 DPRINTF(("new probe req from %s\n", 1703 ether_sprintf((u_int8_t *)wh->i_addr2))); 1704 } 1705 ni->ni_rssi = rxi->rxi_rssi; 1706 ni->ni_rstamp = rxi->rxi_tstamp; 1707 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1708 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1709 IEEE80211_F_DODEL); 1710 if (rate & IEEE80211_RATE_BASIC) { 1711 DPRINTF(("rate mismatch for %s\n", 1712 ether_sprintf((u_int8_t *)wh->i_addr2))); 1713 return; 1714 } 1715 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1716 } 1717 #endif /* IEEE80211_STA_ONLY */ 1718 1719 /*- 1720 * Authentication frame format: 1721 * [2] Authentication algorithm number 1722 * [2] Authentication transaction sequence number 1723 * [2] Status code 1724 */ 1725 void 1726 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1727 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1728 { 1729 const struct ieee80211_frame *wh; 1730 const u_int8_t *frm; 1731 u_int16_t algo, seq, status; 1732 1733 /* make sure all mandatory fixed fields are present */ 1734 if (m->m_len < sizeof(*wh) + 6) { 1735 DPRINTF(("frame too short\n")); 1736 return; 1737 } 1738 wh = mtod(m, struct ieee80211_frame *); 1739 frm = (const u_int8_t *)&wh[1]; 1740 1741 algo = LE_READ_2(frm); frm += 2; 1742 seq = LE_READ_2(frm); frm += 2; 1743 status = LE_READ_2(frm); frm += 2; 1744 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1745 ether_sprintf((u_int8_t *)wh->i_addr2))); 1746 1747 /* only "open" auth mode is supported */ 1748 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1749 DPRINTF(("unsupported auth algorithm %d from %s\n", 1750 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1751 ic->ic_stats.is_rx_auth_unsupported++; 1752 #ifndef IEEE80211_STA_ONLY 1753 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1754 /* XXX hack to workaround calling convention */ 1755 IEEE80211_SEND_MGMT(ic, ni, 1756 IEEE80211_FC0_SUBTYPE_AUTH, 1757 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1758 } 1759 #endif 1760 return; 1761 } 1762 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1763 } 1764 1765 #ifndef IEEE80211_STA_ONLY 1766 /*- 1767 * (Re)Association request frame format: 1768 * [2] Capability information 1769 * [2] Listen interval 1770 * [6*] Current AP address (Reassociation only) 1771 * [tlv] SSID 1772 * [tlv] Supported rates 1773 * [tlv] Extended Supported Rates (802.11g) 1774 * [tlv] RSN (802.11i) 1775 * [tlv] QoS Capability (802.11e) 1776 * [tlv] HT Capabilities (802.11n) 1777 */ 1778 void 1779 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1780 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1781 { 1782 const struct ieee80211_frame *wh; 1783 const u_int8_t *frm, *efrm; 1784 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1785 u_int16_t capinfo, bintval; 1786 int resp, status = 0; 1787 struct ieee80211_rsnparams rsn; 1788 u_int8_t rate; 1789 1790 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1791 ic->ic_state != IEEE80211_S_RUN) 1792 return; 1793 1794 /* make sure all mandatory fixed fields are present */ 1795 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1796 DPRINTF(("frame too short\n")); 1797 return; 1798 } 1799 wh = mtod(m, struct ieee80211_frame *); 1800 frm = (const u_int8_t *)&wh[1]; 1801 efrm = mtod(m, u_int8_t *) + m->m_len; 1802 1803 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1804 DPRINTF(("ignore other bss from %s\n", 1805 ether_sprintf((u_int8_t *)wh->i_addr2))); 1806 ic->ic_stats.is_rx_assoc_bss++; 1807 return; 1808 } 1809 capinfo = LE_READ_2(frm); frm += 2; 1810 bintval = LE_READ_2(frm); frm += 2; 1811 if (reassoc) { 1812 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1813 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1814 } else 1815 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1816 1817 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1818 while (frm + 2 <= efrm) { 1819 if (frm + 2 + frm[1] > efrm) { 1820 ic->ic_stats.is_rx_elem_toosmall++; 1821 break; 1822 } 1823 switch (frm[0]) { 1824 case IEEE80211_ELEMID_SSID: 1825 ssid = frm; 1826 break; 1827 case IEEE80211_ELEMID_RATES: 1828 rates = frm; 1829 break; 1830 case IEEE80211_ELEMID_XRATES: 1831 xrates = frm; 1832 break; 1833 case IEEE80211_ELEMID_RSN: 1834 rsnie = frm; 1835 break; 1836 case IEEE80211_ELEMID_QOS_CAP: 1837 break; 1838 #ifndef IEEE80211_NO_HT 1839 case IEEE80211_ELEMID_HTCAPS: 1840 htcaps = frm; 1841 break; 1842 #endif 1843 case IEEE80211_ELEMID_VENDOR: 1844 if (frm[1] < 4) { 1845 ic->ic_stats.is_rx_elem_toosmall++; 1846 break; 1847 } 1848 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1849 if (frm[5] == 1) 1850 wpaie = frm; 1851 } 1852 break; 1853 } 1854 frm += 2 + frm[1]; 1855 } 1856 /* supported rates element is mandatory */ 1857 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1858 DPRINTF(("invalid supported rates element\n")); 1859 return; 1860 } 1861 /* SSID element is mandatory */ 1862 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1863 DPRINTF(("invalid SSID element\n")); 1864 return; 1865 } 1866 /* check that the specified SSID matches ours */ 1867 if (ssid[1] != ic->ic_bss->ni_esslen || 1868 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1869 DPRINTF(("SSID mismatch\n")); 1870 ic->ic_stats.is_rx_ssidmismatch++; 1871 return; 1872 } 1873 1874 if (ni->ni_state != IEEE80211_STA_AUTH && 1875 ni->ni_state != IEEE80211_STA_ASSOC) { 1876 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1877 reassoc ? "re" : "", 1878 ether_sprintf((u_int8_t *)wh->i_addr2))); 1879 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1880 if (ni != NULL) { 1881 IEEE80211_SEND_MGMT(ic, ni, 1882 IEEE80211_FC0_SUBTYPE_DEAUTH, 1883 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1884 } 1885 ic->ic_stats.is_rx_assoc_notauth++; 1886 return; 1887 } 1888 1889 if (ni->ni_state == IEEE80211_STA_ASSOC && 1890 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1891 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1892 /* send a protected Disassociate frame */ 1893 IEEE80211_SEND_MGMT(ic, ni, 1894 IEEE80211_FC0_SUBTYPE_DISASSOC, 1895 IEEE80211_REASON_AUTH_EXPIRE); 1896 /* terminate the old SA */ 1897 ieee80211_node_leave(ic, ni); 1898 } else { 1899 /* reject the (Re)Association Request temporarily */ 1900 IEEE80211_SEND_MGMT(ic, ni, resp, 1901 IEEE80211_STATUS_TRY_AGAIN_LATER); 1902 /* start SA Query procedure if not already engaged */ 1903 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1904 ieee80211_sa_query_request(ic, ni); 1905 /* do not modify association state */ 1906 } 1907 return; 1908 } 1909 1910 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1911 ic->ic_stats.is_rx_assoc_capmismatch++; 1912 status = IEEE80211_STATUS_CAPINFO; 1913 goto end; 1914 } 1915 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1916 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1917 IEEE80211_F_DODEL); 1918 if (rate & IEEE80211_RATE_BASIC) { 1919 ic->ic_stats.is_rx_assoc_norate++; 1920 status = IEEE80211_STATUS_BASIC_RATE; 1921 goto end; 1922 } 1923 1924 if (ic->ic_flags & IEEE80211_F_RSNON) { 1925 const u_int8_t *saveie; 1926 /* 1927 * A station should never include both a WPA and an RSN IE 1928 * in its (Re)Association Requests, but if it does, we only 1929 * consider the IE of the highest version of the protocol 1930 * that is allowed (ie RSN over WPA). 1931 */ 1932 if (rsnie != NULL && 1933 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1934 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 1935 if (status != 0) 1936 goto end; 1937 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1938 saveie = rsnie; 1939 } else if (wpaie != NULL && 1940 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1941 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 1942 if (status != 0) 1943 goto end; 1944 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1945 saveie = wpaie; 1946 } else { 1947 /* 1948 * In an RSN, an AP shall not associate with STAs 1949 * that fail to include the RSN IE in the 1950 * (Re)Association Request. 1951 */ 1952 status = IEEE80211_STATUS_IE_INVALID; 1953 goto end; 1954 } 1955 /* 1956 * The initiating STA's RSN IE shall include one authentication 1957 * and pairwise cipher suite among those advertised by the 1958 * targeted AP. It shall also specify the group cipher suite 1959 * specified by the targeted AP. 1960 */ 1961 if (rsn.rsn_nakms != 1 || 1962 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 1963 status = IEEE80211_STATUS_BAD_AKMP; 1964 goto end; 1965 } 1966 if (rsn.rsn_nciphers != 1 || 1967 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 1968 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1969 goto end; 1970 } 1971 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 1972 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 1973 goto end; 1974 } 1975 1976 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 1977 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 1978 status = IEEE80211_STATUS_MFP_POLICY; 1979 goto end; 1980 } 1981 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 1982 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 1983 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 1984 /* STA advertises an invalid setting */ 1985 status = IEEE80211_STATUS_MFP_POLICY; 1986 goto end; 1987 } 1988 /* 1989 * A STA that has associated with Management Frame Protection 1990 * enabled shall not use cipher suite pairwise selector WEP40, 1991 * WEP104, TKIP, or "Use Group cipher suite". 1992 */ 1993 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 1994 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 1995 rsn.rsn_groupmgmtcipher != 1996 ic->ic_bss->ni_rsngroupmgmtcipher)) { 1997 status = IEEE80211_STATUS_MFP_POLICY; 1998 goto end; 1999 } 2000 2001 /* 2002 * Disallow new associations using TKIP if countermeasures 2003 * are active. 2004 */ 2005 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2006 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2007 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2008 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2009 goto end; 2010 } 2011 2012 /* everything looks fine, save IE and parameters */ 2013 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2014 status = IEEE80211_STATUS_TOOMANY; 2015 goto end; 2016 } 2017 ni->ni_rsnakms = rsn.rsn_akms; 2018 ni->ni_rsnciphers = rsn.rsn_ciphers; 2019 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2020 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2021 ni->ni_rsncaps = rsn.rsn_caps; 2022 2023 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2024 struct ieee80211_pmk *pmk = NULL; 2025 const u_int8_t *pmkid = rsn.rsn_pmkids; 2026 /* 2027 * Check if we have a cached PMK entry matching one 2028 * of the PMKIDs specified in the RSN IE. 2029 */ 2030 while (rsn.rsn_npmkids-- > 0) { 2031 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2032 if (pmk != NULL) 2033 break; 2034 pmkid += IEEE80211_PMKID_LEN; 2035 } 2036 if (pmk != NULL) { 2037 memcpy(ni->ni_pmk, pmk->pmk_key, 2038 IEEE80211_PMK_LEN); 2039 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2040 IEEE80211_PMKID_LEN); 2041 ni->ni_flags |= IEEE80211_NODE_PMK; 2042 } 2043 } 2044 } else 2045 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2046 2047 ni->ni_rssi = rxi->rxi_rssi; 2048 ni->ni_rstamp = rxi->rxi_tstamp; 2049 ni->ni_intval = bintval; 2050 ni->ni_capinfo = capinfo; 2051 ni->ni_chan = ic->ic_bss->ni_chan; 2052 end: 2053 if (status != 0) { 2054 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2055 ieee80211_node_leave(ic, ni); 2056 } else 2057 ieee80211_node_join(ic, ni, resp); 2058 } 2059 #endif /* IEEE80211_STA_ONLY */ 2060 2061 /*- 2062 * (Re)Association response frame format: 2063 * [2] Capability information 2064 * [2] Status code 2065 * [2] Association ID (AID) 2066 * [tlv] Supported rates 2067 * [tlv] Extended Supported Rates (802.11g) 2068 * [tlv] EDCA Parameter Set (802.11e) 2069 * [tlv] HT Capabilities (802.11n) 2070 * [tlv] HT Operation (802.11n) 2071 */ 2072 void 2073 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2074 struct ieee80211_node *ni, int reassoc) 2075 { 2076 struct ifnet *ifp = &ic->ic_if; 2077 const struct ieee80211_frame *wh; 2078 const u_int8_t *frm, *efrm; 2079 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2080 u_int16_t capinfo, status, associd; 2081 u_int8_t rate; 2082 2083 if (ic->ic_opmode != IEEE80211_M_STA || 2084 ic->ic_state != IEEE80211_S_ASSOC) { 2085 ic->ic_stats.is_rx_mgtdiscard++; 2086 return; 2087 } 2088 2089 /* make sure all mandatory fixed fields are present */ 2090 if (m->m_len < sizeof(*wh) + 6) { 2091 DPRINTF(("frame too short\n")); 2092 return; 2093 } 2094 wh = mtod(m, struct ieee80211_frame *); 2095 frm = (const u_int8_t *)&wh[1]; 2096 efrm = mtod(m, u_int8_t *) + m->m_len; 2097 2098 capinfo = LE_READ_2(frm); frm += 2; 2099 status = LE_READ_2(frm); frm += 2; 2100 if (status != IEEE80211_STATUS_SUCCESS) { 2101 if (ifp->if_flags & IFF_DEBUG) 2102 printf("%s: %sassociation failed (status %d)" 2103 " for %s\n", ifp->if_xname, 2104 reassoc ? "re" : "", 2105 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2106 if (ni != ic->ic_bss) 2107 ni->ni_fails++; 2108 ic->ic_stats.is_rx_auth_fail++; 2109 return; 2110 } 2111 associd = LE_READ_2(frm); frm += 2; 2112 2113 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2114 while (frm + 2 <= efrm) { 2115 if (frm + 2 + frm[1] > efrm) { 2116 ic->ic_stats.is_rx_elem_toosmall++; 2117 break; 2118 } 2119 switch (frm[0]) { 2120 case IEEE80211_ELEMID_RATES: 2121 rates = frm; 2122 break; 2123 case IEEE80211_ELEMID_XRATES: 2124 xrates = frm; 2125 break; 2126 case IEEE80211_ELEMID_EDCAPARMS: 2127 edcaie = frm; 2128 break; 2129 #ifndef IEEE80211_NO_HT 2130 case IEEE80211_ELEMID_HTCAPS: 2131 htcaps = frm; 2132 break; 2133 case IEEE80211_ELEMID_HTOP: 2134 htop = frm; 2135 break; 2136 #endif 2137 case IEEE80211_ELEMID_VENDOR: 2138 if (frm[1] < 4) { 2139 ic->ic_stats.is_rx_elem_toosmall++; 2140 break; 2141 } 2142 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2143 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2144 wmmie = frm; 2145 } 2146 break; 2147 } 2148 frm += 2 + frm[1]; 2149 } 2150 /* supported rates element is mandatory */ 2151 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2152 DPRINTF(("invalid supported rates element\n")); 2153 return; 2154 } 2155 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2156 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2157 IEEE80211_F_DODEL); 2158 if (rate & IEEE80211_RATE_BASIC) { 2159 DPRINTF(("rate mismatch for %s\n", 2160 ether_sprintf((u_int8_t *)wh->i_addr2))); 2161 ic->ic_stats.is_rx_assoc_norate++; 2162 return; 2163 } 2164 ni->ni_capinfo = capinfo; 2165 ni->ni_associd = associd; 2166 if (edcaie != NULL || wmmie != NULL) { 2167 /* force update of EDCA parameters */ 2168 ic->ic_edca_updtcount = -1; 2169 2170 if ((edcaie != NULL && 2171 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2172 (wmmie != NULL && 2173 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2174 ni->ni_flags |= IEEE80211_NODE_QOS; 2175 else /* for Reassociation */ 2176 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2177 } 2178 /* 2179 * Configure state now that we are associated. 2180 */ 2181 if (ic->ic_curmode == IEEE80211_MODE_11A || 2182 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2183 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2184 else 2185 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2186 2187 ieee80211_set_shortslottime(ic, 2188 ic->ic_curmode == IEEE80211_MODE_11A || 2189 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2190 /* 2191 * Honor ERP protection. 2192 */ 2193 if (ic->ic_curmode == IEEE80211_MODE_11G && 2194 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2195 ic->ic_flags |= IEEE80211_F_USEPROT; 2196 else 2197 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2198 /* 2199 * If not an RSNA, mark the port as valid, otherwise wait for 2200 * 802.1X authentication and 4-way handshake to complete.. 2201 */ 2202 if (ic->ic_flags & IEEE80211_F_RSNON) { 2203 /* XXX ic->ic_mgt_timer = 5; */ 2204 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2205 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2206 2207 ieee80211_new_state(ic, IEEE80211_S_RUN, 2208 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2209 } 2210 2211 /*- 2212 * Deauthentication frame format: 2213 * [2] Reason code 2214 */ 2215 void 2216 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2217 struct ieee80211_node *ni) 2218 { 2219 const struct ieee80211_frame *wh; 2220 const u_int8_t *frm; 2221 u_int16_t reason; 2222 2223 /* make sure all mandatory fixed fields are present */ 2224 if (m->m_len < sizeof(*wh) + 2) { 2225 DPRINTF(("frame too short\n")); 2226 return; 2227 } 2228 wh = mtod(m, struct ieee80211_frame *); 2229 frm = (const u_int8_t *)&wh[1]; 2230 2231 reason = LE_READ_2(frm); 2232 2233 ic->ic_stats.is_rx_deauth++; 2234 switch (ic->ic_opmode) { 2235 case IEEE80211_M_STA: 2236 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2237 IEEE80211_FC0_SUBTYPE_DEAUTH); 2238 break; 2239 #ifndef IEEE80211_STA_ONLY 2240 case IEEE80211_M_HOSTAP: 2241 if (ni != ic->ic_bss) { 2242 if (ic->ic_if.if_flags & IFF_DEBUG) 2243 printf("%s: station %s deauthenticated " 2244 "by peer (reason %d)\n", 2245 ic->ic_if.if_xname, 2246 ether_sprintf(ni->ni_macaddr), 2247 reason); 2248 ieee80211_node_leave(ic, ni); 2249 } 2250 break; 2251 #endif 2252 default: 2253 break; 2254 } 2255 } 2256 2257 /*- 2258 * Disassociation frame format: 2259 * [2] Reason code 2260 */ 2261 void 2262 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2263 struct ieee80211_node *ni) 2264 { 2265 const struct ieee80211_frame *wh; 2266 const u_int8_t *frm; 2267 u_int16_t reason; 2268 2269 /* make sure all mandatory fixed fields are present */ 2270 if (m->m_len < sizeof(*wh) + 2) { 2271 DPRINTF(("frame too short\n")); 2272 return; 2273 } 2274 wh = mtod(m, struct ieee80211_frame *); 2275 frm = (const u_int8_t *)&wh[1]; 2276 2277 reason = LE_READ_2(frm); 2278 2279 ic->ic_stats.is_rx_disassoc++; 2280 switch (ic->ic_opmode) { 2281 case IEEE80211_M_STA: 2282 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2283 IEEE80211_FC0_SUBTYPE_DISASSOC); 2284 break; 2285 #ifndef IEEE80211_STA_ONLY 2286 case IEEE80211_M_HOSTAP: 2287 if (ni != ic->ic_bss) { 2288 if (ic->ic_if.if_flags & IFF_DEBUG) 2289 printf("%s: station %s disassociated " 2290 "by peer (reason %d)\n", 2291 ic->ic_if.if_xname, 2292 ether_sprintf(ni->ni_macaddr), 2293 reason); 2294 ieee80211_node_leave(ic, ni); 2295 } 2296 break; 2297 #endif 2298 default: 2299 break; 2300 } 2301 } 2302 2303 #ifndef IEEE80211_NO_HT 2304 /*- 2305 * ADDBA Request frame format: 2306 * [1] Category 2307 * [1] Action 2308 * [1] Dialog Token 2309 * [2] Block Ack Parameter Set 2310 * [2] Block Ack Timeout Value 2311 * [2] Block Ack Starting Sequence Control 2312 */ 2313 void 2314 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2315 struct ieee80211_node *ni) 2316 { 2317 const struct ieee80211_frame *wh; 2318 const u_int8_t *frm; 2319 struct ieee80211_rx_ba *ba; 2320 u_int16_t params, ssn, bufsz, timeout, status; 2321 u_int8_t token, tid; 2322 2323 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2324 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2325 ether_sprintf(ni->ni_macaddr))); 2326 return; 2327 } 2328 if (m->m_len < sizeof(*wh) + 9) { 2329 DPRINTF(("frame too short\n")); 2330 return; 2331 } 2332 /* MLME-ADDBA.indication */ 2333 wh = mtod(m, struct ieee80211_frame *); 2334 frm = (const u_int8_t *)&wh[1]; 2335 2336 token = frm[2]; 2337 params = LE_READ_2(&frm[3]); 2338 tid = (params >> 2) & 0xf; 2339 bufsz = (params >> 6) & 0x3ff; 2340 timeout = LE_READ_2(&frm[5]); 2341 ssn = LE_READ_2(&frm[7]) >> 4; 2342 2343 ba = &ni->ni_rx_ba[tid]; 2344 /* check if we already have a Block Ack agreement for this RA/TID */ 2345 if (ba->ba_state == IEEE80211_BA_AGREED) { 2346 /* XXX should we update the timeout value? */ 2347 /* reset Block Ack inactivity timer */ 2348 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2349 2350 /* check if it's a Protected Block Ack agreement */ 2351 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2352 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2353 return; /* not a PBAC, ignore */ 2354 2355 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2356 if (SEQ_LT(ba->ba_winstart, ssn)) 2357 ieee80211_ba_move_window(ic, ni, tid, ssn); 2358 return; 2359 } 2360 /* if PBAC required but RA does not support it, refuse request */ 2361 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2362 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2363 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2364 status = IEEE80211_STATUS_REFUSED; 2365 goto resp; 2366 } 2367 /* 2368 * If the TID for which the Block Ack agreement is requested is 2369 * configured with a no-ACK policy, refuse the agreement. 2370 */ 2371 if (ic->ic_tid_noack & (1 << tid)) { 2372 status = IEEE80211_STATUS_REFUSED; 2373 goto resp; 2374 } 2375 /* check that we support the requested Block Ack Policy */ 2376 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2377 !(params & IEEE80211_BA_ACK_POLICY)) { 2378 status = IEEE80211_STATUS_INVALID_PARAM; 2379 goto resp; 2380 } 2381 2382 /* setup Block Ack agreement */ 2383 ba->ba_state = IEEE80211_BA_INIT; 2384 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2385 if (ba->ba_timeout_val < IEEE80211_BA_MIN_TIMEOUT) 2386 ba->ba_timeout_val = IEEE80211_BA_MIN_TIMEOUT; 2387 else if (ba->ba_timeout_val > IEEE80211_BA_MAX_TIMEOUT) 2388 ba->ba_timeout_val = IEEE80211_BA_MAX_TIMEOUT; 2389 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2390 ba->ba_winsize = bufsz; 2391 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2392 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2393 ba->ba_winstart = ssn; 2394 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2395 /* allocate and setup our reordering buffer */ 2396 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2397 M_DEVBUF, M_NOWAIT | M_ZERO); 2398 if (ba->ba_buf == NULL) { 2399 status = IEEE80211_STATUS_REFUSED; 2400 goto resp; 2401 } 2402 ba->ba_head = 0; 2403 2404 /* notify drivers of this new Block Ack agreement */ 2405 if (ic->ic_ampdu_rx_start != NULL && 2406 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2407 /* driver failed to setup, rollback */ 2408 free(ba->ba_buf, M_DEVBUF); 2409 ba->ba_buf = NULL; 2410 status = IEEE80211_STATUS_REFUSED; 2411 goto resp; 2412 } 2413 ba->ba_state = IEEE80211_BA_AGREED; 2414 /* start Block Ack inactivity timer */ 2415 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2416 status = IEEE80211_STATUS_SUCCESS; 2417 resp: 2418 /* MLME-ADDBA.response */ 2419 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2420 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2421 } 2422 2423 /*- 2424 * ADDBA Response frame format: 2425 * [1] Category 2426 * [1] Action 2427 * [1] Dialog Token 2428 * [2] Status Code 2429 * [2] Block Ack Parameter Set 2430 * [2] Block Ack Timeout Value 2431 */ 2432 void 2433 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2434 struct ieee80211_node *ni) 2435 { 2436 const struct ieee80211_frame *wh; 2437 const u_int8_t *frm; 2438 struct ieee80211_tx_ba *ba; 2439 u_int16_t status, params, bufsz, timeout; 2440 u_int8_t token, tid; 2441 2442 if (m->m_len < sizeof(*wh) + 9) { 2443 DPRINTF(("frame too short\n")); 2444 return; 2445 } 2446 wh = mtod(m, struct ieee80211_frame *); 2447 frm = (const u_int8_t *)&wh[1]; 2448 2449 token = frm[2]; 2450 status = LE_READ_2(&frm[3]); 2451 params = LE_READ_2(&frm[5]); 2452 tid = (params >> 2) & 0xf; 2453 bufsz = (params >> 6) & 0x3ff; 2454 timeout = LE_READ_2(&frm[7]); 2455 2456 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2457 ether_sprintf(ni->ni_macaddr), tid, status)); 2458 2459 /* 2460 * Ignore if no ADDBA request has been sent for this RA/TID or 2461 * if we already have a Block Ack agreement. 2462 */ 2463 ba = &ni->ni_tx_ba[tid]; 2464 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2465 DPRINTF(("no matching ADDBA req found\n")); 2466 return; 2467 } 2468 if (token != ba->ba_token) { 2469 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2470 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2471 return; 2472 } 2473 /* we got an ADDBA Response matching our request, stop timeout */ 2474 timeout_del(&ba->ba_to); 2475 2476 if (status != IEEE80211_STATUS_SUCCESS) { 2477 /* MLME-ADDBA.confirm(Failure) */ 2478 ba->ba_state = IEEE80211_BA_INIT; 2479 return; 2480 } 2481 /* MLME-ADDBA.confirm(Success) */ 2482 ba->ba_state = IEEE80211_BA_AGREED; 2483 2484 /* notify drivers of this new Block Ack agreement */ 2485 if (ic->ic_ampdu_tx_start != NULL) 2486 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2487 2488 /* start Block Ack inactivity timeout */ 2489 if (ba->ba_timeout_val != 0) 2490 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2491 } 2492 2493 /*- 2494 * DELBA frame format: 2495 * [1] Category 2496 * [1] Action 2497 * [2] DELBA Parameter Set 2498 * [2] Reason Code 2499 */ 2500 void 2501 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2502 struct ieee80211_node *ni) 2503 { 2504 const struct ieee80211_frame *wh; 2505 const u_int8_t *frm; 2506 u_int16_t params, reason; 2507 u_int8_t tid; 2508 int i; 2509 2510 if (m->m_len < sizeof(*wh) + 6) { 2511 DPRINTF(("frame too short\n")); 2512 return; 2513 } 2514 wh = mtod(m, struct ieee80211_frame *); 2515 frm = (const u_int8_t *)&wh[1]; 2516 2517 params = LE_READ_2(&frm[2]); 2518 reason = LE_READ_2(&frm[4]); 2519 tid = params >> 12; 2520 2521 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2522 ether_sprintf(ni->ni_macaddr), tid, reason)); 2523 2524 if (params & IEEE80211_DELBA_INITIATOR) { 2525 /* MLME-DELBA.indication(Originator) */ 2526 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2527 2528 if (ba->ba_state != IEEE80211_BA_AGREED) { 2529 DPRINTF(("no matching Block Ack agreement\n")); 2530 return; 2531 } 2532 /* notify drivers of the end of the Block Ack agreement */ 2533 if (ic->ic_ampdu_rx_stop != NULL) 2534 ic->ic_ampdu_rx_stop(ic, ni, tid); 2535 2536 ba->ba_state = IEEE80211_BA_INIT; 2537 /* stop Block Ack inactivity timer */ 2538 timeout_del(&ba->ba_to); 2539 2540 if (ba->ba_buf != NULL) { 2541 /* free all MSDUs stored in reordering buffer */ 2542 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2543 if (ba->ba_buf[i].m != NULL) 2544 m_freem(ba->ba_buf[i].m); 2545 /* free reordering buffer */ 2546 free(ba->ba_buf, M_DEVBUF); 2547 ba->ba_buf = NULL; 2548 } 2549 } else { 2550 /* MLME-DELBA.indication(Recipient) */ 2551 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2552 2553 if (ba->ba_state != IEEE80211_BA_AGREED) { 2554 DPRINTF(("no matching Block Ack agreement\n")); 2555 return; 2556 } 2557 /* notify drivers of the end of the Block Ack agreement */ 2558 if (ic->ic_ampdu_tx_stop != NULL) 2559 ic->ic_ampdu_tx_stop(ic, ni, tid); 2560 2561 ba->ba_state = IEEE80211_BA_INIT; 2562 /* stop Block Ack inactivity timer */ 2563 timeout_del(&ba->ba_to); 2564 } 2565 } 2566 #endif /* !IEEE80211_NO_HT */ 2567 2568 /*- 2569 * SA Query Request frame format: 2570 * [1] Category 2571 * [1] Action 2572 * [16] Transaction Identifier 2573 */ 2574 void 2575 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2576 struct ieee80211_node *ni) 2577 { 2578 const struct ieee80211_frame *wh; 2579 const u_int8_t *frm; 2580 2581 if (ic->ic_opmode != IEEE80211_M_STA || 2582 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2583 DPRINTF(("unexpected SA Query req from %s\n", 2584 ether_sprintf(ni->ni_macaddr))); 2585 return; 2586 } 2587 if (m->m_len < sizeof(*wh) + 4) { 2588 DPRINTF(("frame too short\n")); 2589 return; 2590 } 2591 wh = mtod(m, struct ieee80211_frame *); 2592 frm = (const u_int8_t *)&wh[1]; 2593 2594 /* MLME-SAQuery.indication */ 2595 2596 /* save Transaction Identifier for SA Query Response */ 2597 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2598 2599 /* MLME-SAQuery.response */ 2600 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2601 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2602 } 2603 2604 #ifndef IEEE80211_STA_ONLY 2605 /*- 2606 * SA Query Response frame format: 2607 * [1] Category 2608 * [1] Action 2609 * [16] Transaction Identifier 2610 */ 2611 void 2612 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2613 struct ieee80211_node *ni) 2614 { 2615 const struct ieee80211_frame *wh; 2616 const u_int8_t *frm; 2617 2618 /* ignore if we're not engaged in an SA Query with that STA */ 2619 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2620 DPRINTF(("unexpected SA Query resp from %s\n", 2621 ether_sprintf(ni->ni_macaddr))); 2622 return; 2623 } 2624 if (m->m_len < sizeof(*wh) + 4) { 2625 DPRINTF(("frame too short\n")); 2626 return; 2627 } 2628 wh = mtod(m, struct ieee80211_frame *); 2629 frm = (const u_int8_t *)&wh[1]; 2630 2631 /* check that Transaction Identifier matches */ 2632 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2633 DPRINTF(("transaction identifier does not match\n")); 2634 return; 2635 } 2636 /* MLME-SAQuery.confirm */ 2637 timeout_del(&ni->ni_sa_query_to); 2638 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2639 } 2640 #endif 2641 2642 /*- 2643 * Action frame format: 2644 * [1] Category 2645 * [1] Action 2646 */ 2647 void 2648 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2649 struct ieee80211_node *ni) 2650 { 2651 const struct ieee80211_frame *wh; 2652 const u_int8_t *frm; 2653 2654 if (m->m_len < sizeof(*wh) + 2) { 2655 DPRINTF(("frame too short\n")); 2656 return; 2657 } 2658 wh = mtod(m, struct ieee80211_frame *); 2659 frm = (const u_int8_t *)&wh[1]; 2660 2661 switch (frm[0]) { 2662 #ifndef IEEE80211_NO_HT 2663 case IEEE80211_CATEG_BA: 2664 switch (frm[1]) { 2665 case IEEE80211_ACTION_ADDBA_REQ: 2666 ieee80211_recv_addba_req(ic, m, ni); 2667 break; 2668 case IEEE80211_ACTION_ADDBA_RESP: 2669 ieee80211_recv_addba_resp(ic, m, ni); 2670 break; 2671 case IEEE80211_ACTION_DELBA: 2672 ieee80211_recv_delba(ic, m, ni); 2673 break; 2674 } 2675 break; 2676 #endif 2677 case IEEE80211_CATEG_SA_QUERY: 2678 switch (frm[1]) { 2679 case IEEE80211_ACTION_SA_QUERY_REQ: 2680 ieee80211_recv_sa_query_req(ic, m, ni); 2681 break; 2682 #ifndef IEEE80211_STA_ONLY 2683 case IEEE80211_ACTION_SA_QUERY_RESP: 2684 ieee80211_recv_sa_query_resp(ic, m, ni); 2685 break; 2686 #endif 2687 } 2688 break; 2689 default: 2690 DPRINTF(("action frame category %d not handled\n", frm[0])); 2691 break; 2692 } 2693 } 2694 2695 void 2696 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2697 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2698 { 2699 switch (subtype) { 2700 case IEEE80211_FC0_SUBTYPE_BEACON: 2701 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2702 break; 2703 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2704 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2705 break; 2706 #ifndef IEEE80211_STA_ONLY 2707 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2708 ieee80211_recv_probe_req(ic, m, ni, rxi); 2709 break; 2710 #endif 2711 case IEEE80211_FC0_SUBTYPE_AUTH: 2712 ieee80211_recv_auth(ic, m, ni, rxi); 2713 break; 2714 #ifndef IEEE80211_STA_ONLY 2715 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2716 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2717 break; 2718 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2719 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2720 break; 2721 #endif 2722 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2723 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2724 break; 2725 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2726 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2727 break; 2728 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2729 ieee80211_recv_deauth(ic, m, ni); 2730 break; 2731 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2732 ieee80211_recv_disassoc(ic, m, ni); 2733 break; 2734 case IEEE80211_FC0_SUBTYPE_ACTION: 2735 ieee80211_recv_action(ic, m, ni); 2736 break; 2737 default: 2738 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2739 subtype)); 2740 ic->ic_stats.is_rx_badsubtype++; 2741 break; 2742 } 2743 } 2744 2745 #ifndef IEEE80211_STA_ONLY 2746 /* 2747 * Process an incoming PS-Poll control frame (see 11.2). 2748 */ 2749 void 2750 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2751 struct ieee80211_node *ni) 2752 { 2753 struct ifnet *ifp = &ic->ic_if; 2754 struct ieee80211_frame_pspoll *psp; 2755 struct ieee80211_frame *wh; 2756 u_int16_t aid; 2757 2758 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2759 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2760 ni->ni_state != IEEE80211_STA_ASSOC) 2761 return; 2762 2763 if (m->m_len < sizeof(*psp)) { 2764 DPRINTF(("frame too short, len %u\n", m->m_len)); 2765 ic->ic_stats.is_rx_tooshort++; 2766 return; 2767 } 2768 psp = mtod(m, struct ieee80211_frame_pspoll *); 2769 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2770 DPRINTF(("discard pspoll frame to BSS %s\n", 2771 ether_sprintf(psp->i_bssid))); 2772 ic->ic_stats.is_rx_wrongbss++; 2773 return; 2774 } 2775 aid = letoh16(*(u_int16_t *)psp->i_aid); 2776 if (aid != ni->ni_associd) { 2777 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2778 ether_sprintf(psp->i_ta))); 2779 return; 2780 } 2781 2782 /* take the first queued frame and put it out.. */ 2783 IF_DEQUEUE(&ni->ni_savedq, m); 2784 if (m == NULL) 2785 return; 2786 if (IF_IS_EMPTY(&ni->ni_savedq)) { 2787 /* last queued frame, turn off the TIM bit */ 2788 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2789 } else { 2790 /* more queued frames, set the more data bit */ 2791 wh = mtod(m, struct ieee80211_frame *); 2792 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2793 } 2794 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 2795 (*ifp->if_start)(ifp); 2796 } 2797 #endif /* IEEE80211_STA_ONLY */ 2798 2799 #ifndef IEEE80211_NO_HT 2800 /* 2801 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2802 */ 2803 void 2804 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2805 struct ieee80211_node *ni) 2806 { 2807 const struct ieee80211_frame_min *wh; 2808 const u_int8_t *frm; 2809 u_int16_t ctl, ssn; 2810 u_int8_t tid, ntids; 2811 2812 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2813 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2814 ether_sprintf(ni->ni_macaddr))); 2815 return; 2816 } 2817 if (m->m_len < sizeof(*wh) + 4) { 2818 DPRINTF(("frame too short\n")); 2819 return; 2820 } 2821 wh = mtod(m, struct ieee80211_frame_min *); 2822 frm = (const u_int8_t *)&wh[1]; 2823 2824 /* read BlockAckReq Control field */ 2825 ctl = LE_READ_2(&frm[0]); 2826 tid = ctl >> 12; 2827 2828 /* determine BlockAckReq frame variant */ 2829 if (ctl & IEEE80211_BA_MULTI_TID) { 2830 /* Multi-TID BlockAckReq variant (PSMP only) */ 2831 ntids = tid + 1; 2832 2833 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2834 DPRINTF(("MTBAR frame too short\n")); 2835 return; 2836 } 2837 frm += 2; /* skip BlockAckReq Control field */ 2838 while (ntids-- > 0) { 2839 /* read MTBAR Information field */ 2840 tid = LE_READ_2(&frm[0]) >> 12; 2841 ssn = LE_READ_2(&frm[2]) >> 4; 2842 ieee80211_bar_tid(ic, ni, tid, ssn); 2843 frm += 4; 2844 } 2845 } else { 2846 /* Basic or Compressed BlockAckReq variants */ 2847 ssn = LE_READ_2(&frm[2]) >> 4; 2848 ieee80211_bar_tid(ic, ni, tid, ssn); 2849 } 2850 } 2851 2852 /* 2853 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2854 * This is the common back-end for all BlockAckReq frame variants. 2855 */ 2856 void 2857 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2858 u_int8_t tid, u_int16_t ssn) 2859 { 2860 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2861 2862 /* check if we have a Block Ack agreement for RA/TID */ 2863 if (ba->ba_state != IEEE80211_BA_AGREED) { 2864 /* XXX not sure in PBAC case */ 2865 /* send a DELBA with reason code UNKNOWN-BA */ 2866 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2867 IEEE80211_ACTION_DELBA, 2868 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2869 return; 2870 } 2871 /* check if it is a Protected Block Ack agreement */ 2872 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2873 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2874 /* ADDBA Requests must be used in PBAC case */ 2875 if (SEQ_LT(ssn, ba->ba_winstart) || 2876 SEQ_LT(ba->ba_winend, ssn)) 2877 ic->ic_stats.is_pbac_errs++; 2878 return; /* PBAC, do not move window */ 2879 } 2880 /* reset Block Ack inactivity timer */ 2881 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2882 2883 if (SEQ_LT(ba->ba_winstart, ssn)) 2884 ieee80211_ba_move_window(ic, ni, tid, ssn); 2885 } 2886 #endif /* !IEEE80211_NO_HT */ 2887